История

Benjamin Kovacevic e409cc5ac3 update of whatchlist playbooks with native actions		2022-04-28 15:29:43 +01:00
..
alert-trigger	update of whatchlist playbooks with native actions	2022-04-28 15:29:43 +01:00
incident-trigger	update of whatchlist playbooks with native actions	2022-04-28 15:29:43 +01:00
readme.md	update of whatchlist playbooks with native actions	2022-04-28 15:29:43 +01:00

readme.md

Add-HostToWatchlist

Author: Yaniv Shasha

This playbook will add a Host entity to a new or existing watchlist.

Logical flow to use this playbook

1. The analyst finished investigating an incident and one of its findings is a suspicious Host entity.
2. The analyst wants to enter this entity into a watchlist (can be from block list type or allowed list).
3. This playbook will run as a manual trigger from the full incident blade or the investigation graph blade, or automatically, and will add host to the selected watchlist.

Prerequisites

None.

Quick Deployment

Deploy with incident trigger (recommended)

After deployment, attach this playbook to an automation rule so it runs when the incident is created.

Learn more about automation rules

Deploy with alert trigger

After deployment, you can run this playbook manually on an alert or attach it to an analytics rule so it will rune when an alert is created.

Post-deployment

Assign Microsoft Sentinel Contributor role to the Playbook's Managed Identity

Screenshots

Incident Trigger

Alert Trigger