CiscoSDWANIntrusionLogicAPP

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

Back to Content Index

This playbook provides an end-to-end example of adding a comment in the generated incident.

Attribute Value
Type Playbook
Solution Cisco SD-WAN
Source View on GitHub

Additional Documentation

📄 Source: CiscoSDWANIntrusionLogicAPP/readme.md

Cisco SDWAN Intrusion Logic App

Summary

This playbook provides an end-to-end example of adding a comment in the generated incident.

Deployment instructions

  1. To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
  2. Fill in the required parameters:
    • Subscription: Azure Subscription ID which is present in the subscription tab in Microsoft Sentinel.
    • Resource Group: The Azure Resource Group name in which you want to deploy the Logic App.
    • Playbook Name: Enter the playbook name here

Deploy to Azure Deploy to Azure

Post-Deployment instructions

a. Authorize connections

Once deployment is complete, authorize each connection like MicrosoftSentinel.

  1. Click the connection resource
  2. Click edit API connection
  3. Click Authorize
  4. Sign in
  5. Click Save
b. Configurations in Microsoft Sentinel
  1. In Microsoft Sentinel, analytics rules should be configured to trigger an incident.
    1. Add your deployed logic app in analytic rule to be trigger on every generated incident, to do this follow below steps
      • Select the analytic rule you have deployed.
      • Click on Edit
      • Go to Automated response tab
      • Click on Add new
      • Provide name for your rule, In Actions dropdown select Run playbook
      • In second dropdown select your deployed playbook
      • Click on Apply
      • Save the Analytic rule.
    2. An incident should have the signature_id - custom entity that contains SignatureId from CiscoSyslogUTD.

Sample analytics rule query

 CiscoSyslogUTD
| where SignatureId == "1-12451"

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

Back to Playbooks · Back to Cisco SD-WAN