IP Address Breach Data - SpyCloud Enterprise
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
The SpyCloud Enterprise API is able to provide breach data for a IP address or set of IP addresses associated with an incident.
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | SpyCloud Enterprise Protection |
| Source | View on GitHub |
Logic App Connectors
This playbook uses 3 Logic App connectors / built-in actions:
| Connector / Action | Type | Connections | Actions |
|---|---|---|---|
azuresentinel |
Managed | 1 | 3 |
spycloud-enterprise-connector |
Managed | 0 | 1 |
SpyCloud-Enterprise-Protection |
Custom | 1 | 0 |
Action parameters (URLs, paths, function IDs)
azuresentinel (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Entities_-_Get_IPs | post | /entities/ip |
— |
| Add_comment_to_incident_(V3) | post | /Incidents/Comment |
— |
| Add_comment_to_incident_(V3)_2 | post | /Incidents/Comment |
— |
spycloud-enterprise-connector (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Get_Breach_Data_by_IP_Address | get | /breach/data/ips/@{encodeURIComponent(items('For_Each_Incident_IPS')?['Address'])} |
— |
Additional Documentation
SpyCloud Enterprise IP Address Breach Data Playbook
Table of Contents
Overview
The SpyCloud Enterprise API is able to provide breach data for an IP or set of IP addresses associated with an incident. When a new Microsoft Sentinel Incident is created, this playbook gets triggered and performs the following actions:
- It fetches all the IP entities in the incident.
- Iterates through the IP objects and fetches the breach data from SpyCloud Enterprise for each IP.
- All the breach data from SpyCloud Enterprise will be added as incident comments in a tabular format.
Prerequisites
- A SpyCloud Enterprise API Key.
- SpyCloud Enterprise custom connector needs to be deployed prior to the deployment of this playbook, in the same resource group and region. Relevant instructions can be found on the connector doc page.
Deployment Instructions
- Deploy the playbooks by clicking on the "Deploy to Azure" button. This will take you to deploy an ARM Template wizard.
- Fill in the required parameters for deploying the playbook.
- Click "Review + create". Once the validation is successful, click on "Create".
Post Deployment Instructions
Authorize connections
Once deployment is complete, you will need to authorize each connection:
- As a best practice, we have used the Sentinel connection in Logic Apps that use "ManagedSecurityIdentity" permissions. Please refer to this document and provide permissions to the Logic App accordingly.
- Provide connection details for the SpyCloud Enterprise Custom Connector.
- Save the Logic App. If the Logic App prompts any missing connections, please update the connections similarly.
Configurations in Sentinel:
- In Microsoft Sentinel, analytical rules should be configured to trigger an incident with an IP entity.
- Configure the automation rules to trigger this playbook.
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
↑ Back to Playbooks · Back to SpyCloud Enterprise Protection