Inspiration

  • Desire to protect our network in the face of rising of ransomware and malware attacks
  • Challenges associated with incident triage and alert fatigue
  • Challenges balancing incident response with other projects and tasks in a small team
  • Reducing incident response times for potential critical incidents

What it does

A combination of an analytics rule and playbooks to reduce detection and response time for incidents involving suspicious network connections, that are possibly related to phishing, malware or a network breach, in order to avoid widespread infection or compromise of the network. The analytics rule runs every 10 minutes to check Cisco Umbrella threat logs for suspicious connections over the last 30 minutes. The playbook will trigger when an incident is generated by this rule.

In addition to performing automated investigation and alert enrichment functions, the solution aides in starting containment and eradication procedures earlier in the incident response cycle during the detection and analysis phase. This is achieved using Cisco Umbrella, Email Relay, VirusTotal API, and Outlook and Microsoft Teams integrations. This allows security analysts to receive notifications for critical incidents and take action from anywhere, anytime, even if they currently only have their mobile device.

How we built it

  • Built playbook to ingest Cisco Umbrella threat logs to Azure Log Analytics
  • Wrote analytics rule to detect suspicious network connections from Cisco Umbrella threat logs
  • Built playbook to automate investigation, enrichment, notification, containment, and eradication procedures

Challenges we ran into

  • Building efficient streamlined processes to reduce playbook runtime and speed results
  • API call limits for free tier APIs. As we are working on multiple proof-of-concept projects we utilize several free tier open-source APIs which occasionally causes us to reach daily or rate limits

Accomplishments that we're proud of

  • Notification of potential critical incidents in real-time
  • Streamlines incident response procedures
  • Reduced total time for incident response
  • Enables analyst to take action from anywhere at anytime

What we learned

  • Most incident triage and investigation steps can be automated
  • Automated alert enrichment reduces total investigation time
  • Automated and semi-automated (with human decision) remediation measures reduce response cycle duration and potential for lateral movement
  • When using free tiered APIs it is good to evaluate all playbooks to find overlap in functionality and either remove steps from one or combine playbooks when possible

What's next for Mitigating Threats with Azure Sentinel from Cisco Umbrella

  • We are building an ultimate incident management playbook to automate most incident response processes
    • Uses multiple sources for alert enrichment and IOC checks
    • Advanced hunting queries to check attack vectors and IOCs
    • Automated escalation and notification via Teams channels for potential critical incidents
    • Combination of automated and semi-automated containment, eradication, and recovery procedures (blacklisting, updating IOCs in systems, network isolation, etc.)

Built With

Share this project:

Updates