Spur IP Enrichment
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
This Playbook Submits IP Addresses associated with an alert to Spur Context API
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | Spur |
| Source | View on GitHub |
Logic App Connectors
This playbook uses 4 Logic App connectors / built-in actions:
| Connector / Action | Type | Connections | Actions |
|---|---|---|---|
azuresentinel |
Managed | 1 | 4 |
spurconnector |
Managed | 0 | 1 |
Spur-Context-Connector |
Custom | 1 | 0 |
http |
Built-in | 0 | 2 |
Action parameters (URLs, paths, function IDs)
azuresentinel (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Entities_-_Get_IPs | post | /entities/ip |
— |
| Add_comment_to_incident_(V3) | post | /Incidents/Comment |
— |
| Update_incident | put | /Incidents |
— |
| Alert_-_Get_incident | get | /Incidents/subscriptions/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/resourceGroups/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/workspaces/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/alerts/@{encodeURIComponent(triggerBody()?['SystemAlertId'])} |
— |
spurconnector (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Get_IP_Context | get | /v2/context/@{encodeURIComponent(body('Parse_IP_Entity_')?['address'])} |
— |
http (Built-in)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| GetAccessTokenSpur | POST | @variables('access_token_url') |
— |
| HTTP_-_Save_to_Custom_Table | POST | @concat(parameters('DCE_Endpoint_URL'),'/dataCollectionRules/',parameters('DCR_Immutable_ID'),'/streams/Custom-','Spur_IP_Context_Details_CL','?api-version=2023-01-01') |
— |
Additional Documentation
Table of Contents
- Overview
- Deploy Spur IP Enrichment Alert Trigger Playbook
- Prerequisites
- Deployment
- Post Deployment Steps
Overview
This playbook uses the Spur Context API. It is able to provide hosted high-performance IP enrichment lookups of the highest-fidelity IP intelligence available. With pre-built integrations into the most common threat analysis platforms and services, Spur ensures that security teams can instantly leverage data to protect their environments from the latest evasion and obfuscation methods, such as VPNs, residential proxies, and bot automation.
When a new Azure Sentinel Alert is created, this playbook gets triggered and performs the following actions:
- It fetches all the IP address entities in the Alert.
- Iterates through the IP address enities and fetches the results from Spur Context API for each IP Address.
- All the details from Spur Context API will be added as comments in a tabular format.
- Optionally, is saved the Context API data into Log Analytics custom table.
Links to deploy the DomainTools Iris Enrich Domain Playbook:
Prerequisites for using and deploying playbook
- A Spur API Key.
- Spur Custom Connector.
Deployment instructions
- Deploy the playbooks by clicking on "Deploy to Azure" button. This will take you to deploying an ARM Template wizard.
- Fill in the required parameters for deploying the playbook.
- Click "Review + create". Once the validation is successful, click on "Create".
Post-Deployment instructions
a. Authorize connections
Once deployment is complete, you will need to authorize each connection:
- Open the Logic App in the edit mode.
- Logic App prompts any missing connections, please update the connections.
- As a best practice, we have used the Sentinel connection in Logic Apps that use "ManagedSecurityIdentity" permissions. Please refer to this document and provide permissions to the Logic App accordingly.
- Click on 'Parameter' and Enter All Parameters to save data as logs.
- Set the following parameters:
Save_To_Custom_Table: Set totrueto enable saving Spur data to a custom Log Analytics tableDCE_Endpoint_URL: Data Collection Endpoint URL for your Log Analytics workspaceDCR_Immutable_ID: Immutable ID of the Data Collection RuleTenantID: Azure AD tenant ID for authentication (From Azure App Registration)ClientID: Application (client) ID of the service principal (From Azure App Registration)ClientSecret: Client secret for the service principal (secure string)(From Azure App Registration)Auth_LoginEndpoint: Login endpoint for authentication. Copy and paste this value in parameter-'https://login.microsoftonline.com'
b. Configurations in Sentinel:
- In Azure Sentinel, analytical rules should be configured to trigger an Alert with IP indicators.
- Configure the automation rules to trigger the playbook.
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊