AS-IP-Blocklist

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Content Index

This playbook is intended to be run from a Microsoft Sentinel Incident. It will add the IP address from Microsoft Sentinel Incidents to a Microsoft Azure Conditional Access Named Locations list, signifying compromised IP addresses.

Attribute	Value
Type	Playbook
Solution	Standalone Content
Source	View on GitHub

Logic App Connectors

This playbook uses 3 Logic App connectors / built-in actions:

Connector / Action	Type	Connections	Actions
`azuresentinel`	Managed	1	1
`keyvault`	Managed	1	1
`http`	Built-in	0	2

Action parameters (URLs, paths, function IDs)

`azuresentinel` (Managed)

Action	Method	Endpoint	Other
Entities_-_Get_IPs	post	`/entities/ip`	—

`keyvault` (Managed)

Action	Method	Endpoint	Other
Get_Secret	get	`[concat('/secrets/@{encodeURIComponent(''', parameters('SecretName'), ''')}/value')]`	—

`http` (Built-in)

Action	Method	Endpoint	Other
HTTP-_Add_IP_to_Named_Locations_List	PATCH	`[concat('https://graph.microsoft.com/v1.0/identity/conditionalAccess/namedLocations/', parameters('NamedLocationsListID'))]`	—
HTTP_-_Get_Previous_List_Values	GET	`[concat('https://graph.microsoft.com/v1.0/identity/conditionalAccess/namedLocations/', parameters('NamedLocationsListID'))]`	—

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Playbooks

AS-IP-Blocklist

Logic App Connectors

azuresentinel (Managed)

keyvault (Managed)

http (Built-in)

`azuresentinel` (Managed)

`keyvault` (Managed)

`http` (Built-in)