IronNet_UpdateSentinelIncidents
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
author: IronNet
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | IronNet IronDefense |
| Source | View on GitHub |
⚠️ Not listed in Solution JSON: This content item was discovered by scanning the solution folder but is not included in the official Solution JSON file. It may be a legacy item, under development, or excluded from the official solution package.
Logic App Connectors
This playbook uses 2 Logic App connectors / built-in actions:
| Connector / Action | Type | Connections | Actions |
|---|---|---|---|
azuresentinel |
Managed | 1 | 3 |
http |
Built-in | 0 | 3 |
Action parameters (URLs, paths, function IDs)
azuresentinel (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Update_incident_2 | put | /Incidents |
— |
| Update_incident | put | /Incidents |
— |
| Add_comment_to_incident_(V3) | post | /Incidents/Comment |
— |
http (Built-in)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Get_Alert_IronDome_Information | POST | @{parameters('IronNetUrl')}/IronApi/GetAlertIronDomeInformation |
— |
| Generate_the_token_for_Azure_Sentinel_Incident | POST | https://login.microsoftonline.com/@{parameters('TenantId')}/oauth2/token |
— |
| Get_Sentinel_Incident | GET | https://management.azure.com@{parameters('ResourceGroupId')}/providers/Microsoft.OperationalInsights/workspaces/@{parameters('workspace_name')}/providers/Microsoft.SecurityInsights/incidents?api-version=2020-01-01&$filter=endsWith(properties/title,'(@{variables('IronNet Alert Id')})') |
— |
Additional Documentation
author: IronNet
This playbook is used to keep IronDefense and Azure Sentinel in sync by triggering on any new IronDefense alert notifications that is added to a Sentinel incident and updating the incident's status and classification based on the IronDefense alert.
Prerequisites
- Configure the IronNet IronDefense data connector.
- Create an analytic rule using the "Create Incidents from IronDefense" rule template.
Deployment Instructions
- Click the "Deploy to Azure" button to open the ARM template wizard to deploy
this playbook.
- Enter template parameters. Use the IronVue user credentials for IronAPI.
Playbook Execution
- The Playbook execution begins with an Alert triggered due to the IronDefense Alert activity
- This Alert contains the actions taken by the IronDefense Alert
- These actions will have the information about the status, classification and severity of the Irondefense Alert
- These details will be picked from the IronDefense and update to its corresponding Sentinel Incidents
- The Alerts from IronDefense will be the Events associated with the Sentinel Incidents
- The Status, Classification and Severity of the Irondefense Alert will be updated as the Sentinel Incident's status, classification and severity respectively
- The Sentinel Incident's "custom details" will be consisting of IronDefense Analyst rating, AlertCreatedTime and IronDefenseAlertId fields
- The Sentinel Incident's comments will be updated with the comments raised by users for IronDome Notifications
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊