ElasticSearch-EnrichIncident
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
This playbook search in Elastic Search for based on the entities (Account, Host, IP, FileHash, URL) present result to Microsoft Sentinel incident
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | Elastic Search |
| Source | View on GitHub |
Logic App Connectors
This playbook uses 2 Logic App connectors / built-in actions:
| Connector / Action | Type | Connections | Actions |
|---|---|---|---|
azuresentinel |
Managed | 1 | 7 |
ElasticSearchCustomConnector |
Custom | 1 | 6 |
Action parameters (URLs, paths, function IDs)
azuresentinel (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Add_comment_to_incident_(V3) | post | /Incidents/Comment |
— |
| Add_comment_to_incident_(V3)_2 | post | /Incidents/Comment |
— |
| Entities_-_Get_Accounts | post | /entities/account |
— |
| Entities_-_Get_FileHashes | post | /entities/filehash |
— |
| Entities_-_Get_Hosts | post | /entities/host |
— |
| Entities_-_Get_IPs | post | /entities/ip |
— |
| Entities_-_Get_URLs | post | /entities/url |
— |
ElasticSearchCustomConnector (Custom)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Run_Search_Account | post | /@{encodeURIComponent(variables('ElasticIndex'))}/_search |
— |
| Run_Search_FileHash | post | /@{encodeURIComponent(variables('ElasticIndex'))}/_search |
— |
| Run_Search_Host | post | /@{encodeURIComponent(variables('ElasticIndex'))}/_search |
— |
| Run_Search | post | /@{encodeURIComponent(variables('ElasticIndex'))}/_search |
— |
| Run_Search_URL | post | /@{encodeURIComponent(variables('ElasticIndex'))}/_search |
— |
| Search_Shards | get | /@{encodeURIComponent('*')}/_search_shards |
— |
Additional Documentation
📄 Source: ElasticSearchPlaybooks/ElasticSearch-EnrichIncident/readme.md
Summary
When a new Azure Sentinel incident is created, this playbook gets triggered and performs below actions
- For each Entity (Accounts, Host, IP Address, FileHash, URL) available in Sentinel incident, it searches for a match in Elastic Search
- If it finds the match, this playbook adds a rich comment to the incident with all the collected information
Prerequisites
- Elastic Search Custom Connector needs to be deployed prior to the deployment of this playbook under the same subscription.
- API key. To get API Key, login into your Elastic Search instance / Kibana and navigate to API Keys and generated key.To get Elastic Search API key, follow the instructions in the documentation.
Deployment instructions
Deploy the playbook by clicking on "Deploy to Azure" button. This will take you to deplyoing an ARM Template wizard.
Fill in the required paramteres:
- Playbook Name: Enter the playbook name here (Ex: ElasticSearch-EnrichIncident)
- Custom Connector Name: Enter the Elastic Search custom connector name here (Ex: ElasticSearchCustomConnector)
Post-Deployment instructions
a. Authorize connections
Once deployment is complete, you will need to authorize each connection.
- Click the Azure Sentinel connection resource
- Click edit API connection
- Click Authorize
- Sign in
- Click Save
- Repeat steps for Elastic Search Api Connection (For authorizing the Elastic Search API connection, API Key needs to be provided)
b. Configurations in Sentinel
- In Azure sentinel analytical rules should be configured to trigger an incident with risky user account or host or URL or FileHash or IP Address.
- Configure the automation rules to trigger this playbook
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊