MDTI-Data-PassiveDns



This playbook enriches Microsoft Sentinel incidents by querying Microsoft Defender Threat Intelligence Passive DNS data for related host and IP entities.

Attribute   Value
Type        Playbook
Solution    Microsoft Defender Threat Intelligence
Source      View on GitHub

Additional Documentation

📄 Source: MDTI-PassiveDns/readme.md

Overview

This playbook uses Microsoft Defender Threat Intelligence Passive DNS data to automatically enrich incidents generated by Microsoft Sentinel: it looks up the host and IP indicators found in the incident and attaches their Passive DNS history. Passive DNS (PDNS) is a system of record that stores DNS resolution data for a given location, record, and timeframe. This historical resolution data set lets users see which domains resolved to an IP address and vice versa, and supports time-based correlation on domain or IP overlap. PDNS may enable the identification of previously unknown or newly stood-up threat actor infrastructure, and proactively adding such indicators to blocklists can cut off communication paths before a campaign takes place. A record resolution data appears in the Resolutions data set tab; other DNS record types appear in the DNS data set tab.

Key Capabilities

Prerequisites

  1. Microsoft Defender Threat Intelligence (MDTI) Premium license enabled for the tenant. If you have trouble accessing your account or your credentials, contact your account representative (mdtidiscussion[@]microsoft.com).
  2. One of the following Azure AD roles (to grant Graph application permissions to the playbook's Managed Identity): Security Administrator, Global Administrator, or Privileged Role Administrator.

Deployment Parameters

Name           Description                                           Default
PlaybookName   Name of the Logic App (playbook)                      MDTI-Data-PassiveDns
MDTI-BaseUrl   MDTI Graph API base URL (must start with https://)    https://graph.microsoft.com
Api-Version    MDTI Graph API version                                v1.0

Deploy to Azure

Deploy to Azure · Deploy to Azure Gov (deployment buttons)

Post-Deployment Steps

1. Assign Microsoft Graph Permission (ThreatIntelligence.Read.All) to Managed Identity

To allow the playbook to query Microsoft Defender Threat Intelligence data, you must grant the managed identity of the playbook the ThreatIntelligence.Read.All application permission in Microsoft Graph. Follow these steps:

  1. Ensure you have the necessary Azure AD permissions (Security Administrator, Global Administrator, or Privileged Role Administrator).
  2. Open the Azure Cloud Shell or use a local PowerShell session with the Microsoft Graph module installed.
  3. Run the following commands, replacing 'MDTI-Data-PassiveDns' with your playbook's name if different:

```powershell
# Install the Microsoft Graph module for interacting with Microsoft Graph APIs
Install-Module Microsoft.Graph -Scope CurrentUser -AllowClobber -Force
Import-Module Microsoft.Graph

# Authenticate to Microsoft Graph using Managed Identity
Connect-MgGraph -Identity

# Retrieve the Microsoft Graph Service Principal
$graphSp = Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Graph'"

# Find the ThreatIntelligence.Read.All application role
$role = $graphSp.AppRoles | Where-Object { $_.Value -eq 'ThreatIntelligence.Read.All' -and $_.AllowedMemberTypes -contains 'Application' }

# Define the Logic App name (update if different) and look up its Managed Identity
$logicAppName = 'MDTI-Data-PassiveDns'
$logicAppSp = Get-MgServicePrincipal -Filter "displayName eq '$logicAppName'"

# Assign the ThreatIntelligence.Read.All role to the Logic App's Managed Identity
```

[Content truncated...]
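The readme's script is cut off before the assignment step itself. The following is an added example, not the readme's own script: it completes the procedure with the checks an operator wants before granting an application permission to a managed identity. It assumes an administrator with one of the roles listed above signs in interactively (so it uses Graph scopes rather than `-Identity`), that the playbook's system-assigned identity carries the Logic App name, and that the default name `MDTI-Data-PassiveDns` is in use.

```powershell
# Added example, not part of the MDTI-PassiveDns readme. Assumptions: interactive
# admin sign-in, system-assigned identity named after the Logic App.
$logicAppName = 'MDTI-Data-PassiveDns'           # assumed default from the readme
$appRoleValue = 'ThreatIntelligence.Read.All'

Import-Module Microsoft.Graph.Applications

# Application.Read.All reads service principals; AppRoleAssignment.ReadWrite.All
# is required to grant the app role. Interactive sign-in, not -Identity.
Connect-MgGraph -Scopes 'Application.Read.All', 'AppRoleAssignment.ReadWrite.All'

# Resolve Microsoft Graph by its well-known application ID rather than by display
# name, so a look-alike app registration cannot be picked up by mistake.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
if (-not $graphSp) { throw 'Microsoft Graph service principal not found.' }

$role = $graphSp.AppRoles | Where-Object {
    $_.Value -eq $appRoleValue -and $_.AllowedMemberTypes -contains 'Application'
}
if (-not $role) { throw "App role '$appRoleValue' not found on Microsoft Graph." }

# A display-name filter can match more than one principal; refuse to guess.
$candidates = @(Get-MgServicePrincipal -Filter "displayName eq '$logicAppName'")
if ($candidates.Count -ne 1) {
    throw "Expected exactly one service principal named '$logicAppName', found $($candidates.Count)."
}
$logicAppSp = $candidates[0]

# Idempotent: only create the assignment when it does not already exist.
$existing = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $logicAppSp.Id |
    Where-Object { $_.AppRoleId -eq $role.Id -and $_.ResourceId -eq $graphSp.Id }

if ($existing) {
    Write-Host "'$appRoleValue' is already assigned to '$logicAppName'."
} else {
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $logicAppSp.Id `
        -PrincipalId $logicAppSp.Id -ResourceId $graphSp.Id -AppRoleId $role.Id | Out-Null
    Write-Host "Assigned '$appRoleValue' to '$logicAppName'."
}

# Read the grant back so the playbook is not run against a silently failed assignment.
$verify = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $logicAppSp.Id |
    Where-Object { $_.AppRoleId -eq $role.Id -and $_.ResourceId -eq $graphSp.Id }
if (-not $verify) { throw 'Verification failed: assignment not visible after creation.' }
```

The grant is application-level and read-only for threat intelligence data, which is the least privilege the playbook needs; the identity gets no other Graph permission from this script.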

