
How to detect when a security incident occurs

Just landed a new position where I will be in charge of doing some system integrations and automations in regards to security. I have never done any integrations or automations, so this is my first rodeo. I have the following tools at my disposal:

  • Zscaler
  • Azure Sentinel
  • Microsoft Cloud App Security
  • Microsoft Power Suite
  • McAfee ePO

I have been given a list of action items to complete. A lot of them require responding to an incident as soon as it occurs, which is where I am lost. So, for example, say Zscaler detects an IA infection and we want X and X actions to happen once it is detected. How do I ensure our systems are alerted immediately after the incident occurs? I am guessing this is a matter of querying the API, but what is the proper way of setting this up with the tools I have?

Normally you would send the logs of those security tools to Log Analytics and construct KQL queries based on them.

For example, after having a custom log source for McAfee ePO, you could create a recurring query such as:

McafeeEPO
| where EventType == "ThreatEventLog"
| extend HostCustomEntity = hostname_s, AccountCustomEntity = username_s, IPCustomEntity = ipv4_s

I used https://github.com/Azure/Azure-Sentinel/blob/master/Detections/EsetSMC/eset-threats.yaml as an example; you can check for others as well.
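The following is an added example of what that recurring query looks like once packaged as a scheduled Azure Sentinel analytics rule, in the same YAML layout the linked eset-threats.yaml uses; it is not code from the answer above or from the Azure-Sentinel repository. The table name McafeeEPO_CL, the _s column names and the EventType_s filter value are assumptions about how a custom log would be ingested (custom-log tables get a _CL suffix and string columns a _s suffix), and the id is a placeholder to be replaced with a freshly generated GUID.

```yaml
# Added example, not from the original answer. Assumes a custom log table
# named McafeeEPO_CL with string columns EventType_s, hostname_s, username_s, ipv4_s.
id: 00000000-0000-0000-0000-000000000000   # placeholder: generate a new GUID per rule
name: McAfee ePO threat event detected (example)
description: |
  Raises an alert whenever a McAfee ePO threat event arrives in the custom
  log table. The mapped Host, Account and IP entities let the resulting
  incident be picked up by automation rules or a playbook.
severity: Medium
requiredDataConnectors: []            # custom log source, no built-in connector
queryFrequency: 5m                    # how often the query runs
queryPeriod: 5m                       # how far back each run looks
triggerOperator: gt                   # fire when result count > threshold
triggerThreshold: 0
tactics:
  - Execution
query: |
  McafeeEPO_CL
  | where EventType_s == "ThreatEventLog"
  | extend HostCustomEntity = hostname_s,
           AccountCustomEntity = username_s,
           IPCustomEntity = ipv4_s
entityMappings:
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: HostCustomEntity
  - entityType: Account
    fieldMappings:
      - identifier: Name
        columnName: AccountCustomEntity
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
version: 1.0.0
kind: Scheduled
```

With queryFrequency and queryPeriod both set to 5m the rule evaluates every five minutes over the last five minutes of data, so each threat event is seen by exactly one run; widening queryPeriod beyond queryFrequency makes the windows overlap and can alert twice on the same event unless the query deduplicates.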
