0

Just landed a new position where I will be in charge of doing some system integrations and automations in regards to security. I have never done any integrations or automations so this is my first rodeo. I have the following tools at my disposal:

  • ZScaler
  • Azure Sentinel
  • Microsoft Cloud App Security
  • Microsoft Power Suite
  • Mcafee EPO

I have been given a list of action items to complete. A lot of them require responding to an incident as soon as it occurs, which is where I am lost. So for example, say Zscaler detects an IA infection and we want X and X actions to happen once detected. How do I ensure our systems are alerted immediately after the incident occurs? I am guessing this is a matter of querying the API, but what is the proper way of setting this up with the tools I have?

Erik Oppedijk
  • 3,496
  • 4
  • 31
  • 42
KennyT
  • 1
  • 1

1 Answers1

0

Normally you would send the logs of those security tools to Log Analytics, and could construct KQL queries based on them.

For example after having a custom log source for McAfee EPO, you could create a recurring query such as

McafeeEPO | where EventType = ThreatEventLog | extend HostCustomEntity = hostname_s, AccountCustomEntity = username_s, IPCustomEntity = ipv4_s

I used https://github.com/Azure/Azure-Sentinel/blob/master/Detections/EsetSMC/eset-threats.yaml as an example, you can check for others as well.

inverzeio
  • 525
  • 2
  • 10