Designed to analyze Web Access logs from Web Gateways and Firewalls. Scan your logs for continuous detection of phishing and malicious threat URLs clicked by end users. Identify threats missed by current security layers. The playbook shall extract all the URLs from the logs to perform analysis using SlashNext Connector and create an incident for each unique malicious URL found in the web logs.
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | SlashNext |
| Source | View on GitHub |
This playbook uses 3 Logic App connectors / built-in actions:
| Connector / Action | Type | Connections | Actions |
|---|---|---|---|
| SlashNext | Custom | 1 | 1 |
| function | Built-in | 0 | 2 |
| http | Built-in | 0 | 4 |

SlashNext (Custom)

| Action | Method | Endpoint | Other |
|---|---|---|---|
| Repute | post | /api/v1/urls/repute | — |

function (Built-in)

| Action | Method | Endpoint | Other |
|---|---|---|---|
| Extract_List_of_URLs | — | — | functionId=[concat('/subscriptions/',subscription().subscriptionId, '/resourceGroups/', resourceGroup().name,'/providers/Microsoft.Web/sites/',variables('azureFunction'),'/functions/processlogs')] |
| Generate_URL_Mapping | — | — | functionId=[concat('/subscriptions/',subscription().subscriptionId, '/resourceGroups/', resourceGroup().name,'/providers/Microsoft.Web/sites/',variables('azureFunction'),'/functions/processlogs')] |

http (Built-in)

| Action | Method | Endpoint | Other |
|---|---|---|---|
| Query_for_table_names | POST | @variables('Query API') | — |
| Query_data_from_each_table | POST | @variables('Query API') | — |
| Add_Comment_in_Existing_Incident | PUT | [uriComponentToString(uri(variables('domain'),'subscriptions/@{variables('subscription_id')}/resourceGroups/@{variables('resource_group')}/providers/Microsoft.OperationalInsights/workspaces/@{variables('workspace_name')}/providers/Microsoft.SecurityInsights/incidents/@{items('Incident_Creating_Loop')['hash']}/comments/@{guid()}?api-version=2021-10-01'))] | — |
| Insert_Incident | PUT | [uriComponentToString(uri(variables('domain'),'subscriptions/@{variables('subscription_id')}/resourceGroups/@{variables('resource_group')}/providers/Microsoft.OperationalInsights/workspaces/@{variables('workspace_name')}/providers/Microsoft.SecurityInsights/incidents/@{body('Parse_URL_Mapping')?['hash']}?api-version=2021-10-01-preview'))] | — |

The SlashNext Logic Apps Connector supports Basic authentication; when creating the connection, you will be asked to provide an API key. To acquire a SlashNext API key, please contact us at support@slashnext.com or visit SlashNext.com.
Once deployment is complete, authorize the SlashNext Logic Apps Connector connection.