Create Indicator - Minemeld

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Content Index

This playbook search for indicators in Minemeld related to the entities(IP, filehash, URL) gathered from Sentinel incident. If the search result is positive a comment stating the indicator is already present or it creates a new indicator in Minemeld.

Attribute	Value
Type	Playbook
Solution	Minemeld
Source	View on GitHub

Logic App Connectors

This playbook uses 2 Logic App connectors / built-in actions:

Connector / Action	Type	Connections	Actions
`azuresentinel`	Managed	1	6
`MinemeldCustomConnector`	Custom	1	4

Action parameters (URLs, paths, function IDs)

`azuresentinel` (Managed)

Action	Method	Endpoint	Other
Add_comment_to_incident_(V3)_6	post	`/Incidents/Comment`	—
Add_comment_to_incident_(V3)	post	`/Incidents/Comment`	—
Add_comment_to_incident_(V3)_4	post	`/Incidents/Comment`	—
Add_comment_to_incident_(V3)_2	post	`/Incidents/Comment`	—
Add_comment_to_incident_(V3)_5	post	`/Incidents/Comment`	—
Add_comment_to_incident_(V3)_3	post	`/Incidents/Comment`	—

`MinemeldCustomConnector` (Custom)

Action	Method	Endpoint	Other
Get_Indicators	get	`/config/data/@{encodeURIComponent(parameters('Miner DB Node'),'_indicators')}`	—
Add_delete_update_indicator_3	post	`/config/data/@{encodeURIComponent(parameters('Miner DB Node'),'_indicators')}/append`	—
Add_delete_update_indicator	post	`/config/data/@{encodeURIComponent(parameters('Miner DB Node'),'_indicators')}/append`	—
Add_delete_update_indicator_2	post	`/config/data/@{encodeURIComponent(parameters('Miner DB Node'),'_indicators')}/append`	—

Additional Documentation

📄 Source: MinemeldPlaybooks/Minemeld-CreateIndicator/readme.md

Minemeld- Add Indicators in Minemeld Playbook

Summary

When a new Microsoft Sentinel incident is created, this playbook gets triggered and performs below actions

Searches for the matching indicator info of Entities (IP Address, FileHash, URL) in Minemeld
If indicators are not found, this playbook adds the new indicators to Minemeld Local database (Separate indicators for each IP Address, FileHash, URL that are present in Sentinel incident)

requisites

Minemeld Custom Connector needs to be deployed prior to the deployment of this playbook under the same subscription.
Basic authentication of user and password is required for accessing Minemeld API.

Deployment instructions

Deploy the playbook by clicking on "Deploy to Azure" button. This will take you to deploying an ARM Template wizard.
Fill in the required parameters:
- Playbook Name: Enter the playbook name here (Ex: Minemeld-CreateIndicator)
- Custom Connector Name: Enter the Minemeld custom connector name here (Ex: MinemeldCustomConnector)
- Local Minor DB node Name : Enter the Minemeld's Local Miner DB node name used for storing indictors

Post-Deployment instructions

a. Authorize connections

Once deployment is complete, you will need to authorize each connection.

Click the Microsoft Sentinel connection resource
Click edit API connection
Click Authorize
Sign in
Click Save
Repeat steps for Minemeld Api Connection (For authorizing the Minemeld GraphQL API connection, user and password to be provided)

b. Configurations in Sentinel

In Microsoft sentinel analytical rules should be configured to trigger an incident with entity mapping of URL ,FileHash or IP Address.
Configure the automation rules to trigger this playbook

c. Assign Playbook Microsoft Sentinel Responder Role

Select the Playbook (Logic App) resource
Click on Identity Blade
Choose System assigned tab
Click on Azure role assignments
Click on Add role assignments
Select Scope - Resource group
Select Subscription - where Playbook has been created
Select Resource group - where Playbook has been created
Select Role - Microsoft Sentinel Responder
Click Save (It takes 3-5 minutes to show the added role.)

References

Minemeld documentation