WEBVTT

1
00:00:04.140 --> 00:00:17.250
Nick Lewis: Hi everyone, welcome to the NET+ Palo Alto Networks community call for September 2021. I'm Nick Lewis from Internet2 and we'll get kicked off for this month real quick.

2
00:00:18.300 --> 00:00:23.220
Nick Lewis: This call is recorded. We'll be posting the recording on the NET+ Palo Alto Networks

3
00:00:25.260 --> 00:00:32.370
Nick Lewis: wiki, and if you haven't renamed yourself to be your name plus your campus name in Zoom, please do so, so that

4
00:00:34.140 --> 00:00:40.140
Nick Lewis: all the other attendees have that context as we're going along during any discussion that we have.

5
00:00:42.030 --> 00:00:47.220
Nick Lewis: So the call this month is on security ops automation.

6
00:00:48.390 --> 00:00:52.230
Nick Lewis: Alex Garcia will be talking a bit about XSOAR.

7
00:00:53.460 --> 00:01:03.420
Nick Lewis: And one of the things that we've done as part of the NET+ Palo Alto Networks program is we built out specific bundles, and in the previous calls we've gone over

8
00:01:05.340 --> 00:01:12.390
Nick Lewis: remote access, cloud native security, next gen, XDR, and the call this month is focused on security automation.

9
00:01:16.620 --> 00:01:17.130
Nick Lewis: and

10
00:01:18.690 --> 00:01:36.360
Nick Lewis: As part of the security automation discussion, we know that there's a number of campus challenges that you have around too many security products that don't work together and an increasing number of tasks and types of attacks, and so Alex will talk a bit about how

11
00:01:37.590 --> 00:01:41.040
Nick Lewis: you can use the Palo Alto Networks XSOAR as part of the automation.

12
00:01:43.470 --> 00:01:44.100
Nick Lewis: and

13
00:01:45.270 --> 00:01:46.110
Nick Lewis: Over to you, Sophie.
14
00:01:50.670 --> 00:02:01.800
Sophie Marinelli: Thanks, Nick. Sophie Marinelli here. I am actually filling in for Hunter Elite, he is our higher education strategist at Palo Alto Networks.

15
00:02:02.730 --> 00:02:14.910
Sophie Marinelli: But, you know, just thank you for joining the fourth call in the series with Internet2 and NET+. Like Nick said, we're going to talk about security operations automation today with XSOAR, and

16
00:02:16.470 --> 00:02:20.850
Sophie Marinelli: as part of the four bundles that we have been talking about, you know, over the past couple of months.

17
00:02:21.570 --> 00:02:30.450
Sophie Marinelli: We will be doing a recap next month in October's call, and, you know, we'll tie it all together and show you how

18
00:02:31.140 --> 00:02:45.090
Sophie Marinelli: it can be perceived as one comprehensive solution for you. But for today, I just want to turn it over to Alex Garcia. He is the systems engineer specialist for Cortex XSOAR. I'll just let it

19
00:02:46.800 --> 00:02:47.100
Sophie Marinelli: out.

20
00:02:47.940 --> 00:02:51.750
Alex Garcia: Thank you, Sophie. Let me go ahead and share my screen. Welcome, everybody.

21
00:02:52.290 --> 00:02:58.440
Alex Garcia: Thank you for giving me the opportunity to present to you guys, and thank you again for

22
00:02:58.650 --> 00:03:13.080
Alex Garcia: joining and learning a little bit more about XSOAR. So a little bit about myself: I've been in the industry for 20 years, so it's been a while. I started my career in the United States Air Force.

23
00:03:14.370 --> 00:03:14.940
Alex Garcia: and

24
00:03:16.320 --> 00:03:28.140
Alex Garcia: When I left the military service I jumped right into the customer side, right, so I've worked primarily based out of Houston, so I primarily work with oil and gas
25
00:03:29.970 --> 00:03:34.950
Alex Garcia: companies, enterprises, right, and we're here in the Gulf oil and gas district, right, so.

26
00:03:36.420 --> 00:03:36.720
Nisha Modi: But.

27
00:03:36.750 --> 00:03:38.940
Alex Garcia: But yeah, most of my career I spent on the customer side.

28
00:03:39.510 --> 00:03:56.640
Alex Garcia: And this is my first job where I'm working on the vendor side of things, right. So one of the things that I think I bring to Palo Alto Networks is that visibility from the customer side, because what I'm going to share with you guys here in the slides, I had to

29
00:03:57.900 --> 00:04:13.440
Alex Garcia: deal with some of these things, right. So one of the big things that we're looking to address is the alert fatigue, right. So as we know it today, security operations falls within the security program, right, and so

30
00:04:14.460 --> 00:04:29.760
Alex Garcia: the businesses are not up and running to deploy firewalls, to build the router ACLs and spam gateways and, you know, what have you. They're in business to sell their widgets, to make money

31
00:04:30.390 --> 00:04:41.400
Alex Garcia: and to keep moving forward, right, innovation and things like that. So what we have today with security operations is that sometimes we have to tactically deploy

32
00:04:42.180 --> 00:04:53.400
Alex Garcia: security tools because we experienced an issue, we experienced an incident that we have to mitigate, right, and so we've got to stop the bleeding, and so that has led us to a place where

33
00:04:54.690 --> 00:05:03.480
Alex Garcia: the SOC, the security analysts, are having to work with security tools across the infrastructure, across the enterprise, across the landscape essentially,
34
00:05:04.050 --> 00:05:17.790
Alex Garcia: as well as dealing with other teams, right, that sometimes you can't work with because they have other priorities. From my experience, you know, sometimes, specifically on the firewall side, you have those

35
00:05:18.690 --> 00:05:19.740
Alex Garcia: challenges where

36
00:05:20.340 --> 00:05:29.010
Alex Garcia: the line of who is responsible for the firewalls, is it IT security, is it the network team, you know, those things happen, right, I've seen them everywhere I've worked.

37
00:05:29.610 --> 00:05:36.480
Alex Garcia: We have to deploy, implement these RACI matrices and things like that to start to get the teams to work together.

38
00:05:36.780 --> 00:05:54.210
Alex Garcia: And that sometimes leads into some hostilities, so a lot of problems here with regards to people, technology and processes, right. So this is what we call our security operations as we know it today, so we call it a legacy SOC.

39
00:05:55.410 --> 00:06:06.000
Alex Garcia: So what are some of the enemies of the SOC? Because we have too many security tools out there, we're getting bombarded with too many alerts, and not

40
00:06:07.080 --> 00:06:15.570
Alex Garcia: just the quantity of alerts that we're getting but also the quality, right. So the quality is very important, and sometimes we miss these things.

41
00:06:16.260 --> 00:06:33.540
Alex Garcia: The investigations are taking way too long to identify what really needs to go up to tier two, tier three, and then the repetition of tasks, manual tasks, and this is a big one, because, again, going back to my experience with being on the customer side, you have

42
00:06:34.620 --> 00:06:45.750
Alex Garcia: analyst A, for example, that is used to addressing things in a certain way, in a way that may not be part of the standard operating procedure or may not be documented.
43
00:06:46.320 --> 00:06:54.570
Alex Garcia: And when he leaves the company or goes on vacation and you have to deal with something like this, you don't know where to start, so you've got to go down and

44
00:06:55.110 --> 00:07:06.240
Alex Garcia: figure it out on your own, and a lot of times those things don't get documented. So what is the impact to the SOC from those things that we're having to deal with? Again, the

45
00:07:06.870 --> 00:07:14.070
Alex Garcia: important threats get missed, right, so we're flooded with alerts and we may miss some really important things.

46
00:07:15.990 --> 00:07:31.470
Alex Garcia: And then most of our time is spent focusing on analyzing alerts, and so, like I said earlier, the security program should be there to bring value to the business, not bog it down, right, so

47
00:07:32.850 --> 00:07:50.340
Alex Garcia: we as practitioners should be bringing value to the program, but we can't because we're dealing with all these alerts and continuous firefighting, which leads us to, you know, maybe deploying more technology into the stack. Teams tend to

48
00:07:51.570 --> 00:07:59.580
Alex Garcia: get bigger because you need that headcount to tackle the amount of alerts that are coming in, and then all of that

49
00:08:00.330 --> 00:08:13.500
Alex Garcia: impacts the personnel morale, right. I've seen it, people are just leaving, you know, they spend maybe 9-12 months in a position and they leave, they find something else, and so that's sort of the impact to the SOC.

50
00:08:14.970 --> 00:08:29.880
Alex Garcia: Here's a slide, a high level view of what Palo Alto is doing to rewire the security operations center, and, you know, this is internal, this is the team that supports the security operations for Palo Alto Networks.
51
00:08:30.840 --> 00:08:40.140
Alex Garcia: So, as you can see here, we have our enforcement points deployed across the infrastructure, across the enterprise, from the network, endpoint and cloud.

52
00:08:40.650 --> 00:09:00.360
Alex Garcia: And the data that we're collecting from these enforcement points is being fed today to Cortex Data Lake. Some of the other tools that we use that are not Palo Alto products, Proofpoint, Rapid7, knock the, they're today flowing into DEMO, but with the introduction of Cortex

53
00:09:01.710 --> 00:09:12.150
Alex Garcia: there's a shift happening today where we're redirecting those logs into Cortex XDR, and eventually depot is going to become just cold storage,

54
00:09:13.170 --> 00:09:22.950
Alex Garcia: if you will, right, so most of our analytics are going to be run out of Cortex XDR, correlation rules are going to be run out of XDR, and

55
00:09:23.460 --> 00:09:29.940
Alex Garcia: then our SIEM queries are all going to get ported over into Cortex XDR, and

56
00:09:30.840 --> 00:09:37.860
Alex Garcia: those are going to trigger alerts, which are going to feed into XSOAR. XSOAR is then going to reach out to XDR and interrogate it, right, we're looking for things.

57
00:09:38.280 --> 00:09:43.740
Alex Garcia: And you can see over on the left hand side our threat intelligence, led by AutoFocus

58
00:09:44.310 --> 00:10:01.680
Alex Garcia: plus some additional threat intel feeds, they're also being fed into Cortex XSOAR, and the indicators that are coming out of XDR are being enriched all in one central location, and this, you can kind of start to see here that

59
00:10:02.700 --> 00:10:21.750
Alex Garcia: that deployment of the various products across the landscape is starting to get corralled into one central console, which is going to be XSOAR, right. So one of the things that we've addressed from a personnel perspective is
60
00:10:22.920 --> 00:10:29.190
Alex Garcia: we were a 24 by 7 shop, and so, because of the ability for us to,

61
00:10:30.240 --> 00:10:45.030
Alex Garcia: you know, feed these logs and incidents and alerts into XSOAR and then allowing the machine to respond to it, well, not just respond but analyze the alerts and then respond to the alerts as

62
00:10:45.750 --> 00:10:58.290
Alex Garcia: the playbooks take place, we've been able to downgrade our service, so to say, downgrade, but we went from 24 by 7 to 8 by 5, Monday through Friday operations.

63
00:10:59.370 --> 00:11:07.920
Alex Garcia: And so, as you can imagine, our analysts are really happy. Speaking of our analysts, we're doing all of this with a nine-person team in our SOC.

64
00:11:08.400 --> 00:11:17.220
Alex Garcia: And so yeah, so the team has the evenings off and the weekends, and if something happens when they're off duty,

65
00:11:17.940 --> 00:11:26.520
Alex Garcia: XSOAR will reach out to the person on call via PagerDuty and let them know, hey, we've got a case here, take a quick look at it, kind of thing.

66
00:11:26.850 --> 00:11:42.000
Alex Garcia: But yeah, so this is very important, right. One of the things that I mentioned here, we're burning out our analysts, and so this is a really, really nice way to give them a little bit of downtime and whatnot, so.

67
00:11:44.340 --> 00:11:45.090
Alex Garcia: XSOAR.

68
00:11:46.530 --> 00:11:58.380
Alex Garcia: What you guys saw last month was around XDR, right, so the piece that was missing from that presentation, that demonstration, was this XSOAR puzzle piece, right, so

69
00:11:59.790 --> 00:12:08.490
Alex Garcia: Cortex, Cortex as a whole is a business unit within Palo Alto Networks. We're looking at a
70
00:12:09.570 --> 00:12:17.190
Alex Garcia: platform, not just a product or point product, right. So what makes the security operations

71
00:12:18.270 --> 00:12:31.800
Alex Garcia: run on steroids, if you will, is everything working together in tandem, right. So in this slide you can see here that we're feeding our XDR alerts, whether they're coming from the XDR

72
00:12:32.940 --> 00:12:41.850
Alex Garcia: logs or from the network traffic analysis alerts or the BIOCs or the IOCs, everything is fed into XSOAR when an incident is triggered.

73
00:12:43.260 --> 00:12:54.840
Alex Garcia: Then XSOAR can consume that and take the appropriate actions, so we're essentially extending the response capabilities of XDR, right. So as you guys learned last month, XDR has

74
00:12:55.800 --> 00:13:07.620
Alex Garcia: some remediation capabilities. There's the Live Terminal feature that has some response actions: when you get started and interrogate the endpoint you can isolate it, you can

75
00:13:08.700 --> 00:13:17.400
Alex Garcia: live terminal to it and, you know, retrieve files, telemetry out of that endpoint, you know, or what have you. Now you can,

76
00:13:17.910 --> 00:13:27.990
Alex Garcia: once you plug XSOAR into the picture here, you can start to do all of that automatically, and not just within XDR, but you can extend what you learn

77
00:13:28.860 --> 00:13:37.650
Alex Garcia: from your investigation there into other security tools, and also take remediation actions on the data that you collected within the endpoint out to your other security tools,

78
00:13:38.190 --> 00:13:45.660
Alex Garcia: whether it's network security, email security, what have you, you can do all of that with the application here.

79
00:13:46.500 --> 00:13:54.510
Nick Lewis: Alex, just a real quick interruption, so there was a question about integrations with other security tools, and whether or,
80
00:13:55.620 --> 00:13:58.260
Nick Lewis: you know, if there's an integration with Recorded Future.

81
00:13:59.580 --> 00:14:14.490
Alex Garcia: So let me, so I have a tab open here, you can see that. So XSOAR today has over 700 integrations that we support out of the box. If we don't have an integration for a tool,

82
00:14:14.940 --> 00:14:25.620
Alex Garcia: that's something that we can work with our customer success team or professional services team and our solutions architects to get that put together. Today the queue, I believe it's about eight weeks to get that turned around.

83
00:14:26.340 --> 00:14:42.690
Alex Garcia: But you can go into this site, xsoar.pan.dev, and if you click on the reference link here, look at the integrations, you can see everything that we've got out of the box, right. So Recorded Future was the one that we're looking for?

84
00:14:45.090 --> 00:14:45.810
Nick Lewis: That's correct.

85
00:14:46.590 --> 00:14:58.560
Alex Garcia: Okay, let's see, Recorded Future, there it is, so we've got a couple. So this is deprecated, so this means that this was written in Python 2.x. We're migrating our integrations, our code, to Python 3.

86
00:14:59.250 --> 00:15:03.750
Alex Garcia: And you'll see, I'll show the automations and whatnot and the snippets of code that

87
00:15:04.560 --> 00:15:13.590
Alex Garcia: build the applications, and one thing that I want to share about this is, and I'll jump into Recorded Future, you can see all of the details, so Cortex XSOAR is very open.

88
00:15:14.160 --> 00:15:22.650
Alex Garcia: And you can see all of the details of the integrations: what are we doing with the integration, what are the commands that are supported. So all of this is API driven, right, so

89
00:15:23.400 --> 00:15:28.410
Alex Garcia: the vendor supports API commands, we'll bring them into our integration.
90
00:15:29.130 --> 00:15:40.770
Alex Garcia: Right, so here's all of these. So it's not a lot compared to some of the other products, but here's all of the capabilities that you can do for this specific integration, here's what the automation looks like.

91
00:15:42.210 --> 00:15:51.330
Alex Garcia: And yeah, so visit the site. If you have questions about a specific product that you're working with, you can learn quite a bit out of this documentation.

92
00:15:51.990 --> 00:15:53.940
Nick Lewis: Great, thank you, and there was a

93
00:15:54.120 --> 00:15:59.100
Nick Lewis: link in chat from Jeff, thanks for putting the link in there, about the XSOAR integration.

94
00:16:00.690 --> 00:16:01.530
Alex Garcia: Thank you, thanks.

95
00:16:02.970 --> 00:16:05.790
Alex Garcia: Okay, so let me go back to my

96
00:16:07.860 --> 00:16:23.640
Alex Garcia: Okay, so what's helping Cortex XSOAR promote this rewired security operations are these four pillars. These are key to what we're doing with XSOAR in our rewiring of SecOps.

97
00:16:24.300 --> 00:16:37.320
Alex Garcia: The first component there is the automation and orchestration, right. So we've got over 700 integrations today, thousands of automations. So I mentioned that just a second ago, the automations are essentially

98
00:16:38.730 --> 00:16:48.330
Alex Garcia: scripting out the commands, the API commands that the integration supports, and then the playbooks, the playbook editor, it is so easy to build these things.

99
00:16:48.870 --> 00:16:59.370
Alex Garcia: They're very modular, you can create playbooks within playbooks, so think about it like programming, a nested type of task within the playbook, so I'll kind of walk through that here in the demo.

100
00:17:00.420 --> 00:17:09.360
Alex Garcia: The collaboration piece, that's very important, right, the human collaboration. So each case, each incident that gets created in XSOAR has its own
101
00:17:09.990 --> 00:17:17.070
Alex Garcia: virtual war room where everything that gets processed during the automation, during the playbook run,

102
00:17:17.580 --> 00:17:23.760
Alex Garcia: gets recorded in this virtual war room, or, if you take manual actions,

103
00:17:24.240 --> 00:17:31.710
Alex Garcia: those things get recorded there as well. Plus, you have the ability to chat with teammates, right, so if there's multiple people working on the incident, you can

104
00:17:32.010 --> 00:17:41.970
Alex Garcia: chat there, everything gets recorded there, and you can actually bring in other teammates that may not be part of that investigation, you can bring them in for help, and they would

105
00:17:42.900 --> 00:17:49.230
Alex Garcia: essentially have access to this incident to work with you on it. Then there's the case management, so

106
00:17:50.340 --> 00:18:00.300
Alex Garcia: we have our own case management within XSOAR that manages and maintains the incidents as they're being created.

107
00:18:00.600 --> 00:18:10.800
Alex Garcia: You may ask the question, well, I have ServiceNow. Today there are integrations into ServiceNow, Jira, Confluence, those other ticketing systems,

108
00:18:11.310 --> 00:18:14.970
Alex Garcia: and I tell you, I used to hate this when I was working on the customer side.

109
00:18:15.510 --> 00:18:31.380
Alex Garcia: When I had to work on an incident, I had to create a case in ServiceNow and then populate all the mandatory fields, and then I'd do my work and then I had to go back and update the ticket. I just wanted to do my job. So one of the things that was my favorite piece, I think, is

110
00:18:32.550 --> 00:18:41.610
Alex Garcia: getting that integration going so that when an incident gets created, a ServiceNow ticket gets automatically created and populated with the data that I've defined in my playbook.
111
00:18:42.120 --> 00:18:51.870
Alex Garcia: And as I'm working the case, those components get automated, are updated automatically, and I don't have to bother with ServiceNow, and

112
00:18:52.590 --> 00:19:06.150
Alex Garcia: the security team works out of this case management while everybody else in the enterprise is working out of ServiceNow, and you are working within ServiceNow but it's not you doing it, it's the automation, so it was really cool.

113
00:19:07.470 --> 00:19:18.030
Alex Garcia: Yeah, I used to hate working out of ServiceNow. And then, finally, the threat intelligence management. This is a new component of XSOAR, I believe it was released in the 6

114
00:19:18.840 --> 00:19:30.180
Alex Garcia: version. This is, as you guys are aware, XSOAR came from the acquisition of Demisto, and so Demisto did not have this threat intel management, so

115
00:19:30.690 --> 00:19:42.240
Alex Garcia: we have introduced TIM, and some of the main features here, one of my favorites, is the ability to correlate IOCs with other cases, so it kind of gives you a

116
00:19:42.750 --> 00:19:57.480
Alex Garcia: better picture, a holistic picture of, you know, your attack surface. Are you being targeted by an advanced persistent threat actor, are you seeing the same, maybe, ransomware

117
00:19:58.500 --> 00:20:14.040
Alex Garcia: binaries, you know, you can start to get a picture of what's happening with the enterprise in terms of attacks. So it does come with a full version of AutoFocus, so that, you know, gives you the additional benefit of having the threat intel feed

118
00:20:15.180 --> 00:20:18.960
Alex Garcia: of our WildFire data, so a very, very important piece there.

119
00:20:20.790 --> 00:20:29.340
Alex Garcia: Here's some of the main, some of the big logos that we have integrations with. Again, over 700 integrations. You can see we have a good mix of everything from
120
00:20:29.790 --> 00:20:43.710
Alex Garcia: network security to endpoint to analytics, so if you're working with a security tool there's a very high probability that the integration is already there, and if it's not, it's just a matter of building that integration with our team.

121
00:20:46.260 --> 00:20:54.780
Alex Garcia: Some of our out of the box, some of our most popular playbooks, you see them on the left hand side: Cortex XDR incident,

122
00:20:55.230 --> 00:21:06.870
Alex Garcia: Windows event alerts, TCP firewall logs or the firewall alerts, so there's quite a few playbooks that you get out of the box, and then, like I said,

123
00:21:08.340 --> 00:21:17.610
Alex Garcia: you can have playbooks inside of playbooks, right. So you'd have your standard playbook that would address something like an XDR incident, for example, but then inside of that

124
00:21:18.810 --> 00:21:33.060
Alex Garcia: workflow you may have things or tasks where you're going to want to identify, maybe there's a file attached to this alert, right, and then run that file through our threat intelligence analysis,

125
00:21:33.660 --> 00:21:38.160
Alex Garcia: something like that, right, and so that could be a separate task outside of the main

126
00:21:39.150 --> 00:21:53.310
Alex Garcia: response playbook, and so that becomes our sub-playbook, and you can see there's containment, eradication and then post-analysis type of playbooks, so there's quite a few things that you can immediately do out of the box.

127
00:21:54.990 --> 00:21:59.250
Alex Garcia: And I'm going to jump into the demo. Any questions so far?

128
00:22:02.250 --> 00:22:10.200
Nick Lewis: I have a question to kind of go with the comment in chat, somebody mentioned about basically compromised accounts.
129
00:22:11.250 --> 00:22:21.360
Nick Lewis: To me, what I'm wondering is, one of the playbooks, I assume there's a playbook around phishing, because that's obviously something campuses do all day long.

130
00:22:21.510 --> 00:22:31.200
Alex Garcia: Yeah, yeah, yeah, and you know, that's actually one of the first things that we get asked when we start to talk to customers, to prospects, to partners.

131
00:22:33.210 --> 00:22:42.450
Alex Garcia: We talk about the capabilities of the platform and the first thing they ask is, what do you guys do with phishing? And so

132
00:22:43.080 --> 00:22:51.450
Alex Garcia: from my perspective, I think phishing is, like you said, you do it all day long, and so it's one of those tasks that

133
00:22:52.260 --> 00:22:59.280
Alex Garcia: it becomes a little mundane and very time consuming, right, and so I'm going to jump right into the incident

134
00:22:59.850 --> 00:23:14.940
Alex Garcia: that I created. I actually created a phishing incident to walk through the demo. I'll go through the different components within XSOAR here in a second, but let's jump into this incident. So what we're looking at here is,

135
00:23:15.990 --> 00:23:19.830
Alex Garcia: I generated this manually, the phishing alert, and so

136
00:23:21.360 --> 00:23:29.310
Alex Garcia: each incident that you want to address with XSOAR, you build an incident type, and then

137
00:23:29.850 --> 00:23:39.300
Alex Garcia: that type is associated with an incident layout, and so, and I mention this because this is important, I want you guys to imagine this, you can customize this

138
00:23:40.350 --> 00:23:45.120
Alex Garcia: with whatever data you want to populate, right. So the case info would be for someone,
139
00:23:45.840 --> 00:23:52.830
Alex Garcia: maybe a SOC manager, to come and take a look at this and, you know, kind of get a high level perspective of what's going on with the incident.

140
00:23:53.370 --> 00:24:02.580
Alex Garcia: But under investigation, I want this data to be for the analyst, right, so some of the key artifacts with them,

141
00:24:03.420 --> 00:24:11.970
Alex Garcia: the phishing message, right, so here's the rendering of the email, well, what is it that we saw or the user saw,

142
00:24:12.510 --> 00:24:21.600
Alex Garcia: right, so you can get an idea of what that was, what it would look like in their mailbox, here's the HTML from the email, the text.

143
00:24:22.590 --> 00:24:37.020
Alex Garcia: In basic info here, what was the subject line, who was it from, who was it going to. Here are the indicators of compromise, and notice here the threat intel piece is enabled, so we're also getting a verdict associated with that IOC.

144
00:24:37.800 --> 00:24:49.620
Alex Garcia: You can see where that verdict came from, so there's various threat intelligence feeds associated with these indicators, and you have the ability to,

145
00:24:50.100 --> 00:25:08.370
Alex Garcia: based on your experience and your preference for the feed, you have the ability to tell XSOAR, this is my most reliable threat intel feed, so if you have competing verdicts it will always take the one that you set, so yours is always treated as correct.

146
00:25:10.470 --> 00:25:24.180
Alex Garcia: Then the incident files, so again with the IOCs, and then any attachments, right. So this is the information that we as analysts, as practitioners, are going to be interested in. Of course this too, but this is more of a high level
147
00:25:25.440 --> 00:25:32.610
Alex Garcia: perspective of that incident, and then here's our war room. I mentioned that earlier, that it's one of the main pillars of XSOAR.

148
00:25:34.290 --> 00:25:36.540
Alex Garcia: Everything that was performed during the,

149
00:25:37.890 --> 00:25:46.800
Alex Garcia: during the run of the playbook gets recorded here. If you find some things that may be of interest, you want to mark them as evidence, you know, you have the ability to

150
00:25:48.060 --> 00:25:49.500
Alex Garcia: tag that as an evidence item.

151
00:25:52.230 --> 00:26:03.720
Alex Garcia: And mark as evidence, and what this does is it makes it a little bit easier for us to go in and look at the relevant information, so we can go into our evidence board and it looks a little bit cleaner, right, so.

152
00:26:07.320 --> 00:26:15.660
Alex Garcia: Okay, and then here's our work plan, or our playbook run, and so here's, to answer your question,

153
00:26:16.620 --> 00:26:22.830
Alex Garcia: here is what that looks like, right. So the incident was created, and the first thing that you do in any

154
00:26:23.190 --> 00:26:35.460
Alex Garcia: investigation, the first thing in the analysis of an incident or an alert, is you start collecting data, and you can see these little icons, this circle represents an automated task,

155
00:26:36.240 --> 00:26:44.760
Alex Garcia: right, and so you'll see this book here represents a sub-playbook or a nest of tasks within this workflow.

156
00:26:45.690 --> 00:27:02.610
Alex Garcia: But yeah, so you start collecting data, looking for user ID information, was there an account here, what is the, let's go and get the information for this account from Active Directory, and then here's the processing of the email, so we take a look at this and open up the sub-playbook.
157
00:27:05.280 --> 00:27:19.680
Alex Garcia: You can see that all these other tasks are happening in parallel inside of that one task, and then we can have other tasks, so if it would have gone down this route they could have run another set of playbooks, so

158
00:27:20.700 --> 00:27:30.840
Alex Garcia: it keeps it nice and clean, makes it to where the playbooks, the automations, are modular so that you can use them in other incidents, right, you don't have to recreate the workflows.

159
00:27:32.130 --> 00:27:44.070
Alex Garcia: So yeah, so staying with your question, so here's the user ID information that gets captured out of Active Directory, we need that, right, so here's this alert came from,

160
00:27:45.930 --> 00:28:03.870
Alex Garcia: from us monitoring a phishing mailbox where users report potentially phishing emails, and now it's talking to the Active Directory, going out, and through our threat intelligence it's extracting indicators and then enriching that, and you see that here.

161
00:28:04.950 --> 00:28:09.960
Alex Garcia: Was the verdict of those indicators malicious? It looks like it went down the yes path.

162
00:28:10.440 --> 00:28:23.520
Alex Garcia: Okay, it's updating the case, right, so now we're collecting that data that we're going to present in the incident layouts over in these tabs. Okay, it's changing the severity of the case, so this is important, right, because the case may have,

163
00:28:24.630 --> 00:28:29.070
Alex Garcia: if this alert came from a SIEM or from a security mail gateway,

164
00:28:30.420 --> 00:28:43.530
Alex Garcia: the severity may be a little bit lower, but based on our analysis of the threat intelligence and those indicators it may have a higher severity, right, so we have the ability to change the case within XSOAR, hey, this needs immediate attention,
165
00:28:44.220 --> 00:28:57.150
Alex Garcia: don't trust the alert setting within your other security tool, because our enrichment says hey, this is a higher severity than the one with the security tool set. But now we have the ability to tie into our

166
00:28:58.350 --> 00:29:03.690
Alex Garcia: Exchange mailboxes, or G Suite if you guys are using G Suite, but

167
00:29:04.470 --> 00:29:11.670
Alex Garcia: looking for those indicators within users' mailboxes, right? Did we find them? If we find them there, so maybe the case now

168
00:29:12.060 --> 00:29:25.110
Alex Garcia: has expanded from one impacted user to multiple users, so in this case we were setting this severity to a higher severity and we're hunting for those indicators of compromise. Here's a sub-playbook, so if we open this up,

169
00:29:28.260 --> 00:29:32.220
Alex Garcia: you can see that we've got several security

170
00:29:33.510 --> 00:29:42.210
Alex Garcia: tools that we're working with here, and certainly, as part of the demonstration, you would... maybe I would have like maybe a SIEM, firewall, and then maybe an endpoint solution here.

171
00:29:42.780 --> 00:29:52.530
Alex Garcia: Right, but you can start to see how you can start to corral, I used that word earlier, you can start to corral your security tools, looking for these bad things.

172
00:29:54.180 --> 00:30:02.610
Alex Garcia: And it's happening in parallel, right? You saw those tasks were side by side, so that means that they're happening in parallel. So rather than you,

173
00:30:02.940 --> 00:30:18.450
Alex Garcia: as a human analyst, going into your SIEM looking for these indicators, getting the data, going now let's go into the firewall logs, let me look for that data, let me jump in my SIEM, so all of that stuff is happening at machine speed, in parallel, something that we can't do.
174
00:30:20.100 --> 00:30:32.460
Alex Garcia: So we're confirming that this was phishing, yes or no, two different paths, so it said no, it's not phishing, and it's going to close the incident once I take this manual

175
00:30:33.060 --> 00:30:41.220
Alex Garcia: task. So this little human icon here means that this is a manual task; I need to go in here and change, you know, mark it as complete.

176
00:30:41.760 --> 00:30:59.220
Alex Garcia: And then the automation picks it up and it closes the incident. So that was a quick run-through of a phishing incident. I also have a malware alert, and I want to show you this one because this one actually has some response actions.

177
00:31:00.690 --> 00:31:06.780
Alex Garcia: Right, so the other one was more of an investigation and it turned out to be benign, but this one...

178
00:31:08.430 --> 00:31:25.020
Alex Garcia: Okay, now let me jump back into the case info. So you can see that the case is, the layout is a little different, so now we have the direct link to the actual incident. So you guys learned a little bit about Cortex XDR last week, so I'll jump in here and show you.

179
00:31:26.190 --> 00:31:38.550
Alex Garcia: Right, so it takes us directly to the XDR instance. It's going to take us to the case, it's supposed to take us to the case, I know it's been updated to reflect the three hours so it's not going to do it.

180
00:31:39.840 --> 00:31:58.920
Alex Garcia: But, uh, looking at the investigation, you can see that the type of data that's being presented is different; it's relevant to this type of alert or incident. So here, so here are XDR artifacts, our binaries, here's our network IOC, and then the users that were part of this

181
00:32:00.000 --> 00:32:06.960
Alex Garcia: alert, and here's our indicators and their verdicts. So looking at the playbook, at the work plan,
182
00:32:09.090 --> 00:32:16.800
Alex Garcia: you know, same kind of thing, right? We want to start with data collection. Okay, well, are there any users? If there are, what's the context?

183
00:32:17.790 --> 00:32:28.590
Alex Garcia: Are there any files? Let's run them through AutoFocus, let's run them through WildFire, and it's running through a sandbox and see what happens, and all that data gets captured and reported back into the investigation

184
00:32:30.210 --> 00:32:30.780
Alex Garcia: layout.

185
00:32:32.310 --> 00:32:37.770
Alex Garcia: Looking again, it's very... it's one of those deployments because we tend to trust what comes from the

186
00:32:38.790 --> 00:32:45.150
Alex Garcia: from the security tools, but now that you have the ability to correlate the indicators and then with other

187
00:32:46.320 --> 00:32:49.860
Alex Garcia: threat intel feeds, it may require, you know,

188
00:32:51.480 --> 00:32:58.680
Alex Garcia: further investigation. But now we're talking to the analyst, we're communicating with the analyst, we have some...

189
00:32:59.190 --> 00:33:12.270
Alex Garcia: I think that ran through the search license so the other day, but we're asking, do we want to disable user accounts, right? We saw that Mr. Rogers was one of those, and yeah, I replied yes already, so

190
00:33:12.780 --> 00:33:21.690
Alex Garcia: this is one of those things where we were investigating, or the machine is investigating, and it said hey, there's some serious stuff here, here's the user ID.

191
00:33:23.340 --> 00:33:29.670
Alex Garcia: We should disable it, but it's asking the human, because, you know, these are

192
00:33:31.320 --> 00:33:42.810
Alex Garcia: critical response actions, you don't want to interrupt maybe a VIP, get yourself in some hot water there. So we're asking, are you sure you want to disable this account, and then we say yes.
193
00:33:43.740 --> 00:33:52.950
Alex Garcia: And the machine proceeds to reach out to Active Directory to disable that user's account, and then in parallel it's also doing the same thing for an IP that was

194
00:33:53.490 --> 00:34:05.580
Alex Garcia: identified. So we're asking the analyst, hey, this is the IP that we saw that we want to block at the firewall. We say yes, it reaches out to the firewall and

195
00:34:06.570 --> 00:34:21.180
Alex Garcia: adds it to a blacklist. Now, from the email side of things, we want to interrogate those mailbox databases: are those suspicious files found anywhere else? If they are,

196
00:34:22.800 --> 00:34:33.600
Alex Garcia: let's go ahead and just, you know, do a search and destroy, let's go ahead and find them and remove them. Here's the task; it didn't find any, so it's a different path, but if it would have found them, you can see that the

197
00:34:34.050 --> 00:34:40.140
Alex Garcia: the task to automatically destroy those files within those mailboxes is there as part of the remediation.

198
00:34:40.830 --> 00:34:49.080
Alex Garcia: So you think about it, you've got Active Directory working here, you have the network firewalls, and then you also have your email

199
00:34:50.010 --> 00:34:59.790
Alex Garcia: infrastructure, and then of course the source of the alert, XDR. So you've got four different components working within one playbook now.

200
00:35:00.750 --> 00:35:10.260
Alex Garcia: Something else that you can expand on here would be like your ServiceNow tickets, right? So you can go out and generate a ServiceNow ticket if you needed to, maybe re-image this account.

201
00:35:10.890 --> 00:35:22.230
Alex Garcia: You can issue a request to the help desk guys to go ahead and issue a temporary computer, whatever the process is there, but you can see that, again,
202
00:35:23.280 --> 00:35:32.820
Alex Garcia: the corralling of infrastructure and tools under one platform is totally possible. What

203
00:35:33.330 --> 00:35:34.200
Alex Garcia: we see here.

204
00:35:34.620 --> 00:35:40.500
Nick Lewis: I'm wondering about that, so corralling the infrastructure, and you'd mentioned sending something off to the help desk for

205
00:35:40.800 --> 00:35:54.600
Nick Lewis: maybe re-imaging the endpoint. How about for sending something via ServiceNow to the help desk to say you need to reach out to this user to talk to them, to reset their password, things like that? Could you have multiple,

206
00:35:55.800 --> 00:36:00.030
Nick Lewis: basically, ServiceNow tickets created to do a bunch of different things?

207
00:36:00.540 --> 00:36:13.530
Alex Garcia: Yes, yes, you can. One of the things here that you can do, and it was listed here, is directly interact with the user, to lawyer, where it happened to me not too long ago. I

208
00:36:14.520 --> 00:36:25.980
Alex Garcia: put in my password on a portal that I thought was Palo Alto Networks, and I got a note, an email from the SOC that said hey, we saw your password was used on the

209
00:36:27.360 --> 00:36:42.810
Alex Garcia: non-Palo Alto Networks portal, and you have to change it, and did you use this? And I said yes, and they said okay, yeah, okay, go ahead and change it. I can't remember what the wording was, like yeah, go ahead and change it or we'll disable your account. I thought I was talking to someone, but it was

210
00:36:42.960 --> 00:36:44.340
Alex Garcia: I was talking to XSOAR, yeah.

211
00:36:44.400 --> 00:36:46.740
Alex Garcia: So you can definitely do something like that.

212
00:36:50.970 --> 00:37:00.900
Alex Garcia: So yeah, so here's the... so that's the malware incident that I wanted to show you. Any other questions on this? No? Jump into the components here, the platform.
213
00:37:02.940 --> 00:37:07.080
Nick Lewis: We'll pause for questions. Any questions from the group?

214
00:37:08.250 --> 00:37:25.110
Nisha Modi: Hi Alex, can I ask you something? I, Nick, oh, like I said, if somebody is using some Jamie Lopez in Mexico, you know, that is what... what is the best way to fix that problem, you know, yakking.

215
00:37:27.030 --> 00:37:43.200
Alex Garcia: And so, you know, first you have to have the ability to identify that, right? And so something like a UBA is going to give you those kinds of alerts. Cortex XDR has UBA capabilities, but you have to determine, okay,

216
00:37:44.010 --> 00:37:58.020
Alex Garcia: some tool has to tell you hey, this is suspicious activity, this is probably impersonation or a compromised account, right? So that is what would trigger an incident, so you'll configure the

217
00:37:58.860 --> 00:38:13.710
Alex Garcia: the incident feed, if you will, through these integrations. Here's our list of integrations that I showed them in this link here, and also in the slides, the 700 plus. So Cortex XDR, let's say,

218
00:38:14.910 --> 00:38:32.280
Alex Garcia: is our UBA, right? So here's the integration, it's deprecated already, but there's a new one here. Just so, we would ingest that alert and then we could have a playbook built out to respond to compromised accounts, so let's see...

219
00:38:34.080 --> 00:38:34.890
Alex Garcia: account.

220
00:38:43.290 --> 00:38:54.720
Alex Garcia: Okay, so here's an Active Directory investigation, right? So maybe look at the permissions to that account, what that account has, server permissions assigned to it, so it just...

221
00:38:55.680 --> 00:39:02.910
Alex Garcia: here's a "was it compromised, yes or no." So these are out-of-the-box playbooks, you see the little lock there, but would you want to...

222
00:39:04.680 --> 00:39:06.780
Alex Garcia: XSOAR, XSOAR is a
223
00:39:08.250 --> 00:39:15.690
Alex Garcia: SOC process improvement tool, right? So if you don't have those standard operating procedures defined today,

224
00:39:16.230 --> 00:39:21.900
Alex Garcia: that, I think, would be the first step, right? Get those implemented: what is it that you're looking for,

225
00:39:22.260 --> 00:39:34.530
Alex Garcia: and then how are you going to address it? And once you put it down on paper, then you can start to build out these playbooks really easily, and you can take some of these, like, for example, I can clone this.

226
00:39:37.710 --> 00:39:49.320
Alex Garcia: And then I'm going to edit the playbook, and then if I don't need this, for example, I can take it out, and then I can bring in a new task, I don't know, maybe something with my firewall,

227
00:39:55.980 --> 00:39:57.720
Alex Garcia: and bring that over.

228
00:39:59.580 --> 00:40:08.040
Alex Garcia: Here, this, I can tell the canvas how I want this to flow, you can put it anywhere you want.

229
00:40:09.270 --> 00:40:21.150
Alex Garcia: You can set the automation here, so, I don't know, the IP reputation, maybe some of the things that I know off the top of my head. So, but yeah, that would be the first thing that you want to do, you want to

230
00:40:22.170 --> 00:40:33.840
Alex Garcia: define that workflow and then you can start using these automations to build out that playbook. But yeah, to address the "was this account compromised,"

231
00:40:34.380 --> 00:40:47.040
Alex Garcia: here's something to get you started with, and then you can, you know, again, this is focused on investigating that, but then what happens if we do determine that it was compromised, and you can start building out your
232
00:40:47.730 --> 00:40:57.990
Alex Garcia: response actions. So maybe from here let's disable the user account, notify the user's manager, so you could have something else in parallel: notify the user's manager,

233
00:40:59.490 --> 00:41:12.360
Alex Garcia: ask the user, you know, a question like hey, have you entered your credentials into suspicious account portals, or something like that, right? So yeah, I mean, you can see, I can go anywhere.

234
00:41:14.070 --> 00:41:18.600
Nick Lewis: So, thanks Alex, so there's another question in the chat from Chris, he was asking,

235
00:41:19.620 --> 00:41:31.440
Nick Lewis: Chris was asking, is there an integration with Microsoft Defender or MCAS to source IP addresses that are password spraying or have compromised accounts, to be able to block the source IP?

236
00:41:33.060 --> 00:41:37.950
Alex Garcia: So that would be part of our threat intelligence platform, you can see

237
00:41:39.570 --> 00:41:40.950
Alex Garcia: the threat intel feeds

238
00:41:41.010 --> 00:41:41.430
here.

239
00:41:43.650 --> 00:41:54.480
Alex Garcia: and the indicators that are coming across, and then you can take action, you can actually take the indicators and push them out to other security tools. So yes, there is an integration for Defender.

240
00:41:56.460 --> 00:41:59.310
Alex Garcia: And I might not have it active, let's see.

241
00:42:01.980 --> 00:42:10.290
Alex Garcia: Microsoft Defender for Endpoint, and then there's the Advanced Threat Protection, looks like it's getting deprecated, so we have...

242
00:42:11.130 --> 00:42:17.610
Alex Garcia: We have a marketplace. Remember, the deprecation means that we're working on getting the code, the language, upgraded.

243
00:42:18.150 --> 00:42:30.390
Alex Garcia: But we do have a marketplace where, if you don't find that integration there, the first place to look is the marketplace. So think about the marketplace as our Apple iTunes store, where
244
00:42:31.440 --> 00:42:38.160
Alex Garcia: vendors, partners, and even customers, if you want to share your content, you can upload it to our store

245
00:42:38.760 --> 00:42:53.580
Alex Garcia: or marketplace. It does get vetted by our security team before it makes it into the store, so there is that control there. But you can actually, you can see there's a price tag to some of these, right? So we operate off of coins or tokens,

246
00:42:54.630 --> 00:43:00.270
Alex Garcia: and so you can buy these tokens from your friendly neighborhood Palo Alto Networks sales team.

247
00:43:01.590 --> 00:43:19.800
Alex Garcia: But yeah, if you wanted to charge for some of this content, you can. A lot of it, it's free, and what we're trying to do here is foster community collaboration, right? So there may be some things that you may be doing already that maybe someone is struggling with, right? So being a good,

248
00:43:22.200 --> 00:43:26.340
Alex Garcia: good security analyst and sharing some of that knowledge with other teams.

249
00:43:27.180 --> 00:43:39.840
Alex Garcia: You know, one of the things that we're seeing is we're seeing a lot of collaboration between the bad guys, and why are we not collaborating, right? So, coming again, I told you guys I come from the oil and energy, oil and gas

250
00:43:41.910 --> 00:43:53.880
Alex Garcia: business. We were always told don't talk to these guys because they're all competitors, but that's the wrong attitude. We're seeing the same attacks and we've got to be able to share a lot of this info.

251
00:43:54.930 --> 00:44:01.020
Alex Garcia: And then, staying with that, we're also seeing that these bad guys are using automation, right? They go home after,
252
00:44:01.410 --> 00:44:17.070
Alex Garcia: after work, their work is done, their work hours, but they leave the computers running and the attacks are coming, and we are having to address them during dinner, midnight, you know, whatever. And so let's fight automation with automation.

253
00:44:18.510 --> 00:44:24.630
Nick Lewis: Exactly. There's a follow-up question on the Defender, Microsoft, or the Windows Defender integration.

254
00:44:25.890 --> 00:44:33.390
Nick Lewis: Trying to understand better: does the Windows Defender ATP integration protect the tenant rather than the individual endpoint?

255
00:44:36.330 --> 00:44:41.460
Alex Garcia: So Microsoft Defender for Endpoint, this is Microsoft's

256
00:44:42.870 --> 00:44:49.620
Alex Garcia: EPP, endpoint protection platform, right? So what we could, take a look at the commands here, this is what it's going to

257
00:44:50.340 --> 00:44:55.470
Alex Garcia: give us the ability to run commands against alerts that get generated within

258
00:44:56.160 --> 00:45:08.280
Alex Garcia: their EPP platform, right? Retrieve alerts, because the alerts are going to be what's going to generate the incident, right? But there are also some investigation type of

259
00:45:08.850 --> 00:45:15.510
Alex Garcia: commands, so here's like get IP alerts, get IP statistics. So this is, remember, this is the...

260
00:45:16.320 --> 00:45:23.520
Alex Garcia: The automations are built around these tasks, so I can go in here, and I don't have the integration active, so it won't work.

261
00:45:24.090 --> 00:45:38.430
Alex Garcia: In order for these commands to be available to me, the integration has to be there, but you can do commands straight from here, so think about CLI, right? So I can do, and I have this integration active, so I can show you this: IP reputation

262
00:45:40.290 --> 00:45:41.730
Alex Garcia: IP equals...

263
00:45:46.170 --> 00:45:48.540
Alex Garcia: You know, go out and execute this for me.
264
00:45:51.120 --> 00:45:58.200
Alex Garcia: And it will give me the information about that IP address. It went out to all our threat feeds and it's going out and giving me that information.

265
00:45:59.250 --> 00:46:00.000
Alex Garcia: Right, so

266
00:46:01.350 --> 00:46:04.350
Alex Garcia: here's the... where's the IP?

267
00:46:11.100 --> 00:46:14.310
Alex Garcia: Yeah, yep, this is that, right here. Okay, so

268
00:46:15.450 --> 00:46:33.450
Alex Garcia: even though I used the IP reputation command, this could easily have been that Microsoft Defender command, get IP statistics, and so what's important there is the commands are supported via API.

269
00:46:34.830 --> 00:46:38.640
Alex Garcia: That means that we have an integration or an automation, and so

270
00:46:39.930 --> 00:46:52.980
Alex Garcia: those commands essentially on the back end become these little scripts. That's really what they are, so this one is specific for the abuse IP database, populate indicators, but if we wanted to look at some of the Microsoft stuff...

271
00:47:00.930 --> 00:47:04.650
Alex Garcia: Here's the automation for this one, Microsoft Teams ask.

272
00:47:06.480 --> 00:47:13.950
Alex Garcia: You can... because, again, because I don't have that integration active, those commands are not going to be listed, but, uh, you can see the...

273
00:47:14.370 --> 00:47:24.060
Alex Garcia: We don't hide what's running behind the scenes. If you guys have the knowledge, the ability to do this programming in Python 3,

274
00:47:24.870 --> 00:47:40.770
Alex Garcia: you can build your own automation, so if you wanted to. So with that said, you can tie it into not just security operations tools, but anything that has the ability to be programmed and accessed via API.
275
00:47:41.520 --> 00:47:52.800
Nick Lewis: And so Alex, it sounds like something like, there's the AD integrations that are built in, and lots of campuses use something called Shibboleth or CAS, which may be backed by AD in the back end.

276
00:47:53.250 --> 00:48:01.980
Nick Lewis: But they want to talk to their LDAP server, or they want to set some configuration setting in their Shibboleth implementation so that if somebody,

277
00:48:03.000 --> 00:48:08.580
Nick Lewis: if they notice something suspicious, they want to force them to go through an MFA login the next time,

278
00:48:09.030 --> 00:48:14.370
Nick Lewis: the next time they log in, to make sure the account isn't compromised. So if somebody were to,

279
00:48:14.760 --> 00:48:21.720
Nick Lewis: going back to the screen where you had the Python 3 code, if they wanted to reach out to their Shibboleth implementation or their

280
00:48:22.200 --> 00:48:32.580
Nick Lewis: IBM system, they could put, basically they could write that code there and then use that as a shared playbook in any one of their, or their share...

281
00:48:33.090 --> 00:48:34.440
Alex Garcia: With them, when it would be an automation.

282
00:48:34.440 --> 00:48:37.980
Alex Garcia: For automation, exactly, exactly, yes, yes, yes, and it was really easy.

283
00:48:39.450 --> 00:48:51.990
Alex Garcia: Here's my notes, I've got to give it a different name, there you go, and there you go, you start building your automation or modifying something that's already there, so you don't have to start from scratch, or there may be

284
00:48:52.590 --> 00:48:59.790
Alex Garcia: an existing automation that you can already leverage today, so there's so much flexibility with the tool.

285
00:49:01.110 --> 00:49:02.670
Nick Lewis: And one of the things I'm...

286
00:49:02.700 --> 00:49:03.270
Alex Garcia: Sorry, go ahead.
287
00:49:03.420 --> 00:49:07.440
Nick Lewis: And you can look up in, like, the... I don't remember, the store, the place in the store.

288
00:49:07.500 --> 00:49:09.060
Alex Garcia: Or the playbooks, the marketplace.

289
00:49:09.120 --> 00:49:20.160
Nick Lewis: Marketplace, thank you, to see if there is that code, and if there wasn't code for that, and if there wasn't something there already, a campus could potentially submit that.

290
00:49:20.940 --> 00:49:22.020
Alex Garcia: Correct, correct.

291
00:49:23.340 --> 00:49:30.780
Alex Garcia: One of the things that I haven't shown is that threat intel, I haven't touched on yet, so it's important

292
00:49:30.960 --> 00:49:33.570
Alex Garcia: to note that our threat intelligence

293
00:49:34.830 --> 00:49:50.490
Alex Garcia: module, or TIM component, is out of STIX/TAXII 2.0, which means that we can support objects, not just our traditional indicators like hashes, signatures, FQDNs,

294
00:49:52.680 --> 00:50:01.590
Alex Garcia: IPs; we can ingest object types. So I'll show you a really quick and easy example here, but this doesn't...

295
00:50:02.670 --> 00:50:04.470
Alex Garcia: Nothing, I did not know, seven days.

296
00:50:05.880 --> 00:50:12.240
Alex Garcia: Let's do... okay, so you can see here that we have a MITRE ATT&CK

297
00:50:13.890 --> 00:50:14.610
Alex Garcia: threat feed.

298
00:50:15.780 --> 00:50:30.900
Alex Garcia: That, and that's a win-win, and it's bringing in the TTPs from MITRE, and so when we see activity, incidents, we have the ability to correlate that activity to the TTPs, right? So then now you have an idea of,

299
00:50:32.160 --> 00:50:41.430
Alex Garcia: you know, what is it that's happening with a specific incident, is it related to something bigger, right, that we normally would not have visibility into until you start to
300
00:50:41.850 --> 00:50:53.490
Alex Garcia: see more and more of a pattern, right? So now we have the ability to give you that visibility immediately, as soon as we see that incident, and we can tie it into TTPs.

301
00:50:54.540 --> 00:51:05.400
Alex Garcia: We would identify that, you'd see it here. I don't have any today, but you would see that incident associated with this TTP from MITRE, and

302
00:51:06.570 --> 00:51:14.880
Alex Garcia: and then, in the actual incident itself, there is a section called a canvas where you can actually start to

303
00:51:15.960 --> 00:51:17.790
Alex Garcia: either interrogate the incident,

304
00:51:18.870 --> 00:51:27.270
Alex Garcia: interrogate the incident, if you will, or tell the machine to populate, auto-populate, the canvas, and what this is going to do is going to bring in

305
00:51:28.290 --> 00:51:40.740
Alex Garcia: all of the indicators of compromise that this one incident saw and then map them to other incidents that saw the same activity, right? So here's two tickets, or two incidents.

306
00:51:41.220 --> 00:51:56.010
Alex Garcia: Here are the indicators of compromise, and then you can see that they were observed, and you know this one was seen by this incident, and then this one was seen by this incident as well. So you can start to get a better picture, like I was saying earlier, of what's happening with the attacks.

307
00:51:58.740 --> 00:52:14.100
Nick Lewis: Excellent, thanks Alex, that's been a really good overview of XSOAR and automation. We've got just a minute or so still to go, and just want to... some, a change, Alex, I'm going to change over to

308
00:52:14.160 --> 00:52:17.640
Nick Lewis: present, share the last couple slides and

309
00:52:19.740 --> 00:52:21.930
Nick Lewis: then we will wrap up for

310
00:52:22.950 --> 00:52:33.660
Nick Lewis: today. So for campuses that are interested in participating in the program, we have a number of resources that you can use that I mentioned in the
311
00:52:35.580 --> 00:52:50.700
Nick Lewis: in chat, around the wiki. We'll be posting this recording to the wiki. If you're interested in additional information on how to sign up for the program or more details, please reach out to us at netplus@internet2.edu. There's

312
00:52:52.020 --> 00:52:55.950
Nick Lewis: the link for the wiki, and it's in the chat, and then a link to the

313
00:52:57.060 --> 00:53:09.990
Nick Lewis: email list. Our next call is on October 21, and it will be on the program wrap-up for the series, and we'll send out an update reminder and

314
00:53:12.240 --> 00:53:18.630
Nick Lewis: October. Thanks everyone for your time this month, and we'll hopefully see you in October. Thank you, bye.

315
00:53:19.980 --> 00:53:20.430
Nisha Modi: Bye.