Infoblox-TIDE-Lookup-Comment-Enrichment
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
The playbook enrich an incident by adding TIDE Lookup information as comment on an incident.
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | Infoblox |
| Source | View on GitHub |
Logic App Connectors
This playbook uses 2 Logic App connectors / built-in actions:
| Connector / Action | Type | Connections | Actions |
|---|---|---|---|
azuresentinel |
Managed | 1 | 17 |
http |
Built-in | 0 | 4 |
Action parameters (URLs, paths, function IDs)
azuresentinel (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Add_Comment_To_Incident_If_Entity_Mapping_Not_Found | post | /Incidents/Comment |
— |
| Add_Comment_To_Incident_If_No_TIDE_Data_Found_For_Hash | post | /Incidents/Comment |
— |
| Add_Comment_That_Limit_Has_Been_Exceeded_For_Hash | post | /Incidents/Comment |
— |
| Add_Hash_TIDE_Data_As_Comment | post | /Incidents/Comment |
— |
| Add_Comment_To_Incident_If_No_TIDE_Data_Found_For_Host | post | /Incidents/Comment |
— |
| Add_Comment_That_Limit_Has_Been_Exceeded_For_Host | post | /Incidents/Comment |
— |
| Add_Host_TIDE_Data_As_Comment | post | /Incidents/Comment |
— |
| Add_Comment_To_Incident_If_No_TIDE_Data_Found_For_IP | post | /Incidents/Comment |
— |
| Add_Comment_That_Limit_Has_Been_Exceeded_For_IP | post | /Incidents/Comment |
— |
| Add_IP_TIDE_Data_As_Comment | post | /Incidents/Comment |
— |
| Add_Comment_To_Incident_If_No_TIDE_Data_Found_For_URL | post | /Incidents/Comment |
— |
| Add_Comment_That_Limit_Has_Been_Exceeded_For_URL | post | /Incidents/Comment |
— |
| Add_URL_TIDE_Data_As_Comment | post | /Incidents/Comment |
— |
| Get_FileHashes_From_Entities | post | /entities/filehash |
— |
| Get_Hosts_From_Entities | post | /entities/host |
— |
| Get_IPs_From_Entities | post | /entities/ip |
— |
| Get_URLs_From_Entities | post | /entities/url |
— |
http (Built-in)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| HTTP_Request_To_Get_TIDE_Data_Of_Type_Hash | GET | @{variables('base_url')}/tide/api/data/threats |
— |
| HTTP_Request_To_Get_TIDE_Data_Of_Type_Host | GET | @{variables('base_url')}/tide/api/data/threats |
— |
| HTTP_Request_To_Get_TIDE_Data_Of_Type_IP | GET | @{variables('base_url')}/tide/api/data/threats |
— |
| HTTP_Request_To_Get_TIDE_Data_Of_Type_URL | GET | @{variables('base_url')}/tide/api/data/threats |
— |
Additional Documentation
📄 Source: Infoblox TIDE Lookup Incident Comment Based/readme.md
Infoblox TIDE Lookup Comment Enrichment
Summary
The playbook enriches an incident by adding TIDE Lookup information as comment on an incident.
Prerequisites
- User must provide valid Infoblox API Key.
Deployment instructions
- To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
- Fill in the required parameters:
- Playbook Name: Enter the playbook name here
- Infoblox API Key: Enter valid value for API Key
- Infoblox Base Url: Enter baseurl for your Infoblox instance.(e.g. https://csp.infoblox.com)
Post-Deployment instructions
a. Assign Role to add comment in incident
Assign role to this playbook.
- Go to Log Analytics Workspace →
→ Access Control → Add - Add role assignment
- Assignment type: Job function roles -> Add 'Microsoft Sentinel Contributor' as a Role
- Members: select managed identity for assigned access to and add your logic app as member
- Click on review+assign
b. Configurations in Microsoft Sentinel
- In Microsoft sentinel, analytical rules should be configured to trigger an incident which has Entities Mapping available for IP
- To manually run the playbook on a particular incident follow the below steps:
a. Go to Microsoft Sentinel ->
-> Incidents b. Select an incident c. In the right pane, click on Actions, and from the dropdown select the 'Run Playbook' option d. Click on the Run button beside this playbook
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊