Microsoft Threat Intelligence

With the Microsoft Azure Sentinel Playbook app and Service app, you can better manage and ingest Incidents and Alerts in Azure Sentinel. ThreatConnect provides context on indicators and enables you to easily spot abnormal trends and patterns to act on them efficiently. Additionally, analysts working in Azure Sentinel can view real-time indicator enrichment, add indicators back into ThreatConnect, and record false positives. You can then tie your data to Playbooks to automate nearly any cybersecurity task and respond to threats faster directly from Azure Sentinel - as well as send data to other tools like your EDR or Network Security tools for alerting or blocking purposes. The following actions are available:

• Create Incident Comment
• Get Alert
• Get Incident
• List Alerts
• List Incidents
• Update Incident

These apps can be found in the ThreatConnect App Catalog under the names: Microsoft Azure Sentinel (Playbook), Microsoft Azure Sentinel (Custom Trigger)

With the Microsoft Defender for Endpoint Playbook and Service App, you can ingest alerts into ThreatConnect and then automate triage and investigative actions across your security stack. This app provides a powerful set of actions that can be leveraged within a larger security workflow orchestration or even simple automation. Immediate actions can be taken to investigate, stop, and remediate potential threats at the endpoint based on external threat intelligence. The following actions are available:

• Add Machine Tags - Action to add a tag to a machine.
• Advanced Hunting - Action for advance hunting.
• Collect Investigation Package - Action to collect investigation package for a machine. As this action may take time for a result to return, the playbook retry functionality is required for full processing and to return the binary/zip package.
• Delete All Indicators - Action to delete all indicators.
• Delete Indicators - Action to delete identified indicators.
• Get Investigation Package - Action to download an investigation package after Collect Investigation Package has been run.
• Get Alert - Action to retrieve an Alert.
• Get Investigation - Action to get an investigation.
• Get Machine - Action to get information about a machine.
• Get Machine Action - Action to get information about a machine action.
• Get Machine Related Alerts - Action to get a machine's related alerts.
• Get Machine Logged on Users - Action to get a machine's logged in users.
• Get Machine Installed Software - Action to get a machine's installed software.
• Get Machine Discovered Vulnerabilities - Action to a machines discovered vulnerabilities.
• Isolate Machine - Action to isolate a machine.
• List Indicators - Action to list indicators.
• List Machines - Action to list machines.
• Remove Machine Tags - Action to remove a tag from a machine.
• Restrict App Execution - Action to restrict an app from executing.
• Run Antivirus Scan - Action to run an antivirus scan.
• Start Investigation - Action to start an investigation.
• Stop and Quarantine File - Action to stop and quarantine a file.
• Submit Indicators - Action to submit indicators.
• Unisolate Machine - Action to unisolate a machine.
• Unrestrict App Execution - Action to allow an app to execute.
• Update Alert - Action to update an alert.

For more information, including how to choose permissions, please see here.

There is both a Playbook App and Service App for this integration. They can be found in the ThreatConnect App Catalog under the names Microsoft Defender for Endpoint (Playbook), Microsoft Defender for Endpoint Service (Custom Trigger)

ThreatConnect has released a Playbook App and a Service App for joint Microsoft Exchange customers to leverage Microsoft Exchange Web Services (EWS). With these apps, you can automate email investigation and response actions with Microsoft Exchange using the EWS API. The EWS Service App pulls messages from an Exchange mailbox on a schedule into a target folder for processing, while the EWS Playbook App allows you to automatically monitor emails for attacks and orchestrate a response within ThreatConnect.

The EWS Playbook App integration allows these automated actions:

• Get Attachment: Action to retrieve a suspicious or flagged email attachment
• Get Message: Action to retrieve a suspicious or flagged email message
• Move Message: Action to move a suspicious or flagged message into a target folder for investigation
• Delete Message: Action to remove a suspicious or flagged message
• Search Mailboxes: Search specific email accounts for messages or attachments that breach policy or are flagged as suspicious

The EWS Service App allows the following actions:

• Pull Exchange email messages on a schedule
• Put emails in a target folder for processing

The Playbook App can be found in the ThreatConnect App Catalog listed as Microsoft Exchange Web Services (EWS), and the Service App is listed as Microsoft Exchange Web Services (EWS) Service as a Custom Trigger.

With these apps, you can automatically trigger a Playbook once you receive an email in a phishing mailbox in Office 365. The Playbook will then parse the email and any attachments and orchestrate an investigation of the email using a combination of ThreatConnect intelligence, ThreatConnect’s CAL™, malware analysis tools, and data enrichment sources. If the email is suspicious or requires further remediation, ThreatConnect can create a Case leveraging our new Workflow feature and assign it to an analyst for further investigation and remediation.
The Microsoft Graph Mail Message Playbook App allows for the following actions:

• Get Message: Get a message by folder path and message ID.
• Parse Message: Parses the notification data delivered by a subscription alert for an email.
• List Messages: List messages in a folder based on any filter criteria that are provided. The list will be unsorted, and only the first 100 results will be returned.
• List Message Attachments: List all of the attachment IDs to a message in graph.message.attachments.list.
• Copy Message: Copy a message to a new destination folder.
• Move Message: Move a message to a new destination folder.
• Update Message: Update message values.

The Microsoft Graph Mail Messages Service App monitors mailboxes for new mail and calls a playbook trigger for each mail in the mailbox. The triggered playbook is expected to move the mail to another mailbox during processing; otherwise the mail may be reprocessed during the next check interval.

These apps can be found in the ThreatConnect App Catalog under the following names: Microsoft Graph Mail Messages and Microsoft Graph Mail Messages Service

The integration between ThreatConnect and the Microsoft Graph API enables many use cases across the Microsoft portfolio. Below are apps and actions:

• Microsoft Graph Notifications: This Service App allows users to subscribe to Graph Notification webhooks.

The Microsoft Graph Notification Service subscribes to change notifications originating with the Microsoft Graph cloud services. One or more resources are subscribed to by Playbook applications, and the Playbooks are triggered when a change notification arrives for that subscription.

This app can be found in the ThreatConnect App Catalog under the name Microsoft Graph Notification Service.

You can now easily send indicators to products like Microsoft Defender ATP (Advanced Threat Protection) and Azure Sentinel using the Microsoft Graph Security Threat Indicators Playbook App or Job App. The job app allows you to send thousands of indicators in bulk (vs. tactically with the Playbook app). ThreatConnect helps to increase accuracy and efficiency in your organization by ensuring that only high-fidelity indicators are being sent to Microsoft Graph to be sent further along to products like Microsoft Defender ATP and Azure Sentinel. Once indicators have made it to these products, you can set up alerts and block actions for them. When alerts are generated based on intelligence from ThreatConnect, you’ll feel confident to make fast and informed decisions. Below are apps and use cases:

• Microsoft Graph Security Alerts: List, Get and Update Graph Security Alerts.
• Microsoft Graph Security Threat Indicators: Enables users to send Indicators from ThreatConnect into Microsoft Graph Security for alerting and blocking with target products like Azure Sentinel and Microsoft Defender ATP. Tens of thousands of indicators can be sent in bulk from ThreatConnect in Sentinel. The integration supports Indicator types of Address, Host, CIDR, URL, User Agent, Email Address, Email Subject, and File (MD5, SHA1, and SHA256), along with the relevant context for each Indicator type.

These apps can be found in the ThreatConnect App Catalog under the following names: Microsoft Graph Security Threat Indicators and Microsoft Graph Security Alerts.

With this Playbook App, you can create a channel in Microsoft Teams as part of an investigation process and then post relevant updates to the channel as the investigation unfolds. You can also use it to request permission for action or notify a user that they need to take an action. Included actions with this Playbook app are:

• Create a Channel
• Send Chat Message

This app can be found in the ThreatConnect App Catalog under the name: Microsoft Graph Teamwork.

With this Playbook App, you can get Microsoft Azure Active Directory User account information including Groups and Applications the user has access to. This information can be used for making automated decisions about the next steps to take in the investigation as well as helping you to have all the information you need without having to collect it manually. Some example use cases with this app are:

• As part of a security process, get user account information from Azure Active Directory. This information can be used for making automated decisions about next steps to take in the investigation as well as helping analysts have the information they need without having to collect it manually.
• During a security investigation, it’s often necessary to suspend a user’s account for a time period while the investigation takes place and analysts can confirm that the account is not compromised. This action can be automated as part of a Workflow or Playbook. Later in the process, the account can be unsuspended and the password can be reset automatically. Additionally, the user can be forced to reset their password at the next logon.

The following actions are available:

• Get User - Get User retrieves the properties and relationships of the user object.
• Update User - Update the properties of a user object.

This app can be found in the ThreatConnect App Catalog under the name: Microsoft Graph Users.

ThreatConnect can integrate with Microsoft Active Directory, taking advantage of Windows Remote Management and Powershell scripts. This allows the user to take a more incident response-focused approach to gather user information, running processes and other telemetry from the Windows workstation and server platforms. Other Microsoft use cases for incident response include user attribution along with Windows machine name resolution. The Phishing Use Case also works with O365 and ThreatConnect can pull user information from Azure Active Directory using Microsoft’s API.

This app can be found in the ThreatConnect App Catalog under the name: Microsoft Windows Remote Management (WinRM).

With the Process Graph Mail Notifications Playbook template, you can quickly denote and triage malicious phishing emails.

This Playbook template can be found in the ThreatConnect App Catalog under the name: [Microsoft O365 Phishing] Process Graph Mail Notifications