ThreatConnect, Inc.®, provider of the industry’s only intelligence-driven security operations solutions has announced that it has joined the Microsoft Intelligent Security Association and will integrate Microsoft solutions with the ThreatConnect Threat Intelligence (TIP) and Security Orchestration Automation and Response (SOAR) Platform using the Microsoft Graph Security API. This integration allows ThreatConnect clients to connect with nearly any piece of Microsoft technology, including Azure Sentinel, O365, and Microsoft Defender ATP, using the Microsoft Graph Security API. The integration allows clients to retrieve alerts, perform data enrichment, gain relevant threat intelligence, and carry out incident response actions.
The Microsoft Graph Security API is a single interface that connects to Microsoft security products. Through this integration, made possible by ThreatConnect’s robust App Services capability, clients are able to subscribe to and listen for Microsoft Graph Notifications, parse these notifications for subsequent operations, and manage Graph Mail and security alerts via ThreatConnect Playbooks. Some examples of actions supported:
- Deploy Indicators to Microsoft Defender ATP and Azure Sentinel – With all of a team’s intelligence in one place, only deploy high fidelity intelligence to Microsoft Graph. When alerts are generated based on intelligence from ThreatConnect, analysts have the information they need to make faster and more informed decisions and the relevant security processes prepared for a timely response.
- Office 365 Phishing Investigation – Automatically trigger a Playbook in ThreatConnect based on a Graph Change Notification that an email has been received in a phishing mailbox in Office 365. The Playbook will then parse the email and orchestrate an investigation using a combination of ThreatConnect Intelligence, ThreatConnect’s CAL™ (Collective Analytics Layer), malware analysis tools, and data enrichment sources. If the email is suspicious or requires further remediation, a Case can be opened in ThreatConnect for an analyst investigation. Additional remediation steps can be automated via the Graph Mail API.
- Triage Graph Security Alerts – Automatically trigger a Playbook in ThreatConnect based on a Graph Change Notification for Security Alerts from Azure Sentinel, Azure Security Center, Azure Active Directory Identity Protection, Cloud App Security, Azure Advanced Threat Protection, Azure Information Protection and more. The Playbook will make a determination and either automatically resolve the alert or open a Case for further investigation. The alert can be updated with these details for tracking purposes.
“ThreatConnect enables organisations to harness threat intelligence and distill it down into actionable insights; benefit from the collective knowledge and talents across their security teams; develop and refine security processes; and enhance the efficacy of technologies across their security ecosystem,” said Andy Pendergast, Vice President of Product at ThreatConnect. “Integrating ThreatConnect with Microsoft Graph is incredibly important as it allows security teams to increase their accuracy and efficiency, and accelerate incident response processes. Leveraging our App Services and Playbooks technology, users can now dynamically respond to events in the Graph API and orchestrate operations between Microsoft products and other integrated technologies.”
This integration is now available to all current ThreatConnect clients through the ThreatConnect App Catalogue.