Playbooks & Watchlists Part 2: Automate incident response for Deny-list/Allow-list

by Azure Sentinel News Editor
November 12, 2020
in Incident Response, Security Orchestration & Automated Response, SOAR

Great thanks to @Julian Gonzalez for working together on the playbook templates!

In the previous article, Playbooks & Watchlists Part 1: Inform the subscription owner, I presented one scenario for using Watchlists in Playbooks. I also presented some best practices: how to query a watchlist using the Azure Monitor Logs connector, and how to use the output data.

In this blog post I'll present another interesting use case and some new ways to work with Watchlist data.

Allow-listing is a strategy for allowing certain identities or sources to access sensitive resources, or for excluding them from security protections. An example of such a scenario is a set of IP addresses that might trigger new alerts but are known to the SOC as coming from approved sources. When a new alert contains only approved IPs as its entities, we might want to save the analysts' time and auto-close the incident.

Of course, more steps and actions can be added to this playbook to cover whatever else the SOC does in this case. The same practice can also be adopted for Deny-list scenarios.

Quick access to the playbook in the Azure Sentinel GitHub repository

This blogpost includes:

  • Solution summary
  • Prerequisites
  • Playbook steps explained
  • Setup instructions
    • Create and upload your watchlist
    • ARM Template deployment
    • Playbook configurations
    • Set automated response
  • Documentation reference

Solution summary

  • An Azure Sentinel Watchlist lists all approved IP addresses.
  • The Watchlist-CloseIncidentKnownIPs playbook is attached to an analytic rule that attaches IPs to the resulting alerts.
  • Every time a new alert of this analytic rule is created, the playbook is triggered, receiving the alert (with the entities it contains) as its input.
  • For each IP entity in this alert, the playbook queries whether the Watchlist includes it.
    • If the IP is in the Watchlist, it is added to the "Safe IPs" array.
    • Otherwise, it is added to the "Not Safe IPs" array.
  • An informative HTML comment is written to the incident that contains this alert, listing the IPs in each category.
  • If all IPs were found safe, the incident is closed with the Benign Positive classification reason.

Prerequisites

A user or registered application with Azure Sentinel Contributor role to be used with the Azure Sentinel connector to Logic Apps.

Playbook steps explained

When a response to an Azure Sentinel alert is triggered

An Azure Sentinel alert was created. The playbook receives the alert as its input.

Initialize variables

This action stores values to be used later in the playbook:

  • Watchlist name is a variable of type string; it will be used in the Log Analytics query.
  • Safe/Not Safe IPs are variables of type array; they will be used to store the IPs found in each category.

Entities – Get IPs

This action takes all the entities found in the alert and returns only the IPs, with their specific fields ready to be used as dynamic values in later actions.

For Each IP

Iterates over the IPs found in this alert and performs the following for each one:

  • Run query and list results – Get Watchlist
    In this step we ask Log Analytics (Azure Monitor Logs connector) to get the items of the Watchlist. Subscription, Resource Group and Resource Name are the details of the Azure Sentinel workspace where the watchlist is located.
    I used the following query:
    _GetWatchlist(@{variables('WatchlistName')})
    | extend IpAddress = tostring(parse_json(WatchlistItem).IpAddress)
    | where IpAddress == "@{items('For_each')?['Address']}"
  • Condition
    In this step I check the length of the response array from the query, using the Logic Apps expression length(collection). If it is greater than 0, we have found the IP in the watchlist.
    Therefore, we add this IP to the Safe array; otherwise, to the Not Safe array.

Add a comment to the incident
In this step we record the information collected so far: a list of safe IPs found in the Watchlist, alongside a list of unknown IPs.

Condition

Finally, we want to check whether any IP was found to be not safe. This step checks if our "Not Safe" array is empty. If so, we close the incident.

Change Incident Status
Closes the incident with the Benign Positive classification reason.
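The decision logic of the Solution summary and the Playbook steps above, written out as an added example (not the page's own playbook code, which is a Logic App): the watchlist CSV, the IP-only entity filter, the Safe/Not Safe split, the incident comment and the close decision. The CSV contents, the alert entity layout and the function names are constructed assumptions.

```python
import csv
import html
import io
import ipaddress

# Constructed sample watchlist CSV, shaped like the one-column table uploaded in
# the "Create and upload your watchlist" step (not the page's own data).
WATCHLIST_CSV = """IpAddress
203.0.113.10
203.0.113.11
198.51.100.5
"""

# Constructed sample alert entities; the kind/properties layout is an assumption
# standing in for the alert the trigger hands to the playbook.
ALERT_ENTITIES = [
    {"kind": "Ip", "properties": {"address": "203.0.113.10"}},
    {"kind": "Account", "properties": {"accountName": "jdoe"}},
    {"kind": "Ip", "properties": {"address": "192.0.2.77"}},
]

def load_watchlist(csv_text):
    """Stand-in for _GetWatchlist: the set of approved addresses from the CSV."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {ipaddress.ip_address(r["IpAddress"].strip()) for r in rows if r["IpAddress"].strip()}

def get_ips(entities):
    """Stand-in for 'Entities - Get IPs': keep only IP entities, exposing Address."""
    return [{"Address": e["properties"]["address"]} for e in entities if e.get("kind") == "Ip"]

def classify_ips(ip_entities, approved):
    """'For Each IP' loop plus its Condition: split into Safe and Not Safe arrays."""
    safe, not_safe = [], []
    for item in ip_entities:
        addr = ipaddress.ip_address(item["Address"])  # rejects malformed entities early
        (safe if addr in approved else not_safe).append(str(addr))
    return safe, not_safe

def build_comment(safe, not_safe):
    """The HTML comment written to the incident; values are escaped before embedding."""
    def fmt(ips):
        return ", ".join(html.escape(ip) for ip in ips) or "none"
    return f"<p><b>Safe IPs:</b> {fmt(safe)}</p><p><b>Not Safe IPs:</b> {fmt(not_safe)}</p>"

def should_close(not_safe):
    """Final Condition: close as Benign Positive only when no unknown IP remains."""
    return len(not_safe) == 0
```

Note that a single unknown IP keeps the incident open; only an alert whose IP entities are all on the watchlist is auto-closed.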

Setup instructions

Create and upload your watchlist

  1. Create your input CSV table
    In this use case I created a simple table, where each row represents an IP address.
    I created the table using Office 365 Excel, and then saved it as a CSV file (Save As).
  2. Upload your table
    1. In Azure Sentinel, go to Watchlists.
    2. Click on Add new.
    3. Fill in the required details.
      Note that the Alias will be used to query this watchlist in the playbook query step.
    4. Add the CSV file.
    5. Review and create.

Playbook deployment instructions


  1. Open the link to the playbook. Scroll down on the page and click on the "Deploy to Azure" or "Deploy to Azure Gov" button, depending on your need.
  2. Fill in the parameters:
    1. Basics
      Fill in the subscription, resource group and location of the Sentinel workspace.
    2. Settings
      1. Playbook name – this is how you'll find the playbook in your subscription.
      2. User name (affects the names of the API connection resources).
  3. Accept the terms and conditions and click Purchase.
  4. The ARM template, which contains the Logic App workflow (playbook) and the API connections, is now deploying to Azure. When it finishes, you will be taken to the Azure ARM Template summary page.
  5. Click on the Logic App name. You will be taken to the Logic App resource of this playbook.

Confirm API connections

On the left menu, click on API connections.
For each product being used in this playbook, click on the connection name – in our case, it is only the Azure Sentinel connection.
Click on Authorize to log in with your user, and don’t forget to save.

Documentation Reference

  • Azure Sentinel Logic Apps connector