Watchlist-SendSQLData-Watchlist
author: Yaniv Shasha
This playbook leverages Azure Sentinel Watchlists in order to get the relevant data from Azure SQL, and creates a new watchlist or updates an existing watchlist with the query output.

Prerequisites
- A user or registered application with the Azure Sentinel Contributor role, to be used with the Azure Sentinel connector to Logic Apps.
- A user with read access to the SQL database, to be able to query the data.
The playbook, presented below, works as follows:
- Triggers daily.
- Takes as variables:
  - Subscription
  - Workspace
  - Resource group
  - Watchlist name
- Runs a SQL SELECT statement against the Azure SQL DB (this Logic App can be changed to run against on-premises SQL with the Logic Apps on-premises data gateway feature).
- Parses the results as JSON (if you are running a different SQL query, you should adapt the Parse JSON schema).
- Creates a CSV payload from the results.
- Checks if the watchlist exists.
- Based on the result, creates or updates the watchlist with the result set from the SQL query.
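The middle of that flow (Parse JSON, build the CSV payload, check whether the watchlist exists, then create or update it) is where most adaptation happens when you change the SQL query. The script below is an added example and not the playbook's own code: it models those steps outside Logic Apps so you can verify the payload you are about to send. The sample SQL result rows are constructed, the `SAMPLE_*` names and the `COLUMNS` list are assumptions you would replace with your own query's columns, and the watchlist URL and request body follow the public Microsoft.SecurityInsights watchlists REST API (create-or-update via PUT, `rawContent` with `contentType` `text/csv`) as I understand it, not the connector's internal calls. It is deliberately offline: it builds and validates the request instead of sending it.

```python
import csv
import io
import json
from typing import Any, Dict, List

# Assumed API version for the Microsoft.SecurityInsights watchlists endpoint.
API_VERSION = "2021-10-01"

# Columns the constructed sample query returns; adapt this list to your own
# SELECT statement exactly as you would adapt the Parse JSON schema in the playbook.
COLUMNS = ["UserPrincipalName", "Department", "IsPrivileged"]

# Constructed sample: what the "Execute a SQL query" step hands to "Parse JSON".
# Values include a comma and embedded quotes to exercise CSV escaping.
SAMPLE_SQL_RESULT_JSON = json.dumps([
    {"UserPrincipalName": "alice@example.com", "Department": "Finance, EMEA", "IsPrivileged": 1},
    {"UserPrincipalName": "bob@example.com", "Department": "IT", "IsPrivileged": 0},
    {"UserPrincipalName": "carol@example.com", "Department": 'Ops "Night"', "IsPrivileged": 1},
])


def parse_sql_rows(result_json: str, required_columns: List[str]) -> List[Dict[str, Any]]:
    """Parse the JSON array of row objects and fail early if the schema drifted."""
    rows = json.loads(result_json)
    if not isinstance(rows, list):
        raise ValueError("expected a JSON array of row objects")
    for index, row in enumerate(rows):
        missing = [c for c in required_columns if c not in row]
        if missing:
            raise ValueError(f"row {index} is missing columns: {missing}")
    return rows


def rows_to_csv(rows: List[Dict[str, Any]], columns: List[str]) -> str:
    """Build the CSV payload; csv.DictWriter quotes commas and doubles embedded quotes."""
    buffer = io.StringIO()
    writer = csv.DictWriter(buffer, fieldnames=columns, extrasaction="ignore", lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow(row)
    return buffer.getvalue()


def watchlist_url(subscription: str, resource_group: str, workspace: str, alias: str) -> str:
    """URL of one watchlist; GET checks existence, PUT creates or updates it (assumed API shape)."""
    return (
        f"https://management.azure.com/subscriptions/{subscription}"
        f"/resourceGroups/{resource_group}/providers/Microsoft.OperationalInsights"
        f"/workspaces/{workspace}/providers/Microsoft.SecurityInsights"
        f"/watchlists/{alias}?api-version={API_VERSION}"
    )


def watchlist_exists(get_status_code: int) -> bool:
    """Interpret the existence check: 200 means present, 404 means absent, anything else is an error."""
    if get_status_code == 200:
        return True
    if get_status_code == 404:
        return False
    raise RuntimeError(f"unexpected status {get_status_code} while checking the watchlist")


def build_watchlist_body(csv_text: str, display_name: str, search_key: str, columns: List[str]) -> Dict[str, Any]:
    """Request body for create-or-update; the search key must be one of the CSV columns."""
    if search_key not in columns:
        raise ValueError(f"itemsSearchKey {search_key!r} is not a column of the CSV payload")
    return {
        "properties": {
            "displayName": display_name,
            "provider": "Custom",
            "source": "Azure SQL query",
            "itemsSearchKey": search_key,
            "contentType": "text/csv",
            "numberOfLinesToSkip": 0,
            "rawContent": csv_text,
        }
    }


def plan_request(exists: bool, url: str, body: Dict[str, Any]) -> Dict[str, Any]:
    """Describe the call to make; both branches are PUT, only the intent differs."""
    return {"action": "update" if exists else "create", "method": "PUT", "url": url, "body": body}


if __name__ == "__main__":
    rows = parse_sql_rows(SAMPLE_SQL_RESULT_JSON, COLUMNS)
    payload = rows_to_csv(rows, COLUMNS)
    url = watchlist_url("<subscription-id>", "<resource-group>", "<workspace>", "sql-users")
    body = build_watchlist_body(payload, "Users from SQL", "UserPrincipalName", COLUMNS)
    print(json.dumps(plan_request(watchlist_exists(404), url, body), indent=2))
```

Running it prints the planned PUT; look at `rawContent` to confirm that fields containing commas or quotes survived as single columns, which is the usual reason an adapted query yields a watchlist with shifted columns.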
Step 1: Deploy the Logic App on Azure Sentinel.
- Open the link to the playbook. Scroll down on the page and click on the "Deploy to Azure" or "Deploy to Azure Gov" button depending on your need.
- Fill in the parameters:
  - Playbook name - this is how you'll find the playbook in your subscription
  - User name (will affect the names of the API connection resources)
  - Azure Sentinel Workspace Name
  - Azure Sentinel Resource Group
  - The Watchlist name
  - SQL query that will run against the DB
- Check the terms and conditions and click Purchase.
- The ARM template, which contains the Logic App workflow (playbook) and the API connections, is now deploying to Azure. When finished, you will be taken to the Azure ARM template summary page.
- Click on the Logic App name; you will be taken to the Logic App resource of this playbook.

Confirm API connections
- On the left menu, click on API connections. For each product being used in this playbook, click on the connection name - in our case, it is only the Azure Sentinel connection. Click on Authorize to log in with your user, and don't forget to save.