Infoblox-SOC-Import-Indicators-TI

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Content Index

---

Imports each Indicator of a Microsoft Sentinel Incident triggered by an Infoblox SOC Insight into the ThreatIntelligenceIndicator table. You must run the Infoblox-SOC-Get-Insight-Details playbook on a SOC Insight Incident before running this playbook.

Attribute	Value
Type	Playbook
Solution	Infoblox
Source	View on GitHub

Logic App Connectors

This playbook uses 3 Logic App connectors / built-in actions:

Connector / Action	Type	Connections	Actions
azuremonitorlogs	Managed	1	2
azuresentinel	Managed	1	0
http	Built-in	0	2

Action parameters (URLs, paths, function IDs)

azuremonitorlogs (Managed)

Action	Method	Endpoint	Other
Get_Domains	post	/queryDataV2	—
Get_IPs	post	/queryDataV2	—

http (Built-in)

Action	Method	Endpoint	Other
Send_IPs_to_Sentinel	POST	https://graph.microsoft.com/beta/security/tiIndicators	—
Send_Domains_to_Sentinel	POST	https://graph.microsoft.com/beta/security/tiIndicators	—

Additional Documentation

📄 Source: Infoblox SOC Import Indicators TI/readme.md

• Summary
• Prerequisites
• Deployment instructions
• Post-Deployment instructions

Summary

This playbook imports each Indicator of an SOC Insight Incident into the ThreatIntelligenceIndicator table you can use as threat intelligence.

You must run the Infoblox-SOC-Get-Insight-Details playbook on the SOC Insight Incident before running this playbook.

This playbook can be configured to run automatically when a SOC Insight Incident occurs or run on demand.

Prerequisites

1. Workspace Name
2. Entra ID Application Secret
3. Client ID
4. Tenant ID

Deployment instructions

1. To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
2. Fill in the required parameters:
   • Playbook Name: Enter the playbook name here
   • Workspace Name: Enter workspace name in which Incident is created
   • Entra ID Application Secret: Enter value for Entra ID Application Secret
   • Client ID: Enter value for Application (Client) ID
   • Tenant ID: Enter value for Directory (Tenant) ID

Post-Deployment instructions

a. Authorize connections

Once deployment is complete, authorize each connection.

1. Go to your logic app -> API connections -> Select azuremonitorlogs connection resource
2. Go to General -> edit API connection
3. Click Authorize
4. Sign in
5. Click Save
6. Repeat steps for other connections

b. Assign Role to Update in incident

Assign role to this playbook

1. Go to Log Analytics Workspace → select your workspace → Access Control → Add
2. Add role assignment
3. Assignment type: Job function roles -> Add 'Microsoft Sentinel Contributor' as a Role
4. Members: select managed identity for assigned access to and add your logic app as member
5. Click on review+assign

---

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Playbooks · Back to Infoblox