COVID-19 Indicator Check

Description

The playbook is a self-contained set of actions that takes MD5 file hashes, IPs, domains, and URLs as input. It then leverages the lookups in Splunk provided by TA-covidIOCs to determine if the indicators from the Phantom event are COVID-related.

Content Mapping

This content is not mapped to any local saved search. Add mapping


Use Case

Security Monitoring, SOC Automation

Category

Threat Intelligence

Security Impact

This is a great example of a playbook that is modular in design and can be incorporated into most existing playbooks as a subplaybook.

Alert Volume

Very Low

Journey

Stage 5

Data Sources

Network Communication
Endpoint Detection and Response
Web Proxy

   How To Respond

This playbook takes MD5 file hashes, IPs, domains, and URLs as input. It then leverages the lookups in Splunk provided by TA-covidIOCs to determine if the indicators from the Phantom event are COVID-related. If matches are found the playbook will add the matched indicators to HUD Cards by category (URLs, Hashes, IPs, Domains). Additionally, an artifact field "covid_related = yes" will be added to the artifact from where the indicator came

   Help

COVID-19 Indicator Check Help

Simply deploy Phantom and import the playbook from the Splunk Phantom GitHub repo

   The Easy Guide to Adding COVID-19 Context to Any Process

Full details on how to implement this use case can be found in the Splunk Blog "Integrating COVID (or Any) Threat Indicators with MISP and Splunk Enterprise Security". Use the link below to get the full details.

Learn More...

Screenshot of Demo Data