Microsoft's strategy for allowing integration with security entities and incidents is through the use of Playbooks (Logic Apps). Any engineers who have been involved in complex automation will prefer to script instead of using workflows. The only form of automation avalable for use within the console of Sentinel are Playbooks.
A simple way to get around this limitation is by using Playbooks to pass incident or entity information directly to Azure functions by using event hubs. Event hubs are supported as triggers for function apps so when a message is delivered, a function app can act as an orchestrator in grabbing the message, inspecting the data and depending on what's in the message, forward the message to one or many different functions for actioning.
The Playbook / Logic App below is designed to be used with automated event enrichment. The workflow has a very small number of elements
The first trigger is the default for 'Microsoft Sentinel Incidents' which will allow the Playbook to be used within the Sentinel portal when selecting actions for Incidents.
My Playbook has two variables created before sending data to an Event Hub. The first variable is to set the name of the action I want to be performed with this Playbook. I create it as a distinct variable because I'll use this Playbook as a template for many different actions and I want to keep the creation of new Playbooks as simple as possible for Security Analysts.
This 'Action' property will be read by my Function App orchestrator when deciding what to do with the Incident.
The second variable is just a string that brings my action variable together with the Incident data that invoked the Playbook as a single JSON object.
My final step is to take the produced JSON, convert it to base64 to get a single string and write it to my Event Hub. My Orchestrator function app can be triggered the moment the request arrives and by decoding the base64 string, it's able to identify the request action and pass the full Incident data to whatever series of actions I want to enrich an incident.
{
"Request": "Enrich-Incident",
"Body": {
"eventUniqueId": "afcf88d4-1608-4702-abb2-efdc559523d2",
"objectSchemaType": "Incident",
"objectEventType": "Create",
"workspaceInfo": {
"SubscriptionId": "360042d9-0000-1a00-0000-64f6554a0000",
"ResourceGroupName": "rg-sentinel",
"WorkspaceName": "mysentinel"
},
"workspaceId": "afcf88d4-1608-4702-abb2-efdc559523d2",
"object": {
"id": "/subscriptions/360042d9-0000-1a00-0000-64f6554a0000/resourceGroups/rg-sentinel/providers/Microsoft.OperationalInsights/workspaces/mysentinel/providers/Microsoft.SecurityInsights/Incidents/e8065513-c580-4c20-9202-2d25592845fc",
"name": "e8065513-c580-4c20-9202-2d25592845fc",
"type": "Microsoft.SecurityInsights/Incidents",
"properties": {
"title": "Test 13",
"description": "Description",
"severity": "Medium",
"status": "New",
"owner": {
"objectId": null,
"email": null,
"assignedTo": null,
"userPrincipalName": null
},
"labels": [],
"firstActivityTimeUtc": "2023-09-04T22:08:06.868Z",
"lastActivityTimeUtc": "2023-09-04T22:08:06.868Z",
"lastModifiedTimeUtc": "2023-09-04T22:08:09.1101544Z",
"createdTimeUtc": "2023-09-04T22:08:09.1101544Z",
"incidentNumber": 160,
"additionalData": {
"alertsCount": 0,
"bookmarksCount": 0,
"commentsCount": 0,
"alertProductNames": [],
"tactics": [],
"techniques": []
},
"relatedAnalyticRuleIds": [],
"incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/360042d9-0000-1a00-0000-64f6554a0000/resourceGroups/rg-sentinel/providers/Microsoft.OperationalInsights/workspaces/mysentinel/providers/Microsoft.SecurityInsights/Incidents/e8065513-c580-4c20-9202-2d25592845fc",
"providerName": "Azure Sentinel",
"providerIncidentId": "160",
"alerts": [],
"bookmarks": [],
"relatedEntities": [],
"comments": []
}
}
}
}
- Log in to post comments