The Hive - Lock user
Once a new Microsoft Sentinel incident is created, this playbook is triggered and performs the following actions: 1. Parses the alert's custom details. 2. Locks users by the UserId or UserLogin passed from the alert.
Additional Documentation
📄 Source: TheHive-LockUser/readme.md
TheHive-LockUser
Summary
When a new Microsoft Sentinel incident is created, this playbook is triggered and performs the following actions:
- Parses the alert's custom details.
- Locks users by the UserId or UserLogin passed from the alert.

Prerequisites
- Prior to the deployment of this playbook, TheHive API Connector needs to be deployed under the same subscription.
- Obtain TheHive API credentials. Refer to TheHive API Custom Connector documentation.
Deployment instructions
- To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
- Fill in the required parameters:
  - Playbook Name: Enter the playbook name here
  - Connector Name: Enter the Logic App connector name for TheHive here
  - onPremiseGatewayName: Provide the on-premises data gateway that will be used with TheHive connector. The data gateway should be deployed under the same subscription and resource group as the playbook.

Post-Deployment instructions
a. Authorize connections
Once deployment is complete, authorize each connection.
- Click the Microsoft Sentinel connection resource
- Click edit API connection
- Click Authorize
- Sign in
- Click Save
- Repeat steps for other connections
b. Configurations in Sentinel
- In Microsoft Sentinel, analytics rules should be configured to trigger an incident.
An alert should contain UserId and/or UserLogin custom entities.
- Configure the automation rules to trigger the playbook.
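
Because the playbook locks whichever UserId or UserLogin the alert carries, it helps to confirm that an analytics rule really emits those values before wiring it to the automation rule. The following Python check is an added example, not part of the playbook or TheHive connector; it assumes the custom details arrive as a JSON string under `ExtendedProperties["Custom Details"]` with each key holding a list of strings, and the function names and sample alerts are hypothetical.

```python
import json

LOCK_KEYS = ("UserId", "UserLogin")  # custom-detail names from the readme


def lock_targets(alert):
    """Return {"UserId": [...], "UserLogin": [...]} for one alert.

    Assumption: custom details are a JSON string under
    ExtendedProperties["Custom Details"], each key holding a list of strings.
    """
    props = alert.get("ExtendedProperties") or {}
    if isinstance(props, str):  # the column may itself be serialized JSON
        props = json.loads(props)
    raw = props.get("Custom Details") or "{}"
    details = json.loads(raw) if isinstance(raw, str) else raw

    targets = {}
    for key in LOCK_KEYS:
        values = details.get(key, [])
        if isinstance(values, str):  # tolerate a bare string
            values = [values]
        cleaned = []
        for value in values:
            value = str(value).strip()
            if value and value not in cleaned:  # drop blanks and duplicates
                cleaned.append(value)
        targets[key] = cleaned
    return targets


def has_lock_target(alert):
    """True when the alert names at least one user the playbook could lock."""
    return any(lock_targets(alert).values())


# Constructed sample alerts (not real data).
ALERT_OK = {"ExtendedProperties": json.dumps({
    "Custom Details": json.dumps({"UserId": ["~4096", "~4096"], "UserLogin": ["jdoe@example.org "]}),
})}
ALERT_EMPTY = {"ExtendedProperties": json.dumps({
    "Custom Details": json.dumps({"UserLogin": [""], "SourceIp": ["203.0.113.7"]}),
})}

if __name__ == "__main__":
    for name, alert in (("ok", ALERT_OK), ("empty", ALERT_EMPTY)):
        print(name, has_lock_target(alert), lock_targets(alert))
```

An alert for which `has_lock_target` is false gives the playbook nothing to lock, so the rule's custom details mapping should be corrected before the automation rule is enabled.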