SafeTitan's Azure-based Real-Time Response Orchestration has two main components: the Orchestrator and a supported network monitoring technology, such as a SIEM (Security Information and Event Management) system.
The Orchestrator can be installed on-premises or in a cloud (Azure) environment. This topic describes an Azure installation.
The Orchestrator exposes an API (a webhook) that integrates your SIEM with SafeTitan's Real-Time functionality. The events of interest are pre-configured in the SIEM, for example removable storage being detected or malicious software being downloaded. The information passed to the SafeTitan cloud is deliberately minimal: an identifier for the event (such as the rule name) and an identifier for the user who triggered it (such as the user's email address). Nothing else from the alarm, such as raw log data, is forwarded. The Orchestrator then uses the user identifier as a lookup key in your Azure AD and retrieves the information (typically the user's email address) that SafeTitan needs to respond to that user. Finally, the Orchestrator matches the event identifier to the corresponding event configured in SafeTitan and triggers the actions configured for it.
Supported SIEM / Network Monitoring Application
For a network monitoring application to communicate with the Orchestrator, it must call the appropriate webhook exposed by the Orchestrator. How the webhook is invoked depends on the chosen technology:
LogRhythm alarms can be triggered on specific criteria, such as a domain account being created or a removable storage device being detected. When such an alarm fires, its details must be passed to the Orchestrator. LogRhythm does this through a feature called SmartResponse, which lets you create a plugin containing a PowerShell script that accepts a set of parameters passed from the alarm instance. The PowerShell script then forwards this information to the Orchestrator's webhook.
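The following script shows what the PowerShell body of such a SmartResponse plugin can look like. It is an added example, not SafeTitan's or LogRhythm's own code. The webhook URL, the JSON field names (`eventId`, `userId`) and the optional `X-Api-Key` header are assumptions for illustration; the actual field names and any authentication scheme are dictated by your Orchestrator deployment. What the example does show is the data-minimisation point from above: only the event identifier and the user identifier leave the SIEM, and the script refuses to send them over plain HTTP.

```powershell
<#
  Added example (not SafeTitan's or LogRhythm's code): body of a LogRhythm
  SmartResponse plugin script that forwards a triggered alarm to the SafeTitan
  Orchestrator webhook. Assumptions not taken from the original page: the
  webhook URL, the JSON field names and the optional X-Api-Key header.
#>
param(
    # Event identifier as configured in the SIEM, e.g. the alarm/rule name.
    [Parameter(Mandatory = $true)]
    [string]$RuleName,

    # Identifier of the user who triggered the alarm, e.g. their email address.
    # The Orchestrator resolves it against Azure AD, so it is passed through as-is.
    [Parameter(Mandatory = $true)]
    [string]$UserIdentifier,

    # Webhook exposed by the Orchestrator (placeholder; assumed URL).
    [Parameter(Mandatory = $true)]
    [string]$WebhookUrl,

    # Optional shared secret, if your Orchestrator requires one (assumed header).
    [string]$ApiKey
)

$ErrorActionPreference = 'Stop'

# Data minimisation: the only values that leave the SIEM are the event
# identifier and the user identifier. No other alarm fields are forwarded.
$RuleName       = $RuleName.Trim()
$UserIdentifier = $UserIdentifier.Trim()
if ([string]::IsNullOrWhiteSpace($RuleName) -or [string]::IsNullOrWhiteSpace($UserIdentifier)) {
    throw 'RuleName and UserIdentifier must both be non-empty.'
}

# The payload identifies a person, so refuse to send it over unencrypted HTTP.
if (-not $WebhookUrl.StartsWith('https://', [System.StringComparison]::OrdinalIgnoreCase)) {
    throw "Webhook URL must use HTTPS: $WebhookUrl"
}

$body = @{
    eventId = $RuleName
    userId  = $UserIdentifier
} | ConvertTo-Json -Compress

$headers = @{}
if ($ApiKey) { $headers['X-Api-Key'] = $ApiKey }

try {
    $response = Invoke-RestMethod -Method Post -Uri $WebhookUrl -Headers $headers `
        -ContentType 'application/json' -Body $body -TimeoutSec 15
    Write-Output "Orchestrator accepted event '$RuleName' for user '$UserIdentifier'."
    if ($response) { Write-Output ($response | ConvertTo-Json -Compress) }
}
catch {
    # Fail loudly so LogRhythm records the SmartResponse run as unsuccessful
    # instead of silently dropping the event.
    throw "Failed to notify Orchestrator at $WebhookUrl : $($_.Exception.Message)"
}
```

In the plugin, the alarm's fields (rule name, login or email of the user) are mapped onto the script's parameters when the SmartResponse action is defined; the webhook URL and any secret should come from the plugin's configured action parameters rather than be hard-coded in the script.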
Splunk Enterprise Security (ES) is a security information and event management (SIEM) solution. Alerts created in Splunk can be configured with a webhook alert action that forwards data when the alert triggers; that webhook is pointed at the Orchestrator.
Support for Splunk and LogRhythm is currently implemented and ready to use. Solutions for other technologies (such as Logpoint, Microsoft Sentinel and DTEX agents) are also available but may need to be customized by SafeTitan.