
Onboard Incidents from Microsoft Cloud Access Security Broker (CASB)

Abstract

Category: Data Enrichment and Threat Intelligence, Network Security

Cyware Products Used:

  • Cyware Fusion and Threat Response (CFTR)

  • Orchestrate (CO)

Third-Party Integrations Used:

  • Microsoft CASB: To retrieve open alerts

  • VirusTotal: Enrichment of the IPs observed from Microsoft CASB alerts

Problem Statement

Cloud Access Security Broker (CASB) offers a range of security benefits that allow enterprises to ensure cloud app security across authorized and unauthorized applications and managed and unmanaged devices. CASBs can combine multiple different security policies, from authentication and credential mapping to encryption, malware detection, and more.

CASB solutions generate alerts every day, and that data must be analyzed and processed before further investigation. Determining whether a security event is a false positive or an actual incident that warrants investigation also requires a significant degree of expert human oversight.

Solution

Combining a CASB solution with a Security Orchestration, Automation, and Response (SOAR) platform makes incident response much faster by removing the arduous manual incident prioritization and response process.

The Microsoft CASB solution is a security policy enforcement point positioned between enterprise users and cloud service providers. It raises alerts for suspicious activities that require the attention of a security analyst. These alerts are then onboarded to the Cyware Fusion and Threat Response Platform (CFTR) by leveraging Orchestrate (CO) playbooks, allowing security analysts to conduct comprehensive investigations.

[Figure: Onboard Incidents from Microsoft Cloud Access Security Broker (CASB) workflow diagram]

How do we solve this problem?

  1. Retrieve Open Alerts: The Onboard Alerts from Microsoft CASB playbook retrieves all the new alerts triggered in the Microsoft CASB application. If no new alerts are found, the playbook stops.

  2. Create CFTR incident: Create an incident on CFTR using the alert details retrieved from the Microsoft CASB application. The playbook also performs the following activities:

    1. Formats the data from Microsoft CASB to identify important information and maps it to the relevant fields of the CFTR incident.

    2. Adds source details for the incident using the information received from the Microsoft CASB alert.

    3. Assigns a business unit and location to the incident based on the client impacted.

    4. Assigns an appropriate user group and user to investigate the incident.

  3. Enrichment: The playbook enriches the indicators such as IP, URL, email, domain, and hash values using the VirusTotal application. After enrichment, the enrichment score, TLP value, IOC status, and severity rating are updated to the CFTR incident.

  4. Filter False Positives: The playbook filters false positive alerts using the enrichment details provided by VirusTotal. False positive incidents are marked as False Positive on CASB and closed. Additionally, the CFTR incident is also updated and closed.

  5. Ready for Investigation: The incidents identified as true positives are available on CFTR to be taken over by analysts for manual investigations.

  6. Response and Remediation: Creates an action in CFTR to block the malicious indicators on the CrowdStrike Endpoint Detection and Response tool. You can use any endpoint detection and response tool of your choice to initiate the response action.
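The six steps above, as one added runnable illustration of the playbook's decision logic (this is example code written for this page, not Cyware's, Microsoft's or VirusTotal's code). Everything in it is constructed: the CASB alert records, the VirusTotal verdict table, the routing and assignment tables, and the scoring rules (enrichment score = highest VirusTotal detection ratio among the incident's indicators; an incident is a false positive when no indicator has any malicious detections; user group and assignee are chosen by the CASB severity). The real Microsoft CASB and VirusTotal API schemas differ and would be fetched over the network by the CO integrations.

```python
"""Offline simulation of the CASB -> CFTR onboarding playbook (added example, constructed data)."""
import re
from dataclasses import dataclass, field

# Constructed sample input standing in for the "open alerts" a CASB poll returns (step 1).
CASB_ALERTS = [
    {"id": "alert-001", "title": "Impossible travel", "client": "acme-eu", "severity": "medium",
     "description": "Logins from 203.0.113.7 and 198.51.100.23 within 10 minutes"},
    {"id": "alert-002", "title": "Suspicious download", "client": "acme-us", "severity": "high",
     "description": "User fetched http://malicious.example/payload.bin, sha256 "
                    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    {"id": "alert-003", "title": "Mass delete", "client": "acme-eu", "severity": "low",
     "description": "500 files deleted by user@acme.example"},
]

# Constructed stand-in for VirusTotal responses: indicator -> (malicious engines, total engines).
VT_VERDICTS = {
    "203.0.113.7": (0, 90), "198.51.100.23": (0, 90),
    "malicious.example": (37, 90), "http://malicious.example/payload.bin": (41, 90),
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855": (0, 70),
    "user@acme.example": (0, 10),
}

# Constructed routing tables for steps 2c and 2d (assumed: assignment keyed on CASB severity).
CLIENT_ROUTING = {"acme-eu": ("EU Operations", "Dublin"), "acme-us": ("US Operations", "Austin")}
ASSIGNMENT = {"high": ("Tier-2 SOC", "analyst.senior"),
              "medium": ("Tier-1 SOC", "analyst.oncall"),
              "low": ("Tier-1 SOC", "analyst.oncall")}

IOC_PATTERNS = {  # matched in this order; each match is blanked out so it is not re-matched
    "url": r"https?://[^\s,]+",
    "email": r"[\w.+-]+@[\w-]+\.[\w.]+",
    "sha256": r"\b[a-f0-9]{64}\b",
    "ipv4": r"\b(?:\d{1,3}\.){3}\d{1,3}\b",
}


@dataclass
class Incident:
    """The subset of CFTR incident fields the playbook populates."""
    alert_id: str
    title: str
    business_unit: str
    location: str
    user_group: str
    assignee: str
    source: dict
    indicators: dict = field(default_factory=dict)  # indicator -> enrichment details
    enrichment_score: int = 0
    tlp: str = "GREEN"
    ioc_status: str = "benign"
    severity: str = "low"
    status: str = "open"
    casb_resolution: str = ""                        # what is written back to the CASB alert
    actions: list = field(default_factory=list)      # response actions created in CFTR


def extract_indicators(text):
    """Step 3 input: pull IP, URL, email, domain and hash values out of the alert text."""
    found, remaining = {}, text
    for kind, pattern in IOC_PATTERNS.items():
        for match in re.findall(pattern, remaining):
            found[match] = kind
            remaining = remaining.replace(match, " ")
    for ioc, kind in list(found.items()):  # the URL's host is enriched as its own domain IOC
        if kind == "url":
            found[re.sub(r"^https?://", "", ioc).split("/")[0]] = "domain"
    return found


def enrich(indicators):
    """Step 3: look each indicator up (stubbed VirusTotal) and keep the detection counts."""
    return {ioc: {"type": kind, **dict(zip(("malicious", "total"), VT_VERDICTS.get(ioc, (0, 0))))}
            for ioc, kind in indicators.items()}


def summarize(details):
    """Assumed scoring: score = worst detection ratio (0-100); TLP, IOC status and severity follow it."""
    score = max((round(100 * d["malicious"] / d["total"]) for d in details.values() if d["total"]),
                default=0)
    severity = "low" if score == 0 else "medium" if score < 30 else "high"
    return score, ("AMBER" if score else "GREEN"), ("malicious" if score else "benign"), severity


def onboard(alert):
    """Steps 2-6 for one alert: create, enrich, triage and either close or queue with a block action."""
    business_unit, location = CLIENT_ROUTING[alert["client"]]
    user_group, assignee = ASSIGNMENT[alert["severity"]]
    inc = Incident(alert["id"], alert["title"], business_unit, location, user_group, assignee,
                   source={"system": "Microsoft CASB", "alert_id": alert["id"],
                           "original_severity": alert["severity"]})
    inc.indicators = enrich(extract_indicators(alert["description"]))
    inc.enrichment_score, inc.tlp, inc.ioc_status, inc.severity = summarize(inc.indicators)
    if all(d["malicious"] == 0 for d in inc.indicators.values()):   # step 4: false positive
        inc.status, inc.casb_resolution = "closed-false-positive", "False Positive"
    else:                                                          # steps 5 and 6
        inc.status = "ready-for-investigation"
        inc.actions.append({"tool": "EDR", "action": "block",
                            "indicators": [i for i, d in inc.indicators.items() if d["malicious"]]})
    return inc


def run_playbook(alerts):
    """Step 1: stop when there is nothing new, otherwise onboard every open alert."""
    return [onboard(a) for a in alerts] if alerts else []


if __name__ == "__main__":
    for inc in run_playbook(CASB_ALERTS):
        print(inc.alert_id, inc.status, inc.severity, inc.enrichment_score, inc.actions)
```

Running it closes the impossible-travel and mass-delete alerts as false positives (all indicators clean in the constructed verdict table) and leaves the suspicious-download alert ready for investigation with a block action covering only the URL and its domain, not the clean hash. The only piece worth replacing in a real playbook is the verdict table and the scoring thresholds; the control flow (stop on empty poll, enrich, triage, write the disposition back to the CASB, create the response action) is what the steps above describe.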

Benefits

Respond Quickly and Accurately

The solution automatically collates all the relevant information in one place for easier and faster access and helps users prioritize the incidents, thereby assisting security teams in assessing and responding faster to similar incidents.

Streamline Incident Onboarding Process

Security teams can automatically gather alerts from CASB, perform enrichment, and automatically generate incidents for investigation. This streamlines the process by removing the need for a human to notice the relevant security data, identify it as a security incident, and manually set up an incident in the system.

Respond Faster and More Efficiently

By automating manual tasks, security teams can enable analysts to focus on high-value investigations.