CiscoUmbrella-AssignPolicyToIdentity

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

This playbook provides an automated way to associate an identity to an existing policy in Cisco Cloud Security. For more details, click here.

Additional Documentation

📄 Source: CiscoUmbrellaPlaybooks/CiscoUmbrella-AssignPolicyToIdentity/readme.md

When a new sentinel incident is created, this playbook gets triggered and performs the following actions

Assigns a new DNS or web policy (PolicyId is provided on the playbook deployment step) to an identity (originId of the identity provided in the alert custom entities).
Adds comment to the incident with information about the assigned policies.

Login to Cisco Cloud Security dashboard and navigating to Admin-->API Keys. Create New API Key if not already created and select the appropriate "Key Scope" with Read/Write permission. Store "Api Key" and "Key Secret" to a safe place. This "Api Key" is a "Client Id" and "Key Secret" is a "Secret" used for this Playbook.
Store the "Api Key" and "Key Secret" from previous step to Key vault Secrets.
To obtain the Organization ID and Policy ID, press F12 or right-click on the page and select 'Inspect' in your browser on the Cisco Cloud Security dashboard page. Then, navigate to the 'Policies' section and click on the 'All Policies' tab. Now open the 'Network' tab and search with 'policy'. Open the 'Response' tab of the request to get the Policy ID and Organization ID as shown in the screenshot below.

NOTE: The ID and OrganizationID values in the screenshot below are for illustration purposes only and are not intended for actual use.

To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
Fill in the required parameters:
- Playbook Name: Enter the playbook name here.
- Cisco Cloud Security Organization Id: Organization id in Cisco Cloud Security.
- Cisco Cloud Security Policy Id: ID of the DNS or web policy to act upon.
- Keyvault name: Name of the key vault where secrets are stored.
- Cloud Security API Client Id Key Name: Name of the Secrets field from Keyvault where Cisco Cloud Security "API Key" value is stored.
- Cloud Security API Secret Key Name: Name of the Secrets field from Keyvault where Cisco Cloud Security "Key Secret" value is stored.
- Host End Point: Default is "api.umbrella.com" and is used for any API call to Cisco Cloud Security REST API's.

Once deployment is complete, authorize each connection.

Click the Microsoft Sentinel connection resource
Click edit API connection
Click Authorize
Sign in
Click Save
Repeat steps for Cisco Cloud Security Network Device Management connector API Connection. Provide your key and the secret for authorizing.

In Microsoft sentinel, analytical rules should be configured to trigger an incident. An incident should have the originId custom entity. OriginId is an Umbrella-wide unique identifier for this traffic source (origin). It can be obtained from the corresponding field in Cisco Cloud Security logs. Check the documentation to learn more about adding custom entities to incidents.
Configure the automation rules to trigger the playbook.

[Content truncated...]

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊