Playbooks & Watchlists Part 1: Inform the subscription owner
Published Oct 19 2020 08:31 AM
Microsoft

Great thanks to @Julian Gonzalez for working together on these playbooks!

 

Azure Security Center alerts inform the SOC about possible security attacks that occurred on resources in Azure. The SOC might not have permissions on the resources that were potentially compromised, and during investigation of the alert would need to reach the resource owner to:

  • Ask whether they are familiar with the detected activity on their resource
  • Ask them to take mitigation steps on their resource.

For these reasons, the SOC would need to manually find the relevant contact and reach them every time a new alert is created. This process can easily be automated using the new Azure Sentinel Watchlists feature together with a playbook.

In this blog post we generalized the problem, for simplicity, to the subscription-owner level, but the same solution can be implemented for any specific resource.

 

Note: This playbook requires the Azure Sentinel Incident Trigger Private Preview. A very similar solution can be implemented by creating scheduled alerts over Azure Security Center alerts, and then using the Alert trigger, which is public.

 

This blogpost includes:

  • Solution summary
  • Prerequisites
  • Azure Sentinel Flow
  • Playbook steps explained
  • Setup instructions
    • Create and upload your watchlist
    • ARM Template deployment
    • Playbook configurations
    • Set automated response
  • Documentation reference

 

 

Solution summary

  • An Azure Sentinel Watchlist maps each subscription in the organization to its owner and their contact email address.
  • The Watchlists-InformSubowner-IncidentTrigger playbook is attached to the Azure Security Center incident creation rule. Every time a new Azure Security Center alert flows to Azure Sentinel, an Azure Sentinel incident is created. The playbook is then triggered, receiving the incident with its contained alerts as input.
  • The playbook queries the Watchlist and finds the relevant subscription owner details.
  • The subscription owner gets a Teams message and an email with all the details you want them to know about the potentially compromised resource.

 

Quick Access to the Playbook in Azure Sentinel Playbooks repository

 

Prerequisites

 

  1. A user or registered application with Azure Sentinel Contributor role to be used with the Azure Sentinel connector to Logic Apps.
  2. Azure Security Center Incident Creation rule is enabled.
  3. Private Preview of Azure Sentinel Incident Trigger.
  4. A user to authenticate to Microsoft Teams.
  5. A user to authenticate to Outlook.

 

Azure Sentinel flow

 

  1. A new Azure Security Center alert flows to Azure Sentinel.
  2. The Azure Security Center incident creation rule creates a new incident in Azure Sentinel.
  3. The Watchlists-InformSubOwnerAlert playbook is triggered.

 

Playbook steps explained


 

When Azure Sentinel incident creation rule was triggered

An Azure Sentinel incident was created. The playbook receives the incident as its input.

 

For Each Alert

Iterates over the alerts found in this incident (probably one) and performs the following:

 

  • Filter array to get AzureResource identifier
    An Azure Defender alert might have identifiers of two kinds:
    -   AzureResource (the resource ID, as seen in Log Analytics)
    -   LogAnalytics (information about the workspace storing the alerts).
    The result of this action is an array containing only the AzureResource identifier, for later use.

  • Parse JSON to get subscriptionId
    Gets the subscription ID from the Additional Data of the ASC alert.

 

  • Run query and list results - Get Watchlist
    In this step we ask Log Analytics (Azure Monitor Logs connector) for the items of the Watchlist. Subscription, Resource Group and Resource Name are the details of the Azure Sentinel workspace where the watchlist is located.
    We specify in the project argument which fields are relevant for our use.

 

  • Filter array to get relevant subscription owners
    In this step we take the watchlist results and keep only the rows that have the subscription we are looking for.
    The Logic Apps expression (the argument on the right) is:
    string(body('Parse_JSON_to_get_subscriptionId')?['properties']?['effectiveSubscriptionId'])

  • Post a message as the flow bot to a user
    In this step we send a message in Microsoft Teams to the subscription owner with any details we want to share about the new alert.

  • Send an Email
    In this step we send an email through Office 365 Outlook to the subscription owner with any details we want to share about the new alert.
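To make the per-alert data flow concrete, here is an added Python model of the steps above (filter the AzureResource identifier, read effectiveSubscriptionId, project the watchlist rows, filter them by subscription, and build the owner message). It is illustrative code written for this post, not the playbook's own definition; the alert field names resourceIdentifiers, azureResourceId and alertDisplayName, and all sample values, are assumed or constructed.

```python
import csv
import io

# Constructed sample watchlist, using the four columns described in the post.
WATCHLIST_CSV = """SubscriptionId,SubscriptionName,OwnerName,OwnerEmail
11111111-1111-1111-1111-111111111111,prod-web,Alice Example,alice@example.com
22222222-2222-2222-2222-222222222222,dev-data,Bob Example,bob@example.com
"""
# Constructed alert body as the Parse JSON step sees it. The post names
# properties.effectiveSubscriptionId and the two identifier kinds; the other
# field names (resourceIdentifiers, azureResourceId, alertDisplayName) are assumed.
ALERT = {"properties": {
    "alertDisplayName": "Suspicious process executed",
    "effectiveSubscriptionId": "22222222-2222-2222-2222-222222222222",
    "resourceIdentifiers": [
        {"type": "AzureResource", "azureResourceId": "/subscriptions/"
         "22222222-2222-2222-2222-222222222222/resourceGroups/rg-data/providers/"
         "Microsoft.Compute/virtualMachines/vm-data-01"},
        {"type": "LogAnalytics", "workspaceId": "constructed-workspace-id"},
    ]}}


def azure_resource_identifiers(alert):
    """'Filter array to get AzureResource identifier': drop the LogAnalytics entries."""
    ids = (alert.get("properties") or {}).get("resourceIdentifiers") or []
    return [i for i in ids if i.get("type") == "AzureResource"]

def effective_subscription_id(alert):
    """'Parse JSON to get subscriptionId', mirroring the null-safe expression
    string(body(...)?['properties']?['effectiveSubscriptionId'])."""
    return str((alert.get("properties") or {}).get("effectiveSubscriptionId") or "")

def load_watchlist(csv_text):
    """Stands in for 'Run query and list results': rows projected to the needed columns."""
    keep = ("SubscriptionId", "OwnerName", "OwnerEmail")
    return [{k: row[k] for k in keep} for row in csv.DictReader(io.StringIO(csv_text))]

def owners_for_subscription(rows, subscription_id):
    """'Filter array to get relevant subscription owners': exact match on SubscriptionId."""
    return [r for r in rows if r["SubscriptionId"].lower() == subscription_id.lower()]

def notify_owners(alert, csv_text=WATCHLIST_CSV):
    """Whole per-alert flow; returns (owner email, message) pairs for Teams/Outlook."""
    resources = ", ".join(i["azureResourceId"] for i in azure_resource_identifiers(alert))
    owners = owners_for_subscription(load_watchlist(csv_text), effective_subscription_id(alert))
    return [(o["OwnerEmail"], f"Hi {o['OwnerName']}, Azure Security Center raised "
             f"'{alert['properties']['alertDisplayName']}' on {resources}. Are you familiar "
             "with this activity, and can you take mitigation steps?") for o in owners]
```

In the real playbook the rows come from the Log Analytics query step, which reads the watchlist through the Sentinel watchlist function (`_GetWatchlist('<alias>')`, the alias being the one set when the watchlist was created) with a `project` of the same three columns.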

 

Setup instructions

 

Create and Upload your watchlist

 

  1. Create your input CSV table
    In this use case I created a simple table where each row represents a subscription in my tenant.
    It has 4 columns: SubscriptionId, SubscriptionName, OwnerName, OwnerEmail.
    I created the table in Office 365 Excel and then saved it as a CSV file (Save As).
  2. Upload your table

    1. In Azure Sentinel, go to Watchlists.

    2. Click on Add new.

    3. Fill in the required details.
      Note that the Alias will be used to query this watchlist in the playbook query step.
    4. Add the CSV file.
    5. Review and create.

 

Playbook deployment instructions

 

  1. Open the link to the playbook. Scroll down on the page and click the "Deploy to Azure" or "Deploy to Azure Gov" button, depending on your need.

  2. Fill in the parameters:

    1. Basics
      Fill in the subscription, resource group and location of the Sentinel workspace.
    2. Settings
      1. Playbook name - this is how you'll find the playbook in your subscription
      2. User name (will affect the names of the API connection resources)
    3. Check the terms and conditions and click Purchase.
    4. The ARM template, containing the Logic App workflow (playbook) and API connections, is now deploying to Azure. When finished, you will be taken to the ARM template summary page.
    5. Click on the Logic App's name. You will be taken to the Logic Apps resource of this playbook.

Confirm API connections

On the left menu, click on API connections.
For each product being used in this playbook, click on the connection name.
Click on Authorize to log in with your user, and don't forget to save.

 

Documentation Reference

 

Last update: Nov 02 2021 06:21 PM