Firework integration with Azure Sentinel: Leveraging new SOAR capabilities
For any modern cybersecurity team, gathering system logs in a centralized location is insufficient and only one step in the process. In order to keep up with the pace of incoming information, automation is crucial. Microsoft recognizes this with Azure Sentinel's recent developments: a platform that not only aggregates and ingests logs from multiple sources, but now also allows full orchestration and automation of response processes.
Noise reduction through risk score is only the first step
Until now, Firework users have received alerts by email and could prioritize them using our automated scoring system, which assigns higher scores to information deemed more critical. Human review, however, remained a bottleneck for organizations with a large digital footprint or limited resources (the norm for most security teams). Ingesting Firework alerts into Azure Sentinel relieves a lot of pressure from response teams: alerts, automation rules and playbooks can be set up that automate the parsing of incoming logs, the creation of alerts or incidents, and even the management of the whole incident lifecycle, without the need for manual action. Let's have a look at a few specific use cases we have developed.
Firework integration with Azure Sentinel use cases
Employee and customer leaked credentials warning
Our first use case is one that only a subset of our customers have integrated into their production environment. Although almost all would like to do so, most lack the required resources, whether time or technical skills. With Firework's leaked password database, you are warned whenever an employee's or customer's email address has been associated with a known data breach. However, once you receive the notification, it is time-consuming to warn the owner of each email address.
Our Sentinel playbook automates this whole process by sending the owner of the email address a warning about the possible breach. It is even possible to connect to your AD to get more information on the account, and to automate the closing of the alert once the password has been changed. You no longer have to manage leaked credentials manually, and all your employees will be warned in a timely manner.
Forgotten open port on sensitive infrastructure
Whether in the cloud or on premises, enterprises with large infrastructures often put strict rules in place for deploying new resources. However, we have yet to meet a cloud and infrastructure team that isn't overwhelmed by requests, which means that controlling and keeping perfect track of the privileges that have been granted is an almost impossible task.
That is why, at Flare Systems, we often rely on a concept popularized by Ronald Reagan during the Cold War: "trust but verify". We have seen numerous instances where "weird" ports (8080, 8888, 9200, etc.) on customer infrastructure were opened for anywhere from a few minutes to a few weeks, without the security or infrastructure teams being notified.
Monitoring your IP ranges in Firework means receiving alerts, directly in your Azure Sentinel instance, whenever new ports or hosts become reachable from the public internet, allowing near-instantaneous remediation of the risk. For example, in addition to warning the infrastructure team, it is possible to automatically (and perhaps temporarily) restrict the security group attached to the affected instance.
Other use cases
Similarly, when Firework finds an API key that belongs to your organization and is currently publicly available, you can set up playbooks to trigger your internal mechanism for disabling API keys.
Since Firework also monitors publicly accessible cloud storage on Azure (as well as AWS), playbooks can be set up so that an alert about a publicly accessible Azure storage bucket automatically restricts public access to the affected resource, if certain criteria are met.
Next up in the Firework integrations pipeline
Recognizing how useful integrations with SIEM, SOAR and ticketing systems can be for customers, we are committed to adding more of these to Firework. We are prioritizing the systems that are used by most of our customers. Feel free to reach out to learn more about our roadmap and potential partnerships.