MCASModule
Get-MCASInvestigationScore

Description

This module retrieves the MCAS investigation score for each account entity of the incident.

Supported Entity Types

  • Account

Trigger Parameters

| Parameter | Expected Values | Description |
| --- | --- | --- |
| AddIncidentComments | True/False (Default: True) | When set to true, the results of the query will be added to the Sentinel Incident Comments |
| Base Module Body | Body (dynamic content) | The Body should be selected from the Dynamic content of the Base-Module response |
| ScoreThreshold | Score (integer) | Minimum investigation score for a user |

Return Properties

| Property | Description |
| --- | --- |
| AnalysedEntities | Number of entities analyzed |
| AboveThreholdCount | Number of accounts found above the specified threshold |
| MaximumScore | Maximum score found across all entities |
| ModuleName | The internal name of the Playbook |
| DetailedResults | An array of users with their respective scores |

Sample Return

{
  "AboveThreholdCount": 0,
  "AnalyzedEntities": 1,
  "DetailedResults": [
    {
      "ThreatScore": 270,
      "UserId": "312b4fab-fa2e-43d4-9885-5a78ae6772b9",
      "UserPrincipalName": "[email protected]",
      "ThreatScoreHistory": [
        {
          "dateFormatted": "20221011",
          "dateUtc": 1665531216000,
          "score": 0,
          "percentile": 0,
          "breakdown": {}
        },
        {
          "dateFormatted": "20221010",
          "dateUtc": 1665444816000,
          "score": 0,
          "percentile": 0,
          "breakdown": {}
        }
      ]
    }
  ],
  "MaximumScore": 270,
  "ModuleName": "MCASModule"
}
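The aggregate properties above (AnalysedEntities, AboveThreholdCount, MaximumScore) are derived from DetailedResults and the ScoreThreshold trigger parameter. The following is an added example, not code from the STAT project, that recomputes those aggregates from a module return and reports any mismatch, which is a useful check when a downstream playbook condition depends on them. The sample return is constructed from the shape shown above (with a placeholder user principal name), and the inclusive reading of "minimum investigation score" (ThreatScore >= ScoreThreshold) is an assumption.

```python
"""Added example (not part of the STAT project): recompute the MCASModule
aggregate properties from DetailedResults and compare with what the module
reported."""
import json

# Constructed sample, copied in shape from the "Sample Return" section above.
# The UserPrincipalName is a placeholder, not a real account.
SAMPLE_RETURN = json.loads("""
{
  "AboveThreholdCount": 0,
  "AnalyzedEntities": 1,
  "DetailedResults": [
    {
      "ThreatScore": 270,
      "UserId": "312b4fab-fa2e-43d4-9885-5a78ae6772b9",
      "UserPrincipalName": "user@example.com",
      "ThreatScoreHistory": [
        {"dateFormatted": "20221011", "dateUtc": 1665531216000,
         "score": 0, "percentile": 0, "breakdown": {}},
        {"dateFormatted": "20221010", "dateUtc": 1665444816000,
         "score": 0, "percentile": 0, "breakdown": {}}
      ]
    }
  ],
  "MaximumScore": 270,
  "ModuleName": "MCASModule"
}
""")


def summarize(detailed_results, score_threshold):
    """Derive the aggregate fields from the per-user results.

    Assumption: a user is "above threshold" when ThreatScore >= ScoreThreshold,
    reading the page's "minimum investigation score" inclusively.
    """
    scores = [int(r.get("ThreatScore", 0)) for r in detailed_results]
    flagged = [r["UserPrincipalName"] for r in detailed_results
               if int(r.get("ThreatScore", 0)) >= score_threshold]
    return {
        "AnalyzedEntities": len(detailed_results),
        "AboveThreholdCount": len(flagged),  # property name as the module emits it
        "MaximumScore": max(scores, default=0),
        "FlaggedUsers": flagged,
    }


def check_consistency(module_return, score_threshold):
    """Return {property: (reported, recomputed)} for every aggregate that
    disagrees with DetailedResults; an empty dict means the return is consistent."""
    expected = summarize(module_return["DetailedResults"], score_threshold)
    mismatches = {}
    for key in ("AnalyzedEntities", "AboveThreholdCount", "MaximumScore"):
        if module_return.get(key) != expected[key]:
            mismatches[key] = (module_return.get(key), expected[key])
    return mismatches


def score_trend(result):
    """Order ThreatScoreHistory oldest-first as (date, score) pairs and return
    the latest day-over-day change, so an analyst can see whether a score is rising."""
    hist = sorted(result["ThreatScoreHistory"], key=lambda h: h["dateUtc"])
    pairs = [(h["dateFormatted"], h["score"]) for h in hist]
    delta = pairs[-1][1] - pairs[-2][1] if len(pairs) >= 2 else 0
    return pairs, delta


if __name__ == "__main__":
    # With ScoreThreshold=300 the sample is consistent; with 250 the single
    # user (score 270) should have been counted, so a mismatch is reported.
    print(summarize(SAMPLE_RETURN["DetailedResults"], 300))
    print(check_consistency(SAMPLE_RETURN, 300))
    print(check_consistency(SAMPLE_RETURN, 250))
    print(score_trend(SAMPLE_RETURN["DetailedResults"][0]))
```

Note that the sample return reports the key as AnalyzedEntities while the property table spells it AnalysedEntities; the code follows the JSON, which is what a playbook actually receives.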

Deployment

To deploy the Sentinel Triage AssistanT visit the deployment documentation.

Post Deployment

This module needs the API URL of your Microsoft Defender for Cloud Apps tenant. You can find this URL in the portal https://portal.cloudappsecurity.com/ by following these steps:

  1. Click on the ❔ icon in the top right.
  2. Click on the About item.
  3. Copy the URL shown in the PORTAL URL section (note that it has the syntax https://..portal.cloudappsecurity.com). Then add this URL (as-is, without a trailing slash) in the logic app itself. When you edit the logic app for this module and open the designer, you can enter the URL in the first step.

If you do not add the URL, the module will try to determine the correct URL on its own by trying all common tenant regions. This is best effort and may not work consistently. If no valid URL can be identified, the module will fail and return a 404 error.
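Because a wrong or malformed URL only surfaces as a failed run, it is worth checking the value before pasting it into the first Logic App step. The following is an added example, not code from the STAT project: it normalizes a portal URL to the form the text asks for (https, host only, no trailing slash) and rejects the common mistakes. The host shape `<tenant>.<region>.portal.cloudappsecurity.com` and the sample tenant names are assumptions for the example.

```python
"""Added example (not part of the STAT project): validate and normalize the
Defender for Cloud Apps portal URL before entering it in the module."""
from urllib.parse import urlsplit

# The page shows the URL syntax as https://..portal.cloudappsecurity.com;
# the tenant/region labels in front of this suffix are assumed here.
PORTAL_SUFFIX = ".portal.cloudappsecurity.com"


def normalize_portal_url(url):
    """Return the URL as the module expects it (https scheme, lowercase host,
    no path, query, fragment or trailing slash), or raise ValueError saying why."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        raise ValueError(f"scheme must be https, got {parts.scheme!r}")
    host = parts.netloc.lower()
    if not host.endswith(PORTAL_SUFFIX):
        raise ValueError(f"host must end with {PORTAL_SUFFIX}, got {host!r}")
    prefix = host[: -len(PORTAL_SUFFIX)]
    # At least one non-empty label (tenant, optionally region) must precede the suffix.
    if not prefix or not all(prefix.split(".")):
        raise ValueError(f"missing tenant/region labels in {host!r}")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError("enter only the base URL, without a path, query or fragment")
    return f"https://{host}"


def is_valid_portal_url(url):
    """Boolean form of normalize_portal_url, handy for a quick pre-flight check."""
    try:
        normalize_portal_url(url)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample values; "contoso" and "us3" are placeholders.
    for candidate in (
        "https://contoso.us3.portal.cloudappsecurity.com/",   # trailing slash: normalized
        "http://contoso.us3.portal.cloudappsecurity.com",     # wrong scheme: rejected
        "https://contoso.us3.portal.cloudappsecurity.com/#/dashboard",  # deep link: rejected
        "https://portal.cloudappsecurity.com",                # generic portal, no tenant: rejected
    ):
        try:
            print(candidate, "->", normalize_portal_url(candidate))
        except ValueError as err:
            print(candidate, "-> rejected:", err)
```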

You also need to grant the following permissions:

  • Grant the Logic App managed identity the Microsoft Cloud App Security application permission investigation.read (GrantPermissions.ps1)
  • Grant the Logic App managed identity the Microsoft Sentinel Responder RBAC role on the resource group containing Microsoft Sentinel (GrantPermissions.ps1)

Additional Links