CiscoISE-SuspendGuestUser
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
When a new sentinel incident is created, this playbook gets triggered and performs the following actions: 1. For each Account in the incident suspends user in Cisco ISE by its name. 2. Adds comment to the incident with information about suspended users.
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | Cisco ISE |
| Source | View on GitHub |
Logic App Connectors
This playbook uses 2 Logic App connectors / built-in actions:
| Connector / Action | Type | Connections | Actions |
|---|---|---|---|
azuresentinel |
Managed | 1 | 2 |
CiscoISE |
Custom | 1 | 1 |
Action parameters (URLs, paths, function IDs)
azuresentinel (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Add_comment_to_incident_(V3) | post | /Incidents/Comment |
— |
| Entities_-_Get_Accounts | post | /entities/account |
— |
CiscoISE (Custom)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Suspend_guest_user_by_name | put | /ers/config/guestuser/suspend/name/@{encodeURIComponent(item()['Name'])} |
— |
Additional Documentation
📄 Source: CiscoISE-SuspendGuestUser/readme.md
Summary
When a new sentinel incident is created, this playbook gets triggered and performs the following actions:
- For each Account in the incident suspends user in Cisco ISE by its name.
- Adds comment to the incident with information about suspended users.
Prerequisites
- Prior to the deployment of this playbook, Cisco ISE Connector needs to be deployed under the same subscription.
- Obtain Cisco ISE ERS API credentials. Refer to Cisco ISE Custom Connector documentation.
Deployment instructions
- To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
- Fill in the required paramteres:
- Playbook Name: Enter the playbook name here
Post-Deployment instructions
a. Authorize connections
Once deployment is complete, authorize each connection.
- Click the Azure Sentinel connection resource
- Click edit API connection
- Click Authorize
- Sign in
- Click Save
- Repeat steps for other connections
b. Configurations in Sentinel
- In Azure sentinel, analytical rules have to be configured to trigger an incident with risky user account. In the Entity maping section of the analytics rule creation workflow, user's name has to be mapped to Name identitfier of the Account entity type. Check the documentation to learn more about mapping entities.
- Configure the automation rules to trigger the playbook.
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊