Introducing Ollie

Ollie is your personal Azure Sentinel assistant! By using Ollie, you can administer Azure Sentinel from within your Teams client! Need to add a Threat Intelligence Indicator or update a watchlist? Ollie has got you covered.

Ollie is the first beta version of the Azure Sentinel assistant, which is a Teams bot to administer Azure Sentinel. It currently supports creating TI Indicators and will create an incident when a hit is found. Besides that, it also allows you to update watchlists (add new items and remove current ones).

By using Ollie, you can easily administer Azure Sentinel and update Azure Sentinel resources without having to log into the Azure portal. This limits the amount of time it takes to add new TI indicators, which allows a security analyst to hunt for new threats sooner.

Threat Intelligence

Ollie allows you to easily add Threat Intelligence Indicators and will immediately search all your logs to see if this TI has been observed in the environment within the last 180 days. If a hit is found, an incident will be created for a SOC analyst to investigate.

Ollie will allow you to pick the kind of indicator you want to add (IP, URL, Filehash...) and automatically provides a form for you to fill in, in which all of the required properties are included. You provide the necessary details and the indicator will be added into Azure Sentinel.

After the indicator is added, Ollie will retroactively look into all of the data you have stored in Azure Sentinel and check if a match for this indicator has been found. If a hit is found, an incident will be created. Ollie automatically runs certain queries which go back in time for up to 180 days to find potential matches. This is an improvement compared to the built-in capabilities, as the built-in analytic rules will only look into historical data for the last 14 days. To search the logs, the Azure Sentinel normalization schemas are used. This ensures Ollie is able to look into all of the data which resides inside of the Azure Sentinel environment and isn't limited to the default tables available. Do you have a custom data source? Just include it in the parser and Ollie will include it in his searches!
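
An added sketch of the retroactive search described above (not Ollie's own code, which is built with C#): it validates an analyst-supplied indicator before placing it in a KQL query against a normalization parser, capped at the 180-day window. The parser names (`imNetworkSession`, `imWebSession`, `imFileEvent`), the column names and the function names are assumptions for illustration; a deployment's own parsers may differ.

```python
import ipaddress
import re

MAX_LOOKBACK_DAYS = 180  # the retro-search window stated on the page

# Assumed mapping: indicator kind -> (normalization parser, columns to match).
TARGETS = {
    "ip": ("imNetworkSession", ["SrcIpAddr", "DstIpAddr"]),
    "url": ("imWebSession", ["Url"]),
    "filehash": ("imFileEvent", ["TargetFileSHA256"]),
}


def kql_literal(value: str) -> str:
    """Quote a string for KQL, escaping backslashes and double quotes."""
    if any(ord(c) < 0x20 for c in value):
        raise ValueError("control characters are not allowed in an indicator")
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def normalize(kind: str, value: str) -> str:
    """Validate the analyst-supplied value before it reaches a query."""
    value = value.strip()
    if kind == "ip":
        return str(ipaddress.ip_address(value))  # raises ValueError if invalid
    if kind == "filehash":
        if not re.fullmatch(r"[A-Fa-f0-9]{64}", value):
            raise ValueError("expected a SHA-256 hex digest")
        return value.lower()
    if kind == "url":
        if not re.match(r"https?://", value, re.IGNORECASE):
            raise ValueError("expected an http(s) URL")
        return value
    raise ValueError(f"unsupported indicator kind: {kind}")


def build_retro_query(kind: str, value: str, days: int = MAX_LOOKBACK_DAYS) -> str:
    """Return the KQL text for a retroactive match on one indicator."""
    literal = kql_literal(normalize(kind, value))
    parser, columns = TARGETS[kind]
    days = max(1, min(int(days), MAX_LOOKBACK_DAYS))  # clamp to the window
    match = " or ".join(f"{col} =~ {literal}" for col in columns)
    return "\n".join([
        parser,
        f"| where TimeGenerated > ago({days}d)",
        f"| where {match}",
        "| summarize Hits = count(), FirstSeen = min(TimeGenerated), "
        "LastSeen = max(TimeGenerated)",
    ])
```

The returned text is what would be submitted through the Log Analytics API; a non-zero `Hits` is the condition under which an incident would be opened.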

Watchlists

Watchlists are essential in every Azure Sentinel deployment. But keeping them up to date can be a big task and is often forgotten. Ollie significantly reduces the time it takes to manage watchlists. By allowing you to edit watchlists from within Teams, it takes just a few seconds to remove or add an entry.

What makes it unique?

Ollie is built on top of the Teams bot framework and interacts with Azure Sentinel through a couple of APIs. In total, three APIs are used:

  • The Azure Management API is used to edit watchlists and create incidents
  • By using the Security Graph API, we can create new indicators
  • Reading data is done through the Log Analytics API

Ollie is a great example of how easy it is to automate Azure Sentinel and what flexibility the APIs provide in conjunction with the rest of the Microsoft ecosystem.

The normalization schemas are used by Ollie to easily search for potential TI matches within the entire Azure Sentinel environment. By using the normalization schemas, Ollie uses an extremely powerful feature within Azure Sentinel that will boost his power in the future. If additional data sources are onboarded into the custom parsers, Ollie automatically looks into that data as well.

What's next for Ollie?

Ollie is our very first iteration of an Azure Sentinel bot. The current implementation contains some of the mundane tasks we wanted to implement within our own Azure Sentinel environment. By using APIs, almost all Azure Sentinel tasks can be automated. We are interested to hear community feedback and look into expanding Ollie's feature set. Should he be able to query open incidents? Add comments? Hunt into data? The sky is the limit!

Built With

  • adaptivecards
  • api
  • azuresentinel
  • bot
  • c#
  • normalizationschema
  • teams