Forum Discussion
Add comment to incident with IP information
- Oct 05, 2020
Hi
The Azure Sentinel Github page is an awesome resource as it's actively maintained by the Sentinel team.
Here are a few examples:
https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Get-IPReputation
https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Get-GeoFromIpAndTagIncident
https://secureinfra.blog/2020/09/03/how-to-add-geographical-data-for-ip-addresses-to-an-azure-sentinel-incident/
I have been playing around with Logic Apps heavily. So feel free to reply if you are stuck somewhere
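The linked playbooks all follow the same shape: get the incident, pull the IP entities out of it, enrich each IP, and post the result back as a comment. The following is an added example, not code from this thread or from the linked playbooks, that implements that enrichment logic in plain Python so it can be run and tested offline. It assumes the entity shape the Sentinel connector returns (kind "Ip" with properties.address); the sample entities and the geo table are constructed stand-ins for the real incident data and the real lookup service.

```python
import ipaddress
from typing import Callable, Dict, Iterable, List, Optional

# Constructed sample entities in the shape the Sentinel "Entities - Get IPs"
# action returns (shape assumed; addresses and names invented for this example).
SAMPLE_ENTITIES: List[dict] = [
    {"kind": "Ip", "properties": {"address": "203.0.113.7", "friendlyName": "203.0.113.7"}},
    {"kind": "Ip", "properties": {"address": "10.0.0.5", "friendlyName": "10.0.0.5"}},
    {"kind": "Account", "properties": {"accountName": "jdoe"}},
    {"kind": "Ip", "properties": {"address": "203.0.113.7", "friendlyName": "203.0.113.7"}},
    {"kind": "Ip", "properties": {"address": "not-an-ip"}},
]

# Constructed geo table standing in for a reputation/geo-IP service call.
GEO_TABLE: Dict[str, Dict[str, str]] = {
    "203.0.113.7": {"country": "Example-land", "city": "Testville", "asn": "AS64496"},
}

# Ranges a geo lookup is pointless for. RFC 5737 documentation ranges are
# deliberately NOT listed so the constructed sample passes; in production,
# ipaddress.ip_address(x).is_global is the stricter check.
_NO_LOOKUP = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]


def lookup_geo(ip: str) -> Optional[Dict[str, str]]:
    """Stand-in for the HTTP call a playbook makes; None means 'no data'."""
    return GEO_TABLE.get(ip)


def extract_lookup_ips(entities: Iterable[dict]) -> List[str]:
    """Unique IP entities worth enriching, in first-seen order."""
    seen = set()
    result: List[str] = []
    for entity in entities:
        if entity.get("kind") != "Ip":
            continue
        raw = entity.get("properties", {}).get("address", "")
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            continue  # malformed entity: skip rather than fail the whole run
        if any(ip in net for net in _NO_LOOKUP):
            continue
        text = str(ip)
        if text not in seen:
            seen.add(text)
            result.append(text)
    return result


def build_comment(ips: List[str],
                  lookup: Callable[[str], Optional[Dict[str, str]]]) -> Optional[str]:
    """One line per IP; a missing lookup result is recorded, not dropped."""
    lines = []
    for ip in ips:
        info = lookup(ip)
        if info is None:
            lines.append(f"{ip}: no geo data returned")
        else:
            lines.append(f"{ip}: {info['city']}, {info['country']} ({info['asn']})")
    if not lines:
        return None
    return "IP enrichment (automated):\n" + "\n".join(lines)


def enrich_incident(incident: Optional[dict], entities: Iterable[dict],
                    lookup: Callable[[str], Optional[Dict[str, str]]]) -> Dict[str, Optional[str]]:
    """Mirror the playbook's control flow. `incident` is what the
    'Alert - Get incident' step returned; None models the NotFound case
    discussed in the thread, where nothing should be posted."""
    if incident is None:
        return {"status": "incident-not-found", "comment": None}
    comment = build_comment(extract_lookup_ips(entities), lookup)
    if comment is None:
        return {"status": "no-ips-to-enrich", "comment": None}
    # A real playbook would POST `comment` to the incident here.
    return {"status": "commented", "comment": comment}


if __name__ == "__main__":
    print(enrich_incident({"name": "incident-1"}, SAMPLE_ENTITIES, lookup_geo)["comment"])
```

The private-range filter and the duplicate suppression are the two things worth carrying into a Logic App version: geo services either error on or rate-limit RFC 1918 addresses, and an incident with the same IP in several alerts should not produce one comment line per alert.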
- stianhoydal, Oct 06, 2020, Brass Contributor
Well... After some trial and error, I cannot seem to make this work for me. I've read something about playbooks not necessarily working without the correct permissions; you wouldn't happen to know which roles are needed to make functioning playbooks?
P.S. I am currently only assigned a Security Operator role.
- GaryBushey, Oct 06, 2020, Bronze Contributor
stianhoydal, if you look at this page: https://docs.microsoft.com/en-us/azure/sentinel/roles#roles-and-allowed-actions, you will notice that to work with Playbooks you need the Azure Sentinel Contributor + Logic App Contributor roles.
- stianhoydal, Oct 06, 2020, Brass Contributor
I went in and checked, and I do have these permissions, but the error message I get when running the logic app Thijs Lecomte linked persists. Thanks for linking the resource though; it was nice to clear up what permissions I actually need.
- Thijs Lecomte, Oct 06, 2020, Bronze Contributor
What kind of errors are you receiving?
You need Contributor permissions in order to deploy to a logic app.
- stianhoydal, Oct 06, 2020, Brass Contributor
The "Alert - Get incident" returns "NotFound" and ends the run.
Just the generic 404 resource not found.
- stianhoydal, Oct 06, 2020, Brass Contributor
This looks exactly like what I need. Let's see if I can make it work for my environment. Thank you :)