This playbook runs on a recurring schedule (every hour) and checks the Sentinel workspace for any incident that was updated in the last hour by Sentinel alerts.
It then collects the new alert evidence attached to those updated Azure Sentinel incidents (from the last hour) and sends that evidence to an Event Hub, from which a third-party SIEM solution can consume it.
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | Standalone Content |
| Source | View on GitHub |
This content item queries data from the following tables:
| Table | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|
| SecurityAlert | ✓ | ✗ | ✓ |
| SecurityIncident | ✓ | ✗ | ✓ |
The following connectors provide data for this content item:
| Connector | Solution |
|---|---|
| DerdackSIGNL4 | SIGNL4 |
Solutions: SIGNL4
This playbook uses 4 Logic App connectors / built-in actions:
| Connector / Action | Type | Connections | Actions |
|---|---|---|---|
| azuremonitor | Managed | 0 | 2 |
| azuremonitorlogs | Managed | 1 | 0 |
| eventhub | Managed | 0 | 2 |
| eventhubs | Managed | 1 | 0 |
azuremonitor (Managed)

| Action | Method | Endpoint | Other |
|---|---|---|---|
| Run_query_and_list_results_(get_events_from_scheduled_rule) | post | /queryData | — |
| Run_query_and_list_results_(get_alerts_added_to_incidents) | post | /queryData | — |
eventhub (Managed)

| Action | Method | Endpoint | Other |
|---|---|---|---|
| Send_event_(send_information_with_events_to_eventhub) | post | /@{encodeURIComponent('incidentalerteventhub')}/events | — |
| Send_event_(send_information_of_alert_and_incident_to_eventhub) | post | /@{encodeURIComponent('incidentalerteventhub')}/events | — |