Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊
This playbook enriches IP data by calling the updated NetApp Ransomware Resilience enrich IP address API endpoint and asynchronously polls multiple job results.
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | NetApp Ransomware Resilience |
| Source | View on GitHub |
📄 Source: NetApp-RansomwareResilience_Enrich_IP_Playbook/readme.md
This playbook enriches IP address information by retrieving detailed network interface data from the NetApp Ransomware Resilience API. It helps you investigate network-related security incidents by providing context about storage network interfaces.
When investigating a security incident involving a suspicious IP address, this playbook retrieves detailed information about the network interface from your NetApp storage systems, including associated volumes, storage VMs, and access patterns.
This playbook should be deployed THIRD, after: 1. ✅ Auth Playbook (required) 2. ✅ Async Poll Playbook (required)
Before deploying this playbook: 1. Auth Playbook must be deployed and functioning correctly 2. Async Poll Playbook must be deployed and functioning correctly 3. Valid NetApp API credentials configured
This playbook can be: - Called manually with an IP address to investigate - Integrated into automation rules triggered by Microsoft Sentinel alerts - Chained with other playbooks in your incident response workflow - Combined with Volume Snapshot or Volume Offline playbooks for remediation
Input Required:
- ip_address: The IP address you want to investigate
When you receive an alert about suspicious activity from an IP address: 1. This playbook enriches the IP with NetApp storage context 2. You identify which storage VM and volumes are exposed 3. Based on the findings, you can take protective actions using other playbooks
After deploying this playbook: 1. Test with a known valid IP address from your NetApp environment 2. Verify the enrichment data is returned correctly 3. Consider integrating it into your incident response automation rules
This enrichment playbook is a building block. You can combine it with other playbooks to create complete incident response workflows. For example: - Enrich IP → Identify volume → Take snapshot → Take volume offline
If enrichment isn't working, verify: - The Auth Playbook is returning valid tokens - The Async Poll Playbook is functioning correctly - The IP address exists in your NetApp environment - Your NetApp API endpoint is accessible
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊