Custom Security Automation & Orchestration

Elevate your security posture and operational efficiency with bespoke automation solutions designed by Kocho. We specialize in crafting and implementing security workflows that integrate seamlessly with your existing environment, particularly leveraging Azure Logic Apps and Azure Functions.

Automate Your Security Playbooks

Our custom automation services focus on streamlining critical security tasks, allowing your team to respond faster and more consistently to threats. Examples of security workflows we build include:

Entra ID Actions: Automate user account management like disabling accounts, resetting passwords, or revoking sessions based on security triggers.
Firewall Rule Management: Dynamically create or update firewall rules (e.g., in Azure Firewall, NSGs, or third-party firewalls via API) to block malicious IPs or open necessary ports for specific operations.
Microsoft Defender Indicator Creation: Automatically generate custom threat indicators (IPs, URLs, file hashes) in Microsoft Defender for Endpoint based on alerts from Sentinel or other threat feeds.
Machine Isolation & Investigation: Trigger automated isolation of potentially compromised endpoints using Defender for Endpoint capabilities, and initiate data collection scripts.
Threat Intelligence Enrichment: Automatically enrich security alerts with data from various threat intelligence platforms (e.g., VirusTotal, AbuseIPDB) to provide analysts with immediate context.
Incident Response Orchestration: Chain multiple security actions together to form comprehensive response playbooks, such as blocking an IP, isolating a host, and notifying the security team simultaneously.

Collaborative Development: Logic Apps & Azure Functions

We believe in a partnership approach. Our experts work closely with your team to understand your specific security challenges and operational needs. We then design and build robust automation solutions, primarily using:

Azure Logic Apps: For visually designing and orchestrating complex workflows that connect various services and APIs without extensive coding.
Azure Functions: For executing custom code (PowerShell, Python, C#, etc.) to perform specific tasks that might not be available as pre-built connectors in Logic Apps, or for more complex data manipulation.

This combination provides flexibility and power, ensuring the automation fits your exact requirements.

Example: Automated Defender Indicator Creation

Below is a conceptual representation of a Logic App we might build to automatically create a "Block" indicator in Microsoft Defender for Endpoint when triggered by a new security incident (e.g., from Microsoft Sentinel).

Logic App Snippet: Creating a Defender Indicator

// This Logic App is triggered by an HTTP request (e.g., from Sentinel)
// It receives incident details and the indicator to block.

// Action: HTTP POST to Microsoft Defender API
{
  "inputs": {
    "uri": "https://api.securitycenter.windows.com/api/indicators",
    "method": "POST",
    "headers": { "Content-Type": "application/json" },
    "body": {
      "action": "AlertAndBlock",
      "application": "Created by: Sentinel Playbook",
      "description": "Blocked from Incident ID: @{triggerBody()?['incidentNo']}",
      "expirationTime": "@{addDays(utcNow(), 90)}", // Block for 90 days
      "indicatorType": "@{triggerBody()?['artifactType']}", // e.g., "IpAddress", "Url"
      "indicatorValue": "@{triggerBody()?['indicatorValue']}", // The actual IP or URL
      "severity": "Informational",
      "title": "Block: @{triggerBody()?['indicatorValue']} (Incident: @{triggerBody()?['incidentNo']})"
    },
    "authentication": { // Uses Managed Identity for secure authentication
      "audience": "https://api.securitycenter.windows.com",
      "type": "ManagedServiceIdentity"
    }
  }
}
// The Logic App then checks the response and can notify or log the outcome.

This snippet illustrates the core action of the Logic App defined in your example.json. The full Logic App includes triggers, parsing, and conditional responses.

Seamless Integration with Lumina: Your Interactive Security Hub

Lumina acts as the crucial user interface for these powerful automations, bringing notifications, approval requests, and status updates directly into your Microsoft Teams environment. This ensures your security team can make informed decisions and take action swiftly, right where they collaborate.

Workflow Example: Automated Malicious IP Blocking via Lumina

Here's how Kocho SOC, Lumina, and our custom automation work together to respond to a threat (e.g., a malicious IP 123.45.67.89). Click the buttons to navigate the flow:

Step 1: Kocho SOC Verifies Alert

An alert is triggered (e.g., from Microsoft Sentinel). The Kocho Security Operations Center (SOC) first investigates and validates the alert. We ensure it's a true positive and warrants action before initiating any automated response or requesting client approval. This crucial human validation step prevents unnecessary actions and ensures accuracy.

Kocho SOC Analyst: "Investigating alert for IP 123.45.67.89... Confirmed malicious activity. Preparing for client notification and action."

Step 2: Lumina Asks for Client Approval

Following an alert (e.g., from Microsoft Sentinel), Lumina posts an interactive card to Microsoft Teams, requesting approval from the SOC to block the malicious IP 123.45.67.89.

Lumina Bot: ACTION REQUIRED: Approve Firewall Block for IP 123.45.67.89
Incident: INC-00125
Details: Malicious IP 123.45.67.89 communicating with SRV-FIN-01.
[Approve Block] [Decline Block]

Step 3: Automation Kicks In (Logic App for Azure Firewall)

Upon approval via the Lumina card, Lumina triggers a pre-configured Azure Logic App. This Logic App takes the malicious IP and automatically creates a 'Deny' rule on your Azure Firewall.

Conceptual Logic App Action: Block IP in Azure Firewall

// Action: Create or Update Azure Firewall Rule
{
  "inputs": {
    "host": {
      "connection": { "name": "@parameters('$connections')['azurefirewall']['connectionId']" }
    },
    "method": "put",
    "body": {
      "properties": {
        "priority": 150, // Example priority
        "action": { "type": "Deny" },
        "rules": [
          {
            "name": "Block_Malicious_IP_@{triggerBody()?['ipAddress']}",
            "protocols": [ "Any" ],
            "sourceAddresses": [ "@{triggerBody()?['ipAddress']}" ],
            "destinationAddresses": [ "*" ], // Or specific internal ranges
            "destinationPorts": [ "*" ]
          }
        ]
      }
    },
    "path": "/subscriptions/@{appsetting('AzureSubscriptionId')}/resourceGroups/@{appsetting('FirewallResourceGroup')}/providers/Microsoft.Network/azureFirewalls/@{appsetting('AzureFirewallName')}/networkRuleCollections/AutomatedBlocks_Lumina?api-version=2023-05-01"
  }
}

Step 4: Confirmation in Lumina

Once the firewall rule is successfully applied, the Logic App notifies Lumina. The original card in Teams is updated (or a new card is posted) confirming that the IP has been blocked, who approved it, and when the action was completed.

Lumina Bot: ✅ ACTION COMPLETE: IP 123.45.67.89 Blocked
Incident: INC-00125
Firewall rule 'Block_Malicious_IP_123.45.67.89' created.
Approved by: Demo User at 10:35 AM

Enhanced Visibility with Sentinel Workbooks

To complement these automation workflows, we also design and build custom Microsoft Sentinel Workbooks. These interactive dashboards provide clear visibility into the performance and outcomes of your security automations, track key metrics, and help you demonstrate the value of your automated security operations.

Key Benefits of Custom Security Automation

Rapid Threat Response: Significantly reduce the time between detection and containment.
Consistent Execution: Ensure security playbooks are executed accurately every time, minimizing human error.
SOC Efficiency: Free up your security analysts from repetitive tasks to focus on complex threat hunting and investigation.
Scalability: Handle increasing alert volumes without a proportional increase in manual effort.
Improved Security Posture: Proactively strengthen your defenses by automating preventative actions and responses.

Partner with Kocho to transform your security operations with intelligent, bespoke automation.