Incident Responder

Get Started with Incident Responder

Welcome to Incident Responder, the security orchestration, automation, and response (SOAR) solution that helps you work more productively, make fewer mistakes, and quickly resolve security incidents using playbooks and a visual editor.

To understand what Incident Responder is and how to use it, here are some key concepts that might help you.

  • Incident Responder

    Incident Responder automates your repetitive and manual tasks, like looking up the reputation of an IP address. Respond quickly and efficiently to incidents using actions and playbooks.

  • Incident Responder Services

    Integrate Incident Responder with a service to run actions and playbooks.

  • Incident Responder Actions

    Call a third-party service and gather data points manually or automatically using actions.

  • Playbooks

    Automate your tasks, immediately neutralize attacks, and mitigate damages with Incident Responder playbooks.

  • Get to Know the Playbook Editor

    Learn about the components you use to create and edit playbooks.

Incident Responder

Incident Responder automates your repetitive and manual tasks, like looking up the reputation of an IP address. Respond quickly and efficiently to incidents using actions and playbooks.

Exabeam Incident Responder is a security orchestration, automation, and response (SOAR) solution that features playbooks and a visual editor. With Incident Responder, your SOC works more productively, makes fewer mistakes, and quickly resolves security incidents.

If you're an overburdened analyst, integrated services and automated workflows help you avoid repetitive tasks and constant switching between security tools.

If you're a SOC manager, Incident Responder helps you deal with a shortage of talent. You create and maintain playbooks using a simple drag-and-drop editor, no coding experience required. You can even use playbook templates to teach junior analysts your organization's best practices for common scenarios, like phishing and malware.

Incident Responder requires a separate license. To learn more, contact your technical account manager or watch product videos on the Exabeam Community.

Network Prerequisites for Deploying Incident Responder

Before you deploy Incident Responder, open ports and whitelist URLs.

Open Ports

Note

For IMAP and POP3, only open the ports that match the email server protocol you use.

  From                          To                     Port              Protocol
  ----                          --                     ----              --------
  User Network                  Case Manager Node      22/TCP            SSH
  Log Sources                   Case Manager Node      9875/TCP and UDP  Syslog
  Incident Responder Appliance  Internal Email Server  143/TCP           IMAP
  Incident Responder Appliance  Internal Email Server  993/TCP           IMAPS
  Incident Responder Appliance  Internal Email Server  25/TCP            SMTP
  Incident Responder Appliance  Internal Email Server  587/TCP           SMTPS
  Incident Responder Appliance  Internal Email Server  110/TCP           POP3
  Incident Responder Appliance  Internal Email Server  995/TCP           Secure POP3
  Incident Responder Appliance  External Internet      43/TCP            WHOIS (HTTP)

Whitelist URLs

You must whitelist URLs to use some services and actions.

  Service               URL                                                                       Actions
  -------               ---                                                                       -------
  MaxMind               maxmind.com, geoip.maxmind.com                                            Geolocate IP
  VirusTotal            virustotal.com                                                            Get URL Reputation, Get IP Reputation
  IP-API                ip-api.com                                                                Geolocate IP
  Google Safe Browsing  googleapis.com, safebrowsing.googleapis.com                               Get URL Reputation, Get IP Reputation
  Microsoft Trace       reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace  Microsoft Outlook Message Track

Incident Responder Services

Integrate Incident Responder with a service to run actions and playbooks.

A service is a third-party product or vendor you integrate with Incident Responder to run actions and playbooks. This service is usually one your organization already uses, like Cisco Threatgrid or Palo Alto Networks Wildfire. Instead of leaving Incident Responder to use these services, integrate them so you can access them all in one location.

You configure each service differently. Once you configure a service, you can edit or disable it.

If you don't want to purchase additional services from third parties, you can use Exabeam's in-house service, Exabeam Actions. It is free to use and available out of the box. You can also upload a custom service. This custom service can be one you developed from scratch or one that customizes an out-of-the-box third-party service.

If you use a third-party service we don't yet support, contact your Sales Representative to request it.

Exabeam Actions Service

Get started using basic actions with the Exabeam Actions service.

Exabeam Actions is an in-house service that is free to use and available out of the box. With the Exabeam Actions service, you can start using actions or playbooks, like turnkey playbooks, without purchasing additional services from third parties.

The service supports basic actions, including:

  • Detonate File in Sandbox

  • Detonate URL in Sandbox

  • Get Domain Reputation

  • Get URL Reputation

  • Get Email Reputation

  • Get IP Reputation

  • Get File Reputation

To assess the reputation of an entity, Exabeam Actions searches across various sources, like threat feeds and IP reputation lists, for evidence that the entity may be risky. Then, it compares the evidence against a set of conditions. Depending on which conditions the evidence matches, Exabeam Actions assigns the entity a severity level between 0 and 99. If the entity has a severity level of 50 or above, Exabeam Actions considers the entity to have a malicious reputation.

Incident Responder Actions

Call a third-party service and gather data points manually or automatically using actions.

An action is an API call to a service that gathers specific data points about an indicator of compromise (IOC) in an incident; for example, it can find the reputation of an IP address artifact. Each action is a Python script that you can edit or write yourself. You run actions manually, or automatically using a playbook. Incident Responder includes out-of-the-box actions, and you can integrate it with a service to run others.

Playbooks

Automate your tasks, immediately neutralize attacks, and mitigate damages with Incident Responder playbooks.

A playbook is a standard, repeatable sequence of actions that responds to specific incident types, like phishing or malware, based on your best practices. It automates your workflow and completes complex, manual, and repetitive tasks so you quickly identify and address incidents.

You design a logic flow that triggers the playbook under certain conditions. Then, the playbook automatically runs the relevant responses. You can make a workflow semi-automated so it runs at the push of a button, or fully automated so it runs without any human intervention.

You manage a playbook and track its history in an incident's workbench.

You can create your own playbook from scratch, create a playbook from a pre-designed template, or run a fully configured turnkey playbook.

Playbook Terminology

Define all the terms you encounter when dealing with playbooks.

Action

A scripted task that calls a third-party API service and gathers data, executed manually or automatically using playbooks; for example, retrieve the reputation information for a given URL or search emails by sender.

You use action nodes in playbooks. An action node has an inbound port on the left and an outbound port on the right.

An example playbook with a start node linked to a New Action node, linked to a decision node; the New Action node is highlighted with a red rectangle.

Decision

A node that represents a boolean (if/else) decision. It has one inbound port on the left, an if/true port on the right, and else/false ports on the top and bottom.

An example playbook with a start node linked to a New Action node, linked to a decision node; the decision node is highlighted with a red rectangle.

Input

Data passed from one node to another; data from a Case Manager incident, entity, or artifact.

Node

The fundamental building blocks of playbooks. Each one represents an action, decision, start, or end.

An example playbook with a start node that connects to a New Action node, which connects to a decision node; these and the end node are highlighted with red rectangles.

Operator

Compares two operands and returns a logical (true/false) value. Operands may be numerical, string, logical, or object values. Strings are compared using standard lexicographical ordering by Unicode code point, so the comparison is case-sensitive.

Port

Each node has at least one inbound port and one outbound port that connects it to another node (except the start node and end node). An inbound port receives data from another node, and an outbound port sends data to one.

An example playbook with a start node linked to a New Action node, linked to a decision node; the New Action node's inbound and outbound ports are highlighted with red circles.

Service

A third-party product or vendor you integrate with Incident Responder to run actions and playbooks; for example, Cisco Threatgrid or Palo Alto Networks Wildfire. You can interact with multiple instances of a service from within Incident Responder. Information about a service, like how to connect to it and which actions are defined, is stored on the Incident Responder server.
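To make the terminology above concrete, here is an added illustration (not Exabeam's code, and not how the Incident Responder engine is implemented) that models nodes linked through named ports, an action whose output becomes the next node's input, and a decision node whose operator compares values with lexicographical, Unicode-ordered string comparison; the decision applies the Exabeam Actions severity rule from the Exabeam Actions Service section (malicious at 50 or above). The operator set, the IP addresses, the node names and the fake_ip_reputation stand-in are constructed assumptions.

```python
import operator
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Optional
# Operators a decision node may use (assumed set). String operands compare
# lexicographically by Unicode code point, so "Zebra" < "apple" is True.
OPERATORS: Dict[str, Callable[[Any, Any], bool]] = {
    "==": operator.eq, "!=": operator.ne, "<": operator.lt,
    "<=": operator.le, ">": operator.gt, ">=": operator.ge,
}

@dataclass
class Node:
    """Start, action, decision or end node; ports map outbound port -> next node."""
    kind: str
    name: str
    run: Optional[Callable[[dict], dict]] = None  # action body (hypothetical)
    test: Optional[tuple] = None                  # (field, operator, value)
    ports: Dict[str, str] = field(default_factory=dict)

def evaluate(test: tuple, data: dict) -> bool:
    fld, op, value = test                         # decision on one input field
    return OPERATORS[op](data[fld], value)

def run_playbook(nodes: Dict[str, Node], data: dict) -> List[str]:
    """Walk from the start node to the end node; return the nodes visited."""
    visited, current = [], "start"
    while True:
        node = nodes[current]
        visited.append(node.name)
        if node.kind == "end":
            return visited
        if node.kind == "decision":
            current = node.ports["true" if evaluate(node.test, data) else "false"]
        else:                                     # start or action: one outbound port
            if node.run:                          # action output is the next node's input
                data.update(node.run(data))
            current = node.ports["next"]

# Constructed stand-in for "Get IP Reputation": severity 0-99, malicious at >= 50.
def fake_ip_reputation(data: dict) -> dict:
    return {"severity": 73 if data["ip"] == "203.0.113.5" else 12}

DEMO_PLAYBOOK = {
    "start": Node("start", "Start", ports={"next": "rep"}),
    "rep": Node("action", "Get IP Reputation", run=fake_ip_reputation, ports={"next": "dec"}),
    "dec": Node("decision", "Severity >= 50?", test=("severity", ">=", 50),
                ports={"true": "notify", "false": "end"}),
    "notify": Node("action", "Notify analyst", run=lambda d: {"notified": True}, ports={"next": "end"}),
    "end": Node("end", "End"),
}
```

The case-sensitivity of string operators matters when a decision compares sender addresses or hostnames: normalize case in the preceding action or the branch may not fire as intended.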

Playbook Triggers

Automatically run playbooks using triggers.

A playbook runs automatically if you configure it to run under a certain circumstance and that circumstance occurs. This circumstance is called a trigger. There are six circumstances that trigger a playbook:

  • Incident Created – When a playbook triggers and creates an incident.

  • Status Changed – When someone changes an incident's status.

  • Priority Changed – When someone changes an incident's priority.

  • Queue Changed – When someone is assigned to another queue.

  • Assignee Changed – When someone changes who's assigned to an incident.

  • Incident Type Changed – When an incident's type changes, manually or automatically.

If you already created an incident manually and the details match the conditions of a playbook trigger, the playbook won't trigger automatically.

Get to Know the Playbook Editor

Learn about the components you use to create and edit playbooks.

In the playbook editor, you create and edit playbooks.

This is a new playbook created using the phishing template. Let's explore this playbook:

The phishing playbook template highlighted with red rectangles and labeled with numbers.

1 Control how you view the interface. Zoom in, out, or reset the view to the default.

2 Save your playbook and return to the PLAYBOOKS page. You can save your playbook even if it's incomplete, but if it contains any errors, it will not run.

3 A playbook is made of nodes. You connect each node to one or more other nodes. Each node has two or more ports, inbound and outbound. To view a node's ports, hover over the node.

Every playbook has a start node and an end node that define its logical boundaries, where the playbook starts and ends. You cannot change these two nodes. The start node has one outbound port; the end node has one inbound port.

To build the logic of your playbook, add nodes, and configure action, decision, and filter nodes.

If a node is outlined in red, it needs your attention. When you create a playbook using a template, all the nodes are initially outlined in red. You must click on the node and change how it's configured, or the playbook will not run.