How to create a playbook without the incident as reference

Question

Please excuse the novice question.&nbsp;But we are busy building playbooks for reactive and proactive responses to incidents. What we are finding is we can only create Playbooks based on incidents that have occurred in our environment.&nbsp;So, as we are creating the incident, we can leverage the schema for that incident and perform the action we require.&nbsp;1. How would you normally create Playbook for incidents that haven't occurred in your environment?2. Is there a way to generate incidents to help create and test playbooks?

garybushey · Answer

ReccoB&nbsp;1) Are you talking about incidents that were created in another tenant (either another one from your company or a client)?&nbsp; &nbsp;If so, you can use the Azure Sentinel REST API to get that information.&nbsp; However, I would consider why you need to run it in your environment since you will be copying data from the other environment into yours which could run into some legal issues, depending on where the data is originally stored.2) You can use the REST API calls to upload data into a custom log (see&nbsp;https://techcommunity.microsoft.com/t5/azure-sentinel/sending-rest-api-data-to-azure-sentinel/ba-p/558896&nbsp;for more information) and then write an Analytics rule to trigger off that data.&nbsp; I do that for my demos a lot.

thijs lecomte · Answer

You can create a Logic App with a scheduled trigger so that it runs without having to have it triggered by an event

reccob · Answer

GaryBushey&nbsp;The issue isnt where the data is sitting, its the creation of the playbook itself. I'll try explain myself a little better.&nbsp;I only know how to create a playbook based off Sentinel incidents that come in (which also allows me to test it). So when I create a playbook, I find it easier to reference data from an incident and create a playbook from that and battle if I don't have that info.&nbsp;How are you creating reactive playbooks?&nbsp;

garybushey · Answer

ReccoB&nbsp;Like&nbsp;Thijs Lecomte&nbsp;implied, Playbooks are just Azure Logic Apps that use a special trigger.&nbsp; You can create a Logic App that triggers off items like a timer or a http request that can perform various actions.&nbsp; You cannot associate these with an Analytics rule though, only Playbooks can do that.

stephenn300 · Answer

GaryBushey&nbsp;&nbsp;I have a similar issue, for example i am creating a logic app for the scenario for ssh vm brute force attempts.I want the playbook to block the IP for the brute forcer in the NSG (as sentinel recommends) via the logic app.Without creating a test incident, how would i find an example payload/schema to find&nbsp; where in the incident provides the IP address.I would never have guessed that it was under the following if i did not bruteforce my own vm to create a test incident:"body": {

"networkConnections": [

"sourceaddress": ""

]

}&nbsp;Does Microsoft have an online dump of all the schemas or example outputs for incidents created by things such as ATP or MCAS?

Forum Discussion

How to create a playbook without the incident as reference

Share

Resources