crowdsecurity/crowdsec-sentinel-playbook


Microsoft Sentinel CrowdSec CTI PlayBook

This PlayBook (an Azure Logic App) automatically creates a Microsoft Sentinel alert when a successful login is performed from an IP address that CrowdSec's CTI reports as suspicious or malicious.

Example Alert

Deployment

Deploy

Permissions

  • In the resource group, via IAM, grant:
    • the "Microsoft Sentinel Contributor" role to the Logic App (its managed identity), so the playbook can create alerts
    • the "Microsoft Sentinel Automation Contributor" role to "Azure Security Insights", so Sentinel automation rules are allowed to run the playbook
  • Authorize the Azure Sentinel API Connection (on the API connection resource: General -> Edit API Connection); until it is authorized, the Logic App run fails at the Sentinel step

Example Usage

In our example, we are going to create an Analytics Rule that triggers on successful Entra ID authentications, and use an Automation Rule to run our Logic App on each resulting incident.

Our Logic App queries CrowdSec's CTI for the source IP of the authentication and creates an Alert if the CTI reputation is malicious or suspicious.

  1. Create an Analytics Rule

Analytics Rule Creation

  2. Create an Automation Rule

Automation Rule Creation

  3. Test it

Try to log in from, for example, a Tor exit IP address, wait for your analytics rule to trigger, and watch the alert appear.
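The decision the playbook makes at step 3, reproduced here as an added Python example so it can be run offline. This is not code from the crowdsec-sentinel-playbook project. It assumes the CrowdSec CTI smoke endpoint `GET https://cti.api.crowdsec.net/v2/smoke/{ip}` with an `x-api-key` header, returning JSON whose `reputation` field is one of malicious / suspicious / known / safe / benign / unknown and answering 404 for an IP it has never seen; the sign-in events (shaped like Sentinel `SigninLogs` rows, where `ResultType` 0 is a success) and the CTI answers are constructed for the example, using RFC 5737 documentation addresses.

```python
"""Added example (not the project's own code): the playbook's alerting
decision in Python. Assumptions: CrowdSec CTI smoke endpoint
GET https://cti.api.crowdsec.net/v2/smoke/{ip}, header x-api-key, JSON
"reputation" in malicious/suspicious/known/safe/benign/unknown, HTTP 404
for an unseen IP. Events and CTI answers below are constructed."""
import ipaddress
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional

CTI_URL = "https://cti.api.crowdsec.net/v2/smoke/{ip}"
ALERT_REPUTATIONS = {"malicious", "suspicious"}

# Sources that can never appear in reputation data; skipping them saves
# CTI quota. RFC 5737 documentation ranges are deliberately let through so
# the constructed sample below is looked up.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def cti_lookup_live(ip: str, api_key: str) -> dict:
    """Live CTI query (assumed endpoint). An unseen IP (404) is mapped to
    reputation "unknown" so the caller treats it as clean; other HTTP errors
    (401 bad key, 429 quota) propagate so the run fails visibly."""
    req = urllib.request.Request(CTI_URL.format(ip=ip), headers={"x-api-key": api_key})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return {"ip": ip, "reputation": "unknown"}
        raise


# Constructed CTI answers standing in for the live endpoint.
CTI_SAMPLE: Dict[str, dict] = {
    "203.0.113.5": {"ip": "203.0.113.5", "reputation": "malicious",
                    "classifications": {"classifications": [{"name": "community-blocklist"}]}},
    "198.51.100.7": {"ip": "198.51.100.7", "reputation": "suspicious",
                     "classifications": {"classifications": []}},
    "192.0.2.9": {"ip": "192.0.2.9", "reputation": "known",
                  "classifications": {"classifications": []}},
}


def cti_lookup_sample(ip: str, api_key: str = "") -> dict:
    """Offline stand-in for cti_lookup_live with the same 404 -> unknown rule."""
    return CTI_SAMPLE.get(ip, {"ip": ip, "reputation": "unknown"})


def is_routable(ip: str) -> bool:
    """False for malformed addresses and for private/loopback/link-local ones."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in NON_ROUTABLE)


def assess_signin(event: dict, lookup: Callable[[str, str], dict],
                  api_key: str = "") -> Optional[dict]:
    """Return an alert record for a successful sign-in from a malicious or
    suspicious IP, otherwise None (failed sign-ins, non-routable sources and
    clean reputations all yield None)."""
    if str(event.get("ResultType")) != "0":      # SigninLogs: 0 = success
        return None
    ip = event.get("IPAddress", "")
    if not is_routable(ip):
        return None
    cti = lookup(ip, api_key)
    reputation = cti.get("reputation", "unknown")
    if reputation not in ALERT_REPUTATIONS:
        return None
    names = [c.get("name") for c in cti.get("classifications", {}).get("classifications", [])]
    return {
        "title": f"Successful sign-in from {reputation} IP {ip}",
        "user": event.get("UserPrincipalName"),
        "ip": ip,
        "reputation": reputation,
        "classifications": names,
        "severity": "High" if reputation == "malicious" else "Medium",
    }


# Constructed sign-in events in SigninLogs column names.
SIGNINS: List[dict] = [
    {"UserPrincipalName": "alice@example.com", "IPAddress": "203.0.113.5", "ResultType": "0"},
    {"UserPrincipalName": "bob@example.com", "IPAddress": "198.51.100.7", "ResultType": "0"},
    {"UserPrincipalName": "carol@example.com", "IPAddress": "192.0.2.9", "ResultType": "0"},
    {"UserPrincipalName": "dave@example.com", "IPAddress": "203.0.113.5", "ResultType": "50126"},
    {"UserPrincipalName": "erin@example.com", "IPAddress": "10.0.0.5", "ResultType": "0"},
]


def run(events: List[dict] = SIGNINS, lookup: Callable = cti_lookup_sample) -> List[dict]:
    """Evaluate every event and keep only those that produce an alert."""
    return [a for a in (assess_signin(e, lookup) for e in events) if a]


if __name__ == "__main__":
    for alert in run():
        print(json.dumps(alert))
```

Swap `cti_lookup_sample` for `cti_lookup_live` with a real key to test against the CTI. The 404-as-unknown mapping matters in the Logic App too: an IP absent from CrowdSec's data is a normal outcome and must not be treated as a failed run or, worse, as malicious.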

About

Microsoft Sentinel CrowdSec IP Reputation PlayBook
