Enrich Dynatrace Application Security Attack Incident

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Content Index

This playbook will enriche Dynatrace Application Security Attack Incidents with additional information when new incident is opened.

Attribute	Value
Type	Playbook
Solution	Dynatrace
Source	View on GitHub

Logic App Connectors

This playbook uses 4 Logic App connectors / built-in actions:

Connector / Action	Type	Connections	Actions
`azuresentinel`	Managed	1	0
`keyvault`	Managed	1	1
`microsoftsentinel`	Managed	0	1
`http`	Built-in	0	1

Action parameters (URLs, paths, function IDs)

`keyvault` (Managed)

Action	Method	Endpoint	Other
Get_Dynatrace_Access_Token	get	`/secrets/@{encodeURIComponent('DynatraceAccessToken')}/value`	—

`microsoftsentinel` (Managed)

Action	Method	Endpoint	Other
Update_incident_with_tags	put	`/Incidents`	—

`http` (Built-in)

Action	Method	Endpoint	Other
Get_Dynatrace_Attack_Details	GET	`https://@{parameters('Tenant')}/api/v2/attacks/@{first(body('Parse_Incident_Alert_Custom_Body_JSON')?['attackIdentifier'])}`	—

Additional Documentation

📄 Source: Enrich_DynatraceApplicationSecurityAttackIncident/readme.md

Enrich_DynatraceApplicationSecurityAttackIncident

author: Dynatrace

This playbook uses the Dynatrace REST APIs to automatically enrich incidents created by Microsoft Sentinel. You need a valid Dynatrace tenant with Application Security enabled. To learn more about the Dynatrace platform Start your free trial

** Prerequisites **

Follow these instructions to generate a Dynatrace access token, the token should have Read attacks (attacks.read) scope.
[Important step]Store the Dynatrace Access Token as a secret in Azure Key vault and provide the key vault name during playbook deployment, by convention the secret name should be 'DynatraceAccessToken'.

** Post Install Notes:**

The Logic App uses a Managed System Identity (MSI) to update the Microsoft Sentinel Incident.

Assign RBAC 'Microsoft Sentinel Responder' role to the Logic App at the Resource Group level of the Log Analytics Workspace.

Assign access policy on key vault for Playbook to fetch the secret key

Initial Setup

A Microsoft Sentinel playbook is utilized by automation rules, therefore to automatically trigger this playbook you must setup a new automation rule. If you have not set permissions yet, review here

Basic steps for setup of the playbook and automation rule are as follows :

Go to the Automation blade in Microsoft Sentinel.
Create a new playbook from the 'Enrich Dynatrace Application Security Attack Incident' playbook template

KeyvaultName: The name of the keyvault created as pre-requisite
DynatraceTenant: xyz.dynatrace.com

Create a new automation rule

Name : Enrich Dynatrace Application Security Attack Incident
Trigger : When incident is created
Conditions : If Analytic rule name contains 'Dynatrace Application Security - Attack detection'
Actions : Run playbook EnrichDynatraceApplicationSecurityAttackIncident

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Playbooks · Back to Dynatrace