This workflow template automates the handling of high-level CNC (command-and-control) threats detected on a network by integrating Torq with Armis and other security tools. Upon receiving an alert from Armis about a CNC DNS query, the workflow gathers relevant information from Armis, SentinelOne, Microsoft Intune, and Active Directory. It then opens a Jira issue with the compiled details and prompts via Slack for approval to disable the user's AD account and add the device to the 'Intune Patch Immediately' group. Based on the approval response, it executes the disable and move actions or updates the Jira issue accordingly. This template streamlines the incident response process, ensuring swift and coordinated action against network security threats.
Trigger
Armis
Optional Triggers
Webhook
Use Cases
Remediate Network Security Alerts
Workflow Breakdown
Receive alert from Armis on a detected CNC DNS query
Pull relevant information from Armis/SentinelOne/Microsoft Intune/Active Directory
Open a Jira issue with the gathered data
Ask via Slack to disable the user's Active Directory account and move the device into the 'Intune Patch Immediately' group
If approved, disable the AD account and move the device into the Intune Group
If not approved, or the device is already in the Intune group, update the Jira issue and notify via Slack
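The decision logic of steps 3 through 6 above, written out as an added Python example that is not part of this template or of Torq's own code. It takes a constructed Armis-style alert (the field names `alert_type`, `device_id`, `hostname` and `user` are assumptions, not Armis's real schema), a constructed stand-in for the Intune group membership and AD account state the workflow would fetch from the vendors, and the Slack approval result, and returns the ordered list of vendor actions to run. The action names (`jira.create`, `ad.disable_account`, and so on) are placeholders for the corresponding Torq steps. It also validates the trigger payload first, so a malformed or non-CNC alert cannot cause an account to be disabled:

```python
from dataclasses import dataclass

PATCH_GROUP = "Intune Patch Immediately"
# Assumption: how the Armis alert labels the detection this workflow handles.
CNC_ALERT_TYPES = {"CNC DNS query"}

# Constructed sample alert; the field names are assumptions, not Armis's real schema.
SAMPLE_ALERT = {
    "alert_type": "CNC DNS query",
    "device_id": "dev-1234",
    "hostname": "WS-ACCT-07",
    "user": "jdoe",
}


@dataclass(frozen=True)
class Inventory:
    """Constructed stand-in for the Intune group membership and AD account
    state that the real workflow pulls from Microsoft Intune and Active Directory."""
    patch_group_members: frozenset
    disabled_accounts: frozenset


def validate_alert(alert):
    """Reject alerts that are not CNC detections or that lack the fields the
    remediation needs, so a bad trigger payload never reaches the disable step."""
    required = ("alert_type", "device_id", "hostname", "user")
    missing = [k for k in required if not alert.get(k)]
    if missing:
        raise ValueError(f"alert missing fields: {missing}")
    if alert["alert_type"] not in CNC_ALERT_TYPES:
        raise ValueError(f"not a CNC alert: {alert['alert_type']}")
    return alert


def plan_remediation(alert, inv, approved):
    """Return the ordered (action, parameters) steps the workflow should execute.

    Approved and device not yet in the patch group: disable the AD account
    (skipped if it is already disabled), add the device to the group, then
    update Jira and notify Slack. Otherwise: update Jira with the reason and
    notify Slack only, which keeps the workflow idempotent on repeated alerts.
    """
    alert = validate_alert(alert)
    device, user = alert["device_id"], alert["user"]
    already_in_group = device in inv.patch_group_members

    # Step 3: the Jira issue is always opened with the gathered data.
    actions = [("jira.create", {
        "summary": f"CNC DNS query from {alert['hostname']}",
        "device": device,
        "user": user,
    })]

    if approved and not already_in_group:
        if user not in inv.disabled_accounts:
            actions.append(("ad.disable_account", {"user": user}))
        actions.append(("intune.add_to_group", {"device": device, "group": PATCH_GROUP}))
        actions.append(("jira.update", {"status": "remediated"}))
        actions.append(("slack.notify", {"text": f"Remediated {device}: added to '{PATCH_GROUP}'"}))
    else:
        reason = "device already in patch group" if already_in_group else "remediation not approved"
        actions.append(("jira.update", {"status": "no action", "reason": reason}))
        actions.append(("slack.notify", {"text": f"No action on {device}: {reason}"}))
    return actions


if __name__ == "__main__":
    empty = Inventory(frozenset(), frozenset())
    for step in plan_remediation(SAMPLE_ALERT, empty, approved=True):
        print(step)
```

The "already in group" check is worth keeping in any real implementation: Armis can raise the same CNC detection repeatedly for one device, and without it the workflow would re-prompt analysts and re-run the Intune move on every alert.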
Vendors
Slack, Scripting, Utils, SentinelOne, Microsoft Outlook, Microsoft Azure AD, Microsoft 365, Jira Cloud, Armis
Workflow Output
Jira issue and Slack communication about the issue
Tips
Modify the first workflow variable step with the relevant information for your tenant
For the PowerShell credentials, use the secrets store and update each step as appropriate