Are the alerts flowing in from the desktops, laptops and devices you manage beginning to resemble the incessant chatter of a hundred (or thousand) minions? If a malicious threat is detected, how does your team go about understanding attack context and remediating the problem at scale, especially if multiple endpoints are impacted?
Understanding attack components and context can involve coordinating between different systems to capture, collect and correlate data. These tasks are often manual, repetitive and a time sink for your team. The remediation that follows the investigation is also often handled by various team members on an ad hoc basis.
The Demisto and Microsoft Defender Advanced Threat Protection (ATP) integration provides IT Security teams with broad visibility and protection across their endpoint devices and helps them drive scalable responses via automated data enrichment and incident response.
Run Microsoft Defender ATP queries from within Demisto for real-time investigations or for use in playbooks.
Ingest Microsoft Defender ATP alerts into Demisto to trigger playbooks for standardized incident response across multiple endpoints.
Leverage other Microsoft and 3rd party product integrations within Demisto to enrich incident data for investigations or to coordinate response across security functions.
Run commands (including for Microsoft Defender ATP) interactively via a ChatOps interface while collaborating with other analysts.
Use Case #1: Automated Incident Response Across Endpoints
Attempting to manually respond to incoming alerts is both inefficient and slow. In cases where multiple endpoints are infected, it can take days to remediate and restore these endpoints to their normal state.
Microsoft Defender ATP alerts can trigger Demisto playbooks that orchestrate actions across multiple endpoints in a single seamless workflow. For example, IT Security teams can use automated playbook tasks to initiate anti-virus scans, retrieve machine status or contextual user data, isolate infected machines and send end-user communications simultaneously across multiple endpoints.
Demisto playbooks standardize and speed up triage and resolution of alerts, eliminating rote work for the IT Security team and improving mean time to respond (MTTR).
Use Case #2: Coordinate Response Across Security Functions
IT Security teams often have to coordinate between endpoint tools and other security tools, keeping multiple consoles open simultaneously and spending valuable time cross-referencing data between them. Because the information is fragmented across multiple locations, it is easy to miss critical indicators of compromise lurking across a network.
Demisto playbooks help unify the capabilities of multiple Microsoft products and the entire security product stack in a single workflow, standardizing incident response across disparate networks, such as on-premises and cloud environments. For example, when a Microsoft Defender ATP alert triggers a Demisto playbook, the playbook can generate a case management ticket for the incident from within Demisto, extract any file hashes and check hash reputation against threat intelligence sources. If a hash is determined to be malicious, the playbook can scan other endpoints for the presence of that hash and trigger actions (e.g. notify a security administrator for further investigation or isolate the affected endpoints), rather than treating only the machine that raised the alert. Similar remediation actions can also be performed across the Azure cloud environment. Finally, once the problem is addressed, actions can be taken to automatically restore (undo isolation) the machines to their normal state.
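The flow described in Use Case #1 and Use Case #2 (open a ticket, extract hashes from the alert, check reputation, hunt for the hash on other endpoints, isolate and scan what matches, notify an administrator, and later undo the isolation) is easy to sketch as plain code. The block below is an added example written for this page, not Demisto's or Microsoft's code, and it does not use the real Defender ATP integration commands: the alert, the threat-intelligence table and the endpoint inventory are constructed in-line, and isolate, scan, notify and unisolate are stubs that only record the action they would have taken.

```python
"""Toy playbook for a Defender ATP alert (illustration only).

Every data structure here is constructed for the example. The hash values are
the well-known digests of the empty string, used as placeholders; a real alert
would carry the hashes of the files Defender ATP actually observed.
"""
import re

# Constructed sample alert. Real Defender ATP alerts carry many more fields.
SAMPLE_ALERT = {
    "id": "alert-0001",
    "machine_id": "host-a",
    "title": "Suspicious process launched from temp folder",
    "evidence": (
        "file dropper.exe "
        "sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 "
        "parent cmd.exe md5=d41d8cd98f00b204e9800998ecf8427e"
    ),
}

# Constructed threat-intel lookup: hash -> verdict (stands in for a real feed).
THREAT_INTEL = {
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855": "malicious",
    "d41d8cd98f00b204e9800998ecf8427e": "benign",
}

# Constructed endpoint inventory: machine -> hashes of files seen on it.
INVENTORY = {
    "host-a": {"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
               "d41d8cd98f00b204e9800998ecf8427e"},
    "host-b": {"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    "host-c": {"d41d8cd98f00b204e9800998ecf8427e"},
}

# SHA-256, SHA-1 or MD5 hex digests; longest alternative first so a 64-char
# digest is not cut into a 32-char match.
HASH_RE = re.compile(r"\b([0-9a-fA-F]{64}|[0-9a-fA-F]{40}|[0-9a-fA-F]{32})\b")


def extract_hashes(text):
    """Return the unique file hashes found in free text, lowercased and sorted."""
    return sorted({m.group(1).lower() for m in HASH_RE.finditer(text)})


def malicious_hashes(hashes, intel):
    """Keep only hashes the intel source rates malicious (unknown != malicious)."""
    return [h for h in hashes if intel.get(h) == "malicious"]


def machines_with_hash(hashes, inventory):
    """Hunt across the whole fleet, not just the machine that raised the alert."""
    wanted = set(hashes)
    return sorted(name for name, seen in inventory.items() if seen & wanted)


def run_playbook(alert, intel, inventory):
    """Orchestrate the response and return the resulting state for later steps."""
    actions = []
    ticket = f"TICKET-{alert['id']}"
    actions.append(f"create_ticket {ticket}")          # case management step
    hashes = extract_hashes(alert["evidence"])
    bad = malicious_hashes(hashes, intel)
    isolated = []
    if bad:
        for machine in machines_with_hash(bad, inventory):
            actions.append(f"isolate {machine}")         # stub for the real isolate command
            actions.append(f"run_av_scan {machine}")     # stub for the real scan command
            isolated.append(machine)
        actions.append(f"notify_admin {ticket} hashes={','.join(bad)}")
    else:
        actions.append(f"close_ticket {ticket} reason=no-malicious-hash")
    return {"ticket": ticket, "hashes": hashes, "malicious": bad,
            "isolated": isolated, "actions": actions}


def restore(state):
    """Undo isolation for every machine the playbook isolated, once resolved."""
    return [f"unisolate {m}" for m in state["isolated"]]


if __name__ == "__main__":
    state = run_playbook(SAMPLE_ALERT, THREAT_INTEL, INVENTORY)
    for line in state["actions"] + restore(state):
        print(line)
```

Two details matter more than the stubs: the hunt step consults the whole inventory, so host-b is isolated even though only host-a raised the alert, while host-c, which carries only the benign hash, is left alone; and a hash that is absent from the intel source is treated as unknown, not malicious, so a bare alert with no confirmed indicator closes its ticket instead of isolating machines.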
Process-based security operations and incident response that seamlessly connect disparate security tools, teams and infrastructures empower security teams to improve their organization’s overall security posture.
Use Case #3: Interactive, Real-Time Investigation for Complex Threats
While automated playbooks can ease analyst load, an attack investigation usually requires additional tasks such as pivoting from one suspicious indicator to another to gather critical evidence, drawing relationships between incidents and finalizing resolution.
After running playbooks, IT Security teams can gain greater visibility and new actionable information about the attack by running Microsoft Defender ATP commands in the Demisto War Room. Security administrators can query and view data in real time via the Work Plan and War Room windows. They can also run commands from other security tools in real time, giving a single-console view for end-to-end investigation. The War Room auto-documents all actions taken and, over time, recommends the appropriate subject matter experts and command sets.
All participating team members have full task-level visibility into the process and can run and document commands from the same window. Auto-documentation of all automation and team member actions allows reports to be generated quickly for executive review or post-investigation debriefs.
We hope you found this integration overview useful. To explore Demisto in greater detail, you can download our free community edition below.