This playbook uses the Farsight DNSDB connector to automatically enrich domains found in Microsoft Sentinel incidents. The use case is to identify all hosts that resolved to a given address within a time window bounded by a start time and a stop time.

| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | DomainTools |
| Source | View on GitHub |


Once deployment is complete, open the Logic App and follow the steps below:
- As a best practice, we have used the Sentinel connection in Logic Apps that uses "ManagedSecurityIdentity" permissions. Please refer to this document and grant permissions to the Logic App accordingly.
- Provide connection details for the Farsight DNSDB Custom Connector.
- Optionally, provide a time-fencing value. Use only values from this list: 1h, 6h, 12h, 24h, 30d, 60d, 90d, 365d (default: 1h).
- Save the Logic App. If the Logic App prompts for any missing connections, update the connections accordingly.