Investigating Cyber Incidents with Demisto and Facebook ThreatExchange

Meir Wahnon
Jul 10, 2017 · 5 min read

Investigating a cyber incident is not easy: you usually need to gather information by ingesting data from multiple sources, both internal and external, and decide what is relevant and might be an indicator.

This process is called triage, and an important part of it is fetching data from Threat Intelligence platforms, which provide information about indicators and threat actors.
One of these Threat Intelligence platforms is ThreatExchange by Facebook, a platform where organizations and vendors can share threat information in a secure manner.

How to enhance the Demisto platform with Facebook’s ThreatExchange capabilities.

To set up the ThreatExchange integration in the Demisto platform, you must first make sure you have an App ID and App Secret provided by the Facebook ThreatExchange program. You can request those here.

Now head over to the integrations page (under the Settings section), pick the “Servers and Services” tab, and search there for ThreatExchange.
Once found, just add an instance by filling in the required App ID and App Secret:

Run the Test button to make sure the credentials you entered are correct, and then hit the Done button if they pass. Treat the App Secret like any other credential: together with the App ID it is what authenticates your organization to ThreatExchange, so restrict who can view or edit the instance settings.

So now that ThreatExchange is configured, we can start using it inside a cyber incident in Demisto. You can do this by investigating an incident from the incidents page, or by jumping to the playground if you just want to play with the integration.

In the Demisto CLI, try running the following command:

!domain biotecku.xyz 

This will check the domain “biotecku.xyz” against all the integrations that support the domain command (ThreatExchange is one of them).
If you want to run this command against ONLY ThreatExchange, add the “using” argument like this:

!domain biotecku.xyz using=threatexchange_instance_1

This will be the result in the incident war room:

Notice this is a malicious domain; you can see that in the result JSON.

Another supported command is !ip, to search reputation by IP address:

!ip ip=8.8.8.8

This will return an empty JSON, since 8.8.8.8 is not an IP that appears in ThreatExchange. An empty result means the feed has no record of the indicator, not that the indicator is known to be clean.

Another supported command is !file, to check file hash reputation, like:

!file dad3cf441c1da21395861b686d599799

These are simple automations you can trigger during manual investigation of an incident. You can go further by incorporating them inside an automated (or semi-automated) playbook, so that the triage stage of your incident investigation runs on its own.

Let’s do a short playbook example: go to the Demisto playbooks page and create a new playbook:

This template playbook starts with a first step that we can connect additional steps to.
We can add steps either from the playbook palette or from the task library; since we know we want to use a ThreatExchange task, the task library is easier:

You can now easily see all the tasks supported by ThreatExchange and add them to the playbook; let’s choose the file task:

Here you can modify the task name and description, and of course wire up the task input. In this case I want it to check all files attached to the incident, so as the source input I will use the special value ${File.MD5}, which brings in the MD5 values of all attached files as input for this task.

Next, I want to wire up a condition task (I will use the pre-built IsMaliciousIndicatorFound task) that checks whether any malicious indicator was found; based on that I will continue my playbook logic.

Once I wire the line from that step, a popup will ask me which path to take:

I will choose the “yes” branch, and in that case I want to re-check the file hash with VirusTotal:

Otherwise, I just want to print that we are all clear:

Let’s run this playbook by creating a new incident and choosing our new playbook to run on it:

I will attach a non-malicious file and investigate the incident; the playbook will be triggered and will execute the steps in order:

Let’s review what just happened:

All the tasks in green were executed; the grayed-out tasks were not executed, because the playbook path did not reach them.

Let’s drill down into the file step result:

First, in the step details, you can see it translated the attached file to its MD5 automatically in its inputs:

And the results:

ThreatExchange did not have any details about the file attached to the incident, so our next step finds no malicious indicators in the incident:

and therefore goes to the print task:
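To make the playbook’s decision logic concrete, here is an added example (not code from this post, from Demisto, or from the ThreatExchange integration) that models the same flow offline in Python: collect every ${File.MD5} from the incident context, score each indicator the way a reputation command populates DBotScore (0 unknown, 1 good, 2 suspicious, 3 bad), apply the IsMaliciousIndicatorFound condition, and pick the VirusTotal re-check branch or the all-clear branch. The ThreatExchange lookups are replaced by a constructed in-memory table: the domain entry reflects the result shown earlier in the post, the hash entries are made up, and the status names and the helper functions are this example’s own assumptions. It also covers the CLI commands above, since the same scoring applies to a single !domain or !ip lookup.

```python
"""Offline model of the ThreatExchange triage playbook described in the post.

Added example, not the post's or Demisto's own code. ThreatExchange answers are
stubbed with a constructed table so the logic can run without credentials.
"""
import re
from typing import Any, Dict, List, Optional

# DBotScore values used by Demisto: 0 unknown, 1 good, 2 suspicious, 3 bad.
UNKNOWN, GOOD, SUSPICIOUS, BAD = 0, 1, 2, 3

# Constructed stand-in for the integration's answers (assumption: one
# descriptor status per indicator). The domain reflects the post's own result;
# the hash is invented for the malicious-file path. Anything missing is
# "no record", i.e. the empty-JSON case the post shows for 8.8.8.8.
FAKE_THREATEXCHANGE: Dict[str, Optional[str]] = {
    "biotecku.xyz": "MALICIOUS",
    "0123456789abcdef0123456789abcdef": "MALICIOUS",
}

# Assumed mapping from a feed status to a DBotScore.
STATUS_TO_SCORE = {"MALICIOUS": BAD, "SUSPICIOUS": SUSPICIOUS, "NON_MALICIOUS": GOOD}
MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def extract_md5s(context: Dict[str, Any]) -> List[str]:
    """Mirror the ${File.MD5} input: the MD5 of every File entry in context.

    Demisto keeps a single context object as a dict and several as a list, so
    both shapes are accepted. Values are lower-cased and anything that is not a
    well-formed MD5 is dropped, so malformed input never reaches the lookup.
    """
    files = context.get("File", [])
    if isinstance(files, dict):
        files = [files]
    md5s = []
    for entry in files:
        digest = str(entry.get("MD5", "")).strip().lower()
        if MD5_RE.match(digest):
            md5s.append(digest)
    return md5s


def lookup(indicator: str, indicator_type: str,
           table: Dict[str, Optional[str]] = FAKE_THREATEXCHANGE) -> Dict[str, Any]:
    """Return a DBotScore-style entry for one indicator (domain, ip or file).

    An indicator the feed has no record of scores UNKNOWN (0): absence of a
    record is not evidence that the indicator is clean.
    """
    status = table.get(indicator)
    return {
        "Indicator": indicator,
        "Type": indicator_type,
        "Vendor": "ThreatExchange",
        "Score": STATUS_TO_SCORE.get(status, UNKNOWN),
    }


def is_malicious_indicator_found(dbot_scores: List[Dict[str, Any]]) -> bool:
    """The condition task: true when any vendor scored an indicator as bad (3)."""
    return any(entry["Score"] == BAD for entry in dbot_scores)


def run_playbook(context: Dict[str, Any],
                 table: Dict[str, Optional[str]] = FAKE_THREATEXCHANGE) -> Dict[str, Any]:
    """Walk the playbook: file task -> condition -> VirusTotal re-check or all clear."""
    scores = [lookup(digest, "file", table) for digest in extract_md5s(context)]
    if is_malicious_indicator_found(scores):
        branch = "recheck-with-virustotal"
        recheck = [e["Indicator"] for e in scores if e["Score"] == BAD]
    else:
        branch = "all-clear"
        recheck = []
    return {"DBotScore": scores, "branch": branch, "recheck": recheck}


if __name__ == "__main__":
    # Constructed incident context: one attached file the feed has never seen,
    # the same situation as the run shown in the post.
    incident = {"File": {"Name": "report.pdf", "MD5": "d41d8cd98f00b204e9800998ecf8427e"}}
    print(run_playbook(incident))
```

Two details worth carrying into a real playbook: the hash is validated before any lookup, so a stray value in context cannot turn into a bad API call, and an unknown indicator scores 0 rather than 1, so “ThreatExchange has nothing” keeps the file out of the malicious branch without silently marking it good.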

This is a glimpse of the power of playbook automation with ThreatExchange and Demisto. Feel free to contribute your own open source playbook at:
https://github.com/demisto/content

And download our free community edition at:
https://www.demisto.com/

Look for more Demisto integrations at: https://www.demisto.com/partners/
