Domain ASIM Enrichment - DomainTools Iris Enrich
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊
Given a domain or set of domains associated with an alert return all Iris Enrich data for those domains and adds the enrichment data to the custom table.
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | DomainTools |
| Source | View on GitHub |
Additional Documentation
📄 Source: DomainTools-ASIM-DNS-Playbook/readme.md
DomainTools ASIM DNS Playbook
Table of Contents
- Overview
- Deploy DomainTools-ASIM-DNS-Playbook
- Authentication
- Prerequisites
- Deployment
- Post Deployment Steps
Overview
This playbook uses the DomainTools Iris Enrich API. It is able to get domain infrastructure information for a domain or set of domains associated with an alert. If your account is provisioned for Iris Enrich, use the Iris Enrich endpoint to return Whois, mailserver, DNS, SSL and related indicators from Iris Enrich for a given domain or set of domains. The enrichment data is saved in the custom table for further analysis.
Visit https://www.domaintools.com/integrations to request a Api key.
When a new Azure Sentinel Incident is created, and this playbook is triggered, it performs these actions:
- It fetches all the DNS entities in the Incident.
- Iterates through the DNS entities and fetches the results from Iris Enrich for each entity.
- All the details from DomainTools Iris Enrich will be saved in the custom table.
Links to deploy the DomainTools Iris Enrich Domain Playbook
Authentication
Authentication methods this connector supports: - API Key authentication
Prerequisites
- A DomainTools API Key provisioned for Iris Enrich
- DomainTools Function App should be deployed
Deployment instructions
- Deploy the playbooks by clicking on "Deploy to Azure" button. This will take you to deploying an ARM Template wizard.
- Fill in the required parameters for deploying the playbook.
- Click "Review + create". Once the validation is successful, click on "Create".
Post-Deployment instructions
Once deployment is complete, you can change the playbook parameters to get the desired results as explained below.
- Open the Logic App in the edit mode. click on parameters
- You need to provide a "Workspace ID" and "Workspace Key", You can obtain the "Workspace ID" in the overview of your "Log Analytics Workspace" and "Workspace key" from the "Agents> Log Analytics agent instructions" section. You can use either a "Primary key" or a "Secondary key".
- Save the Logic App.
- As a best practice, we have used the Sentinel connection in Logic Apps that use "ManagedSecurityIdentity" permissions. Please refer to this document and provide permissions to the Logic App accordingly.
b. Configurations in Sentinel:
- In Azure Sentinel, analytical rules should be configured to trigger an alert with newly found Domain indicators.
- Configure the automation rules to trigger the playbook.
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊