RiskIQ, an External Attack Surface Management (EASM) company that Microsoft acquired last year, helps customers discover and monitor their potential points of attack across the enterprise: not only endpoints, but also multiple cloud environments, SaaS platforms, and the supply chain. It identifies exposed and vulnerable assets so they can be remediated before attackers have the chance to use them as an entry point. It also offers strong global threat intelligence, crowd-sourced from a large and diverse community of security researchers and enriched with machine-learning analysis. If you integrate RiskIQ's EASM with Microsoft Sentinel (formerly called Azure Sentinel), you have two fast and comprehensive security tools working together.
Microsoft published a guide to connecting the two, but it is outdated: it predates Microsoft's acquisition of RiskIQ. So if you're looking to integrate them, here are updated instructions.
Integrate External Attack Surface Management with Microsoft Sentinel
- Get a free community account at RiskIQ Community Edition.
- Go to the playbook folder in the Azure-Sentinel GitHub repository: Azure-Sentinel/Solutions/RiskIQ/Playbooks (Azure/Azure-Sentinel on GitHub).
- The Deploy to Azure button is broken on most of the playbooks, so you'll need to import the JSON files manually. Open the playbook folder, select deploy.json, and copy its raw JSON.
- In the Azure Portal, select Deploy a custom template and then Build your own template in the editor.
- Delete the default text, paste in the raw JSON, and save.
- For playbooks that ship both an Incident and an Alert JSON file, append 'Incident' or 'Alert' to the playbook name; otherwise the second import deploys to the same Logic App name and overwrites the first.
- When you create the RiskIQ API connection in your first Logic Apps playbook, make sure you use the Organization API key from your RiskIQ account rather than a user API key.
- After you've created at least one Incident playbook, go back to Sentinel and attach the playbook as an automated response to the analytics rule created from the template Create incidents based on Azure Active Directory Identity Protection.
- Next, generate a test incident in Sentinel: on a spare device (not your corporate laptop), download the Tor Browser and try to sign in to one of your accounts. Enter a bad password five times, then sign in with your actual password and deny the MFA request. This should trigger Identity Protection risk detections (for example, the anonymous IP address detection), which the analytics rule turns into an incident. (This is getting fun, right?)
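The manual portal import above works, but the naming trap in the Incident/Alert step is easy to script around. The following is an added example, not code from the Azure-Sentinel repository: it reads each deploy.json, derives a distinct PlaybookName per variant, refuses to plan two deployments under one Logic App name, and emits the equivalent `az deployment group create` command. It assumes the templates expose a string parameter named `PlaybookName` with a `defaultValue` (the constructed stand-ins below imitate that; check the real files), and it does not invoke the CLI itself.

```python
"""Plan Incident and Alert deployments of a RiskIQ playbook template under
distinct Logic App names. Added example, not code from Azure/Azure-Sentinel.
Assumption: deploy.json has a string parameter PlaybookName with a defaultValue.
"""
import json
import shlex

# Constructed stand-ins for one playbook's Incident and Alert deploy.json
# files. Both ship with the same default PlaybookName, which is why a second
# portal import silently updates the first Logic App instead of creating
# a second one. Paths are hypothetical.
TEMPLATES = [
    ("Incident", "RiskIQ-Enrich/incident/deploy.json", json.dumps({
        "parameters": {"PlaybookName": {"type": "string",
                                        "defaultValue": "RiskIQ-Enrich"}},
        "resources": [],
    })),
    ("Alert", "RiskIQ-Enrich/alert/deploy.json", json.dumps({
        "parameters": {"PlaybookName": {"type": "string",
                                        "defaultValue": "RiskIQ-Enrich"}},
        "resources": [],
    })),
]


def default_playbook_name(template_text):
    """Return the template's default PlaybookName, or None if it has none."""
    params = json.loads(template_text).get("parameters", {})
    return params.get("PlaybookName", {}).get("defaultValue")


def suffixed_name(base, variant):
    """Append -Incident or -Alert unless the name already ends with it."""
    suffix = "-" + variant
    return base if base.endswith(suffix) else base + suffix


def defaults_collide(templates):
    """True when two templates would deploy under the same default name."""
    names = [default_playbook_name(text) for _, _, text in templates]
    return len(names) != len(set(names))


def plan_deployments(templates, resource_group):
    """Build one deployment per template and refuse to reuse a Logic App name.

    Returns a list of dicts with the chosen PlaybookName and the matching
    Azure CLI command as a string; nothing is executed here.
    """
    plan, taken = [], {}
    for variant, path, text in templates:
        base = default_playbook_name(text)
        if base is None:
            raise ValueError(f"{path}: no PlaybookName parameter with a default")
        name = suffixed_name(base, variant)
        if name in taken:
            raise ValueError(f"{path} would reuse {name!r}, already planned for {taken[name]}")
        taken[name] = path
        cmd = ["az", "deployment", "group", "create",
               "--resource-group", resource_group,
               "--template-file", path,
               "--parameters", f"PlaybookName={name}"]
        plan.append({"path": path, "PlaybookName": name, "command": shlex.join(cmd)})
    return plan


if __name__ == "__main__":
    print("defaults collide:", defaults_collide(TEMPLATES))
    for step in plan_deployments(TEMPLATES, "rg-sentinel"):
        print(step["command"])
```

Run the printed commands with an account that can create Logic Apps in the Sentinel resource group; the API connection to RiskIQ is still created once, in the first playbook, exactly as in the manual steps.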
The incident's comments now carry RiskIQ threat intelligence, added automatically by the playbook.
Using EASM with Microsoft Sentinel
Once this is configured, you can use Microsoft Sentinel's built-in automation framework with your analytics rules to add context to incident investigations. The playbook queries the RiskIQ passive DNS database for the IP address in the security alert and retrieves the domains that resolved to that address in the last 30 days. It then adds this information as a comment on the resulting incident, giving the security team additional context for triage.
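To make the enrichment step concrete, here is the same logic in Python as an added example. It is not the playbook's own code and not the RiskIQ or Sentinel connectors. It assumes two data shapes, both labelled in the code: Sentinel incident entities of kind `Ip` carry `properties.address`, and a RiskIQ (PassiveTotal) passive DNS response carries a `results` list whose records have `resolve`, `recordType`, `firstSeen` and `lastSeen` fields with `YYYY-MM-DD HH:MM:SS` timestamps. The network calls are replaced by a constructed lookup table so the example runs offline, and the 30-day window is applied to `lastSeen`, so a domain that stopped resolving to the address before the window is dropped.

```python
"""Passive DNS enrichment of a Sentinel incident, as an added example.
Not the playbook's code; entity and API shapes below are assumptions.
"""
from datetime import datetime, timedelta, timezone
import json

LOOKBACK_DAYS = 30

# Constructed "now" so the 30-day window is deterministic; the playbook uses
# the real clock.
EXAMPLE_NOW = datetime(2022, 3, 30, 12, 0, tzinfo=timezone.utc)

# Constructed Sentinel incident entities (assumed shape).
INCIDENT_ENTITIES = [
    {"kind": "Account", "properties": {"accountName": "jdoe"}},
    {"kind": "Ip", "properties": {"address": "203.0.113.44"}},
]

# Constructed passive DNS response for 203.0.113.44 (assumed shape). The
# old-cdn record was last seen outside the 30-day window and must be dropped.
PASSIVE_DNS_RESPONSE = json.dumps({
    "queryValue": "203.0.113.44",
    "results": [
        {"resolve": "mail.example", "recordType": "A",
         "firstSeen": "2021-06-10 02:00:00", "lastSeen": "2022-03-05 12:00:00"},
        {"resolve": "old-cdn.example", "recordType": "A",
         "firstSeen": "2020-01-15 09:30:00", "lastSeen": "2021-11-02 10:00:00"},
        {"resolve": "login-portal.example", "recordType": "A",
         "firstSeen": "2022-03-01 08:12:00", "lastSeen": "2022-03-28 19:00:00"},
    ],
})


def alert_ips(entities):
    """Pull the IP entities out of an incident; other entity kinds are ignored."""
    return [e["properties"]["address"] for e in entities
            if e.get("kind") == "Ip" and "address" in e.get("properties", {})]


def parse_ts(text):
    """Passive DNS timestamps are naive UTC strings (assumed format)."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def recent_domains(response_text, now, lookback_days=LOOKBACK_DAYS):
    """Keep resolutions still seen within the lookback window, newest first."""
    cutoff = now - timedelta(days=lookback_days)
    rows = [(r["resolve"], r["recordType"], r["firstSeen"], r["lastSeen"])
            for r in json.loads(response_text)["results"]
            if parse_ts(r["lastSeen"]) >= cutoff]
    rows.sort(key=lambda row: row[3], reverse=True)  # same format, so string order is time order
    return rows


def incident_comment(ip, rows, lookback_days=LOOKBACK_DAYS):
    """Render the markdown comment the playbook would attach to the incident."""
    if not rows:
        return f"RiskIQ passive DNS: no resolutions for {ip} in the last {lookback_days} days."
    lines = [f"RiskIQ passive DNS for {ip} (last {lookback_days} days):", "",
             "| Domain | Type | First seen | Last seen |",
             "|---|---|---|---|"]
    lines += [f"| {d} | {t} | {first} | {last} |" for d, t, first, last in rows]
    return "\n".join(lines)


def enrich(entities, lookups, now=None):
    """One comment per IP entity. `lookups` maps IP -> passive DNS JSON text;
    in the playbook this is the RiskIQ connector call."""
    now = now or datetime.now(timezone.utc)
    return {ip: incident_comment(ip, recent_domains(lookups[ip], now))
            for ip in alert_ips(entities) if ip in lookups}


if __name__ == "__main__":
    lookups = {"203.0.113.44": PASSIVE_DNS_RESPONSE}
    for comment in enrich(INCIDENT_ENTITIES, lookups, EXAMPLE_NOW).values():
        print(comment)
```

In the real playbook the `lookups` step is the RiskIQ connector action and the returned comment goes to the Sentinel "Add comment to incident" action; an incident with no IP entity produces no comment rather than a failed run.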
More About External Attack Surface Management (EASM)
Attack Surface Management (ASM) has been around for a while, but the technology research firm Gartner recently began using the term External Attack Surface Management to emphasize the growing threat from outside the organization. EASM is thus an emerging product category that helps organizations identify risks in internet-facing assets and external systems that might otherwise go unnoticed. The large shift to remote work has widened this exposure: the IP addresses in use change constantly and Shadow IT is common, so security teams don't always know what is happening on the organization's attack surface.
That makes it very difficult to monitor and protect every potential point of attack without a tool like External Attack Surface Management. EASM offers continuous monitoring, real-time discovery, analysis of assets, prioritization of risks, and integrated remediation.
For more about External Attack Surface Management in video form, see this overview by RiskIQ’s Steve Ginty.