About The Integration
Security teams face many alerts from their endpoint protection solution and lack context on them: does an alert indicate a real incident or not? What are the risk and the impact? How should they respond? An alert can concern a specific file, a hash, or the endpoint itself.
Utilizing Intezer's technology, security teams can gain additional unique information about an alert, such as the malware family, the threat actor, similarities to other known malware, and more.
This information helps not only to reach a malicious verdict but also provides much more context for accelerating and tailoring incident response.
Demo Video
Here is a video summarizing the integration's benefits, workflow, and commands.
Manual Commands
Four commands are implemented for Intezer:
- Submit file
- Submit file hash
- Submit URL
- Get analysis results (metadata, code reuse)
Here you can view the integration, its setup, and an explanation of how to use it:
https://xsoar.pan.dev/docs/reference/integrations/intezer-v2
Using The Playbooks
This app provides three playbooks:
- Intezer - Analyze by hash - Analyzes the given file hash on Intezer Analyze and enriches the file reputation. Supports SHA256, SHA1, and MD5 hashes.
- Intezer - Analyze an uploaded file - Uploads a file to Intezer Analyze for analysis and enriches the file reputation.
- Intezer - Scan host - Uses the Demisto D2 agent to scan a host with the Intezer scanner.
Demisto & Endpoint Protection Matrix
Carbon Black
There is a rich built-in integration with CB Live Response, which enables security operators to collect information and take action on remote endpoints in real time, for both CB Response (EDR) and CB Defense (EPP).
- Implemented commands:
  - cb-get-file-from-endpoint - Gets a file from an endpoint; relevant for the "submit file" command
  - cb-push-file-to-endpoint - Saves a file to an endpoint
  - cb-process-execute - Runs an executable on an endpoint
  - cb-memdump - Dumps the endpoint's memory
- Implemented commands for CB Response (EDR):
  - cb-eedr-report-create - Adds a new watchlist report for a certain IOC (IP, MD5, DNS)
  - cb-eedr-get-file-metadata - Returns all of the metadata for the binary identified by the specified SHA256 hash, including whether it is available for download
  - cb-eedr-files-download-link-get - Provides download links for files; the files are downloaded via AWS S3 pre-signed URLs.
Cybereason
Demisto has a basic integration with Cybereason; there appears to be no automatic way to retrieve the suspicious file from the endpoint or to execute remote commands on the endpoint.
- Implemented commands:
  - cybereason-query-file - Retrieves the detection's details from Cybereason, including the file hash, path, process, etc.
CrowdStrike Falcon
- Implemented commands:
  - cs-falcon-run-command - Sends commands to hosts.
  - cs-falcon-get-extracted-file - Gets a file based on its SHA256 and the host
  - cs-falcon-run-script - Runs a script on the host
  - cs-falcon-search-iocs - Searches IOCs (IP, MD5, SHA1, SHA256, domain)
  - cs-falcon-upload-ioc - Updates Falcon with IOCs (IP, MD5, SHA256, domain, IP)
  - cs-falcon-processes-ran-on - Can also be used for proactive hunting