A SIEM is a natural central point for case data and analytics, but it can also give your team back valuable time if you take advantage of automation. The more automation you build into the SIEM, the more analyst time you save.
LogRhythm’s SmartResponse™ integrates with project-management tools such as Wrike, and with service-ticketing systems such as ServiceNow and SysAid, to create automated responses and ease your team’s workload.
Let’s take a look at how the LogRhythm platform can automate project management to increase your security team’s overall efficiency.
Integrating a SIEM with Project Management Tools
Security teams often have to work with other groups within the organization and prioritize the triage of events against their regular project workload. Naturally, they need a way to manage projects and ensure that objectives are met in accordance with the expectations of the business. To this end, many organizations adopt project-management tools to streamline and track workload. However, when a team does not have a project manager on staff, significant additional workload falls on each member of the team.
Without a project manager, team members become responsible for documenting investigations in the case, updating the project tracker, prioritizing, planning, maintaining timelines, and so forth. Teams need a way to track and account for this work without spending so much valuable time on it. The LogRhythm Labs and Office of the CISO teams use Wrike for project management. One of the benefits of Wrike is that it comes with a well-documented application programming interface (API) that allows us to automate our workflows. Combine this with the LogRhythm platform, and we get a SIEM that can handle basic project-management tasks while maintaining full visibility across the management and technical disciplines.
Wrike PowerShell Script
There are a few aspects to this SmartResponse integration. First is the core Wrike PowerShell script. It provides the ability to use Wrike in Application Mode, test your API key, search for administrative users, and, most importantly, create and assign tasks. The API key is a credential: keep it out of the script body and the alarm configuration, store it where only the SmartResponse service account can read it, and scope the Wrike account to the project folders the security team actually uses. The script is shown in Figure 1 below:
Figure 1: Wrike PowerShell Script Integrated with Daily Alarm and Case Work
You can tie this PowerShell script to any SIEM alarm, so that as events arise in the SIEM, tasks are generated dynamically for specific team members or whole teams. This is especially useful for people who rarely work in the SIEM but may be called upon to perform tasks such as analyzing a malware sample or communicating a change.
Figure 2: SmartResponse Action Properties Includes Wrike PowerShell Script Command
The Wrike PowerShell script is particularly useful when integrated with Daily Alarm and Case Work, normally as a back-end process that runs when highly specific events occur.
Figure 3: Project Management Task Created for a Phishing Attack or a Highly Specific Event
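To make the pieces described above concrete (API-key test, contact lookup, task creation and assignment, all driven by alarm fields passed in as parameters), here is an added example written for this article. It is not the LogRhythm Labs script shown in the figures. Endpoint paths, the `profiles[].email`, `permalink` and `responsibles` fields, and the `bearer` header follow the Wrike API v4 as I understand it and should be checked against Wrike's documentation; the token file path is hypothetical.

```powershell
<#
  Added example: a minimal Wrike task-creation script in the shape of a SmartResponse action.
  Not the LogRhythm Labs script from the figures. Wrike API v4 details assumed here (verify):
    GET  /contacts?me=true      token owner (used as the API-key test)
    GET  /contacts              account contacts, each with a profiles[].email list
    POST /folders/{id}/tasks    create a task; responsibles = JSON array of contact IDs
  Every alarm-specific value arrives as a parameter, so the SmartResponse action maps alarm
  fields onto them and the plugin package itself stores nothing sensitive.
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory)][string] $FolderId,       # Wrike folder/project that receives the task
    [Parameter(Mandatory)][string] $AssigneeEmail,  # team member to assign (e.g. a malware analyst)
    [Parameter(Mandatory)][string] $AlarmName,      # from the LogRhythm alarm
    [Parameter(Mandatory)][string] $AlarmId,
    [string] $Summary = '',                         # alarm-derived free text; treated as untrusted
    [ValidateSet('High','Normal','Low')][string] $Importance = 'High',
    [string] $TokenFile = "$env:ProgramData\LogRhythm\wrike.token"   # hypothetical path
)

$ErrorActionPreference = 'Stop'
$WrikeBase = 'https://www.wrike.com/api/v4'
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

function Get-WrikeToken {
    # Never hard-code the token in the script or the alarm config. Prefer an environment variable
    # set for the SmartResponse service account; otherwise read a DPAPI-protected file created once
    # with:  Read-Host -AsSecureString | ConvertFrom-SecureString | Set-Content $TokenFile
    # DPAPI ties that file to the same account on the same host, which is the scope we want.
    if ($env:WRIKE_TOKEN) { return $env:WRIKE_TOKEN }
    if (Test-Path $TokenFile) {
        $secure = Get-Content $TokenFile -Raw | ConvertTo-SecureString
        return [pscredential]::new('wrike', $secure).GetNetworkCredential().Password
    }
    throw "No Wrike token in WRIKE_TOKEN or $TokenFile"
}

function Invoke-WrikeApi {
    param([string] $Method, [string] $Path, [hashtable] $Body)
    $call = @{
        Method  = $Method
        Uri     = "$WrikeBase$Path"
        Headers = @{ Authorization = "bearer $script:Token" }
    }
    if ($Body) { $call.Body = $Body }      # sent form-encoded, which Wrike v4 accepts
    (Invoke-RestMethod @call).data          # Wrike wraps results in a 'data' array
}

function Test-WrikeToken {
    # Cheapest authenticated call; a bad or revoked token fails here, before any task is created.
    try { [bool] (Invoke-WrikeApi GET '/contacts?me=true') } catch { $false }
}

function Find-WrikeContact([string] $Email) {
    # Require exactly one live match so a typo in the alarm mapping cannot assign work to nobody
    # or to the wrong person.
    $hits = @(Invoke-WrikeApi GET '/contacts' | Where-Object {
        -not $_.deleted -and ($_.profiles.email -contains $Email) })
    if ($hits.Count -ne 1) { throw "Expected exactly one contact for $Email, found $($hits.Count)" }
    $hits[0]
}

function New-WrikeTask([string] $Folder, [string] $ContactId) {
    # Alarm text can carry attacker-controlled strings (phishing subject lines, URLs). Wrike renders
    # a subset of HTML in descriptions, so HTML-encode it, and point back to the SIEM alarm rather
    # than copying evidence into a third-party tool.
    $safeSummary = [System.Net.WebUtility]::HtmlEncode($Summary)
    $body = @{
        title        = "[SIEM] $AlarmName (alarm $AlarmId)"
        description  = "Created by LogRhythm SmartResponse for alarm ID $AlarmId.<br/>$safeSummary"
        importance   = $Importance
        status       = 'Active'
        responsibles = ConvertTo-Json -InputObject @($ContactId) -Compress   # -> ["<contactId>"]
    }
    Invoke-WrikeApi POST "/folders/$Folder/tasks" $body
}

try {
    $script:Token = Get-WrikeToken
    if (-not (Test-WrikeToken)) { throw 'Wrike rejected the API token' }
    $contact = Find-WrikeContact $AssigneeEmail
    $task = New-WrikeTask $FolderId $contact.id
    Write-Output "Created Wrike task $($task.id) for ${AssigneeEmail}: $($task.permalink)"
    exit 0
}
catch {
    # A non-zero exit code lets the SmartResponse action report failure instead of silently
    # dropping the work item.
    Write-Error $_
    exit 1
}
```

In the SmartResponse action properties, each script parameter is mapped to an alarm field or a fixed value (for example `-FolderId` to the team's Wrike project and `-AssigneeEmail` to the on-call analyst), so the same script serves a phishing alarm and any other highly specific event without editing the code.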
The Wrike SmartResponse integration provides automation capabilities that allow you to dynamically create, track, and manage projects and tasks with very little overhead for the team.
Using these automation tools at LogRhythm, we’ve been able to save time, accurately track our work, and meet deadlines. We can also maintain full visibility into what is being worked on, up through the reporting structure.
SmartResponse can also be integrated with service-ticketing systems such as ServiceNow and SysAid to help automate your service-ticketing process and ease IT workload. Building automation into your SIEM gives your security team back much-needed time and increases overall operational efficiency.