Ingesting threat data, malware analysis, and data enrichment can all be time consuming tasks. ThreatConnect’s Playbooks feature can automate these things along with almost any cybersecurity task using an easy drag-and-drop interface - no coding needed. You’ll learn how to: - Build Playbooks that automatically run based on events in your network. - Easily send indicators to any of ThreatConnect’s 100+ integration partners including firewalls and SIEMS. - Ingest and send data from any tool (including tools not yet integrated with ThreatConnect). - Use Playbooks to get disconnected tools to all talk to each other. We build a Playbook live on the webinar and also show you where to find ThreatConnect-provided Playbook templates.

1. Save Time and Act Faster with
Playbooks
Dan Cole
Director of Product Management
Ryan Fortress
Senior Security Engineer

2. © 2017 ThreatConnect, Inc. All Rights Reserved.
Today’s Agenda
Save Time and Act Faster with Playbooks
• What’s a Playbook?
• Playbook Basics
• Playbooks for Power Users
2

3. © 2017 ThreatConnect, Inc. All Rights Reserved.
The Tao of Intelligence-Led Operations
The “eternal” feedback loop
3
Intelligence
Operations
Intelligence informs decision making
Operations beget knowledge of adversary
• Incident management and Artifacts
captured
• Threat Investigations/Research
• IOC Observations/FP Metrics
• Correlation of incidents: IOC, TTPs
• Global pattern recognition
• Recommendations on COA

4. What’s a Playbook?
Union of Intel & Operations

5. © 2017 ThreatConnect, Inc. All Rights Reserved.
Playbooks Overview
• Drag-and-drop interface
• Turn manual processes into scripted automations
• Connect best-of-breed tools
• Built into ThreatConnect & can leverage the data you have now
• Can be exported, imported, Templated, shared
5
Free Yourself from Mundane Tasks
“It’s like having an army of
interns that do exactly what
I say every time!”
-ThreatConnect Customer

6. Playbook Basics
Triggers & Apps

7. © 2017 ThreatConnect, Inc. All Rights Reserved.
Playbooks Overview
What happens to start the Playbook?
• New Indicator added
• Update to an Incident
• User clicks a button
• Incoming email
• HTTP endpoint is accessed
• Timer goes off
• ..and more
7
Triggers
Trigger

8. © 2017 ThreatConnect, Inc. All Rights Reserved.
Playbooks Overview
What does the Playbook do?
• Queries an enrichment service
• Blocks an address on a firewall
• Detonates an executable in a sandbox
• Performs static analysis
• Sends a communication (email, chat, etc.)
• Connects to an API
• Updates records in ThreatConnect
• ...and much much more
8
Apps
App

9. © 2017 ThreatConnect, Inc. All Rights Reserved.
Apps & Triggers Can Communicate!
• Triggers & Apps pass information
downstream as Variables
• When the Playbook runs, Variables
are turned into data populated from
the rest of the Playbook
• System & Local Variables
9
Variables
Variable

10. © 2017 ThreatConnect, Inc. All Rights Reserved.
DEMO
Build a Basic Playbook

11. The Power of Playbooks
Advanced Tips & Tricks

12. © 2017 ThreatConnect, Inc. All Rights Reserved.
The Power of Playbooks
• Get different technologies talking
• Extract only the data you need;
no firehose
• Use best-of-breed tools the way you want
• Flexibility > quantity
• Don’t get shoehorned into using only
natively-supported integrations
• 1,000 integrations is great, but what if
yours is 1,001?
• ThreatConnect’s data model serves as a
common language
12
Free Yourself from Lackluster Software
I’m your favorite
firewall. I only speak
XML and my weird
proprietary scripting
language.
I’m your favorite
indicator watchlist. I get
sent to you via email in
JSON with lots of
useless metadata!
“Utility” Apps

13. © 2017 ThreatConnect, Inc. All Rights Reserved.
DEMO
Playbooks for Power Users

14. © 2017 ThreatConnect, Inc. All Rights Reserved.
Questions?

15. © 2017 ThreatConnect, Inc. All Rights Reserved.
Thank You
THREATCONNECT.COM