Automated Detection and Response with Panther and Tines
To monitor for suspicious activity and gain operational awareness in the cloud, modern detection and response teams must process and analyze large volumes of log data from applications, networks, hosts, and cloud infrastructure. An end-to-end workflow typically involves analyzing logs, generating alerts, and triaging each alert to determine whether the activity is a true positive or a false positive.
Historically, security teams had to manually review alerts and take steps to determine whether the activity was a real indicator of compromise. But as organizations move to the cloud and data volumes explode, adding automation can help security teams increase efficiency and scale their efforts.
In this blog post, we’ll outline how security teams can use Panther and Tines to generate real-time alerts on suspicious activity, get answers from end-users, enrich data, and leverage automation to save time to focus on the issues that matter most: improving the security of your organization.
Note: Watch our on-demand webinar to learn how you can automate detection and response with Panther and Tines.
For this scenario, we’ll analyze Okta SSO logs with Panther and send an alert each time a user is granted Administrator privileges in Okta. Because SSO is the gateway for accessing internal systems, delegating Admin privileges should be highly scrutinized.
Alerts will be sent from Panther to Tines via a webhook to initiate an automated response workflow that will:
- Check whether the client IP is malicious
- Ping the user on Slack to confirm the behavior
- Depending on the user's response, create a new case and lock the account
The end-to-end workflow will look like this:
The goal of this workflow is to proactively prevent an attacker from escalating privileges and causing harm to your organization.
Collecting and Monitoring Okta Logs
The first step is to gather and analyze Okta logs. With an API token, Panther can be configured to pull this data as soon as new logs are available.
Simply add a new Source in Panther:
And add your Okta API details:
Now, Panther will poll Okta for new logs each minute. The log below is an example Okta log that we will monitor:
Once these logs have been processed and normalized by Panther, they can be queried with SQL to review similar past events so that we can understand what ‘normal’ activity looks like, and ultimately, write high-fidelity detections.
For example, if Panther is configured with Snowflake as the data store, the following query will display all previous events where an account was granted administrator privileges:
Now that we understand how to work with the data once it’s collected, let’s convert this query to a Panther real-time Python rule.
Generating High-Value Alerts
In this scenario, our objective is to generate an alert each time a new user is granted “Administrator” privileges in Okta. In the previous event, we saw the following:
- Who: Jack Naglieri is granting Organization & Application administrator
- To: Thomas Kinsella
- From: IP 188.8.131.52
In Panther, we can enable the following built-in rule to flag these events:
When True is returned from the rule() function, an alert will be generated for the security team to review.
Each alert includes a high-level overview, a summary of common attributes across all alert-generating events, and the normalized event logs that triggered the alert.
To save time and build repeatable processes for triaging alerts, a platform like Tines can be used to automate follow-up actions that may resolve these alerts without manual intervention.
Adding Context for Powerful Automation
To build intelligent and robust automation, Tines can use events from generated alerts to respond accordingly. In Panther, security analysts can build their detections with automation in mind by leveraging the alert_context() function to include arbitrary JSON data, such as event metadata, in the alert.
In this case, we add the following code to our rule to include in our alert the user triggering the activity (actor), the receiving user (target), metadata about the actor's request (client), and all detected IPs (from Panther’s standard fields):
The generated context is appended to alert events in a key called p_alert_context, and when the JSON is loaded, looks like this:
Panther aggregates and analyzes groups of events in a single detection, so this context is helpful for the post-processing of alerts. You can include any information you’d like here, whether it’s from the relevant event or not.
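The two code listings referenced above (the built-in rule and the alert_context() addition) are not reproduced on this page. The following is an added example, written for this post rather than taken from Panther's rule repository, of what a complete Panther-style Python rule for this scenario looks like: rule() fires on a successful Okta privilege grant that includes an Administrator role, title() names the parties, and alert_context() packages the actor, target, client and detected IPs for downstream automation. The Okta field names (eventType, outcome.result, debugContext.debugData.privilegeGranted) and Panther's p_any_ip_addresses standard field are real; deep_get is a local stand-in for Panther's helper of the same name; the sample event, including its e-mail addresses, is constructed.

```python
import re
from collections.abc import Mapping

# Added example (not Panther's built-in rule): a Panther-style Python rule
# that fires when an Okta privilege grant includes an Administrator role and
# attaches alert context for downstream automation.

ADMIN_ROLE = re.compile(r"administrator", re.IGNORECASE)


def deep_get(obj, *keys, default=None):
    """Walk nested mappings safely; return default when any key is missing.
    Local stand-in for Panther's deep_get helper."""
    for key in keys:
        if not isinstance(obj, Mapping):
            return default
        obj = obj.get(key)
        if obj is None:
            return default
    return obj


def rule(event):
    """Panther calls rule(event) once per log line; True generates an alert."""
    if event.get("eventType") != "user.account.privilege.grant":
        return False
    # Ignore failed grants; only a successful grant changes the admin set.
    if deep_get(event, "outcome", "result") != "SUCCESS":
        return False
    granted = deep_get(event, "debugContext", "debugData", "privilegeGranted", default="")
    return bool(ADMIN_ROLE.search(granted))


def title(event):
    """Human-readable alert title: who received admin rights, and from whom."""
    actor = deep_get(event, "actor", "displayName", default="unknown")
    targets = [t.get("displayName", "unknown") for t in event.get("target", [])]
    return f"Okta admin privileges granted to {', '.join(targets) or 'unknown'} by {actor}"


def alert_context(event):
    """Arbitrary JSON shipped with the alert (stored as p_alert_context)."""
    return {
        "actor": event.get("actor", {}),
        "target": event.get("target", []),
        "client": event.get("client", {}),
        "privilege_granted": deep_get(event, "debugContext", "debugData", "privilegeGranted"),
        "ips": event.get("p_any_ip_addresses", []),
    }


# Constructed sample event in Okta System Log shape, with Panther's
# p_any_ip_addresses standard field already populated. Names and IP are the
# ones used in this post; the e-mail addresses are made up.
SAMPLE_EVENT = {
    "eventType": "user.account.privilege.grant",
    "outcome": {"result": "SUCCESS"},
    "actor": {"type": "User", "displayName": "Jack Naglieri", "alternateId": "jack@example.com"},
    "target": [{"type": "User", "displayName": "Thomas Kinsella", "alternateId": "thomas@example.com"}],
    "client": {"ipAddress": "188.8.131.52", "userAgent": {"os": "Mac OS X", "browser": "CHROME"}},
    "debugContext": {"debugData": {"privilegeGranted": "Organization administrator, Application administrator"}},
    "p_any_ip_addresses": ["188.8.131.52"],
}

if __name__ == "__main__":
    if rule(SAMPLE_EVENT):
        print(title(SAMPLE_EVENT))
        print(alert_context(SAMPLE_EVENT))
```

Two points worth noting for a production rule: the outcome check avoids alerting on a grant that Okta rejected, and the context deliberately copies whole sub-objects (actor, target, client) rather than a few picked fields, so the automation side can change what it uses without redeploying the detection.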
These events will be transmitted to Tines with a webhook, which can be configured as a Destination within Panther and associated with our Rule either by severity or specifically with a destination override:
Now that all the pieces are in place, let’s take action on this alert with Tines!
Triaging Alerts with Automation in Tines
The first action item after receiving an alert about privilege escalation may be to ping the user on Slack and ask them to confirm whether the activity was legitimate. If the user responds “Yes”, the security team might deem the action authorized and close the alert. If the user responds “No”, the security team may escalate the incident and lock the affected user’s account.
We can also apply a layer of threat intelligence lookups on the IP address. In Tines, workflows can be created to automate this type of incident escalation.
Tines will receive events looking like:
Next, using the drag-and-drop workflow builder in Tines, we can automate the following remediation actions:
- Look up the client’s IP address in VirusTotal and GreyNoise
- If the IP is deemed malicious, ping the user on Slack to confirm their actions
- If they don't recognize the action, create a new case in TheHive and lock the account in Okta
- If they do recognize the activity, take no additional action
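The branching above is what the Tines story encodes. As an added example, not Tines' own workflow or Panther's webhook code, here is the same decision logic in plain Python so each branch can be read and unit-tested outside the drag-and-drop builder. Assumptions: the Panther webhook payload carries the rule's context under an "alertContext" key; the VirusTotal result is reduced to the number of engines flagging the IP and the GreyNoise result to its classification string; Slack replies arrive as the strings "recognized" or "not_recognized"; the actor (the account that performed the grant) is the person asked, and it is that account which is locked if they deny the action. The sample payload, including its e-mail addresses and alert id, is constructed.

```python
# Added example (not Tines' own workflow): the triage branches as plain
# Python. Payload shape, reputation inputs and reply values are assumptions.

VT_MALICIOUS_THRESHOLD = 1            # assumed: >= 1 engine flagging => malicious
GREYNOISE_MALICIOUS = {"malicious"}   # assumed GreyNoise classification value


def client_ip(alert):
    """Prefer the Okta client IP; fall back to the first detected IP."""
    ctx = alert.get("alertContext") or {}
    ip = (ctx.get("client") or {}).get("ipAddress")
    if ip:
        return ip
    ips = ctx.get("ips") or []
    return ips[0] if ips else None


def ip_is_malicious(vt_detections, greynoise_classification):
    """Either source calling the IP malicious is enough to escalate."""
    return (vt_detections >= VT_MALICIOUS_THRESHOLD
            or greynoise_classification in GREYNOISE_MALICIOUS)


def triage(alert, vt_detections, greynoise_classification, slack_reply=None):
    """Return the ordered list of actions the workflow takes for this alert.

    slack_reply is None until the user has answered; the workflow then stops
    at the confirmation prompt, mirroring how the story waits on a person.
    """
    ctx = alert.get("alertContext") or {}
    actor = (ctx.get("actor") or {}).get("alternateId", "unknown")
    targets = [t.get("alternateId", "unknown") for t in ctx.get("target") or []]
    ip = client_ip(alert)
    if ip is None:
        # Assumed edge case: nothing to enrich, so hand the alert to a human.
        return ["create_case:missing_client_ip"]
    if not ip_is_malicious(vt_detections, greynoise_classification):
        return [f"ip_lookup:{ip}:clean", "close_alert"]
    actions = [f"ip_lookup:{ip}:malicious", f"slack_confirm:{actor}"]
    if slack_reply is None:
        return actions + ["await_reply"]
    if slack_reply == "recognized":
        return actions + ["close_alert"]
    return actions + [
        f"thehive_create_case:{actor}->{','.join(targets)}",
        f"okta_lock_account:{actor}",
    ]


# Constructed Panther webhook payload (shape assumed) carrying the
# alert_context produced by the rule. Names and IP are from this post;
# the e-mail addresses and alert id are made up.
SAMPLE_ALERT = {
    "id": "PLACEHOLDER-ALERT-ID",
    "severity": "HIGH",
    "title": "Okta admin privileges granted to Thomas Kinsella by Jack Naglieri",
    "alertContext": {
        "actor": {"displayName": "Jack Naglieri", "alternateId": "jack@example.com"},
        "target": [{"displayName": "Thomas Kinsella", "alternateId": "thomas@example.com"}],
        "client": {"ipAddress": "188.8.131.52"},
        "ips": ["188.8.131.52"],
    },
}

if __name__ == "__main__":
    for reply in (None, "recognized", "not_recognized"):
        print(reply, triage(SAMPLE_ALERT, vt_detections=3,
                            greynoise_classification="malicious", slack_reply=reply))
```

Keeping the decision in a single function with a returned action list makes the workflow's behaviour reviewable: a change to the escalation policy (for example, also locking the newly privileged target account) is a one-line edit with a test, rather than a rewiring of the story.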
If the workflow's predefined requirements are met, then the user will be pinged on Slack to confirm the activity:
And if they click “I don’t recognize this”, then a case in TheHive is created, and the user account in Okta is locked out.
This is just one example workflow, but the options are endless!
Maintaining strong security as a company grows can be difficult. This problem is exacerbated by the rapidly growing scale of cloud environments. By applying automation to your security operations, you can reduce manual work, save valuable time, and decrease burnout across your SOC.
Get started today by running Panther and Tines together! Power better security outcomes across your organization and build a robust, end-to-end security pipeline using Python, SQL, and drag-and-drop automation workflows.