Demisto & Uptycs: Orchestrating Incident Response Activities

Orchestration engines such as Demisto give security professionals the freedom to integrate multiple services into coordinated, automated workflows. Simple REST APIs allow data to move from one application or service to another in a reliable, straightforward manner. With the appropriate data sources, users can create workflows and reports for incident investigation and response. By removing manual steps, orchestration engines can improve the overall efficiency and consistency of incident response while freeing up analyst time for other tasks.

Uptycs leverages the open-source osquery agent to acquire real-time data about nearly any facet of your infrastructure (more about osquery here). This data is streamed, aggregated, and stored in the Uptycs backend and then made accessible via our API, allowing Uptycs data to be integrated with other services.

Demisto Integration

The Uptycs-Demisto integration (available here in the Demisto Integration catalog) allows customers of both solutions to use Uptycs data within their Demisto instance. The data is presented in a standardized JSON format so that it works cleanly with other integrations and gives the user the freedom to create uniquely specialized automated workflows. Various commands built into the integration give the user access to this data. A “run query” command exists as a failsafe, allowing the user to run any query against the Uptycs backend for cases in which a particular out-of-the-box command does not exist. The result is a robust framework for developing automated response playbooks based on Uptycs alerts or other third-party alerts.

Alert Management View in Uptycs

Uptycs Example Alerts

Demisto Incident Overview Dashboard with Uptycs Alerts

Example Incident Investigation Use Cases

Bad IP Enrichment

Public databases contain lists of many known threat sources. When a connection to a known bad IP address appears, Uptycs fires an alert notifying the user of the event. With Demisto, a Bad IP Enrichment playbook makes the appropriate API requests to return information on the connection that was opened, the process which opened the connection, the parent of that process, and the child processes of that parent, all in an organized and easy-to-navigate format. The user is then able to investigate the incident quickly and with confidence.
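As an added illustration (not code from Uptycs or the Demisto integration), the following Python assembles the enrichment record the playbook describes from constructed rows shaped like osquery's process_open_sockets and processes tables; the function name and sample data are assumptions:

```python
"""Bad-IP enrichment: rebuild the process context around a flagged connection.

Added example, not Uptycs or Demisto code. It assumes the playbook has
already pulled rows shaped like osquery's process_open_sockets and
processes tables; the rows below are constructed sample data.
"""

# Constructed sample rows, shaped like osquery's process_open_sockets table.
SOCKETS = [
    {"pid": 4021, "local_address": "10.0.0.5", "local_port": 51234,
     "remote_address": "203.0.113.7", "remote_port": 443},
    {"pid": 1200, "local_address": "10.0.0.5", "local_port": 51235,
     "remote_address": "198.51.100.2", "remote_port": 80},
]

# Constructed sample rows, shaped like osquery's processes table.
PROCESSES = [
    {"pid": 1, "parent": 0, "name": "systemd", "cmdline": "/sbin/init"},
    {"pid": 3000, "parent": 1, "name": "bash", "cmdline": "-bash"},
    {"pid": 4021, "parent": 3000, "name": "curl",
     "cmdline": "curl -s https://203.0.113.7/"},
    {"pid": 4022, "parent": 3000, "name": "vim", "cmdline": "vim notes.txt"},
    {"pid": 1200, "parent": 1, "name": "apt", "cmdline": "apt update"},
]


def enrich_bad_ip(bad_ip: str, sockets, processes) -> list:
    """Return one context record per open connection to bad_ip.

    Each record carries the connection, the owning process, its parent and
    the parent's children. A process missing from the snapshot (it exited
    before the rows were collected) is reported as None rather than raising.
    """
    by_pid = {p["pid"]: p for p in processes}
    results = []
    for conn in sockets:
        if conn["remote_address"] != bad_ip:
            continue
        proc = by_pid.get(conn["pid"])
        parent = by_pid.get(proc["parent"]) if proc else None
        children = [c for c in processes
                    if parent and c["parent"] == parent["pid"]]
        results.append({"connection": conn, "process": proc,
                        "parent": parent, "parent_children": children})
    return results


if __name__ == "__main__":
    for rec in enrich_bad_ip("203.0.113.7", SOCKETS, PROCESSES):
        print(rec["process"]["name"], "->", rec["connection"]["remote_address"])
        print("parent:", rec["parent"]["name"],
              "children of parent:", [c["name"] for c in rec["parent_children"]])
```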

Example: Demisto Bad IP Playbook

Real-Time Global Investigation in Uptycs
Uptycs Investigation Query


Asset Tagging

With the asset tagging command in the Demisto UI, users can tag assets enrolled with Uptycs in order to run specific query packs for different asset tags. Running targeted query packs this way can be more efficient in terms of performance and data storage. A related step that could be added to Demisto playbooks is to automate the process of tagging an asset in Uptycs when an alert is generated. This would allow for subsequent execution of one or more query packs against that tag for additional data collection.

Remote Process Termination

Using the Uptycs integration, the details of a process associated with an alert, including the PID, can be used as part of a workflow. Demisto’s D2 agent allows remote execution of commands on an endpoint from the Demisto UI. This functionality allows immediate remediation of threats detected on remote endpoints. The process can be automated with a playbook so that an alert immediately causes the process which generated the alert to be terminated.

Endless Possibilities

The breadth of endpoint telemetry Uptycs makes available, combined with the ability to write custom alert rules, creates enormous potential to respond to unique situations that vary from environment to environment. We’re excited about the integration with Demisto and the flexibility it provides our shared customers.

Topics: incident investigation, integrations
