Microsoft Threat Intelligence

This integration is ThreatConnect’s first AI powered LLM integration. At a high level, this integration allows ThreatConnect users to query and summarize ThreatConnect Intelligence from the copilot standalone experience. Indicators, groups and intelligence requirements can all be queried, investigated and summarized for faster research and investigations. As a delighter, users can also generate TQL queries that can help them with their research and run those directly from the Copilot standalone experience console.  Search, investigate and summarize.

Skills versus NLP

For most users, using the natural language processing on Copilot is the norm. However, since there are many plugins, sometimes the wrong plugins get chosen. Therefore, we chose to utilize the skills format in Copilot to make it easier for users to specify the ThreatConnect Plugin. Of course, the user can use either one they like. 

Some examples of how both can be used is shown below.

 Skill Prompt

/tcGetIndicators 1.1.1.1 

/tcGetGroups adversary called “Fancy Bear”

Natural language Processing Prompt 

What does ThreatConnect know about 1.1.1.1? 

What does ThreatConnect know about Fancy Bear?

Skill

 /tcGetIndicators

Searches ThreatConnect for indicator information. The results returned will usually include the indicator’s information, tags and attributes. Multiple results can also be returned in either a list or table format. 

Examples:

 /tcGetIndicators 1.2.3.4

/tcGetIndicators example@example.com 

/tcGetIndicators indicators created in the past 12 months in the source "CrowdStrike Falcon Intelligence" and has tag "Threat Type: Criminal" with at least one observation and no false positive reports

/tcGetGroups 

Searches ThreatConnect for group information.

The results returned will usually include the group’s  description, tags and attributes. Multiple results can also be returned in either a list or table format. 

Examples:

/tcGetGroups Adversary called Mustang Panda

/tcGetGroups CVE-2024-21743

/tcGetGroups malware group associated with an ip address indicator and the indicator having a tag of "Threat Type: RAT"

/tcGetGroupById 

Searches ThreatConnect for a group by Its ThreatConnect group id.  The results returned will usually include the group’s  description, tags and attributes. 

Examples:

/tcGetGroupById 1125899927003855

/tcGetIR 

Searches ThreatConnect for Intelligence requirements.

Examples:

/tcGetIRResults intel requirement IR-001-2022.1

/tcGetIRResults 

Get indicators and groups related to intelligence requirements either in local results or global results which must be specified. 

Examples:

/tcGetIRResults global results for IR-010-2022

/tcGetIRResults local  results for IR-010-2022

/tcGenerateBasicTQL

Generate ThreatConnect Query Language Queries which can be used to query a ThreatConnect instance. 

Examples:

/tcGenerateBasicTQL report that was made in february

/tcGenerateBasicTQL locate the following groups that match the names CVE-2024-5806, CVE-2024-5806, CVE-2024-6387

PromptBooks

Once clear workflows are defined using the skills above, users can then save sessions as promptbooks which can be run to save time on similar investigation tasks. Rinse and repeat. Save time.

With the Microsoft Defender for Endpoint Playbook and Service App, you can ingest alerts into ThreatConnect and then automate triage and investigative actions across your security stack. This app provides a powerful set of actions that can be leveraged within a larger security workflow orchestration or even simple automation. Immediate actions can be taken to investigate, stop, and remediate potential threats at the endpoint based on external threat intelligence. The following actions are available:

• Add Machine Tags - Action to add a tag to a machine.
• Advanced Hunting - Action for advance hunting.
• Collect Investigation Package - Action to collect investigation package for a machine. As this action may take time for a result to return, the playbook retry functionality is required for full processing and to return the binary/zip package.
• Delete All Indicators - Action to delete all indicators.
• Delete Indicators - Action to delete identified indicators.
• Get Investigation Package - Action to download an investigation package after Collect Investigation Package has been run.
• Get Alert - Action to retrieve an Alert.
• Get Investigation - Action to get an investigation.
• Get Machine - Action to get information about a machine.
• Get Machine Action - Action to get information about a machine action.
• Get Machine Related Alerts - Action to get a machine's related alerts.
• Get Machine Logged on Users - Action to get a machine's logged in users.
• Get Machine Installed Software - Action to get a machine's installed software.
• Get Machine Discovered Vulnerabilities - Action to a machines discovered vulnerabilities.
• Isolate Machine - Action to isolate a machine.
• List Indicators - Action to list indicators.
• List Machines - Action to list machines.
• Remove Machine Tags - Action to remove a tag from a machine.
• Restrict App Execution - Action to restrict an app from executing.
• Run Antivirus Scan - Action to run an antivirus scan.
• Start Investigation - Action to start an investigation.
• Stop and Quarantine File - Action to stop and quarantine a file.
• Submit Indicators - Action to submit indicators.
• Unisolate Machine - Action to unisolate a machine.
• Unrestrict App Execution - Action to allow an app to execute.
• Update Alert - Action to update an alert.

For more information, including how to choose permissions, please see here.

There is both a Playbook App and Service App for this integration. They can be found in the ThreatConnect App Catalog under the names Microsoft Defender for Endpoint (Playbook), Microsoft Defender for Endpoint Service (Custom Trigger)

The Polarity - Microsoft 365 Defender Integration allows you to search for Emails assigned to Alerts and Incidents, along with the ability to run Advanced Threat Hunting Kusto Queries on all entity types from Microsoft 365 Defender. Enabling analysts to quickly search their Defender instance for breach and alert information.

Examples

Microsoft 365 Defender Data Overview

• Email Attachment Details: When the analyst drills into the details they can get more context on the file types, who it was from and more. Enabling analysts to see the different email attachments associated with the user.
• Summary Tags: When an analyst runs a search with the Microsoft 365 Defender integration, they can quickly get context around the number of results associated with the indicator and the files caught when processing them associated with the user.

ThreatConnect has released a Playbook App and a Service App for joint Microsoft Exchange customers to leverage Microsoft Exchange Web Services (EWS). With these apps, you can automate email investigation and response actions with Microsoft Exchange using the EWS API. The EWS Service App pulls messages from an Exchange mailbox on a schedule into a target folder for processing, while the EWS Playbook App allows you to automatically monitor emails for attacks and orchestrate a response within ThreatConnect.

The EWS Playbook App integration allows these automated actions:

• Get Attachment: Action to retrieve a suspicious or flagged email attachment
• Get Message: Action to retrieve a suspicious or flagged email message
• Move Message: Action to move a suspicious or flagged message into a target folder for investigation
• Delete Message: Action to remove a suspicious or flagged message
• Search Mailboxes: Search specific email accounts for messages or attachments that breach policy or are flagged as suspicious

The EWS Service App allows the following actions:

• Pull Exchange email messages on a schedule
• Put emails in a target folder for processing

The Playbook App can be found in the ThreatConnect App Catalog listed as Microsoft Exchange Web Services (EWS), and the Service App is listed as Microsoft Exchange Web Services (EWS) Service as a Custom Trigger.

With these apps, you can automatically trigger a Playbook once you receive an email in a phishing mailbox in Office 365. The Playbook will then parse the email and any attachments and orchestrate an investigation of the email using a combination of ThreatConnect intelligence, ThreatConnect’s CAL™, malware analysis tools, and data enrichment sources. If the email is suspicious or requires further remediation, ThreatConnect can create a Case leveraging our new Workflow feature and assign it to an analyst for further investigation and remediation.
The Microsoft Graph Mail Message Playbook App allows for the following actions:

• Get Message: Get a message by folder path and message ID.
• Parse Message: Parses the notification data delivered by a subscription alert for an email.
• List Messages: List messages in a folder based on any filter criteria that are provided. The list will be unsorted, and only the first 100 results will be returned.
• List Message Attachments: List all of the attachment IDs to a message in graph.message.attachments.list.
• Copy Message: Copy a message to a new destination folder.
• Move Message: Move a message to a new destination folder.
• Update Message: Update message values.

The Microsoft Graph Mail Messages Service App monitors mailboxes for new mail and calls a playbook trigger for each mail in the mailbox. The triggered playbook is expected to move the mail to another mailbox during processing; otherwise the mail may be reprocessed during the next check interval.

These apps can be found in the ThreatConnect App Catalog under the following names: Microsoft Graph Mail Messages and Microsoft Graph Mail Messages Service

The integration between ThreatConnect and the Microsoft Graph API enables many use cases across the Microsoft portfolio. Below are apps and actions:

• Microsoft Graph Notifications: This Service App allows users to subscribe to Graph Notification webhooks.

The Microsoft Graph Notification Service subscribes to change notifications originating with the Microsoft Graph cloud services. One or more resources are subscribed to by Playbook applications, and the Playbooks are triggered when a change notification arrives for that subscription.

This app can be found in the ThreatConnect App Catalog under the name Microsoft Graph Notification Service.

You can now easily send indicators to products like Microsoft Defender ATP (Advanced Threat Protection) and Azure Sentinel using the Microsoft Graph Security Threat Indicators Playbook App or Job App. The job app allows you to send thousands of indicators in bulk (vs. tactically with the Playbook app). ThreatConnect helps to increase accuracy and efficiency in your organization by ensuring that only high-fidelity indicators are being sent to Microsoft Graph to be sent further along to products like Microsoft Defender ATP and Azure Sentinel. Once indicators have made it to these products, you can set up alerts and block actions for them. When alerts are generated based on intelligence from ThreatConnect, you’ll feel confident to make fast and informed decisions. Below are apps and use cases:

• Microsoft Graph Security Alerts: List, Get and Update Graph Security Alerts.
• Microsoft Graph Security Threat Indicators: Enables users to send Indicators from ThreatConnect into Microsoft Graph Security for alerting and blocking with target products like Azure Sentinel and Microsoft Defender ATP. Tens of thousands of indicators can be sent in bulk from ThreatConnect in Sentinel. The integration supports Indicator types of Address, Host, CIDR, URL, User Agent, Email Address, Email Subject, and File (MD5, SHA1, and SHA256), along with the relevant context for each Indicator type.

These apps can be found in the ThreatConnect App Catalog under the following names: Microsoft Graph Security Threat Indicators and Microsoft Graph Security Alerts.

With this Playbook App, you can create a channel in Microsoft Teams as part of an investigation process and then post relevant updates to the channel as the investigation unfolds. You can also use it to request permission for action or notify a user that they need to take an action. Included actions with this Playbook app are:

• Create a Channel
• Send Chat Message

This app can be found in the ThreatConnect App Catalog under the name: Microsoft Graph Teamwork.

With this Playbook App, you can get Microsoft Azure Active Directory User account information including Groups and Applications the user has access to. This information can be used for making automated decisions about the next steps to take in the investigation as well as helping you to have all the information you need without having to collect it manually. Some example use cases with this app are:

• As part of a security process, get user account information from Azure Active Directory. This information can be used for making automated decisions about next steps to take in the investigation as well as helping analysts have the information they need without having to collect it manually.
• During a security investigation, it’s often necessary to suspend a user’s account for a time period while the investigation takes place and analysts can confirm that the account is not compromised. This action can be automated as part of a Workflow or Playbook. Later in the process, the account can be unsuspended and the password can be reset automatically. Additionally, the user can be forced to reset their password at the next logon.

The following actions are available:

• Get User - Get User retrieves the properties and relationships of the user object.
• Update User - Update the properties of a user object.

This app can be found in the ThreatConnect App Catalog under the name: Microsoft Graph Users.

ThreatConnect can integrate with Microsoft Active Directory, taking advantage of Windows Remote Management and Powershell scripts. This allows the user to take a more incident response-focused approach to gather user information, running processes and other telemetry from the Windows workstation and server platforms. Other Microsoft use cases for incident response include user attribution along with Windows machine name resolution. The Phishing Use Case also works with O365 and ThreatConnect can pull user information from Azure Active Directory using Microsoft’s API.

This app can be found in the ThreatConnect App Catalog under the name: Microsoft Windows Remote Management (WinRM).

The Polarity - Microsoft SQL server allows users to quickly connect to a SQL server database. Allowing the analysts to run a SQL search to return information about different indicators.

The Polarity - Sharepoint integration searches information for related documented against Microsoft Sharepoint's APIs. Enabling analysts to quickly reference any documentation they might need to be aware of, allowing quick decisions and complete data awareness.

Examples

Sharepoint Data Overview

• Summary Tags: When searching indicators in Sharepoint, analysts can quickly reference the associated documents in Sharepoint sites that the integration is set up to search. Enabling analysts to quickly see associated documents indicators are a part of.
• Document Details: When drilling into the details of an integration analysts can quickly see information on the documents and then pivot out to view the document in Sharepoint. Allowing analysts to quickly pivot to the documents.

The Polarity - Sharepoint Enterprise integration allows freeform text searching for IPs, Hashes, domains, and emails in your Sharepoint instance and retrieves related documents.

For more information on Sharepoint, please visit: (https://products.office.com/en-us/sharepoint/collaboration).

Check out the integration in action:

The Polarity - Windows Security Events integration searches a list of pre-defined Windows security events allowing an analyst to quickly understand what the code is an how to address what might be occurring.

Examples

Windows Security Events Data Overview

• Summary Tags: When running a search with Windows Security Events, analysts can quickly understand what the code relates to, in order to quickly troubleshoot what might be occurring.
• Event Details: When drilling into the details of the integration, analysts can quickly get more context about the event. Quickly understanding what the categories and Operating systems it applies to.

The Polarity - LDAP integration enables analysts to search their active directory or LDAP authentication systems for emails and usernames. Enabling analysts to quickly understand who a user is, if they are in violation of any user policies etc. Allowing analysts to quickly make a decision on how the user might be affected, or if they are in violation of any policies.

Examples

LDAP Data Overview

• Summary Tags: Analysts can quickly understand who a user is, what policies are granted to the user and when they had last set their password all without drilling in for more information. Enabling quick triage of the user.
• User Information: When drilling into the details of the LDAP integration analysts can quickly get additional information on the user such as: their full name, when the account was created and even how long they have been locked out of the system.
• User Account Control: Analysts can also quickly see the users account control information to see if there are any special privileges granted to the account.
• Groups: Finally analysts can quickly get an understanding of what groups the user is in and drill into more information on those groups.

Polarity - RiskIQ integration allows Polarity to search RiskIQ Security Intelligence Services (SIS API) to return threat information on IPs, Domains and URLs. Enabling analysts to quickly have the context they need to make decisions.

With the Process Graph Mail Notifications Playbook template, you can quickly denote and triage malicious phishing emails.

This Playbook template can be found in the ThreatConnect App Catalog under the name: [Microsoft O365 Phishing] Process Graph Mail Notifications