Azure-Sentinel/Playbooks/Watchlist-Add-IPToWatchList
Benjamin Kovacevic e409cc5ac3 update of watchlist playbooks with native actions 2022-04-28 15:29:43 +01:00

Add-IPToWatchlist

Author: Yaniv Shasha

This playbook adds an IP entity to a new or existing watchlist.

Logical flow to use this playbook

1. The analyst finishes investigating an incident, and one of its findings is a suspicious IP entity.
2. The analyst wants to enter this entity into a watchlist (the watchlist can be a block list or an allow list).
3. The playbook runs either manually, triggered from the full incident blade or the investigation graph blade, or automatically, and adds the IP entity to the selected watchlist.

Prerequisites

None.

Quick Deployment

Deploy with incident trigger (recommended)

After deployment, attach this playbook to an automation rule so it runs when the incident is created.

Learn more about automation rules

Deploy to Azure Deploy to Azure Gov

Deploy with alert trigger

After deployment, you can run this playbook manually on an alert or attach it to an analytics rule so it will run when an alert is created.

Deploy to Azure Deploy to Azure Gov

Post-deployment

1. Assign the Microsoft Sentinel Contributor role to the playbook's Managed Identity.

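The operation the playbook performs (take a validated IP entity and upsert it into a watchlist, authenticating as the managed identity that received the Sentinel Contributor role above), shown as an added Python example rather than the playbook's own Logic App definition. It assumes the Microsoft Sentinel Watchlist Items REST API (PUT on `.../watchlists/{alias}/watchlistItems/{id}` with a `properties.itemsKeyValue` body); the column name `IPAddress`, the subscription, resource group, workspace and alias values are constructed placeholders.

```python
"""Build (and optionally send) the Sentinel request that adds an IP watchlist item."""
import ipaddress
import json
import urllib.request
import uuid
from typing import Optional

API_VERSION = "2023-02-01"          # Watchlist Items API version (assumption)
IPADDRESS_COLUMN = "IPAddress"      # the watchlist's SearchKey column (assumption)


def normalize_ip(value: str) -> str:
    """Validate the IP entity and return its canonical text form.

    Hostnames, CIDR ranges and garbage raise ValueError, so a malformed
    entity never lands in a block list or allow list.
    """
    return str(ipaddress.ip_address(value.strip()))


def watchlist_item_id(alias: str, ip: str) -> str:
    """Deterministic item id: re-running the playbook on the same IP
    upserts the existing row instead of creating a duplicate."""
    return str(uuid.uuid5(uuid.NAMESPACE_URL, f"sentinel-watchlist/{alias}/{ip}"))


def build_put(subscription: str, resource_group: str, workspace: str,
              alias: str, ip: str, extra: Optional[dict] = None):
    """Return (url, body) for the Watchlist Items create-or-update call."""
    ip = normalize_ip(ip)
    url = (
        "https://management.azure.com"
        f"/subscriptions/{subscription}/resourceGroups/{resource_group}"
        f"/providers/Microsoft.OperationalInsights/workspaces/{workspace}"
        f"/providers/Microsoft.SecurityInsights/watchlists/{alias}"
        f"/watchlistItems/{watchlist_item_id(alias, ip)}?api-version={API_VERSION}"
    )
    # Extra columns (e.g. a Reason or IncidentId) are merged in; the search key wins.
    body = {"properties": {"itemsKeyValue": {**(extra or {}), IPADDRESS_COLUMN: ip}}}
    return url, body


def send(url: str, body: dict, bearer_token: str) -> int:
    """PUT the item using a token obtained for the playbook's managed identity;
    returns the HTTP status code."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="PUT",
        headers={"Authorization": f"Bearer {bearer_token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status
```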
Screenshots

Incident Trigger (screenshot)

Alert Trigger (screenshot)