playbooks
Problems with Playbooks - Request Header Fields Too Large
Hi all,

Since this afternoon my Playbooks are not working anymore. I have a few Playbooks that are being triggered by Automation Rules. The first step in the Playbook is the Sentinel Incident Trigger. The second step is the "Get Incident" action, which gets the incident details with the Incident ARM ID from step 1. The second step is not working anymore and with every Playbook I get "Status Code: 431" and as output:

{ "StatusCode": 431, "ReasonPhrase": "Request Header Fields Too Large", "Content": "", "Headers": { "Pragma": [ "no-cache" ],

The same error happens with a Playbook where I add a comment to the Incident. The status code is also 431 and it stops the Playbook. Does anybody have a solution or help to fix this? Thanks in advance!
Create playbook to release requested quarantined emails?

I can't find any information on the possibility of releasing quarantined emails from the alerts created by Microsoft Defender XDR, such as "User requested to release a quarantined message" and "User requested to release a quarantined message involving one user". I see there are playbooks created with the Microsoft Defender connector. They have conditions such as non-high confidence only and not reported by more than one user. Would an Azure Logic App be able to do this? If so, a guide would be appreciated.
Send-Teams-adaptive-card-on-incident add Entities

Hello everyone, I'm looking for a way to insert Entities into the adaptive card. The method I use for Outlook, namely HTML, I can't use because it's not supported. Do you have any ideas? My goal is, in addition to the incident, to show the involved entities, for example account, host, IP, file, etc.
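As an added example that is not part of this thread or of the Send-Teams-adaptive-card-on-incident template: an Adaptive Card that lists the incident's entities in a FactSet, which Teams renders natively, instead of HTML, which the Teams connector does not render. The incident number, title and entity values are constructed sample data. In the playbook they would come from dynamic content; the Sentinel connector's "Entities - Get Accounts", "Entities - Get Hosts" and "Entities - Get IPs" actions (assumed action names) each return an array, and a Select data-operation action is the usual way to map such an array onto the `facts` array of a FactSet.

```json
{
  "$schema": "http://adaptivecards.io/schemas/adaptive-card.json",
  "type": "AdaptiveCard",
  "version": "1.2",
  "msteams": { "width": "Full" },
  "body": [
    {
      "type": "TextBlock",
      "size": "Large",
      "weight": "Bolder",
      "wrap": true,
      "text": "Incident 1042: Suspicious sign-in followed by mailbox rule creation"
    },
    {
      "type": "FactSet",
      "facts": [
        { "title": "Severity", "value": "High" },
        { "title": "Status", "value": "New" },
        { "title": "Tactics", "value": "InitialAccess, Persistence" }
      ]
    },
    {
      "type": "TextBlock",
      "weight": "Bolder",
      "spacing": "Medium",
      "text": "Entities"
    },
    {
      "type": "FactSet",
      "facts": [
        { "title": "Account", "value": "jdoe@contoso.example" },
        { "title": "Host", "value": "WS-FIN-0042" },
        { "title": "IP", "value": "203.0.113.17" },
        { "title": "File", "value": "invoice_Q3.pdf.exe" }
      ]
    }
  ],
  "actions": [
    {
      "type": "Action.OpenUrl",
      "title": "Open in Sentinel",
      "url": "https://portal.azure.com/"
    }
  ]
}
```

Each fact is a title/value pair of plain strings, so one FactSet entry per entity is the Teams equivalent of the HTML table used in the Outlook variant. Replace the `url` of the action with the Incident URL from the trigger's dynamic content so the card links to the actual incident.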
AITM Attack - Canary URL

Hello. I am trying to work through the configuration in this article: https://ironpeak.be/blog/azure-detecting-aitm-attacks/

I created the following logic app:

The generated URL has been added to a CSS file and uploaded as outlined in that article, and the branding changes are active. When someone logs in to something like the Azure portal the logic app is triggered, but the condition is always "false". If I look at the output, the "Referer" is exactly as it should be for the condition to be true:

Any help with where I am going wrong would be greatly appreciated.
RE: How do you extract the 'Incident ARM ID' from a KQL query to be used in a Logic App

Hello, Can the Security Incident ID be extracted from the SecurityIncident table and used as a property or Entity value in a workflow action of a Logic App, such as 'Update Incident'? See the image below.

What is the actual structure of the Incident ARM ID? Is it the 'IncidentNumber' from the table, or do you have to parse it from the 'IncidentUrl' property?
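An added example, not from the thread, showing the structure the question asks about. The Incident ARM ID is the incident's Azure resource ID: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.OperationalInsights/workspaces/{workspace}/providers/Microsoft.SecurityInsights/Incidents/{incidentGuid}. The last segment is the incident GUID, which the SecurityIncident table exposes as IncidentName; IncidentNumber is the per-workspace integer shown in the portal and is not part of the ID. The IncidentUrl column is the portal link and ends with that same resource path, so the ID can also be cut out of it. The workflow-definition fragment below builds the ID both ways inside a For each over the rows returned by the Azure Monitor Logs "Run query and list results" action (assumed to return its rows in `value`). The action and variable names and the subscription, resource group and workspace values are assumptions for the example.

```json
{
  "actions": {
    "Initialize_workspace_resource_id": {
      "type": "InitializeVariable",
      "inputs": {
        "variables": [
          {
            "name": "workspaceResourceId",
            "type": "string",
            "value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-sentinel/providers/Microsoft.OperationalInsights/workspaces/law-sentinel"
          }
        ]
      },
      "runAfter": {}
    },
    "For_each_query_row": {
      "type": "Foreach",
      "foreach": "@body('Run_query_and_list_results')?['value']",
      "runAfter": {
        "Initialize_workspace_resource_id": [ "Succeeded" ]
      },
      "actions": {
        "Build_incident_ARM_ID_from_IncidentName": {
          "type": "Compose",
          "inputs": "@concat(variables('workspaceResourceId'), '/providers/Microsoft.SecurityInsights/Incidents/', items('For_each_query_row')?['IncidentName'])",
          "runAfter": {}
        },
        "Build_incident_ARM_ID_from_IncidentUrl": {
          "type": "Compose",
          "inputs": "@concat('/subscriptions/', last(split(items('For_each_query_row')?['IncidentUrl'], '/subscriptions/')))",
          "runAfter": {}
        }
      }
    }
  }
}
```

Either Compose output can be passed to the Incident ARM ID field of 'Update Incident'. Building it from IncidentName is the safer choice, because the ID then always points at the workspace the playbook is configured for; the IncidentUrl variant depends on the portal link format staying the same. Running both in a test and comparing the outputs is a quick check that the workspace resource ID variable is correct.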
Permissions issue with Run-MDEAntivirus playbook

Hi, I am having a permissions issue getting the playbook template 'Run-MDEAntivirus' working. So far I have:

- Given Microsoft Sentinel permissions to run playbooks in the correct Resource Group.
- Deployed the Playbook template from Sentinel (as at January 2023) with a system-assigned managed identity.
- Used PowerShell to grant the managed identity the permissions 'Machine.Scan', 'Machine.ReadWrite.All' and 'Machine.Read.All'.
- Dropped an EICAR file on a host and watched the playbook trigger as expected.

Steps using the Sentinel connector inside the Logic App work (these all have green ticks and contain the expected data). The first MDE step, 'Machines - Get a Single Machine', fails with a 403 error. The message it returns is 'Missing application roles. API required roles: Machine.Read.All,Machine.ReadWrite.All, application roles 'Machine.Scan''. I am not clear where I need to add those privileges. My understanding is the Logic App is using the wdatp-Run-MDEAntivirus API connection, which in turn is using the Managed Identity (that has the right privileges). Any suggestions on what to do next would be welcome. Cheers, Michael
Provide MS Sentinel explicit permissions to run playbooks via ARM

Hi, Simple ask. Using ARM to add a template to a new install of Sentinel (LA workspace, Sentinel, analytics, workbooks and playbooks all installed in one go), I can't figure out how to assign the permissions required as part of the initial ARM install. For the GUI it's simple enough: Sentinel > Settings > Settings > Playbook Permissions > Configure permissions > select RG and apply. How can this be replicated using ARM only (no PS and no GUI)? Ideally I would like the ARM template to be a one-shot. Any help is appreciated. Cheers
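An added example, not from the thread. What the "Configure permissions" page does behind the scenes is assign the built-in role Microsoft Sentinel Automation Contributor to the Azure Security Insights service principal (the Sentinel first-party application in your tenant) at the scope of the resource group that holds the playbooks. That is an ordinary Microsoft.Authorization/roleAssignments resource, so it can be deployed with the rest of the install. The template below is deployed at the scope of the playbook resource group. The built-in role definition GUID shown is the one for Microsoft Sentinel Automation Contributor as I know it; verify it against the role definitions in your tenant. The object ID of the Azure Security Insights service principal is tenant-specific and ARM has no function to look it up by application ID, so it is passed in as a parameter; that one-time lookup is the only step that cannot live inside the template.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "sentinelServicePrincipalObjectId": {
      "type": "string",
      "metadata": {
        "description": "Object ID of the 'Azure Security Insights' enterprise application in this tenant. Tenant-specific; look it up once and pass it in."
      }
    }
  },
  "variables": {
    "sentinelAutomationContributorRoleId": "f4c81013-99ee-4d62-a7ee-b3f1f648599a"
  },
  "resources": [
    {
      "type": "Microsoft.Authorization/roleAssignments",
      "apiVersion": "2022-04-01",
      "name": "[guid(resourceGroup().id, parameters('sentinelServicePrincipalObjectId'), variables('sentinelAutomationContributorRoleId'))]",
      "properties": {
        "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', variables('sentinelAutomationContributorRoleId'))]",
        "principalId": "[parameters('sentinelServicePrincipalObjectId')]",
        "principalType": "ServicePrincipal"
      }
    }
  ]
}
```

Two caveats for a one-shot deployment. The identity running the deployment needs Microsoft.Authorization/roleAssignments/write on the resource group (Owner or User Access Administrator), which a plain Contributor does not have. And the assignment is scoped to one resource group, which is exactly the least-privilege grant the GUI makes; if playbooks live in several resource groups, each needs its own assignment, which in a single subscription-level template is done with a nested deployment per group. Setting `principalType` to ServicePrincipal avoids the deployment failing when the service principal was created shortly before and has not yet replicated.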