Document toolboxDocument toolbox

How to Update ThreatLink via the UseCase Library

Owned by Alvaro de la Serna Martinez
Dec 16, 2024
2 min read

  • Download the following files for use with this installation:

    • Case Settings:

 

Upgrading ThreatLink: A Step-by-Step Guide

Follow these simple steps to upgrade your ThreatLink environment:

  1. Install the Latest Version:

  • Head over to the SOAR use case library.

  • Locate the newest ThreatLink version and install it.

  • During the installation, make sure to configure the necessary connections.

  1. Import Case Settings:

  • Go to "Settings."

  • Select "Case Settings."

  • Choose "General."

  • Click "Import" and import the provided Case Setting JSON file from the top of this page.

  1. Update the Case Template:

  • Open the Case Template.

  • Add two new tabs: "Alert Queries" and "System Fields."

  • Populate these tabs with the associated fields (refer to the screenshot provided).

    Case Template Screenshot.png

  1. (MSSP Instances Only) Set Up Child Domain Integrations:

  • If you're upgrading an MSSP instance with alerting in child domains, you'll need to set up new Devo integration connections.

  • Use the alert API for each child domain.

  • Make a note of the connection names for each child domain.

  1. (MSSP Instances Only) Configure Domain Connection List:

  • Open the "Domain Connection Custom List."

  • Map each child domain to its corresponding connection name.

  1. Activate the New Version:

  • Pause the old ThreatLink streams.

  • Start the new playbook streams.

That's it! You've successfully upgraded your ThreatLink environment.

Important Notes:

  • Make sure you have the necessary permissions to perform these actions.

  • If you encounter any issues during the upgrade process, refer to the ThreatLink documentation or contact support for assistance.

  • Always back up your existing configuration before performing an upgrade.

  • After the upgrade, test your ThreatLink playbooks thoroughly to ensure they function correctly.

How to upgrade an existing environment:

  1. Install the newest version from the SOAR use case library

  2. During the import process, configure the connections.

  3. Import the Case Setting JSON.   (Settings/case settings /general /import)

  4. Update the case template; see the screenshot above.

    1. Add a new tab called Alert Queries and the associated field.

    2. Add a new tab called System Fileds and associated fields.

  5. If upgrading an MSSP instance where alerting is configured in child domains:

    1. Set up new Devo integration connections using the alert API for each child domain and note the connections' names.

    2. Configure the Domain Connection Custom List, mapping the domain to the connection names.

  6. Pause the old streams.

  7. Start the new playbook streams.