1. ThreatFuse ingested data into Siemplify about new malicious entities – hashes, IPs and URLs:
    FileSHA1: 46930ec6d7ddf5fc7dc7e08fe5ec4bf6
    IP: 91.195.240.87
    URL: https://172.30.203.36/#/main/entity-explorer/HTTPS:%2F%2FWWW.EXPROOFPOINT.COM%2FCNPP%2FNFCCA.PHP/Default%20Environment
  2. Siemplify automation adds those entities to Firewall blocklists: URL and IP to Check Point blocklist, HASH – to SentinelOne blocklist.
  3. The playbook queries ThreatFuse in order to find other URLs and hashes related to malicious entities. Those entities can be found by campaigns, malicious actors and other types of associations. Related entities were successfully retrieved.
  4. Automation queries SIEM in order to find hosts that have interacted with malicious HASHes and URLs. The query returned following result:
    Following hosts interacted with malicious entities: DESKTOP-8P0TH6Q,LP-Yair,HW-HOST-027.


  1. The case is escalated and the case stage is changed to “Investigation”.
  2. Siemplify automation creates entities for affected internal hosts and adds them to the case.
    An analyst can now proceed with the response process

Need more help with this?
Click here to open a Support ticket

Was this helpful?

Yes No
You indicated this topic was not helpful to you ...
Could you please leave a comment telling us why? Thank you!
Thanks for your feedback.