Handle High Level CNC Threat Detected on Network (Armis) - Workflow Template

Receive alert from Armis on a CNC DNS query, pull details about the device, open Jira issue, and alert the channel or user via Slack/Email


This workflow template automates the handling of high-level CNC threats detected on a network by integrating Torq with Armis and other security tools. Upon receiving an alert from Armis about a CNC DNS query, the workflow gathers relevant information from Armis, SentinelOne, Microsoft Intune, and Active Directory. It then opens a Jira issue with the compiled details and prompts via Slack to disable the user's AD account and add the device to the 'Intune Patch Immediately' group. Based on the approval response, it executes the disable and move actions or updates the Jira issue accordingly. This template streamlines the incident response process, ensuring swift and coordinated action against network security threats.

Trigger

Armis

Optional Triggers

Webhook

Use Cases

Remediate Network Security Alerts

Workflow Breakdown

  1. Receive alert from Armis on a detected CNC DNS query

  2. Pull relevant information from Armis/SentinelOne/Microsoft Intune/Active Directory

  3. Open a Jira issue with the gathered data

  4. Ask (via Slack) to disable the user's Active Directory account and move the device into the Intune Patch Immediately group

  5. If approved, disable the AD account and move the device into the Intune Group

  6. If not approved, or if the device is already in the Intune group, update the Jira issue and notify via Slack
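The "if approved" branch of steps 5 and 6 as a PowerShell script, added here as an example; it is not the template's own step code. It assumes the ActiveDirectory and Microsoft.Graph modules are installed on the runner, that the AD service-account and Graph app-registration credentials arrive from the secrets store as the environment variables named below (names are assumptions), and that the Graph app holds Group.ReadWrite.All and Device.Read.All. The device is looked up by the Azure AD deviceId that the Intune enrichment step returns, and the script refuses to add a device that is already a member so the workflow can take the "already in group" path.

```powershell
param(
    [Parameter(Mandatory)] [string] $SamAccountName,   # user from the Armis/AD enrichment
    [Parameter(Mandatory)] [string] $AzureAdDeviceId,  # Azure AD deviceId from the Intune enrichment
    [string] $GroupName = 'Intune Patch Immediately',
    [switch] $Approved                                 # outcome of the Slack approval prompt
)

$ErrorActionPreference = 'Stop'
$result = [ordered]@{ AccountDisabled = $false; DeviceAdded = $false; AlreadyMember = $false; Notes = @() }

# Step 6, not-approved path: make no change, let the workflow update Jira/Slack.
if (-not $Approved) {
    $result.Notes += 'Not approved; no changes made.'
    return [pscustomobject]$result
}

# Step 5a: disable the on-prem AD account.
# Assumption: AD credentials are injected from the secrets store as env vars.
$adCred = [pscredential]::new(
    $env:TORQ_AD_USER,
    (ConvertTo-SecureString $env:TORQ_AD_PASSWORD -AsPlainText -Force))

$user = Get-ADUser -Identity $SamAccountName -Properties Enabled -Credential $adCred
if ($user.Enabled) {
    Disable-ADAccount -Identity $user -Credential $adCred -Confirm:$false
    $result.AccountDisabled = $true
} else {
    $result.Notes += "Account $SamAccountName was already disabled."
}

# Step 5b: add the device to the Intune group unless it is already a member (step 6).
# Assumption: app-registration client id/secret and tenant id come from the secrets store.
$graphCred = [pscredential]::new(
    $env:TORQ_GRAPH_CLIENT_ID,
    (ConvertTo-SecureString $env:TORQ_GRAPH_CLIENT_SECRET -AsPlainText -Force))
Connect-MgGraph -TenantId $env:TORQ_TENANT_ID -ClientSecretCredential $graphCred -NoWelcome

# Double single quotes so a group name or device id cannot break out of the OData filter.
$safeGroup  = $GroupName.Replace("'", "''")
$safeDevice = $AzureAdDeviceId.Replace("'", "''")

$group = @(Get-MgGroup -Filter "displayName eq '$safeGroup'")
if ($group.Count -ne 1) { throw "Expected exactly one group named '$GroupName', found $($group.Count)" }

$device = Get-MgDevice -Filter "deviceId eq '$safeDevice'"
if (-not $device) { throw "Device $AzureAdDeviceId not found in Azure AD" }

$isMember = Get-MgGroupMember -GroupId $group[0].Id -All | Where-Object { $_.Id -eq $device.Id }
if ($isMember) {
    $result.AlreadyMember = $true
    $result.Notes += "Device $($device.DisplayName) is already in '$GroupName'."
} else {
    New-MgGroupMember -GroupId $group[0].Id -DirectoryObjectId $device.Id
    $result.DeviceAdded = $true
}

# The returned object feeds the Jira update and Slack notification steps.
[pscustomobject]$result
```

Run it from the workflow step with `-Approved` only when the Slack response was positive; the returned object carries `AlreadyMember` so the workflow can branch to the "update Jira and notify" path without a second lookup. Disabling the account before the group change is deliberate: the account lockout is the containment action, the group move only schedules patching.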

Vendors

Slack, Scripting, Utils, SentinelOne, Microsoft Outlook, Microsoft Azure AD, Microsoft 365, Jira Cloud, Armis

Workflow Output

Jira issue and Slack communication about the issue

Tips

Modify the first workflow variable step with the relevant information for your tenant.

For the PowerShell credentials, use the secrets store and update each step as appropriate.
