What's New: MDTI Microsoft Sentinel Playbooks
Published Mar 29 2023 10:17 AM 5,408 Views
Microsoft

Microsoft Defender Threat Intelligence (Defender TI) now has new ways to boost interoperability and help the SOC punch above its weight by responding to threats at scale. During Microsoft Secure, we introduced capabilities that help enterprise users power up automation with Microsoft Defender Threat Intelligence, including an API and Microsoft Sentinel Playbooks. These new playbooks enable defenders to tap into Defender TI's raw and finished intelligence at scale, quickly deepening their understanding of threats and triaging them automatically.

 

Defender TI Sentinel Playbooks

 

Defender TI Sentinel playbooks will help customers improve their MTTA (mean time to acknowledge) and MTTR (mean time to respond) by enriching entities within incidents and alerts. Azure Logic Apps is at the heart of Microsoft Sentinel's SOAR capability, allowing customers and partners to create automated workflows for any scenario the SOC requires. When you create Microsoft Sentinel playbooks, you leverage a robust platform that handles billions of requests daily and drives business productivity across multiple verticals. It integrates natively with almost any service or product, with more than 450 connectors and a growing library of security-oriented integrations.

 

Leveraging Defender TI streamlines these tasks when conducting threat infrastructure analysis and gathering threat intelligence: its ability to aggregate crucial data sources and enrich indicators with them directly reduces investigation time for security analysts. Below, I outline in detail how to use these new playbooks.

 

Before we begin, users must have all three of the following to access and use the playbooks:

 

  • Defender TI Premium and API license (we have a published blog about the Defender TI APIs that you can read here)
  • Microsoft Sentinel
  • An Azure AD client application (app registration) with permissions to the Defender TI API, which the playbooks use to authenticate

Note:

 

  • You can sign up for a Defender TI Premium license trial here 
  • You can sign up for a Defender TI API license trial here

 

What scenarios will the Defender TI Sentinel Playbooks enable? We will be looking at three playbooks focused on the following areas:

 

  • Automated Triage: This playbook uses the Microsoft Defender Threat Intelligence Reputation data to automatically enrich incidents generated by Microsoft Sentinel. Indicators from an incident will be evaluated with Defender TI Reputation data. If any indicators are labeled as "suspicious," the incident will be tagged as such, and its severity will be marked as "medium." If any indicators are labeled as "malicious," the incident will be tagged as such, and its severity will be marked as "high." Regardless of the reputation state, comments will be added to the incident outlining the reputation details with links to further information if applicable.

  • Enrichment via Web Component Data: This playbook automatically enriches incidents generated by Microsoft Sentinel with Web Components data: the components that indicators found within the incident are known to be hosting. These components let a user understand the makeup of a webpage, or the technology and services driving a specific piece of infrastructure. Pivoting on unique components can surface an actor's other infrastructure or other compromised sites, and the technologies a site runs also indicate whether it might be vulnerable to a specific attack or compromise.

  • Enrichment via reputation score: This playbook uses the Defender TI Reputation Data to automatically enrich incidents generated by Microsoft Sentinel. Reputation information helps an analyst decide whether an indicator is benign, suspicious, or malicious. Analysts can leverage this playbook to enrich indicators found within an incident. Each reputation result is contained within a comment and includes detailed scoring information noting why a given indicator is considered suspicious or malicious, with links back to the Defender TI platform for more information.
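As an added example (not the playbook's own Logic Apps definition, and not Microsoft's code), the following Python reproduces the Automated Triage decision rules above, and the per-indicator comment rendering shared with the reputation-score playbook, so the behaviour can be checked before it is wired into live incidents. The reputation records are constructed sample data; their field names (classification, score, rules, link) are an assumption modelled loosely on a Defender TI reputation result, not the API's documented schema. It goes one step beyond the text in one respect: severity is only ever raised, so an incident that is already High is not downgraded to Medium when only suspicious indicators are found.

```python
"""Automated-triage decision logic modelled on the Defender TI Sentinel playbook.

Added example: not the playbook's Logic Apps definition. SAMPLE_REPUTATIONS is
constructed data; the record shape (classification / score / rules / link) is an
assumption, so map it onto whatever the Defender TI API actually returns.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Microsoft Sentinel incident severities, lowest to highest.
SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}
# How bad each reputation classification is; anything else (neutral, unknown) counts as 0.
CLASS_RANK = {"suspicious": 1, "malicious": 2}
TAG_FOR = {"suspicious": "MDTI Suspicious", "malicious": "MDTI Malicious"}
SEVERITY_FOR = {"suspicious": "Medium", "malicious": "High"}


@dataclass
class Incident:
    incident_id: str
    severity: str
    status: str = "New"
    tags: List[str] = field(default_factory=list)
    comments: List[str] = field(default_factory=list)


def format_comment(indicator: str, rep: dict) -> str:
    """Render one reputation result as the comment an analyst will read:
    classification, score, the rules that produced it, and a link to pivot on."""
    lines = [f"[MDTI] {indicator}: {rep['classification']} (score {rep['score']})"]
    for rule in rep.get("rules", []):
        lines.append(f"  - {rule['name']} [{rule['severity']}]: {rule['description']}")
    if rep.get("link"):
        lines.append(f"  details: {rep['link']}")
    return "\n".join(lines)


def worst_classification(reputations: Dict[str, dict]) -> str:
    """Return the most severe classification across all indicators (lower-cased)."""
    worst = "neutral"
    for rep in reputations.values():
        cls = rep["classification"].lower()
        if CLASS_RANK.get(cls, 0) > CLASS_RANK.get(worst, 0):
            worst = cls
    return worst


def triage(incident: Incident, reputations: Dict[str, dict]) -> Incident:
    """Apply the playbook's rules to an incident in place and return it.

    - every indicator gets a reputation comment, whatever its classification;
    - suspicious -> tag 'MDTI Suspicious', severity at least Medium;
    - malicious  -> tag 'MDTI Malicious',  severity at least High;
    - severity is never lowered (design choice in this example);
    - a tagged incident is moved to Active, as the post's screenshots show.
    """
    for indicator, rep in reputations.items():
        incident.comments.append(format_comment(indicator, rep))

    worst = worst_classification(reputations)
    if worst in TAG_FOR:
        if TAG_FOR[worst] not in incident.tags:
            incident.tags.append(TAG_FOR[worst])
        if SEVERITY_RANK[SEVERITY_FOR[worst]] > SEVERITY_RANK.get(incident.severity, 0):
            incident.severity = SEVERITY_FOR[worst]
        incident.status = "Active"
    return incident


# Constructed sample: one malicious IP (RFC 5737 documentation range) and one
# neutral domain, shaped like the assumed reputation record described above.
SAMPLE_REPUTATIONS = {
    "198.51.100.23": {
        "classification": "malicious",
        "score": 100,
        "rules": [
            {"name": "Known C2 infrastructure", "severity": "high",
             "description": "Host matches an intel profile for a C2 framework."},
        ],
        "link": "https://ti.example.invalid/198.51.100.23",
    },
    "example.org": {"classification": "neutral", "score": 0, "rules": [], "link": ""},
}


if __name__ == "__main__":
    result = triage(Incident("inc-0001", "Low"), SAMPLE_REPUTATIONS)
    print(result.severity, result.status, result.tags)
    print("\n".join(result.comments))
```

Running the module triages the constructed incident from Low to High with the MDTI Malicious tag and two comments, one per indicator; the neutral domain still gets its comment, which is the behaviour the post describes ("regardless of the reputation state, comments will be added").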

 

Installation and Configuration of the Playbooks 

 

The following are the steps required to create, configure, and use the playbooks within Microsoft Sentinel:

 

1) Create an Azure AD client app with permissions to the Defender TI API

2) Install the Defender TI Sentinel playbooks

3) Configure the Defender TI Base playbook with the Azure AD client app credentials

4) Configure the other three Defender TI playbooks (Intel Reputation, Automated Triage, and Web Components)

5) Use the playbooks within Microsoft Sentinel

 

Creating an Azure AD client app with Defender TI API permissions

 

When configuring this playbook, you need the credentials of an Azure AD app registration (ClientId, ClientSecret, and TenantId) that has been granted Defender TI API permissions. The client ID and tenant ID are shown on the app registration's Overview page; the client secret is generated under Certificates & secrets and is displayed only once, so record it at creation time and treat it like any other credential: restrict who can read the Logic App's parameters and rotate the secret before it expires. For more details, visit the Defender TI API documentation. If you have trouble accessing your account or credentials, contact your account representative or reach out to discussMDTI[@]microsoft.com.

 

Install the Defender TI Sentinel playbooks

 

Customers can access these playbooks through the following methods:

 


Figure: Deploying MDTI Sentinel playbooks from Sentinel GitHub 

 

 

Solutions are packages of Microsoft Sentinel content or Microsoft Sentinel API integrations that fulfill an end-to-end product, domain, or industry vertical scenario in Microsoft Sentinel. Both solutions and standalone items are discoverable and managed from the Content Hub.

For the Defender TI solution, the three enrichment playbooks are packaged together with the Defender TI Base playbook they depend on. Users install them from the Content hub: go to the Microsoft Sentinel Content hub pane, search for Microsoft Defender Threat Intelligence, click Install, and proceed with the installation steps.

 


Figure: Microsoft Sentinel Content Hub Solution ~ Defender TI preview 

 

 

After successfully installing the solution, you should see the following on the Content hub pane:

 

Figure: Defender TI Content hub solution installed.

 

* The Defender TI-Base playbook must be configured first; the other three playbooks inherit its API connection and will not run without it.


Configure the Defender TI base playbook with Azure AD client app credentials

 

1) Proceed to the Content Hub pane and search for the Defender TI solution. Click on Manage for visibility of the four playbooks found within the solution.

2) Configure the Defender TI Base playbook with the client app credentials. To do this, select the Defender TI Base playbook and click Configure.

 


Figure: Configuring the Defender TI-Base playbook

 

3) This should direct you to a page instructing you to Create the playbook. Proceed with that action, and you will be required to add the Client App credentials in the Parameters, which is necessary for the playbook to work successfully.

4) After adding these details, click Create and Continue to designer.

 


 

Figure: Adding client app credentials to the MDTI-Base playbook parameters (the ClientId, ClientSecret, and TenantId from the app registration created earlier)

 

Configure the other Three Defender TI playbooks (Intel Reputation, Automated Triage, and Web Components)

 

After successfully configuring the Defender TI Base playbook, you can proceed to configure the other three playbooks found within the Defender TI Content hub solution. To do this,

 

1) Go to the Content hub pane and look for the Defender TI solution.

2) Select Manage and pick one playbook (in this example, we will use Defender TI Intel Reputation).

3) Proceed with the configuration process. (Repeat this for the other playbooks: Defender TI Automated Triage and Defender TI Web Components.)

 


Figure: Configuring Defender TI Intel Reputation playbook from Defender TI content Hub Solution

 

Using the Sentinel playbooks within Microsoft Sentinel 

 

Create an automation rule

 

After successfully deploying all the playbooks, the next step is leveraging these playbooks within Microsoft Sentinel. To do this, you will need to create an automation rule. Here's how:

 

1) Navigate again to your Microsoft Sentinel workspace and click on "Automation." Then, create a new automation rule and give it a name.

2) In the "Conditions" section, add a condition such as "Analytic rule name" "Contains" and pick the analytic rule(s) whose incidents you want enriched (leave the condition out to run the playbook on every new incident).

3) Under "Actions," select "Run playbook" and choose the Defender TI playbook to run; only playbooks built on the Microsoft Sentinel incident trigger appear in this list. Finally, click "Apply" to create the automation rule.

 


Figure: Creation of an automation rule to trigger the Defender TI Sentinel playbooks every time an incident is created 
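The same automation rule can be deployed as code instead of clicked through the portal. The following ARM resource is an added example (not from the Defender TI solution or from this post) modelled on the Microsoft.SecurityInsights/automationRules schema; the angle-bracket values are placeholders for your own subscription, workspace, analytic rule and playbook, and the property names should be checked against the API version you actually deploy with.

```json
{
  "type": "Microsoft.SecurityInsights/automationRules",
  "apiVersion": "2023-02-01",
  "scope": "Microsoft.OperationalInsights/workspaces/<workspace-name>",
  "name": "<automation-rule-guid>",
  "properties": {
    "displayName": "Enrich new incidents with Defender TI",
    "order": 1,
    "triggeringLogic": {
      "isEnabled": true,
      "triggersOn": "Incidents",
      "triggersWhen": "Created",
      "conditions": [
        {
          "conditionType": "Property",
          "conditionProperties": {
            "propertyName": "IncidentRelatedAnalyticRuleIds",
            "operator": "Contains",
            "propertyValues": [
              "/subscriptions/<subscription-id>/resourceGroups/<workspace-rg>/providers/Microsoft.OperationalInsights/workspaces/<workspace-name>/providers/Microsoft.SecurityInsights/alertRules/<analytic-rule-guid>"
            ]
          }
        }
      ]
    },
    "actions": [
      {
        "order": 1,
        "actionType": "RunPlaybook",
        "actionConfiguration": {
          "logicAppResourceId": "/subscriptions/<subscription-id>/resourceGroups/<playbook-rg>/providers/Microsoft.Logic/workflows/<defender-ti-playbook-name>",
          "tenantId": "<tenant-id>"
        }
      }
    ]
  }
}
```

Drop the conditions array to run the playbook on every new incident, and add further RunPlaybook actions with increasing order values to chain the Web Components and Intel Reputation playbooks in the same rule. Whichever way the rule is created, it only succeeds at run time if Microsoft Sentinel (the Azure Security Insights service principal) has been granted the Microsoft Sentinel Automation Contributor role on the resource group that holds the playbooks.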

 

Once the logic apps are deployed, you can also run them on demand from an incident: open the incident, select Incident actions, choose Run playbook, and pick the Defender TI playbook you want to run on that incident for enrichment.

 


 

Figure: running Defender TI Playbooks from a Microsoft Sentinel Incident

 

The outcome from the playbook is added to the comments, which are accessible from the Activity log view in the incident:

 


 

Figure: Accessing the Activity Log on a Microsoft Sentinel incident to visualize the comment added by playbooks 

 

The three playbooks and their expected outcomes are as follows:

 

1. Playbook 1: DEFENDER TI~AUTOMATED TRIAGE

 

This playbook uses the Defender TI Reputation data to automatically enrich incidents generated by Microsoft Sentinel. 

 

Prerequisites

 

This playbook inherits the API connection created within the Defender TI-Base playbook; make sure Defender TI-Base has been deployed and configured before running it. If you have trouble accessing your account or credentials, contact your account representative or reach out to discussMDTI[@]microsoft.com.

 

Below, we can see that the incident's severity was changed to High and its status to Active, with an MDTI Malicious tag added and a comment from Defender TI explaining why the entity was deemed malicious.

 


Figure: Comment added by the Automated Triage playbook showing a malicious reputation, with the severity changed to High and the incident status changed to Active

 


Figure: The severity of the incident was changed to 'High' due to the classification and a tag of MDTI Malicious was added

 

2. Playbook 2: DEFENDER TI~ WEB COMPONENT DATA

 

This playbook uses the Defender TI components data to automatically enrich incidents generated by Microsoft Sentinel. 

 

Prerequisites

 

This playbook inherits the API connection created within the Defender TI-Base playbook; make sure Defender TI-Base has been deployed and configured before running it. If you have trouble accessing your account or credentials, contact your account representative or reach out to discussMDTI[@]microsoft.com.

 

In the figure below, we see the comment added by the Web Components playbook showing the infrastructure of the entity 185.82.217.3. One of the components is categorized as a command-and-control server (Cobalt Strike), a major clue for the investigation.

 


Figure: Enriched incident generated from web component data; the IP is hosting a command-and-control server component associated with Cobalt Strike activity

3. Playbook 3: DEFENDER TI~ INTEL REPUTATION

 

This playbook uses the Defender TI Reputation data to automatically enrich incidents generated by Microsoft Sentinel. Reputation information lets an analyst decide whether an indicator is benign, suspicious, or malicious.

Prerequisites

 

This playbook inherits the API connection created within the Defender TI-Base playbook; make sure Defender TI-Base has been deployed and configured before running it. If you have trouble accessing your account or credentials, contact your account representative or reach out to discussMDTI[@]microsoft.com.

 

Below, we can see the comment added from the Intel Reputation playbook. This time we have entity 185.82.217.3, whose reputation score is 100 with a malicious classification. Additionally, it is part of intel profiles Cobalt Strike and Hafnium.

 


Figure: Comment showing a malicious score (100) and detection rules in relation to the score (Threat actor profiles of both Cobalt strike and HAFNIUM, as well as an ASN that exhibits suspicious behavior).

 

We Want to Hear from You!

 

Be sure to join our fast-growing community of security pros and experts to provide product feedback and suggestions and start conversations about how Defender TI is helping your team stay on top of threats. With an open dialogue, we can create a safer internet together. Learn more about Defender TI and try it today.

 

 

 

Last update: May 02 2023 04:57 PM