Infoblox-IPAM-Lookup
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
The playbook will retrieve IP entities from an incident, call an API to obtain IPAM lookup data, and add this data, along with IP space and subnet information, as a comment on the incident.
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | Infoblox |
| Source | View on GitHub |
Logic App Connectors
This playbook uses 2 Logic App connectors / built-in actions:
| Connector / Action | Type | Connections | Actions |
|---|---|---|---|
azuresentinel |
Managed | 1 | 9 |
http |
Built-in | 0 | 3 |
Action parameters (URLs, paths, function IDs)
azuresentinel (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Add_Comment_To_Incident_No_IPs_Found | post | /Incidents/Comment |
— |
| Entities_-_Get_IPs | post | /entities/ip |
— |
| Add_Comment_To_Incident_For_Empty_IP_Address_Found | post | /Incidents/Comment |
— |
| Add_Comment_That_Limit_Has_Been_Exceeded_To_100 | post | /Incidents/Comment |
— |
| Add_Comment_To_Incident_For_No_Results_Found_For_IP_Address | post | /Incidents/Comment |
— |
| Add_Comment_That_Limit_Has_Been_Exceeded_To_100_(2) | post | /Incidents/Comment |
— |
| Add_Comment_To_Incident_For_Whole_API_Response_Of_One_IP_Traversed_(V3) | post | /Incidents/Comment |
— |
| Add_Comment_To_Incident | post | /Incidents/Comment |
— |
| Add_Comment_That_Limit_Has_Been_Exceeded_To_100_(3) | post | /Incidents/Comment |
— |
http (Built-in)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| HTTP_Request_To_Lookup_Information_For_An_IP_Space_ | GET | @{variables('base_url')}/api/ddi/v1/@{variables('ip_space_id')} |
— |
| HTTP_Request_To_Lookup_Information_For_Subnet | GET | @{variables('base_url')}/api/ddi/v1/@{variables('subnet_id')} |
— |
| HTTP_Request_To_Lookup_Information_About_An_IP_Address | GET | @{variables('base_url')}/api/ddi/v1/ipam/address |
— |
Additional Documentation
📄 Source: Infoblox IPAM Lookup/readme.md
Infoblox IPAM Lookup
Summary
The playbook will retrieve IP entities from an incident, call an API to obtain IPAM lookup data, and add this data, along with IP space and subnet information, as a comment on the incident.
Prerequisites
- User must have a valid Infoblox API Key.
Deployment instructions
- To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
- Fill in the required parameters:
- Playbook Name: Enter the playbook name here
- Infoblox API Key: Enter valid value for API Key
- Infoblox Base Url: Enter baseurl for your Infoblox instance.(e.g. https://csp.infoblox.com)
Post-Deployment instructions
a. Assign Role to add comment in incident
Assign role to this playbook.
- Go to Log Analytics Workspace →
→ Access Control → Add - Add role assignment
- Assignment type: Job function roles -> Add 'Microsoft Sentinel Contributor' as a Role
- Members: select managed identity for assigned access to and add your logic app as member
- Click on review+assign
b. Configurations in Microsoft Sentinel
- In Microsoft sentinel, analytical rules should be configured to trigger an incident which has Entities Mapping available for IP
- To manually run the playbook on a particular incident follow the below steps:
a. Go to Microsoft Sentinel ->
-> Incidents b. Select an incident c. In the right pane, click on Actions, and from the dropdown select the 'Run Playbook' option d. Click on the Run button beside this playbook
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊