Infoblox-TimeRangeBased-DHCP-Lookup
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
The playbook will retrieve IP entities from an incident, search for related DHCP data in a table for a apecified time range, and if found, add the DHCP lookup data as a comment on the incident.
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | Infoblox |
| Source | View on GitHub |
Logic App Connectors
This playbook uses 2 Logic App connectors / built-in actions:
| Connector / Action | Type | Connections | Actions |
|---|---|---|---|
azuremonitorlogs |
Managed | 1 | 1 |
azuresentinel |
Managed | 1 | 9 |
Action parameters (URLs, paths, function IDs)
azuremonitorlogs (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Run_Query_And_List_DHCP_Lookup_Data_For_Provided_Time_Range | post | /queryDataV2 |
— |
azuresentinel (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Entities_-_Get_IPs | post | /entities/ip |
— |
| Add_Comment_To_Incident_For_Empty_IP_Address_Found | post | /Incidents/Comment |
— |
| Add_Comment_That_Limit_Has_Been_Exceeded_To_100 | post | /Incidents/Comment |
— |
| Add_Comment__For_Empty_Results_Found_For_IP | post | /Incidents/Comment |
— |
| Add_Comment_That_Limit_Has_Been_Exceeded_To_100_(2) | post | /Incidents/Comment |
— |
| Add_Comment_To_Incident_For_Remaining_Records | post | /Incidents/Comment |
— |
| Add_Comment_To_Incident_For_Limit_Exceeded | post | /Incidents/Comment |
— |
| Add_Comment_For_DHCP_Record_In_HTML_Table_Format_ | post | /Incidents/Comment |
— |
| Add_Comment_That_Limit_Has_Been_Exceeded | post | /Incidents/Comment |
— |
Additional Documentation
Infoblox TimeRangeBased DHCP Lookup
Summary
The playbook will retrieve IP entities from an incident, search for related DHCP data in a table for a specified time range, and if found, add the DHCP lookup data as a comment on the incident.
Prerequisites
- CEF based Infoblox Data Connector should be configured to ingest DHCP lease related data in Microsoft Sentinel.
Deployment instructions
- To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
- Fill in the required parameters:
- Playbook Name: Enter the playbook name here
- Start Date: Enter start date from which you want to perform lookup for DHCP data. Date should be in the format of yyyy-mm-dd
- End Date: Enter end date till you want to perform lookup for DHCP data. Date should be in the format of yyyy-mm-dd
- Workspace Name: Enter name of Log Analytics Workspace where DHCP data is available
Post-Deployment instructions
a. Authorize connections
Once deployment is complete, authorize each connection.
- Go to your logic app -> API connections -> Select azuremonitorlogs connection resource
- Go to General -> edit API connection
- Click Authorize
- Sign in
- Click Save
- Repeat steps for other connections
b. Assign Role to add comment in incident
Assign role to this playbook.
- Go to Log Analytics Workspace →
→ Access Control → Add - Add role assignment
- Assignment type: Job function roles -> Add 'Microsoft Sentinel Contributor' as a Role
- Members: select managed identity for assigned access to and add your logic app as member
- Click on review+assign
c. Configurations in Microsoft Sentinel
- In Microsoft sentinel, analytical rules should be configured to trigger an incident which has Entities Mapping available for IP
- To manually run the playbook on a particular incident follow the below steps:
a. Go to Microsoft Sentinel ->
-> Incidents b. Select an incident c. In the right pane, click on Actions, and from the dropdown select the 'Run Playbook' option d. Click on the Run button beside this playbook
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊