Merge pull request #2265 from rinure-msft/master

Pull Request - SOC Process Framework Workbook and Get-SOCActions Playbook
2021-05-21 12:17:57 +12:00 · 2021-05-21 12:17:57 +12:00 · c382e7b782
--- a/Playbooks/Get-SOCActions/Get-SOCActions.json
+++ b/Playbooks/Get-SOCActions/Get-SOCActions.json
@ -0,0 +1,300 @@
+{
+    "definition": {
+        "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+        "actions": {
+            "Alert_-_Get_incident": {
+                "inputs": {
+                    "host": {
+                        "connection": {
+                            "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+                        }
+                    },
+                    "method": "get",
+                    "path": "/Incidents/subscriptions/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/resourceGroups/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/workspaces/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/alerts/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}"
+                },
+                "runAfter": {},
+                "type": "ApiConnection"
+            },
+            "Condition_2": {
+                "actions": {
+                    "Add_comment_to_incident_(V3)": {
+                        "inputs": {
+                            "body": {
+                                "incidentArmId": "@body('Alert_-_Get_incident')?['id']",
+                                "message": "<p>@{outputs('Compose')}</p>"
+                            },
+                            "host": {
+                                "connection": {
+                                    "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+                                }
+                            },
+                            "method": "post",
+                            "path": "/Incidents/Comment"
+                        },
+                        "runAfter": {
+                            "Compose": [
+                                "Succeeded"
+                            ]
+                        },
+                        "type": "ApiConnection"
+                    },
+                    "Compose": {
+                        "inputs": "<html><body>\n<h3>Incident Analysis Procedures</h3>\n<strong>Recommended Actions:</strong>\n<p><strong>Step 1: Group Events for Analysis</strong>\nThe Primary Analyst should review all events/Alerts in the Incident where necessary. \nIf analysis on any of the events/Alerts is expected to take longer than 5 - 15 minutes, the Primary Analyst will escalate the Incident to \"Open Incident\" by tagging it for review by the Secondary Analyst.\n\n<strong>Step 2: Understanding the Attack</strong>\nThe Primary Analyst should gather and understand the full context of the Incident. \nUse Bookmarks to record the following information (this will be added to the Incident TimeLine as an annotation/evidence): Identify Source IP / Destination IP Addresses.\n\n<strong>Step 3: Analyze and Assess the Impact of the Attack</strong>\nThe Analysts should investigate any Attack by using any/all internal and external tools and resources.</p>\n\n<p style=\"margin-left: 40px\"><strong>Additionally, all Analysts should be prepared to answer the following:</strong>\n   - Was the attempt successful?\n   - How many hosts are involved?\n   - Was the IP blocked by the FW or Proxy?\n   - Were any Customers impacted?\n<strong>What was the origin and/or details about the attacker IP?</strong>\n   - WhoIs, Domain tools\n   - Country, ISP, Business (what is the net block)\n<strong>What was attacked?</strong>\n   - DMZ\n   - Corporate systems\n   - Database(s)\n   - Application(s) - Web?\n<strong>What did they do (or try to do)?</strong>\n   - Identify all date-time-groups (DTG), attack timeline (fast/slow), time of day in source IP time zone.\n   - Identify a series of subtle events or rash of attacks (fast/slow)\n   - Same time of day vs. various times\n<strong>Where did they attack from?</strong>\n   - Identify the IP address of attacked system(s), external/internal/DMZ, applications, open ports, vulnerabilities, and usernames (if any).\n<strong>Why did they do it?</strong>\n   - Identify the purpose of the attack. Targeted or random?\n   - Web Defacement\n   - Admin access\n   - Reconnaissance\n   - Dos/DDoS or other outage\n<strong>How did they go about it?</strong>\n   - Identify the tool used (vulnerability scanner, port scanner), hand crafted, type of attack (buffer overflow, SQL injection, format string), protocol used, flags set, or other details.</p>\n\n<p><strong>Step 4: Determine What Action is Needed</strong> Depending on the severity of the event, an analyst may need to report the Incident in several manners. \nThe outcome of the analysis should prompt the analyst to perform one or more of the following actions. \nOnce one of the below actions are taken, the Incident should be tagged using the appropriate annotation/tagging as detailed in the Event Triage Workflow Procedures.\n<strong>Workflow Proceedures:</strong>\n   - Update/Tag/Close Incident(s)\n   - Report Incidents/Alerts/Events/Bookmarks in Shift Logs\n   - Escalate Incident(s) to IR Team - Use Tagging in Incident\n</p></body></html>",
+                        "runAfter": {},
+                        "type": "Compose"
+                    }
+                },
+                "else": {
+                    "actions": {
+                        "For_each": {
+                            "actions": {
+                                "Condition": {
+                                    "actions": {},
+                                    "else": {
+                                        "actions": {
+                                            "Add_comment_to_incident_(V3)_2": {
+                                                "inputs": {
+                                                    "body": {
+                                                        "incidentArmId": "@body('Alert_-_Get_incident')?['id']",
+                                                        "message": "<p>@{outputs('Compose_HTML_Output_False')}</p>"
+                                                    },
+                                                    "host": {
+                                                        "connection": {
+                                                            "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+                                                        }
+                                                    },
+                                                    "method": "post",
+                                                    "path": "/Incidents/Comment"
+                                                },
+                                                "runAfter": {
+                                                    "Compose_HTML_Output_False": [
+                                                        "Succeeded"
+                                                    ]
+                                                },
+                                                "type": "ApiConnection"
+                                            },
+                                            "Compose_HTML_Output_False": {
+                                                "inputs": "<html><body>\n<h3>Alert: @{items('For_each')['Alert']}</h3>\n<p><strong>Recommended Actions:</strong></p>\n<p>@{items('For_each')['A1']}\n@{items('For_each')['A2']}\n@{items('For_each')['A3']}\n@{items('For_each')['A4']}\n@{items('For_each')['A5']}\n@{items('For_each')['A6']}\n@{items('For_each')['A7']}\n@{items('For_each')['A8']}\n@{items('For_each')['A9']}\n@{items('For_each')['A10']}\n@{items('For_each')['A11']}\n@{items('For_each')['A12']}\n@{items('For_each')['A13']}\n@{items('For_each')['A14']}\n@{items('For_each')['A15']}\n@{items('For_each')['A16']}\n@{items('For_each')['A17']}\n@{items('For_each')['A18']}\n@{items('For_each')['A19']}\n</p></body></html>",
+                                                "runAfter": {},
+                                                "type": "Compose"
+                                            }
+                                        }
+                                    },
+                                    "expression": {
+                                        "and": [
+                                            {
+                                                "equals": [
+                                                    "@empty(items('For_each')['Alert'])",
+                                                    true
+                                                ]
+                                            }
+                                        ]
+                                    },
+                                    "runAfter": {},
+                                    "type": "If"
+                                }
+                            },
+                            "foreach": "@body('Parse_JSON')",
+                            "runAfter": {
+                                "Parse_JSON": [
+                                    "Succeeded"
+                                ]
+                            },
+                            "type": "Foreach"
+                        },
+                        "Parse_JSON": {
+                            "inputs": {
+                                "content": "@body('Run_query_and_list_results')?['value']",
+                                "schema": {
+                                    "items": {
+                                        "properties": {
+                                            "A1": {
+                                                "type": "string"
+                                            },
+                                            "A10": {
+                                                "type": "string"
+                                            },
+                                            "A11": {
+                                                "type": "string"
+                                            },
+                                            "A12": {
+                                                "type": "string"
+                                            },
+                                            "A13": {
+                                                "type": "string"
+                                            },
+                                            "A14": {
+                                                "type": "string"
+                                            },
+                                            "A15": {
+                                                "type": "string"
+                                            },
+                                            "A16": {
+                                                "type": "string"
+                                            },
+                                            "A17": {
+                                                "type": "string"
+                                            },
+                                            "A18": {
+                                                "type": "string"
+                                            },
+                                            "A19": {
+                                                "type": "string"
+                                            },
+                                            "A2": {
+                                                "type": "string"
+                                            },
+                                            "A3": {
+                                                "type": "string"
+                                            },
+                                            "A4": {
+                                                "type": "string"
+                                            },
+                                            "A5": {
+                                                "type": "string"
+                                            },
+                                            "A6": {
+                                                "type": "string"
+                                            },
+                                            "A7": {
+                                                "type": "string"
+                                            },
+                                            "A8": {
+                                                "type": "string"
+                                            },
+                                            "A9": {
+                                                "type": "string"
+                                            },
+                                            "Alert": {
+                                                "type": "string"
+                                            },
+                                            "Date": {
+                                                "type": "string"
+                                            },
+                                            "LastUpdatedTimeUTC": {
+                                                "type": "string"
+                                            },
+                                            "_DTItemId": {
+                                                "type": "string"
+                                            }
+                                        },
+                                        "required": [
+                                            "_DTItemId",
+                                            "LastUpdatedTimeUTC",
+                                            "A1",
+                                            "A10",
+                                            "A11",
+                                            "A12",
+                                            "A13",
+                                            "A14",
+                                            "A15",
+                                            "A16",
+                                            "A17",
+                                            "A18",
+                                            "A19",
+                                            "A2",
+                                            "A3",
+                                            "A4",
+                                            "A5",
+                                            "A6",
+                                            "A7",
+                                            "A8",
+                                            "A9",
+                                            "Alert",
+                                            "Date"
+                                        ],
+                                        "type": "object"
+                                    },
+                                    "type": "array"
+                                }
+                            },
+                            "runAfter": {},
+                            "type": "ParseJson"
+                        }
+                    }
+                },
+                "expression": {
+                    "and": [
+                        {
+                            "equals": [
+                                "@empty(body('Run_query_and_list_results')?['value'])",
+                                true
+                            ]
+                        }
+                    ]
+                },
+                "runAfter": {
+                    "Run_query_and_list_results": [
+                        "Succeeded"
+                    ]
+                },
+                "type": "If"
+            },
+            "Run_query_and_list_results": {
+                "inputs": {
+                    "body": "_GetWatchlist('SocRA') | where Alert == \"@{triggerBody()?['AlertDisplayName']}\"",
+                    "host": {
+                        "connection": {
+                            "name": "@parameters('$connections')['azuremonitorlogs']['connectionId']"
+                        }
+                    },
+                    "method": "post",
+                    "path": "/queryData",
+                    "queries": {
+                        "resourcegroups": "",
+                        "resourcename": "",
+                        "resourcetype": "Log Analytics Workspace",
+                        "subscriptions": "",
+                        "timerange": "@{utcNow()}"
+                    }
+                },
+                "runAfter": {
+                    "Alert_-_Get_incident": [
+                        "Succeeded"
+                    ]
+                },
+                "type": "ApiConnection"
+            }
+        },
+        "contentVersion": "1.0.0.0",
+        "outputs": {},
+        "parameters": {
+            "$connections": {
+                "defaultValue": {},
+                "type": "Object"
+            }
+        },
+        "triggers": {
+            "When_a_response_to_an_Azure_Sentinel_alert_is_triggered": {
+                "inputs": {
+                    "body": {
+                        "callback_url": "@{listCallbackUrl()}"
+                    },
+                    "host": {
+                        "connection": {
+                            "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+                        }
+                    },
+                    "path": "/incident-creation"
+                },
+                "type": "ApiConnectionWebhook"
+            }
+        }
+    },
+    "parameters": {
+        "$connections": {
+            "value": {
+                "azuremonitorlogs": {
+                    "connectionId": "/subscriptions/52548e0f-10c5-4ffa-8b5b-831eedda9f82/resourceGroups/GBB_LogicApps/providers/Microsoft.Web/connections/azuremonitorlogs-1",
+                    "connectionName": "azuremonitorlogs-1",
+                    "id": "/subscriptions/52548e0f-10c5-4ffa-8b5b-831eedda9f82/providers/Microsoft.Web/locations/eastus/managedApis/azuremonitorlogs"
+                },
+                "azuresentinel": {
+                    "connectionId": "/subscriptions/52548e0f-10c5-4ffa-8b5b-831eedda9f82/resourceGroups/GBB_LogicApps/providers/Microsoft.Web/connections/azuresentinel-1",
+                    "connectionName": "azuresentinel-1",
+                    "id": "/subscriptions/52548e0f-10c5-4ffa-8b5b-831eedda9f82/providers/Microsoft.Web/locations/eastus/managedApis/azuresentinel"
+                }
+            }
+        }
+    }
+}
--- a/Playbooks/Get-SOCActions/readme.md
+++ b/Playbooks/Get-SOCActions/readme.md
@ -0,0 +1,11 @@
+#Get-SOCActions
+author: Rin Ure
+
+This playbook will provide users with Recommended SOC Actions using a .csv file that they upload into a WatchList and give it the the Alias of "SocRA". This also contains steps an Analyst should consider taking when an Analytic has not been onboarded to the WatchList .csv file.
+
+<a href="https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FGet-SOCActions%2Fazuredeploy.json" target="_blank">
+    <img src="https://aka.ms/deploytoazurebutton""/>
+</a>
+<a href="https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FGet-SOCActions%2Fazuredeploy.json" target="_blank">
+<img src="https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/deploytoazuregov.png"/>
+</a>
--- a/Workbooks/Images/Preview/SOC
+++ b/Workbooks/Images/Preview/SOC
--- a/Workbooks/Images/Preview/SOC
+++ b/Workbooks/Images/Preview/SOC
--- a/Workbooks/Images/Preview/SOC
+++ b/Workbooks/Images/Preview/SOC
--- a/Workbooks/Images/Preview/SOC
+++ b/Workbooks/Images/Preview/SOC
--- a/Workbooks/Images/Preview/SOCProcessFrameworkCoverImage1Black.png
+++ b/Workbooks/Images/Preview/SOCProcessFrameworkCoverImage1Black.png
--- a/Workbooks/Images/Preview/SOCProcessFrameworkCoverImage1White.png
+++ b/Workbooks/Images/Preview/SOCProcessFrameworkCoverImage1White.png
--- a/Workbooks/Images/Preview/SOCProcessFrameworkCoverImage2Black.png
+++ b/Workbooks/Images/Preview/SOCProcessFrameworkCoverImage2Black.png
--- a/Workbooks/Images/Preview/SOCProcessFrameworkCoverImage2White.png
+++ b/Workbooks/Images/Preview/SOCProcessFrameworkCoverImage2White.png
--- a/Workbooks/SOCProcessFramework.json
+++ b/Workbooks/SOCProcessFramework.json
--- a/Workbooks/WorkbooksMetadata.json
+++ b/Workbooks/WorkbooksMetadata.json
@ -1350,5 +1350,18 @@
    "templateRelativePath": "ExchangeCompromiseHunting.json",
    "subtitle": "",
    "provider": "Microsoft"
+  },
+  {
+    "workbookKey": "SOCProcessFramework",
+    "logoFileName": "Azure_Sentinel.svg",
+    "description": "Built by Microsoft's Sentinel GBB's - This workbook contains years of SOC Best Practices and is intended to help SOCs mature and leverage industry standards in Operationalizing their SOC in using Azure Sentinel. It contains Processes and Procedures every SOC should consider and builds a high level of operational excellence.",
+    "dataTypesDependencies": [],
+    "dataConnectorsDependencies": [],
+    "previewImagesFileNames": ["SOCProcessFrameworkCoverImage1White.png", "SOCProcessFrameworkCoverImage1Black.png", "SOCProcessFrameworkCoverImage2White.png", "SOCProcessFrameworkCoverImage2Black.png"],
+    "version": "1.0",
+    "title": "SOC Process Framework",
+    "templateRelativePath": "SOCProcessFramework.json",
+    "subtitle": "",
+    "provider": "Azure Sentinel Community"
  }
 ]
--- a/docs/AZSentinelProcessHierarchySOC.png
+++ b/docs/AZSentinelProcessHierarchySOC.png
--- a/docs/Assess_and_Contain.png
+++ b/docs/Assess_and_Contain.png
--- a/docs/DocumentationCreateUpdateProcess.png
+++ b/docs/DocumentationCreateUpdateProcess.png
--- a/docs/EmailExample.png
+++ b/docs/EmailExample.png
--- a/docs/ExampleShiftLogEntry.png
+++ b/docs/ExampleShiftLogEntry.png
--- a/docs/Incident
+++ b/docs/Incident
--- a/docs/Incident
+++ b/docs/Incident
--- a/docs/IncidentTraigeWorkflow.png
+++ b/docs/IncidentTraigeWorkflow.png
--- a/docs/Mobilize.png
+++ b/docs/Mobilize.png
--- a/docs/OneNoteAnalystPage.png
+++ b/docs/OneNoteAnalystPage.png
--- a/docs/PostMortem.png
+++ b/docs/PostMortem.png
--- a/docs/Procedure
+++ b/docs/Procedure
--- a/docs/RemediateRecover.png
+++ b/docs/RemediateRecover.png
--- a/docs/SOCAnalystActionsByAlert.csv
+++ b/docs/SOCAnalystActionsByAlert.csv
@ -0,0 +1,29 @@
+Alert,A1,A2,A3,A4,A5,A6,A7,A8,A9,A10,A11,A12,A13,A14,A15,A16,A17,A18,A19,Date
+Suspicious PowerShell Command Line,1. Examine the PowerShell command line to understand what commands were executed. Note: the content may need to be decoded if it is Base64-encoded.,"2. Search the script for more indicators to investigate - for example IP addresses (potential C&C servers), target computers etc.",3. Explore the timeline of this and other related machines for additional suspect activities around the time of the alert.,4. Look for the process that invoked this PowerShell run and their origin. Consider submitting any suspect files in the chain for deep analysis for detailed behavior information.,5. Escalate and contact your incident response team for potential forensics analysis and remediation.,,,,,,,,,,,,,,,2/24/2021
+An Anamolous Scheduled Task was Created,"1. Validate the alert, collect artifacts, and determine scope.",2. Inspect the file or URL/IP for suspicious characteristics – is it digitally signed? How prevalent is it? Where is it located? Do the domain registration and hosting history look normal?,3. Review the machine timeline for suspicious activities that may have occurred before and after the time of the alert.,4. Look for the presence of relevant artifacts on other systems. Identify commonalities and differences between potentially compromised systems.,5. Submit relevant files for deep analysis and review resulting detailed behavioral information.,6. If alert characteristics and machine behavioral evidence constitute a true positive escalate and contact your incident response team for potential forensic analysis and remediation or contact Microsoft support for investigation and remediation services.,,,,,,,,,,,,,,2/24/2021
+Initiate containment & mitigation,1. Record all relevant artifacts to be used in mitigation rules and as new threat intel.,2. Contact the user to check if the observed behavior was intended.,3. Update AV signatures and run a full scan. The scan might reveal and remove previously-undetected malware components.,"4. Ensure that the machine has the latest security updates. In particular, ensure that you have installed the latest software, web browser, and Operating System versions.","5. If credential theft is suspected, reset all relevant users passwords.",6. Disconnect the machine from the network to prevent any threat attack progression.,7. Block communication with relevant URLs or IPs at the organization’s perimeter.,"8. If initial investigation confirms suspicions, escalate and contact your incident response team for forensic analysis or contact Microsoft support for investigation and remediation services.",,,,,,,,,,,,2/24/2021
+An Uncommon File was Created and Added to a Run Key,1. Examine the file in question. Do you recognize it?,2. Check the machine timeline for the machine in question. Do you see evidence of a breach?,3. Update AV signatures and run a full scan. This may uncover previously undetected indicators of compromise.,"4. If you determine this may be an attack, reset all relevant user passwords, disconnect the machine from the network to prevent any threat attack progression, escalate, and contact your incident response team for potential forensics analysis and remediation.",5. Work with your incident response team and Remove the registry key and file in question or contact Microsoft support for investigation and remediation services.,,,,,,,,,,,,,,,2/24/2021
+PowerShell dropped a Suspicious File on the Machine,1. Investigate the machine timeline for any other indicators around the time of this alert.,"2. Validate contextual information about the relevant components such as file prevalence, other machines it was observed on etc.","3. Run a full malware scan on the machine, this may reveal additional related components.",4. Consider submitting the relevant file(s) for deep analysis for detailed behavioral information.,"5. If initial investigation confirms suspicions, escalate and contact your incident response team for forensic analysis or contact Microsoft support for investigation and remediation services.",,,,,,,,,,,,,,,2/24/2021
+Device tried to access a phishing site,1. Investigate the machine timeline for any other indicators around the time of this alert.,"2. Validate contextual information about the relevant components such as file prevalence, other machines it was observed on etc.","3. Run a full malware scan on the machine, this may reveal additional related components.",4. Consider submitting the relevant file(s) for deep analysis for detailed behavioral information.,"5. If initial investigation confirms suspicions, escalate and contact your incident response team for forensic analysis or contact Microsoft support for investigation and remediation services.",,,,,,,,,,,,,,,2/24/2021
+MDE detected malware,1. Validate the alert and scope the suspected breach.,"2. Find related machines, network addresses, and files in the incident graph.",3. Check for other suspicious activities in the machine timeline.,"4. Locate unfamiliar processes in the process tree. Check files for prevalence, their locations, and digital signatures.",5. Submit relevant files for deep analysis and review file behaviors.,6. Identify unusual system activity with system owners.,"7. If you have validated the alert, contain and mitigate the breach.","8. Record relevant artifacts, including those you need in mitigation rules.",9. Stop suspicious processes. Block prevalent malware files across the network.,10. Isolate affected machines.,"11. Identify potentially compromised accounts. If necessary, reset passwords and decommission accounts.","12. Block relevant emails, websites, and IP addresses. Remove attack emails from mailboxes.",13. Update antimalware signatures and run full scans.,14. Make sure the machine is completely updated and all your software has the latest patch.,"15. Deploy the latest security updates for Windows, web browsers, and other applications.","16. Escalate - Contact your incident response team, or contact Microsoft support for investigation and remediation services. NOTE: If you don’t have an incident response team, contact Microsoft Support for architectural remediation and forensic.",17. Aditional Actions to Consider - Install and run Microsoft’s Malicious Software Removal Tool (see https://www.microsoft.com/download/malicious-software-removal-tool-details.aspx),18. Aditional Actions to Consider - Run Microsoft’s Autoruns utility and try to identify unknown applications that are configured to run at login (see https://technet.microsoft.com/sysinternals/bb963902.aspx).,19. Aditional Actions to Consider - Run Process Explorer and try to identify unknown running processes (see https://technet.microsoft.com/sysinternals/bb896653.aspx).,2/24/2021
+Internal Brute-Force Attack,1. Check with account owners to determine if the logon attempts were legitimate.,"2. Review processes responsible for the logon attempts. If the processes are unfamiliar and corresponding executables are not signed system files, submit the files for deep analysis and review detailed behavioral information from the analysis results.",3. Review the machine timeline for any suspicious activities that have occurred around the time of the alert. Identify and review other affected machines.,"4. If the attempts were malicious, review all successful attempts from the affected accounts. Contain and mitigate the breach—stop suspicious processes, isolate affected machines, decommission compromised accounts or reset their passwords, block IP addresses and URLs, and install security updates.","5. Escalate and contact your incident response team, or contact Microsoft support for forensic analysis and remediation services.",,,,,,,,,,,,,,,2/24/2021
+Unusual sequence of failed logons,1. Validate and scope the alert.,2. Check the source of the failed logon attempts. Contact system and account owners to identify unexpected activity.,3. Check other machines for suspicious network communications from the same location.,4. Check the timelines of all involved machines for other suspicious activities.,"5. Check the process tree of all involved machines for unfamiliar processes. Check files for prevalence, their locations, and digital signatures.",6. Submit relevant files for deep analysis and review file behaviors.,"7. Contain and mitigate the breach. Stop suspicious processes, isolate affected machines, decommission compromised accounts or reset passwords, block IP addresses and URLs, and install security updates.","8. Escalate - Contact your incident response team, or contact Microsoft support for investigation and remediation services.",,,,,,,,,,,,2/24/2021
+Impossible Travel Activity,1. Validate and scope the alert.,2. Check the source of the failed logon attempts for the user. Contact system and account owners to identify unexpected activity.,3. Check the location where the performed failed sign in activities came from. Check whether they originated outside of the users standard login location and how long before a login was noticed from their normal location. Within how many minutes?,"4. Check If the IP addresses are known and safe, add them in the IP address range page to improve the accuracy of the alerts. Otherwise if Malicious, add them to the ThreatIntelligence as Indicators/IOCs.","5. Escalate and contact your incident response team, or contact Microsoft support for forensic analysis and remediation services.",,,,,,,,,,,,,,,2/24/2021
+Suspicious Attachment Opened,1. Validate the alert.,2. Inspect the attachment. Review the process that opened it and its behaviors.,3. Check for other suspicious activities in the machine timeline.,"4. Locate unfamiliar processes in the process tree. Check files for prevalence, their locations, and digital signatures.",5. Submit relevant files for deep analysis and review file behaviors.,6. Identify unusual system activity with system owners.,"7. Scope the incident. Find related machines, network addresses, and files in the incident graph.","8. Contain and mitigate the breach. Stop suspicious processes, isolate affected machines, decommission compromised accounts or reset passwords, block IP addresses and URLs, and install security updates.","9. Escalate - Contact your incident response team, or contact Microsoft support for investigation and remediation services.",,,,,,,,,,,2/24/2021
+Password Spray,"1. Use Cloud Authentication - In the cloud, we see billions of sign-ins to Microsoft systems every day. Our security detection algorithms allow us to detect and block attacks as they’re happening. Because these are real time detection and protection systems driven from the cloud, they are available only when doing Azure AD authentication in the cloud (including Pass-Through Authentication).","2. If your using AAD, then your covered with Smart Lockout. If your using ADFS, enable Smart Lockout - https://docs.microsoft.com/windows-server/identity/ad-fs/operations/configure-ad-fs-extranet-smart-lockout-protection.",3. Use Attack Simulator to proactively evaluate your security posture and make adjustments - https://techcommunity.microsoft.com/t5/microsoft-security-and/announcing-the-public-preview-of-attack-simulator-for-office-365/ba-p/162412.,"4. Work with your Identity Global Admin and Enable MFA. A password is the key to accessing an account, but in a successful password spray attack, the attacker has guessed the correct password. To stop them, we need to use something more than just a password to distinguish between the account owner and the attacker. The three ways to do this are below:",4a. Risk-based MFA.,4b. Always-on MFA.,4c. Azure MFA as Primary Auth.,"5. NOTE: We strongly recommend enabling always-on multi-factor authentication for all admins in your organization, especially subscription owners and tenant admins. Seriously, go do this right now. For the best experience for the rest of your users, we recommend risk-based multi-factor authentication, which is available with Azure AD Premium P2 licenses. Otherwise, use Azure MFA for cloud authentication and ADFS. In ADFS, upgrade to ADFS on Windows Server 2016 to use Azure MFA as primary authentication, especially for all your extranet access.","6. Escalate and contact your incident response team, or contact Microsoft support for forensic analysis and remediation services.",,,,,,,,,,,2/24/2021
+Anonomous IP Address,"1. This risk event type indicates sign-ins from an anonymous IP address (e.g. Tor browser, anonymizer VPNs). Such IP addresses are commonly used by actors who want to hide their login telemetry (IP address, location, device, etc.) for potentially malicious intent. For more information - https://go.microsoft.com/fwlink/?linkid=2016442",2. Validate that the IP Address is Malicious.,3. Run Playbook Get-IPReputation - This pulls down known malicious info about the IP from VirusTotal.,"4. If no results return, IP is not listed. Validate the login with the User.","5. If results from VT are malicious, run VT Query in Sentinel.","6. Create a Bookmark, assign entities.",7. Attach Bookmark to current Incident.,8. Make notes of what known IOC's are associated with the IP Address.,9. Validate the login with the User if this step hasnt been done already.,"10. After validation, if the login was malicious, have the user reset their password.","11. Escalate - Contact your incident response team, or contact Microsoft support for investigation and remediation services.",,,,,,,,,2/24/2021
+Adaptive application control policy violation was audited,1. Review the list of applications that were run.,2. Review the application control policy that is applied to this machine by visiting the Adaptive Application Controls section in the Azure Security Center portal.,"3. Review the list of existing rules in each of the rule collections (publisher/path/hash), and identify the rules that have triggered an audit event for the above applications.","4. If you have identified a rule that should allow the above applications to run, review the users that ran them.","5. In case you wish to allow them and change the application control policy applied to this machine policy group, make sure to add them to the appropriate rules that you have identified in step #3. Otherwise - contact the specific user and escalate this alert for further investigation.","6. If the above applications are not currently allowed by one of the rules that you have identified in step #3, and in case that you wish to allow them, make sure to add a new rule to this machine policy group.",,,,,,,,,,,,,,2/24/2021
+Port Scan Detected,"1. Network scans may indicate legitimate activity, for example a new network device or new functionality on a device. Scanning activity may also be malicious.","2. For example the source device performing the scan may be carrying out network reconnaissance in order to test for and leverage potential vulnerabilities. If this succeeds, system configuration data and other critical information retrieved can be sent to attackers.","3. If the source device is an approved scanner, define it as a Scanning Device.","4. Escalate and contact your incident response team, or contact Microsoft support for forensic analysis and remediation services.",,,,,,,,,,,,,,,,2/24/2021
+Traffic detected from IP addresses recommended for blocking,1. Click the link: Investigate in Azure Defender.,2. Review the IP addresses and determine if they should be communicating with the virtual machine.,"3. Enforce the hardening rule recommended by Security Center which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly.","4. Escalate and contact your incident response team, or contact Microsoft support for forensic analysis and remediation services.",,,,,,,,,,,,,,,,2/25/2021
+Sign-in for different Locations than Subsidiaries,1. Click https://portal.azure.com/?#blade/Microsoft_AAD_IAM/SecurityMenuBlade/RiskyUsers.,2. Review the IP addresses and determine if typically logins using that IP.,3. Validate the login with the User.,4. Confirm User has been Compromised.,5. Escalate to your Incident Response Team or Resolve as False Positive and dismiss the Alert and downgrade the User Risk.,,,,,,,,,,,,,,,2/26/2021
+Email messages containing malware removed after delivery,1. Validate and scope the alert.,"2. Find related mailboxes, sender addresses, and files in the incident graph.",3. Validate the malware was removed from the users email.,4. Confirm the scope by looking up the sender under Campains,5. Open Campaign Report to validate findings.,6. Save Campaign Report as Evidence to Incident.,7. Escalate to your IR Team or Resolve by Soft Deleting any remaining Email with malware attached.,,,,,,,,,,,,,2/26/2021
+Email reported by user as malware or phish,1. Validate and scope the alert.,"2. Find related mailboxes, sender addresses, and files in the incident graph.",3. Validate the malware was removed from the users email.,4. Confirm the scope by looking up the sender under Campains,5. Open Campaign Report to validate findings.,6. Save Campaign Report as Evidence to Incident.,7. Escalate to your IR Team or Resolve by Soft Deleting any remaining Email with malware attached. ,,,,,,,,,,,,,2/26/2021
+Suspicious authentication activity,1. Enforce the use of strong passwords and do not re-use them across multiple resources and services,"2. In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges.","3. In case this is an Azure Virtual Machine, lock down access to it using network JIT","4. Contact your incident response team, or contact Microsoft support for investigation and remediation services.",,,,,,,,,,,,,,,,3/10/2021
+Suspicious attachment opened,1. Validate the alert.,2. Inspect the attachment. Review the process that opened it and its behaviors.,3. Check for other suspicious activities in the machine timeline.,"4. Locate unfamiliar processes in the process tree. Check files for prevalence, their locations, and digital signatures.",5. Submit relevant files for deep analysis and review file behaviors.,6. Identify unusual system activity with system owners.,"7. Scope the incident. Find related machines, network addresses, and files in the incident graph.","8. Contain and mitigate the breach. Stop suspicious processes, isolate affected machines, decommission compromised accounts or reset passwords, block IP addresses and URLs, and install security updates.","9. Escalate to your incident response team, or contact Microsoft support for investigation and remediation services.",,,,,,,,,,,3/10/2021
+A malicious file was detected based on indication provided by O365,1. Validate the alert and scope the suspected breach.,"2. Find related machines, network addresses, and files in the incident graph.",3. Check for other suspicious activities in the machine timeline.,"4. Locate unfamiliar processes in the process tree. Check files for prevalence, their locations, and digital signatures.",5. Submit relevant files for deep analysis and review file behaviors.,6. Identify unusual system activity with system owners.,"7. If you have validated the alert, contain and mitigate the breach.","8. Record relevant artifacts, including those you need in mitigation rules.",9. Stop suspicious processes. Block prevalent malware files across the network.,10. Isolate affected machines.,"11. Identify potentially compromised accounts. If necessary, reset passwords and decommission accounts.","12. Block relevant emails, websites, and IP addresses. Remove attack emails from mailboxes.",13. Update antimalware signatures and run full scans.,14. Make sure the machine is completely updated and all your software has the latest patch.,"15. Deploy the latest security updates for Windows, web browsers, and other applications.","16. Escalate - Contact your incident response team, or contact Microsoft support for investigation and remediation services.",17. Aditional Actions to Consider - Install and run Microsoft’s Malicious Software Removal Tool (see https://www.microsoft.com/download/malicious-software-removal-tool-details.aspx),18. Aditional Actions to Consider - Run Microsoft’s Autoruns utility and try to identify unknown applications that are configured to run at login (see https://technet.microsoft.com/sysinternals/bb963902.aspx).,19. Aditional Actions to Consider - Run Process Explorer and try to identify unknown running processes (see https://technet.microsoft.com/sysinternals/bb896653.aspx).,3/10/2021
+'Phonzy' malware was prevented,1. Collect artifacts and determine scope.,"2. Review the machine timeline for suspicious activities that may have occurred before and after the time of the alert, and record additional related artifacts (files, IPs/URLs).",3. Look for the presence of relevant artifacts on other systems. Identify commonalities and differences between potentially compromised systems.,4. Submit relevant files for deep analysis and review resulting detailed behavioral information.,5. Submit undetected files to the MMPC malware portal.,6. Initiate containment & mitigation.,7. Contact the user to verify intent and initiate local remediation actions as needed.,8. Update AV signatures and run a full scan. The scan might reveal and remove previously-undetected malware components.,"9. Ensure that the machine has the latest security updates. In particular, ensure that you have installed the latest software, web browser, and Operating System versions.","10. If credential theft is suspected, reset all relevant users passwords.",11. Block communication with relevant URLs or IPs at the organization’s perimeter.,"12. Escalate - Contact your incident response team, or contact Microsoft support for investigation and remediation services.",,,,,,,,3/10/2021
+'EICAR_Test_File' malware was prevented,1. Collect artifacts and determine scope.,"2. Review the machine timeline for suspicious activities that may have occurred before and after the time of the alert, and record additional related artifacts (files, IPs/URLs).",3. Look for the presence of relevant artifacts on other systems. Identify commonalities and differences between potentially compromised systems.,4. Submit relevant files for deep analysis and review resulting detailed behavioral information.,5. Submit undetected files to the MMPC malware portal.,6. Initiate containment & mitigation.,7. Contact the user to verify intent and initiate local remediation actions as needed.,8. Update AV signatures and run a full scan. The scan might reveal and remove previously-undetected malware components.,"9. Ensure that the machine has the latest security updates. In particular, ensure that you have installed the latest software, web browser, and Operating System versions.","10. If credential theft is suspected, reset all relevant users passwords.",11. Block communication with relevant URLs or IPs at the organization’s perimeter.,"12. Escalate - Contact your incident response team, or contact Microsoft support for investigation and remediation services.",,,,,,,,3/18/2021
+'Genasom' ransomware was prevented,1. Collect artifacts and determine scope.,"2. Review the machine timeline for suspicious activities that may have occurred before and after the time of the alert, and record additional related artifacts (files, IPs/URLs).",3. Look for the presence of relevant artifacts on other systems. Identify commonalities and differences between potentially compromised systems.,4. Submit relevant files for deep analysis and review resulting detailed behavioral information.,5. Submit undetected files to the MMPC malware portal.,6. Initiate containment & mitigation.,7. Contact the user to verify intent and initiate local remediation actions as needed.,8. Update AV signatures and run a full scan. The scan might reveal and remove previously-undetected malware components.,"9. Ensure that the machine has the latest security updates. In particular, ensure that you have installed the latest software, web browser, and Operating System versions.","10. If credential theft is suspected, reset all relevant users passwords.",11. Block communication with relevant URLs or IPs at the organization’s perimeter.,"12. Escalate - Contact your incident response team, or contact Microsoft support for investigation and remediation services.",,,,,,,,3/18/2021
+'WannaCrypt' ransomware was prevented,1. Collect artifacts and determine scope.,"2. Review the machine timeline for suspicious activities that may have occurred before and after the time of the alert, and record additional related artifacts (files, IPs/URLs).",3. Look for the presence of relevant artifacts on other systems. Identify commonalities and differences between potentially compromised systems.,4. Submit relevant files for deep analysis and review resulting detailed behavioral information.,5. Submit undetected files to the MMPC malware portal.,6. Initiate containment & mitigation.,7. Contact the user to verify intent and initiate local remediation actions as needed.,8. Update AV signatures and run a full scan. The scan might reveal and remove previously-undetected malware components.,"9. Ensure that the machine has the latest security updates. In particular, ensure that you have installed the latest software, web browser, and Operating System versions.","10. If credential theft is suspected, reset all relevant users passwords.",11. Block communication with relevant URLs or IPs at the organization’s perimeter.,"12. Escalate - Contact your incident response team, or contact Microsoft support for investigation and remediation services.",,,,,,,,3/18/2021
+Connection to a custom network indicator,1. Check the destination address. Note that this alert can be triggered by safe or reputable addresses in your custom indicator list.,"2. Review the process that initiated the connection. If the process is unfamiliar and the executable not a signed system file, submit the file for deep analysis and review detailed behavioral information from the analysis results. Initiate an antivirus scan to find previously undetected malware.","3. If you've confirmed this activity to be malicious, contain and mitigate the breach. Stop suspicious processes, isolate affected machines, decommission compromised accounts or reset their passwords, block IP addresses and URLs, and install security updates.","4. Escalate - Contact your incident response team, or contact Microsoft support for investigation and remediation services.",,,,,,,,,,,,,,,,3/18/2021
+Post-delivery detection of suspicious attachment,1. Validate the alert.,2. Inspect the attachment. Review the process that opened it and its behaviors.,3. Check for other suspicious activities in the machine timeline.,"4. Locate unfamiliar processes in the process tree. Check files for prevalence, their locations, and digital signatures.",5. Submit relevant files for deep analysis and review file behaviors.,6. Identify unusual system activity with system owners.,"7. Scope the incident. Find related machines, network addresses, and files in the incident graph.","8. Contain and mitigate the breach. Stop suspicious processes, isolate affected machines, decommission compromised accounts or reset passwords, block IP addresses and URLs, and install security updates.","9. Escalate - Contact your incident response team, or contact Microsoft support for investigation and remediation services.",,,,,,,,,,,3/18/2021
--- a/docs/Watch_and_Monitor.png
+++ b/docs/Watch_and_Monitor.png