test
More

    Sentinel IP Enrichment with AbuseIPDB

    Cybersecurity threats and attacks are initiated on a continuous basis from almost every corner of the globe. Identifying and tracking these attacks is a core task for most security professionals. IP address data is one of the most effective weapons that professionals and organizations have in their arsenal to identify cyber threats and shut down malicious activity.

    Microsoft Sentinel provides a number of ways to perform IP enrichment and investigation. We’re going to look at using the AbuseIPDB service to automatically enrich incidents with details about the IP addresses in the incident. AbuseIPDB is a project dedicated to helping track malicious activity. It provides a central blacklist for security teams, system administrators, and other interested parties to report and find IP addresses that have been associated with malicious activity online.

    We will deploy an Azure Logic App that enriches the Incident and then configure Sentinel Automation Rules to generate a Comment with details about the IP addresses in the Incident.

    1. Create AbuseIPDB Account

    Go to https://www.abuseipdb.com/ and create a Free account. After you verify your account, you can create an API Key. Save the key for later.

    Graphical user interface, text, application

Description automatically generated

    2. Install Playbooks

    Navigate to the Content Hub in Microsoft Sentinel and find the AbuseIPDB solution.

    Graphical user interface, application

Description automatically generated

    Install the AbuseIPDB solution.

    Graphical user interface, text, application, email

Description automatically generated

    After installing, go back into Sentinel, and navigate to Automation > Playbook Templates. Find the AbuseIPDB Enrich Incident by IP Info playbook template.

    Graphical user interface, application

Description automatically generated

    Click on the playbook template, and in the Prerequisites, click on the Deploy Custom Connector to Azure link. Deploy the connector into the same Resource Group as Sentinel.

    Graphical user interface, text, application, email

Description automatically generated

    Graphical user interface, text, application, email

Description automatically generated

    After creating the Connector go back to the Playbook Templates and click Create Playbook.

    Graphical user interface, text, application, email

Description automatically generated

    Ensure the correct Subscription and Resource Group are selected. You can leave the Playbook name as the default. Unless you need enhanced logging, you don’t need to enable Log Analytics or Service Environment. Click Next: Parameters.

    Graphical user interface, text, application, email

Description automatically generated

    Leave the Name with the default value.

    Graphical user interface, text, application, chat or text message

Description automatically generated

    Click Review and Create on the Connections page.

    Graphical user interface, text, application, email

Description automatically generated

    There should be no errors on the Review and Create screen; click Create and Continue to designer.

    Graphical user interface, text, application, email

Description automatically generated

    3. Configure Playbook

    You will need to create a Managed Identity. Click Identity under the Settings section of the Logic App menu. Change the Status to On and click Save.

    Graphical user interface, text, application

Description automatically generated

    Once saved, you will see a button under Permissions. Click the Azure Role Assignments button.

    Graphical user interface, text, application, chat or text message

Description automatically generated

    Click Add Role Assignment. Select the Resource Group as the Scope, and select the Sentinel subscription and Resource Group. You need to select Contributor to allow the Logic App to update Incidents. Click Save.

    Graphical user interface, text

Description automatically generated with medium confidence

    Go back to the Logic App Designer. Click the first Connection to Microsoft Sentinel, add New Connection, and click the link for Connect with Managed Identity. Name the Connection and click Create.

    Graphical user interface, text, application, email

Description automatically generated

    Click the second Sentinel Connection and change the Connection to use the Managed Identity connection you just created.

    Graphical user interface, text, application, email

Description automatically generated

    Click on Check each IP in AbuseIPDB. Click on Connections. Click on the exclamation mark to update the Connection. Name the connection, and paste in the API Key from your AbuseIPDBAPI account that you created in the first step.

    Graphical user interface, text, application, email

Description automatically generated

    Click on the Append Result to Result List section. I’ve modified the default values to be more concise for investigations. Its also easier to navigate in an Incident. You can copy and paste the value below.

    {

    “Country”: @{body(‘AuseIPDB_CHECK_Endpoint’)?[‘data’]?[‘countryName’]},

    “abuseConfidenceScore”: @{body(‘AuseIPDB_CHECK_Endpoint’)?[‘data’]?[‘abuseConfidenceScore’]},

    “ipAddress”: @{body(‘AuseIPDB_CHECK_Endpoint’)?[‘data’]?[‘ipAddress’]},

    “isp”: @{body(‘AuseIPDB_CHECK_Endpoint’)?[‘data’]?[‘isp’]},

    “lastReportedAt”: @{body(‘AuseIPDB_CHECK_Endpoint’)?[‘data’]?[‘lastReportedAt’]},

    “totalReports”: @{body(‘AuseIPDB_CHECK_Endpoint’)?[‘data’]?[‘totalReports’]},

    “usageType”: @{body(‘AuseIPDB_CHECK_Endpoint’)?[‘data’]?[‘usageType’]}

    }

    Graphical user interface, text, application, email

Description automatically generated

    Click on the last Connections section. Change the Connection to the Managed Identity. Then modify the Comment Message. Remove the first Outputs, which is the logo, and remove the Header, just keep the HTML table output.

    Graphical user interface, text, application, email

Description automatically generated

    Click Save

    Graphical user interface, application

Description automatically generated

    4. Test the Playbook

    Go the Incident and find an Incident with an IP Address entity. From the Actions menu click Run Playbook, and select the AbuseIPDB Playbook.

    Graphical user interface, application

Description automatically generated

    Go to the Comments section and confirm a Comment was made.

    Graphical user interface, text, application

Description automatically generated

    5. Automate the Playbook Runs

    The easiest way to enable Playbook Automation is to go to open Incidents and select an Incident with IP Entites. Click Create Automation Rule.

    Graphical user interface, application, Word

Description automatically generated

    Modify the Conditions to remove the IP or Account conditions. Change the Actions to Run the new Playbook. Update the Rule Expiration to as far out as makes sense.

    Graphical user interface, text, application, email

Description automatically generated

    As new Incidents get created that match the Automation Rule, the Logic App will rule and update the Incident with IP information. During incident triage, an analyst can quickly review IP information and help assess threats faster.

    Recent Articles

    Security Trends – Q2 2024

    Small businesses are under increasing cyberattack threat. The global cost of cybercrime is predicted to skyrocket, reaching a staggering $23.84 trillion by...

    Basic Microsoft 365 Security Improvements

    Overview Securing Microsoft 365 tenants involves implementing various measures to protect data, prevent unauthorized access, and mitigate potential...

    Cyber Security Trends for 2024

    Summary The state of cybersecurity in 2024 reflects a dynamic and complex landscape shaped by technological advancements,...

    Content Filtering with Microsoft Defender for Endpoint

    Why is Content Filtering Important? Web content filtering is a critical element of a comprehensive information security strategy.

    Migrating to Azure AD Authentication Methods

    Azure AD Authentication Changes On September 30th, 2024, the legacy multifactor authentication and...

    Related Stories

    0 0 vote
    Article Rating
    Subscribe
    Notify of
    guest
    0 Comments
    Inline Feedbacks
    View all comments

    Stay on op - Ge the daily news in your inbox

    0
    Would love your thoughts, please comment.x
    ()
    x