In today’s ever-changing security landscape, incident response teams need to take advantage of the breadth of external threat intelligence available in real-time to enrich data gathered from internal logs and systems, and to better understand threats impacting their organizations.
With this integration, security teams get direct access via Demisto to PolySwarm's real-time threat intelligence from a crowdsourced network of security experts and antivirus companies. This rich source of threat intelligence can now be leveraged during incident investigations or by automated playbooks to improve threat visibility and accelerate incident response.
Integration Features
- Ingest PolySwarm alerts to be leveraged for playbook-driven tasks within Demisto.
- Run automated scans, searches and threat hunting, either as automatable playbook tasks or in real-time.
- Get details on suspicious files or URLs from within Demisto for enhanced incident context.
- Leverage hundreds of Demisto product integrations by using PolySwarm intelligence and coordinating response across security functions.
- Run thousands of actions (including for PolySwarm) interactively via a ChatOps interface while collaborating with other analysts and Demisto’s chatbot.
Use Case #1: Automated Threat Enrichment and Response
Challenge
In order to track the lifecycle of an incident from detection to resolution, security teams often go through a host of security tools and repetitive actions, leaving them time-strapped for actual problem-solving and decision-making.
Solution
Security teams using PolySwarm for threat intelligence and Demisto Enterprise for security orchestration and automation can automate indicator enrichment from PolySwarm through Demisto playbooks. These playbooks harness real-time, crowdsourced intelligence from PolySwarm for use in automated actions across the entire stack of products that a SOC uses.
For example, analysts can check file, domain, IP or URL reputation of suspicious files or URLs directly via Demisto.
Benefit
Demisto playbooks coupled with PolySwarm actions can standardize and speed up triage and resolution of security incidents. Analysts get a comprehensive view of the response workflow on a single screen. With the repeatable tasks now automated, analyst time is freed up for deeper investigation and strategic action.
Use Case #2: Interactive Real-Time Investigation for Complex Threats
Challenge
While automated playbooks can ease your analysts' workload, an attack investigation usually requires them to perform additional tasks such as pivoting from one suspicious indicator to another to gather critical evidence, drawing relations between incidents, and finalizing resolution.
Solution
After running playbooks, your analysts can gain greater visibility and new actionable information about the attack by running PolySwarm commands in the Demisto War Room. They can query and view data such as scan analysis results, reports or file details via the Work Plan and War Room windows. They can also run commands from other security tools in real-time, ensuring a single-console view for end-to-end investigation. The War Room auto-documents all analyst actions and makes recommendations for analyst assignments and command-sets over time.
Benefit
All participating analysts have full task-level visibility into the process and can run and document commands from the same window. Auto-documentation of all automation and analyst actions lets you bypass the manual collation of data for reports, and reports can be customized to suit the specific needs of your audience.
We hope you found this integration overview useful. To explore Demisto in greater detail, you can download our free community edition below.