To address a challenge as big as cybersecurity, ThreatConnect and Microsoft partner to help keep organizations secure. Together we are making a safer world.
This integration is ThreatConnect’s first AI-powered LLM integration. At a high level, it allows ThreatConnect users to query and summarize ThreatConnect Intelligence from the Copilot standalone experience. Indicators, groups and intelligence requirements can all be queried, investigated and summarized for faster research and investigations. As a delighter, users can also generate TQL queries to help with their research and run them directly from the Copilot standalone experience console. Search, investigate and summarize.
Skills versus NLP
For most users, using the natural language processing on Copilot is the norm. However, since there are many plugins, sometimes the wrong plugins get chosen. Therefore, we chose to utilize the skills format in Copilot to make it easier for users to specify the ThreatConnect Plugin. Of course, the user can use either one they like.
Some examples of how both can be used are shown below.
Skill Prompt
/tcGetIndicators 1.1.1.1
/tcGetGroups adversary called “Fancy Bear”
Natural Language Processing Prompt
What does ThreatConnect know about 1.1.1.1?
What does ThreatConnect know about Fancy Bear?
Skill
/tcGetIndicators
Searches ThreatConnect for indicator information. The results returned will usually include the indicator’s information, tags and attributes. Multiple results can also be returned in either a list or table format.
Examples:
/tcGetIndicators 1.2.3.4
/tcGetIndicators example@example.com
/tcGetIndicators indicators created in the past 12 months in the source "CrowdStrike Falcon Intelligence" and has tag "Threat Type: Criminal" with at least one observation and no false positive reports
/tcGetGroups
Searches ThreatConnect for group information.
The results returned will usually include the group’s description, tags and attributes. Multiple results can also be returned in either a list or table format.
Examples:
/tcGetGroups Adversary called Mustang Panda
/tcGetGroups CVE-2024-21743
/tcGetGroups malware group associated with an ip address indicator and the indicator having a tag of "Threat Type: RAT"
/tcGetGroupById
Searches ThreatConnect for a group by its ThreatConnect group ID. The results returned will usually include the group’s description, tags and attributes.
Examples:
/tcGetGroupById 1125899927003855
/tcGetIR
Searches ThreatConnect for Intelligence requirements.
Examples:
/tcGetIRResults intel requirement IR-001-2022.1
/tcGetIRResults
Get indicators and groups related to intelligence requirements, from either local results or global results; which of the two must be specified in the prompt.
Examples:
/tcGetIRResults global results for IR-010-2022
/tcGetIRResults local results for IR-010-2022
/tcGenerateBasicTQL
Generate ThreatConnect Query Language (TQL) queries that can be used to query a ThreatConnect instance.
Examples:
/tcGenerateBasicTQL report that was made in february
/tcGenerateBasicTQL locate the following groups that match the names CVE-2024-5806, CVE-2024-5806, CVE-2024-6387
PromptBooks
Once clear workflows are defined using the skills above, users can then save sessions as promptbooks which can be run to save time on similar investigation tasks. Rinse and repeat. Save time.
With the Microsoft Azure Sentinel Playbook App and Service App, you can better manage and ingest Incidents and Alerts in Azure Sentinel. ThreatConnect provides context on indicators and enables you to easily spot abnormal trends and patterns and act on them efficiently. Additionally, analysts working in Azure Sentinel can view real-time indicator enrichment, add indicators back into ThreatConnect, and record false positives. You can then tie your data to Playbooks to automate nearly any cybersecurity task and respond to threats faster directly from Azure Sentinel, as well as send data to other tools such as your EDR or network security tools for alerting or blocking purposes. The following actions are available:
Create Incident Comment
Get Alert
Get Incident
List Alerts
List Incidents
Update Incident
These apps can be found in the ThreatConnect App Catalog under the names Microsoft Azure Sentinel (Playbook) and Microsoft Azure Sentinel (Custom Trigger).
With the Microsoft Defender for Endpoint Playbook and Service App, you can ingest alerts into ThreatConnect and then automate triage and investigative actions across your security stack. This app provides a powerful set of actions that can be leveraged within a larger security workflow orchestration or even simple automation. Immediate actions can be taken to investigate, stop, and remediate potential threats at the endpoint based on external threat intelligence. The following actions are available:
Add Machine Tags - Action to add a tag to a machine.
Advanced Hunting - Action to run an advanced hunting query.
Collect Investigation Package - Action to collect investigation package for a machine. As this action may take time for a result to return, the playbook retry functionality is required for full processing and to return the binary/zip package.
Delete All Indicators - Action to delete all indicators.
Delete Indicators - Action to delete identified indicators.
Get Investigation Package - Action to download an investigation package after Collect Investigation Package has been run.
Get Alert - Action to retrieve an Alert.
Get Investigation - Action to get an investigation.
Get Machine - Action to get information about a machine.
Get Machine Action - Action to get information about a machine action.
Get Machine Related Alerts - Action to get a machine's related alerts.
Get Machine Logged on Users - Action to get a machine's logged-on users.
Get Machine Installed Software - Action to get a machine's installed software.
Get Machine Discovered Vulnerabilities - Action to get a machine's discovered vulnerabilities.
Isolate Machine - Action to isolate a machine.
List Indicators - Action to list indicators.
List Machines - Action to list machines.
Remove Machine Tags - Action to remove a tag from a machine.
Restrict App Execution - Action to restrict an app from executing.
Run Antivirus Scan - Action to run an antivirus scan.
Start Investigation - Action to start an investigation.
Stop and Quarantine File - Action to stop and quarantine a file.
Submit Indicators - Action to submit indicators.
Unisolate Machine - Action to unisolate a machine.
Unrestrict App Execution - Action to allow an app to execute.
Update Alert - Action to update an alert.
For more information, including how to choose permissions, please see here.
There is both a Playbook App and a Service App for this integration. They can be found in the ThreatConnect App Catalog under the names Microsoft Defender for Endpoint (Playbook) and Microsoft Defender for Endpoint Service (Custom Trigger).
ThreatConnect has released a Playbook App and a Service App for joint Microsoft Exchange customers to leverage Microsoft Exchange Web Services (EWS). With these apps, you can automate email investigation and response actions with Microsoft Exchange using the EWS API. The EWS Service App pulls messages from an Exchange mailbox on a schedule into a target folder for processing, while the EWS Playbook App allows you to automatically monitor emails for attacks and orchestrate a response within ThreatConnect.
The EWS Playbook App integration allows these automated actions:
Get Attachment: Action to retrieve a suspicious or flagged email attachment
Get Message: Action to retrieve a suspicious or flagged email message
Move Message: Action to move a suspicious or flagged message into a target folder for investigation
Delete Message: Action to remove a suspicious or flagged message
Search Mailboxes: Search specific email accounts for messages or attachments that breach policy or are flagged as suspicious
The EWS Service App allows the following actions:
Pull Exchange email messages on a schedule
Put emails in a target folder for processing
The Playbook App can be found in the ThreatConnect App Catalog listed as Microsoft Exchange Web Services (EWS), and the Service App is listed as Microsoft Exchange Web Services (EWS) Service as a Custom Trigger.
With these apps, you can automatically trigger a Playbook once you receive an email in a phishing mailbox in Office 365. The Playbook will then parse the email and any attachments and orchestrate an investigation of the email using a combination of ThreatConnect intelligence, ThreatConnect’s CAL™, malware analysis tools, and data enrichment sources. If the email is suspicious or requires further remediation, ThreatConnect can create a Case leveraging our new Workflow feature and assign it to an analyst for further investigation and remediation. The Microsoft Graph Mail Message Playbook App allows for the following actions:
Get Message: Get a message by folder path and message ID.
Parse Message: Parses the notification data delivered by a subscription alert for an email.
List Messages: List messages in a folder based on any filter criteria that are provided. The list will be unsorted, and only the first 100 results will be returned.
List Message Attachments: List all of the attachment IDs for a message (graph.message.attachments.list).
Copy Message: Copy a message to a new destination folder.
Move Message: Move a message to a new destination folder.
Update Message: Update message values.
The Microsoft Graph Mail Messages Service App monitors mailboxes for new mail and calls a playbook trigger for each mail in the mailbox. The triggered playbook is expected to move the mail to another mailbox during processing; otherwise the mail may be reprocessed during the next check interval.
These apps can be found in the ThreatConnect App Catalog under the following names: Microsoft Graph Mail Messages and Microsoft Graph Mail Messages Service.
The integration between ThreatConnect and the Microsoft Graph API enables many use cases across the Microsoft portfolio. Below are apps and actions:
Microsoft Graph Notifications: This Service App allows users to subscribe to Graph Notification webhooks.
The Microsoft Graph Notification Service subscribes to change notifications originating with the Microsoft Graph cloud services. One or more resources are subscribed to by Playbook applications, and the Playbooks are triggered when a change notification arrives for that subscription.
This app can be found in the ThreatConnect App Catalog under the name Microsoft Graph Notification Service.
You can now easily send indicators to products like Microsoft Defender ATP (Advanced Threat Protection) and Azure Sentinel using the Microsoft Graph Security Threat Indicators Playbook App or Job App. The job app allows you to send thousands of indicators in bulk (vs. tactically with the Playbook app). ThreatConnect helps to increase accuracy and efficiency in your organization by ensuring that only high-fidelity indicators are being sent to Microsoft Graph to be sent further along to products like Microsoft Defender ATP and Azure Sentinel. Once indicators have made it to these products, you can set up alerts and block actions for them. When alerts are generated based on intelligence from ThreatConnect, you’ll feel confident to make fast and informed decisions. Below are apps and use cases:
Microsoft Graph Security Alerts: List, Get and Update Graph Security Alerts.
Microsoft Graph Security Threat Indicators: Enables users to send Indicators from ThreatConnect into Microsoft Graph Security for alerting and blocking with target products such as Azure Sentinel and Microsoft Defender ATP. Tens of thousands of indicators can be sent in bulk from ThreatConnect to Sentinel. The integration supports the Indicator types Address, Host, CIDR, URL, User Agent, Email Address, Email Subject, and File (MD5, SHA1, and SHA256), along with the relevant context for each Indicator type.
These apps can be found in the ThreatConnect App Catalog under the following names: Microsoft Graph Security Threat Indicators and Microsoft Graph Security Alerts.
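The paragraphs above stress that only high-fidelity indicators of the supported types should be pushed to Graph Security. The Python below is an added illustration, not ThreatConnect's or Microsoft's code, of a pre-submission gate that checks each record against the listed indicator types and a constructed fidelity rule (minimum confidence, at least one observation, no false positive reports, mirroring the /tcGetIndicators example earlier on the page); the record field names and the sample data are assumptions.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Indicator types the page lists as supported by the Graph Security Threat Indicators app.
SUPPORTED_TYPES = {"Address", "Host", "CIDR", "URL", "User Agent",
                   "Email Address", "Email Subject", "File"}
HASH_LENGTHS = {32: "MD5", 40: "SHA1", 64: "SHA256"}  # hex digest lengths
HOST_RE = re.compile(r"(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}")
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def valid_value(itype, value):
    """Return True when value is well-formed for its ThreatConnect indicator type."""
    try:
        if itype == "Address":
            ipaddress.ip_address(value)
            return True
        if itype == "CIDR":
            ipaddress.ip_network(value, strict=False)
            return True
    except ValueError:
        return False
    if itype == "Host":
        return HOST_RE.fullmatch(value.lower()) is not None
    if itype == "URL":
        parts = urlparse(value)
        return parts.scheme in ("http", "https") and bool(parts.netloc)
    if itype == "Email Address":
        return EMAIL_RE.fullmatch(value) is not None
    if itype == "File":
        return len(value) in HASH_LENGTHS and re.fullmatch(r"[0-9a-fA-F]+", value) is not None
    if itype in ("User Agent", "Email Subject"):
        return bool(value.strip())
    return False


def select_high_fidelity(indicators, min_confidence=70):
    """Split records into (accepted, rejected-with-reason); only accepted ones should be sent."""
    accepted, rejected = [], []
    for ind in indicators:
        if ind["type"] not in SUPPORTED_TYPES:
            reason = "unsupported type"
        elif not valid_value(ind["type"], ind["value"]):
            reason = "malformed value"
        elif ind.get("falsePositives", 0) > 0:
            reason = "false positive reports"
        elif ind.get("observations", 0) < 1:
            reason = "never observed"
        elif ind.get("confidence", 0) < min_confidence:
            reason = "low confidence"
        else:
            accepted.append(ind)
            continue
        rejected.append((ind, reason))
    return accepted, rejected
```

Constructed sample records (hypothetical, not from a real ThreatConnect instance) such as an Address with confidence 90 and three observations pass, while a Host value containing a space, a URL with false positive reports, a Registry Key indicator, and a CIDR with confidence 40 are each rejected with a distinct reason.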
With this Playbook App, you can create a channel in Microsoft Teams as part of an investigation process and then post relevant updates to the channel as the investigation unfolds. You can also use it to request permission for action or notify a user that they need to take an action. Included actions with this Playbook app are:
Create a Channel
Send Chat Message
This app can be found in the ThreatConnect App Catalog under the name: Microsoft Graph Teamwork.
With this Playbook App, you can get Microsoft Azure Active Directory User account information including Groups and Applications the user has access to. This information can be used for making automated decisions about the next steps to take in the investigation as well as helping you to have all the information you need without having to collect it manually. Some example use cases with this app are:
As part of a security process, get user account information from Azure Active Directory. This information can be used for making automated decisions about next steps to take in the investigation as well as helping analysts have the information they need without having to collect it manually.
During a security investigation, it’s often necessary to suspend a user’s account for a time period while the investigation takes place and analysts can confirm that the account is not compromised. This action can be automated as part of a Workflow or Playbook. Later in the process, the account can be unsuspended and the password can be reset automatically. Additionally, the user can be forced to reset their password at the next logon.
The following actions are available:
Get User - Get User retrieves the properties and relationships of the user object.
Update User - Update the properties of a user object.
This app can be found in the ThreatConnect App Catalog under the name: Microsoft Graph Users.
ThreatConnect can integrate with Microsoft Active Directory, taking advantage of Windows Remote Management and PowerShell scripts. This allows the user to take a more incident-response-focused approach to gathering user information, running processes and other telemetry from Windows workstation and server platforms. Other Microsoft use cases for incident response include user attribution along with Windows machine name resolution. The Phishing Use Case also works with O365, and ThreatConnect can pull user information from Azure Active Directory using Microsoft’s API.
This app can be found in the ThreatConnect App Catalog under the name: Microsoft Windows Remote Management (WinRM).