UEBA Triage

UEBA Triage uses the Azure AD - Get User Group, Azure AD - Get User Creation Date and UEBA - Add Activity to Whitelist sub-playbooks to reassess the parameters fed to it by the For Each action block of the UEBA Suspicious Activity Detected parent playbook. The analysis first checks that a User entity is present before continuing. In addition, the playbook checks whether the User is whitelisted (temporarily or permanently) and emails the security team about it.

1. Trigger - retrieves the parameters from the For Each action block from the UEBA Suspicious Activity Detected parent playbook to run the investigation.

2. If... Then - applies a HAS VALUE operator to check the User name. If present, the result is fed to the Script action block. If not, the playbook stops.

3. Script - normalizes the User name by running a Python script that converts it into User Principal Name (UPN) format.

4. Parameters - retrieves the UPN and sets it as a global parameter.

5. Format - uploads a Base64 image (text format) of a Logo used in the report or email.

6. Format - generates an HTML report of the parameters for a query to read.

7. Query - runs a query using the lookup command to check whether the User and detectorId fields are in the UEBA_WHITELIST_PERM data table, i.e. whether they are permanently whitelisted.

Query - runs a second query using the lookup command to check whether the User and detectorId fields are in the UEBA_WHITELIST_PERM data table as a temporary whitelist entry, which lasts for a day.

8. If... Then - applies a greater than (>) operator to check whether the User is in the permanent whitelist. If yes, the playbook terminates. If not, the User is passed to the Cases Query action block.

9. If... Then - applies a greater than (>) operator to check whether the User is in the temporary whitelist. If yes, the playbook terminates. If not, the User is passed to the Cases Query action block.

10. Cases Query - gets the list of open cases in which the User is an artifact. The list is sorted by severity in descending order so that the highest-severity case is returned first.

11. If... Then - applies a greater than (>) operator to check the number of open cases. If an open case is found, the result is fed to the Filter action block; otherwise the Script action block is called.

12. Filter - if there are open cases, grabs the Case ID of the highest-severity open case.

13. Parameters - retrieves the open Case ID and sets it as a global parameter.

14. Status - treats the activity as a new incident on the existing open case and increments that case's severity by 10.

15. Case Item - adds the previously generated HTML report to the highest-severity open case and feeds the report to the Add Activity to Whitelist sub-playbook.

16. Script - if no open case is found, creates a new Case ID using a Python script.

17. Parameters - retrieves the new CaseID and sets it as a global parameter.

18. If... Then - applies a DOESNT HAVE VALUE operator to check for the presence of a Share entity.

19. Case Item - if a Share entity is found, adds the host of the share as an artifact.

20. Case Item:

20.1. If a Share entity is not found, adds the Username and the Detector Name (as Generic Text) as artifacts.

20.2. If a Share entity is not found, adds the Username and the activity detected as artifacts.

21. Playbook - calls the Azure AD - Get User Group sub-playbook, which uses Microsoft's Graph API to retrieve an access token and Microsoft's API to get the list of groups the User belongs to.

22. Format - formats the result from the Azure AD - Get User Group sub-playbook, extracting each group into an individual list item.

23. Script - runs a Python script that searches the group names for the word Admin to determine whether any group in the list carries administrator privileges.

24. If... Then - applies an equal to (=) operator to check whether the User is an admin. If admin, the result is fed to the Status action block. If not, the Add Activity to Whitelist sub-playbook is called.

25. Status - if the User is in an admin group, increments the case severity by 40 and feeds the result to the Add Activity to Whitelist sub-playbook.

26. Case Item - adds the previously generated HTML report to the new case and feeds it to the Azure AD - Get User Creation Date sub-playbook.

27. Playbook - calls the Azure AD - Get User Creation Date sub-playbook, which uses Microsoft's Graph API to retrieve an access token and Microsoft's API to get the date and time the User was created.

28. If... Then - applies a less than (<) operator to check whether the User creation date is within the last 7 days. If yes, the result is fed to the Status action block. If not, the Add Activity to Whitelist sub-playbook is called.

29. Status - if the User was created within the last 7 days, increments the case severity by 80 and feeds the result to the Add Activity to Whitelist sub-playbook.

30. Playbook - calls the Add Activity to Whitelist sub-playbook, which uses Microsoft's APIs to authenticate, adds the User to the whitelist, and notifies the security team by sending an HTML email.

31. End - maps the User output of the playbook; its values can be viewed under Results in Monitoring and are analysed further by the security team. The playbook results are also returned to the UEBA Suspicious Activity Detected parent playbook.
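To make the scoring path concrete, here is an added Python model of the triage decisions above (whitelist lookup, UPN normalization, the admin-group and creation-date checks, and the +10/+40/+80 severity increments). It is illustrative code, not the playbook's own scripts; the whitelist tables, the example.com tenant domain and the UPN normalization rule are assumptions.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
DEFAULT_DOMAIN = "example.com"   # assumed tenant domain used when normalizing to UPN
TEMP_TTL = timedelta(days=1)     # temporary whitelist entries last one day

# Constructed sample whitelist tables keyed by (UPN, detectorId); the playbook reads
# its own data tables with a lookup query instead.
WHITELIST_PERM = {("alice@example.com", "DET-01")}
WHITELIST_TEMP = {("bob@example.com", "DET-02"): datetime(2024, 5, 1, 9, 0, tzinfo=UTC)}

def to_upn(user: str) -> str:
    """Normalize 'DOMAIN\\user', 'user' or 'user@domain' to a lower-case UPN (assumed rule)."""
    user = user.strip()
    if "\\" in user:                 # drop a down-level domain prefix
        user = user.split("\\", 1)[1]
    if "@" not in user:
        user = f"{user}@{DEFAULT_DOMAIN}"
    return user.lower()

def whitelist_status(upn: str, detector_id: str, now: datetime):
    """Return 'permanent', 'temporary' (entry still within TEMP_TTL) or None."""
    if (upn, detector_id) in WHITELIST_PERM:
        return "permanent"
    added = WHITELIST_TEMP.get((upn, detector_id))
    if added is not None and now - added < TEMP_TTL:
        return "temporary"
    return None

def is_admin(groups) -> bool:
    """Mirror the playbook's check: any group name containing the word Admin."""
    return any("admin" in g.lower() for g in groups)

def triage(user, detector_id, groups, created, has_open_case, now):
    """Return (severity_delta, whitelist_status) for one suspicious activity.
    Whitelisted: stop with delta 0. Existing open case: +10. New case: +40 if the
    User is an admin and +80 if the account was created within the last 7 days."""
    upn = to_upn(user)
    status = whitelist_status(upn, detector_id, now)
    if status is not None:
        return 0, status
    if has_open_case:
        return 10, None
    delta = 40 if is_admin(groups) else 0
    if now - created < timedelta(days=7):
        delta += 80
    return delta, None
```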