This is a quick overview of how users can share indicators across instances of Demisto Enterprise. Sharing indicators across instances can be very useful if SOCs are geographically distributed, have different consoles for specific teams, or have separate instances for each business unit.
Through a simple Indicator Sharing playbook, users can set custom criteria for indicators from Demisto’s central indicator repository that they’d like to share with peer organizations and thus increase the efficiency of security operations. Demisto supports multi-party sharing and bidirectional syncs across instances. These sharing operations can be scheduled to run at regular intervals or run on-demand across organizations.
This is not a replacement for STIX and TAXII, the standard format and transport protocol for sharing indicators with arbitrary parties. This playbook is meant for easier Demisto-to-Demisto indicator sharing that obviates the need for working with formats, tools, and consoles outside of Demisto.
What is the Central Indicator Repository?
Demisto’s Central Indicator Repository is an auto-recorded collection of indicators across incidents and alerts ingested into the platform. These indicators are captured along with important labels and properties such as source, reputation, time stamps, incident correlations, and so on. You can read more about the Central Indicator Repository here.
Setting Up Demisto Integration
Before running the Indicator Sharing Playbook, users will need to set up the Demisto REST API integration on their environment. This integration lets one Demisto instance call another over its REST API, so it must be configured on every instance that will push indicators to a peer.
To set up the integration, go to Settings -> Integrations -> Servers & Services and search for Demisto REST API.
Click 'Add Instance', enter the destination server URL and an API key generated on that destination instance, and click 'Done' to finish setting up the integration. Because the key lets the source instance write indicators into the destination, generate a dedicated key for each peer so it can be revoked on its own, and keep certificate verification enabled rather than trusting any certificate.
This integration will now be used every time the Indicator Sharing Playbook is run.
Indicator Sharing Playbook
Let’s look at the default version of the Indicator Sharing Playbook.
This playbook, which can be scheduled or run on-demand, checks indicators against conditions specified by the user and shares the matching indicators with the destination systems. In the default version, the only condition this playbook checks is whether the ‘Shared’ field of an indicator is set to true.
Users can edit these conditions for greater complexity. For instance, a modified condition can require that the ‘Shared’ value is true, the reputation is malicious, and the timestamp is recent, so that benign or stale indicators are never pushed to a peer just because someone ticked the box.
For example, a query can be written to share only indicators whose 'Shared' value is true and whose reputation is bad.
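The following is an added example, not Demisto's own playbook code, that models the selection step described above with the extended condition (Shared is true, reputation is bad, modified recently) and a push loop that will not echo a peer's own indicators back to it during a bidirectional sync. The indicator records are constructed sample data; the field names ('value', 'type', 'shared', 'reputation', 'modified', 'source'), the POST /indicator/create endpoint, the 'Authorization' header and the use of score 3 for a bad verdict are assumptions made for the example.

```python
"""Selection and push logic for Demisto-to-Demisto indicator sharing.

Added example, not the page's or Demisto's own code. Assumed, not taken from
the page: indicator dicts with the keys 'value', 'type', 'shared',
'reputation', 'modified', 'source'; the peer is reached via
POST <server>/indicator/create with the API key in an 'Authorization' header;
'score' 3 encodes a bad verdict.
"""
import json
from datetime import datetime, timedelta, timezone
from urllib import request

BAD_REPUTATIONS = {"Bad", "Malicious"}

# Constructed sample records, shaped like entries in the central indicator repository.
SAMPLE_INDICATORS = [
    {"value": "198.51.100.23", "type": "IP", "shared": True, "reputation": "Bad",
     "modified": "2020-02-10T09:15:00Z", "source": "SOC-EU"},        # should be shared
    {"value": "203.0.113.7", "type": "IP", "shared": True, "reputation": "Good",
     "modified": "2020-02-11T12:00:00Z", "source": "SOC-EU"},        # Shared set, but benign
    {"value": "bad.example", "type": "Domain", "shared": False, "reputation": "Bad",
     "modified": "2020-02-11T08:30:00Z", "source": "SOC-EU"},        # never marked for sharing
    {"value": "203.0.113.99", "type": "IP", "shared": True, "reputation": "Bad",
     "modified": "2019-06-01T00:00:00Z", "source": "SOC-EU"},        # too old
    {"value": "44d88612fea8a8f36de82e1278abb02f", "type": "File", "shared": True,
     "reputation": "Bad", "modified": "2020-02-11T15:45:00Z", "source": "SOC-US"},  # came from the peer
]

# Constructed reference time for the sample data above.
NOW = datetime(2020, 2, 12, tzinfo=timezone.utc)


def parse_timestamp(value):
    """Parse an ISO-8601 timestamp; a trailing 'Z' is rewritten for fromisoformat()."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def select_for_sharing(indicators, now, max_age_days=7, peer=None):
    """Return the indicators that satisfy the sharing conditions.

    The default playbook only checks the Shared flag; the reputation and age
    checks mirror the extended condition described in the text. Skipping
    records whose source is the destination peer stops a bidirectional job
    from sending a peer its own indicators back (and receiving them again).
    """
    cutoff = now - timedelta(days=max_age_days)
    selected = []
    for ind in indicators:
        if not ind.get("shared"):
            continue
        if ind.get("reputation") not in BAD_REPUTATIONS:
            continue
        if parse_timestamp(ind["modified"]) < cutoff:
            continue
        if peer is not None and ind.get("source") == peer:
            continue
        selected.append(ind)
    return selected


def to_create_body(ind, origin):
    """Request body for the assumed indicator-create endpoint, stamped with the
    sending instance so the receiver can apply the same echo filter."""
    return {"indicator": {"value": ind["value"], "indicator_type": ind["type"],
                          "score": 3,  # assumed: 3 encodes a bad verdict
                          "source": origin}}


def push_indicators(server, api_key, indicators, origin, send=None):
    """Send each selected indicator to the peer; returns (value, status) pairs.

    send(url, body) is injectable so the logic can be exercised offline; the
    default performs the HTTPS POST with certificate verification left on.
    """
    if send is None:
        def send(url, body):
            req = request.Request(url, data=json.dumps(body).encode(), method="POST",
                                  headers={"Authorization": api_key,
                                           "Content-Type": "application/json",
                                           "Accept": "application/json"})
            with request.urlopen(req, timeout=15) as resp:
                return resp.status
    base = server.rstrip("/")
    results = []
    for ind in indicators:
        status = send(f"{base}/indicator/create", to_create_body(ind, origin))
        results.append((ind["value"], status))
    return results


if __name__ == "__main__":
    chosen = select_for_sharing(SAMPLE_INDICATORS, NOW, peer="SOC-US")
    # Dry run: record what would be posted instead of opening a connection.
    sent = []
    print(push_indicators("https://peer.example", "redacted-key", chosen, "SOC-EU",
                          send=lambda url, body: sent.append((url, body)) or 200))
```

With the sample data only 198.51.100.23 is pushed: the benign, unflagged and stale entries fail the condition, and the file hash is dropped because its source is the peer itself. Stamping each pushed indicator with the sending instance is what makes that last check possible on the receiving side as well.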
Running the Playbook
Let’s go over a sample run of this playbook that involves sharing a single indicator with a destination system. To enable sharing for this indicator, click the ‘Edit’ button after selecting the indicator in the Central Indicator Repository.
Next, check the ‘Shared’ option for this indicator so that it matches the condition in the playbook.
Once this is done, the Indicator Sharing Playbook will share this indicator with the destination system the next time it runs, as set by the schedule. Users can change this schedule from the ‘Jobs’ screen or click ‘Run Now’ to run the playbook immediately.
This is a quick and easy way to share indicators across Demisto instances, and another example of how security orchestration and automation can improve organizational efficiencies.
If you’d like to explore Demisto features in greater detail, sign-up for the Community Edition below.