Google Cloud Platform BigQuery - Query BigQuery Table

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

Back to Content Index

This playbook can be run from incident context manually or from automation rule to query the GCP BigQuery table and enrich the incident with results.

Attribute Value
Type Playbook
Solution Google Cloud Platform BigQuery
Source View on GitHub

Logic App Connectors

This playbook uses 2 Logic App connectors / built-in actions:

Connector / Action Type Connections Actions
azuresentinel Managed 1 1
GCPBigQueryCustomConnector Custom 1 1
Action parameters (URLs, paths, function IDs)

azuresentinel (Managed)

Action Method Endpoint Other
Add_comment_to_incident_(V3) post /Incidents/Comment

GCPBigQueryCustomConnector (Custom)

Action Method Endpoint Other
Run_Query_Job post /projects/@{encodeURIComponent(parameters('ProjectID'))}/queries

Additional Documentation

📄 Source: GCPBigQueryPlaybooks/GCPBigQuery-GetQueryResults/readme.md

GCPBigQuery-GetQueryResults

Summary

This playbook can be run from incident context manually or from automation rule to query the GCP BigQuery table and enrich the incident with query results. The playbook performs following actions:

  1. Runs the SQL query as Query job and gets the result.
  2. Parse the result and format as table.
  3. Add the result as comment to the incident.



Prerequisites

  1. Prior to the deployment of this playbook, GCPBigQuery Logic App Custom Connector needs to be deployed under the same subscription.
  2. Refer to GCPBigQuery Logic App Custom Connector documentation for deployment instructions.

Deployment instructions

  1. To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
  2. Fill in the required parameters:
    • Playbook Name
    • Custom Connector Name
    • GCP Project ID
    • SQL Query String

Deploy to Azure Deploy to Azure

Post-Deployment instructions

a. Authorize connections

Once deployment is complete, authorize each connection.

  1. Select the Microsoft Sentinel connection resource
  2. Click Edit API connection blade
  3. Click Authorize/Provide credentials
  4. Click Save
  5. Repeat these steps for other connections

b. Configurations in Sentinel

  1. In Microsoft Sentinel, configure the automation rule/analytical rule to trigger the playbook. Check the documentation to learn more about automation rules.

c. Assign Playbook Microsoft Sentinel Responder Role

  1. Select the Playbook (Logic App) resource
  2. Click on Identity Blade
  3. Choose System assigned tab
  4. Click on Azure role assignments
  5. Click on Add role assignments
  6. Select Scope - Resource group
  7. Select Subscription - where Playbook has been created
  8. Select Resource group - where Playbook has been created
  9. Select Role - Microsoft Sentinel Responder
  10. Click Save

References

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

Back to Playbooks · Back to Google Cloud Platform BigQuery