Automated Detection and Response with Panther and Tines

Scale your security program by creating high-fidelity alerts and automating manual remediation tasks

Introduction

To monitor for suspicious activity and gain operational awareness in the cloud, modern detection and response teams must process and analyze large volumes of log data from applications, networks, hosts, and cloud infrastructure. An end-to-end workflow typically involves analyzing logs, generating alerts, and taking action to determine whether the activity is either a true or false positive.

Historically, security teams had to manually review alerts and take steps to determine whether the activity was a real indicator of compromise. But as organizations move to the cloud and data volumes explode, adding automation can help security teams increase efficiency and scale their efforts.

In this blog post, we’ll outline how teams can use Panther and Tines to generate alerts on suspicious activity, get answers from end-users, enrich data, and leverage automation to save time to focus on the issues that matter most: improving the security of your organization.

Watch our on demand webinar to learn how you can automate detection and response with Panther and Tines.

Threat Scenario

For this scenario, we’ll analyze Okta SSO logs with Panther and send an alert each time a user is granted Administrator privileges. Because SSO is the gateway for accessing internal systems, delegating Admin privileges should be highly scrutinized.

Alerts will be sent from Panther to Tines via a webhook to initiate an automated response workflow that will:

  1. Check that the client IP is not malicious
  2. Ping the user on Slack to confirm the behavior
  3. Depending on the user’s response, create a new case and lock the account

The end-to-end workflow will look like this:

The goal of this workflow is to proactively prevent an attacker from escalating privileges and causing harm to your organization.

Collecting and Monitoring Okta Logs

The first step is to gather and analyze Okta logs. With an API token, Panther can be configured to pull this data as so on as new logs are available.

Simply add a new Source in Panther:

Okta Log
Configure Panther to pull Okta log data

And add your Okta API details:

Okta Details
Add your Okta details to finish the configuration

Now, Panther will poll Okta for new logs each minute. The log below is an example Okta log that we will monitor:

{
	"uuid": "2a992f80-d1ad-4f62-900e-8c68bb72a21b",
	"published": "2020-11-25 21:27:03.496000000",
	"eventType": "user.account.privilege.grant",
	"version": "0",
	"severity": "INFO",
	"legacyEventType": "core.user.admin_privilege.granted",
	"displayMessage": "Grant user privilege",
	"actor": {
		"id": "00uu1uuuuIlllaaaa356",
		"type": "User",
		"alternateId": "[email protected]",
		"displayName": "Jack Naglieri"
	},
	"client": {
		"userAgent": {
			"browser": "CHROME",
			"os": "Mac OS X",
			"rawUserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36"
		},
		"geographicalContext": {
			"geolocation": {
				"lat": 48.8916,
				"lon": 2.7939
			},
			"city": "Coupvray",
			"state": "Ile-de-France",
			"country": "France",
			"postalCode": "77700"
		},
		"zone": "null",
		"ipAddress": "194.88.246.242",
		"device": "Computer"
	},
	"request": {},
	"outcome": {
		"result": "SUCCESS"
	},
	"target": [
		{
			"id": "00u6eup97mAJZWYmP357",
			"type": "User",
			"alternateId": "[email protected]",
			"displayName": "Thomas Kinsella"
		}
	],
	"transaction": {},
	"debugContext": {
		"debugData": {
			"privilegeGranted": "Organization administrator, Application administrator (all)",
			"requestUri": "/api/internal/administrators/00u6eu8c68bb72a21b57",
			"threatSuspected": "false",
			"url": "/api/internal/administrators/00u6eu8c68bb72a21b57",
			"requestId": "X777JJ9sssQQHHrrrQTyYQAABBE"
		}
	},
	"authenticationContext": {},
	"securityContext": {}
}Code language: JSON / JSON with Comments (json)

Once these logs have been processed and normalized by Panther, they can be queried with SQL to review similar past events so that we can understand what ‘normal’ activity looks like, and ultimately, write high-fidelity detections.

For example, if Panther is configured with Snowflake as the data store, the following query will display all previous events where an account was granted administrator privileges.

SELECT *
FROM panther_logs.public.okta_systemlog
WHERE eventType = 'user.account.privilege.grant'
AND outcome:result = 'SUCCESS'
AND debugContext:debugData:privilegeGranted LIKE '%dministrator'Code language: SQL (Structured Query Language) (sql)

Now that we understand how to work with the data once it’s collected, let’s convert this query to a Panther real-time Python rule.

Generating High-Value Alerts

In this scenario, our objective is to generate an alert each time a new user is granted “Administrator” privileges in Okta. In the previous event, we saw the following:

  • Who: Jack Naglieri is granting Organization & Application administrator
  • To: Thomas Kinsella
  • From: IP 194.88.246.242
Administrator Roles

In Panther, we can enable the following built-in rule to flag these events:

import re

def rule(event):
    return (
        event['eventType'] == 'user.account.privilege.grant' and
        event['outcome'].get('result', '') == 'SUCCESS' and bool(
            re.search(
                r'[aA]dministrator',
                event['debugContext']['debugData'].get('privilegeGranted'))))Code language: Python (python)

When True is returned from the rule() function, an alert will be generated for the security team to review.

Each alert includes a high-level overview, a summary of common attributes across all alert-generating events, and the normalized event logs that triggered the alert.

Review details for an alert
Review details for an alert

To save time and build repeatable processes for triaging alerts, a platform like Tines is utilized to automate follow-up actions that may help resolve these alerts without manual intervention.

Adding Context for Powerful Automation

To build intelligent and robust automation, Tines can use events from generated alerts to respond accordingly. In Panther, security analysts can build their detections with automation in mind by leveraging the alert_context() function to include arbitrary JSON data, such as event metadata, in the alert.

In this case, we add the following code to our rule to include in our alert the user triggering the activity (actor), the receiving user (target), metadata about the actor request (client), and all detected IPs (from Panther’s standard fields):

def alert_context(event):
    return {
        'ips': event.get('p_any_ip_addresses', []),
        'actor': event['actor'],
        'target': event['target'],
        'client': event['client'],
    }Code language: Python (python)

The generated context is appended to alert events in a key called p_alert_context, and when the JSON is loaded, looks like this:

{
  "ips": [
    "194.88.246.242"
  ],
  "actor": {
    "id": "00uu1uuuuIlllaaaa356",
    "type": "User",
    "alternateId": "[email protected]",
    "displayName": "Jack Naglieri"
  },
  "target": [
    {
      "id": "00u6eup97mAJZWYmP357",
      "type": "User",
      "alternateId": "[email protected]",
      "displayName": "Thomas Kinsella"
    }
  ],
  "client": {
    "userAgent": {
      "browser": "CHROME",
      "os": "Mac OS X",
      "rawUserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36"
    },
    "geographicalContext": {
      "geolocation": {
        "lat": 37.7852,
        "lon": -122.3874
      },
      "city": "Coupvray",
      "state": "Coupvray",
      "country": "France",
      "postalCode": "77700"
    },
    "zone": "null",
    "ipAddress": "194.88.246.242",
    "device": "Computer"
  }
}Code language: JSON / JSON with Comments (json)

Panther aggregates and analyzes groups of events in a single detection, so this context is helpful for the post-processing of alerts. You can include any information you’d like here, whether it’s from the relevant event or not.

These events will be transmitted to Tines with a webhook, which can be configured as a Destination within Panther and associated with our Rule either by severity or specifically with a destination override:

Set an alert destination for a specific rule
Configure Webhook as an alert destination
Set an alert destination for a specific rule
Set an alert destination for a specific rule

Now that all the pieces are in place, let’s take action on this alert with Tines!

Triaging Alerts with Automation in Tines

The first action-item after receiving an alert about privilege escalation may be to ping the user on Slack and ask them to confirm whether the activity was legitimate. If the user responds, “Yes”, then the security team might deem the action authorized and close the alert. If the user responds, “No”, the security team may escalate the incident and lock the affected user’s account.

Additionally, we can also apply a layer of threat intelligence lookups on the IP address. In Tines, workflows can be created to automate this type of incident escalation.

Tines will receive events looking like:

Tines Events
Tines Events

Next, using the drag and drop workflow builder in Tines, we can automate the following remediation actions:

  • Lookup the client’s IP address in VirusTotal and GreyNoise
  • If the IP is deemed malicious, ping the user on Slack to confirm their actions
  • If they don’t recognize the action, create a new case in the Hive and lock the account in Okta
  • If they do recognize the activity, take no additional action
The Tines Story visualized
The Tines Story visualized

If the workflow’s predefined requirements are met, then the user will be pinged on Slack to confirm the activity:

The automated Slack message
The automated Slack message to confirm the suspicious activity

And if they click, “I don’t recognize this”, then a case in the Hive is created, and the user account in Okta is locked out.

This is just one example workflow, but the options are endless!

Wrapping Up

Maintaining strong security as a company grows can be difficult. This problem is exacerbated by the rapidly growing scale of cloud environments. By applying automation to your security operations, you can reduce manual work, save valuable time, and decrease burnout across your SOC.

Get started today by running Panther and Tines together! Power better security outcomes across your organization and build a robust, end-to-end security pipeline using Python, SQL, and drag and drop automation workflows. Request a demo today.

Table of Contents

Recommended Resources

Escape Cloud Noise. Detect Security Signal.
Request a Demo