Infoblox-DHCP-Lookup

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

Back to Content Index

The playbook will retrieve IP entities from an incident, search for related DHCP data in a table, and if found, add the DHCP lookup data as a comment on the incident.

Attribute Value
Type Playbook
Solution Infoblox
Source View on GitHub

Tables Used

This content item queries data from the following tables:

Table Transformations Ingestion API Lake-Only
CommonSecurityLog ?

Additional Documentation

📄 Source: Infoblox DHCP Lookup/readme.md

Infoblox DHCP Lookup

Summary

The playbook will extract IP entities from an incident, search for corresponding latest DHCP data in a table, and if successful, append the latest DHCP lookup results as a comment on the incident.

Prerequisites

  1. CEF based Infoblox Data Connector should be configured to ingest DHCP lease related data in Microsoft Sentinel.

Deployment instructions

  1. To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
  2. Fill in the required parameters:
    • Playbook Name: Enter the playbook name here
    • Workspace Name: Enter name of Log Analytics Workspace where DHCP data is available
    • Lookup Time: Enter time period(in days) in which you want to search for DHCP lookup data

Deploy to Azure Deploy to Azure

Post-Deployment instructions

a. Authorize connections

Once deployment is complete, authorize each connection.

  1. Go to your logic app -> API connections -> Select azuremonitorlogs connection resource
  2. Go to General -> edit API connection
  3. Click Authorize
  4. Sign in
  5. Click Save
  6. Repeat steps for other connections

b. Assign Role to add comment in incident

Assign role to this playbook.

  1. Go to Log Analytics Workspace → → Access Control → Add
  2. Add role assignment
  3. Assignment type: Job function roles -> Add 'Microsoft Sentinel Contributor' as a Role
  4. Members: select managed identity for assigned access to and add your logic app as member
  5. Click on review+assign

c. Configurations in Microsoft Sentinel

  1. In Microsoft sentinel, analytical rules should be configured to trigger an incident which has Entities Mapping available for IP
  2. To manually run the playbook on a particular incident follow the below steps: a. Go to Microsoft Sentinel -> -> Incidents b. Select an incident c. In the right pane, click on Actions, and from the dropdown select the 'Run Playbook' option d. Click on the Run button beside this playbook

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

Back to Playbooks · Back to Infoblox