История

Aaron Hoffman b6188e1c8e update MDE restrict indicator playbook metadata		2022-07-22 17:20:37 -04:00
..
alert-trigger	Fix more issues in validations	2022-02-27 12:32:57 +02:00
incident-trigger	update MDE restrict indicator playbook metadata	2022-07-22 17:20:37 -04:00
readme.md	Added missing readme file	2022-05-13 19:43:31 +01:00

readme.md

Restrict-MDEDomain

author: Nicholas DiCola

This playbook will take DNS entities and generate alert and block threat indicators for each domain in MDE for 90 days.

Quick Deployment

Deploy with incident trigger (recommended)

After deployment, attach this playbook to an automation rule so it runs when the incident is created.

Learn more about automation rules

Deploy with alert trigger

After deployment, you can run this playbook manually on an alert or attach it to an analytics rule so it will rune when an alert is created.

Prerequisites

For Gov Only You will need to update the HTTP action URL to the correct URL documented here
You will need to assign Microsoft Sentinel Responder role to the managed identity
You will need to grant Ti.ReadWrite permissions to the managed identity. Run the following code replacing the managed identity object id. You find the managed identity object id on the Identity blade under Settings for the Logic App.

$MIGuid = "<Enter your managed identity guid here>"
$MI = Get-AzureADServicePrincipal -ObjectId $MIGuid
$MDEAppId = "fc780465-2017-40d4-a0c5-307022471b92"
$PermissionName = "Ti.ReadWrite" 
$MDEServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$MDEAppId'"
$AppRole = $MDEServicePrincipal.AppRoles | Where-Object {$_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains "Application"}
New-AzureAdServiceAppRoleAssignment -ObjectId $MI.ObjectId -PrincipalId $MI.ObjectId `
-ResourceId $MDEServicePrincipal.ObjectId -Id $AppRole.Id

Screenshots

Incident Trigger

Alert Trigger