Folder contents: images/, VIPUserswatchlistexample.csv, azuredeploy.json, readme.md
Watchlist-ChangeIncidentSeverityandTitleIFUserVIP
author: Yaniv Shasha
This playbook leverages Azure Sentinel Watchlists to adapt the severity of incidents that include a User entity by checking each user against a VIP user list.
For each User account included in the alert (entities of type User):
- Check if User is included in watchlist.
- If the user is in the watchlist, change the incident severity to Critical.
- Add a comment to the incident listing the safe and not safe IPs found.
- Modify the incident title to include the User name and the text "VIP User!!!".
Configurations
- Configure the step "Run query and list results" with the identifiers of the Sentinel workspace where the watchlist is stored.
- The watchlist used in this example has at least one column named Name, which stores the safe address. See the csv file attached in this folder as an example.
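The following Python script is an added illustration of the playbook logic described above; it is not part of this repository and does not call Azure Sentinel. It replays the three steps offline: load a watchlist with a `Name` column (the CSV content below is constructed, not the attached example file), walk the User entities of an incident, and on a hit raise the severity to Critical, append a comment, and rewrite the title. The incident dictionary layout (`entities` with `kind` and `name`, `severity`, `title`, `comments`) is an assumption made for this example, not the Logic App's actual schema.

```python
import csv
import io

# Constructed sample watchlist in the layout the readme describes:
# at least one column named "Name". These values are made up for this example.
WATCHLIST_CSV = """Name,Title
alice@contoso.example,CFO
bob@contoso.example,CISO
"""


def load_vip_names(csv_text):
    """Parse watchlist CSV text and return the set of Name values, case-folded
    so the later comparison is case-insensitive like a KQL =~ match."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["Name"].strip().casefold() for row in reader if row.get("Name")}


def process_incident(incident, vip_names):
    """Mimic the playbook on an in-memory incident (assumed layout):
    for each entity of kind User, check it against the watchlist; if any user
    is a VIP, set severity to Critical, add a comment, and change the title."""
    updated = dict(incident)
    vip_hits, non_vip = [], []
    for entity in incident.get("entities", []):
        if entity.get("kind") != "User":
            continue  # only User entities are checked, as in the readme
        name = entity["name"]
        (vip_hits if name.casefold() in vip_names else non_vip).append(name)

    if vip_hits:
        updated["severity"] = "Critical"
        # Title gets the user name(s) plus the marker text from the readme.
        updated["title"] = f"{incident['title']} - {', '.join(vip_hits)} VIP User!!!"
        updated["comments"] = list(incident.get("comments", [])) + [
            f"VIP users found: {', '.join(vip_hits)}; "
            f"other users: {', '.join(non_vip) or 'none'}"
        ]
    return updated


# Constructed sample incident for a stand-alone run.
SAMPLE_INCIDENT = {
    "title": "Suspicious sign-in",
    "severity": "Medium",
    "comments": [],
    "entities": [
        {"kind": "User", "name": "Alice@contoso.example"},
        {"kind": "User", "name": "carol@contoso.example"},
        {"kind": "Host", "name": "wks-01"},
    ],
}

if __name__ == "__main__":
    result = process_incident(SAMPLE_INCIDENT, load_vip_names(WATCHLIST_CSV))
    print(result["severity"], "|", result["title"])
    for comment in result["comments"]:
        print("comment:", comment)
```

Running the script prints the escalated severity and rewritten title for the constructed incident; an incident whose users are all absent from the watchlist is returned unchanged, which is the behaviour the playbook's conditional step relies on.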
Overall:
For each IP: