Building Best-of-Both-Worlds Automation and Threat Intel With Swimlane and VirusTotal Part One – Security Boulevard

Posted: November 5, 2021 at 10:16 pm

With extensive out-of-the-box integrations and an API-first architecture, Swimlane interoperates with any organization's existing security stack. Integrations for new and custom applications can also be developed quickly using common scripting languages and a RESTful API.

The new partnership between Swimlane and VirusTotal is a good example of this approach in action. In this two-part blog series, we'll start by looking at how the two products work together, and in part two we'll share step-by-step guidance for users who want to go live with this integration.

VirusTotal's new VT Augment Widget lets Swimlane (and other applications) display up-to-date VirusTotal threat intelligence directly inside the Swimlane platform, and the same API call also returns an immediately actionable detection ratio.

This lets analysts drill down into the latest, most actionable intelligence, and lets us automate initial classification and triage of an IOC from a single API call.

How it works

In order to integrate the new VT Augment functionality into Swimlane, we first had to decide how to architect the solution. We settled on the following workflow:

1. A Source Alert, such as a phishing email or an XDR alert, enters the Swimlane platform.

2. IOCs are extracted from the alert. The supported IOC types are:

- External IP addresses

- Domains

- URLs

- File hashes (MD5/SHA1/SHA256)

3. Swimlane calls the VT Augment API for each IOC, with the following parameters:

- query: the IOC for which we wish to obtain reputation information (required)

- fg1: the desired hex color of the main Widget text (optional)

- bg1: the desired primary background color in hex (optional)

- bg2: the desired secondary background color in hex (optional)

- bd1: the desired border color in hex (optional)

4. The API returns three values:

- url: the URL to use as the iframe src that displays the VT Augment Widget

- detections: the number of VT engines that flagged the IOC

- total: the number of engines the IOC was checked against

5. The returned detection ratio (detections/total) drives the initial determination of whether the IOC is malicious, and any automation built on that determination, such as prioritization.

6. The returned URL is embedded in an iframe in a Swimlane Widget, where it remains ready for manual analysis.

7. When an analyst opens the Threat Intelligence Record for the IOC, the Widget renders automatically, displaying the full results of the investigation from VirusTotal's VT Augment /widget/html endpoint.
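The steps above, as an added example that is not Swimlane's or VirusTotal's code: classify an IOC extracted from an alert into one of the supported types, build the widget request with the query and optional theme parameters named above, and derive an initial triage verdict from the returned detection ratio. The endpoint path (/api/v3/widget/url) and the response field names `found` and `detection_ratio` are assumptions based on VirusTotal's public API v3 documentation and should be checked against the current docs; the verdict thresholds are illustrative; and the response is a constructed sample, so nothing here touches the network.

```python
"""Added example: IOC classification, VT Augment widget request building,
and detection-ratio triage. Endpoint path, `found` and `detection_ratio`
field names are ASSUMPTIONS (check VirusTotal's API v3 docs); thresholds
are illustrative; the sample response is constructed, not real data."""
import ipaddress
import json
import re
from urllib.parse import urlencode

# ASSUMPTION: path of the VT Augment endpoint that returns the widget URL.
VT_WIDGET_URL_ENDPOINT = "https://www.virustotal.com/api/v3/widget/url"

HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)  # MD5/SHA1/SHA256
DOMAIN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$", re.I)


def classify_ioc(value):
    """Return 'hash', 'ip', 'url' or 'domain'; None for anything unsupported.
    Private/reserved IPs return None: the post only looks up external IPs."""
    v = value.strip()
    if HASH_RE.match(v):
        return "hash"
    try:
        ip = ipaddress.ip_address(v)
    except ValueError:
        pass
    else:
        return "ip" if ip.is_global else None
    if re.match(r"^https?://", v, re.I):
        return "url"
    if DOMAIN_RE.match(v):
        return "domain"
    return None


def build_widget_request(ioc, fg1=None, bg1=None, bg2=None, bd1=None):
    """Build the GET URL: `query` is required, the four theme colours are
    optional and validated as 6-digit hex so bad input never reaches VT."""
    params = {"query": ioc}
    for name, val in (("fg1", fg1), ("bg1", bg1), ("bg2", bg2), ("bd1", bd1)):
        if val is not None:
            if not re.fullmatch(r"[0-9a-fA-F]{6}", val):
                raise ValueError(f"{name} must be a 6-digit hex colour, got {val!r}")
            params[name] = val
    return f"{VT_WIDGET_URL_ENDPOINT}?{urlencode(params)}"


def triage(response_json, suspicious_at=1, malicious_at=5):
    """Turn a widget/url response into (verdict, "detections/total", widget_url).
    Thresholds are illustrative; an IOC VT has never seen is 'unknown',
    not 'clean', so the record is not closed on absence of evidence."""
    data = json.loads(response_json)["data"]
    if not data.get("found", False):  # ASSUMED field name
        return ("unknown", "0/0", data.get("url"))
    ratio = data["detection_ratio"]  # ASSUMED field name
    det, total = int(ratio["detections"]), int(ratio["total"])
    if total == 0:
        verdict = "unknown"
    elif det >= malicious_at:
        verdict = "malicious"
    elif det >= suspicious_at:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return (verdict, f"{det}/{total}", data["url"])


# Constructed sample response in the assumed widget/url shape (not real data).
SAMPLE_RESPONSE = json.dumps({
    "data": {
        "url": "https://www.virustotal.com/ui/widget/html/EXAMPLE-TOKEN",
        "found": True,
        "detection_ratio": {"detections": 12, "total": 70},
    }
})

if __name__ == "__main__":
    for ioc in ("8.8.8.8", "10.0.0.5", "example.com", "https://example.com/x",
                "d41d8cd98f00b204e9800998ecf8427e"):
        print(ioc, "->", classify_ioc(ioc))
    print(build_widget_request("example.com", fg1="ffffff", bg1="1a1a1a"))
    print(triage(SAMPLE_RESPONSE))
```

Treat the returned widget URL as an opaque value to embed as-is in the iframe src; do not try to construct it client-side, and keep the API key on the automation side rather than in the browser.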

This workflow is documented in the following diagram:

In part two, we'll walk through the process of adding VT Augment functionality to a Threat Intelligence Application in Swimlane.

*** This is a Security Bloggers Network syndicated blog from Swimlane (en-US) authored by Nick Tausek. Read the original post at: https://swimlane.com/blog/building-best-of-both-worlds-automation-and-threat-intel-with-swimlane-and-virustotal-part-one/
