Cyber Triage users now have another option when looking for Security Orchestration, Automation and Response (SOAR) solutions because Demisto can now launch a Cyber Triage investigation. Orchestration solutions allow companies to respond faster and more efficiently because common steps are automated and do not require human intervention. For Demisto users who are not already using Cyber Triage, this integration gives them agentless endpoint visibility: they can collect data without needing a full EDR deployment.
This blog post covers what the integration does and how to set it up.
What You Can Now Do
Cyber Triage focuses on the collection and analysis of endpoint data and the integration makes it easier to start the collections. There are two ways that this can occur:
- Responders can manually start a Cyber Triage collection. The benefit here is that the responder can start the collection without leaving the Demisto UI. They simply type in ‘!ct-triage-endpoint’ as a command in the chat box and supply the remote host name. The DBot ChatBot will confirm.
- Cyber Triage can also be started from a playbook. Demisto playbooks define a series of tasks that should occur based on either alerts or some manual trigger. One of those tasks can now be a Cyber Triage collection.
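As an added illustration of the playbook route (this is not a playbook shipped by Demisto or Cyber Triage), the sketch below wires the ‘ct-triage-endpoint’ command into a Demisto playbook task that takes the host name from the incident. The argument name `hostname`, the brand name `CyberTriage` and the incident field `incident.hostname` are assumptions; only the command name comes from this post.

```yaml
# Added example playbook, not part of the Demisto content pack.
# Starts a Cyber Triage collection on the host named in the incident.
id: start-cyber-triage-collection          # hypothetical playbook id
version: -1
name: Start Cyber Triage Collection
description: Kick off an agentless Cyber Triage collection for the incident host.
starttaskid: "0"
tasks:
  "0":
    id: "0"
    taskid: start-task                     # hypothetical task id
    type: start
    task:
      id: start-task
      version: -1
      name: ""
      iscommand: false
      brand: ""
    nexttasks:
      '#none#':
      - "1"
  "1":
    id: "1"
    taskid: collect-task                   # hypothetical task id
    type: regular
    task:
      id: collect-task
      version: -1
      name: Collect endpoint with Cyber Triage
      # Runs the same command a responder would type as !ct-triage-endpoint.
      # "CyberTriage" is the assumed integration brand configured under Add Instance.
      script: CyberTriage|||ct-triage-endpoint
      type: regular
      iscommand: true
      brand: CyberTriage
    scriptarguments:
      hostname:                            # assumed argument name for the remote host
        simple: ${incident.hostname}       # assumed incident field holding the host name
    separatecontext: false
inputs: []
outputs: []
```

The collection itself still runs from the Cyber Triage Team server, so the responder reviews results there as described below, while Demisto only records that the task completed.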
Regardless of the approach used in Demisto, the server of Cyber Triage’s Team edition will remotely execute its collection tool and receive results (such as processes, startup items, and execution history). The incident responder can then log into Cyber Triage and review the analysis results.
Setting It Up
The main requirements for the integration are Demisto and a Team license of Cyber Triage. The standard version of Cyber Triage does not have the REST API that the integration depends on.
In Demisto, ensure that you have the most up-to-date integrations and then locate Cyber Triage.
Click on “Add Instance” and fill in the:
- Hostname of the Cyber Triage server
- Cyber Triage API key that you can get from the Options panel in Cyber Triage
- Username and password that you want the collection tool to remotely run as
Once you have the fields filled in, press the “Test” button to ensure that Demisto can contact the Cyber Triage REST API.
Automation becomes a key theme as the incident response capabilities of companies mature. Combining Demisto and Cyber Triage lets responders use their time more efficiently: they can start collections without leaving Demisto, or have a playbook start them automatically.
If you are not a Cyber Triage customer and want to try the integration, then contact firstname.lastname@example.org for a Team evaluation license (if you fill out the standard evaluation form, you will not get a Team license). If you are a customer and need some help with the integration, contact email@example.com.