Adding URL Playbook Files #197

Open
wants to merge 1 commit into base: 6.3

Conversation

Yusuf-Amr

URL Playbook

Overview

This submission adds a new playbook for URL analysis and incident response, automating the process of investigating potentially malicious URLs.

Changes Made

  • Added the following files:
    • URL Playbook.png
    • URL Playbook.json
    • URL Playbook.py

Playbook Workflow

The playbook operates through the following steps:

  1. Initial URL Checks:
    • Query VirusTotal
    • Query MetaDefender Sandbox
    • Query Joe Sandbox
    • Query Falcon Sandbox
  2. If URL is Malicious:
    • Check if the URL is allowed on the proxy:
      • If Allowed:
        • Block URL on Proxy
        • Create Incident Ticket
        • Notify SOC via Email
        • Perform a Splunk query to list affected users
        • LDAP Machine Resolution
        • Notify Incident Response Team
        • Scan Machines
        • Acquire Downloads, Browser History, etc.
        • Wait for Manual Interaction (Isolation Decision)
          • If isolation is needed, quarantine devices.
      • If Blocked:
        • Check Referer URL
        • Analyze for Suspicious Activity (User Agent, Traffic, Content-Type, URI Scheme, Category, etc.)
          • If suspicious, notify SOC and repeat the incident response steps.
          • If all checks are clean, end the process.
  3. If URL is Clean:
    • Repeat the checks for the Referer URL and assess for suspicious activity.

Tools and Technologies Considered

  • VirusTotal
  • MetaDefender Sandbox
  • Joe Sandbox
  • Falcon Sandbox
  • Splunk
  • LDAP
  • Zscaler Proxy
  • Microsoft Defender for Endpoint (EDR)
  • JIRA for ticket management
  • SMTP for sending emails
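The decision logic of the workflow described in this PR, written out as an added, self-contained example (this is not the submitted `URL Playbook.py`, and it does not call any of the listed tools). Sandbox verdicts, the proxy disposition and the proxy log are supplied as in-memory data so it runs offline; the verdict vocabulary, the "one malicious engine escalates, half suspicious is suspicious" threshold, the user-agent / content-type / category marker lists, the constructed `SAMPLE_LOG` entries and every function name are assumptions made for illustration. It refines the page's two-way malicious/clean split by adding a suspicious consensus level that takes the referer-analysis branch, and it refuses to auto-close when no engine returned a usable verdict.

```python
"""Playbook decision logic as an illustrative example: aggregate sandbox verdicts,
branch on the proxy disposition, and apply the referer/traffic heuristics.
Tool calls (VirusTotal, Zscaler, Splunk, LDAP, MDE, JIRA, SMTP) are replaced by
in-memory data; names, thresholds and marker lists are assumptions."""
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumed verdict vocabulary; real engines expose their own scores.
MALICIOUS, SUSPICIOUS, CLEAN, ERROR = "malicious", "suspicious", "clean", "error"


@dataclass(frozen=True)
class ProxyLogEntry:  # one proxy access-log line (constructed shape, not Zscaler's)
    user: str
    host: str
    url: str
    referer: str
    user_agent: str
    content_type: str
    category: str
    action: str  # "allowed" or "blocked" by the proxy policy at the time


def aggregate_verdict(results):
    """Combine per-engine verdicts. One malicious hit escalates; engines that
    errored are ignored rather than counted as clean."""
    usable = [v for v in results.values() if v != ERROR]
    if not usable:
        return ERROR  # nothing scanned; silence is not a clean verdict
    if MALICIOUS in usable:
        return MALICIOUS
    if usable.count(SUSPICIOUS) * 2 >= len(usable):
        return SUSPICIOUS
    return CLEAN


# Assumed indicator lists for the "Analyze for Suspicious Activity" step.
SCRIPTED_UA = ("python-requests", "curl/", "wget/", "powershell")
EXEC_CONTENT = ("application/x-msdownload", "application/octet-stream",
                "application/x-ms-shortcut", "application/hta")
RISKY_CATEGORIES = ("newly registered domains", "uncategorized", "malicious sites")


def referer_findings(entry):
    """Referer / user-agent / content-type / category checks, returned as reasons."""
    reasons = []
    scheme = urlparse(entry.referer).scheme.lower()
    if entry.referer and scheme not in ("http", "https"):
        reasons.append(f"unusual referer scheme: {scheme}")
    ua = entry.user_agent.lower()
    if not ua or any(marker in ua for marker in SCRIPTED_UA):
        reasons.append(f"scripted or empty user agent: {entry.user_agent!r}")
    if entry.content_type.lower().split(";")[0].strip() in EXEC_CONTENT:
        reasons.append(f"executable content-type: {entry.content_type}")
    if entry.category.lower() in RISKY_CATEGORIES:
        reasons.append(f"risky proxy category: {entry.category}")
    return reasons


# The response steps from the "If Allowed" branch, reused by the referer branch.
IR_STEPS = ["notify_soc", "splunk_affected_users", "ldap_resolve_hosts",
            "notify_ir_team", "scan_machines", "acquire_artifacts",
            "await_isolation_decision"]


def run_playbook(url, scan_results, proxy_log, proxy_blocklist):
    """Return the ordered actions the playbook would take, plus supporting data."""
    hits = [e for e in proxy_log if e.url == url]
    affected = sorted({(e.user, e.host) for e in hits})  # Splunk + LDAP stand-in
    verdict = aggregate_verdict(scan_results)
    plan = {"url": url, "verdict": verdict, "actions": [], "affected": [], "reasons": []}
    if verdict == ERROR:
        plan["actions"].append("manual_review")  # never end the process on no data
        return plan
    if verdict == MALICIOUS and url not in proxy_blocklist:  # "If Allowed" branch
        plan["actions"] += ["block_on_proxy", "create_ticket"] + IR_STEPS
        plan["affected"] = affected
        return plan
    # Already blocked, suspicious, or clean: the referer evidence decides.
    if verdict == SUSPICIOUS:
        plan["reasons"].append("sandbox consensus: suspicious")
    for entry in hits:
        plan["reasons"] += referer_findings(entry)
    if plan["reasons"]:
        plan["actions"] += IR_STEPS
        plan["affected"] = affected
    else:
        plan["actions"].append("end")
    return plan


# Constructed sample proxy log (not real traffic).
SAMPLE_LOG = [
    ProxyLogEntry("alice", "WS-0142", "http://dl.example.test/update.exe",
                  "http://news.example.test/", "Mozilla/5.0 (Windows NT 10.0)",
                  "application/x-msdownload", "Newly Registered Domains", "allowed"),
    ProxyLogEntry("bob", "WS-0377", "http://dl.example.test/update.exe",
                  "", "python-requests/2.31", "application/octet-stream",
                  "Uncategorized", "allowed"),
    ProxyLogEntry("carol", "WS-0501", "https://cdn.example.test/lib.js",
                  "https://intranet.example.test/", "Mozilla/5.0 (Windows NT 10.0)",
                  "application/javascript", "Business", "allowed"),
]

if __name__ == "__main__":
    verdicts = {"virustotal": MALICIOUS, "metadefender": ERROR,
                "joesandbox": CLEAN, "falcon": SUSPICIOUS}
    print(run_playbook("http://dl.example.test/update.exe", verdicts, SAMPLE_LOG, set()))
```

Two points worth carrying into the real implementation: an engine timeout must not be scored as a clean result (otherwise a sandbox outage silently downgrades every URL), and the referer heuristics should run over every log line that touched the URL, not just the first, since a scripted client and an interactive browser hitting the same download tell different stories.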
