Google Cloud Platform BigQuery - Create Wtchlist with BigQuery Table Data
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
This playbook can be run from incident context manually or from automation rule to create a watchlist from GCP BigQuery table data.
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | Google Cloud Platform BigQuery |
| Source | View on GitHub |
Logic App Connectors
This playbook uses 2 Logic App connectors / built-in actions:
| Connector / Action | Type | Connections | Actions |
|---|---|---|---|
azuresentinel |
Managed | 1 | 2 |
GCPBigQueryCustomConnector |
Custom | 1 | 2 |
Action parameters (URLs, paths, function IDs)
azuresentinel (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Add_comment_to_incident_(V3) | post | /Incidents/Comment |
— |
| Watchlists_-Create_a_new_Watchlist_with_data(Raw_Content) | put | /Watchlists/subscriptions/@{encodeURIComponent(triggerBody()?['workspaceInfo']?['SubscriptionId'])}/resourceGroups/@{encodeURIComponent(triggerBody()?['workspaceInfo']?['ResourceGroupName'])}/workspaces/@{encodeURIComponent(triggerBody()?['workspaceId'])}/watchlists/@{encodeURIComponent(parameters('WatchlistName'))} |
— |
GCPBigQueryCustomConnector (Custom)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Get_Table_Data | get | /projects/@{encodeURIComponent(parameters('ProjectID'))}/datasets/@{encodeURIComponent(parameters('DatasetID'))}/tables/@{encodeURIComponent(parameters('TableID'))}/data |
— |
| Get_Table_Details | get | /projects/@{encodeURIComponent(parameters('ProjectID'))}/datasets/@{encodeURIComponent(parameters('DatasetID'))}/tables/@{encodeURIComponent(parameters('TableID'))} |
— |
Additional Documentation
📄 Source: GCPBigQueryPlaybooks/GCPBigQuery-CreateWatchlist-From-BigQueryTable/readme.md
GCPBigQuery-CreateWatchlist-From-BigQueryTable
Summary
This playbook can be run from incident context manually or from automation rule to create a watchlist from GCP BigQuery table data. The playbook performs following actions:
- Get the table details for the given table.
- Get the table data and parse the result.
- Create a watchlist with the parsed data.
- Add a comment to the incident of success/failure of action.
Prerequisites
- Prior to the deployment of this playbook, GCPBigQuery Logic App Custom Connector needs to be deployed under the same subscription.
- Refer to GCPBigQuery Logic App Custom Connector documentation for deployment instructions.
Deployment instructions
- To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
- Fill in the required parameters:
- Playbook Name
- Custom Connector Name
- GCP Project ID
- SQL Query String
Post-Deployment instructions
a. Authorize connections
Once deployment is complete, authorize each connection.
- Select the Microsoft Sentinel connection resource
- Click Edit API connection blade
- Click Authorize/Provide credentials
- Click Save
- Repeat these steps for other connections
b. Configurations in Sentinel
- In Microsoft Sentinel, configure the automation rule/analytical rule to trigger the playbook. Check the documentation to learn more about automation rules.
c. Assign Playbook Microsoft Sentinel Responder Role
- Select the Playbook (Logic App) resource
- Click on Identity Blade
- Choose System assigned tab
- Click on Azure role assignments
- Click on Add role assignments
- Select Scope - Resource group
- Select Subscription - where Playbook has been created
- Select Resource group - where Playbook has been created
- Select Role - Microsoft Sentinel Contributor
- Click Save
References
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
↑ Back to Playbooks · Back to Google Cloud Platform BigQuery