Threat Response with Azure Sentinel Playbooks

Azure Sentinel as a SIEM & SOAR solution

Azure Sentinel is a cloud-native Security Information and Event Management (SIEM) and Security Orchestration, Automation and Response (SOAR) solution designed for hybrid environments. It uses built-in and custom detections to alert you to potential security threats, such as attempts to access Contoso's resources from outside its infrastructure, or data from Contoso being sent to a known malicious IP address, and it groups those alerts into incidents.

Azure Sentinel Playbooks

Security Playbooks are collections of procedures, built on Azure Logic Apps, that run in response to an alert. A playbook can be run manually as part of investigating an incident, or an alert can be configured to run a playbook automatically. Responding to incidents automatically lets you automate part of your security operations and makes your Security Operations Center (SOC) more productive.

Azure Logic Apps

Azure Logic Apps is a cloud service that automates business processes. Using the graphical design tool, the Logic App Designer, you arrange pre-built components into the sequence you need. You can also switch to the code view and write the workflow directly as a JSON definition.

Logic Apps Connector

A connector is the component that Logic Apps uses to reach hundreds of external services; it provides an interface to one such service. An Azure Sentinel data connector and a Logic Apps connector are different things: a Sentinel data connector brings data into Azure Sentinel from Microsoft security products and from non-Microsoft security systems, while a Logic Apps connector provides an API connection to an external service so that events, data and actions can be integrated across other apps, services, systems, protocols and platforms.

What are triggers and actions?

Azure Logic Apps use triggers and actions, which are defined as follows:

  • A trigger is an event that starts the workflow when a specific set of conditions is met; it fires automatically as soon as those conditions hold. For example, a security incident being created in Azure Sentinel is a trigger for an automated response.
  • An action is an operation that performs a task in the Logic Apps workflow. It runs when a trigger fires, when a previous action completes, or when a condition is met.

Azure Sentinel Logic Apps Connector

An Azure Sentinel playbook uses the Azure Sentinel Logic Apps connector, which provides the triggers that start the playbook and the actions it performs. Currently the connector offers two triggers:
  • When a response to an Azure Sentinel alert is triggered
  • When Azure Sentinel incident creation rule is triggered

Note: the Azure Sentinel Logic Apps connector is in preview, so the features described here might change.

The following table lists all the current actions for the Azure Sentinel connector:

Name                          Description
----                          -----------
Add comment to incident       Adds a comment to the selected incident.
Add labels to incident        Adds labels to the selected incident.
Alert - Get incident          Returns the incident associated with the selected alert.
Change incident description   Changes the description of the selected incident.
Change incident severity      Changes the severity of the selected incident.
Change incident status        Changes the status of the selected incident.
Change incident title (V2)    Changes the title of the selected incident.
Entities - Get Accounts       Returns a list of accounts associated with the alert.
Entities - Get FileHashes     Returns a list of file hashes associated with the alert.
Entities - Get Hosts          Returns a list of hosts associated with the alert.
Entities - Get IPs            Returns a list of IPs associated with the alert.
Entities - Get URLs           Returns a list of URLs associated with the alert.
Remove labels from incident   Removes labels from the selected incident.

Actions marked (V2) or a higher number are newer versions of an action and might behave differently from the older version. Some actions require integration with other connectors.

Run a Playbook on demand

You can also configure playbooks to run on demand, for example to trigger specific investigation steps based on the incident details, or to carry out a remediation action.

Consider a scenario in which suspicious users are blocked from accessing corporate resources. As the security administrator at Contoso, you may find that one of these incidents is a false positive: some Contoso users connect to resources over a virtual private network from a remote computer while they are also signed in on their office computers. Azure AD Identity Protection picks up those sign-ins, its atypical-travel detection treats them as a potential threat, and it tags the users as medium risk.

A playbook can dismiss the risky-user flag on those users in Azure AD automatically.
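The workflow definition below is an added example and is not code from the original post or from the Azure Sentinel GitHub repository. It ties together the trigger/action model, the Azure Sentinel connector trigger and actions described above, and the risky-user scenario: the playbook starts from the incident-creation trigger, pulls the account entities out of the incident, and, only for Medium-severity incidents, dismisses the Azure AD risky-user flag through Microsoft Graph and leaves an audit comment on the incident. The connector operation paths (/incident-creation, /entities/account, /Incidents/Comment), the trigger payload shape (triggerBody().object) and the entity property names (Accounts, aadUserId, accountName) are assumed from what the Logic App Designer exports in its code view; because the connector is in preview, build the same steps in the Designer and compare its code view before relying on them. The Graph endpoint and the IdentityRiskyUser.ReadWrite.All permission are Microsoft Graph's, but granting that permission to the logic app's managed identity is assumed to have been done beforehand.

```json
{
  "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "$connections": { "type": "Object", "defaultValue": {} }
  },
  "triggers": {
    "When_Azure_Sentinel_incident_creation_rule_is_triggered": {
      "description": "Sentinel connector trigger (path assumed from Designer export). Fires once per new incident; the incident is in triggerBody().object",
      "type": "ApiConnectionWebhook",
      "inputs": {
        "body": { "callback_url": "@{listCallbackUrl()}" },
        "host": { "connection": { "name": "@parameters('$connections')['azuresentinel']['connectionId']" } },
        "path": "/incident-creation"
      }
    }
  },
  "actions": {
    "Entities_-_Get_Accounts": {
      "description": "Sentinel connector action (path assumed): extracts the account entities the analytics rule mapped onto the incident",
      "runAfter": {},
      "type": "ApiConnection",
      "inputs": {
        "host": { "connection": { "name": "@parameters('$connections')['azuresentinel']['connectionId']" } },
        "method": "post",
        "path": "/entities/account",
        "body": "@triggerBody()?['object']?['properties']?['relatedEntities']"
      }
    },
    "Condition_-_only_Medium_severity": {
      "description": "Gate the remediation on severity so High incidents still get a human review instead of an automatic dismissal",
      "runAfter": { "Entities_-_Get_Accounts": [ "Succeeded" ] },
      "type": "If",
      "expression": {
        "and": [ { "equals": [ "@triggerBody()?['object']?['properties']?['severity']", "Medium" ] } ]
      },
      "actions": {
        "For_each_account": {
          "description": "One dismissal per account entity; aadUserId/accountName are assumed property names from the connector's Accounts output",
          "runAfter": {},
          "type": "Foreach",
          "foreach": "@body('Entities_-_Get_Accounts')?['Accounts']",
          "actions": {
            "Dismiss_risky_user_in_Azure_AD": {
              "description": "Plain HTTP action against Microsoft Graph, authenticated with the logic app's system-assigned managed identity (assumed to hold IdentityRiskyUser.ReadWrite.All)",
              "runAfter": {},
              "type": "Http",
              "inputs": {
                "method": "POST",
                "uri": "https://graph.microsoft.com/v1.0/identityProtection/riskyUsers/dismiss",
                "headers": { "Content-Type": "application/json" },
                "body": { "userIds": [ "@items('For_each_account')?['aadUserId']" ] },
                "authentication": { "type": "ManagedServiceIdentity", "audience": "https://graph.microsoft.com" }
              }
            },
            "Add_comment_to_incident": {
              "description": "Sentinel connector action (path and body shape assumed): records what the playbook did on the incident itself",
              "runAfter": { "Dismiss_risky_user_in_Azure_AD": [ "Succeeded" ] },
              "type": "ApiConnection",
              "inputs": {
                "host": { "connection": { "name": "@parameters('$connections')['azuresentinel']['connectionId']" } },
                "method": "post",
                "path": "/Incidents/Comment",
                "body": {
                  "incidentArmId": "@triggerBody()?['object']?['id']",
                  "message": "Playbook dismissed the Azure AD risky-user flag for @{items('For_each_account')?['accountName']} (known false positive: VPN and office sign-in at the same time)."
                }
              }
            }
          }
        }
      },
      "else": { "actions": {} }
    }
  },
  "outputs": {}
}
```

To use it, create the logic app in the same resource group as the Sentinel workspace, authorize the azuresentinel API connection, enable the system-assigned managed identity, and grant that identity the IdentityRiskyUser.ReadWrite.All application role on Microsoft Graph (app-role assignments to a managed identity are done with PowerShell or the CLI, not in the portal). Then run the playbook on demand from the incident's playbooks pane, or attach it to the analytics rule so it runs automatically. Two cautions: dismissing a risk detection is itself a privileged action, so limit who can edit or run the logic app and keep the incident comment as the audit trail; and a severity check alone is a coarse gate, so when the playbook runs automatically key it on the specific analytics rule (for example via relatedAnalyticRuleIds in the trigger payload) rather than on every Medium incident.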

Azure Sentinel repository on GitHub  

The Azure Sentinel repository on GitHub (https://github.com/Azure/Azure-Sentinel) contains ready-to-use playbooks, defined as Azure Resource Manager (ARM) templates, that use the Logic Apps Azure Sentinel triggers to help you automate incident responses. After deploying a playbook from GitHub, you must first authorize each of its connections before editing it in the Logic App Designer; authorizing a connection creates an API connection resource for the corresponding connector and stores its token and variables. You can find the API connection in the resource group in which you created the logic app.

The name of each API connection begins with the connector name, for example the azuresentinel prefix. You can also edit the connection in the Logic App Designer when you edit the logic app.

Attach a Playbook to an existing incident

After your playbook is ready, open the Incidents page in Azure Sentinel and select an existing incident. Select View full details in the details pane to explore the properties of the incident, then select View playbooks from the Alerts panel and run one of the existing playbooks. In other words, once you have investigated an incident you can choose to run a playbook manually to respond to the security threat.
