Microsoft Azure Sentinel 101: Automatically add TLP (Traffic Light Protocol) to Incidents with logic apps/playbooks and automation by query tagging.

Truvis Thornton
5 min read · Jun 13, 2024


Depending on your environment, you may need to TLP-tag all of your content, and this walkthrough is one good way to do it. I’ll only cover one approach: a logic app that can be run as a playbook, either through an automation rule or per alert.

If you want to try another route using automation only, check out the post below, where we did the same thing without a logic app.

Analytics Rule

When creating the rule, we tag it with a TLP extend statement, which defines the TLP that incidents from this rule are required to carry.

Logic App

The first step is building out our logic app. Below are the basics: we create and set up our templates, then retrieve the content from the alert.

We create a new variable for each of the templates we are going to use:

<div style="background-color: #000;border-left: 3px solid #f44336;"><p style="padding: 5px">🚦 <strong style="color:#FF2B2B">TLP:RED - Not for disclosure, restricted to participants only</strong></p></div><p style="padding:3px;border:1px solid #f44336;background-color:#fefefe">Sources may use TLP:RED when information cannot be effectively acted upon without significant risk for the privacy, reputation, or operations of the organizations involved. For the eyes and ears of individual recipients only, no further.
<br>
Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.</p>

<div style="background-color: #000;border-left: 3px solid #FFC000;"><p style="padding: 5px">🚦 <strong style="color:#FFC000">TLP:AMBER+STRICT - Limited disclosure, restricted to participants’ organization</strong></p></div><p style="padding:3px;border:1px solid #FFC000;background-color:#fefefe">Sources may use TLP:AMBER+STRICT when information requires support to be effectively acted upon, yet carries risk to privacy, reputation, or operations if shared outside of the organization.
<br>
Recipients may share TLP:AMBER+STRICT information only with members of their own organization on a need-to-know basis to protect their organization and prevent further harm.
</p>

<div style="background-color: #000;border-left: 3px solid #FFC000;"><p style="padding: 5px">🚦 <strong style="color:#FFC000">TLP:AMBER - Limited disclosure, restricted to participants’ organization and its clients (see Terminology Definitions).</strong></p></div><p style="padding:3px;border:1px solid #FFC000;background-color:#fefefe">Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risk to privacy, reputation, or operations if shared outside of the organizations involved. Note that TLP:AMBER+STRICT should be used to restrict sharing to the recipient organization only.
<br>
Recipients may share TLP:AMBER information with members of their own organization and its clients on a need-to-know basis to protect their organization and its clients and prevent further harm.
</p>

<div style="background-color: #000;border-left: 3px solid #33FF00;"><p style="padding: 5px">🚦 <strong style="color:#33FF00">TLP:GREEN - Limited disclosure, restricted to the community.</strong></p></div><p style="padding:3px;border:1px solid #33FF00;background-color:#fefefe">Sources may use TLP:GREEN when information is useful to increase awareness within their wider community.
<br>
Recipients may share TLP:GREEN information with peers and partner organizations within their community, but not via publicly accessible channels. Unless otherwise specified, TLP:GREEN information may not be shared outside of the cybersecurity or cyber defense community.
</p>

<div style="background-color: #000;border-left: 3px solid #FFFFFF;"><p style="padding: 5px">🚦 <strong style="color:#FFFFFF">TLP:CLEAR - Disclosure is not limited.</strong></p></div><p style="padding:3px;border:1px solid #FFFFFF;background-color:#fefefe">
Sources may use TLP:CLEAR when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release.
<br>
Recipients may share this information without restriction. Information is subject to standard copyright rules.
</p>

From there, we get the alert(s) that have our custom

We use this expression to strip the JSON array brackets and quotes from the custom detail, so the value can be used directly in the switch:

replace(replace(replace(string(body('Parse_JSON_2')?['TrafficLightProtocol']),'[',''),']',''),'"','')

Next we build out the switch statement, which adds a comment based on the TLP that was tagged in the rule.

We could also add other actions here if a particular TLP requires specific changes.

On the far right side we have the default branch. This can be used to give every incident a default tag when the rule’s query does not add a TLP tag.

If you want a default, set the Compose action in that branch to whichever template you want as the default, or leave it blank to add nothing.
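To make the cleanup expression and the switch easier to reason about, here is a small Python model of that part of the logic app. It is an added example, not the author’s logic app or any Microsoft code; it assumes, as the replace() chain above implies, that Sentinel hands the custom detail to the playbook as a JSON array of strings (so string() produces something like ["TLP:AMBER"]). The function names and the sample inputs are constructed for this example, and the templates are abbreviated to their header line.

```python
import json
from typing import Optional

# Abbreviated versions of the five comment templates from the post (header only;
# the description paragraphs are left out to keep the example short).
TLP_TEMPLATES = {
    "TLP:RED": '<div style="background-color:#000;border-left:3px solid #f44336"><p style="padding:5px">'
               '\U0001F6A6 <strong style="color:#FF2B2B">TLP:RED - Not for disclosure, restricted to participants only</strong></p></div>',
    "TLP:AMBER+STRICT": '<div style="background-color:#000;border-left:3px solid #FFC000"><p style="padding:5px">'
               '\U0001F6A6 <strong style="color:#FFC000">TLP:AMBER+STRICT - Limited disclosure, restricted to participants\u2019 organization</strong></p></div>',
    "TLP:AMBER": '<div style="background-color:#000;border-left:3px solid #FFC000"><p style="padding:5px">'
               '\U0001F6A6 <strong style="color:#FFC000">TLP:AMBER - Limited disclosure, restricted to participants\u2019 organization and its clients</strong></p></div>',
    "TLP:GREEN": '<div style="background-color:#000;border-left:3px solid #33FF00"><p style="padding:5px">'
               '\U0001F6A6 <strong style="color:#33FF00">TLP:GREEN - Limited disclosure, restricted to the community</strong></p></div>',
    "TLP:CLEAR": '<div style="background-color:#000;border-left:3px solid #FFFFFF"><p style="padding:5px">'
               '\U0001F6A6 <strong style="color:#FFFFFF">TLP:CLEAR - Disclosure is not limited</strong></p></div>',
}


def normalize_tlp(raw_value) -> str:
    """Python equivalent of the Logic App expression
    replace(replace(replace(string(body('Parse_JSON_2')?['TrafficLightProtocol']),'[',''),']',''),'"','').

    Custom details arrive as JSON arrays of strings, so string() yields
    e.g. ["TLP:AMBER"]; stripping brackets and quotes leaves TLP:AMBER.
    A missing field (null) becomes the empty string, as string(null) does.
    """
    if raw_value is None:
        return ""
    # separators=(",", ":") matches string()'s compact JSON (no spaces).
    text = json.dumps(raw_value, separators=(",", ":"))
    return text.replace("[", "").replace("]", "").replace('"', "")


def select_template(tag: str, default_tag: Optional[str] = None) -> Optional[str]:
    """The Switch action: one case per TLP label plus the Default branch.

    default_tag is the label the Default branch's Compose action falls back
    to; None mirrors leaving that Compose empty, i.e. add no comment at all.
    """
    if tag in TLP_TEMPLATES:
        return TLP_TEMPLATES[tag]
    if default_tag is not None:
        return TLP_TEMPLATES[default_tag]
    return None


def comment_for_alert(custom_details: dict, default_tag: Optional[str] = None) -> Optional[str]:
    """End to end: parsed custom details in, incident comment HTML (or None) out."""
    tag = normalize_tlp(custom_details.get("TrafficLightProtocol"))
    return select_template(tag, default_tag)


if __name__ == "__main__":
    # Constructed sample inputs, not real alert data.
    tagged = {"TrafficLightProtocol": ["TLP:AMBER+STRICT"]}
    untagged = {"SomeOtherDetail": ["value"]}
    print(comment_for_alert(tagged))
    print(comment_for_alert(untagged, default_tag="TLP:CLEAR"))
    print(comment_for_alert(untagged))  # None: no default configured
```

One thing the model makes visible: if a query ever emits more than one TrafficLightProtocol value, the cleanup yields something like TLP:AMBER,TLP:GREEN, which matches no case and lands in the Default branch, so keep the extend to a single value per rule.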

Automation

Let’s go to the Automation section and create an automation rule.

From there we create the following rule, which will tag every incident:

Incident

Now when we look at the incident, we see the following comment being added:

☕ Like what you read? Did it help you?

Send some coffee and love https://buymeacoffee.com/truvis :)
Your support helps pay for licenses, research & development, and other costs that allow me to bring you new guides and content!

❗If you are new to my content, be sure to follow/connect with me on all my other socials for new ideas and solutions to complicated real world problems and jump start your career! New content drops daily/weekly along with tips and tricks :)

👉 W: https://truv.is
👉 T: https://twitter.com/thattechkitten
👉 Y: https://www.youtube.com/@TRUValueInformationSecurity
👉 G: https://github.com/truvis
👉 L: https://www.linkedin.com/in/truvisthornton
👉 M: https://medium.com/@truvis.thornton
