Delete-Cybersixgill-Alert

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Content Index

This playbook will delete Alert on Cybersixgill portal when resective Incident is deleted in Microsoft Sentinel

Attribute	Value
Type	Playbook
Solution	Cybersixgill-Actionable-Alerts
Source	View on GitHub

Logic App Connectors

This playbook uses 3 Logic App connectors / built-in actions:

Connector / Action	Type	Connections	Actions
`azuresentinel`	Managed	1	0
`keyvault`	Managed	1	3
`http`	Built-in	0	2

Action parameters (URLs, paths, function IDs)

`keyvault` (Managed)

Action	Method	Endpoint	Other
Get_Cybersixgill_Client_ID	get	`/secrets/@{encodeURIComponent(parameters('Client ID key name'))}/value`	—
Get_Cybersixgill_Client_Secret	get	`/secrets/@{encodeURIComponent(parameters('Client Secret key name'))}/value`	—
Get_Cybersixgill_Organization_ID	get	`/secrets/@{encodeURIComponent(parameters('Organization ID key name'))}/value`	—

`http` (Built-in)

Action	Method	Endpoint	Other
Authenticate_Sixgill_API	POST	`https://api.cybersixgill.com/auth/token`	—
Delete_Incident_from_Cybersixgill	DELETE	`https://api.cybersixgill.com/alerts/actionable_alert/@{body('Parse_JSON')?['id']}`	—

Additional Documentation

📄 Source: DeleteCybersixgillAlert/readme.md

DeleteCybersixgillAlert

author: Loginsoft

This playbook will delete Actionable alerts in Cybersixgill Portal. When incident is deleted in Microsoft Sentinel, playbook will run and delete Actionable alerts from Portal

Prerequisites

We will need the following data to do one time setup

Cybersixgill Client ID (client_id)
Cybersixgill Client Secret (client_secret)

Client ID and Client Secret can be obtained from Cybersixgill Developer Portal

You can skip below step if you already have Client ID and Client Secret.
Visit Cybersixgill Developer Portal
Click on Create an application.
Enter Application name and brief description and optional Application image
All other fields can be left to default.
Once done click on Create the app.
Copy Client ID, Client Secret and Organization ID.

Deployment instructions

Deploy the playbook by clicking on "Deploy to Azure" button. This will take you to deploying an ARM Template wizard.

Fill in the required parameters:
- Playbook Name: Enter the playbook name here (Ex: DeleteCybersixgillAlert)
- Keyvault name : Enter the key vault name where secret key is stored.
- Client ID key name: Key name for Cybersixgill Client ID stored api secret.
- Client Secret key name: Key name for Cybersixgill Client Secret the stored api secret.
- Organization ID key name: Key name for Cybersixgill organization ID

Post-deployment

a. Authorize connections (Perform this action if needed)

Once deployment is complete, you will need to authorize each connection.

Click the Microsoft Sentinel connection resource
Click edit API connection
Click Authorize
Sign in
Click Save

b. Configurations in Sentinel

Create new automation rule, ex: CybersixgillAlertDeleteAutomationRule
- Trigger = Incident is Updated
- Condition = - Automation rule example

c. Assign Playbook Microsoft Sentinel Responder Role

Select the Playbook (Logic App) resource
Click on Identity Blade
Choose System assigned tab
Click on Azure role assignments
Click on Add role assignments
Select Scope - Resource group
Select Subscription - where Playbook has been created
Select Resource group - where Playbook has been created
Select Role - Microsoft Sentinel Responder
Click Save (It takes 3-5 minutes to show the added role.)

d. Assign access policy on key vault for Playbook to fetch the secret key

Select the Keyvault resource where you have stored the secret
Click on Access policies Blade
Click on Create
Under Secret permissions column , Select Get , List from "Secret Management Operations"
Click next to go to Principal tab and choose your deployed playbook name
Click Next leave application tab as it is .
Click Review and create
Click Create