Integrate External Attack Surface Management (EASM) with Microsoft Sentinel
- Get a free community account at RiskIQ Community Edition.
- Go to the playbook folder in the Azure-Sentinel GitHub repository: Azure-Sentinel/Solutions/RiskIQ/Playbooks (master branch).
- The Deploy to Azure button is broken on most of the playbooks, so you'll need to import the JSON files manually. Scroll down and select deploy.json to get the raw JSON:
- In the Azure Portal, select Deploy a Custom Template and then Build your own template in the editor:
- Delete the default text and paste in the Raw JSON file, and then save.
- For playbooks with both Incident and Alert JSON files, append 'Incident' or 'Alert' to the Playbook name; otherwise the second import will overwrite the first.
- When you create the RiskIQ API connector in your first Logic Apps Playbook, make sure you use the Organization API key:
- After you've created at least one Incident playbook, go back to Sentinel and add the playbook automation to the Analytics rule template Create incidents based on Azure Active Directory Identity Protection.
- Next, generate an incident in Sentinel by downloading the Tor Browser (on a spare device, not your corporate laptop) and try to log in to one of your accounts. Enter a bad password 5 times and then sign in with your actual password. Then Deny the MFA request. (This is getting fun, right?)
Using EASM with Microsoft Sentinel
Once you've got this configured, you can use Microsoft Sentinel's built-in automation framework with your analytics rules to add context to incident investigations. The playbook queries the RiskIQ passive DNS database and retrieves any domains from the last 30 days that were associated with the IP address from the security alert. It then adds this information to the resulting security incident, giving the security team additional context for triaging it.
More About External Attack Surface Management (EASM)
Attack Surface Management (ASM) has been around for a while, but technology research firm Gartner recently began specifying External Attack Surface Management to emphasize the growing level of threat from outside an organization. EASM is an emerging product category that helps organizations identify risks in internet-facing assets and external systems that may otherwise go unnoticed. The large shift to remote work has broadened this exposure: the IP addresses in use are constantly changing and Shadow IT is common. Security teams don't always know what's happening with the organization's surfaces, which makes it very difficult to monitor and protect every potential point of attack without a tool like External Attack Surface Management. EASM offers continuous monitoring, real-time discovery, analysis of assets, prioritization of risks, and integrated remediation. For more about External Attack Surface Management in video form, see this overview by RiskIQ's Steve Ginty.
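To make the playbook's enrichment step concrete, here is an added example (not the playbook's own code, which is a Logic App) that reproduces its logic in Python against a constructed passive DNS result set: it keeps only records last seen within the 30-day window, deduplicates the domains and formats the comment added to the incident. The record field names, the timestamp format and the sample IP address are assumptions made for this example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: passive DNS results for the IP address taken from a Sentinel alert.
# The field names (resolve, lastSeen, recordType) and the timestamp format are assumptions
# made for this example, not a capture from the live RiskIQ API.
SAMPLE_ALERT_IP = "203.0.113.45"  # RFC 5737 documentation address, not a real host
SAMPLE_PDNS_RESULTS = [
    {"resolve": "login-portal.example",  "lastSeen": "2024-05-20T09:12:00Z", "recordType": "A"},
    {"resolve": "cdn.example.net",       "lastSeen": "2024-05-01T00:00:00Z", "recordType": "A"},
    {"resolve": "Login-Portal.example.", "lastSeen": "2024-05-22T18:40:00Z", "recordType": "A"},
    {"resolve": "old-host.example.org",  "lastSeen": "2023-11-02T11:00:00Z", "recordType": "A"},
    {"resolve": "mail.example",          "lastSeen": "2024-04-30T23:59:00Z", "recordType": "MX"},
]

def parse_ts(ts: str) -> datetime:
    """Parse the ISO 8601 UTC timestamp used in the sample records."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

# Fixed "now" so the example is deterministic when run offline.
SAMPLE_NOW = parse_ts("2024-05-23T00:00:00Z")

def recent_domains(results, now=SAMPLE_NOW, window_days=30):
    """Domains seen resolving to the IP inside the window, deduplicated, newest first."""
    cutoff = now - timedelta(days=window_days)
    newest = {}  # normalized name -> most recent lastSeen
    for r in results:
        seen = parse_ts(r["lastSeen"])
        if seen < cutoff:
            continue  # outside the 30-day window the playbook uses
        name = r["resolve"].lower().rstrip(".")  # normalize case and trailing dot
        if name not in newest or seen > newest[name]:
            newest[name] = seen
    return sorted(newest, key=lambda n: newest[n], reverse=True)

def build_incident_comment(ip, results, now=SAMPLE_NOW, window_days=30):
    """Text the playbook would attach to the Sentinel incident as a comment."""
    domains = recent_domains(results, now, window_days)
    if not domains:
        return f"RiskIQ passive DNS: no domains resolved to {ip} in the last {window_days} days."
    lines = [f"RiskIQ passive DNS: {len(domains)} domain(s) resolved to {ip} in the last {window_days} days:"]
    lines += [f"  - {d}" for d in domains]
    return "\n".join(lines)

if __name__ == "__main__":
    print(build_incident_comment(SAMPLE_ALERT_IP, SAMPLE_PDNS_RESULTS))
```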