This playbook uses the MDTI Cookies data to automatically enrich incidents generated by Microsoft Sentinel. Use it to enrich your incidents with the cookie data that MDTI has associated with the indicators found within the incident. These values sometimes contain state for the application or small pieces of tracking data. Defender TI highlights and indexes cookie names observed when crawling a website and a
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | Microsoft Defender Threat Intelligence |
| Source | View on GitHub |
📄 Source: MDTI-Data-Cookies/readme.md
This playbook uses the Microsoft Defender Threat Intelligence Cookies data set to automatically enrich Microsoft Sentinel incidents. It extracts Host and IP entities from new incidents and queries the MDTI Cookies data (dataset reference) to identify cookie names observed for the related infrastructure. The playbook then adds formatted comments to the incident summarizing any cookies discovered so analysts can quickly pivot for deeper investigation. Cookies can contain application state, tracking identifiers, or values abused by adversaries for persistence or victim correlation.
| Name | Description | Default |
|---|---|---|
| PlaybookName | Name of the Logic App (playbook) | MDTI-Data-Cookies |
| MDTI-BaseUrl | MDTI Graph API base URL (must start with https://) | https://graph.microsoft.com |
| Api-Version | MDTI Graph API version | v1.0 |
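To make the enrichment flow described above concrete, here is an added PowerShell example; it is not the playbook's own code or part of the solution. It takes a constructed list of Host and IP entities, queries the MDTI cookies endpoint through the Graph SDK using the MDTI-BaseUrl and Api-Version values from the table, treats a 404 as "host not indexed" rather than as a failure, follows paging, and renders the markdown comment the playbook would attach. The sample indicators, the `-SkipHttpErrorCheck`/`-StatusCodeVariable` switches of `Invoke-MgGraphRequest`, the hostCookie field names (name, domain, firstSeenDateTime, lastSeenDateTime) and the optional `New-AzSentinelIncidentComment` call are assumptions about the SDK and the API, not statements taken from this page.

```powershell
# Added example, not the playbook's own code: reproduce its enrichment step interactively.
# Assumes the Microsoft.Graph PowerShell SDK and a signed-in identity holding ThreatIntelligence.Read.All.
Import-Module Microsoft.Graph.Authentication

# Same values as the playbook's MDTI-BaseUrl and Api-Version parameters.
$MdtiBaseUrl = 'https://graph.microsoft.com'
$ApiVersion  = 'v1.0'

# Constructed stand-in for the Host and IP entities the playbook reads from an incident (not real incident data).
$IncidentEntities = @(
    @{ Kind = 'Host'; Value = 'example.com' }
    @{ Kind = 'Ip';   Value = '203.0.113.10' }
)

function Get-MdtiHostCookies {
    param([Parameter(Mandatory)][string]$Indicator)
    # The MDTI hosts resource accepts a hostname or an IP address as its id (assumption: Graph v1.0 hostCookie schema).
    $uri = "$MdtiBaseUrl/$ApiVersion/security/threatIntelligence/hosts/$([uri]::EscapeDataString($Indicator))/cookies"
    $cookies = @()
    do {
        # -SkipHttpErrorCheck / -StatusCodeVariable (assumed SDK switches) let us branch on the status code
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject -SkipHttpErrorCheck -StatusCodeVariable status
        switch ($status) {
            200 { }
            404 { return @() }   # host not indexed by MDTI: no data, not an error
            403 { throw "403 for $Indicator - the caller lacks ThreatIntelligence.Read.All (see the permission step)" }
            default { throw "Unexpected HTTP $status for $uri" }
        }
        $cookies += $page.value
        $uri = $page.'@odata.nextLink'   # follow server-side paging until exhausted
    } while ($uri)
    return $cookies
}

function Format-CookieComment {
    param([Parameter(Mandatory)][System.Collections.IDictionary]$Results)   # indicator -> cookie objects
    $lines = @('**MDTI Cookies enrichment**', '')
    foreach ($indicator in $Results.Keys) {
        $cookies = @($Results[$indicator])
        if ($cookies.Count -eq 0) {
            $lines += "- ``$indicator``: no cookies indexed by MDTI"
            continue
        }
        $lines += "- ``$indicator``: $($cookies.Count) cookie name(s), newest first (capped at 25 to keep the comment readable)"
        $lines += ''
        $lines += '| Cookie | Domain | First seen | Last seen |'
        $lines += '|---|---|---|---|'
        foreach ($c in ($cookies | Sort-Object lastSeenDateTime -Descending | Select-Object -First 25)) {
            # Cookie names come from third-party web content: escape pipes so a crafted name cannot break the table
            $name = $c.name -replace '\|', '\|'
            $lines += "| $name | $($c.domain) | $($c.firstSeenDateTime) | $($c.lastSeenDateTime) |"
        }
        $lines += ''
    }
    return ($lines -join "`n")
}

# Interactive sign-in with the delegated scope; the playbook itself uses its managed identity instead.
Connect-MgGraph -Scopes 'ThreatIntelligence.Read.All' -NoWelcome
$results = [ordered]@{}
foreach ($entity in $IncidentEntities) {
    $results[$entity.Value] = Get-MdtiHostCookies -Indicator $entity.Value
}
$comment = Format-CookieComment -Results $results
$comment

# To post the comment to an incident as the playbook does (assumes Az.SecurityInsights; identifiers are placeholders):
# New-AzSentinelIncidentComment -ResourceGroupName 'rg-sentinel' -WorkspaceName 'law-sentinel' -IncidentId $incidentId -Message $comment
```

Two behaviours are worth carrying over into the Logic App itself: a 404 from the hosts endpoint means MDTI simply has no crawl data for that indicator and should produce a "no cookies indexed" line rather than a failed run, and cookie names are attacker-controlled strings from crawled web content, so they are escaped and the list is capped before being written into a markdown comment that analysts will read.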
1. Assign Microsoft Graph Permission to Playbook
To allow the playbook to query Microsoft Defender Threat Intelligence data, grant the playbook's managed identity the ThreatIntelligence.Read.All application permission in Microsoft Graph. The script below must be run by an administrator who can consent to application permissions; it signs in with the delegated scopes needed to read service principals and write app role assignments, since the managed identity cannot grant itself permissions. Replace 'MDTI-Data-Cookies' with your playbook's name if different:
```powershell
# Install the Microsoft Graph PowerShell SDK; only the Applications submodule is needed for these cmdlets
Install-Module Microsoft.Graph.Applications -Scope CurrentUser -AllowClobber -Force
Import-Module Microsoft.Graph.Applications

# Authenticate as an administrator (not as the playbook's managed identity, which cannot assign roles to itself)
Connect-MgGraph -Scopes 'Application.Read.All','AppRoleAssignment.ReadWrite.All'

# Retrieve the Microsoft Graph service principal by its well-known appId (unambiguous, unlike displayName)
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

# Find the ThreatIntelligence.Read.All application role
$role = $graphSp.AppRoles | Where-Object { $_.Value -eq 'ThreatIntelligence.Read.All' -and $_.AllowedMemberTypes -contains 'Application' }
if (-not $role) { throw 'ThreatIntelligence.Read.All app role not found on the Microsoft Graph service principal' }

# Define the Logic App name (update if different); the managed identity's service principal shares its display name
$logicAppName = 'MDTI-Data-Cookies'
$logicAppSp = @(Get-MgServicePrincipal -Filter "displayName eq '$logicAppName'")
if ($logicAppSp.Count -ne 1) { throw "Expected exactly one service principal named '$logicAppName', found $($logicAppSp.Count)" }
$logicAppSp = $logicAppSp[0]

# Assign the ThreatIntelligence.Read.All role to the Logic App's managed identity
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $logicAppSp.Id `
    -PrincipalId $logicAppSp.Id `
    -ResourceId $graphSp.Id `
    -AppRoleId $role.Id | Out-Null

# Confirm the role assignment by reading it back rather than assuming success
$assigned = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $logicAppSp.Id | Where-Object { $_.AppRoleId -eq $role.Id }
if (-not $assigned) { throw "Role assignment for ${logicAppName} not found after creation" }
Write-Host "Permission assigned successfully to Logic App ${logicAppName}."
```
2. Authorize Connections
After deployment, authorize all connections:
3. Assign Microsoft Sentinel Responder Role to Playbook
This playbook uses a managed identity, which must be assigned the Microsoft Sentinel Responder role on each Microsoft Sentinel workspace whose incidents it will enrich, so that it can add comments to those incidents.
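As an added example that is not part of the playbook's documentation, the following PowerShell grants the playbook's system-assigned identity the Microsoft Sentinel Responder role scoped to a single workspace and then reads the assignment back. It assumes the Az.Accounts, Az.Resources and Az.OperationalInsights modules; the resource group and workspace names are placeholders.

```powershell
# Added example, not from the playbook's documentation: grant the playbook's system-assigned identity
# Microsoft Sentinel Responder at workspace scope and read the assignment back.
# Assumes Az.Accounts, Az.Resources and Az.OperationalInsights; resource names are placeholders.
Import-Module Az.Accounts, Az.Resources, Az.OperationalInsights
Connect-AzAccount | Out-Null

$ResourceGroup = 'rg-sentinel'      # placeholder
$WorkspaceName = 'law-sentinel'     # placeholder
$PlaybookName  = 'MDTI-Data-Cookies'
$RoleName      = 'Microsoft Sentinel Responder'

# The system-assigned identity's object id is exposed on the Logic App resource itself
$logicApp = Get-AzResource -ResourceGroupName $ResourceGroup -ResourceType 'Microsoft.Logic/workflows' -Name $PlaybookName
$principalId = $logicApp.Identity.PrincipalId
if (-not $principalId) { throw "Logic App '$PlaybookName' has no system-assigned managed identity; enable it before assigning roles." }

# Scope the assignment to the workspace, not the subscription or resource group: Responder can modify any
# incident in scope, so the narrowest scope that still covers the incidents the playbook comments on is the right one
$workspace = Get-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroup -Name $WorkspaceName
$scope = $workspace.ResourceId

$existing = Get-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName $RoleName -Scope $scope -ErrorAction SilentlyContinue
if ($existing) {
    Write-Host "$RoleName already assigned to $PlaybookName at $scope"
} else {
    # A freshly enabled identity can take a minute to replicate; a 'PrincipalNotFound' error here means retry, not misconfiguration
    New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName $RoleName -Scope $scope | Out-Null
    Write-Host "$RoleName assigned to $PlaybookName at $scope"
}

# Review everything this identity holds: only the Responder role, and only at workspace scope, is expected
Get-AzRoleAssignment -ObjectId $principalId | Select-Object RoleDefinitionName, Scope
```

The final listing is the check worth keeping: if the identity shows any role beyond Responder, or Responder at subscription or resource-group scope, the playbook can modify incidents it was never meant to touch.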