Intro to Microsoft Sentinel Triage Assistant (STAT)
We wanted to jump right in to help you automate your security operations by introducing the Microsoft Sentinel Triage Assistant or STAT for short. STAT is built on a series of Azure Logic Apps which can be integrated into Microsoft Sentinel, Azure Active Directory, and the 365 Defender suite of tools. During the coming weeks/months, Andrea and I will guide you through STAT in detail providing you with actions you can immediately leverage. We hope you comment and reach out to us to share your needs and ideas. We will focus on the following solutions and outcomes:
- Reduce time to deploy automations.
- Provide a modular deployment so you can leverage any number of modules or create your own.
- Build a risk scoring system that can help escalate or resolve an incident.
- Increase analyst efficiency by enriching the incident with investigation data.
- Assigning tasks to the analyst so Tier1/2 can perform recommended steps for faster resolution.
So why STAT and not just use the playbooks built into Sentinel? Many of Sentinel’s playbook templates focus on Notification, Incident Enrichment and Remediation which are very useful. But this project focuses on the triage and analysis of an incident so you will know if an incident truly requires action. If we conclude that an incident is “low quality” (likely a benign positive), we can be close or lower the severity through automation. If an incident is determined to be of “higher” quality, we can raise the severity, assign it to an analyst or even trigger a remediation task.
The first step in STAT is the Base Module. This module prepares the entity data for additional STAT modules. Once the Base Module has been called, the triage modules analyze the entities that are part of the incident. The triage modules will return an easy to use, well documented result so you can quickly make decisions about how to handle an incident.
Below, you can see a quick overview of the modules included in STAT. In subsequent posts, we will dive into each module.
- Base Module – Normalizes Entities from Incident
- Scoring Module – Calculates cumulative risk score from scorable modules
- AADRiskModule – Retrieves the risk level of users in Azure Active Directory Identity Protection and MFA Failures along with MFA Fraud
- MDEModule – Returns device risk score and exposure level from Defender for Endpoint
- RelatedAlerts – Finds related alerts for each entity
- MCASModule – Retrieves investigation score from Defender for Cloud Apps
- Files Module – Provides a MD5/SHA1/SHA25 Hash Analysis
- WatchlistModule – Checks entities matching Sentinel Watchlist(s)
- TIModule – Checks entities for matching threat intelligence in Sentinel
- UEBAModule – Checks User Entity Behavior Analytics events and investigation priority
- OOFModule – Check Office 365 Mailbox to see if user is out of office
- RunPlaybook – Allows you to call another logic app
- KQLModule – Run custom KQL queries against Microsoft Sentinel, Azure Data Explorer or Microsoft 365 Advanced Hunting
Finally, after scoring we will show you how to enrich and take action on each incident:
- Enrich by adding comments to incident
- Tag incident with Score
- Apply Tags based on score – Closed or Escalated
- Add Tasks to Escalate Incidents
- Open or Close Incident
- Kick off Remediation Logic/Automation
See you next time, when we will dive into the Base Module! Happy Hunting – Andrea and Mike
Check the next post in this series: Lets Get STAT installed!