Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community
SOLVED

Add comment to incident with IP information

Brass Contributor

Greetings everyone!

 

I am currently trying to set up a playbook that takes the IP from a incident, looks up this ip(ip lookup or other similar services), and places a comment on the incident regarding information about who owns this IP. 

I am doing this because there is extensive use of VPN's in the network and i wish to know if the logins occurring e.g. outside of Europe is owned by a known entity, such as Microsoft, or if it's something else. 

I do not know much about how the logic apps are configured so any pointers in the right direction is much appreciated.

9 Replies
best response confirmed by stianhoydal (Brass Contributor)
Solution
Hi

The Azure Sentinel Github page is an awesome resource as it's actively maintained by the Sentinel team.
Here are a few examples:
https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Get-IPReputation
https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Get-GeoFromIpAndTagIncident
https://secureinfra.blog/2020/09/03/how-to-add-geographical-data-for-ip-addresses-to-an-azure-sentin...

I have been playing around with Logic Apps heavily. So feel free to reply if you are stuck somewhere

@Thijs Lecomte 

This looks exactly like what i need. Let's see if i can make it work for my environment. Thank you : )

@Thijs Lecomte 

 

Well.. After some trial and error I cannot seem to make this work for me. I've read something about playbooks not necessarily working without the correct permission, you wouldn't happen to know which roles are needed to make functioning playbooks?

P.S. I am currently only assigned a Security Operator role.

What kind of errors are you receiving?
You need Contributor permissions in or der to deploy to logic app

@Thijs Lecomte 

 

The "Alert - Get incident" returns "NotFound" and ends the run. 

Just the generic 404 resource not found. 

@stianhoydal If you look at this page: https://docs.microsoft.com/en-us/azure/sentinel/roles#roles-and-allowed-actions, you will notice that to work with Playbooks you need Azure Sentinel Contributor + Logic App Contributor roles.

@Gary Bushey 

I went in and checked, and i do have these permissions, but the error message i get, when running the logic app @Thijs Lecomte linked, persists. Thanks for linking the resource though, it was nice to clear up what permissions i actually need.

Could you share the Logic App and the exact error please?
Have you linked an Analytics rule to an alert?

@Thijs Lecomte 

That seems to have been my mistake, i never did link it to an alert, so no wonder it didn't find anything. But now it works like a charm. Thanks for the help. 

1 best response

Accepted Solutions
best response confirmed by stianhoydal (Brass Contributor)
Solution
Hi

The Azure Sentinel Github page is an awesome resource as it's actively maintained by the Sentinel team.
Here are a few examples:
https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Get-IPReputation
https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Get-GeoFromIpAndTagIncident
https://secureinfra.blog/2020/09/03/how-to-add-geographical-data-for-ip-addresses-to-an-azure-sentin...

I have been playing around with Logic Apps heavily. So feel free to reply if you are stuck somewhere

View solution in original post