SIEMs are usually considered the brains of an organization, providing real-time collection, enrichment, and logging of data across a variety of sources. But, taking this biological analogy further, a brain's actionable functions are limited without a nervous system to carry out its orders. Over the past few years, security automation and orchestration tools have fulfilled this purpose, functioning in concert with SIEMs to enable SOC readiness across the incident lifecycle.
Demisto has powerful integrations with a host of SIEM platforms. In this article, we will go through Demisto's bi-directional integration with McAfee ESM and some illustrative use cases that highlight user benefits.
Users can now combine the data visibility, correlation, and threat intelligence capabilities of McAfee ESM with the security orchestration and automation features of Demisto to achieve rich, multi-source context and accelerated incident response.
- Ingest and triage alert data from McAfee ESM into Demisto Enterprise.
- Trigger specific Demisto playbooks in response to McAfee ESM alerts, both to gather more information about the alerts and to respond to them.
- Leverage hundreds of Demisto product integrations to further enrich McAfee ESM alerts and coordinate response across security functions.
- Run thousands of commands (including McAfee ESM commands) interactively via a ChatOps interface while collaborating with other analysts and Demisto’s chatbot.
USE CASE #1
Automated incident ingestion and response
If a security analyst uses different solutions for event logging and investigation actions respectively, it can be tough to track the lifecycle of an incident due to flitting between screens, fragmented information, and lack of single-window documentation.
If a SOC uses McAfee ESM as its SIEM and Demisto Enterprise for security orchestration and automation, it can configure specific alert types in McAfee ESM to create an incident in Demisto and trigger a playbook. This playbook will orchestrate investigation actions across the suite of products that the SOC uses – including threat feeds, endpoint solutions, ticket management, and malware analysis – in a single screen and seamless workflow.
Demisto playbooks and investigation toolkits can gather additional information needed for triage and resolution of McAfee ESM alerts. Analysts get a comprehensive view of the incident’s lifecycle, can access documentation from a single source, and forego the need to switch between screens while performing investigation actions.
To learn more about our McAfee ESM integration, read the solution brief.
USE CASE #2
Interactive, real-time investigation for complex threats
While standardized, repeatable playbooks can automate commonly performed tasks to ease analyst load, an attack investigation usually requires additional tasks such as pivoting from one suspicious indicator to another to gather critical evidence, drawing relations between incidents, and finalizing resolution. Running these commands traps analysts in a screen-switching cycle during investigation and a documentation-chasing cycle after investigations end.
After running enrichment playbooks, analysts can then gain greater visibility and new actionable information about the attack by running McAfee ESM commands in the Demisto War Room. For example, if playbook results throw up alert details, analysts can fetch fields and case details for those alerts, get user lists, or search the ESM database for specific information. Analysts can also run commands from other security tools in real-time using the War Room, ensuring a single-console view for end-to-end investigation.
The War Room will document all analyst actions and suggest the most effective analysts and command-sets with time.
The War Room allows analysts to quickly pivot and run the specific commands relevant to incidents in their network from a common window. All participating analysts have full task-level visibility of the process and can run and document commands from the same window. This also removes the need to collate information from multiple sources for documentation.
We hope you found this integration overview helpful. To explore Demisto in greater detail, you can access the Free Community Edition below.
Stay tuned for more product integration walkthroughs in the coming weeks.