When we started Demisto a little over 2 years ago, our main objective was to optimize incident response in the SOC. We created a platform that can respond to incidents in a split second based on playbooks that require little if any human intervention. Now that we have many customers around the world, we always ask – how can we make your SOC even more efficient?
One answer that we heard everywhere is that the SOC does not only respond to incidents, it also performs many operational tasks; SOCs make sure that detection systems are running and up-to-date, add URLs to the proxy white list, go through checklists when certain employees leave the organization, and so on.
We analyzed many of these tasks and realized that, in most cases, our Demisto server was already connected to the systems in question and all that was missing were relevant playbooks and a few other features that would allow customers to easily manage their SOC. We released this function about a year ago and it saw quick and encouraging adoption. We also realized that Jobs can help in proactively finding attacks before the detection systems discover them.
Desperately Seeking Attacks
Let’s talk about the over-reliance on reactive investigative measures in SOCs today. Even well-functioning SOCs continue to have problems with proactively running checks that identify incipient attacks before they manifest themselves and generate an incident. In most cases, attacks will leave breadcrumbs and give out warning signals before they actually become ‘attacks’; these signals can be picked up if SOCs proactively search for them instead of responding to incidents.
Most SOCs do not proactively look for attacks simply because their staff are busy responding to incidents that have already been discovered. This is unlikely to change – SOCs must prioritize, and we have not seen a single SOC where analysts are idle and can afford the luxury of searching for unknown attacks in their networks. Enter Jobs – a Demisto feature that runs playbooks and helps SOCs automate proactive security operations.
In this blog, we’ll go over the Jobs feature in Demisto, which enables proactive security operations by facilitating both scheduled and on-demand playbook runs that orchestrate across the entire security product stack.
How Demisto Jobs Work
Jobs in Demisto are playbooks that you can either schedule to run at pre-determined times and frequencies or have easy access to for on-demand execution.
Jobs can be accessed by clicking the ‘Jobs’ button on the left toolbar. The default view of the Jobs page is given below:
Fig 1: The Jobs home screen shows a dashboard of all Jobs and a tabular view with Jobs details
The top half of the screen shows a dashboard view of all the Jobs created by your SOC in Demisto. You can see which Jobs are currently running, waiting for analyst input, disabled, or experiencing errors. If you have a large number of Jobs stored on the platform, you can write search queries or click on the sub-section of categories that you want to be shown.
The bottom half of the screen shows a tabular view of the Jobs along with salient details such as Job Status (Idle, Enabled, Disabled), Run Status (Aborted, Running, Waiting, Error), the timeline of the Job’s most recent run, when the next run is scheduled, and any additional details as notes.
If you want to see details of a single Job, click on the ‘Summary View’ button. This is how the Summary View looks:
Fig 2: The Summary View shows the detailed run history of each Job
In this view, you can study the run history of a particular Job. In the screenshot above, the ‘Enrichment IOC’ Job has been selected, and you can see details of each instance it was run, such as incident creation and closure times.
Creating a new Job:
To create a new Job, click on the ‘New Job’ button on the top right of the page.
Fig 3: Click the 'New Job' button to create a new Job
This opens the ‘New Job’ window, which looks like this:
Fig 4: The New Job window
Here, you can fill in the Job’s name, assign owners as needed, choose the specific playbook that will run for this Job, enter timeline details if it’s a scheduled Job, and add any other tags, labels, or details as relevant. Once done, just click the ‘Create new job’ button on the bottom right.
Running a Job:
To run a Job, click on the checkbox next to the Job in question and select the ‘Run now’ button on the top menu as shown in this GIF:
Fig 5: Running a Job
Here, a VPN check is run, which triggers a playbook that follows a series of steps to verify whether there are any VPN transgressions in the organization (which haven’t manifested themselves as incidents yet).
Once you run a Job, the ‘Run Status’ column for that Job will change to ‘Running’. Click this button to go straight to a live run of the playbook in question.
Demisto Jobs Use Cases
Jobs can be used for any workflows that need to be implemented at regular intervals by the SOC. They are also useful for having playbooks at the ready and launching them proactively instead of triggering them when an incident occurs.
A few use cases for Demisto Jobs are:
- Running scheduled VPN checks.
- Threat hunting exercises using uploaded STIX files of IOCs.
- Checks for expired SSL certificates.
- Scans for vulnerable applications.
- Policy compliance checks.
- Checks on security system health.
- Onboarding and removing privileged users.
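As an added illustration of the second use case (threat hunting with uploaded STIX files), not Demisto's own code or API: the logic a scheduled Job's playbook would need to pull simple equality indicators out of a STIX 2 bundle and sweep proxy logs for them. The bundle, the indicator values and the log lines below are all constructed samples, not real IoCs.

```python
import json
import re

# Constructed STIX 2.1 bundle: two simple indicators plus a non-indicator object.
STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
         "pattern_type": "stix", "pattern": "[domain-name:value = 'bad.example.test']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
         "pattern_type": "stix", "pattern": "[file:hashes.'SHA-256' = 'aaaaaaaa1111']"},
        {"type": "malware", "id": "malware--00000000-0000-4000-8000-000000000004",
         "name": "sample-family", "is_family": True},
    ]
})

# Constructed proxy log lines; only line 2 contains one of the sample indicators.
PROXY_LOGS = [
    "2019-04-01T10:00:01Z src=10.0.0.5 host=intranet.example.test status=200",
    "2019-04-01T10:00:07Z src=10.0.0.9 host=BAD.example.test status=302",
    "2019-04-01T10:00:09Z src=10.0.0.5 host=updates.example.test status=200",
]

# Matches single-comparison STIX patterns such as [domain-name:value = 'x'].
# Compound patterns (AND/OR, ranges, regex operators) are intentionally skipped.
SIMPLE_PATTERN = re.compile(r"^\[(?P<path>[\w\-.:']+)\s*=\s*'(?P<value>[^']*)'\]$")


def extract_iocs(bundle_json):
    """Return {lowercased value: (object path, indicator id)} for simple indicators."""
    iocs = {}
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator":
            continue
        match = SIMPLE_PATTERN.match(obj.get("pattern", ""))
        if match:
            iocs[match.group("value").lower()] = (match.group("path"), obj["id"])
    return iocs


def hunt(log_lines, iocs):
    """Return (line number, ioc value, indicator id) for every log line that contains an IoC."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        lowered = line.lower()  # case-insensitive, since hostnames and hashes vary in case
        for value, (_path, indicator_id) in iocs.items():
            if value in lowered:
                hits.append((number, value, indicator_id))
    return hits
```

A playbook step would then open an incident for each hit rather than waiting for a detection system to fire.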
By using Demisto’s playbooks both as response mechanisms to incidents and as proactive Jobs, SOCs can cater to holistic security operations without being forced into a reaction-only mindset.
To see Demisto in action, you can download our Free Community Edition below.