Bolster Playbooks get the hookup with new API connector

The Summer Olympics are drawing so much of our attention that some recent news may have been buried. We get it. That's why we wanted to highlight a recent feature release.

Bolster has introduced a new Playbook API connector to help streamline the incredibly important work needed to analyze suspicious and fraudulent sites.

This new connector is an extension of our existing Playbook feature, which was released into the platform earlier in the year. Many teams, especially within the DevSecOps space, have become accustomed to posting information about malicious events directly to Slack or other REST API endpoints. We recognize that many alerting, ticketing, collaboration, and ETL-type use cases can be supported if our platform can “speak” to these disparate services.

After some early feedback, our engineers quickly got to work to address the growing need for Bolster to interface with other services. We now have a fairly easy way for our admins to create a custom webhook to other platforms using our Playbook API connector, which adds to our existing Email and Slack options.

Using Bolster’s playbook templates, customers can opt to send the following data without much additional configuration:
• Sites where logos were detected
• Phishing sites found
• Phishing sites with long lifespans
• Sites taken down
• Sites that have reemerged

Real World Examples

With this connector having been released into production over a month ago, we’ve now had an opportunity to check in on our customers to see how they're utilizing the feature. Below are some of the great examples and use cases we have been able to collect.

Zoom Chat

Zoom offers an incoming webhook app on their marketplace that works well with our new connectors and Zoom Chat. We have a customer who gathers results about recent phishing sites that have been taken down and then posts those results into a Zoom Chat for the entire security team to be informed. The team preferred this method over Email as a lot of the information sharing they are already doing is done through this channel. While the same data is available in the Bolster UI, sending the results to Zoom Chat on a recurring basis gave the team a quick way to collaborate and have discussions.

Figure 1 – Zoom Chat Configuration Example

Sumo Logic

In our internal testing of these custom webhooks, we integrated with Sumo Logic, a comprehensive, cloud-native observability and security product. The idea behind sending suspicious sites to Sumo Logic was to use its Threat Intelligence database to further analyze the data about these sites and to cross-check whether the domains or URLs also appear as Indicators of Compromise (IOCs). In this case, the data was provided as a comma-delimited CSV file.

Figure 2 – Sumo Logic Configuration Example

Splunk

Splunk is another observability tool that many large organizations use as their on-premises SIEM solution. One idea a customer had was to send details of any site that re-emerges to Splunk, where they could further analyze the results and build the necessary alerting for their SOC. Re-emerging sites can be viewed as more serious, since a bad actor has decided to move the same phish or scam content from one hosting provider to another. In this case, the customer decided to output the results in JSON.

Figure 3 – Splunk Configuration Example

Tines

Tines is a platform used to cut down the amount of time spent investigating and resolving security incidents through the automation of workflows. In short, it is used as a Security Orchestration, Automation and Response (SOAR) tool in many cases because of how easily it integrates with other services. For brands that have a lower volume of phishing and scam sites, we believe it is fine to alert on all new sites daily; a Bolster playbook can therefore send a list of malicious sites to Tines each day, which then triggers specific actions to be completed automatically.

Figure 4 – Tines Configuration Example
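To make the receiving side of these integrations concrete, here is an added example of a small normalizer that a SIEM or SOAR ingestion step could run over a playbook webhook body. It is not Bolster's code: the post shows results being delivered as JSON (Splunk) and as CSV (Sumo Logic) but does not show the playbook schema, so the field names (url, category, hosting_provider, first_seen), the category keys, and the two sample payloads are all constructed for illustration. It maps the five playbook data types to a severity, ranks re-emerged and long-lived phishing sites highest as the post suggests, and de-duplicates repeated records so a team does not page twice on the same site.

```python
"""Normalize playbook webhook payloads (JSON or CSV) into SIEM-ready alert records.

ASSUMPTIONS: the field names, category keys and sample payloads below are
constructed for this example; Bolster's actual playbook schema is not shown
in the post.
"""
import csv
import io
import json
from typing import Any

# The five playbook data types named in the post, mapped to a severity a SOC
# might assign. Re-emerged sites rank highest, reflecting the post's point
# that an actor who re-hosts the same content is worth extra attention.
SEVERITY = {
    "reemerged": "high",
    "phishing_long_lived": "high",
    "phishing": "medium",
    "logo_detected": "low",
    "taken_down": "info",
}


def _normalize(row: dict[str, Any]) -> dict[str, Any]:
    """Validate one raw record and reshape it into the alert format."""
    category = str(row.get("category", "")).strip().lower()
    url = str(row.get("url", "")).strip()
    if not url or category not in SEVERITY:
        # Reject rather than guess: an unknown category or empty URL means the
        # sender's template changed, which the SOC should notice.
        raise ValueError(f"unrecognized record: {row!r}")
    return {
        "url": url,
        "category": category,
        "severity": SEVERITY[category],
        "hosting_provider": str(row.get("hosting_provider", "")).strip() or None,
        "first_seen": str(row.get("first_seen", "")).strip() or None,
    }


def parse_webhook(body: bytes, content_type: str) -> list[dict[str, Any]]:
    """Accept a webhook body as JSON (as sent to Splunk) or CSV (as sent to Sumo Logic).

    Returns normalized alert records with exact (url, category) duplicates removed.
    """
    text = body.decode("utf-8")
    if content_type.startswith("application/json"):
        payload = json.loads(text)
        # Accept either a bare list or an object wrapping the list (assumed key "sites").
        rows = payload if isinstance(payload, list) else payload.get("sites", [])
    elif content_type.startswith("text/csv"):
        rows = list(csv.DictReader(io.StringIO(text)))
    else:
        raise ValueError(f"unsupported content type: {content_type}")

    seen: set[tuple[str, str]] = set()
    alerts: list[dict[str, Any]] = []
    for row in rows:
        record = _normalize(row)
        key = (record["url"], record["category"])
        if key in seen:
            continue  # same site reported twice in one delivery
        seen.add(key)
        alerts.append(record)
    return alerts


def alerts_needing_escalation(alerts: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Select the records a SOAR workflow (e.g. Tines) would act on immediately."""
    return [a for a in alerts if a["severity"] == "high"]


# Constructed sample deliveries (not real sites): the JSON body repeats one
# record to show de-duplication; the CSV body uses the Sumo Logic-style format.
SAMPLE_JSON = json.dumps({"sites": [
    {"url": "https://brand-login-verify.test/", "category": "reemerged",
     "hosting_provider": "hoster-b.example", "first_seen": "2024-08-01"},
    {"url": "https://brand-login-verify.test/", "category": "reemerged",
     "hosting_provider": "hoster-b.example", "first_seen": "2024-08-01"},
    {"url": "https://brand-promo-claim.test/", "category": "phishing",
     "hosting_provider": "hoster-a.example", "first_seen": "2024-08-03"},
]}).encode("utf-8")

SAMPLE_CSV = (
    b"url,category,hosting_provider,first_seen\n"
    b"https://brand-giveaway.test/,logo_detected,hoster-a.example,2024-08-02\n"
    b"https://brand-support-login.test/,phishing_long_lived,hoster-a.example,2024-07-10\n"
)

if __name__ == "__main__":
    for body, ctype in ((SAMPLE_JSON, "application/json"), (SAMPLE_CSV, "text/csv")):
        alerts = parse_webhook(body, ctype)
        print(ctype, len(alerts), "alerts,", len(alerts_needing_escalation(alerts)), "to escalate")
```

The content-type branch is deliberate: the post shows two customers choosing two different output formats, so a receiver that only understands one will silently drop the other team's deliveries. Rejecting unknown categories, rather than defaulting them to a low severity, makes a changed template visible instead of quietly downgrading alerts.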

Hook It Up

Many SOC, DevOps, Legal, Brand Protection and IP teams already have workflows and processes in place. To reduce the change management involved in introducing a new tool like Bolster into the mix, we simply let our users hook into their existing services, so they can operate as they always have, with the added benefit of easily obtaining information about fraudulent sites being detected, monitored, and taken down by our platform.

Our new API connector is a tremendous way to add value to Bolster’s Playbooks and we hope you find time to explore this. If you have your own examples and use cases to share, please feel free to do so in the comments below.

*** This is a Security Bloggers Network syndicated blog from Bolster Blog authored by Latimer Luis. Read the original post at: https://bolster.ai/blog/bolster-playbooks-get-the-hookup-with-new-api-connector/