MDTI-Automated-Triage


Type: Playbook
Solution: Microsoft Defender Threat Intelligence
Source: View on GitHub

Additional Documentation

📄 Source: MDTI-Automated-Triage/readme.md

Overview

This playbook uses the Microsoft Defender Threat Intelligence Reputation data to automatically enrich incidents generated by Microsoft Sentinel. Indicators from an incident will be evaluated with MDTI Reputation data. If any indicators are labeled as "suspicious", the incident will be tagged as such and its severity will be marked as "medium". If any indicators are labeled as "malicious", the incident will be tagged as such and its severity will be marked as "high". Regardless of the reputation state, comments will be added to the incident outlining the reputation details with links to further information if applicable.
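The decision the Overview describes, written out as an added PowerShell illustration. This is not the playbook's own Logic App definition, and the function names are mine. The lookup function assumes the Microsoft Graph v1.0 hostReputation resource (a classification of unknown, neutral, suspicious or malicious, a score, and a list of rules), reached through the MDTI-BaseUrl and Api-Version parameters listed below; the demo at the end runs offline on constructed results rather than calling the API.

```powershell
# Added illustration of the triage decision described in the Overview. It is not
# the playbook's own (Logic App) definition; function names are mine. The lookup
# assumes the Microsoft Graph v1.0 hostReputation resource
# (classification: unknown | neutral | suspicious | malicious, score, rules[]).

function Get-MdtiHostReputation {
    # Live lookup using the playbook's parameters; needs a Connect-MgGraph session
    # whose identity holds ThreatIntelligence.Read.All. Not invoked in the offline demo.
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [string] $BaseUrl    = 'https://graph.microsoft.com',   # MDTI-BaseUrl
        [string] $ApiVersion = 'v1.0'                            # Api-Version
    )
    $uri = "$BaseUrl/$ApiVersion/security/threatIntelligence/hosts/$HostName/reputation"
    $r = Invoke-MgGraphRequest -Method GET -Uri $uri
    $r['indicator'] = $HostName
    return $r
}

function Resolve-TriageOutcome {
    param(
        [Parameter(Mandatory)] [hashtable[]] $Reputations,   # one result per indicator
        [ValidateSet('Informational', 'Low', 'Medium', 'High')] [string] $CurrentSeverity = 'Low'
    )
    $rank     = @{ Informational = 0; Low = 1; Medium = 2; High = 3 }
    $severity = $CurrentSeverity
    $tags     = [System.Collections.Generic.HashSet[string]]::new()
    $comments = [System.Collections.Generic.List[string]]::new()

    foreach ($rep in $Reputations) {
        $target = switch ($rep.classification) {
            'malicious'  { 'High' }
            'suspicious' { 'Medium' }
            default      { $null }
        }
        if ($target) {
            [void] $tags.Add($rep.classification)
            # Only ever raise severity: a malicious hit outranks suspicious, and a
            # severity already set higher by an analyst or another rule is kept.
            if ($rank[$target] -gt $rank[$severity]) { $severity = $target }
        }

        # Every indicator gets a comment, whatever its classification.
        $ruleText = foreach ($rule in $rep.rules) {
            $line = "$($rule.name) [$($rule.severity)]"
            if ($rule.relatedDetailsUrl) { $line += " <$($rule.relatedDetailsUrl)>" }
            $line
        }
        $comments.Add(("MDTI reputation for {0}: {1} (score {2}). {3}" -f
            $rep.indicator, $rep.classification, $rep.score,
            $(if ($ruleText) { "Rules: " + ($ruleText -join '; ') } else { "No rules matched." })))
    }

    [pscustomobject]@{
        Severity = $severity
        Tags     = @($tags)
        Comments = $comments.ToArray()
    }
}

# Constructed sample results for three indicators of one incident (not real MDTI data).
$sample = @(
    @{ indicator = '203.0.113.10'; classification = 'suspicious'; score = 60
       rules = @(@{ name = 'Constructed rule A'; severity = 'medium'; relatedDetailsUrl = 'https://example.invalid/rule-a' }) },
    @{ indicator = 'host.example.invalid'; classification = 'malicious'; score = 95
       rules = @(@{ name = 'Constructed rule B'; severity = 'high' }) },
    @{ indicator = '198.51.100.7'; classification = 'neutral'; score = 5; rules = @() }
)

$outcome = Resolve-TriageOutcome -Reputations $sample -CurrentSeverity 'Low'
$outcome | Format-List
```

The severity ladder only moves upward, which is the property to preserve when several indicators in one incident disagree: a single malicious result decides the severity, while the suspicious and neutral results still contribute their comments.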

Prerequisites

  1. Microsoft Defender Threat Intelligence (MDTI) Premium license enabled on your tenant.
  2. Security Administrator, Global Administrator, or Privileged Role Administrator role in Azure AD to assign the required API permissions to the playbook's Managed Identity.

Deployment

Playbook Parameters

Name           Description                   Default Value
PlaybookName   Name of the playbook          MDTI-Automated-Triage
MDTI-BaseUrl   Base URL for the MDTI API     https://graph.microsoft.com
Api-Version    API version for the MDTI API  v1.0

Post-Deployment Instructions

1. Assign ThreatIntelligence.Read.All Permission to Playbook's Managed Identity

To allow the playbook to query Microsoft Defender Threat Intelligence data, you must grant the managed identity of the playbook the ThreatIntelligence.Read.All application permission in Microsoft Graph. Follow these steps:

  1. Ensure you have the necessary Azure AD permissions (Security Administrator, Global Administrator, or Privileged Role Administrator).
  2. Open the Azure Cloud Shell or use a local PowerShell session with the Microsoft Graph module installed.
  3. Run the following commands, replacing 'MDTI-Automated-Triage' with your playbook's name if different:

# Install and import the Microsoft Graph module if not already present
Install-Module Microsoft.Graph -Scope CurrentUser -AllowClobber -Force
Import-Module Microsoft.Graph # It takes a minute to import

# Sign in as the administrator from step 1; these delegated scopes are what is needed
# to read service principals and create app role assignments
Connect-MgGraph -Scopes "Application.Read.All", "AppRoleAssignment.ReadWrite.All"

# Get the Microsoft Graph service principal
$graphSp = Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Graph'"

# Get the App Role ID for the ThreatIntelligence.Read.All application permission
$role = $graphSp.AppRoles | Where-Object { $_.Value -eq "ThreatIntelligence.Read.All" -and $_.AllowedMemberTypes -contains "Application" }

# The Logic App's system-assigned managed identity has a service principal
# with the same display name as the Logic App
$logicAppName = 'MDTI-Automated-Triage'   # Change if different
$logicAppSp = Get-MgServicePrincipal -Filter "displayName eq '$logicAppName'"

# Assign the permission to the Logic App's managed identity
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $logicAppSp.Id `
    -PrincipalId $logicAppSp.Id `
    -ResourceId $graphSp.Id `
    -AppRoleId $role.Id

Write-Host "Permission assigned successfully to Logic App ${logicAppName}."
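A verification step worth running before the playbook fires, added here and not part of the readme: it reads back the app role assignments on the managed identity, confirms ThreatIntelligence.Read.All is among them, and flags any other Microsoft Graph permission the identity holds so it can be reviewed. It assumes the Microsoft.Graph module and the playbook name used above; the scope it requests is only for reading.

```powershell
# Added check, not part of the readme: confirm the managed identity now holds
# ThreatIntelligence.Read.All, and nothing more, on Microsoft Graph.
# Assumes the Microsoft.Graph module installed as in the commands above.
Connect-MgGraph -Scopes "Application.Read.All"

$logicAppName = 'MDTI-Automated-Triage'   # Change if different
$graphSp    = Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Graph'"
$logicAppSp = Get-MgServicePrincipal -Filter "displayName eq '$logicAppName'"
if (-not $logicAppSp) {
    throw "No service principal named '$logicAppName'; is the Logic App's system-assigned identity enabled?"
}

# Resolve each Graph app role the identity holds back to its permission name
$granted = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $logicAppSp.Id |
    Where-Object { $_.ResourceId -eq $graphSp.Id } |
    ForEach-Object {
        $assignment = $_
        ($graphSp.AppRoles | Where-Object { $_.Id -eq $assignment.AppRoleId }).Value
    }

if ($granted -contains 'ThreatIntelligence.Read.All') {
    Write-Host "OK: $logicAppName holds ThreatIntelligence.Read.All."
} else {
    Write-Warning "$logicAppName does not hold ThreatIntelligence.Read.All; the playbook's reputation lookups will fail."
}

# Least privilege: anything else listed here is a Graph permission the playbook does not need
$extra = $granted | Where-Object { $_ -ne 'ThreatIntelligence.Read.All' }
if ($extra) {
    Write-Warning "Additional Graph permissions on this identity: $($extra -join ', ')"
}
```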

2. Authorize Connections

After deployment, authorize all connections:

  1. Click the Microsoft Sentinel connection resource
  2. Click edit API connection
  3. Click Authorize
  4. Sign in
  5. Click Save.

Repeat these steps for all connections.

3. Assign Microsoft Sentinel Contributor Role to Playbook

This playbook uses a managed identity, which must have the Microsoft Sentinel Contributor role assigned in the Sentinel instances to enable adding comments.

  1. Select the Playbook resource.
  2. In the left menu, click Identity.
  3. Under Permissions, click Azure role assignments.
  4. Click Add role assignment (Preview).

[Content truncated...]
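The same role assignment done from Az PowerShell rather than the portal, as an added example that is not from the readme. It assumes the Az.Accounts, Az.Resources and Az.OperationalInsights modules, a Logic App whose system-assigned identity carries the playbook's name (as the Graph commands above rely on), and placeholder resource group and workspace names. The assignment is scoped to the Sentinel workspace, so the identity gains no rights anywhere else in the subscription.

```powershell
# Added example (not from the readme): grant the playbook's managed identity the
# Microsoft Sentinel Contributor role with Az PowerShell, scoped to the workspace.
# Resource group and workspace names below are placeholders.
Import-Module Az.Accounts, Az.Resources, Az.OperationalInsights
Connect-AzAccount

$logicAppName  = 'MDTI-Automated-Triage'        # Playbook (Logic App) name
$resourceGroup = '<sentinel-resource-group>'     # placeholder
$workspaceName = '<sentinel-workspace-name>'     # placeholder

# The system-assigned identity's service principal has the Logic App's display name.
$identity = @(Get-AzADServicePrincipal -DisplayName $logicAppName)
if ($identity.Count -ne 1) {
    throw "Expected exactly one service principal named '$logicAppName', found $($identity.Count)."
}
$workspace = Get-AzOperationalInsightsWorkspace -ResourceGroupName $resourceGroup -Name $workspaceName

# Scope the role to the workspace: that is where incident comments and severity
# changes happen, and the identity then reaches no other resource.
$roleName = 'Microsoft Sentinel Contributor'
$existing = Get-AzRoleAssignment -ObjectId $identity[0].Id -Scope $workspace.ResourceId -RoleDefinitionName $roleName
if ($existing) {
    Write-Host "$logicAppName already holds '$roleName' on $workspaceName."
} else {
    New-AzRoleAssignment -ObjectId $identity[0].Id -RoleDefinitionName $roleName -Scope $workspace.ResourceId
    Write-Host "Assigned '$roleName' to $logicAppName on $workspaceName."
}
```

Checking for an existing assignment first keeps the script idempotent, so it can be re-run after redeploying the playbook without producing a duplicate-assignment error.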
