Infoblox-SOC-Get-Insight-Details
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊
Leverages the Infoblox SOC Insights API to enrich a Microsoft Sentinel Incident triggered by an Infoblox SOC Insight and ingests the Insight details into custom tables prefixed with InfobloxInsight. The tables are used to build the Infoblox SOC Insights Workbook. This playbook can be configured to run automatically when an incident occurs (recommended) or run on demand.
Tables Used
This content item queries data from the following tables:
Additional Documentation
📄 Source: Infoblox SOC Get Insight Details/readme.md
Infoblox SOC Get Insight Details
Summary
This playbook uses the Infoblox SOC Insights API to get all the details about a SOC Insight Incident. These Incidents are triggered by the Infoblox - SOC Insight Detected analytic queries packaged as part of this solution. These queries scan your data for insights and create an Incident when one is found, hereafter referred to as a SOC Insight Incident.
Then, you can run this playbook on those incidents to ingest many details about the Insight, placed in several custom tables prefixed with InfobloxInsight. This data also builds the Infoblox SOC Insight Workbook, which you can use to richly visualize and drill down into your Insights.
It will also add several tags to the SOC Insight Incident.
This playbook can be configured to run automatically when a SOC Insight Incident occurs or run on demand.
Prerequisites
- User must have a valid Infoblox API Key.
- User must have a valid Workspace ID.
- User must have a valid Workspace Key.
- User must have created an analytics rule from a rule template.
- Configure the associated automation rule as specified below:
  - Go to Microsoft Sentinel → select your workspace → Automation → Create → Automation rule
  - Set the automation rule name
  - Condition → If:
    - Incident provider → select Microsoft Sentinel
    - Analytic rule name → select the analytic rule created in step 4
  - Action → select Run playbook
  - Select the Infoblox-SOC-Get-Insight-Details playbook
  - Click Apply
Deployment instructions
- To deploy the Playbook, click the Deploy to Azure button. This launches the ARM Template deployment wizard.
- Fill in the required parameters:
  - Playbook Name: enter the playbook name
  - Infoblox API Key: enter a valid API Key
  - Assets Data Ingestion: set to true to enable Assets data ingestion from SOC Insights. Default is false; allowed values are true and false.
  - Comments Data Ingestion: set to true to enable Comments data ingestion from SOC Insights. Default is false; allowed values are true and false.
  - Events Data Ingestion: set to true to enable Events data ingestion from SOC Insights. Default is false; allowed values are true and false.
  - Indicators Data Ingestion: set to true to enable Indicators data ingestion from SOC Insights. Default is false; allowed values are true and false.

Post-Deployment instructions
a. Authorize connections
Once deployment is complete, authorize each connection.
- Go to your logic app → API connections → select the azuremonitorlogs connection resource
- Go to General → Edit API connection
- Click Authorize
- Sign in
- Click Save
- Repeat these steps for the other connections
b. Assign a role so the playbook can update the incident
Assign the following role to this playbook's managed identity:
- Go to Log Analytics Workspace → select your workspace → Access Control → Add
- Add role assignment
- Assignment type: Job function roles → add 'Microsoft Sentinel Contributor' as the Role
- Members: under Assign access to, select Managed identity, then add your logic app as a member
- Click Review + assign