Bolster Playbooks connects with new API connector


The Summer Olympics are getting our attention so much that some recent news may have been buried. We understood. This is why we wanted to highlight a recent feature.

Bolster introduced a new Playbook API connector to help streamline the incredibly important work required to analyze suspicious and fraudulent sites.

This new connector is an extension of our existing Playbook feature that was released to the platform earlier in the year. Many teams, especially within the DevSecOps space, have become accustomed to being able to post information about malicious events directly to Slack or other REST API endpoints. We recognize that there are many alerting, ticketing, collaboration, and ETL-like use cases that can be supported if we could get our platform to “talk” to these disparate services.

After some initial feedback, our engineers quickly got to work addressing Bolster’s growing need to interface with other services. We now have a fairly easy way for our admins to create a custom webhook to other platforms using our Playbook API connector, which is in addition to our existing Email and Slack options.

Using Bolster’s playbook templates, customers can choose to send the following data without much additional configuration:
• Sites where logos have been detected
• Phishing sites found
• Long-lived phishing sites
• Deleted sites
• Sites that have reappeared

Real world examples

Since this connector was released into production over a month ago, we have now had the opportunity to check with our customers to see how they are using the feature. Below are some of the great examples and use cases we were able to collect.

Zoom on the cat

Zoom offers an inbound webhook application on its marketplace that works well with our new connectors and Zoom Chat. We have a client who collects results from recent phishing sites that have been deleted and then posts those results in a Zoom chat to keep the entire security team informed. The team preferred this method to email, as much of the information sharing they already do happens through this channel. Although the same data is available in the Bolster user interface, sending results to Zoom Chat on a regular basis allowed the team to collaborate and have discussions quickly.

Bolster Playbooks connects with new API connector
Figure 1 – Example of Zoom chat configuration

Sumo Logic

In our internal testing of these custom webhooks, we integrated Sumo Logic, a comprehensive, cloud-native, observability and security product. The idea to send suspicious sites to Sumo Logic was to use their Threat Intelligence database to further analyze the data on those sites and to check if domains or URLs would also be considered Indicators of Compromise (IOC). . In this case, the data was provided as a comma delimited CSV file.

Bolster Playbooks connects with new API connector
Figure 2 – Sumo Logic configuration example

Splunk

Splunk is another observability tool that many large organizations use as an on-premises SIEM solution. One idea a client had was to send the details of any site that reappears to Splunk, where they could then further analyze the results and create the necessary alerts for their SOC. Re-emerging sites can be considered a bit more serious, as a bad actor decided to switch from one web host to another with the same phishing or scam content. In this case, the client decided to output the results in JSON.

Bolster Playbooks connects with new API connector
Figure 3 – Splunk Configuration Example

Teeth

Tines is a platform used to reduce the time spent investigating and resolving security incidents through the automation of workflows. In short, it is used as a security orchestration response and automation (SOAR) tool in many cases due to the ease with which it can integrate with other services. For brands that have a lower volume of phishing and scam sites, we think it’s okay to alert all new sites on a daily basis; therefore, a Bolster playbook may send a list of malicious sites to Tines each day, which will then trigger specific actions to be performed automatically.

Bolster Playbooks connects with new API connector
Figure 4 – Example of tooth configuration

Plug it in

There are usually existing workflows and processes that many SOC, DevOps, Legal, Brand Protection, and IP teams already have in place. In order to reduce the change management involved in introducing a new tool like Bolster into the mix, we are simply allowing our users to log into their existing services, allowing them to function as they did in the past, with the additional benefit of easily obtaining information on fraudulent sites detected, monitored and deleted by our platform.

Our new API connector is a great way to add value to Bolster Playbooks and we hope you find time to explore it. If you have your own examples and use cases to share, feel free to do so in the comments below.

*** This is a Syndicated Security Bloggers Network blog from Bolster Blog written by Latimer Luis. Read the original post at: https://bolster.ai/blog/bolster-playbooks-get-the-hookup-with-new-api-connector/


Comments are closed.