
Hi,

I'm using the Microsoft ATP connector to fetch incidents from the tenant and create a case for each incident.

Incidents in Microsoft Defender have one or more related alerts, which are aggregated by Defender to create the incident. When the case is created on the SOAR, it doesn't include all the alerts related to the incident. The MS ATP integration has one playbook action, "ListAlerts", which returns a JSON with all the related alerts and their info (this is working fine).

My question now is how I can add those alerts to the case, below the "Alerts" section. I have been trying different actions but none of them seem to work.

Am I missing something here or do I need to develop the action myself?

Thanks!

I pull alerts and the related info of the alert into my cases using the Graph API. To do it I had to create a copy and modify it to point to the API 2.0 endpoint.

You have to update the constants so that they have the correct API endpoint.

Then update all the pointers in MicrosoftGraphSecurityManager and datamodels.
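As an added example (not code from this thread or from the MS ATP or Graph integration), here is the shape of the change described above written against the public Microsoft Graph security alerts_v2 endpoint: repoint the base constant, filter alerts by incidentId, follow paging, and flatten each alert with its evidence into the fields a case "Alerts" entry needs. The endpoint path, the filter and the field names are assumptions taken from the public Graph documentation rather than from the post, and the two-page response is constructed so the block runs offline.

```python
"""Fetch one Microsoft Defender incident's alerts from the Microsoft Graph
security API v2 (alerts_v2) and flatten them for a SOAR case's "Alerts" section.

Added example, not code from the thread or any vendor integration. Assumptions
not taken from the post: the v1.0 /security/alerts_v2 path, its incidentId
filter and the field names below follow the public Graph docs; SAMPLE_PAGES
is constructed test data, not a real tenant response.
"""
import json
import urllib.parse
import urllib.request
from typing import Callable, Optional

# The v2 endpoint the post repoints the connector's constant at.
ALERTS_V2_URL = "https://graph.microsoft.com/v1.0/security/alerts_v2"


def build_alerts_url(incident_id: str, base_url: str = ALERTS_V2_URL) -> str:
    """Build the alerts_v2 query for one incident; the id goes inside an OData
    string literal, so single quotes are doubled so it cannot break the filter."""
    literal = incident_id.replace("'", "''")
    params = {"$filter": f"incidentId eq '{literal}'", "$top": "100"}
    return f"{base_url}?{urllib.parse.urlencode(params, quote_via=urllib.parse.quote)}"


def normalize_alert(alert: dict) -> dict:
    """Reduce one alerts_v2 object to the fields a case alert entry needs."""
    evidence = []
    for ev in alert.get("evidence", []):
        # @odata.type looks like "#microsoft.graph.security.deviceEvidence"
        kind = ev.get("@odata.type", "").rsplit(".", 1)[-1]
        evidence.append({"type": kind, "verdict": ev.get("verdict"),
                         "roles": list(ev.get("roles", []))})
    return {
        "id": alert["id"],
        "incident_id": alert.get("incidentId"),
        "title": alert.get("title"),
        "severity": alert.get("severity"),
        "status": alert.get("status"),
        "last_update": alert.get("lastUpdateDateTime"),
        "evidence": evidence,
    }


def parse_alerts_page(payload: dict) -> tuple[list[dict], Optional[str]]:
    """Parse one response page; return (alerts, @odata.nextLink or None)."""
    alerts = [normalize_alert(a) for a in payload.get("value", [])]
    return alerts, payload.get("@odata.nextLink")


def fetch_incident_alerts(incident_id: str, token: str,
                          http_get: Optional[Callable[[str], dict]] = None) -> list[dict]:
    """Collect every alert of the incident, following @odata.nextLink.
    http_get is injectable so paging runs offline; the default GETs with urllib."""
    def default_get(url: str) -> dict:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)

    get = http_get or default_get
    url: Optional[str] = build_alerts_url(incident_id)
    collected: list[dict] = []
    while url:
        page, url = parse_alerts_page(get(url))
        collected.extend(page)
    return collected


# Constructed two-page response for incident "123" (not real tenant data).
PAGE2_URL = ALERTS_V2_URL + "?$skiptoken=page2"
SAMPLE_PAGES = {
    build_alerts_url("123"): {
        "value": [{"id": "da637551227677560813_-961444813", "incidentId": "123",
                   "title": "Suspicious process injection observed", "severity": "high",
                   "status": "new", "lastUpdateDateTime": "2024-01-10T09:12:00Z",
                   "evidence": [{"@odata.type": "#microsoft.graph.security.deviceEvidence",
                                 "verdict": "suspicious", "roles": ["attacked"]},
                                {"@odata.type": "#microsoft.graph.security.processEvidence",
                                 "verdict": "malicious", "roles": []}]}],
        "@odata.nextLink": PAGE2_URL,
    },
    PAGE2_URL: {
        "value": [{"id": "da637551227677560814_-961444814", "incidentId": "123",
                   "title": "Malware was detected", "severity": "medium",
                   "status": "resolved", "lastUpdateDateTime": "2024-01-10T09:20:00Z",
                   "evidence": []}],
    },
}


def demo() -> list[dict]:
    """Run the pager against the constructed pages instead of live Graph."""
    return fetch_incident_alerts("123", token="unused", http_get=SAMPLE_PAGES.__getitem__)


if __name__ == "__main__":
    for a in demo():
        print(a["id"], a["severity"], a["title"], [e["type"] for e in a["evidence"]])
```

Against a real tenant, call fetch_incident_alerts with an app token that carries SecurityAlert.Read.All and leave http_get unset; the returned list is what a custom action would hand to the case's "Alerts" section.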

I would suggest trying the Microsoft 365 Defender connector. It will ingest all of the incident alerts as SecOps alerts, but they will be grouped into the same case based on incident ID.

An additional benefit is that the connector tracks changes to the alerts, so if additional evidence is added to an alert, it will be re-ingested.



Would it make sense to use the Microsoft 365 Defender connector for ingesting alerts and the ATP integration to perform actions on the machines via playbooks? Like getting the incident/alert ID and isolating the machine?



I use both APIs. For taking actions such as scanning, blocking IOCs and isolating the machine I do use the Defender API, and the built-in function works very well. I have found that the Graph API has much better context about the alert that I pull into the case.


There is also a group of Microsoft Graph Alerts that you might want to look into. We have this rule in our SIEM, and in order to enrich those you will find you need the Graph API.

rule microsoft_graph_alert {
  // Rule name and section wrapper added so the posted events block is a complete YARA-L 2.0 rule
  events:
    $e1.metadata.log_type = "MICROSOFT_GRAPH_ALERT"
    ($e1.security_result.alert_state = "ALERTING"
        or $e1.security_result.severity = "HIGH"
        or $e1.security_result.severity = "MEDIUM")

  condition:
    $e1
}


Yes, you can do that.



After a few days with the 365 Defender connector, what I'm seeing is that when an alert is updated with additional evidence, it is re-ingested as a new alert instead of updating the previous one, so a single alert in Defender may become 5-6 alerts in a case in the SOAR. Is there a way around this? Too noisy in my opinion.



We are planning to add an update soon, where tracking of alerts will be optional and configurable. Planned to be released in 2-3 weeks. 
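As an added example, not the connector's code, of the alternative to re-ingesting every update as a new alert: keep one entry per Defender alert ID on the case, apply a newer version by merging in only the evidence that is not already present, drop duplicate or out-of-order deliveries, and expose a switch that turns update tracking off, which is one way the planned optional tracking could behave. The record fields (id, incidentId, lastUpdateDateTime, evidence) and the track_updates switch are assumptions, and the alert stream is constructed.

```python
"""Collapse re-ingested versions of one Defender alert into a single entry
per alert id on a case, instead of letting every update become a new alert.

Added example, not the connector's code. The record shape and the
track_updates switch are assumptions; SAMPLE_STREAM is constructed data.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class CaseAlert:
    alert_id: str
    title: str
    severity: str
    last_update: datetime
    evidence: list = field(default_factory=list)  # dicts with "type"/"value"
    versions_seen: int = 1


def _ts(value: str) -> datetime:
    """Parse an RFC 3339 timestamp such as 2024-01-10T09:00:00Z to aware UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def _evidence_key(ev: dict) -> tuple:
    """Identity of an evidence item: its kind plus the hash, IP, host, etc."""
    return (ev.get("type"), ev.get("value"))


class IncidentCase:
    """The alerts of one incident, keyed by Defender alert id."""

    def __init__(self, incident_id: str, track_updates: bool = True):
        self.incident_id = incident_id
        self.track_updates = track_updates
        self.alerts: dict[str, CaseAlert] = {}
        self.log: list[str] = []

    def ingest(self, record: dict) -> str:
        """Apply one ingested alert record and report what happened to it."""
        if record["incidentId"] != self.incident_id:
            raise ValueError("record belongs to a different incident")
        alert_id = record["id"]
        seen_at = _ts(record["lastUpdateDateTime"])
        existing = self.alerts.get(alert_id)

        if existing is None:
            self.alerts[alert_id] = CaseAlert(alert_id, record["title"], record["severity"],
                                              seen_at, list(record.get("evidence", [])))
            self.log.append(f"created {alert_id}")
            return "created"
        if not self.track_updates:  # first version wins, later copies are dropped
            self.log.append(f"ignored update to {alert_id} (tracking off)")
            return "ignored"
        if seen_at <= existing.last_update:  # duplicate or out-of-order delivery
            self.log.append(f"stale {alert_id}")
            return "stale"

        # Newer version: merge only evidence not already on the case entry.
        known = {_evidence_key(e) for e in existing.evidence}
        added = [e for e in record.get("evidence", []) if _evidence_key(e) not in known]
        existing.evidence.extend(added)
        existing.severity = record["severity"]
        existing.last_update = seen_at
        existing.versions_seen += 1
        self.log.append(f"updated {alert_id}: +{len(added)} evidence")
        return "updated"


# Constructed stream: A1 delivered three times as it gains evidence, once as an
# exact duplicate, plus a second alert A2 (not real data).
_A1 = {"id": "A1", "incidentId": "42", "title": "Suspicious PowerShell"}
SAMPLE_STREAM = [
    {**_A1, "severity": "medium", "lastUpdateDateTime": "2024-01-10T09:00:00Z",
     "evidence": [{"type": "device", "value": "host01"}]},
    {**_A1, "severity": "high", "lastUpdateDateTime": "2024-01-10T09:05:00Z",
     "evidence": [{"type": "device", "value": "host01"},
                  {"type": "file", "value": "e3b0c44298fc1c149afbf4c8996fb924"}]},
    {**_A1, "severity": "high", "lastUpdateDateTime": "2024-01-10T09:05:00Z",
     "evidence": [{"type": "device", "value": "host01"},
                  {"type": "file", "value": "e3b0c44298fc1c149afbf4c8996fb924"}]},
    {"id": "A2", "incidentId": "42", "title": "Malware detected", "severity": "low",
     "lastUpdateDateTime": "2024-01-10T09:06:00Z", "evidence": []},
    {**_A1, "severity": "high", "lastUpdateDateTime": "2024-01-10T09:30:00Z",
     "evidence": [{"type": "device", "value": "host01"},
                  {"type": "file", "value": "e3b0c44298fc1c149afbf4c8996fb924"},
                  {"type": "ip", "value": "203.0.113.7"}]},
]


def replay(track_updates: bool = True) -> IncidentCase:
    """Feed the sample stream to a fresh case and return the case."""
    case = IncidentCase("42", track_updates=track_updates)
    for rec in SAMPLE_STREAM:
        case.ingest(rec)
    return case


if __name__ == "__main__":
    case = replay()
    print(f"{len(case.alerts)} alert entries on case {case.incident_id}", *case.log, sep="\n")
```

With tracking on, the five deliveries collapse to two case entries and A1 ends up with all three pieces of evidence; with tracking off, A1 keeps only its first version, which is the quiet-but-lossy trade-off the thread is discussing.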

