BlackBerry Optics

The ThreatConnect integration with BlackBerry Optics enables automated investigation and response actions to be taken in real time. With the Playbook app, you’re provided a powerful set of actions that can be leveraged within a larger security workflow orchestration or even a simple automation. Immediate actions can be taken to investigate, stop, and remediate potential threats at the endpoint based on external threat intelligence. The following actions are available within the Playbook app:

• Get Detections
• Update Detections
• Get Recent Device
• Get Recent Detections
• Get Detections CSV
• Lockdown Device
• Request File Retrieval Status from Device
• Check File Retrieval Status from Device
• Get Retrieved File Result

With the Service app, you can interact with BlackBerry Optics in a similar fashion to the Get Detection action in the respective playbook except on a polling schedule. Service app inputs are:

• Poll Interval – The frequency in minutes to check for detections.
• Max Historical Poll Start – Upon activation, the first poll will be conducted after the completion of the first Poll Interval period. On future runs, if the time of last run is greater than the poll interval the app will only retrieve data as far back as the input value for this field.
• Severity – The severity value to use for the search.
• Device – The device name associated with the detection record.
• Detection Type Filter – This filters on the Detection Description field
• Service Endpoint – The endpoint for the set of BlackBerry servers to which your Organization belongs.
• Tenant ID – The BlackBerry Optics tenant ID. This information is found on the Optics Integrations page.
• Application ID – The BlackBerry Optics application ID.
• Application Secret Key – The BlackBerry Optics application secret key.

This listing can be found in the ThreatConnect App Catalog under the name: BlackBerry Optics (Playbook), BlackBerry Optics Service (Custom Trigger)