Improved Visibility, Faster Response
Security teams face serious challenges in safeguarding critical data and assets against attacks. We live our lives and conduct our business today over a confluence of network, cloud, and mobile environments, leading to an expanded threat surface and ballooning alert volumes. Incident responders need a security product stack that enables alert ingestion across sources, rich and correlated threat context, and accelerated remediation. With the surfeit of data out there, tools that drive data to action are the need of the hour.
Our users can now leverage the Microsoft Graph Security API to integrate deep security insights from Microsoft products, services, and partners with the security orchestration and automation capabilities of Demisto. The integration provides users with an actionable hub for alert ingestion, enrichment, and response at scale.
- Fetch alerts from all Microsoft Graph Security providers into Demisto to kick off automated, process-driven playbooks for enrichment and response.
- Get detailed alert information in a common schema from the Graph Security API – such as network connections, user states, processes, and registry keys – by running commands or automating tasks within Demisto.
- Update alerts via the Graph Security API from within Demisto.
- Further enrich data from the Graph Security API with intelligence from other security products via Demisto's orchestration.
- Interactively run thousands of commands (including Graph Security API commands) via a ChatOps interface while collaborating with other analysts and Demisto's chatbot.
Use Case #1
Automated threat ingestion, enrichment, and response
If SOCs use multiple solutions for data/log enrichment and incident response, it can be tough to track the lifecycle of an incident due to screen switching, data fragmentation, and lack of single-window documentation. Analysts spend time completing low-level tasks that can be better spent resolving the incident.
SOCs can streamline operations by using the Microsoft Graph Security API to aggregate and integrate data across security technologies, and Demisto Enterprise for automating and orchestrating enrichment and response actions across the security product stack. They can automate incident creation in Demisto for each alert type accessible through the Graph Security API, and trigger playbooks to execute upon incident creation. These playbooks orchestrate enrichment and response actions across security products in a single screen and seamless workflow.
For example, analysts can create tickets, quarantine endpoints, retrieve PCAPs, and send emails as automatable playbook tasks.
Microsoft Graph Security provides easy access to rich insights and data. This data, coupled with Demisto’s actionable playbooks, can speed up incident triage and resolution. Analysts can get a comprehensive view of the incident’s lifecycle, access documentation from a single source, and forego the need to switch between screens while performing investigation actions.
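To make the ingestion step concrete, here is an added example (not Demisto's or Microsoft's code) of the polling loop a SOAR integration runs against the Graph Security alerts endpoint: each cycle asks for alerts created since the last run, follows `@odata.nextLink` pagination, maps every new alert into an incident that surfaces the common-schema evidence playbooks pivot on (network connections, user states), and remembers where it stopped so that alerts sharing a timestamp are neither skipped nor ingested twice. It also builds the body for the alert update call; the v1.0 API requires `vendorInformation` on a PATCH, which is a detail that trips up first attempts. The HTTP GET is injected and replaced with a fake serving constructed sample alerts, so the block runs offline; the severity mapping and incident field names are assumptions, not the platform's own schema.

```python
# Added example (not Demisto's or Microsoft's code): one "fetch incidents" cycle
# against GET https://graph.microsoft.com/v1.0/security/alerts, plus the body for
# PATCH /security/alerts/{id}. Assumes the v1.0 alert schema; the HTTP layer is
# injected so a fake can serve constructed data offline.
from __future__ import annotations

import json
from datetime import datetime
from typing import Callable
from urllib.parse import parse_qs, urlencode, urlsplit

GRAPH_ALERTS_URL = "https://graph.microsoft.com/v1.0/security/alerts"

# Assumed mapping from Graph severity strings to a SOAR severity scale (0 unknown .. 4 critical).
SEVERITY_MAP = {"unknown": 0, "informational": 0.5, "low": 1, "medium": 2, "high": 3}

# Constructed sample alerts in the Graph Security common schema (not real data).
SAMPLE_ALERTS = [
    {"id": "alert-001", "title": "Suspicious PowerShell", "severity": "high", "status": "newAlert",
     "createdDateTime": "2023-01-10T08:00:00Z",
     "vendorInformation": {"provider": "Windows Defender ATP", "vendor": "Microsoft"},
     "networkConnections": [{"destinationAddress": "203.0.113.7", "destinationPort": "443"}],
     "userStates": [{"accountName": "jdoe", "domainName": "corp.example"}]},
    {"id": "alert-002", "title": "Impossible travel", "severity": "medium", "status": "newAlert",
     "createdDateTime": "2023-01-10T08:00:00Z",  # same timestamp as alert-001 on purpose
     "vendorInformation": {"provider": "Azure AD Identity Protection", "vendor": "Microsoft"},
     "networkConnections": [], "userStates": [{"accountName": "asmith", "domainName": "corp.example"}]},
    {"id": "alert-003", "title": "Malware detected", "severity": "low", "status": "inProgress",
     "createdDateTime": "2023-01-10T09:30:00Z",
     "vendorInformation": {"provider": "Office 365 ATP", "vendor": "Microsoft"},
     "networkConnections": [], "userStates": []},
]


def _ts(value: str) -> datetime:
    """Parse the ISO 8601 UTC timestamps Graph returns (trailing 'Z')."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def fake_graph_get(url: str) -> dict:
    """Stand-in for an authenticated GET: serves SAMPLE_ALERTS page by page. It honours
    $top / $skiptoken but ignores $filter, which is exactly why the client re-checks
    createdDateTime itself instead of trusting the server-side filter blindly."""
    qs = parse_qs(urlsplit(url).query)
    top = int(qs.get("$top", ["100"])[0])
    start = int(qs.get("$skiptoken", ["0"])[0])
    body = {"value": SAMPLE_ALERTS[start:start + top]}
    if start + top < len(SAMPLE_ALERTS):
        body["@odata.nextLink"] = f"{GRAPH_ALERTS_URL}?$top={top}&$skiptoken={start + top}"
    return body


def alert_to_incident(alert: dict) -> dict:
    """Map one Graph alert into a SOAR incident record (field names are assumed)."""
    vendor = alert.get("vendorInformation", {})
    return {
        "name": f"{vendor.get('provider', 'unknown')}: {alert.get('title', '')}",
        "occurred": alert["createdDateTime"],
        "severity": SEVERITY_MAP.get(alert.get("severity", "unknown"), 0),
        "dedup_key": alert["id"],
        "destinations": [f"{c.get('destinationAddress')}:{c.get('destinationPort')}"
                         for c in alert.get("networkConnections", [])],
        "users": [f"{u.get('domainName')}\\{u.get('accountName')}" for u in alert.get("userStates", [])],
        "rawJSON": json.dumps(alert),  # keep the full alert for playbook context
    }


def fetch_new_alerts(last_run: dict | None, get: Callable[[str], dict],
                     page_size: int = 2) -> tuple[list[dict], dict]:
    """One polling cycle. last_run holds the newest createdDateTime already ingested and
    the alert ids seen at that exact timestamp; querying with 'ge' and skipping those ids
    avoids both the gap a strict 'gt' would leave and duplicate incidents."""
    state = last_run or {}
    since = state.get("time", "1970-01-01T00:00:00Z")
    seen = set(state.get("ids", []))
    params = {"$filter": f"createdDateTime ge {since}", "$orderby": "createdDateTime asc",
              "$top": page_size}
    url: str | None = f"{GRAPH_ALERTS_URL}?{urlencode(params)}"
    incidents, newest, newest_ids = [], since, set(seen)
    while url:  # follow OData pagination until no nextLink
        body = get(url)
        for alert in body.get("value", []):
            created = alert["createdDateTime"]
            if _ts(created) < _ts(since) or alert["id"] in seen:
                continue  # defensive re-check of the time window and dedup set
            incidents.append(alert_to_incident(alert))
            if _ts(created) > _ts(newest):
                newest, newest_ids = created, {alert["id"]}
            elif _ts(created) == _ts(newest):
                newest_ids.add(alert["id"])
        url = body.get("@odata.nextLink")
    return incidents, {"time": newest, "ids": sorted(newest_ids)}


def build_alert_update(alert: dict, status: str, assigned_to: str, feedback: str | None = None) -> dict:
    """Body for PATCH /security/alerts/{id}: v1.0 requires vendorInformation on updates,
    so it is copied from the alert being updated; status/feedback are validated enums."""
    if status not in {"unknown", "newAlert", "inProgress", "resolved"}:
        raise ValueError(f"invalid alertStatus: {status}")
    if feedback is not None and feedback not in {"unknown", "truePositive", "falsePositive", "benignPositive"}:
        raise ValueError(f"invalid alertFeedback: {feedback}")
    vendor = alert["vendorInformation"]
    body = {"status": status, "assignedTo": assigned_to,
            "vendorInformation": {"provider": vendor["provider"], "vendor": vendor["vendor"]}}
    if feedback is not None:
        body["feedback"] = feedback
    return body


if __name__ == "__main__":
    first, state = fetch_new_alerts(None, fake_graph_get)
    second, state = fetch_new_alerts(state, fake_graph_get)
    print(len(first), "new incidents, then", len(second), "on the next cycle; state:", state)
    print(json.dumps(build_alert_update(SAMPLE_ALERTS[0], "inProgress", "analyst@corp.example"), indent=2))
```

The stored `ids` set matters more than it looks: providers batch alerts, so several commonly share one `createdDateTime`, and a cursor that only keeps the timestamp will either drop or duplicate them at the boundary. In a real integration, replace `fake_graph_get` with an OAuth2 client-credentials call carrying the `SecurityEvents.Read.All` / `SecurityEvents.ReadWrite.All` application permissions, and keep the client-side re-check; it costs nothing and catches a mis-built filter.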
Use Case #2
Real-time investigation for complex, evolving threats
While standardized, repeatable playbooks can automate commonly performed tasks to ease analyst load, an investigation requires additional tasks such as pivoting from one suspicious indicator to another to gather critical evidence, drawing connections between incidents, and finalizing resolution. For organizations that depend on multiple security technologies, performing these tasks traps analysts in a screen-switching cycle during investigation and a documentation-chasing cycle after investigations end.
After running enrichment playbooks, analysts can gain greater visibility and new actionable information about the attack by running Microsoft Graph Security API commands in the Demisto War Room. For example, if playbook results present alert details, analysts can access the network connections and user states connected to that alert by running the respective Graph Security API command. Analysts can also run commands for other security tools in real time using the War Room, providing a single-console view for end-to-end investigation.
The War Room documents all analyst actions and, over time, suggests the most effective analysts and command sets for similar incidents.
The War Room allows analysts to quickly pivot and run the commands relevant to incidents in their network from a common window. All participating analysts have full task-level visibility of the process and can run and document commands from the same window, which also removes the need to collate information from multiple sources for documentation.
We hope you found this integration overview useful. To explore Demisto in greater detail, you can download the Free Community Edition below.