Information Sharing and Analysis Center (ISAC) is an organization that provides a central resource for gathering information on cyber and related threats to critical infrastructure and plays an important role in safeguarding industries from emerging threats. By bridging the gap between private and public sectors, ISACs provide timely and actionable intelligence on vulnerabilities that impact critical infrastructure. However, manually processing the ISAC threat bulletins can be overwhelming and slow, leaving security teams scrambling to respond in time. This document explores how leveraging automation through Logic Apps and Microsoft's Copilot for Security can streamline ISAC email processing, empowering organizations to respond to vulnerabilities faster and more effectively.
In the US, several industries have their own ISACs which are registered with the National Council of ISACs, a subset of these ISACs are given below:
Canada, the UK, and other countries also have localized and industry-specific ISACs for their regions.
ISACs send out threat bulletins in email format which contain CVEs and other threat intel. The receiving members of these bulletins are expected to scan their environment for the mentioned CVEs/threat intel thus allowing for proactive remediation. Below is a sample of a threat bulletin sent by Health-ISAC (available for download here😞
The normal process of scanning CVEs contained in an ISAC requires each CVE to be manually verified against the vulnerability management tool. Other high-priority work can prevent the security analysts from analyzing the CVEs till several days after receiving the ISAC email.
As a large language model (LLM) focused on security, Copilot can take the manual effort out of this analysis by auto converting the generic ISAC bulletin into actionable information that only includes the CVEs that exist in your environment. With the help of Logic Apps to retrieve and parse out the email, an agent type workflow that analyzes the ISAC email and converts it to actionable information can be built. In the next section we will discuss how to build this Logic App.
Logic App
Logic App is a low-code / no-code platform provided in Azure. With it’s over 1000 connectors, it has tremendous capabilities in building automated workflows. This article assumes familiarity with Logic Apps and to get more understanding on building and using Logic Apps, documentation is available here. The user deploying a Logic App needs at least a ‘Contributor’ role in the Azure resource group to which the Logic App is being deployed.
The starting point of the Logic App flow is the trigger that allows a Logic App flow to be executed when the trigger event has occurred. In our example, we use an email trigger and configure it for the specific Outlook mailbox that receives the ISAC email.
To extract the CVEs contained in the email, we will need 2 variables, cveArray, and uniqueCVEArray which are initialized separately.
The subject of the email will determine if it should be processed further. A conditional clause handles the situation, resulting in a true or branch.
Most ISAC emails will have “ISAC” in the email subject which is what determines the outcome. Adding another condition that checks the sender’s email is also recommended as it further ensures that the Logic App runs for a legitimate ISAC email only.
If the conditions have evaluated to true, we continue further execution in the Logic App. Most ISAC emails arrive in HTML format, and two connectors are leveraged. One to extract the HTML body (which is contained in a JSON provided by the Outlook trigger) and another to convert the HTML document to text as shown below:
Once the email body is extracted, we are ready to extract the CVEs. Copilot for Security can natively perform this task however, it’s not the most efficient method with large emails. Hence, we extract the CVEs in the Logic App itself. There are many options to accomplish this, we have chosen the JavaScript connector:
We define a Regular Expression (RegEx) with JavaScript to identify CVEs:
*Note that if the JavaScript Code connector is run in a consumption Logic App, it will need an integration account to run correctly.
The extracted CVEs are now assigned to cveArray variable, however if the same CVE is mentioned multiple times in the email body it will have repeated entries. To remove the duplicates we use the union() function on cveArray and the unique CVEs are then stored in another variable uniqueCVEArray. The data is now ready to send to Copilot for Security.
The Copilot for Security Logic App connector can issue prompts and receive responses. The first prompt will send all CVEs from uniqueCVEArray and ask Copilot to extract those CVEs. While not mandatory, this step ensures that Copilot parses out and understands the CVEs to be presented and prevents wrong input to be provided to downstream prompts.
The second prompt asks Copilot to show how many of the CVEs are present in the environment. This prompt uses KQL to query Microsoft Defender’s Threat and Vulnerability Management (TVM) data to find the CVEs. If you are using another TVM tool you can write a Copilot API plugin for it and modify this prompt to allow Copilot to analyze the CVEs using your specific tool.
*Note that if the Logic App is going to be run frequently, it is more efficient from an SCU consumption perspective to convert the KQL query into a KQL plugin. Or you can also specify the KQL directly in the prompt, where the new prompt is shown below:
"Execute the KQL:
DeviceTvmSoftwareVulnerabilities | where CveId in (AllCVEs) | summarize count() by CveId
where AllCVEs is the list of all CVEs shown previously"
Once we have the CVE scan information our next prompt requests Copilot to write a report and enrich the CVE information with data from Microsoft Defender Threat Intelligence (MDTI) and only include the CVEs that were found in the environment.
The results of the CVE’s found and its enriched data will be sent as another email to one or more users. Microsoft Outlook sends formatted emails in HTML format so now we need to convert the report generated by Copilot to HTML format, and in our last prompt we ask Copilot to do just that.
Our last connector is for sending the email via Outlook. This takes the HTML report and sends it as an email to specific users.
Note that in the body of the email we included additional details like Copilot SessionID, the CVE scan report (from the 3rd prompt) and the last HTML report (from 4th prompt). The HTML report is the only one that users are interested in, but having those additional fields helps in initial deployment where you may need to tweak the output to customize it for your environment.
The email received from the last Outlook plugin is shown below. The report format can be easily changed by modifying the 3rd and 4th prompts:
In this article, we showed how to build a Logic App that can act as an agent to process ISAC emails containing CVE information. The Logic App takes a generic ISAC threat bulletin, and with help from Copilot converts the generic email to an actionable email that contains only the CVEs that are present in your environment and enriches the context by providing more information on each.
Depending on the number of ISAC or other CVE-related emails received per week, this Logic App can save several minutes to hours of work for a security organization.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.