Delete Cohesity incident blobs
This playbook deletes the blobs on Azure storage created by an incident that is generated by Cohesity function apps.
Logic App Connectors
This playbook uses 2 Logic App connectors / built-in actions:
Action parameters (URLs, paths, function IDs)
| Action | Method | Endpoint | Other |
| --- | --- | --- | --- |
| Delete_blob_(V2) | delete | /v2/datasets/@{encodeURIComponent(encodeURIComponent('AccountNameFromSettings'))}/files/@{encodeURIComponent(encodeURIComponent(items('For_each')?['Path']))} | — |
| Lists_blobs_(V2) | get | /v2/datasets/@{encodeURIComponent(encodeURIComponent('AccountNameFromSettings'))}/foldersV2/@{encodeURIComponent(encodeURIComponent('/cohesity-extra-parameters/',variables('heliosID'),'/'))} | — |
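The two endpoints above double-encode the blob path, and the delete action runs once per listed item. The following sketch is an added example, not the playbook's own code: it rebuilds both endpoint paths and checks that every blob queued for deletion sits under the incident's own folder. The function names and sample values are hypothetical, and it assumes that a Helios ID is a single path segment and that the three folder pieces are concatenated.

```python
import posixpath
from urllib.parse import quote

# encodeURIComponent leaves only alphanumerics and these characters unescaped.
SAFE = "-_.!~*'()"
ROOT = "/cohesity-extra-parameters/"  # folder root taken from the list action


def double_encode(value: str) -> str:
    """encodeURIComponent(encodeURIComponent(value)), as in both endpoints."""
    return quote(quote(value, safe=SAFE), safe=SAFE)


def incident_folder(helios_id: str) -> str:
    """Folder that holds one incident's blobs."""
    # Assumption: a Helios ID is one path segment, so separators are rejected.
    if not helios_id or helios_id in (".", "..") or "/" in helios_id or "\\" in helios_id:
        raise ValueError(f"unexpected Helios ID: {helios_id!r}")
    return f"{ROOT}{helios_id}/"


def list_endpoint(account: str, helios_id: str) -> str:
    """Path used by the list action for one incident."""
    folder = double_encode(incident_folder(helios_id))
    return f"/v2/datasets/{double_encode(account)}/foldersV2/{folder}"


def delete_endpoints(account: str, helios_id: str, blob_paths: list) -> list:
    """Paths used by the delete action, refusing blobs outside the folder."""
    folder = incident_folder(helios_id)
    endpoints = []
    for path in blob_paths:
        # Normalise first so '..' segments cannot step out of the folder.
        if not posixpath.normpath(path).startswith(folder):
            raise ValueError(f"blob outside incident folder: {path!r}")
        endpoints.append(f"/v2/datasets/{double_encode(account)}/files/{double_encode(path)}")
    return endpoints


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    print(list_endpoint("examplestorage", "abc123"))
    print(delete_endpoints("examplestorage", "abc123",
                           ["/cohesity-extra-parameters/abc123/params.json"]))
```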
Additional Documentation
📄 Source: Cohesity_Delete_Incident_Blobs/readme.md
Summary
This playbook deletes the blobs on Azure storage created by an incident that is generated by Cohesity function apps. For example, an automation rule can be created to delete the blobs used for an incident by running this playbook when the corresponding Sentinel ticket is closed.
Deployment instructions
- Click on the "Deploy to Azure" button to deploy the playbook. This opens the ARM template deployment wizard.
- Fill in the required parameters:
  - Playbook Name: Enter the playbook name here.
Post-Deployment instructions
- Make sure the user that runs the playbook has the Microsoft Sentinel Playbook Operator role assigned. To assign the role:
  - Under the Subscriptions tab from the Home page, choose your subscription name.
  - Choose the Access Control (IAM) option from the left pane.
  - Click on Add > Add Role Assignment and add Microsoft Sentinel Playbook Operator to the user.
- Authorize all connections:
  - Go to Logic Apps and choose your playbook.
  - In the Development Tools section, select API Connections. In the left pane you'll see the list of connections that you'll need to authorize.
  - Authorize the Azure blob storage connection by selecting it and clicking on General\Edit API Connection.
  - Enter your connection name, storage account and access key. You can find them by selecting your storage account and then choosing Security+networking\Access keys.
- For the playbook to run, assign the Microsoft Sentinel Responder role to the playbook's managed identity:
  - Under the Subscriptions tab from the Home page, choose your subscription name.
  - Choose the Access Control (IAM) option from the left pane.
  - Click on Add > Add Role Assignment and add the Microsoft Sentinel Responder role to the playbook's managed identity.
- (Recommendation) You can create an automation rule to delete the blobs used by a Cohesity-created Sentinel incident when the incident is closed:
  - In Microsoft Sentinel | Automation press +Create\Automation Rule.
  - Enter an automation rule name of your choice.
  - In Trigger choose When incident is updated.
  - Set the following conditions using the AND rule:
    - Analytic rule name contains All.
    - Status changed to Closed.
    - Description contains Helios ID.
  - In Actions choose to run this playbook.
  - Click Apply.