IronNet_UpdateSentinelIncidents



author: IronNet

Attribute   Value
Type        Playbook
Solution    IronNet IronDefense
Source      View on GitHub

⚠️ Not listed in Solution JSON: This content item was discovered by scanning the solution folder but is not included in the official Solution JSON file. It may be a legacy item, under development, or excluded from the official solution package.

Additional Documentation

📄 Source: IronNet_UpdateSentinelIncidents/readme.md

This playbook keeps IronDefense and Azure Sentinel in sync. It triggers on each new IronDefense alert notification that is added to a Sentinel incident and updates that incident's status and classification based on the IronDefense alert.

Prerequisites

  1. Configure the IronNet IronDefense data connector.
  2. Create an analytic rule using the "Create Incidents from IronDefense" rule template.

Deployment Instructions

  1. Click the "Deploy to Azure" button to open the ARM template wizard and deploy this playbook.
  2. Enter the template parameters. Use the IronVue user credentials for IronAPI.

Playbook Execution

  1. Playbook execution begins with an alert triggered by IronDefense alert activity.
  2. This alert contains the actions taken on the IronDefense alert.
  3. These actions carry the status, classification and severity of the IronDefense alert.
  4. These details are retrieved from IronDefense and applied to the corresponding Sentinel incident.
  5. The alerts from IronDefense are the events associated with the Sentinel incident.
  6. The status, classification and severity of the IronDefense alert are written to the Sentinel incident's status, classification and severity respectively.
  7. The Sentinel incident's "custom details" will consist of the IronDefense Analyst rating, AlertCreatedTime and IronDefenseAlertId fields.
  8. The Sentinel incident's comments are updated with the comments raised by users for IronDome Notifications.
