Use Case #4: Email Integration
Exchange/Email servers are a vital part of implementing automated response actions as one of the most common entry points for malicious/unknown entities into customers’ environments. The SOC is enabled with these response actions to prevent and mitigate any potential threat that can be identified through various tool-based detections and/or user reported phish emails.
In this use case automation, users from the customer environment are setup with a reporting process where they can easily report specific emails to the SOC which can be further analyzed, triaged, and investigated using the tools within the SOC. Once identified as malicious or harmful, the SOC can trigger actions to remove similar emails from across the environment and avoid other user compromise.
Typical Actions
- Search for similar emails across inboxes
- Block sender with matching message ID
Default Playbooks
- Exchange Email integration (use-case specific)
Base Workflow
What is Needed
- Mail address
- Mail server address
- Other Graph API details:
- Client ID, secret value, and Directory ID
- Refresh Token
- This step needs to be completed with customer support since it requires the SOAR team to hop on a call with the customer. With OAuth, the time limit to share refresh token is limited to 10 minutes.
Available Vendors
- Exchange
- Office365 (Exchange Online)
- Mimecast
- Symantec
- Trend Micro Cloud Application Security
- ... more on Updated Integration List for Chronicle SOAR
How to Get Started
Two Options:
- You can work with your dedicated Customer Success Manager, and they will coordinate with the SOAR Team in getting this Automation built out for you.
- Send an email to socir@cyflare.com and specify what integration you would like to leverage for automation to be built out.
- The SOAR Team will process your request and get back to you with the criteria we need and meet with any customer to further explain and validate any questions they may have.
Related Articles
Use Case #6: Isolate Endpoint
For mEDR customers, this automation use case is meant to provide immediate response actions when dealing with endpoint-specific threats that could originate from various source tools. This automation use case collects information from the reported ...Use Case #5: Scan/Remediate/Rollback Endpoint
For mEDR customers, this automation use case is meant to provide immediate response actions when dealing with endpoint-specific threats that could originate from various source tools. This automation use case collects information from the reported ...Use Case #2: Network Isolation
The SOC can take network-based response actions by utilizing API response actions on network appliances. These include firewall, routers, management devices, etc. Typical Actions Isolate/Quarantine endpoint(s) from network Terminate network sessions ...Use Case #1: Firewall Policy Update
Firewall response actions are the best way to deal with noisy public IPs attempting to ping/connect to external public-facing servers in the customer’s environment. This can also help respond to potential malicious IPs very quickly through automated ...Use Case #3: Disable User Account
Active Directory response actions is intended to be utilized when a high probably user compromise incident has been identified by the SOC. The account or device associated with the incident needs to be disabled immediately to avoid further spread ...