Within a few weeks of starting at Swimlane, our CEO Cody Cornell mentioned the Microsoft Graph Security Hackathon—put on by the Microsoft Graph Security team and DevPost. After assembling a team and a lot of hard work, we were notified yesterday that our submission earned runner up!
We were extremely excited to participate in this unique event as we were about to begin our development of our Microsoft Graph Security API bundle, and this would be the perfect opportunity for us to showcase the power of Swimlane.
After brainstorming with fellow engineers, we decided we didn’t just want to use the rich data that comes from Microsoft Graph Security APIs. We wanted to provide additional context around Graph Security Alerts so that other internal teams could utilize this information to protect their piece of an organization.
Our entry titled “Microsoft Graph Security – Security Alerts Enrichment” focuses on consuming Microsoft Graph Security API alerts. Swimlane ingests these alerts on a daily (configurable) basis. Once each alert is ingested, we then look at all values in the JSON response for any IP address, hash or URL matching several regex patterns. If any identified data is found, we then create a separate application record containing details about the Graph Security Alert.
Within our new application—which contains our extracted findings—we then perform enrichment using five different enrichment sources. We stopped at five for this hackathon, but this can be any number of enrichment sources you would like to use.
Shown here are three of the enrichment sources and their individual findings. We used our existing bundles for VirusTotal, Hybrid Analysis and ThreatMiner. These enrichment sources then return an individual threat score, as well as additional context that we can use when generating our internal threat intelligence feed.
Once all our integrations have completed on an individual record, a threat feed is generated automatically based on a predefined format. We then use our GitHub bundle to automatically append the identified information within an internal GitHub repository so that other teams can use this information for their threat hunting initiatives or to integrate into other services within an organization. The capabilities are endless.
There is a lot of information within this record, so we used the built-in GitHub built-in feature, “GitHub Pages,” to better visualize the data being appended to our files.
With our submission we knew we wanted to show the power of security orchestration and automation, but we didn’t want to leave out the crucial piece, response!
The response portion of our submission includes the capability of automatically taking identified threats over a configurable threshold and adding a firewall rule to a Palo Alto Panorama firewall’s block list.
Even if you don’t have a Palo Alto Panorama, our submission (and Swimlane) is completely customizable. This means you can add the block to any number of appliances, endpoint protection applications, proxies, etc.
We are happy that our submission was selected as the runner up in this year’s competition, and Swimlane is looking forward to future hackathon events that showcase the power of SOAR.
*** This is a Security Bloggers Network syndicated blog from Swimlane authored by Josh Rickard. Read the original post at: https://swimlane.com/blog/swimlane-hackathon-submission-2019/