Delete Cohesity incident blobs

This playbook deletes the blobs on Azure storage created by an incident that is generated by Cohesity function apps.

Type: Playbook
Solution: CohesitySecurity
Source: View on GitHub

Additional Documentation

📄 Source: Cohesity_Delete_Incident_Blobs/readme.md

Summary

This playbook deletes the blobs on Azure storage created by an incident that is generated by Cohesity function apps. For example, an automation rule can run this playbook when the corresponding Sentinel incident is closed, so that the blobs the incident used are deleted at the same time.

Deployment instructions

  1. Click the Deploy to Azure button to deploy the playbook. This opens the ARM template deployment wizard.
  2. Fill in the required parameter:
    • Playbook Name: the name to give the playbook (this becomes the Logic App's name).

Post-Deployment instructions

  1. Make sure the user who runs the playbook has the Microsoft Sentinel Playbook Operator role assigned. To assign the role:
    • Under the Subscriptions tab on the Home page, choose your subscription.
    • Choose Access control (IAM) from the left pane.
    • Click Add > Add role assignment and assign Microsoft Sentinel Playbook Operator to the user.

  2. Authorize all connections:
    • Go to Logic Apps and choose your playbook.
    • In the Development Tools section select API connections. The left pane lists the connections you need to authorize.
    • Authorize the Azure Blob Storage connection by selecting it and clicking General > Edit API connection.
    • Enter a connection name, the storage account name and an access key. You can find them by selecting your storage account and then choosing Security + networking > Access keys. Note that an account access key grants full control of every container in that storage account, not only the incident blobs, so treat it as a secret and rotate it if it is ever exposed.
  3. For the playbook to run, assign the Microsoft Sentinel Responder role to the playbook's managed identity (the Logic App needs it to read the incident it is triggered on):
    • Under the Subscriptions tab on the Home page, choose your subscription.
    • Choose Access control (IAM) from the left pane.
    • Click Add > Add role assignment, choose Microsoft Sentinel Responder, and under Members select Managed identity and pick the playbook.

  4. (Recommended) Create an automation rule that deletes the blobs used by a Cohesity-created Sentinel incident when the incident is closed:
    • In Microsoft Sentinel | Automation press + Create > Automation rule.
    • Enter an automation rule name of your choice.
    • Under Trigger choose When incident is updated.
    • Set the following conditions, combined with AND:
      Analytic rule name contains All.
      Status changed to Closed.
      Description contains Helios ID.
    • Under Actions choose Run playbook and select this playbook.
    • Click Apply.
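The two role assignments above (steps 1 and 3) done from Az PowerShell instead of the portal, as an added example that is not part of the Cohesity solution or its readme. The subscription ID, resource group, playbook name and operator UPN are placeholders, and the script assumes the playbook and the Sentinel workspace live in the same resource group, which lets both roles be scoped to that group instead of the whole subscription the portal steps use. It requires the Az.Accounts and Az.Resources modules.

```powershell
# Added example, not part of the Cohesity solution: assigns the two roles from the
# post-deployment steps with Az PowerShell instead of the portal.
# All four parameter defaults are placeholders (assumptions) to be replaced.
param(
    [string]$SubscriptionId = "00000000-0000-0000-0000-000000000000",
    [string]$ResourceGroup  = "rg-sentinel",                     # holds the workspace and the playbook
    [string]$PlaybookName   = "Cohesity_Delete_Incident_Blobs",  # Logic App name chosen at deploy time
    [string]$OperatorUpn    = "soc.analyst@contoso.com"          # user who will run the playbook
)

Connect-AzAccount -Subscription $SubscriptionId | Out-Null

# Scope both assignments to the resource group, not the whole subscription:
# the roles are only needed where the workspace and the playbook live.
$scope = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup"

function Ensure-RoleAssignment {
    param([string]$ObjectId, [string]$Role, [string]$Scope)
    # New-AzRoleAssignment errors out if the assignment already exists, so check first
    # and make the script safe to re-run.
    $existing = Get-AzRoleAssignment -ObjectId $ObjectId -RoleDefinitionName $Role -Scope $Scope
    if ($existing) {
        Write-Host "Already assigned: $Role -> $ObjectId at $Scope"
        return
    }
    New-AzRoleAssignment -ObjectId $ObjectId -RoleDefinitionName $Role -Scope $Scope | Out-Null
    Write-Host "Assigned: $Role -> $ObjectId at $Scope"
}

# Step 1: the human who triggers the playbook needs Microsoft Sentinel Playbook Operator.
$operator = Get-AzADUser -UserPrincipalName $OperatorUpn
if (-not $operator) { throw "User '$OperatorUpn' not found in the tenant." }
Ensure-RoleAssignment -ObjectId $operator.Id -Role "Microsoft Sentinel Playbook Operator" -Scope $scope

# Step 3: the playbook's system-assigned managed identity needs Microsoft Sentinel Responder
# so the Logic App can read the incident it is triggered on.
$playbook = Get-AzResource -ResourceGroupName $ResourceGroup `
    -ResourceType "Microsoft.Logic/workflows" -Name $PlaybookName
if (-not $playbook) { throw "Playbook '$PlaybookName' not found in '$ResourceGroup'." }
if (-not $playbook.Identity.PrincipalId) {
    throw "Playbook '$PlaybookName' has no system-assigned managed identity; enable it on the Logic App first."
}
Ensure-RoleAssignment -ObjectId $playbook.Identity.PrincipalId -Role "Microsoft Sentinel Responder" -Scope $scope

# Check: show exactly what the two principals now hold at this scope.
Get-AzRoleAssignment -Scope $scope |
    Where-Object { $_.ObjectId -in @($operator.Id, $playbook.Identity.PrincipalId) } |
    Select-Object DisplayName, RoleDefinitionName, Scope |
    Format-Table -AutoSize
```

Run it once as a user who holds Owner or User Access Administrator on the resource group. Role assignments can take a few minutes to propagate, so if the playbook's first run fails with an authorization error, wait and retry before changing anything. The blob connection in step 2 still has to be authorized in the portal (or by updating the API connection resource), since it is a stored access key rather than an RBAC assignment.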
