AD4IoT-AutoTriageIncident



SOC and OT engineers can streamline their workflows with this playbook, which automatically updates the incident severity based on the devices involved in the incident and their importance.

| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | IoTOTThreatMonitoringwithDefenderforIoT |
| Source | View on GitHub |

Tables Used

This content item queries data from the following tables:

| Table | Selection Criteria | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|---|
| SecurityAlert | SystemAlertId == "@{items(" | | | |

Logic App Connectors

This playbook uses 3 Logic App connectors / built-in actions:

| Connector / Action | Type | Connections | Actions |
|---|---|---|---|
| azuremonitorlogs | Managed | 1 | 1 |
| azuresentinel | Managed | 2 | 0 |
| azuresentinel_1 | Managed | 0 | 3 |
Action parameters (URLs, paths, function IDs)

azuremonitorlogs (Managed)

| Action | Method | Endpoint | Other |
|---|---|---|---|
| Run_query_and_list_results | post | /queryData | |

azuresentinel_1 (Managed)

| Action | Method | Endpoint | Other |
|---|---|---|---|
| Entities_-_Get_IPs | post | /entities/ip | |
| Add_comment_to_incident_(V3) | post | /Incidents/Comment | |
| Update_incident | put | /Incidents | |

Additional Documentation

📄 Source: AutoTriageIncident/readme.md

Defender for IoT - Auto Triage Incident

Summary

This playbook updates the incident severity according to the importance of the devices involved, and creates a comment on the IoT Device entity page.
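To make the triage decision described in this summary concrete, the following is an added Python emulation of it; it is not the playbook's own Logic App definition, which this page does not show. It assumes (labelled in the code) that the alert's device entities arrive in the SecurityAlert `Entities` JSON column as objects with `Type` "iotdevice" and an `Importance` property, that the importance-to-severity mapping is illustrative, and that the sample alert row is constructed. Severity is only ever raised, never lowered, so a high-importance device cannot be hidden by a low-severity alert.

```python
"""Emulation of the Defender for IoT Auto Triage severity decision.

Added example, not the playbook's Logic App definition. Assumptions:
- device entities are in the SecurityAlert Entities JSON column with
  Type "iotdevice" and an "Importance" property;
- the importance-to-severity mapping below is illustrative only.
"""
import json

# Constructed sample SecurityAlert row (shape assumed; the id is a placeholder).
SAMPLE_ALERT = {
    "SystemAlertId": "00000000-0000-0000-0000-000000000000",
    "AlertName": "Constructed sample alert",
    "AlertSeverity": "Low",
    "Entities": json.dumps([
        {"$id": "1", "Type": "iotdevice", "DeviceId": "dev-001",
         "DeviceName": "PLC-01", "Importance": "High"},
        {"$id": "2", "Type": "iotdevice", "DeviceId": "dev-002",
         "DeviceName": "HMI-03", "Importance": "Normal"},
        {"$id": "3", "Type": "ip", "Address": "10.0.0.5"},
    ]),
}

# Illustrative mapping (assumption): device importance -> incident severity.
IMPORTANCE_TO_SEVERITY = {"Low": "Low", "Normal": "Medium", "High": "High"}
SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


def iot_devices(alert):
    """Return the IoT device entities from the alert's Entities JSON column."""
    try:
        entities = json.loads(alert.get("Entities") or "[]")
    except json.JSONDecodeError:
        return []
    return [e for e in entities
            if isinstance(e, dict) and str(e.get("Type", "")).lower() == "iotdevice"]


def triage_severity(alert):
    """Raise the severity to match the most important device; never lower it.

    Devices with a missing or unrecognised Importance do not change the result.
    """
    current = alert.get("AlertSeverity", "Informational")
    best = current if current in SEVERITY_RANK else "Informational"
    for device in iot_devices(alert):
        mapped = IMPORTANCE_TO_SEVERITY.get(str(device.get("Importance", "")).capitalize())
        if mapped and SEVERITY_RANK[mapped] > SEVERITY_RANK[best]:
            best = mapped
    return best


def triage_comment(alert, new_severity):
    """Build the comment text recorded on the incident, listing each device."""
    lines = [f"Auto triage: severity set to {new_severity} based on device importance."]
    for device in iot_devices(alert):
        lines.append(
            f"- {device.get('DeviceName', '?')} ({device.get('DeviceId', '?')}): "
            f"importance {device.get('Importance', 'unknown')}"
        )
    return "\n".join(lines)


def triage(alert):
    """Return the incident update the playbook would apply: severity and comment."""
    severity = triage_severity(alert)
    return {"severity": severity, "comment": triage_comment(alert, severity)}


if __name__ == "__main__":
    result = triage(SAMPLE_ALERT)
    print(result["severity"])
    print(result["comment"])
```

Running the block on the constructed alert raises the severity from Low to High because PLC-01 carries High importance, and the comment lists both devices so an analyst can see which asset drove the change.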

Prerequisites

The playbook requires the following in order to connect and run:

  1. Reader role assigned at the Azure subscription or resource group scope
  2. Valid connections where required
  3. An automation rule to connect incident triggers with the playbook.

Deployment

To add the Security Admin role to the Azure subscription where the playbook is installed:

  1. Open the playbook from the Microsoft Sentinel Automation page.

  2. With the playbook opened as a Logic app, select Identity > System assigned, and then in the Permissions area, select the Azure role assignments button.

  3. In the Azure role assignments page, select Add role assignment.

  4. In the Add role assignment pane:

To ensure that you have valid connections for each of your connection steps in the playbook:

  1. Open the playbook from the Microsoft Sentinel Automation page.

  2. With the playbook opened as a Logic app, select Logic app designer. If the connection details are invalid, warning signs appear on both of the Connections steps.

  3. Select a Connections step to expand it and add a valid connection as needed.

To connect your incidents, relevant analytics rules, and the playbook: Add a new Microsoft Sentinel analytics rule, defined as follows:

  1. In the Trigger field, select When an incident is updated
  2. In the Conditions area, select If > Analytic rule name > Contains, and then select the specific analytics rules relevant for Defender for IoT in your organization.

You may be using out-of-the-box analytics rules, or you may have modified the out-of-the-box content, or created your own. For more information, see Detect threats out-of-the-box with Defender for IoT data.

  3. In the Actions area, select Run playbook > playbook name.
