Add Asset to Protection - Zero Networks Segment
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
This playbook takes a host from a Microsoft Sentinel incident and adds it to protection. The playbook is configured to add the machine to protection(learning). If you want to have it go straight to protection, remove the protectAt property in the action.
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | ZeroNetworks |
| Source | View on GitHub |
Logic App Connectors
This playbook uses 2 Logic App connectors / built-in actions:
| Connector / Action | Type | Connections | Actions |
|---|---|---|---|
azuresentinel |
Managed | 1 | 2 |
ZeroNetworksConnector |
Custom | 1 | 2 |
Action parameters (URLs, paths, function IDs)
azuresentinel (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Add_comment_to_incident_(V3) | post | /Incidents/Comment |
— |
| Entities_-_Get_Hosts | post | /entities/host |
— |
ZeroNetworksConnector (Custom)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Add_asset_to_protection | post | /assets/protect |
— |
| Search_for_an_Asset | get | /assets |
— |
Additional Documentation
📄 Source: ZeroNetworksSegment-AddAssettoProtection/readme.md
Zero Networks Segment-Add Asset to Protection
Summary
This playbook takes a host from a Microsoft Sentinel incident and adds it to protection. The playbook is configured to add the machine to protection(learning). If you want to have it go straight to protection, remove the protectAt property in the action.
When a new Microsoft Sentinel incident is created, this playbook gets triggered and performs below actions
- For the hosts in the incident, each host is added to protection (learning).
- A comment is added to Microsoft Sentinel incident.
Playbook overview:
Prerequisites
- Zero Networks custom connector needs to be deployed prior to the deployment of this playbook, in the same resource group and region. Relevant instructions can be found in the connector doc page.
Deployment instructions
- Deploy the playbook by clicking on "Depoly to Azure" button. This will take you to deplyoing an ARM Template wizard.
- Fill in the required paramteres:
- Playbook Name: Enter the playbook name here (ex:ZNSegment-AddAssettoProtection)
- Zero Networks Connector name : Enter the name of the Zero Networks custom connector (default value:ZeroNetworksConnector)
Post-Deployment instructions
a. Authorize connections
Once deployment is complete, you will need to authorize each connection.
- Click the Microsoft Sentinel connection resource
- Click edit API connection
- Click Authorize
- Sign in
- Click Save
- Repeat steps for other connections such as Zero Networks
c. Configurations in Sentinel
- In Microsoft Sentinel, analytical rules should be configured to trigger an incident with Host Entity.
- Configure the automation rules to trigger this playbook
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊