Microsoft Defender Threat Intelligence (MDTI) now has new ways to boost interoperability and help the SOC punch above its weight by responding to threats at scale. During Microsoft Secure, we introduced capabilities that help enterprise users power up automation with Microsoft Defender Threat Intelligence, including an API and Microsoft Sentinel Playbooks. These new playbooks enable defenders to tap into MDTI's raw and finished intelligence at scale, quickly boosting their understanding of threats and triaging them automatically.
MDTI Sentinel Playbooks
MDTI Sentinel playbooks help customers improve their MTTA (mean time to acknowledge) and MTTR (mean time to respond) by enriching entities within incidents and alerts. Azure Logic Apps is at the heart of Microsoft Sentinel's SOAR capability, allowing our customers and partners to create automated workflows for any scenario required in the SOC. When you create Microsoft Sentinel playbooks, you leverage a robust platform that handles billions of requests daily and drives business productivity in multiple verticals. It can integrate natively with almost any service or product, with more than 450 connectors and a growing library of security-oriented integrations.
Leveraging MDTI helps streamline these cybersecurity tasks when analyzing threat infrastructure and gathering threat intelligence. MDTI's ability to aggregate crucial data sources and enrich them directly reduces investigation time for security analysts. Below, I outline in detail how to leverage these new playbooks.
Before we begin, users must have all three of the following to access and use the playbooks:
- MDTI Premium and API license (see our published blog about the MDTI APIs for details)
- Microsoft Sentinel
- An Azure AD client application for authenticating to the MDTI API
Note:
- Please reference our “Getting Started with MDTI” blog for details regarding setting up your MDTI Premium trial.
What scenarios will the MDTI Sentinel Playbooks enable? We will be looking at three playbooks focused on the following areas:
- Automated Triage: This playbook uses the Microsoft Defender Threat Intelligence Reputation data to automatically enrich incidents generated by Microsoft Sentinel. Indicators from an incident will be evaluated with MDTI Reputation data. If any indicators are labeled as "suspicious," the incident will be tagged as such, and its severity will be marked as "medium." If any indicators are labeled as "malicious," the incident will be tagged as such, and its severity will be marked as "high." Regardless of the reputation state, comments will be added to the incident outlining the reputation details with links to further information if applicable.
- Enrichment via Web Component Data: This playbook automatically enriches incidents generated by Microsoft Sentinel with Web Components data that indicators found within the incident are known to be hosting. These components allow a user to understand the makeup of a webpage or the technology and services driving a specific piece of infrastructure. Pivoting on unique components can find actors' infrastructure or other sites that are compromised. Users can also understand if a website might be vulnerable to a specific attack or compromise based on the technologies that it is running.
- Enrichment via reputation score: This playbook uses the MDTI Reputation data to automatically enrich incidents generated by Microsoft Sentinel. Reputation information helps an analyst decide whether an indicator is considered benign, suspicious, or malicious. Analysts can leverage this playbook to enrich indicators found within an incident. Each reputation result is contained within a comment and includes detailed scoring information noting why a given indicator is considered suspicious or malicious, with links back to the MDTI platform for more information.
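To make the decision logic of the Automated Triage and Intel Reputation playbooks concrete, here is an added Python model of it (example code, not the playbooks' Logic Apps definitions or the MDTI API's data shape): every indicator gets a comment with its score and reasons, suspicious indicators tag the incident and set Medium, malicious ones set High, and a malicious hit wins when both occur. The assumption that severity is only ever raised, the `Reputation` field names, and the sample values (the IP and its classification follow the post's figures; the rest is constructed) are this example's.

```python
from dataclasses import dataclass, field

# Sentinel incident severities in escalating order; this model only raises severity.
SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}
# Reputation classification -> severity the Automated Triage playbook sets (from the post).
SEVERITY_FOR = {"suspicious": "Medium", "malicious": "High"}


@dataclass
class Reputation:
    """One reputation result. Field names are this example's, not the MDTI API's."""
    indicator: str
    classification: str                           # "neutral", "suspicious" or "malicious"
    score: int                                    # 0-100
    reasons: list = field(default_factory=list)   # scoring rules / intel profiles that fired
    link: str = ""                                # link back to the MDTI platform, if any


@dataclass
class Incident:
    severity: str = "Low"
    tags: set = field(default_factory=set)
    comments: list = field(default_factory=list)


def format_comment(rep):
    """Build the per-indicator comment the Intel Reputation playbook adds."""
    text = f"{rep.indicator}: {rep.classification} (score {rep.score})"
    if rep.reasons:
        text += "; reasons: " + ", ".join(rep.reasons)
    if rep.link:
        text += f"; details: {rep.link}"
    return text


def triage(incident, reputations):
    """Comment on every indicator; tag and raise severity for suspicious/malicious ones.
    Never lowering severity is an assumption of this example, so a malicious
    indicator always outranks a suspicious one regardless of ordering."""
    for rep in reputations:
        incident.comments.append(format_comment(rep))
        target = SEVERITY_FOR.get(rep.classification)
        if target is None:
            continue                              # neutral/unknown: comment only
        incident.tags.add(f"MDTI {rep.classification.capitalize()}")
        if SEVERITY_RANK[target] > SEVERITY_RANK[incident.severity]:
            incident.severity = target
    return incident


# Constructed sample input; the link is a placeholder, not a real MDTI URL.
SAMPLE = [
    Reputation("185.82.217.3", "malicious", 100, ["Cobalt Strike", "HAFNIUM", "suspicious ASN"],
               "https://mdti.example/indicator/185.82.217.3"),
    Reputation("example.test", "suspicious", 65, ["recently registered domain"]),
    Reputation("10.0.0.5", "neutral", 0),
]


def run_sample():
    return triage(Incident(), SAMPLE)
```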
Installation and Configuration of the Playbooks
The following are the steps required to create, configure, and use the playbooks within Microsoft Sentinel:
1) Create an Azure AD client app with permissions to the MDTI API
2) Install the MDTI Sentinel playbooks
3) Configure the MDTI-Base playbook with the Azure AD client app credentials
4) Configure the other three MDTI playbooks (Intel Reputation, Automated Triage, and Web Components)
5) Use the playbooks within Microsoft Sentinel
Creating an Azure AD client app with MDTI API permissions
When configuring the MDTI-Base playbook, you need the Azure AD App Registration credentials (ClientId/ClientSecret/TenantId) of an app that has MDTI API permissions. These can be found on your Azure client app page. For more details, visit the MDTI API documentation. If you have trouble accessing your account or credentials, contact your account representative or reach out to discussMDTI[@]microsoft.com.
Install the MDTI Sentinel playbooks
Customers can access these playbooks through the following methods:
- Microsoft Sentinel GitHub: Azure-Sentinel/Solutions/Microsoft Defender Threat Intelligence/Playbooks in the Azure/Azure-Sentinel repository (github.com)
Figure: Deploying MDTI Sentinel playbooks from Sentinel GitHub
- Microsoft Sentinel Content Hub Solution (Microsoft Defender Threat Intelligence Solution)
Solutions are packages of Microsoft Sentinel content or Microsoft Sentinel API integrations that fulfill an end-to-end product, domain, or industry vertical scenario in Microsoft Sentinel. Both solutions and standalone items are discoverable and managed from the Content Hub.
For the MDTI solution, we package the three playbooks together with the mandatory MDTI-Base playbook. Users install the playbooks directly from the Content Hub. To get started, proceed to the Microsoft Sentinel Content Hub pane, search for Microsoft Defender Threat Intelligence, click Install, and proceed with the installation procedure.
Figure: Microsoft Sentinel Content Hub Solution ~ MDTI preview
After successfully installing the solution, you should see the following on the Content Hub pane:
Figure: MDTI Content Hub solution installed.
* The MDTI-Base playbook must be configured before any of the other playbooks can be used.
Configure the MDTI-Base playbook with Azure AD client app credentials
1) Proceed to the Content Hub pane and search for the MDTI solution. Click Manage to see the four playbooks found within the solution.
2) Configure the MDTI-Base playbook with the client app credentials. To do this, select the MDTI-Base playbook and click Configure.
Figure: Configuring the MDTI-Base playbook
3) This directs you to a page instructing you to create the playbook. Proceed with that action; you will be required to add the client app credentials in the Parameters section, which is necessary for the playbook to work.
4) After adding these details, click Create and Continue to designer.
Figure: Adding client app credentials to the MDTI-Base playbook parameters (enter the ClientId/ClientSecret generated earlier)
Configure the other three MDTI playbooks (Intel Reputation, Automated Triage, and Web Components)
After successfully installing the MDTI-Base playbook, you can proceed to configure the other three playbooks found within the MDTI Content Hub solution. To do this:
1) Go to the Content Hub pane and look for the MDTI solution.
2) Select Manage and select one playbook (in this example, we use MDTI Intel Reputation).
3) Proceed with the configuration process. Repeat this for the other playbooks (MDTI-Automated-Triage and MDTI-Data-WebComponents).
Figure: Configuring the MDTI Intel Reputation playbook from the MDTI Content Hub solution
Using the Sentinel playbooks within Microsoft Sentinel
Create an automation rule
After successfully deploying all the playbooks, the next step is to use them within Microsoft Sentinel. To do this, you need to create an automation rule. Here's how:
1) Navigate again to your Microsoft Sentinel workspace and click on "Automation." Then, create a new automation rule and give it a name.
2) In the "Conditions" section, select "Contains" and choose any analytic rule you have previously configured.
3) Under "Actions," select "Run Playbook" and select the MDTI playbooks. Finally, click "Apply" to create the automation rule.
Figure: Creation of an automation rule to trigger the MDTI Sentinel playbooks every time an incident is created
Once you have deployed the logic apps, you can also use them on demand from within Microsoft Sentinel incidents. Within an incident, select Incident actions, choose Run playbook, and run the individual playbooks on the incident for enrichment.
Figure: Running MDTI playbooks from a Microsoft Sentinel incident
The outcome of the playbook is added to the comments, which are accessible from the Activity Log view of the incident:
Figure: Accessing the Activity Log on a Microsoft Sentinel incident to view the comment added by the playbooks
The three playbooks and their expected outcomes are as follows:
1. Playbook 1: MDTI Automated Triage
This playbook uses MDTI Reputation data to automatically enrich and triage incidents generated by Microsoft Sentinel.
Prerequisites
This playbook inherits the API connections created and established within the base playbook. Ensure you have deployed MDTI-Base before using this playbook. If you have trouble accessing your account or credentials, contact your account representative or reach out to discussMDTI[@]microsoft.com.
Below, we can see that the incident's status was changed to Active, its severity was raised to High, and an MDTI Malicious tag was added, with the reputation details in a comment. Additional details about the entity are also included, including why it was deemed malicious.
Figure: Comment added by the Automated Triage playbook showing a malicious reputation, with the severity changed to High and the incident status changed to Active
Figure: The severity of the incident was changed to High because of the classification, and a tag of MDTI Malicious was added
2. Playbook 2: MDTI Web Component Data
This playbook uses MDTI web components data to automatically enrich incidents generated by Microsoft Sentinel.
Prerequisites
This playbook inherits the API connections created and established within the base playbook. Ensure you have deployed MDTI-Base before using this playbook. If you have trouble accessing your account or credentials, contact your account representative or reach out to discussMDTI[@]microsoft.com.
In the figure below, we see a comment added by the enrichment playbook showing the infrastructure of entity 185.82.217.3. In this case, we can see a component categorized as a command-and-control server (Cobalt Strike), giving us a major clue in our investigation.
Figure: Enriched incident generated from web component data; the IP is hosting a command-and-control server associated with Cobalt Strike activity
3. Playbook 3: MDTI Intel Reputation
This playbook uses MDTI Reputation data to automatically enrich incidents generated by Microsoft Sentinel. Reputation information lets an analyst decide whether an indicator is benign, suspicious, or malicious.
Prerequisites
This playbook inherits the API connections created and established within the base playbook. Ensure you have deployed MDTI-Base before using this playbook. If you have trouble accessing your account or credentials, contact your account representative or reach out to discussMDTI[@]microsoft.com.
Below, we can see the comment added by the Intel Reputation playbook. This time we have entity 185.82.217.3, whose reputation score is 100 with a malicious classification. Additionally, it is part of the Cobalt Strike and HAFNIUM intel profiles.
Figure: Comment showing a malicious score (100) and the detection rules behind the score (threat actor profiles for both Cobalt Strike and HAFNIUM, as well as an ASN that exhibits suspicious behavior)
We Want to Hear from You!
Be sure to join our fast-growing community of security pros and experts to provide product feedback and suggestions and start conversations about how MDTI is helping your team stay on top of threats. With an open dialogue, we can create a safer internet together. Learn more about MDTI.