Enrich Dynatrace Application Security Attack with related Microsoft Sentinel Security Alerts

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Content Index

---

This playbook will enrich Dynatrace Application Security Attack with related Microsoft Sentinel Security Alerts.

Attribute	Value
Type	Playbook
Solution	Dynatrace
Source	View on GitHub

Tables Used

This content item queries data from the following tables:

Table	Selection Criteria	Transformations	Ingestion API	Lake-Only
SecurityAlert	VendorName == "Dynatrace"	✓	✗	✓

Logic App Connectors

This playbook uses 4 Logic App connectors / built-in actions:

Connector / Action	Type	Connections	Actions
azuremonitorlogs	Managed	1	1
azuresentinel	Managed	1	0
keyvault	Managed	1	1
http	Built-in	0	2

Action parameters (URLs, paths, function IDs)

azuremonitorlogs (Managed)

Action	Method	Endpoint	Other
Get_Related_Security_Alerts	post	/queryData	—

keyvault (Managed)

Action	Method	Endpoint	Other
Get_Dynatrace_Access_Token	get	/secrets/@{encodeURIComponent('DynatraceAccessToken')}/value	—

http (Built-in)

Action	Method	Endpoint	Other
Get_Dynatrace_Attack_Details	GET	https://@{parameters('Tenant')}/api/v2/attacks/@{first(body('Parse_Incident_Alert_Custom_Body_JSON')?['AttackIdentifier'])}	—
Ingest_Dynatrace_Log_Entries	POST	https://@{parameters('Tenant')}/api/v2/logs/ingest	—

Additional Documentation

📄 Source: Enrich-DynatraceAppSecAttackWithSecurityAlerts/readme.md

Enrich-DynatraceAppSecAttackWithSecurityAlerts

author: Dynatrace

This playbook will Report all Microsoft Sentinel Security Alerts related to a Dynatrace Application Security Attack back to Dynatrace. You need a valid Dynatrace tenant with Application Security enabled, you will also need to install the relevant Microsoft Sentinel Connectors which would generated security alerts consumed by this playbook. To learn more about the Dynatrace platform Start your free trial

** Prerequisites **

• Follow these instructions to generate a Dynatrace access token, the token should have Read attacks (attacks.read) and Ingest logs (logs.ingest) scopes.
• [Important step]Store the Dynatrace Access Token as a secret in Azure Key vault and provide the key vault name during playbook deployment, by convention the secret name should be 'DynatraceAccessToken'.

** Post Install Notes:**

Authorize the Azure Monitor Logs API Connection associated with the logic app deployed into the ResourceGroup.

The Logic App uses a Managed System Identity (MSI) to query the Log Analytics Workspace.

Assign RBAC 'Microsoft Sentinel Reader' role to the Logic App at the Resource Group level of the Log Analytics Workspace.

Assign access policy on key vault for Playbook to fetch the secret key

Initial Setup

A Microsoft Sentinel playbook is utilized by automation rules, therefore to automatically trigger this playbook you must setup a new automation rule. If you have not set permissions yet, review here

Basic steps for setup of the playbook and automation rule are as follows :

1. Go to the Automation blade in Microsoft Sentinel.
2. Create a new playbook from the 'Enrich Dynatrace Application Security Attack with related Microsoft Sentinel Security Alerts' playbook template

• KeyvaultName: The name of the keyvault created as pre-requisite
• DynatraceTenant: xyz.dynatrace.com

3. Create a new automation rule

• Name : Enrich Dynatrace Application Security Attack with related Microsoft Sentinel Security Alerts
• Trigger : When incident is created
• Conditions : If Analytic rule name contains 'Dynatrace Application Security - Attack detection'
• Actions : Run playbook EnrichDynatraceAppSecAttackWithSecurityAlerts

---

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Playbooks · Back to Dynatrace