Censys Add Incident Comment

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Content Index

Attribute	Value
Type	Playbook
Solution	Censys
Source	View on GitHub

Logic App Connectors

This playbook uses 2 Logic App connectors / built-in actions:

Connector / Action	Type	Connections	Actions
`azureloganalyticsdatacollector`	Managed	1	3
`azuresentinel`	Managed	1	8

Action parameters (URLs, paths, function IDs)

`azureloganalyticsdatacollector` (Managed)

Action	Method	Endpoint	Other
Send_Each_Host_Data	post	`/api/logs`	—
Send_Web_Property_Data	post	`/api/logs`	—
Send_certificate_data	post	`/api/logs`	—

`azuresentinel` (Managed)

Action	Method	Endpoint	Other
Add_comment_to_incident_(V3)_3	post	`/Incidents/Comment`	—
Add_comment_to_incident_(V3)_1	post	`/Incidents/Comment`	—
Add_comment_to_incident_(V3)_2	post	`/Incidents/Comment`	—
Add_comment_to_incident_(V3)_5	post	`/Incidents/Comment`	—
Add_comment_to_incident_(V3)_6	post	`/Incidents/Comment`	—
Add_comment_to_incident_(V3)_7	post	`/Incidents/Comment`	—
Add_comment_to_incident_(V3)_8	post	`/Incidents/Comment`	—
Add_comment_to_incident_(V3)	post	`/Incidents/Comment`	—

Additional Documentation

📄 Source: CensysAddIncidentComment/readme.md

Summary

This playbook is triggered via HTTP request and is designed to be used as a sub-playbook by other Censys playbooks (CensysIncidentEnrichment, CensysEntityEnrichmentHost, CensysEntityEnrichmentCertificate, CensysEntityEnrichmentWebProperty, CensysAlertEnrichment). It receives enrichment data (host, web_property, certificate) along with the incident ARM ID and parent playbook name. The playbook processes each data type, extracts relevant fields (IP, autonomous system, WHOIS, location, DNS, services, threats, vulnerabilities, labels, software), formats them into HTML tables, and adds them as comments to the Microsoft Sentinel incident. It handles comment character limits (splitting into multiple comments if needed) and enforces a maximum of 100 comments per incident. The enrichment data is also ingested into Azure Log Analytics custom tables (Incident_Enrich_Host_Data_CL, Incident_Enrich_WebProperty_Data_CL, Incident_Enrich_Certificate_Data_CL) for historical analysis. The playbook includes comprehensive error handling and returns appropriate HTTP responses.

Prerequisites

This playbook is intended to be called as a sub-playbook by other Censys playbooks.
Ensure the parent playbook (CensysEnrichment, CensysEntityEnrichmentHost, etc.) is deployed and configured.
The Log Analytics workspace must be configured to receive custom logs.

Deployment Instructions

To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
Fill in the required parameters:
- PlaybookName: Enter the playbook name here (default: CensysAddIncidentComment).

Post-Deployment Instructions

a. Authorize connections

Once deployment is complete, authorize each connection.

Go to your logic app → API connections → Select Microsoft Sentinel connection resource.
Go to General → Edit API connection.
Click Authorize.
Sign in.
Click Save.
Repeat steps for Log Analytics Data Collector connection.

b. Configure parent playbooks

Configure the parent playbooks to call this sub-playbook using its HTTP trigger URL.

Go to Logic App → your Logic App → Logic app designer.
Copy the HTTP POST URL from the trigger.
Use this URL in parent playbooks (CensysEnrichment, CensysEntityEnrichmentHost, etc.) to invoke this sub-playbook.

c. Permissions

Ensure the playbook has appropriate permissions to add comments to incidents.

Go to Log Analytics workspace → Access control (IAM) → Add role assignment.
Select Microsoft Sentinel Contributor role.
Select Managed identity and choose the playbook's identity.
Click Save.