Oct 04 2020 - last edited on Dec 23 2021
I am currently trying to set up a playbook that takes the IP from an incident, looks up this IP (IP lookup or other similar services), and places a comment on the incident regarding information about who owns this IP.
I am doing this because there is extensive use of VPNs in the network and I wish to know if the logins occurring, e.g., outside of Europe are owned by a known entity, such as Microsoft, or if it's something else.
I do not know much about how the logic apps are configured, so any pointers in the right direction are much appreciated.
Oct 05 2020 12:11 AM Solution
Oct 06 2020 12:29 AM
Well... After some trial and error, I cannot seem to make this work for me. I've read something about playbooks not necessarily working without the correct permissions. You wouldn't happen to know which roles are needed to make functioning playbooks?
P.S. I am currently only assigned a Security Operator role.
Oct 06 2020 01:25 AM
Oct 06 2020 03:36 AM
@stianhoydal If you look at this page: https://docs.microsoft.com/en-us/azure/sentinel/roles#roles-and-allowed-actions, you will notice that to work with Playbooks you need Azure Sentinel Contributor + Logic App Contributor roles.
Oct 06 2020 04:00 AM
Oct 06 2020 07:11 AM