Benjamin Kovacevic 3b14f7b57e
Update readme.md
Fixed broken links and added link to the blog (blog will be online on Tuesday)
2024-02-02 13:08:17 +00:00

Tasks-Repository

author: Benji Kovacevic

This solution contains a Tasks Repository watchlist and a playbook that are used to assign tasks automatically based on the incident title.
The solution is explained in detail in this blog post: Create Tasks Repository in Microsoft Sentinel.

Prerequisites

Permissions

  1. Watchlist:
    Permission needed to deploy: Microsoft Sentinel Contributor
  2. Playbook:
    Permission needed to deploy: Logic App Contributor
    Permission needed to assign RBAC to the managed identity: User Access Administrator or Owner on the resource group that hosts Microsoft Sentinel
  3. Automation rule:
    Permission needed to create: Microsoft Sentinel Responder

Quick Deployment

  1. Deploy the Tasks Repository watchlist using the ARM template (Deploy to Azure button), or using the raw CSV file and following the instructions on how to create a watchlist manually.
    Note: When creating the watchlist manually, use TasksRepository for the alias; otherwise this field will need to be updated in the playbook after deploying it. Also map SearchKey to the IncidentTitle column, as the playbook relies on it as well.

  2. Deploy the playbook (Deploy to Azure / Deploy to Azure Gov buttons).

  3. The final step is to create an automation rule that runs on incident creation for all incidents and, as an action, runs the playbook.

  • Title: Tasks repository
  • Trigger: When incident is created
  • Actions: Run playbook -> TasksRepository

[automation rule screenshot]

Post-deployment

  1. Assign the Microsoft Sentinel Responder role to the managed identity. To do so, choose the Identity blade under Settings of the Logic App.
  2. Open the playbook in Edit mode and add the managed identity to the Azure Monitor Logs action.
    [playbook screenshot]
    For Connection Name enter: Azuremonitorlogs-TasksRepository
    For Authentication Type choose: Logic Apps Managed Identity
    [playbook screenshot]
    Select Create New, and then Save the playbook.
  3. Add tasks to the Tasks Repository watchlist. Note: When adding additional tasks, a specific format must be used so that the playbook can map the task title and description fields. Each task field should consist of the task title, the unique separator |^|, and then the task description. The playbook uses the separator |^| to split the title and description of the task into their respective fields. In the watchlist example, column Task01 shows this format: Task 1|^|Task description.
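An added example, not part of this repository, that checks a watchlist CSV for the task format described above before it is uploaded: each Task column must contain a title, the |^| separator and a description, and each IncidentTitle (the SearchKey the playbook looks up) should appear only once. The column names IncidentTitle and Task01 come from this readme; Task02 and the sample rows are constructed.

```python
import csv
import io

SEPARATOR = "|^|"  # unique separator the playbook splits on, per the readme

# Constructed sample of the watchlist CSV (Task02 assumed to follow the Task01 naming pattern)
SAMPLE_CSV = """IncidentTitle,Task01,Task02
Suspicious sign-in,Task 1|^|Task description,Check sign-in logs|^|Review the user's recent sign-ins
Malware detected,Isolate host|^|Isolate the affected host,Bad task without separator
"""


def parse_task_field(value):
    """Split one task cell into (title, description); return None for an empty cell."""
    value = value.strip()
    if not value:
        return None
    if SEPARATOR not in value:
        raise ValueError(f"missing {SEPARATOR} separator in task field: {value!r}")
    title, description = value.split(SEPARATOR, 1)
    title, description = title.strip(), description.strip()
    if not title or not description:
        raise ValueError(f"empty title or description in task field: {value!r}")
    return title, description


def validate_repository(csv_text):
    """Return ({incident_title: [(task_title, task_description), ...]}, [error messages])."""
    tasks_by_incident = {}
    errors = []
    reader = csv.DictReader(io.StringIO(csv_text))
    task_columns = [c for c in reader.fieldnames if c.startswith("Task")]
    for row_number, row in enumerate(reader, start=2):  # row 1 is the header
        incident_title = (row.get("IncidentTitle") or "").strip()
        if incident_title in tasks_by_incident:
            # SearchKey maps to IncidentTitle, so a duplicate makes the lookup ambiguous
            errors.append(f"row {row_number}: duplicate IncidentTitle {incident_title!r}")
        tasks = []
        for column in task_columns:
            try:
                parsed = parse_task_field(row.get(column) or "")
            except ValueError as exc:
                errors.append(f"row {row_number}, {column}: {exc}")
                continue
            if parsed:
                tasks.append(parsed)
        tasks_by_incident[incident_title] = tasks
    return tasks_by_incident, errors


if __name__ == "__main__":
    tasks, errors = validate_repository(SAMPLE_CSV)
    for incident, items in tasks.items():
        print(incident, items)
    for error in errors:
        print("ERROR:", error)
```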