Cyjax Ad Hoc Enrichment
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
This playbook is triggered via HTTP request and is designed to get IOC value from workbook provided by user and fetch it's related data from Cyjax and Ingest it into Log Analytics Workspace which will be used to populate Ad Hoc dashboard.
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | Cyjax |
| Source | View on GitHub |
Tables Used
This content item queries data from the following tables:
| Table | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|
CyjaxAdHocEnrichment_CL 🔶 |
? | ✓ | ? |
Logic App Connectors
This playbook uses 3 Logic App connectors / built-in actions:
| Connector / Action | Type | Connections | Actions |
|---|---|---|---|
azureloganalyticsdatacollector |
Managed | 1 | 1 |
keyvault |
Managed | 1 | 1 |
http |
Built-in | 0 | 1 |
Action parameters (URLs, paths, function IDs)
azureloganalyticsdatacollector (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Send_Data_To_Log_Analytics_Workspace | post | /api/logs |
— |
keyvault (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Get_Cyjax_API_Key | get | /secrets/@{encodeURIComponent('Cyjax-API-Key')}/value |
— |
http (Built-in)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| HTTP_Request_To_Fetch_IOC_Enrichment_Data_From_Cyjax | GET | @{variables('base_url')}/@{variables('api_version')}/indicator-of-compromise/enrichment |
— |
Additional Documentation
📄 Source: CyjaxAdHocEnrichment/readme.md
Summary
This playbook is triggered via HTTP request from the Cyjax workbook and is designed to fetch IOC (Indicator of Compromise) data based on user-provided values. It retrieves related threat intelligence data from the Cyjax API and ingests it into Log Analytics Workspace, which is then used to populate the Ad Hoc dashboard in the Cyjax workbook.
Prerequisites
- Obtain a Cyjax API key and store it in Azure Key Vault as a secret named 'Cyjax-API-Key'.
- Create or identify an Azure Key Vault and note its name and Tenant ID.
- Ensure you have a Log Analytics Workspace configured for Microsoft Sentinel.
Deployment Instructions
- To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
- Fill in the required parameters:
- PlaybookName: Enter the playbook name here (default: CyjaxAdHocEnrichment).
- CyjaxBaseUrl: Base URL for the Cyjax API (default: https://api.cymon.co).
- KeyVaultName: Name of the Azure Key Vault where the Cyjax API key is stored.
- TenantId: Microsoft Entra ID Tenant ID where the Key Vault is located.
Post-Deployment Instructions
a. Authorize connections
Once deployment is complete, authorize each connection.
- Go to your logic app → API connections → Select Keyvault connection resource.
- Go to General → edit API connection.
- Click Authorize.
- Sign in.
- Click Save.
- Repeat steps for Log Analytics Data Collector connection.
b. Add Access policy in Keyvault
Add access policy for the playbook's managed identity to read secrets from Key Vault.
- Go to logic app → your logic app → identity → System assigned Managed identity and copy Object (principal) ID.
- Go to keyvaults → your keyvault → Access policies → create.
- Select Get and List permissions for Secrets. Click next.
- In the principal section, search by copied object ID. Click next.
- Click review + create.
c. Configure Workbook Integration
Configure the Cyjax workbook to call this playbook with the HTTP POST URL.
- Go to Logic App → your Logic App → Logic app designer.
- Copy the HTTP POST URL from the trigger.
- Configure the Cyjax workbook Ad Hoc Enrichment tab to use this URL for triggering IOC enrichment queries.
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊