Research: Cloud Automation Use Cases

Hello everyone,
We are researching automation & orchestration use cases built off of cloud services & applications. If you have any 100% cloud-based workflows that we might help automate or simplify, please share them in this thread.
Thanks!


@spencer_engleson1, I know we have some use cases that we have thought of here. Mind sharing them here? It would be good for our customers and other community members to see them and give some feedback!

Sure thing! A few of our ideas thus far:

  1. Look up a vulnerability in Rapid7’s Exploit DB from chatops
    –> Get severity info
    –> Get patch info

  2. Look up a potential indicator of compromise from chatops
    –> Look up indicators in AbuseIPDB, Anomali, Recorded Future, OTX, BlueCoat Labs, HaveIBeenPwned, ThreatStack, etc.
    –> Get basic risk analysis in chatops, link to detailed report

  3. Check the SSL certificate status of a provided domain from chatops
    –> Input a host, get SSL certificate details

  4. Forward alerts from various security tools to chatops
    –> Alerts from InsightIDR, Proofpoint, Mimecast, Carbon Black, MS Defender…
    –> Push alerts to Slack or Teams, including description and link to alert in product

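An added example (not code from this thread or from the InsightConnect plugins) of use case 3 above, the chatops SSL certificate check: fetch the leaf certificate a host presents, then reduce it to the fields a chat reply needs plus a status that flags expired, not-yet-valid, expiring-soon and hostname-mismatch certificates. The sample certificate dict, the 30-day warning threshold and the status names are assumptions made for this example; the dict mirrors the layout Python's `ssl.SSLSocket.getpeercert()` returns, so `summarize_cert` can be run on a real server's certificate by feeding it `fetch_cert(host)`.

```python
import socket
import ssl

# Assumption for the example: warn this many days before notAfter.
EXPIRY_WARNING_DAYS = 30

# Constructed sample in the shape getpeercert() returns (subject/issuer are
# tuples of RDNs, each RDN a tuple of (name, value) pairs). Not a real cert.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("organizationName", "Example CA"),),),
    "notBefore": "Jan 1 00:00:00 2030 GMT",
    "notAfter": "Jul 1 00:00:00 2030 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}


def fetch_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Fetch the leaf certificate the server presents for `host` (via SNI).

    The default context verifies chain and hostname, so an expired or
    untrusted certificate raises ssl.SSLCertVerificationError here instead
    of coming back as data; the workflow should catch that and report it,
    not disable verification to get a dict back."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def epoch_of(cert_time: str) -> int:
    """Parse a getpeercert() timestamp such as 'Jul 1 00:00:00 2030 GMT'."""
    return ssl.cert_time_to_seconds(cert_time)


def _rdn_dict(rdns) -> dict:
    # Flatten ((('commonName', 'x'),), ...) into {'commonName': 'x', ...}
    return {key: value for rdn in rdns for (key, value) in rdn}


def san_covers_host(sans, host: str) -> bool:
    """True if a DNS SAN matches host; '*.' matches exactly one leftmost label."""
    host = host.lower().rstrip(".")
    for kind, name in sans:
        if kind != "DNS":
            continue
        name = name.lower()
        if name == host:
            return True
        if (name.startswith("*.") and host.count(".") == name.count(".")
                and host.endswith(name[1:])):
            return True
    return False


def summarize_cert(cert: dict, host: str, now: float) -> dict:
    """Reduce a getpeercert() dict to a chatops summary; `now` is epoch seconds."""
    not_before = epoch_of(cert["notBefore"])
    not_after = epoch_of(cert["notAfter"])
    days_left = int((not_after - now) // 86400)
    sans = list(cert.get("subjectAltName", ()))
    if now < not_before:
        status = "not_yet_valid"
    elif now > not_after:
        status = "expired"
    elif not san_covers_host(sans, host):
        status = "hostname_mismatch"
    elif days_left < EXPIRY_WARNING_DAYS:
        status = "expiring_soon"
    else:
        status = "ok"
    return {
        "host": host,
        "status": status,
        "days_left": days_left,
        "subject": _rdn_dict(cert.get("subject", ())).get("commonName"),
        "issuer": _rdn_dict(cert.get("issuer", ())).get("organizationName"),
        "not_after": cert["notAfter"],
        "sans": [name for kind, name in sans if kind == "DNS"],
    }
```

`fetch_cert` is the only part that touches the network; everything else is pure so it can be unit-tested against the constructed dict. Because the verifying context refuses an already-expired certificate during the handshake, the "expired" branch above is reached only when the dict comes from an unverified context or a stored certificate, which is the right trade-off for a chatops lookup: report the verification failure as the answer rather than weaken verification to inspect the dates.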

I’ll follow that awesome list with:

IDR - Investigation “Account x had OUTBOUND firewall traffic”
If outbound IP not in AbuseIPDB
API - Lookup source IP (json file)
If IP is in one of the known IP ranges
Then close case
Send API counter to datadog

IDR - Investigation “Harvested Credentials”
“x.x.x.x failed to access 3 distinct accounts in 2 hours 38 minutes 42 seconds”
API - Lookup source IP (json file)
If IP is known/Office IP
Close investigation
Send API counter to datadog

IDR - Investigation “Disabled User”
“Disabled user user@host.com accessed the network or a cloud service using google”
GSuite - Lookup User, email, status, last logged in time - enrich investigation
AD - Lookup user info (as below) - enrich investigation
AD - Lookup user based on email attribute - enrich investigation
Send API counter to datadog

Send Top 10 vulnerable assets (with stats) from sites in InsightVM to slack (so teams can see their assets)

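An added example, not the poster's workflow code, of the two auto-close rules above (the outbound firewall traffic and harvested credentials investigations): pull the IP out of the investigation text, check it against a JSON file of known ranges, consult a reputation score, and either close or escalate, returning a count datapoint shaped like the Datadog v1 series API body. The JSON file contents (RFC 5737 documentation ranges), the investigation dicts, the 25-point abuse threshold and the metric names are constructed for this example; the reputation lookup is passed in as a callable so the example runs offline (a real workflow would wrap the AbuseIPDB check there and return its `abuseConfidenceScore`).

```python
import ipaddress
import json
import re
import time
from typing import Callable, Optional

# Constructed stand-in for the "known IP ranges" JSON file the post refers to.
# RFC 5737 documentation ranges, so nothing here points at a real network.
KNOWN_IPS_JSON = """
{
  "office": ["203.0.113.0/24"],
  "vpn":    ["198.51.100.0/24"],
  "mgmt":   ["192.0.2.10"]
}
"""

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def load_known_ranges(raw_json: str) -> dict:
    """Parse {label: [cidr, ...]} into {label: [ip_network, ...]}.

    strict=False tolerates host bits set in the file (e.g. "10.1.2.3/24")."""
    return {
        label: [ipaddress.ip_network(entry, strict=False) for entry in entries]
        for label, entries in json.loads(raw_json).items()
    }


def classify_ip(ip_str: str, known: dict) -> Optional[str]:
    """Label of the first known range containing ip_str, else None.
    Raises ValueError for strings that are not valid IP addresses."""
    ip = ipaddress.ip_address(ip_str)
    for label, nets in known.items():
        if any(ip in net for net in nets):
            return label
    return None


def extract_ips(text: str) -> list:
    """Pull IPv4 literals out of an investigation description."""
    return IP_RE.findall(text)


def datadog_count(metric: str, tags: list) -> dict:
    """One count datapoint in the shape of the Datadog v1 series API body.
    Nothing is sent; a real workflow would POST this to /api/v1/series."""
    return {"series": [{"metric": metric, "type": "count",
                        "points": [[int(time.time()), 1]], "tags": tags}]}


def _decision(action: str, reason: str, investigation: dict) -> dict:
    metric = ("idr.investigation.auto_closed" if action == "close"
              else "idr.investigation.escalated")
    tag = "title:" + investigation["title"].lower().replace(" ", "_")
    return {"action": action, "reason": reason,
            "metric": datadog_count(metric, [tag])}


def triage(investigation: dict, known: dict,
           abuse_lookup: Callable[[str], int],
           abuse_threshold: int = 25) -> dict:
    """Decide whether an IDR investigation can be auto-closed.

    Rule from the post: close only if every IP in the alert text sits in a
    known range and none is flagged by the reputation lookup; anything the
    rule cannot vouch for (no IP, unparseable IP, unknown range, high abuse
    score) is escalated to a human. abuse_lookup(ip) returns 0-100, like
    AbuseIPDB's abuseConfidenceScore."""
    ips = extract_ips(investigation["detail"])
    if not ips:
        return _decision("escalate", "no IP found in alert text", investigation)
    findings = []
    for ip in ips:
        try:
            label = classify_ip(ip, known)
        except ValueError:  # e.g. the regex matched "999.1.1.1"
            return _decision("escalate", f"unparseable IP {ip!r}", investigation)
        score = abuse_lookup(ip)
        if score >= abuse_threshold:
            return _decision("escalate", f"{ip} abuse score {score}", investigation)
        if label is None:
            return _decision("escalate", f"{ip} not in any known range", investigation)
        findings.append(f"{ip} in {label} range")
    return _decision("close", "; ".join(findings), investigation)
```

The reputation check runs before the known-range check on purpose: an office egress address that has started showing up in abuse reports is exactly the case you do not want silently closed, so a high score escalates even when the range is known. The returned `metric` dict is what the "Send API counter to datadog" step would submit, tagged with the investigation title so the closed/escalated ratio can be graphed per rule.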

This is awesome, thank you!!! Pulling these ideas into our workflow ideas board now.

Keep 'em coming :sunglasses:

I tried my hand at the last use case, Top 10 Vulnerable Assets. The InsightVM plugin has a top remediations action, but of course getting the top vulnerabilities will be a little more difficult!

I’ll continue tinkering, but was also thinking that a workflow where the user can request the top remediations for a particular asset might be useful. I believe this could easily be “up-leveled” to the asset group or site level to provide a broader scope for top remediation actions.

Thoughts?