- ThreatFuse ingested new malicious entities (hashes, IPs and URLs) into Siemplify.
- Siemplify automation adds those entities to the blocklists: URLs and IPs go to the Check Point blocklist, hashes to the SentinelOne blocklist.
- The playbook queries ThreatFuse to find other URLs and hashes related to the malicious entities, by campaign, threat actor and other types of association. The related entities were retrieved successfully.
- Automation queries the SIEM to find hosts that have interacted with the malicious hashes and URLs. The query returned the following result:
  Following hosts interacted with malicious entities: DESKTOP-8P0TH6Q,LP-Yair,HW-HOST-027.
- The case is escalated and the case stage is changed to “Investigation”.
- Siemplify automation creates entities for the affected internal hosts and adds them to the case.
An analyst can now proceed with the response process.
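The playbook logic above, as an added Python example that is not part of the Siemplify or ThreatFuse product code: it routes entities to the two blocklists by type, expands them through related-entity associations, and correlates the hashes and URLs against SIEM events to produce the list of affected hosts. The entity values, associations, log lines and function names are all constructed for this example.

```python
import re

# Constructed sample data (not from the page): entities as ThreatFuse would ingest
# them, the associations it would return, and tab-separated SIEM events (host, indicator).
INGESTED = ["198.51.100.23", "http://bad.example/dl", "d41d8cd98f00b204e9800998ecf8427e"]
RELATED = {"http://bad.example/dl": ["http://bad.example/c2"],
           "d41d8cd98f00b204e9800998ecf8427e": ["9e107d9d372bb6826bd81d3542a419d6"]}
SIEM_LOGS = ("WS-001\t198.51.100.23\n"
             "WS-002\thttp://bad.example/c2\n"
             "WS-003\t9e107d9d372bb6826bd81d3542a419d6\n"
             "WS-004\thttp://benign.example/\n")

HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)  # MD5/SHA1/SHA256
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def entity_type(value):
    """Classify an indicator so it can be routed to the right control."""
    if HASH_RE.match(value): return "HASH"
    if IP_RE.match(value): return "IP"
    return "URL" if value.lower().startswith(("http://", "https://")) else "UNKNOWN"

def route_to_blocklists(entities):
    """Step 2: URL and IP go to the Check Point list, HASH to the SentinelOne list."""
    target = {"URL": "checkpoint", "IP": "checkpoint", "HASH": "sentinelone"}
    lists = {"checkpoint": set(), "sentinelone": set()}
    for e in entities:
        if entity_type(e) in target: lists[target[entity_type(e)]].add(e)
    return lists

def expand_related(entities, associations):
    """Step 3: pivot on ThreatFuse associations (campaign, actor) for related URLs/hashes."""
    related = {r for e in entities for r in associations.get(e, [])}
    return set(entities) | related

def hosts_that_interacted(indicators, logs):
    """Step 4: the SIEM query, simulated as a scan of host/indicator events for HASH and URL IOCs."""
    wanted = {i for i in indicators if entity_type(i) in ("HASH", "URL")}
    events = (line.split("\t", 1) for line in logs.splitlines())
    return sorted({host for host, ind in events if ind in wanted})

def run_playbook(ingested, associations, logs):
    """Steps 2 to 7 in order; returns the case state an analyst would pick up."""
    iocs = expand_related(ingested, associations)
    hosts = hosts_that_interacted(iocs, logs)
    # Assumption: escalate to "Investigation" only when the SIEM query returned hosts.
    return {"blocklists": route_to_blocklists(ingested), "hosts": hosts,
            "stage": "Investigation" if hosts else None}
```

Note that WS-001 is not returned even though it contacted the blocked IP: the SIEM step, as described above, searches only for hashes and URLs, so IP hits need a separate query if they are wanted.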