SecOps
Alert Detection and Notification: Alerts from Splunk are detected and notifications are sent to relevant teams. This replaces manual monitoring and alerting, ensuring immediate awareness and response to potential security threats, reducing the time taken to initiate action.
User and Event Analysis: User profiles and recent sign-in events are analyzed to assess the threat level. This task, which would typically require manual data gathering and analysis, is automated to provide quick insights, enhancing decision-making speed and accuracy.
Remediation Action Execution: Actions such as account locking, password resets, or IP blocking are executed based on analysis. Automating these critical responses ensures swift action against threats, minimizing potential damage and improving overall security posture.
Splunk: Splunk is the primary source for detecting brute-force alerts. It continuously monitors and identifies potential security threats, triggering the automated workflow to ensure timely incident response.
Slack: Slack notifies the relevant teams about detected alerts. It facilitates communication and collaboration, allowing teams to discuss and decide quickly on the necessary actions to address the threat.
Microsoft Graph: Microsoft Graph interfaces with Azure to gather user profiles and sign-in events. It is critical for analyzing user activity and determining the appropriate remediation actions, such as account locking or password reset.
VirusTotal: VirusTotal is utilized to scan and verify suspicious IP addresses. It helps assess the threat level of detected IPs and supports informed decision-making for blocking or allowing network access.
Siit: Siit is integrated to create and manage incident tickets. It ensures that all remediation actions are documented and tracked, providing a comprehensive audit trail for security incidents.
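The decision step of the workflow above, as an added example that is not the product's own code: a Splunk brute-force alert is correlated with the user's sign-in events and the VirusTotal verdict for the source IP, and mapped to the remediation actions (IP block, account lock, password reset) or a Slack notification. Field names follow the shape of Microsoft Graph's signIn resource and VirusTotal's last_analysis_stats, but every record, the thresholds and the action names are constructed assumptions.

```python
from collections import Counter

FAIL_THRESHOLD = 5        # failed sign-ins from one IP before we treat it as brute force
MALICIOUS_THRESHOLD = 3   # VirusTotal engines flagging the IP before we block it

# Constructed sign-in events shaped like Graph's signIn resource (errorCode 0 = success).
SIGN_INS = [
    {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.7", "status": {"errorCode": 50126}},
] * 6 + [
    {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.7", "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@example.com", "ipAddress": "198.51.100.2", "status": {"errorCode": 0}},
]
# Constructed VirusTotal last_analysis_stats for the source IP.
VT_STATS = {"203.0.113.7": {"malicious": 4, "suspicious": 1, "harmless": 60}}
# Constructed Splunk alert as the playbook would receive it.
ALERT = {"user": "alice@example.com", "src_ip": "203.0.113.7"}


def analyze_sign_ins(events, user):
    """Return (failed sign-ins per IP, IPs that succeeded after repeated failures)."""
    failures = Counter()
    compromised_ips = set()
    for e in events:
        if e["userPrincipalName"] != user:
            continue
        ip = e["ipAddress"]
        if e["status"]["errorCode"] != 0:
            failures[ip] += 1
        elif failures[ip] >= FAIL_THRESHOLD:
            # A success after a run of failures from the same IP: the guessing worked.
            compromised_ips.add(ip)
    return failures, compromised_ips


def triage(alert, events, vt_stats):
    """Map a brute-force alert to the remediation actions the playbook should execute."""
    user, ip = alert["user"], alert["src_ip"]
    failures, compromised = analyze_sign_ins(events, user)
    actions = []
    if vt_stats.get(ip, {}).get("malicious", 0) >= MALICIOUS_THRESHOLD:
        actions.append(f"block_ip:{ip}")
    if ip in compromised:
        # Credentials are presumed stolen: lock first, then force a reset.
        actions += [f"lock_account:{user}", f"reset_password:{user}"]
    elif failures[ip] >= FAIL_THRESHOLD:
        # Attempts failed so far: notify the team rather than lock the victim out.
        actions.append(f"notify_slack:{user} {failures[ip]} failures from {ip}")
    return actions
```

In the real pipeline, `triage` would sit between the Slack notification and the Siit ticket, with each returned action string becoming one documented remediation step in the ticket.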