What’s New: MDTI Microsoft Sentinel Playbooks

Microsoft Defender (MDTI) now has new ways to boost interoperability and help the SOC punch above its weight by responding to threats at scale. During Microsoft Secure, we introduced capabilities that help enterprise users power up with Microsoft Defender , including an API and Microsoft Sentinel Playbooks. These new playbooks will enable defenders to tap into MDTI's raw and finished intelligence at scale to quickly boost their understanding of and automatically triage threats.

MDTI Sentinel Playbooks

MDTI Sentinel playbooks will help customers improve their MTTA (time to acknowledge) and MTTR (mean time to respond) by enriching entities within incidents and alerts. Azure Logic Apps is at the heart of Microsoft Sentinel's SOAR capability, allowing our customers and partners to create automated workflows for any scenario required in the SOC. When you create Microsoft Sentinel playbooks, you leverage a robust platform that handles billions of requests daily and drives business productivity in multiple verticals. It can integrate with almost any service or product natively, with more than 450 connectors and a growing library of security-oriented integrations.

Leveraging MDTI can help streamline these multiple cybersecurity tasks when conducting threat infrastructure analysis and gathering . MDTI's ability to aggregate and yield crucial data sources and enrich them goes hand in hand with reducing the investigation time for security analysts. Below, I will outline in detail how we can leverage these new playbooks.

Before we begin, users must have all three of the following to access and use the playbooks:

Note:

  • Please reference our “Getting Started with MDTI” blog for details regarding setting up your MDTI Premium trial.

What scenarios will the MDTI Sentinel Playbooks enable? We will be looking at three playbooks focused on the following areas:

  • Automated Triage: This playbook uses the Microsoft Defender Threat Intelligence Reputation data to automatically enrich incidents generated by Microsoft Sentinel. Indicators from an incident will be evaluated with MDTI Reputation data. If any indicators are labeled as “suspicious,” the incident will be tagged as such, and its severity will be marked as “medium.” If any indicators are labeled as “malicious,” the incident will be tagged as such, and its severity will be marked as “high.” Regardless of the reputation state, comments will be added to the incident outlining the reputation details with links to further information if applicable.
  • Enrichment via Web Component Data: This playbook automatically enriches incidents generated by Microsoft Sentinel with Web Components data that indicators found within the incident are known to be hosting. These components allow a user to understand the makeup of a webpage or the technology and services driving a specific piece of infrastructure. Pivoting on unique components can find actors' infrastructure or other sites that are compromised. Users can also understand if a website might be vulnerable to a specific attack or compromise based on the technologies that it is running.
  • Enrichment via reputation score: This playbook uses the MDTI Reputation Data to automatically enrich incidents generated by Microsoft Sentinel. Reputation information gives an analyst a decision as to whether an indicator is considered benign, suspicious, or malicious. Analysts can leverage this playbook to enrich indicators found within an incident. Each reputation result is contained within a comment and will include detailed scoring information noting why a given indicator is considered suspicious or malicious, with links back to the MDTI platform for more information.

Installation and Configuration of the Playbooks 

The following are the steps required to create, configure, and use the playbooks within Microsoft Sentinel:

1) Create an client app with Permissions to the API 

2) Install the MDTI Sentinel playbooks

3) Configure the MDTI Base playbook with Client APP credentials

4) Configure the other three MDTI playbooks (Intel Reputation, Automated Triage, and Web Components)

5) Use the playbooks within Microsoft Sentinel 

Creation for client APP with MDTI API permissions

When configuring this playbook, you need the Azure AD App Registration credentials (ClientId/ClientSecret/TenantId) with MDTI API Permissions. These can be found on your Azure Client App page. For more details, visit the MDTI API documentation. If you have trouble accessing your account or credentials, contact your account representative or reach out to discussMDTI[@]microsoft.com.

Install the MDTI Sentinel playbooks

Customers can access these playbooks through the following methods:

Sean_Wasonga_1-1680099875220.png

Figure: Deploying MDTI Sentinel playbooks from Sentinel GitHub 

Solutions are packages of Microsoft Sentinel content or Microsoft Sentinel API integrations that fulfill an end-to-end product, domain, or industry vertical scenario in Microsoft Sentinel. Both solutions and standalone items are discoverable and managed from the Content Hub.

For the MDTI solution, we will be packaging the three playbooks. Users will have to install the playbooks directly for the Content Hub. To get this process started, proceed to Microsoft Sentinel Content Hub Pane and search for Microsoft Defender Threat Intelligence, then click Install and proceed with the installation procedures.

Sean_Wasonga_0-1679939069643.png

Figure: Microsoft Sentinel Content Hub Solution ~ MDTI preview 

After successfully installing the solution, you should see the following on the content Hub pane:

Sean_Wasonga_0-1680006880762.png

Figure:  MDTI content Hub solution Installed. 

* MDTI-Base playbook is mandatory to be configured for the other playbooks to be used 

Configure the MDTI base playbook with Azure AD Client APP credentials

1) Proceed to the Content Hub pane and search for the MDTI solution. Click on Manage for visibility of the four playbooks found within the solution.

2) Configure the MDTI Base playbook with the client app credentials. To do this, select the MDTI Base playbook and click Configure.

Sean_Wasonga_0-1680007712653.png

Figure: Configuring the MDTI-Base playbook

3) This should direct you to a page instructing you to Create the playbook. Proceed with that action, and you will be required to add the Client App credentials in the Parameters, which is necessary for the playbook to work successfully.

4) After adding these details, click Create and Continue to designer.

Sean_Wasonga_0-1680098192725.png

Figure: Adding Client app credentials to the MDTI-Base playbook parameters (one will need to add the ClientId/ClientSecret which we generated earlier)

Configure the other Three MDTI playbooks (Intel Reputation, Automated Triage, and Web Components)

After successfully installing the MDTI base playbook, you can now proceed to configure the other 3 playbooks found within the MDTI content hub solution. To do this,

1) Go to the content hub pane, look for the MDTI Solution, 

2) Select Manage and proceed to select one playbook (in this example, we will use MDTI intel reputation)

3) Proceed with the configuration process. (Repeat this action for the other playbooks MDTI -Automate -TriageMDTI-Data-WebComponents)

Sean_Wasonga_1-1680008650425.png

Figure: Configuring MDTI Intel Reputation playbook from MDTI content Hub Solution

Using the Sentinel playbooks within Microsoft Sentinel 

Create an rule

After successfully deploying all the playbooks, the next step is leveraging these playbooks within Microsoft Sentinel. To do this, you will need to create an rule. Here's how:

1) Navigate again to your Microsoft Sentinel workspace and click on “Automation.” Then, create a new automation rule and give it a name.

2) In the “Conditions” section, select “Contains” and choose any analytic rule you have previously configured.

3) Under “Actions,” select “Run Playbook” and select the MDTI playbooks. Finally, click “Apply” to create the automation rule.

Sean_Wasonga_4-1679939410910.png

Figure: Creation of an automation rule to trigger the MDTI Sentinel playbooks every time an incident is created 

Once you have deployed the logic apps, you can use them in incidents within Microsoft Sentinel. Within incidents, you can run a playbook action and run the individual playbooks on the incident for enrichment by selecting Incident actions.

Sean_Wasonga_0-1680015446198.png

Figure: running MDTI Playbooks from a Microsoft Sentinel Incident

The outcome from the playbook is added to the comments that are accessible from the activity Log view in the incident:

Sean_Wasonga_1-1680015602682.png

Figure: Accessing the Activity Log on a Microsoft Sentinel incident to visualize the comment added by playbooks 

The three playbooks and their expected outcomes are as follows:

1. Playbook 1: MDTI~AUTOMATED TRIAGE

This playbook uses the MDTI Reputation data to automatically enrich incidents generated by Microsoft Sentinel. 

Prerequisites

This playbook inherits API connections created and established within a base playbook. Ensure you have deployed MDTI-Base in this playbook. If you have trouble accessing your account or credentials, contact your account representative or reach out to discussMDTI[@]microsoft.com.

Below, we can see the incident's severity was changed to active, with a Malicious Tag from MDTI added in the comment. Additional details about the entity have also been included, including why it was deemed malicious.

Sean_Wasonga_8-1679939872168.png

Figure: Comment added from automated triage playbook showing malicious reputation as well as Severity being changed to High , Incident status changing to active

Sean_Wasonga_9-1679939916095.png

Figure: The severity of the incident was changed to ‘High' due to the classification and a tag of MDTI Malicious was added

2. Playbook 2: MDTI~ WEB COMPONENT DATA

This playbook uses the MDTI components data to automatically enrich incidents generated by Microsoft Sentinel. 

Prerequisites

This playbook inherits API connections created and established within a base playbook. Ensure you have deployed MDTI-Base in this playbook. If you have trouble accessing your account or credentials, contact your account representative or reach out to discussMDTI[@]microsoft.com.

In the figure below, we see a comment added from an enriched playbook showing the infrastructure of entity 185.82.217.3. In this case, we can see a category of a command-and-control server (Cobalt Strike), giving us a major clue in our investigation.

Sean_Wasonga_12-1679940996863.png

Figure: Enriched incident generated from web component data, we can see the following IP hosting a command-and-control server that is synonymous with Cobalt strike activity

3. Playbook 3: MDTI~ INTEL REPUTATION

This playbook uses the Defender Threat MDTI Reputation Data to automatically enrich incidents generated by Microsoft Sentinel. Reputation information lets an analyst decide whether an indicator is benign, suspicious, or malicious.

Prerequisites

This playbook inherits API connections created and established within a base playbook. Ensure you have deployed MDTI-Base in this playbook. If you have trouble accessing your account or credentials, contact your account representative or reach out to discussMDTI[@]microsoft.com.

Below, we can see the comment added from the Intel Reputation playbook. This time we have entity 185.82.217.3, whose reputation score is 100 with a malicious classification. Additionally, it is part of intel profiles Cobalt Strike and Hafnium.

Sean_Wasonga_2-1680015999244.png

Figure: Comment showing a malicious score (100) and detection rules in relation to the score (Threat actor profiles of both Cobalt strike and HAFNIUM, as well as an ASN that exhibits suspicious behavior).

We Want to Hear from You!

Be sure to join our fast-growing community of security pros and experts to provide product feedback and suggestions and start conversations about how MDTI is helping your team stay on top of threats. With an open dialogue, we can create a safer internet together. Learn more about MDTI.

 

This article was originally published by Microsoft's Defender Threat Intelligence Blog. You can find the original article here.