SpyCloud Breach Information - SpyCloud Enterprise
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
This Playbook will be triggered when an spycloud breach incident is created.
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | SpyCloud Enterprise Protection |
| Source | View on GitHub |
Logic App Connectors
This playbook uses 1 Logic App connector / built-in action:
| Connector / Action | Type | Connections | Actions |
|---|---|---|---|
azuresentinel |
Managed | 1 | 2 |
Action parameters (URLs, paths, function IDs)
azuresentinel (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Entities_-_Get_Accounts | post | /entities/account |
— |
| Add_comment_to_incident_(V3) | post | /Incidents/Comment |
— |
Additional Documentation
📄 Source: SpyCloud-Breach-Playbook/readme.md
SpyCloud Enterprise Breach Playbook
Table of Contents
Overview
This playbook gets triggered when an incident is created from the "SpyCloud Breach Rule" and can perform the following actions
- Check if the breached password length is >= the minimum required by the organization. If not, exit the playbook.
- Check if the user is currently an active employee. If not, exit the playbook.
- Check if the exposed password is in use on the network (check AD, check Okta, check Ping, check G-Suite, etc.
- If the password is in use in one of the checked systems, perform a password reset, raise an incident, etc.
Prerequisites
- A SpyCloud Enterprise API Key.
- SpyCloud Enterprise custom connector needs to be deployed prior to the deployment of this playbook, in the same resource group and region. Relevant instructions can be found on the connector doc page.
- SpyCloud-Monitor-Watchlist-Data-Playbook needs to be deployed prior to the deployment of this playbook, in the same resource group and region. Relevant instructions can be found on the playbook doc page.
Deployment Instructions
- Deploy the playbooks by clicking on the "Deploy to Azure" button. This will take you to the ARM Template Wizard.
- Fill in the required parameters for deploying the playbook.
- Click "Review + create". Once the validation is successful, click on "Create".
Post Deployment Instructions
Authorize connections
Once deployment is complete, you will need to authorize each connection:
- As a best practice, we have used the Sentinel connection in Logic Apps that use "ManagedSecurityIdentity" permissions. Please refer to this document and provide permissions to the Logic App accordingly.
- Provide connection details for the SpyCloud Enterprise Custom Connector.
- Save the Logic App. If the Logic App prompts any missing connections, please update the connections similarly.
b.Configurations in Sentinel:
- In Microsoft Sentinel, configure the SpyCloud Breach rule automation rules to trigger this playbook.
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
↑ Back to Playbooks · Back to SpyCloud Enterprise Protection