├── Detect
│   ├── Analyst Review of System Alerts
│   │   ├── Analyst Review of System Alerts.bpmn
│   │   ├── Analyst_Review_of_System_Alerts.png
│   │   └── README.md
│   ├── Calculate IOC Risk Score
│   │   ├── Calculate IOC Risk Score.bpmn
│   │   ├── Calculate_IOC_Risk_Score.png
│   │   └── README.md
│   ├── Evaluate IOC
│   │   ├── Evaluate IOC.bpmn
│   │   ├── Evaluate_IOC.png
│   │   └── README.md
│   ├── ICS Asset Integrity Check
│   │   ├── ICS Asset Integrity Check.bpmn
│   │   ├── ICS_Asset_Integrity_Check.png
│   │   └── README.md
│   ├── Identify Systems and IOCs
│   │   ├── Identify Systems and IOCs.bpmn
│   │   ├── Identify_Systems_and_IOCs.png
│   │   └── README.md
│   ├── Monitor Account
│   │   ├── Monitor Account.bpmn
│   │   ├── Monitor_Account.png
│   │   └── README.md
│   ├── Monitor Internal System
│   │   ├── Monitor Internal System.bpmn
│   │   ├── Monitor_Internal_System.png
│   │   └── README.md
│   ├── Process AV-EDR Alert
│   │   ├── Process AV-EDR Alert.bpmn
│   │   ├── Process_AV-EDR_Alert.png
│   │   └── README.md
│   ├── Process Alert on Account
│   │   ├── Process Alert on Account.bpmn
│   │   ├── Process_Alert_on_Account.png
│   │   └── README.md
│   ├── Process ICS alert
│   │   ├── Process ICS alert.bpmn
│   │   ├── Process_ICS_alert.png
│   │   └── README.md
│   ├── Process Internal FW Alert
│   │   ├── Process Internal FW Alert.bpmn
│   │   ├── Process_Internal_FW_Alert.png
│   │   └── README.md
│   ├── Process Internal IDS Alert
│   │   ├── Process Internal IDS Alert.bpmn
│   │   ├── Process_Internal_IDS_Alert.png
│   │   └── README.md
│   ├── Process New IOCs
│   │   ├── Process New IOCs.bpmn
│   │   ├── Process_New_IOCs.png
│   │   └── README.md
│   ├── Process Service Heartbeat Failure
│   │   ├── Process Service Heartbeat Failure.bpmn
│   │   ├── Process_Service_Heartbeat_Failure.png
│   │   └── README.md
│   ├── Removable Media Alert
│   │   ├── README.md
│   │   ├── Removable Media Alert.bpmn
│   │   └── Removable_Media_Alert.png
│   ├── Rogue System Detected
│   │   ├── README.md
│   │   ├── Rogue System Detected.bpmn
│   │   └── Rogue_System_Detected.png
│   ├── Suspicious Email Submission Triage
│   │   ├── README.md
│   │   ├── Suspicious Email Submission Triage.bpmn
│   │   └── Suspicious_Email_Submission_Triage.png
│   └── System Response Type Review
│       ├── README.md
│       ├── System Response Type Review.bpmn
│       └── System_Response_Type_Review.png
├── Identify
│   ├── Create Submitter Behavior Profile
│   │   ├── Create Submitter Behavior Profile.bpmn
│   │   ├── Create_Submitter_Behavior_Profile.png
│   │   └── README.md
│   ├── Curate Incoming STIX messages
│   │   ├── Curate Incoming STIX messages.bpmn
│   │   ├── Curate_Incoming_STIX_messages.png
│   │   └── README.md
│   ├── Process Incoming CVE
│   │   ├── Process Incoming CVE.bpmn
│   │   ├── Process_Incoming_CVE.png
│   │   └── README.md
│   ├── Remove False Positive STIX Object
│   │   ├── README.md
│   │   ├── Remove False Positive STIX Object.bpmn
│   │   └── Remove_False_Positive_STIX_Object.png
│   ├── Review Submitted IDS Rules
│   │   ├── README.md
│   │   ├── Review Submitted IDS Rules.bpmn
│   │   └── Review_Submitted_IDS_Rules.png
│   ├── Share Event Information
│   │   ├── README.md
│   │   ├── Share Event Information.bpmn
│   │   └── Share_Event_Information.png
│   ├── Submit IOC Sighting
│   │   ├── README.md
│   │   ├── Submit IOC Sighting.bpmn
│   │   └── Submit_IOC_Sighting.png
│   └── Threat Intel Receipt
│       ├── README.md
│       ├── Threat Intel Receipt.bpmn
│       └── Threat_Intel_Receipt.png
├── Images
│   ├── BPMN_Workflow_Dependency_Map.png
│   └── Simple_BPMN_Guide.png
├── LICENSE
├── Protect
│   ├── CVE Patch Testing
│   │   ├── CVE Patch Testing.bpmn
│   │   ├── CVE_Patch_Testing.png
│   │   └── README.md
│   ├── Patch Systems for CVE
│   │   ├── Patch Systems for CVE.bpmn
│   │   ├── Patch_Systems_for_CVE.png
│   │   └── README.md
│   └── Verify CVE Patch Testing
│       ├── README.md
│       ├── Verify CVE Patch Testing.bpmn
│       └── Verify_CVE_Patch_Testing.png
├── README.md
├── Recover
│   ├── Blocked File Digest Review
│   │   ├── Blocked File Digest Review.bpmn
│   │   ├── Blocked_File_Digest_Review.png
│   │   └── README.md
│   ├── Monitor Threat Feed Ingest
│   │   ├── Monitor Threat Feed Ingest.bpmn
│   │   ├── Monitor_Threat_Feed_Ingest.png
│   │   └── README.md
│   └── Resolve IOC Block-Allow Conflict
│       ├── README.md
│       ├── Resolve IOC Block-Allow Conflict.bpmn
│       └── Resolve_IOC_Block-Allow_Conflict.png
├── Respond
│   ├── Account COA Alert Review
│   │   ├── Account COA Alert Review.bpmn
│   │   ├── Account_COA_Alert_Review.png
│   │   └── README.md
│   ├── Add Domain-URL to IDS
│   │   ├── Add Domain-URL to IDS.bpmn
│   │   ├── Add_Domain-URL_to_IDS.png
│   │   └── README.md
│   ├── Add Email to Blocked Senders List
│   │   ├── Add Email to Blocked Senders List.bpmn
│   │   ├── Add_Email_to_Blocked_Senders_List.png
│   │   └── README.md
│   ├── Add File Hash to IDS
│   │   ├── Add File Hash to IDS.bpmn
│   │   ├── Add_File_Hash_to_IDS.png
│   │   └── README.md
│   ├── Add IP to IDS
│   │   ├── Add IP to IDS.bpmn
│   │   ├── Add_IP_to_IDS.png
│   │   └── README.md
│   ├── Analyst review of Account Alert
│   │   ├── Analyst review of Account Alert.bpmn
│   │   ├── Analyst_review_of_Account_Alert.png
│   │   └── README.md
│   ├── Block Domain-URL at Firewall
│   │   ├── Block Domain-URL at Firewall.bpmn
│   │   ├── Block_Domain-URL_at_Firewall.png
│   │   └── README.md
│   ├── Block Domain-URL at Proxy
│   │   ├── Block Domain-URL at Proxy.bpmn
│   │   ├── Block_Domain-URL_at_Proxy.png
│   │   └── README.md
│   ├── Block Email to Email Security Appliance
│   │   ├── Block Email to Email Security Appliance.bpmn
│   │   ├── Block_Email_to_Email_Security_Appliance.png
│   │   └── README.md
│   ├── Block File at Endpoint
│   │   ├── Block File at Endpoint.bpmn
│   │   ├── Block_File_at_Endpoint.png
│   │   └── README.md
│   ├── Block IP at Firewall
│   │   ├── Block IP at Firewall.bpmn
│   │   ├── Block_IP_at_Firewall.png
│   │   └── README.md
│   ├── Evaluate IOC COAs
│   │   ├── Evaluate IOC COAs.bpmn
│   │   ├── Evaluate_IOC_COAs.png
│   │   └── README.md
│   ├── ICS Asset Mitigation
│   │   ├── ICS Asset Mitigation.bpmn
│   │   ├── ICS_Asset_Mitigation.png
│   │   └── README.md
│   ├── ICS Asset Recovery
│   │   ├── ICS Asset Recovery.bpmn
│   │   ├── ICS_Asset_Recovery.png
│   │   └── README.md
│   ├── Rebuild Server
│   │   ├── README.md
│   │   ├── Rebuild Server.bpmn
│   │   └── Rebuild_Server.png
│   ├── Reinstall Service
│   │   ├── README.md
│   │   ├── Reinstall Service.bpmn
│   │   └── Reinstall_Service.png
│   ├── Remediate Systems
│   │   ├── README.md
│   │   ├── Remediate Systems.bpmn
│   │   └── Remediate_Systems.png
│   ├── Select Heartbeat Failure COAs
│   │   ├── README.md
│   │   ├── Select Heartbeat Failure COAs.bpmn
│   │   └── Select_Heartbeat_Failure_COAs.png
│   └── System COA Alert Review
│       ├── README.md
│       ├── System COA Alert Review.bpmn
│       └── System_COA_Alert_Review.png
└── Use Case -- SLTT Pilot
    ├── IOCs from Email
    │   ├── ParseEmail.bpmn
    │   └── ParseEmail.png
    ├── Response to Domain IOC
    │   ├── Domain IOC Response Ex1.bpmn
    │   ├── Domain IOC Response Ex1.png
    │   ├── Response to Domain IOC Ex2.bpmn
    │   ├── Response to Domain IOC Ex2.png
    │   ├── Response to Domain IOC Ex3.bpmn
    │   ├── Response to Domain IOC Ex3.png
    │   ├── Response to Domain IOC Ex4.bpmn
    │   ├── Response to Domain IOC Ex4.png
    │   ├── Response to Domain IOC Ex5.bpmn
    │   └── Response to Domain IOC Ex5.png
    ├── Response to Email IOC
    │   ├── Response to Email IOC Ex1.bpmn
    │   ├── Response to Email IOC Ex1.png
    │   ├── Response to Email IOC Ex2.bpmn
    │   ├── Response to Email IOC Ex2.png
    │   ├── Response to Email IOC Ex3.bpmn
    │   └── Response to Email IOC Ex3.png
    ├── Response to File Hash IOC
    │   ├── Response to File Hash Ex1.bpmn
    │   ├── Response to File Hash Ex1.png
    │   ├── Response to File Hash IOC Ex2.bpmn
    │   ├── Response to File Hash IOC Ex2.png
    │   ├── Response to File Hash IOC Ex3.bpmn
    │   ├── Response to File Hash IOC Ex3.png
    │   ├── Response to File Hash IOC Ex4.bpmn
    │   └── Response to File Hash IOC Ex4.png
    ├── Response to IP IOC
    │   ├── Response to IP IOC Ex1.bpmn
    │   ├── Response to IP IOC Ex1.png
    │   ├── Response to IP IOC Ex2.bpmn
    │   ├── Response to IP IOC Ex2.png
    │   ├── Response to IP IOC Ex3.bpmn
    │   ├── Response to IP IOC Ex3.png
    │   ├── Response to IP IOC Ex4.bpmn
    │   └── Response to IP IOC Ex4.png
    ├── Shareable+Workflows+for+Scoring+and+Responding+to+Indicators+of+Compromise.pdf
    ├── Threat Feed Ingestion
    │   ├── Threat Feed Ingestion Ex1.bpmn
    │   ├── Threat Feed Ingestion Ex1.png
    │   ├── Threat Feed Ingestion Ex2.bpmn
    │   ├── Threat Feed Ingestion Ex2.png
    │   ├── Threat Feed Ingestion Ex3.bpmn
    │   └── Threat Feed Ingestion Ex3.png
    ├── Threat Feed
    │   ├── Domain_Regret_Workflow.bpmn
    │   ├── Domain_Regret_Workflow.png
    │   ├── Email_Workflow.bpmn
    │   ├── Email_Workflow.png
    │   ├── Filehash_Regret_Workflow.bpmn
    │   ├── Filehash_Regret_Workflow.png
    │   ├── High_Level_Process.bpmn
    │   ├── High_Level_Process.png
    │   ├── IP_Regret_Workflow.bpmn
    │   ├── IP_Regret_Workflow.png
    │   ├── Parse_IOC.bpmn
    │   ├── Parse_IOC.png
    │   ├── Post_Analyst_Workflow.bpmn
    │   ├── Post_Analyst_Workflow.png
    │   ├── Revocation_Workflow.bpmn
    │   ├── Revocation_Workflow.png
    │   ├── STIX_Workflow.bpmn
    │   └── STIX_Workflow.png
    └── Threat Intel Enrichment
        ├── Threat Enrichment.bpmn
        └── Threat Enrichment.png
/Detect/Analyst Review of System Alerts/Analyst Review of System Alerts.bpmn:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/Detect/Analyst Review of System Alerts/Analyst_Review_of_System_Alerts.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cisagov/shareable-soar-workflows/652202283acc54e8a947ba230e077d0eddc66245/Detect/Analyst Review of System Alerts/Analyst_Review_of_System_Alerts.png
--------------------------------------------------------------------------------
/Detect/Analyst Review of System Alerts/README.md:
--------------------------------------------------------------------------------
1 | # Analyst Review of System Alerts Detail
2 |
3 | ## Description
4 | The purpose of this workflow is to handle system alerts that do not fit identified
5 | thresholds for automated response. It is designed to gather all the relevant data from a
6 | SOAR case involving a system alert, create a ticket for a SOC analyst review and then
7 | notify the SOC of the ticket so that action can be decided.
8 |
9 | The workflow is called from the "Monitor Internal System" workflow.
10 |
11 | The end result is either to stop the workflow if the alert was deemed to be a false
12 | positive or to forward the data to the "System COA Alert Review" (Respond) workflow.
13 |
14 |
15 | ## Workflow
16 |
17 | 
--------------------------------------------------------------------------------
/Detect/Calculate IOC Risk Score/Calculate_IOC_Risk_Score.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cisagov/shareable-soar-workflows/652202283acc54e8a947ba230e077d0eddc66245/Detect/Calculate IOC Risk Score/Calculate_IOC_Risk_Score.png
--------------------------------------------------------------------------------
/Detect/Calculate IOC Risk Score/README.md:
--------------------------------------------------------------------------------
1 | # Calculate IOC Risk Score Detail
2 |
3 | ## Description
4 | The purpose of this workflow is to aid in the decision logic required to decide a
5 | course of action in response to an Indicator of Compromise (IOC). Its primary goal is
6 | to incorporate the risk associated with the IOC. To aid in this calculation, local
7 | enrichment data may be required. This can consist of a variety of sources, including
8 | (but not limited to):
9 | - Types of machines affected by the IOC
10 | - Whether an affected machine is a server or workstation
11 | - Any users associated with local activity involving the IOC
12 | - Core function of any affected assets
13 | - Missions supported by affected assets
14 | - Whether or not an affected system has a hot spare
15 | - The network location of any affected systems
16 | - The current patch level of any affected systems
17 |
18 | There are multiple kinds of risk that may apply to an IOC and these may result in
19 | different response options. These can include:
20 | - Vulnerability Risk
21 |   - This is often based on the severity of the potential machine compromise
22 | - Mission Risk
23 |   - The missions impacted by the IOC
24 |   - The criticality of the affected assets
25 |   - The level of impact to missions if assets are compromised
26 |   - The level of impact to missions if an asset is quarantined or offline
27 |
28 | This workflow is called by the "Evaluate IOC" (Detect) workflow.
29 |
30 | This workflow results in forwarding the information to the "Evaluate IOC COAs" (Respond)
31 | workflow.
32 |
33 | ## Workflow
34 |
35 | 
--------------------------------------------------------------------------------
/Detect/Evaluate IOC/Evaluate_IOC.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cisagov/shareable-soar-workflows/652202283acc54e8a947ba230e077d0eddc66245/Detect/Evaluate IOC/Evaluate_IOC.png
--------------------------------------------------------------------------------
/Detect/Evaluate IOC/README.md:
--------------------------------------------------------------------------------
1 | # Evaluate IOC Detail
2 |
3 | ## Description
4 | This workflow assists with the triage of incoming Indicators of Compromise (IOC).
5 |
6 | If an IOC is already blocked or if it is already on an Allow list, the workflow notes the
7 | receipt of the IOC and stops follow-on actions.
8 |
9 | For all other IOCs, the workflow collects information as to whether or not there is local
10 | prevalence for the IOC. This means determining whether any systems have visited the IP
11 | address, domain or URL, received files identified as an IOC, or received email from a
12 | sender identified as a malicious IOC.
13 |
14 | - For IOCs that have prevalence, this workflow will call the "Calculate IOC Risk Score"
15 | (Detect) workflow.
16 |
17 | - For IOCs that do not have prevalence, this workflow will call the "Evaluate IOC COAs"
18 | (Respond) workflow.
19 |
20 | This workflow is called from the "Process New IOCs" (Detect) workflow.
21 |
22 | ## Workflow
23 |
24 | 
--------------------------------------------------------------------------------
/Detect/ICS Asset Integrity Check/ICS_Asset_Integrity_Check.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cisagov/shareable-soar-workflows/652202283acc54e8a947ba230e077d0eddc66245/Detect/ICS Asset Integrity Check/ICS_Asset_Integrity_Check.png
--------------------------------------------------------------------------------
/Detect/ICS Asset Integrity Check/README.md:
--------------------------------------------------------------------------------
1 | # ICS Asset Integrity Check Detail
2 |
3 | ## Description
4 | This workflow is triggered when an internal alert is sent to SOAR and that alert involves
5 | an Industrial Control System (ICS) asset. The workflow will identify the assets from the
6 | alert and conduct integrity checks on the asset.
7 |
8 | `Note: an asset integrity check may consist of multiple automated workflows. These will
9 | be defined by the organization and are often based on the types of logs and data that can
10 | be collected for the asset.`
11 |
12 | - For assets that fail an integrity check, the "ICS Asset Mitigation" (Respond) workflow
13 | is called.
14 | - For assets that do not fail an integrity check, a ticket is generated for manual
15 | response and the automated workflow is cancelled.
16 |
17 | This workflow is called by the "System Response Type Review" (Detect) workflow.
18 |
19 | ## Workflow
20 |
21 | 
--------------------------------------------------------------------------------
/Detect/Identify Systems and IOCs/Identify_Systems_and_IOCs.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cisagov/shareable-soar-workflows/652202283acc54e8a947ba230e077d0eddc66245/Detect/Identify Systems and IOCs/Identify_Systems_and_IOCs.png
--------------------------------------------------------------------------------
/Detect/Identify Systems and IOCs/README.md:
--------------------------------------------------------------------------------
1 | # Identify Systems and IOCs Detail
2 |
3 | ## Description
4 | This workflow's purpose is to process a variety of internal alerts and identify
5 | appropriate follow-on actions.
6 |
7 | - For Indicators of Compromise (IOC) identified from the alert, the "Process New IOCs"
8 | (Detect) workflow is called.
9 | - For any affected systems identified from the alert, the "System Response Type Review"
10 | (Detect) workflow is called.
11 |
12 | This workflow may be called from a variety of other workflows including:
13 | - "Suspicious Email Submission Triage" (Detect)
14 | - "Process AV-EDR Alert" (Detect)
15 | - "Process Internal Firewall Alert" (Detect)
16 | - "Process Internal IDS Alert" (Detect)
17 | - "Process Service Heartbeat Failure" (Detect)
18 | - "Process ICS Alert" (Detect)
19 |
20 | ## Workflow
21 |
22 | 
--------------------------------------------------------------------------------
/Detect/Monitor Account/Monitor_Account.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cisagov/shareable-soar-workflows/652202283acc54e8a947ba230e077d0eddc66245/Detect/Monitor Account/Monitor_Account.png
--------------------------------------------------------------------------------
/Detect/Monitor Account/README.md:
--------------------------------------------------------------------------------
1 | # Monitor Account Detail
2 |
3 | ## Description
4 | This workflow extracts information on a user or service account for monitoring when an
5 | alert on the account meets the criteria for monitoring.
6 |
7 | - In the event that it appears to be an infrastructure breach, an urgent ticket is sent
8 | to the SOC and the automation terminates.
9 | - If criteria are met to cancel monitoring, the workflow terminates.
10 | - If criteria are met for action to be taken, the "Account COA Alert Review" (Respond)
11 | workflow is triggered.
12 | - If criteria are met for a manual review, the "Analyst Review of Account Alerts"
13 | (Respond) workflow is triggered.
14 |
15 | This workflow is called by the "Process Alert on Account" (Detect) workflow.
16 |
17 | ## Workflow
18 |
19 | 
--------------------------------------------------------------------------------
/Detect/Monitor Internal System/Monitor_Internal_System.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cisagov/shareable-soar-workflows/652202283acc54e8a947ba230e077d0eddc66245/Detect/Monitor Internal System/Monitor_Internal_System.png
--------------------------------------------------------------------------------
/Detect/Monitor Internal System/README.md:
--------------------------------------------------------------------------------
1 | # Monitor Internal System Detail
2 |
3 | ## Description
4 | This workflow collects additional data on potentially affected systems in response to an
5 | internal alert. It utilizes a fixed interval to collect data and review for follow-on
6 | action:
7 | - If the criteria are met to stop monitoring, the workflow is terminated.
8 | - If criteria are met to take action, the "System COA Alert Review" (Respond) workflow
9 | is triggered.
10 | - If criteria are met for a human review, the "Analyst Review of System Alerts" (Detect)
11 | workflow is triggered.
12 |
13 | This workflow is called by the "System Response Type Review" (Detect) workflow.
14 |
15 | ## Workflow
16 |
17 | 
--------------------------------------------------------------------------------
/Detect/Process AV-EDR Alert/Process AV-EDR Alert.bpmn:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/Detect/Process AV-EDR Alert/Process_AV-EDR_Alert.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cisagov/shareable-soar-workflows/652202283acc54e8a947ba230e077d0eddc66245/Detect/Process AV-EDR Alert/Process_AV-EDR_Alert.png
--------------------------------------------------------------------------------
/Detect/Process AV-EDR Alert/README.md:
--------------------------------------------------------------------------------
1 | # Process AV-EDR Alert Detail
2 |
3 | ## Description
4 | This workflow is triggered by a new alert present from Antivirus or Endpoint Detection and
5 | Response (EDR) infrastructure.
6 |
7 | - If criteria are met for taking action or for collecting more data, the "Identify Systems
8 | and IOCs" (Detect) workflow is triggered.
9 | - In all other cases, the workflow will terminate.
10 |
11 | ## Workflow
12 |
13 | 
--------------------------------------------------------------------------------
/Detect/Process Alert on Account/Process Alert on Account.bpmn:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/Detect/Process Alert on Account/Process_Alert_on_Account.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cisagov/shareable-soar-workflows/652202283acc54e8a947ba230e077d0eddc66245/Detect/Process Alert on Account/Process_Alert_on_Account.png
--------------------------------------------------------------------------------
/Detect/Process Alert on Account/README.md:
--------------------------------------------------------------------------------
1 | # Process Alert on Account Detail
2 |
3 | ## Description
4 | This workflow is designed to start when a new alert is present that involves an internal
5 | account. It is envisioned that this would be a triggering alert from a SIEM, but it could
6 | be customized for other environments.
7 |
8 | - If the alert meets criteria for taking action, the "Account COA Alert Review" (Respond)
9 | workflow is triggered.
10 | - If the alert meets criteria for more data collection, the "Monitor Account" (Detect)
11 | workflow is triggered.
12 | - In all other cases, the workflow will terminate.
13 |
14 | ## Workflow
15 |
16 | 
--------------------------------------------------------------------------------
/Detect/Process ICS alert/Process_ICS_alert.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cisagov/shareable-soar-workflows/652202283acc54e8a947ba230e077d0eddc66245/Detect/Process ICS alert/Process_ICS_alert.png
--------------------------------------------------------------------------------
/Detect/Process ICS alert/README.md:
--------------------------------------------------------------------------------
1 | # Process ICS alert Detail
2 |
3 | ## Description
4 | This workflow is triggered by a new alert present in the SIEM that originates from an
5 | Industrial Control System network.
6 |
7 | - If the affected ICS asset can be identified, the "Identify Systems and IOCs" (Detect)
8 | workflow is triggered.
9 | - If the asset cannot be identified but the alert is actionable, an operator is notified
10 | to respond to the issue.
11 | - In all other cases, the information is appended to a digest and the workflow terminates.
12 |
13 | ## Workflow
14 |
15 | 
--------------------------------------------------------------------------------
/Detect/Process Internal FW Alert/Process Internal FW Alert.bpmn:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/Detect/Process Internal FW Alert/Process_Internal_FW_Alert.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cisagov/shareable-soar-workflows/652202283acc54e8a947ba230e077d0eddc66245/Detect/Process Internal FW Alert/Process_Internal_FW_Alert.png
--------------------------------------------------------------------------------
/Detect/Process Internal FW Alert/README.md:
--------------------------------------------------------------------------------
1 | # Process Internal FW Alert Detail
2 |
3 | ## Description
4 | This workflow is triggered by a new alert present from the firewall that involves
5 | an internal system on the network.
6 |
7 | - If criteria are met for taking action or for collecting more data, the "Identify Systems
8 | and IOCs" (Detect) workflow is triggered.
9 | - In all other cases, the workflow will terminate.
10 | ## Workflow
11 |
12 | 
--------------------------------------------------------------------------------
/Detect/Process Internal IDS Alert/Process Internal IDS Alert.bpmn:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/Detect/Process Internal IDS Alert/Process_Internal_IDS_Alert.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cisagov/shareable-soar-workflows/652202283acc54e8a947ba230e077d0eddc66245/Detect/Process Internal IDS Alert/Process_Internal_IDS_Alert.png
--------------------------------------------------------------------------------
/Detect/Process Internal IDS Alert/README.md:
--------------------------------------------------------------------------------
1 | # Process Internal IDS Alert Detail
2 |
3 | ## Description
4 | This workflow is triggered by a new alert present from the Intrusion Detection System
5 | (IDS) that involves traffic to or from an internal system.
6 |
7 | - If criteria are met for taking action or for collecting more data, the "Identify Systems
8 | and IOCs" (Detect) workflow is triggered.
9 | - In all other cases, the workflow will terminate.
10 |
11 | ## Workflow
12 |
13 | 
--------------------------------------------------------------------------------
/Detect/Process New IOCs/Process_New_IOCs.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cisagov/shareable-soar-workflows/652202283acc54e8a947ba230e077d0eddc66245/Detect/Process New IOCs/Process_New_IOCs.png
--------------------------------------------------------------------------------
/Detect/Process New IOCs/README.md:
--------------------------------------------------------------------------------
1 | # Process New IOCs Detail
2 |
3 | ## Description
4 | This workflow begins the process of determining the appropriate action for a received
5 | Indicator of Compromise (IOC). The workflow will check relevant block and allow lists to
6 | determine if the IOC is on either of those lists.
7 |
8 | - For IOCs that have been found on both a block and allow list, the "Resolve IOC Block -
9 | Allow Conflict" (Recover) workflow is triggered.
10 | - For IOCs that are new, from a new source, updated after a 7 day period, and/or meet the
11 | criteria for sharing IOCs, the "Evaluate IOC" (Detect) workflow is triggered.
12 | - For all other cases, the workflow will terminate.
13 |
14 | This workflow can be called from the following workflows:
15 | - "Identify Systems and IOCs" (Detect)
16 | - "Threat Intel Receipt" (Identify)
17 |
18 | ## Workflow
19 |
20 | 
--------------------------------------------------------------------------------
/Detect/Process Service Heartbeat Failure/Process_Service_Heartbeat_Failure.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cisagov/shareable-soar-workflows/652202283acc54e8a947ba230e077d0eddc66245/Detect/Process Service Heartbeat Failure/Process_Service_Heartbeat_Failure.png
--------------------------------------------------------------------------------
/Detect/Process Service Heartbeat Failure/README.md:
--------------------------------------------------------------------------------
1 | # Process Service Heartbeat Failure Detail
2 |
3 | ## Description
4 | This workflow is triggered when a service fails to deliver the required heartbeat messages
5 | within an approved threshold. The workflow will collect all available information on
6 | both the service and the hosting server.
7 |
8 | - If the heartbeat failure is determined to be a false positive, the workflow will
9 | terminate.
10 | - Otherwise, the workflow will attempt to migrate to a hot spare if available and the
11 | "Identify Systems and IOCs" (Detect) workflow will be triggered.
12 |
13 | ## Workflow
14 |
15 | 
--------------------------------------------------------------------------------
/Detect/Removable Media Alert/README.md:
--------------------------------------------------------------------------------
1 | # Removable Media Alert Detail
2 |
3 | ## Description
4 | This workflow is triggered by an alert on the use of removable media. The workflow will
5 | identify the user who attempted to use removable media and collect the relevant
6 | information on the user and the attempt.
7 | - If the user was allowed removable media use, a ticket is created to resolve the error
8 | causing the alert.
9 | - If the user is not allowed removable media use, a ticket is created so that the SOC
10 | may resolve the issue with the user.
11 |
12 | ## Workflow
13 |
14 | 
--------------------------------------------------------------------------------
/Detect/Removable Media Alert/Removable_Media_Alert.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cisagov/shareable-soar-workflows/652202283acc54e8a947ba230e077d0eddc66245/Detect/Removable Media Alert/Removable_Media_Alert.png
--------------------------------------------------------------------------------
/Detect/Rogue System Detected/README.md:
--------------------------------------------------------------------------------
1 | # Rogue System Detected Detail
2 |
3 | ## Description
4 | This workflow handles alerts when an unrecognized system attempts to connect to the
5 | network.
6 |
7 | - In the event that the unrecognized system is successfully connected to the production
8 | network, the SOC is notified for immediate response.
9 | - In other cases, the workflow will attempt to identify which approved users, if any,
10 | are attempting to connect the system, and the SOC will be notified via a ticket that has
11 | been enriched with as much information as can be captured about the unauthorized
12 | system. The decision on whether to allow or ban the system is left to the SOC.
13 |
14 | ## Workflow
15 |
16 | 
--------------------------------------------------------------------------------
/Detect/Rogue System Detected/Rogue_System_Detected.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cisagov/shareable-soar-workflows/652202283acc54e8a947ba230e077d0eddc66245/Detect/Rogue System Detected/Rogue_System_Detected.png
--------------------------------------------------------------------------------
/Detect/Suspicious Email Submission Triage/README.md:
--------------------------------------------------------------------------------
1 | # Suspicious Email Submission Triage Detail
2 |
3 | ## Description
4 | This workflow is initiated when a user forwards a suspicious email to the SOC phishing
5 | triage inbox. The workflow will extract all potential IOCs from the email, compare those
6 | IOCs against known allow and block lists, and collect reputation information on the IOCs.
7 |
8 | - For any IOCs on both allow and block lists, that status will be annotated to the case
9 | and the "Identify Systems and IOCs" (Detect) workflow will be triggered.
10 | - Any IOCs with unknown status will cause the "Identify Systems and IOCs" (Detect)
11 | workflow to be triggered as well.
12 | - For known malicious IOCs, the user will receive an email notifying them that the mail
13 | was in fact malicious and the workflow will terminate.
14 | - If all IOCs are known good, the user will be notified that the message was not
15 | malicious and the workflow will terminate.
16 |
17 | ## Workflow
18 |
19 | 
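
The extraction, allow/block comparison and branch selection described above, as an added Python example; this is not code from the cisagov repository. The list contents, the three sample messages and the branch labels are constructed, and two decisions are assumptions of the example: a URL whose own status is unknown inherits the status of its host, and a conflict or an unknown IOC takes precedence over a clean malicious or benign call because the case still needs investigation.

```python
"""Suspicious-email triage: pull IOCs out of a forwarded message, check them against
allow and block lists, and choose the workflow branch. Added example, not code from the
cisagov repository; the lists, sample messages and branch labels are constructed."""
from __future__ import annotations

import email
import re
from email import policy

# Constructed lists; 203.0.113.10 sits on both to exercise the conflict branch.
ALLOW_LIST = {"example.com", "203.0.113.10"}
BLOCK_LIST = {"evil.example.net", "198.51.100.7", "203.0.113.10",
              "44d88612fea8a8f36de82e1278abb02f"}  # EICAR test-file MD5

# Users usually defang what they forward (hxxp, [.]), so refang before matching.
_DEFANG = [(re.compile(r"hxxp", re.I), "http"),
           (re.compile(r"\[\.\]|\(\.\)|\{\.\}"), ".")]
_URL = re.compile(r"https?://[^\s<>]+", re.I)
_IPV4 = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
_DOMAIN = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
_HASH = re.compile(r"\b(?:[a-f0-9]{64}|[a-f0-9]{40}|[a-f0-9]{32})\b", re.I)


def refang(text: str) -> str:
    for pattern, replacement in _DEFANG:
        text = pattern.sub(replacement, text)
    return text


def host_of(url: str) -> str:
    return re.sub(r"^https?://", "", url, flags=re.I).split("/")[0].split(":")[0].lower()


def extract_iocs(raw_message: bytes) -> set[str]:
    """Candidate IOCs from the body plus the sender-controlled headers."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    parts = [str(msg.get("From", "")), str(msg.get("Reply-To", ""))]
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            parts.append(part.get_content())
    text = refang("\n".join(parts))
    iocs = set()
    for url in _URL.findall(text):
        url = url.rstrip(".,;)")
        iocs.update((url, host_of(url)))
    iocs.update(d.lower() for d in _DOMAIN.findall(text))
    iocs.update(_IPV4.findall(text))
    iocs.update(h.lower() for h in _HASH.findall(text))
    return iocs


def lookup(value: str) -> str:
    on_allow, on_block = value in ALLOW_LIST, value in BLOCK_LIST
    if on_allow and on_block:
        return "conflict"
    return "malicious" if on_block else "known_good" if on_allow else "unknown"


def classify(iocs: set[str]) -> dict[str, str]:
    status = {}
    for ioc in iocs:
        verdict = lookup(ioc)
        if verdict == "unknown" and ioc.lower().startswith(("http://", "https://")):
            verdict = lookup(host_of(ioc))  # assumption: a URL inherits its host's status
        status[ioc] = verdict
    return status


def triage(raw_message: bytes) -> tuple[str, dict[str, str]]:
    """Map per-IOC statuses onto the four branches. Precedence is an assumption:
    anything needing investigation (conflict, unknown) beats a clean verdict."""
    status = classify(extract_iocs(raw_message))
    seen = set(status.values())
    if "conflict" in seen:
        return "Identify Systems and IOCs (conflict annotated on case)", status
    if "unknown" in seen:
        return "Identify Systems and IOCs", status
    if "malicious" in seen:
        return "notify user: malicious", status
    return "notify user: not malicious", status


# Constructed sample submissions (not real messages).
SAMPLE_PHISH = b"""From: "IT Helpdesk" <attacker@evil.example.net>
Reply-To: attacker@evil.example.net
To: user@corp.example.com
Subject: Password expiry
Content-Type: text/plain; charset="utf-8"

Your password expires today. Reset it at hxxps://evil[.]example[.]net/reset
or call 198.51.100.7. Attached tool MD5 44d88612fea8a8f36de82e1278abb02f.
"""
SAMPLE_BENIGN = b"""From: newsletter@example.com
Content-Type: text/plain; charset="utf-8"

Read this month's notes at https://example.com/news/march
"""
SAMPLE_CONFLICT = b"""From: ops@example.com
Content-Type: text/plain; charset="utf-8"

Please let 203.0.113.10 through the perimeter firewall.
"""
```

`triage(SAMPLE_PHISH)` lands on the malicious branch because every extracted IOC (sender domain, callback IP, attachment hash, and the URL via its host) is block-listed; `SAMPLE_CONFLICT` shows why the conflict branch is checked first: a single address that is on both lists is a list-hygiene problem, not a verdict.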
--------------------------------------------------------------------------------
/Detect/Suspicious Email Submission Triage/Suspicious_Email_Submission_Triage.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cisagov/shareable-soar-workflows/652202283acc54e8a947ba230e077d0eddc66245/Detect/Suspicious Email Submission Triage/Suspicious_Email_Submission_Triage.png
--------------------------------------------------------------------------------
/Detect/System Response Type Review/README.md:
--------------------------------------------------------------------------------
1 | # System Response Type Review Detail
2 |
3 | ## Description
4 | This workflow will forward cases based on alerts to the appropriate subsequent workflows.
5 |
6 | - For cases based on heartbeat failure alerts, the "Select Heartbeat Failure COA"
7 | (Respond) workflow is triggered.
8 | - For cases based on ICS alerts, the "ICS Asset Integrity Check" (Detect)
9 | workflow is triggered.
10 | - For cases that meet policy thresholds for automated response, the "System COA Alert
11 | Review" (Respond) workflow is triggered.
12 | - For cases that meet policy thresholds for monitoring, the "Monitor Internal System"
13 | (Detect) workflow is triggered.
14 | - For all other cases, the workflow terminates.
15 |
16 | This workflow is called from the "Identify Systems and IOCs" (Detect) workflow.
17 |
18 | ## Workflow
19 |
20 | 
--------------------------------------------------------------------------------
/Detect/System Response Type Review/System_Response_Type_Review.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cisagov/shareable-soar-workflows/652202283acc54e8a947ba230e077d0eddc66245/Detect/System Response Type Review/System_Response_Type_Review.png
--------------------------------------------------------------------------------
/Identify/Create Submitter Behavior Profile/Create_Submitter_Behavior_Profile.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cisagov/shareable-soar-workflows/652202283acc54e8a947ba230e077d0eddc66245/Identify/Create Submitter Behavior Profile/Create_Submitter_Behavior_Profile.png
--------------------------------------------------------------------------------
/Identify/Create Submitter Behavior Profile/README.md:
--------------------------------------------------------------------------------
1 | # Create Submitter Behavior Profile Detail
2 |
3 | ## Description
4 | This workflow creates profiles for threat intelligence submitters so an organization may
5 | apply policy on submitted IOCs, TTPs, or other artifacts (such as IDS rules) based on that
6 | organization's opinion of the submitter's quality.
7 |
8 | - If a submitter's activity has met the threshold for creating a new profile, the original
9 | profile is archived and the profile is re-initialized.
10 | - For intelligence submissions that are deemed false positives, the submitter's reputation
11 | is updated and the relevant STIX files are deleted from the Threat Intelligence Platform
12 | (TIP).
13 | - For intelligence submissions that are valid, the submitter profile is updated and the
14 | STIX is confirmed in the TIP.
15 | - If enough data has been collected to complete the profile, the automation will flag the
16 | profile as complete and will stop processing for that submitter unless it is flagged for
17 | re-baseline in the future.
18 |
19 | This workflow can be called from the following workflows:
20 |
21 | - "Curate Incoming STIX messages" (Identify)
22 | - "Remove False Positive STIX Object" (Identify)
23 |
24 | ## Workflow
25 |
26 | 
--------------------------------------------------------------------------------
/Identify/Curate Incoming STIX messages/Curate_Incoming_STIX_messages.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cisagov/shareable-soar-workflows/652202283acc54e8a947ba230e077d0eddc66245/Identify/Curate Incoming STIX messages/Curate_Incoming_STIX_messages.png
--------------------------------------------------------------------------------
/Identify/Curate Incoming STIX messages/README.md:
--------------------------------------------------------------------------------
1 | # Curate Incoming STIX messages Detail
2 |
3 | ## Description
4 | This workflow reviews submitted STIX messages to determine their validity and whether
5 | modifications are needed to the submitter's profile.
6 |
7 | The data in the STIX object is first reviewed against
8 | a set of rules determined by the SOC. In the event that the STIX object fails
9 | a rule check, a ticket is generated for the Threat Intelligence analyst to determine if it
10 | truly fails the rule check.
11 |
12 | If the object passes the rule check, it is then reviewed against behavior analytics based on
13 | the submitter's profile. Failure of the behavior check results in a ticket for the Threat
14 | Intelligence Analyst to determine if it truly fails the behavior check.
15 |
16 | - For submitters that do not have a behavior profile, the "Create Submitter Behavior
17 | Profile" (Identify) workflow is triggered.
18 | - For STIX objects that pass both checks, the "Threat Intel Receipt" (Identify) workflow is
19 | triggered.
20 | - For STIX objects that also meet the threshold for sharing, the object is published to a
21 | TAXII server for sharing.
22 | - For STIX objects that fail either check, the STIX is marked as a false positive and the
23 | "Remove False Positive STIX Object" (Identify) workflow is triggered.
24 |
25 | ## Workflow
26 |
27 | 
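
The two checks and the routing above, together with the profile bookkeeping described under "Create Submitter Behavior Profile" and "Remove False Positive STIX Object", as an added Python example; this is not code from the cisagov repository. The rule set, the thresholds, the identifiers and the sample indicator objects are all assumptions made for illustration: a real deployment takes its rule set from the SOC and waits for the analyst's ticket decision before marking an object as a false positive.

```python
"""Rule check, behavior check and routing for an incoming STIX 2.1 indicator, plus the
submitter-profile bookkeeping of the Create Submitter Behavior Profile and Remove False
Positive STIX Object workflows. Added example, not cisagov code; the rule set, thresholds,
identifiers and sample objects are assumptions."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical policy thresholds.
MIN_HISTORY = 5        # submissions before the behavior check is applied
MAX_FP_RATE = 0.4      # above this, the submitter's objects get a ticket
REBASELINE_FPS = 10    # false positives that trigger a profile re-baseline
SHARE_CONFIDENCE = 80  # confidence at or above which an object is re-shared

_ID = re.compile(r"^indicator--[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$")
_IPV4_PATTERN = re.compile(r"^\[ipv4-addr:value\s*=\s*'([^']+)'\]$")
_INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class SubmitterProfile:
    submitter: str
    submitted: int = 0
    false_positives: int = 0


def parse_ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def run_rules(obj: dict, now: datetime) -> list[str]:
    """Hypothetical SOC rule set; returns the failed checks."""
    if obj.get("type") != "indicator":
        return [f"unsupported type {obj.get('type')!r}"]
    required = ("id", "pattern", "pattern_type", "valid_from", "created_by_ref")
    errors = [f"missing {key}" for key in required if key not in obj]
    if errors:
        return errors
    if not _ID.match(obj["id"]):
        errors.append("malformed id")
    try:
        if parse_ts(obj["valid_from"]) > now + timedelta(days=1):
            errors.append("valid_from is in the future")
    except ValueError:
        errors.append("unparseable valid_from")
    # An indicator for our own address space would become a self-inflicted block.
    match = _IPV4_PATTERN.match(obj["pattern"])
    if match:
        try:
            addr = ipaddress.ip_address(match.group(1))
            if any(addr in net for net in _INTERNAL):
                errors.append(f"{addr} is an internal address")
        except ValueError:
            errors.append("invalid IPv4 address in pattern")
    return errors


def behavior_check(profile: SubmitterProfile) -> list[str]:
    if profile.submitted < MIN_HISTORY:
        return []  # not enough history to judge this submitter yet
    rate = profile.false_positives / profile.submitted
    if rate > MAX_FP_RATE:
        return [f"false-positive rate {rate:.0%} exceeds {MAX_FP_RATE:.0%}"]
    return []


def curate(obj: dict, profiles: dict[str, SubmitterProfile], now: datetime) -> dict:
    """Returns the tickets raised and the workflows to trigger next, in order."""
    result = {"tickets": [], "next": []}
    submitter = obj.get("created_by_ref", "unknown")
    profile = profiles.get(submitter)
    if profile is None:
        profile = profiles[submitter] = SubmitterProfile(submitter)
        result["next"].append("Create Submitter Behavior Profile")
    profile.submitted += 1
    errors, stage = run_rules(obj, now), "rule-check"
    if not errors:
        errors, stage = behavior_check(profile), "behavior-check"
    if errors:
        # Modelled as a confirmed failure; the real workflow waits for the
        # analyst's decision on the ticket before taking this branch.
        result["tickets"].append((stage, errors))
        result["next"].append("Remove False Positive STIX Object")
    else:
        result["next"].append("Threat Intel Receipt")
        if obj.get("confidence", 0) >= SHARE_CONFIDENCE:
            result["next"].append("publish to TAXII")
    return result


def remove_false_positive(profile: SubmitterProfile) -> bool:
    """Update the profile; True when the re-baseline threshold is reached."""
    profile.false_positives += 1
    return profile.false_positives >= REBASELINE_FPS


# Constructed sample objects.
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)
SUBMITTER = "identity--9c6d2e1f-4a5b-4c6d-8e7f-0a1b2c3d4e5f"
GOOD = {"type": "indicator", "id": "indicator--3f7d1c26-8a3e-4b1c-9e7f-1a2b3c4d5e6f",
        "created_by_ref": SUBMITTER, "pattern_type": "stix",
        "pattern": "[domain-name:value = 'evil.example.net']",
        "valid_from": "2024-02-28T00:00:00.000Z", "confidence": 85}
INTERNAL_HOST = dict(GOOD, id="indicator--7b2e9d40-11aa-4c3d-9f6e-5a4b3c2d1e0f",
                     pattern="[ipv4-addr:value = '10.1.2.3']")
```

`curate` returns the routing instead of triggering anything, so the gate can be exercised offline against a `profiles` dict; the first object from an unknown submitter yields the profile-creation hand-off before the object's own outcome, and `remove_false_positive` returning `True` is the point at which the re-baseline hand-off back to "Create Submitter Behavior Profile" fires.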
--------------------------------------------------------------------------------
/Identify/Process Incoming CVE/Process_Incoming_CVE.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cisagov/shareable-soar-workflows/652202283acc54e8a947ba230e077d0eddc66245/Identify/Process Incoming CVE/Process_Incoming_CVE.png
--------------------------------------------------------------------------------
/Identify/Process Incoming CVE/README.md:
--------------------------------------------------------------------------------
1 | # Process Incoming CVE Detail
2 |
3 | ## Description
4 | This workflow is triggered when a new Common Vulnerabilities and Exposures (CVE) message
5 | is received.
6 |
7 | - For CVEs that have already been addressed, the workflow terminates.
8 | - For CVEs that have no presence in the network, vulnerability scanners are updated, the
9 | CVE is marked as Not Applicable, and the workflow terminates.
10 | - For CVEs whose risk or severity meet the threshold for response, the "CVE Patch Testing"
11 | (Protect) workflow is triggered.
12 | - For all other CVEs, a ticket is generated for the Network Operations Center (NOC) to
13 | address the CVE within approved policy.
14 |
15 | ## Workflow
16 |
17 | 
--------------------------------------------------------------------------------
/Identify/Remove False Positive STIX Object/README.md:
--------------------------------------------------------------------------------
1 | # Remove False Positive STIX Object Detail
2 |
3 | ## Description
4 | This workflow processes STIX objects that have been marked as false positives. It will
5 | delete the STIX object from the Threat Intelligence Platform (TIP) and update the
6 | submitter's behavior profile.
7 |
8 | - If policy thresholds have been met to justify a re-baseline of the submitter profile, the
9 | "Create Submitter Behavior Profile" (Identify) workflow is triggered.
10 | - In all other cases, the workflow terminates.
11 |
12 | This workflow is called from the "Curate Incoming STIX messages" (Identify) workflow.
13 |
14 | ## Workflow
15 |
16 | 
--------------------------------------------------------------------------------
/Identify/Remove False Positive STIX Object/Remove_False_Positive_STIX_Object.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cisagov/shareable-soar-workflows/652202283acc54e8a947ba230e077d0eddc66245/Identify/Remove False Positive STIX Object/Remove_False_Positive_STIX_Object.png
--------------------------------------------------------------------------------
/Identify/Review Submitted IDS Rules/README.md:
--------------------------------------------------------------------------------
1 | # Review Submitted IDS Rules Detail
2 |
3 | ## Description
4 | This workflow processes Intrusion Detection System (IDS) rules that have been submitted
5 | by outside organizations. It creates a ticket for SOC analyst review.
6 |
7 | - If the SOC approves the rule, the workflow will add the rule to the IDS and then
8 | terminate.
9 | - If the SOC rejects the rule, the workflow will terminate.
10 |
11 | This workflow is called by the "Threat Intel Receipt" (Identify) workflow.
12 |
13 | ## Workflow
14 |
15 | 
--------------------------------------------------------------------------------
/Identify/Review Submitted IDS Rules/Review Submitted IDS Rules.bpmn:
--------------------------------------------------------------------------------
(The XML markup of this file did not survive extraction; only the sequence-flow references
carried by its flow nodes remain. Grouped by node, in document order:)
  node 1: out Flow_17f67ig
  node 2: in Flow_17f67ig; out Flow_1xmouus
  node 3: in Flow_1xmouus; out Flow_042idd3
  node 4: in Flow_042idd3; out Flow_0pr1pt4
  node 5: in Flow_0pr1pt4; out Flow_1knmvoa
  node 6: in Flow_1knmvoa; out Flow_1758zul, Flow_08d5rpk
  node 7: in Flow_1758zul; out Flow_0awq1ry
  node 8: in Flow_17tiry4
  node 9: in Flow_0awq1ry, Flow_08d5rpk; out Flow_17tiry4
--------------------------------------------------------------------------------
/Identify/Review Submitted IDS Rules/Review_Submitted_IDS_Rules.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cisagov/shareable-soar-workflows/652202283acc54e8a947ba230e077d0eddc66245/Identify/Review Submitted IDS Rules/Review_Submitted_IDS_Rules.png
--------------------------------------------------------------------------------
/Identify/Share Event Information/README.md:
--------------------------------------------------------------------------------
1 | # Share Event Information Detail
2 |
3 | ## Description
4 | This workflow formats information from a security case that has been marked for sharing.
5 | It creates a ticket for the Threat Intelligence team to review the shared data and mark
6 | the IOCs, IDS rules, and COAs that should be shared with the organization's
7 | community. The approved data is then formatted into STIX by the automation and shared via
8 | a TAXII server upload.
9 |
10 | This workflow may be called by the following workflows:
11 | - "Evaluate IOC COAs" (Respond)
12 | - "System COA Alert Review" (Respond)
13 |
14 | ## Workflow
15 |
16 | 
--------------------------------------------------------------------------------
/Identify/Share Event Information/Share_Event_Information.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cisagov/shareable-soar-workflows/652202283acc54e8a947ba230e077d0eddc66245/Identify/Share Event Information/Share_Event_Information.png
--------------------------------------------------------------------------------
/Identify/Submit IOC Sighting/README.md:
--------------------------------------------------------------------------------
1 | # Submit IOC Sighting Detail
2 |
3 | ## Description
4 | This workflow gathers and submits sighting data for an IOC when it has met an
5 | organization's policy for sighting submission. It formats and submits based on the
6 | organization's preferred method for sharing.
7 |
8 | This workflow is called by the "Evaluate IOC COAs" (Respond) workflow.
9 |
10 | ## Workflow
11 |
12 | 
--------------------------------------------------------------------------------
/Identify/Submit IOC Sighting/Submit_IOC_Sighting.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cisagov/shareable-soar-workflows/652202283acc54e8a947ba230e077d0eddc66245/Identify/Submit IOC Sighting/Submit_IOC_Sighting.png
--------------------------------------------------------------------------------
/Identify/Threat Intel Receipt/README.md:
--------------------------------------------------------------------------------
1 | # Threat Intel Receipt Detail
2 |
3 | ## Description
4 | This workflow processes the new information found in a received STIX object.
5 |
6 | - If no new data is found in the STIX object, the workflow terminates.
7 | - IOCs found in the STIX object are extracted and the "Process New IOCs" (Detect) workflow is
8 | triggered.
9 | - IDS rules found in the STIX object are extracted and the "Review Submitted IDS Rules"
10 | (Identify) workflow is triggered.
11 | - COAs received in the STIX object are formatted into a ticket for the SOC to review and
12 | determine whether and how to employ the COA.
13 |
14 | This workflow is called by the "Curate Incoming STIX Messages" (Identify) workflow.
15 |
16 | ## Workflow
17 |
18 | 
--------------------------------------------------------------------------------
/Identify/Threat Intel Receipt/Threat_Intel_Receipt.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cisagov/shareable-soar-workflows/652202283acc54e8a947ba230e077d0eddc66245/Identify/Threat Intel Receipt/Threat_Intel_Receipt.png
--------------------------------------------------------------------------------
/Images/BPMN_Workflow_Dependency_Map.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cisagov/shareable-soar-workflows/652202283acc54e8a947ba230e077d0eddc66245/Images/BPMN_Workflow_Dependency_Map.png
--------------------------------------------------------------------------------
/Images/Simple_BPMN_Guide.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cisagov/shareable-soar-workflows/652202283acc54e8a947ba230e077d0eddc66245/Images/Simple_BPMN_Guide.png
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | Creative Commons Legal Code
2 |
3 | CC0 1.0 Universal
4 |
5 | CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE
6 | LEGAL SERVICES. DISTRIBUTION OF THIS DOCUMENT DOES NOT CREATE AN
7 | ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS
8 | INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES
9 | REGARDING THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS
10 | PROVIDED HEREUNDER, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM
11 | THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED
12 | HEREUNDER.
13 |
14 | Statement of Purpose
15 |
16 | The laws of most jurisdictions throughout the world automatically confer
17 | exclusive Copyright and Related Rights (defined below) upon the creator
18 | and subsequent owner(s) (each and all, an "owner") of an original work of
19 | authorship and/or a database (each, a "Work").
20 |
21 | Certain owners wish to permanently relinquish those rights to a Work for
22 | the purpose of contributing to a commons of creative, cultural and
23 | scientific works ("Commons") that the public can reliably and without fear
24 | of later claims of infringement build upon, modify, incorporate in other
25 | works, reuse and redistribute as freely as possible in any form whatsoever
26 | and for any purposes, including without limitation commercial purposes.
27 | These owners may contribute to the Commons to promote the ideal of a free
28 | culture and the further production of creative, cultural and scientific
29 | works, or to gain reputation or greater distribution for their Work in
30 | part through the use and efforts of others.
31 |
32 | For these and/or other purposes and motivations, and without any
33 | expectation of additional consideration or compensation, the person
34 | associating CC0 with a Work (the "Affirmer"), to the extent that he or she
35 | is an owner of Copyright and Related Rights in the Work, voluntarily
36 | elects to apply CC0 to the Work and publicly distribute the Work under its
37 | terms, with knowledge of his or her Copyright and Related Rights in the
38 | Work and the meaning and intended legal effect of CC0 on those rights.
39 |
40 | 1. Copyright and Related Rights. A Work made available under CC0 may be
41 | protected by copyright and related or neighboring rights ("Copyright and
42 | Related Rights"). Copyright and Related Rights include, but are not
43 | limited to, the following:
44 |
45 | i. the right to reproduce, adapt, distribute, perform, display,
46 | communicate, and translate a Work;
47 | ii. moral rights retained by the original author(s) and/or performer(s);
48 | iii. publicity and privacy rights pertaining to a person's image or
49 | likeness depicted in a Work;
50 | iv. rights protecting against unfair competition in regards to a Work,
51 | subject to the limitations in paragraph 4(a), below;
52 | v. rights protecting the extraction, dissemination, use and reuse of data
53 | in a Work;
54 | vi. database rights (such as those arising under Directive 96/9/EC of the
55 | European Parliament and of the Council of 11 March 1996 on the legal
56 | protection of databases, and under any national implementation
57 | thereof, including any amended or successor version of such
58 | directive); and
59 | vii. other similar, equivalent or corresponding rights throughout the
60 | world based on applicable law or treaty, and any national
61 | implementations thereof.
62 |
63 | 2. Waiver. To the greatest extent permitted by, but not in contravention
64 | of, applicable law, Affirmer hereby overtly, fully, permanently,
65 | irrevocably and unconditionally waives, abandons, and surrenders all of
66 | Affirmer's Copyright and Related Rights and associated claims and causes
67 | of action, whether now known or unknown (including existing as well as
68 | future claims and causes of action), in the Work (i) in all territories
69 | worldwide, (ii) for the maximum duration provided by applicable law or
70 | treaty (including future time extensions), (iii) in any current or future
71 | medium and for any number of copies, and (iv) for any purpose whatsoever,
72 | including without limitation commercial, advertising or promotional
73 | purposes (the "Waiver"). Affirmer makes the Waiver for the benefit of each
74 | member of the public at large and to the detriment of Affirmer's heirs and
75 | successors, fully intending that such Waiver shall not be subject to
76 | revocation, rescission, cancellation, termination, or any other legal or
77 | equitable action to disrupt the quiet enjoyment of the Work by the public
78 | as contemplated by Affirmer's express Statement of Purpose.
79 |
80 | 3. Public License Fallback. Should any part of the Waiver for any reason
81 | be judged legally invalid or ineffective under applicable law, then the
82 | Waiver shall be preserved to the maximum extent permitted taking into
83 | account Affirmer's express Statement of Purpose. In addition, to the
84 | extent the Waiver is so judged Affirmer hereby grants to each affected
85 | person a royalty-free, non transferable, non sublicensable, non exclusive,
86 | irrevocable and unconditional license to exercise Affirmer's Copyright and
87 | Related Rights in the Work (i) in all territories worldwide, (ii) for the
88 | maximum duration provided by applicable law or treaty (including future
89 | time extensions), (iii) in any current or future medium and for any number
90 | of copies, and (iv) for any purpose whatsoever, including without
91 | limitation commercial, advertising or promotional purposes (the
92 | "License"). The License shall be deemed effective as of the date CC0 was
93 | applied by Affirmer to the Work. Should any part of the License for any
94 | reason be judged legally invalid or ineffective under applicable law, such
95 | partial invalidity or ineffectiveness shall not invalidate the remainder
96 | of the License, and in such case Affirmer hereby affirms that he or she
97 | will not (i) exercise any of his or her remaining Copyright and Related
98 | Rights in the Work or (ii) assert any associated claims and causes of
99 | action with respect to the Work, in either case contrary to Affirmer's
100 | express Statement of Purpose.
101 |
102 | 4. Limitations and Disclaimers.
103 |
104 | a. No trademark or patent rights held by Affirmer are waived, abandoned,
105 | surrendered, licensed or otherwise affected by this document.
106 | b. Affirmer offers the Work as-is and makes no representations or
107 | warranties of any kind concerning the Work, express, implied,
108 | statutory or otherwise, including without limitation warranties of
109 | title, merchantability, fitness for a particular purpose, non
110 | infringement, or the absence of latent or other defects, accuracy, or
111 | the present or absence of errors, whether or not discoverable, all to
112 | the greatest extent permissible under applicable law.
113 | c. Affirmer disclaims responsibility for clearing rights of other persons
114 | that may apply to the Work or any use thereof, including without
115 | limitation any person's Copyright and Related Rights in the Work.
116 | Further, Affirmer disclaims responsibility for obtaining any necessary
117 | consents, permissions or other rights required for any use of the
118 | Work.
119 | d. Affirmer understands and acknowledges that Creative Commons is not a
120 | party to this document and has no duty or obligation with respect to
121 | this CC0 or use of the Work.
122 |
--------------------------------------------------------------------------------
/Protect/CVE Patch Testing/CVE_Patch_Testing.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cisagov/shareable-soar-workflows/652202283acc54e8a947ba230e077d0eddc66245/Protect/CVE Patch Testing/CVE_Patch_Testing.png
--------------------------------------------------------------------------------
/Protect/CVE Patch Testing/README.md:
--------------------------------------------------------------------------------
1 | # CVE Patch Testing Detail
2 |
3 | ## Description
4 | This workflow receives a CVE that requires patching and/or mitigation within an
5 | organization's network. The workflow will identify necessary systems and available
6 | patches.
7 |
8 | - When a patch exists and a test image for affected assets can be found, the workflow
9 | will create test machines for the patch, deploy the patch, and begin logging for test
10 | metrics. This will call the "Verify CVE Patch Testing" (Protect) workflow.
11 | - In all other cases, the workflow will combine all relevant data and initiate
12 | collaboration between the Security and Network Operations Centers so that the CVE can be
13 | addressed.
14 |
15 | This workflow is called by the "Process Incoming CVE" (Identify) workflow.
16 |
17 | ## Workflow
18 |
19 | 
--------------------------------------------------------------------------------
/Protect/Patch Systems for CVE/Patch_Systems_for_CVE.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cisagov/shareable-soar-workflows/652202283acc54e8a947ba230e077d0eddc66245/Protect/Patch Systems for CVE/Patch_Systems_for_CVE.png
--------------------------------------------------------------------------------
/Protect/Patch Systems for CVE/README.md:
--------------------------------------------------------------------------------
1 | # Patch Systems for CVE Detail
2 |
3 | ## Description
4 | This workflow assists the patching of systems affected by a CVE after the CVE patch
5 | testing has been verified.
6 |
7 | For CVEs requiring expedited patching, the Network Operations Center is notified so that
8 | the patch may be deployed rapidly.
9 |
10 | Other patches are deployed via configuration management in accordance with
11 | policy.
12 |
13 | After patch rollout is verified, the automation conducts vulnerability scans. If systems
14 | are still vulnerable, the Security Operations Center is notified to develop a mitigation
15 | strategy and deploy the strategy.
16 |
17 | This workflow is called by the "Verify CVE Patch Testing" (Protect) workflow.
18 |
19 | ## Workflow
20 |
21 | 
--------------------------------------------------------------------------------
/Protect/Verify CVE Patch Testing/README.md:
--------------------------------------------------------------------------------
1 | # Verify CVE Patch Testing Detail
2 |
3 | ## Description
4 | This workflow collects testing data from automated patch testing, notifies both the
5 | Network and Security Operations Centers of the results via tickets, and facilitates the
6 | SOC and NOC review so that both policy requirements and risk are addressed.
7 |
8 | Once agreement is reached on the patch effectiveness, the "Patch Systems for CVE" (Protect)
9 | workflow is triggered.
10 |
11 | This workflow is called by the "CVE Patch Testing" (Protect) workflow.
12 |
13 | ## Workflow
14 |
15 | 
--------------------------------------------------------------------------------
/Protect/Verify CVE Patch Testing/Verify_CVE_Patch_Testing.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cisagov/shareable-soar-workflows/652202283acc54e8a947ba230e077d0eddc66245/Protect/Verify CVE Patch Testing/Verify_CVE_Patch_Testing.png
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # Sample SOAR Workflows
2 |
3 | ## Overview
4 | This is a repository of workflows provided for those interested in deploying
5 | Security Orchestration, Automation, and Response capabilities within their
6 | organizations.
7 |
8 | The workflows are mapped and organized based on how their core effects align with the
9 | NIST Cybersecurity Framework. For more information on the NIST framework, documentation
10 | is available at the [NIST Website](https://www.nist.gov/cyberframework).
11 |
12 | In addition to the main set of workflows, a sample of workflows that were developed for
13 | a pilot on Indicator of Compromise Automation for State, Local, Tribal, and Territorial
14 | governments is also provided as a use case. These samples illustrate how organizations
15 | can tailor these workflows to address their own environments.
16 |
17 | ## Guide to Workflows
18 |
19 | Many of these workflows are designed to work in an integrated environment where one
20 | workflow can call another. To better understand the relationships between workflows,
21 | the following mapping is provided as a guide.
22 |
23 | 
24 |
25 | ## Business Process Model and Notation (BPMN)
26 |
27 | BPMN is a standard for modeling business processes that is used for the workflows in this
28 | repository. It is maintained by the Object Management Group, and full documentation is
29 | available on the
30 | [BPMN Specification Website](https://www.omg.org/spec/BPMN/2.0/About-BPMN/). The
31 | workflows in this repository are provided in the XML format ".bpmn" as well as in PNG
32 | form. The XML files can be read using a variety of
33 | [tools](https://bpmnmatrix.github.io).
34 |
35 | To aid the reader in understanding the syntax used in these workflows, the following
36 | abridged guide to BPMN is provided.
37 |
38 | 
39 |
40 | ## Acknowledgement
41 |
42 | This material is based upon work supported by the U.S. Department of Homeland Security /
43 | Cybersecurity & Infrastructure Security Agency under Grant Award Number
44 | DHS-19-CISA-128-SLT-001 State, Local, Tribal and Territorial Indicators of
45 | Compromise Automation Pilot.
46 |
47 | ## Disclaimer
48 |
49 | The views and conclusions contained in this document are those of the authors and should
50 | not be interpreted as necessarily representing the official policies, either expressed
51 | or implied, of the U.S. Department of Homeland Security / Cybersecurity & Infrastructure
52 | Security Agency.
53 |
54 | ## License
55 |
56 | This work is licensed under CC0 1.0 Universal. To the extent possible under law,
57 | the authors have waived all copyright and related or neighboring rights to Shareable
58 | SOAR Workflows. This work is published from: United States.
--------------------------------------------------------------------------------
/Recover/Blocked File Digest Review/Blocked_File_Digest_Review.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cisagov/shareable-soar-workflows/652202283acc54e8a947ba230e077d0eddc66245/Recover/Blocked File Digest Review/Blocked_File_Digest_Review.png
--------------------------------------------------------------------------------
/Recover/Blocked File Digest Review/README.md:
--------------------------------------------------------------------------------
1 | # Blocked File Digest Review Detail
2 |
3 | ## Description
4 | This workflow is designed to run daily in order to review files that have been added to
5 | an organization's block list.
6 |
7 | - If the list is empty for that day, the workflow terminates.
8 | - For all other cases, a review ticket is generated for the SOC to facilitate any
9 | modifications to the block list if they are needed (e.g. if a blocked file was determined
10 | to be a false positive).
11 |
12 | ## Workflow
13 |
14 | 
--------------------------------------------------------------------------------
/Recover/Monitor Threat Feed Ingest/Monitor_Threat_Feed_Ingest.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cisagov/shareable-soar-workflows/652202283acc54e8a947ba230e077d0eddc66245/Recover/Monitor Threat Feed Ingest/Monitor_Threat_Feed_Ingest.png
--------------------------------------------------------------------------------
/Recover/Monitor Threat Feed Ingest/README.md:
--------------------------------------------------------------------------------
1 | # Monitor Threat Feed Ingest Detail
2 |
3 | ## Description
4 | This workflow monitors incoming threat intelligence feeds on a regular interval and
5 | notifies the Threat Intelligence team if a potential failure in the feed connectivity is
6 | observed.
7 |
8 | ## Workflow
9 |
10 | 
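As an added illustration of the check this workflow performs (example code written for this page, not code from the cisagov repository), the following Python runs over constructed ingest log lines and reports feeds whose connectivity looks broken. The log format, feed names, polling interval and thresholds are all assumptions; the README does not specify them.

```python
from datetime import datetime, timedelta, timezone

# Constructed ingest log (not repository data): one line per poll of a feed.
INGEST_LOG = """\
2024-05-01T00:00:00Z feed=vendor-a status=ok records=120
2024-05-01T00:00:00Z feed=vendor-b status=ok records=40
2024-05-01T00:00:00Z feed=isac status=ok records=9
2024-05-01T01:00:00Z feed=vendor-a status=ok records=118
2024-05-01T01:00:00Z feed=vendor-b status=error detail=timeout
2024-05-01T01:00:00Z feed=isac status=ok records=0
2024-05-01T02:00:00Z feed=vendor-a status=ok records=0
2024-05-01T02:00:00Z feed=vendor-b status=error detail=http_503
2024-05-01T02:00:00Z feed=isac status=ok records=0
2024-05-01T03:00:00Z feed=vendor-a status=ok records=130
2024-05-01T03:00:00Z feed=vendor-b status=error detail=http_503
2024-05-01T03:00:00Z feed=isac status=ok records=0
"""

# Assumed configuration: which feeds must be present and how often each one polls.
EXPECTED_FEEDS = ("vendor-a", "vendor-b", "isac", "vendor-c")
POLL_INTERVAL = timedelta(hours=1)
# Assumed "now" for the sample run: thirty minutes after the last poll above.
SAMPLE_NOW = datetime(2024, 5, 1, 3, 30, tzinfo=timezone.utc)


def parse_line(line):
    """Parse 'TIMESTAMP key=value ...' into (aware UTC datetime, dict of fields)."""
    ts_text, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, fields


def check_feeds(log_text, now, expected=EXPECTED_FEEDS, interval=POLL_INTERVAL,
                max_missed=3, max_errors=3, max_empty=3):
    """Return {feed: [reasons]} for feeds the Threat Intelligence team should hear about.

    Three failure signatures are checked: no successful pull for max_missed intervals
    (this also catches a feed that never appears in the log at all), max_errors
    consecutive error pulls, and max_empty consecutive successful pulls that returned
    zero records (a feed that answers but delivers nothing is also a connectivity problem).
    """
    last_ok = {}
    consecutive_errors = {feed: 0 for feed in expected}
    consecutive_empty = {feed: 0 for feed in expected}

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, fields = parse_line(line)
        feed = fields["feed"]
        if feed not in consecutive_errors:
            continue  # a feed nobody configured is not this check's concern
        if fields["status"] == "ok":
            last_ok[feed] = ts
            consecutive_errors[feed] = 0
            if int(fields.get("records", "0")) == 0:
                consecutive_empty[feed] += 1
            else:
                consecutive_empty[feed] = 0
        else:
            consecutive_errors[feed] += 1

    findings = {}
    for feed in expected:
        reasons = []
        last = last_ok.get(feed)
        if last is None or now - last > interval * max_missed:
            reasons.append(f"no successful ingest within {max_missed} intervals")
        if consecutive_errors[feed] >= max_errors:
            reasons.append(f"{consecutive_errors[feed]} consecutive ingest errors")
        if consecutive_empty[feed] >= max_empty:
            reasons.append(f"{consecutive_empty[feed]} consecutive empty pulls")
        if reasons:
            findings[feed] = reasons
    return findings


if __name__ == "__main__":
    for feed, reasons in check_feeds(INGEST_LOG, SAMPLE_NOW).items():
        print(f"notify TI team: {feed}: {'; '.join(reasons)}")
```

On the sample log, vendor-b is reported for both a stale last success and three consecutive errors, isac for three consecutive empty pulls, and vendor-c because it is expected but never polled; vendor-a is healthy. The zero-record signature is the one most often missed by a check that only looks at HTTP status.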
--------------------------------------------------------------------------------
/Recover/Resolve IOC Block-Allow Conflict/README.md:
--------------------------------------------------------------------------------
1 | # Resolve IOC Block-Allow Conflict Detail
2 |
3 | ## Description
4 | This workflow notifies the SOC if an IOC appears on both a block list and an allow list so
5 | that the SOC can determine and deploy a mitigation for the conflicting status.
6 |
7 | The workflow is called by the "Process New IOCs" (Detect) workflow.
8 |
9 | ## Workflow
10 |
11 | 
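The hard part of this check is deciding when two list entries refer to the same IOC: a domain with a trailing dot, an IPv6 address written in expanded form, or an upper-case hash must still match. The following Python is an added example written for this page (not code from the cisagov repository) that canonicalises each entry before comparing and also flags a blocked host or URL that an allow-listed parent domain would override. The sample lists are constructed from documentation address ranges and reserved example domains; dropping the URL scheme and query string, and lower-casing the email local part, are policy choices assumed here.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample lists (not repository data).
BLOCK_LIST = [
    "EVIL.example.",                       # domain, mixed case, trailing dot
    "https://Sub.Evil.example/",           # URL with no path: effectively a host
    "http://bad.example/path",             # URL with a path
    "198.51.100.7",                        # IPv4, no allow-list counterpart
    "2001:DB8::1",                         # IPv6, compressed, upper case
    "ABCDEF0123456789ABCDEF0123456789",    # MD5-length hex digest, upper case
    "mailer@Phish.example",                # email sender
]
ALLOW_LIST = [
    "evil.example",
    "BAD.example",
    "2001:db8:0:0:0:0:0:1",                # same address as 2001:db8::1, expanded
    "abcdef0123456789abcdef0123456789",
    "Mailer@phish.example",
]

_HASH_RE = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")


def normalize_ioc(raw):
    """Return (kind, canonical value) so that equivalent spellings compare equal."""
    value = raw.strip()
    try:                                   # IP: canonical text form (IPv6 compressed, lower case)
        return "ip", str(ipaddress.ip_address(value))
    except ValueError:
        pass
    if _HASH_RE.match(value):              # hex digests compare case-insensitively
        return "hash", value.lower()
    if "://" in value:                     # URL: host + path; scheme and query dropped (assumed policy)
        parts = urlsplit(value)
        host = (parts.hostname or "").rstrip(".")
        path = parts.path.rstrip("/")
        return ("url", host + path) if path else ("domain", host)
    if "@" in value:                       # email: local part treated case-insensitively (assumed policy)
        local, _, domain = value.rpartition("@")
        return "email", f"{local.lower()}@{domain.lower().rstrip('.')}"
    return "domain", value.lower().rstrip(".")


def find_conflicts(block_list, allow_list):
    """Return [(blocked entry, reason)] for every block-list entry the allow list would override."""
    allowed = {normalize_ioc(entry) for entry in allow_list}
    allowed_domains = {value for kind, value in allowed if kind == "domain"}
    conflicts = []
    for raw in block_list:
        kind, value = normalize_ioc(raw)
        if (kind, value) in allowed:
            conflicts.append((raw, "exact match on allow list"))
            continue
        if kind in ("domain", "url"):
            # An allow-listed parent domain also covers the blocked host or URL.
            labels = value.split("/", 1)[0].split(".")
            for i in range(len(labels) - 1):      # never walk up to the bare TLD
                parent = ".".join(labels[i:])
                if parent in allowed_domains:
                    conflicts.append((raw, f"covered by allow-listed domain {parent}"))
                    break
    return conflicts


if __name__ == "__main__":
    for entry, reason in find_conflicts(BLOCK_LIST, ALLOW_LIST):
        print(f"SOC review needed: {entry!r}: {reason}")
```

On the sample lists every entry except the lone IPv4 address is reported, including the two that only conflict through a parent domain; those are the cases a plain string comparison between the two lists would miss.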
--------------------------------------------------------------------------------
/Recover/Resolve IOC Block-Allow Conflict/Resolve IOC Block-Allow Conflict.bpmn:
--------------------------------------------------------------------------------
Flow_1bf4k8j

Flow_1bf4k8j
Flow_1fcpljv

Flow_1fcpljv
Flow_1azmbva

Flow_1azmbva
Flow_0h0z0tl

Flow_0h0z0tl
Flow_1wn5oci

Flow_1wn5oci
Flow_0or9zwq

Flow_0or9zwq
--------------------------------------------------------------------------------
/Recover/Resolve IOC Block-Allow Conflict/Resolve_IOC_Block-Allow_Conflict.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cisagov/shareable-soar-workflows/652202283acc54e8a947ba230e077d0eddc66245/Recover/Resolve IOC Block-Allow Conflict/Resolve_IOC_Block-Allow_Conflict.png
--------------------------------------------------------------------------------
/Respond/Account COA Alert Review/Account_COA_Alert_Review.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cisagov/shareable-soar-workflows/652202283acc54e8a947ba230e077d0eddc66245/Respond/Account COA Alert Review/Account_COA_Alert_Review.png
--------------------------------------------------------------------------------
/Respond/Account COA Alert Review/README.md:
--------------------------------------------------------------------------------
1 | # Account COA Alert Review Detail
2 |
3 | ## Description
4 | This workflow manages tasks related to responding to alerts regarding network accounts.
5 | There are multiple steps to enforce policy for general users, privileged users, and
6 | service accounts.
7 |
8 | When in accordance with policy, automatic password resets are sent.
9 |
10 | In cases that require more review, the appropriate analysts, users, and service owners are
11 | notified so that efficient collaboration and resolution can take place.
12 |
13 | This workflow is called from the following workflows:
14 | - "Process Alert on Account" (Detect)
15 | - "Monitor Account" (Detect)
16 |
17 | ## Workflow
18 |
19 | 
--------------------------------------------------------------------------------
/Respond/Add Domain-URL to IDS/Add Domain-URL to IDS.bpmn:
--------------------------------------------------------------------------------
Flow_105wmof

Flow_105wmof
Flow_0bmmm0n

Flow_0bmmm0n
Flow_1t9q8bc

Flow_1t9q8bc
Flow_0cfkbbz

Flow_19luxh4

Flow_0cfkbbz
Flow_19luxh4
--------------------------------------------------------------------------------
/Respond/Add Domain-URL to IDS/Add_Domain-URL_to_IDS.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cisagov/shareable-soar-workflows/652202283acc54e8a947ba230e077d0eddc66245/Respond/Add Domain-URL to IDS/Add_Domain-URL_to_IDS.png
--------------------------------------------------------------------------------
/Respond/Add Domain-URL to IDS/README.md:
--------------------------------------------------------------------------------
1 | # Add Domain-URL to IDS Detail
2 |
3 | ## Description
4 | This workflow retrieves a Domain-URL IOC, formats it for submission to an Intrusion
5 | Detection System, and adds the rule to the IDS.
6 |
7 | The workflow is called from the "Evaluate IOC COAs" (Respond) workflow.
8 |
9 | ## Workflow
10 |
11 | 
--------------------------------------------------------------------------------
/Respond/Add Email to Blocked Senders List/Add Email to Blocked Senders List.bpmn:
--------------------------------------------------------------------------------
Flow_02eg9ax

Flow_02eg9ax
Flow_1vo1372

Flow_1vo1372
Flow_0mhhe3u

Flow_0kkhkc2

Flow_0mhhe3u
Flow_0kkhkc2
--------------------------------------------------------------------------------
/Respond/Add Email to Blocked Senders List/Add_Email_to_Blocked_Senders_List.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cisagov/shareable-soar-workflows/652202283acc54e8a947ba230e077d0eddc66245/Respond/Add Email to Blocked Senders List/Add_Email_to_Blocked_Senders_List.png
--------------------------------------------------------------------------------
/Respond/Add Email to Blocked Senders List/README.md:
--------------------------------------------------------------------------------
1 | # Add Email to Blocked Senders List Detail
2 |
3 | ## Description
4 | This workflow extracts an email sender address from an IOC and adds that address to the
5 | blocked senders list on the mail server.
6 |
7 | The workflow is called from the "Evaluate IOC COAs" (Respond) workflow.
8 |
9 | ## Workflow
10 |
11 | 
--------------------------------------------------------------------------------
/Respond/Add File Hash to IDS/Add File Hash to IDS.bpmn:
--------------------------------------------------------------------------------
Flow_105wmof

Flow_105wmof
Flow_0bmmm0n

Flow_0bmmm0n
Flow_1t9q8bc

Flow_1t9q8bc
Flow_1ywohs1

Flow_0jjv8q7

Flow_1ywohs1
Flow_0jjv8q7
--------------------------------------------------------------------------------
/Respond/Add File Hash to IDS/Add_File_Hash_to_IDS.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cisagov/shareable-soar-workflows/652202283acc54e8a947ba230e077d0eddc66245/Respond/Add File Hash to IDS/Add_File_Hash_to_IDS.png
--------------------------------------------------------------------------------
/Respond/Add File Hash to IDS/README.md:
--------------------------------------------------------------------------------
1 | # Add File Hash to IDS Detail
2 |
3 | ## Description
4 | This workflow extracts a file hash from an IOC, formats an Intrusion Detection Rule to
5 | search for that hash, and uploads the rule to the IDS.
6 |
7 | The workflow is called from the "Evaluate IOC COAs" (Respond) workflow.
8 |
9 | ## Workflow
10 |
11 | 
--------------------------------------------------------------------------------
/Respond/Add IP to IDS/Add IP to IDS.bpmn:
--------------------------------------------------------------------------------
Flow_105wmof

Flow_105wmof
Flow_0bmmm0n

Flow_0bmmm0n
Flow_1t9q8bc

Flow_1t9q8bc
Flow_02m0eax

Flow_19f429e

Flow_02m0eax
Flow_19f429e
--------------------------------------------------------------------------------
/Respond/Add IP to IDS/Add_IP_to_IDS.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cisagov/shareable-soar-workflows/652202283acc54e8a947ba230e077d0eddc66245/Respond/Add IP to IDS/Add_IP_to_IDS.png
--------------------------------------------------------------------------------
/Respond/Add IP to IDS/README.md:
--------------------------------------------------------------------------------
1 | # Add IP to IDS Detail
2 |
3 | ## Description
4 | This workflow extracts an IP address from an IOC, formats an Intrusion Detection System
5 | rule to monitor for traffic to/from that address, and loads the rule onto the IDS.
6 |
7 | This workflow is called from the "Evaluate IOC COAs" (Respond) workflow.
8 |
9 | ## Workflow
10 |
11 | 
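The three Add-to-IDS workflows ("Add Domain-URL to IDS", "Add File Hash to IDS", and this one) share the step of formatting a rule from an IOC and loading it. The point a practitioner cares about is that the IOC value is untrusted text that is about to be spliced into rule syntax, so it must be validated as its type before it touches the rule. The following Python is an added example written for this page (not code from the cisagov repository): it emits Suricata-style rule text using documented keywords (`dns.query`, `filemd5`, `filesha1`, `filesha256`) and refuses any value that does not parse; the hash-list file names, the sid range and the sample IOCs are assumptions.

```python
import ipaddress
import re

# sids from 1000000 upward are the conventional range for locally written rules.
LOCAL_SID_START = 1_000_000

# Assumed hash-list files, one per algorithm, because each file* keyword reads one list.
# Suricata resolves these paths relative to the directory of the rule file.
HASH_LISTS = {32: ("filemd5", "iocs.md5"), 40: ("filesha1", "iocs.sha1"), 64: ("filesha256", "iocs.sha256")}

_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
_HEX_RE = re.compile(r"^[0-9a-f]+$")

# Constructed input (not repository data); the last two entries are malformed on purpose.
SAMPLE_IOCS = [
    ("ip", "198.51.100.7"),
    ("domain", "EVIL.example."),
    ("hash", "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"),  # SHA-256 of empty input
    ("domain", 'evil.example"; content:"x'),     # would alter rule syntax if interpolated unchecked
    ("ip", "1.2.3.4; drop"),
]


class SidAllocator:
    """Hands out unique signature ids so two generated rules never collide."""
    def __init__(self, start=LOCAL_SID_START):
        self._next = start

    def allocate(self):
        sid = self._next
        self._next += 1
        return sid


def ip_rule(value, sid):
    """Alert on traffic to or from the address (Add IP to IDS)."""
    ip = ipaddress.ip_address(value.strip())    # ValueError for anything that is not an address
    return f'alert ip any any <> {ip} any (msg:"IOC IP {ip}"; sid:{sid}; rev:1;)'


def domain_rule(value, sid):
    """Alert on a DNS query for the domain (Add Domain-URL to IDS)."""
    domain = value.strip().lower().rstrip(".")
    if not _DOMAIN_RE.match(domain):            # rejects quotes, semicolons, spaces, bad labels
        raise ValueError(f"not a valid hostname: {value!r}")
    return (f'alert dns any any -> any any (msg:"IOC domain {domain}"; '
            f'dns.query; content:"{domain}"; nocase; sid:{sid}; rev:1;)')


def hash_entry(value):
    """Validate a digest and say which hash list it belongs in (Add File Hash to IDS)."""
    digest = value.strip().lower()
    if len(digest) not in HASH_LISTS or not _HEX_RE.match(digest):
        raise ValueError(f"not an md5/sha1/sha256 hex digest: {value!r}")
    keyword, list_file = HASH_LISTS[len(digest)]
    return keyword, list_file, digest


def hash_list_rule(keyword, list_file, sid):
    """One rule per hash list; new digests are appended to the list rather than becoming rules."""
    return (f'alert http any any -> any any (msg:"IOC file hash match ({list_file})"; '
            f'{keyword}:{list_file}; sid:{sid}; rev:1;)')


def build_rules(iocs, sids):
    """Format every IOC; malformed entries are reported, never silently dropped or passed through."""
    rules, hash_entries, rejected = [], [], []
    lists_touched = {}
    for kind, value in iocs:
        try:
            if kind == "ip":
                rules.append(ip_rule(value, sids.allocate()))   # a rejected value burns one sid; harmless
            elif kind == "domain":
                rules.append(domain_rule(value, sids.allocate()))
            elif kind == "hash":
                keyword, list_file, digest = hash_entry(value)
                hash_entries.append((list_file, digest))
                lists_touched[list_file] = keyword
            else:
                raise ValueError(f"unsupported IOC type {kind!r}")
        except ValueError as exc:
            rejected.append((kind, value, str(exc)))
    for list_file, keyword in lists_touched.items():
        rules.append(hash_list_rule(keyword, list_file, sids.allocate()))
    return rules, hash_entries, rejected


if __name__ == "__main__":
    rules, entries, rejected = build_rules(SAMPLE_IOCS, SidAllocator())
    print("\n".join(rules))
    for list_file, digest in entries:
        print(f"append to {list_file}: {digest}")
    for kind, value, why in rejected:
        print(f"REJECTED {kind} {value!r}: {why}")
```

The rejected list is what the workflow should surface to the SOC: a value that fails its type check is either a data-quality problem in the feed or an attempt to smuggle syntax into the sensor, and both deserve a ticket rather than a silent skip.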
--------------------------------------------------------------------------------
/Respond/Analyst review of Account Alert/Analyst_review_of_Account_Alert.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cisagov/shareable-soar-workflows/652202283acc54e8a947ba230e077d0eddc66245/Respond/Analyst review of Account Alert/Analyst_review_of_Account_Alert.png
--------------------------------------------------------------------------------
/Respond/Analyst review of Account Alert/README.md:
--------------------------------------------------------------------------------
1 | # Analyst review of Account Alert Detail
2 |
3 | ## Description
4 | This workflow assists the SOC analyst in reviewing alerts and monitoring with respect to
5 | a case involving a flagged account.
6 |
7 | - If the case data indicates an infrastructure breach, the event is escalated for manual
8 | response and the automation workflow terminates.
9 | - If the analyst determines the case to be a false positive, the workflow terminates.
10 | - In all other cases, the "Account COA Alert Review" (Respond) workflow is triggered.
11 |
12 | This workflow is called from the "Monitor Account" (Detect) workflow.
13 |
14 | ## Workflow
15 |
16 | 
--------------------------------------------------------------------------------
/Respond/Block Domain-URL at Firewall/Block Domain-URL at Firewall.bpmn:
--------------------------------------------------------------------------------
Flow_0c3zg25

Flow_0l7t9np
Flow_1ydmz44

Flow_1r4eoxc

Flow_0c3zg25
Flow_0l7t9np

Flow_1ydmz44
Flow_0h9ej2m

Flow_0h9ej2m
Flow_1r4eoxc
--------------------------------------------------------------------------------
/Respond/Block Domain-URL at Firewall/Block_Domain-URL_at_Firewall.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cisagov/shareable-soar-workflows/652202283acc54e8a947ba230e077d0eddc66245/Respond/Block Domain-URL at Firewall/Block_Domain-URL_at_Firewall.png
--------------------------------------------------------------------------------
/Respond/Block Domain-URL at Firewall/README.md:
--------------------------------------------------------------------------------
1 | # Block Domain-URL at Firewall Detail
2 |
3 | ## Description
4 | This workflow extracts a Domain-URL from the case, enables a block of the Domain-URL at
5 | the firewall, and updates a digest of newly blocked Domains-URLs.
6 |
7 | The workflow is called from the "Evaluate IOC COAs" (Respond) workflow.
8 |
9 | ## Workflow
10 |
11 | 
--------------------------------------------------------------------------------
/Respond/Block Domain-URL at Proxy/Block Domain-URL at Proxy.bpmn:
--------------------------------------------------------------------------------
Flow_0c3zg25

Flow_0l7t9np
Flow_1ydmz44

Flow_0mctw55

Flow_0c3zg25
Flow_0l7t9np

Flow_1ydmz44
Flow_0vgyvad

Flow_0vgyvad
Flow_0mctw55
--------------------------------------------------------------------------------
/Respond/Block Domain-URL at Proxy/Block_Domain-URL_at_Proxy.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cisagov/shareable-soar-workflows/652202283acc54e8a947ba230e077d0eddc66245/Respond/Block Domain-URL at Proxy/Block_Domain-URL_at_Proxy.png
--------------------------------------------------------------------------------
/Respond/Block Domain-URL at Proxy/README.md:
--------------------------------------------------------------------------------
1 | # Block Domain-URL at Proxy Detail
2 |
3 | ## Description
4 | This workflow extracts a Domain-URL from an IOC, formats it for submission to an internet
5 | proxy / DNS sinkhole, and uploads the Domain-URL to the proxy.
6 |
7 | The workflow is called from the "Evaluate IOC COAs" (Respond) workflow.
8 |
9 | ## Workflow
10 |
11 | 
--------------------------------------------------------------------------------
/Respond/Block Email to Email Security Appliance/Block Email to Email Security Appliance.bpmn:
--------------------------------------------------------------------------------
Flow_0vxjfqm

Flow_0vxjfqm
Flow_1hrvxsl

Flow_1hrvxsl
Flow_0t80vce

Flow_0t80vce
Flow_1asib2a

Flow_0q4uah1

Flow_1asib2a
Flow_0q4uah1
--------------------------------------------------------------------------------
/Respond/Block Email to Email Security Appliance/Block_Email_to_Email_Security_Appliance.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cisagov/shareable-soar-workflows/652202283acc54e8a947ba230e077d0eddc66245/Respond/Block Email to Email Security Appliance/Block_Email_to_Email_Security_Appliance.png
--------------------------------------------------------------------------------
/Respond/Block Email to Email Security Appliance/README.md:
--------------------------------------------------------------------------------
1 | # Block Email to Email Security Appliance Detail
2 |
3 | ## Description
4 | This workflow extracts an email sender address from an IOC, uploads that address to an
5 | Email Security Appliance, and updates a digest of newly blocked email.
6 |
7 | The workflow is called from the "Evaluate IOC COAs" (Respond) workflow.
8 |
9 | ## Workflow
10 |
11 | 
--------------------------------------------------------------------------------
/Respond/Block File at Endpoint/Block File at Endpoint.bpmn:
--------------------------------------------------------------------------------
Flow_13aqcnu

Flow_13aqcnu
Flow_0csgvi7

Flow_0csgvi7
Flow_0nmdgss

Flow_0nmdgss
Flow_0zhq6lp

Flow_0zhq6lp
Flow_1u20sp0

Flow_0ko1z34

Flow_1u20sp0
Flow_0ko1z34
--------------------------------------------------------------------------------
/Respond/Block File at Endpoint/Block_File_at_Endpoint.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cisagov/shareable-soar-workflows/652202283acc54e8a947ba230e077d0eddc66245/Respond/Block File at Endpoint/Block_File_at_Endpoint.png
--------------------------------------------------------------------------------
/Respond/Block File at Endpoint/README.md:
--------------------------------------------------------------------------------
1 | # Block File at Endpoint Detail
2 |
3 | ## Description
4 | This workflow extracts file information from an IOC, adds it to an Endpoint Detection and
5 | Response (EDR) server for blocking, has EDR push that policy down to protected systems,
6 | and updates a digest of newly blocked files.
7 |
8 | The workflow is called by the "Evaluate IOC COAs" (Respond) workflow.
9 |
10 | ## Workflow
11 |
12 | 
--------------------------------------------------------------------------------
/Respond/Block IP at Firewall/Block IP at Firewall.bpmn:
--------------------------------------------------------------------------------
Flow_0c3zg25

Flow_0l7t9np
Flow_1ydmz44

Flow_19ose2e

Flow_0c3zg25
Flow_0l7t9np

Flow_1ydmz44
Flow_0yae3bj

Flow_0yae3bj
Flow_19ose2e
--------------------------------------------------------------------------------
/Respond/Block IP at Firewall/Block_IP_at_Firewall.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cisagov/shareable-soar-workflows/652202283acc54e8a947ba230e077d0eddc66245/Respond/Block IP at Firewall/Block_IP_at_Firewall.png
--------------------------------------------------------------------------------
/Respond/Block IP at Firewall/README.md:
--------------------------------------------------------------------------------
1 | # Block IP at Firewall Detail
2 |
3 | ## Description
4 | This workflow extracts an IP address from an IOC, blocks that IP at the firewall, and
5 | updates a daily digest of newly blocked IPs.
6 |
7 | The workflow is called from the "Evaluate IOC COAs" (Respond) workflow.
8 |
9 | ## Workflow
10 |
11 | 
--------------------------------------------------------------------------------
/Respond/Evaluate IOC COAs/Evaluate_IOC_COAs.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cisagov/shareable-soar-workflows/652202283acc54e8a947ba230e077d0eddc66245/Respond/Evaluate IOC COAs/Evaluate_IOC_COAs.png
--------------------------------------------------------------------------------
/Respond/Evaluate IOC COAs/README.md:
--------------------------------------------------------------------------------
1 | # Evaluate IOC COAs Detail
2 |
3 | ## Description
4 | This workflow aids in the response to malicious IOCs.
5 |
6 | If the IOC has prevalence / history on the network or if it fails to meet criteria for
7 | automatic blocking, a SOC analyst is notified so that the proper COA can be employed to
8 | respond to the threat.
9 |
10 | If the IOC meets the criteria for sharing information, the "Share Event Information"
11 | (Identify) workflow is triggered.
12 |
13 | If the IOC results in a sighting and that sighting meets the sharing threshold, the
14 | "Submit IOC Sighting" (Identify) workflow is triggered.
15 |
16 | If automated block criteria are met, the following workflows are triggered based on IOC
17 | type:
18 | - "Add IP to IDS" (Respond)
19 | - "Block IP at Firewall" (Respond)
20 | - "Add Domain-URL to IDS" (Respond)
21 | - "Block Domain-URL at Proxy" (Respond)
22 | - "Block Domain-URL at Firewall" (Respond)
23 | - "Block File at Endpoint" (Respond)
24 | - "Add File Hash to IDS" (Respond)
25 | - "Block Email to Email Security Appliance" (Respond)
26 | - "Add Email to Blocked Sender List" (Respond)
27 |
28 | The workflow may be called by the following workflows:
29 | - "Evaluate IOC" (Detect)
30 | - "Calculate IOC Risk Score" (Detect)
31 | - "System COA Alert Review" (Respond)
32 |
33 | ## Workflow
34 |
35 | 
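The README names the branches of this workflow but leaves the block and sharing criteria to the deploying organisation. The following Python is an added example written for this page (not code from the cisagov repository) that encodes those branches as a testable policy: the workflow names are the ones listed above, while the IOC fields, the thresholds, the TLP markings and the assumption that the risk score arrives from "Calculate IOC Risk Score" (Detect) are all assumptions of the example.

```python
from dataclasses import dataclass

# Workflow names exactly as listed in this README, keyed by IOC type.
BLOCK_WORKFLOWS = {
    "ip": ["Add IP to IDS", "Block IP at Firewall"],
    "domain-url": ["Add Domain-URL to IDS", "Block Domain-URL at Proxy", "Block Domain-URL at Firewall"],
    "file": ["Block File at Endpoint", "Add File Hash to IDS"],
    "email": ["Block Email to Email Security Appliance", "Add Email to Blocked Sender List"],
}
ANALYST = "Notify SOC analyst to select COA"


@dataclass
class IOC:
    value: str
    kind: str            # one of the BLOCK_WORKFLOWS keys, as determined by the calling workflow
    risk_score: int      # assumed to arrive from "Calculate IOC Risk Score" (Detect)
    sightings: int = 0   # assumed: prior matches on the network (the README's "prevalence / history")
    tlp: str = "amber"   # assumed sharing marking carried on the IOC


@dataclass
class Policy:
    """Assumed organisational criteria; the README leaves these to the deploying organisation."""
    auto_block_min_score: int = 70
    share_min_score: int = 50
    shareable_tlp: tuple = ("clear", "green")
    sighting_share_threshold: int = 1


def evaluate_ioc_coas(ioc, policy=None):
    """Return the ordered list of actions the workflow takes for this IOC."""
    policy = policy or Policy()
    if ioc.kind not in BLOCK_WORKFLOWS:
        return [ANALYST]            # nothing can be automated for an unknown type

    actions = []
    # Prevalence on the network, or a score below the auto-block bar, means a human decides:
    # blocking something already seen internally can disrupt an investigation or real traffic.
    if ioc.sightings > 0 or ioc.risk_score < policy.auto_block_min_score:
        actions.append(ANALYST)
    else:
        actions.extend(BLOCK_WORKFLOWS[ioc.kind])

    if ioc.risk_score >= policy.share_min_score and ioc.tlp in policy.shareable_tlp:
        actions.append("Share Event Information")
    if ioc.sightings >= policy.sighting_share_threshold:
        actions.append("Submit IOC Sighting")
    return actions


if __name__ == "__main__":
    # Constructed IOC values (documentation range / reserved example domain), not real indicators.
    for ioc in (IOC("198.51.100.7", "ip", 90),
                IOC("evil.example", "domain-url", 95, sightings=2, tlp="green"),
                IOC("mailer@phish.example", "email", 80, tlp="green")):
        print(f"{ioc.value}: {evaluate_ioc_coas(ioc)}")
```

Keeping the thresholds in a `Policy` object rather than inline makes the automation boundary reviewable: a change to what gets blocked without a human is a one-line, auditable diff rather than a hunt through branch conditions.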
--------------------------------------------------------------------------------
/Respond/ICS Asset Mitigation/ICS_Asset_Mitigation.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cisagov/shareable-soar-workflows/652202283acc54e8a947ba230e077d0eddc66245/Respond/ICS Asset Mitigation/ICS_Asset_Mitigation.png
--------------------------------------------------------------------------------
/Respond/ICS Asset Mitigation/README.md:
--------------------------------------------------------------------------------
1 | # ICS Asset Mitigation Detail
2 |
3 | ## Description
4 | This workflow identifies an ICS asset that requires mitigation, quarantines the affected
5 | asset, migrates to a hot spare, and restores the asset via configuration management if a
6 | restoration image is present.
7 |
8 | If there is no spare or no restoration image, the workflow notifies the ICS operator to
9 | develop mitigation.
10 |
11 | Once complete, this workflow triggers the "ICS Asset Recovery" (Respond) workflow.
12 |
13 | This workflow is called from the "ICS Asset Integrity Check" (Detect) workflow.
14 |
15 | ## Workflow
16 |
17 | 
--------------------------------------------------------------------------------
/Respond/ICS Asset Recovery/ICS_Asset_Recovery.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cisagov/shareable-soar-workflows/652202283acc54e8a947ba230e077d0eddc66245/Respond/ICS Asset Recovery/ICS_Asset_Recovery.png
--------------------------------------------------------------------------------
/Respond/ICS Asset Recovery/README.md:
--------------------------------------------------------------------------------
1 | # ICS Asset Recovery Detail
2 |
3 | ## Description
4 | Once mitigated, this workflow restores an ICS asset and tests asset functionality before
5 | confirming the incident involving the ICS asset has been resolved.
6 |
7 | In the event that restoration workflows do not exist or an asset fails the final
8 | functionality test, the workflow notifies the ICS operator to manually restore
9 | functionality of the asset.
10 |
11 | This workflow is called from the "ICS Asset Mitigation" (Respond) workflow.
12 |
13 | ## Workflow
14 |
15 | 
--------------------------------------------------------------------------------
/Respond/Rebuild Server/README.md:
--------------------------------------------------------------------------------
1 | # Rebuild Server Detail
2 |
3 | ## Description
4 | This workflow restores a server from a restoration image and confirms service
5 | availability.
6 |
7 | If policy is not met for an automated rebuild, the workflow notifies the service owner
8 | to approve the rebuild.
9 |
10 | If the service is not available after rebuild, the SOC and service owner are notified to
11 | collaborate on restoration of services.
12 |
13 | This workflow can be called by the following workflows:
14 |
15 | - "Select Heartbeat Failure COAs" (Respond)
16 | - "Reinstall Service" (Respond)
17 |
18 | ## Workflow
19 |
20 | 
--------------------------------------------------------------------------------
/Respond/Rebuild Server/Rebuild_Server.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cisagov/shareable-soar-workflows/652202283acc54e8a947ba230e077d0eddc66245/Respond/Rebuild Server/Rebuild_Server.png
--------------------------------------------------------------------------------
/Respond/Reinstall Service/README.md:
--------------------------------------------------------------------------------
1 | # Reinstall Service Detail
2 |
3 | ## Description
4 | This workflow collects information from a service that generated a heartbeat failure
5 | alert and attempts to reinstall the service from configuration management if policy is
6 | met for automated reinstall.
7 |
8 | If policy does not allow for automated reinstall, the service owner is notified to
9 | approve the reinstall.
10 |
11 | - If the service is confirmed available, the workflow terminates.
12 | - If the service is not available and policy is met for rebuild, the "Rebuild Server"
13 | (Respond) workflow is triggered.
14 | - If the service is not available and policy is not met for rebuild, the SOC and
15 | service owner are notified to either send the asset to the "Rebuild Server" (Respond)
16 | workflow or manually resolve the issue.
17 |
18 | This workflow is called by the "Select Heartbeat Failure COAs" (Respond) workflow.
19 |
20 | ## Workflow
21 |
22 | 
--------------------------------------------------------------------------------
/Respond/Reinstall Service/Reinstall_Service.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cisagov/shareable-soar-workflows/652202283acc54e8a947ba230e077d0eddc66245/Respond/Reinstall Service/Reinstall_Service.png
--------------------------------------------------------------------------------
/Respond/Remediate Systems/README.md:
--------------------------------------------------------------------------------
1 | # Remediate Systems Detail
2 |
3 | ## Description
4 | This workflow receives a system that requires remediation, attempts to migrate to a hot
5 | spare if possible, quarantines the system, and then attempts to restore via configuration
6 | management in accordance with policy.
7 |
8 | If the restoration does not complete automatically, the SOC is notified to restore the
9 | system manually.
10 |
11 | Once restored, the system is brought out of quarantine and the automation terminates.
12 |
13 | This workflow is called by the "System COA Alert Review" (Respond) workflow.
14 |
15 | ## Workflow
16 |
17 | 
--------------------------------------------------------------------------------
/Respond/Remediate Systems/Remediate_Systems.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cisagov/shareable-soar-workflows/652202283acc54e8a947ba230e077d0eddc66245/Respond/Remediate Systems/Remediate_Systems.png
--------------------------------------------------------------------------------
/Respond/Select Heartbeat Failure COAs/README.md:
--------------------------------------------------------------------------------
1 | # Select Heartbeat Failure COAs Detail
2 |
3 | ## Description
4 | This workflow assists in the process of restoring systems and services when a heartbeat
5 | failure alert has been associated with a service. The workflow notifies the SOC, who may
6 | approve a service restart.
7 |
8 | - If restart restores the service, the owner is notified of the restart and the workflow
9 | terminates.
10 | - If restart fails to restore, and policy is met for service reinstall, the "Reinstall
11 | Service" (Respond) workflow is triggered.
12 | - If restart fails to restore, and policy is not met for service reinstall, the workflow
13 | checks whether policy is met for server rebuild and triggers the "Rebuild Server"
14 | (Respond) workflow if conditions are met.
15 | - In all other cases, the workflow notifies the service owner and SOC to select an
16 | appropriate action:
17 | - Trigger the "Reinstall Service" (Respond) workflow
18 | - Trigger the "Rebuild Server" (Respond) workflow
19 | - Resolve the issue manually
20 |
21 | This workflow is called from the "System Response Type Review" (Detect) workflow.
22 |
23 |
24 |
25 | ## Workflow
26 |
27 | 
--------------------------------------------------------------------------------
/Respond/Select Heartbeat Failure COAs/Select_Heartbeat_Failure_COAs.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cisagov/shareable-soar-workflows/652202283acc54e8a947ba230e077d0eddc66245/Respond/Select Heartbeat Failure COAs/Select_Heartbeat_Failure_COAs.png
--------------------------------------------------------------------------------
/Respond/System COA Alert Review/README.md:
--------------------------------------------------------------------------------
1 | # System COA Alert Review Detail
2 |
3 | ## Description
4 | This workflow processes details for a system that has been flagged for response due to an
5 | internal alert. The workflow provides suggested COAs to the SOC operator via a ticket and
6 | processes the response from the operator:
7 |
8 | - If discovered IOCs need to be blocked, the operator selects the IOCs and the
9 | "Evaluate IOC COAs" (Respond) workflow is triggered.
10 | - If systems require remediation, the "Remediate Systems" (Respond) workflow is triggered.
11 | - If information from the event meets policy for sharing, the analyst submits the
12 | information to the case and the "Share Event Information" (Identify) workflow is triggered.
13 | - If any additional COAs are required, the SOC executes those COAs manually.
14 |
15 | This workflow may be called from the following workflows:
16 | - "System Response Type Review" (Detect)
17 | - "Monitor Internal System" (Detect)
18 | - "Analyst Review of System Alerts" (Detect)
19 |
20 | ## Workflow
21 |
22 | 
--------------------------------------------------------------------------------
/Respond/System COA Alert Review/System_COA_Alert_Review.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cisagov/shareable-soar-workflows/652202283acc54e8a947ba230e077d0eddc66245/Respond/System COA Alert Review/System_COA_Alert_Review.png
--------------------------------------------------------------------------------
/Use Case -- SLTT Pilot/IOCs from Email/ParseEmail.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cisagov/shareable-soar-workflows/652202283acc54e8a947ba230e077d0eddc66245/Use Case -- SLTT Pilot/IOCs from Email/ParseEmail.png
--------------------------------------------------------------------------------
/Use Case -- SLTT Pilot/Response to Domain IOC/Domain IOC Response Ex1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cisagov/shareable-soar-workflows/652202283acc54e8a947ba230e077d0eddc66245/Use Case -- SLTT Pilot/Response to Domain IOC/Domain IOC Response Ex1.png
--------------------------------------------------------------------------------
/Use Case -- SLTT Pilot/Response to Domain IOC/Response to Domain IOC Ex2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cisagov/shareable-soar-workflows/652202283acc54e8a947ba230e077d0eddc66245/Use Case -- SLTT Pilot/Response to Domain IOC/Response to Domain IOC Ex2.png
--------------------------------------------------------------------------------
/Use Case -- SLTT Pilot/Response to Domain IOC/Response to Domain IOC Ex3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cisagov/shareable-soar-workflows/652202283acc54e8a947ba230e077d0eddc66245/Use Case -- SLTT Pilot/Response to Domain IOC/Response to Domain IOC Ex3.png
--------------------------------------------------------------------------------
/Use Case -- SLTT Pilot/Response to Domain IOC/Response to Domain IOC Ex4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cisagov/shareable-soar-workflows/652202283acc54e8a947ba230e077d0eddc66245/Use Case -- SLTT Pilot/Response to Domain IOC/Response to Domain IOC Ex4.png
--------------------------------------------------------------------------------
/Use Case -- SLTT Pilot/Response to Domain IOC/Response to Domain IOC Ex5.bpmn:
--------------------------------------------------------------------------------
[BPMN XML markup lost in extraction; only sequence-flow ids and one element label survive.]
Element label: Auto Block Domain
Sequence flows: Flow_12z2kzj, Flow_0zm98di, Flow_04wfqs7, Flow_1xrwm5a, Flow_1bj2yp8, Flow_0zeupdl, Flow_0gr9cti, Flow_1em0miw, Flow_183bcoy
--------------------------------------------------------------------------------
/Use Case -- SLTT Pilot/Response to Domain IOC/Response to Domain IOC Ex5.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cisagov/shareable-soar-workflows/652202283acc54e8a947ba230e077d0eddc66245/Use Case -- SLTT Pilot/Response to Domain IOC/Response to Domain IOC Ex5.png
--------------------------------------------------------------------------------
/Use Case -- SLTT Pilot/Response to Email IOC/Response to Email IOC Ex1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cisagov/shareable-soar-workflows/652202283acc54e8a947ba230e077d0eddc66245/Use Case -- SLTT Pilot/Response to Email IOC/Response to Email IOC Ex1.png
--------------------------------------------------------------------------------
/Use Case -- SLTT Pilot/Response to Email IOC/Response to Email IOC Ex2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cisagov/shareable-soar-workflows/652202283acc54e8a947ba230e077d0eddc66245/Use Case -- SLTT Pilot/Response to Email IOC/Response to Email IOC Ex2.png
--------------------------------------------------------------------------------
/Use Case -- SLTT Pilot/Response to Email IOC/Response to Email IOC Ex3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cisagov/shareable-soar-workflows/652202283acc54e8a947ba230e077d0eddc66245/Use Case -- SLTT Pilot/Response to Email IOC/Response to Email IOC Ex3.png
--------------------------------------------------------------------------------
/Use Case -- SLTT Pilot/Response to File Hash IOC/Response to File Hash Ex1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cisagov/shareable-soar-workflows/652202283acc54e8a947ba230e077d0eddc66245/Use Case -- SLTT Pilot/Response to File Hash IOC/Response to File Hash Ex1.png
--------------------------------------------------------------------------------
/Use Case -- SLTT Pilot/Response to File Hash IOC/Response to File Hash IOC Ex2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cisagov/shareable-soar-workflows/652202283acc54e8a947ba230e077d0eddc66245/Use Case -- SLTT Pilot/Response to File Hash IOC/Response to File Hash IOC Ex2.png
--------------------------------------------------------------------------------
/Use Case -- SLTT Pilot/Response to File Hash IOC/Response to File Hash IOC Ex3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cisagov/shareable-soar-workflows/652202283acc54e8a947ba230e077d0eddc66245/Use Case -- SLTT Pilot/Response to File Hash IOC/Response to File Hash IOC Ex3.png
--------------------------------------------------------------------------------
/Use Case -- SLTT Pilot/Response to File Hash IOC/Response to File Hash IOC Ex4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cisagov/shareable-soar-workflows/652202283acc54e8a947ba230e077d0eddc66245/Use Case -- SLTT Pilot/Response to File Hash IOC/Response to File Hash IOC Ex4.png
--------------------------------------------------------------------------------
/Use Case -- SLTT Pilot/Response to IP IOC/Response to IP IOC Ex1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cisagov/shareable-soar-workflows/652202283acc54e8a947ba230e077d0eddc66245/Use Case -- SLTT Pilot/Response to IP IOC/Response to IP IOC Ex1.png
--------------------------------------------------------------------------------
/Use Case -- SLTT Pilot/Response to IP IOC/Response to IP IOC Ex2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cisagov/shareable-soar-workflows/652202283acc54e8a947ba230e077d0eddc66245/Use Case -- SLTT Pilot/Response to IP IOC/Response to IP IOC Ex2.png
--------------------------------------------------------------------------------
/Use Case -- SLTT Pilot/Response to IP IOC/Response to IP IOC Ex3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cisagov/shareable-soar-workflows/652202283acc54e8a947ba230e077d0eddc66245/Use Case -- SLTT Pilot/Response to IP IOC/Response to IP IOC Ex3.png
--------------------------------------------------------------------------------
/Use Case -- SLTT Pilot/Response to IP IOC/Response to IP IOC Ex4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cisagov/shareable-soar-workflows/652202283acc54e8a947ba230e077d0eddc66245/Use Case -- SLTT Pilot/Response to IP IOC/Response to IP IOC Ex4.png
--------------------------------------------------------------------------------
/Use Case -- SLTT Pilot/Shareable+Workflows+for+Scoring+and+Responding+to+Indicators+of+Compromise.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cisagov/shareable-soar-workflows/652202283acc54e8a947ba230e077d0eddc66245/Use Case -- SLTT Pilot/Shareable+Workflows+for+Scoring+and+Responding+to+Indicators+of+Compromise.pdf
--------------------------------------------------------------------------------
/Use Case -- SLTT Pilot/Threat Feed Ingestion/Threat Feed Ingestion Ex1.bpmn:
--------------------------------------------------------------------------------
[BPMN XML markup lost in extraction; only sequence-flow ids survive.]
Sequence flows: Flow_15sqvod, Flow_0qm97tt, Flow_050lh6c, Flow_14plscs, Flow_12hcw1a, Flow_0gvdlx3, Flow_0y9pj18, Flow_0bn75w1, Flow_1bbnxks
--------------------------------------------------------------------------------
/Use Case -- SLTT Pilot/Threat Feed Ingestion/Threat Feed Ingestion Ex1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cisagov/shareable-soar-workflows/652202283acc54e8a947ba230e077d0eddc66245/Use Case -- SLTT Pilot/Threat Feed Ingestion/Threat Feed Ingestion Ex1.png
--------------------------------------------------------------------------------
/Use Case -- SLTT Pilot/Threat Feed Ingestion/Threat Feed Ingestion Ex2.bpmn:
--------------------------------------------------------------------------------
[BPMN XML markup lost in extraction; only sequence-flow ids and one gateway label survive.]
Gateway label: Error in processing STIX object?
Sequence flows: Flow_11bnb1w, Flow_1ohft89, Flow_0jn9ls3, Flow_0rkgz8c, Flow_13h0m2t, Flow_12iwscc, Flow_0wpx4jz
--------------------------------------------------------------------------------
/Use Case -- SLTT Pilot/Threat Feed Ingestion/Threat Feed Ingestion Ex2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cisagov/shareable-soar-workflows/652202283acc54e8a947ba230e077d0eddc66245/Use Case -- SLTT Pilot/Threat Feed Ingestion/Threat Feed Ingestion Ex2.png
--------------------------------------------------------------------------------
/Use Case -- SLTT Pilot/Threat Feed Ingestion/Threat Feed Ingestion Ex3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cisagov/shareable-soar-workflows/652202283acc54e8a947ba230e077d0eddc66245/Use Case -- SLTT Pilot/Threat Feed Ingestion/Threat Feed Ingestion Ex3.png
--------------------------------------------------------------------------------
/Use Case -- SLTT Pilot/Threat Feed/Domain_Regret_Workflow.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cisagov/shareable-soar-workflows/652202283acc54e8a947ba230e077d0eddc66245/Use Case -- SLTT Pilot/Threat Feed/Domain_Regret_Workflow.png
--------------------------------------------------------------------------------
/Use Case -- SLTT Pilot/Threat Feed/Email_Workflow.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cisagov/shareable-soar-workflows/652202283acc54e8a947ba230e077d0eddc66245/Use Case -- SLTT Pilot/Threat Feed/Email_Workflow.png
--------------------------------------------------------------------------------
/Use Case -- SLTT Pilot/Threat Feed/Filehash_Regret_Workflow.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cisagov/shareable-soar-workflows/652202283acc54e8a947ba230e077d0eddc66245/Use Case -- SLTT Pilot/Threat Feed/Filehash_Regret_Workflow.png
--------------------------------------------------------------------------------
/Use Case -- SLTT Pilot/Threat Feed/High_Level_Process.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cisagov/shareable-soar-workflows/652202283acc54e8a947ba230e077d0eddc66245/Use Case -- SLTT Pilot/Threat Feed/High_Level_Process.png
--------------------------------------------------------------------------------
/Use Case -- SLTT Pilot/Threat Feed/IP_Regret_Workflow.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cisagov/shareable-soar-workflows/652202283acc54e8a947ba230e077d0eddc66245/Use Case -- SLTT Pilot/Threat Feed/IP_Regret_Workflow.png
--------------------------------------------------------------------------------
/Use Case -- SLTT Pilot/Threat Feed/Parse_IOC.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cisagov/shareable-soar-workflows/652202283acc54e8a947ba230e077d0eddc66245/Use Case -- SLTT Pilot/Threat Feed/Parse_IOC.png
--------------------------------------------------------------------------------
/Use Case -- SLTT Pilot/Threat Feed/Post_Analyst_Workflow.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cisagov/shareable-soar-workflows/652202283acc54e8a947ba230e077d0eddc66245/Use Case -- SLTT Pilot/Threat Feed/Post_Analyst_Workflow.png
--------------------------------------------------------------------------------
/Use Case -- SLTT Pilot/Threat Feed/Revocation_Workflow.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cisagov/shareable-soar-workflows/652202283acc54e8a947ba230e077d0eddc66245/Use Case -- SLTT Pilot/Threat Feed/Revocation_Workflow.png
--------------------------------------------------------------------------------
/Use Case -- SLTT Pilot/Threat Feed/STIX_Workflow.bpmn:
--------------------------------------------------------------------------------
[BPMN XML markup lost in extraction; only sequence-flow ids and one gateway label survive.]
Gateway label: Is this a revocation?
Sequence flows: Flow_0y990xw, Flow_0qbdytw, Flow_16ed3s3, Flow_0zh4zmr, Flow_11etd1c, Flow_1r60fuy, Flow_0sw2bt6, Flow_1upoc26
--------------------------------------------------------------------------------
/Use Case -- SLTT Pilot/Threat Feed/STIX_Workflow.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cisagov/shareable-soar-workflows/652202283acc54e8a947ba230e077d0eddc66245/Use Case -- SLTT Pilot/Threat Feed/STIX_Workflow.png
--------------------------------------------------------------------------------
/Use Case -- SLTT Pilot/Threat Intel Enrichment/Threat Enrichment.bpmn:
--------------------------------------------------------------------------------
[BPMN XML markup lost in extraction; only sequence-flow ids survive.]
Sequence flows: Flow_0oth93z, Flow_1793mg3, Flow_17eyk31, Flow_17vk7u2, Flow_0fridj9, Flow_0i2mkkz, Flow_1m0xz2z, Flow_1vnqxtg, Flow_1p8v03r, Flow_1dve7ay, Flow_1s59351
--------------------------------------------------------------------------------
/Use Case -- SLTT Pilot/Threat Intel Enrichment/Threat Enrichment.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cisagov/shareable-soar-workflows/652202283acc54e8a947ba230e077d0eddc66245/Use Case -- SLTT Pilot/Threat Intel Enrichment/Threat Enrichment.png
--------------------------------------------------------------------------------