Scroll Top

How to detect and handle technical account misuse incidents?

You can create a correlation rule in your SIEM to detect a login attempt from different than usual client IP which could mean a breach or a misuse.

Technical accounts are quite often used for API access. You can create a correlation rule in your SIEM to detect a login attempt from different than usual client IP which could mean a breach or a misuse.

Let’s create a SOAR workflow to handle these alerts. In this scenario we want to automatically ask technical account owner to confirm the account usage.

It starts with case created by SIEM. It contains username, hostname and client IP.

It’s our new workflow.

Let’s go through nodes used by the workflow.

Get observables / Pass username

Take observables from the case and select username.

Read binary file / Spreadsheet file

Read list of tech accounts and their owners. Can be replaced by database query.

Select username

Match username from the case and the file.

Get tasks and Update task

Get tasks from the case and change status of the task „Verify activity with relevant system administrators”.

Send email

Send email to account owner with confirmation link.

If administrator confirms technical account usage then SOAR runs supporting workflow „Trigger – Unauthorized login”. The first node starts the workflow when a webhook is called. Then status of the task becomes completed.

If administrator doesn’t confirm technical account usage within wait time period then the task „Verify activity with relevant system administrators” isn’t completed.

After that SOAR sends email notification „Unauthorized login not confirmed”. Some may say „Unauthorized login” isn’t automatic workflow because it begins with Start node. Best practice is to build small and modular playbooks which are easier to maintain. Energy SOAR executes workflows using global trigger. It starts appropriate workflows when case created events