Microsoft Sentinel Logic Apps Playbooks

Free integration setupWe’ll install and validate this for you.

Book a setup call

Support Statement

DISCLAIMER

This documentation is provided "as is" without support for 3rd party software. The level of support for this integration guide is best effort without any SLA on response time. No 3rd party product support can be provided by Superna directly. 3rd party components require support contracts. See EULA for more details.

---

Overview

A key capability of SOAR and security automation platforms is the ability to run sophisticated automations that help protect IT assets. The Cyber Storage integration with the Superna Zero Trust API allows SecOps professionals to execute storage-layer protection functions directly within their security tools.

Key Use Cases

• User Lockout — Run an incident playbook to lock out the affected user from all storage SMB shares to stop a ransomware attack against NAS storage.
• Critical Data Snapshot — Run an incident playbook to snapshot critical NAS storage data as a proactive step. This playbook does not interrupt user access and provides a 4-hour snapshot of production data. The critical snapshot feature must be configured in Superna Security Edition.

Key Benefits

• Automates security responses for increased response times and eliminates human error
• Builds upon a composable security architecture that integrates security tools into workflows and playbooks
• Integrates Cyber Storage capabilities to protect unstructured data

Import Logic App Playbooks into Sentinel

Download the playbook templates before proceeding with configuration:

• Zero Trust Snapshot Playbook JSON
• Zero Trust Lockout Playbook JSON

1. Log in to the Azure Console and search for Template Deployment.
2. Select Build your own template in the editor.
3. Click Load file and upload the JSON template.
4. Click Save.
5. Fill in the subscription, resource group (use the Sentinel resource group), and region.
6. Click Review and create to deploy the playbook.
7. Proceed to the configuration steps below.

Create the API Token

1. Log in to the Eyeglass VM as admin.
2. Navigate to Eyeglass REST API.
3. Click Create new token and provide a name (for example, Zero Trust).
4. Copy the token for use in the playbook configuration steps below.

Configure the User Lockout Playbook

Prerequisites

• Microsoft Sentinel Azure instance
• Permissions to create Sentinel resources and Logic Apps
• Superna Eyeglass VM API token (see above)
• Firewall rule allowing Azure source IPs to reach the Eyeglass VM endpoint over HTTPS port 443

Logic App Flow Summary

1. Receive the incident data in JSON format.
2. Initialize a variable to store the username from the incident.
3. Parse the incoming incident payload using a schema that includes the custom Zero Trust alert details (username, SID, IP address, protocol).
4. For each incident item:
   • Pass the custom Zero Trust alert data to the compose function.
   • Extract the username field from the payload.
   • Remove the encoded double backslashes and quotes to produce domain\username syntax.
   • Set the Logic App variable to the clean username.
   • URL-encode the string for use in the API call URL.
   • Send the URL-encoded value to the HTTP function to call the Eyeglass Zero Trust API.
   • Send the username to the email function to send a lockout alert notification.

Configure the Playbook Zero Trust API Integration

1. Click on the newly created Logic App resource.

2. Click Logic Designer.

3. Locate the HTTP step at the end of the designer.

4. Edit the HTTP details:

   • Replace x.x.x.x with the Eyeglass VM hostname or IP address.
   • Replace the placeholder API key igls-1hp9n7vg4uu61k4t0r2np9a8qpf5is7bc11bacs11gf2ad9lnoc1 with the token you created above.

5. Configure the Outlook connection for email notifications:

   note

   This playbook uses the Outlook connection step to send an alert each time a user is locked out. This step can be deleted, but sending a notification is recommended. To use email, register an Office 365 subscription with Azure following the Azure documentation. Once registered, open the Logic App designer and click Add new connection to configure the email option.

6. Click Save after each step.

How to Use the User Lockout Playbook in Sentinel

1. Open an incident in Microsoft Sentinel.
2. Select Run Playbook (preview).
3. Execute the user lockout playbook.

Configure the Critical Data Snapshot Playbook

Prerequisites

• Microsoft Sentinel Azure instance
• Permissions to create Sentinel resources and Logic Apps
• Superna Eyeglass VM API token (see above)
• Firewall rule allowing Azure source IPs to reach the Eyeglass VM endpoint over HTTPS port 443

Logic App Flow Summary

1. Receive the incident data in JSON format.
2. Call the Zero Trust API via HTTP to issue a critical data snapshot request to all protected storage devices managed by Superna Security Edition, using the correct API token and headers.

Configure the Playbook Zero Trust API Integration

1. Click on the newly created Logic App resource.
2. Click Logic Designer.
3. Edit the endpoint:
   • Replace x.x.x.x with the Eyeglass VM hostname or IP address.
   • Replace igls-yyyyy with the API token you created above.
4. Click Save.

How to Use the Critical Data Snapshot Playbook in Sentinel

Use this playbook when you suspect an incident may involve malware, ransomware, or any threat to corporate data.

1. Open an incident in Microsoft Sentinel.
2. Select Run Playbook (preview).
3. Select the snapshot creation playbook and click Run.
4. Review the results to verify it completes correctly.