Solution: SpyCloud Enterprise Protection
| Attribute | Value |
|---|---|
| Publisher | Spycloud |
| Support Tier | Partner |
| Support Link | https://portal.spycloud.com |
| Categories | domains |
| Version | 3.0.1 |
| Author | SpyCloud |
| First Published | 2023-09-09 |
| Solution Folder | SpyCloud Enterprise Protection |
| Marketplace | Azure Marketplace · Popularity: ⚪ Very Low (0%) |
Cybercriminals continue to use stolen corporate credentials as the number one technique for account takeover (ATO); the FBI estimated losses from it at more than $2.7 billion in 2022. SpyCloud helps prevent account takeover and ransomware attacks by identifying exposed credentials tied to a company's domains, IP addresses and email addresses. Through this integration, breach and malware data from SpyCloud can be loaded into Sentinel.
This solution does not include data connectors.
This solution may contain other components such as analytics rules, workbooks, hunting queries, or playbooks.
This solution queries 1 table from its content items:
| Table | Used By Content |
|---|---|
| SpyCloudBreachDataWatchlist_CL | Analytics |
This solution includes 10 content item(s):
| Content Type | Count |
|---|---|
| Playbooks | 8 |
| Analytic Rules | 2 |
| Name | Severity | Tactics | Tables Used |
|---|---|---|---|
| SpyCloud Enterprise Breach Detection | High | CredentialAccess | SpyCloudBreachDataWatchlist_CL |
| SpyCloud Enterprise Malware Detection | High | CredentialAccess | SpyCloudBreachDataWatchlist_CL |
| Name | Description | Tables Used |
|---|---|---|
| Domain Breach Data - SpyCloud Enterprise | The SpyCloud Enterprise API is able to provide breach data for a domain or set of domains associated... | - |
| Email Address Breach Data - SpyCloud Enterprise | The SpyCloud Enterprise API is able to provide breach data for an email address or set of email addre... | - |
| IP Address Breach Data - SpyCloud Enterprise | The SpyCloud Enterprise API is able to provide breach data for an IP address or set of IP addresses a... | - |
| Password Breach Data - SpyCloud Enterprise | The SpyCloud Enterprise API is able to provide breach data for a provided password. | - |
| SpyCloud Breach Information - SpyCloud Enterprise | This playbook is triggered when a SpyCloud breach incident is created. | - |
| SpyCloud Malware Information - SpyCloud Enterprise | This playbook is triggered when a SpyCloud malware incident is created. | - |
| SpyCloud Watachlist data - SpyCloud Enterprise | This playbook runs daily, fetches the watchlist data from the SpyCloud API and saves it into the custom... | - |
| Username Breach Data - SpyCloud Enterprise | The SpyCloud Enterprise API is able to provide breach data for a username or set of usernames associ... | - |
📄 Source: SpyCloud Enterprise Protection/README.md
This solution contains the following:
- Eight playbooks,
- Two analytics rules, and
- One custom connector (a Logic Apps custom connector for the SpyCloud Enterprise API used by the playbooks; it is not a Sentinel data connector, so ingestion happens through the watchlist playbook below).
By identifying exposed assets that are available to criminals, enterprises can protect exposed accounts before criminals have a chance to use them for follow-on attacks. These playbooks and actions are designed to meet several use cases.
| Playbook | Description |
|---|---|
| SpyCloud-Monitor-Watchlist-Data | This playbook runs on a daily basis, fetches all the watchlist data from the SpyCloud Enterprise Protection API, parses it, and saves it into the custom log table (SpyCloudBreachDataWatchlist_CL). |
This solution provides the following rules, which monitor the custom log table populated by the playbook above.
| Analytic Rule | Description |
|---|---|
| SpyCloud-Malware-Rule | This scheduled rule monitors the custom log table and checks for any new malware records (severity = 25). If a record is found, the rule creates an incident with High severity. |
| SpyCloud-Breach-Rule | This scheduled rule monitors the custom log table and checks for any new breach records (severity = 20). If a record is found, the rule creates an incident with High severity. |
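As an added illustration, and not code from the SpyCloud solution or its playbooks, the following Python script reproduces outside Logic Apps the two steps the README describes: the daily watchlist pull written into the custom log table, and the severity checks the two analytic rules perform. It assumes that the playbook's "save into the custom log table" step uses the Log Analytics HTTP Data Collector API (the Azure Logic Apps "Send Data" action; that API is deprecated in favour of the Logs Ingestion API, but the SharedKey signing shown is what it requires), and it assumes the SpyCloud record field names used here (document_id, email, domain, severity, spycloud_publish_date); the sample records are constructed, while the severity values 20 and 25 are the README's own. One practitioner caveat the code makes explicit: because the playbook re-fetches the whole watchlist every day, a rule that keys on TimeGenerated alone will re-raise incidents for unchanged exposures, so the script deduplicates on a stable record id before anything is ingested.

```python
"""SpyCloud watchlist -> Sentinel custom table, as a stand-alone script (added example)."""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
from datetime import datetime, timezone
from email.utils import format_datetime

# Constructed sample of a SpyCloud watchlist response (not real data). The field
# names are an assumption modelled on SpyCloud's public API; the severity codes
# are the ones the README's rules key on: 20 = breach record with a plaintext
# password, 25 = malware-sourced (infected device) record.
SAMPLE_WATCHLIST = [
    {"document_id": "doc-0001", "email": "alice@example.com", "domain": "example.com",
     "severity": 20, "source_id": 10001, "spycloud_publish_date": "2024-07-01T00:00:00Z"},
    {"document_id": "doc-0002", "email": "bob@example.com", "domain": "example.com",
     "severity": 25, "infected_machine_id": "m-42", "spycloud_publish_date": "2024-07-02T00:00:00Z"},
    {"document_id": "doc-0003", "email": "carol@example.com", "domain": "example.com",
     "severity": 5, "source_id": 10002, "spycloud_publish_date": "2024-07-02T00:00:00Z"},
]

BREACH_SEVERITY = 20   # what SpyCloud-Breach-Rule looks for
MALWARE_SEVERITY = 25  # what SpyCloud-Malware-Rule looks for


def classify(record: dict) -> str | None:
    """Name the analytic rule that would fire on this record, or None."""
    sev = record.get("severity")
    if sev == MALWARE_SEVERITY:
        return "malware"
    if sev == BREACH_SEVERITY:
        return "breach"
    return None


def select_new(records: list[dict], seen_ids: set[str]) -> list[dict]:
    """Drop records already ingested on an earlier daily run.

    document_id is assumed to be a stable per-record key; without one, the
    daily full re-fetch would produce a fresh TimeGenerated for every old row
    and the rules would re-alert on exposures the SOC already handled.
    """
    fresh = []
    for rec in records:
        doc_id = rec["document_id"]
        if doc_id in seen_ids:
            continue
        seen_ids.add(doc_id)
        fresh.append(rec)
    return fresh


def build_signature(workspace_id: str, shared_key_b64: str, rfc1123_date: str,
                    content_length: int, method: str = "POST",
                    content_type: str = "application/json",
                    resource: str = "/api/logs") -> str:
    """SharedKey Authorization header for the Log Analytics Data Collector API."""
    string_to_sign = (f"{method}\n{content_length}\n{content_type}\n"
                      f"x-ms-date:{rfc1123_date}\n{resource}")
    key = base64.b64decode(shared_key_b64)
    digest = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode('ascii')}"


def build_request(workspace_id: str, shared_key_b64: str, records: list[dict],
                  log_type: str = "SpyCloudBreachDataWatchlist",
                  now: datetime | None = None) -> tuple[str, dict, bytes]:
    """Assemble the POST that lands `records` in the <log_type>_CL table."""
    body = json.dumps(records).encode("utf-8")
    stamp = format_datetime(now or datetime.now(timezone.utc), usegmt=True)
    headers = {
        "Content-Type": "application/json",
        "Authorization": build_signature(workspace_id, shared_key_b64, stamp, len(body)),
        "Log-Type": log_type,  # table name without the _CL suffix Log Analytics appends
        "x-ms-date": stamp,
        "time-generated-field": "spycloud_publish_date",  # keep SpyCloud's own timestamp
    }
    url = f"https://{workspace_id}.ods.opinsights.azure.com/api/logs?api-version=2016-04-01"
    return url, headers, body


def daily_run(api_records: list[dict], seen_ids: set[str], workspace_id: str,
              shared_key_b64: str, now: datetime | None = None) -> dict:
    """One playbook cycle: dedupe, count what each rule would raise, prepare the ingest."""
    fresh = select_new(api_records, seen_ids)
    counts = {"breach": 0, "malware": 0}
    for rec in fresh:
        kind = classify(rec)
        if kind:
            counts[kind] += 1
    url, headers, body = build_request(workspace_id, shared_key_b64, fresh, now=now)
    return {"ingested": len(fresh), "counts": counts, "url": url, "headers": headers, "body": body}


if __name__ == "__main__":
    # Dummy workspace id and key (32 zero bytes, base64) so this runs offline.
    WS = "00000000-0000-0000-0000-000000000000"
    KEY = base64.b64encode(b"\x00" * 32).decode()
    seen: set[str] = set()
    first = daily_run(SAMPLE_WATCHLIST, seen, WS, KEY)
    second = daily_run(SAMPLE_WATCHLIST, seen, WS, KEY)
    print(first["counts"], first["ingested"], second["ingested"])
```

Running the script prints the per-rule counts for day one and zero new rows for the identical day-two fetch. To actually post, wrap the returned url, headers and body in a `urllib.request.Request(..., method="POST")` with a real workspace id and primary key; the first run then populates SpyCloudBreachDataWatchlist_CL and the two rules can be tested against it.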
Many actions are available when a malware incident is created from the "SpyCloud Malware Rule." It can:
This solution also provides a "SpyCloud Malware Playbook" template that can be used to achieve the above use case. You can add this playbook to the "SpyCloud Malware Rule" automation section.
The following actions can be taken when a breach incident is created from the "SpyCloud Breach Rule."
[Content truncated...]
| Version | Date Modified (DD-MM-YYYY) | Change History |
|---|---|---|
| 3.0.1 | 18-07-2024 | Fixed Invalid Analytic Rule SpyCloudEnterpriseProtectionMalwareRule.yaml |
| 3.0.0 | 12-09-2023 | Initial Solution Release |