AD4IoT-CVEAutoWorkflow

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Content Index

The playbook automates the SOC workflow by automatically enriching incident comments with the CVEs of the involved devices based on Defender for IoT data. An automated triage is performed if the CVE is critical, and the asset owner is automatically notified by email.

Attribute	Value
Type	Playbook
Solution	IoTOTThreatMonitoringwithDefenderforIoT
Source	View on GitHub

Tables Used

This content item queries data from the following tables:

Table	Selection Criteria	Transformations	Ingestion API	Lake-Only
`SecurityAlert`	`SystemAlertId == "@{items("`	✓	✗	✓

Logic App Connectors

This playbook uses 6 Logic App connectors / built-in actions:

Connector / Action	Type	Connections	Actions
`azuremonitorlogs`	Managed	1	1
`azuresentinel`	Managed	2	0
`azuresentinel_1`	Managed	0	3
`office365`	Managed	1	0
`office365_1`	Managed	0	1
`http`	Built-in	0	1

Action parameters (URLs, paths, function IDs)

`azuremonitorlogs` (Managed)

Action	Method	Endpoint	Other
Run_query_and_list_results	post	`/queryData`	—

`azuresentinel_1` (Managed)

Action	Method	Endpoint	Other
Entities_-_Get_IPs	post	`/entities/ip`	—
Add_comment_to_incident_(V3)	post	`/Incidents/Comment`	—
Update_incident	put	`/Incidents`	—

`office365_1` (Managed)

Action	Method	Endpoint	Other
Send_an_email_(V2)	post	`/v2/Mail`	—

`http` (Built-in)

Action	Method	Endpoint	Other
HTTP	POST	`@variables('ARGEndPoint')`	—

Additional Documentation

📄 Source: CVEAutoWorkflow/readme.md

Defender for IoT - CVE Auto Workflow

Summary

Prerequisites

The playbook require the following in order to connect and use the playbook:

Reader role applied on the Azure subscription \ resource group scope
Valid connections where required
An automation rule to connect incident triggers with the playbook.

Deployment

To add the Security Admin role to the Azure subscription where the playbook is installed:

1.Open the playbook from the Microsoft Sentinel Automation page.

2.With the playbook opened as a Logic app, select Identity > System assigned, and then in the Permissions area, select the Azure role assignments button.

3.In the Azure role assignments page, select Add role assignment.

4.In the Add role assignment pane:

Define the Scope as Subscription \ resource group
From the Subscription dropdown, select the subscription where your playbook is installed.
From the Role dropdown, select the Security Admin role, and then select Save.

** To ensure that you have valid connections for each of your connection steps in the playbook:**

Open the playbook from the Microsoft Sentinel Automation page.
With the playbook opened as a Logic app, select Logic app designer. If you have invalid connection details, you may have warning signs in both of the Connections steps. For example:

Screenshot of the default AD4IOT AutoAlertStatusSync playbook.

Select a Connections step to expand it and add a valid connection as needed.

To connect your incidents, relevant analytics rules, and the playbook: Add a new Microsoft Sentinel analytics rule, defined as follows:

In the Trigger field, select When an incident is updated
In the Conditions area, select If > Analytic rule name > Contains, and then select the specific analytics rules relevant for Defender for IoT in your organization.

You may be using out-of-the-box analytics rules, or you may have modified the out-of-the-box content, or created your own. For more information, see Detect threats out-of-the-box with Defender for IoT data.

In the Actions area, select Run playbook > playbook name.