A few years back when I was doing professional services at a financial company, I talked with one of the security operations center (SOC) analysts about one of the worst days in their career.
It started with a mundane phishing investigation that led to the blocking of a domain. Due to a typo, instead of blocking {}.com, the analyst added {}*.com to the EDL blocklist, and the organization was crippled for a few hours until the root cause of the issue was discovered.
This is a case where automating the task could have prevented a simple human error.
An EDL (External Dynamic List) is a text file hosted on an external web server so that multiple security products across your organization, including firewalls, EDRs, SIEMs and threat intel platforms (TIPs), can import the objects it contains, such as IP addresses, URLs and domains, for policy enforcement.
In order to save time and effort, security teams use EDLs to manage their firewall allow and block lists. As the security teams modify the block lists, the security products dynamically import the list to enforce a policy without the need for a configuration change. This is less invasive than manually pushing a policy change to firewalls, and it also enables automatic blocking of malicious traffic.
As customers transition their security operations to Cortex XSOAR, and use it to manage all their security incidents from one location, there is also a consolidation of indicators of compromise (IOCs) from various sources within XSOAR. As of XSOAR 5.5, the platform allows the hosting of specific files that automatically consolidate these indicators within XSOAR, eliminating the need for maintaining a text file on a dedicated web server.
The playbooks profiled in this Playbook of the Week are part of the Generic Export Indicators Service pack, which was created to automate the distribution of indicators from XSOAR to enforcement points in the network. With this pack, users can generate a list based on their threat intel library, and export it to any enforcement point in their network, such as their firewalls, EDRs or SIEMs. Additionally, the pack includes safeguards to prevent incorrect insertions of domains, like the typo mentioned above.
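The typo in the story above (`{}*.com` instead of `{}.com`) is the kind of entry a safeguard should reject before the list is published to enforcement points. The following validator is an added example written for this post, not code from the Generic Export Indicators Service pack or from XSOAR: it checks each line of a constructed sample EDL, accepts IPs, CIDR ranges, domains and leading-wildcard domains, and rejects malformed labels, misplaced wildcards and bare TLDs such as `*.com`. The "at least two labels" rule is a deliberate simplification; a production check would consult the public suffix list so that `*.co.uk` is also rejected.

```python
import ipaddress
import re

# One hostname label: letters, digits, hyphens; no leading/trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

# Constructed sample blocklist, including the two typo variants from the story.
SAMPLE_EDL = """\
# constructed sample EDL blocklist
203.0.113.7
198.51.100.0/24
malicious-example.com
*.bad-example.net
{}*.com
*.com
"""


def validate_edl_entry(entry: str) -> tuple[bool, str, str]:
    """Return (ok, normalized_value, kind_or_reason) for one EDL line."""
    value = entry.split("#", 1)[0].strip().lower()  # drop inline comments
    if not value:
        return False, value, "empty line"
    try:  # IP address or CIDR range: let ipaddress do the strict parsing
        ipaddress.ip_network(value, strict=False)
        return True, value, "ip"
    except ValueError:
        pass
    wildcard = value.startswith("*.")
    host = value[2:] if wildcard else value
    if "*" in host:  # catches '{}*.com' and 'foo*.com'
        return False, value, "wildcard only allowed as a leading '*.' label"
    labels = host.split(".")
    if any(not LABEL_RE.match(label) for label in labels):
        return False, value, "invalid characters or label"  # catches '{}.com'
    if len(labels) < 2:  # 'com' or '*.com' would match every domain in the TLD
        return False, value, "bare TLD"
    return True, value, "wildcard domain" if wildcard else "domain"


def validate_edl(text: str) -> tuple[list[str], list[tuple[str, str]]]:
    """Split an EDL body into accepted values and (value, reason) rejections."""
    accepted, rejected = [], []
    for line in text.splitlines():
        ok, value, info = validate_edl_entry(line)
        if ok:
            accepted.append(value)
        elif info != "empty line":
            rejected.append((value, info))
    return accepted, rejected
```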
This pack not only provides a simple, automated process to modify and update EDLs within XSOAR, it can also replace existing manual processes for updating firewall allow lists and block lists. Analysts can then make these changes directly in XSOAR by simply adding or removing indicators from the EDL.
In turn, customers can automatically digest and update their allow and block lists and distribute them across all of their security products, with XSOAR acting as a single source of truth for EDL maintenance.
In order to create the automated EDL flow within Cortex XSOAR, we recommend the following steps:
For more information on the Generic Export Indicators Service Pack and other XSOAR packs and playbooks, visit our Cortex XSOAR Developer Docs reference page.
Don’t have Cortex XSOAR? Download our free Community Edition today to test out this playbook and hundreds more automations for common use cases you deal with daily in your security operations or SOC.