Files

.azure-pipelines
.github
.script
.vscode
ASIM
BYOML
Dashboards
DataConnectors
Detections
Exploration Queries
Functions
Hunting Queries
Logos
MasterPlaybooks
Notebooks
Parsers
Playbooks
- .template
- 2S-Sentinel2MISP
- AD4IoT-AutoCloseIncidents
- AD4IoT-MailbyProductionLine
- AD4IoT-NewAssetServiceNowTicket
- AD4IoT-TritonDetectionAndResponse
- ADX-Health-Playbook
- AS-AI-Commandline-Analysis
- AS-Add-Azure-AD-User-Job-Title-to-Incident
- AS-Add-Machine-Logon-Users-to-Incident
- AS-Azure-AD-Disable-User
- AS-Azure-AD-Enable-User
- AS-Azure-AD-Group
- AS-Blob-Storage-Add-Domains-to-Zscaler-URL-Category
- AS-Block-GitHub-User
- AS-Block-Hash-in-Defender
- AS-Clear-Okta-Network-Zone-List
- AS-Compromised-Machine-Tagging
- AS-Create-Opsgenie-Incident
- AS-Delete-App-Registration
- AS-Disable-Microsoft-Entra-ID-User-From-Entity
- AS-Edgescan-Integration
- AS-Enable-Microsoft-Entra-ID-User-From-Entity
- AS-IAM-Entra-ID-Master-Playbook
- AS-IAM-Master-Playbook
- AS-IP-Blocklist-Remove-IPs
- AS-IP-Blocklist
- AS-Import-Azure-AD-Group-Users-to-MS-Watchlist
- AS-Incident-Host-Exposure-Level
- AS-Incident-IP-Matched-on-Watchlist
- AS-Incident-Response-Approval-Email
- AS-Incident-Spiderfoot-Scan
- AS-MDE-Isolate-Machine
- AS-MDE-Unisolate-Machine
- AS-Make-GitHub-Repository-Private
- AS-Microsoft-DCR-Log-Ingestion
- AS-Okta-NetworkZoneUpdate
- AS-PagerDuty-Integration
- AS-Recurring-Host-Entity
- AS-Remove-Domains-from-Zscaler-URL-Category
- AS-Revoke-Azure-AD-User-Session-From-Entity
- AS-Revoke-Azure-AD-User-Session-From-Incident
- AS-Sign-Out-Google-User
- AS-Slack-Integration
- AS-Terminate-Okta-User-Session-From-Entity
- AS-Update-Okta-Network-Zone-From-Entity
- Add-IP-Entity-To-NSG
- Add-IP-Entity-To-Named-Location
- Affected-Key-Credentials-CVE-2021-42306
- Aggregate-SNOW-tickets
- AutoConnect-ASCSubscriptions
- AzureMonitor-ManagedId
- Block-AADUserOrAdmin
- Block-ExchangeIP
- Block-IPs-on-MDATP-Using-GraphSecurity
- Block-OnPremADUser
- Change-Incident-Severity
- CiscoASA
- Close-Incident-MCAS
- Close-SentinelIncident-fromSNOW
- Comment-OriginAlertURL
- Comment-RemediationSteps
- Create Incidents From Http
- Create Incidents with Email
- Create-AzureDevOpsTask
- Create-AzureSnapshot
- Create-IBMResilientIncident
- Create-Incident-on-missing-Data-Source
- Create-Zendesk-Ticket
- CrowdStrike
- CybleLogicApp
- Dismiss_Upstream_Events
- Dynamic-Summaries-API-Upsert
- Enrich-AzureResourceGraph-Incident
  - images
  - azuredeploy.json
  - readme.md
- Enrich-AzureResourceGraph
- Enrich-CIRCL-hashlookup
- Enrich-Intezer-Analyze
- Enrich-MalwareBazaar
- Enrich-Sentinel-Incident-AlienVault-OTX
- Enrich-SentinelIncident-GreyNoise-IP
- Enrich-SentinelIncident-GreyNoiseCommunity-IP
- Enrich-SentinelIncident-MDATPTVM
- Export-Incidents-With-Comments
- Export-Report-CSV
- F5BigIP
- ForcepointNGFW
- Fortinet-FortiGate
- Get-AD4IoTDeviceCVEs
- Get-ASCRecommendations
- Get-AlertEntitiesEnrichment
- Get-AlienVault_OTX
- Get-CompromisedPasswords
- Get-GeoFromIPandTagIncident-EmailAlertBasedonGeo
- Get-GeoFromIpAndTagIncident
- Get-MDATPVulnerabilities
- Get-MDEFileActivityWithin30Mins
- Get-MDEInvestigationPackage
- Get-MDEProcessActivityWithin30Mins
- Get-MDEStatistics
- Get-MachineData-EDR-SOAR-ActionsOnMachine
- Get-MerakiData-ConfigurationChanges
- Get-MerakiData-OrgSecurityEvents
- Get-Microsoft-Covid19-Indicators
- Get-O365Data
- Get-Recipients-EmailMessageID-containing-URL
- Get-SOCActions
- Get-SOCTasks
- Get-SentinelAlertsEvidence
- Get-TenableVlun
- Get-VTURLPositivesComment
- Guardicore-Import-Assets
- Guardicore-Import-Incidents
- Guardicore-ThreatIntel
- HaveIBeenPwned-Email
- HaveIBeenPwned
- IdentityProtection-EmailResponse
- IdentityProtection-TeamsBotResponse
- Incident-Email-Notification
- Incident-Status-Sync-To-WDATP
- IncidentUpdate -Get-SentinelAlertsEvidence
- Ingest-CanaryTokens
- Ingest-Prisma
- Isolate-AzureStorageAccount
- Isolate-AzureVMtoNSG
- M365-Security-Posture
- MDTI-Actor-Lookup
- Netskope
- Notify-ASCAlertAzureResource
- OktaRawLog
- Open-ServiceDeskPlusOnDemand-Ticket
- PaloAlto-PAN-OS
- PaloAlto-Wildfire
- Post-Tags-And-Comments-To-Your-IntSights-Account
- Put-MDEAlert-Hunting-GitHub
- QuickStart-SentinelTriggers
- RecordedFuture-Block-IPs-and-Domains-on-Microsoft-Defender-for-Endpoint
- RecordedFuture_IP_SCF
- Remove-MDEAppExecution
- Reopen-Incdient-With-Incomplete-Tasks
- Resolve-McasInfrequentCountryAlerts
- Run-AzureVMPacketCapture
- Run-Notebook-After-Incident-Creation
- Save-NamedLocations
- Send-AnalyticalRulesHealthNotifications
- Send-AzCommunicationsSMSMessage
- Send-ConnectorHealthStatus
- Send-IngestionCostAlert
- Send-IngestionCostAnomalyAlert
- Send-Slack-Message-Webhook
- Send-UnhealthyAzureArcResourceAlert
- Send-UrlReport
- Spur-Enrichment
- Start-MDEAutomatedInvestigation
- Sync-IncidentCommentToM365DOnUpdate
- Sync-Sentinel-Incident-Comments-To-M365Defender
- ThinkstCanary-Alert-Ingestion
- Update-BulkIncidents
- Update-CVE-IPs-WatchListwithGreyNoise
- Update-NamedLocations-TOR
- Update-VIPUsers-Watchlist-from-AzureAD-Group
- Update-Watchlist-With-NamedLocation
- Watchlist-SendSQLData-Watchlist
- Zscaler-add-Domains-to-URL-Category
- Zscaler
- [Deprecated]Move-LogAnalytics-to-Storage
- CSV-Report-Export
- Download.png
- ReadMe.md
- logic_app_logo.png
QueryLanguageSamples
Sample Data
Solutions
Summary rules
Tools
Tutorials
Watchlists
Workbooks
docs
.gitignore
.gitmodules
CODEOWNERS
Excessive login attempts.json
GettingStarted.md
LICENSE
README.md
SECURITY.md
azure-pipelines.yml
deploy.json
logic_app_logo.png
package-lock.json
package.json
tsconfig.json

Enrich-AzureResourceGraph-Incident

docs: add IAM Sentinel Responder to readme

Apr 30, 2023

0ebf595 · Apr 30, 2023

Name	Name	Last commit message	Last commit date
parent directory ..
images	images	feat: add Playbooks/Enrich-AzureResourceGraph-Incident	Apr 22, 2023
azuredeploy.json	azuredeploy.json	fix: add metadata	Apr 22, 2023
readme.md	readme.md	docs: add IAM Sentinel Responder to readme	Apr 30, 2023

readme.md

Enrich-AzureResourceGraph-Incident

This logicapp calls Enrich-AzureResourceGraph to comment Sentinel Incident based on ResourceGraph data

Quick Deployment

After deployment,

Allow logicapp managed identity to update incident by adding IAM role Sentinel Responder or above
attach this playbook to an automation rule so it runs when the incident is created.

Learn more about automation rules

Prerequisites

Enrich-AzureResourceGraph logicapp
Adapt query to your context

Screenshots

Workflow explained

Azure Sentinel incident trigger
Get Hosts entities
For each host, call Enrich-AzureResourceGraph
Add comment and tag found/notfound depending on output

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Files

Enrich-AzureResourceGraph-Incident

Enrich-AzureResourceGraph-Incident

readme.md

Enrich-AzureResourceGraph-Incident

Quick Deployment

Prerequisites

Screenshots

Workflow explained

Files

Enrich-AzureResourceGraph-Incident

Directory actions

More options

Directory actions

More options

Latest commit

History

Enrich-AzureResourceGraph-Incident

Folders and files

parent directory

readme.md

Enrich-AzureResourceGraph-Incident

Quick Deployment

Prerequisites

Screenshots

Workflow explained