#2: Operationalizing Threat Intelligence
ThreatWorx provides highly valuable intelligence in the form of threat alerts. Where many security teams struggle is figuring out how to act on threat intelligence in a timely fashion. In a SOC that is ingesting dozens of alerts and threat reports from ThreatWorx and other sources, it would require a lot of dedicated resources to manually parse incoming threat intelligence, hunt for threats in the environment, and block any malicious IOCs.
By adding D3’s automation and orchestration, users can consistently act on ThreatWorx’s alerts without committing additional resources. D3 ingests ThreatWorx intelligence and parses out the IOCs, such as file hashes, URLs, IP addresses, and domains. Then, D3 can hunt for those IOCs in the environment. In the case of a file hash, D3 can query an integrated EDR tool to find out if the hash is present on any company endpoints. If the hash is found, D3 can orchestrate the EDR tool to quarantine the endpoint, once approval is given by the appropriate person. In the case of IPs and URLs, D3 can add them to the blocklist on any integrated firewalls.
With this fully automatable process, you can consistently take action against potential threats before they do significant damage. ThreatWorx’s detailed threat intelligence provides D3 with the data it needs to run threat hunting and incident response playbooks that remediate threats and proactively defend against future risks.
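The ingest, parse, hunt, approve, block workflow described above, as an added Python example that is not D3's or ThreatWorx's own code: the alert shape, the EDR index, the approver callback and every IOC value are assumed or constructed for illustration.

```python
import ipaddress
import re

HASH_LENGTHS = {32, 40, 64}          # md5 / sha1 / sha256 hex digest lengths
DOMAIN_RE = re.compile(r"^([a-z0-9-]+\.)+[a-z]{2,}$", re.I)

def classify_ioc(value: str) -> str:
    """Return 'hash', 'ip', 'url', 'domain' or 'unknown' for one raw IOC string."""
    v = value.strip()
    if len(v) in HASH_LENGTHS and re.fullmatch(r"[0-9a-f]+", v, re.I):
        return "hash"
    try:
        ipaddress.ip_address(v)
        return "ip"
    except ValueError:
        pass
    if re.match(r"^https?://", v, re.I):
        return "url"
    return "domain" if DOMAIN_RE.match(v) else "unknown"

def run_playbook(alert: dict, edr_index: dict, firewall_blocklist: set, approver) -> dict:
    """Hypothetical playbook: hunt hashes in the EDR index, quarantine only where
    approver(host) is True (otherwise park for approval), blocklist IPs and URLs."""
    out = {"blocked": [], "quarantined": [], "pending": [], "no_hit": [], "unactioned": []}
    for raw in dict.fromkeys(alert.get("iocs", [])):      # de-duplicate, keep order
        kind = classify_ioc(raw)
        if kind == "hash":
            hosts = edr_index.get(raw.lower(), [])
            if not hosts:
                out["no_hit"].append(raw)
            for host in hosts:                            # approval gate per endpoint
                out["quarantined" if approver(host) else "pending"].append(host)
        elif kind in ("ip", "url"):
            firewall_blocklist.add(raw)
            out["blocked"].append(raw)
        else:                                             # domains, unknowns: parsed only
            out["unactioned"].append(raw)
    return out

# Constructed sample alert in an assumed ThreatWorx-like shape (not the real feed format);
# IOC values are documentation/test values, not real indicators.
SAMPLE_ALERT = {"title": "constructed test alert", "iocs": [
    "0123456789abcdef0123456789abcdef", "198.51.100.7", "http://bad.example.test/x",
    "bad.example.test", "198.51.100.7", "not an ioc"]}
SAMPLE_EDR = {"0123456789abcdef0123456789abcdef": ["ws-017", "ws-042"]}   # hash -> endpoints

def demo() -> dict:
    blocklist = set()
    # Approval-policy stand-in: ws-017 is pre-approved, ws-042 waits for a human.
    return run_playbook(SAMPLE_ALERT, SAMPLE_EDR, blocklist, approver=lambda h: h == "ws-017")
```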