Our SOC analysts are working on Defender alerts manually for many of the alerts and carrying out activities like revoking sessions, resetting passwords, etc. I want to pull Defender alerts/incidents into InsightConnect, investigate them there in InsightConnect, and do the rest of the activities based on the investigation results.
Is it possible to do so? Your insights would be appreciated…
We have two Defender plugins that have the ability to trigger from Events happening in Defender.
Defender for Endpoint has a trigger for New Alerts.
Defender for Incidents can trigger from new incidents.
I recommend setting up two different workflows, one for each trigger. Activate the workflows and see what data comes in. Once you have an understanding of the data available within InsightConnect you can better judge if your desired outcome can be achieved.
Generally speaking you can ingest your events into InsightConnect and work them from within the InsightConnect platform if you wish.
My question is: if I automate the investigation with the help of InsightConnect, my SOC analysts need not do the same in Defender. Isn’t it?
And the use case I will be working on is about releasing a quarantined message upon user request, or denying that request on the basis of the investigation. So, any insights for that? Is it possible?
I don’t know what a quarantined message is in Defender.
You would have to talk me through your process more in depth.
Initial questions you need to think through are along the lines of:
What will be the triggering event? What happens that then sends data to InsightConnect and kicks off a workflow? Is it a new alert, is it a Teams message from a user, something else?
Then you need to know what actions you want to perform. Once you know what actions you want to perform you can see if we already have plugin actions for this. If yes you can just use those plugins. An example is the Azure AD Admin plugin. It can revoke user sessions, so you can use that plugin as part of your process.
If there is an action that you want to perform, but you don’t see it as a plugin-supported action, you can pivot to the Python plugin as long as the action you want to perform has an endpoint within Microsoft Graph, and you’re licensed for that level of access within Microsoft.
If you can share more details I can help you think through the process, but I am not a Microsoft Expert. Some of the process will need a bit more detail, such as the quarantined message piece you spoke to earlier.
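As an added example of the "pivot to the Python plugin" route described above (this is not InsightConnect's plugin code or Rapid7's), here is what a Python step that revokes a user's sign-in sessions through Microsoft Graph could look like. `POST /users/{id | userPrincipalName}/revokeSignInSessions` is a documented Graph endpoint; the access token, the permission level the tenant is licensed for, and the fake response used to run the script offline are assumptions, and the request is built separately from the send so a workflow can inspect it before anything goes to Microsoft.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

GRAPH_BASE = "https://graph.microsoft.com/v1.0"


def build_revoke_request(access_token, user_principal_name):
    """Build the Graph call that invalidates a user's refresh tokens.

    POST /users/{upn}/revokeSignInSessions needs an app (or delegated) token
    with User.ReadWrite.All; obtaining that token is assumed to happen earlier
    in the workflow. A urllib Request is returned so it can be inspected.
    """
    # '@' is safe in the path segment; anything else unusual gets encoded.
    upn = urllib.parse.quote(user_principal_name, safe="@")
    url = f"{GRAPH_BASE}/users/{upn}/revokeSignInSessions"
    headers = {
        "Authorization": f"Bearer {access_token}",
        "Content-Type": "application/json",
    }
    return urllib.request.Request(url, data=b"{}", headers=headers, method="POST")


def parse_revoke_response(status, body):
    """Reduce the HTTP result to the boolean a workflow step would branch on.

    Graph answers 200 with {"value": true} on success. Anything else (403 for
    a missing permission, 404 for an unknown user, 429 for throttling) is
    reported as a failure together with the status so the analyst sees why.
    """
    if status == 200:
        data = json.loads(body or b"{}")
        return {"success": bool(data.get("value")), "status": status}
    return {"success": False, "status": status}


def revoke_sign_in_sessions(access_token, user_principal_name, opener=urllib.request.urlopen):
    """Send the request; `opener` is injectable so the step can run offline."""
    req = build_revoke_request(access_token, user_principal_name)
    try:
        with opener(req, timeout=30) as resp:
            return parse_revoke_response(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return parse_revoke_response(err.code, err.read())


class FakeGraphResponse:
    """Constructed stand-in for the live Graph response (offline runs only)."""

    def __init__(self, status=200, body=b'{"value": true}'):
        self.status = status
        self._body = body

    def read(self):
        return self._body

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


if __name__ == "__main__":
    # Placeholder token and user: no real tenant is contacted here.
    result = revoke_sign_in_sessions(
        "<token from workflow>", "user@example.com",
        opener=lambda req, timeout: FakeGraphResponse(),
    )
    print(result)
```

Replacing the lambda with the default `urllib.request.urlopen` is all that changes for a real tenant; everything the step returns is a plain dict, which is what a later workflow step would key off to decide whether to escalate.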
When I said quarantined message, Defender has certain capabilities to put certain email messages or Teams messages in the quarantine folder. This is basically possible, maybe due to intelligence associated with Defender or the threat hunting queries.
Now, we are receiving an email every time a user requests to release a certain quarantined message, sent to one of our security mail IDs (this user activity is considered an alert of informational severity). Once we receive that email, one of the SOC analysts assigns themselves to the alert and checks the legitimacy of the message. If they find it legitimate they release the message; otherwise they escalate the alert to L2 support, or just deny the request and send the details in the Teams channel.
So, this is my actual question. Any idea on this part?
We have a trigger for the Office 365 Email plugin that allows you to kick off a workflow upon an email being received. You could automate the ingestion of this email into InsightConnect.
What data is in the email determines how much further you can go. Whether it contains the necessary data to get to that specific event within Defender itself is the next question.
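As an added illustration of that "does the email contain the necessary data" check (this is example code, not the Office 365 Email plugin's own output handling), the script below parses a release-request notification and reports which lookup fields are present before a workflow tries to find the message in Defender. The sample email and its field names are constructed; the real Defender notification has its own layout, so the regexes are the part you would adapt to what the trigger actually delivers.

```python
import email
import re
from email import policy

# Constructed sample of a quarantine release-request notification. The layout
# and field labels are assumptions, not the real Defender mail format.
SAMPLE_EMAIL = b"""From: quarantine-noreply@example.com
To: security-mailbox@example.com
Subject: User requested release of quarantined message
Content-Type: text/plain; charset=utf-8

A user has requested the release of a quarantined message.

Requested by: alice@example.com
Message ID: <constructed-0001@mail.example.com>
Sender: invoices@vendor-example.net
Recipient: alice@example.com
Quarantine reason: High confidence phish
"""

# Fields a workflow needs before it can look the message up in Defender.
REQUIRED_FIELDS = ("requested_by", "message_id", "sender", "recipient")

FIELD_PATTERNS = {
    "requested_by": r"^Requested by:\s*(.+)$",
    "message_id": r"^Message ID:\s*(.+)$",
    "sender": r"^Sender:\s*(.+)$",
    "recipient": r"^Recipient:\s*(.+)$",
    "quarantine_reason": r"^Quarantine reason:\s*(.+)$",
}


def parse_release_request(raw_bytes):
    """Extract the labelled fields from the plain-text body of the notification."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    fields = {"subject": str(msg["subject"] or "")}
    for name, pattern in FIELD_PATTERNS.items():
        match = re.search(pattern, text, re.MULTILINE)
        if match:
            fields[name] = match.group(1).strip()
    # A release request should come from the mailbox that received the message;
    # a mismatch is worth surfacing to the analyst rather than acting on.
    if fields.get("requested_by") and fields.get("recipient"):
        fields["requester_is_recipient"] = (
            fields["requested_by"].lower() == fields["recipient"].lower()
        )
    return fields


def missing_fields(fields):
    """Return the required lookup fields the email did not supply."""
    return [name for name in REQUIRED_FIELDS if not fields.get(name)]


def check_email_is_actionable(raw_bytes):
    """Decide whether the workflow has enough data to continue automatically."""
    fields = parse_release_request(raw_bytes)
    missing = missing_fields(fields)
    return {"fields": fields, "missing": missing, "actionable": not missing}


if __name__ == "__main__":
    print(check_email_is_actionable(SAMPLE_EMAIL))
```

When `actionable` is false the sensible workflow branch is to hand the alert to an analyst with the `missing` list attached, rather than guessing at identifiers; when it is true, the `message_id`, `sender` and `recipient` values are what a later step would use to locate the quarantined item.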
Maybe this would work. I don’t know what kind of data we would be receiving from the plugin execution. Let me work on this idea and I will let you know in this thread about the further process, if it is possible with the data received.