Endpoint enrichment - Carbon Black

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Content Index

This playbook will collect device information from Carbon Black and post a report on the incident.

Attribute	Value
Type	Playbook
Solution	VMware Carbon Black Cloud
Source	View on GitHub

Logic App Connectors

This playbook uses 2 Logic App connectors / built-in actions:

Connector / Action	Type	Connections	Actions
`azuresentinel`	Managed	1	2
`CarbonBlackCloudConnector`	Custom	1	1

Action parameters (URLs, paths, function IDs)

`azuresentinel` (Managed)

Action	Method	Endpoint	Other
Add_comment_to_incident_(V3)	post	`/Incidents/Comment`	—
Entities_-_Get_Hosts	post	`/entities/host`	—

`CarbonBlackCloudConnector` (Custom)

Action	Method	Endpoint	Other
Search_devices_in_your_organization	post	`/appservices/v6/orgs/@{encodeURIComponent(variables('OrganizationKey'))}/devices/_search`	—

Additional Documentation

📄 Source: CarbonBlack-DeviceEnrichment/readme.md

CarbonBlack-DeviceEnrichment Incident With devices information

Summary

When a new Sentinel incident is created,this playbook gets triggered and performs below actions

Fetches the devices information from CarbonBlack
Enrich the incident with device information by adding a comment to the incident

Prerequisites

CarbonBlack Custom Connector needs to be deployed prior to the deployment of this playbook under the same subscription.
Generate an API key.Refer this link how to generate the API Key
Find Organization key by referring this link Find Organization key by referring this link

Deployment instructions

Deploy the playbook by clicking on "Deploy to Azure" button. This will take you to deploying an ARM Template wizard.
Fill in the required parameters:
- Playbook Name: Enter the playbook name here (Ex:CarbonBlack-DeviceEnrichment)
- OrganizationKey : Enter the Organization key

Post-Deployment instructions

Authorize connections

Once deployment is complete, you will need to authorize each connection.

Click the Microsoft Sentinel connection resource
Click edit API connection
Click Authorize
Sign in
Click Save
Repeat step 2&3 while for CarbonBlack connector Connection to authorize connector API of the playbook (For authorizing the CarbonBlack API connection, API Key needs to be provided. API Key Value is the combination of API Key / API ID)

Configurations in Sentinel

In Microsoft Sentinel analytical rules should be configured to trigger an incident with risky device
Configure the automation rules to trigger this playbook

Playbook steps explained

When Microsoft Sentinel incident creation rule is triggered

Microsoft Sentinel incident is created. The playbook receives the incident as the input.

Entities - Get Hosts

Get the list of risky devices as entities from the Incident

Initialize variable to compose the devices information

Initialize an array variable to format the license query and used as parameter while calling the search devices with organization API action

Initialize variable to assign the Organization Id

Initialize an string variable to assign the Organization Id provided by Client while deploying the playbook and used a parameter while calling the search devices with organization API action.

For each-Hosts

This action will append each host to array variable called Hosts

Join OR to the hosts

This action will append logical OR operator to collected Hosts

Search devices in your organization

This action call API to search the devices in the organization by taking two parameters such as Organization Key and Query [ Query contains names of the devices ]

Construct HTML table

This action will construct the HTML table with devices information

Add a comment to the incident with the information

This action will enrich the incident with the constructed HTML table with devices information