diff --git a/Solutions/Microsoft Defender Threat Intelligence/Playbooks/MDTI-Automated-Triage/readme.md b/Solutions/Microsoft Defender Threat Intelligence/Playbooks/MDTI-Automated-Triage/readme.md index cc4aaaa8677..919ac331a3e 100644 --- a/Solutions/Microsoft Defender Threat Intelligence/Playbooks/MDTI-Automated-Triage/readme.md +++ b/Solutions/Microsoft Defender Threat Intelligence/Playbooks/MDTI-Automated-Triage/readme.md 
@@ -4,7 +4,7 @@ This playbook uses the [Microsoft Defender Threat Intelligence](https://learn.microsoft.com/en-us/defender/threat-intelligence/what-is-microsoft-defender-threat-intelligence-defender-ti) Reputation data to automatically enrich incidents generated by Microsoft Sentinel. Indicators from an incident will be evaluated with MDTI [Reputation](https://learn.microsoft.com/en-us/defender/threat-intelligence/reputation-scoring) data. If any indicators are labeled as "suspicious", the incident will be tagged as such and its severity will be marked as "medium". If any indicators are labeled as "malicious", the incident will be tagged as such and its severity will be marked as "high". Regardless of the reputation state, comments will be added to the incident outlining the reputation details with links to further information if applicable. ## Prerequisites -1. This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [MDTI-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Microsoft%20Defender%20Threat%20Intellingence/Playbooks/MDTI-Base/azuredeploy.json) this playbook. If you have trouble accessing your account or your credentials contact your account representative or reach out to discussMDTI[@]microsoft.com. +1. This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [MDTI-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Microsoft%20Defender%20Threat%20Intelligence/Playbooks/MDTI-Base/azuredeploy.json) this playbook. If you have trouble accessing your account or your credentials contact your account representative or reach out to discussMDTI[@]microsoft.com. 2. This playbook requires "Microsoft Sentinel Contributor" role to update Incidents. 
@@ -24,4 +24,4 @@ After deploying the playbook, you must authorize the connections leveraged. 2. Under "Development Tools" (located on the left), click "API Connections". 3. Ensure each connection has been authorized. -**Note: If you've deployed the [MDTI-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Microsoft%20Defender%20Threat%20Intellingence/Playbooks/MDTI-Base/azuredeploy.json) playbook, you will only need to authorize the Microsoft Sentinel connection.** +**Note: If you've deployed the [MDTI-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Microsoft%20Defender%20Threat%20Intelligence/Playbooks/MDTI-Base/azuredeploy.json) playbook, you will only need to authorize the Microsoft Sentinel connection.** diff --git a/Solutions/Microsoft Defender Threat Intelligence/Playbooks/MDTI-Data-Cookies/readme.md b/Solutions/Microsoft Defender Threat Intelligence/Playbooks/MDTI-Data-Cookies/readme.md index 4d17eae255f..e61f8339e97 100644 --- a/Solutions/Microsoft Defender Threat Intelligence/Playbooks/MDTI-Data-Cookies/readme.md +++ b/Solutions/Microsoft Defender Threat Intelligence/Playbooks/MDTI-Data-Cookies/readme.md 
@@ -4,7 +4,7 @@ This playbook uses the [Microsoft Defender Threat Intelligence](https://learn.microsoft.com/en-us/defender/threat-intelligence/what-is-microsoft-defender-threat-intelligence-defender-ti) Cookies data to automatically enrich incidents generated by Microsoft Sentinel. Leverage this playbook in order to enrich your incidents with [Cookies](https://learn.microsoft.com/en-us/defender/threat-intelligence/data-sets#cookies) data hosted by the indicators found within the incident. Cookies are small pieces of data sent from a server to a client as the user browses the internet. These values sometimes contain a state for the application or little bits of tracking data. Defender TI highlights and indexes cookie names observed when crawling a website and allows users to dig into everywhere we have observed specific cookie names across its crawling and data collection. Cookies are also used by malicious actors to keep track of infected victims or store data to be used later. ## Prerequisites -1. This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [MDTI-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Microsoft%20Defender%20Threat%20Intellingence/Playbooks/MDTI-Base/azuredeploy.json) this playbook. If you have trouble accessing your account or your credentials contact your account representative or reach to discussMDTI[@]microsoft.com. +1. This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [MDTI-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Microsoft%20Defender%20Threat%20Intelligence/Playbooks/MDTI-Base/azuredeploy.json) this playbook. If you have trouble accessing your account or your credentials contact your account representative or reach to discussMDTI[@]microsoft.com. 2. This playbook requires "Microsoft Sentinel Contributor" role to update Incidents. ## Deployment 
@@ -23,4 +23,4 @@ After deploying the playbook, you must authorize the connections leveraged. 2. Under "Development Tools" (located on the left), click "API Connections". 3. Ensure each connection has been authorized. -**Note: If you've deployed the [MDTI-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Microsoft%20Defender%20Threat%20Intellingence/Playbooks/MDTI-Base/azuredeploy.json) playbook, you will only need to authorize the Microsoft Sentinel connection.** \ No newline at end of file +**Note: If you've deployed the [MDTI-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Microsoft%20Defender%20Threat%20Intelligence/Playbooks/MDTI-Base/azuredeploy.json) playbook, you will only need to authorize the Microsoft Sentinel connection.** \ No newline at end of file diff --git a/Solutions/Microsoft Defender Threat Intelligence/Playbooks/MDTI-Data-WebComponents/readme.md b/Solutions/Microsoft Defender Threat Intelligence/Playbooks/MDTI-Data-WebComponents/readme.md index c002848965a..cd24e4ccdd4 100644 --- a/Solutions/Microsoft Defender Threat Intelligence/Playbooks/MDTI-Data-WebComponents/readme.md +++ b/Solutions/Microsoft Defender Threat Intelligence/Playbooks/MDTI-Data-WebComponents/readme.md 
@@ -4,7 +4,7 @@ This playbook uses the [Microsoft Defender Threat Intelligence](https://learn.microsoft.com/en-us/defender/threat-intelligence/what-is-microsoft-defender-threat-intelligence-defender-ti) components data to automatically enrich incidents generated by Microsoft Sentinel. Leverage this playbook in order to enrich your incidents with [Webcomponents](https://learn.microsoft.com/en-us/defender/threat-intelligence/data-sets#components) data hosted by the indicators found within the incident. These components allow a user to understand the makeup of a webpage or the technology and services driving a specific piece of infrastructure. Pivoting on unique components can find actors' infrastructure or other sites that are compromised. Users can also understand if a website might be vulnerable to a specific attack or compromise based on the technologies that it is running. ## Prerequisites -1. This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [MDTI-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Microsoft%20Defender%20Threat%20Intellingence/Playbooks/MDTI-Base/azuredeploy.json) this playbook. If you have trouble accessing your account or your credentials contact your account representative or reach to discussMDTI[@]microsoft.com. +1. This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [MDTI-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Microsoft%20Defender%20Threat%20Intelligence/Playbooks/MDTI-Base/azuredeploy.json) this playbook. If you have trouble accessing your account or your credentials contact your account representative or reach to discussMDTI[@]microsoft.com. 2. This playbook requires "Microsoft Sentinel Contributor" role to update Incidents. ## Deployment 
@@ -23,4 +23,4 @@ After deploying the playbook, you must authorize the connections leveraged. 2. Under "Development Tools" (located on the left), click "API Connections". 3. Ensure each connection has been authorized. -**Note: If you've deployed the [MDTI-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Microsoft%20Defender%20Threat%20Intellingence/Playbooks/MDTI-Base/azuredeploy.json) playbook, you will only need to authorize the Microsoft Sentinel connection.** +**Note: If you've deployed the [MDTI-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Microsoft%20Defender%20Threat%20Intelligence/Playbooks/MDTI-Base/azuredeploy.json) playbook, you will only need to authorize the Microsoft Sentinel connection.** diff --git a/Solutions/Microsoft Defender Threat Intelligence/Playbooks/MDTI-Intel-Reputation/readme.md b/Solutions/Microsoft Defender Threat Intelligence/Playbooks/MDTI-Intel-Reputation/readme.md index 50774b4be22..c5d7c4bdb5a 100644 --- a/Solutions/Microsoft Defender Threat Intelligence/Playbooks/MDTI-Intel-Reputation/readme.md +++ b/Solutions/Microsoft Defender Threat Intelligence/Playbooks/MDTI-Intel-Reputation/readme.md 
@@ -4,7 +4,7 @@ This playbook uses the [Microsoft Defender Threat Intelligence](https://learn.microsoft.com/en-us/defender/threat-intelligence/what-is-microsoft-defender-threat-intelligence-defender-ti) Reputation Data to automatically enrich incidents generated by Microsoft Sentinel. [Reputation](https://learn.microsoft.com/en-us/defender/threat-intelligence/reputation-scoring) information provides analyst with a decision as to whether an indicator is considered benign, suspicious or malicious. Analysts can leverage this playbook in order to enrich indicators found within an incident. Each reputation result is contained within a comment and will include detailed scoring information noting why a given indicator is considered suspicious or malicious with links back to the MDTI platform for more information. ## Prerequisites -1. This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [MDTI-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Microsoft%20Defender%20Threat%20Intellingence/Playbooks/MDTI-Base/azuredeploy.json) playbook. If you have trouble accessing your account or your credentials contact your account representative or reach out to discussMDTI[@]microsoft.com. +1. This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [MDTI-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Microsoft%20Defender%20Threat%20Intelligence/Playbooks/MDTI-Base/azuredeploy.json) playbook. If you have trouble accessing your account or your credentials contact your account representative or reach out to discussMDTI[@]microsoft.com. 2. This playbook requires "Microsoft Sentinel Contributor" role to update Incidents. ## Deployment 
@@ -23,4 +23,4 @@ After deploying the playbook, you must authorize the connections leveraged. 2. Under "Development Tools" (located on the left), click "API Connections". 3. Ensure each connection has been authorized. -**Note: If you've deployed the [MDTI-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Microsoft%20Defender%20Threat%20Intellingence/Playbooks/MDTI-Base/azuredeploy.json) playbook, you will only need to authorize the Microsoft Sentinel connection.** +**Note: If you've deployed the [MDTI-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Microsoft%20Defender%20Threat%20Intelligence/Playbooks/MDTI-Base/azuredeploy.json) playbook, you will only need to authorize the Microsoft Sentinel connection.** diff --git a/Solutions/Microsoft Defender Threat Intelligence/Playbooks/MDTI-PassiveDns/readme.md b/Solutions/Microsoft Defender Threat Intelligence/Playbooks/MDTI-PassiveDns/readme.md index edc57f9e369..3c8d01b3440 100644 --- a/Solutions/Microsoft Defender Threat Intelligence/Playbooks/MDTI-PassiveDns/readme.md +++ b/Solutions/Microsoft Defender Threat Intelligence/Playbooks/MDTI-PassiveDns/readme.md 
@@ -3,7 +3,7 @@ ## Overview This playbook uses the [Microsoft Defender Threat Intelligence](https://learn.microsoft.com/en-us/defender/threat-intelligence/what-is-microsoft-defender-threat-intelligence-defender-ti) Passive Dns data to automatically enrich incidents generated by Microsoft Sentinel. Leverage this playbook in order to enrich your incidents with [Passive Dns ](https://learn.microsoft.com/en-us/defender/threat-intelligence/data-sets#resolutions) data hosted by the indicators found within the incident. Passive DNS (PDNS) is a system of record that stores DNS resolution data for a given location, record, and timeframe. This historical resolution data set allows users to view which domains resolved to an IP address and vice versa. This data set allows for time-based correlation based on domain or IP overlap. PDNS may enable the identification of previously unknown or newly stood-up threat actor infrastructure. Proactive addition of indicators to blocklists can cut off communication paths before campaigns take place. Users will find A record resolution data within the Resolutions data set tab and will find more types of DNS records in the DNS data set tab. ## Prerequisites -1. This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [MDTI-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Microsoft%20Defender%20Threat%20Intellingence/Playbooks/MDTI-Base/azuredeploy.json) this playbook. If you have trouble accessing your account or your credentials contact your account representative or reach out to discussMDTI[@]microsoft.com. +1. This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [MDTI-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Microsoft%20Defender%20Threat%20Intelligence/Playbooks/MDTI-Base/azuredeploy.json) this playbook. 
If you have trouble accessing your account or your credentials contact your account representative or reach out to discussMDTI[@]microsoft.com. 2. This playbook requires "Microsoft Sentinel Contributor" role to update Incidents. @@ -26,4 +26,4 @@ After deploying the playbook, you must authorize the connections leveraged. 2. Under "Development Tools" (located on the left), click "API Connections". 3. Ensure each connection has been authorized. -**Note: If you've deployed the [MDTI-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Microsoft%20Defender%20Threat%20Intellingence/Playbooks/MDTI-Base/azuredeploy.json) playbook, you will only need to authorize the Microsoft Sentinel connection.** +**Note: If you've deployed the [MDTI-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Microsoft%20Defender%20Threat%20Intelligence/Playbooks/MDTI-Base/azuredeploy.json) playbook, you will only need to authorize the Microsoft Sentinel connection.** diff --git a/Solutions/Microsoft Defender Threat Intelligence/Playbooks/MDTI-PassiveDnsReverse/readme.md b/Solutions/Microsoft Defender Threat Intelligence/Playbooks/MDTI-PassiveDnsReverse/readme.md index ecf451b3c9b..5312614e0e1 100644 --- a/Solutions/Microsoft Defender Threat Intelligence/Playbooks/MDTI-PassiveDnsReverse/readme.md +++ b/Solutions/Microsoft Defender Threat Intelligence/Playbooks/MDTI-PassiveDnsReverse/readme.md 
@@ -9,7 +9,7 @@ Our Reverse DNS data includes the following: - Type: the type of infrastructure associated with the record. Potential options include Mail Servers (MX), text files (TXT), name servers (NS), CNAMES, and Start of Authority (SOA) records. - Tags: any tags applied to this artifact in the Defender TI system. ## Prerequisites -1. This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [MDTI-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Microsoft%20Defender%20Threat%20Intellingence/Playbooks/MDTI-Base/azuredeploy.json) this playbook. If you have trouble accessing your account or your credentials contact your account representative or reach out to discussMDTI[@]microsoft.com. +1. This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [MDTI-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Microsoft%20Defender%20Threat%20Intelligence/Playbooks/MDTI-Base/azuredeploy.json) this playbook. If you have trouble accessing your account or your credentials contact your account representative or reach out to discussMDTI[@]microsoft.com. 2. This playbook requires "Microsoft Sentinel Contributor" role to update Incidents. 
@@ -32,4 +32,4 @@ After deploying the playbook, you must authorize the connections leveraged. 2. Under "Development Tools" (located on the left), click "API Connections". 3. Ensure each connection has been authorized. -**Note: If you've deployed the [MDTI-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Microsoft%20Defender%20Threat%20Intellingence/Playbooks/MDTI-Base/azuredeploy.json) playbook, you will only need to authorize the Microsoft Sentinel connection.** +**Note: If you've deployed the [MDTI-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Microsoft%20Defender%20Threat%20Intelligence/Playbooks/MDTI-Base/azuredeploy.json) playbook, you will only need to authorize the Microsoft Sentinel connection.** diff --git a/Solutions/Microsoft Defender Threat Intelligence/Playbooks/MDTI-Trackers/readme.md b/Solutions/Microsoft Defender Threat Intelligence/Playbooks/MDTI-Trackers/readme.md index e495b7cba66..5202fe72bf0 100644 --- a/Solutions/Microsoft Defender Threat Intelligence/Playbooks/MDTI-Trackers/readme.md +++ b/Solutions/Microsoft Defender Threat Intelligence/Playbooks/MDTI-Trackers/readme.md 
@@ -3,7 +3,7 @@ ## Overview This playbook uses the [Microsoft Defender Threat Intelligence](https://learn.microsoft.com/en-us/defender/threat-intelligence/what-is-microsoft-defender-threat-intelligence-defender-ti) Trackers data to automatically enrich incidents generated by Microsoft Sentinel. Leverage this playbook in order to enrich your incidents with [Trackers](https://learn.microsoft.com/en-us/defender/threat-intelligence/data-sets#trackers) data hosted by the indicators found within the incident. Trackers are unique codes or values found within web pages and often used to track user interaction. These codes can be used to correlate a disparate group of websites to a central entity. Often, actors will copy the source code of a victim’s website they are looking to impersonate for a phishing campaign. Seldomly will actors take the time to remove these IDs that allow users to identify these fraudulent sites using Microsoft’s Trackers data set. Actors may also deploy tracker IDs to see how successful their cyber-attack campaigns are. This is similar to marketers when they leverage SEO IDs, such as a Google Analytics Tracker ID, to track the success of their marketing campaign. ## Prerequisites -1. This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [MDTI-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Microsoft%20Defender%20Threat%20Intellingence/Playbooks/MDTI-Base/azuredeploy.json) this playbook. If you have trouble accessing your account or your credentials contact your account representative or reach out to discussMDTI[@]microsoft.com. +1. This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [MDTI-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Microsoft%20Defender%20Threat%20Intelligence/Playbooks/MDTI-Base/azuredeploy.json) this playbook. 
If you have trouble accessing your account or your credentials contact your account representative or reach out to discussMDTI[@]microsoft.com. 2. This playbook requires "Microsoft Sentinel Contributor" role to update Incidents. @@ -26,5 +26,5 @@ After deploying the playbook, you must authorize the connections leveraged. 2. Under "Development Tools" (located on the left), click "API Connections". 3. Ensure each connection has been authorized. -**Note: If you've deployed the [MDTI-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Microsoft%20Defender%20Threat%20Intellingence/Playbooks/MDTI-Base/azuredeploy.json) playbook, you will only need to authorize the Microsoft Sentinel connection.** +**Note: If you've deployed the [MDTI-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Microsoft%20Defender%20Threat%20Intelligence/Playbooks/MDTI-Base/azuredeploy.json) playbook, you will only need to authorize the Microsoft Sentinel connection.**
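Review bot: the MDTI-Automated-Triage prerequisites hunk corrects the "Intellingence" path in the link but leaves the sentence around it ungrammatical: "Ensure you have deployed [MDTI-Base](...) this playbook." Since the line is already being rewritten, change it to "Ensure you have deployed the [MDTI-Base](...) playbook before deploying this playbook." It is also worth grepping the rest of the solution (for example the playbooks' azuredeploy.json files) for the same misspelled "Microsoft%20Defender%20Threat%20Intellingence" path so the fix is not limited to the readmes.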
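Review bot: the MDTI-Data-Cookies prerequisites hunk still reads "reach to discussMDTI[@]microsoft.com" and "deployed [MDTI-Base](...) this playbook." on the `+` line; while touching the line, change "reach to" to "reach out to" (as the other readmes say) and "this playbook" to "before deploying this playbook".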
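Review bot: the MDTI-Data-Cookies note hunk keeps "\ No newline at end of file" on both the `-` and `+` lines, so this readme remains the only one in the set without a trailing newline; add one so the file matches the others and future diffs stay clean.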
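Review bot: the MDTI-Data-WebComponents prerequisites hunk has the same wording problems as the Cookies readme on its `+` line ("reach to discussMDTI[@]microsoft.com" and "deployed [MDTI-Base](...) this playbook."); fix both to "reach out to" and "before deploying this playbook" in the same change.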
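Review bot: in the MDTI-PassiveDns prerequisites hunk the `+` line appears to end after "this playbook. " and the sentence "If you have trouble accessing your account..." continues on a following line without a `+` marker, yet the hunk header is still "@@ -3,7 +3,7 @@". Check the committed file for a stray carriage return or trailing whitespace on that line; if the sentence really was split, the hunk should show two `+` lines and a changed line count, and the text should either stay on one line (as in the other readmes) or be split deliberately.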
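Review bot: the MDTI-PassiveDnsReverse prerequisites hunk leaves "Ensure you have deployed [MDTI-Base](...) this playbook." on the `+` line; change it to "before deploying this playbook" while the line is being edited.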
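Review bot: the MDTI-Trackers prerequisites hunk shows the same anomaly as MDTI-PassiveDns: the `+` line ends at "this playbook. " and "If you have trouble accessing your account..." appears on a separate, unmarked line while the header still reads "@@ -3,7 +3,7 @@". Verify there is no stray CR or trailing whitespace on the corrected line and that the sentence has not been accidentally split; the other readmes keep it on one line.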