IP Enrichment - DomainTools Parsed Whois
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
This playbook uses the DomainTools Parsed Whois API. Given a ip address or set of ip addresses associated with an incident, return Whois information data for the extracted ip addresess as comments to the incident.
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | DomainTools |
| Source | View on GitHub |
Logic App Connectors
This playbook uses 2 Logic App connectors / built-in actions:
| Connector / Action | Type | Connections | Actions |
|---|---|---|---|
azuresentinel |
Managed | 1 | 8 |
function |
Built-in | 0 | 1 |
Action parameters (URLs, paths, function IDs)
azuresentinel (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Entities_-_Get_IPs | post | /entities/ip |
— |
| Add_Parsed_WhoIs_data_to_Incident_Comments | post | /Incidents/Comment |
— |
| Add_basic_Parsed_WhoIs_data_to_Incident_Comments | post | /Incidents/Comment |
— |
| Add_parsed_whois_contacts_to_incident_Comments | post | /Incidents/Comment |
— |
| Add_parsed_whois_networks_to_incident_Comments | post | /Incidents/Comment |
— |
| Add_parsed_whois_routes_data_to_incident_comments | post | /Incidents/Comment |
— |
| Add_comment_to_incident_(V3) | post | /Incidents/Comment |
— |
| Add_refferral_servers_comments_to_incident_comments | post | /Incidents/Comment |
— |
function (Built-in)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| ParsedWhois | — | — | functionId=[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/sites/', variables('Functionappname'), '/functions/ParsedWhois')] |
Additional Documentation
DomainTools IP Address Enrichment Playbook
Table of Contents
- Overview
- Deploy DomainTools-IP-Address-Playbook
- Authentication
- Prerequisites
- Deployment
- Post Deployment Steps
Overview
This playbook uses the DomainTools Parsed Whois API. It is able to provide whois information for a IP or set of IPs associated with an incident.
Visit https://www.domaintools.com/integrations to request a Api key.
When a new Azure Sentinel Incident is created, and this playbook is triggered, it performs these actions:
- It fetches all the IP entities in the Incident.
- Iterates through the IP entities and fetches the results from Parsed Whois for each entity.
- All the details from DomainTools Parsed Whois will be added as comments in a tabular format.
Links to deploy the DomainTools IP Address Playbook
Authentication
Authentication methods this connector supports:
Prerequisites
- A DomainTools API Key
- DomainTools Function App should be deployed
Deployment instructions
- Deploy the playbooks by clicking on "Deploy to Azure" button. This will take you to deploying an ARM Template wizard.
- Fill in the required parameters for deploying the playbook.
- Click "Review + create". Once the validation is successful, click on "Create".
Post-Deployment instructions:
- As a best practice, we have used the Sentinel connection in Logic Apps that use "ManagedSecurityIdentity" permissions. Please refer to this document and provide permissions to the Logic App accordingly.
b. Configurations in Sentinel:
- In Azure Sentinel, analytical rules should be configured to trigger an incident with risky IP Address indicators.
- Configure the automation rules to trigger the playbook.
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊