Creating Playbooks & Logic Apps (part 4)

To read part 1, please click here
To read part 2, please click here
To read part 3, please click here

Using the Logic Apps Designer Page

After creating the playbook, you can go to the Logic Apps Designer page, which has two different views. The first appears when your workflow is empty: it provides a short introduction video, some common triggers, and predefined templates that can help you build your workflow. It also shows a list of templates and the Blank Logic App button, which creates an empty workflow.

After you click that button, you reach the second view. Its workflow editor section lists connectors and actions under Recent, based on the ones you have used recently. Each part of this page is described below:

  • The Logic App Designer header bar: it contains all the buttons needed to work with a workflow, such as saving or discarding changes, switching between the GUI and the code views, and adding parameters. The buttons are:

  1. Save saves your changes; it is only active when the workflow has unsaved changes.
  2. Discard throws away all the changes you have made and reverts the workflow to the last saved version. It is likewise only active when there are unsaved changes.
  3. Run runs the workflow currently in view.
  4. Designer and Code view switch between the two views: Code view shows the workflow's JSON definition, while Designer returns you to the GUI view.
  5. Parameters opens the Parameters blade, where you can add, edit, or delete parameters for the playbook; parameters can also pass information to your logic app during automated deployments.
  6. Templates shows a list of pre-existing templates that can be used as a basis for your playbook. Be aware that selecting a template from here overwrites your existing playbook's design.
  7. Connectors opens a new page with information about logic app connectors and a list of existing, non-preview connectors and their actions.

  • The Logic App Designer's workflow editor section: this is where you build your workflow, first selecting an appropriate trigger and then adding the actions you need.

Creating a Simple Microsoft Sentinel Playbook

To create a new playbook that Microsoft Sentinel can use, you must remember to use the Microsoft Sentinel connector:
  1. Click the Add playbook button on the Microsoft Sentinel playbook screen and choose an appropriate resource group and location.
  2. After the playbook has been created, click the Blank Logic App button to create a new logic app.
  3. On the Logic App Designer page, locate and select the Microsoft Sentinel connector. If it is not listed under Recent, enter Microsoft Sentinel in the search box to find it.
  4. To add the Alert - Get incident action, click the New step link and select the Microsoft Sentinel entry in the Recent section. This adds the connector again and lists its actions.
  5. Scroll down to Alert - Get incident (preview) and select it.
  6. After the action has been added, fill in its fields.
  7. Click the Specify subscription id field; a pop-up window opens with a list of all the fields provided by the trigger.
  8. These fields are dynamic content: the variable name is replaced by the actual value whenever the playbook runs. Most triggers and actions provide their own dynamic content, and the list grows as new steps are added.
  9. Map the fields to the trigger values as shown below:

  Action name                Trigger value
  Specify subscription id    Subscription ID
  Specify resource group     Resource group
  Specify workspace id       Workspace ID
  Specify alert id           System alert ID

  10. Once these fields are mapped, the task is done and the action will return the incident for your alert.

Now we want to alert the analysts when a high-risk alert is raised. Because the Alert - Get incident action returns the incident, including its severity, we only need to add a condition that filters for high-severity incidents and then post a message. When you have finished these tasks, click the Save button in the Logic App Designer page's header to save your playbook. The designer reports any errors at this point, and you end up with a fully functional and very useful Microsoft Sentinel playbook with no coding required.





