ProofpointTAP-AddForensicsInfoToIncident

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

Once a new sentinel incident is created, this playbook gets triggered and performs the following actions: 1. Gets Forensics by the campaignId, provided in the alert custom entities. 2. Enriches the incident with Forensics info.

Attribute	Value
Type	Playbook
Solution	ProofPointTap
Source	View on GitHub

Additional Documentation

📄 Source: ProofpointTAP-AddForensicsInfoToIncident/readme.md

Summary

Prerequisites

ProofpointTAP Custom Connector has to be deployed prior to the deployment of this playbook under the same subscription.
ProofpointTAP API credentials are required. Refer to ProofpointTAP Custom Connector documentation.

Deployment instructions

To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
Fill in the required paramteres:
- Playbook Name: Enter the playbook name here

Post-Deployment instructions

a. Authorize connections

Once deployment is complete, authorize each connection. 1. Click the Microsoft Sentinel connection resource 2. Click edit API connection 3. Click Authorize 4. Sign in 5. Click Save 6. Repeat steps for Proofpoint TAP connector API Connection. Provide the Service Principal and the secret for authorizing.

b. Configurations in Sentinel

In Microsoft Sentinel, analytical rules should be configured to trigger an incident. An incident should have campaignId custom entity (obtained from campaignId_s field in ProofpointTAP logs). Check the documentation to learn more about adding custom entities to incidents.
Configure the automation rules to trigger the playbook.

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

↑ Back to Playbooks · Back to ProofPointTap