Automate your Sentinel incident triage

Thank you VirusTotal-bot! I’ll happily take that scan report off your hands.

Introduction

Once a security incident is raised, and triage begins, our security analysts often take very similar steps during their investigations.

Let your SIEM SOAR like an eagle

When you read or listen to talks about Microsoft Sentinel, the term “SOAR” has most likely come up a couple of times. But what is SOAR?

A different kind of soar

VirusTotal

One example of a common repetitive task is copying and pasting evidence around, like when checking the reputation of a URL, file and/or IP address. A very popular service for this is VirusTotal, a website created by the Spanish security company Hispasec Sistemas and launched in 2004. Its ownership passed to Google in 2012.

VirusTotal’s homepage, which lets you upload and search for file hashes, URLs and IP addresses

Create a playbook

Before we can define our automation steps in Sentinel, we need to have created a playbook first.

Make sure you use the correct trigger!
The two different triggers available for Microsoft Sentinel
General overview of how the VirusTotal enrichment of incidents can look like
  1. Next, it will loop through all IP addresses and file hashes in parallel (there might be more than one entity of each kind).
  2. Looking up IP addresses is a bit simpler than file hashes so I only had to put a VirusTotal step here and an “Add comment to incident” step, which will add the output from the scan to the incident. More on this later…
    Once you add a VirusTotal step for the first time, it will ask you for your API key. Follow these steps on the VirusTotal website to get started.
  3. With file hashes I had to implement an extra step. With Microsoft security products, like Defender for Endpoint, you generally are provided with both the SHA1 and SHA256 hashes of the files related to the incident. This means that the VirusTotal lookup will be running twice for every file, and you’ll end up with duplicate reports in your incident.
    To work around this, I’ve created an array variable right before the loop starts. The scan step will still be performed twice, but before the report is added to the incident there is a check whether this array variable already contains the report or not. If it does not, the comment is added to the incident in Sentinel and the contents of the report are appended to the variable. For the second lookup of the same file this step is skipped. Thanks to Jesper Keijzer for this tip!
The variable ‘reported_ids’ is used to determine if a scan report was already made for a particular file hash

Save the report in your incident

The results from the VirusTotal scan are saved as a comment on the incident in Sentinel. For this step we can even use an HTML-formatted message to make it look nice as well.

Example VirusTotal report as a comment inside the Sentinel incident
Example of an HTML-formatted comment. Keep in mind that JSON needs some escaping for special characters
The HTML-formatted comment from the code view might look awkward in the workflow editor

Construct your comments in html dynamically

Constructing HTML inside the code view of a playbook can be a bit cumbersome as well. And because the code definition of a playbook is JSON, you need to be careful with escape characters for some special characters. Lastly, the message value has to be one single string.

Example of an if() statement used to dynamically construct the comment message
# Read the HTML template as one string, strip the line breaks so the message becomes a single line, and JSON-escape it for the playbook code view
$jsonString = (Get-Content ./logicapp-enrich-incident-virustotal-filehash-comment.html -Raw) -replace "`r`n" | ConvertTo-Json
Write-Host $jsonString
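The following PowerShell is an added example (not code from the article or from its GitHub repository). It models, outside of Logic Apps, the two playbook details discussed above: the ‘reported_ids’ array that suppresses the duplicate report when both the SHA1 and the SHA256 of the same file are looked up, and the dynamic if()-style construction of the HTML comment followed by the JSON escaping needed for the code view. The three reports are constructed sample data shaped like a VirusTotal API v3 file report (data.id, data.attributes.last_analysis_stats); the hashes and file names are made up, and the function name New-VirusTotalComment is my own.

```powershell
# Added example, not from the article. Constructed VirusTotal v3-style file reports:
# the first two are what a SHA256 lookup and a SHA1 lookup of the same file return
# (identical data.id), the third is a second, clean file.
$sampleReports = @'
[
  {"data":{"id":"aaaa1111","type":"file","attributes":{"meaningful_name":"invoice.exe","sha1":"bbbb2222","sha256":"aaaa1111",
    "last_analysis_stats":{"harmless":0,"malicious":41,"suspicious":2,"undetected":19,"timeout":0}}}},
  {"data":{"id":"aaaa1111","type":"file","attributes":{"meaningful_name":"invoice.exe","sha1":"bbbb2222","sha256":"aaaa1111",
    "last_analysis_stats":{"harmless":0,"malicious":41,"suspicious":2,"undetected":19,"timeout":0}}}},
  {"data":{"id":"cccc3333","type":"file","attributes":{"meaningful_name":"notepad.exe","sha1":"dddd4444","sha256":"cccc3333",
    "last_analysis_stats":{"harmless":0,"malicious":0,"suspicious":0,"undetected":62,"timeout":0}}}}
]
'@ | ConvertFrom-Json

function New-VirusTotalComment {
    # Builds the HTML comment for one report (hypothetical helper, assumed VT v3 shape).
    param([Parameter(Mandatory)] $Report)
    $a = $Report.data.attributes
    $s = $a.last_analysis_stats
    # Same idea as the playbook's if(): colour the verdict by the malicious count.
    $verdict = if ($s.malicious -gt 0) { '<b style="color:red">Malicious</b>' } else { '<b style="color:green">Clean</b>' }
    @"
<h3>VirusTotal file report</h3>
<p>Verdict: $verdict ($($s.malicious) malicious, $($s.suspicious) suspicious, $($s.undetected) undetected)</p>
<ul>
  <li>Name: $($a.meaningful_name)</li>
  <li>SHA256: $($a.sha256)</li>
  <li>SHA1: $($a.sha1)</li>
  <li>Link: https://www.virustotal.com/gui/file/$($Report.data.id)</li>
</ul>
"@
}

# The playbook's 'reported_ids' array variable, initialised before the loop.
$reportedIds = @()
$comments = foreach ($report in $sampleReports) {
    # Second lookup of a file already reported: skip the "Add comment" step.
    if ($reportedIds -contains $report.data.id) { continue }
    $reportedIds += $report.data.id
    New-VirusTotalComment -Report $report
}

# Three lookups, but only two comments: the SHA1/SHA256 pair collapses into one.
"$($comments.Count) comment(s) for $($sampleReports.Count) lookups"

# Same transformation as the one-liner above: drop line breaks and JSON-escape,
# which yields the single string that goes into the 'message' value in the code view.
foreach ($c in $comments) { ($c -replace "`r`n|`n") | ConvertTo-Json }
```

In the real playbook the `-contains` check is the condition action on the loop, the `+=` is the “Append to array variable” step, and each returned string is the input of the “Add comment to incident” step; the script just makes the ordering of those steps visible without needing a Logic App to run.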

On my GitHub page you’ll find all examples mentioned in this article, ready to import and experiment with yourself.

Sentinel automation rules

To automatically trigger your newly created playbook, you need to create an automation rule in Sentinel. For this you’ll need to open the “Automation” blade → “Create” → “Automation rule”:

In this example all incidents created by Defender for Endpoint will trigger a ‘Run playbook’ action (because those most likely contain file hashes and IP addresses), and a tag ‘enriched’ will be added to the incident as well
By making sure your automation tasks add tags, these incidents are easier to spot

Conclusion

I hope this article gave a clear understanding of how Sentinel automation and Logic Apps playbooks can help your security team be more efficient, and that it sparked enough interest to get started and to try out other integrations as well.
