Domain Breach Data - SpyCloud Enterprise
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
The SpyCloud Enterprise API is able to provide breach data for a domain or set of domains associated with an incident.
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | SpyCloud Enterprise Protection |
| Source | View on GitHub |
Logic App Connectors
This playbook uses 3 Logic App connectors / built-in actions:
| Connector / Action | Type | Connections | Actions |
|---|---|---|---|
azuresentinel |
Managed | 1 | 3 |
spycloud-enterprise-connector |
Managed | 0 | 1 |
SpyCloud-Enterprise-Protection |
Custom | 1 | 0 |
Action parameters (URLs, paths, function IDs)
azuresentinel (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Entities_-_Get_DNS | post | /entities/dnsresolution |
— |
| Add_comment_to_incident_(V3) | post | /Incidents/Comment |
— |
| Add_comment_to_incident_(V3)_2 | post | /Incidents/Comment |
— |
spycloud-enterprise-connector (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Get_Breach_Data_by_Domain_Search | get | /breach/data/domains/@{encodeURIComponent(items('For_Each_Incident_DNS_Domain')?['DomainName'])} |
— |
Additional Documentation
📄 Source: SpyCloud-Get-Domain-Breach-Data-Playbook/readme.md
SpyCloud Enterprise Domain Breach Data Playbook
Table of Contents
Overview
The SpyCloud Enterprise API provides breach data for a domain or set of domains associated with an incident. When a new Microsoft Sentinel Incident is created, this playbook gets triggered and performs the following actions:
- It fetches all the DNS entities from the incident.
- Iterates through the domain objects and fetches the breach data from SpyCloud Enterprise for each domain.
- All the breach data from SpyCloud Enterprise will be added as incident comments in a tabular format.
Prerequisites
- A SpyCloud Enterprise API Key.
- SpyCloud Enterprise custom connector needs to be deployed prior to the deployment of this playbook, in the same resource group and region. Relevant instructions can be found on the connector doc page.
Deployment Instructions
- Deploy the playbooks by clicking on the "Deploy to Azure" button. This will take you to the Deploy an ARM Template wizard.
- Fill in the required parameters for deploying the playbook.
- Click "Review + create". Once the validation is successful, click on "Create".
Post-Deployment Instructions
Authorize connections
Once deployment is complete, you will need to authorize each connection:
- As a best practice, we have used the Sentinel connection in Logic Apps that use "ManagedSecurityIdentity" permissions. Please refer to this document and provide permissions to the Logic App accordingly.
- Provide connection details for the SpyCloud Enterprise Custom Connector.
- Save the Logic App. If the Logic App prompts any missing connections, please update the connections similarly.
Configurations in Sentinel:
- In Microsoft Sentinel, analytical rules should be configured to trigger an incident with a DNS entity.
- Configure the automation rules to trigger this playbook.
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
↑ Back to Playbooks · Back to SpyCloud Enterprise Protection