Lookout-MobileThreat-NotifyAndEnrich

When a high or critical severity mobile threat incident is created in Microsoft Sentinel by Lookout, this playbook enriches the incident with a detailed investigation comment including threat intelligence context, device risk details, and recommended next steps for the analyst.

Attribute   Value
Type        Playbook
Solution    Lookout
Source      View on GitHub

Logic App Connectors

This playbook uses 1 Logic App connector / built-in action:

Connector / Action   Type      Connections   Actions
azuresentinel        Managed   1             3
Action parameters (URLs, paths, function IDs)

azuresentinel (Managed)

Action                            Method   Endpoint             Other
Entities_-_Get_Accounts           post     /entities/account
Entities_-_Get_Hosts              post     /entities/host
Add_incident_enrichment_comment   post     /Incidents/Comment

Additional Documentation

📄 Source: Lookout-MobileThreat-NotifyAndEnrich/readme.md

Overview

This playbook triggers automatically when Microsoft Sentinel creates an incident from the Lookout - High Severity Mobile Threats Detected (v2) analytic rule. It performs three automated actions:

  1. SOC Notification — Posts a detailed Teams message to the SOC channel with full threat intelligence: threat type, category, risk score, classifications, device platform, security status, and a direct link to the Sentinel incident.
  2. Device Owner Email — Sends a formatted HTML email to the device owner with immediate actions required: stop using affected apps, open Lookout for Work, disconnect from corporate resources, and contact IT Security.
  3. Incident Enrichment — Adds a structured comment to the Sentinel incident with threat intelligence context, device risk details, MDM connector status, and recommended next steps for the analyst.

Analytic Rules Supported

Rule                                                   Severity
Lookout - High Severity Mobile Threats Detected (v2)   High
Lookout - New Threat events found                      High

Prerequisites

  1. A Microsoft Teams team and channel configured for SOC security alerts.
  2. A Microsoft 365 / Office 365 account authorized to send email.
  3. The playbook managed identity must be granted the Microsoft Sentinel Responder role on the Log Analytics workspace.

Deployment

Deploy to Azure

Deployment Parameters

Parameter        Required   Description
PlaybookName     No         Name of the Logic App (default: Lookout-MobileThreat-NotifyAndEnrich)
TeamsGroupId     Yes        Microsoft Teams Group (Team) ID for SOC notifications
TeamsChannelId   Yes        Microsoft Teams Channel ID for SOC notifications

Finding your Teams IDs: In Microsoft Teams, right-click the channel → Get link to channel. The URL contains both groupId and the channel ID.
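To pull both values out of that link without a copy/paste mistake, here is a small parser (an added example, not part of the playbook or its readme). It assumes the link has the usual shape https://teams.microsoft.com/l/channel/<url-encoded channel id>/<name>?groupId=<guid>&tenantId=<guid>; the GUIDs in the sample are constructed placeholders.

```python
from urllib.parse import urlparse, parse_qs, unquote
import re

# Constructed sample "Get link to channel" URL; the GUIDs and channel id are made up.
SAMPLE_LINK = ("https://teams.microsoft.com/l/channel/"
               "19%3Aabcdef0123456789abcdef0123456789%40thread.tacv2/"
               "SOC%20Alerts?groupId=11111111-2222-3333-4444-555555555555"
               "&tenantId=66666666-7777-8888-9999-000000000000")

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def parse_teams_channel_link(link: str) -> dict:
    """Return the TeamsGroupId and TeamsChannelId deployment parameters for a link.

    Raises ValueError when either value is missing or malformed, so a bad link is
    caught before the playbook is deployed with an empty or wrong parameter.
    """
    u = urlparse(link)
    if u.hostname != "teams.microsoft.com":
        raise ValueError("not a teams.microsoft.com link")
    # Path looks like /l/channel/<encoded channel id>/<channel name>
    parts = u.path.split("/")
    if len(parts) < 4 or parts[1:3] != ["l", "channel"]:
        raise ValueError("not a channel link")
    # '19%3A...%40thread.tacv2' decodes to '19:...@thread.tacv2', the raw channel id
    channel_id = unquote(parts[3])
    if not channel_id.startswith("19:") or "@thread" not in channel_id:
        raise ValueError(f"unexpected channel id: {channel_id}")
    group_ids = parse_qs(u.query).get("groupId", [])
    if len(group_ids) != 1 or not GUID_RE.match(group_ids[0]):
        raise ValueError("groupId query parameter missing or not a GUID")
    return {"TeamsGroupId": group_ids[0], "TeamsChannelId": channel_id}


if __name__ == "__main__":
    print(parse_teams_channel_link(SAMPLE_LINK))
```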

Post-Deployment Configuration

Step 1 — Authorize API Connections

After deployment, navigate to the resource group in the Azure portal and authorize the API connections:

  1. Open the teams-Lookout-MobileThreat-NotifyAndEnrich connection → Edit API connection → Authorize → Save.
  2. Open the office365-Lookout-MobileThreat-NotifyAndEnrich connection → Edit API connection → Authorize → Save.

Step 2 — Assign Sentinel Responder Role

  1. Navigate to your Microsoft Sentinel workspace → Settings → Workspace settings.
  2. Select Access control (IAM) → Add role assignment.
  3. Role: Microsoft Sentinel Responder.
  4. Assign to: the Logic App's managed identity (Lookout-MobileThreat-NotifyAndEnrich).

Step 3 — Create Automation Rule

  1. In Microsoft Sentinel, go to Automation → + Create → Automation rule.
  2. Configure:
    • Trigger: When incident is created
    • Conditions: Analytics rule name — Contains — Lookout - High Severity Mobile Threats
    • Actions: Run playbook → Lookout-MobileThreat-NotifyAndEnrich
  3. Save the automation rule.

Permissions Summary

Connection           Auth Method        Permission Required
Microsoft Sentinel   Managed Identity   Microsoft Sentinel Responder
Microsoft Teams      User Account       Channel Post Messages
Office 365           User Account       Send Email