Investigate and Respond to Suspicious User Activity

Accelerate response to suspicious user behavior by triggering validation and workflows from behavior alerts. Keep systems secure with automated quarantine of impacted accounts.

Workflow Investigate and Respond to Suspicious User Activity

TLDR: Investigation and Response to Suspicious User Activity

  • Suspicious user & entity behavior monitoring and response is the process of identifying potentially malicious threats caused by users/endpoints actions
  • Detecting suspicious user or entity activity is accomplished by identifying changes in user behavior that are creating a risk to the organization
  • UEBA and next generation SIEM platforms help identify this behavior, using techniques like machine learning, network activity monitoring, rules and signature matching and other advanced analytics
  • Rapid response is essential for mitigating organization-wide compromise Response may include tasks like validating activity with a user, checking the activity source against known malicious sources, and auditing records

What is Suspicious User Activity Response?

When suspicious activity is identified, security teams must act quickly before an attacker can gain a foothold. At the same time, it’s important to allow valid behavior and not block users from executing critical work. Modern UEBA/Next Gen SIEM products offer a range of advanced tools for identifying suspicious activity, but security teams still need to execute a process for responding to these alerts and either allowing the action, or taking steps to block a potential threat.

Some of the steps include:

  • Data collection of user activity from various sources such as Okta, Azure AD, other IDPs
  • Validate user activity directly with the user via various channels such as Slack, Team, Email, phone, etc.
  • Trigger automatic remediation upon activity validation (e.g., sign the user out from several platforms at once, reset user password, trigger MFA, etc.)

Benefits of Automating Suspicious User Activity Response

  • Reduce the volume of events and burden on security analysts by automating validation and response workflows directly with end users
  • Improve efficiency and consistency of the investigation and response with a solution that can easily and quickly integrate with the internal business tools
  • Automatically block/react to high risk events received from your UEBA/Next Gen SIEM solutions

How Torq Automates Suspicious User Activity Response

  • Easily connect UEBA/Next Gen SIEM solutions in minutes, and trigger workflows or launch interactive security bots in response to new alerts
  • Automate contacting the user across multiple systems (slack/teams/email) to validate its actions
  • Create time based workflows that can be triggered if a user’s action can’t be validated
  • Sign out the user from all platforms
  • Reset the user’s credentials
  • Automatically quarantine users or devices pending further verification, then restore access automatically once verification is complete, keeping systems secure throughout
  • Automatically enrich the UEBA investigation data from external systems or Threat Intelligence platforms and provide it to the analyst via a ticket or collaboration tools
  • Update network, endpoint, cloud and other policies automatically or via an interactive workflow that allow for remediation with approvals and tracking interactions with collaborations and ticketing systems
  • Trigger workflows directly from existing systems , such as:
    • IDP: Okta, Azure AD
    • IAAS: AWS, Azure, GCP
    • SAAS applications
    • + more

Start Automating in Minutes

With Torq, any security professional of any skill level can easily connect multiple tools into an automated workflow that can be run as needed — triggered from an alert, or according to a schedule. Get started automating today! Zero coding or API knowledge required.