In response to the expanding threat surface facing identities, interoperability between identity and access management (IAM) and security operations is now understood to be a must for organizations in defending their cloud environments.
This stems from the comprehension that it is not enough to simply detect risks and active threats attempting to undermine the integrity of the IAM systems that organizations depend on for managing their identities. They need to have the data and connectivity to respond quickly and effectively.
In practice, this requires the integration of procedures and security operation tools for facilitating investigation and automating response actions. While logging and monitoring logs plays a major role in threat detection, helping to secure and maintain an organization’s security standards, not all IAM attacks leave log trails. This leaves organizations dependent solely on a SIEM or SOAR solution to catch a bad actor.
To avoid this risky gamble, organizations need to consider a product that can integrate with their SIEM, monitors multiple data sources, and performs correlation to arrive at an IOC (Incident of Compromise) through continuous monitoring.
Gartner’s recent report on identity and access management (IAM) best practices notes that threat detection and response (TDR) solutions play an important function in the emerging category of Identity Threat Detection and Response (ITDR) and can integrate with SIEM and SOAR tools to identify threats that those tools can’t spot.
In case you have missed it, Identity Threat and Detection Response (ITDR), as defined by Gartner, covers threat intelligence, best practices, a knowledge base, tools and processes to protect identity systems. It implements detection mechanisms, investigating suspect posture changes and activities, and responding to attacks to restore the integrity of the identity infrastructure.
Authomize has worked with Microsoft Sentinel to develop an integration that provides data-driven events into Microsoft Sentinel, enhancing detection controls by assisting with focus into identity alerts and providing an external source for correlation and detection logic that prioritizes identity tactics, techniques, and procedures.
Any organization wishing to build or update their security playbooks and automation to include IAM enforcement needs to consider Authomize‘s ITDR integration with Microsoft Sentinel for eradicating, recovering from, reporting, and remediating identity threats.
We help our customers to respond to threats effectively by sending IAM incidents into the response and threat-hunting processes within Microsoft Sentinel, which leverages the existing security controls in the security operations center (SOC) where Microsoft Sentinel is often deployed.
How the Integration Works
The integration is available through the Microsoft Sentinel Content Hub. This will provide a seamless integration installation experience for any customer wishing to leverage the data from Authomize in their threat-hunting processes.
Simply go to the Content Hub as shown and select Authomize to deploy the connector, incident, and parser features to your Sentinel environment (look for the Authomize logo.)
Microsoft Sentinel Content Hub (Deploy integrations from here)
There are only a few steps that will be required to finalize the configuration of your environment once the content has been deployed. The steps to follow are:
- Finalize the configuration for Authomize-Sentinel-Webhook-Receiver logic app by clicking through the connectors and applying your credentials in the logic app designer
- Go to the “When an HTTP request is received” function in the logic app designer and copy the URL
- Go to your Authomize tenant and create a webhook pointing to the URL:
4. When incidents are created in Authomize, they will turn up in Microsoft Sentinel along with the content in a custom log file.
By providing identity threat detection capabilities to your Microsoft Sentinel environment, your organization can start building identity-threat-specific playbooks to cover identity breaches and other types of attacks on identity infrastructure.
There are very few of these today in any organization and Authomize is constantly developing more ITDR security event use cases for continuous monitoring to enable better IOC capabilities within the SOC.
Over time, it is expected that tighter integrations will be made between SOC aligned activities for IAM, Cloud Infrastructure, and Cloud applications with ITDR solutions such as Authomize.
One way this is achieved today is ensuring that a SOC analyst can dive deeper as necessary into content within the Authomize platform to continue research. Any inbound incidents have referenced content back into Authomize. The following screenshot shows detail within Microsoft Sentinel with a URL back to the specific Incident within Authomize.
An analyst can now go deeper into the additional detail that may be available within the Authomize ITDR platform. This includes researching user activities against applications, IAM solutions, understanding the user relationship to other resources within the infrastructure, and ensuring that the user role is aligned correctly with corporate policy.
Authomize will continue to extend capabilities within Microsoft Sentinel to assist customers with securing identity infrastructure by providing data and context through detection and response capabilities within this space.
Learn more about integrating Authomize’s ITDR platform with Microsoft Sentinel and the rest of your SOC tools, contact us for a free assessment and demo.