{"id":1039903,"date":"2021-11-05T22:16:08","date_gmt":"2021-11-06T02:16:08","guid":{"rendered":"https:\/\/www.euvolution.com\/prometheism-transhumanism-posthumanism\/uncategorized\/building-best-of-both-worlds-automation-and-threat-intel-with-swimlane-and-virustotal-part-one-security-boulevard\/"},"modified":"2021-11-05T22:16:08","modified_gmt":"2021-11-06T02:16:08","slug":"building-best-of-both-worlds-automation-and-threat-intel-with-swimlane-and-virustotal-part-one-security-boulevard","status":"publish","type":"post","link":"https:\/\/www.euvolution.com\/prometheism-transhumanism-posthumanism\/automation\/building-best-of-both-worlds-automation-and-threat-intel-with-swimlane-and-virustotal-part-one-security-boulevard\/","title":{"rendered":"Building Best-of-Both-Worlds Automation and Threat Intel With Swimlane and VirusTotal Part One &#8211; Security Boulevard"},"content":{"rendered":"<p><p>With extensive out-of-the-box integrations and an API-first architecture, Swimlane enables simple interoperability with any organization's existing security stack. Integrations for new and custom applications can also be easily developed using common scripting languages and a RESTful API.<\/p>\n<p>The new partnership between Swimlane and VirusTotal is a great example of this approach in action. 
In this two-part blog series, we'll start by taking a look at how we work together, and in part two, we'll share step-by-step guidance for users looking to go live with this powerful technology integration.<\/p>\n<p>VirusTotal's new VT Augment Widget feature gives Swimlane and other applications the ability to display up-to-date threat intelligence from right within the Swimlane platform, as well as returning immediately actionable intelligence detection ratios.<\/p>\n<p>This empowers analysts to drill down into the latest, most actionable intelligence and allows us to automate initial classification and triage from a single API call.<\/p>\n<p>How it works<\/p>\n<p>In order to integrate the new VT Augment functionality into Swimlane, we first had to decide how to architect the solution. The following workflow was decided upon, where:<\/p>\n<p>A Source Alert such as a Phishing Email or XDR Alert enters the Swimlane Platform<\/p>\n<p>External IP addresses<\/p>\n<p>Domains<\/p>\n<p>URLs<\/p>\n<p>File Hashes (SHA1\/SHA256\/MD5)<\/p>\n<p>query: The IOC for which we wish to obtain reputation information (required)<\/p>\n<p>fg1: The desired hex color of the main Widget text (optional)<\/p>\n<p>bg1: The desired primary background color in hex (optional)<\/p>\n<p>bg2: The desired secondary background color in hex (optional)<\/p>\n<p>bd1: The desired border color in hex (optional)<\/p>\n<p>url: The URL to use as an iframe src to display the VT Augment Widget<\/p>\n<p>detections: Number of positive VT engine detections<\/p>\n<p>total: Number of engines scanned against<\/p>\n<p>The returned detection ratio can be used to power initial determination of the IOC's maliciousness, and any automations based on prioritization or automatic determination of the IOC's nature. 
<\/p>\n<p>The returned URL is embedded in an iframe in a Swimlane Widget, where it remains ready for manual analysis.<\/p>\n<p>When an analyst opens the Threat Intelligence Record for the IOC, the Widget automatically renders, displaying the full results of the investigation from VirusTotal's VT Augment \/widget\/html endpoint.<\/p>\n<p>This workflow is documented in the following diagram:<\/p>\n<p>In part two, we'll walk through the process of adding VT Augment functionality to a Threat Intelligence Application in Swimlane.<\/p>\n<p>*** This is a Security Bloggers Network syndicated blog from Swimlane (en-US) authored by Nick Tausek. Read the original post at: <a href=\"https:\/\/swimlane.com\/blog\/building-best-of-both-worlds-automation-and-threat-intel-with-swimlane-and-virustotal-part-one\/\" rel=\"nofollow\">https:\/\/swimlane.com\/blog\/building-best-of-both-worlds-automation-and-threat-intel-with-swimlane-and-virustotal-part-one\/<\/a><\/p>\n<p>Read more from the original source:<\/p>\n<p><a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/securityboulevard.com\/2021\/11\/building-best-of-both-worlds-automation-and-threat-intel-with-swimlane-and-virustotal-part-one\/\" title=\"Building Best-of-Both-Worlds Automation and Threat Intel With Swimlane and VirusTotal Part One - Security Boulevard\">Building Best-of-Both-Worlds Automation and Threat Intel With Swimlane and VirusTotal Part One - Security Boulevard<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p> With extensive out-of-the-box integrations and an API-first architecture, Swimlane enables simple interoperability with any organization's existing security stack. Integrations for new and custom applications can also be easily developed using common scripting languages and a RESTful API. 
The new partnership between Swimlane and VirusTotal is a great example of this approach in action <a href=\"https:\/\/www.euvolution.com\/prometheism-transhumanism-posthumanism\/automation\/building-best-of-both-worlds-automation-and-threat-intel-with-swimlane-and-virustotal-part-one-security-boulevard\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":9,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[187732],"tags":[],"class_list":["post-1039903","post","type-post","status-publish","format-standard","hentry","category-automation"],"_links":{"self":[{"href":"https:\/\/www.euvolution.com\/prometheism-transhumanism-posthumanism\/wp-json\/wp\/v2\/posts\/1039903"}],"collection":[{"href":"https:\/\/www.euvolution.com\/prometheism-transhumanism-posthumanism\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.euvolution.com\/prometheism-transhumanism-posthumanism\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.euvolution.com\/prometheism-transhumanism-posthumanism\/wp-json\/wp\/v2\/users\/9"}],"replies":[{"embeddable":true,"href":"https:\/\/www.euvolution.com\/prometheism-transhumanism-posthumanism\/wp-json\/wp\/v2\/comments?post=1039903"}],"version-history":[{"count":0,"href":"https:\/\/www.euvolution.com\/prometheism-transhumanism-posthumanism\/wp-json\/wp\/v2\/posts\/1039903\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.euvolution.com\/prometheism-transhumanism-posthumanism\/wp-json\/wp\/v2\/media?parent=1039903"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.euvolution.com\/prometheism-transhumanism-posthumanism\/wp-json\/wp\/v2\/categories?post=1039903"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.euvolution.com\/prometheism-transhumanism-posthumanism\/wp-json\/wp\/v2\/tags?post=1039903"}],"curies":[{"name":"wp","hr
ef":"https:\/\/api.w.org\/{rel}","templated":true}]}}