Use Case #2: Automated Notification System (ANS)



The SOC can now integrate with specific messaging/notification tools to generate automated notifications within the customer environment for pre-defined alerting scenarios. The automated notifications are quite generic and are designed to notify clients of critical alerts more urgently, in a way that works for your team. CyFlare will not customize the details of these notifications, as each one is intended to redirect you to the original escalated ticket so you can work with the SOC team to remediate.

Pre-Defined Scenarios for ANS

Default Notification:
  1. All Critical Priority Escalation
Optional Opt-In Notifications:
  1. High or Medium Priority Alerts
  2. Escalations that involve another Response Action being executed
  3. Specific Alerts upon request.

Tools Available

  1. Slack
  2. Microsoft Teams
  3. xMatters

Integrations Under Development

  1. PagerDuty
  2. SMS
  3. If you have an integration not shown, please reach out if interested in ANS.

Slack Integration

  1. The first step is to create a Slack application with the following permissions/credentials:
For a detailed version of what the SOC needs, please follow Slack Documentation for SOAR.
  1. SOC Requirements
    1. API Token: Can be fetched after an app is created, under the “OAuth and Permissions” tab of the Slack app.
    2. Channel or User ID: This is the channel/user that will be receiving notifications from the SOC.
  2. Configuring the Slack App
    1. Enter all the necessary information about the app: 
      1. Display information determines how the app shows when sending automated notifications to a specific channel.
    2. Under OAuth Permissions:
      1. Create the OAuth token (to be shared with the SOC).
      2. Under Scopes, add the permissions mentioned on the following page Slack App Permissions.
    3. Restrict API Usage:
      1. For added security, the SOC recommends allowing the Slack app to communicate only with specific SOAR IPs, avoiding unnecessary public-facing access for the app.
      2. For this step, please reach out to the SOC at socir@cyflare.com or your CSM for further assistance, as you will need to know which IPs to allow.

Microsoft Teams Integrations

SOC Requirements:
  1. Client ID (Application ID) 
  2. Client Secret
  3. Tenant ID (Directory ID) 
    1. For more detailed information on how to configure the Entra app, please follow SOAR Documentation for Teams.
  4. Team Name
  5. Channel Name

xMatters Integration

SOC Requirements:
  1. URL
    1. Example Format: https://<fqdn>.hosted.xmatters.com/api/xm/1/forms/<id>/triggers
  2. Username / Password
Note: xMatters is a custom-built integration by the CyFlare SOAR Team within Chronicle, so there is no SOAR Documentation to share for it. For any additional questions or assistance related to the xMatters integration, the CyFlare team is willing to work with you.
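
The values listed in the Slack, Microsoft Teams and xMatters requirements above can be sanity-checked before they are sent to the SOC. The following is an added example, not CyFlare tooling: the function names are hypothetical, the Slack token check assumes a bot (`xoxb-`) or user (`xoxp-`) token, and the sample values are constructed.

```python
import re
from urllib.parse import urlsplit

GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
SLACK_TOKEN = re.compile(r"^xox[bp]-[A-Za-z0-9-]+$")       # assumption: bot or user token
SLACK_TARGET = re.compile(r"^[CGDUW][A-Z0-9]{8,}$")        # channel (C/G/D) or user (U/W) ID
XM_PATH = re.compile(r"^/api/xm/1/forms/[^/]+/triggers$")  # format given in this article


def check_slack(token, target):
    problems = []
    if not SLACK_TOKEN.match(token):
        problems.append("slack: token is not an xoxb-/xoxp- token")
    if not SLACK_TARGET.match(target):
        problems.append("slack: target is a name, not a channel/user ID")
    return problems


def check_teams(client_id, tenant_id, client_secret):
    problems = []
    for label, value in (("client ID", client_id), ("tenant ID", tenant_id)):
        if not GUID.match(value):
            problems.append(f"teams: {label} is not a GUID")
    if GUID.match(client_secret):
        # The Entra portal lists a secret ID (a GUID) next to the secret value.
        problems.append("teams: client secret looks like the secret ID, not its value")
    return problems


def check_xmatters(url):
    parts = urlsplit(url)
    problems = []
    if parts.scheme != "https":
        problems.append("xmatters: URL must be https, it is used with a username/password")
    if parts.username or parts.password:
        problems.append("xmatters: credentials embedded in the URL")
    if not (parts.hostname or "").endswith(".hosted.xmatters.com"):
        problems.append("xmatters: host is not <fqdn>.hosted.xmatters.com")
    if not XM_PATH.match(parts.path):
        problems.append("xmatters: path is not /api/xm/1/forms/<id>/triggers")
    return problems


if __name__ == "__main__":
    # Constructed samples: a channel name given where an ID is required, and a bad URL.
    print(check_slack("xoxb-0000-0000-CONSTRUCTED", "#soc-alerts"))
    print(check_xmatters("http://user:pw@acme.example.com/api/xm/1/forms/abc123/triggers"))
```

An empty list from each function means the value has the expected shape; it does not confirm that the credential is valid or correctly scoped.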

How to get started?

Two Options:
  1. You can work with your dedicated Customer Success Manager, and they will coordinate with the SOAR Team in getting this Automation built out for you. 
  2. Send an email to socir@cyflare.com and specify what integration you would like to leverage for automation to be built out. 
    1. The SOAR Team will process your request, get back to you with the criteria we need, and meet with any customer to explain further and answer any questions they may have. 

