Illusive-SentinelIncident-Enrichment




Attribute | Value
Type | Playbook
Solution | Illusive Active Defense
Source | View on GitHub

⚠️ Not listed in Solution JSON: This content item was discovered by scanning the solution folder but is not included in the official Solution JSON file. It may be a legacy item, under development, or excluded from the official solution package.

Additional Documentation

📄 Source: Illusive-SentinelIncident-Enrichment/readme.md

Illusive Incident Enrichment Playbook

The Incident Enrichment playbook leverages Sentinel analytic rules to discover Illusive-based alerts and report the associated data and forensics as Sentinel incident sets.

Use this playbook to enrich Sentinel security incidents originating from Illusive with Illusive incident and forensics information. Illusive continues to enrich relevant Sentinel incidents as new events are detected. This is done using the Illusive API resource.

Playbook Workflow

  1. Perform the general solution setup (see instructions here).
  2. Create the Illusive playbook.
  3. Connect the playbook to Azure Sentinel.

Create the Illusive playbook

Deploying the Illusive Incident Enrichment playbook requires a custom deployment template.

Deploy a custom template

Before deploying the custom template, download the azuredeploy.json for the Incident Enrichment playbook from the GitHub repository using this link.

  1. On the Azure home page, filter for Deploy a custom template.
  2. Under Custom Deployment > Select a template, click Build your own template in the editor.
  3. From Edit template, click Load file, load the azuredeploy.json file you downloaded, and click Save.
  4. Under Custom Deployment > Basics:
    • Specify the Subscription that contains the dedicated Azure app that will run the Illusive Sentinel solution.
    • Specify the Resource group that contains the Workspace where you want to install the playbook.
    • Under Instance details:

      Field | Instructions
      Region | Filled automatically based on the subscription and cannot be changed.
      Workspace Name | Specify the Azure Sentinel Workspace Name where you want to create the playbook.
      Illusive API URL, Illusive API Key | Supply the authentication parameters required to access the Illusive API. Important: Enter the API key without the keyword
      Azure-Sentinel Client ID, Azure-Sentinel Client Secret, Azure-Sentinel Tenant ID | Supply the authentication parameters required to access the Azure-Sentinel API.

[Content truncated...]
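Before loading the downloaded azuredeploy.json in step 3, it is worth confirming that the parameters that carry secrets (the Illusive API key and the Azure-Sentinel client secret) are declared as securestring and carry no default value, so they are not recorded in plain text in the deployment history. The following Python check is an added example, not part of the playbook's README; the template fragment and parameter names in it are constructed assumptions, not the real azuredeploy.json.

```python
import json
import re

# Constructed stand-in for the parameters section of an ARM template.
# Parameter names are assumptions, not the playbook's actual names.
SAMPLE_TEMPLATE = json.dumps({
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "WorkspaceName": {"type": "string"},
        "IllusiveAPIURL": {"type": "string"},
        "IllusiveAPIKey": {"type": "securestring"},
        "AzureSentinelClientID": {"type": "string"},
        "AzureSentinelClientSecret": {"type": "string", "defaultValue": "changeme"},
        "AzureSentinelTenantID": {"type": "string"},
    },
    "resources": [],
})

# Parameter names that usually hold credentials.
SENSITIVE = re.compile(r"(key|secret|password|token)", re.IGNORECASE)


def audit_template_parameters(template_text):
    """Return findings for parameters that look like secrets but are not
    declared safely (wrong type or a value baked into the template)."""
    template = json.loads(template_text)
    findings = []
    for name, spec in template.get("parameters", {}).items():
        if not SENSITIVE.search(name):
            continue
        # Secrets must be securestring so they are not echoed in the
        # deployment history, activity log or portal UI.
        declared = str(spec.get("type", ""))
        if declared.lower() != "securestring":
            findings.append(f"{name}: type is '{declared}', expected 'securestring'")
        # A default value for a secret is a credential checked into the template.
        if "defaultValue" in spec:
            findings.append(f"{name}: has a defaultValue; secrets should be supplied at deploy time")
    return findings


if __name__ == "__main__":
    for finding in audit_template_parameters(SAMPLE_TEMPLATE):
        print(finding)
```

Run it against the real file with `audit_template_parameters(open("azuredeploy.json").read())`; an empty list means every secret-looking parameter is a securestring with no default.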


