TritonPlayook

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Content Index

Author: Amit Sheps and Lior Tamir

Attribute	Value
Type	Playbook
Solution	GitHub Only
Source	View on GitHub

Associated Connectors

The following connectors provide data for this content item:

Connector	Solution
CefAma	Common Event Format
VirtualMetricDirectorProxy	VirtualMetric DataStream
VirtualMetricMSSentinelConnector	VirtualMetric DataStream
VirtualMetricMSSentinelDataLakeConnector	VirtualMetric DataStream

Solutions: Common Event Format, VirtualMetric DataStream

Logic App Connectors

This playbook uses 7 Logic App connectors / built-in actions:

Connector / Action	Type	Connections	Actions
`azuremonitorlogs`	Managed	1	3
`azuresentinel`	Managed	1	10
`excelonlinebusiness`	Managed	1	2
`office365`	Managed	1	2
`teams`	Managed	1	2
`wdatp`	Managed	1	1
`http`	Built-in	0	2

Action parameters (URLs, paths, function IDs)

`azuremonitorlogs` (Managed)

Action	Method	Endpoint	Other
Run_query_and_list_results_-_Remote_Access_connections	post	`/queryData`	—
Get_all_logs_from_the_attacker_machine_2	post	`/queryData`	—
Get_all_logs_from_the_attacker_machine	post	`/queryData`	—

`azuresentinel` (Managed)

Action	Method	Endpoint	Other
Entities_-_Get_IPs	post	`/entities/ip`	—
Close_incident_with_reason_-_Sent_from_Engineering_Station	put	`/Case/@{encodeURIComponent(triggerBody()?['workspaceInfo']?['SubscriptionId'])}/@{encodeURIComponent(triggerBody()?['workspaceId'])}/@{encodeURIComponent(triggerBody()?['workspaceInfo']?['ResourceGroupName'])}/@{encodeURIComponent('Incident')}/@{encodeURIComponent(triggerBody()?['object']?['properties']?['incidentNumber'])}/Status/@{encodeURIComponent('Closed')}`	—
Resolve_incident_-_Authorized_PC	put	`/Case/@{encodeURIComponent(triggerBody()?['workspaceInfo']?['SubscriptionId'])}/@{encodeURIComponent(triggerBody()?['workspaceId'])}/@{encodeURIComponent(triggerBody()?['workspaceInfo']?['ResourceGroupName'])}/@{encodeURIComponent('Incident')}/@{encodeURIComponent(triggerBody()?['object']?['properties']?['incidentNumber'])}/Status/@{encodeURIComponent('Closed')}`	—
Change_incident_severity_to_critical	put	`/Case/@{encodeURIComponent(triggerBody()?['workspaceInfo']?['SubscriptionId'])}/@{encodeURIComponent(triggerBody()?['workspaceId'])}/@{encodeURIComponent(triggerBody()?['workspaceInfo']?['ResourceGroupName'])}/@{encodeURIComponent('Incident')}/@{encodeURIComponent(triggerBody()?['object']?['properties']?['incidentNumber'])}/Severity/@{encodeURIComponent('Critical')}`	—
Change_incident_severity_to_high	put	`/Case/@{encodeURIComponent(triggerBody()?['workspaceInfo']?['SubscriptionId'])}/@{encodeURIComponent(triggerBody()?['workspaceId'])}/@{encodeURIComponent(triggerBody()?['workspaceInfo']?['ResourceGroupName'])}/@{encodeURIComponent('Incident')}/@{encodeURIComponent(triggerBody()?['object']?['properties']?['incidentNumber'])}/Severity/@{encodeURIComponent('High')}`	—
Enrich_incident_with_investigation_details	put	`/Comment/@{encodeURIComponent(triggerBody()?['workspaceInfo']?['SubscriptionId'])}/@{encodeURIComponent(triggerBody()?['workspaceId'])}/@{encodeURIComponent(triggerBody()?['workspaceInfo']?['ResourceGroupName'])}/@{encodeURIComponent('Incident')}/@{encodeURIComponent(triggerBody()?['object']?['properties']?['incidentNumber'])}`	—
Enrich_the_incident_with_the_logs_2	put	`/Comment/@{encodeURIComponent(triggerBody()?['workspaceInfo']?['SubscriptionId'])}/@{encodeURIComponent(triggerBody()?['workspaceId'])}/@{encodeURIComponent(triggerBody()?['workspaceInfo']?['ResourceGroupName'])}/@{encodeURIComponent('Incident')}/@{encodeURIComponent(triggerBody()?['object']?['properties']?['incidentNumber'])}`	—
Raise_incident_severity_to_high_2	put	`/Case/@{encodeURIComponent(triggerBody()?['workspaceInfo']?['SubscriptionId'])}/@{encodeURIComponent(triggerBody()?['workspaceId'])}/@{encodeURIComponent(triggerBody()?['workspaceInfo']?['ResourceGroupName'])}/@{encodeURIComponent('Incident')}/@{encodeURIComponent(triggerBody()?['object']?['properties']?['incidentNumber'])}/Severity/@{encodeURIComponent('High')}`	—
Enrich_the_incident_with_the_logs	put	`/Comment/@{encodeURIComponent(triggerBody()?['workspaceInfo']?['SubscriptionId'])}/@{encodeURIComponent(triggerBody()?['workspaceId'])}/@{encodeURIComponent(triggerBody()?['workspaceInfo']?['ResourceGroupName'])}/@{encodeURIComponent('Incident')}/@{encodeURIComponent(triggerBody()?['object']?['properties']?['incidentNumber'])}`	—
Raise_incident_severity_to_high	put	`/Case/@{encodeURIComponent(triggerBody()?['workspaceInfo']?['SubscriptionId'])}/@{encodeURIComponent(triggerBody()?['workspaceId'])}/@{encodeURIComponent(triggerBody()?['workspaceInfo']?['ResourceGroupName'])}/@{encodeURIComponent('Incident')}/@{encodeURIComponent(triggerBody()?['object']?['properties']?['incidentNumber'])}/Severity/@{encodeURIComponent('High')}`	—

`excelonlinebusiness` (Managed)

Action	Method	Endpoint	Other
Get_a_row_-_Look_for_IP_address_in_Authorized_PCs	get	`/drives/@{encodeURIComponent('')}/files/@{encodeURIComponent('')}/tables/@{encodeURIComponent('{}')}/items/@{encodeURIComponent(encodeURIComponent(items('For_each_2')?['Address']))}`	—
Get_a_row	get	`/drives/@{encodeURIComponent('b!79ydF-l5akakWEPLRYRmfwN1MtPhqNZHoIJxp6doXEZZX9DLHdm8T6FXj7AHSJ6i')}/files/@{encodeURIComponent('01QES7VSN32ZDFMJSCJBAJ2F3EHL2BXONF')}/tables/@{encodeURIComponent('Table1')}/items/@{encodeURIComponent(encodeURIComponent(items('For_each_2')?['Address']))}`	—

`office365` (Managed)

Action	Method	Endpoint	Other
Notify_by_email_to_stakeholders_2	post	`/v2/Mail`	—
Notify_by_email_to_stakeholders	post	`/v2/Mail`	—

`teams` (Managed)

Action	Method	Endpoint	Other
Send_a_Teams_message_to_the_SOC_for_critical_IT-OT_threat	post	`/v3/beta/teams/@{encodeURIComponent('teamsid')}/channels/@{encodeURIComponent('channel')}/messages`	—
Send_a_Teams_message_to_the_SOC_for_IT-OT_threat	post	`/v3/beta/teams/@{encodeURIComponent('teamid')}/channels/@{encodeURIComponent('channelid')}/messages`	—

`wdatp` (Managed)

Action	Method	Endpoint	Other
Actions_-_Isolate_machine	post	`/api/machines/@{encodeURIComponent('machineID')}/isolate`	—

`http` (Built-in)

Action	Method	Endpoint	Other
HTTP_-_get_machine_by_IP_address	GET	`https://api.securitycenter.windows.com/api/machines/findbyip(ip='@{first(body('Run_query_and_list_results_-_Remote_Access_connections')?['value'])?['SourceIp']}',timestamp=@{utcNow()})`	—
Gather_all_PC_alerts_in_MDATP	GET	`https://api.securitycenter.windows.com/api/ips/@{items('For_each_2')?['Address']}/alerts`	—

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Playbooks