Besides watchlists, Ollie also manages Threat Intelligence (TI) indicators. TI indicators can be added to provide additional information about current attacks, in order to identify potential attacks that might have gone unnoticed by your existing security systems. Besides making it easy to add new TI indicators, Ollie also searches your logs to verify whether the indicator has been seen in your environment within the last 90 days. If a hit is found, a Microsoft Sentinel incident is created automatically for the SOC to investigate.
Behind the scenes
Ollie is natively built on Azure PaaS services for its hosting and interacts with Microsoft Sentinel through APIs. Ollie consists of the following Azure components:
To interact with Microsoft Sentinel watchlists and to add Threat Intelligence indicators (the latter through the Microsoft Graph Security API), an app registration needs to be created with permissions to update Microsoft Sentinel watchlists and to add new TI indicators. Grant that app registration only those permissions: it acts on behalf of everyone who can talk to the bot.
As anybody with access to the bot can create new Threat Intelligence indicators, you need to ensure the Teams application is properly secured and cannot be used by unauthorized users. Within the Teams Admin Center, the application needs to be uploaded as a custom application.
Depending on your Teams configuration, this application could be available to every user in your tenant. It is recommended to scope the application to a subset of users by using an app permission policy. Such a policy ensures that only authorized users can access Ollie and, through it, Microsoft Sentinel.
What makes Ollie unique is the way it searches for hits of TI indicators. Normally, scheduled analytics rules compare all TI indicators with your logs, and an incident is created if any hits are found. Unfortunately, a scheduled analytics rule can only look back 14 days, which means it can only match against data from the past 14 days. An incident will therefore not be created when an indicator last appeared more than 14 days ago. To solve this, Ollie uses the Log Analytics API to query for any hits within the last 90 days. To support a wide range of data sources (including custom data), the searches are run using normalization schemas.
Normalization schemas (Microsoft Sentinel's Advanced Security Information Model, ASIM) are Microsoft Sentinel's way of using one query to search multiple tables at once. By using these schemas, it is easy to search a wide range of sources without needing to update queries for every source. If you want to include a custom data source, just extend the parser and Ollie will include it in its next searches!
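The following Python is an added example and not Ollie's own code (the post does not show it). It covers both steps the bot performs for an indicator: building the tiIndicator body that is posted to the Microsoft Graph Security API, and building and running the 90-day hit search over the ASIM normalization parsers through the Log Analytics Query API. Assumptions not stated on the page: the unifying parser names `_Im_NetworkSession`, `_Im_Dns`, `_Im_WebSession` and `_Im_FileEvent` as deployed in the workspace, the Graph `beta` `tiIndicators` endpoint, `Azure Sentinel` as `targetProduct`, and separate bearer tokens for the two APIs (they are different resources). The sample API response at the bottom is constructed so the row handling can be exercised offline.

```python
"""Added example (not Ollie's code): TI indicator submission and 90-day ASIM hit search.
Assumed: _Im_* parser names, Graph beta tiIndicators endpoint, separate tokens per API."""
from __future__ import annotations
import json
import re
import urllib.request
from datetime import datetime, timedelta, timezone

LOOKBACK_DAYS = 90  # Ollie's window; scheduled analytics rules stop at 14 days

IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.IGNORECASE)
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
HASH_COLUMNS = {"md5": "TargetFileMD5", "sha1": "TargetFileSHA1", "sha256": "TargetFileSHA256"}

def classify(value: str) -> tuple[str, str]:
    """Return (indicator type, normalised value); raise ValueError for anything else."""
    v = value.strip()
    if IPV4_RE.match(v) and all(int(o) <= 255 for o in v.split(".")):
        return "ipv4", v
    if re.fullmatch(r"[0-9a-fA-F]+", v) and len(v) in HASH_TYPES:
        return HASH_TYPES[len(v)], v.lower()
    if v.lower().startswith(("http://", "https://")):
        return "url", v
    if DOMAIN_RE.match(v):
        return "domain", v.lower()
    raise ValueError(f"unsupported indicator: {value!r}")

def kql_str(s: str) -> str:
    """Quote a value as a KQL string literal so bot input cannot alter the query."""
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"').replace("\n", "\\n") + '"'

def build_hit_query(value: str, days: int = LOOKBACK_DAYS) -> str:
    """KQL that searches the normalised sources for the indicator over the last `days` days.
    The window is passed to the parser (starttime/endtime) so each source is filtered early."""
    kind, v = classify(value)
    lit = kql_str(v)
    if kind == "ipv4":
        parser, cond = "_Im_NetworkSession", f"SrcIpAddr == {lit} or DstIpAddr == {lit}"
    elif kind == "domain":
        parser, cond = "_Im_Dns", f"DnsQuery =~ {lit}"
    elif kind == "url":
        parser, cond = "_Im_WebSession", f"Url =~ {lit}"
    else:
        parser, cond = "_Im_FileEvent", f"{HASH_COLUMNS[kind]} =~ {lit}"
    return (
        f"{parser}(starttime=ago({days}d), endtime=now())\n"
        f"| where {cond}\n"
        "| summarize HitCount=count(), FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by EventProduct\n"
        f"| extend Indicator={lit}\n"
        "| order by HitCount desc"
    )

def build_ti_indicator(value: str, description: str, days_valid: int = 30, confidence: int = 70) -> dict:
    """Body for POST https://graph.microsoft.com/beta/security/tiIndicators (assumed endpoint)."""
    kind, v = classify(value)
    expires = datetime.now(timezone.utc) + timedelta(days=days_valid)
    body = {"action": "alert", "confidence": confidence, "description": description,
            "expirationDateTime": expires.strftime("%Y-%m-%dT%H:%M:%SZ"),
            "targetProduct": "Azure Sentinel", "threatType": "WatchList", "tlpLevel": "green"}
    if kind == "ipv4":
        body["networkIPv4"] = v
    elif kind == "domain":
        body["domainName"] = v
    elif kind == "url":
        body["url"] = v
    else:
        body["fileHashType"], body["fileHashValue"] = kind, v
    return body

def rows_to_dicts(result: dict) -> list[dict]:
    """Flatten the Query API response (tables -> columns/rows) into one dict per row."""
    table = result["tables"][0]
    cols = [c["name"] for c in table["columns"]]
    return [dict(zip(cols, row)) for row in table["rows"]]

def _post_json(url: str, token: str, body: dict) -> dict:
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=300) as resp:
        return json.load(resp)

def submit_indicator(graph_token: str, value: str, description: str) -> dict:
    # graph_token: app token for https://graph.microsoft.com (ThreatIndicators.ReadWrite.OwnedBy)
    return _post_json("https://graph.microsoft.com/beta/security/tiIndicators",
                      graph_token, build_ti_indicator(value, description))

def search_hits(la_token: str, workspace_id: str, value: str, days: int = LOOKBACK_DAYS) -> list[dict]:
    # la_token: token for https://api.loganalytics.io; one row per source product with hits
    body = {"query": build_hit_query(value, days), "timespan": f"P{days}D"}
    return rows_to_dicts(_post_json(
        f"https://api.loganalytics.io/v1/workspaces/{workspace_id}/query", la_token, body))

# Constructed sample response (offline), shaped like the Query API's JSON.
SAMPLE_RESPONSE = {"tables": [{"name": "PrimaryResult",
    "columns": [{"name": "EventProduct", "type": "string"}, {"name": "HitCount", "type": "long"},
                {"name": "FirstSeen", "type": "datetime"}, {"name": "LastSeen", "type": "datetime"},
                {"name": "Indicator", "type": "string"}],
    "rows": [["Azure Firewall", 3, "2021-09-02T07:11:00Z", "2021-10-20T18:42:00Z", "203.0.113.7"]]}]}

if __name__ == "__main__":
    print(build_hit_query("203.0.113.7"))
    print(json.dumps(build_ti_indicator("203.0.113.7", "Reported via Ollie"), indent=2))
    for hit in rows_to_dicts(SAMPLE_RESPONSE):
        print(f"{hit['Indicator']} seen {hit['HitCount']}x in {hit['EventProduct']}, last {hit['LastSeen']}")
```

Two caveats when running this against a real workspace: the 90-day search can only find events the workspace still retains, so a shorter table retention silently shortens Ollie's window, and a unifying `_Im_*` parser over every source for 90 days is an expensive query, which is why the window is handed to the parser's `starttime`/`endtime` parameters rather than filtered afterwards. The indicator value is always quoted through `kql_str`, since it arrives from a chat message and must not be able to change the query.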
Looking forward to feedback!
During our efforts in the Microsoft Sentinel hackathon, we created an initial MVP of the Microsoft Sentinel assistant. We still have lots of ideas to expand its capabilities, including the ability to manage analytics rules, orchestrate incidents by interacting with Playbooks, and execute hunting queries from your Teams client. If you have any feedback or insights, feel free to leave a comment or contact me through social media.
At The Collective, we constantly push the boundaries of technology. Looking for a partner that helps your organization achieve more through secure and innovative technologies, solutions and services?