The Hive - Lock user
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
Once a new Microsoft Sentinel incident is created, this playbook gets triggered and performs the following actions: 1. Parses alerts custom details 2. Locks Users by UserId or UserLogin passed from alert.
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | TheHive |
| Source | View on GitHub |
Logic App Connectors
This playbook uses 2 Logic App connectors / built-in actions:
| Connector / Action | Type | Connections | Actions |
|---|---|---|---|
azuresentinel |
Managed | 1 | 6 |
TheHive |
Custom | 1 | 2 |
Action parameters (URLs, paths, function IDs)
azuresentinel (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Add_comment_to_incident_(V3)_5 | post | /Incidents/Comment |
— |
| Add_comment_to_incident_(V3)_6 | post | /Incidents/Comment |
— |
| Add_comment_to_incident_(V3)_4 | post | /Incidents/Comment |
— |
| Add_comment_to_incident_(V3) | post | /Incidents/Comment |
— |
| Add_comment_to_incident_(V3)_2 | post | /Incidents/Comment |
— |
| Add_comment_to_incident_(V3)_3 | post | /Incidents/Comment |
— |
TheHive (Custom)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Lock_user_by_id | patch | /api/v1/user/@{encodeURIComponent(items('Lock_users_by_UserId'))} |
— |
| Lock_user_by_login | patch | /api/v1/user/@{encodeURIComponent(items('Lock_users_by_UserLogin'))} |
— |
Additional Documentation
📄 Source: TheHive-LockUser/readme.md
TheHive-LockUser
Summary
When a new sentinel incident created, this playbook gets triggered and performs the following actions:
- Parse alerts custom details
- Locks Users by UserId or UserLogin passed from alert.
Prerequisites
- Prior to the deployment of this playbook, TheHive API Connector needs to be deployed under the same subscription.
- Obtain TheHive API credentials. Refer to TheHive API Custom Connector documentation.
Deployment instructions
- To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
- Fill in the required paramteres:
- Playbook Name: Enter the playbook name here
- Connector Name: Enter the Logic App connector name for TheHive here
- onPremiseGatewayName: Provide the On-premises data gateway that will be used with The Hive connector. Data gateway should be deployed under the same subscription and resource group as playbook.
Post-Deployment instructions
a. Authorize connections
Once deployment is complete, authorize each connection.
- Click the Microsoft Sentinel connection resource
- Click edit API connection
- Click Authorize
- Sign in
- Click Save
- Repeat steps for other connections
b. Configurations in Sentinel
- In Microsoft Sentinel, analytical rules should be configured to trigger an incident. An alert should contain UserId or/and UserLogin custom entities.
- Configure the automation rules to trigger the playbook.
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊