New forms of sophisticated cybersecurity threats are continually emerging to target enterprises by using multiple attack vectors and entry points. In this environment, security teams often waste time collecting data from disparate sources and performing repetitive tasks while the attack continues to spread through the system. SOCs need security tools that provide analysts with rich, correlated data and automate repetitive tasks, so that analysts have the time and energy they need for incident resolution.
- Ingest insights from JASK to create incidents in Demisto and trigger automated triage, enrichment, and response.
- Search for specific JASK insights, signals, and entities from within Demisto.
- Access JASK entity whitelists, related entities, and riskiest entity details for deeper investigations in Demisto.
- Leverage hundreds of Demisto product integrations to enrich insights from JASK and coordinate response across security functions.
- Run thousands of commands (including JASK commands) interactively via a ChatOps interface while collaborating with other analysts and Demisto’s chatbot.
USE CASE #1
Automated insight ingestion, enrichment, and response
If SOCs use different solutions for data/log enrichment and incident response, it can be tough to track the lifecycle of an incident because of switching between screens, fragmented information, and the lack of single-window documentation. Analysts spend time on low-level tasks that could be better spent resolving the incident.
If SOCs use JASK for data enrichment and Demisto Enterprise for security orchestration and automation, they can automate incident creation in Demisto for each insight type in JASK. They can also trigger playbooks to execute upon incident creation. These playbooks orchestrate enrichment and response actions across the entire stack of products that a SOC uses, in a single screen and a seamless workflow.
For example, analysts can create tickets, quarantine endpoints, retrieve pcaps, and send emails as automatable playbook tasks.
JASK’s rich data coupled with Demisto playbooks can speed up incident triage and resolution. Analysts get a comprehensive view of the incident’s lifecycle, access documentation from a single source, and no longer need to switch between screens while performing investigation actions.
To learn more about our integration with JASK, download our joint solution brief.
USE CASE #2
Interactive, real-time investigation for complex threats
While standardized, repeatable playbooks can automate commonly performed tasks to ease analyst load, an attack investigation usually requires additional steps such as pivoting from one suspicious indicator to another to gather critical evidence, drawing relations between incidents, and finalizing resolution. Running these commands by hand traps analysts in a screen-switching cycle during the investigation and a documentation-chasing cycle after it ends.
After running enrichment playbooks, analysts can gain greater visibility and new actionable information about the attack by running JASK commands in the Demisto War Room. For example, if playbook results surface signal details from JASK, analysts can get a list of records related to that signal and access entity whitelists by running the respective JASK command. Analysts can also run commands from other security tools in real time from the War Room, giving a single-console view for end-to-end investigation.
The War Room documents all analyst actions and, over time, suggests the most effective analysts and command sets.
The War Room allows analysts to quickly pivot and run commands relevant to incidents in their network from a common window. All participating analysts have full task-level visibility of the process and can run and document commands from the same window. This also removes the need to collate information from multiple sources for documentation.
We hope you found this integration overview helpful. To explore Demisto in greater detail, you can access the Free Community Edition below.
Stay tuned for more product integration walkthroughs in the coming weeks.