Forum Discussion
How to create a playbook without the incident as reference
Please excuse the novice question. But we are busy building playbooks for reactive and proactive responses to incidents. What we are finding is we can only create Playbooks based on incidents tha...
1) Are you talking about incidents that were created in another tenant (either another one from your company or a client)? If so, you can use the Azure Sentinel REST API to get that information. However, I would consider why you need to run it in your environment since you will be copying data from the other environment into yours which could run into some legal issues, depending on where the data is originally stored.
2) You can use the REST API calls to upload data into a custom log (see https://techcommunity.microsoft.com/t5/azure-sentinel/sending-rest-api-data-to-azure-sentinel/ba-p/558896 for more information) and then write an Analytics rule to trigger off that data. I do that for my demos a lot.
The issue isnt where the data is sitting, its the creation of the playbook itself. I'll try explain myself a little better.
I only know how to create a playbook based off Sentinel incidents that come in (which also allows me to test it). So when I create a playbook, I find it easier to reference data from an incident and create a playbook from that and battle if I don't have that info.
How are you creating reactive playbooks?
ReccoB Like Thijs Lecomte implied, Playbooks are just Azure Logic Apps that use a special trigger. You can create a Logic App that triggers off items like a timer or a http request that can perform various actions. You cannot associate these with an Analytics rule though, only Playbooks can do that.
I have a similar issue, for example i am creating a logic app for the scenario for ssh vm brute force attempts.
I want the playbook to block the IP for the brute forcer in the NSG (as sentinel recommends) via the logic app.
Without creating a test incident, how would i find an example payload/schema to find where in the incident provides the IP address.
I would never have guessed that it was under the following if i did not bruteforce my own vm to create a test incident:
"body": { "networkConnections": [ "sourceaddress": "" ] }Does Microsoft have an online dump of all the schemas or example outputs for incidents created by things such as ATP or MCAS?
