All Posts

Rapid Detection and Response with Panther & Tines

Mark Stone

As the threat landscape evolves and the magnitude of potential threats skyrockets, security teams often struggle to keep up. Compounding the issue, organizations are ingesting more data from cloud infrastructure, applications, networks, and hosts than ever before. 

As data volumes explode, adding automation can help security teams increase efficiency and scale their efforts. Currently, the threat detection and response process is very time-consuming. Security teams spend hours reviewing false positive alerts or performing mundane tasks to resolve security incidents. 

Panther and Tines are modern solutions that work together to rapidly detect and respond to threats, saving time and improving security operations.

Panther is a modern Security Information and Events Management (SIEM) platform that transforms terabytes of raw logs per day into a structured security data lake for real-time detection and investigations. With detection-as-code and native integrations with dozens of log sources, Panther is built for scale.

Similarly, Tines is at the forefront of “no-code automation,” and provides a best-in-class solution for automating repetitive, manual processes – from simple tasks to complex workflows. With Tines, security teams can simply drag and drop Actions into a workflow, wire them together, enter the parameters, test, and deploy. 

How Panther and Tines can work together 

In this article, we will outline three common use cases that many organizations use to automate their detection and response. 

Use Case 1: Proactively prevent an attacker from escalating privileges

Any infrastructure or SaaS application has a number of accounts. Most of the accounts are user accounts with limited privileges that only allow users to access features limited to their accounts. The remaining are administrative accounts that have the ability to create or remove users, assign privileges, modify system settings, access user data, and more. For attackers, escalating privileges to compromise administrative accounts is an effective way to access sensitive files and documents. Privilege escalation maps to Privilege Escalation Tactic (in MITRE ATT&CK TA0004). 

Let’s assume an organization uses Okta for identity and access management. Panther provides several out-of-the-box detections, one of which checks when a user is assigned admin privileges. When this rule triggers an alert, Panther sends the alert to Tines which checks an enrichment database (such as VirusTotal) to determine if the IP is malicious. If the IP is deemed malicious, Tines generates an API call to lock the account in Okta. All of this without any analyst intervention.

To set up this scenario in your environment, follow the steps here. 

Use Case 2: Automatically quarantine malicious host

In this scenario, the organization is using an Endpoint Detection and Response (EDR) tool such as Crowdstrike or Sophos that can detect malware on a host. If malware is detected on a host, the EDR delivers an alert to Panther. A Panther detection, such as this for CrowdStrike, will then generate an alert.

Learn more about running a Crowdstrike real-time response command in Tines here

First, Tines can create a task in Asana for case tracking. Next Tines makes a call to external services to validate that the hash of the file is malicious. If the indicators are deemed malicious, Tines will send an API call to the EDR to isolate the device, automatically preventing the malware from communicating with its command and control server or moving laterally.

Use Case 3: Reduce analyst friction due to accidental account lockouts 

One of the common ways adversaries try to compromise user accounts is through brute force. Without knowledge of the password, an adversary may systematically guess the password using a repetitive or iterative mechanism. To defend against brute force attacks, the application may be set up to lock user accounts after a number of unsuccessful attempts. In many cases, legitimate users may find themselves accidentally locked out if they aren’t able to log in within the allowed number of attempts. 

In this scenario, let’s assume that a user changed their password recently, but forgot their password. They attempt to enter their username and password, and after 5 unsuccessful attempts, they are locked out. Simultaneously, if Panther is set up to detect brute force attempts, it generates an alert after 5 unsuccessful attempts.

Learn more about monitoring Okta for invalid sign-in attempts in Tines here

Panther will route the alert to Tines which automatically generates an email or Slack message to the user asking if they tried to sign into their account at Okta. If the user confirms it wasn’t malicious, Tines will call the Okta API to automatically unlock the account. If the user cannot confirm it was malicious, Tines will create a high-severity alert and send it to Panther and the security team. Throughout the process, no analyst interaction is required.

Get Started

Panther can analyze log data from hundreds of systems including AWS, GCP, Microsoft 365, G Workspaces, Crowdstrike, OSquery, and more. Check out a list of all our supported integrations. Follow our Quick Start community guide & get started with Panther or contact us for a demo.