Remediate unusual login alerts from a SIEM system with Slack and Google Admin

This automation handles unusual login alerts from a SIEM system, integrating tools like Panther, Slack, Google Admin, and AbuseIPDB for data enrichment and alert management. It automates incident response, saving time and improving security by allowing SOC teams to remediate threats faster and with better context.


Flow Automation Highlights

Suspicious Login Detection and Notification: When the SIEM raises a suspicious login alert, the workflow picks it up automatically instead of relying on an analyst to watch the alert queue and triage it by hand. High-risk events are therefore acted on as soon as they fire, which shortens response times and limits the window in which a compromised account can be used.

Account Suspension in Google Admin: Automatically suspending the account behind the unusual login takes seconds rather than the minutes or hours a manual intervention can require. Cutting off the account quickly limits what an attacker can do with it while the investigation continues.

IP Reputation Lookup with AbuseIPDB: The reputation check on the login's source IP address is performed automatically, so no one has to look it up by hand. The result is available alongside the alert, which removes delays in judging whether the login came from a known-abusive source and lets the team choose the remediation action faster.

Orchestration Toolbox

Panther: In this use case, Panther serves as the SIEM (Security Information and Event Management) tool responsible for detecting suspicious login activities. It generates alerts when unusual behavior is identified, triggering the automation process that handles investigation and remediation.

Slack: Slack is the communication platform where alerts and notifications are sent. It notifies security teams of suspicious login events and allows them to receive updates on actions being taken, facilitating real-time communication and collaboration throughout the remediation process.

Google Admin: Google Admin plays a critical role in managing user accounts. In this case, it is used to automatically suspend accounts involved in suspicious login activities, significantly reducing response times compared to manual interventions.

AbuseIPDB: AbuseIPDB is used to automatically check the reputation of IP addresses associated with suspicious login attempts. It helps determine if an IP is linked to reported malicious activity, speeding up the decision-making process for remediation.

Google Admin Directory: The Google Admin Directory is utilized to retrieve information about users. This integration ensures that all actions, such as user suspension, are applied to the correct accounts, streamlining the investigation and remediation workflow.
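The highlights and toolbox above describe one decision flow: take the SIEM alert, enrich the source IP with its AbuseIPDB reputation, confirm the user in the Google Admin Directory, suspend the account when the evidence warrants it, and tell the SOC in Slack. The following is an added example written for this page, not the vendor's workflow or code from Panther, Slack, AbuseIPDB or Google. It assumes a webhook alert shape with `user_email` and `source_ip` fields, a suspension policy keyed on AbuseIPDB's `abuseConfidenceScore` with an assumed threshold of 75, and an assumed Slack channel name; the two external services are replaced by constructed stand-in functions so the example runs offline, while the request it builds for Google Admin uses the real Directory API `users.update` endpoint and `suspended` field.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional

# Assumed policy: suspend when AbuseIPDB's abuseConfidenceScore is at or above this value
SUSPEND_THRESHOLD = 75
SLACK_CHANNEL = "#soc-alerts"  # assumed channel name

# Addresses that never reach a reputation service: internal ranges are not worth a lookup
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "::1/128")]

# Constructed sample alert; the field names are an assumption about the SIEM webhook shape
SAMPLE_ALERT = {
    "title": "Unusual login location for user",
    "severity": "HIGH",
    "user_email": "alice@example.com",
    "source_ip": "203.0.113.45",  # documentation (TEST-NET-3) address, constructed
}

def fake_abuseipdb_check(ip: str) -> dict:
    """Constructed stand-in that mirrors the body shape of AbuseIPDB's /api/v2/check."""
    scores = {"203.0.113.45": 92, "198.51.100.7": 10}
    return {"data": {"ipAddress": ip, "abuseConfidenceScore": scores.get(ip, 0)}}

def fake_directory_get(user_key: str) -> Optional[dict]:
    """Constructed stand-in for Admin SDK Directory users.get (fields we rely on only)."""
    users = {
        "alice@example.com": {"primaryEmail": "alice@example.com", "suspended": False},
        "bob@example.com": {"primaryEmail": "bob@example.com", "suspended": True},
    }
    return users.get(user_key)

@dataclass
class Outcome:
    user_email: str
    source_ip: str
    abuse_score: int
    suspend: bool
    reason: str
    admin_request: Optional[dict]  # Directory users.update call to make, or None
    slack_request: dict            # chat.postMessage payload for the SOC channel

def parse_alert(alert: dict) -> tuple[str, str]:
    """Pull the fields the playbook needs and refuse to act on a malformed alert."""
    try:
        email = alert["user_email"].strip().lower()
        ip = alert["source_ip"].strip()
    except (KeyError, AttributeError) as exc:
        raise ValueError(f"alert missing required field: {exc}") from exc
    ipaddress.ip_address(ip)  # raises ValueError on garbage before any external lookup
    if "@" not in email:
        raise ValueError("user_email is not an address")
    return email, ip

def ip_reputation(ip: str, check: Callable[[str], dict]) -> int:
    """Return the abuse confidence score; internal addresses are not looked up at all."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in INTERNAL_NETS):
        return 0
    return int(check(ip)["data"]["abuseConfidenceScore"])

def run_playbook(alert: dict,
                 check: Callable[[str], dict] = fake_abuseipdb_check,
                 directory_get: Callable[[str], Optional[dict]] = fake_directory_get) -> Outcome:
    """Enrich, decide, and build the side-effecting requests without sending them."""
    email, ip = parse_alert(alert)
    score = ip_reputation(ip, check)
    user = directory_get(email)
    if user is None:
        suspend, reason = False, "user not found in directory; manual review"
    elif user["suspended"]:
        suspend, reason = False, "user already suspended"
    elif score >= SUSPEND_THRESHOLD:
        suspend, reason = True, f"abuse score {score} >= {SUSPEND_THRESHOLD}"
    else:
        suspend, reason = False, f"abuse score {score} below threshold; notify only"
    admin_request = None
    if suspend:
        # Real Admin SDK Directory users.update endpoint; the auth header is omitted here
        admin_request = {"method": "PUT",
                         "url": f"https://admin.googleapis.com/admin/directory/v1/users/{email}",
                         "json": {"suspended": True}}
    text = (f":rotating_light: {alert.get('title', 'Unusual login')} | user={email} "
            f"ip={ip} abuse_score={score} action={'SUSPEND' if suspend else 'NONE'} ({reason})")
    return Outcome(email, ip, score, suspend, reason, admin_request,
                   {"channel": SLACK_CHANNEL, "text": text})

if __name__ == "__main__":
    print(run_playbook(SAMPLE_ALERT).slack_request["text"])
```

The decision and the side effects are kept apart on purpose: `run_playbook` returns the Slack payload and the Google Admin request instead of sending them, so the policy (threshold, already-suspended and unknown-user branches, no lookup for internal addresses) can be unit-tested and reviewed before a real HTTP client is wired in.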

Why Automate Incident Management?

Opportunity cost

Manual IP Reputation Checks

Delayed Account Suspension Actions

Time Spent on Data Enrichment

Impact of automation

Faster Incident Response

Real-Time Alert Enrichment

Reduced Analyst Fatigue
