Microsoft Tech Community
Using Azure Playbooks to import text-based threat indicators to Azure Sentinel
Published May 14 2020 10:55 AM 7,926 Views
Microsoft

Introduction

Azure Sentinel provides two built-in data connectors for importing threat intelligence: the Threat Intelligence – TAXII data connector and the Threat Intelligence – Platforms data connector. These data connectors are suitable for most use cases, as explained in our previous detailed blog. However, some open source threat intelligence is shared as text-based files that cannot be consumed directly by either connector. This blog describes how to use Azure Sentinel Playbooks to fetch text-based threat indicators from an online source and import them directly into the ThreatIntelligenceIndicator table, where all the built-in Sentinel analytics templates can use them to generate security incidents.

 

The Playbooks described in this post were created to allow Azure Sentinel customers to import Microsoft’s COVID-19 related threat indicators published on GitHub. However, these Playbooks can easily be modified to point to any other source of a text-based indicator feed.

 

Playbook architecture

These Azure Sentinel Playbooks work in tandem to read indicators from a source location and import the indicators to the ThreatIntelligenceIndicator table in Logs. Let’s take a closer look at the functionality of each Playbook.

 

Playbook 1 (C19IndicatorProcessor)

C19IndicatorProcessor Playbook performs the following steps:

  • Triggered on a defined schedule
  • Reads the indicators from GitHub
  • Transforms the indicators from the text-based source to the appropriate tiIndicator JSON format
  • Uses the Batch action to send the indicators to the second Playbook (C19ImportToSentinel)
 

Figure1.jpg

 

 

Playbook 2 (C19ImportToSentinel)

C19ImportToSentinel Playbook performs the following steps:

  • Begins with a Batch Messages trigger to receive indicators sent by the first Playbook (C19IndicatorProcessor) and groups the indicators into batches of 10
  • Submits each batch of indicators to Azure Sentinel using the Microsoft Graph Security Logic App connector
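To make the two Playbook stages concrete, here is an added example (not code from the post or from the GitHub templates) that models the Select transform of C19IndicatorProcessor and the batching of C19ImportToSentinel in Python. The feed layout, the 30-day expiry and the WatchList/alert/white values are assumptions; the real feed's format is not reproduced.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Constructed sample feed, one indicator per line; the real GitHub feed's layout is an assumption.
SAMPLE_FEED = """203.0.113.45
covid19-relief.example
https://covid19-relief.example/login.php
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
not an indicator
"""
SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)

def classify(value):
    """Observable field(s) for one feed value, or None if it is not a recognised indicator type."""
    try:
        return {"networkDestinationIPv4": str(ipaddress.IPv4Address(value))}
    except ValueError:
        pass
    if value.startswith(("http://", "https://")):
        return {"url": value}
    if SHA256_RE.match(value):
        return {"fileHashType": "sha256", "fileHashValue": value.lower()}
    if DOMAIN_RE.match(value):
        return {"domainName": value.lower()}
    return None

def to_ti_indicators(feed_text, ttl_days=30):
    """The Playbook's Select step: feed lines -> Graph Security tiIndicator objects."""
    expires = (datetime.now(timezone.utc) + timedelta(days=ttl_days)).strftime("%Y-%m-%dT%H:%M:%SZ")
    indicators = []
    for line in feed_text.splitlines():
        value = line.strip()
        if not value or value.startswith("#"):
            continue
        observable = classify(value)
        if observable:  # drop lines the parser cannot type instead of submitting malformed indicators
            indicators.append({
                "action": "alert",                  # alert only; do not block on an unvetted feed
                "description": "Constructed sample indicator from text feed",
                "expirationDateTime": expires,      # required by the API
                "targetProduct": "Azure Sentinel",  # routes to the TI Platforms data connector
                "threatType": "WatchList", "tlpLevel": "white", **observable,
            })
    return indicators

def batch(indicators, size=10):
    """The Batch step: submitTiIndicators request bodies of 10 indicators each, as in the Playbook."""
    return [{"value": indicators[i:i + size]} for i in range(0, len(indicators), size)]
```

Each dict returned by batch() is the JSON body the Submit multiple tiIndicators action posts to the Graph Security API.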

Figure2.jpg

 

 

Deploy the Playbooks to Azure Sentinel

The Playbook templates can be downloaded from GitHub at this location. It is important to deploy the C19ImportToSentinel Playbook before deploying the C19IndicatorProcessor playbook. Since these Playbooks rely on the Batch action, there is a natural dependency created between the two Playbooks. The C19IndicatorProcessor Playbook has a reference to the Batch endpoint published by the C19ImportToSentinel Playbook.

 

Follow these steps to deploy the two Playbooks to your Azure Sentinel instance.

1.  Open the Azure portal, then search for and select Deploy a custom template.

Figure3.jpg

 

2.  Select Build your own template in the editor from the list of options.

3.  In the Edit template window, replace the default JSON with the contents of the C19ImportToSentinel.json template file and select Save.

4.  In the Custom deployment window, select the Resource Group that contains your Azure Sentinel instance, under Settings enter the user name that will be used to deploy the Playbook, and select Purchase.

Note: It is highly recommended to leave the Playbook Name at its default setting. If you rename the Playbook, you will need to reference the new name when deploying the second Playbook.

Note: While the confirmation button is labeled Purchase, there are no charges associated with obtaining these Playbooks.

5.  After a minute or two the Playbook will be visible under Azure Sentinel Playbooks.

6.  Repeat steps 1-5 for the C19IndicatorProcessor Playbook. The only difference is in step 4: there is an additional option under Settings where you enter the name you used for the first Playbook you deployed.

Figure4.jpg

Once deployed, there is a final configuration step before indicators will be imported. The C19ImportToSentinel Playbook includes an action that submits the indicators to Azure Sentinel through the Microsoft Graph Security API. For your Azure Sentinel instance to receive those indicators, you need to enable the Threat Intelligence - Platforms data connector.

Figure5.jpg

 

Also, you will need to open the C19ImportToSentinel Playbook and configure the connection for the Submit multiple tiIndicators action as shown below.

Figure6.jpg

 

When configuring this connection you will be asked to sign in to Azure Active Directory and consent to the permissions the Playbook needs to submit threat indicators to the Graph Security API. You need to authenticate as a user who holds an Azure Active Directory Limited Administrator role or the Global Administrator role.


Summary

Once deployed to your Azure Sentinel instance, these Playbooks will operate in tandem to import indicators on a regular schedule so you will always have the latest threat intelligence data provided by the source. This post covered an example source from Microsoft for COVID-19 indicators hosted on GitHub but you can easily modify the HTTP action to point to a different text-based indicator feed, and update the Select action to parse the original text-based feed into tiIndicators format for import into Azure Sentinel.

4 Comments
Brass Contributor

Hi @Jason Wescott ,

 

Thanks for sharing this playbook. Looks very interesting.

 

I tried deploying the C19ImportToSentinel json file but apparently it contains features not supported in Australia East region.

Message is:

"The resource group is in a location that is not supported by one or more resources in the template. Please choose a different resource group."
Do you know of any specific content that could be blocking it?

 

Would you be able to share all the contents for each of the steps on the playbook so we can try replicating them one by one and find out what might not be supported?

 

Thanks,
Caio

Microsoft

Hi @caiodaruizcorrea, I messaged you directly to investigate what you are seeing.

 

Thanks,
Jason

Brass Contributor

@Jason Wescott - Please could you advise what the bare minimum permissions are to get this working on its own dedicated account?

Microsoft

@TS-noodlemctwoodle the account used to set up the Submit Multiple Indicators action requires an Azure Active Directory role of Global Administrator, Security Administrator, or Security Reader.

 

Thanks,

Jason

Version history
Last update: Nov 02 2021 05:55 PM