How to deal with “lack of context” issues when dealing with your endpoint alerts.
TL;DR: Download GetProcessSecurityAlerts from our GitHub account.
In a previous post, I mentioned that generating a memory dump when an alert, generated by one endpoint solution, is triggered would be a good orchestration scenario for incident response or troubleshooting use cases.
Microsoft Graph Security API
Unfortunately, monitoring alerts require a unified interface which is not often available.
Fortunately, Microsoft has been putting a lot of effort in centralizing data through a set of RESTful APIs with a solution called Microsoft Graph API which includes Microsoft Graph Security API (see whitepaper). Microsoft Graph Team is even currently running a hackathon around their Graph Security API.
Microsoft Graph Security API is an aggregated interface between client scenarios and security providers. The alerts and secure score APIs are particularly interesting for us, and we will mainly focus on the alerts API.
Graph Security API layer
Lack of Context (or missing information)
As we will see below in some scenarios, endpoint alerts often omit critical information when querying alerts to the broke which sometimes makes it hard to understand what’s going on without manually double checking a result which is a strong pain point for analysts.
This challenged is called “lack of context” in the Microsoft Graph Security API documentation and is defined as the following:
The other limitation that we will face is the lack of context. The alert contains information on the initiative events or triggers (detection of malware during a scan, suspicious authentication, etc.) and some contextual elements that the security system knows (the name and type of malware, the IP address of the post, the processes involved …). The work of investigation may require access to additional information that may not be available from this provider, but which is distributed among the different providers and which will enrich the entire context around this alert.
The reason behind “lack of context” issues is primarily due to the fact that there is no common scheme/template model between providers which sometimes (always?) make it hard for software vendors and analysts to collect and analyze data.
I tweeted some examples of alerts with “lack of context” issues returned by Microsoft Graph Security API, see below a scenario where no information on the parent process ID is retrieved.
security/alerts returns information gathered from various services, including endpoints such as ATP on events about suspicious behavior found such as:
- a suspicious PowerShell script
- a known malware
- executable hidden as a double execution file (.pdf.exe)
When an alert is raised and recovered, we are particularly interested by:
- Which machine is affected (and where is that machine)
- Which process (or driver) has been flagged as suspicious
After exploring Microsoft Graph Security API, I decided to write a small PowerShell script
GetProcessSecurityAlerts.ps1that pulls the latest alerts from specific categories containing process related information.
The scripts displays the machine information and the processes related information for (managed or unmanaged) alerts that belong to our categories of interest.
Once those information are recovered, the analyst has all the information needed to either:
- do a process memory dump (ProcDump, TaskMgr or Process Explorer)
- or a full memory dump (Comae DumpIt)
We may add a direct integration inside Comae Stardust in the future — but for now, only the PowerShell script is available. We really hope to see more endpoint vendors opening their APIs to make it easier for analysts to deal with “lack of context” challenges, especially during incident response or threat hunting engagements. Hopefully, the release of this script also helps vendors to understand the importance of stable, reliable, informative and fast memory forensics solutions as they complementary to some of their problems.
The PowerShell is available on our GitHub account and can be found at the following address: