While Gurucul predicts, detects, and performs threat hunting use cases with its machine learning and data science techniques, the platform also exposes its data to Cortex XSOAR. Gurucul assigns a risk score for every user and entity for which anomalies are triggered. The risk scores along with anomaly metadata such as threat indicators, behavior baselines, event details etc. are passed to Cortex XSOAR to trigger appropriate remediation actions per their response playbooks. Gurucul supports API based integration with Cortex XSOAR that allows the system to perform an on-demand retrieval of Gurucul’s data and create incidents.
Gurucul uses a risk-based approach to help analysts prioritize the incidents whose investigation will have the most impact. This has enabled customers to achieve a 99.5% efficiency rate for true positive and impactful incidents and improve the variety and quality of the investigations. Analysts can gather more data from out-of-the-box Gurucul commands to complete and close investigations in Cortex XSOAR. Analysts can also configure complex playbooks and workflows in Cortex XSOAR to be triggered automatically, without analyst involvement, to reduce response times.
The Gurucul Cortex XSOAR integration workflow is as follows:
- High-risk users and entities identified in the Gurucul platform are passed to Cortex XSOAR. The data sent includes user/entity attributes, risk score, accounts, context, anomalies triggered, etc.
- An incident is created for each high-risk user and entity within Gurucul case management.
- The incidents and corresponding data are passed to Cortex XSOAR.
- The appropriate workflow configured in Cortex XSOAR is triggered for remediation action, either automatically or via an admin.
- Incidents created in Cortex XSOAR will have mandatory attributes/fields populated.
- All calls and actions are recorded in the War Room for audit purposes.