Enrich Dynatrace Application Security Attack with related Microsoft Defender XDR insights

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Content Index

---

This playbook will enrich Dynatrace Application Security Attack with related Microsoft Defender XDR insights.

Attribute	Value
Type	Playbook
Solution	Dynatrace
Source	View on GitHub

Tables Used

This content item queries data from the following tables:

Table	Selection Criteria	Transformations	Ingestion API	Lake-Only
SecurityAlert	ProductName in "Azure Active Directory Identity Protection,Azure Advanced Threat Protection,Azure Security Center,Microsoft 365 Defender,Microsoft Cloud App Security,Microsoft Defender Advanced Threat Protection,Office 365 Advanced Threat Protection"	✓	✗	✓

Logic App Connectors

This playbook uses 4 Logic App connectors / built-in actions:

Connector / Action	Type	Connections	Actions
azuremonitorlogs	Managed	1	1
azuresentinel	Managed	1	0
keyvault	Managed	1	1
http	Built-in	0	2

Action parameters (URLs, paths, function IDs)

azuremonitorlogs (Managed)

Action	Method	Endpoint	Other
Get_MSDefender365_Security_Alerts	post	/queryData	—

keyvault (Managed)

Action	Method	Endpoint	Other
Get_Dynatrace_Access_Token	get	/secrets/@{encodeURIComponent('DynatraceAccessToken')}/value	—

http (Built-in)

Action	Method	Endpoint	Other
Get_Dynatrace_Attack_Details	GET	https://@{parameters('Tenant')}/api/v2/attacks/@{first(body('Parse_Incident_Alert_Custom_Body_JSON')?['AttackIdentifier'])}	—
Ingest_Dynatrace_Log_Entries	POST	https://@{parameters('Tenant')}/api/v2/logs/ingest	—

Additional Documentation

📄 Source: Enrich-DynatraceAppSecAttackMSDefenderXDR/readme.md

Enrich-DynatraceAppSecAttackMSDefenderXDR

author: Dynatrace

This playbook will Report only Microsoft Defender XDR insights related to Dynatrace Application Security Attack back to Dynatrace. You need a valid Dynatrace tenant with Application Security and Microsoft Defender XDR enabled in your enviornment to make use of this playbook. To learn more about the Dynatrace platform Start your free trial

** Prerequisites **

• Follow these instructions to generate a Dynatrace access token, the token should have Read attacks (attacks.read) and Ingest logs (logs.ingest) scopes.
• [Important step]Store the Dynatrace Access Token as a secret in Azure Key vault and provide the key vault name during playbook deployment, by convention the secret name should be 'DynatraceAccessToken'.

** Post Install Notes:**

Authorize the Azure Monitor Logs API Connection associated with the logic app deployed into the ResourceGroup.

The Logic App uses a Managed System Identity (MSI) to query the Log Analytics Workspace.

Assign RBAC 'Microsoft Sentinel Reader' role to the Logic App at the Resource Group level of the Log Analytics Workspace.

Assign access policy on key vault for Playbook to fetch the secret key

Initial Setup

A Microsoft Sentinel playbook is utilized by automation rules, therefore to automatically trigger this playbook you must setup a new automation rule. If you have not set permissions yet, review here

Basic steps for setup of the playbook and automation rule are as follows :

1. Go to the Automation blade in Microsoft Sentinel.
2. Create a new playbook from the 'Enrich Dynatrace Application Security Attack with related Microsoft Defender XDR insights' playbook template

• KeyvaultName: The name of the keyvault created as pre-requisite
• DynatraceTenant: xyz.dynatrace.com

3. Create a new automation rule

• Name : Enrich Dynatrace Application Security Attack with related Microsoft Defender XDR insights
• Trigger : When incident is created
• Conditions : If Analytic rule name contains 'Dynatrace Application Security - Attack detection'
• Actions : Run playbook EnrichDynatraceAppSecAttackMSDefenderXDR

---

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Playbooks · Back to Dynatrace