Add comments containing Microsoft Defender exposure level to Microsoft Sentinel incidents
Accelerynt-Security/AS-Incident-Host-Exposure-Level
AS-Incident-Host-Exposure-Level

Author: Accelerynt

For any technical questions, please contact info@accelerynt.com

[Deploy to Azure] [Deploy to Azure Gov]

This playbook is intended to be run from a Microsoft Sentinel Incident. It will match the Hosts from a Microsoft Sentinel Incident with Microsoft Defender Machines and add each Machine's exposure level as a comment on the Microsoft Sentinel Incident.

[Screenshot: ExposureLevel_Demo]

Prerequisites

After deployment, you will need to give the system assigned managed identity the "Microsoft Sentinel Contributor" role. This will enable it to add comments to incidents. Run the following commands in PowerShell, replacing the managed identity object id and resource group name. You can find the managed identity object id on the Identity blade under Settings for the Logic App.

[Screenshot: ExposureLevel_Prereq]

You do not need to run Install-Module if the Az module has already been installed. More documentation on this module can be found here:

https://learn.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-9.3.0

# Install the Az PowerShell module (skip if it is already installed)
Install-Module -Name Az
# Sign in to Azure
Connect-AzAccount
# Grant the Logic App's system-assigned managed identity the role, scoped to its resource group
New-AzRoleAssignment -ObjectId <logic app managed identity object id> -RoleDefinitionName "Microsoft Sentinel Contributor" -ResourceGroupName "<logic app resource group name>"
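The same prerequisite as a script that resolves the managed identity from the Logic App, skips the assignment if it already exists, and verifies the result. This is an added example, not part of the Accelerynt playbook; it assumes the Az module is installed, that the deployed Logic App keeps the default name, and that Get-AzResource exposes the workflow's Identity.PrincipalId (the resource group name is a placeholder).

```powershell
# Added example (not from the playbook repository). Placeholders: replace $ResourceGroup
# with the resource group the playbook was deployed to.
$ResourceGroup = "<logic app resource group name>"
$LogicAppName  = "AS-Incident-Host-Exposure-Level"
$RoleName      = "Microsoft Sentinel Contributor"

Connect-AzAccount | Out-Null

# Resolve the system-assigned managed identity's object id from the Logic App
# resource instead of copying it from the Identity blade by hand.
# Assumption: the PSResource returned by Get-AzResource carries Identity.PrincipalId.
$app = Get-AzResource -ResourceGroupName $ResourceGroup `
                      -ResourceType "Microsoft.Logic/workflows" -Name $LogicAppName
if (-not $app -or -not $app.Identity -or -not $app.Identity.PrincipalId) {
    throw "Logic App '$LogicAppName' was not found or has no system-assigned managed identity."
}
$principalId = $app.Identity.PrincipalId

# Keep the assignment scoped to the resource group, as the README's command does,
# rather than granting the role at subscription scope.
$scope = "/subscriptions/$((Get-AzContext).Subscription.Id)/resourceGroups/$ResourceGroup"

# Only create the assignment if it is not already present, so re-running the
# script after a redeploy neither errors out nor creates duplicate assignments.
$existing = Get-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName $RoleName `
                                 -Scope $scope -ErrorAction SilentlyContinue
if ($existing) {
    Write-Host "'$RoleName' is already assigned to $principalId at $scope"
} else {
    New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName $RoleName -Scope $scope | Out-Null
    Write-Host "Assigned '$RoleName' to $principalId at $scope"
}

# Verify what the identity holds at this scope (inherited assignments are listed too).
# Newly created assignments can take a few minutes to propagate before the playbook
# can successfully add comments.
Get-AzRoleAssignment -ObjectId $principalId -Scope $scope |
    Select-Object RoleDefinitionName, Scope
```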

Deployment

To configure and deploy this playbook:

Open your browser and ensure you are logged into your Microsoft Sentinel workspace. In a separate tab, open the link to our playbook on the Accelerynt Security GitHub Repository:

https://github.com/Accelerynt-Security/AS-Incident-Host-Exposure-Level

[Deploy to Azure] [Deploy to Azure Gov]

Click the “Deploy to Azure” button at the bottom and it will bring you to the custom deployment template.

In the Project Details section:

  • Select the “Subscription” and “Resource Group” you would like the playbook deployed to from the dropdown boxes.

In the Instance Details section:

  • Playbook Name: This can be left as "AS-Incident-Host-Exposure-Level" or you may change it.

Towards the bottom, click on “Review + create”.

[Screenshot: ExposureLevel_Deploy_1]

Once the resources have validated, click on "Create".

[Screenshot: ExposureLevel_Deploy_2]

The resources should take around a minute to deploy. Once the deployment is complete, you can expand the "Deployment details" section to view them. Click the one corresponding to the Logic App.

[Screenshot: ExposureLevel_Deploy_3]

Click on the “Edit” button. This will bring you into the Logic Apps Designer.

[Screenshot: ExposureLevel_Deploy_4]

Expand the step labeled "Condition - Check for Hosts". The sixth step, labeled "Connections", uses a wdatp connection, which is responsible for communicating with Microsoft Defender. Before the playbook can be run, this connection must either be authorized, or an existing authorized wdatp connection must be selected in its place.

[Screenshot: ExposureLevel_Deploy_5]

To validate the wdatp connection created for this playbook, expand the "Connections" step and click the exclamation point icon next to the name matching the playbook.

[Screenshot: ExposureLevel_Deploy_6]

When prompted, sign in to validate the connection.

[Screenshot: ExposureLevel_Deploy_7]

Running the Playbook

To run this playbook from a Microsoft Sentinel incident, navigate to Microsoft Sentinel:

https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel

Select a workspace and then click the "Incidents" menu option located under "Threat management". Select an incident with compromised host entities.

Click on the "Action" list button on the bottom right of the screen and select "Run playbook".

[Screenshot: ExposureLevel_Run_1]

From the "Run playbook on incident" view, type "AS-Incident-Host-Exposure-Level" into the search bar, then click "Run".

[Screenshot: ExposureLevel_Run_2]
