Introducing ThreatZone: Seamlessly Integrating with Palo Alto Networks Cortex XSOAR

Threat.Zone elevates your security investigations with its cutting-edge capabilities. Dive into real-time analysis of malware, enabling you to dissect its inner workings and behavior.

Our hypervisor-based approach empowers you to effectively fight back against emerging threats. Threat.Zone enrichments are adaptable and can seamlessly integrate into various playbooks, such as sandbox, static-scan, and CDR playbooks, along with incidents and related files marked as indicators for threat intelligence, when you choose Threat.Zone, you’re selecting unparalleled capabilities to enhance your security operations.

How to install and configure

In order to configure Threat.Zone on the Cortex XSOAR platform, you’ll need to follow these steps:

• Navigate to Marketplace & Search for ThreatZone

• Click “Install”

• Navigate to Settings > Integrations > Instances
• Search for ThreatZone

• Click Add instance to create and configure the new integration instance
• A few parameter configurations are required:
  • API key
  • Server URL (default: https://app.threat.zone)
  • Source Reliability (default: A - Completely reliable)
  • Trust any certificate (not secure): False
  • Use system proxy settings: False

• Click Test to check if the URL, API key, and connection are working as expected

• If a “Success” message appears, you are prepared to test ThreatZone commands in XSOAR Playground.
• You can start executing supported ThreatZone commands within the CLI interface located at the bottom of the screen. Simply prepend the necessary parameters by placing an exclamation mark at the beginning of the command, as depicted below:

Supported commands

Here is a collection of supported commands that you can run within the Cortex XSOAR CLI. You can utilize these commands as part of an automation or within a playbook. Once a command is executed, the War Room will display a DBot message with the command details for your reference.

• tz-check-limits
• tz-sandbox-upload-sample
• tz-static-upload-sample
• tz-cdr-upload-sample
• tz-get-result

Ready-to-use Playbooks

We also offer a selection of ready-to-use playbooks within the ThreatZone integration. You can refer to these playbooks for guidance on utilizing the commands, whether you’re incorporating them into your own playbooks or using them directly.

• Analyze File - Sandbox - ThreatZone
• Analyze File - Static Scan - ThreatZone
• Sanitize File - CDR - ThreatZone

Enhancing Threat Intelligence Integration

In the context of ThreatZone Integration, it’s crucial to emphasize that all data is meticulously transformed into indicators, ensuring no information is lost. This preservation of data integrity is instrumental for future analysis, enabling security professionals to extract valuable insights and make informed decisions confidently.

When submission results are asked after the operation successfully finished, with the help of tz-get-result command, it converts sample analysis data into actionable indicators. This feature accelerates investigations, fortifies proactive threat detection, and streamlines incident response, empowering XSOAR users to bolster their cybersecurity defenses with greater precision and efficiency.

Immediately following the completion of the analysis and the determination of the threat level, indicator data seamlessly integrates into both the related Incident page and the Threat Intelligence page. This swift and automated integration process not only expedites response efforts but also enhances overall threat visibility. Security professionals can promptly access critical information about potential threats, facilitating rapid and informed decision-making.

• Incident Page

• Indicator Page

To sum up...

By following the simple installation and configuration steps outlined, you can quickly harness the full potential of Threat.Zone within the Cortex XSOAR platform. With a range of supported commands and ready-to-use playbooks, you have the flexibility to tailor your security operations to meet the demands of your environment.

In a landscape where every second counts, choose Threat.Zone to elevate your security operations and defend against the ever-evolving threat landscape. Stay vigilant, stay secure, with Threat.Zone and Cortex XSOAR at your side.

Author: Veli Tekin