CiscoUmbrella-BlockDomain
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
This playbook showcases an example of triggering an incident within a targeted Teams channel and opening up a ticket within Service Now. Additionally The playbook will also list playbooks that can be initiated from teams using an adaptive card and callbacks that will take action upon certain entities identified in the incident.
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | CiscoUmbrella |
| Source | View on GitHub |
Logic App Connectors
This playbook uses 3 Logic App connectors / built-in actions:
| Connector / Action | Type | Connections | Actions |
|---|---|---|---|
azuresentinel |
Managed | 1 | 2 |
ciscoumbrellaenforcement |
Managed | 0 | 1 |
CiscoUmbrellaEnforcementAPI |
Custom | 1 | 0 |
Action parameters (URLs, paths, function IDs)
azuresentinel (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Add_comment_to_incident_(V3) | post | /Incidents/Comment |
— |
| Entities_-_Get_URLs | post | /entities/url |
— |
ciscoumbrellaenforcement (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Block_domain | post | /1.0/events |
— |
Additional Documentation
📄 Source: CiscoUmbrellaPlaybooks/CiscoUmbrella-BlockDomain/readme.md
Summary
When a new sentinel incident is created, this playbook gets triggered and performs the following actions
- Obtains domains from URL entities in the incident.
- Optionally adds these domains to a customer's domain lists using Cisco Cloud Security Enforcement API.
- Adds comment to incident with information about posted domains.
Prerequisites
- Prior to the deployment of this playbook, Cisco Cloud Security Enforcement Connector needs to be deployed under the same subscription.
- Obtain Cisco Cloud Security API credentials. Refer to Cisco Cloud Security Enforcement Custom Connector documentation.
Deployment instructions
- To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
- Fill in the required parameters:
- Playbook Name: Enter the playbook name here
Post-Deployment instructions
a. Authorize connections
Once deployment is complete, authorize each connection.
- Click the Microsoft Sentinel connection resource
- Click edit API connection
- Click Authorize
- Sign in
- Click Save
- Repeat steps for Cisco Cloud Security Enforcement connector API Connection. Provide your key and the secret for authorizing.
b. Configurations in Sentinel
- In Microsoft sentinel, analytical rules should be configured to trigger an incident with a malicious URL. In the Entity mapping section of the analytics rule creation workflow, malicious URL should be mapped to Url identifier of the URL entity type. Check the documentation to learn more about mapping entities.
- Configure the automation rules to trigger the playbook.
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊