Forum Discussion
How to create a playbook without the incident as reference
The issue isnt where the data is sitting, its the creation of the playbook itself. I'll try explain myself a little better.
I only know how to create a playbook based off Sentinel incidents that come in (which also allows me to test it). So when I create a playbook, I find it easier to reference data from an incident and create a playbook from that and battle if I don't have that info.
How are you creating reactive playbooks?
ReccoB Like Thijs Lecomte implied, Playbooks are just Azure Logic Apps that use a special trigger. You can create a Logic App that triggers off items like a timer or a http request that can perform various actions. You cannot associate these with an Analytics rule though, only Playbooks can do that.
I have a similar issue, for example i am creating a logic app for the scenario for https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux.
I want the playbook to block the IP for the brute forcer in the NSG (as sentinel recommends) via the logic app.
Without creating a test incident, how would i find an example payload/schema to find where in the incident provides the IP address.
I would never have guessed that it was under the following if i did not bruteforce my own vm to create a test incident:
"body": { "networkConnections": [ "sourceaddress": "" ] }Does Microsoft have an online dump of all the schemas or example outputs for incidents created by things such as ATP or MCAS?
StephenN300 All incidents in Azure Sentinel follow the same schema that can be found at https://github.com/Azure/azure-rest-api-specs/tree/master/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01
The SecurityInsights.json shows the actual schema for the various calls you can make and what gets returned and the "examples" folder has examples of the calls and what gets returned. Take a look at "incidents" sub-folder for examples of what incident information is returned.
In your case I would think you would want to create a Playbook to perform this task automatically or at least send an Email validation to make sure you want to perform this action.
