Forum Discussion
How to create a playbook without the incident as reference
1) Are you talking about incidents that were created in another tenant (either another one from your company or a client)? If so, you can use the Azure Sentinel REST API to get that information. However, I would consider why you need to run it in your environment since you will be copying data from the other environment into yours which could run into some legal issues, depending on where the data is originally stored.
2) You can use the REST API calls to upload data into a custom log (see https://techcommunity.microsoft.com/t5/azure-sentinel/sending-rest-api-data-to-azure-sentinel/ba-p/558896 for more information) and then write an Analytics rule to trigger off that data. I do that for my demos a lot.
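A worked version of point 2, added here as an example and not code from this thread or from Microsoft: it signs and builds a Data Collector API request for a custom log from constructed sample events, so an analytics rule can be written and tested against data that exists before any real incident does. The endpoint, header names, Log-Type constraint and SharedKey signing scheme are the documented ones; the workspace ID, shared key, log name (SshBruteForce, which surfaces as SshBruteForce_CL) and events are placeholders and constructed sample data.

```python
"""Send constructed events to a Log Analytics custom log through the HTTP Data
Collector API so a Sentinel analytics rule can be built against them.

Added example, not code from the thread. Workspace ID, shared key, log name
and events are placeholders / constructed sample data."""
import base64
import datetime
import hashlib
import hmac
import json
import re
import urllib.request

API_VERSION = "2016-04-01"
RESOURCE = "/api/logs"
CONTENT_TYPE = "application/json"

# Placeholders only: take the real workspace ID and key from the workspace's
# "Agents management" blade and keep the key out of source control.
WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
SHARED_KEY_B64 = base64.b64encode(b"\x00" * 32).decode("ascii")
LOG_TYPE = "SshBruteForce"  # assumed name; appears in the workspace as SshBruteForce_CL
FIXED_NOW = datetime.datetime(2020, 8, 21, 10, 0, 0, tzinfo=datetime.timezone.utc)

# Constructed sample events in the shape a failed-SSH-login collector might emit.
SAMPLE_EVENTS = [
    {"EventTime": "2020-08-21T09:58:12Z", "SourceIp": "203.0.113.7",
     "TargetHost": "web01", "Action": "ssh_login_failed", "Attempts": 37},
    {"EventTime": "2020-08-21T09:59:40Z", "SourceIp": "198.51.100.23",
     "TargetHost": "web01", "Action": "ssh_login_failed", "Attempts": 12},
]


def is_valid_log_type(log_type):
    """Log-Type may contain only letters, digits and underscore, up to 100 chars."""
    return re.fullmatch(r"[A-Za-z0-9_]{1,100}", log_type) is not None


def build_string_to_sign(content_length, rfc1123_date):
    """Canonical string the API expects to be HMAC-SHA256'd with the shared key."""
    return (f"POST\n{content_length}\n{CONTENT_TYPE}\n"
            f"x-ms-date:{rfc1123_date}\n{RESOURCE}")


def build_authorization(workspace_id, shared_key_b64, content_length, rfc1123_date):
    """Return the 'SharedKey <workspace>:<base64 hmac>' Authorization header value."""
    key = base64.b64decode(shared_key_b64)
    msg = build_string_to_sign(content_length, rfc1123_date).encode("utf-8")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode('ascii')}"


def build_request(workspace_id, shared_key_b64, log_type, events, now=None):
    """Build (url, headers, body) for one batch without sending anything."""
    if not is_valid_log_type(log_type):
        raise ValueError(f"invalid Log-Type {log_type!r}")
    body = json.dumps(events).encode("utf-8")
    now = now or datetime.datetime.now(datetime.timezone.utc)
    rfc1123_date = now.strftime("%a, %d %b %Y %H:%M:%S GMT")
    headers = {
        "Content-Type": CONTENT_TYPE,
        # The signature covers body length and date, so a captured request
        # cannot be replayed with a different payload or much later.
        "Authorization": build_authorization(workspace_id, shared_key_b64,
                                            len(body), rfc1123_date),
        "Log-Type": log_type,
        "x-ms-date": rfc1123_date,
        # Which JSON field carries the event timestamp (else ingestion time is used).
        "time-generated-field": "EventTime",
    }
    url = (f"https://{workspace_id}.ods.opinsights.azure.com{RESOURCE}"
           f"?api-version={API_VERSION}")
    return url, headers, body


def post_events(workspace_id, shared_key_b64, log_type, events):
    """Send one batch; returns the HTTP status (200 means accepted)."""
    url, headers, body = build_request(workspace_id, shared_key_b64, log_type, events)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status


if __name__ == "__main__":
    # Offline demonstration: print the signed request. Swap in real
    # credentials and call post_events() to actually ingest.
    url, headers, body = build_request(WORKSPACE_ID, SHARED_KEY_B64, LOG_TYPE,
                                       SAMPLE_EVENTS, now=FIXED_NOW)
    print(url)
    for name, value in headers.items():
        print(f"{name}: {value}")
    print(body.decode())
```

Once a batch is accepted the table shows up in the workspace (after a few minutes) with the custom-log suffix, and the analytics rule's KQL can be written against it exactly as it would be against a live source; the rule then raises the incident that the playbook is attached to.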
The issue isn't where the data is sitting, it's the creation of the playbook itself. I'll try to explain myself a little better.
I only know how to create a playbook based off Sentinel incidents that come in (which also allows me to test it). So when I create a playbook, I find it easier to reference data from an incident and create a playbook from that and battle if I don't have that info.
How are you creating reactive playbooks?
- GaryBushey, Aug 21, 2020, Bronze Contributor
ReccoB Like Thijs Lecomte implied, Playbooks are just Azure Logic Apps that use a special trigger. You can create a Logic App that triggers off items like a timer or a http request that can perform various actions. You cannot associate these with an Analytics rule though, only Playbooks can do that.
- StephenN300, Aug 23, 2020, Copper Contributor
I have a similar issue. For example, I am creating a logic app for the scenario at https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux.
I want the playbook to block the IP for the brute forcer in the NSG (as Sentinel recommends) via the logic app.
Without creating a test incident, how would I find an example payload/schema to find where in the incident the IP address is provided?
I would never have guessed that it was under the following if I did not brute-force my own VM to create a test incident:

    "body": { "networkConnections": [ { "sourceaddress": "" } ] }

Does Microsoft have an online dump of all the schemas or example outputs for incidents created by things such as ATP or MCAS?
- GaryBushey, Aug 24, 2020, Bronze Contributor
StephenN300 All incidents in Azure Sentinel follow the same schema that can be found at https://github.com/Azure/azure-rest-api-specs/tree/master/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01
The SecurityInsights.json shows the actual schema for the various calls you can make and what gets returned and the "examples" folder has examples of the calls and what gets returned. Take a look at "incidents" sub-folder for examples of what incident information is returned.
In your case I would think you would want to create a Playbook to perform this task automatically or at least send an Email validation to make sure you want to perform this action.
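The IP-extraction step that StephenN300 asked about, worked through as an added example (not code from this thread, from Microsoft, or from the REST spec Gary linked). SAMPLE_INCIDENT is a constructed, abbreviated trigger payload that carries the attacker address both as an Ip entity and inside the nested networkConnections array quoted above; because it is not the official schema, the walker matches on key names rather than one fixed path, so it also copes with payloads from other alert providers. It then applies the checks a playbook should make before touching an NSG: the value parses as an IP, it is not an internal or special-use range, and it is not on an allowlist (the 198.51.100.0/24 "corporate egress" range is an assumption). The deny-rule body follows the field names of a Microsoft.Network/networkSecurityGroups/securityRules resource; the rule name and priority are assumptions.

```python
"""Find attacker IP(s) in a Sentinel incident trigger payload and build an NSG
deny rule body from them, using a constructed payload instead of provoking a
real brute-force incident.

Added example, not code from the thread. SAMPLE_INCIDENT is constructed and is
not the official schema; rule name, priority and allowlist are assumptions."""
import ipaddress

# Constructed: the IP appears as an entity and inside networkConnections, plus
# two values a naive playbook would wrongly block (internal host, non-IP string).
SAMPLE_INCIDENT = {
    "AlertDisplayName": "Failed SSH brute force attack",
    "Severity": "Medium",
    "Entities": [
        {"Type": "ip", "Address": "203.0.113.7"},
        {"Type": "host", "HostName": "web01"},
    ],
    "ExtendedProperties": {
        "networkConnections": [
            {"sourceaddress": "203.0.113.7", "destinationaddress": "10.0.0.4"},
            {"sourceaddress": "198.51.100.23", "destinationaddress": "10.0.0.4"},
            {"sourceaddress": "10.0.0.9", "destinationaddress": "10.0.0.4"},
            {"sourceaddress": "not-an-ip", "destinationaddress": "10.0.0.4"},
        ]
    },
}

# Keys naming the remote side of a connection. Destination keys are deliberately
# absent: blocking those would block your own VM.
SOURCE_KEYS = {"sourceaddress", "sourceip", "sourceipaddress"}
ENTITY_ADDRESS_KEYS = ("address", "ipaddress")

# Ranges a playbook must never push into a deny rule, whatever the payload says.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


def iter_candidate_ips(node):
    """Yield every string the payload presents as a source/attacker address."""
    if isinstance(node, dict):
        low = {str(k).lower(): v for k, v in node.items()}
        kind = str(low.get("type", low.get("kind", ""))).lower()
        if kind == "ip":  # Ip entity: the address lives in its own field
            for key in ENTITY_ADDRESS_KEYS:
                if isinstance(low.get(key), str):
                    yield low[key]
        for key, value in low.items():
            if key in SOURCE_KEYS and isinstance(value, str):
                yield value
            else:
                yield from iter_candidate_ips(value)  # keep walking nested objects
    elif isinstance(node, list):
        for item in node:
            yield from iter_candidate_ips(item)


def extract_block_candidates(payload, allowlist=()):
    """Return (ips_to_block, skipped) after parsing and policy checks."""
    allow = [ipaddress.ip_network(n) for n in allowlist]
    to_block, skipped = [], []
    for raw in iter_candidate_ips(payload):
        try:
            ip = ipaddress.ip_address(raw.strip())
        except ValueError:
            skipped.append((raw, "not an IP address"))
            continue
        if ip.is_multicast or ip.is_unspecified or any(ip in n for n in NEVER_BLOCK):
            skipped.append((raw, "internal or special-use"))
            continue
        if any(ip in n for n in allow):
            skipped.append((raw, "allowlisted"))
            continue
        if str(ip) not in to_block:  # dedupe, keep first-seen order
            to_block.append(str(ip))
    return to_block, skipped


def build_nsg_deny_rule(name, ips, priority=100):
    """Body for PUT .../securityRules/{name}: inbound deny from the given sources."""
    if not ips:
        raise ValueError("refusing to create a deny rule with no source prefixes")
    if not 100 <= priority <= 4096:
        raise ValueError("NSG rule priority must be between 100 and 4096")
    return {
        "name": name,
        "properties": {
            "description": "Added by Sentinel playbook: brute-force source",
            "protocol": "*",
            "sourcePortRange": "*",
            "destinationPortRange": "*",
            "sourceAddressPrefixes": list(ips),
            "destinationAddressPrefix": "*",
            "access": "Deny",
            "direction": "Inbound",
            "priority": priority,
        },
    }


if __name__ == "__main__":
    # Assumed corporate egress range so the SOC's own scanners are never blocked.
    ips, skipped = extract_block_candidates(SAMPLE_INCIDENT, allowlist=("198.51.100.0/24",))
    print("block:", ips)
    print("skipped:", skipped)
    print(build_nsg_deny_rule("deny-ssh-bruteforce-20200823", ips))
```

The skipped list is what the e-mail validation step Gary mentions should show the approver alongside the addresses about to be blocked: an attacker who can influence a field the playbook trusts (for example by spoofing a source that lands in the payload) is otherwise able to use the automation to cut off legitimate traffic.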