SecureX threat response Ecosystem
Some time ago, Cisco Security announced the SecureX platform with two core capabilities: threat response and orchestration. In that announcement, we highlighted nearly two dozen integrations with SecureX threat response, formerly Cisco Threat Response.
With SecureX, you can accelerate threat hunting and incident response by seamlessly integrating SecureX threat response with your existing security technology. You have the flexibility to bring your tools together, whether with integrations that are built-in, pre-packaged, or custom. If you have Cisco Stealthwatch, Firepower, AMP for Endpoints, Umbrella, Email Security, Web Security, or Threat Grid, SecureX threat response is included with your license at no additional cost.
- Connect your entire security stack, Cisco or otherwise, for faster investigations
- Aggregate and correlate security context from multiple systems in one view
- Get the most from your existing security investments, including from our technology partners
The SecureX platform has 3 categories of integrations:
- Built-in integrations are produced by Cisco, or by select technology partners, for customers to configure immediately. These are typically integrations where SecureX threat response produces threat intelligence to be visualized in the partner’s interface, though there are exceptions, such as VirusTotal, or when a partner builds the threat response APIs into their core code.
- Pre-packaged integrations are produced by Cisco or technology partners for customers to use as ready-made scripts that they install into cloud infrastructure they maintain. The time spent is minimized, as you don’t need to learn any APIs or write any code. These are generally SecureX threat response modules that generate threat intelligence to be visualized in SecureX. They are available as modules in SecureX.
- Custom integrations can be created by customers leveraging Cisco’s and technology partners’ open APIs. The time spent on integration is reduced by using our resources on DevNet to get started quickly, including training, links to code on GitHub, and extensive use case and workflow documentation on ReadtheDocs.
We made a promise in late April: “… we’re accelerating detection, investigation, and remediation across your environment with many more pre-packaged integrations.” We are delighted to announce that the time is now.
Built-in integrations
VirusTotal is a free service that inspects items with more than 70 antivirus (AV) scanners and URL/domain blocklisting services. The threat response VirusTotal module lets you query a URL, IP address, file hash or domain, within the incident response process, to get extra context from the AV vendors and scanners about the threats linked to the sample. You can sign up for a free VirusTotal account and receive an API key. Threat Response uses the API key on your behalf to add VirusTotal query results to any investigation.
The threat response extension for QRadar provides the capability to right-click pivot from an IP in QRadar into an investigation in the Threat Response console, and to hover over 100+ property field types and query threat response for Verdicts.
ServiceNow Security Operations
ServiceNow Security Operations (Security Incident Response and Threat Intelligence) can leverage the Verdicts, Response and Refer features provided by threat response to assist the security analyst in their investigation workflow. This allows the analyst to take response actions from within ServiceNow to remediate threats.
SecureX Threat Response Add-On for Splunk offers a custom search command that allows users to query threat response for Targets and Verdicts from observables in a Splunk instance.
The Phantom threat response plug-in enables a user, or an automated playbook/action, to initiate a query to threat response for Sightings or Verdicts of an observable and render them in a table.
Swimlane Security Operations Management
The Swimlane threat response plugin connects to the Threat Response API to extract and enrich observables.
TheHive Project – Cortex Analyzers*
Pre-packaged integrations
To use the pre-packaged integrations, you first need to deploy a cloud infrastructure to implement the threat response serverless relay API. We developed a step-by-step installation guide and recorded tutorials to make it easier, plus code on GitHub that is pre-configured for AWS Lambda. The API itself is a basic Flask (WSGI) app that can be easily packaged and deployed as an AWS Lambda Function, running behind an AWS API Gateway proxy using Zappa. An already deployed Relay API (e.g., packaged as an AWS Lambda Function) can be pushed to threat response as a Relay Module using the Threat Response Relay CLI. The threat response Python API module is available via pip install.
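As an added illustration (not Cisco’s relay code or the GitHub template), here is a minimal deliberate-style relay written in plain WSGI rather than Flask so it runs with no dependencies: it accepts a JSON list of observables, looks them up in a constructed sample blocklist, and returns CTIM-shaped Verdicts and Judgements the way the blocklist modules above do. The route names, disposition codes and response layout are my assumptions modeled on the relay convention, not taken from the page.

```python
import io
import json
from datetime import datetime, timedelta, timezone
# Constructed sample blocklist standing in for a feed such as AbuseIPDB or C1fApp.
SAMPLE_BLOCKLIST = {"ip": {"198.51.100.23": "example-feed-a"}, "domain": {"bad.example": "example-feed-b"}}
MALICIOUS, UNKNOWN = 2, 5        # CTIM disposition codes (assumed values)
SUPPORTED = {"ip", "domain"}     # observable types this relay understands

def deliberate(observables):
    """Return CTIM-style Verdicts and Judgements for a list of observables."""
    now = datetime.now(timezone.utc)
    valid = {"start_time": now.isoformat(), "end_time": (now + timedelta(days=1)).isoformat()}
    verdicts, judgements = [], []
    for obs in observables:
        kind, value = obs.get("type"), obs.get("value")
        if kind not in SUPPORTED or not value:
            continue                      # unsupported types are skipped, not errors
        feed = SAMPLE_BLOCKLIST[kind].get(value)
        verdicts.append({"type": "verdict", "observable": obs, "valid_time": valid,
                         "disposition": MALICIOUS if feed else UNKNOWN})
        if feed:                          # the Judgement records which feed saw it
            judgements.append({"type": "judgement", "observable": obs, "valid_time": valid,
                               "disposition": MALICIOUS, "source": feed, "severity": "High"})
    return {"data": {"verdicts": {"count": len(verdicts), "docs": verdicts},
                     "judgements": {"count": len(judgements), "docs": judgements}}}

def relay_app(environ, start_response):
    """Minimal WSGI entry point; a Flask app would expose the same two routes."""
    path, method = environ.get("PATH_INFO", ""), environ.get("REQUEST_METHOD", "GET")
    if path == "/health":
        status, body = "200 OK", {"data": {"status": "ok"}}
    elif path == "/deliberate/observables" and method == "POST":
        try:
            payload = json.loads(environ["wsgi.input"].read(int(environ.get("CONTENT_LENGTH") or 0)))
            if not isinstance(payload, list):
                raise ValueError("expected a JSON list of observables")
            status, body = "200 OK", deliberate(payload)
        except (ValueError, TypeError, AttributeError) as exc:  # bad input -> 400, never a traceback
            status, body = "400 Bad Request", {"errors": [{"code": "invalid argument", "message": str(exc)}]}
    else:
        status, body = "404 Not Found", {"errors": [{"code": "not found"}]}
    start_response(status, [("Content-Type", "application/json")])
    return [json.dumps(body).encode()]

def call_relay(method, path, payload=None):  # drive relay_app in-process and parse the reply
    raw = json.dumps(payload).encode() if payload is not None else b""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "CONTENT_LENGTH": str(len(raw)), "wsgi.input": io.BytesIO(raw)}
    seen = []
    body = b"".join(relay_app(environ, lambda status, headers: seen.append(status)))
    return seen[0], json.loads(body)
```

A real module would replace the embedded dictionary with a call to the provider’s API and keep the provider’s key in the relay’s configuration, never in the client.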
Threat response module for the investigation of IPs and URLs. AbuseIPDB supports both IPv4 and IPv6. API limit: 1000 per day. Returned Entities: Verdicts, Judgement, Sighting, Indicator.
Threat Response module to query AlienVault OTX for observables (IP, IPv6, domain, hash values) and return Sightings and Indicators from the “Pulses” in AlienVault. Pivot to the AlienVault OTX UI via refer actions.
Threat Response module for investigations of IPs or domains that receives a Sightings response from the APIVoid blocklist aggregation.
Threat Response module for the investigation of IPs. Query Auth0 Signals for an IP address to find out if it is on any blocklists. Returns Verdicts for the IP based on the scoring supplied. Returns Open-Source Intelligence (OSINT) context from over 100 curated and normalized blocklists.
SecureX threat response module for the investigation of IP addresses. SecureX receives a Verdict response from C1fApp. A Malicious Verdict is returned when the observable is found on a blocklist, and the Indicator is the feed on which it was seen.
Threat response module for the investigation of verdicts on IPs and URLs, receiving Cybertracker Judgements and Verdicts.
Threat response module for the investigation of IPs, domains, file hashes and file names. Returned Entities: Verdicts and Judgements.
The Farsight Security SecureX threat response module enables a user to initiate an investigation for verdicts on IPs and Domains. Farsight Security DNSDB provides enrichment information about IP Addresses (IPv4 and IPv6) and Domains. Certified as Cisco Compatible.
The Gigamon ThreatINSIGHT module enables threat response to query network and threat data for Sightings of observables from Gigamon intelligence. Gigamon completed the Cisco Compatible Certification for the integration and published a joint solution brief.
The Google Chronicle threat response module enables queries for Sightings of observables (IP, domain, hash, file name, file path) within the SIEM. It can also List Assets, Get IOC Details, List Alerts within a time range, and List IOCs within a time range.
Threat response module for the integration of Google Safe Browsing, a blacklist service provided by Google that delivers lists of URLs for web resources that contain malware or phishing content. Google Chrome, Safari, Firefox, Vivaldi and GNOME Web use the lists from the Google Safe Browsing service to check web pages against potential threats, and this integration lets the user have that blacklist intelligence in threat response.
Threat response module for the investigation of a SHA256. The module provides context around a compromised e-mail and the username associated with that e-mail, and context about a user for a host. If the Cisco Email Security Appliance module is enabled, it then returns the identified e-mail addresses that the SHA256 was delivered to, as seen in data breaches. Small subscription fee.
Threat response module for the investigation of URLs. Returns the Verdict.
The Qualys Indication of Compromise threat response module is used for the investigation of Sightings of supported observables on Targets. It supports hashes (MD5, SHA256) of a file image on disk, the image on disk for a running process, and the image on disk for loaded modules, as well as File Name (Process Name), IP, Domain, Mutex and File Path.
Radware WAF and DDoS
SecureX threat response modules for IP address(es) investigation, for both WAF and DDoS abusive activity, along with Indicators for those Sightings. Certified as Cisco Compatible.
Query SecurityTrails with this module for enrichment information about Domains and IP Addresses (IPv4 and IPv6). Pivot to the SecurityTrails UI to look up Domains and IP Addresses (IPv4 and IPv6).
ServiceNow Security Operations
The ServiceNow module in Threat Response enables ServiceNow to be a data source when the analyst starts an investigation in the Threat Response UI or via the API. This allows the analyst to query ServiceNow for historical context from prior incidents that involved a given observable.
SecureX threat response Pivot / Respond menu on an IP address. Shodan is a search engine for Internet-connected devices. Web search engines, such as Google and Bing, are great for finding websites.
Signal Sciences Web Application Protection
Signal Sciences is a leading web application security company, with a next-gen web application firewall (WAF) and runtime application self-protection (RASP) solution. Through the threat response integration produced by Signal Sciences, your Security Operations team will have immediate visibility into attacks across all web application workloads. With the integration, you can take immediate action. Certified as Cisco Compatible.
The SecureX threat response SpyCloud module empowers customers to initiate an investigation into a SHA256. The module provides context around a compromised e-mail and the username associated with that e-mail, and context about a user for a host. If the Cisco Email Security module is enabled, it then returns the e-mail addresses that the SHA256 was delivered to, e.g. those e-mail addresses that have been seen in data breaches.
ThreatQuotient Security Operations Platform
ThreatQuotient periodically posts Judgements and Verdicts of observables to the Cisco Threat Intelligence API, for visualization in threat response. In addition, ThreatQ uses threat response as an enrichment source for threat intelligence.
SecureX threat response module to submit URL(s) to urlscan.io for threat intelligence context.
The SecureX ecosystem will continue to grow, with additional integrations in development now, both by Cisco and our technology partners. You and your organization are also empowered to build your own. The power of the SecureX platform is yours.
Acknowledgements: My thanks to Michael Auger, manager of ecosystem integrations, and my partner in this endeavor. Michael created the relay architecture that made rapid development achievable between SecureX and technology partners. Michael led a team of twelve developers, program managers and quality assurance engineers, and worked closely with partners’ engineering teams, to build 27 integrations with 24 partners for the initial SecureX release. Well done!!
*Community/open source