Azure-Sentinel/Playbooks/Enrich-MalwareBazaar
juju4 71b42f11b1 docs: prerequisites update 2023-01-21 15:52:00 +00:00

Enrich-MalwareBazaar

Add information from MalwareBazaar (an abuse.ch project) to a Microsoft Sentinel incident: each FileHash entity of the incident is looked up in MalwareBazaar and the result is written back as an incident comment and tag.

Quick Deployment

Deploy with incident trigger (recommended)

After deployment, attach this playbook to an automation rule (trigger: "When incident is created") so it runs automatically on every new incident.

Learn more about automation rules

Deploy to Azure | Deploy to Azure Gov

Prerequisites

  • No API key was required for MalwareBazaar at the time of writing (January 2023); check the current abuse.ch API documentation before deploying, as the playbook sends no credentials to MalwareBazaar
  • The Logic Apps Custom Connector for MalwareBazaar (shipped in the CustomConnector folder of this playbook) must be deployed first; the playbook's customConnector parameter references it
  • The Logic App's managed identity must be assigned the Microsoft Sentinel Responder role on the Sentinel workspace (or its resource group) so it can read the incident from the trigger and write the comment and tag back to the incident

Screenshots

Enrich-MalwareBazaar

Workflow explained

(step by step pseudo-code)

  1. Microsoft Sentinel incident trigger (automation rule, "When incident is created")
  2. Get the FileHash entities of the incident
  3. Validate that the entities list is not empty; otherwise terminate (nothing to enrich)
  4. For each FileHash entity, query MalwareBazaar for that hash and append the result to the comment text
  5. Update the Sentinel incident with the comment and the appropriate tag, Found or NotFound
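The lookup and the comment/tag logic of steps 3 to 5, as an added Python example; this is not the playbook's own code (the playbook does the same thing with Logic App actions and the custom connector). It assumes the MalwareBazaar API form documented by abuse.ch (`POST https://mb-api.abuse.ch/api/v1/` with form fields `query=get_info` and `hash=<MD5|SHA1|SHA256>`, a `query_status` of `ok` or `hash_not_found`, and matches under `data`). The tag rule (Found if at least one hash is known, NotFound otherwise) and the sample responses are assumptions for the example, and the query function is injectable so the block runs offline against constructed data.

```python
"""Added example, not the playbook's code: per-hash MalwareBazaar lookup plus
the comment/tag logic the playbook writes back to the Sentinel incident.
Assumes the MalwareBazaar API shape (query=get_info, hash=<md5|sha1|sha256>)."""
import json
import re
import urllib.parse
import urllib.request

MB_API = "https://mb-api.abuse.ch/api/v1/"
# MalwareBazaar get_info accepts MD5 (32), SHA1 (40) or SHA256 (64) hex digests.
HASH_RE = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")


def valid_hash(value):
    """Reject anything that is not an MD5/SHA1/SHA256 hex string before it is
    sent to the API or echoed into an incident comment."""
    return bool(HASH_RE.match(value.strip()))


def query_malwarebazaar(file_hash, timeout=10):
    """Live lookup (no API key was required when the playbook was written)."""
    body = urllib.parse.urlencode({"query": "get_info", "hash": file_hash}).encode()
    req = urllib.request.Request(MB_API, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode())


def summarize(file_hash, result):
    """Turn one API response into (found, comment_line)."""
    status = result.get("query_status")
    if status == "ok" and result.get("data"):
        d = result["data"][0]  # first (and normally only) match for a hash
        line = (f"{file_hash}: FOUND in MalwareBazaar - signature={d.get('signature')}, "
                f"file_type={d.get('file_type')}, first_seen={d.get('first_seen')}, "
                f"tags={','.join(d.get('tags') or [])}")
        return True, line
    if status == "hash_not_found":
        return False, f"{file_hash}: not found in MalwareBazaar"
    return False, f"{file_hash}: query failed (query_status={status})"


def enrich(hashes, query=query_malwarebazaar):
    """Steps 3-5: empty entity list -> None (terminate); otherwise the comment
    text and the tag. Tag rule (assumed): Found if any hash is known."""
    hashes = [h for h in hashes if h]
    if not hashes:
        return None
    lines, found_any = [], False
    for h in hashes:
        if not valid_hash(h):
            lines.append(f"{h!r}: skipped, not an MD5/SHA1/SHA256 hash")
            continue
        try:
            found, line = summarize(h, query(h))
        except Exception as exc:  # a network/JSON error on one hash must not abort the run
            found, line = False, f"{h}: lookup error ({exc.__class__.__name__})"
        found_any |= found
        lines.append(line)
    return {"comment": "\n".join(lines), "tag": "Found" if found_any else "NotFound"}


# Constructed sample responses in the MalwareBazaar API shape (not real data).
SAMPLE = {
    "a" * 64: {"query_status": "ok", "data": [{"sha256_hash": "a" * 64,
               "file_type": "exe", "signature": "AgentTesla",
               "first_seen": "2023-01-01 00:00:00", "tags": ["exe", "AgentTesla"]}]},
    "b" * 64: {"query_status": "hash_not_found"},
}


def offline_query(file_hash):
    """Stand-in for query_malwarebazaar() so the example runs without network."""
    return SAMPLE.get(file_hash, {"query_status": "hash_not_found"})


if __name__ == "__main__":
    print(enrich(["a" * 64, "b" * 64, "not-a-hash"], query=offline_query))
```

The hash validation matters in a Sentinel playbook because FileHash entities can carry algorithms MalwareBazaar does not index (for example SHA-512 or imphash); skipping those explicitly keeps the comment honest instead of reporting them as "not found". Swap `offline_query` for `query_malwarebazaar` to run the lookup against the live API.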