Security Orchestration Use Case: Automating Threat Hunting

Nov 13, 2018

Too Blunt to Hunt  

Security teams are often too focused on fighting daily incident response fires to devote time to proactive, scheduled threat hunting operations that catch incipient threats before they manifest in user environments. Even when they have enough time to execute threat hunting exercises, correlating intelligence from multiple threat feeds is a manual, repetitive exercise that doesn’t leave enough time for decision-making.

How Orchestration Helps

Threat Hunting Workflow

Orchestration tools help with threat hunting in two ways.

First, automated playbooks for incident response free up analyst time to focus on proactive tasks such as threat hunting. Second, for the hunting exercises themselves, security teams can execute playbooks that ingest malicious IOCs and hunt for more information across a range of threat intelligence tools.

These playbooks can be run in real time or scheduled at pre-determined intervals, ensuring both proactive and reactive approaches to threat hunting.

1. Ingestion

The playbook ingests a list of IOCs as attached CSV/text files.

2. Extract IOCs

The playbook extracts the IOCs (IPs, URLs, hashes, etc.) from the CSV/text file using regular expressions.

3. Hunt IOCs Across Tools

Threat Hunting Playbook Screen

The playbook verifies how many threat intelligence tools are deployed by the SOC and hunts for the extracted IOCs on those tools. Wherever applicable, the playbook also checks endpoints and identifies if any endpoint has been compromised by the malicious IOCs.

4. Update Databases


Threat Hunting Playbook Screen

If malicious IOCs were found on any threat intelligence tool, the playbook updates databases of other tools and other watchlists/blacklists with this information.

Alternatively, the playbook can check if any devices were found to be infected, access the details of those devices, and notify the relevant analysts for further investigation. The screenshot above shows this alternative.
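The ingestion, extraction, and hunting steps above, sketched as an added Python example (not Cortex XSOAR playbook code). It goes slightly beyond the text by refanging defanged indicators and rejecting malformed IPs; the patterns, function names, sample feed, and tool records are all constructed assumptions.

```python
import re

# Patterns are assumptions for this example; real feeds may need more IOC types.
OCTET = r"(?:25[0-5]|2[0-4]\d|1?\d?\d)"
PATTERNS = {
    "url": re.compile(r"\bhttps?://[^\s,\"'<>]+", re.I),  # stops at CSV commas
    "ip": re.compile(rf"(?<![\d.])(?:{OCTET}\.){{3}}{OCTET}(?![\d.])"),
    "hash": re.compile(r"\b(?:[a-f0-9]{64}|[a-f0-9]{40}|[a-f0-9]{32})\b", re.I),
}

def refang(text):
    """Undo common defanging (hxxp, [.], (.), [:]) so the patterns can match."""
    text = re.sub(r"hxxp", "http", text, flags=re.I)
    return re.sub(r"\[\.\]|\(\.\)", ".", text).replace("[:]", ":")

def extract_iocs(raw):
    """Step 2: return {"url": [...], "ip": [...], "hash": [...]}, deduplicated."""
    text = refang(raw)
    found = {kind: set(p.findall(text)) for kind, p in PATTERNS.items()}
    found["hash"] = {h.lower() for h in found["hash"]}  # hashes compare case-insensitively
    return {kind: sorted(vals) for kind, vals in found.items()}

def hunt(iocs, tool_records):
    """Step 3: map each tool name to the feed IOCs seen in that tool's records."""
    wanted = {v for vals in iocs.values() for v in vals}
    hits = {}
    for tool, records in tool_records.items():
        seen = extract_iocs("\n".join(records))  # exact match, not substring
        matched = wanted & {v for vals in seen.values() for v in vals}
        if matched:
            hits[tool] = sorted(matched)
    return hits

# Constructed sample feed: one defanged URL, one malformed IP, one duplicate.
SAMPLE_FEED = """indicator,type
198.51.100.23,ip
hxxp://bad.example[.]com/payload.bin,url
0123456789ABCDEF0123456789ABCDEF,md5
999.10.10.10,ip
198.51.100.23,ip
"""
# Constructed records standing in for the tools a SOC would query.
SAMPLE_TOOLS = {
    "proxy_log": ["GET http://bad.example.com/payload.bin 200 host=ws-014"],
    "firewall_log": ["allow 10.0.4.17 -> 198.51.100.23:443",
                     "allow 10.0.4.18 -> 198.51.100.230:443"],
    "edr_log": ["ws-021 md5=ffffffffffffffffffffffffffffffff"],
}
if __name__ == "__main__":
    print(hunt(extract_iocs(SAMPLE_FEED), SAMPLE_TOOLS))
```

Matching on extracted tokens rather than raw substrings keeps `198.51.100.230` in the firewall log from being reported as a hit for `198.51.100.23`.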


To access Cortex XSOAR's playbooks and orchestration use cases, visit our GitHub playbook repository and see what's possible.


Unify security functions: By coordinating among different threat intelligence platforms, this playbook can enable security teams to have improved, centralized visibility over security data. It prevents the need for security teams to have multiple consoles open and perform these correlations manually.

Reactive and Proactive: This threat hunting playbook can be reactive - triggering every time there's a breach detected - or can be scheduled to run at regular intervals as a proactive scenario. Since security teams are busy fighting daily fires, they don't have time to conduct these checks and catch breaches before they manifest too heavily in user environments.

Improve investigation quality: Security orchestration platforms usually correlate intelligence from multiple tools so that security teams can quickly identify whether any attacks are isolated or persistent within their environments. In this example, the threat hunting playbook queries devices to check whether they were infected by IOCs and stores these device details for analysts to study and take subsequent action.

A Good Playbook Should Be...

Simple and intuitive: The playbook should ideally be represented as a task/process flow through a simple drag-and-drop graphical interface. Coding expertise shouldn't be a 'must-have' to make even the most complex playbooks, although each playbook’s code should also be available for analysts to tweak if required.

Primed for automation: Analysts should be able to automate the entire playbook in response to a phishing attack, greatly reducing response time, effort, and the possibility of human error for large-volume attacks. However, analysts should also be able to include manual steps in playbooks and require human intervention for sophisticated attacks.

Customizable: Analysts should be able to make copies of the standard playbook, modify it, or embed it in other playbooks as needed.

We hope you found this use case walk-through helpful. This is only a skeletal workflow - your own 'playbook' can be as simple or complex as your needs merit.

To see Cortex XSOAR in action, sign up for our free Community Edition.
