RiskIQ Illuminate Content hub solution within Microsoft Sentinel

TL;DR – An overview of RiskIQ Illuminate solution available through Microsoft Sentinel Content hub.

The last few months I have been spending quite a bit of time with Microsoft Sentinel, to the point that a day hasn’t gone by that I don’t at least mumble the word ‘Sentinel’. It’s truly an impressive service and it’s quite intuitive. 

We have been receiving questions on RiskIQ and Microsoft Sentinel, specifically around the new RiskIQ Illuminate solution that is available in the Microsoft Sentinel Content hub. This blog will go through the process to configure and test this solution.

Install RiskIQ Illuminate Content hub solution

Install of the solution is just a click away, just click on ‘Install’. Yes, it’s that easy!

As you can see above the solution comes with 27 playbooks (currently). These playbooks will basically go find out if RiskIQ knows anything about the entities (hosts or IPs) associated with specific incidents. And if so, then it enriches the incident by increasing the severity, adding some useful tags, and comments with links to the information found on RiskIQ. This ensures the SOC analysts working these incidents have this very valuable information easily available when they need it.

RiskIQ Community Account

In order for the playbooks to have access to RiskIQ you will need a RiskIQ community account with access to Illuminate. Follow these steps to configure it:

1. Register to create an account on the RiskIQ community, if you don’t already have one.
2. Activate the Illuminate trial. Click on ‘Upgrade’, then follow the steps to activate the trial.
3. Once you activate the trial, you need to get your API key through the Account Settings page.

Configure Playbooks

After installation of the solution, you’ll see the RiskIQ playbooks through the Automation blade as shown below.

To ensure the playbooks have access to both RiskIQ and Sentinel you will have to ensure the associated API connections show as “connected”.

We’ll first start with the API connection to RiskIQ. Click on the “RiskIQ-Base” playbook:

Then select the API Connection ‘riskiq-shared’

Then enter the API key information you got from the RiskIQ community account settings page and save.

Now, for the rest of the playbooks you need to authorize the associated API connections. Click on the playbook, for example, “RiskIQ-Automated-Triage-Incident-Trigger”, then click on the associated API Connection as shown below:

Click to Authorize, which will prompt you to login with your user with required permissions. And don’t forget to ‘Save’.

Repeat those steps for the remaining associated API connections for the remaining playbooks.

Testing

To test the playbooks I created a watchlist that included some of the IPs that were listed as IOCs for the RiskIQ: UNC1151/GhostWriter Phishing Attacks Target Ukrainian Soldiers report.

And then I created an analytic rule that just reads from the watchlist, as shown below.

I also configured entity mapping for the IP address as shown below:

While I am here, notice that this incident (150) was automatically created with a ‘medium’ severity, since that’s what I configured in the analytic rule. Now I can run the playbooks from the incidents blade as shown below.

Or I can schedule an automation rule that will trigger the playbooks to run automatically based on a set of conditions as shown below:

For this test I am going to run the playbook manually, so I can show the incident updates.

After the playbook runs, the severity is now raised to ‘High’, there is a new tag added ‘RiskIQ Malicious’, and the status changes to ‘Active’.

Additionally, these useful comments are added to the incident:

Including a link to the associated RiskIQ article:

In the same way that I can run these playbooks at the incident level, I can also run them at the alert level, for any alert associated with the incident, as shown below. This because the solution includes both incident and alert trigger playbooks.

As with any other playbook (logic app), I can also look at the history of the runs:

And just like any other playbook (logic app) I can troubleshoot in case of issues:

Summary

Playbooks in Microsoft Sentinel are used for many different SOAR tasks. This RiskIQ Illuminate solution makes great use of these playbooks to enrich incident data that can make a SOC analyst’s life just a little bit easier. Because we know that these days every little bit counts!