Enrich Dynatrace Application Security Attack with related Microsoft Defender XDR insights

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

Back to Content Index

This playbook will enrich Dynatrace Application Security Attack with related Microsoft Defender XDR insights.

Attribute Value
Type Playbook
Solution Dynatrace
Source View on GitHub

Tables Used

This content item queries data from the following tables:

Table Transformations Ingestion API Lake-Only
SecurityAlert ?

Additional Documentation

📄 Source: Enrich-DynatraceAppSecAttackMSDefenderXDR/readme.md

Enrich-DynatraceAppSecAttackMSDefenderXDR

author: Dynatrace

This playbook will Report only Microsoft Defender XDR insights related to Dynatrace Application Security Attack back to Dynatrace. You need a valid Dynatrace tenant with Application Security and Microsoft Defender XDR enabled in your enviornment to make use of this playbook. To learn more about the Dynatrace platform Start your free trial

** Prerequisites ** - Follow these instructions to generate a Dynatrace access token, the token should have Read attacks (attacks.read) and Ingest logs (logs.ingest) scopes. - [Important step]Store the Dynatrace Access Token as a secret in Azure Key vault and provide the key vault name during playbook deployment, by convention the secret name should be 'DynatraceAccessToken'.

** Post Install Notes:**

Authorize the Azure Monitor Logs API Connection associated with the logic app deployed into the ResourceGroup.

The Logic App uses a Managed System Identity (MSI) to query the Log Analytics Workspace.

Assign RBAC 'Microsoft Sentinel Reader' role to the Logic App at the Resource Group level of the Log Analytics Workspace.

Assign access policy on key vault for Playbook to fetch the secret key

Initial Setup

A Microsoft Sentinel playbook is utilized by automation rules, therefore to automatically trigger this playbook you must setup a new automation rule. If you have not set permissions yet, review here

Basic steps for setup of the playbook and automation rule are as follows :

  1. Go to the Automation blade in Microsoft Sentinel.
  2. Create a new playbook from the 'Enrich Dynatrace Application Security Attack with related Microsoft Defender XDR insights' playbook template - KeyvaultName: The name of the keyvault created as pre-requisite - DynatraceTenant: xyz.dynatrace.com
  3. Create a new automation rule - Name : Enrich Dynatrace Application Security Attack with related Microsoft Defender XDR insights - Trigger : When incident is created - Conditions : If Analytic rule name contains 'Dynatrace Application Security - Attack detection' - Actions : Run playbook EnrichDynatraceAppSecAttackMSDefenderXDR

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

Back to Playbooks · Back to Dynatrace