SecOps

Ticket enrichment from a Sekoia Alert

Mindflow orchestrates a response to Sekoia.io alerts by creating and enriching tickets in The Hive, analyzing threats with VirusTotal and AbuseIPDB, and updating the security team via Microsoft Teams.

Flow Automation Highlights

Alert Reception and Case Creation: Mindflow takes alerts from Sekoia.io EDR and automatically creates incident tickets in The Hive. This immediate creation and categorization of incidents replaces manual input and assessment, which can be slow and inconsistent, ensuring a timely and organized response to threats.

Hash and IP Reputation Analysis: Mindflow automatically submits file hashes and IP addresses associated with an alert to VirusTotal and AbuseIPDB for reputation checks. Doing this manually for each alert would be highly time-consuming and could delay threat response. This automation brings speed and accuracy to the threat assessment phase.

User and Computer Information Retrieval: Mindflow fetches information about potentially compromised users and systems by interfacing with the Trend Micro Workload Security API and Microsoft Graph. This replaces the need to manually query different systems and databases, which would significantly slow down the incident response process.

Security Team Notification: Mindflow automates notifying and seeking confirmation from the security team through Microsoft Teams. Compared to manual notification methods, this ensures that communications are immediate, traceable, and centralized, allowing for faster collaborative decision-making and action.
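One offline way to model the four enrichment steps above, as an added Python example that is not Mindflow's or any vendor's code: the alert layout, the two reputation tables, the severity scale and the case/observable field names are assumptions standing in for the real Sekoia.io, VirusTotal, AbuseIPDB and The Hive APIs. It also applies the check a practitioner would want here: internal (RFC 1918) addresses are never sent to an external reputation service.

```python
import ipaddress

# Constructed placeholder hash (not a real sample) and a constructed Sekoia-style alert.
HEX64 = "0123456789abcdef" * 4
SAMPLE_ALERT = {
    "uuid": "alert-0001", "title": "Suspicious binary executed",
    "host": "WS-042", "user": "j.doe",
    "artifacts": {"hashes": [HEX64], "ips": ["203.0.113.10", "10.0.0.5"]},
}

# Constructed lookup tables standing in for VirusTotal / AbuseIPDB responses;
# in production, inject real client callables with the same signature.
FAKE_VT = {HEX64: {"malicious": 37, "total": 70}}
FAKE_ABUSEIPDB = {"203.0.113.10": {"abuseConfidenceScore": 92}}

def vt_lookup(h):
    return FAKE_VT.get(h, {"malicious": 0, "total": 0})

def abuse_lookup(ip):
    return FAKE_ABUSEIPDB.get(ip, {"abuseConfidenceScore": 0})

INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def external_ips(ips):
    """Drop RFC 1918 addresses: internal IPs must not be leaked to third-party services."""
    return [ip for ip in ips if not any(ipaddress.ip_address(ip) in n for n in INTERNAL)]

def enrich(alert, vt=vt_lookup, abuse=abuse_lookup):
    """Turn one alert into a case payload (assumed The Hive-like shape) with scored observables."""
    observables, score = [], 0.0
    for h in alert["artifacts"]["hashes"]:
        r = vt(h)
        ratio = r["malicious"] / r["total"] if r["total"] else 0.0  # detection ratio
        score = max(score, ratio)
        observables.append({"dataType": "hash", "data": h, "ioc": ratio >= 0.2,
                            "tags": [f"vt:{r['malicious']}/{r['total']}"]})
    for ip in external_ips(alert["artifacts"]["ips"]):
        r = abuse(ip)
        conf = r["abuseConfidenceScore"] / 100  # AbuseIPDB confidence is 0-100
        score = max(score, conf)
        observables.append({"dataType": "ip", "data": ip, "ioc": conf >= 0.5,
                            "tags": [f"abuseipdb:{r['abuseConfidenceScore']}"]})
    # Assumed 1-4 severity scale: worst reputation score drives the case severity.
    severity = 4 if score >= 0.75 else 3 if score >= 0.5 else 2 if score > 0 else 1
    return {"title": f"[Sekoia] {alert['title']} on {alert['host']}", "severity": severity,
            "tags": [f"host:{alert['host']}", f"user:{alert['user']}", f"sekoia:{alert['uuid']}"],
            "observables": observables}

def teams_summary(case):
    """One-line text for the Teams notification step."""
    iocs = [o["data"] for o in case["observables"] if o["ioc"]]
    return f"{case['title']} | severity {case['severity']} | IOCs: {', '.join(iocs) or 'none'}"
```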

Orchestration Toolbox

Sekoia.io: In this use case, Sekoia.io EDR functions as the initial detection system, providing alerts on potential security incidents. Its role is to capture and forward detailed alert data, which would require extensive manual review and action without automation.

The Hive: The Hive is the incident management platform where tickets are created and enriched with data from various sources. It centralizes incident information and streamlines response actions, automating processes typically involving several disjointed manual steps.

VirusTotal: VirusTotal analyzes and validates the security of file hashes from alerts. It plays a crucial role in the automated assessment of potential threats, speeding up the validation process that would otherwise be a bottleneck if done manually.

AbuseIPDB: AbuseIPDB provides IP reputation data, helping to ascertain the risk associated with an IP address mentioned in an alert. Automating this task allows for immediate and thorough risk assessment compared to the slower and less comprehensive manual checks.

Trend Micro Workload Security: Its API retrieves detailed security and configuration information about affected systems. It replaces what would typically be a manual, time-consuming task of gathering data from various system logs and configuration management databases.

Microsoft Graph—Users: Microsoft Graph for Users obtains information from Active Directory about users who may be involved in the alert. Automation eliminates the need for manual directory searches, speeding up user identification.

Microsoft Teams: Microsoft Graph for Teams communicates alert information and actions to the security team within Microsoft Teams. This ensures that the team is promptly informed and can collaborate on the response, whereas communication would be slower and possibly less organized manually.

Why Automate EDR Alerts?

Opportunity cost

Delayed Incident Response

Manual Data Correlation

Increased Human Error

Impact of automation

Rapid Alert Verification

Enhanced Ticket Enrichment

Coordinated Security Updates
