Infoblox-SOC-Import-Indicators-TI



Imports each Indicator of a Microsoft Sentinel Incident triggered by an Infoblox SOC Insight into the ThreatIntelligenceIndicator table. You must run the Infoblox-SOC-Get-Insight-Details playbook on a SOC Insight Incident before running this playbook.

Type: Playbook
Solution: Infoblox
Source: View on GitHub

Additional Documentation

📄 Source: Infoblox SOC Import Indicators TI/readme.md

Summary

This playbook imports each Indicator of a SOC Insight Incident into the ThreatIntelligenceIndicator table, where it can be used as threat intelligence.

You must run the Infoblox-SOC-Get-Insight-Details playbook on the SOC Insight Incident before running this playbook.

This playbook can be configured to run automatically when a SOC Insight Incident occurs or run on demand.

Prerequisites

  1. Workspace Name
  2. Entra ID Application Secret
  3. Client ID
  4. Tenant ID

Deployment instructions

  1. To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
  2. Fill in the required parameters:
    • Playbook Name: Enter the playbook name here
    • Workspace Name: Enter the name of the workspace in which the Incident is created
    • Entra ID Application Secret: Enter value for Entra ID Application Secret
    • Client ID: Enter value for Application (Client) ID
    • Tenant ID: Enter value for Directory (Tenant) ID

Deploy to Azure · Deploy to Azure Gov

Post-Deployment instructions

a. Authorize connections

Once deployment is complete, authorize each connection.

  1. Go to your logic app -> API connections -> Select azuremonitorlogs connection resource
  2. Go to General -> edit API connection
  3. Click Authorize
  4. Sign in
  5. Click Save
  6. Repeat steps for other connections

b. Assign a role to update the incident

Assign a role to this playbook:

  1. Go to Log Analytics Workspace → select your workspace → Access Control → Add
  2. Add role assignment
  3. Assignment type: Job function roles -> Add 'Microsoft Sentinel Contributor' as a Role
  4. Members: under 'Assign access to', select Managed identity, then add your logic app as a member
  5. Click Review + assign
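The same role assignment done from Az PowerShell, as an added example that is not part of the Infoblox solution; it resolves the playbook's system-assigned managed identity, grants 'Microsoft Sentinel Contributor' scoped to the workspace only, and then reads the assignment back as a check. The resource group, workspace and playbook names are placeholders you must supply.

```powershell
# Added example (not the solution's own code): scope the grant to the workspace,
# never to the whole subscription, and confirm it after creation.
$ResourceGroup = '<resource-group>'        # placeholder
$WorkspaceName = '<workspace-name>'        # placeholder
$PlaybookName  = 'Infoblox-SOC-Import-Indicators-TI'
$RoleName      = 'Microsoft Sentinel Contributor'

# Workspace resource ID is the assignment scope
$workspace = Get-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroup -Name $WorkspaceName
$scope = $workspace.ResourceId

# The playbook must have a system-assigned managed identity; fail clearly if it does not
$logicApp    = Get-AzLogicApp -ResourceGroupName $ResourceGroup -Name $PlaybookName
$principalId = $logicApp.Identity.PrincipalId
if (-not $principalId) {
    throw "Playbook '$PlaybookName' has no system-assigned managed identity enabled."
}

# Create the assignment only if it is not already present (re-runnable)
$existing = Get-AzRoleAssignment -ObjectId $principalId -Scope $scope `
    -RoleDefinitionName $RoleName -ErrorAction SilentlyContinue
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName $RoleName -Scope $scope | Out-Null
}

# Check: list what the identity holds at workspace scope
Get-AzRoleAssignment -ObjectId $principalId -Scope $scope |
    Select-Object RoleDefinitionName, Scope
```

Role assignments can take a few minutes to propagate, so a playbook run immediately after the grant may still fail with an authorization error.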
