Azure-Sentinel/Playbooks/Enrich-CIRCL-hashlookup
juju4 87d3dd6591 change custom connector variable name 2023-01-28 19:30:05 +00:00

readme.md

Enrich-CIRCL-hashlookup

Adds information from the CIRCL hashlookup public instance about file hashes found in the entities of a Sentinel incident. Only MD5 and SHA1 hashes are supported.

Quick Deployment

Deploy with incident trigger (recommended)

After deployment, attach this playbook to an automation rule so it runs when the incident is created.

Learn more about automation rules


Prerequisites

  • No authentication is required for the hashlookup server (public instance)
  • The Logic Apps custom connector CIRCL-hashlookup must be deployed
  • The Logic App's managed identity must be granted the Sentinel Responder role so it can read the incident from the trigger and write the comment and tag back to the incident

Screenshots

(screenshot: Enrich-CIRCL-hashlookup playbook designer view)

Workflow explained

(step-by-step pseudo-code)

  1. Sentinel incident trigger
  2. Get the FileHash entities of the incident
  3. Check that the entity list is not empty; otherwise terminate
  4. For each FileHash, run a bulk search for MD5 and SHA1 values and append the result to the comment
  5. Update the Sentinel incident with the comment and the appropriate tag (Found or NotFound)
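The steps above map onto a small amount of logic that is easy to follow outside the Logic App designer. The following Python sketch is an added example, not the playbook's or the connector's own code: it groups incident FileHash entities by algorithm, drops anything that is not MD5 or SHA1, terminates when nothing is left, queries a bulk-lookup function per algorithm, and produces the incident comment plus the Found/NotFound tag. The entity shape (`kind` / `properties.hashValue`), the `/bulk/md5` and `/bulk/sha1` endpoint paths, and the record keys `MD5`, `SHA-1`, `FileName` and `hashlookup:trust` are assumptions about the public instance; the sample entities and the offline lookup stub are constructed for the example.

```python
import json
import re
import urllib.request
from typing import Callable, Dict, List, Optional

# Lowercase hex only: values are normalised before matching.
MD5_RE = re.compile(r"^[0-9a-f]{32}$")
SHA1_RE = re.compile(r"^[0-9a-f]{40}$")

# Assumed: the public instance exposes POST /bulk/md5 and POST /bulk/sha1,
# taking {"hashes": [...]} and returning a JSON list of matching records
# keyed by "MD5" / "SHA-1" with "FileName" and "hashlookup:trust" fields.
HASHLOOKUP_BASE = "https://hashlookup.circl.lu"
RECORD_KEY = {"md5": "MD5", "sha1": "SHA-1"}


def split_by_algorithm(entities: List[dict]) -> Dict[str, List[str]]:
    """Step 2: keep FileHash entities only and group them by algorithm.
    SHA256 and malformed values are skipped (MD5 and SHA1 only)."""
    groups: Dict[str, List[str]] = {"md5": [], "sha1": []}
    for ent in entities:
        if ent.get("kind") != "FileHash":
            continue
        value = str(ent.get("properties", {}).get("hashValue", "")).strip().lower()
        if MD5_RE.match(value):
            groups["md5"].append(value)
        elif SHA1_RE.match(value):
            groups["sha1"].append(value)
    return groups


def enrich(entities: List[dict],
           bulk_lookup: Callable[[str, List[str]], List[dict]]) -> Optional[dict]:
    """Steps 3-5: terminate on an empty list, bulk-query each algorithm,
    then build the comment and the Found/NotFound tag for the incident."""
    groups = split_by_algorithm(entities)
    queried = sum(len(v) for v in groups.values())
    if queried == 0:
        return None  # step 3: nothing to enrich, the workflow terminates

    known: Dict[str, dict] = {}
    for algo, hashes in groups.items():
        if not hashes:
            continue
        for record in bulk_lookup(algo, hashes):
            h = str(record.get(RECORD_KEY[algo], "")).lower()
            if h in hashes:  # only trust records for hashes we asked about
                known[h] = record

    lines = []
    for algo, hashes in groups.items():
        for h in hashes:
            rec = known.get(h)
            if rec:
                lines.append(f"{algo.upper()} {h}: known file "
                             f"'{rec.get('FileName', '?')}' "
                             f"(trust {rec.get('hashlookup:trust', '?')})")
            else:
                lines.append(f"{algo.upper()} {h}: not in hashlookup")
    tag = "Found" if known else "NotFound"
    comment = "CIRCL hashlookup enrichment:\n" + "\n".join(lines)
    return {"comment": comment, "tag": tag, "known": len(known), "queried": queried}


def circl_bulk_lookup(algorithm: str, hashes: List[str]) -> List[dict]:
    """Live lookup against the public instance (assumed endpoint shape).
    No authentication is needed. Not called in the offline run below."""
    req = urllib.request.Request(
        f"{HASHLOOKUP_BASE}/bulk/{algorithm}",
        data=json.dumps({"hashes": hashes}).encode(),
        headers={"Content-Type": "application/json", "Accept": "application/json"},
        method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


# Constructed incident entities: one MD5, one SHA1, one SHA256 (skipped),
# one non-hash entity (skipped). Hash values are made up for the example.
SAMPLE_ENTITIES = [
    {"kind": "FileHash", "properties": {"algorithm": "MD5",
        "hashValue": "A1B2C3D4E5F60718293A4B5C6D7E8F90"}},
    {"kind": "FileHash", "properties": {"algorithm": "SHA1",
        "hashValue": "0123456789abcdef0123456789abcdef01234567"}},
    {"kind": "FileHash", "properties": {"algorithm": "SHA256",
        "hashValue": "0" * 64}},
    {"kind": "Account", "properties": {"accountName": "alice"}},
]


def fake_bulk_lookup(algorithm: str, hashes: List[str]) -> List[dict]:
    """Offline stand-in for circl_bulk_lookup returning constructed records:
    the MD5 is 'known', the SHA1 is not."""
    if algorithm == "md5":
        return [{"MD5": "a1b2c3d4e5f60718293a4b5c6d7e8f90",
                 "FileName": "constructed.bin", "hashlookup:trust": 50}]
    return []


if __name__ == "__main__":
    result = enrich(SAMPLE_ENTITIES, fake_bulk_lookup)
    print(result["tag"])
    print(result["comment"])
```

Swap `fake_bulk_lookup` for `circl_bulk_lookup` to query the public instance; the `h in hashes` filter matters because the comment is written into the incident, so only records for hashes actually present in the incident should reach it.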