This playbook would be responsible to update the Alert status from the sentinel to the Armis Portal.
- The Armis Alerts data connector should be configured to send appropriate armis alerts events to Microsoft Sentinel.
- Store Armis API secret key in Key Vault and obtain keyvault name and tenantId. a. Create a Key Vault with unique name b. Go to KeyVault -> secrets -> Generate/import and create 'ArmisAPISecretKey' for storing Armis API Secret Key
- To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
- Fill in the required paramteres:
- Playbook Name: Enter the playbook name here
- Armis Instance Base URL : Base URL of Armis Instance
- keyvaultname: Name of keyvault where secrets are stored
- tenantId: TenantId where keyvault is located
Once deployment is complete, authorize each connection like microsoft sentinel, Key vault.
- Click the Microsoft Sentinel connection resource
- Click edit API connection
- Click Authorize
- Sign in
- Click Save
- Repeat steps for other connections
- In Microsoft Sentinel, analytical rules should be configured to trigger an incident. An incident should have the alertID - custom entity that contains alertId of each generated Armis alert and alertStatus - custom entity that contains alertStatus of each generated Armis alerts. It can be obtained from the corresponding field in Armis Alerts custom logs. Check the documentation to learn more about adding custom entities to incidents.
- Configure the automation rules to trigger the playbook.
<Armis Alerts Table Name> | where Type == "<Type filed of sentinel customlog table>" and status_s == "<Armis Alert Status>"