Azure Sentinel News
  • Home
    • Home – Layout 1
    • Home – Layout 2
    • Home – Layout 3
  • Security and Compliance
  • SOC
  • Threat Intelligence
  • Security Ochestration & Automated Response
  • SOAR
  • Security Operations
  • Artificial Intelligence
No Result
View All Result
  • Home
    • Home – Layout 1
    • Home – Layout 2
    • Home – Layout 3
  • Security and Compliance
  • SOC
  • Threat Intelligence
  • Security Ochestration & Automated Response
  • SOAR
  • Security Operations
  • Artificial Intelligence
No Result
View All Result
Azure Sentinel News
No Result
View All Result
Home Security Operations

How to Query HaveIBeenPwned Using an Azure Sentinel Playbook

Azure Sentinel News Editor by Azure Sentinel News Editor
December 29, 2020
in Security Operations
0
With new release, CrowdStrike targets Google Cloud, Azure and container adopters
2.2kViews
800 Shares Share on Facebook Share on Twitter

I’ve known Troy Hunt for a number of years and his contributions to the security and privacy industry have been hugely valuable and much appreciated by the masses.

HaveIBeenPwned is a great resource developed and maintained by Troy. It provides the ability to query against its database to expose domains or user accounts that have been caught up in any of the number of reported industry data breaches. Wouldn’t it be nice, then, to have this data available for your Azure Sentinel investigations?

Fortunately, Troy provides an API for his service.

There’s quite a bit more that I’ll be working on for this solution – particularly parsing out details to include in the Incident – but initially I’ve provided an Azure Sentinel Playbook that takes email addresses associated with an Incident and submits them through the API and returns a quick note to the Comments tab in the Incident as to whether or not the email address (or addresses) has been compromised.

Whew! This account was not compromised…for now…

You can get the Playbook from GitHub here with full Deploy to Azure capability: https://github.com/rod-trent/SentinelPlaybooks/tree/master/HaveIBeenPwned-Email

NOTE: The HaveIBeenPwned API is not free. There’s a nominal $3.50 per month recurring fee to continue using it, but you can also just pay for a single month to determine if it’s valuable enough to continue using it. The single month usage is also a handy option if your organization has recently been breached and you need to determine which accounts are compromised. To get the API key, go here: https://haveibeenpwned.com/API/Key

Once you have your API key, you need to adjust the Playbook. The second step of the Playbook is where your API is recorded as a variable. Input your API key in the Value field.

Enter your own API key

Also, don’t forget to jump through each step to make sure you’ve made the proper connections. And, please…don’t forget to expand out the For each loop and locate each connection in there. I don’t know about you, but that one always gets me.

Make all the connections

So, I’ve provided the logic all packaged together. You simply deploy it, connect your accounts, obtain and input your API and you’re off and running. But I hope you take the time to look through the logic. There’s some good lessons here for how to utilize variables to create your dynamic content.

Reference: https://azurecloudai.blog/2020/08/24/how-to-query-haveibeenpwned-using-an-azure-sentinel-playbook/

Azure Sentinel News Editor

Azure Sentinel News Editor

Related Posts

What’s new: Microsoft Teams connector in Public Preview
Security Operations

AMA for Azure Sentinel on the Microsoft Security Insights Podcast and Twitch Stream

January 25, 2021
What’s new: Microsoft Teams connector in Public Preview
Security Operations

How to Setup a Managed Identity for the Azure Sentinel Logic App Connector

January 21, 2021
Microsoft suspends 18 Azure accounts tied to China-based hackers
Security Operations

Azure Sentinel Daily Task: Hunting Queries and Bookmarks

January 1, 2021
Next Post
Microsoft’s newest sustainable datacenter region coming to Arizona in 2021

How to Keep Track of Your Higher Cost Azure Sentinel Tables Using KQL

Microsoft is quietly becoming a cybersecurity powerhouse

How to Prohibit an Azure Sentinel Analyst from Editing a Playbook

Microsoft suspends 18 Azure accounts tied to China-based hackers

Building the Azure Sentinel Toolbox: MyEventLog

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Follow Us

  • 21.8M Fans
  • 81 Followers

Recommended

Making Security More Intelligent, Microsoft Releases Azure Sentinel

Advancing Azure service quality with artificial intelligence: AIOps

3 months ago
Security Unlocked—A new podcast exploring the people and AI that power Microsoft Security solutions

Security Unlocked—A new podcast exploring the people and AI that power Microsoft Security solutions

3 months ago
New analytics to help Azure-based Sentinel identify threats

Microsoft Fixed an Azure Security Vulnerability before Researchers Could Report It

3 months ago
Open Systems Augments its Cybersecurity Capabilities With Acquisition of Leading Microsoft Azure Sentinel Expert

Hunting Threats on Linux with Azure Sentinel

3 months ago

Instagram

    Please install/update and activate JNews Instagram plugin.

Categories

  • AI & ML
  • Artificial Intelligence
  • Incident Response
  • IR
  • KQL
  • Security and Compliance
  • Security Ochestration & Automated Response
  • Security Operations
  • SIEM
  • SOAR
  • SOC
  • Threat Intelligence
  • Uncategorized

Topics

anomaly automation Azure Azure DevOps Azure Security Center Azure Sentinel Azure Sentinel API Azure Sentinel Connector BlueVoyant Call cybersecurity Detection file GitHub Hunting Huntingy IAC incident response Incident Triage infrastructure as code Investigation jupyter LAQueryLogs MDR Microsoft microsoft 365 mssp Multitenancy Notebooks Pester Playbooks PowerShell python Records Security Sentinel Sharing SIEM signin Supply Chain teams Threat hunting Watchlists Workbooks XDR
No Result
View All Result

Highlights

The Holy Grail of Azure Sentinel Data Connections: The Azure Service Diagnostic Setting

New Items of Note on the Azure Sentinel GitHub Repo

Tuning the MCAS Analytics Rule for Azure Sentinel: System Alerts and Feature Deprecation

New Search Capability for Azure Sentinel Incidents

Follow-up: Microsoft Tech Talks Practical Sentinel : A Day in the Life of a Sentinel Analyst

Changes in How Running Hunting Queries Works in Azure Sentinel

Trending

What’s new: Microsoft Teams connector in Public Preview
AI & ML

Azure Sentinel Weekly Newsletter

by Azure Sentinel News Editor
March 1, 2021
0

I’ve sensed this for a while now, but a few days ago it really hit me —...

What’s new: Microsoft Teams connector in Public Preview

How to Generate Azure Sentinel Incidents for Testing

February 26, 2021
What’s new: Microsoft Teams connector in Public Preview

Azure Sentinel Notebooks Loses It’s Preview Tag

February 25, 2021
Microsoft’s newest sustainable datacenter region coming to Arizona in 2021

The Holy Grail of Azure Sentinel Data Connections: The Azure Service Diagnostic Setting

February 22, 2021
Microsoft’s newest sustainable datacenter region coming to Arizona in 2021

New Items of Note on the Azure Sentinel GitHub Repo

February 18, 2021

We bring you the best, latest and perfect Azure Sentinel News, Magazine, Personal Blogs, etc. Visit our landing page to see all features & demos.
LEARN MORE »

Recent News

  • Azure Sentinel Weekly Newsletter March 1, 2021
  • How to Generate Azure Sentinel Incidents for Testing February 26, 2021
  • Azure Sentinel Notebooks Loses It’s Preview Tag February 25, 2021

Categories

  • AI & ML
  • Artificial Intelligence
  • Incident Response
  • IR
  • KQL
  • Security and Compliance
  • Security Ochestration & Automated Response
  • Security Operations
  • SIEM
  • SOAR
  • SOC
  • Threat Intelligence
  • Uncategorized

[mc4wp_form]

Copyright © 2020 - Azure Sentinel News

No Result
View All Result
  • Home
  • Security and Compliance
  • SOC
  • Threat Intelligence
  • Security Ochestration & Automated Response
  • SOAR
  • Security Operations
  • Artificial Intelligence

Copyright © 2020 Azure Sentinel News