Create Observable - EclecticIQ
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
This playbook adds new observable in EclecticIQ based on the entities info present in Sentinel incident. If same type and value exists already, then it will update the observable and comment will be added to Sentinel's incident
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | EclecticIQ |
| Source | View on GitHub |
Logic App Connectors
This playbook uses 2 Logic App connectors / built-in actions:
| Connector / Action | Type | Connections | Actions |
|---|---|---|---|
azuresentinel |
Managed | 1 | 6 |
EclecticIQCustomConnector |
Custom | 1 | 5 |
Action parameters (URLs, paths, function IDs)
azuresentinel (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Add_comment_to_incident_(V3) | post | /Incidents/Comment |
— |
| Entities_-_Get_Accounts | post | /entities/account |
— |
| Entities_-_Get_FileHashes | post | /entities/filehash |
— |
| Entities_-_Get_Hosts | post | /entities/host |
— |
| Entities_-_Get_IPs | post | /entities/ip |
— |
| Entities_-_Get_URLs | post | /entities/url |
— |
EclecticIQCustomConnector (Custom)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Create_or_Update_Observables_-_Accounts | put | /api/v1/observables/ |
— |
| Create_or_Update_Observables-FileHash | put | /api/v1/observables/ |
— |
| Create_or_Update_Observables-Host | put | /api/v1/observables/ |
— |
| Create_or_Update_Observables-IP | put | /api/v1/observables/ |
— |
| Create_or_Update_Observables-URI | put | /api/v1/observables/ |
— |
Additional Documentation
📄 Source: EclecticIQPlaybooks/EclecticIQ-CreateObservable/readme.md
OpenCTI- Add Indicators in OpenCTI Playbook
Summary
When a new Microsoft Sentinel incident is created, this playbook gets triggered and performs below actions
- Create or Update (if already exists) observable in EclecticIQ for each entity (Accounts, Host, IP Address, FileHash, URL) that is presented in Sentinel incident
- This playbook adds new comment to sentinel incident
Prerequisites
- EclecticIQ Custom Connector needs to be deployed prior to the deployment of this playbook under the same subscription.
- API key. To get API Key, find the instructions here https://developers.eclecticiq.com/docs/authenticate#generate-api-token.
Deployment instructions
Deploy the playbook by clicking on "Deploy to Azure" button. This will take you to deplyoing an ARM Template wizard.
Fill in the required parameters:
- Playbook Name: Enter the playbook name here (Ex: EclecticIQ-CreateObservable)
- Custom Connector Name: Enter the EclecticIQ custom connector name here (Ex: EclecticIQCustomConnector)
Post-Deployment instructions
a. Authorize connections
Once deployment is complete, you will need to authorize each connection.
- Click the Azure Sentinel connection resource
- Click edit API connection
- Click Authorize
- Sign in
- Click Save
- Repeat steps for EclecticIQ API Connection (For authorizing the EclecticIQ API connection, API Key needs to be provided)
b. Configurations in Sentinel
- In Azure sentinel analytical rules should be configured to trigger an incident with risky user account or host or URL or FileHash or IP Address.
- Configure the automation rules to trigger this playbook
c. Assign Playbook Microsoft Sentinel Responder Role
- Select the Playbook (Logic App) resource
- Click on Identity Blade
- Choose System assigned tab
- Click on Azure role assignments
- Click on Add role assignments
- Select Scope - Resource group
- Select Subscription - where Playbook has been created
- Select Resource group - where Playbook has been created
- Select Role - Microsoft Sentinel Responder
- Click Save (It takes 3-5 minutes to show the added role.)
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊