Dan Schoenbaum

Announcing the Team Cymru Scout Integration With Palo Alto Cortex XSOAR

Enhance threat investigations by combining the world’s largest threat intelligence data lake with powerful automation and workflow capabilities


In the SOC, timely and accurate threat intelligence is essential for conducting investigations and effective incident response. The need for automation and orchestration is also greater than ever, given limited resources and the growing volume of sophisticated attacks, malware, and alerts.


We're excited to announce an integration between Team Cymru's Scout, which provides comprehensive insights on IP addresses and domains, and Cortex XSOAR. The integration is available as a Content Pack and has been certified by Palo Alto Networks.


What is Team Cymru’s Scout?


Team Cymru’s Scout is a web- and API-based threat intelligence and investigation tool designed for security analysts of all experience levels. Scout has a simple GUI, graphical displays, tagged results, and easy-to-use searches. It helps analysts quickly determine whether a suspicious IP is malicious or compromised, and the underlying data (NetFlow communications, Whois data, passive DNS records, X.509 certificates, and fingerprinting details) is available to power a complete investigation.


Integrating Scout into Cortex XSOAR gives your team immediate access to the information it needs to triage and address potential threats. The integration not only streamlines the investigative process but can also reduce alert fatigue for Security Operations Center (SOC) teams.


Key Benefits: Team Cymru Scout Integration with Cortex XSOAR


1. Access to IP communications, NetFlow and domain intelligence to empower the Cortex War Room: Centralize all critical security data in the Cortex War Room and enrich it with Scout's external NetFlow, IP and domain intelligence. Scout's data helps you understand adversary communication patterns and other critical details about a potential threat, so your team can conduct the investigation and launch the appropriate playbooks to drive an automated response.



Above: IP information is automatically extracted from Scout into the XSOAR War Room for deep IP and domain analysis to accelerate information gathering necessary for an investigation or to drive an automated response


2. Real-Time External Threat Intelligence: Get immediate access to vital information, allowing security teams to make informed decisions quickly.


  • Communication Data: Leverage communication data to identify correlations between IP addresses, uncover compromised hosts, and discover other indicators of an attack.


  • NetFlow, Whois and Related Information: Access a quick summary of NetFlow communications, Whois data, passive DNS (PDNS) records, X.509 certificates, and fingerprinting details, all in one place.


  • IPv4 and IPv6 Support: The integration supports both IPv4 and IPv6 address queries, so you can investigate any potential threat regardless of IP version.



Above: Scout automatically enriches XSOAR with NetFlow communications data, fingerprint information, X.509 certificates, passive DNS records, and other critical IP and domain intelligence.


3. Add Critical Data to your Evidence Board: Streamline work by collecting and reviewing everything in one place. Under the Evidence Board tab, you will find the indicators and other evidence flagged earlier in the War Room. You can use this evidence to track the details needed for your response and to populate post-mortem reports and stakeholder presentations.


4. Empower Automated Security Workflows: Cortex XSOAR provides thousands of automation scripts out of the box. Indicators gleaned through the Scout integration help you make rapid decisions and carry out remedial actions such as blocking the indicator and thwarting the attacker's lateral movement.


5. Provide Indicators and Data for Closure and Post-Mortem: Open, edit, and close incident tickets from within XSOAR without pivoting to ServiceNow, Jira, Slack or other tools, and use the information from Scout to inform and streamline that process.


For more information about specific use cases and the integration, you can visit the Scout / Cortex XSOAR Web page on the Team Cymru Website. 


How to Get Started: 


-Access the Team Cymru Scout platform. If you don’t yet have access, please contact our team.

-Use an API Key or Basic Auth credentials for authentication.


Generating API Keys: If you prefer to use an API key for authentication, you can generate one as follows:

  • Go to the Team Cymru Scout API Keys page.

  • Click on the "Create" button.

  • Provide a description for the key, if needed.

  • Click on the "Create Key" button to generate the API key.


Download the Team Cymru Content Pack for Palo Alto XSOAR in the Palo Alto Cortex Marketplace. 


Note: The number of API keys allowed for each organization is equal to the number of user seats. An individual user may therefore hold multiple keys, but the keys held by all users in your organization together may not exceed the seat count (with five seats, for example, a maximum of five keys). The API Keys page shows the total number of keys in use by your organization.


Download and use with confidence


This integration has been formally certified by Palo Alto Networks. Team Cymru provides comprehensive documentation and support resources to assist with setup, configuration, and troubleshooting, ensuring a smooth integration process. For technical questions or support contact: support@cymru.com.


Conclusion


The integration of Team Cymru's Scout into Palo Alto Cortex XSOAR is a significant step forward in enhancing your threat investigation and automated response capabilities. 


The Scout integration enhances your investigation, analysis, and response capabilities by providing real-time insights and comprehensive data on IPs and domains, PDNS, and NetFlow that reveal adversary and threat actor communications. Your team will be better equipped to detect, identify, respond to, and mitigate even the toughest threats.


What are you waiting for? Get Started Here: 
