Close Cohesity Helios Incident
This playbook closes the corresponding Cohesity DataHawk (Helios) ticket.
Logic App Connectors
This playbook uses 3 Logic App connectors / built-in actions:
Action parameters (URLs, paths, function IDs)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Get_secret | get | /secrets/@{encodeURIComponent('ApiKey')}/value | — |
http (Built-in)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| HTTP | PUT | https://helios.cohesity.com/v2/mcm/alert-service/alerts/@{variables('helioID')}/state | — |
Additional Documentation
📄 Source: Cohesity_Close_Helios_Incident/readme.md
Cohesity Close Helios Incident Playbook
Summary
This playbook closes the Cohesity Data Cloud alert.
Remember: It works only if you have installed the Function Apps and have received a few incidents that require closure.
Deployment Instructions
- Click the "Deploy to Azure" button to deploy the playbook. This takes you to the ARM template deployment wizard.
- Fill in the required parameters:
  - Playbook Name: Enter the playbook name here.
Post-deployment Instructions
- The user who runs the playbook must have the Microsoft Sentinel Playbook Operator role. To assign the role:
  - Under the Subscriptions tab from the Home page, choose your subscription name.
  - Choose the Access Control (IAM) option from the left pane.
  - Click on Add > Add Role Assignment and add Microsoft Sentinel Playbook Operator to the user.
- Grant KeyVault permissions to your playbook. Follow the steps below.
  - Go to Key vaults and choose your key vault. Its name starts with cohesitypro and is followed by a sequence of letters and numbers, for example, cohesityprofnxj32cucakwk.
  - On the right pane, select Access Policies and click +Create.
  - Choose Get permission in the Secret Permissions section and press Next.
  - Enter your playbook name and press Next.
  - Press Next and then Create to finish granting permissions.
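An added example, not part of the Cohesity readme: a least-privilege check for the access policy granted in the steps above, run over JSON shaped like the `properties.accessPolicies` array in `az keyvault show` output. The sample vault data and object IDs are constructed, and `audit_playbook_policy` is a hypothetical helper name.

```python
import json

# Constructed sample shaped like `az keyvault show` output for a vault that
# uses access policies; the object IDs and permission sets are made up.
SAMPLE_VAULT = json.loads("""
{
  "name": "cohesityprofnxj32cucakwk",
  "properties": {"accessPolicies": [
    {"objectId": "11111111-1111-1111-1111-111111111111",
     "permissions": {"secrets": ["Get"], "keys": [], "certificates": []}},
    {"objectId": "22222222-2222-2222-2222-222222222222",
     "permissions": {"secrets": ["get", "list", "set"], "keys": ["get"]}},
    {"objectId": "33333333-3333-3333-3333-333333333333",
     "permissions": {"secrets": []}}
  ]}
}
""")

# The only grant the post-deployment steps call for: Get on secrets.
ALLOWED = {"secrets": {"get"}}


def audit_playbook_policy(vault, object_id):
    """Return findings for the access policy of one identity (empty list = ok)."""
    policies = [p for p in vault.get("properties", {}).get("accessPolicies", [])
                if p.get("objectId", "").lower() == object_id.lower()]
    if not policies:
        return ["no access policy: Get_secret would be denied"]
    findings = []
    for policy in policies:
        perms = policy.get("permissions") or {}
        for kind, granted in perms.items():
            # Permission names are compared case-insensitively.
            extra = {g.lower() for g in (granted or [])} - ALLOWED.get(kind, set())
            if extra:
                findings.append(f"excess {kind} permissions: {sorted(extra)}")
        if "get" not in {g.lower() for g in (perms.get("secrets") or [])}:
            findings.append("missing secrets/get: Get_secret would be denied")
    return findings


if __name__ == "__main__":
    for p in SAMPLE_VAULT["properties"]["accessPolicies"]:
        oid = p["objectId"]
        print(oid, audit_playbook_policy(SAMPLE_VAULT, oid) or "ok")
```

An identity with no findings holds exactly the Get permission on secrets; any extra grant on the playbook's identity widens what a compromised playbook run could read or change in the vault.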
Troubleshooting
- If your API key has expired, replace it with a new one.
  - Create the Cohesity Data Cloud API key:
    - Go to the Cohesity Data Cloud login page.
    - Enter your credentials and select Log In. The Summary page is displayed.
    - Navigate to Settings > Access Management. The Users tab is displayed.
    - Select Add API Key. The API Key Details is displayed.
    - Enter a name for the API key.
    - Select Save.
  - Go to Key vaults and choose your key vault. Its name starts with cohesitypro and is followed by a sequence of letters and numbers, for example, cohesityprofnxj32cucakwk.
  - Set the API Key secret to the API key value from the previous step. Now your API key is securely saved in the Microsoft Azure KeyVault.
- If you see the Forbidden error message in the Keyvault block when you run the playbook, you can authorize it manually.
  - Choose your app (playbook) in the Logic Apps.
  - Authorize your KeyVault connection by selecting it and clicking on General\Edit API Connection.
  - Click on the Authorize button and select the appropriate account. Enter your key vault name if prompted. You can find your key vault name here.
  - Note: If you can't authorize the connections using the steps above, follow the steps below.
    - Open your playbook in Development Tools\Logic App Designer.
    - Click on the connection block.
    - Click on the Change connection link in the right pane.
    - Create a new connection, choose a different one, or authorize the one that is marked with an "i" sign.