*Note: This article was compiled and posted on behalf of Paul Bergson, Matt Lopinto, and Brian Delaney. I personally did not create or write this content.*
As a Microsoft Cloud Solution Architect-Engineer, I am providing the following guidance to assist customers in deploying the STAT tool. These recommendations are based on my experiences and the challenges encountered within Azure environments.
Please note that the guidance I provide is not an official statement or directive from Microsoft. For official guidance on Azure, it is recommended to refer to the top-level Microsoft sites where official information is posted. The document also includes specific URLs that provide official details on certain topics.
It's important to emphasize that the guidance I offer is intended to support enterprise customers and provide insights based on my expertise and experience. For any official information or updates, it is always best to refer to the authoritative Microsoft sources.
The Microsoft Sentinel Triage Assistant (STAT) is a Logic Apps Custom Connector designed to streamline incident-based automation within Microsoft Sentinel playbooks. It leverages a library of Automation Modules, enabling the execution of complex automation tasks in a consistent and effortless manner directly from the Logic Apps Connector.
The primary purpose of this tool is to facilitate the initiation of your automation journey and demonstrate the range of possibilities it offers. By engaging with automation and Logic Apps, users can gain familiarity with the concepts and leverage this example to expand their automation capabilities.
This tool is freely available on GitHub and has been developed by Brian Delaney.
Open an internet browser and point it to:
Following are a couple of screen grabs during the deployment phase:
After completing the initial deployment phase, it is necessary to update the Role-Based Access Control (RBAC) settings within Azure. Follow the steps below to accomplish this task:
It is worth noting that the reason behind the modules being commented out is unclear. However, it is imperative to uncomment them before proceeding with the execution of the PowerShell script.
The installation process begins with the installation of the required PowerShell modules. Once the installation is complete, as the tool attempts to establish the connection, it will prompt you to authenticate your credentials.
Provide the required authentication details, such as your Azure account credentials, to proceed with the authentication process.
By authenticating your credentials, you ensure a secure and authorized connection between the tool and Azure, enabling seamless communication and access to Azure resources.
This concludes the RBAC update.
The optional “Restrict Calls to STAT Coordinator (optional)” was not run.
If you would like to see what Logic Apps were installed, just drill down to the Sentinel à Automation and select the “Active Playbooks” tab.
After the installation process, the system will have a basic setup in place. Now, it's time to leverage the installed modules and incorporate them into the automation workflow.
The automation is implemented through the creation of "triage" playbooks in Logic Apps. These playbooks serve as the foundation for automating the desired actions. The STAT connector, on the other hand, utilizes connectors to Logic Apps on the backend to process the incoming requests.
To effectively utilize the installed modules in the automation process, follow these steps:
By leveraging the modules and integrating them into the Logic Apps playbooks, you can harness the power of automation and streamline various tasks and processes within your environment.
To enable the STAT tool to process Sentinel Incidents, it is necessary to define Automation rules. These rules govern the behavior of the STAT tool and determine the conditions under which it will be triggered. In the example provided, the automation rule is configured to trigger the STAT tool for every generated Incident.
Here's how the automation rule in this example is set up:
By configuring the automation rule in this example, the STAT tool will be triggered automatically for every Incident that occurs. I am not recommending this configuration, only showing it for demonstration purposes.
Note: To ensure proper configuration of the automation, it is recommended to temporarily disable this rule. Failure to do so may result in the automation running without the system being completely configured correctly, leading to potential issues during the processing of new incidents within your Microsoft Sentinel environment.
By disabling the rule until the automation is fully configured and tested, you can prevent any unintended consequences. This allows you to take the necessary time to ensure that the automation is set up correctly, including all necessary modules, connections, and conditions, before enabling the rule.
Disabling the rule during the configuration phase helps ensure that the automation operates smoothly once it is enabled, minimizing the risk of any errors or unexpected behavior. It is best practice to verify that the automation is configured correctly and functioning as intended before activating the rule.
At this writing there were 13 available modules. Details describing what each does can be found within the GitHub site.
The use of this tool will require the user to modify any of the parameters that are currently set and/or additional modules and configure those parameters. Looking at my example there are two modules loaded.
The AAD Risks and Kusto Query Language (KQL) Modules, along with other modules, provide detailed information about their functions on the GitHub site. (#2) You can refer to the GitHub documentation for more information on these modules.
In particular, the variable "AddIncidentComments" plays a crucial role. When set to true, it enables the module to retrieve output and update the "Comments" section of the incident being processed by the STAT tool.
To incorporate a new module into the Logic app "Sample-STAT-Triage," you will need to add a "Parallel processing module." This addition will enable parallel execution of multiple modules within the Logic app.
Once the new module has been added, it is necessary to forward the obtained results to the "Risk Scoring Module." However, it is important to note that the parallel task is currently not forwarding the results. To address this, a re-arrangement of a couple of modules is required.
To ensure proper forwarding of results in the parallel task, follow these steps:
By re-arranging the modules within the parallel task, you will establish the proper forwarding of results to the "Risk Scoring Module."
Note how this “New step”, creates a branch connection between the different modules.
This will now allow the results from the new module to be forwarded on like the previous modules.
The final product can be seen below with the new module now being able to be a part of the logic flow.
Go back following the same process and add any additional modules you might want.
Once you have added any desired modules to the automation workflow, the next step is to facilitate the scoring of the Incident/Alert. This scoring functionality is handled by the "Risk Scoring Module."
The "Risk Scoring Module" incorporates two modules that work together to calculate a risk value. Each module has its own set of variables defined in the "Module body," which include:
The values generated by the included modules are summed up within this module to obtain a final total. This total value is then passed along to the subsequent "Condition" module. The dynamic variable "TotalScore" holds this calculated final value.
Since the module “Microsoft Defender for Cloud Apps” was added, we can add a new scoring multiplier to the module.
The "Condition" module serves as the decision-making point for determining how a new incident will be updated. This module directs the updating process to either a "True" process or a "False" process, based on specific criteria or conditions.
The purpose of the "Condition" module is to evaluate certain parameters or variables associated with the incident and make a determination on which process to trigger. If the conditions are met, the module will direct the flow to the "True" process. If the conditions are not met, it will direct the flow to the "False" process.
By utilizing the "Condition" module, you can dynamically control the updating process of new incidents based on predefined conditions, allowing for automated and efficient incident management.
Looking at the “Condition” module itself, the true or false value is generated by the weight that the user puts on the “TotalScore” importance.
In this example, all elements are intentionally updated to ensure comprehensive processing. This approach is adopted because the KQL query itself will always identify at least one incident (itself) during the process. Additionally, other modules incorporated in the workflow can contribute to incrementing the value of the TotalScore. Keeping the value at 1 does not accurately reflect the intended functionality; it was set to this value purely for demonstration purposes.
The objective of this example is to showcase the potential updates and demonstrate the impact of various modules on the TotalScore. By forcing updates on all components and allowing modules to contribute to the TotalScore, a more meaningful and illustrative example is generated.
When the “Condition” module (True) is the receiver in the process, the following occurs:
When the “Condition” module (False) is the receiver in the process, the following occurs:
Once you have completed the development of this automation process and are satisfied with its functionality, it is recommended to re-enable the automation rule if it was previously disabled during the testing phase.
To test the effectiveness of the automation, you can simulate a few fake attack signals. Although I have a couple of examples that I use for testing purposes, I am unable to provide the details or demonstrate the process due to company policy restrictions.
By examining the "Incidents" blade within the platform, you can observe the results of running the same attacks with both the automation rule enabled and disabled. From the included screengrab, you can clearly see that when no automation is implemented, the two "Incidents" (generated from different hosts) have a severity level of "Low" and "Medium." However, when the automation is enabled and executed, the severity level of these incidents is elevated to "High." Additionally, the "Status" field indicates that the incidents are now marked as "Active" with the automation-updated incidents.
By comparing the results, it becomes evident how the automation process enhances the severity and status of incidents, highlighting the efficiency and impact of the implemented automation.
To review the comments of an "Incident" that has been updated by the automation rule, follow these steps:
In this example, a KQL query was executed as part of the automation process. The results generated by the KQL query are populated in the "Comment" section of the incident. These comments provide valuable information and insights regarding the incident, allowing for a better understanding of the actions performed by the automation rule.
By examining the comments associated with the updated incident, you can gain further visibility into the specific details and outcomes of the automation processes, specifically the results obtained from the execution of the KQL query.
To look at an example where multiple modules scored an alert.
Customers are naturally concerned about the cost implications when new features are introduced to a service or product. With the integration of Logic Apps in this solution, let's explore a scenario where five distinct STAT-based playbooks are utilized. If we divide the total base module runs of 7,590 runs by 5 playbooks, equaling 1518 incidents impacted. This activity was at a cost of just $15 (CAN) or $11 (US). The efficiency and affordability offered by Logic Apps reassure customers about cost while optimizing workflows and processes, resulting in increased productivity and a remarkable return on investment.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.