Threat Intelligence Module
This post builds upon your initial installation and provides a deeper understanding of each of the modules (log apps) that make up MSTAT. See the links below for earlier posts to build your knowledge on the capabilities of each module.
You can also find all related posts by searching this blog.
The Threat Intelligence module takes the entities and does look ups for corresponding threat intelligence in Microsoft Sentinel.
This module enriches the incident comments by querying the Sentinel Threat Intelligence table with the following supported entity types of IP Addresses, Domains, URLs, and File Hashes.
Module Trigger Parameters
|AddIncidentComments||True/False (Default:True)||When set to true, the results of the query will be added to the Sentinel Incident Comments|
|Base Module Body||Body (dynamic content)||The Body should be selected from the Dynamic content of the Base-Module response|
|CheckDomains||True/False (Default:True)||Check Domain Entities for Threat Intelligence Matches|
|CheckFileHashes||True/False (Default:True)||Check File Hash Entities for Theat Intelligence Matches|
|CheckIPs||True/False (Default:True)||Check IP Entities for Threat Intelligence Matches|
|CheckURLs||True/False (Default:True)||Check URL Entities for Threat Intelligence Matches|
|LookbackInDays||(Default:14)||This defines how far back to look through the ThreatIntelligenceIndicators table in Sentinel. All active threat intel is included when looking back the default 14 days.|
Module Return Results
|AnyTIFound||true/false if any Threat Intelligence was found for any indicator type|
|DetailedResults||An array of Threat Intelligence that was matched with the incident entities|
|DomainEntitiesCount||Count of Domain Entities in Incident|
|DomainEntitiesWithTI||Count of Domain Entities with Threat Intelligence matches|
|DomainTIFound||true/false if Domain Threat Intelligence was found|
|FileHashEntitiesCount||Count of FileHash Entities in Incident|
|FileHashEntitiesWithTI||Count of FileHash Entities with Threat Intelligence matches|
|FileHashTIFound||true/false if FIleHash Threat Intelligence was found|
|IPEntitiesCount||Count of IP Entities in Incident|
|IPEntitiesWithTI||Count of IP Entities with Threat Intelligence matches|
|IPTIFound||true/false if IP Threat Intelligence was found|
|ModuleName||The internal Name of the Playbook|
|TotalTIMatchCount||Count of all Threat Intelligence matches|
|URLEntitiesCount||Count of URL Entities in Incident|
|URLEntitiesWithTI||Count of URL Entities with Threat Intelligence matches|
|URLTIFound||true/false if URL Threat Intelligence was found|
Threat Intelligence Scoring
When scoring the Threat Intelligence Module if ScorePerItem=True then the returned score will be 10 * MatchedTIItemCount * ScoreMultiplier. If ScorePerItem=False the returned score will be 10 * ScoreMultiplier if one or more matching pieces of TI is found
Obviously, the entities that match the intel feed will drive up the score. We suggest that you score all matched items. We suggest you start with 5 as the multiplier. However, look at tuning the results based on your environment.
All right. Now, we’re making even more progress and we have completed a good base installation of MSTAT. Next time, we’ll talk about the Watchlist Module focusing on VIP Users and High Valued Assets – a great way to score potential high impact incidents.
Let’s automate your SOC – Introduction to automating your Microsoft Sentinel
Automate your SOC – Let’s talk about STAT, baby – Introduction and installation of Microsoft STAT Triage
Automate your SOC – Noise is the enemy of speed – How to optimize your incidents
Automate your SOC – Risky Business – Giving your incidents a risk score
Automate your SOC – Oh, that user again? Enrich your incident with by checking user’s Sign In Risk
Automate your SOC – Rise of the machine (risk) – Tell me about the risk of the user’s device