SOLVED

Add comment to incident with IP information


Greetings everyone!

I am currently trying to set up a playbook that takes the IP from an incident, looks up this IP (IP lookup or other similar services), and places a comment on the incident regarding information about who owns this IP.

I am doing this because there is extensive use of VPNs in the network and I wish to know if the logins occurring e.g. outside of Europe are owned by a known entity, such as Microsoft, or if it's something else.

I do not know much about how the Logic Apps are configured, so any pointers in the right direction are much appreciated.
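The flow the question describes (pull the IP entities off an incident, look each one up, decide whether the owner is an expected entity, and post a comment) can be modelled offline. The block below is an added example written for this thread; it is not code from the post, from the linked GitHub playbooks, or from the Sentinel connector. The entity layout, the lookup table, the list of known entities and the set of "home region" country codes are all constructed assumptions. In a real playbook the lookup would be a call to an IP reputation or geo service and the comment would be posted with the Sentinel "Add comment to incident" action; here a table stands in for the service and the comment is returned as text.

```python
"""Offline model of an IP-enrichment playbook: extract public IP entities from
an incident, look each one up, classify the owner, and build the comment text
that would be posted back to the incident. Added example, not thread code."""
import ipaddress

# Constructed incident entities in a Sentinel-like shape (assumed layout).
SAMPLE_ENTITIES = [
    {"kind": "Ip", "properties": {"address": "10.20.30.40"}},       # RFC 1918, no lookup
    {"kind": "Ip", "properties": {"address": "203.0.113.7"}},       # documentation range
    {"kind": "Ip", "properties": {"address": "198.51.100.200"}},    # documentation range
    {"kind": "Account", "properties": {"accountName": "jdoe"}},     # not an IP entity
    {"kind": "Ip", "properties": {"address": "not-an-ip"}},         # malformed, skipped
]

# Constructed stand-in for the external lookup service (assumption).
LOOKUP_TABLE = {
    "203.0.113.7": {"org": "Microsoft Corporation", "country": "US"},
    "198.51.100.200": {"org": "Example Hosting Ltd", "country": "BR"},
}

# Owners whose egress the SOC expects to see (e.g. a corporate VPN provider).
KNOWN_ENTITIES = {"microsoft corporation"}
# Country codes the SOC treats as the home region (constructed subset of Europe).
HOME_REGION = {"NO", "SE", "DK", "FI", "DE", "NL", "FR", "GB", "IE", "ES", "IT"}

# Ranges a public lookup service can say nothing useful about. Listed explicitly
# rather than via ipaddress.is_private, because Python also flags the
# documentation ranges used as sample data above as non-public.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128",
)]


def extract_public_ips(entities):
    """Return the routable IP addresses among the incident's IP entities,
    de-duplicated and in order of appearance; malformed values are skipped."""
    ips = []
    for ent in entities:
        if ent.get("kind") != "Ip":
            continue
        raw = ent.get("properties", {}).get("address", "")
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            continue
        if any(addr in net for net in NON_ROUTABLE):
            continue
        if str(addr) not in ips:
            ips.append(str(addr))
    return ips


def lookup_ip(ip):
    """Stand-in for the external lookup call; None when the service has no record."""
    return LOOKUP_TABLE.get(ip)


def classify(info):
    """Map a lookup result to the verdict the analyst wants in the comment."""
    if info is None:
        return "unknown"
    if info["org"].lower() in KNOWN_ENTITIES:
        return "known entity"
    if info["country"] in HOME_REGION:
        return "home region"
    return "outside home region, review"


def build_comment(entities):
    """Return the comment text the playbook would post, one line per public IP."""
    lines = []
    for ip in extract_public_ips(entities):
        info = lookup_ip(ip)
        verdict = classify(info)
        if info is None:
            lines.append(f"{ip}: no lookup result ({verdict})")
        else:
            lines.append(f"{ip}: {info['org']} ({info['country']}) - {verdict}")
    if not lines:
        return "IP enrichment: no public IP entities on this incident."
    return "IP enrichment:\n" + "\n".join(lines)


if __name__ == "__main__":
    print(build_comment(SAMPLE_ENTITIES))
```

Dropping non-routable addresses before the lookup matters in practice: a playbook that sends every IP entity to a reputation service wastes quota on RFC 1918 addresses and, for a service that returns an error rather than an empty result, can abort the run before the comment is written.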

Best Response confirmed by stianhoydal (Occasional Contributor)
Solution
Hi

The Azure Sentinel GitHub page is an awesome resource as it's actively maintained by the Sentinel team.
Here are a few examples:
https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Get-IPReputation
https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Get-GeoFromIpAndTagIncident
https://secureinfra.blog/2020/09/03/how-to-add-geographical-data-for-ip-addresses-to-an-azure-sentin...

I have been playing around with Logic Apps heavily. So feel free to reply if you are stuck somewhere.

@Thijs Lecomte 

This looks exactly like what I need. Let's see if I can make it work for my environment. Thank you : )


@Thijs Lecomte 

Well.. After some trial and error I cannot seem to make this work for me. I've read something about playbooks not necessarily working without the correct permission, you wouldn't happen to know which roles are needed to make functioning playbooks?

P.S. I am currently only assigned a Security Operator role.

What kind of errors are you receiving?
You need Contributor permissions in order to deploy to Logic Apps.

@Thijs Lecomte 

The "Alert - Get incident" returns "NotFound" and ends the run. 

Just the generic 404 resource not found. 


@stianhoydal If you look at this page: https://docs.microsoft.com/en-us/azure/sentinel/roles#roles-and-allowed-actions, you will notice that to work with Playbooks you need Azure Sentinel Contributor + Logic App Contributor roles.


@Gary Bushey 

I went in and checked, and I do have these permissions, but the error message I get when running the logic app @Thijs Lecomte linked persists. Thanks for linking the resource though, it was nice to clear up what permissions I actually need.

Could you share the Logic App and the exact error please?
Have you linked an Analytics rule to an alert?

@Thijs Lecomte 

That seems to have been my mistake, I never did link it to an alert, so no wonder it didn't find anything. But now it works like a charm. Thanks for the help.