Azure-Sentinel/Playbooks/Watchlist-Add-UserToWatchList
Yaniv Shasha 41a24a6269 4 new watchlist playbooks 2021-01-27 08:44:01 +02:00

Watchlist-Add-UserToWatchList

Author: Yaniv Shasha

This playbook will add a User entity to a new or existing watchlist.

Logical flow to use this playbook:

1. The analyst has finished investigating an incident, and one of its findings is a suspicious user entity.
2. The analyst wants to enter this entity into a watchlist (the watchlist can be of block-list or allow-list type).
3. This playbook runs as a manual trigger from the full incident blade or the investigation graph blade, or automatically.

[Image: Picture0]

The playbook, available here and presented below, works as follows:

  1. Manually trigger the playbook when we want to add a user entity from a given alert
  2. Get the relevant user entity
  3. Create an array of the user's properties
  4. Create a CSV from the above array
  5. Check whether the watchlist exists: if it does, append the data through the watchlist API; if not, create a new watchlist and append the data.
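As an added example (not the playbook's own Logic App definition), the following Python models steps 2 to 5 offline: it flattens a user entity into a row, renders the CSV, and appends to the watchlist when it already exists or creates it otherwise. The entity field names follow the Sentinel Account entity schema, but the sample entity is constructed; `WatchlistStore` is a hypothetical in-memory stand-in for the watchlist API, and the column layout, the column-mismatch check, and the formula-neutralizing step are this example's own design choices rather than anything the playbook does.

```python
import csv
import io
from typing import Dict, List

# Constructed sample of a Sentinel Account (user) entity attached to an incident.
# Field names follow the Account entity schema; the values are made up.
SAMPLE_USER_ENTITY = {
    "kind": "Account",
    "properties": {
        "accountName": "jdoe",
        "upnSuffix": "contoso.example",
        "aadUserId": "00000000-0000-0000-0000-000000000001",
        "sid": "S-1-5-21-1111111111-2222222222-3333333333-1001",
    },
}

# Columns written to the watchlist (this example's own layout);
# UserPrincipalName doubles as the search key analysts will join on.
WATCHLIST_COLUMNS = ["UserPrincipalName", "AccountName", "AadUserId", "Sid", "Reason"]


def neutralize_csv_formula(value: str) -> str:
    """Prefix a value that a spreadsheet would evaluate as a formula.

    Watchlist CSVs get opened in Excel by analysts, so an attacker-chosen
    account name beginning with '=' must not survive as a live formula.
    """
    if value and value[0] in "=+-@\t\r":
        return "'" + value
    return value


def entity_to_row(entity: Dict, reason: str = "Flagged during incident triage") -> Dict[str, str]:
    """Step 3: flatten the entity's properties into one watchlist row."""
    if entity.get("kind") != "Account":
        raise ValueError("only Account (user) entities are supported")
    p = entity["properties"]
    upn = f'{p.get("accountName", "")}@{p.get("upnSuffix", "")}'.strip("@")
    row = {
        "UserPrincipalName": upn,
        "AccountName": p.get("accountName", ""),
        "AadUserId": p.get("aadUserId", ""),
        "Sid": p.get("sid", ""),
        "Reason": reason,
    }
    return {k: neutralize_csv_formula(v) for k, v in row.items()}


def rows_to_csv(rows: List[Dict[str, str]]) -> str:
    """Step 4: render rows as CSV with a header line, in watchlist column order."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=WATCHLIST_COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def csv_to_rows(text: str) -> List[Dict[str, str]]:
    """Parse CSV text back into rows keyed by the header line."""
    return list(csv.DictReader(io.StringIO(text)))


class WatchlistStore:
    """Hypothetical in-memory stand-in for the watchlist API (exists / create / append)."""

    def __init__(self) -> None:
        self._lists: Dict[str, Dict] = {}

    def exists(self, alias: str) -> bool:
        return alias in self._lists

    def create(self, alias: str, csv_text: str) -> None:
        rows = csv_to_rows(csv_text)
        columns = list(rows[0].keys()) if rows else list(WATCHLIST_COLUMNS)
        self._lists[alias] = {"columns": columns, "rows": rows}

    def append(self, alias: str, csv_text: str) -> None:
        existing = self._lists[alias]
        rows = csv_to_rows(csv_text)
        # Refuse rows whose schema differs from the existing list, otherwise
        # later _GetWatchlist() queries would see ragged columns.
        for r in rows:
            if list(r.keys()) != existing["columns"]:
                raise ValueError(f"column mismatch for watchlist {alias!r}")
        existing["rows"].extend(rows)

    def rows(self, alias: str) -> List[Dict[str, str]]:
        return list(self._lists[alias]["rows"])


def add_user_to_watchlist(store: WatchlistStore, alias: str, entity: Dict) -> str:
    """Step 5: append when the watchlist exists, otherwise create it; returns the action taken."""
    csv_text = rows_to_csv([entity_to_row(entity)])
    if store.exists(alias):
        store.append(alias, csv_text)
        return "appended"
    store.create(alias, csv_text)
    return "created"


if __name__ == "__main__":
    store = WatchlistStore()
    print(add_user_to_watchlist(store, "RiskUsers", SAMPLE_USER_ENTITY))  # created
    print(add_user_to_watchlist(store, "RiskUsers", SAMPLE_USER_ENTITY))  # appended
    print(rows_to_csv(store.rows("RiskUsers")))
```

Running the module twice against the same store shows the two branches of step 5: the first call creates `RiskUsers`, the second appends to it. The formula-neutralizing step matters because entity properties such as the account name are ultimately chosen by whoever created the account, and a watchlist CSV is exactly the kind of file an analyst opens in a spreadsheet.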

After deploying the Logic App you will see the workflow above.

[Image: Picture1]

Deploying the solution:

  1. Add the missing properties in the ARM template deployment. The watchlist name will also be the alias that you use to query the data, for example:

    _GetWatchlist('RiskUsers')

  2. After deployment, authenticate the Azure Sentinel connector and the API HTTP action with a managed identity or an SPN that holds the Azure Sentinel Contributor RBAC role.

[Image: Picture1]