Automating Response SOAR EDR - The SOAR (Tines) Playbook - Part B

  • Writer: Jv Cyberguard
  • Feb 25

Updated: Apr 2



Part 4: Building out the Story (Playbook) for automated response - Part B


To recap: this is our general flow diagram. Everything in green is what we have already done. In this final part we will build out what happens if, in response to the alert in the page action, the user decides to isolate by clicking Yes. The steps we add to complete our story should cover the steps outlined in red in the diagram below.

[screenshot]

We need to drag another trigger onto the board (1) and name it "user says yes" by clicking on the trigger and changing the name in the right pane (2). It works much like an if-then statement. Connect the page action to the trigger (3 & 4). Click on the trigger (5) so we can set the rule to look for the variable in the event that stores whether the user clicked yes or no.

[screenshot]

Delete the content of the Rules field.

[screenshot]

To make this easy, simply copy the variable from the other trigger, "user says no", since it stores the event for both a user choosing yes and a user choosing no.

[screenshot]

Click on the "User says yes" trigger and press the plus.

[screenshot]

Now paste the contents there. Notice that the field still holds false, since we clicked No the last time we were asked whether we want to isolate.

[screenshot]

For the rule, we want the field under "to state" to be equal to true.

[screenshot]

Let's configure the next action that should occur: we want the device to be isolated by LimaCharlie if the analyst selects Yes on the page action form.

Click on Templates to see whether there are any LimaCharlie actions that let Tines reach out and isolate.

[screenshot]

Drag it under the trigger for "user says yes". Look for the Isolate Sensor template and select it.

[screenshot]

Since we chose an action for our LimaCharlie template, we can connect the trigger to it.

[screenshot]

In the left pane we see the settings we have to configure. A few things to note.

[screenshot]

If we google for the LimaCharlie REST API docs, notice that it relies on the sensor id to isolate.

The sensor id is one of the fields we report on in our Slack message. However, in our detection log the sensor id is not stored in {}sid. Instead, it is stored in the path below, so copy the variable for the sensor id from the Slack message and insert it in the URL of the Isolate Sensor action.

[screenshot]

Go back to the Isolate Sensor action once the sensor id path is copied.

Remove {}sid. Click the plus icon > Value, then paste the variable for the sensor id in our playbook.

[screenshot]

Notice it's null? That is because we have to re-run the playbook for the detection data to feed into the LimaCharlie Isolate Sensor action. The Isolate action was created after we last re-emitted the webhook event (in other words, re-ran the playbook), so the Isolate Sensor action never received the event.

Click on the webhook again > Events > Re-emit.

Now click on the page action. Actually, let's use this opportunity to rename it from "page action" to "Page Action (User Prompt)". You will get a popup about renaming references; allow it to proceed.

[screenshot]

Let's visit the page, choose the most recent event, and this time select Yes and submit.

[screenshot]

The Isolate Sensor action should get the LimaCharlie detection data now, but it appears there is an error. Let's investigate.

[screenshot]

Click on the sensor id field to make sure it's no longer null.

[screenshot]

It isn't, which is good. The sensor id now populates, which means the action should be able to go out and isolate the endpoint.

[screenshot]

However, remember that we need to set up credentials for this to work. The one listed here is null.

[screenshot]

Navigate to your LimaCharlie tenant > Access Management > REST API and copy the JSON Web Token (JWT). We will use this to authenticate the actions Tines performs in LimaCharlie via the API.

When Tines sends a request to isolate a sensor, for example via the endpoint https://api.limacharlie.io/v1/retrieve_lima_charlie_detections.body.detect.routing.sid/isolation (where the middle path segment is the Tines variable that resolves to the sensor id), it includes the Org JWT in the request header. LimaCharlie decodes the token, verifies its signature, and confirms that Tines has the necessary organizational permissions to execute the isolation command.

Using an Org JWT improves security by clearly defining and limiting the scope of access to organization-level operations. This reduces the risk that comes with user API keys, which could expose broader access if compromised. The JWT can be rotated or revoked as needed without impacting individual user accounts.

In short, the Org JWT is a secure, efficient credential that Tines uses to ensure that sensor isolation commands are both authorized and executed safely within LimaCharlie's system.

[screenshot]

Back to Tines. Press the Tines logo in the top left corner to return to the dashboard.

Then click Credentials.

[screenshot]

Click New > Text.

[screenshot]

In the Name field enter LimaCharlie.

In Value enter your copied JSON Web Token (JWT).

In URLs and Domains enter *.limacharlie.io so it works for the domain and any subdomains.

Then Save.

To leave that screen, simply click outside the new text credential box.

[screenshot]

Go back to Stories to get back to our playbook.

[screenshot]

In the right pane, under Credentials, click Connect and select LimaCharlie.

[screenshot]

Clicking on the bearer field should now show that it is no longer empty.

[screenshot]

Let's test now. Navigate to the sensor in LimaCharlie.

[screenshot]

The device is currently not isolated.

[screenshot]

Let's also start an endless ping on the endpoint so we can track whether it starts to fail once isolated.

[screenshot]

Let's click Test and see if it isolates.

[screenshot]

Click on the last event generated.

[screenshot]

When we clicked Test it was successful; all of a sudden the pings to my website stopped working.

[screenshot]

Let's check LimaCharlie to see if it was indeed isolated.

[screenshot]

Click Rejoin Network to see if it successfully disables the isolation.

[screenshot]

It works!

Sidenote: a troubleshooting step here. For some reason, in one of the testing attempts, hitting Rejoin Network in LimaCharlie was not actually releasing the endpoint from isolation. The steps I took were: I refreshed Tines and I also refreshed the LimaCharlie webpage. Additionally, I tried isolating from inside LimaCharlie and then releasing from isolation there, and that seemed to do the trick.

[screenshot]

Now that we've confirmed that the automated response works, we need to finish off two steps.

[screenshot]

We also need to send a message to the Alerts channel on Slack indicating that the <computer> has been isolated, along with the isolation status, which confirms that it was actually isolated by getting that detail from LimaCharlie.

Let's drag another LimaCharlie template onto our playbook and search for a Get Isolation Status action.

[screenshot]

Click on the template.

[screenshot]

Search and select the following.

[screenshot]

You know the drill. Update the URL for the Get Isolation Status action by replacing the {}sid variable with the path where the sensor id is actually stored. Copy it from the LimaCharlie Isolate Sensor action.

[screenshot]

Then paste it in the Get Isolation Status URL. As we can see, the value for sensor id is null.

[screenshot]

This is because the last run of the playbook was before we created this action, so we have to rerun the playbook. But before we do, let's connect the Isolate Sensor action to the Get Isolation Status action.

[screenshot]

We don't have to re-run the playbook from the top (the webhook) for the data to feed into our newest action. We can re-run the playbook (re-emit) from the Page Action (User Prompt) where we clicked Yes to isolate.

[screenshot]

It should be our most recent event.

[screenshot]

Your system should isolate again. Mine turned off this time, lol. However, it is isolated. You may have to verify your sleep options if that happens.

[screenshot]

However, it seems as though the Get Isolation Status action failed.

Click on Get Isolation Status. Drilling down in the logs, it failed because the credentials are not connected.

[screenshot]

The credential is null.

Click anywhere on the storyboard to get to your general pane. Under Credentials there is another lima_charlie that we have to connect. I believe this is for Get Isolation Status. We need to connect the same credentials that we set up.

[screenshot]

Let's test Get Isolation Status again.

[screenshot]

Based on the last event.

[screenshot]

It isn't successful; it says the token is expired. Copy the Org JWT from LimaCharlie again and update the JWT in the credential from the dashboard.

[screenshot]

When you're done, test Get Isolation Status again.

[screenshot]

It works!

Now that we have the isolation status, we can append that value to the note sent to the Slack alert channel. Let's copy and paste one of our Send Slack Message actions under the Get Isolation Status action. Then we need to find the JSON object path to the value in the response body that contains the isolation status.

[screenshot]

And then connect it.

[screenshot]

Change the text from:

[screenshot]

To:

[screenshot]

Under Data, drill down into Get Isolation Status by clicking it and then clicking it again.

[screenshot]

How do we know where to look for the value that says whether the endpoint was isolated or not? Remember that when we tested Get Isolation Status it showed us the response.

[screenshot]

So the path we are traversing in the Slack action leads to that value. After drilling down into Get Isolation Status, drill down into body.

[screenshot]

It says error because we created this action after the playbook was last run, so we will just re-emit from Page Action (User Prompt) again. This works because it regenerates the last event, the one where the user clicked Yes.

[screenshot]

This will feed all the isolation status data to the Send Slack Message action.

[screenshot]

We should now be able to drill down further. Select is_isolated. Notice that the value is "true".

[screenshot]

So although the Slack message says the machine is isolated, it is the Get Isolation Status action that actually verifies this was done, since it provides the value true or false.
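The data-flow problems this walkthrough runs into (a null sensor id when an action is created after the last run, a null bearer credential, and a Slack message that should report the verified is_isolated value rather than assume success) can be modelled in a few lines. This is an added example, not code from the post, from Tines or from LimaCharlie; the detection sample, the hostname, the URL template form and the error body are constructed assumptions.

```python
# Constructed sample of a LimaCharlie detection as the Tines webhook receives it;
# only the fields the playbook reads are filled in, and the sid is a placeholder.
SAMPLE_DETECTION = {
    "body": {"detect": {"routing": {
        "sid": "00000000-0000-0000-0000-000000000000",  # placeholder sensor id
        "hostname": "lab-endpoint",  # constructed hostname
    }}}
}

# URL shape of the Isolate Sensor and Get Isolation Status actions (assumed form of the
# template; the real sensor id replaces the {sid} placeholder, as the walkthrough does).
URL_TEMPLATE = "https://api.limacharlie.io/v1/{sid}/isolation"


def lookup_path(event, path):
    """Walk a dotted path such as body.detect.routing.sid; return None when a hop is
    missing, which is the 'null' Tines shows for an action created after the last run."""
    node = event
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def isolation_url(event, sid_path="body.detect.routing.sid"):
    """Build the action URL and refuse to call the API with a null sensor id."""
    sid = lookup_path(event, sid_path)
    if not sid:
        raise ValueError(f"sensor id is null at {sid_path}; re-emit the event first")
    return URL_TEMPLATE.format(sid=sid)


def auth_header(org_jwt):
    """Send the Org JWT as a bearer token; a missing credential is an error, not an empty header."""
    if not org_jwt:
        raise ValueError("credential is null; connect the LimaCharlie credential")
    return {"Authorization": f"Bearer {org_jwt}"}


def slack_text(event, status_response):
    """Compose the Slack alert from the verified Get Isolation Status body instead of
    assuming success; an 'error' body (e.g. an expired token) must not read as isolated."""
    host = lookup_path(event, "body.detect.routing.hostname")
    if "error" in status_response:
        return f"Isolation of {host} could not be verified: {status_response['error']}"
    isolated = status_response.get("is_isolated")
    return f"The computer {host} has been isolated. Isolation status: {isolated}"
```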

Let's test it now.

[screenshot]

Choose the most recent event.

[screenshot]

Success!

[screenshot]


Let's demo the project now with a complete run-through.

  1. Run Lazagne.exe

  2. Open cmd and start a ping -t 8.8.8.8

[screenshot]

Detections show up in the EDR.

[screenshot]

This is a parent and child process pair that matches our detection, so when the event is picked up in Tines it may appear as duplicates. That's OK for now because we don't need to differentiate process IDs in our playbook.

In line with the playbook, the alert also shows up in the inbox. You may have ServiceNow set up so that an email to this inbox creates a ticket, and you may choose to handle it there. That's one breakout solution.

[screenshot]

It also shows up in Slack.

[screenshot]

Before we continue, our Org JWT (JSON Web Token) may be expired, so let's copy and paste a new one into our LimaCharlie credential.

[screenshot]

In the playbook, click on the Page Action (User Prompt).

[screenshot]

Choose Isolate and submit.

[screenshot]

Pinging stops instantly.

[screenshot]

Let's see if our message gets to Slack.

[screenshot]

Go to the sensor page.

[screenshot]

Release from isolation.

[screenshot]

And we're back up.

[screenshot]

This is the end of the lab. However, there is significant room for improvement: it still does not completely mirror a real-world automated response use case. I say this because we still have to come into Tines, visit the Page Action (User Prompt) and choose to isolate from there. How would you remedy this?

If you're interested in seeing how we make it more of an automated response using a Slack app, please check the bonus section. It does get more complex, but also more rewarding.

©2025 by The SOC spot