Aggregated Data, Automated Response
New cybersecurity threats are continually emerging to target enterprises by utilizing multiple attack vectors and evolving entry points. Facing this challenge, security teams often expend time that could be better spent quelling the attack collecting data from disparate sources and performing repeatable tasks instead. SOCs need a security tool stack that empowers analysts with access to rich, correlated data, and automates repeatable tasks so that teams have the time and energy they need for incident resolution.
Analysts can now leverage Demisto’s security orchestration and automation capabilities with LogRhythm’s deep data collection, preparation, and security analysis for efficient and accelerated threat detection and incident response.
- Ingest alarms from LogRhythm to create incidents in Demisto and trigger automated triage, enrichment, and response through playbooks.
- Access LogRhythm alarms and associated statuses and comments for deeper investigations in Demisto.
- Update LogRhythm alarm statuses and comments from within Demisto to provide continued access to LogRhythm monitoring and reporting.
- Leverage hundreds of Demisto product integrations to further enrich threat detection alarms from LogRhythm and coordinate response across security functions.
- Run 1000s of commands (including for LogRhythm) interactively via a ChatOps interface while collaborating with other analysts and Demisto’s chatbot.
USE CASE #1
Automated alarm ingestion, enrichment, and response
If SOCs use multiple solutions for data/log enrichment and incident response, it can be tough to track the lifecycle of an incident due to screen switching, data fragmentation, and lack of single-window documentation. Analysts spend time completing low-level tasks that can be better spent resolving the incident.
If SOCs use LogRhythm NextGen SIEM for data enrichment and threat detection and Demisto Enterprise for security orchestration and automation respectively, they can automate incident creation in Demisto for each alarm type in LogRhythm. They can also trigger playbooks to execute upon incident creation. These playbooks orchestrate enrichment and response actions across the entire stack of products that a SOC uses in a single screen and seamless workflow.
For example, analysts can create tickets, quarantine endpoints, retrieve PCAPs, and send emails as automatable playbook tasks.
LogRhythm’s rich insights and data coupled with Demisto playbooks can speed up incident triage and resolution. Analysts can get a comprehensive view of the incident’s lifecycle, access documentation from a single source, and forego the need to switch between screens while performing investigation actions.
To learn more about Demisto's LogRhythm integration, read our joint solution brief
USE CASE #2
Interactive, real-time investigation for complex threats
While standardized, repeatable playbooks can automate commonly performed tasks to ease analyst load, an investigation requires additional tasks such as pivoting from one suspicious indicator to another to gather critical evidence, drawing connections between incidents, and finalizing resolution. For organizations that depend on multiple security technologies, performing these tasks traps analysts in a screen-switching cycle during investigation and a documentation-chasing cycle after investigations end.
After running enrichment playbooks, analysts can gain greater visibility and new actionable information about the attack by running LogRhythm commands in the Demisto War Room. For example, if playbook results present alarm details from LogRhythm, analysts can access a list of events related to that alarm and associated statuses/comments by running the respective LogRhythm command. Analysts can also run commands for other security tools in real time using the War Room, providing a single-console view for end-to-end investigation.
The War Room will document all analyst actions and over time will suggest the most effective analysts and command-sets.
The War Room allows analysts to quickly pivot and run unique commands relevant to incidents in their network from a common window. All participating analysts will have full task-level visibility of the process and be able to run and document commands from the same window. They will also prevent the need for collating information from multiple sources for documentation.
We hope you found this integration overview useful. To explore Demisto in greater detail, you can download the Free Community Edition below.