siem

555 Topics

Introducing a Unified Security Operations Platform with Microsoft Sentinel and Defender XDR

Read about our announcement of an exciting private preview that represents the next step in the SOC protection and efficiency journey by bringing together the power of Microsoft Sentinel, Microsoft Defender XDR and Microsoft Security Copilot into a unified security operations platform.

What's new: Earn your Microsoft Sentinel Black Belt Digital Badge!

Our Cloud Security Private Community Digital Badge program has introduced a new L5 Microsoft Sentinel Black Belt Digital Badge for you to earn and display proudly to show your prowess as a Microsoft recognized expert.

What's New: SOC Process Framework is Now Live in Content Hub!
I am excited to announce that the SOC Process Framework has been updated and moved into Sentinel's Content Hub for installation across multiple workbooks, watchlists, and the amazing Get-SOCActions Playbook for analyst actions to be taken during Triage and Investigation. When you click on the SOC Process Framework Tile in Content Hub, you will see the Description details, as well as the content associated with the Framework, i.e. (7) Workbooks, (12) Watchlists, (1) Playbook. By clicking on the "Install" button, you will be prompted to follow the on-screen instructions.

This Content Hub Solution contains all resources for the SOC Process Framework Microsoft Sentinel Solution. The SOC Process Framework Solution is built to integrate easily with Microsoft Sentinel and to build a standard SOC Process and Procedure Framework within your Organization. By deploying this solution, you'll be able to monitor progress within your SOC Operations and update the SOC CMMI Assessment Score. This solution consists of the following resources:

- Integrated workbooks interconnected into a single workbook for single-pane-of-glass operation.
- One Playbook for pushing SOC Actions to your Incidents.
- Multiple Watchlists helping you maintain and organize your SOC efforts, including IR Planning, SOC CMMI Assessment Score, and many more.

Workbooks

The workbooks contained in this solution have visualizations about the SOC Progress, Procedures, and Activity and provide an overview of the overall SOC Maturity. These workbooks and their dependencies are deployed for you through this solution.

NOTE: Be aware that after you have installed the workbooks, you must save the workbooks, edit the Watchlist Queries and run them, so they initialize and the framework can leverage the applied watchlists. Please use the steps below to initialize the Watchlist Queries.

Save Workbooks and Edit Watchlist Queries

Step 1. Save and open the Workbook "Update SOC Maturity Score".
Step 2. Edit the Workbook and click the Edit button to open the pills.
Step 3. Click the box next to Watchlist.
Step 4. Click the pencil icon to open the Settings Context Pane.
Step 5. Click the "Run Query" button to execute the query and initialize the link between the workbook and the watchlists.
Step 6. Click the "Save" icon to save these settings.
Step 7. Click Done Editing in the Workbook.
Step 8. Click the "Save" icon in the Workbook to save the Workbook.
Step 9. Repeat these steps for the Workbooks called out below.

Repeat this process for the following Workbooks:

- Workbook: Update SOC IR Planning
- Workbook: SOC Process Framework

Watchlists

The watchlists contained within this solution have information that pertains to Incident Response Planning, the SOC Maturity (CMMI) Scoring, Recommended SOC Actions, and more. All of these watchlists give the customer easy access to updating pertinent information regarding their SOC Operations and more.

Playbooks

Currently the only Playbook in this solution is the Get-SOCActions Playbook for delivering custom Analyst Actions to take per Incident. This gives Organizations the ability to create/add their own scripted actions they want an Analyst to take. After deploying this Solution, please see the Post-Deployment Instructions before executing the Playbook.

Post-Deployment Instructions

After deploying this Solution and its associated playbook, you must authorize the connections leveraged within the Playbook before running it.

1. Visit the playbook resource.
2. Under "Development Tools" (located on the left), click "API Connections".
3. Ensure each connection has been authorized.

Note: If you've deployed the [SOC Process Framework Playbook](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/SOC Process Framework/Playbooks/Get-SOCActions/azuredeploy.json) playbook, you will only need to authorize the Microsoft Sentinel connection.

Now that I have covered the installation of this framework, let's get to the content updates that have been made to this solution as a whole, which I know you will be excited to learn more about! This solution contains a large number of updates:

- 4 new workbooks outlining the growth path along the SOC Journey and best practices regarding building a SOC Team.
- 2 new workbooks that outline both Incident Response Planning and SOC Maturity.
- 12 new Watchlists, from SOC Contacts to IR Planning, as well as ~800 questions regarding your SOC Maturity Score.

New Content in the SOC Process Framework:

- SOC Capability Maturity Model Integration
- Incident response planning
- SOC RaMP (Rapid Modernization Plan)
- SOC Part-Time Staff
- SOC Small Staff
- SOC Medium Staff
- SOC Large Staff
- SOC Framework for Microsoft 365 Defender
- Planning
- Readiness
- Catalog of Services
- Roles
- Develop & Test
- SOC Tasks
- Investigations
- Phishing
- Incident Automation with Shifts for Teams
- Additional Tools in the SOC Tools and Resources Content
- API call-outs to update Watchlists without leaving the Framework
- SOC Maturity Update
- SOC Incident Response Planning

This solution is supported by Microsoft Support and will be updated regularly with new content. We hope you enjoy the new version of the SOC Process Framework and that it will help you mature your business's SOC Operations!

Ticketing system integration – Alert update API
5 Minutes, Low complexity

In our last API blog we demonstrated how you can use Windows Defender ATP APIs to pull alerts using a simple PowerShell script. Typical use cases for pulling alerts through the APIs are ticketing system and SIEM integration scenarios. As a follow-up to that blog, we're going to demonstrate how you can apply it in two common integration use cases:

- Create tickets or alert objects in an external system (SIEM, ITSM) after pulling the alerts, and
- Update tickets or alert objects from an external system and have the changes reflected in Windows Defender ATP.

In this blog we'll focus on updating the alert as part of a typical ticketing/SIEM integration.

Integration flow

The integration flow generally occurs in two steps: ticket creation, then ticket update.

Ticket/alert creation
- Windows Defender ATP: Pull alerts from Windows Defender ATP as demonstrated in the "Hello World" blog.
- External: Create the ticket/alert object in the external system.

Ticket update
- External: The user updates the ticket/alert object in the external system.
- Windows Defender ATP: Update the alert in Windows Defender ATP according to the changes in the external system.

What are the differences from the "Hello World" blog?

- The app now needs the alert write permission (vs. the alert read permission we used).
- The customer must create the ticket using the ticketing system API. We recommend storing the Windows Defender ATP alert ID as part of the ticket to enable later update of the corresponding Windows Defender ATP alert.
- The update command we demonstrate here should be called from the ticketing/SIEM system for every relevant change, or a scheduled task should pull changes from the ticketing/SIEM system and update WDATP using the update command.
Let's get our hands dirty

In this section, we'll walk you through the following:

- Step 1: Add the required permission to your application
- Step 2: Create the ticket/alert from an external system
- Step 3: Update the Windows Defender ATP alert based on the change done on the external system

Step 1 - Add the required permission to the application:

1. With your Global administrator credentials, log in to the Azure portal.
2. Go to Azure Active Directory > App registrations.
3. Click the drop-down button and select "All apps".
4. Choose the application you created in the "Hello World" example. If you used the suggested name, it was "ContosoSIEMConnector".
5. In the application page choose: Settings > Required permissions > WindowsDefenderATP
6. Check the checkbox near the "Read and write all alerts" permission, then click Save.
7. In the "Required permissions" page, select the "Grant permissions" button and then click "Yes".

Done! You have successfully added the required permissions to the application.

Step 2 - Create the ticket/alert in the external system:

Depending on the external system API or integration tool that you use, this step can be done in various ways. However, the general idea is to periodically pull new alerts from Windows Defender ATP as demonstrated in the "Hello World" blog. For each alert you should call the external system API to create a ticket. We recommend that you store the alert ID in the created object; it will be handy for updating the Windows Defender ATP alert object later.

The following example is an update of the "Hello World" code. It demonstrates how to iterate over the alerts and shows how to get their alert ID.

NOTE: Some SIEM platforms allow direct JSON file import. This is out of this blog's scope.

Copy this example to the same folder where you stored the "Hello World" scripts. Name it "Get-Alerts-And-Open-Ticket.ps1".

```powershell
# Returns Alerts created in the past 4 hours.
# Sets a placeholder for code to open a ticket in an external ticketing system.
Add-Type -AssemblyName PresentationFramework   # required for [System.Windows.MessageBox]
$token = .\Get-Token.ps1
$dateTime = (Get-Date).ToUniversalTime().AddHours(-4).ToString("o")
$url = "https://api.securitycenter.windows.com/api/alerts?`$filter=alertCreationTime ge $dateTime"
$headers = @{
    'Content-Type' = 'application/json'
    Accept         = 'application/json'
    Authorization  = "Bearer $token"
}
$response = Invoke-RestMethod -Method Get -Uri $url -Headers $headers -ErrorAction Stop
# For each alert, get the alertId and the data needed to open a ticket,
# then call the ticketing system API to open the ticket.
foreach ($alert in $response.value) {
    $alertId = $alert.id
    $alertTitle = $alert.title
    # Extract the rest of the data relevant to the ticket.
    # Replace the next line with your code to open the ticket using the ticketing system's API.
    # (PowerShell uses `n, not \n, for a newline inside a double-quoted string.)
    [System.Windows.MessageBox]::Show("Alert title - $alertTitle.`nAlert ID - $alertId")
}
```

The script will display a message box with the alert title and alert ID. Run the script. You're welcome to replace the message box code with your own ticketing system ticket creation code.

Step 3 - Update the Windows Defender ATP alert according to the ticket/alert change:

To simplify the API usage we created the following script, called "Alert-Update.ps1". Store it in the same folder as the other scripts (the folder where we saved Get-Token.ps1).

Alert-Update.ps1

```powershell
param (
    [Parameter(Mandatory=$true)]
    [string]$alertId,          # the alert's ID
    [Parameter()]
    [ValidatePattern("^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")]   # only valid email address formats are allowed
    [string]$assignedTo,       # the email address we want to assign the alert to
    [Parameter()]
    [ValidateSet('New','InProgress','Resolved')]   # validate that the input is a valid status value
    [string]$status,           # the alert's new status
    [Parameter()]
    [ValidateSet('Unknown','FalsePositive','TruePositive')]   # validate that the input is a valid classification value
    [string]$classification,   # the alert's new classification
    [Parameter()]
    [ValidateSet('NotAvailable','Apt','Malware','SecurityPersonnel','SecurityTesting','UnwantedSoftware','Other')]   # validate that the input is a valid determination value
    [string]$determination     # the alert's new determination
)
$token = .\Get-Token.ps1   # Execute Get-Token.ps1 to get the authorization token
$url = "https://api.securitycenter.windows.com/api/alerts/$alertId"   # Set the URL with the current alert ID
# Only the properties that were supplied are sent, so unspecified ones are left untouched.
$body = @{}
if ($assignedTo -ne [string]::Empty)     { $body.Add("assignedTo", $assignedTo) }
if ($status -ne [string]::Empty)         { $body.Add("status", $status) }
if ($classification -ne [string]::Empty) { $body.Add("classification", $classification) }
if ($determination -ne [string]::Empty)  { $body.Add("determination", $determination) }
$headers = @{
    'Content-Type' = 'application/json'
    Accept         = 'application/json'
    Authorization  = "Bearer $token"
}
$response = Invoke-WebRequest -Method Patch -Uri $url -Body ($body | ConvertTo-Json) -Headers $headers -ErrorAction Stop
if ($response.StatusCode -eq 200)   # check the response status code
{
    return $true    # update ended successfully
}
else
{
    return $false   # update failed
}
```

Option 1: Push update

Ticketing systems as well as SIEM systems expose extensibility interfaces to enrich the experience with custom flows. You can use the following calls to update the Windows Defender ATP alert according to the ticket changes. For example, suppose an analyst decides to close the ticket as a false positive.
The automation code should call the following command:

.\Alert-Update.ps1 -alertId 636845233049028347_-906875643 -classification FalsePositive -status Resolved

For cases of alert classification and assignment change, use the following command:

.\Alert-Update.ps1 -alertId 636845233049028347_-906875643 -classification FalsePositive -assignedTo haim@cotoso.com

Option 2: Pull update

Instead of integrating the API call into the SIEM or ticketing system, you can schedule a periodic call to collect ticket changes and update the Windows Defender ATP alert. The same is true for webhooks as a callback mechanism. For both you can use the same API calls.

Tip for PowerShell newbies: use the PowerShell console IntelliSense to browse the different command options. Type the script name and a hyphen to get auto-completion options (see below).

Conclusion:

The Windows Defender ATP open API exposes the building blocks for simple scenarios as well as complex multi-stage integrations. In this example we demonstrated the typical use cases where you can apply the APIs to create and update tickets in the context of external tools. In the future we'll share specific product integration examples. You're more than welcome to share your experience or integration examples. If you are interested in specific product integration examples, let us know. In the next blog, we'll walk you through using Windows Defender ATP APIs to isolate a machine from the network, which can be very handy as a quick response to a high-risk security alert.

Thanks!
@Haim Goldshtein, security software engineer, Windows Defender ATP
@Dan Michelson, program manager, Windows Defender ATP

Introducing the new Microsoft Sentinel simplified pricing.
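As an added worked example of the "Option 2: Pull update" flow from the ticketing blog above (this is not code from the original post), the following scheduled sweep reads changed tickets, maps the ticketing system's status/resolution vocabulary onto the values Alert-Update.ps1 validates, and calls that script once per ticket. It assumes Alert-Update.ps1 is in the current folder, that the ticketing system can export changed tickets as CSV (the CSV content is constructed sample data), and that alert IDs follow the "<digits>_<signed digits>" shape shown in the commands above.

```powershell
# Added example (not from the original post): a scheduled "pull update" sweep for Option 2.
# Assumes Alert-Update.ps1 from this post is in the current folder and that the ticketing
# system can export changed tickets as CSV. The CSV below is constructed sample data.
$ticketCsv = @"
TicketId,WdatpAlertId,Status,Resolution,Assignee
INC-1001,636845233049028347_-906875643,Closed,False positive,haim@cotoso.com
INC-1002,636845233049028347_-906875644,In progress,,analyst@contoso.com
INC-1003,not-an-alert-id,Closed,Confirmed malware,
"@
$tickets = $ticketCsv | ConvertFrom-Csv

# Map the ticketing system's vocabulary (assumed here) onto the values Alert-Update.ps1 validates.
$statusMap = @{ 'New' = 'New'; 'In progress' = 'InProgress'; 'Closed' = 'Resolved' }
$resolutionMap = @{
    'False positive'    = @{ classification = 'FalsePositive' }
    'Confirmed malware' = @{ classification = 'TruePositive'; determination = 'Malware' }
    'Security testing'  = @{ classification = 'TruePositive'; determination = 'SecurityTesting' }
}

function Get-AlertUpdateArgs {
    param([pscustomobject]$Ticket)
    # Only forward fields the ticket actually carries, so an empty column never
    # overwrites a value an analyst already set in Windows Defender ATP.
    $update = @{ alertId = $Ticket.WdatpAlertId }
    if ($statusMap.ContainsKey($Ticket.Status)) { $update.status = $statusMap[$Ticket.Status] }
    if ($resolutionMap.ContainsKey($Ticket.Resolution)) {
        foreach ($kv in $resolutionMap[$Ticket.Resolution].GetEnumerator()) { $update[$kv.Key] = $kv.Value }
    }
    if (-not [string]::IsNullOrWhiteSpace($Ticket.Assignee)) { $update.assignedTo = $Ticket.Assignee }
    return $update
}

foreach ($ticket in $tickets) {
    # Alert IDs in this post look like "<digits>_<signed digits>"; skip anything else
    # instead of sending a malformed PATCH (format assumed from the IDs shown above).
    if ($ticket.WdatpAlertId -notmatch '^\d+_-?\d+$') {
        Write-Warning "$($ticket.TicketId): '$($ticket.WdatpAlertId)' is not an alert ID, skipping"
        continue
    }
    $updateArgs = Get-AlertUpdateArgs -Ticket $ticket
    if ($updateArgs.Count -eq 1) { continue }   # alertId only: nothing to change
    try {
        $ok = .\Alert-Update.ps1 @updateArgs    # splat the hashtable onto the script's parameters
        Write-Host "$($ticket.TicketId): update $(if ($ok) { 'succeeded' } else { 'failed' })"
    } catch {
        Write-Warning "$($ticket.TicketId): API call failed - $($_.Exception.Message)"
    }
}
```

Run it from the same folder as the other scripts on a schedule (or from a webhook handler) and replace the constructed CSV with your ticketing system's real export; the ID check and the "only send what changed" rule are what keep a bad export from clobbering analyst work in Windows Defender ATP.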
Learn about the new Microsoft Sentinel simplified price that combines the Azure Monitor Log Analytics and Microsoft Sentinel pricing tiers into a single combined tier, simplifying budgeting, billing, and cost management.

Ninja Cat Giveaway: Episode 3 | Sentinel integration

For this episode, your opportunity to win a plush ninja cat is the following. Reply to this thread with: what was your favorite feature Javier presented? Oh, and what does UEBA stand for?

This offer is non-transferable and cannot be combined with any other offer. This offer ends on April 14th, 2023, or until supplies are exhausted, and is not redeemable for cash. Taxes, if there are any, are the sole responsibility of the recipient. Any gift returned as non-deliverable will not be re-sent. Please allow 6-8 weeks for shipment of your gift. Microsoft reserves the right to cancel, change, or suspend this offer at any time without notice. Offer void in Cuba, Iran, North Korea, Sudan, Syria, Region of Crimea, Russia, and where prohibited.