DomainTools DNSDB Historical IP Addresses
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
This playbook uses the Farsight DNSDB connector to automatically enrich IP Addresses found in the Microsoft Sentinel incidents. This use case describes the desire to identify all Addresses used as DNS A records for a given Host based on a time window from a starting and stopping point in time.
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | DomainTools |
| Source | View on GitHub |
Logic App Connectors
This playbook uses 2 Logic App connectors / built-in actions:
| Connector / Action | Type | Connections | Actions |
|---|---|---|---|
azuresentinel |
Managed | 1 | 4 |
farsightdnsdb |
Managed | 1 | 2 |
Action parameters (URLs, paths, function IDs)
azuresentinel (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Entities_-_Get_DNS | post | /entities/dnsresolution |
— |
| Entities_-_Get_Hosts | post | /entities/host |
— |
| Add_comment_to_incident_(V3) | post | /Incidents/Comment |
— |
| Add_comment_to_incident_(V3)_2 | post | /Incidents/Comment |
— |
farsightdnsdb (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| RRSet_Lookup_with_RRType_AAAA_Records | get | /lookup/rrset/name/@{encodeURIComponent(items('For_each'))}/@{encodeURIComponent('AAAA')} |
— |
| RRSet_Lookup_with_RRType_A_Records | get | /lookup/rrset/name/@{encodeURIComponent(items('For_each'))}/@{encodeURIComponent('A')} |
— |
Additional Documentation
DomainTools DNSDB Historical Addresses
This playbook uses the Farsight DNSDB connector to automatically enrich IP Addresses found in the Microsoft Sentinel incidents. This use case describes the desire to identify all Addresses used as DNS A records for a given Host based on a time window from a starting and stopping point in time.
Table of Contents
Overview
- This playbook fetches all the host and dns etities from the incident.
- Iterates through each entity, perform logic.
- Adds the historical addresses for each entity as sentinel comments.
Prerequisites
- A DomainTool DNSDB API Key.
Deployment Instructions
- Deploy the playbooks by clicking on the "Deploy to Azure" button. This will take you to the Deploy an ARM Template wizard.
- Fill in the required parameters for deploying the playbook.
- Click "Review + create". Once the validation is successful, click on "Create".
Post-Deployment Instructions
Authorize connections
Once deployment is complete please open the logic app and follow below steps
- As a best practice, we have used the Sentinel connection in Logic Apps that use "ManagedSecurityIdentity" permissions. Please refer to this document and provide permissions to the Logic App accordingly.
- Provide connection details for the Farsight DNSDB Custom Connector.
- You could provide time fencing options, please only provide values from the list (1h,6h,12h,24h, 30d, 60d,90d,365d(Default 1h)).
- Save the Logic App. If the Logic App prompts any missing connections, please update the connections accordingly.
Configurations in Sentinel:
- Configure the analytic rules->Automated response>Automation rules to trigger this playbook.
- Configure Incident Settings , Enable create incidents.
- Configure "Microsoft Sentinel Responder" permission to this playbook, from settings>workspace settings>Access control (IAM)>Add role assignment.
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊