Task Automation

Wednesday, January 8, 2025 12:13 AM

Lesson 8 of 13
Task Automation
What is Task Automation?
In ThreatStream, you can automate your investigation tasks. When you
need to run several checks on an observable, you can use an automated
task: a predefined sequence of enrichments applied to a specific type of
observable during the investigation.

Automated tasks can be run on the following types of nodes:

• Domain
• Email
• IP
• Hash
• URL

Automated tasks can be created by anyone in your organization, and you
can create your own custom automated tasks. You can edit and delete
your own automated tasks, except those that are active and used by other
users in your organization.
All automated tasks are available on the Manage > Task Automation page.
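The following is an added worked model of the task structure this lesson describes: a predefined sequence of enrichments keyed to one observable type (the Creating Automated Tasks section further states exactly one trigger and at most 20 actions). It is illustrative Python written for this page, not ThreatStream code or its API. The action functions, the local blocklist, the observable classification rules and the refanging rules are assumptions chosen for the demonstration; the defanged IP 39.105.168[.]13 is the one from the lesson's SIEM scenario.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Any, Callable

# The observable (node) types an automated task can trigger on, as listed in the lesson.
TRIGGER_TYPES = ("Domain", "Email", "IP", "Hash", "URL")
MAX_ACTIONS = 20  # the lesson's limit: one trigger, at most 20 actions

DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)
URL_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)
HEX_RE = re.compile(r"^[0-9a-f]+$", re.I)
HASH_LENGTHS = {32: "MD5", 40: "SHA-1", 64: "SHA-256"}  # hex digest lengths (assumption: only these)


def refang(value: str) -> str:
    """Undo the defanging analysts use in tickets (39.105.168[.]13, hxxp://, [dot], [@])."""
    v = value.strip()
    v = re.sub(r"\[\.\]|\(\.\)|\[dot\]", ".", v, flags=re.I)
    v = v.replace("[@]", "@").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", v, flags=re.I)


def normalize(value: str) -> tuple[str, str]:
    """Return (trigger type, refanged value); raise ValueError for unsupported input.
    Order matters: IP before Domain (dotted quads), URL before Email (user@host in URLs)."""
    v = refang(value)
    try:
        ipaddress.ip_address(v)
        return "IP", v
    except ValueError:
        pass
    if URL_RE.match(v):
        return "URL", v
    local, at, dom = v.partition("@")
    if at and local and "@" not in dom and " " not in local and DOMAIN_RE.match(dom):
        return "Email", v.lower()
    if HEX_RE.match(v) and len(v) in HASH_LENGTHS:
        return "Hash", v.lower()
    if DOMAIN_RE.match(v):
        return "Domain", v.lower()
    raise ValueError(f"unsupported observable: {value!r}")


# Constructed local blocklist standing in for a real enrichment source (assumption).
LOCAL_BLOCKLIST = {"39.105.168.13", "evil.example"}


# Example actions: each takes the normalized observable and returns its enrichment result.
def ip_properties(value: str) -> dict[str, Any]:
    ip = ipaddress.ip_address(value)
    return {"version": ip.version, "is_global": ip.is_global, "is_private": ip.is_private}


def hash_algorithm(value: str) -> dict[str, Any]:
    return {"algorithm": HASH_LENGTHS[len(value)]}


def registered_domain(value: str) -> dict[str, Any]:
    # Simplification: last two labels; a real enrichment would consult the public suffix list.
    return {"registered_domain": ".".join(value.split(".")[-2:])}


def blocklist_lookup(value: str) -> dict[str, Any]:
    return {"listed": value.lower() in LOCAL_BLOCKLIST, "source": "constructed-local-list"}


Action = Callable[[str], dict[str, Any]]


@dataclass(frozen=True)
class AutomatedTask:
    name: str
    trigger_type: str            # exactly one trigger type
    actions: tuple[Action, ...]  # ordered enrichments, at most MAX_ACTIONS

    def __post_init__(self) -> None:
        if self.trigger_type not in TRIGGER_TYPES:
            raise ValueError(f"unsupported trigger type: {self.trigger_type}")
        if not 1 <= len(self.actions) <= MAX_ACTIONS:
            raise ValueError(f"a task needs 1 to {MAX_ACTIONS} actions")


def run_task(task: AutomatedTask, observable: str) -> dict[str, Any]:
    """Refang and classify the observable, refuse it if it is not the trigger type,
    then apply each action in order and collect the enrichment results by action name."""
    kind, value = normalize(observable)
    if kind != task.trigger_type:
        raise ValueError(f"{task.name!r} triggers on {task.trigger_type}, got {kind}")
    result: dict[str, Any] = {"task": task.name, "type": kind, "observable": value}
    for action in task.actions:
        result[action.__name__] = action(value)
    return result


if __name__ == "__main__":
    # Constructed scenario: the SIEM-alerted IP from the lesson, triaged by an IP task.
    ip_triage = AutomatedTask("IP triage", "IP", (ip_properties, blocklist_lookup))
    print(run_task(ip_triage, "39.105.168[.]13"))
```

Two checks in this model are the ones a practitioner cares about: refanging happens before classification, so an indicator pasted from a ticket as 39.105.168[.]13 still matches an IP trigger instead of silently failing the type check, and the trigger type is enforced before any action runs, so an IP task never applies domain or hash enrichments to the wrong kind of node.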
Task Automation Page
The Task Automation page displays a list of every automated task
associated with your organization that is visible to you.

Creating Automated Tasks
You can create your own automated tasks. A task consists of the
following:

• Trigger - the starting point of an automated task. An observable in an
investigation can be a trigger.
• Actions - checks and transformations performed on the trigger for
more detailed analysis. An enrichment in an investigation can be an
action.

Each automated task has exactly one trigger and can have up to 20
actions.

To create an automated task:

1. Navigate to Manage > Task Automation.
2. Click New in the upper-right corner.

Lesson 9 of 13
Investigation Demo
Having found a malicious IP address in our infrastructure, it is now time to investigate the
incident.
In the previous lessons we explored the tools available in ThreatStream to analyze and
enrich intelligence. Now we are going to put all that knowledge into practice by starting an
Investigation.
We have covered multiple ways to create a new investigation in ThreatStream. How and
when your users should start an investigation depends on internal processes and workflows;
in this lesson we demonstrate an investigation started manually by an analyst to
follow up on the SIEM alert scenario.

Please note that this Investigation video was recorded before the release of the MITRE ATT&CK framework
within Investigation models, so you will notice that it is missing.

Lesson 10 of 13
Mastering the MITRE ATT&CK in Investigations
Threat hunters can leverage the MITRE ATT&CK framework to quickly highlight the specific TTPs
most likely to be used by the actors and adversaries known to be potential threats. By
focusing on adversary tactics and techniques rather than on observables that adversaries can
easily change, analysts can move from a reactive to a proactive approach.
The framework has proved very useful in gauging an organization's level of visibility against
targeted attacks with the tools already deployed across its security structure.

In the video below we demonstrate how this tool can be used in your
day-to-day work.
It reviews the scenario introduced in the "Searching and Editing Existing
Intelligence in ThreatStream" module. We have received an alert from our
SIEM regarding suspicious network traffic for the IP address 39.105.168[.]13,
which has been added to an Investigation along with its associated Entities.

Lesson 11 of 13
Why Not Try It Yourself?
Do You Have Access to Your Organization's
ThreatStream?
This section is completely optional, but if you have access to your
organization's ThreatStream platform, why not practice the skills that you
have learned in this lesson and work through the following exercises:

Exercise One: Review an existing Investigation

○ From Research, click on Investigations and use the filter options to locate an
Investigation of your liking.
○ Click on the Investigation and review the existing Entities, Models, Description and
Attachments.

Exercise Two: Create a new Investigation and add entities

○ Manually create a new Investigation, either starting from an observable or from a blank one
(if preferred, add TEST at the start of the Investigation Title).
(Investigations that you have created can also be deleted later if needed, to keep your live
environment tidy.)
○ Populate the Investigation with entities available in ThreatStream or manually add new
ones.
○ Click Show Models and review how those entities are added to the Investigation Entities
model and the MITRE ATT&CK framework.
○ BONUS: Why not manually link entities to the Kill Chain and Diamond models?

Exercise Three: Create a Threat Bulletin

○ Using the Investigation button, export your Investigation to a Threat
Bulletin. Since this is a test, remember to clearly mark it as a TEST
and delete it afterwards if required.

Automating Investigation Tasks in ThreatStream
