
Use LogicApps and Copilot for Security to auto-process ISAC Emails

by info.odysseyx@gmail.com


The Information Sharing and Analysis Center (ISAC) is an organization that provides a central resource for gathering information about cyber and related threats to critical infrastructure, and plays a critical role in protecting industries from emerging threats. ISAC bridges the gap between the private and public sectors, providing timely and actionable intelligence on vulnerabilities that affect critical infrastructure. However, manually processing ISAC threat bulletins can be overwhelming and slow, leaving security teams struggling to respond in a timely manner. In this article, we will explore how automation through Logic Apps and Microsoft’s Copilot for Security can streamline ISAC email processing, enabling organizations to respond to vulnerabilities faster and more effectively.

In the United States, many industries have their own ISACs, which are registered with the ISAC National Council. A subset of these ISACs is listed below:

  • Automotive ISAC: ISAC for the Automotive Industry
  • E-ISAC: ISAC for the Electrical Industry
  • FS-ISAC: ISAC for the Financial Services Industry
  • Health-ISAC: ISAC for the Healthcare Industry
  • ONG-ISAC: ISAC for the Oil and Gas Industry

Canada, the UK and other countries also have localized and industry-specific ISACs.

ISACs send out threat bulletins by email containing CVEs and other threat information. Members receiving these bulletins are expected to scan their environments for the CVEs/threats mentioned and take proactive remediation. Below is a sample threat bulletin sent by Health-ISAC (downloadable here):


The typical process of scanning the CVEs included in an ISAC bulletin requires each CVE to be manually validated against a vulnerability management tool. Because of other high-priority tasks, it may take security analysts several days to analyze the CVEs after receiving the ISAC email.

Copilot for Security, a security-focused large language model (LLM) service, can remove the manual work from this analysis by automatically converting generic ISAC bulletins into actionable information that includes only the CVEs that exist in your environment. Using Logic Apps to read and parse the emails, you can build an agent-style workflow that analyzes ISAC emails and converts them into actionable information. The following sections describe how to build this Logic App.

Logic App

Logic Apps is a low-code/no-code platform provided by Azure. With over 1000 connectors, it is a powerful environment for building automated workflows. This article assumes you are familiar with Logic Apps; guidance on building and using Logic Apps is available here. The user deploying the Logic App needs at least the ‘Contributor’ role on the Azure resource group where the Logic App is deployed.

The starting point of a Logic App flow is a trigger, which allows the Logic App flow to run when a trigger event occurs. In this example, we use an email trigger and configure it for a specific Outlook mailbox that receives ISAC emails.


Extracting the CVEs contained in an email requires two variables, cveArray and uniqueCVEArray, which are initialized separately.


Further processing is determined by the subject line of the email. A condition action handles this and produces a true branch and a false branch.


Most ISAC emails have “ISAC” in the subject line, which is what the condition checks. It is also a good idea to add a second condition that verifies the sender’s email address, as this ensures the Logic App only runs on legitimate ISAC emails.
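The gating condition described above, written as an added JavaScript example (not the article's own Logic App configuration) so it can be tested: the subject check mirrors the article's “contains ISAC” rule, and the sender check compares the exact sender domain against an allow-list. The domains in ALLOWED_SENDER_DOMAINS are placeholders, not real ISAC addresses.

```javascript
// Added example, not from the original article. Domains below are placeholders.
const ALLOWED_SENDER_DOMAINS = ["isac.example", "alerts.isac.example"];

function senderDomain(fromAddress) {
  // Use the address inside <> when present, e.g. 'Health-ISAC <alerts@isac.example>'.
  const m = /<([^>]+)>/.exec(fromAddress);
  const addr = (m ? m[1] : fromAddress).trim().toLowerCase();
  const at = addr.lastIndexOf("@");
  return at === -1 ? "" : addr.slice(at + 1);
}

function shouldProcess(subject, fromAddress) {
  // Same rule as the article's condition: the subject must contain "ISAC".
  const subjectOk = (subject || "").includes("ISAC");
  // Exact domain match, so "isac.example.attacker.net" is rejected even though
  // a substring check on the sender string would accept it.
  const senderOk = ALLOWED_SENDER_DOMAINS.includes(senderDomain(fromAddress || ""));
  return subjectOk && senderOk;
}
```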


If the condition evaluates to true, the Logic App continues with further execution. Most ISAC emails arrive in HTML format, and two connectors are leveraged: one extracts the HTML body (included in the JSON provided by the Outlook trigger), and the other converts the HTML document to text, as shown below.


Once the email body is extracted, we are ready to extract the CVEs. Copilot for Security can do this natively, but it is not the most efficient way to do it for large emails. Therefore, we extract the CVEs in the Logic App itself. There are several options to achieve this, but we chose the JavaScript connector.


Define a regular expression (RegEx) in JavaScript to identify the CVE identifiers.


*If your JavaScript code connector runs in a Consumption logic app, you will need an Integration Account for it to run correctly.

The extracted CVEs are now assigned to the cveArray variable. If the same CVE is mentioned several times in the email body, this results in duplicate entries. To remove the duplicates, apply the union() function to cveArray and store the unique CVEs in the second variable, uniqueCVEArray. You are now ready to pass the data to Copilot for Security.
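The CVE extraction and the union() de-duplication described above, together with the quoted list needed for the KQL prompt later in the article, as an added JavaScript example (not the article's own connector code). The bulletin text in SAMPLE_BODY is constructed for this example, and the function names are assumptions.

```javascript
// Added example, not the article's connector code. SAMPLE_BODY is constructed.
// CVE ids follow the scheme CVE-<4-digit year>-<4 or more digits>.
const CVE_ID_PATTERN = /\bCVE-\d{4}-\d{4,}\b/gi;

const SAMPLE_BODY = `
Health-ISAC TLP:CLEAR Vulnerability Bulletin (constructed sample)
Affected: CVE-2024-1234 and cve-2024-1234 (repeated), CVE-2023-45678.
Not a valid id: CVE-24-1 ; reference CVE-2024-00001.
`;

function extractCves(text) {
  // Upper-case so 'cve-2024-1234' and 'CVE-2024-1234' are the same id (this is
  // what ends up in cveArray, duplicates included).
  return (text.match(CVE_ID_PATTERN) || []).map((id) => id.toUpperCase());
}

function uniqueCves(text) {
  // Set keeps first-seen order; this is the union() step that fills uniqueCVEArray.
  return Array.from(new Set(extractCves(text)));
}

function kqlInList(cveIds) {
  // KQL string literals must be quoted. Only regex-validated ids reach this
  // point, so bulletin text cannot smuggle query operators into the list.
  return cveIds.map((id) => `"${id}"`).join(", ");
}

function buildTvmQuery(text) {
  // The query the article's KQL prompt runs, with AllCVEs filled in.
  const ids = uniqueCves(text);
  return `DeviceTvmSoftwareVulnerabilities | where CveId in (${kqlInList(ids)}) | summarize count() by CveId`;
}

// Inline-code actions in Logic Apps return a value; keep the same shape here.
function run() {
  return {
    cveArray: extractCves(SAMPLE_BODY),
    uniqueCVEArray: uniqueCves(SAMPLE_BODY),
    kql: buildTvmQuery(SAMPLE_BODY),
  };
}
```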


The Copilot for Security Logic Apps connector can issue prompts and receive responses. The first prompt sends all CVEs from uniqueCVEArray and asks Copilot to extract the CVEs. This step is optional, but it confirms that Copilot can parse and understand the CVEs you present, and that no malformed input reaches the downstream prompts.


The second prompt asks Copilot to report how many of the CVEs are present in your environment. This prompt uses KQL to query Microsoft Defender’s Threat and Vulnerability Management (TVM) data for the CVEs. If you use a different TVM tool, you can write a Copilot API plugin for it and modify this prompt so that Copilot uses that tool to analyze the CVEs.


*If you plan to run your Logic App frequently, it may be more efficient from an SCU consumption perspective to convert the KQL query into a KQL plugin. Alternatively, you can specify the KQL directly in the prompt. The new prompt then looks like this:

“Run KQL:
DeviceTvmSoftwareVulnerabilities | where CveId in (AllCVEs) | summarize count() by CveId”

Here, AllCVEs is the list of all CVEs shown previously.

Once you have the CVE scan information, the following prompt asks Copilot to create a report, enriching the CVE information with data from Microsoft Defender Threat Intelligence (MDTI), and including only the CVEs discovered in your environment.


The results and the enriched data for the discovered CVEs are sent to one or more users in another email. Since Microsoft Outlook sends emails in HTML format, the report generated by Copilot must first be converted to HTML, which is what the final prompt asks Copilot to do.


The final connector sends an email via Outlook. It takes the HTML report and emails it to the specified users.


The email body contains additional details such as the Copilot SessionID, the CVE scan report (taken from the 3rd prompt) and the final HTML report (from the 4th prompt). The HTML report is the only part users are interested in, but the additional fields are helpful when you need to customize the output to fit your environment during the initial deployment.


Here is the email I received from the final Outlook connector. The report format can easily be changed by modifying the 3rd and 4th prompts:


This article showed how to build a Logic App that can act as an agent to process ISAC emails containing CVE information. The Logic App takes a common ISAC threat bulletin and, with the help of Copilot, transforms the common email into an actionable email that contains only the CVEs present in your environment and provides additional information about each to enrich the context.

Depending on the number of ISAC or other CVE-related emails you receive per week, this Logic App can save your security organization minutes or even hours of work.
