Domain Enrichment - DomainTools Iris Enrich
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
Given a domain or set of domains associated with an incident return all Iris Enrich data for those domains as comments in the incident.
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | DomainTools |
| Source | View on GitHub |
Logic App Connectors
This playbook uses 2 Logic App connectors / built-in actions:
| Connector / Action | Type | Connections | Actions |
|---|---|---|---|
azuresentinel |
Managed | 1 | 5 |
function |
Built-in | 0 | 1 |
Action parameters (URLs, paths, function IDs)
azuresentinel (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Add_Iris_Enrich_Table_to_Incident_Comments | post | /Incidents/Comment |
— |
| Add_Error_to_Incident_Comments | post | /Incidents/Comment |
— |
| Entities_-_Get_DNS | post | /entities/dnsresolution |
— |
| Entities_-_Get_Hosts | post | /entities/host |
— |
| Entities_-_Get_URLs | post | /entities/url |
— |
function (Built-in)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| EnrichDomain | — | — | functionId=[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/sites/', variables('Functionappname'), '/functions/EnrichDomain')] |
Additional Documentation
DomainTools Iris Enrich Domain Playbook
Table of Contents
- Overview
- Deploy DomainTools-Iris-Enrich-Playbook
- Authentication
- Prerequisites
- Deployment
- Post Deployment Steps
Overview
This playbook uses the DomainTools Iris Enrich API, which we recommend over Iris Investigate for high-volume API lookup activities. It is able to provide domain infrastructure information for a domain or set of domains associated with an incident. If your account is provisioned for Iris Enrich, use the Iris Enrich endpoint to return Whois, mailserver, DNS, SSL and related indicators from Iris Enrich for a given domain or set of domains.
Visit https://www.domaintools.com/integrations to request a Api key.
When a new Azure Sentinel Incident is created, and this playbook is triggered, it performs these actions:
- It fetches all the Host/DNS/URL entities in the Incident.
- Iterates through the Host/DNS/URL entities and fetches the results from Iris Enrich for each entity.
- All the details from DomainTools Iris Enrich will be added as comments in a tabular format.
Links to deploy the DomainTools Iris Enrich Domain Playbook
Authentication
Authentication methods this connector supports:
Prerequisites
- A DomainTools API Key provisioned for Iris Enrich
- DomainTools Function App should be deployed
Deployment instructions
- Deploy the playbooks by clicking on "Deploy to Azure" button. This will take you to deploying an ARM Template wizard.
- Fill in the required parameters for deploying the playbook.
- Click "Review + create". Once the validation is successful, click on "Create".
Post-Deployment instructions.
- As a best practice, we have used the Sentinel connection in Logic Apps that use "ManagedSecurityIdentity" permissions. Please refer to this document and provide permissions to the Logic App accordingly.
b. Configurations in Sentinel:
- In Azure Sentinel, analytical rules should be configured to trigger an incident with risky Domain indicators.
- Configure the automation rules to trigger the playbook.
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊