Automated Detection and Response with Panther and Tines

Jack Naglieri

Dec 1, 2020

8 min read

Scale your security program by creating high-fidelity alerts and automating manual remediation tasks

Introduction

To monitor for suspicious activity and gain operational awareness in the cloud, modern detection and response teams must process and analyze large volumes of log data from applications, networks, hosts, and cloud infrastructure. An end-to-end workflow typically involves analyzing logs, generating alerts, and taking action to determine whether the activity is either a true or false positive.

Historically, security teams had to manually review alerts and take steps to determine whether the activity was a real indicator of compromise. But as organizations move to the cloud and data volumes explode, adding automation can help security teams increase efficiency and scale their efforts.

In this blog post, we'll outline how teams can use Panther and Tines to generate alerts on suspicious activity, get answers from end users, enrich data, and leverage automation to save time so they can focus on the issues that matter most: improving the security of your organization.

Watch our on demand webinar to learn how you can automate detection and response with Panther and Tines.

Threat Scenario

For this scenario, we'll analyze Okta SSO logs with Panther and send an alert each time a user is granted Administrator privileges. Because SSO is the gateway for accessing internal systems, delegating Admin privileges should be highly scrutinized.

Alerts will be sent from Panther to Tines via a webhook to initiate an automated response workflow that will:

  1. Check that the client IP is not malicious

  2. Ping the user on Slack to confirm the behavior

  3. Depending on the user's response, create a new case and lock the account

The end-to-end workflow will look like this:

The goal of this workflow is to proactively prevent an attacker from escalating privileges and causing harm to your organization.

Collecting and Monitoring Okta Logs

The first step is to gather and analyze Okta logs. With an API token, Panther can be configured to pull this data as soon as new logs are available.

Simply add a new Source in Panther:

Configure Panther to pull Okta log data

And add your Okta API details:

Add your Okta details to finish the configuration

Now, Panther will poll Okta for new logs each minute. The log below is an example Okta log that we will monitor:

Once these logs have been processed and normalized by Panther, they can be queried with SQL to review similar past events so that we can understand what normal activity looks like, and ultimately, write high-fidelity detections.

For example, if Panther is configured with Snowflake as the data store, the following query will display all previous events where an account was granted administrator privileges.

Now that we understand how to work with the data once it's collected, let's convert this query to a Panther real-time Python rule.

Generating High-Value Alerts

In this scenario, our objective is to generate an alert each time a new user is granted Administrator privileges in Okta. In the previous event, we saw the following:

  • Who: Jack Naglieri is granting Organization & Application administrator

  • To: Thomas Kinsella

  • From: IP 194.88.246.242

Administrator Roles

In Panther, we can enable the following built-in rule to flag these events:

When True is returned from the rule() function, an alert will be generated for the security team to review.

Each alert includes a high-level overview, a summary of common attributes across all alert-generating events, and the normalized event logs that triggered the alert.

Review details for an alert

To save time and build repeatable processes for triaging alerts, a platform like Tines can be used to automate follow-up actions that may resolve these alerts without manual intervention.

Adding Context for Powerful Automation

To build intelligent and robust automation, Tines can use events from generated alerts to respond accordingly. In Panther, security analysts can build their detections with automation in mind by leveraging the alert_context() function to include arbitrary JSON data, such as event metadata, in the alert.

In this case, we add the following code to our rule to include in our alert the user triggering the activity (actor), the receiving user (target), metadata about the actor's request (client), and all detected IPs (from Panther's standard fields):

The generated context is appended to alert events in a key called p_alert_context, and when the JSON is loaded, looks like this:

Panther aggregates and analyzes groups of events in a single detection, so this context is helpful for the post-processing of alerts. You can include any information you'd like here, whether it's from the relevant event or not.
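
The two pieces referenced above (the rule that returns True on an administrator grant, and the alert_context() hook that packages actor, target, client and IP data for Tines) are shown together below as an added example. This is not Panther's built-in rule nor code from the post; it assumes Okta records such grants as eventType "user.account.privilege.grant" with the role names in debugContext.debugData.privilegeGranted, and that Panther exposes every IP it parsed from an event in the standard field p_any_ip_addresses. The sample events are constructed to mirror the post's scenario.

```python
# Added example (not Panther's own rule): Panther-style detection for Okta admin
# privilege grants, with alert_context() carrying the fields Tines will act on.
# Assumed: eventType "user.account.privilege.grant" and the
# debugContext.debugData.privilegeGranted field (Okta System Log schema), and
# p_any_ip_addresses as Panther's standard list of IPs seen in the event.
from typing import Any, Dict

ADMIN_GRANT_EVENT = "user.account.privilege.grant"


def granted_privileges(event: Dict[str, Any]) -> str:
    """Comma-separated role names Okta records for the grant, or '' if absent."""
    return event.get("debugContext", {}).get("debugData", {}).get("privilegeGranted", "")


def rule(event: Dict[str, Any]) -> bool:
    """Panther calls this for every Okta event; returning True generates an alert."""
    if event.get("eventType") != ADMIN_GRANT_EVENT:
        return False
    if event.get("outcome", {}).get("result") != "SUCCESS":
        return False  # a failed grant changed nothing; keep the alert high-fidelity
    return "administrator" in granted_privileges(event).lower()


def title(event: Dict[str, Any]) -> str:
    """Alert title shown to the analyst."""
    actor = event.get("actor", {}).get("alternateId", "<unknown actor>")
    targets = event.get("target") or [{}]
    target = targets[0].get("alternateId", "<unknown target>")
    return f"Okta administrator privileges granted by {actor} to {target}"


def alert_context(event: Dict[str, Any]) -> Dict[str, Any]:
    """Arbitrary JSON Panther appends to the alert as p_alert_context."""
    return {
        "actor": event.get("actor"),
        "target": event.get("target"),
        "client": event.get("client"),
        "privileges": granted_privileges(event),
        "ips": event.get("p_any_ip_addresses", []),
    }


# Constructed sample event following the post's scenario (Jack Naglieri granting
# admin roles to Thomas Kinsella from 194.88.246.242). Field layout follows Okta's
# System Log schema; p_any_ip_addresses is added by Panther's normalization.
SAMPLE_GRANT = {
    "eventType": ADMIN_GRANT_EVENT,
    "displayMessage": "Grant user privilege",
    "outcome": {"result": "SUCCESS"},
    "actor": {"type": "User", "alternateId": "jack.naglieri@example.com", "displayName": "Jack Naglieri"},
    "target": [{"type": "User", "alternateId": "thomas.kinsella@example.com", "displayName": "Thomas Kinsella"}],
    "client": {"ipAddress": "194.88.246.242", "userAgent": {"os": "Mac OS X", "browser": "CHROME"}},
    "debugContext": {"debugData": {"privilegeGranted": "Organization administrator, Application administrator"}},
    "p_any_ip_addresses": ["194.88.246.242"],
}

# Constructed benign event: an ordinary login from the same actor must not alert.
SAMPLE_LOGIN = {
    **SAMPLE_GRANT,
    "eventType": "user.session.start",
    "displayMessage": "User login to Okta",
    "debugContext": {"debugData": {}},
}

if __name__ == "__main__":
    for ev in (SAMPLE_GRANT, SAMPLE_LOGIN):
        print(rule(ev), "-", title(ev))
    print(alert_context(SAMPLE_GRANT))
```

The outcome check is the one addition over a bare eventType match: Okta logs failed grants too, and alerting on them would add noise to exactly the alert stream you are about to automate against.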

These events will be transmitted to Tines with a webhook, which can be configured as a Destination within Panther and associated with our Rule either by severity or specifically with a destination override:

Set an alert destination for a specific rule

Configure Webhook as an alert destination

Now that all the pieces are in place, let's take action on this alert with Tines!

Triaging Alerts with Automation in Tines

The first action item after receiving an alert about privilege escalation may be to ping the user on Slack and ask them to confirm whether the activity was legitimate. If the user responds "Yes", the security team might deem the action authorized and close the alert. If the user responds "No", the security team may escalate the incident and lock the affected user's account.

We can also apply a layer of threat-intelligence lookups on the IP address. In Tines, workflows can be created to automate this type of incident escalation.

Tines will receive events looking like:

Tines Events

Next, using the drag and drop workflow builder in Tines, we can automate the following remediation actions:

  • Look up the client's IP address in VirusTotal and GreyNoise

  • If the IP is deemed malicious, ping the user on Slack to confirm their actions

  • If they don't recognize the action, create a new case in the Hive and lock the account in Okta

  • If they do recognize the activity, take no additional action
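
The branching above, as an added example that is not part of the original post and not Tines code: a plain-Python model of the triage decisions, driven by the p_alert_context Panther's webhook delivers. The VirusTotal/GreyNoise lookups and the Slack prompt are replaced by constructed lookup tables so the flow runs offline; in Tines each would be an HTTP Request or Slack action. Assumed: the account locked on "I don't recognize this" is the actor's (the session that issued the grant), and a missing Slack reply is treated like a "don't recognize" answer.

```python
# Added example (not Tines code): the triage branches of the story as a function
# that returns the ordered list of (system, action) it would carry out.
# Constructed inputs stand in for VirusTotal/GreyNoise verdicts and Slack replies.
from typing import Any, Dict, List, Tuple

Action = Tuple[str, str]  # (system that performs it, human-readable description)

RECOGNIZED = "I recognize this"
NOT_RECOGNIZED = "I don't recognize this"


def malicious_ips(ips: List[str], reputation: Dict[str, str]) -> List[str]:
    """IPs that a threat-intel source rated malicious; unknown IPs are not flagged."""
    return [ip for ip in ips if reputation.get(ip) == "malicious"]


def triage(alert: Dict[str, Any],
           reputation: Dict[str, str],
           slack_replies: Dict[str, str]) -> List[Action]:
    """Walk the story's branches for one Panther alert."""
    ctx = alert["p_alert_context"]
    actor = ctx["actor"]["alternateId"]
    target = ctx["target"][0]["alternateId"]
    actions: List[Action] = []

    # Branch 1: threat-intel lookup on every IP Panther attached to the alert.
    flagged = malicious_ips(ctx.get("ips", []), reputation)
    if not flagged:
        actions.append(("tines", "no malicious IP; workflow requirements not met, no automated action"))
        return actions

    # Branch 2: ask the actor on Slack whether the grant was theirs.
    actions.append(("slack", f"ask {actor}: did you grant {target} admin privileges from {flagged[0]}?"))
    reply = slack_replies.get(actor, NOT_RECOGNIZED)  # assumed: silence fails closed

    # Branch 3: confirmed -> nothing more; otherwise open a case and lock the actor.
    if reply == RECOGNIZED:
        actions.append(("tines", "user confirmed the activity; no additional action"))
    else:
        actions.append(("thehive", f"create case: admin grant by {actor} from malicious IP {flagged[0]}"))
        actions.append(("okta", f"lock account {actor}"))
    return actions


# Constructed alert shaped like Panther's webhook payload for the post's scenario.
SAMPLE_ALERT = {
    "title": "Okta administrator privileges granted",
    "p_alert_context": {
        "actor": {"alternateId": "jack.naglieri@example.com", "displayName": "Jack Naglieri"},
        "target": [{"alternateId": "thomas.kinsella@example.com", "displayName": "Thomas Kinsella"}],
        "client": {"ipAddress": "194.88.246.242"},
        "ips": ["194.88.246.242"],
    },
}

# Constructed threat-intel verdicts (stand-in for VirusTotal/GreyNoise responses).
REPUTATION = {"194.88.246.242": "malicious"}

if __name__ == "__main__":
    actor = SAMPLE_ALERT["p_alert_context"]["actor"]["alternateId"]
    for label, replies in (("recognized", {actor: RECOGNIZED}),
                           ("not recognized", {actor: NOT_RECOGNIZED}),
                           ("no reply", {})):
        print(label, "->", triage(SAMPLE_ALERT, REPUTATION, replies))
    print("clean IP ->", triage(SAMPLE_ALERT, {}, {}))
```

The point worth checking when you build this in Tines is the default for an unanswered Slack prompt: the code above fails closed (case plus lock), which is the safer choice for an admin grant but means an on-leave user's session gets locked; make that decision explicit rather than letting a timeout pick it for you.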

The Tines Story visualized

If the workflow's predefined requirements are met, then the user will be pinged on Slack to confirm the activity:

The automated Slack message to confirm the suspicious activity

And if they click "I don't recognize this", then a case in the Hive is created, and the user account in Okta is locked out.

This is just one example workflow, but the options are endless!

Wrapping Up

Maintaining strong security as a company grows can be difficult. This problem is exacerbated by the rapidly growing scale of cloud environments. By applying automation to your security operations, you can reduce manual work, save valuable time, and decrease burnout across your SOC.

Get started today by running Panther and Tines together! Power better security outcomes across your organization and build a robust, end-to-end security pipeline using Python, SQL, and drag and drop automation workflows. Request a demo today.
