Preventing Audit Muddles
As the fever of security orchestration and automation grips organizations, the first tasks to fall on the proof-of-concept anvil are usually administrative in nature. Account creation, device approval, user deprovisioning, and ticket management are popular use cases for automation and orchestration, witnessing an increase in speed, accuracy, and standardization as the machines take over.
However, there is a drawback to one-size-fits-all automation and orchestration in this case. If actions such as device approvals, device wipes, and user approvals are done using generic credentials instead of admin-specific ones, there is no accountable documentation and audit trail to fall back on in times of crisis or compliance.
Demisto’s integration with GSuite sidesteps this pitfall while maintaining the robustness of the intended orchestration and automation. Users can perform user approvals, device approvals, and device wipes using admin-specific credentials instead of generic credentials. This ensures that there is always a user attached to each action, resulting in comprehensive audit trails and task archives for future reference.
In this blog, we shall go through a device approval playbook that gets a Google authentication code and uses administrator credentials to help approve the device. We shall also see how the audit trail looks on the Google admin account. The flow is given below:
Let’s look at a snapshot of the playbook:
In brief, this playbook comes into effect when a new device has to be approved. The first playbook task provides a Google authorization link that the user must open using specific administrator credentials. After getting the token and plugging it into the second task, the device is approved and the playbook closes.
For this playbook to run, an integration with GSuite is a prerequisite.
Generate Google Auth token
Let’s look at each step in greater detail. Here’s a screenshot of the task details for the first task in the playbook’s run sequence.
The ‘Task Name’ and ‘Task Description’ tags are for adding context to the task for external viewers/users. The automation script attached to this task is GoogleAuthURL, which provides a link for device authentication. The output for the first task after a playbook run is given below:
Set token for device
The next task is used to set the token for the device. To get this token, you click on the authentication link given in the screenshot above, log in using administrator credentials, and copy the generated token. A screenshot of the token screen is given below:
After getting the token from the screen shown above, you plug it into the output fields (specifically the ‘value’ field) for the second task, as shown below.
And in these three simple steps, the device has been approved!
View audit trail
The true value of this playbook comes across when audit trails need to be viewed. If you log in as Google admin and view the device usage reports, the recently approved device will have a complete entry with the respective admin, date and timestamp of approval, and IP address.
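The flow described in the three tasks above and the audit trail it leaves, as an added Python model that is not Demisto's code and not the GoogleAuthURL script: it builds the admin sign-in link, extracts the returned code, binds the resulting token to the admin who signed in, and records each device approval with that admin's identity, timestamp and source IP. The authorization endpoint, client id, admin addresses, device ids and IP address are constructed placeholders, and the `state` check is a standard OAuth 2.0 safeguard the post itself does not discuss. The token exchange with the real token endpoint is simulated by `issue_token`.

```python
"""Model of the device-approval playbook: per-admin token, attributed audit trail.
All endpoints, ids and addresses below are constructed for illustration."""
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Set
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholder; not Google's real authorization endpoint.
AUTH_ENDPOINT = "https://auth.example.invalid/o/oauth2/auth"


def build_auth_url(client_id: str, redirect_uri: str, scope: str, state: str) -> str:
    """Return the link the admin opens to sign in with their own credentials.
    'state' is a random nonce the caller keeps and later compares, so a forged
    callback cannot hand a foreign authorization code to the playbook."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": scope,
        "state": state,
        "access_type": "offline",
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"


def code_from_callback(callback_url: str, expected_state: str) -> str:
    """Extract the authorization code from the redirect, rejecting a state mismatch."""
    qs = parse_qs(urlparse(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not belong to this login")
    code = qs.get("code", [None])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


@dataclass(frozen=True)
class AuditEntry:
    device_id: str
    action: str
    actor: str        # the admin's own identity, never a shared service identity
    timestamp: str    # ISO 8601, UTC
    source_ip: str


class DeviceApprovalService:
    """Simulated admin API: every token is bound to the principal that obtained it."""

    def __init__(self) -> None:
        self._tokens: Dict[str, str] = {}   # token -> principal
        self._shared: Set[str] = set()      # principals that are generic/shared accounts
        self.audit: List[AuditEntry] = []

    def issue_token(self, principal: str, shared: bool = False) -> str:
        """Stand-in for the code-to-token exchange; returns a token tied to 'principal'."""
        token = secrets.token_urlsafe(24)
        self._tokens[token] = principal
        if shared:
            self._shared.add(principal)
        return token

    def approve_device(self, device_id: str, token: str, source_ip: str) -> AuditEntry:
        principal = self._tokens.get(token)
        if principal is None:
            raise PermissionError("unknown or expired token")
        if principal in self._shared:
            # A generic credential leaves no accountable actor in the trail; refuse it.
            raise PermissionError(f"refusing approval with shared credential {principal!r}")
        entry = AuditEntry(device_id, "DEVICE_APPROVED", principal,
                           datetime.now(timezone.utc).isoformat(timespec="seconds"), source_ip)
        self.audit.append(entry)
        return entry

    def audit_for(self, device_id: str) -> List[AuditEntry]:
        """What an auditor sees for one device: actor, time and IP of each action."""
        return [e for e in self.audit if e.device_id == device_id]


def run_flow() -> AuditEntry:
    """Walk the three playbook steps end to end with constructed values."""
    state = secrets.token_urlsafe(16)
    build_auth_url("playbook-client-id", "https://playbook.example.invalid/cb",
                   "admin.directory.device", state)
    # Constructed callback URL standing in for what the browser returns after sign-in.
    callback = f"https://playbook.example.invalid/cb?state={state}&code=constructed-code"
    code_from_callback(callback, state)
    svc = DeviceApprovalService()
    token = svc.issue_token("alice.admin@example.invalid")
    return svc.approve_device("device-0001", token, "203.0.113.7")


if __name__ == "__main__":
    print(run_flow())
```

The refusal in `approve_device` is the model's way of making the post's point enforceable: an automation that only holds a shared credential cannot produce an attributed entry, so the service declines the action rather than writing an actor-less record.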
Device approval is only one among many actions that the GSuite integration enables. You can also approve user logins, wipe devices, and deprovision user logins using this integration.
Stay tuned for more sample playbook walkthroughs in the coming weeks! If you would like to know more about Demisto’s GSuite integration, you can watch our video walkthrough here.
If you are new to Demisto and interested in exploring the platform further, we invite you to sign up for the Demisto Community Edition.