Isolate endpoint - Carbon Black
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
This playbook will quarantine the host in Carbon Black.
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | VMware Carbon Black Cloud |
| Source | View on GitHub |
Logic App Connectors
This playbook uses 2 Logic App connectors / built-in actions:
| Connector / Action | Type | Connections | Actions |
|---|---|---|---|
azuresentinel |
Managed | 1 | 3 |
CarbonBlackCloudConnector |
Custom | 1 | 3 |
Action parameters (URLs, paths, function IDs)
azuresentinel (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Add_comment_to_incident_(V3) | post | /Incidents/Comment |
— |
| Update_incident | put | /Incidents |
— |
| Entities_-_Get_Hosts | post | /entities/host |
— |
CarbonBlackCloudConnector (Custom)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Search_devices_in_your_organization_based_on_device_name | post | /appservices/v6/orgs/@{encodeURIComponent(variables('OrganizationKey'))}/devices/_search |
— |
| device_actions | post | /appservices/v6/orgs/@{encodeURIComponent(variables('OrganizationKey'))}/device_actions |
— |
| Search_devices_in_your_organization | post | /appservices/v6/orgs/@{encodeURIComponent(variables('OrganizationKey'))}/devices/_search |
— |
Additional Documentation
📄 Source: CarbonBlack-QuarantineDevice/readme.md
CarbonBlack-QuarantineDevice Enrich Incident With devices information
Summary
When a new Sentinel incident is created,this playbook gets triggered and performs below actions
Fetches the devices information from CarbonBlack
Quarantine the device
Enrich the incident with device information by fetching from CarbonBlack
Prerequisites
- CarbonBlack Custom Connector needs to be deployed prior to the deployment of this playbook under the same subscription.
- Generate an API key.Refer this link how to generate the API Key
- Find Organization key by referring this link Find Organization key by referring this link
Deployment instructions
- Deploy the playbook by clicking on "Deploy to Azure" button. This will take you to deploying an ARM Template wizard.
- Fill in the required parameters:
- Playbook Name: Enter the playbook name here (Ex:CarbonBlack-QuarantineDevice)
- OrganizationKey : Enter the Organization key
Post-Deployment instructions
Authorize connections
Once deployment is complete, you will need to authorize each connection.
- Click the Microsoft Sentinel connection resource
- Click edit API connection
- Click Authorize
- Sign in
- Click Save
- Repeat step 2&3 while for CarbonBlack connector Connection to authorize connector API of the playbook (For authorizing the CarbonBlack API connection, API Key needs to be provided. API Key Value is the combination of API Key / API ID)
Configurations in Sentinel
- In Microsoft sentinel analytical rules should be configured to trigger an incident with risky device
- Configure the automation rules to trigger this playbook
Playbook steps explained
When Microsoft Sentinel incident creation rule is triggered
Microsoft Sentinel incident is created. The playbook receives the incident as the input.
Entities - Get Hosts
Get the list of risky devices as entities from the Incident
Initialize variable to assign the Organization Id
Initialize an string variable to assign the Organization Id provided by Client while deploying the playbook and used a parameter while calling the search devices with organization API action.
Initialize variable to assign the CarbonBlack devices information
Initialize an array variable to assign the CarbonBlack devices used as source to format the HTML with the devices information
Initialize variable to assign the quarantined devices information
Initialize an array variable to assign the quarantined devices information used as source to format the HTML with the action takened devices information
For each-Hosts
This action will perform the below actions a. Make a call to CarbonBlack API with the parameters such as Organization Key and Query [ Contains device name ] b. Verify the CarbonBlack returned the results and Check the device is quarantined c. If the device is not quarantined then isolate it.
Construct HTML table - CarbonBlack devices information
This action will construct the HTML table with devices information
Construct HTML table - Quarantined devices through playbook
This action will construct the HTML table with Quarantined devices through playbook
Add a comment to the incident with the information
This action will enrich the incident with the constructed HTML table with devices information
Close the comment
This action will close the incident if there is no exceptions occurred while quarantining the devices
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊