In today’s ever-changing security landscape, incident response teams often miss out on potential threats that can impact their organization because they’re time-strapped by manual processes and high alert volume. They’re unable to take advantage of the breadth of external threat intelligence available and instead focus only on internal logs and data. Security teams need a platform that can centralize threat intelligence across sources in real-time and harness that information to drive action across security infrastructures.
To meet these challenges, users can combine the comprehensive real-time contextual threat intelligence of Palo Alto Networks AutoFocus with the security orchestration and automation features of Demisto to improve threat visibility and accelerate incident response.
- Automate retrieval of AutoFocus threat analysis as playbook-driven tasks within Demisto.
- Perform quick custom searches across billions of AutoFocus samples and trillions of artifacts within Demisto, either as automatable playbook tasks or in real-time.
- Get details of specific AutoFocus sessions within Demisto for enhanced incident context.
- Leverage hundreds of Demisto product integrations by using AutoFocus intelligence and coordinating response across security functions.
- Run thousandsof commands (including for AutoFocus) interactively via a ChatOps interface while collaborating with other analysts and Demisto’s chatbot.
USE CASE #1
Automated Threat Enrichment and Response
The disparate nature of threat intelligence and incident response tools can make it tough for SOC teams to track the lifecycle of an incident due to moving between screens, fragmented information, and the lack of single-window documentation. Incident response will also often involve a host of important but repetitive actions that analysts need to perform, leaving them time-strapped for actual problem-solving and decision-making.
SOCs using AutoFocus for contextual threat intelligence and Demisto Enterprise for security orchestration and automation respectively, can automate indicator enrichment from AutoFocus through Demisto playbooks. These playbooks will harness rich, multi-source intelligence from AutoFocus and use that information to execute actions across the entire stack of products that a SOC uses.
For example, analysts can leverage AutoFocus to check file reputation of hashes, retrieve sample analyses, and search for session details as automatable playbook tasks.
Demisto playbooks coupled with AutoFocus actions can standardize and speed up triage and resolution of security alerts. Analysts get a comprehensive view of the response workflow on a single screen. With the repeatable tasks now automated, analyst time is freed up for deeper investigation and strategic action.
To learn more about our integration with AutoFocus, view our joint solution brief:
USE CASE #2
Interactive, Real-Time Investigation for Complex Threats
Apart from running automated actions, attack investigations usually require additional real-time tasks such as pivoting from one suspicious indicator to another to gather critical evidence, drawing relations between incidents, and finalizing resolution. Running these commands traps analysts in a screen-switching cycle during investigation and a documentation-chasing cycle after investigations end.
After running enrichment playbooks, analysts can gain greater visibility and new actionable information about the attack by running AutoFocus commands in the Demisto War Room. For example, if playbook results display a sample analysis, analysts can run the autofocus-search-samples command in the War Room to get additional details on sample (as well as related samples).
Analysts can also run commands from other security tools in real-time using the War Room, ensuring a single-console view for end-to-end investigation. The War Room will document all analyst actions and suggest the most effective analysts and command-sets with time.
The War Room allows analysts to quickly pivot and run unique commands relevant to incidents in their environment from a common window. All participating analysts will have full task-level visibility of the process and be able to run and document commands from a unified console. They will also prevent the need for collating information from multiple sources for documentation.
We hope you found this integration overview useful. To explore Demisto in greater detail, you can download our free community edition below.