Automate your SOC – Known Badness

Threat Intelligence Module

This post builds upon your initial installation and provides a deeper understanding of each of the modules (Logic Apps) that make up MSTAT. See the links below for earlier posts to build your knowledge on the capabilities of each module.

You can also find all related posts by searching this blog.

The Threat Intelligence module takes the incident's entities and looks up corresponding threat intelligence in Microsoft Sentinel.

It enriches the incident comments by querying the Sentinel ThreatIntelligenceIndicator table for the supported entity types: IP addresses, domains, URLs, and file hashes. Entity types that are not supported (for example accounts and hosts) are ignored by this module.

Module Trigger Parameters

| Parameter | Expected values | Description |
| --- | --- | --- |
| AddIncidentComments | True/False (default: True) | When set to True, the results of the query are added to the Sentinel incident comments |
| Base Module Body | Body (dynamic content) | The Body should be selected from the Dynamic content of the Base-Module response |
| CheckDomains | True/False (default: True) | Check Domain entities for threat intelligence matches |
| CheckFileHashes | True/False (default: True) | Check File Hash entities for threat intelligence matches |
| CheckIPs | True/False (default: True) | Check IP entities for threat intelligence matches |
| CheckURLs | True/False (default: True) | Check URL entities for threat intelligence matches |
| LookbackInDays | Number of days (default: 14) | How far back to search the ThreatIntelligenceIndicator table in Sentinel. All active threat intel is included when looking back the default 14 days. |

Module Return Results

| Property | Description |
| --- | --- |
| AnyTIFound | true/false: whether threat intelligence was found for any indicator type |
| DetailedResults | An array of the threat intelligence indicators that matched the incident entities |
| DomainEntitiesCount | Count of Domain entities in the incident |
| DomainEntitiesWithTI | Count of Domain entities with threat intelligence matches |
| DomainTIFound | true/false: whether Domain threat intelligence was found |
| FileHashEntitiesCount | Count of FileHash entities in the incident |
| FileHashEntitiesWithTI | Count of FileHash entities with threat intelligence matches |
| FileHashTIFound | true/false: whether FileHash threat intelligence was found |
| IPEntitiesCount | Count of IP entities in the incident |
| IPEntitiesWithTI | Count of IP entities with threat intelligence matches |
| IPTIFound | true/false: whether IP threat intelligence was found |
| ModuleName | The internal name of the playbook |
| TotalTIMatchCount | Count of all threat intelligence matches |
| URLEntitiesCount | Count of URL entities in the incident |
| URLEntitiesWithTI | Count of URL entities with threat intelligence matches |
| URLTIFound | true/false: whether URL threat intelligence was found |

Threat Intelligence Scoring

When scoring the Threat Intelligence module, if ScorePerItem=True the returned score is 10 * MatchedTIItemCount * ScoreMultiplier. If ScorePerItem=False the returned score is 10 * ScoreMultiplier when one or more matching pieces of TI are found, and 0 when none are found.

Entities that match the intel feed therefore drive up the score. We suggest scoring every matched item (ScorePerItem=True) and starting with a multiplier of 5, then tuning the weight based on how noisy your threat intelligence feeds are in your environment: a feed that tags common CDN or shared-hosting addresses will otherwise inflate the score of routine incidents.
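To make the lookup described at the top of this post and the scoring rule above concrete, here is an added, stand-alone model of both in Python. It is not MSTAT's own code (the module is a Logic App that runs a query against Sentinel); it reproduces the behaviour in plain Python over constructed data so the result shape and the score can be checked offline. Column names follow the ThreatIntelligenceIndicator table (IndicatorId, TimeGenerated, Active, ExpirationDateTime, NetworkIP, DomainName, Url, FileHashValue); the indicator rows, the fixed "now", the (type, value) entity format, the ModuleName value and the case-insensitive matching are assumptions made for the example. It also shows the check a practitioner wants when querying that table directly: keep only the latest row per IndicatorId inside the lookback window, and then require it to be active and unexpired, so a revoked or expired indicator does not produce a match.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed "now" so the lookback window is deterministic (assumption for the example)
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)


def ti_row(indicator_id, days_ago, active, expires_in_days, **ioc):
    """Build one constructed row shaped like the ThreatIntelligenceIndicator columns the
    lookup needs. Observable columns default to None and are set via **ioc."""
    row = {"IndicatorId": indicator_id,
           "TimeGenerated": NOW - timedelta(days=days_ago),
           "Active": active,
           "ExpirationDateTime": NOW + timedelta(days=expires_in_days),
           "NetworkIP": None, "DomainName": None, "Url": None, "FileHashValue": None}
    row.update(ioc)
    return row


# Constructed indicator rows (not a real feed). Sentinel re-writes indicators over time,
# so an IndicatorId can appear several times; the newest row decides its current state.
TI_ROWS = [
    ti_row("ioc-1", 3, True, 30, NetworkIP="203.0.113.10", ThreatType="C2"),
    ti_row("ioc-2", 10, True, 30, DomainName="bad.example"),    # older copy: active
    ti_row("ioc-2", 1, False, 30, DomainName="bad.example"),    # newest copy: revoked
    ti_row("ioc-3", 2, True, -1, Url="http://evil.example/x"),  # already expired
    ti_row("ioc-4", 20, True, 30, FileHashValue="d41d8cd98f00b204e9800998ecf8427e"),  # outside 14d
    ti_row("ioc-5", 5, True, 30,
           FileHashValue="e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
]

# Table column each supported entity type is matched against
ENTITY_COLUMN = {"IP": "NetworkIP", "Domain": "DomainName", "URL": "Url", "FileHash": "FileHashValue"}


def active_indicators(rows, now=NOW, lookback_days=14):
    """Latest row per IndicatorId inside the lookback window, kept only if it is still
    active and unexpired (the arg_max-per-id pattern you would use in the KQL query)."""
    cutoff = now - timedelta(days=lookback_days)
    latest = {}
    for r in rows:
        if r["TimeGenerated"] < cutoff:
            continue
        cur = latest.get(r["IndicatorId"])
        if cur is None or r["TimeGenerated"] > cur["TimeGenerated"]:
            latest[r["IndicatorId"]] = r
    return [r for r in latest.values() if r["Active"] and r["ExpirationDateTime"] > now]


def lookup(entities, rows, now=NOW, lookback_days=14,
           CheckIPs=True, CheckDomains=True, CheckURLs=True, CheckFileHashes=True):
    """Match incident entities (list of (type, value)) against active TI and return a
    result set with the same property names as the module's Return Results table."""
    enabled = {"IP": CheckIPs, "Domain": CheckDomains, "URL": CheckURLs, "FileHash": CheckFileHashes}
    by_value = defaultdict(list)
    for r in active_indicators(rows, now, lookback_days):
        for col in ENTITY_COLUMN.values():
            if r[col] is not None:
                by_value[(col, r[col].lower())].append(r)  # case-insensitive match: simplification
    results = {"DetailedResults": [], "ModuleName": "ThreatIntelligence"}  # name is an assumption
    total = 0
    for etype, col in ENTITY_COLUMN.items():
        values = [v for t, v in entities if t == etype]
        hits = set()
        for v in (values if enabled[etype] else []):
            for r in by_value.get((col, v.lower()), []):
                hits.add(v)
                total += 1
                results["DetailedResults"].append({"Entity": v, "EntityType": etype,
                                                   "IndicatorId": r["IndicatorId"],
                                                   "ThreatType": r.get("ThreatType")})
        results[f"{etype}EntitiesCount"] = len(values)
        results[f"{etype}EntitiesWithTI"] = len(hits)
        results[f"{etype}TIFound"] = bool(hits)
    results["TotalTIMatchCount"] = total
    results["AnyTIFound"] = total > 0
    return results


def ti_score(results, ScorePerItem=True, ScoreMultiplier=5):
    """Scoring rule from the post: 10 * matches * multiplier per item,
    otherwise a flat 10 * multiplier when anything matched."""
    if ScorePerItem:
        return 10 * results["TotalTIMatchCount"] * ScoreMultiplier
    return 10 * ScoreMultiplier if results["AnyTIFound"] else 0


# Constructed incident entities: two IPs, one domain, one URL, two hashes
INCIDENT_ENTITIES = [("IP", "203.0.113.10"), ("IP", "198.51.100.7"), ("Domain", "bad.example"),
                     ("URL", "http://evil.example/x"),
                     ("FileHash", "d41d8cd98f00b204e9800998ecf8427e"),
                     ("FileHash", "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855")]

if __name__ == "__main__":
    res = lookup(INCIDENT_ENTITIES, TI_ROWS)
    print(res)
    print("per-item score:", ti_score(res), " flat score:", ti_score(res, ScorePerItem=False))
```

With these rows only the C2 IP and the SHA-256 hash match: the domain indicator was revoked by its newest row, the URL indicator has expired, and the MD5 indicator falls outside the 14-day window (raise LookbackInDays to 30 and it counts). Two matches with ScorePerItem=True and a multiplier of 5 give a score of 100; ScorePerItem=False gives 50 regardless of how many entities matched.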

All right. We're making even more progress and have now completed a good base installation of MSTAT. Next time, we'll talk about the Watchlist module, focusing on VIP users and high-value assets, a great way to score potentially high-impact incidents.

Let’s automate your SOC – Introduction to automating your Microsoft Sentinel

Automate your SOC – Let’s talk about STAT, baby – Introduction and installation of Microsoft STAT Triage

Automate your SOC – Noise is the enemy of speed – How to optimize your incidents

Automate your SOC – Risky Business – Giving your incidents a risk score

Automate your SOC – Oh, that user again? Enrich your incident by checking the user's Sign In Risk

Automate your SOC – Rise of the machine (risk) – Tell me about the risk of the user’s device
