This playbook will fetch and ingest IP or Domain Indicator data based on input parameters given in the live investigation dashboard.
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | Team Cymru Scout |
| Source | View on GitHub |
This playbook uses 4 Logic App connectors / built-in actions:
| Connector / Action | Type | Connections | Actions |
|---|---|---|---|
| azureloganalyticsdatacollector | Managed | 1 | 21 |
| azuremonitorlogs | Managed | 1 | 1 |
| http | Built-in | 0 | 7 |
| workflow | Built-in | 0 | 2 |
azureloganalyticsdatacollector (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Send_Proto_By_IP_Sections_Data_To_Log_Analytics_Table | post | /api/logs | — |
| Send_Top_Asns_By_IP_Sections_Data_To_Log_Analytics_Table | post | /api/logs | — |
| Send_Top_Certs_Data_To_Log_Analytics_Table | post | /api/logs | — |
| Send_Top_Country_Codes_Sections_Data_To_Log_Analytics_Table_Name | post | /api/logs | — |
| Send_Top_Fingerprints_Data_To_Log_Analytics_Table | post | /api/logs | — |
| Send_Open_Ports_Section_Data_To_Log_Analytics_Table | post | /api/logs | — |
| Send_Top_Pdns_Data_To_Log_Analytics_Table | post | /api/logs | — |
| Send_Top_Services_By_IP_Sections_Data_To_Log_Analytics_Table | post | /api/logs | — |
| Send_Top_Tags_By_IP_Sections_Data_To_Log_Analytics_Table | post | /api/logs | — |
| Send_IP_Indicator_Data_To_IP_Details_Table | post | /api/logs | — |
| Send_Identity_Data_To_Log_Analytics_Table | post | /api/logs | — |
| Send_Whois_Data_To_Log_Analytics_Workspace | post | /api/logs | — |
| Send_IP_Indicator_To_Live_Investigation_Indicators_Table | post | /api/logs | — |
| Send_Insights_Data_To_Log_Analytics_Table | post | /api/logs | — |
| Send_Communication_Peers_Data_To_Log_Analytic_Table | post | /api/logs | — |
| Send_Main_PDNS_Data_To_Log_Analytic_Table | post | /api/logs | — |
| Send_Main_Open_Ports_Data_To_Log_Analytic_Table | post | /api/logs | — |
| Send_Main_Fingerprints_Data_To_Log_Analytic_Table | post | /api/logs | — |
| Send_Main_X509_Data_To_Log_Analytic_Table | post | /api/logs | — |
| Send_Domain_Data_To_Log_Analytics_Table | post | /api/logs | — |
| Send_Domain_Indicator_To_Live_Investigation_Indicators_Table | post | /api/logs | — |
azuremonitorlogs (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Run_Query_And_Check_Whether_This_is_First_Execution_Or_Not | post | /queryData | — |
http (Built-in)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| HTTP_Request_To_Fetch_Proto_By_IP_Sections_Data | GET | @{variables('base_url')}/api/scout/ip/@{variables('indicator_value')}/details | — |
| HTTP_Request_To_Fetch_Top_Asns_By_IP_Sections_Data | GET | @{variables('base_url')}/api/scout/ip/@{variables('indicator_value')}/details | — |
| HTTP_Request_To_Fetch_Top_Country_Codes_By_IP_Sections_Data | GET | @{variables('base_url')}/api/scout/ip/@{variables('indicator_value')}/details | — |
| HTTP_Request_To_Fetch_Top_Services_By_IP_Sections_Data | GET | @{variables('base_url')}/api/scout/ip/@{variables('indicator_value')}/details | — |
| HTTP_Request_To_Fetch_Top_Tags_By_IP_Sections_Data | GET | @{variables('base_url')}/api/scout/ip/@{variables('indicator_value')}/details | — |
| HTTP_Request_To_Fetch_Details_Of_IP_Indicator | GET | @{variables('base_url')}/api/scout/ip/@{variables('indicator_value')}/details | — |
| HTTP_Request_To_Fetch_Details_Of_Domain_Indicator | GET | @{variables('base_url')}/api/scout/search | — |
workflow (Built-in)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| TeamCymruScoutCreateIncidentAndNotifyForFirstRun | — | — | workflowId=[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/',resourceGroup().name,'/providers/Microsoft.Logic/workflows/',trim(parameters('CreateIncidentAndNotifyPlaybookName')))]triggerName= manual |
| TeamCymruScoutCreateIncidentAndNotify | — | — | workflowId=[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/',resourceGroup().name,'/providers/Microsoft.Logic/workflows/',trim(parameters('CreateIncidentAndNotifyPlaybookName')))]triggerName= manual |
Once deployment is complete, authorize each connection.