Building the Azure Sentinel Toolbox: Threat Analytics Search Browser Plug-in

There’s an almost unlimited number of actions you can take utilizing Playbooks (Logic Apps) in Azure Sentinel. You can attach a Playbook to an Analytics Rule to automate reaction to an alert or you can run Playbooks manually inside the details of an Incident.

For example, as part of my own Azure Sentinel investigations, I regularly run a Playbook to check IP addresses against the VirusTotal database for potentially nefarious connections and another Playbook that assigns the GEO-location to an IP address. Each of these write the useful information back to the Incident, enabling me to build a comprehensive set of investigatory facts to help close-out an investigation in record time.

But, for either of these, the Playbook cannot be run against just a standard data sampling query in the Logs blade in Azure Sentinel during Hunting operations. So, while I’m digging through data, and I happen to locate a strange IP address or suspect URL, I have to do some manual searching to determine the entities’ deeper connections.

For these occurrences, might I recommend a browser plug-in?

Threat Analytics Search is a browser plug-in for Chromium-based browsers (Chrome, Edge, etc.) that provides right-click capability with links to submit strings of data (like URLs, IP Addresses, etc.) to various threat indicator services.

For example, in the next image, you can see that I’m able to essentially complete the same action of the VirusTotal Playbook by highlighting the IP address in the KQL query results and submitting it directly to the VirusTotal website.

Submitting IP Address to VirusTotal

There’s a long list of available submission engines included with the stock installation, but you can modify the list including removing, reordering, and adding your own. Instructions are on the Settings page of the plug-in.

For example, as shown in the next image, I’ve also been able to add the same functionality as my other favorite IP to GEO Playbook.

Adding IP-API

Using this plug-in for your Chromium-based web browser, you can check against your favorite threat indicator service BEFORE adding an Azure Sentinel bookmark for later review, eliminating one more step in the attempt to streamline security operations.

Get the plug-in here: Threat Analytics Search

This blog post is part of an ongoing series of providing information about additional tools to help Azure Sentinel analysts streamline processes and take advantage of extra value. Have tools of your own? Let me know.

[Want to discuss this further? Hit me up on Twitter or LinkedIn]

Author

One thought on “Building the Azure Sentinel Toolbox: Threat Analytics Search Browser Plug-in

Leave a Reply