Automate your SOC – Risky Business

Giving your incidents a risk score

So, you’ve installed STAT using the deployment ARM template? Yes, ok let’s go. If not, see our tutorial on getting it installed here. Let’s start by navigating to your Logic Apps blade in the Azure portal. Here you will see that STAT installed fifteen logic apps. We will go over each in depth in coming posts. But for this post, we are going to focus on the base implementation. We will be using the following logic apps/modules: Get-AADRiskInfo, Get-MDEInsights, Get-RelatedAlerts, and Calculate-RiskScore. This will give you a good introduction to how STAT enriches and scores the incident.

The goal here is to look at the risk associated with the user and the device along with any related alerts associated with the entities identified in the incident. Remember the Base-Module gathers the entities and prepares them to be used by the modules.

The first thing we would have you do is make a copy of the “Sample-STAT-Triage” logic app by opening the logic app and then clicking the “clone” at the top of the navigation. Name the new one whatever you like. For this tutorial, I am naming mine “STAT-Base-GCC”. Then open it in the left navigation, then click on “Logic App Designer” in the left navigation. This will allow us to edit. Then let’s remove some of the existing configurations so we can show you how to add and remove modules.

Starting from the bottom, we’ll remove “Conditions” and everything below it. Click on the eclipse on the right side of each box then select delete. Then delete the “Intel” module. This is what it should look like when you’re done.

So we have the AADRisk and the MDEInsights Module. Hover over the vertical line just below the “Base Module” then click on the “+” and click “Add a parallel branch”.  

The “Choose an operation” box will appear. Type in the search “triage”, you will see the STAT modules show up below. Scroll until you find the “Microsoft Defender for Endpoint Module”. Next click into the “*BaseModuleBody”, note if your browser is not wide enough you will not see the flyout box appear, so scroll this window via the grey bar at the bottom. In the “Dynamic content” box, search by the word “base” then click the “Base Module Body”.  In the “LookbackInDays” box put “3”. Then click the drop down in the “AddIncidentComments” box and then check the “add comments to incidents” then click true. You can add more modules if you like by repeating steps in this section.

Now, let’s add in the “Risk Scoring” Module. Do this by clicking on the “+New Step” box below the three modules. The “Choose an operation” box will appear. Type “triage” in the search box and scroll to find the scoring module then click it. Next click in the “*BaseModuleBody” which as before will pop out to your right the “Dynamic content” box. Search for “base” and add the “Base Module Body”. You will see a dotted outlined box. This will be the first module we will score.

Let’s click into the “ScoringData” box then scroll and find the header “AAD Risks Module” then under that click on “Body”.  Next box lets put in the friendly name “User Risk”. Next let’s put in a scoring multiplier of “5”. Then we finish this by clicking the drop down in the “ScoringData PerItem” select “yes”.

Ok, we have scored our first module. Let’s add the remaining modules to our scoring by repeating the same steps as above for MDE and RelatedAlerts modules. Start by clicking the “+Add new item” box. This is what it should look like when you are done.

Now we’re ready to add up our scores for this incident. Click on “+New step” button. Here we will do a search for “condition”. Scroll down and in the one called “Condition Control” it is grey and looks like this picture click on it will add a “Condition” box.

In the condition box, click into the first “Choose a value” box. Up comes our “Dynamic content” box. Under “Risk Scoring Module” click on “TotalScore”. This adds the sum of scoring from our scoring algorithm from our modules. Next box to the right click the drop down and chose “is greater than or equal to”. In the third box to the right put in “50” which is our initial value of score we will either be true or false.

Now we are ready to add some action items to tag and escalate the incident. In the “True” box click on “Add an action”. Search for “Sentinel” then click on “Update incident (preview)”. Next click in the “Incident ARM id” box. Scroll and click on the “Incident ARM ID” which is a blue shield. Let’s increase the severity of the incident to “High” and change the status to “Open”. Next let’s add our first tag called “Escalated”. Click “+ Add new item” and then type in “Risk Score”. Next in the “Dynamic content” type in search “score”. Then under the heading “Risk Scoring Module” click “TotalScore”.

Let’s switch over to the “False” condition. In the “False” box, click on “Add an action”. Search for “Sentinel” then click on “Update incident (preview)”. Next click in the “Incident ARM id” box. Scroll and click on the “Incident ARM ID” which is a blue shield. Let’s change the status to “Closed”. Next let’s add our first tag called “Not Interesting”. Set “Classification reason” to “Undetermined” and Close Reason to “Closed by STAT”. Click “+ Add new item” and then type in “Risk Score”. Next in the “Dynamic content” type in search “score”. Then under the heading “Risk Scoring Module” click “TotalScore”.

**If you don’t not want to change the “STATUS” of opening or closing the incident you don’t have to. You will want to still do the tagging to see how your scoring is functioning.

Save your STAT by clicking the “Save” button up top. It should validate the logic app. If you get an error on saving check the “Connected to” at the bottom of each module in the “True/False” boxes. It should say “azuresentinel-Sample-STAT-Triage” as the managed identity for permissions. That’s it. We are done! The next step is to open Microsoft Sentinel and there we will deploy our STAT automation.

In Sentinel, go to the “Automation” blade then at the top click “Create” and select “Automation”. Name the automation “STAT-Triage-Incident-Scoring”. Leave “Trigger” set to “When incident is created” and “Conditions” so that all incidents will be evaluated. Under “Actions” select “Run playbook” from the drop down and select the name of your STAT playbook. Mine is “STAT-Base-GCC”. Let’s make sure this automation runs first in priority and change the “Order” box to “1”.  If you have other automations, you will want to reorder them as necessary.

Well done! You are now enriching and scoring all your incidents. Congrats!

Check out our previous posts in this series

Let’s automate your SOC – Introduction to automating your Microsoft Sentinel

Automate your SOC – Let’s talk about STAT, baby – Introduction and installation of Microsoft STAT Triage

Automate your SOC – Noise is the enemy of speed – How to optimize your incidents

One thought on “Automate your SOC – Risky Business