ProofpointTAP-AddForensicsInfoToIncident
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
Once a new sentinel incident is created, this playbook gets triggered and performs the following actions: 1. Gets Forensics by the campaignId, provided in the alert custom entities. 2. Enriches the incident with Forensics info.
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | ProofPointTap |
| Source | View on GitHub |
Logic App Connectors
This playbook uses 3 Logic App connectors / built-in actions:
| Connector / Action | Type | Connections | Actions |
|---|---|---|---|
azuresentinel |
Managed | 1 | 1 |
proofpointtapapi |
Managed | 0 | 1 |
proofpointtap |
Custom | 1 | 0 |
Action parameters (URLs, paths, function IDs)
azuresentinel (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Add_comment_to_incident_(V3) | post | /Incidents/Comment |
— |
proofpointtapapi (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Get_Forensics | get | /v2/forensics |
— |
Additional Documentation
📄 Source: ProofpointTAP-AddForensicsInfoToIncident/readme.md
Summary
Once a new sentinel incident is created, this playbook gets triggered and performs the following actions:
- Gets Forensics by the campaignId, provided in the alert custom entities.
- Enriches the incident with Forensics info.
Prerequisites
- ProofpointTAP Custom Connector has to be deployed prior to the deployment of this playbook under the same subscription.
- ProofpointTAP API credentials are required. Refer to ProofpointTAP Custom Connector documentation.
Deployment instructions
- To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
- Fill in the required paramteres:
- Playbook Name: Enter the playbook name here
Post-Deployment instructions
a. Authorize connections
Once deployment is complete, authorize each connection.
- Click the Microsoft Sentinel connection resource
- Click edit API connection
- Click Authorize
- Sign in
- Click Save
- Repeat steps for Proofpoint TAP connector API Connection. Provide the Service Principal and the secret for authorizing.
b. Configurations in Sentinel
- In Microsoft Sentinel, analytical rules should be configured to trigger an incident. An incident should have campaignId custom entity (obtained from campaignId_s field in ProofpointTAP logs). Check the documentation to learn more about adding custom entities to incidents.
- Configure the automation rules to trigger the playbook.
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊