Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
This playbook leverages Microsoft Sentinel Watchlists in order to adapt the incidents severity which include User entity and check it against VIP user list.
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | Watchlists Utilities |
| Source | View on GitHub |
This playbook uses 2 Logic App connectors / built-in actions:
| Connector / Action | Type | Connections | Actions |
|---|---|---|---|
azuresentinel |
Managed | 1 | 0 |
microsoftsentinel |
Managed | 0 | 5 |
microsoftsentinel (Managed)| Action | Method | Endpoint | Other |
|---|---|---|---|
| Alert_-_Get_incident | get | /Cases/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])} |
— |
| Entities_-_Get_Accounts | post | /entities/account |
— |
| Change_incident_severity | put | /Case/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/@{encodeURIComponent('Incident')}/@{encodeURIComponent(body('Alert_-_Get_incident')?['properties']?['CaseNumber'])}/Severity/@{encodeURIComponent('Critical')} |
— |
| Change_incident_title_(V2) | put | /Case/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/@{encodeURIComponent('Incident')}/@{encodeURIComponent(body('Alert_-_Get_incident')?['properties']?['CaseNumber'])}/Title |
— |
| Watchlists_-_Get_all_watchlist_Items_for_a_given_watchlist | get | /Watchlists/subscriptions/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/resourceGroups/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/workspaces/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/watchlists/@{encodeURIComponent(parameters('WatchlistAlias'))}/watchlistItems |
— |
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊