In today’s security landscape, threat actors use multiple entry vectors and attack techniques to target organizations. With so many moving parts, security teams struggle to reconcile data between isolated malware analysis tools and other security products. They lose valuable time shuttling between screens and executing repeatable tasks while the attack continues to unfold. Analysts need a platform that unifies data from malware analysis products and other sources on one console, resulting in rich incident context and accelerated response without tab-switching and manual rework.
Joint users can combine SNDBOX’s AI-powered malware analysis capabilities with Demisto’s security orchestration and automation features to standardize their response processes, increase analyst productivity, and reduce time to detection and remediation.
- Orchestrate SNDBOX malware analysis actions along with actions from other security products in one window through Demisto playbooks.
- Submit samples to SNDBOX for analysis and download reports from within Demisto in real-time.
- Leverage hundreds of Demisto product integrations to further enrich SNDBOX data and coordinate response across security functions.
- Run thousands of commands (including for SNDBOX) interactively via a ChatOps interface while collaborating with other analysts and Demisto’s chatbot.
Use Case #1
Automate malware analysis and response
As alert volumes grow, analysts find it hard to keep up with the repetitive, high-volume tasks that make up malware triage and analysis. This eventually leads to a higher error rate, incomplete investigations, and alerts slipping through the cracks.
SOCs can have standardized playbooks that run automatically and query SNDBOX for malware analysis. These playbooks can perform checks to initiate triage, run detonation actions, and return the reports to the analysts for subsequent investigation. By aligning malware analysis with other concurrent security functions, these playbooks ensure that security teams have central visibility over incident response processes.
Analysts will save time and eliminate redundant effort by automating triage and detonation tasks, reserving their attention for more nuanced and sophisticated investigation actions. This also ensures standardized response, a reduced error rate, and no alerts slipping through the cracks.
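The triage-then-detonate flow described above, as an added example that is not Demisto's or SNDBOX's own code. The sandbox client is a constructed in-memory stand-in (FakeSandbox, with an assumed 0-100 score) so the logic runs offline; in a real playbook each step would be a command against the sandbox integration (submit sample, check status, download report). The severity constants follow Demisto's 1 (low) to 4 (critical) incident scale.

```python
"""Playbook-style triage -> detonate -> report flow (added illustration).

The sandbox here is a constructed stand-in, not a real SNDBOX client. What the
example shows that the prose does not: which checks run before detonation,
how the detonation is polled with a bound, and how a verdict becomes the
severity an analyst sees.
"""
import hashlib
import time
from dataclasses import dataclass

# Demisto incident severity scale: 1 low, 2 medium, 3 high, 4 critical.
SEVERITY_LOW, SEVERITY_MEDIUM, SEVERITY_HIGH, SEVERITY_CRITICAL = 1, 2, 3, 4


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Report:
    sha256: str
    score: int      # 0-100 maliciousness score (assumed scale, not SNDBOX's)
    verdict: str    # "malicious", "suspicious" or "clean"


class FakeSandbox:
    """Constructed in-memory stand-in for a sandbox API.

    A job reports 'running' until it has been polled polls_until_done times,
    which lets the polling and timeout logic below be exercised offline.
    """

    def __init__(self, polls_until_done: int = 2):
        self.polls_until_done = polls_until_done
        self.submissions = 0
        self._jobs = {}

    def submit(self, data: bytes) -> str:
        self.submissions += 1
        job_id = sha256_hex(data)
        # Deterministic fake scoring so the flow is reproducible offline.
        if data[:2] == b"MZ":
            score = 95
        elif b"powershell" in data.lower():
            score = 60
        else:
            score = 5
        self._jobs[job_id] = {"polls": 0, "score": score}
        return job_id

    def status(self, job_id: str) -> str:
        job = self._jobs[job_id]
        job["polls"] += 1
        return "finished" if job["polls"] >= self.polls_until_done else "running"

    def report(self, job_id: str) -> Report:
        score = self._jobs[job_id]["score"]
        verdict = "malicious" if score >= 80 else "suspicious" if score >= 50 else "clean"
        return Report(job_id, score, verdict)


def severity_for(report: Report) -> int:
    """Map a sandbox score onto the incident severity the playbook sets."""
    if report.score >= 80:
        return SEVERITY_CRITICAL
    if report.score >= 50:
        return SEVERITY_HIGH
    return SEVERITY_LOW


def triage_and_detonate(data, sandbox, cache, allowlist=frozenset(),
                        max_polls=10, poll_interval=0.0):
    """One playbook run: triage checks first, detonate only when needed.

    cache maps sha256 -> Report for samples already analysed, so a sample seen
    twice (typical for a mass-mailed attachment) costs no second detonation.
    """
    sha256 = sha256_hex(data)

    # Triage check 1: known-good hashes are never detonated.
    if sha256 in allowlist:
        return {"sha256": sha256, "action": "skipped",
                "reason": "allowlisted", "severity": SEVERITY_LOW}

    # Triage check 2: reuse an existing verdict instead of re-detonating.
    if sha256 in cache:
        report = cache[sha256]
        return {"sha256": sha256, "action": "cached",
                "verdict": report.verdict, "severity": severity_for(report)}

    # Detonation: submit, then poll a bounded number of times so a stuck
    # sandbox job cannot stall the playbook indefinitely.
    job_id = sandbox.submit(data)
    for _ in range(max_polls):
        if sandbox.status(job_id) == "finished":
            break
        time.sleep(poll_interval)
    else:
        # No verdict: hand to a human at medium severity rather than auto-close.
        return {"sha256": sha256, "action": "timeout",
                "job_id": job_id, "severity": SEVERITY_MEDIUM}

    report = sandbox.report(job_id)
    cache[sha256] = report
    return {"sha256": sha256, "action": "detonated", "verdict": report.verdict,
            "score": report.score, "severity": severity_for(report)}


if __name__ == "__main__":
    sb, cache = FakeSandbox(), {}
    for sample in (b"MZ\x90\x00fake-pe", b"MZ\x90\x00fake-pe", b"plain text"):
        print(triage_and_detonate(sample, sb, cache))
```

The two triage checks are where most of the analyst time is saved: repeated attachments and allow-listed files never reach the sandbox, and the poll bound turns a hung detonation into an explicit "timeout" result that the playbook can route to a person instead of silently dropping.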
To learn more about Demisto's integration with SNDBOX, view our joint solution brief.
Use Case #2
Interactive investigations for deeper malware study
While conducting joint investigations, analysts struggle with attaching task-level accountability, documenting actions in one source, and learning from each other’s actions to reduce marginal time to incident resolution.
After playbook execution, analysts can conduct joint investigations in the Demisto War Room and run SNDBOX-specific commands in real-time. For example, analysts can run the sndbox-analysis-submit-sample command to submit a sample to SNDBOX for analysis. Security teams can also run commands from hundreds of other products in the War Room, ensuring a unified platform for collaboration, investigation, and documentation of actions.
All participating analysts will have full task-level visibility of the process followed, be able to run and document commands from the same window, and avoid collating information from multiple sources for documentation.
We hope you found this integration overview useful. To explore Demisto in greater detail, you can download our Free Community Edition.