Respond to high-risk/high-false positive events
Alerts related to sudo to root, password changes, user creations, and VPN authentications, as well as the use of living-off-the-land tools like PowerShell, occur thousands of times per day. The vast majority of these events are legitimate; however, the impact of a single malicious occurrence could be devastating. Enterprise security teams do not have the bandwidth to investigate every one of these alarms.
With Tines you can crowd-source response, dramatically increasing response coverage and staff security engagement.
Use a Webhook or IMAP agent to receive notification when a high-risk/high-false positive event occurs.
Investigate and filter
Use threat intelligence and log searches to filter out obviously legitimate results, for example: has the associated IP been seen in our environment in the last 30 days? Is the associated asset in an inventory? Does the user have a trouble ticket? And so on.
When an event cannot be filtered out as obviously legitimate, use the Tines Prompt Widget to automate reaching out to the employee associated with the event on channels such as IM, email and SMS. For example: "Hi Alice, you recently used sudo on server1.example.com. If you did not perform this action, please click here."
Sound the alarm
If a user confirms the action is not associated with them, escalate to an analyst and/or automate remediation actions.
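The three steps above (receive, filter, prompt, then escalate) form one pipeline. The following is an added illustration in Python, not Tines code or a Tines API: the threat-intel lookup, asset inventory and ticket search are stubbed with constructed in-memory data, the Prompt Widget is replaced by a callback, and the clock is fixed so the 30-day check is reproducible. One assumption beyond the page: a prompt that receives no answer is treated the same as a denial and escalated, since silence should not auto-close a high-risk event.

```python
"""Triage for high-volume / high-false-positive alerts (added example).

Flow: ingest an alert -> discard what enrichment shows to be obviously
legitimate -> ask the named user to confirm the rest -> escalate anything
the user denies. All data sources are constructed stand-ins, not real
integrations.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

# Fixed clock so the "seen in the last 30 days" check is deterministic.
NOW = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)


@dataclass
class Alert:
    kind: str      # e.g. "sudo_root", "password_change", "vpn_auth", "powershell"
    user: str
    host: str
    src_ip: str


# --- constructed enrichment sources (stand-ins for SIEM, CMDB, ticketing) ---
IP_LAST_SEEN = {
    "10.0.5.23": NOW - timedelta(days=3),     # a known internal address
    "203.0.113.7": NOW - timedelta(days=90),  # last seen well outside the window
}
ASSET_INVENTORY = {"server1.example.com", "vpn-gw.example.com"}
OPEN_TICKETS = {"alice": ["CHG-1042: patch server1 (constructed ticket id)"]}


def ip_seen_recently(ip: str, window_days: int = 30) -> bool:
    """Has this source IP appeared in our environment within the window?"""
    seen = IP_LAST_SEEN.get(ip)
    return seen is not None and NOW - seen <= timedelta(days=window_days)


def asset_in_inventory(host: str) -> bool:
    return host in ASSET_INVENTORY


def user_has_ticket(user: str) -> bool:
    return bool(OPEN_TICKETS.get(user))


def obviously_legitimate(alert: Alert) -> bool:
    """All three filters must pass to auto-close; any miss goes to the user prompt."""
    return (ip_seen_recently(alert.src_ip)
            and asset_in_inventory(alert.host)
            and user_has_ticket(alert.user))


def build_prompt(alert: Alert) -> str:
    """Wording of the confirmation message, following the page's example."""
    verbs = {
        "sudo_root": "used sudo on",
        "password_change": "changed your password on",
        "vpn_auth": "authenticated to the VPN from",
        "powershell": "ran PowerShell on",
    }
    action = verbs.get(alert.kind, f"triggered a {alert.kind} event on")
    target = alert.src_ip if alert.kind == "vpn_auth" else alert.host
    return (f"Hi {alert.user.capitalize()}, you recently {action} {target}. "
            "If you did not perform this action, please click here.")


def triage(alert: Alert, ask_user: Callable[[str], Optional[bool]]) -> str:
    """Return 'auto_closed', 'user_confirmed' or 'escalated'.

    ask_user(prompt) stands in for the Prompt Widget: True means the user
    confirms the action was theirs, False means they deny it, None means no
    reply before the prompt timed out.
    """
    if obviously_legitimate(alert):
        return "auto_closed"
    answer = ask_user(build_prompt(alert))
    if answer is True:
        return "user_confirmed"
    # Denial and silence both go to an analyst / automated remediation.
    return "escalated"


if __name__ == "__main__":
    routine = Alert("sudo_root", "alice", "server1.example.com", "10.0.5.23")
    odd = Alert("sudo_root", "bob", "server1.example.com", "203.0.113.7")
    print(triage(routine, lambda p: True))        # auto_closed (never prompts)
    print(triage(odd, lambda p: False))           # escalated
```

The decision lives in `triage()` so the enrichment checks can be swapped for real lookups without touching the escalation logic; the constructed thresholds (30-day window, three filters) are the page's examples, not tuned values.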