MTI Threat Actor Lookup

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Content Index

To be deployed with the bundled function app to automate infrastructure chaining with the MTI API

Attribute	Value
Type	Playbook
Solution	Standalone Content
Source	View on GitHub

Logic App Connectors

This playbook uses 5 Logic App connectors / built-in actions:

Connector / Action	Type	Connections	Actions
`azuresentinel`	Managed	2	12
`keyvault`	Managed	1	1
`securitycopilot`	Managed	1	4
`http`	Built-in	0	4
`workflow`	Built-in	0	1

Action parameters (URLs, paths, function IDs)

`azuresentinel` (Managed)

Action	Method	Endpoint	Other
Entities_-_Get_Hosts	post	`/entities/host`	—
Entities_-_Get_IPs	post	`/entities/ip`	—
Add_comment_to_incident_(V3)_2	post	`/Incidents/Comment`	—
Update_incident_2	put	`/Incidents`	—
Add_comment_to_incident_(V3)	post	`/Incidents/Comment`	—
Update_incident	put	`/Incidents`	—
Add_comment_to_incident_(V3)_1	post	`/Incidents/Comment`	—
Add_comment_to_incident_(V3)_4	post	`/Incidents/Comment`	—
Update_incident_1	put	`/Incidents`	—
Add_comment_to_incident_(V3)_5	post	`/Incidents/Comment`	—
Add_comment_to_incident_(V3)_6	post	`/Incidents/Comment`	—
Update_incident_3	put	`/Incidents`	—

`keyvault` (Managed)

Action	Method	Endpoint	Other
Get_secret	get	`/secrets/@{encodeURIComponent('MechanicsDemo-AzureFunction')}/value`	—

`securitycopilot` (Managed)

Action	Method	Endpoint	Other
Submit_a_Copilot_for_Security_prompt_2	post	`/process-prompt`	—
Submit_a_Copilot_for_Security_prompt_1	post	`/process-prompt`	—
Submit_a_Copilot_for_Security_prompt	post	`/process-prompt`	—
Submit_a_Copilot_for_Security_prompt_4	post	`/process-prompt`	—

`http` (Built-in)

Action	Method	Endpoint	Other
MDTI_API_Hosts	GET	`https://graph.microsoft.com/beta/security/threatIntelligence/hosts/@{items('For_each')?['HostName']}.@{items('For_each')?['DnsDomain']}/reputation`	—
MDTI_API_IPs	GET	`https://graph.microsoft.com/beta/security/threatIntelligence/hosts/@{items('For_each_2')?['Address']}/reputation`	—
Function_App_call	POST	`@{parameters('Function App URL')}item=@{items('For_each_3')?['Address']}&code=@{body('Get_secret')?['value']}`	—
Function_App_call_1	POST	`@{parameters('Function App URL')}item=@{item()?['HostName']}.@{item()?['DnsDomain']}&code=@{body('Get_secret')?['value']}`	—

`workflow` (Built-in)

Action	Method	Endpoint	Other
MDTI-Base	—	—	workflowId=`[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Logic/workflows/MDTI-Base')]` triggerName=`manual`

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Playbooks