Team Cymru Scout Create Incident And Notify
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
This playbook will create an incident for suspicious or malicious ip and notify to pre-defined or user customizable email id.
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | Team Cymru Scout |
| Source | View on GitHub |
Logic App Connectors
This playbook uses 3 Logic App connectors / built-in actions:
| Connector / Action | Type | Connections | Actions |
|---|---|---|---|
azuremonitorlogs |
Managed | 1 | 7 |
azuresentinel |
Managed | 1 | 8 |
outlook |
Managed | 1 | 1 |
Action parameters (URLs, paths, function IDs)
azuremonitorlogs (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Run_Query_And_List_Insights_Data_And_Country_Code_For_Indicator | post | /queryData |
— |
| Run_Query_and_List_Results_for_Insights | post | /queryData |
— |
| Run_Query_and_List_Results_for_Top_PDNS | post | /queryData |
— |
| Run_Query_and_List_Results_for_Top_Certs | post | /queryData |
— |
| Run_Query_and_List_Results_for_Top_Open_Ports | post | /queryData |
— |
| Run_Query_and_List_Results_for_Top_Fingerprints | post | /queryData |
— |
| Run_Query_and_List_Results_for_Whois | post | /queryData |
— |
azuresentinel (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Add_Insights_Details_To_Incident_Comment_(V3) | post | /Incidents/Comment |
— |
| Add_Open_Ports_Details_To_Incident_Comment_(V3) | post | /Incidents/Comment |
— |
| Add_PDNS_Details_To_Incident_Comment_(V3) | post | /Incidents/Comment |
— |
| Create_Incident_For_IP | put | [concat('/Incidents/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/workspaces/', trim(parameters('WorkspaceName')))] |
— |
| Add_Certs_Details_To_Incident_Comment_(V3) | post | /Incidents/Comment |
— |
| Add_Fingerprints_Details_To_Incident_Comment_(V3) | post | /Incidents/Comment |
— |
| Add_Whois_Details_To_Incident_Comment_(V3) | post | /Incidents/Comment |
— |
| Add_Scout_link_And_General_Information_To_Incident_Comment | post | /Incidents/Comment |
— |
outlook (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Send_An_Email_(V2) | post | /v2/Mail |
— |
Additional Documentation
Summary
This playbook will create an incident for suspicious or malicious ip and notify to pre-defined or user customizable email id.
Prerequisites
- User should have an outlook mail account in order to use this playbook.
Deployment instructions
- To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
- Fill in the required parameters:
- PlaybookName: Please do not change the playbook name, else you will not be able to run playbook from workbook.
- EmailId: Enter valid comma separated email ID(s) of receiver without space. (e.g. person1@gmail.com,person2@gmail.com)
- WorkspaceName: Enter workspace name in which you want to create an incidents.
Post-Deployment instructions
a. Authorize connections
Once deployment is complete, authorize each connection.
- Go to your logic app → API connections → Select outlook connection resource
- Go to General → Edit API connection.
- Click Authorize
- Sign in.
- Click Save.
- Repeat steps for other connections.
b. Assign Role to add a comment in the incident
After authorizing each connection, assign a role to this playbook.
- Go to Log Analytics Workspace → your workspace → Access Control → Add
- Add role assignment
- Assignment type: Job function roles
- Role: Microsoft Sentinel Contributor
- Members: select managed identity for "assigned access to" and add your logic app as a member.
- Click on review+assign
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊