ProofpointTAP-CheckAccountInVAP

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

Back to Content Index

Once a new sentinel incident is created, this playbook gets triggered and performs the following actions: 1. Gets Very Attacked People for the latest 14 days. 2. Enriches the incident with information whether incident's users are in VAP list and changes incident severity.

Attribute Value
Type Playbook
Solution ProofPointTap
Source View on GitHub

Additional Documentation

📄 Source: ProofpointTAP-CheckAccountInVAP/readme.md

ProofpointTAP-CheckAccountInVAP

## Summary Once a new sentinel incident is created, this playbook gets triggered and performs the following actions: 1. Gets Very Attacked People for the latest 14 days. 2. Enriches the incident with information whether incident's users are in VAP list and changes incident severity.


Prerequisites

  1. ProofpointTAP Custom Connector has to be deployed prior to the deployment of this playbook under the same subscription.
  2. Obtain ProofpointTAP API credentials. Refer to ProofpointTAP Custom Connector documentation.

Deployment instructions

  1. To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
  2. Fill in the required paramteres:
    • Playbook Name: Enter the playbook name here

Deploy to Azure Deploy to Azure

Post-Deployment instructions

a. Authorize connections

Once deployment is complete, authorize each connection. 1. Click the Microsoft Sentinel connection resource 2. Click edit API connection 3. Click Authorize 4. Sign in 5. Click Save 6. Repeat steps for Proofpoint TAP connector API Connection. Provide the Service Principal and the secret for authorizing.

b. Configurations in Sentinel

  1. In Microsoft Sentinel, analytical rules have to be configured to trigger an incident with risky user account. In the Entity maping section of the analytics rule creation workflow, user's email has to be mapped to FullName identitfier of the Account entity type. Check the documentation to learn more about mapping entities.
  2. Configure the automation rules to trigger the playbook.

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

Back to Playbooks · Back to ProofPointTap