CiscoISE-TakeEndpointActionFromTeams
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
When a new sentinel incident is created, this playbook gets triggered and performs the following actions: 1. Sends an adaptive card to the Teams channel where the analyst can choose an action to be taken. 2. Assigns a policy (policy name is provided during the deployment stage) to an endpoint (MACAddress of the endpoint is provided in the alert custom entities) depending on the action chosen in the adaptive card. 3. Changes incident status and severity depending on the action chosen in the ada
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | Cisco ISE |
| Source | View on GitHub |
Logic App Connectors
This playbook uses 3 Logic App connectors / built-in actions:
| Connector / Action | Type | Connections | Actions |
|---|---|---|---|
azuresentinel |
Managed | 1 | 12 |
teams |
Managed | 1 | 0 |
CiscoISE |
Custom | 1 | 1 |
Action parameters (URLs, paths, function IDs)
azuresentinel (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Add_comment_to_incident_(V3) | post | /Incidents/Comment |
— |
| Update_incident | put | /Incidents |
— |
| Update_incident_2 | put | /Incidents |
— |
| Update_incident_3 | put | /Incidents |
— |
| Update_incident_4 | put | /Incidents |
— |
| Update_incident_5 | put | /Incidents |
— |
| Update_incident_6 | put | /Incidents |
— |
| Update_incident_7 | put | /Incidents |
— |
| Update_incident_8 | put | /Incidents |
— |
| Update_incident_9 | put | /Incidents |
— |
| Update_incident_10 | put | /Incidents |
— |
| Update_incident_11 | put | /Incidents |
— |
CiscoISE (Custom)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Assign_an_ANC_policy_to_an_endpoint | put | /ers/config/ancendpoint/apply |
— |
Additional Documentation
Summary
When a new sentinel incident is created, this playbook gets triggered and performs the following actions:
- Sends an adaptive card to the Teams channel where the analyst can choose an action to be taken.
- Assigns a policy (policy name is provided during the deployment stage) to an and point (MACAddress of the endpoint is provided in the alert custom entities) depending on the action chosen in the adaptive card.
- Changes incident status and severity depending on the action chosen in the adaptive card.
- Adds comment to the incident with information about the actions taken.
Prerequisites
- Prior to the deployment of this playbook, Cisco ISE Connector needs to be deployed under the same subscription.
- Obtain Cisco ISE ERS API credentials. Refer to Cisco ISE Custom Connector documentation.
- Obtain Teams group id and channel id.
Deployment instructions
- To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
- Fill in the required paramteres:
- Playbook Name: Enter the playbook name here
- Teams Group Id: Id of the Teams Group where the adaptive card will be posted
- Teams Channel Id: Id of the Teams Channel where the adaptive card will be posted
- Policy Name: Policy name to be assigned to an endpoint
Post-Deployment instructions
a. Authorize connections
Once deployment is complete, authorize each connection.
- Click the Azure Sentinel connection resource
- Click edit API connection
- Click Authorize
- Sign in
- Click Save
- Repeat steps for other connections
b. Configurations in Sentinel
- In Azure sentinel, analytical rules should be configured to trigger an incident. An incident should have the MACAddress custom entity that contains MAC address of an endpoint in Cisco ISE. It can be obtained from the corresponding field in Cisco ISE logs. Check the documentation to learn more about adding custom entities to incidents.
- Configure the automation rules to trigger the playbook.
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊