Many thanks to @Julian Gonzalez for working together on the playbook templates!
In the previous article, Playbooks & Watchlists Part 1: Inform the subscription owner, I presented one scenario for using Watchlists in Playbooks, together with some best practices: how to query a watchlist using the Azure Monitor Logs connector and how to use the output data.
In this blogpost I'll present another use case and some new ways to work with Watchlist data.
Allow-listing is a strategy for letting certain identities or sources access sensitive resources, or for excluding them from security protections. One example is a set of IP addresses that may trigger new alerts but are known to the SOC as coming from approved sources. When a new alert contains only approved IPs as its entities, we might want to save analysts' time and auto-close the incident.
Of course, further steps and actions can be added to this playbook for whatever else the SOC does in this case. The same practice can also be adopted for deny-list scenarios: the same membership check, with the opposite action when an entity matches.
This blogpost requires:
A user or registered application with the Azure Sentinel Contributor role, to be used by the Azure Sentinel connector in Logic Apps. (If the playbook only needs to read incidents, add comments and change status, the Azure Sentinel Responder role is sufficient.)
When a response to an Azure Sentinel alert is triggered
The playbook runs when an Azure Sentinel alert is created and receives the alert as its input.
Initialize variables
These actions store the values used later in the playbook: an array for the IPs found in the Watchlist ("safe") and an array for IPs that were not found ("not safe").
Entities - Get IPs
This action takes all the entities found in the alert and extracts only the IP entities, with their fields exposed as dynamic content for later actions.
For Each IP
Iterates over the IPs found in this alert and, for each one, checks whether the IP appears in the Watchlist and appends it to the "safe" or "not safe" array accordingly.
Add a comment to the incident
In this step we record the information collected so far as an incident comment: the list of safe IPs found in the Watchlist, alongside the list of unknown IPs.
Finally, we want to check whether any IP was found to be not safe. This condition checks if the "not safe" array is empty; if so, we close the incident. Note that an alert with no IP entities at all also leaves this array empty, so if the playbook is attached to such alerts, also check that the "safe" array is not empty before closing.
Change Incident Status
Closes the incident with the Benign Positive classification (reason: Suspicious but expected).
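The decision logic of the steps above, written out as an added example so it can be tested outside Logic Apps (this is not code from the original post or from the playbook template). The IP entities and watchlist rows are constructed samples; the entity field name "Address", the watchlist column name "IPAddress" and the watchlist name are assumptions, so adjust them to your own alert schema and CSV. The example also goes one step beyond the playbook as described: watchlist rows may be CIDR ranges as well as single addresses, and an alert with no IP entities is deliberately not closed.

```python
import ipaddress

# Constructed sample: the Sentinel "Entities - Get IPs" action returns the alert's
# IP entities; the "Address" field name is an assumption. Addresses are TEST-NET ranges.
SAMPLE_IP_ENTITIES = [
    {"Type": "ip", "Address": "203.0.113.10"},
    {"Type": "ip", "Address": "203.0.113.10"},   # duplicate entity, common in real alerts
    {"Type": "ip", "Address": "198.51.100.7"},
]

# Constructed watchlist rows, as _GetWatchlist('ApprovedIPs') would return them.
# The "IPAddress" column is an assumption; use whatever column your CSV defines.
SAMPLE_WATCHLIST_ROWS = [
    {"IPAddress": "203.0.113.10", "Owner": "Vulnerability scanner"},
    {"IPAddress": "192.0.2.0/24", "Owner": "Corporate egress"},
    {"IPAddress": "not-an-ip", "Owner": "malformed row"},
]


def load_watchlist(rows, column="IPAddress"):
    """Parse watchlist rows into networks; a single IP becomes a /32 (or /128).
    Malformed rows are skipped rather than being allowed to match anything."""
    networks = []
    for row in rows:
        try:
            networks.append(ipaddress.ip_network(row[column].strip(), strict=False))
        except (KeyError, ValueError):
            continue
    return networks


def _is_listed(address, networks):
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False  # an unparseable entity is never treated as safe
    return any(ip in net for net in networks)


def classify_ips(ip_entities, networks):
    """Split the alert's IP entities into (safe, unknown), mirroring the two
    arrays the playbook's For Each loop appends to. Lists are de-duplicated."""
    safe, unknown = [], []
    for entity in ip_entities:
        address = entity.get("Address", "")
        target = safe if _is_listed(address, networks) else unknown
        if address not in target:
            target.append(address)
    return safe, unknown


def build_comment(safe, unknown):
    """Text for the 'Add a comment to the incident' step."""
    return (
        f"Allow-list check: {len(safe)} IP(s) in watchlist [{', '.join(safe)}]; "
        f"{len(unknown)} unknown IP(s) [{', '.join(unknown)}]"
    )


def should_auto_close(safe, unknown):
    """Close only when every IP is listed AND there was at least one IP.
    An alert with no IP entities also has an empty 'unknown' list; closing it
    on that basis alone would hide an incident nobody looked at."""
    return not unknown and bool(safe)


def run_playbook(ip_entities, watchlist_rows):
    """End-to-end equivalent of the playbook: classify, comment, then decide."""
    networks = load_watchlist(watchlist_rows)
    safe, unknown = classify_ips(ip_entities, networks)
    result = {"safe": safe, "unknown": unknown, "comment": build_comment(safe, unknown)}
    if should_auto_close(safe, unknown):
        result["status"] = "Closed"
        result["classification"] = "BenignPositive"
    else:
        result["status"] = "Active"
        result["classification"] = None
    return result


if __name__ == "__main__":
    print(run_playbook(SAMPLE_IP_ENTITIES, SAMPLE_WATCHLIST_ROWS))
```

With the sample data, 198.51.100.7 is not in the watchlist, so the incident stays active and the comment lists it as unknown; replace it with an address inside 192.0.2.0/24 and the incident is closed as Benign Positive.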
Create and Upload your watchlist
On the left menu, click API connections.
For each product used in this playbook, click the connection name; in our case it is only the Azure Sentinel connection.
Click Authorize to sign in with your user (or the registered application from the prerequisites), and don't forget to save.