RiskIQ-Data-PassiveDns
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. Passive DNS provides analysts with a means to see DNS data in a historic manner. This history can aid in creating analytical connections, especially if the operational security of a threat actor is poor. Leverage this playbook in order to enrich your incidents with raw passive DNS data related to indicators found within the incident.
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | RiskIQ |
| Source | View on GitHub |
Logic App Connectors
This playbook uses 2 Logic App connectors / built-in actions:
| Connector / Action | Type | Connections | Actions |
|---|---|---|---|
azuresentinel |
Managed | 1 | 5 |
riskiqpassivetotal |
Managed | 1 | 2 |
Action parameters (URLs, paths, function IDs)
azuresentinel (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Alert_-_Get_incident | get | /Incidents/subscriptions/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/resourceGroups/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/workspaces/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/alerts/@{encodeURIComponent(triggerBody()?['SystemAlertId'])} |
— |
| Entities_-_Get_Hosts | post | /entities/host |
— |
| Entities_-_Get_IPs | post | /entities/ip |
— |
| Add_comment_to_incident_(V3) | post | /Incidents/Comment |
— |
| Add_comment_to_incident_(V3)_2 | post | /Incidents/Comment |
— |
riskiqpassivetotal (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Get_passive_DNS | get | /dns/passive |
— |
| Get_passive_DNS_2 | get | /dns/passive |
— |
Additional Documentation
📄 Source: RiskIQ-Data-PassiveDns/readme.md
Overview
This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Microsoft Sentinel. Passive DNS provides analysts with a means to see DNS data in a historic manner. This history can aid in creating analytical connections, especially if the operational security of a threat actor is poor. Leverage this playbook in order to enrich your incidents with raw passive DNS data related to indicators found within the incident.
Prerequisites
This playbook inherits API connections created and established within a base playbook. Ensure you have deployed RiskIQ-Base prior to deploying this playbook. You will need your API credentials (email/secret) when configuring that playbook. Those can be found on your account settings page. For enterprise customers, it's preferred to use the "organization" credential pair, not the user. If you have trouble accessing your account or your credentials contact your account representative (support[@]riskiq.com).
Deployment
Post-Deployment Instructions
After deploying the playbook, you must authorize the connections leveraged.
- Visit the playbook resource.
- Under "Development Tools" (located on the left), click "API Connections".
- Ensure each connection has been authorized.
Note: If you've deployed the RiskIQ-Base playbook, you will only need to authorize the Microsoft Sentinel connection.
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊