How to create a playbook without the incident as reference

Copper Contributor

Please excuse the novice question.

 

But we are busy building playbooks for reactive and proactive responses to incidents. What we are finding is we can only create Playbooks based on incidents that have occurred in our environment.

 

So, as we are creating the incident, we can leverage the schema for that incident and perform the action we require.

 

1. How would you normally create Playbook for incidents that haven't occurred in your environment?

2. Is there a way to generate incidents to help create and test playbooks?

6 Replies

@ReccoB 

1) Are you talking about incidents that were created in another tenant (either another one from your company or a client)?   If so, you can use the Azure Sentinel REST API to get that information.  However, I would consider why you need to run it in your environment since you will be copying data from the other environment into yours which could run into some legal issues, depending on where the data is originally stored.

2) You can use the REST API calls to upload data into a custom log (see https://techcommunity.microsoft.com/t5/azure-sentinel/sending-rest-api-data-to-azure-sentinel/ba-p/5... for more information) and then write an Analytics rule to trigger off that data.  I do that for my demos a lot.

You can create a Logic App with a scheduled trigger so that it runs without having to have it triggered by an event

@Gary Bushey

 

The issue isnt where the data is sitting, its the creation of the playbook itself. I'll try explain myself a little better.

 

I only know how to create a playbook based off Sentinel incidents that come in (which also allows me to test it). So when I create a playbook, I find it easier to reference data from an incident and create a playbook from that and battle if I don't have that info.

 

How are you creating reactive playbooks? 

@ReccoB Like @Thijs Lecomte implied, Playbooks are just Azure Logic Apps that use a special trigger.  You can create a Logic App that triggers off items like a timer or a http request that can perform various actions.  You cannot associate these with an Analytics rule though, only Playbooks can do that.

@Gary Bushey 

 

I have a similar issue, for example i am creating a logic app for the scenario for ssh vm brute force attempts.

I want the playbook to block the IP for the brute forcer in the NSG (as sentinel recommends) via the logic app.

Without creating a test incident, how would i find an example payload/schema to find  where in the incident provides the IP address.

I would never have guessed that it was under the following if i did not bruteforce my own vm to create a test incident:

"body": {

            "networkConnections": [

                                                 "sourceaddress": ""

]

}

 Does Microsoft have an online dump of all the schemas or example outputs for incidents created by things such as ATP or MCAS?

@StephenN300 All incidents in Azure Sentinel follow the same schema that can be found at https://github.com/Azure/azure-rest-api-specs/tree/master/specification/securityinsights/resource-ma...

 

The SecurityInsights.json shows the actual schema for the various calls you can make and what gets returned and the "examples" folder has examples of the calls and what gets returned. Take a look at "incidents" sub-folder for examples of what incident information is returned.

 

In your case I would think you would want to create a Playbook to perform this task automatically or at least send an Email validation to make sure you want to perform this action.