Cohesity Security Integration for Microsoft Sentinel

Solution: CohesitySecurity



Attribute         Value
Publisher         Cohesity
Support Tier      Partner
Support Link      https://support.cohesity.com/
Categories        domains
Version           3.1.3
Author            Cohesity - support@cohesity.com
First Published   2022-10-10
Solution Folder   CohesitySecurity
Marketplace       Azure Marketplace · Rating: 5.0/5 (1 rating) · Popularity: Low (23%)

This product integrates Cohesity Helios with Microsoft Sentinel so that you stay updated on security events from your Cohesity environment and can respond immediately to a ransomware attack or an anomaly.

Contents

Data Connectors

This solution provides 1 data connector(s):

Tables Used

This solution uses 1 table(s):

Table         Used By Connectors   Used By Content
Cohesity_CL   Cohesity             -

Content Items

This solution includes 5 content item(s):

Content Type   Count
Playbooks      5

Playbooks

Name                                            Description                                                                                              Tables Used
Close Cohesity Helios Incident                  This playbook closes the corresponding Cohesity DataHawk (Helios) ticket.                                -
Cohesity Create or Update ServiceNow incident   This playbook creates and updates the incident in the ServiceNow platform.                               -
Cohesity Incident Email                         This playbook sends an email to the recipient with the details related to the incidents.                 -
Delete Cohesity incident blobs                  This playbook deletes the blobs on Azure storage created by an incident that is generated by Cohesit...   -
Restore From Last Cohesity Snapshot             This playbook restores the latest good Data Hawk (Helios) snapshot.                                      -

Additional Documentation

📄 Source: CohesitySecurity/README.md

Cohesity Data Cloud Integration with Microsoft Sentinel

You can integrate Cohesity Data Cloud with Microsoft Sentinel to provide security operators and IT operation teams with the automation and operational simplicity to respond to threats and recover from ransomware incidents through Microsoft Sentinel. This integration allows you to:

Package Building and Validation Instructions

Disclaimer: You can skip these steps and use one of the pre-built packages from this directory. These steps are required only if you want to rebuild the package.

1. Follow this readme.md to set up the build prerequisites.
2. Edit cohesity.json to add the required values. Note: The dummy values are provided to protect Personally Identifiable Information (PII).
3. Run build.ps1 to build the package.
4. Follow readme.md for post-build manual validation.

Deployment

This package contains the following Azure functions to communicate with Microsoft Sentinel and Cohesity Data Cloud, and playbooks to automate workflows.

The package consists of the following Azure functions:

* IncidentProducer to retrieve Cohesity Data Cloud alerts through the REST API. For more information, see IncidentProducer.
* IncidentConsumer to create incidents in Microsoft Sentinel. For more information, see IncidentConsumer.

You can refer to the Azure Functions file to learn more about the prerequisites and the deployment of the Azure functions.

The package contains the following playbooks:

[Content truncated...]

Release Notes

Version   Date Modified (DD-MM-YYYY)   Change History
3.1.2     21-10-2024                   Corrected Param for JobId for recovery API
3.1.1     10-10-2024                   Updating Solution with fix for Restore Playbook
3.1.0     19-07-2024                   added missing helioID using anomaly strength
3.0.0     29-06-2023                   Updating Azure Function to Azure Functions in Data Connector Description
