Cyjax Add Comment To Incident

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

Back to Content Index

This playbook is triggered via HTTP request and is designed to be used as a sub-playbook by other Cyjax playbooks (CyjaxIncidentEnrichment). It receives enrichment data (host, domain, hash, URL, Email) along with the incident ARM ID and parent playbook name. The playbook processes each data type, extracts relevant fields, formats them into HTML tables, and adds them as comments to the Microsoft Sentinel incident.

Attribute Value
Type Playbook
Solution Cyjax
Source View on GitHub

Logic App Connectors

This playbook uses 1 Logic App connector / built-in action:

Connector / Action Type Connections Actions
azuresentinel Managed 1 3
Action parameters (URLs, paths, function IDs)

azuresentinel (Managed)

Action Method Endpoint Other
Add_Comment_To_Incident_As_Comment_Character_Limit_Exceeded post /Incidents/Comment
Add_Comment_To_Incident_For_Comment_Limit_Exceeded post /Incidents/Comment
Add_Comment_for_Remaining_Data post /Incidents/Comment

Additional Documentation

📄 Source: CyjaxAddCommentToIncident/readme.md

Summary

This playbook is triggered via HTTP request and is designed to be used as a sub-playbook by other Cyjax playbooks (such as CyjaxIncidentEnrichment). It receives enrichment data for various entity types (host, domain, hash, URL, Email) along with the incident ARM ID and parent playbook name. The playbook processes each data type, extracts relevant fields, formats them into HTML tables, and adds them as comments to the Microsoft Sentinel incident.

Prerequisites

  1. This playbook is intended to be called as a sub-playbook by other Cyjax playbooks.
  2. Ensure the parent playbook (CyjaxIncidentEnrichment, etc.) is deployed and configured.
  3. Ensure you have appropriate permissions to add comments to Microsoft Sentinel incidents.

Deployment Instructions

  1. To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
  2. Fill in the required parameters:
    • PlaybookName: Enter the playbook name here (default: CyjaxAddCommentToIncident).

Deploy to Azure Deploy to Azure Gov

Post-Deployment Instructions

a. Authorize connections

Once deployment is complete, authorize the Microsoft Sentinel connection.

  1. Go to your logic app → API connections → Select Microsoft Sentinel connection resource.
  2. Go to General → edit API connection.
  3. Click Authorize.
  4. Sign in.
  5. Click Save.

b. Configure Parent Playbooks

Configure the parent playbooks (CyjaxIncidentEnrichment, etc.) to call this sub-playbook using its HTTP trigger URL.

  1. Go to Logic App → your Logic App → Logic app designer.
  2. Copy the HTTP POST URL from the trigger.
  3. Update the parent playbook configuration to use this URL when adding incident comments.

c. Verify Permissions

Ensure the playbook has appropriate permissions to add comments to incidents.

  1. Verify the managed identity has Microsoft Sentinel Responder role or equivalent permissions.
  2. Test the playbook by triggering it from a parent playbook with sample enrichment data.

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

Back to Playbooks · Back to Cyjax