Update readme.md
MrSharpBones authored Oct 3, 2024
1 parent 3da36aa commit 3c4bb0b
Showing 1 changed file with 33 additions and 17 deletions.
50 changes: 33 additions & 17 deletions MDTI Actor Lookup/readme.md
@@ -1,6 +1,6 @@
# MDTI Actor Lookup

Welcome to the **MDTI Actor Lookup** project! This repository focuses on using the MDTI API, a function app, and a logic app together to automate Threat Infrastructure Chaining.
Welcome to the **MDTI Actor Lookup** project! This repository focuses on using the MDTI API, a function app, and a logic app together to automate Threat Infrastructure Chaining, also Copilot for Security assists us with detailed actor group information.

## Table of Contents

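Review bot: the rewritten opening sentence joins two independent clauses with a comma ("...to automate Threat Infrastructure Chaining, also Copilot for Security assists us with detailed actor group information"); split it into two sentences, e.g. "...to automate Threat Infrastructure Chaining. Copilot for Security adds detailed actor group information."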
@@ -14,7 +14,30 @@ Welcome to the **MDTI Actor Lookup** project! This repository focuses on using t

## Introduction

The MDTI Actor Lookup project leverages the MDTI API, a function app, and a logic app to automate the process of Threat Infrastructure Chaining. This automation helps in identifying and linking threat actors and their infrastructure efficiently.
The MDTI Actor Lookup project leverages the MDTI API, a function app, and a logic app to automate the process of Threat Infrastructure Chaining. This automation helps in identifying and linking threat actors and their infrastructure efficiently. There are a few requirements to be aware of before we begin:

- The base requirements to use the function app will be the code, a working function app plan (in our case we're using consumption) and an MDTI API license.
- To use the Logic App, you will need Sentinel to be deployed and generating incidents (or you could change the trigger).
- A Copilot for Security SCU or as many as the organization requires.

- **Deploying the MDTI API** - https://review.learn.microsoft.com/en-us/graph/api/resources/security-threatintelligence-overview?branch=main&branchFallbackFrom=pr-en-us-21547&view=graph-rest-1.0
**Choosing a Function Apps plan** - https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale
**Deploy Copilot SCUs** - https://learn.microsoft.com/en-us/copilot/security/get-started-security-copilot

Seems like a lot right? But most of these items are deployed within your environment if you're an existing Sentinel customer.

**The function app will perform the following tasks:**

1. For a given IOC (IP/Domain) the app will iterate through associated pdns information, for as long as the IP has been active.
2. The MDTI reputation endpoint will provide an output of a score but also indicate if we have actor attribution to the IOC
3. If an actor group is found, a list of the actor name(s) and the associated domain/ip will be provided.

**The Logic app will perform the following tasks:**

1. Take any found actor group, remove the domains and create an array
2. Pass the groups to Copilot for Security and ask for a summary
3. Copilot will write out a comment for each group containing a detailed summary of the group as well as look at Threat Analytics (for MDE customers) to show affected machines based on known vulnerabilities
4. The incident will be changed to high severity and Active status. Also the LA will add tags of the actor group name to the incident

## Features

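Review bot: the "Deploying the MDTI API" link points at review.learn.microsoft.com with `?branch=main&branchFallbackFrom=pr-en-us-21547`, which is an internal pre-publication staging URL that readers outside Microsoft cannot open; replace it with the same path on learn.microsoft.com without the branch query parameters. In the same block only the first of the three links carries a `- ` bullet, so "Choosing a Function Apps plan" and "Deploy Copilot SCUs" render as a continuation of the first list item rather than as separate items. Minor: "LA" in the last Logic App step is an unexpanded abbreviation; spell out "Logic App".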
@@ -24,27 +47,20 @@ The MDTI Actor Lookup project leverages the MDTI API, a function app, and a logi

## Getting Started

To get started with the MDTI Actor Lookup project, you'll need to have an Azure account and the necessary permissions to deploy resources. Also this playbook will use Copilot for Security to provide threat actor summaries, so you'll need to have at least 1 SCU configured in your tenant. The MDTI API is a licensed feature, if you do not have the license please reach out to your account representative for purchase info and/or trial assistance.
To get started with the MDTI Actor Lookup project, you'll need to have an Azure account and the necessary permissions to deploy resources. Also this playbook will use Copilot for Security to provide threat actor summaries. The MDTI API is a licensed feature, if you do not have the license please reach out to your account representative for purchase info and/or trial assistance.

You can however just use the MDTI API and the function app and hook them into whichever system you'd like. You'll lose the SOAR functionality but you'll stil get the benefit of lightning fast infra chaining.

## Deployment
## Deployment of the Function App

Follow these steps to deploy the application to Azure:

1. **Clone the repository**:
```bash
git clone /~https://github.com/MrSharpBones/mdti-actor-lookup.git
```
2. **Navigate to the project directory**:
```bash
cd mdti-actor-lookup
```
3. **Deploy to Azure**:
- Use the Azure portal or Azure CLI to deploy the function app and logic app.
- Assign the necessary names and configurations as per your requirements.

[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2raw.githubusercontent.com%2MrSharpBones%2MDTI%2refs%2heads%2main%2MDTI%20Actor%20Lookup%2deploy-to-azure.json)
1. Deploy a new python based function app
2. Gather your API information for MDTI
3. Create a new HTTP trigger within your function app
4. You can edit the file directly in the portal but I would recommend that you use VSCode to work with the files as there exists no way to commit the requirements.txt and other files via the UI. https://learn.microsoft.com/en-us/azure/azure-functions/functions-develop-vs-code?tabs=node-v4%2Cpython-v2%2Cisolated-process%2Cquick-create&pivots=programming-language-python
5. There are some parameters you need to replace within the function_app.py code, they're within the <> symbols for convienience.
6. Once deployed you'll have generated the keys within the app, to access your app simply browse the url which will look something like https://sitename.azurewebsites.net/api/functionappname?code=<yourfunctionkey>&item=<IOC>

## Usage

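Review bot: step 5 has the user paste values into the `<>` placeholders in function_app.py, and step 2 has them gather their MDTI API information, so the API credentials end up hardcoded in source that is then uploaded or committed; document reading them from the function app's application settings (environment variables, optionally Key Vault references) and keep the `<>` placeholders only for non-secret values. Step 6's example URL puts the function key in the query string (`?code=<yourfunctionkey>`), where it lands in browser history and proxy or server logs; state that the key is a secret and that Azure Functions also accepts it in the `x-functions-key` request header. Typo in step 5: "convienience" should be "convenience".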