Modules
Automation Modules make it easier to perform routine triage tasks by using preconfigured modules to retrieve and present data from your environment.
- Base Module
- Azure Active Directory Risks
- File Insights
- Kusto Query Language (KQL)
- Microsoft Defender for Cloud Apps (MCAS)
- Microsoft Defender for Endpoint
- Office 365 Out of Office
- Microsoft Sentinel Related Alerts
- Microsoft Sentinel Threat Intelligence
- Microsoft Sentinel User Entity Behavior Analytics
- Microsoft Sentinel Watchlists
- Risk Scoring
- Run Playbook
- Create Incident
The Base module processes incident or alert data and prepares it for consumption by other modules. This includes enriching entity data with Entra ID lookups and IP data with geolocation information. The Base module must be called before any other module in this solution, as it performs important data enrichment and normalization activities that the other modules rely on. It handles the following entity types:
- Account
- IP
- Host
- File
- FileHash
- DnsDomain
- URL
Parameter | Expected Values | Description
---|---|---
AddAccountComment | True/False (Default: True) | Add comment to Sentinel incident with account enrichments
AddIPComment | True/False (Default: True) | Add comment to Sentinel incident with IP enrichments
EnrichIPsWithGeoData | True/False (Default: True) | When set to true, IP address entities will be returned with geo enrichment data such as Country, City and LAT/LONG
Incident or Alert Body | Trigger Body (dynamic content) | Carries the body of the Sentinel Incident or Alert trigger data to the STAT function
MultiTenantConfig | Tenant configuration (see MSSP) | For cross-tenant deployments, this carries the necessary tenant information
VersionCheckType | Major/Minor/Build/None (Default: Build) | Configures what type of STAT updates you will be notified about, or disables all notifications
The Azure Active Directory Risks module will retrieve the level of risk of the users in Azure AD Identity Protection as well as MFA Fraud Reports and MFA Failures.
The File Insights module will check if the entities are found as email attachments and will run the FileProfile() function on the provided hashes.
The KQL module allows you to run custom KQL queries against Microsoft Sentinel or Microsoft 365 Security Advanced Hunting using the entity data from the Microsoft Sentinel incident.
The Microsoft Defender for Cloud Apps module will get the MCAS Investigation Score of the account entities of the incident.
The Microsoft Defender for Endpoint module will return the risk score and exposure level from Microsoft Defender for Endpoint of all the machines on which a user logged on interactively and for all machines with specified IP addresses.
The Out Of Office module takes user entity data and determines if the user has an Out of Office message set on their Office 365 mailbox.
The Related Alerts module takes the incident entity data and determines if other alerts about those same entities exist in Microsoft Sentinel within a specified timeframe.
The Threat Intelligence module takes the incident entities and allows you to cross-reference them against data in the ThreatIntelligenceIndicator table.
The UEBA module allows you to take user entity data and look up those users in the BehaviorAnalytics table to identify activities performed by the user that deviate from their previous patterns of behavior.
The Microsoft Sentinel Watchlists module allows you to compare entity data from an incident against a watchlist to determine if that entity is present. This supports watchlists containing columns with UserPrincipalNames, IP Addresses, or CIDR address blocks.
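The comparison the Watchlists module performs can also be expressed as a custom KQL module query, including the CIDR case. The query below is an added example, not STAT's own implementation; the watchlist name TrustedNetworks and its Address and Owner columns are assumptions, and the incident IPs are constructed sample values.

```kql
// Constructed sample standing in for the incident's IP entities (as normalized by the Base module)
let IncidentIPs = datatable(IPAddress:string)
[
    "203.0.113.10",
    "198.51.100.25",
    "192.0.2.77"
];
// Assumed watchlist: its Address column holds either a single IP or a CIDR block,
// and Owner is a free-text column describing who the range belongs to
let Watchlist = _GetWatchlist('TrustedNetworks')
| extend Address = tostring(Address)
// Normalize single addresses to /32 so every row can be treated as a range
| extend Cidr = iff(Address contains "/", Address, strcat(Address, "/32"))
| project Cidr, Owner = tostring(Owner);
IncidentIPs
// ipv4_lookup matches each IP against the CIDR ranges; return_unmatched keeps IPs with no hit
| evaluate ipv4_lookup(Watchlist, IPAddress, Cidr, return_unmatched=true)
| extend OnWatchlist = isnotempty(Cidr)
| project IPAddress, OnWatchlist, Cidr, Owner
```

Rows with OnWatchlist == false are the entities that did not match any single address or range in the watchlist, which is the signal a triage playbook would branch on.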
The Risk Scoring module takes the output from other STAT modules to calculate a relative risk score. This score can then be consumed by the calling Logic app to define different outcomes based on the score returned.
The Run Playbook module can be used to invoke other Microsoft Sentinel Playbooks. In situations where you are analyzing an incident using STAT, under certain conditions you may want to initiate other playbooks instead of incorporating the logic of those playbooks into your main STAT triage playbooks. This module allows you to reuse other playbooks as needed during an incident triage.
The Create Incident module allows for the creation of Sentinel incidents from a Sentinel alert where an incident does not already exist. This is useful when triaging large volumes of low-quality alerts to determine which should be elevated to an incident.