The HYAS Insight Logic Apps connector for Microsoft Azure Sentinel was announced and generally available in October and is already accelerating threat investigations for enterprises using Azure Sentinel. One nifty feature of Azure Sentinel that helps automate processes is playbooks. Playbooks in Azure Sentinel are a collection of procedures that can be run in response to an alert. A security playbook can help you automate and orchestrate a response and can be run manually or set to run automatically when specific alerts are triggered. While you can build your own playbooks inside Azure Sentinel, HYAS has now published preconfigured playbooks that you can use to enrich Azure Sentinel with HYAS reference information to help simplify and automate investigations.  

HYAS and Azure Sentinel Empower Security Teams

For those who have not explored it, Azure Sentinel is a cloud-native, next-generation SIEM that transforms how security teams triage incidents in their organizations. Security teams can quickly be up, running, and responding to alerts to supercharge threat investigations and automate incident response at scale.

HYAS has a huge data lake of accumulated knowledge around adversary infrastructure that can inform and accelerate investigations. HYAS Insight connects specific attack instances and campaigns to billions of historical and real-time indicators of compromise approximately 3X faster than conventional approaches, dramatically increasing efficiency and delivering critical results with the speed required by modern businesses.

To simplify and streamline using the HYAS Insight integration for Azure Sentinel, we created a series of 13 playbooks covering a variety of scenarios. The new playbooks are available at https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks and cover the following scenarios:

SCENARIO                                                PLAYBOOK TEMPLATE NAME
Retrieve Current WHOIS Information for domain           Enrich-Sentinel-Incident-HYAS-Insight-Domain-Current-WHOIS
Retrieve Historic WHOIS Information for domain          Enrich-Sentinel-Incident-HYAS-Insight-Domain-Historic-WHOIS
Retrieve Passive DNS Information for domain             Enrich-Sentinel-Incident-HYAS-Insight-Domain-Passive-DNS
Retrieve Geo Information for IPv4 address               Enrich-Sentinel-Incident-HYAS-Insight-IPv4-Device-Geo
Retrieve Geo Information for IPv6 address               Enrich-Sentinel-Incident-HYAS-Insight-IPv6-Device-Geo
Retrieve Dynamic DNS Information for IP address         Enrich-Sentinel-Incident-HYAS-Insight-IP-Dynamic-DNS
Retrieve Passive DNS Information for IP address         Enrich-Sentinel-Incident-HYAS-Insight-IP-Passive-DNS
Retrieve Passive Hash Information for IP address        Enrich-Sentinel-Incident-HYAS-Insight-IP-Passive-Hash
Retrieve Sinkhole Information for IP address            Enrich-Sentinel-Incident-HYAS-Insight-IP-Sinkhole
Retrieve SSL certificate Information for IP address     Enrich-Sentinel-Incident-HYAS-Insight-IP-SSL-Certificate
Retrieve Dynamic DNS Information for email address      Enrich-Sentinel-Incident-HYAS-Insight-Email-Dynamic-DNS
Retrieve Historic WHOIS Information for email address   Enrich-Sentinel-Incident-HYAS-Insight-Email-Historic-WHOIS
Retrieve Historic WHOIS Information for phone number    Enrich-Sentinel-Incident-HYAS-Insight-Phone-Number-Historic-WHOIS
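Each playbook above enriches one kind of indicator, so a triage step that runs before any of them is deciding which templates apply to the entities attached to an incident. The following Python is an added illustration of that routing, not code from this post or from the HYAS playbooks. It classifies each indicator as a domain, IPv4, IPv6, email address or phone number and returns the matching template names from the table. The classification regexes, the sample indicator list, and the assumption that the generic "IP address" playbooks apply to both IPv4 and IPv6 are the example's own.

```python
import ipaddress
import re

# Template names exactly as listed in the post's table, grouped by the
# indicator type each one enriches.
DOMAIN_PLAYBOOKS = [
    "Enrich-Sentinel-Incident-HYAS-Insight-Domain-Current-WHOIS",
    "Enrich-Sentinel-Incident-HYAS-Insight-Domain-Historic-WHOIS",
    "Enrich-Sentinel-Incident-HYAS-Insight-Domain-Passive-DNS",
]
# Assumption (not stated on the page): the templates named for "IP address"
# accept both IPv4 and IPv6; only the Geo lookup is version-specific.
IP_COMMON_PLAYBOOKS = [
    "Enrich-Sentinel-Incident-HYAS-Insight-IP-Dynamic-DNS",
    "Enrich-Sentinel-Incident-HYAS-Insight-IP-Passive-DNS",
    "Enrich-Sentinel-Incident-HYAS-Insight-IP-Passive-Hash",
    "Enrich-Sentinel-Incident-HYAS-Insight-IP-Sinkhole",
    "Enrich-Sentinel-Incident-HYAS-Insight-IP-SSL-Certificate",
]
PLAYBOOKS_BY_TYPE = {
    "domain": DOMAIN_PLAYBOOKS,
    "ipv4": ["Enrich-Sentinel-Incident-HYAS-Insight-IPv4-Device-Geo"] + IP_COMMON_PLAYBOOKS,
    "ipv6": ["Enrich-Sentinel-Incident-HYAS-Insight-IPv6-Device-Geo"] + IP_COMMON_PLAYBOOKS,
    "email": [
        "Enrich-Sentinel-Incident-HYAS-Insight-Email-Dynamic-DNS",
        "Enrich-Sentinel-Incident-HYAS-Insight-Email-Historic-WHOIS",
    ],
    "phone": ["Enrich-Sentinel-Incident-HYAS-Insight-Phone-Number-Historic-WHOIS"],
}

# Heuristic patterns chosen for this example; they are deliberately strict so
# that free text from an alert description is not mistaken for an indicator.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:(?!-)[a-z0-9-]{1,63}(?<!-)\.)+[a-z]{2,63}$", re.IGNORECASE
)
PHONE_RE = re.compile(r"^\+?\d[\d .()-]{6,}\d$")


def classify_indicator(value):
    """Return 'ipv4', 'ipv6', 'email', 'domain', 'phone', or None if unrecognised."""
    value = value.strip()
    # ipaddress handles both address families and rejects anything that is not
    # a literal address, so it is checked before the looser text patterns.
    try:
        addr = ipaddress.ip_address(value)
        return "ipv4" if addr.version == 4 else "ipv6"
    except ValueError:
        pass
    if EMAIL_RE.match(value):
        return "email"
    if DOMAIN_RE.match(value):
        return "domain"
    if PHONE_RE.match(value):
        return "phone"
    return None


def plan_enrichment(indicators):
    """Map each recognised indicator to the playbook templates that can enrich it.

    Returns a list of (indicator, type, [template names]) in input order;
    values that match no indicator type are skipped rather than guessed at.
    """
    plan = []
    for raw in indicators:
        kind = classify_indicator(raw)
        if kind is None:
            continue
        plan.append((raw.strip(), kind, PLAYBOOKS_BY_TYPE[kind]))
    return plan


# Constructed sample: indicators as they might be pulled from an incident's
# entities (documentation-reserved domain and address ranges, made-up contacts).
SAMPLE_INDICATORS = [
    "example.com",
    "198.51.100.23",
    "2001:db8::1",
    "attacker@example.net",
    "+1 555 0100",
    "not an indicator!!",
]

if __name__ == "__main__":
    for indicator, kind, templates in plan_enrichment(SAMPLE_INDICATORS):
        print(f"{indicator} ({kind}):")
        for name in templates:
            print(f"  - {name}")
```

In a Logic App this routing would be expressed as a condition on the incident's entity kinds rather than as regexes over raw strings; the script keeps the mapping in one place so the set of templates triggered for each indicator type is easy to review and change.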

Importing HYAS Insight Playbook Templates for Azure Sentinel

You can use the Microsoft instructions available from https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks#instructions-for-deploying-a-custom-template for deploying the HYAS Insight playbook templates.


Enjoy automating and speeding up your investigations with these new playbooks for Azure Sentinel! To learn more about HYAS Insight and the integration with Azure Sentinel, read the solution brief or request a demo (we LOVE giving demos!).