auto assessment playbook with "tag indicators"


Has anyone here done any work on the idea of a playbook to perform triage on Sentinel incidents?

eg:

If the incident contains a username entity, run these KQL queries and create tags depending on the results.

The tags would represent specific findings eg:

username has been seen in 5 distinct alerts in the past 7 days, so tag name = "5D-User"

IP has been seen in 3 distinct alerts in the past 7 days, so tag name = "3D-IP"

username is sensitive, so tag name = "sensitive-user"

Do you see where I'm going here?

I want to use tags to create a library of common tags which will accelerate triage by identifying interesting indicators.

(I've already created such a playbook but I'm looking for more ideas to add to it)


Even if you haven't done such a playbook please share your ideas for interesting indicators that would help triage an incident.

Thank you!
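The tagging logic described in the post, worked through as an added example (not the poster's playbook, not a Microsoft API): a "distinct alerts in the last 7 days" count per entity, turned into the tag names the post proposes ("5D-User", "3D-IP", "sensitive-user"). The alert rows, the sensitive-account list, the `MIN_DISTINCT` threshold and the KQL template are all constructed assumptions; in a Logic App the count would come from a Run query action against the workspace, and the tags would be applied with the Sentinel incident-tag action.

```python
from datetime import datetime, timedelta, timezone

NOW = datetime(2021, 10, 1, tzinfo=timezone.utc)  # fixed clock so the example is reproducible
WINDOW_DAYS = 7                                  # lookback window the post describes
MIN_DISTINCT = 2                                 # assumption: the incident's own single alert gets no count tag
SENSITIVE_USERS = {"svc-backup", "ca-admin"}     # constructed stand-in for a sensitive-accounts watchlist

# Assumed shape of the per-entity KQL the playbook would run (not from the post):
# SecurityAlert stores its entities as a JSON array in the Entities column.
KQL_TEMPLATE = """
SecurityAlert
| where TimeGenerated > ago({days}d)
| mv-expand Entity = todynamic(Entities)
| where Entity.Type == "{etype}" and Entity.{field} == "{value}"
| summarize dcount(SystemAlertId)
"""

# Which JSON field identifies each entity type we have a rule for (assumed entity shape).
ENTITY_KEY = {"account": "Name", "ip": "Address"}


def acct(name):
    return {"Type": "account", "Name": name}


def ip(addr):
    return {"Type": "ip", "Address": addr}


def build_alert(alert_id, days_ago, entities):
    # Constructed row shaped loosely like a SecurityAlert record.
    return {"SystemAlertId": alert_id,
            "TimeGenerated": NOW - timedelta(days=days_ago),
            "Entities": entities}


# Constructed alert history: five distinct alerts for jdoe inside the window,
# three of them sharing an IP, one duplicate row and one alert outside the window.
SAMPLE_ALERTS = [
    build_alert("a1", 1, [acct("jdoe"), ip("203.0.113.10")]),
    build_alert("a2", 2, [acct("jdoe"), ip("203.0.113.10")]),
    build_alert("a3", 3, [acct("jdoe"), ip("203.0.113.10")]),
    build_alert("a4", 4, [acct("jdoe")]),
    build_alert("a5", 6, [acct("jdoe")]),
    build_alert("a5", 6, [acct("jdoe")]),                        # same alert id twice: must count once
    build_alert("a6", 10, [acct("jdoe"), ip("203.0.113.10")]),   # older than 7 days: excluded
    build_alert("a7", 2, [acct("asmith"), ip("198.51.100.7")]),
]


def entity_matches(entity, etype, value):
    return entity.get("Type") == etype and entity.get(ENTITY_KEY[etype]) == value


def distinct_alert_count(alerts, etype, value, days=WINDOW_DAYS, now=NOW):
    """Distinct alert ids in the window that reference the entity:
    the in-memory equivalent of the dcount() query in KQL_TEMPLATE."""
    cutoff = now - timedelta(days=days)
    ids = {a["SystemAlertId"] for a in alerts
           if a["TimeGenerated"] > cutoff
           and any(entity_matches(e, etype, value) for e in a["Entities"])}
    return len(ids)


def derive_tags(incident_entities, alerts, sensitive_users=SENSITIVE_USERS):
    """Map an incident's entities to the post's tag library:
    '<n>D-User', '<n>D-IP' and 'sensitive-user'. Returns a sorted list."""
    tags = set()
    for ent in incident_entities:
        etype = ent.get("Type")
        if etype not in ENTITY_KEY:
            continue                      # host, file hash, etc.: no rule defined in this example
        value = ent[ENTITY_KEY[etype]]
        n = distinct_alert_count(alerts, etype, value)
        if n >= MIN_DISTINCT:
            tags.add(f"{n}D-{'User' if etype == 'account' else 'IP'}")
        if etype == "account" and value in sensitive_users:
            tags.add("sensitive-user")
    return sorted(tags)


if __name__ == "__main__":
    incident = [acct("jdoe"), ip("203.0.113.10"), acct("svc-backup"),
                {"Type": "host", "HostName": "ws01"}]
    print(derive_tags(incident, SAMPLE_ALERTS))
    # → ['3D-IP', '5D-User', 'sensitive-user']
```

Two details matter in practice: the count must be over distinct alert ids (the same alert can appear in several rows), and the incident's own alert is part of the 7-day history, which is why a threshold of one would tag every incident. With the post's tag format the tag does not say which of several accounts it refers to, so a playbook that handles multi-entity incidents may want to keep the entity value in a comment alongside the tag.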

2 Replies
I did something similar: incident enrichment to check the reputation of the IP address, check the IP safe watchlist, check if the device is Azure hybrid AD joined, the user agent during sign-in, and the cloud app. I put all the information into a comment.
Excellent suggestions thanks Pawel!!!!!