Use Case: Triage Incidents Based-on Enrichment from Threat Intelligence

Scenario

A Security Operations Center (SOC) analyst must examine the alerts and incidents assigned to them to determine whether action is actually required. Use the information in the incident's alerts to direct the procedure. Contextual information should be gathered at each step to better understand what to do next. Once the underlying alerts are fully understood and the involved entities have been examined, the analyst can decide whether to escalate or resolve the issue.

Steps

  • Start with Security Copilot. Retrieve the latest assigned Microsoft Defender XDR incident and summarize the alerts associated with it.

Prompt used:

What is the latest active Defender incident assigned to me? Summarize it, including the alerts associated with it.

  • Focus in on specific entities to get more information about them. 

Prompt used:

Elaborate on the details of this alert including the entities involved. 

  • Get more information to guide next steps. What type of actions might be next for someone with her credentials?

Prompt used:

Tell me more about the user entity. 

  • Use a saved hunting query to correlate entities with Sentinel incidents.

Manually activate the suggested prompt for the Natural language to Sentinel KQL plugin to run the query. 

  • Pivot the investigation to the SAP incident associated with the user from the original alert. 

Prompt used:

Elaborate on Sentinel incident and give details about the entities. 

  • Find out more about the IP address entity and examine how (if at all) it was determined to be malicious.

Prompt used:

Give me more details about the IP address and why is it malicious?
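The saved hunting query in the earlier step and the IP reputation check in this one can be done by hand in Sentinel as well, which is useful for verifying what the plugin returns. The KQL below is an added example, not the query used in the post or shipped with the Natural language to Sentinel KQL plugin; it assumes the standard Sentinel tables SecurityAlert, SecurityIncident and ThreatIntelligenceIndicator, and the two placeholder values at the top are assumptions to be replaced with the user and IP taken from the Defender alert. It lists every Sentinel incident whose alerts mention either entity and, for the IP, attaches any active threat-intelligence indicator that flagged it.

```kql
// Added example (not from the post). Placeholders are assumptions:
// replace them with the user and IP entities from the Defender alert.
let suspectUser = "<user-upn-from-defender-alert>";
let suspectIp   = "<ip-from-defender-alert>";
let lookback    = 14d;
// 1. Alerts whose entity list contains either value.
//    Entities is a JSON string in SecurityAlert, so parse and expand it.
let entityAlerts = SecurityAlert
| where TimeGenerated > ago(lookback)
| mv-expand Ent = parse_json(Entities)
| extend EntType = tostring(Ent.Type)
| extend EntValue = case(
    EntType == "account", tostring(Ent.Name),
    EntType == "ip",      tostring(Ent.Address),
    "")
| where EntValue =~ suspectUser or EntValue == suspectIp
| project SystemAlertId, AlertName, AlertSeverity, ProviderName,
          AlertTime = TimeGenerated, EntType, EntValue;
// 2. Sentinel incidents, latest state only, one row per contained alert id.
let incidents = SecurityIncident
| where TimeGenerated > ago(lookback)
| summarize arg_max(LastModifiedTime, *) by IncidentNumber
| mv-expand AlertId = AlertIds
| project IncidentNumber, Title, Severity, Status, IncidentUrl,
          AlertId = tostring(AlertId);
// 3. Active threat-intel indicators for the IP, so the analyst can see
//    which source flagged it and with what confidence.
let tiHits = ThreatIntelligenceIndicator
| where Active == true and ExpirationDateTime > now()
| where NetworkIP == suspectIp
     or NetworkSourceIP == suspectIp
     or NetworkDestinationIP == suspectIp
| summarize TiSources      = make_set(SourceSystem),
            TiThreatTypes  = make_set(ThreatType),
            MaxConfidence  = max(ConfidenceScore),
            TiDescriptions = make_set(Description, 5)
| extend EntValue = suspectIp;
// 4. Correlate: incidents containing the matching alerts, plus TI context.
entityAlerts
| join kind=inner incidents on $left.SystemAlertId == $right.AlertId
| join kind=leftouter tiHits on EntValue
| summarize Alerts        = make_set(AlertName),
            Entities      = make_set(EntValue),
            FirstAlert    = min(AlertTime),
            LastAlert     = max(AlertTime),
            TiSources     = take_any(TiSources),
            TiThreatTypes = take_any(TiThreatTypes),
            MaxConfidence = max(MaxConfidence)
  by IncidentNumber, Title, Severity, Status, IncidentUrl
| order by LastAlert desc
```

Run it from the Sentinel Logs blade or save it as a hunting query so the plugin can pick it up. A row with empty TiSources means the IP appeared in an alert but no active indicator in the workspace matched it, which is the "if any" case in the step above and a signal that the malicious verdict came from the alert provider rather than from the workspace's own threat intelligence.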

  • Create a summary report. 

Saved time in the escalation process with a summary for leadership and incident response teams.

Prompt used:

Write a report based on this investigation. Lead with your assessment of the original Defender incident and whether the threat of credential theft is real. Conclude your assessment on how that threat relates to the Sentinel incident regarding the file downloaded to a malicious IP. 

  • Pin the most useful prompt responses and edit the session name.

You have reached your goal and determined the assigned Microsoft Defender XDR incident is a real threat. By linking it to a Microsoft Sentinel incident involving an exfiltrated SAP file, you can prepare to collaborate with your escalation team. 

Conclusion

In this use case, Security Copilot aided in the prompt triage of an assigned incident. By looking into related incidents we verified that the alert called for actual action. The hunt surfaced an incident involving an IP entity that was connected to completed intelligence on the threat actor and the C2 tool used. We gave the escalation team the information they needed to respond efficiently by sharing the session and a summary report on a concise pin board.
