SpyCloud Malware Information - SpyCloud Enterprise
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
This Playbook will be triggered when an spycloud malware incident is created.
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | SpyCloud Enterprise Protection |
| Source | View on GitHub |
Logic App Connectors
This playbook uses 3 Logic App connectors / built-in actions:
| Connector / Action | Type | Connections | Actions |
|---|---|---|---|
azuresentinel |
Managed | 1 | 3 |
spycloud-enterprise-connector |
Managed | 0 | 1 |
SpyCloud-Enterprise-Protection |
Custom | 1 | 0 |
Action parameters (URLs, paths, function IDs)
azuresentinel (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Entities_-_Get_Hosts | post | /entities/host |
— |
| Add_comment_to_incident_(V3) | post | /Incidents/Comment |
— |
| Update_incident | put | /Incidents |
— |
spycloud-enterprise-connector (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Get_Compass_Devices_Data | get | /compass/data/devices/@{encodeURIComponent(variables('infected_machine_id'))} |
— |
Additional Documentation
📄 Source: SpyCloud-Malware-Playbook/readme.md
SpyCloud Enterprise Malware Playbook
Table of Contents
Overview
This playbook gets triggered when an incident is created from the "SpyCloud Malware Rule" and can perform the following actions
- Check if the hostname is a managed asset. If no hostname exists in the record, skip this check.
- For the specific machine ID, if the organization has access to compass data, pull all the additional records for the specific machine ID from the appropriate compass endpoint and add them to the incident.
- Escalate the incident for someone to handle the malware infection.
Prerequisites
- A SpyCloud Enterprise API Key
- SpyCloud Enterprise custom connector needs to be deployed prior to the deployment of this playbook, in the same resource group and region. Relevant instructions can be found on the connector documentation page.
- SpyCloud-Monitor-Watchlist-Data-Playbook needs to be deployed prior to the deployment of this playbook, in the same resource group and region. Relevant instructions can be found on the playbook document page.
Deployment Instructions
- Deploy the playbooks by clicking on the "Deploy to Azure" button. This will take you to the Deploy an ARM Template wizard.
- Fill in the required parameters for deploying the playbook.
- Click "Review + create". Once the validation is successful, click on "Create".
Post Deployment Instructions
Authorize connections
Once deployment is complete, you will need to authorize each connection:
- As a best practice, we have used the Sentinel connection in Logic Apps that use "ManagedSecurityIdentity" permissions. Please refer to this document and provide permissions to the Logic App accordingly.
- Provide connection details for the SpyCloud Enterprise Custom Connector.
- Save the Logic App. If the Logic App prompts any missing connections, please update the connections similarly.
b.Configurations in Sentinel:
- In Microsoft Sentinel, configure the SpyCloud Malware rule automation rules to trigger this playbook.
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
↑ Back to Playbooks · Back to SpyCloud Enterprise Protection