Enrich Incident - EclecticIQ
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
This playbook perform look up into EclecticIQ for the entities (Account, Host, IP, FileHash, URL) present result to Microsoft Sentinel incident
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | EclecticIQ |
| Source | View on GitHub |
Logic App Connectors
This playbook uses 2 Logic App connectors / built-in actions:
| Connector / Action | Type | Connections | Actions |
|---|---|---|---|
azuresentinel |
Managed | 1 | 6 |
EclecticIQCustomConnector |
Custom | 1 | 5 |
Action parameters (URLs, paths, function IDs)
azuresentinel (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Add_comment_to_incident_(V3) | post | /Incidents/Comment |
— |
| Entities_-_Get_Accounts | post | /entities/account |
— |
| Entities_-_Get_FileHashes | post | /entities/filehash |
— |
| Entities_-_Get_Hosts | post | /entities/host |
— |
| Entities_-_Get_IPs | post | /entities/ip |
— |
| Entities_-_Get_URLs | post | /entities/url |
— |
EclecticIQCustomConnector (Custom)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Get_Observables | get | /api/v1/observables |
— |
| Get_Observables_FileHash | get | /api/v1/observables |
— |
| Get_Observables_-_Hosts | get | /api/v1/observables |
— |
| Get_Observables_-_IP | get | /api/v1/observables |
— |
| Get_Observables_-_URL | get | /api/v1/observables |
— |
Additional Documentation
📄 Source: EclecticIQPlaybooks/EclecticIQ-EnrichIncident/readme.md
ElasticSearch-EnrichIncident Playbook
Summary
When a new Azure Sentinel incident is created, this playbook gets triggered and performs below actions
- For each Entity (Accounts, Host, IP Address, FileHash, URL) available in Sentinel incident, it performs lookup for a match in EclecticIQ
- If it finds the match, this playbook adds a rich comment to the incident with all the collected information
Prerequisites
- EclecticIQ Custom Connector needs to be deployed prior to the deployment of this playbook under the same subscription.
- API key. To get API Key, find the instructions here https://developers.eclecticiq.com/docs/authenticate#generate-api-token.
Deployment instructions
Deploy the playbook by clicking on "Deploy to Azure" button. This will take you to deplyoing an ARM Template wizard.
Fill in the required parameters:
- Playbook Name: Enter the playbook name here (Ex: EclecticIQ-EnrichIncident)
- Custom Connector Name: Enter the EclecticIQ Custom connector name here (Ex: EclecticIQCustomConnector)
Post-Deployment instructions
a. Authorize connections
Once deployment is complete, you will need to authorize each connection.
- Click the Azure Sentinel connection resource
- Click edit API connection
- Click Authorize
- Sign in
- Click Save
- Repeat steps for EclecticIQ API Connection (For authorizing the EclecticIQ API connection, API Key needs to be provided)
b. Configurations in Sentinel
- In Azure sentinel analytical rules should be configured to trigger an incident with risky user account or host or URL or FileHash or IP Address.
- Configure the automation rules to trigger this playbook
c. Assign Playbook Microsoft Sentinel Responder Role
- Select the Playbook (Logic App) resource
- Click on Identity Blade
- Choose System assigned tab
- Click on Azure role assignments
- Click on Add role assignments
- Select Scope - Resource group
- Select Subscription - where Playbook has been created
- Select Resource group - where Playbook has been created
- Select Role - Microsoft Sentinel Responder
- Click Save (It takes 3-5 minutes to show the added role.)
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊