Tenable VM - Enrich incident with vulnerability info
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
Once a new Microsoft Sentinel incident is created, this playbook gets triggered and performs the following actions: 1. Obtains IPs from the incident. 2. Searches asset IDs by the IPs in Microsoft Sentinel. 3. Gets vulnerabilities information in Microsoft Sentinel. 4. Adds obtained information as a comment to the incident.
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | Tenable App |
| Source | View on GitHub |
Tables Used
This content item queries data from the following tables:
| Table | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|
Tenable_VM_Vuln_CL |
✓ | ✓ | ✓ |
Logic App Connectors
This playbook uses 2 Logic App connectors / built-in actions:
| Connector / Action | Type | Connections | Actions |
|---|---|---|---|
azuremonitorlogs |
Managed | 1 | 1 |
azuresentinel |
Managed | 1 | 2 |
Action parameters (URLs, paths, function IDs)
azuremonitorlogs (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Run_query_and_list_results | post | /queryData |
— |
azuresentinel (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Add_comment_to_incident_(V3) | post | /Incidents/Comment |
— |
| Entities_-_Get_IPs | post | /entities/ip |
— |
Additional Documentation
📄 Source: Playbooks/Tenable-EnrichIncidentWithVulnInfo/readme.md
Tenable-EnrichIncidentWithVulnInfo
Summary
When a new sentinel incident is created, this playbook gets triggered and performs the following actions:
- Obtains IPs from the incident.
- Searches asset ids by the IPs.
- Gets vulnerabilities information.
- Adds obtained information as a comment to the incident.
Prerequisites
- Prior to the deployment of this playbook, TenableVM Data Connector should be deployed.
Deployment instructions
- To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
- Fill in the required paramteres:
- Playbook Name: Enter the playbook name here
Post-Deployment instructions
a. Authorize connections
Once deployment is complete, authorize each connection.
- Click the Microsoft Sentinel connection resource
- Click edit API connection
- Click Authorize
- Sign in
- Click Save
- Repeat 1-5 steps for Azure Monitor Logs connection
b. Configurations in Sentinel
- In Microsoft sentinel, analytical rules should be configured to trigger an incident that contains IPs. In the Entity maping section of the analytics rule creation workflow, IP should be mapped to Address identitfier of the IP entity type. Check the documentation to learn more about mapping entities.
- Configure the automation rules to trigger the playbook. Check the documentation to learn more about automation rules.
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊