Deploys the entire Akamai Guardicore incident-enrichment stack in one shot: a Storage Account with the GuardicoreConnectionSlots Azure Table, a Data Collection Endpoint (or reuse of an existing one), a Data Collection Rule, two custom log tables, two Logic Apps (trigger playbook + recurrence runner), and the role assignments the Logic Apps' managed identities need to write to the DCR and the storage account. After deployment, the remaining manual steps are authorizing the Microsoft Sentinel API connection and wiring the trigger playbook to a Microsoft Sentinel automation rule.
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | Akamai Guardicore |
| Source | View on GitHub |
This playbook uses 3 Logic App connectors / built-in actions:
| Connector / Action | Type | Connections | Actions |
|---|---|---|---|
| azuresentinel | Managed | 1 | 0 |
| azuretables | Managed | 1 | 1 |
| http | Built-in | 0 | 9 |
azuretables (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Try_insert_slot | post | /Tables/@{encodeURIComponent('GuardicoreConnectionSlots')}/entities | — |
http (Built-in)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Post_manifest | POST | @{concat(parameters('DataCollectionEndpoint'), '/dataCollectionRules/', parameters('DataCollectionRuleImmutableId'), '/streams/Custom-GuardicoreProcessedIncidents_CL?api-version=2023-01-01')} | — |
| Authenticate_to_Guardicore | POST | @{concat(parameters('GuardicoreUrl'), '/api/v3.0/authenticate')} | — |
| Claim_pending_slot | GET | @{concat(parameters('TablesEndpoint'), '/GuardicoreConnectionSlots()')} | — |
| Atomic_claim | PUT | @{concat(parameters('TablesEndpoint'), '/GuardicoreConnectionSlots(PartitionKey=''', outputs('Capture_claimed_row')['PartitionKey'], ''',RowKey=''', outputs('Capture_claimed_row')['RowKey'], ''')')} | — |
| Fetch_page | GET | @{concat(parameters('GuardicoreUrl'), '/api/v3.0/connections')} | — |
| Post_chunk | POST | @{concat(parameters('DataCollectionEndpoint'), '/dataCollectionRules/', parameters('DataCollectionRuleImmutableId'), '/streams/Custom-GuardicoreEnrichingConnections_CL?api-version=2023-01-01')} | — |
| Mark_completed | PUT | @{concat(parameters('TablesEndpoint'), '/GuardicoreConnectionSlots(PartitionKey=''', outputs('Capture_claimed_row')['PartitionKey'], ''',RowKey=''', outputs('Capture_claimed_row')['RowKey'], ''')')} | — |
| Mark_failed_or_retry_on_pagination_error | PUT | @{concat(parameters('TablesEndpoint'), '/GuardicoreConnectionSlots(PartitionKey=''', outputs('Capture_claimed_row')['PartitionKey'], ''',RowKey=''', outputs('Capture_claimed_row')['RowKey'], ''')')} | — |
| Mark_failed_or_retry_on_post_error | PUT | @{concat(parameters('TablesEndpoint'), '/GuardicoreConnectionSlots(PartitionKey=''', outputs('Capture_claimed_row')['PartitionKey'], ''',RowKey=''', outputs('Capture_claimed_row')['RowKey'], ''')')} | — |
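The two DCR endpoints in the table above (Post_manifest and Post_chunk) follow the Logs Ingestion API URL shape: `{DCE}/dataCollectionRules/{immutableId}/streams/{stream}?api-version=2023-01-01`. The following Python is an added example, not the playbook's own code: it builds those requests and splits a record batch so that no single body exceeds the API's 1 MB per-request limit, which is why posting in chunks matters. The DCE host, DCR immutable id and record fields in the sample are placeholders, and the bearer token is a plain parameter because inside the Logic App it comes from the system-assigned managed identity, which has no offline equivalent.

```python
"""Build Logs Ingestion API requests the way the runner's Post_manifest and
Post_chunk actions address them, and split a record batch so that no request
body exceeds the API's 1 MB limit.

Added example, not the playbook's own code. DCE host, DCR immutable id and
record fields are placeholders; the bearer token is passed in rather than
obtained from the managed identity."""
import json
from typing import Iterator

API_VERSION = "2023-01-01"
MAX_BODY_BYTES = 1_000_000        # Logs Ingestion API: at most 1 MB per request


def encode(obj) -> bytes:
    """Compact JSON, the form that counts toward the body limit."""
    return json.dumps(obj, separators=(",", ":")).encode()


def ingestion_url(dce: str, dcr_immutable_id: str, stream: str) -> str:
    """Same shape as the playbook's concat(): the stream is the DCR stream name
    (Custom-<Table>_CL), not the workspace table name."""
    if not stream.startswith("Custom-"):
        raise ValueError("expected a custom stream name such as Custom-<Table>_CL")
    return (f"{dce.rstrip('/')}/dataCollectionRules/{dcr_immutable_id}"
            f"/streams/{stream}?api-version={API_VERSION}")


def chunk_records(records: list, limit: int = MAX_BODY_BYTES) -> Iterator[list]:
    """Yield sub-lists whose JSON-array encoding stays within `limit` bytes.
    A record that cannot fit on its own is an error, never silently dropped."""
    batch, size = [], 2                # the enclosing "[" and "]"
    for rec in records:
        n = len(encode(rec))
        if n + 2 > limit:
            raise ValueError("single record exceeds the per-request body limit")
        sep = 1 if batch else 0        # comma before this record
        if size + sep + n > limit:
            yield batch
            batch, size, sep = [], 2, 0
        batch.append(rec)
        size += sep + n
    if batch:
        yield batch


def build_requests(dce, dcr_immutable_id, stream, records, bearer_token, limit=MAX_BODY_BYTES):
    """One (url, headers, body) per chunk, ready for an HTTP client. Every chunk goes to
    the same URL; the DCR's transform for that stream decides what lands in the table."""
    url = ingestion_url(dce, dcr_immutable_id, stream)
    headers = {"Authorization": f"Bearer {bearer_token}", "Content-Type": "application/json"}
    return [(url, headers, encode(batch)) for batch in chunk_records(records, limit)]


def sample_records(n: int = 5) -> list:
    # constructed sample rows, not data from Guardicore
    return [{"IncidentId": "inc-1", "Slot": i} for i in range(n)]
```

With the real 1 MB limit the five sample rows fit in one request; the `limit` argument exists so the chunking logic can be exercised with a small budget, as in `build_requests(dce, dcr_id, "Custom-GuardicoreEnrichingConnections_CL", sample_records(), token, limit=70)`, which yields three requests.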
📄 Source: readme.md
Author: Akamai Guardicore
This solution ships two Logic Apps that enrich Microsoft Sentinel incidents
with Guardicore connection data. When an incident is created, the trigger
playbook extracts its IP entities, computes three 5-minute time slots around the
incident time, inserts one row per slot into the GuardicoreConnectionSlots
work-queue table (Try_insert_slot), and posts a manifest record to
GuardicoreProcessedIncidents_CL through the Data Collection Rule (Post_manifest).
A companion recurrence-triggered runner Logic App polls that small Azure Storage
Table for due slots, fetches Guardicore /api/v3.0/connections for each slot's
window, and posts the results to GuardicoreEnrichingConnections_CL through the
same DCR (Post_chunk).
There is no Azure Function App; both Logic Apps run natively. Ingestion goes through a Data Collection Rule authenticated with the Logic Apps' system-assigned managed identities, so no workspace shared key is required.
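To make the work-queue mechanics concrete, here is an added Python example (not the solution's own code) of the slot computation and the claim / complete / fail-or-retry protocol, run against an in-memory table that models Azure Table Storage's ETag and conditional (If-Match) update. The row schema (Status, Attempts, DueAt, LastError), the exact slot alignment, DueAt = slot end and the three-attempt retry budget are assumptions made for illustration; the page only states that three 5-minute slots are queued, that the runner claims each with a PUT on the row (Atomic_claim) and then marks it completed or failed/retry. If-Match on the ETag is how such a claim becomes atomic on Azure Table Storage; whether the playbook sends exactly that header is not stated on the page.

```python
"""Slot computation and the claim / complete / fail-or-retry protocol of the two Logic Apps,
replayed against an in-memory table modelling Azure Table Storage ETags and If-Match updates.
Added example, not the solution's code: row schema, slot alignment, DueAt and retry budget are assumed."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import itertools

SLOT = timedelta(minutes=5)
SAMPLE_INCIDENT_TIME = datetime(2024, 5, 1, 12, 3, 27, tzinfo=timezone.utc)  # constructed, not real data

def compute_slots(incident_time: datetime) -> list[tuple[datetime, datetime]]:
    """The 5-minute window containing the incident plus one either side (assumed layout)."""
    floor = incident_time.replace(second=0, microsecond=0)
    floor -= timedelta(minutes=floor.minute % 5)
    return [(floor + k * SLOT, floor + (k + 1) * SLOT) for k in (-1, 0, 1)]

class PreconditionFailed(Exception): ...  # Azure Table Storage: HTTP 412 when If-Match != current ETag

@dataclass
class Row:
    pk: str
    rk: str
    props: dict
    etag: str

class SlotTable:
    """Minimal Azure Table model: keyed rows, per-row ETag, insert-if-absent, conditional update."""
    def __init__(self) -> None:
        self._rows: dict[tuple[str, str], Row] = {}
        self._seq = itertools.count(1)
    def try_insert(self, pk: str, rk: str, props: dict) -> bool:
        if (pk, rk) in self._rows:                     # Insert Entity on an existing key: 409 Conflict
            return False
        self._rows[(pk, rk)] = Row(pk, rk, dict(props), f'W/"{next(self._seq)}"')
        return True
    def query(self, pred) -> list[Row]:
        # Copies, as a client sees them; the ETag carried by the copy is the claim token.
        return [Row(r.pk, r.rk, dict(r.props), r.etag) for r in self._rows.values() if pred(r)]
    def update(self, row: Row, if_match: str) -> str:
        cur = self._rows[(row.pk, row.rk)]
        if cur.etag != if_match:
            raise PreconditionFailed(f"{row.pk}/{row.rk}")
        cur.props, cur.etag = dict(row.props), f'W/"{next(self._seq)}"'
        return cur.etag

def enqueue_incident(table: SlotTable, incident_id: str, incident_time: datetime) -> int:
    """Trigger-playbook side: one Pending row per slot; returns how many rows were new."""
    new = 0
    for start, end in compute_slots(incident_time):
        props = {"IncidentId": incident_id, "SlotStart": start.isoformat(), "SlotEnd": end.isoformat(),
                 "DueAt": end.isoformat(), "Status": "Pending", "Attempts": 0}
        new += table.try_insert(incident_id, start.strftime("%Y%m%dT%H%M"), props)
    return new

def claim_due_slot(table: SlotTable, runner_id: str, now: datetime, snapshot=None) -> Row | None:
    """Runner side: claim the oldest due Pending row, sending the ETag read by the query as If-Match.
    `snapshot` lets a caller reuse rows read earlier, which is exactly the racy case to guard against."""
    rows = snapshot if snapshot is not None else table.query(lambda r: True)
    due = [r for r in rows if r.props["Status"] == "Pending"
           and datetime.fromisoformat(r.props["DueAt"]) <= now]
    for row in sorted(due, key=lambda r: r.props["DueAt"]):
        row.props.update(Status="Claimed", ClaimedBy=runner_id, Attempts=row.props["Attempts"] + 1)
        try:
            row.etag = table.update(row, if_match=row.etag)
            return row
        except PreconditionFailed:
            continue                                   # another tick won this row; try the next
    return None

def mark_completed(table: SlotTable, row: Row) -> None:
    row.props["Status"] = "Completed"
    row.etag = table.update(row, if_match=row.etag)

def mark_failed_or_retry(table: SlotTable, row: Row, error: str, max_attempts: int = 3) -> str:
    """Back to Pending for a later tick, or parked as Failed once the retry budget is spent."""
    row.props["LastError"] = error
    row.props["Status"] = "Pending" if row.props["Attempts"] < max_attempts else "Failed"
    row.etag = table.update(row, if_match=row.etag)
    return row.props["Status"]

def demo() -> dict[str, str]:
    """Queue one incident twice, fail its first claim once (say, a pagination error), then drain."""
    table, when = SlotTable(), SAMPLE_INCIDENT_TIME
    enqueue_incident(table, "inc-1", when)
    enqueue_incident(table, "inc-1", when)              # re-fired trigger queues nothing new
    now = when + timedelta(minutes=10)                  # all three windows have elapsed
    mark_failed_or_retry(table, claim_due_slot(table, "runner-A", now), "pagination error")
    while (row := claim_due_slot(table, "runner-B", now)) is not None:
        mark_completed(table, row)
    return {r.rk: f'{r.props["Status"]}/{r.props["Attempts"]}' for r in table.query(lambda r: True)}

def race_demo() -> list[str]:
    """Two ticks read the queue before either writes; B's stale ETag makes it skip A's row."""
    table = SlotTable()
    enqueue_incident(table, "inc-1", SAMPLE_INCIDENT_TIME)
    now = SAMPLE_INCIDENT_TIME + timedelta(minutes=10)
    snap_a = table.query(lambda r: True)
    snap_b = table.query(lambda r: True)               # same ETags as snap_a: the lost-update setup
    a = claim_due_slot(table, "runner-A", now, snapshot=snap_a)
    b = claim_due_slot(table, "runner-B", now, snapshot=snap_b)
    return [a.rk, b.rk]
```

`demo()` ends with all three slots Completed and the first one showing two attempts, because its first claim was returned to Pending; `race_demo()` shows that when two runner ticks overlap, the second tick's PUT on the already-claimed row is refused and it moves on to the next due slot instead of silently double-processing the first.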
The single template azuredeploy.json in this folder bootstraps everything:
the Storage Account + work-queue table, a Data Collection Endpoint (or
reuse of an existing one), the Data Collection Rule, the two custom log
tables, both Logic Apps, and the role assignments. Launch the deployment,
fill in the form (workspace name + Guardicore credentials), and click Create.
The Deploy form has three steps (secrets are entered as securestring parameters).
The portal can't fully automate two final touches. Both take ~30 seconds.
First, authorize the Microsoft Sentinel API connection. The trigger playbook
deploys a Microsoft.Web/connections resource for azuresentinel, named
azuresentinel-Guardicore-ProcessIncidentEnrichment, configured to
authenticate as the playbook's system-assigned managed identity. Azure
requires a one-time interactive "Authorize" click before the connection is
usable. If you skip this, every trigger run fails at the Microsoft Sentinel
webhook step with Unauthorized.
Second, wire up an automation rule. The trigger playbook only fires when a
Microsoft Sentinel automation rule routes an incident to it. Create a rule
named "Guardicore: enrich on incident creation" with the trigger "When
incident is created"; leave the conditions blank for all incidents, or scope
them to severity / analytic rule; add an action that runs the playbook
Guardicore-ProcessIncidentEnrichment, and grant permissions when prompted.
If your Microsoft Sentinel workspace lives in a different resource group than the
deployment, you may also need to grant the trigger playbook's managed
identity the Microsoft Sentinel Responder role on the workspace. The
consolidated template grants Monitoring Metrics Publisher on the DCR and
Storage Account Contributor on the storage account automatically, but the
Microsoft Sentinel role is workspace-scoped and the consolidated template
can't grant it cross-RG safely.
Trigger a test incident with at least one IP entity and wait ~7 minutes (5-minute slot wait + up to one 2-minute runner tick), then check both tables:

```kusto
GuardicoreProcessedIncidents_CL
| where TimeGenerated > ago(15m)
| take 10
```

```kusto
GuardicoreEnrichingConnections_CL
| where TimeGenerated > ago(15m)
| take 10
```
If either is empty after 15 minutes, check the run history of
Guardicore-ProcessIncidentEnrichment and Guardicore-EnrichmentRunner for
failed actions, and confirm the Monitoring Metrics Publisher role assignment
is in place.