Automate Project Management with SmartResponse

The SIEM is a great central aggregate for case data and analytics, but also has the ability to give your team back valuable time if you take advantage of automation. The more automation you can build into a SIEM, the more time you save.

LogRhythm’s SmartResponse™ integrates with project-management tools, such as Wrike and service-ticketing systems such as ServiceNow or SysAid, to create automated responses and ease your team’s workload.

Let’s take a look at how the LogRhythm platform can automate project management to increase your security team’s overall efficiency.

Integrating a SIEM with Project Management Tools

Security teams often have to work with other groups within the organization and prioritize the triage of events against their regular project workload. Naturally, they will need a way to manage projects and ensure that objectives are met in accordance with the expectations of their business. To this goal, many organizations adopt project-management tools in an attempt to help streamline and track workload.   However, when a team does not have a project manager on staff, significant additional workload can fall on each member of the team.

Without a project manager, team members become responsible for documenting investigations in the case, updating the project tracker, prioritizing, planning, maintaining timelines, and so forth. There must be an easier way to track and account for this work without spending so much valuable time to do so.   The LogRhythm Labs and Office of the CISO teams use Wrike for project management. One of the benefits of Wrike is that it comes with a great application programming interface (API) that allows us to automate our workflows. Combine this with the LogRhythm NextGen SIEM Platform, and we get a SIEM that can handle basic project management tasks, while maintaining full visibility across the management and technical disciplines.

Wrike Powershell Script

There are a few aspects to this SmartResponse integration. First, is the standard Wrike PowerShell script. This provides the ability to use Wrike in Application Mode, test your API key, search for administrative users, and most importantly, create and assign tasks. See the PowerShell script below:

.INSTALL
Obtain an API token from the Wrike and hardcode / append during function calls: https://www.wrike.com/frontend/apps/index.html#/api
 
.SYNOPSIS
Open Wrike in Application Mode in Chrome

Create new tasks

Integrate with automation tools and dynamically generate tasks

.USAGE
Ensure that you have the Wrike functions imported

    PS C:\> Import-Module .\wrike.ps1

Open Wrike in Chrome's Application Mode

    PS C:\> wrike

Interact with the Wrike API

    PS C:\> invoke-wrike -connectionTest -accessToken <api key>

    PS C:\> invoke-wrike -adminSearch -accessToken <api key>

    PS C:\> invoke-wrike -newTask <"Task Title"> -user <"assigned user (first name)"> -folder <"where to add that task?"> -accessToken <api key>

Hardcode variables for quick access from the command line

    PS C:\> invoke-wrike -newTask <"Task Title">

Click images to enlarge

Figure 1: Wrike PowerShell Script Integrated with Daily Alarm and Case Work

Figure 1: Wrike PowerShell Script Integrated with Daily Alarm and Case Work

You can tie this PowerShell script to any SIEM alarm, so that as events arise in the SIEM, tasks are dynamically generated for specific team members or whole teams. This is great for users who are not often in the SIEM, but may be called upon to perform tasks such as analyzing malware samples or communicating a change.

Figure 2: SmartResponse Action Properties Includes Wrike PowerShell Script Command

Figure 2: SmartResponse Action Properties Includes Wrike PowerShell Script Command

The Wrike PowerShell script is particularly useful when integrated with Daily Alarm and Case Work— normally as a back-end process for when highly specific events occur.

Figure 3: Project Management Task Created for A Phishing Attack or A Highly Specific Event

Figure 3: Project Management Task Created for A Phishing Attack or A Highly Specific Event

The Wrike SmartResponse integration provides automation capabilities that allow you to dynamically create, track, and manage projects and tasks with very little overhead for the team.

Using these automation tools at LogRhythm, we’ve been able to save time, accurately track our work, and meet deadlines. We can also maintain full visibility into what is being worked on, up through the reporting structure.

SmartResponse can also be integrated with service ticketing systems such as Service Now and SysAid to help automate your service ticketing process and ease IT workload. Building automation into your SIEM will give your security team back much needed time and increase overall operational efficiency.

“Your Online Project Management Software.” Wrike. N.p., n.d. Web. 13 July 2017.
“ITSM, Service Desk Software, Help Desk Software.” SysAid. N.p., n.d. Web. 13 July 2017.
“Work at Lightspeed.” ServiceNow. N.p., n.d. Web. 13 July 2017.