author: IronNet
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | IronNet IronDefense |
| Source | View on GitHub |
⚠️ Not listed in Solution JSON: This content item was discovered by scanning the solution folder but is not included in the official Solution JSON file. It may be a legacy item, under development, or excluded from the official solution package.
This playbook uses 1 Logic App connector / built-in action:
| Connector / Action | Type | Connections | Actions |
|---|---|---|---|
| http | Built-in | 0 | 11 |

http (Built-in)

| Action | Method | Endpoint | Other |
|---|---|---|---|
| Get_All_Updated_Incident | GET | @variables('Next Link') | — |
| IronNet_Login_to_fetch_the_Token | POST | @{parameters('IronNetUrl')}/IronApi/Login | — |
| Get_Incident_and_System_Alert_relations | GET | https://management.azure.com@{parameters('ResourceGroupId')}/providers/Microsoft.OperationalInsights/workspaces/@{parameters('workspace_name')}/providers/Microsoft.SecurityInsights/incidents/@{items('Loop_through_each_Incident')?['name']}/relations?api-version=2019-01-01-preview | — |
| Update_Incident_Rating | POST | @{parameters('IronNetUrl')}/IronApi/RateAlert | — |
| Update_Incident_Rating_without_comment | POST | @{parameters('IronNetUrl')}/IronApi/RateAlert | — |
| Update_Incident_Rating_with_classification_comment | POST | @{parameters('IronNetUrl')}/IronApi/RateAlert | — |
| Update_Incident_Status | POST | @{parameters('IronNetUrl')}/IronApi/SetAlertStatus | — |
| Update_Incident_Status_without_comment | POST | @{parameters('IronNetUrl')}/IronApi/SetAlertStatus | — |
| Get_Entities | GET | https://management.azure.com@{parameters('ResourceGroupId')}/providers/Microsoft.OperationalInsights/workspaces/@{parameters('workspace_name')}/providers/Microsoft.SecurityInsights/Entities/@{items('Loop_through_Alerts')?['properties']?['relatedResourceName']}?api-version=2019-01-01-preview | — |
| Get_Incident_latest_Comments | GET | https://management.azure.com@{items('Loop_through_each_Incident')?['id']}/comments?api-version=2020-01-01 | — |
| Generate_the_token_for_Azure_Sentinel_Incident | POST | https://login.microsoftonline.com/@{parameters('TenantId')}/oauth2/token | — |
This playbook is used to keep IronDefense and Azure Sentinel in sync by receiving Sentinel incident updates to update the corresponding IronDefense alert workflow status and analyst rating through IronAPI. The playbook should be set to run when a new alert is generated by the "Create Incidents from IronDefense" analytic rule.