Alert Type - Anonymous IP address
Alert Type - Malware Linked IP
Alert Type - Atypical Locations
We wanted to build something on a security platform that reduces manual effort and eases a security analyst's job in terms of analysis, redundant work and accuracy.
What it does
This application helps analysts visualize the data fetched through the Microsoft Graph API in a clear and comfortable way and improves the accuracy of the actions they take on security alerts.
How we built it
This application is built in three parts:
1) First, the security data is fetched by a Python script using the Microsoft Graph API.
2) The data is fed into ELK for visualization per alert type.
3) Automatic emails are sent to the respective internal teams so they can take the necessary actions. (Details on the respective suspected users are also sent as an attachment.)
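The three steps above in miniature, as an added example rather than the project's own script. It uses the real v1.0 `/security/alerts` endpoint and field names (`title`, `severity`, `userStates`, `vendorInformation`) but every alert value, the IP reputation and GeoIP lookups, and the team mailbox addresses are constructed for this demonstration. Network access is only needed by `fetch_alerts`, which the demo does not call; everything else runs offline.

```python
"""Added example, not the project's own code: Graph security alerts ->
flat documents for Elasticsearch -> per-team notification emails."""
import json
import urllib.request
from collections import defaultdict
from email.message import EmailMessage

GRAPH_ALERTS_URL = "https://graph.microsoft.com/v1.0/security/alerts"

# Assumed mapping from alert type to the internal team that acts on it.
TEAM_FOR_ALERT_TYPE = {
    "Anonymous IP address": "identity-team@example.com",
    "Malware Linked IP": "soc@example.com",
    "Atypical Locations": "identity-team@example.com",
}

# Constructed sample alerts in the shape of the v1.0 /security/alerts resource
# (field names follow the Graph schema; every value here is made up).
SAMPLE_ALERTS = [
    {"id": "alert-001", "title": "Anonymous IP address", "severity": "medium",
     "status": "newAlert", "createdDateTime": "2021-03-01T08:15:00Z",
     "vendorInformation": {"provider": "IPC", "vendor": "Microsoft"},
     "userStates": [{"userPrincipalName": "alice@example.com", "logonIp": "198.51.100.7"}]},
    {"id": "alert-002", "title": "Malware Linked IP", "severity": "high",
     "status": "newAlert", "createdDateTime": "2021-03-01T09:40:00Z",
     "vendorInformation": {"provider": "IPC", "vendor": "Microsoft"},
     "userStates": [{"userPrincipalName": "bob@example.com", "logonIp": "203.0.113.9"},
                    {"userPrincipalName": "carol@example.com", "logonIp": "203.0.113.9"}]},
]

# Constructed enrichment tables standing in for an IP reputation feed and a GeoIP database.
IP_REPUTATION = {"203.0.113.9": "malicious", "198.51.100.7": "anonymizer"}
GEOIP = {"203.0.113.9": "NL", "198.51.100.7": "US"}


def fetch_alerts(access_token, top=50):
    """Step 1: pull alerts from Graph. Requires an app token with
    SecurityEvents.Read.All; the demo below does not call this."""
    req = urllib.request.Request(f"{GRAPH_ALERTS_URL}?$top={top}",
                                 headers={"Authorization": f"Bearer {access_token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["value"]


def alert_type(alert):
    """Map the alert title onto one of the dashboard's alert types."""
    title = alert.get("title", "").lower()
    for known in TEAM_FOR_ALERT_TYPE:
        if known.lower() in title:
            return known
    return "Other"


def flatten_alerts(alerts, ip_reputation, geoip):
    """Step 2 (part 1): one flat document per (alert, user) so Kibana can split
    by user and by IP; enrichment columns are added here."""
    docs = []
    for alert in alerts:
        for state in alert.get("userStates") or [{}]:
            ip = state.get("logonIp")
            docs.append({
                "alert_id": alert["id"],
                "alert_type": alert_type(alert),
                "severity": alert.get("severity"),
                "created": alert.get("createdDateTime"),
                "provider": alert.get("vendorInformation", {}).get("provider"),
                "user": state.get("userPrincipalName"),
                "ip": ip,
                "ip_reputation": ip_reputation.get(ip, "unknown"),
                "geo": geoip.get(ip, "unknown"),
            })
    return docs


def to_bulk_ndjson(docs, index="graph-security-alerts"):
    """Step 2 (part 2): body for Elasticsearch's _bulk API. The _id is
    alert+user so re-running the script updates instead of duplicating."""
    lines = []
    for d in docs:
        lines.append(json.dumps({"index": {"_index": index, "_id": f"{d['alert_id']}:{d['user']}"}}))
        lines.append(json.dumps(d))
    return "\n".join(lines) + "\n"


def route_by_team(docs):
    """Step 3 (part 1): group documents by the team that must act on them."""
    by_team = defaultdict(list)
    for d in docs:
        team = TEAM_FOR_ALERT_TYPE.get(d["alert_type"])
        if team:
            by_team[team].append(d)
    return dict(by_team)


def build_email(team, docs, sender="graph-alerts@example.com"):
    """Step 3 (part 2): notification with the suspected-user details attached as JSON."""
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, team
    msg["Subject"] = f"{len(docs)} security alert(s) need action"
    users = sorted({d["user"] for d in docs if d["user"]})
    msg.set_content("Suspected users: " + ", ".join(users) + "\nDetails attached.")
    msg.add_attachment(json.dumps(docs, indent=2).encode(), maintype="application",
                       subtype="json", filename="suspected_users.json")
    return msg


if __name__ == "__main__":
    flat = flatten_alerts(SAMPLE_ALERTS, IP_REPUTATION, GEOIP)
    print(to_bulk_ndjson(flat))          # what would be POSTed to /_bulk
    for team, team_docs in route_by_team(flat).items():
        print(build_email(team, team_docs)["Subject"], "->", team)
```

The bulk body is the only thing Elasticsearch needs; in production it is POSTed to `/_bulk` with `Content-Type: application/x-ndjson`, and the `EmailMessage` objects are handed to `smtplib.SMTP.send_message`. Keying the document `_id` on alert and user is what keeps a re-run of the fetch from producing duplicate rows in the dashboard.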
Challenges we ran into
While analyzing the alerts, we found that some of the data is false positive.
Accomplishments that we're proud of
We tried to make something relevant using the Microsoft Graph API and came up with this application, where besides using the data obtained through the Graph API we also enriched it with additional data such as IP reputation and geolocation.
What we learned
We have learnt to see the data not only from a developer's perspective but also from an analyst's perspective, which in fact helped us enrich this application.
What's next for Security Analytical App using Microsoft Graph API
There are many. Some of them are:
1) After the automatic mails are triggered to our internal teams, we plan to capture their responses (actions taken, justification for suspected users, etc.) and visualize them per user, per IP and so on.
2) We are working on more test cases and simpler features to make it more effective and useful.