Enrich Graph Security alerts to create a threat intelligence feed

What it does

By using the Swimlane platform and our Microsoft Graph Security API bundle, we have created two applications that store all Graph Security alerts, automate the creation of a threat intelligence feed, and perform remediation against an on-premises firewall appliance.

We have a scheduled process (every hour by default, but configurable) that continually pulls alerts and either creates new records or updates existing records in our MS Graph Hackathon application.

The second application, called MS Graph Hackathon - IPs, Hashes, and URLs, extracts all IP addresses, hashes, and URLs from the Graph Security alerts and stores this information as records in this new application. We then perform enrichment from 5 different sources, chosen according to the type of extracted value we need to enrich.

Note: as an example we are performing enrichment using 5 different sources, but this application can use fewer, more, or different enrichment sources based on an organization's needs.

Once enrichment is complete, we generate a threat feed that is automatically posted to a private (internal) GitHub repository. We also use GitHub Pages to render this threat feed.

Please note that we are using GitHub as an example; an organization could store this threat feed in a different location using a pre-built bundle or a custom integration.

This generated threat feed can be used to enhance an organization's threat hunting activities and provide context surrounding Graph alerts.

Our application can also perform remediation, either automatically or on manual request, by adding IPs or URLs to a Palo Alto Panorama firewall.

How we built it

We built these applications utilizing the Swimlane platform. We used Swimlane-built bundles/integrations to perform most of the actions within this application, but we also wrote custom integrations within the Swimlane platform by creating script tasks in Python.

Challenges we ran into

Our biggest challenges were extrapolating and understanding what would be valuable in a threat feed from a user's perspective. We did tons of research by looking at other threat feeds and determined the best information to include based on the enrichment sources.

Additional challenges included identifying the best way to score each enrichment source: most enrichment sources do not provide a straightforward threat score, so we wrote custom Python script tasks to determine threat scores.
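As an added example (not code from the hackathon project), the two script-task steps described above in Python: pulling IPs, hashes and URLs out of one alert, and folding heterogeneous enrichment results into a single 0-100 threat score. The sample alert, its Graph Security-style field names, and the three enrichment result formats are constructed assumptions; the extractor walks the alert generically so it does not depend on the exact schema.

```python
import ipaddress
import re

SAMPLE_ALERT = {  # constructed; Graph Security-style field names are an assumption
    "id": "alert-0001",
    "networkConnections": [{"sourceAddress": "10.0.0.5",
                            "destinationAddress": "203.0.113.7",
                            "destinationUrl": "http://bad.example/p.php"}],
    "fileStates": [{"fileHash": {"hashType": "sha256", "hashValue": "AB" * 32}}],
}
HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def _strings(obj):
    # Yield every string anywhere in the nested alert dict/list.
    if isinstance(obj, (dict, list)):
        for v in (obj.values() if isinstance(obj, dict) else obj):
            yield from _strings(v)
    elif isinstance(obj, str):
        yield obj

def classify(value):
    # 'hash', 'url', 'ip' or None; internal/loopback IPs are not feed-worthy.
    if HASH_RE.match(value):
        return "hash"
    if value.lower().startswith(("http://", "https://")):
        return "url"
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return None
    return None if any(ip in net for net in LOCAL_NETS) else "ip"

def extract_indicators(alert):
    # Deduplicated (type, value) pairs; hashes normalised to lowercase.
    kinds = ((classify(s), s) for s in _strings(alert))
    return {(k, v.lower() if k == "hash" else v) for k, v in kinds if k}

def threat_score(enrichments):
    # Fold heterogeneous source results into one 0-100 score: a hit-ratio dict,
    # a verdict label, or a raw 0-100 number; None means the source had no data.
    parts = []
    for r in enrichments.values():
        if isinstance(r, dict):                   # {"malicious": 5, "total": 70}
            parts.append(r["malicious"] / max(r["total"], 1))
        elif isinstance(r, str):                  # "suspicious"
            parts.append({"malicious": 1.0, "suspicious": 0.5}.get(r.lower(), 0.0))
        elif r is not None:                       # 83
            parts.append(min(max(float(r), 0.0), 100.0) / 100)
    return round(100 * sum(parts) / len(parts)) if parts else 0
```

Sources that return nothing are left out of the average rather than counted as clean, so a single silent source does not drag a bad indicator's score down.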

Accomplishments that we're proud of

We think that we have created a great resource that shows the power of SOAR. Additionally, we were able to provide a tool/resource that is able to generate a threat feed from already known data; we believe this area is lacking in the security space.

What we learned

We learned a lot about how the Microsoft Graph API works, especially the ins and outs of the Graph Security API alerts endpoint. We now know that there is a lot of great information within the Graph Security API, but we think that we have augmented this information by automating the enrichment and remediation of these alerts.

What's next for Microsoft Graph Security - Security Alerts Enrichment

We plan on adding many more enrichment sources and adding the ability to perform remediation across a multitude of application types in the near future (e.g. EDR, SIEM, etc.).
