AWS Athena - Execute Query and Get Results
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
When a new sentinel incident is created, this playbook gets triggered and performs the following actions: 1. It executes the query specified during playbook setup on given database. 2. Downloads the query result and adds as a comment to the incident.
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | AWSAthena |
| Source | View on GitHub |
Logic App Connectors
This playbook uses 2 Logic App connectors / built-in actions:
| Connector / Action | Type | Connections | Actions |
|---|---|---|---|
azuresentinel |
Managed | 1 | 1 |
function |
Built-in | 0 | 4 |
Action parameters (URLs, paths, function IDs)
azuresentinel (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Add_comment_to_incident_(V3) | post | /Incidents/Comment |
— |
function (Built-in)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| GetQueryResults | POST | — | functionId=[concat(variables('AWSAthenaFuntionAppId'), '/functions/GetQueryResults')] |
| GetQueryExecution | POST | — | functionId=[concat(variables('AWSAthenaFuntionAppId'), '/functions/GetQueryExecution')] |
| StartQueryExecution | POST | — | functionId=[concat(variables('AWSAthenaFuntionAppId'), '/functions/StartQueryExecution')] |
| GetQueryExecution_again | POST | — | functionId=[concat(variables('AWSAthenaFuntionAppId'), '/functions/GetQueryExecution')] |
Additional Documentation
📄 Source: AWSAthenaPlaybooks/AWSAthena-GetQueryResults/readme.md
AWSAthena-GetQueryResults
Summary
When a new sentinel incident is created, this playbook gets triggered and performs the following actions:
- It executes the query specified during playbook setup on given database.
- Downloads the query result and adds as a comment to the incident.
Prerequisites
- Prior to the deployment of this playbook, AWS Athena API Function App Connector needs to be deployed under the same subscription.
- Refer to AWS Athena API Function App Connector documentation to obtain AWS Access Key ID, Secret Access Key and Region.
Deployment instructions
- To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
- Fill in the required parameters:
- Playbook Name
- Data Catlog (e.g. AwsDataCatalog)
- Database (e.g. testdb)
- Output Location (e.g. s3://test-bucket/)
- Query String (e.g. select * from testtable)
Post-Deployment instructions
a. Authorize connections
Once deployment is complete, authorize each connection.
- Click the Microsoft Sentinel connection resource
- Click edit API connection
- Click Authorize
- Sign in
- Click Save
- Repeat steps for other connections
b. Assign Playbook Microsoft Sentinel Responder Role
- Select the Playbook (Logic App) resource
- Click on Identity Blade
- Choose System assigned tab
- Click on Azure role assignments
- Click on Add role assignments
- Select Scope - Resource group
- Select Subscription - where Playbook has been created
- Select Resource group - where Playbook has been created
- Select Role - Microsoft Sentinel Responder
- Click Save (It takes 3-5 minutes to show the added role.)
c. Function App Settings Update Instructions
Refer to AWS Athena API Function App Connector documentation for Function App Application Settings (Access Key ID, Secret Access Key and Region) update instruction.
References
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊