Problems with Playbooks - Request Header Fields Too Large
Hi all, Since this afternoon my Playbooks are not working anymore. I have a few Playbooks that are being triggered by Automations Rules. The first step in the Playbook is the Sentinel Incident Trigger. Second step is the "Get Incident" which gets the incident details with the Incident ARM ID from step 1. The second step is not working anymore and I get with every Playbook "Status Code: 431" and as output: { "StatusCode": 431, "ReasonPhrase": "Request Header Fields Too Large", "Content": "", "Headers": { "Pragma": [ "no-cache" ], The same error happens with a Playbook where I add a comment to the Incident. Status code is also 431 and stops the Playbook. Anybody any solution/help to fix this? Thanks in advance!
Create playbook to release requested quarantined emails?
I can't find any information on possibility of releasing quarantined emails of the alert created by Microsoft Defender XDR. Such as "User requested to release a quarantined message" and "User requested to release a quarantined message involving one user". I see there are playbooks created with Microsoft Defender Connector. Have conditions in such as non-high confidence only and not reported by more than one user. Would Azure logic app be able to do this, if so, some guide is appreciated?Sentinel incident playbook - get alert entities
Hi! My main task is to get all alerts (alerts, not incidents) from sentinel (analytics rules and Defender XDR) to external case management. For different reasons we need to do this on alert level. Alert trigger by design works perfectly, but this does not trigger on Defender alerts on Sentinel, only analytic rules. When using Sentinel incident trigger, then i'm not able to extract entities related to alerts, only incident releated entities. Final output is sent with HTTP post to our external system using logic app. Any ideas how to get in logic app all alerts with their entities?
Send-Teams-adaptive-card-on-incident add Entities
Hello everyone, I’m looking for a way to insert Entities into the adaptive card. The method I use for Outlook, namely HTML, I can’t use it because it’s not supported. Do you have any ideas? My goal is, in addition to the incident, to show the involved entities, for example, account, host, IP, file etc.AITM Attack - Canary URL
Hello. I am trying to work through the configuration in this article; https://ironpeak.be/blog/azure-detecting-aitm-attacks/ I created the following logic app; The generated URL has been added to a CSS file and uploaded as outlined in that article, and the branding changes are active. When someone logs in to something like the Azure portal the logic app is triggered, but the condition is always "false". If I look at the output the "Referer" is exactly as it should be for the condition to be true; Any help where I am going wrong would be greatly appreciated.
RE: How you extract 'Incident ARM ID' from a KQL query to be used in a Logic App
Hello, Can the Security Incident ID be extracted from the SecurityIncident table and used as a property or Entity value in a workflow action of a Logic App, such as 'Update Incident'? See the below image... What is the actual structure of the Incident ARM ID? Is it the 'IncidentNumber' from the table, OR do you have to parse it from the property 'IncidentUrl'?Permissions issue with Run-MDEAntivirus playbook
Hi, I am having a permissions issue with getting the playbook template ‘Run-MDEAntivirus’ working. So far I have: Given Microsoft Sentinel permissions to run playbooks in the correct Resource Group. Deployed the Playbook template from Sentinel (as at January 2023) with a system assigned managed identity. Used Powershell to grant the managed identity permissions ‘Machine.Scan’, ‘Machine.ReadWrite.All’ and ‘Machine.Read.All’ Dropped an EICAR file on a host and watched the playbook trigger as expected. Steps using the Sentinel connector inside the Logic app work (these all have green tickets and contain the expected data). The first MDE step ‘Machines - Get a Single Machine’ fails with a 403 error. Message it returns is ‘Missing application roles. API required roles: Machine.Read.All,Machine.ReadWrite.All, application roles ‘Machine.Scan’. I am not clear where I need to add those privileges. My understanding is the Logic App is using the wdatp-Run-MDEAntivirus API connection which in turn is using the Managed Identity (that has the right privileges). Any suggestions on what to do next would be welcome. Cheers, Michael
