The Hive - Create case
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
Once a new Microsoft Sentinel incident is created, this playbook gets triggered and performs the following actions: 1. Creates case in TheHive instance with enriched description and title. 2. Gets Hosts, IPs entities. 3. Creates task and bind it to case. 4. Creates observables with hosts and IPs for created case.
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | TheHive |
| Source | View on GitHub |
Logic App Connectors
This playbook uses 2 Logic App connectors / built-in actions:
| Connector / Action | Type | Connections | Actions |
|---|---|---|---|
azuresentinel |
Managed | 1 | 2 |
TheHive |
Custom | 1 | 4 |
Action parameters (URLs, paths, function IDs)
azuresentinel (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Entities_-_Get_Hosts | post | /entities/host |
— |
| Entities_-_Get_IPs | post | /entities/ip |
— |
TheHive (Custom)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| create_observable_for_a_case | post | /api/v0/case/@{encodeURIComponent(body('create_case')?['caseId'])}/artifact |
— |
| create_observable_for_a_case_2 | post | /api/v0/case/@{encodeURIComponent(body('create_case')?['caseId'])}/artifact |
— |
| create_case | post | /api/case |
— |
| create_task | post | /api/case/@{encodeURIComponent(body('create_case')?['caseId'])}/task |
— |
Additional Documentation
📄 Source: TheHive-CreateCase/readme.md
TheHvie-CreateCase
Summary
When a new sentinel incident is created, this playbook gets triggered and performs the following actions:
- Create case in TheHive instance with and enrich it with description and title
- Gets Hosts, IPs entities.
- Create task and bind it to case.
- Creates obsarvebles with hosts and IPs for created case.
Prerequisites
- Prior to the deployment of this playbook, TheHive API Connector needs to be deployed under the same subscription.
- Obtain TheHive API credentials. Refer to TheHive API Custom Connector documentation.
Deployment instructions
- To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
- Fill in the required paramteres:
- Playbook Name: Enter the playbook name here
- Connector Name: Enter the Logic App connector name for TheHive here
- onPremiseGatewayName: Provide the On-premises data gateway that will be used with The Hive connector. Data gateway should be deployed under the same subscription and resource group as playbook.
Post-Deployment instructions
a. Authorize connections
Once deployment is complete, authorize each connection.
- Click the Microsoft Sentinel connection resource
- Click edit API connection
- Click Authorize
- Sign in
- Click Save
- Repeat steps for other connections
b. Configurations in Sentinel
- In Microsoft Sentinel, analytical rules should be configured to trigger an incident. In the Entity maping section of the analytics rule creation workflow, suspicious IP and hostnames should be mapped to Address identitfier of the IP for IPs entity type and HostName for the Host. Check the documentation to learn more about mapping entities.
- Configure the automation rules to trigger the playbook.
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊