Sentinel Automation Part 2: Automate CISA Known Exploited Vulnerability Notifications
The CISA Known Exploited Vulnerabilities Catalog helps organizations prioritize vulnerabilities; as an end user you want to be notified as soon as a new vulnerability is added. This blog describes four different solutions in Microsoft Sentinel to automate the notification process, leaving you with the important task of analyzing the new threat.
The four automation solutions presented in this blog are:
- Email notifications
- Teams channel notifications
- Sentinel incidents
- Sentinel Analytics Rule
Both the Logic App and the Analytics Rule are available on GitHub.
What is the CISA Known Exploited Vulnerabilities Catalog?
“The Known Exploited Vulnerabilities Catalog is developed for the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild: the Known Exploited Vulnerability (KEV) catalog. CISA strongly recommends all organizations review and monitor the KEV catalog and prioritize remediation of the listed vulnerabilities to reduce the likelihood of compromise by known threat actors” - Source: Cybersecurity and Infrastructure Security Agency
Logic App Base
The email notifications, Teams notifications and Sentinel incident creation all use the same Logic App (Playbook) base, which keeps the process standardized.
This flow consists of the following steps:
- Trigger Schedule - This executes the Logic App daily at a set time.
- Environment input - This input determines where the alert notifications need to go and what the severity of the Sentinel incident must become.
- Azure Monitor KQL Query - This query pulls the data from CISA and uses KQL (what else would you expect on this site ;) ) to determine whether new vulnerabilities have been added. You can further combine this query with Defender For Endpoint to only alert if a device in your environment is affected by the vulnerability. This can be done by using the KQL Query New Active CISA Know Exploited Vulnerability Detected.
- Check if new vulnerabilities are found - The Logic App uses a condition (read: an if statement) to validate the output of the KQL query. If the output contains a record, an automatic notification is triggered; if there is no output, the flow tries again tomorrow.
- Create HTML - The last step before the notifications is to create the HTML string used in the notifications. In this flow one specific HTML template is used; you can change the format per notification type depending on your needs.
The Logic App base provides the input for the notifications; if you do not have Microsoft Sentinel or Teams, the corresponding flows can be deleted from the Logic App.
Input
The Logic App Template uses 4 different input variables.

| Variable | Description |
|---|---|
| SenderToAddress | The persons that should receive a notification via mail. In case of multiple recipients use a ; as a delimiter. |
| SentinelIncidentSeverity | The severity of the created Sentinel Incident. Options: Informational, Low, Medium and High. |
| TeamsChannelEmail | The Microsoft Teams Channels that should be notified. In case of multiple Teams Channels use a ; as a delimiter. |
Sentinel Automation: Interested in more Sentinel automation solutions? Have a look at the Sentinel Automation Repository.
Teams Channel Email
To retrieve the unique email address of a Microsoft Teams Channel the following steps should be taken:
- Navigate to the Teams Channel in which you want to retrieve the notifications.
- Click on the three dots of the channel.
- Click on Get email address.
- Copy the listed email address.
- Paste the listed email address into the TeamsChannelEmail variable.
Teams channel email addresses are actively used to spread malicious content into organisations, so it is important to be aware of the available security settings. There are three options defined in the Advanced Settings. Depending on the use case I only advise using option 2 or 3.
- Anyone can send emails to this address - You do not want to go for this setting: as the name indicates, anyone can send legitimate but also malicious content to this channel.
- Only members of this team - The most secure option of the three, but it comes with a limitation: the account behind the Microsoft Teams Logic App connection must be a member of this channel, which might not be wanted.
- Only members sent from these domains - Another secure option, which only accepts mail from whitelisted domains.
Notifications
Once the variables have been set, it is time to wait for a new addition to the CISA Known Exploited Vulnerabilities Catalog; when a new vulnerability is added, the notifications look similar to those shown below.
Email Notifications
Teams Notifications
Recommendation: Create a new Microsoft Teams channel to push the notifications into; you can then set the channel notifications to alert you on new entries, which allows you to respond even faster.
Sentinel Incidents
Analytics Rule
The last option discussed in this blog does not use a Logic App; instead, a Sentinel Analytics Rule uses KQL to create the incident.
The KQL query is shown below. It leverages the SecurityAlert table to check whether the vulnerability has already been alerted on in the last 24 hours; if that is not the case, a Sentinel incident is created.
```kusto
// Alerts already raised for KEV additions in the last 24 hours, used to de-duplicate
let PreviousAlertTriggers = SecurityAlert
| where TimeGenerated > ago(24h)
| where DisplayName has_all ("CVE-", "CISA Known Exploited Vulnerability Added")
| distinct DisplayName;
// Pull the catalog straight from the CSV that CISA publishes
let KnowExploitesVulnsCISA = externaldata(CVEid: string, Vendor: string, Product: string, vulnerabilityName: string, DateAdded: datetime, Description: string, RequiredAction: string, dueDate: datetime, Notes: string)[@"https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv"] with (format="csv", ignoreFirstRecord=True);
KnowExploitesVulnsCISA
// DateAdded carries no time part (midnight), so >= is needed to include today's additions
| where DateAdded >= startofday(now())
// Days left until the CISA due date: dueDate minus now, so overdue entries become negative
| extend DueDateinDays = datetime_diff('day', dueDate, now())
| extend CreateIncident = iff (strcat(CVEid, " - CISA Known Exploited Vulnerability Added") in (PreviousAlertTriggers), false, true)
| where CreateIncident == true
| project DateAdded, CVEid, Vendor, Product, Description, RequiredAction, Notes, DueDateinDays
```
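As an added example (not code from the blog or its GitHub repository), the same logic as the Logic App steps and the KQL above in Python: read the catalog by header name so an extra CSV column cannot shift fields, keep only entries added on or after a given date that have no earlier alert, and render the HTML string for the notification with every catalog field escaped. The CSV sample, the dates and the set of previous alert titles are constructed; the real catalog would be fetched from the URL in the query.

```python
import csv
import html
import io
from datetime import date

# Constructed sample in the layout of the CISA KEV CSV: the header names are the
# real ones, the three records below are made up for this example.
SAMPLE_KEV_CSV = """\
cveID,vendorProject,product,vulnerabilityName,dateAdded,shortDescription,requiredAction,dueDate,knownRansomwareCampaignUse,notes
CVE-0000-0001,ExampleVendor,ExampleProduct,Example RCE,2024-05-01,Constructed <b>entry</b>,Apply updates per vendor instructions.,2024-05-22,Unknown,
CVE-0000-0002,ExampleVendor,ExampleGateway,Example auth bypass,2024-05-01,Constructed entry,Apply updates per vendor instructions.,2024-05-22,Known,
CVE-0000-0003,OtherVendor,OtherProduct,Example overflow,2024-04-20,Constructed entry,Apply updates per vendor instructions.,2024-05-11,Unknown,
"""

# Same alert title pattern the analytics rule uses for its de-duplication lookup.
ALERT_SUFFIX = " - CISA Known Exploited Vulnerability Added"


def parse_kev(csv_text):
    """Read the catalog by header name, not column position, so a column added
    in a later CSV revision cannot silently shift the fields."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def new_entries(rows, since_iso, previous_alert_titles):
    """The rule's two checks: added on or after `since_iso` (YYYY-MM-DD) and
    no earlier alert carrying the '<CVE> - ... Added' title."""
    since = date.fromisoformat(since_iso)
    return [r for r in rows
            if date.fromisoformat(r["dateAdded"]) >= since
            and r["cveID"] + ALERT_SUFFIX not in previous_alert_titles]


def due_in_days(row, today_iso):
    """Days left until the CISA due date (negative once it is overdue)."""
    return (date.fromisoformat(row["dueDate"]) - date.fromisoformat(today_iso)).days


def to_html(rows, today_iso):
    """Build the notification table; every catalog field is HTML-escaped,
    because the string is rendered as markup by mail and Teams clients."""
    head = "<tr><th>CVE</th><th>Vendor</th><th>Product</th><th>Description</th><th>Required action</th><th>Due in (days)</th></tr>"
    body = ""
    for r in rows:
        fields = (r["cveID"], r["vendorProject"], r["product"], r["shortDescription"],
                  r["requiredAction"], str(due_in_days(r, today_iso)))
        body += "<tr>" + "".join("<td>%s</td>" % html.escape(f) for f in fields) + "</tr>"
    return "<table>" + head + body + "</table>"
```

An empty result from `new_entries` is the "try again tomorrow" branch of the Logic App condition; a non-empty one feeds `to_html` and the notification steps.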
The ARM template below, including the rule's dynamic metadata, can be imported directly into Sentinel.
```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9531b108-1928-4ada-bd96-52308174c7f0')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9531b108-1928-4ada-bd96-52308174c7f0')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2023-12-01-preview",
      "properties": {
        "displayName": "CISA Known Exploited Vulnerability Added",
        "description": "This analytics rule triggers when a new vulnerability has been added to the CISA Known Exploited Vulnerabilities Catalog (https://www.cisa.gov/known-exploited-vulnerabilities).",
        "severity": "Medium",
        "enabled": true,
        "query": "let PreviousAlertTriggers = SecurityIncident\n | where TimeGenerated > ago(24h)\n | where Title has_all (\"CVE-\", \"CISA Known Exploited Vulnerability Added\")\n | distinct Title;\nlet KnowExploitesVulnsCISA = externaldata(CVEid: string, Vendor: string, Product: string, vulnerabilityName: string, DateAdded: datetime, Description: string, RequiredAction: string, dueDate: datetime, Notes: string)[@\"https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv\"] with (format=\"csv\", ignoreFirstRecord=True);\nKnowExploitesVulnsCISA\n| where DateAdded > startofday(now() - 1d)\n| extend DueDateinDays = datetime_diff('day', dueDate, now())\n| extend CreateIncident = iff (strcat(CVEid, \" - CISA Known Exploited Vulnerability Added\") in (PreviousAlertTriggers), false, true)\n| where CreateIncident == true\n| project DateAdded, CVEid, Vendor, Product, Description, RequiredAction, Notes, DueDateinDays, dueDate",
        "queryFrequency": "PT10M",
        "queryPeriod": "P1D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "startTimeUtc": null,
        "tactics": [],
        "techniques": [],
        "alertRuleTemplateName": null,
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "reopenClosedIncident": false,
            "lookbackDuration": "P1D",
            "matchingMethod": "AllEntities",
            "groupByEntities": [],
            "groupByAlertDetails": [],
            "groupByCustomDetails": []
          }
        },
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "alertDetailsOverride": {
          "alertDisplayNameFormat": "{{CVEid}} - CISA Known Exploited Vulnerability Added",
          "alertDescriptionFormat": "<div style=\"background-color: #000000;border-left: 6px solid #f44336;\"><p style=\"padding-left: 5px\"><strong> {{CVEid}} - {{Vendor}}</strong> </p></div>\n\nVulnerability description: {{Description}} \n\nThis analytics rule triggers when a new vulnerability has been added to the CISA Known Exploited Vulnerabilities Catalog (https://www.cisa.gov/known-exploited-vulnerabilities).",
          "alertDynamicProperties": []
        },
        "customDetails": {
          "CVEid": "CVEid",
          "Vendor": "Vendor",
          "Product": "Product"
        },
        "entityMappings": null,
        "sentinelEntitiesMappings": [
          {
            "columnName": "CVEid"
          }
        ],
        "templateVersion": null,
        "subTechniques": []
      }
    }
  ]
}
```
Questions? Feel free to reach out to me on any of my socials.