AbuseIPDB Enrich Incident By IP Info

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

Back to Content Index

Once a new sentinal incident is created, this playbook gets triggered and performs the following actions: 1. Gets Information from AbuseIPDB by IP`s, provided in the alert custom entities. 2. Enriches the incident with the obtained info.

Attribute Value
Type Playbook
Solution AbuseIPDB
Source View on GitHub

Additional Documentation

📄 Source: AbuseIPDB-EnrichIncidentByIPInfo/readme.md

AbuseIPDB-EnrichIncidentByIPInfo

## Summary Once a new sentinal incident is created, this playbook gets triggered and performs the following actions: 1. Gets Information from AbuseIPDB by IP`s, provided in the alert custom entities. 2. Enriches the incident with the obtained info.


Prerequisites

  1. AbuseIPDBAPI Custom Connector has to be deployed prior to the deployment of this playbook under the same subscription.

Deployment instructions

  1. To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
  2. Fill in the required paramteres:
    • Playbook Name: Enter the playbook name here

Deploy to Azure Deploy to Azure

Post-Deployment instructions

a. Authorize connections

Once deployment is complete, authorize each connection.

  1. Open playbook which has been deployed
  2. Click API connection on left side blade
  3. Click the Microsoft Sentinel connection resource
  4. Click edit API connection
  5. Click Authorize
  6. Sign in
  7. Click Save
  8. Repeat steps for AbuseIPDBAPI connector API Connection

b. Configurations in Sentinel

  1. In Microsoft Sentinel, analytical rules should be configured to trigger an incident.
  2. Configure the automation rules to trigger the playbook.

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

Back to Playbooks · Back to AbuseIPDB