After brainstorming with someone about the need for increased security for high-value targets, and the lack of budget to provide it, I stumbled across the connector for Windows Defender Advanced Threat Protection (ATP) in Microsoft Flow. I used it to build a scenario that gives the exec that little bit of extra attention without increasing the load on the SOC.
For those of you unfamiliar with it, Flow is a workflow automation tool that is very easy to use and lets you build an automated "if this, then that" scenario extremely quickly. In fact, this being my first foray into Flow, it took me less than an hour to get my scenario up and running. It does help if you have a basic understanding of coding logic, because then you will already be familiar with concepts such as variables, operators, loops and conditions, but no previous knowledge is really required. Flow already has a huge library of connectors that let you build out all kinds of complex scenarios in an easy way.
So, what's the scenario to increase protection for the exec? When an alert gets raised on a machine owned by a high-value target, we launch a workflow that takes some proactive response actions and, after a quick triage, escalates to another tier. The aim is to increase protection without increasing operational effort. The workflow uses lower-impact response actions that should not hurt the user experience (too much), and it promises to lower response time considerably.
Let me write this out for you. Since it explains the logic behind the Flow, you could go out and build this yourself in minutes. Here we go:
1. An alert is raised inside Windows Defender ATP. A Trigger (which is a Flow concept) picks up on the alert and the Flow starts to run. You configure this trigger to run using an Azure AD account that is authorized to use the Windows Defender ATP API connector.
2. Now it's time for some Action (yup). We collect the machines involved in the alert using Get Machines and then Apply the next action (a filter) on the resulting set.
3. The next action is where we need just a little help from Windows Defender ATP to make this scenario specific to execs. We Apply to each machine object retrieved in the previous Action a filter on the machine tag "VIP", and add a Condition so that if this value is true we perform action A, else we perform action B. This is where we specialize towards the exec. I've configured action B to do nothing (in fact, for demo purposes, I put in an email action that acts as a catch in case I forgot to set a VIP tag: it sends me the machine details so I can go over to Windows Defender ATP and configure it).
4. Now for action A. We've filtered down to the machines that carry the "VIP" tag, which reduces some noise, but since this could be multiple machines I need to focus on a single alert and deal with those individually. We add another Action (Get single alert) that retrieves a single alert in the context of the machines retrieved earlier (nested logic).
5. OK, we now have a single alert on a machine tagged "VIP". It's probably a good idea to leave the alert alone if it's Informational, so we add a Condition Control: when the alert severity (the field is called "Alert severity") is not equal to the string "Informational", we perform action A, else we perform action B (again, I configured an email notification to tell me if something went wrong in my flow, but it is not something that should ever be triggered). If you wish to make this more specific, for example Medium and High severity alerts only (ignoring Informational and Low), you can add additional Condition Controls. But, since I want to test my flow easily later on, I actually set the filter to run only on Informational alerts (I will use an EICAR test file to trigger that). For now.
6. Next up, what do we do with this alert on the exec's machine? Well, I want to proactively perform the Collect Investigation Package Action. I select the machine to do this on (using the Machine ID) and specify a comment.
7. Next Action is “Send an email” so my Tier 1 is notified about the alert. In the body of the message I provide some details about the machine and the alert and ask Tier 1 to perform triage (the next iteration of my Flow will use Teams instead of email!).
8. We then send out an Approval to Tier 1 asking them to qualify the alert as a true positive. We add a Condition: If the response is not Approve, we perform an Action where the alert is set to Resolved and assigned to Tier 2 (to notify them of the outcome).
9. If Yes, we have determined that something bad is happening on this exec's machine, so let's go ahead and take another Action: we set the machine to Restricted App Execution mode so that it is only allowed to run Microsoft-signed code. Our exec is now somewhat protected against further exploitation but can still use Office 365, for example.
10. Last Action is to set the status of the alert to “In Progress” and then assign it to Tier 3 so they can go ahead and use Windows Defender Security Center to investigate the machine. Once you’ve finished building, you can set Flow to test mode and trigger an alert (in my case, EICAR block by Windows Defender Antivirus). You can track the execution of the flow in the portal and of course observe the changes to the alert/machine.
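To make the branching of steps 2 to 10 explicit, here is the same decision tree written out in plain Python. This is an added example, not part of the original post and not Flow's or the Windows Defender ATP connector's own code: the `RecordingAtpClient` class is a stand-in that records which response action would have been called, and all machine and alert data in it is constructed for the example. It implements the production filter from step 5 (skip Informational alerts) rather than the temporary test setting.

```python
"""The VIP-alert workflow as a plain decision tree (added example, not the post's Flow).

A recording client stands in for the Windows Defender ATP connector so the
branching can be exercised offline. Machines and alerts below are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, List


@dataclass
class Machine:
    machine_id: str
    computer_name: str
    tags: List[str] = field(default_factory=list)


@dataclass
class Alert:
    alert_id: str
    machine_id: str
    severity: str            # "Informational", "Low", "Medium" or "High"
    status: str = "New"
    assigned_to: str = ""


class RecordingAtpClient:
    """Hypothetical stand-in for the connector actions; each call is logged as a string."""

    def __init__(self) -> None:
        self.actions: List[str] = []

    def collect_investigation_package(self, machine_id: str, comment: str) -> None:
        self.actions.append(f"collect_package:{machine_id}")

    def restrict_app_execution(self, machine_id: str, comment: str) -> None:
        self.actions.append(f"restrict_app_execution:{machine_id}")

    def update_alert(self, alert: Alert, status: str, assigned_to: str) -> None:
        alert.status = status
        alert.assigned_to = assigned_to
        self.actions.append(f"update_alert:{alert.alert_id}:{status}:{assigned_to}")

    def send_email(self, to: str, subject: str) -> None:
        self.actions.append(f"email:{to}:{subject}")


def handle_alert(alert: Alert, machines: List[Machine], client: RecordingAtpClient,
                 approve: Callable[[Alert], bool]) -> str:
    """Run the workflow's decision tree for one alert and return an outcome label.

    `approve` plays the role of the Tier 1 Approval step and returns True for a
    confirmed true positive.
    """
    # Steps 2-3: machines involved in the alert, filtered on the "VIP" tag.
    vip = [m for m in machines if m.machine_id == alert.machine_id and "VIP" in m.tags]
    if not vip:
        # Action B of step 3: the catch-all mail in case the tag was forgotten.
        client.send_email("me", f"no VIP tag on machine for alert {alert.alert_id}")
        return "not_vip"
    machine = vip[0]

    # Step 5: leave Informational alerts alone.
    if alert.severity == "Informational":
        return "informational_skipped"

    # Step 6: proactively collect the investigation package.
    client.collect_investigation_package(
        machine.machine_id, f"Auto-collected for VIP alert {alert.alert_id}")

    # Step 7: notify Tier 1 so they can triage.
    client.send_email("tier1", f"VIP alert {alert.alert_id} on {machine.computer_name}")

    # Step 8: Tier 1 approval; anything but Approve resolves and informs Tier 2.
    if not approve(alert):
        client.update_alert(alert, "Resolved", "Tier 2")
        return "false_positive"

    # Steps 9-10: contain the machine, then hand the alert to Tier 3.
    client.restrict_app_execution(
        machine.machine_id, f"Restricted after Tier 1 confirmed alert {alert.alert_id}")
    client.update_alert(alert, "In Progress", "Tier 3")
    return "escalated"


if __name__ == "__main__":
    fleet = [Machine("m1", "EXEC-LAPTOP", ["VIP"]), Machine("m2", "DEV-PC", [])]
    client = RecordingAtpClient()
    result = handle_alert(Alert("a1", "m1", "High"), fleet, client, lambda a: True)
    print(result, client.actions)
```

Running the module shows the four possible outcomes: a non-VIP machine only triggers the catch-all email, an Informational alert is left untouched, a rejected approval resolves the alert for Tier 2, and an approved one restricts the machine and assigns the alert to Tier 3 as "In Progress".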
Actually, it's very likely that by the end of this workflow Automated Investigation & Response has started running on the exec's machine (if it is enabled). This means there's a good chance Tier 3 only needs to look at the results of the investigation, hit the remediate button and surgically remove the threat! This is the result of "automated intelligence" with a complex and dynamic decision tree, unlike the "static" workflow automation we just looked at. That is a big distinction: the real value of this "automated intelligence" comes not just from dynamic decision making but also from the fact that it takes the dynamics of the environment into account instead of doing the same thing over and over again.
How’s that for reducing SOC load?
Now you can get creative easily with a scenario such as this. The possibilities are staggering, and I only scratched the surface. What did you build as your first scenario…?