Deploying the Base Module of Microsoft Sentinel Triage Assistant (STAT) for Enhanced Incident Response Efforts

To begin, it’s important to note that there is a very good automation solution named Microsoft Sentinel Triage Assistant (STAT) created by Brian Delaney and Pierre Audonnet. This solution contains multiple modules that are designed to help incident response teams more effectively triage and respond to security incidents. The full solution is available for deployment here.

In this blog post, we will focus on discussing the process of deploying the base module of the Microsoft Sentinel Triage Assistant (STAT) to enhance incident response efforts by enriching entity data in Microsoft Sentinel Incidents.

The base module of STAT extracts entity data from Microsoft Sentinel Incidents and enriches it by adding additional information and context to the entities such as reputation, geographic location, and other relevant data. This enriched data is then added as a comment in the incident’s comment section, providing more detailed and actionable information for incident response teams to use in their investigations. The base module of STAT currently supports the following entity types: Accounts, IPs, Hosts, Files, FileHashes, DNS Domains, and URLs. By deploying the base module, incident response teams can automate the process of gathering and enriching entity data, saving time and resources.

To begin the process of deploying the base module, the first step is to download the ARM template from here. Once the ARM template is downloaded. To deploy the base module using the ARM template, you need to go to the Azure Portal, and then search for and select “Deploy a custom template.” Next, select “Build your own template in the editor” and upload the ARM template that you downloaded earlier. After the template is uploaded, click on “Save” to start the deployment process. As shown in below screenshot.

The next step is to select the Subscription, Resource group, and Region, and rename the playbook. Review the information and click “Create” to start the deployment process.

Once the deployment is complete, a logic app and Azure API connection will be deployed. As shown in below screenshot.

To ensure the playbook has the necessary permissions and roles, scripts must be run in Azure Cloud Shell. These scripts assign the required permissions and roles to the managed identity of the logic app. Be sure to replace the placeholders in the script with the correct information for your deployment.

Connect-AzureAD

# Enter depolyed logic app manged identity Object ID, subscrition ID and resource group details below:
$MIGuid = ""
$SubscriptionId = ""
$ResourceGroupName = ""

$MI = Get-AzureADServicePrincipal -ObjectId $MIGuid 
$GraphAppId = "00000003-0000-0000-c000-000000000000"
$PermissionName1 = "User.Read.All"
$PermissionName2 = "Reports.Read.All"
$PermissionName3 = "RoleManagement.Read.Directory"
$SentinelRoleName = "Microsoft Sentinel Responder"
 
$GraphServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$GraphAppId'"
$AppRole1 = $GraphServicePrincipal.AppRoles | Where-Object {$_.Value -eq $PermissionName1 -and $_.AllowedMemberTypes -contains "Application"}
New-AzureAdServiceAppRoleAssignment -ObjectId $MI.ObjectId -PrincipalId $MI.ObjectId -ResourceId $GraphServicePrincipal.ObjectId -Id $AppRole1.Id
 
$AppRole2 = $GraphServicePrincipal.AppRoles | Where-Object {$_.Value -eq $PermissionName2 -and $_.AllowedMemberTypes -contains "Application"}
New-AzureAdServiceAppRoleAssignment -ObjectId $MI.ObjectId -PrincipalId $MI.ObjectId -ResourceId $GraphServicePrincipal.ObjectId -Id $AppRole2.Id
 
$AppRole3 = $GraphServicePrincipal.AppRoles | Where-Object {$_.Value -eq $PermissionName3 -and $_.AllowedMemberTypes -contains "Application"}
New-AzureAdServiceAppRoleAssignment -ObjectId $MI.ObjectId -PrincipalId $MI.ObjectId -ResourceId $GraphServicePrincipal.ObjectId -Id $AppRole3.Id

New-AzRoleAssignment -ObjectId $MIGuid -RoleDefinitionName $SentinelRoleName -Scope /subscriptions/$SubscriptionId/resourcegroups/$ResourceGroupName

To run the playbook on demand for specific incidents, another logic app can be created, called “Call-Base-Module-Playbook.” This logic app calls the base module logic app. Follow the below screenshot to create a simple logic app that will call base module logic app.

Finally, assign the Microsoft Sentinel Playbook Operator or Microsoft Sentinel Responder role to the managed identity of the logic app “Call-Base-Module-Playbook”. After assigning the role, test the playbook on incident. The playbook will comment on the enriched data about entities in the incident’s comment section.

Please note that this is a test environment, so the incident used in this demonstration is not include all supported entities. In a real-world scenario, the base module of STAT would extract and enrich data for all supported entities in an incident.

In conclusion, the base module of the Microsoft Sentinel Triage Assistant (STAT) can enhance incident response efforts by automating the process of enriching entity data in incidents and commenting them. By following the steps outlined in this post, organizations can deploy the base module and improve their incident response process.