Team Cymru Scout Enrich Incident

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

Back to Content Index

This playbook will fetch and ingest IP or Domain Indicator data based on Entity mapped in Microsoft Sentinel Incident and notify to pre-defined or user customizable email id.

Attribute Value
Type Playbook
Solution Team Cymru Scout
Source View on GitHub

Additional Documentation

📄 Source: TeamCymruScoutEnrichIncident/readme.md

Summary

This playbook will fetch and ingest IP or Domain Indicator data based on Entity mapped in Microsoft Sentinel Incident and notify to pre-defined or user customizable email id.

Prerequisites

  1. User should have an outlook mail account in order to use this playbook.

Deployment instructions

  1. To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
  2. Fill in the required parameters: * PlaybookName: Enter the playbook name here. * UserName: Enter username of your Team Cymru Scout account. * Password: Enter password of your Team Cymru Scout account. * BaseURL: Enter Base URL of your Team Cymru Scout account. * EmailId: Enter valid comma separated email ID(s) of receiver without space. (e.g. person1@gmail.com,person2@gmail.com) * WorkspaceName: Enter the log analytics workspace name in which data will be stored for incident enrichment.

Deploy to Azure Deploy to Azure

Post-Deployment instructions

a. Authorize connections

Once deployment is complete, authorize each connection. 1. Go to your logic app → API connections → Select azureloganalyticsdatacollector connection resource 2. Go to General → Edit API connection. 3. Enter Workspace ID and Workspace Key of your log analytics workspace. 4. Click Authorize 5. Sign in. 6. Click Save. 7. Repeat steps for other connections.

b. Assign Role to add a comment in the incident

After authorizing each connection, assign a role to this playbook. 1. Go to Log Analytics Workspace → your workspace → Access Control → Add 2. Add role assignment 3. Assignment type: Job function roles 4. Role: Microsoft Sentinel Contributor 5. Members: select managed identity for "assigned access to" and add your logic app as a member. 6. Click on review+assign

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

Back to Playbooks · Back to Team Cymru Scout