Threat Response with Azure Sentinel Playbooks

By Ashwin Venugopal -

 



Azure Sentinel as a SIEM & SOAR solution

Azure Sentinel is known for its Security Information and Event Management (SIEM) and Security Orchestration, Automation and Response (SOAR) solution that's especially designed for hybrid environments. To alert you about any potential security threats such as attempts to access Contoso's resources from outside its infrastructure or when data from Contoso appears to be sent to a known malicious IP address, it extensively uses built-in and custom detections while also creating incidents based on these alerts. 

Azure Sentinel Playbooks

The collections of the procedures based on Azure Logic Apps that runs in response to an alert are called Security Playbooks and can also be run manually in response to your investigation of an incident or an alert can be configured to run a playbook automatically. Its ability to respond to the incidents automatically also allows you to automate some of your security operations and make your Service Organization Controls (SOC) more productive.

Azure Logic Apps

Azure Logic Apps is a cloud service that can automate the operation of your business processes and by using graphical design tool called the Logic App Designer you can arrange pre-built components into the sequence you need. You can also use the code view while writing your automated process in the JSON file.

Logic Apps Connector

Connector is used by Logic Apps to connect to the hundreds of services which is a component that provides an interface to an external service. An Azure Sentinel data connector and a Logic Apps connector are considered different in a way that an Azure Sentinel data connector connects Azure Sentinel with Microsoft Security products as well as security systems for non-Microsoft solutions; while a Logic Apps connector is a component that provides an API connection for an external service as well as allows integration of events, data, and actions across other apps, services, systems, protocols, and platforms.

What are triggers and actions?

Azure Logic Apps use triggers and actions, which are defined as follows:

  • A trigger is an event that occurs when a specific set of conditions are satisfied and can be activated automatically when the conditions are met. For example, a security incident occurs in Azure Sentinel, which is a trigger for an automated action.
  • An action is an operation that performs a task in the Logic Apps workflow and runs when a trigger activates, another action completes, or a condition is met.   

Azure Sentinel Logic Apps Connector

An Azure Sentinel playbook uses an Azure Sentinel Logic Apps connector which provides the triggers and actions that can start the playbook as well as perform defined actions. Currently, there are two triggers from Azure Sentinel Logic Apps connector:
  • When a response to an Azure Sentinel alert is triggered  
  • When Azure Sentinel incident creation rule is triggered

Note- As Azure Sentinel Logic App connector is in preview, the features described here might change in the future.

The following table lists all the current actions for the Azure Sentinel connector:

Name

Description

Add comment to incident

Adds comments to the selected incidents.

Add labels to incident

Adds labels to the selected incidents.

Alert- Get incident

Returns the incident associated with the selected alert.

Change incident description

Changes the description for the selected incident.

Change incident severity

Changes the severity for the selected incident.

Change incident status

Changes the status for the selected incident.

Change incident title (V2)

Changes the title for the selected incident.

Entities- Get Accounts

Returns a list of accounts associated with the alert.

Entities- Get FileHashes

Returns a list of file hashes associated with the alert.

Entities- Get Hosts

Returns a list of hosts associated with the alert.

Entities- Get IPs

Returns a list IPs associated with the alert.

Entities- Get URLs

Returns a list of URLs associated with the alert

Remove labels from incident

Removes the labels from the selected incident.

Actions that have (V2) or a higher number provide a new version of the action and might differ from the old functionality from the action. Some action requires integration from another connectors.

Run a Playbook on demand

Based on the incident details, to trigger specific steps as part of the investigation, or to conduct some remediation action you can easily configure playbooks to run on demand. 

Considering the scenario where suspicious users are prevented from accessing corporate resources, and as the security administrator at Contoso, you may find one false positive incident. Some users at Contoso can also access the resources over a virtual private network connection from remote computer while being connected to the office computers at the same time. Microsoft Cloud Security then receives signals and based on the vulnerability that detects potential threat from atypical travel locations, it tags the users as medium risk.

You can use a playbook that can automatically dismiss this risky user property in Azure AD.

Azure Sentinel repository on GitHub  

Azure Sentinel repository on GitHub contains ready-to-use playbooks that are defined with Azure Resource Manager (ARM template) that use Logic App Azure Sentinel triggers, to help you automate responses on incidents. For each deployment on GitHub, first of each connection must be authorized in the playbook before you edit them in Logic Apps Designer which will create an API connection to an appropriate connector and store the token as well as variables. You can easily locate the API connection in the resource group where you created the logic app.

The name of each API connection is appended with the azuresentinel prefix. You can also edit the connection in the Logic Apps Designer when you edit the logic app.

Attach a Playbook to an existing incident

After your playbook is ready, you can open the Incident page in Azure Sentinel, and then select the existing incident, you can select View full details in the details pane to explore the properties of the incident, View playbooks from the Alerts Panel, and then you can run one of the existing playbooks. After you have investigated the incident, you can also choose to run the playbook manually to respond to a security threat.   








Comments

Post a Comment

Popular posts from this blog

Deployment (Part 3)

By Ashwin Venugopal -
Image
  To read part 1, please click  here To read part 2, please click  here Microsoft Monitoring Agent (MMA) MMA is used across multiple Microsoft solutions and has undergone a few name changes as its features and functionality have evolved. If it is being considered to be used, then following areas should be covered during a Microsoft Sentinel deployment project: Consider the timelines and the strategy for a migration to AMA (Azure Monitor Agent) before the MMA end-of-life.  Consider the central deployment and management methodology for MMA. Determine which endpoints are in scope for deployment as these affect the log ingestion volume significantly.  Azure Monitor Agent (AMA) Organizations with MMA as the main Microsoft Sentinel agent should start planning the migration to AMA as soon as possible to avoid a rushed migration. One of the main advantages of AMA is the ability to control the log collection policy centrally and apply different policies against different groups of computers, re
Read more

Project Resourcing (Part 2)

By Ashwin Venugopal -
Image
  To read part 1, please click  here Engineering - SIEM The SIEM engineers configures Microsoft Sentinel, including Log Analytics, Logic Apps, workbooks, and playbooks. They are also responsible for the following high-level tasks: Initial configuration of Azure tenant, including provisioning required resources, assigning access roles, and configuring workspace parameters like log retention, resource tagging, and blueprints.  Deployment and configuration of syslog/CEF log collection agents in appropriate locations to collect logs from on-premises devices. Generally, it will be joint effort of both system engineer and SIEM engineer, involving configuration and potential troubleshooting.  Working with system owners to enable log forwarding and configuring any required parsing of log data in Log Analytics.  Working with security operations to create and deploy KQL analytic rules to offer detections for SOC/Computer Security Incident Response Team (CSRIT) use. Tuning of alert rule parameter
Read more

Design Planning (Part 3)

By Ashwin Venugopal -
Image
  To read part 1, please click  here To read part 2, please click  here Complex Organizational Structures SIEM can be an expensive security control, hence, it is common multiple businesses to contribute to the overall expense. Various organizational units may require a level of access to specific dashboards or sets of data. Microsoft Sentinel offers the ability to assign table-level permissions and limit the level of access to the minimum required to perform requisite job functions.  Role-based Access Control (RBAC) Requirements Microsoft Sentinel offers an extensive list of Azure built-in roles that can be used to provide granular access according to the job requirements and permitted level of access. Some of them are various Microsoft Sentinel dedicated roles: Microsoft Sentinel Contributor- Can perform all engineering-related configuration, such as creating alert rules, configuring data connectors, and additional similar tasks.  Microsoft Sentinel Reader- Can query the log data stor
Read more