About The Integration
The Intezer connector for Microsoft Sentinel lets security teams automate threat analysis, detection, and response by bringing Intezer's verdicts and recommendations into their Microsoft Sentinel workflows.
Utilizing Intezer Automated Triage in Sentinel Workflows
Intezer's investigation data can enhance your workflows in the following ways:
- Enrichment: Intezer's assessment provides valuable information to enrich your existing tickets or cases, adding deeper context to the investigation and response process.
- Resolving False Positives: Intezer's assessment helps automatically resolve or de-prioritize tickets identified as false positives, reducing noise and allowing your team to focus on genuine threats.
- Escalation of Urgent Incidents: If Intezer determines that an incident is high urgency (e.g., ransomware, potentially targeted), you can trigger immediate notifications so the team is alerted promptly. Alerts that are not escalated can be reviewed periodically.
- Remediation: Leverage Intezer's recommended remediation actions like blocking IOCs or resetting user credentials.
For more information, refer to the "Leveraging Intezer's Smart Decision Making in Your SOAR" article.
Supported Actions
Playbook 1: Update Incident - Intezer Alert Webhook
Trigger: HTTP request after Intezer finishes processing an alert.
Assuming you have connected Microsoft Defender to Intezer, this playbook runs whenever Intezer completes processing of an alert. It appends a context-specific comment, carrying Intezer's findings for that alert, to the corresponding incident in Microsoft Sentinel. Because the playbook is started by an inbound HTTP request, treat its trigger URL as a secret and share it only with Intezer.
Playbook 2: Submit Intezer Alert - Incident Triggered
Trigger: Creation of a new incident in Microsoft Sentinel.
This playbook forwards the details of a new Microsoft Sentinel incident, including associated file hashes and network artifacts, to Intezer for analysis and processing.
Playbook 3: Submit Intezer Scan File Hash - Incident Triggered
Trigger: Creation of a new incident in Microsoft Sentinel.
This playbook extracts file hashes from the Microsoft Sentinel incident, then forwards them to Intezer for in-depth analysis. A comment containing Intezer's verdict is appended back to the incident, ensuring that all relevant information is accessible in one place.
Playbook 4: Submit Intezer Scan URL - Incident Triggered
Trigger: Creation of a new incident in Microsoft Sentinel.
This playbook extracts associated URLs from the Microsoft Sentinel incident, then forwards them to Intezer for in-depth analysis. A comment containing Intezer's verdict is appended back to the incident, ensuring that all relevant information is accessible in one place.
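The following Python is an added example, not code from Intezer or from the playbooks in the GitHub repository. It shows the two pieces of logic the playbooks above rely on: pulling file hashes and URLs out of a Sentinel incident's entity list (Playbooks 3 and 4), and mapping a verdict onto the enrichment, false-positive and escalation outcomes listed under "Utilizing Intezer Automated Triage". The entity shape (`kind`, `properties.algorithm`, `properties.hashValue`, `properties.url`) is assumed to follow the Sentinel incident entities API; the verdict fields (`verdict`, `sub_verdict`, `family_name`) and the set of sub-verdicts treated as urgent are simplified assumptions, not Intezer's documented schema. The sample entities are constructed.

```python
"""Added example: extract hashes/URLs from a Sentinel incident and triage an
Intezer-style verdict. Entity layout and verdict fields are assumptions."""
import re
from dataclasses import dataclass
from typing import Optional

# Hex digest lengths of the hash algorithms Sentinel FileHash entities carry.
HASH_LENGTHS = {32: "MD5", 40: "SHA1", 64: "SHA256"}

# Constructed sample of an incident's "entities" array (assumed API shape).
SAMPLE_ENTITIES = [
    {"kind": "FileHash", "properties": {"algorithm": "SHA256",
        "hashValue": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"}},
    {"kind": "FileHash", "properties": {"algorithm": "MD5",
        "hashValue": "d41d8cd98f00b204e9800998ecf8427e"}},
    {"kind": "FileHash", "properties": {"algorithm": "SHA1",
        "hashValue": "not-a-real-hash"}},                     # malformed, dropped
    {"kind": "Url", "properties": {"url": "http://example.test/payload.bin"}},
    {"kind": "Url", "properties": {"url": "http://example.test/payload.bin"}},  # duplicate
    {"kind": "Host", "properties": {"hostName": "WS-01"}},   # not submitted
]

# Assumption: sub-verdicts that the page's "high urgency" rule would escalate.
URGENT_SUB_VERDICTS = {"ransomware", "targeted"}


def extract_hashes(entities):
    """Return (algorithm, lowercase hex) pairs from well-formed FileHash
    entities, deduplicated and in incident order. Anything that is not a hex
    digest of a known length is skipped rather than sent for analysis."""
    seen, out = set(), []
    for ent in entities:
        if ent.get("kind") != "FileHash":
            continue
        value = str(ent.get("properties", {}).get("hashValue", "")).strip().lower()
        algo = HASH_LENGTHS.get(len(value))
        if algo is None or not re.fullmatch(r"[0-9a-f]+", value):
            continue
        if value not in seen:
            seen.add(value)
            out.append((algo, value))
    return out


def extract_urls(entities):
    """Return deduplicated URL strings from Url entities."""
    seen, out = set(), []
    for ent in entities:
        if ent.get("kind") != "Url":
            continue
        url = ent.get("properties", {}).get("url")
        if url and url not in seen:
            seen.add(url)
            out.append(url)
    return out


@dataclass
class TriageDecision:
    action: str               # "escalate" | "close_false_positive" | "enrich"
    severity: Optional[str]   # severity to set on the incident, None = unchanged
    comment: str              # text appended to the Sentinel incident


def triage(verdict):
    """Map an assumed verdict dict {"verdict", "sub_verdict", "family_name"}
    onto one of the workflow outcomes: escalate urgent malware, auto-close
    trusted items as false positives, otherwise just enrich the incident."""
    v = verdict.get("verdict", "unknown")
    sub = verdict.get("sub_verdict", "")
    family = verdict.get("family_name") or "unknown"
    if v == "malicious" and sub in URGENT_SUB_VERDICTS:
        return TriageDecision("escalate", "High",
            f"Intezer: malicious ({sub}), family {family}. Escalated for immediate review.")
    if v == "malicious":
        return TriageDecision("enrich", "Medium",
            f"Intezer: malicious ({sub}), family {family}. Review in the next triage pass.")
    if v == "trusted":
        return TriageDecision("close_false_positive", None,
            f"Intezer: trusted ({sub}). Closed as false positive.")
    # "suspicious", "unknown" or anything unexpected: add context, change nothing.
    return TriageDecision("enrich", None, f"Intezer: {v} ({sub}). No automatic action taken.")


if __name__ == "__main__":
    print(extract_hashes(SAMPLE_ENTITIES))
    print(extract_urls(SAMPLE_ENTITIES))
    print(triage({"verdict": "malicious", "sub_verdict": "ransomware", "family_name": "ExampleFamily"}))
```

In a Logic App the same steps are the "Entities - Get FileHashes" / "Entities - Get URLs" actions followed by an Intezer action and an "Add comment to incident" step; the point of the validation in `extract_hashes` is that a malformed or duplicated artifact should be dropped before it is submitted, not after a failed analysis call.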
Install Intezer Playbooks
To install the Intezer playbooks, follow the instructions in the GitHub repository.