Microsoft Defender Threat Intelligence Blog

What's New: MDTI Microsoft Sentinel Playbooks

Sean_Wasonga
Mar 29, 2023

Microsoft Defender Threat Intelligence (MDTI) now has new ways to boost interoperability and help the SOC punch above its weight by responding to threats at scale. During Microsoft Secure, we introduced capabilities that help enterprise users power up automation with Microsoft Defender Threat Intelligence, including an API and Microsoft Sentinel Playbooks. These new playbooks let defenders tap into MDTI's raw and finished intelligence at scale to quickly build their understanding of threats and triage them automatically.

 

MDTI Sentinel Playbooks

 

MDTI Sentinel playbooks will help customers improve their MTTA (mean time to acknowledge) and MTTR (mean time to respond) by enriching entities within incidents and alerts. Azure Logic Apps is at the heart of Microsoft Sentinel's SOAR capability, allowing our customers and partners to create automated workflows for any scenario required in the SOC. When you create Microsoft Sentinel playbooks, you leverage a robust platform that handles billions of requests daily and drives business productivity in multiple verticals. It can integrate with almost any service or product natively, with more than 450 connectors and a growing library of security-oriented integrations.

 

Leveraging MDTI can help streamline several cybersecurity tasks when conducting threat infrastructure analysis and gathering threat intelligence. MDTI's ability to aggregate crucial data sources and enrich them goes hand in hand with reducing investigation time for security analysts. Below, I outline in detail how to use these new playbooks.

 

Before we begin, users must have all three of the following to access and use the playbooks:

 

  • MDTI Premium and API license (we have a published blog about the MDTI APIs that you can read here)
  • Microsoft Sentinel
  • Microsoft client application for authentication with the MDTI API

Note:

 

  • Please reference our “Getting Started with MDTI” blog for details regarding setting up your MDTI Premium trial.

 

What scenarios will the MDTI Sentinel Playbooks enable? We will be looking at three playbooks focused on the following areas:

 

  • Automated Triage: This playbook uses the Microsoft Defender Threat Intelligence Reputation data to automatically enrich incidents generated by Microsoft Sentinel. Indicators from an incident will be evaluated with MDTI Reputation data. If any indicators are labeled as "suspicious," the incident will be tagged as such, and its severity will be marked as "medium." If any indicators are labeled as "malicious," the incident will be tagged as such, and its severity will be marked as "high." Regardless of the reputation state, comments will be added to the incident outlining the reputation details with links to further information if applicable.

  • Enrichment via Web Component Data: This playbook automatically enriches incidents generated by Microsoft Sentinel with Web Components data that indicators found within the incident are known to be hosting. These components allow a user to understand the makeup of a webpage or the technology and services driving a specific piece of infrastructure. Pivoting on unique components can find actors' infrastructure or other sites that are compromised. Users can also understand if a website might be vulnerable to a specific attack or compromise based on the technologies that it is running.

  • Enrichment via reputation score: This playbook uses the MDTI Reputation Data to automatically enrich incidents generated by Microsoft Sentinel. Reputation information gives an analyst a basis for deciding whether an indicator is benign, suspicious, or malicious. Analysts can leverage this playbook to enrich indicators found within an incident. Each reputation result is contained within a comment and will include detailed scoring information noting why a given indicator is considered suspicious or malicious, with links back to the MDTI platform for more information.
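
The triage rules in the first bullet (suspicious raises severity to Medium, malicious to High, every indicator gets a comment), written out as runnable decision logic. This is an added example, not the playbook's Logic App definition or any Microsoft code; the Reputation field names, the "MDTI Malicious"/"MDTI Suspicious" tag strings and the rule that severity is only ever raised, never lowered, are assumptions, and the sample input is constructed (it reuses the 185.82.217.3 values quoted later in this post plus two made-up entities).

```python
# Added example: Automated Triage decision logic modelled on the behaviour the
# post describes. Not the playbook's own Logic App; field names, tag strings and
# the "only raise severity" rule are assumptions.
from dataclasses import dataclass, field
from typing import List, Optional

# Microsoft Sentinel incident severities, ordered so they can be compared.
SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

# Classification -> (severity to apply, tag to add). Neutral/unknown results
# leave severity and tags untouched but still get a comment.
CLASSIFICATION_ACTION = {
    "malicious": ("High", "MDTI Malicious"),
    "suspicious": ("Medium", "MDTI Suspicious"),
}


@dataclass
class Reputation:
    """One MDTI reputation result for an incident entity (constructed shape)."""
    indicator: str
    classification: str                      # unknown | neutral | suspicious | malicious (assumed)
    score: int                               # 0..100
    rules: List[str] = field(default_factory=list)   # rule names behind the score
    details_url: Optional[str] = None        # link back to the MDTI platform


@dataclass
class TriageResult:
    severity: str
    tags: List[str]
    comments: List[str]


def comment_for(rep: Reputation) -> str:
    """Render the per-indicator comment the playbook would append to the incident."""
    text = f"MDTI reputation for {rep.indicator}: {rep.classification} (score {rep.score})"
    if rep.rules:
        text += "; rules: " + ", ".join(rep.rules)
    if rep.details_url:
        text += f"; details: {rep.details_url}"
    return text


def triage(current_severity: str, reputations: List[Reputation]) -> TriageResult:
    """Apply the triage rules: the worst classification across all indicators wins,
    severity is only raised (assumption: the playbook never downgrades an incident),
    and every indicator gets a comment regardless of its reputation."""
    if current_severity not in SEVERITY_RANK:
        raise ValueError(f"unknown severity {current_severity!r}")
    severity = current_severity
    tags: List[str] = []
    comments = [comment_for(r) for r in reputations]
    for rep in reputations:
        action = CLASSIFICATION_ACTION.get(rep.classification.lower())
        if action is None:
            continue
        new_severity, tag = action
        if SEVERITY_RANK[new_severity] > SEVERITY_RANK[severity]:
            severity = new_severity
        if tag not in tags:
            tags.append(tag)
    return TriageResult(severity=severity, tags=tags, comments=comments)


# Constructed sample input: the malicious IP from the post plus two made-up entities.
SAMPLE_REPUTATIONS = [
    Reputation("185.82.217.3", "malicious", 100, ["Cobalt Strike", "HAFNIUM"],
               "https://ti.example.invalid/185.82.217.3"),   # placeholder link
    Reputation("203.0.113.7", "suspicious", 60, ["Suspicious ASN"]),
    Reputation("example.com", "neutral", 0),
]

if __name__ == "__main__":
    result = triage("Low", SAMPLE_REPUTATIONS)
    print("severity:", result.severity)
    print("tags:", result.tags)
    for line in result.comments:
        print(" -", line)
```

Running it on the sample input raises a Low incident to High, adds both tags, and produces three comments, one per indicator, which is the outcome the post shows in its later screenshots.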

 

Installation and Configuration of the Playbooks 

 

The following are the steps required to create, configure, and use the playbooks within Microsoft Sentinel:

 

1) Create an Azure AD client app with Permissions to the API 

2) Install the MDTI Sentinel playbooks

3) Configure the MDTI Base playbook with Azure AD Client APP credentials

4) Configure the other three MDTI playbooks (Intel Reputation, Automated Triage, and Web Components)

5) Use the playbooks within Microsoft Sentinel 

 

Creating an Azure AD client app with MDTI API permissions

 

When configuring this playbook, you need the Azure AD App Registration credentials (ClientId/ClientSecret/TenantId) with MDTI API Permissions. These can be found on your Azure Client App page. For more details, visit the MDTI API documentation. If you have trouble accessing your account or credentials, contact your account representative or reach out to discussMDTI[@]microsoft.com.
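
A way to check the app registration before wiring it into the MDTI-Base playbook: obtain a token with the ClientId/ClientSecret/TenantId and call the reputation endpoint for one indicator. This is an added example, not from the post or from Microsoft; the token endpoint and `.default` scope are the standard Azure AD client-credentials values, while the Microsoft Graph reputation path and the ThreatIntelligence.Read.All permission name are assumptions to verify against the MDTI API documentation. It uses only the Python standard library.

```python
# Added example: verify that an Azure AD app registration can obtain a token and
# call the MDTI API, i.e. what the MDTI-Base playbook relies on. Not from the
# post. The reputation path is an assumption (Microsoft Graph threatIntelligence
# endpoint); check it against the MDTI API documentation.
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request
from typing import Any, Dict, Tuple

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH_SCOPE = "https://graph.microsoft.com/.default"
# Assumed endpoint; hostId is the hostname or IP as a string.
REPUTATION_URL = "https://graph.microsoft.com/v1.0/security/threatIntelligence/hosts/{host}/reputation"


def token_request(tenant_id: str, client_id: str, client_secret: str) -> Tuple[str, bytes]:
    """Build the OAuth2 client-credentials token request for the app registration."""
    url = TOKEN_URL.format(tenant=urllib.parse.quote(tenant_id, safe=""))
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_SCOPE,
    }).encode("utf-8")
    return url, body


def reputation_url(host: str) -> str:
    """Build the reputation lookup URL for a hostname or IP indicator."""
    return REPUTATION_URL.format(host=urllib.parse.quote(host, safe=""))


def _post_form(url: str, body: bytes) -> Dict[str, Any]:
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def _get_json(url: str, token: str) -> Dict[str, Any]:
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def get_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """Exchange the app credentials for an access token. On failure (wrong secret,
    expired secret, wrong tenant) surface Azure AD's error_description."""
    url, body = token_request(tenant_id, client_id, client_secret)
    try:
        return _post_form(url, body)["access_token"]
    except urllib.error.HTTPError as exc:
        raw = exc.read().decode("utf-8", "replace")
        try:
            detail = json.loads(raw).get("error_description", raw)
        except ValueError:
            detail = raw
        raise RuntimeError(f"token request failed: {detail}") from exc


def fetch_reputation(token: str, host: str) -> Dict[str, Any]:
    """Look up the MDTI reputation of one indicator with the bearer token.
    A 403 here usually means the app lacks the ThreatIntelligence.Read.All
    application permission or admin consent was never granted."""
    return _get_json(reputation_url(host), token)


def main() -> int:
    # Credentials come from the environment so they never end up in a script.
    tenant, client, secret = (os.environ.get(k) for k in
                              ("MDTI_TENANT_ID", "MDTI_CLIENT_ID", "MDTI_CLIENT_SECRET"))
    if not (tenant and client and secret):
        print("set MDTI_TENANT_ID, MDTI_CLIENT_ID and MDTI_CLIENT_SECRET", file=sys.stderr)
        return 2
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    rep = fetch_reputation(get_token(tenant, client, secret), host)
    print(f"{host}: {rep.get('classification')} (score {rep.get('score')})")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

If the token call succeeds but the reputation call returns 403, the credentials are fine and the problem is the API permission or consent on the app registration; if the token call itself fails, the error description Azure AD returns points at the secret or tenant.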

 

Install the MDTI Sentinel playbooks

 

Customers can access these playbooks through the following methods:

 

Figure: Deploying MDTI Sentinel playbooks from Sentinel GitHub 

Solutions are packages of Microsoft Sentinel content or Microsoft Sentinel API integrations that fulfill an end-to-end product, domain, or industry vertical scenario in Microsoft Sentinel. Both solutions and standalone items are discoverable and managed from the Content Hub.

For the MDTI solution, we package the three playbooks. Users install the playbooks directly from the Content Hub. To get started, go to the Microsoft Sentinel Content Hub pane, search for Microsoft Defender Threat Intelligence, then click Install and proceed with the installation procedures.

 

Figure: Microsoft Sentinel Content Hub Solution ~ MDTI preview 

After successfully installing the solution, you should see the following on the Content Hub pane:

Figure: MDTI Content Hub solution installed.

 

* The MDTI-Base playbook must be configured before the other playbooks can be used.


Configure the MDTI base playbook with Azure AD Client App credentials

 

1) Go to the Content Hub pane and search for the MDTI solution. Click Manage to see the four playbooks found within the solution.

2) Configure the MDTI Base playbook with the client app credentials. To do this, select the MDTI Base playbook and click Configure.

 

Figure: Configuring the MDTI-Base playbook

 

3) This should direct you to a page instructing you to Create the playbook. Proceed with that action, and you will be required to add the Client App credentials in the Parameters, which is necessary for the playbook to work successfully.

4) After adding these details, click Create and Continue to designer.

Figure: Adding client app credentials to the MDTI-Base playbook parameters (the ClientId/ClientSecret generated earlier)

 

Configure the other three MDTI playbooks (Intel Reputation, Automated Triage, and Web Components)

 

After successfully installing the MDTI base playbook, you can proceed to configure the other three playbooks found within the MDTI Content Hub solution. To do this:

 

1) Go to the Content Hub pane and look for the MDTI solution.

2) Select Manage and proceed to select one playbook (in this example, we will use MDTI Intel Reputation).

3) Proceed with the configuration process. (Repeat this action for the other playbooks, MDTI-Automate-Triage and MDTI-Data-WebComponents.)

 

Figure: Configuring the MDTI Intel Reputation playbook from the MDTI Content Hub solution

 

Using the Sentinel playbooks within Microsoft Sentinel 

 

Create an automation rule

 

After successfully deploying all the playbooks, the next step is leveraging these playbooks within Microsoft Sentinel. To do this, you will need to create an automation rule. Here's how:

 

1) Navigate again to your Microsoft Sentinel workspace and click on "Automation." Then, create a new automation rule and give it a name.

2) In the "Conditions" section, select "Contains" and choose any analytic rule you have previously configured.

3) Under "Actions," select "Run Playbook" and select the MDTI playbooks. Finally, click "Apply" to create the automation rule.

 

Figure: Creation of an automation rule to trigger the MDTI Sentinel playbooks every time an incident is created 

 

Once you have deployed the logic apps, you can use them in incidents within Microsoft Sentinel. Within incidents, you can run a playbook action and run the individual playbooks on the incident for enrichment by selecting Incident actions.

Figure: running MDTI Playbooks from a Microsoft Sentinel Incident

 

The outcome from the playbook is added to the comments, which are accessible from the Activity Log view in the incident:

Figure: Accessing the Activity Log on a Microsoft Sentinel incident to visualize the comment added by playbooks 

 

The three playbooks and their expected outcomes are as follows:

 

1. Playbook 1: MDTI~AUTOMATED TRIAGE

 

This playbook uses the MDTI Reputation data to automatically enrich incidents generated by Microsoft Sentinel. 

 

Prerequisites

 

This playbook inherits API connections created and established within a base playbook. Ensure you have deployed MDTI-Base in this playbook. If you have trouble accessing your account or credentials, contact your account representative or reach out to discussMDTI[@]microsoft.com.

 

Below, we can see the incident's status was changed to Active and its severity to High, with a Malicious tag from MDTI added in the comment. Additional details about the entity have also been included, including why it was deemed malicious.

 

Figure: Comment added from the automated triage playbook showing malicious reputation, as well as severity being changed to High and incident status changing to Active

 

Figure: The severity of the incident was changed to 'High' due to the classification and a tag of MDTI Malicious was added

 

2. Playbook 2: MDTI~WEB COMPONENT DATA

 

This playbook uses the MDTI components data to automatically enrich incidents generated by Microsoft Sentinel. 

 

Prerequisites

 

This playbook inherits API connections created and established within a base playbook. Ensure you have deployed MDTI-Base in this playbook. If you have trouble accessing your account or credentials, contact your account representative or reach out to discussMDTI[@]microsoft.com.

 

In the figure below, we see a comment added by the Web Component enrichment playbook showing the infrastructure of entity 185.82.217.3. In this case, we can see a category of command-and-control server (Cobalt Strike), giving us a major clue in our investigation.

 

Figure: Enriched incident generated from web component data; the IP is hosting a command-and-control server associated with Cobalt Strike activity

3. Playbook 3: MDTI~INTEL REPUTATION

 

This playbook uses the MDTI Reputation Data to automatically enrich incidents generated by Microsoft Sentinel. Reputation information lets an analyst decide whether an indicator is benign, suspicious, or malicious.

Prerequisites

 

This playbook inherits API connections created and established within a base playbook. Ensure you have deployed MDTI-Base in this playbook. If you have trouble accessing your account or credentials, contact your account representative or reach out to discussMDTI[@]microsoft.com.

 

Below, we can see the comment added from the Intel Reputation playbook. This time we have entity 185.82.217.3, whose reputation score is 100 with a malicious classification. Additionally, it is part of intel profiles Cobalt Strike and Hafnium.

 

Figure: Comment showing a malicious score (100) and detection rules in relation to the score (Threat actor profiles of both Cobalt strike and HAFNIUM, as well as an ASN that exhibits suspicious behavior).

 

We Want to Hear from You!

 

Be sure to join our fast-growing community of security pros and experts to provide product feedback and suggestions and start conversations about how MDTI is helping your team stay on top of threats. With an open dialogue, we can create a safer internet together. Learn more about MDTI.

Updated Nov 14, 2023
Version 7.0
  • Dean_Gross
    Silver Contributor

    Sean_Wasonga it would be helpful if the Description for the solution in the Content Hub included the requirement for MDTI Premium. Currently, it shows Free, which is somewhat misleading.

    On a more general note, all of the Solution Descriptions should clearly describe any prerequisites so that we don't waste time trying to do something for which we don't have licenses.

     

  • Update: Self-enabled MDTI Premium trials are no longer available. Please work with your Microsoft Commercial Executive or select the "Contact Sales" button on this page and fill out the form to get in touch with Microsoft sales to begin your MDTI Premium trial. 

  • I don't know why the documents around setting up the MDTI solution and using the playbooks are so bad. So you can get the threat feed setup with basically a few clicks and you have the connector working, then to use the playbooks you need to have MDTI Premium license and the MDTI API license?

     

    In the admin center those come up as $50k per year, each.

     

    I feel like I am missing something here.

     

    I need to know the permissions that app registration requires in Entra ID and also if I really need those two expensive licenses for just a few playbooks.

  • Hello Sentinel-PurpleTeam

    A couple of important points to note:

    The Connector for MDTI facilitates the integration of MDTI Feeds into Sentinel. However, it's crucial to understand that these feeds are currently limited to the following types:

    1) MDTI OSINT IOCs and

    2) MSTIC Honeypot indicators.

    Once integrated, these feeds are directed to the threat intelligence table, enriching your ability to detect potential threats.

     

    Regarding the utilization of playbooks for enrichment purposes, it's essential to have access to the API and a Premium license. The required app permissions include Threat Intelligence Read All, as detailed in the Microsoft Graph permissions reference - Microsoft Graph | Microsoft Learn

    For those interested in exploring a trial for MDTI Premium and API access, please work with your Microsoft Commercial Executive or select the "Contact Sales" button on this page and fill out the form to get in touch with Microsoft sales to begin your MDTI Premium trial.