This playbook provides an end-to-end example of sending an email, posting a message to a Microsoft Teams channel, and creating a third-party ticket for suspicious activity found in the data.
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | Cisco SD-WAN |
| Source | View on GitHub |
This playbook uses 9 Logic App connectors / built-in actions:
| Connector / Action | Type | Connections | Actions |
|---|---|---|---|
| azurecommunicationservicessms | Managed | 1 | 3 |
| azuresentinel | Managed | 1 | 0 |
| jira | Managed | 1 | 0 |
| jira_2 | Managed | 0 | 3 |
| outlook | Managed | 1 | 0 |
| outlook_2 | Managed | 0 | 3 |
| service-now | Managed | 1 | 0 |
| service-now_1 | Managed | 0 | 3 |
| teams | Managed | 1 | 3 |
azurecommunicationservicessms (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Send_SMS_2 | post | /v2/sms | — |
| Send_SMS_3 | post | /v2/sms | — |
| Send_SMS | post | /v2/sms | — |

jira_2 (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Create_a_new_issue_(V3)_2 | post | /v3/issue | — |
| Create_a_new_issue_(V3)_3 | post | /v3/issue | — |
| Create_a_new_issue_(V3) | post | /v3/issue | — |

outlook_2 (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Send_an_email_(V2)_2 | post | /v2/Mail | — |
| Send_an_email_(V2)_3 | post | /v2/Mail | — |
| Send_an_email_(V2) | post | /v2/Mail | — |

service-now_1 (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Create_Record_2 | post | /api/now/v2/table/@{encodeURIComponent('ticket')} | — |
| Create_Record_3 | post | /api/now/v2/table/@{encodeURIComponent('ticket')} | — |
| Create_Record | post | /api/now/v2/table/@{encodeURIComponent('ticket')} | — |

teams (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Post_message_in_a_chat_or_channel_2 | post | /beta/teams/conversation/message/poster/Flow bot/location/@{encodeURIComponent('Channel')} | — |
| Post_message_in_a_chat_or_channel_3 | post | /beta/teams/conversation/message/poster/Flow bot/location/@{encodeURIComponent('Channel')} | — |
| Post_message_in_a_chat_or_channel | post | /beta/teams/conversation/message/poster/@{encodeURIComponent('Flow bot')}/location/@{encodeURIComponent('Channel')} | — |
📄 Source: CiscoSDWANLogicAPP/readme.md
Once deployment is complete, authorize each connection, such as the MicrosoftSentinel connection.
- Add your deployed Logic App to the analytic rule so that it is triggered on every generated incident. To do this, follow the steps below:
  - Select the analytic rule you have deployed.
  - Click Edit.
  - Go to the Automated response tab.
  - Click Add new.
  - Provide a name for your rule and, in the Actions dropdown, select Run playbook.
  - In the second dropdown, select your deployed playbook.
  - Click Apply.
  - Save the analytic rule.
```kusto
CiscoSyslogUTD
| union (CiscoSDWANNetflow)
| where isnotempty(SourceIP) or isnotempty(NetflowFwSrcAddrIpv4)
| extend SourceIP = coalesce(SourceIP, NetflowFwSrcAddrIpv4)
| where ipv4_is_in_any_range(SourceIP, "172.16.101.9/24", "192.168.1.1/24", "208.67.220.220")
| summarize count() by SourceIP
```

```kusto
CiscoSyslogUTD
| where Classification == "A Network Trojan was Detected"
| summarize count() by Classification
| where count_ > 10
```

```kusto
CiscoSyslogUTD
| where isnotempty(Malware) and Malware != "None"
| distinct Malware, SourceIP
| join kind=inner (CiscoSDWANNetflow
    | where isnotempty(NetflowUsername)
    | summarize arg_max(TimeStamp, NetflowUsername) by NetflowFwSrcAddrIpv4
    | distinct ["Username"] = NetflowUsername, ["SourceIP"] = NetflowFwSrcAddrIpv4) on SourceIP
| project Malware, SourceIP, Username
```
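As an added example (not part of the playbook or the Sentinel solution), the following Python re-implements the three queries above over constructed sample rows, so the watched-range filter, the trojan threshold and the latest-username join can be checked offline; the row layouts and sample values are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample rows standing in for the CiscoSyslogUTD table.
UTD = [
    {"TimeStamp": "2024-05-01T10:00:00Z", "SourceIP": "172.16.101.20",
     "Classification": "A Network Trojan was Detected", "Malware": "Trojan.Generic"},
    {"TimeStamp": "2024-05-01T10:05:00Z", "SourceIP": "172.16.101.20",
     "Classification": "A Network Trojan was Detected", "Malware": "None"},
    {"TimeStamp": "2024-05-01T10:09:00Z", "SourceIP": "10.0.0.5",
     "Classification": "Potentially Bad Traffic", "Malware": "Trojan.Generic"},
]
# Constructed sample rows standing in for the CiscoSDWANNetflow table.
NETFLOW = [
    {"TimeStamp": "2024-05-01T09:00:00Z", "NetflowFwSrcAddrIpv4": "172.16.101.20", "NetflowUsername": "alice"},
    {"TimeStamp": "2024-05-01T11:00:00Z", "NetflowFwSrcAddrIpv4": "172.16.101.20", "NetflowUsername": "bob"},
    {"TimeStamp": "2024-05-01T11:30:00Z", "NetflowFwSrcAddrIpv4": "192.168.1.77", "NetflowUsername": ""},
]
WATCHED = ["172.16.101.9/24", "192.168.1.1/24", "208.67.220.220"]

def ipv4_is_in_any_range(ip, ranges):
    """KQL ipv4_is_in_any_range: strict=False accepts host-bit prefixes like 172.16.101.9/24."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r, strict=False) for r in ranges)

def hits_by_watched_ip(utd, netflow):
    """Query 1: union both tables, coalesce the two source-IP columns, count per watched IP."""
    counts = Counter()
    for row in utd + netflow:
        ip = row.get("SourceIP") or row.get("NetflowFwSrcAddrIpv4")
        if ip and ipv4_is_in_any_range(ip, WATCHED):
            counts[ip] += 1
    return dict(counts)

def trojan_count(utd):
    """Query 2: rows classified as a detected network trojan (the rule fires when > 10)."""
    return sum(1 for r in utd if r.get("Classification") == "A Network Trojan was Detected")

def malware_with_username(utd, netflow):
    """Query 3: latest NetflowUsername per source IP (arg_max) inner-joined to distinct (Malware, SourceIP)."""
    latest = {}  # ISO-8601 timestamps compare correctly as strings
    for r in netflow:
        if not r.get("NetflowUsername"):
            continue
        ip = r["NetflowFwSrcAddrIpv4"]
        if ip not in latest or r["TimeStamp"] > latest[ip][0]:
            latest[ip] = (r["TimeStamp"], r["NetflowUsername"])
    pairs = {(r["Malware"], r["SourceIP"]) for r in utd
             if r.get("Malware") and r["Malware"] != "None"}
    return sorted((m, ip, latest[ip][1]) for m, ip in pairs if ip in latest)
```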