Comments (4)
Assuming we use the UPN (or the ObjectID) of the user, I'm thinking of the following checks:
- Get the user's Investigation score from MCAS (if available)
- Get the user's Risk level from AAD IP
- Get stats on the user's CAP failures
- Get stats on known IPs for the user and check them against TI
- Get the risk level of the user's devices from MDE (if available)
Not sure if calculating a score here makes sense, but providing the output of that could help.
Open to add/remove. As it might be too many items here (the TI check could be in the other module about TI)... Going against the modular approach.
from sentinelautomationmodules.
That sounds great. I would agree with not calculating a score but instead returning these as separate properties so people can make their own decisions.
It seems that the MCAS API only accepts an API key as an authentication method... So to get the Investigation priority (which is called the threatScore in the JSON) it would need 2 configuration requirements: (1) create the API key (needs to be done in the GUI of the MCAS portal) and (2) store that key in a key vault to retrieve it safely from the logic app. This Investigation priority still has value in my opinion, and we can also retrieve the history of that score. But because of the config requirement, it could be a separate module.
Breaking it out into a separate module may make sense; not everyone will have MCAS configured/licensed anyway.