SOAR
93 Topics

Sentinel permissions for playbook
Can someone advise me what permissions are needed to be able to authorize Sentinel to run playbooks here? I currently have the following on the whole resource group where the playbooks as well as the Sentinel workspace are. I don't see anything to choose from, though.

Logic App Contributor
Microsoft Sentinel Automation Contributor
Microsoft Sentinel Contributor

Moreover, despite this access, when creating an automation rule I got the following error:

Microsoft Sentinel requires explicit permissions for automation rules to automatically run playbooks.

Do you please know 1) what additional permissions I need to give Sentinel to run playbooks, and 2) what additional permissions I need to be able to create an automation rule with a playbook in it? Thank you

Threat Intelligence Indicators in Microsoft Sentinel
Hello Microsoft Community,

This is my first post and I hope it will be helpful for those who are trying to understand how the Threat Intelligence (TI) Indicators feature works on Microsoft and especially in Microsoft Sentinel. But before that, I would like to share my own experience.

Working with a lot of customers, I have had a big number of questions about how to automate the purging process of stale TI indicators from Sentinel. There is a way to do it manually, but if you have thousands of them, it will be a tough task to remove only one hundred at a time. I decided to automate this process and started investigating different kinds of automation (Graph API, PowerShell, etc.). After some investigation, the API command that allows getting a list of all indicators stored in a Microsoft tenant was found. This one:

GET https://graph.microsoft.com/beta/security/tiIndicators

And I decided to build a Logic App that will get all TI indicators, extract their IDs and then remove each of them by running:

DELETE https://graph.microsoft.com/beta/security/tiIndicators/{id}

Unfortunately, when I was testing it, I got stuck in a situation where I was getting nothing, even though I have more than one thousand indicators in my test environment. Trying to search on forums and asking questions, I got no answers and decided to open a case with Microsoft Support. I really appreciate the Microsoft Support team for providing a professional and fast response and explanation. Now, I will try to explain a little bit how the TI backend works at Microsoft. Let’s move to the technical part.

1. TI indicators ingestion

There are a few ways to ingest TI indicators. The first one is to use a built-in TAXII connector. There are plenty of them. You can use, for example, Anomali, IBM X-Force, Pulsedive, and others. The configuration is simple: based on Microsoft, you only need to get the TAXII server API Root and Collection ID, and then enable the Threat Intelligence - TAXII data connector in Microsoft Sentinel.
The second way is to build a playbook that will pull TI indicators from a TI provider and push them into Sentinel using the Graph Security API. There is a great playbook for pulling TI indicators from AlienVault: Azure-Sentinel/Playbooks/Get-AlienVault_OTX at master · Azure/Azure-Sentinel (github.com). Such kinds of playbooks require minor configuration and can be deployed from GitHub.

The third way for adding TI indicators is flat file import. This feature is currently in Private Preview and will be available soon for the public. Sentinel administrators will be able to import indicators from a CSV or JSON file.

And the last way is manual creation. This is a good option only if you have a few indicators to add and have no time to write scripts and build automation.

One more important thing to mention is the fact that the Graph Security API serves Threat Intelligence by TenantID and AppID (the application ID that uploads the TI through GSA and was configured in Azure AD). If the TI indicators were uploaded using one application (AppID) and then queried with another application (AppID), the data will not be returned. For example, if you use the playbook mentioned above, you should register an application in your Azure AD to ingest indicators. Then you will not be able to query those indicators with another application, for example, with Microsoft Graph Explorer. You must use the same application to get the list of indicators you uploaded.

2. TI indicators storing

Based on Microsoft, when using the tiIndicators entity, you must specify the Microsoft security solution you want to utilize the indicators for via the targetProduct property and define the action (allow, block, or alert) to which the security solution should apply the indicators via the action property. In the playbook for pulling indicators from GitHub, we have the following parameter: “targetProduct” that should be “Azure Sentinel”. Yes, Azure and not Microsoft Sentinel.
By setting this parameter, we configure the playbook to ingest logs into the Sentinel Log Analytics Workspace, and so we will be able to process the ingested indicators later. In Logs under Microsoft Sentinel, a new table is created: “ThreatIntelligenceIndicator”. This is our final diagram for Microsoft Sentinel:

TI indicators are not stored only in the Sentinel LAW. They are also stored in the Microsoft backend with a retention period of 1 year, or until deleted via the API. For the Log Analytics Workspace, the retention period is usually configured by a customer and data is there until deleted.

3. TI indicators pulling

As well as for ingesting indicators, there are a few ways for pulling them from the Microsoft backend and from the Log Analytics Workspace. It was mentioned previously that to pull indicators from the Microsoft Graph backend you should use the Microsoft Security Graph API with the same Application and Tenant ID. Otherwise, you will get nothing. You should also pay attention to the expiration date of the ingested certificates. If you try to get a specific indicator(s) and get nothing, probably it has expired and been removed from the Graph backend. Use this resource to test the API: Graph Explorer | Try Microsoft Graph APIs - Microsoft Graph.

Pulling TI indicators from the Sentinel Log Analytics Workspace is simpler. You need to open a Sentinel LAW and get them by running a KQL query. For example, this one:

ThreatIntelligenceIndicator
| project TimeGenerated, Description, IndicatorId
| top 100 by IndicatorId

This KQL will show you the first 100 indicators by IndicatorId. Don’t forget to set a date under “Time range”. You can also use built-in queries to protect your environment or build your own queries based on your company requirements.

The last way to see TI indicators ingested into your Sentinel is by opening the Threat Intelligence page in Microsoft Sentinel. This page will provide you with details for each indicator, allow you to remove them (only 100 at a time) and edit their details.
Summary

Microsoft's security ecosystem has a huge number of capabilities that help organizations to protect their environments from modern security threats. And TI indicators are only one piece of the puzzle called Threat Intelligence. It is important to understand how this feature works to gain the best results from it. I hope the information provided in this article will be helpful for the community and will allow a better understanding of how Microsoft TI works. If you have any questions or suggestions for the text, I will be glad to hear them.

There is an amazing webinar on Threat Intelligence published by the Microsoft team: Cyber Threat Intelligence Demystified in Microsoft Sentinel - YouTube

You can also find the article on LinkedIn: Threat Intelligence Indicators in Microsoft Sentinel | LinkedIn
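Editor's added example, not part of the post above. The post's `top 100 by IndicatorId` query returns rows, not indicators: the ThreatIntelligenceIndicator table keeps every version of an indicator, so a purge list has to start from the latest row per IndicatorId. The query below does that and then separates what has expired or been deactivated from what is current, which is the set the post wanted to remove. Only the table's standard columns are used; the 90-day lookback is an assumption to match to your workspace retention.

```kql
// Added example (editor's), not from the post.
// Latest version of every indicator in the workspace.
let lookback = 90d;                       // assumption: match your Log Analytics retention
let latest =
    ThreatIntelligenceIndicator
    | where TimeGenerated > ago(lookback)
    | summarize arg_max(TimeGenerated, *) by IndicatorId;
latest
// One human-readable observable column regardless of indicator type.
| extend Observable = coalesce(NetworkIP, NetworkSourceIP, DomainName, Url, FileHashValue, EmailSenderAddress)
// Stale = explicitly deactivated, or past its own expiration time.
| extend State = case(
    Active == false,                 "deactivated",
    ExpirationDateTime < now(),      "expired",
                                     "current")
| where State != "current"
| project IndicatorId, SourceSystem, State, ExpirationDateTime, ThreatType, Observable, LastVersion = TimeGenerated
| order by ExpirationDateTime asc
```

Replace the final `project` with `summarize Indicators = count() by SourceSystem, State` to see how much of each feed is stale before deciding to purge. Note the distinction the post makes: a row still present here only tells you the workspace copy exists; the Graph backend copy may already have been removed on expiry, and can only be queried with the application that uploaded it.

SOAR - Automatically closing incidents from Microsoft Defender for Office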
Hi All,

I am trying to leverage Microsoft Sentinel's SOAR capabilities to automatically close false positive alerts from Microsoft Defender for Office. The particular policy I want to address now is the "Phish delivered due to IP allow policy", so we get a lot of false positive alerts whenever MDO misclassifies an email, so I want to suppress these in Sentinel.

My thought process was to create a playbook (using Logic App), to get the incident and capture the 'message ID' entity. So, for every Message ID, I want to write a KQL query to search that ID from Sentinel logs, see if predefined fields are matched, then close the incident if matched, else notify the team. Right now, this is what I have:

I am honestly stuck here. The Microsoft Sentinel instance does not have a Cluster URL; I need to query it directly, not via Azure Data Explorer. May you please assist me. Is there an easier way to get this automated response in place? Thank you.
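Editor's added example, not from the post or its replies. It is the query a "Run query and list results" step in the playbook could run for each mail message entity, returning a Verdict column the Logic App can branch on. EmailEvents comes from the Microsoft 365 Defender connector; the placeholder messageId is what the playbook substitutes; the watchlist MdoAllowedSenders (columns SenderIp and SenderDomain, one row per relay on the MDO IP allow list) and the auto-close criteria are assumptions to adapt. The domain check is deliberate: an allowed relay that suddenly sends mail for a domain it never sent for before is exactly the case you do not want to auto-close.

```kql
// Added example (editor's), not from the thread.
let messageId = "00000000-0000-0000-0000-000000000000";   // placeholder, substituted by the playbook
// Assumed watchlist: which sender domain each allow-listed relay IP is expected to send for.
let allowed = _GetWatchlist('MdoAllowedSenders')
    | project SenderIPv4 = tostring(SenderIp), ExpectedDomain = tolower(tostring(SenderDomain));
EmailEvents
| where NetworkMessageId == messageId
| extend FromDomain = tolower(tostring(split(SenderFromAddress, "@")[1]))
| join kind=leftouter allowed on SenderIPv4
// Only auto-close when the relay is known AND it sent for the domain we expect from it.
| extend Verdict = case(
    isempty(ExpectedDomain),                               "Review: sender IP not on the allow list",
    FromDomain != ExpectedDomain,                          "Review: allowed relay used for an unexpected domain",
    DeliveryAction == "Delivered" and ThreatTypes has "Phish", "AutoClose",
                                                           "Review")
| project TimeGenerated, NetworkMessageId, SenderFromAddress, SenderIPv4, RecipientEmailAddress,
          Subject, DeliveryAction, DeliveryLocation, ThreatTypes, DetectionMethods, Verdict
```

In the Logic App, the Azure Monitor Logs connector's "Run query and list results" action is pointed at the workspace by subscription, resource group and workspace name; no cluster URL is involved. Branch on the first row's Verdict equalling "AutoClose" to call the Sentinel "Update incident" action with a Closed status and a false-positive reason, and treat zero rows (the message not ingested yet) as "Review" rather than as a match.

How to Prevent Duplicate Incidents from Being Generated due to Long Data Look Back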
Hey everyone,

We are facing an issue with regards to our rules on Sentinel, and that is when we create a rule and, in its logic, we configure the query to look up data from longer times, say the last 14 days, this rule is going to get triggered whenever it sees the same event during that 14 days again and again whenever the query runs, and it is going to create the same incident (with a different ID).

For example, the event X has happened today. The query detects it, and the rule generates an incident for it. We then analyse and finally close this incident. If our query runs for example every 2 hours, on the next run, since the rule looks up data from the past 14 days, it again sees the event X and it is going to create another incident with the same attributes for it, only with a different incident ID. And the alert grouping does not work here since it doesn't work on closed alerts.

Since we need the rule to look up the past 14 days, is there any way to prevent the creation of the same incidents on each query run for the same events?

Thank you so much in advance for your kind help.
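Editor's added example, not from the thread. The usual answer is to keep the 14-day window for context but make the alert condition itself depend on the run window: summarize over the full lookback, then keep only combinations whose first occurrence falls inside the last run interval, and optionally drop anything this same rule has already raised an alert for (which also covers closed incidents). SigninLogs and SecurityAlert columns are standard; the rule name, the detection condition and the 2-hour cadence are assumptions.

```kql
// Added example (editor's), not from the thread.
let lookback = 14d;
let runEvery = 2h;                                   // assumption: must equal the rule's "Run query every"
let ruleName = "Long lookback sign-in rule";          // assumption: this analytic rule's display name
// Accounts this same rule has already alerted on during the lookback window.
let alreadyAlerted =
    SecurityAlert
    | where TimeGenerated > ago(lookback)
    | where ProviderName == "ASI Scheduled Alerts" and AlertName == ruleName
    | mv-expand Entity = parse_json(Entities)
    | where tostring(Entity.Type) == "account"
    | project Upn = tolower(strcat(tostring(Entity.Name), "@", tostring(Entity.UPNSuffix)))
    | distinct Upn;
SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType == "0" and RiskLevelDuringSignIn == "high"      // assumption: the detection condition
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), SignIns = count()
    by UserPrincipalName, IPAddress
// Option 1: the (user, IP) pair appeared for the first time during this run window.
| where FirstSeen > ago(runEvery)
// Option 2: this rule has not already raised an alert for the account.
| where tolower(UserPrincipalName) !in (alreadyAlerted)
```

Option 1 alone is enough when runs are regular and ingestion latency is small; a missed or delayed run can still produce a gap (an event first seen before the window) or, if you widen the window to compensate, a duplicate. Option 2 closes that gap but assumes the rule maps the account entity (Name and UPNSuffix) so it appears in SecurityAlert.Entities; whichever you use, leave the rule's own lookback at 14 days so the `summarize` still sees the full history.

Error when running playbook Block-AADUser-Alert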
Hello,

I have a personal account and I am trying Microsoft Sentinel. My scenario is: when a user account (not admin) changes his authentication method, an alert is triggered and then I run the built-in playbook Block-AADUser-Alert to disable this account. I get the following error when running this playbook:

{
  "error": {
    "code": "Request_ResourceNotFound",
    "message": "Resource '[\"leloc@hoahung353.onmicrosoft.com\"]' does not exist or one of its queried reference-property objects are not present.",
    "innerError": {
      "date": "2022-05-13T03:06:46",
      "request-id": "84bab933-eb79-4352-9bdf-e6d5444a1798",
      "client-request-id": "84bab933-eb79-4352-9bdf-e6d5444a1798"
    }
  }
}

I have tried to assign all required permissions (User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All), authorized the API connection, etc., but it cannot solve the issue. Would anyone help advise how to solve this? Is it because of the personal account?

Best Regards,
An

Run query for multiple IP
I am trying to run the query in the logic app for a security incident in Sentinel. What I expect this query to do is give the result of multiple IPs associated with the incident.

SigninLogs
// Column names are IPAddress and DeviceDetail; a list of IPs needs the in() operator, not ==.
| where UserPrincipalName contains "Account Name"
    and IPAddress in ("A list of IPs associated with the alert")
    and DeviceDetail.isCompliant == true
| summarize by UserPrincipalName, IPAddress, tostring(DeviceDetail)

Error:

ExpressionEvaluationFailed. The execution of template action 'For_each_3' failed: the result of the evaluation of 'foreach' expression '@body('Entities_-_Get_IPs')' is of type 'Object'. The result must be a valid array.

OfficeActivity - Rare and potentially high-risk Office operations and automation
Hi,

We are receiving a number of "OfficeActivity - Rare and potentially high-risk Office operations" alerts for users who are setting up mailbox GrantSendOnBehalfTo and creating mail moving rules. I wondered what modifications to the analytic rule people have made to reduce the noise, or any automation to ask the end user if they made the reported change (maybe with some verification to confirm the end user).

Regards
Mike
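Editor's added example, not the built-in rule and not from the thread. It narrows the same Exchange operations to the variants that matter for an attacker persisting in a mailbox: inbox rules that forward, redirect or delete mail, send-on-behalf grants, and mailbox permissions granted to someone other than the actor, while dropping actions by a list of approved admins. Self-service changes are deliberately not excluded: a forwarding rule created under the user's own credentials is the classic compromised-mailbox signal. OfficeActivity columns are standard; the watchlist ApprovedAdmins (key = UPN) and the operation list are assumptions.

```kql
// Added example (editor's), not the built-in analytic rule.
let approvedAdmins = _GetWatchlist('ApprovedAdmins') | project tolower(SearchKey);   // assumed watchlist
OfficeActivity
| where TimeGenerated > ago(1d)
| where OfficeWorkload == "Exchange"
| where Operation in~ ("Set-Mailbox", "Add-MailboxPermission", "New-InboxRule", "Set-InboxRule")
| where tolower(UserId) !in (approvedAdmins)
// Flatten the Parameters array ([{Name, Value}, ...]) into one property bag per event.
| mv-apply P = Parameters on (
    summarize Params = make_bag(bag_pack(tostring(P.Name), tostring(P.Value)))
  )
| extend Forwarding    = coalesce(tostring(Params.ForwardTo), tostring(Params.ForwardAsAttachmentTo), tostring(Params.RedirectTo)),
         DeletesMail   = tostring(Params.DeleteMessage) =~ "True",
         SendOnBehalf  = tostring(Params.GrantSendOnBehalfTo),
         Grantee       = tolower(tostring(Params.User)),
         TargetMailbox = tolower(tostring(Params.Identity))
// Keep only the high-risk variants of each operation.
| extend Reason = case(
    Operation in~ ("New-InboxRule", "Set-InboxRule") and isnotempty(Forwarding), "inbox rule forwards mail",
    Operation in~ ("New-InboxRule", "Set-InboxRule") and DeletesMail,            "inbox rule deletes mail",
    Operation =~ "Set-Mailbox" and isnotempty(SendOnBehalf),                     "send-on-behalf granted",
    Operation =~ "Add-MailboxPermission" and Grantee != tolower(UserId),         "mailbox permission granted to another user",
    "")
| where isnotempty(Reason)
| project TimeGenerated, UserId, ClientIP, Operation, TargetMailbox, Reason, Forwarding, SendOnBehalf, Grantee
```

Start by running this over a week of data and comparing the row count with what the built-in rule produces; the bulk of the noise is usually Set-Mailbox events with parameters other than GrantSendOnBehalfTo, which this version ignores entirely. For the "ask the user" part of the question, the Reason and TargetMailbox columns give a playbook enough to word the confirmation message.

Sentinel went missing yesterday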
Greetings

A few weeks ago I set up a fresh Log Analytics workspace and purchased Sentinel for it. Both are set up as PayGo for now. Yesterday when I came to work I was greeted by the error message "Workspace (my workspace) not found or does not have Microsoft Sentinel. Please select a different workspace and try again". The left menus of Sentinel are visible and I can access the logs in the workspace just fine, but Sentinel is gone. The error summary doesn't give me any further information like error codes and so on. Kind of hard when I just spent the most part of a week setting up all the data connectors and analytic templates.

Anyone have any ideas?

/Fredrik

Block-AADUser - Azure Sentinel Playbook
Hi,

I am a security engineer and I have just started using Sentinel and Logic Apps for the first time. I have been adding various out-of-the-box playbooks etc. and triggering them in my lab. One playbook I am keen to see working is Block-AADUser. This is available on GitHub: https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Block-AADUser

I have followed the post-deployment steps:

1. Assign Microsoft Sentinel Responder role to the Playbook's managed identity.
2. Assign API permissions to the managed identity so that we can search for the user's manager. You can find the managed identity object ID on the Identity blade under Settings for the Logic App. If you don't have the Azure AD PowerShell module, you will have to install it and connect to the Azure AD PowerShell module.

I am confused at part 3 of the instructions:

3. Open the playbook in the Logic App Designer and authorize Azure AD and Office 365 Outlook Logic App connections.

Does this simply mean within the Logic App that I need to connect using an account that has permissions in both Azure and Office 365, or do I need to add additional steps into the playbook to connect this playbook to Office 365 or Azure?