Illusive-SentinelIncident-Enrichment



Type: Playbook
Solution: Illusive Active Defense
Source: View on GitHub

⚠️ Not listed in Solution JSON: This content item was discovered by scanning the solution folder but is not included in the official Solution JSON file. It may be a legacy item, under development, or excluded from the official solution package.

Logic App Connectors

This playbook uses 2 Logic App connectors / built-in actions:

  • azuresentinel (Managed): 1 connection, 6 actions
  • http (Built-in): 0 connections, 5 actions
Action parameters (URLs, paths, function IDs)

azuresentinel (Managed)

Action Method Endpoint Other
Add_Illusive_Incident_details_to_Sentinel_Incident_comment post /Incidents/Comment
Update_Sentinel_Incident_with_Critical_severity_and_Closed_status put /Incidents
Update_Sentinel_Incident_with_Critical_severity_and_existing_tag put /Incidents
Update_Sentinel_Incident_with_Critical_severity_and_no_tag put /Incidents
Update_Sentinel_Incident_with_Non_Critical_severity_and_Closed_status put /Incidents
Update_Sentinel_Incident_with_Severity_and_Status put /Incidents

http (Built-in)

Action Method Endpoint Other
Get_Events_of_an_Illusive_Incident GET @{parameters('Illusive Base URL')}/api/v1/incidents/events?incident_id=@{variables('Illusive Incident Id')}
Get_the_Triggering_Process_Information GET @{parameters('Illusive Base URL')}/api/v1/forensics/triggering_process_info?event_id=@{max(variables('Event Id'))}
Generate_the_token_for_Azure_Sentinel_Incident POST https://login.microsoftonline.com/@{parameters('Azure Tenant Id')}/oauth2/token
Get_Illusive_Incident_Details GET @{parameters('Illusive Base URL')}/api/v2/incidents/incident?incident_id=@{variables('Illusive Incident Id')}
Get_Sentinel_Incident_with_the_Title GET https://management.azure.com@{parameters('ResourceGroup')}/providers/Microsoft.OperationalInsights/workspaces/@{parameters('Workspace_Name')}/providers/Microsoft.SecurityInsights/incidents?api-version=2020-01-01&$filter=properties/title eq 'Illusive Incident: @{variables('Illusive Incident Id')}'

Additional Documentation

📄 Source: Illusive-SentinelIncident-Enrichment/readme.md

Illusive Incident Enrichment Playbook

The Incident Enrichment playbook uses Sentinel analytic rules to discover Illusive-based alerts and reports the associated incident data and forensics to the corresponding Sentinel incidents.

Use this playbook to enrich Sentinel security incidents originating from Illusive with Illusive incident and forensics information. Illusive continues to enrich the relevant Sentinel incidents as new events are detected. This is done through the Illusive API.

Playbook Workflow

  1. Perform the general solution setup (see instructions here).
  2. Create the Illusive playbook.
  3. Connect the playbook to Azure Sentinel.

Create the Illusive playbook

Deploying the Illusive Incident Enrichment playbook requires a custom deployment template.

Deploy a custom template

Before deploying the custom template, download the azuredeploy.json for the Incident Enrichment playbook from the GitHub repository using this link.

  1. On the Azure home page, filter for Deploy a custom template.
  2. Under Custom Deployment > Select a template, click Build your own template in the editor.
  3. From Edit template, click Load file, load the azuredeploy.json file you downloaded, and click Save.
  4. Under Custom Deployment > Basics:
    • Specify the Subscription that contains the dedicated Azure app that will run the Illusive Sentinel solution.
    • Specify the Resource group that contains the Workspace where you want to install the playbook.
    • Under Instance details:
      Region: Filled automatically based on the subscription and cannot be changed.
      Workspace Name: Specify the Azure Sentinel Workspace Name where you want to create the playbook.
      Illusive API URL, Illusive API Key: Supply the authentication parameters required to access the Illusive API. Important: Enter the API key without the keyword
      Azure-Sentinel Client ID, Azure-Sentinel Client Secret, Azure-Sentinel Tenant ID: Supply the authentication parameters required to access the Azure-Sentinel API.

[Content truncated...]