Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊
This playbook will add an attackers source ip to Threat Intelligence when a new incident is opened in Microsoft Sentinel.
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | Dynatrace |
| Source | View on GitHub |
📄 Source: Add_DynatraceApplicationSecurityAttackSourceIpThreatIntelligence/readme.md
author: Dynatrace
This playbook uses the Dynatrace REST APIs to automatically add an attackers source IP address to Microsoft Threat Intelligence when an alert is generated by Microsoft Sentinel. You need a valid Dynatrace tenant with Application Security enabled. To learn more about the Dynatrace platform Start your free trial
** Prerequisites ** - Follow these instructions access token, the token should have Read attacks (attacks.read) scope. - [Important step]Store the Dynatrace Access Token as a secret in Azure Key vault and provide the key vault name during playbook deployment, by convention the secret name should be 'DynatraceAccessToken'.
** Post Install Notes:**
The Logic App uses a Managed System Identity (MSI) to read the Microsoft Sentinel Incident.
Assign RBAC 'Microsoft Sentinel Reader' role to the Logic App at the Resource Group level of the Log Analytics Workspace.
Assign access policy on key vault for Playbook to fetch the secret key
To create new Threat Indicators for Microsoft Threat Intelligence we leverage the Microsoft Graph Security connector, please ensure you meet the prerequisites to connect with The Microsoft Graph Security connector
Basic steps for the Microsoft Graph Security connector permissions are as follows :
Perform role assignment for the playbook managed indentity, assign the ThreatIndicators.ReadWrite.OwnedBy permission
$TenantID="[YOUR AZURE ACTIVE DIRECTORY TENANT ID]" $GraphAppId = "00000003-0000-0000-c000-000000000000" $DisplayNameOfMSI="[PLAYBOOK IDENTITY NAME]" $PermissionName = "ThreatIndicators.ReadWrite.OwnedBy" Connect-AzureAD -TenantId $TenantID $MSI = (Get-AzureADServicePrincipal -Filter "displayName eq '$DisplayNameOfMSI'") Start-Sleep -Seconds 10 $GraphServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$GraphAppId'" $AppRole = $GraphServicePrincipal.AppRoles | Where-Object {$.Value -eq $PermissionName -and $.AllowedMemberTypes -contains "Application"} New-AzureAdServiceAppRoleAssignment -ObjectId $MSI.ObjectId -PrincipalId $MSI.ObjectId -ResourceId $GraphServicePrincipal.ObjectId -Id $AppRole.Id
Grant Admin Consent for MicrosoftGraphSecurityConnector application 2.1 Navigate to 'https://login.microsoftonline.com/[YOUR AZURE ACTIVE DIRECTORY TENANT ID]/adminconsent?client_id=c4829704-0edc-4c3d-a347-7c4a67586f3c' 2.2 Accept the requested permissions
A Microsoft Sentinel playbook is utilized by automation rules, therefore to automatically trigger this playbook you must setup a new automation rule. If you have not set permissions yet, review here
Basic steps for setup of the playbook and automation rule are as follows :
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊