Restore From Last Cohesity Snapshot
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
This playbook restores the latest good Data Hawk (Helios) snapshot.
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | CohesitySecurity |
| Source | View on GitHub |
Logic App Connectors
This playbook uses 4 Logic App connectors / built-in actions:
| Connector / Action | Type | Connections | Actions |
|---|---|---|---|
azureblob |
Managed | 1 | 6 |
azuresentinel |
Managed | 1 | 0 |
keyvault |
Managed | 1 | 1 |
http |
Built-in | 0 | 1 |
Action parameters (URLs, paths, function IDs)
azureblob (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Get_cid_from_blob_content | get | /v2/datasets/@{encodeURIComponent(encodeURIComponent('AccountNameFromSettings'))}/GetFileContentByPath |
— |
| Get_entity_id_from_blob_content | get | /v2/datasets/@{encodeURIComponent(encodeURIComponent('AccountNameFromSettings'))}/GetFileContentByPath |
— |
| Get_job_id_from_blob_content | get | /v2/datasets/@{encodeURIComponent(encodeURIComponent('AccountNameFromSettings'))}/GetFileContentByPath |
— |
| Get_job_instance_id_from_blob_content | get | /v2/datasets/@{encodeURIComponent(encodeURIComponent('AccountNameFromSettings'))}/GetFileContentByPath |
— |
| Get_job_start_time_usecs_from_blob_content | get | /v2/datasets/@{encodeURIComponent(encodeURIComponent('AccountNameFromSettings'))}/GetFileContentByPath |
— |
| Get_object_from_blob_content | get | /v2/datasets/@{encodeURIComponent(encodeURIComponent('AccountNameFromSettings'))}/GetFileContentByPath |
— |
keyvault (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Get_secret | get | /secrets/@{encodeURIComponent('ApiKey')}/value |
— |
http (Built-in)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| HTTP | POST | https://helios.cohesity.com/irisservices/api/v1/public/restore/recover |
— |
Additional Documentation
Summary
This playbook restores the latest good Data Hawk (Helios) snapshot. It’s recommended for running by Backup Admins only after they make sure that the existing data is compromised, and rollback to the previous snapshot, even at the expense of data loss, is really required. Please beware: It's operable only if you have installed the Function Apps and received some incidents that need an action on affected data.
Deployment instructions
- Deploy the playbook by clicking on the "Deploy to Azure" button. This will take you to deploying an ARM Template wizard.
- Fill in the required parameters:
- Playbook Name: Enter the playbook name here.
Post-Deployment instructions
- Make sure the user that runs the playbook has the role Microsoft Sentinel Playbook Operator assigned. To assign the role,
- Under the Subscriptions tab from the Home page, choose your subscription name.
- Choose the Access Control (IAM) option from the left pane.
- Click on Add > Add Role Assignment and add Microsoft Sentinel Playbook Operator to the user.
- Authorize all connections
- Go to Logic Apps and choose your playbook
- In the Development Tools sections select API Connections. In the left pane you'll see the list of connections that you'll need to authorize
- Authorize the Azure blob storage connection by selecting it and clicking on General\Edit API Connection
- Enter your connection name, storage account and access key. You can find them by selecting your storage account here and then choosing Security+networking\Access keys).
- Authorize the Azure blob storage connection by selecting it and clicking on General\Edit API Connection
- Grant KeyVault permissions to your playbook
- Go to Key vaults and choose your keyvault, which starts from cohesitypro and is followed by a sequence of letters and numbers, e.g. cohesityprofnxj32cucakwk.
- On the right pane, select Access Policies and click +Create.
- Choose Get permission in the Secret Permissions section and press Next.
- Enter your playbook name and press Next.
- Press Next and then Create to finish granting permissions.
- (Recommendation) Limit access rights to this playbook to only Backup Admins because this playbook rolls back customer data that can result in a loss of important data if used without a good reason.
- From the Microsoft Sentinel navigation menu, select Settings.
- In the Settings blade, select the Settings tab and expand Playbook Permissions.
- Select Configure Permissions to open the Manage Permissions panel.
- Select the required resource group and click Apply.
- Select Done.
Troubleshooting
- If your API key expired, then you need to replace it with a new one.
- Create the Cohesity Helios API key:
- Go to the Cohesity Helios login page.
- Enter your credentials and select Log In. The Summary page is displayed.
- Navigate to Settings > Access Management. The Users tab is displayed.
- Select Add API Key. The API Key Details is displayed.
- Enter a name for the API key.
- Select Save.
- Go to Key vaults and choose your keyvault, which starts from cohesitypro and is followed by a sequence of letters and numbers, e.g. cohesityprofnxj32cucakwk.
- Assign the ApiKey secret to the API Key value from the previous step. Now your API key is securely saved in the Azure KeyVault.
- If you see the Forbidden error message in the Keyvault block when you run the playbook, you can always authorize it manually.
- Choose your app in the Logic Apps
- Authorize your KeyVault connection by selecting it and clicking on General\Edit API Connection
- Press the Authorize button and select the appropriate account. Enter your key vault name if prompted. You can find your key vault name here.
[Content truncated...]
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊