Onboard Incidents from Microsoft Azure Sentinel
Category: Analytics and SIEM, Data Enrichment and Threat Intelligence
Cyware Products Used:
Cyware Fusion and Threat Response (CFTR)
Orchestrate (CO)
Third-Party Integrations:
Microsoft Azure Sentinel: To retrieve newly triggered incidents and their entity details.
VirusTotal: Enrichment of the IOCs observed from Microsoft Azure Sentinel incidents.
Problem Statement
Security Information and Event Management (SIEM) systems help security teams collect, analyze, and store security incidents and events. SIEM solutions receive a large number of alerts every day, and each alert must be processed before it can be investigated. This also requires a large degree of expert human oversight to determine whether a security event is a false positive or an actual incident that requires investigation.
Solution
An ideal combination of SIEM and Security Orchestration, Automation, and Response (SOAR) platforms helps manage incident response much faster by removing the arduous manual incident prioritization and response process.
The Microsoft Azure Sentinel SIEM solution monitors and detects security incidents based on advanced analytics rules. The solution retrieves alerts created for suspicious activities that require the attention of a security analyst. These incidents are then onboarded to the Cyware Fusion and Threat Response Platform (CFTR) by means of Orchestrate (CO) playbooks, allowing security analysts to conduct comprehensive investigations.
How do we solve this problem?
Retrieve the list of Incidents: The Azure Sentinel Incident Onboarding playbook retrieves all the latest incident alerts triggered in the Azure Sentinel application in the past 24 hours.
Retrieve Additional Entity Information: The playbook retrieves the entities related to the incident, such as Host, Account, IP, URL, and email address. This information is collated with the incident details.
Create CFTR Incident: Create an incident on CFTR using the incident details and entities retrieved from the Microsoft Azure Sentinel application. The playbook also performs the following activities.
Assigns a business unit to the incident based on the client impacted.
Assigns an appropriate user group and user to investigate the incident.
Creates notes for every entity retrieved from the Microsoft Azure Sentinel application.
Update Azure Sentinel Status: To allow analysts to keep track of the incident, the playbook updates the status of the incident on the Microsoft Azure Sentinel application from New to Active.
Enrichment: The playbook enriches the indicators such as IP, URL, email, domain, and hash values using the VirusTotal application. After enrichment, the enrichment score, TLP value, IOC status, and severity rating are updated on the CFTR incident.
Connect the Dots: The playbook connects the dots to uncover correlations between isolated threats and incidents. Additionally, the playbook performs the following activities.
Searches for the affected host in CFTR and connects it to the incident. If no host is found, it creates a new host.
Searches for the affected user in CFTR and connects it to the incident. If no user is found, it creates a new user.
Ready for Investigation: The incident is available on CFTR to be taken over by Analysts for manual investigations.
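The onboarding flow above, modelled offline as an added example (not Cyware's or Microsoft's code): the incident and entity JSON shapes follow the Microsoft Sentinel REST API as assumed here, while the CFTR record layout and the demo_enrich stand-in for the VirusTotal lookup are constructed for the example.

```python
from datetime import datetime, timedelta

# Entity kind -> (indicator type, property carrying its value); Sentinel REST shapes are assumed.
ENTITY_VALUE = {"Ip": ("ip", "address"), "Url": ("url", "url"), "FileHash": ("hash", "hashValue"),
                "Host": ("host", "hostName"), "Account": ("account", "accountName"),
                "Mailbox": ("email", "mailboxPrimaryAddress"), "DnsResolution": ("domain", "domainName")}
VT_TYPES = {"ip", "url", "email", "domain", "hash"}  # indicator types the playbook sends to VirusTotal

def parse_utc(ts):
    """Parse a Sentinel-style UTC timestamp such as 2024-01-02T03:00:00Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def recent_new_incidents(incidents, now, hours=24):
    """Step 1: incidents still in status 'New' that were created within the last `hours`."""
    cutoff = now - timedelta(hours=hours)
    return [inc for inc in incidents
            if inc["properties"]["status"] == "New"
            and parse_utc(inc["properties"]["createdTimeUtc"]) >= cutoff]

def extract_entities(entities):
    """Step 2: flatten Sentinel entity objects into (type, value) pairs; unknown kinds are skipped."""
    return [(ENTITY_VALUE[e["kind"]][0], e["properties"][ENTITY_VALUE[e["kind"]][1]])
            for e in entities if e["kind"] in ENTITY_VALUE]

def demo_enrich(typ, value):
    """Constructed stand-in for VirusTotal: returns the four fields the playbook writes back."""
    bad = value in {"203.0.113.7", "http://bad.example/x"}  # constructed sample verdicts
    return {"score": 90 if bad else 0, "tlp": "AMBER" if bad else "GREEN",
            "status": "malicious" if bad else "clean", "severity": "High" if bad else "Low"}

def onboard(incident, entities, enrich, known_hosts, known_users):
    """Steps 3-6: build the CFTR-style record with one note per entity, enrich the IOCs,
    connect hosts/users (creating them when missing), then flip Sentinel status New -> Active."""
    p = incident["properties"]
    rec = {"title": p["title"], "severity": p["severity"],
           "notes": [], "iocs": [], "hosts": [], "users": []}
    for typ, value in extract_entities(entities):
        rec["notes"].append(f"{typ}: {value}")
        if typ in VT_TYPES:
            rec["iocs"].append({"type": typ, "value": value, **enrich(typ, value)})
        elif typ == "host":
            known_hosts.add(value)  # no-op if the host already exists, i.e. "create if not found"
            rec["hosts"].append(value)
        elif typ == "account":
            known_users.add(value)
            rec["users"].append(value)
    p["status"] = "Active"  # step 4: analysts can now track the incident in Sentinel
    return rec
```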
Benefits
Respond Quickly and Accurately
The solution automatically collates all the relevant information in one place for easier and faster access and helps users prioritize incidents, thereby assisting security teams in assessing and responding faster to similar incidents.
Streamline Incident Onboarding Process
Security teams can automatically gather data from the SIEM, perform enrichment, and generate incidents for investigation. This streamlines the process by removing the need for a human to notice the relevant security data, identify it as a security incident, and manually set up an incident in the system.
Respond faster and more efficiently
By automating manual tasks, security teams can allow their analysts to focus on high-value investigations.