This playbook / Logic App automatically creates an alert when a successful login is performed from a suspicious or malicious IP.
Before deploying this playbook, ensure the following prerequisites are completed:
- Create a CTI API key on https://app.crowdsec.net/
- Note down the following required value from the console:
  - CrowdSec CTI API Key
- Click the Deploy to Azure button below to launch the ARM Template deployment wizard.
- Fill in the required parameters.
- In the resource group, via IAM, grant:
  - "Microsoft Sentinel Contributor" role to the Logic App
  - "Microsoft Sentinel Automation Contributor" role to "Azure Security Insights"
- Authorize the Azure Sentinel API connection (General -> Edit API Connection)
In our example, we are going to create an Analytics Rule that triggers on successful Entra ID authentications, and use an Automation Rule to trigger our Logic App.
Our Logic App will query CrowdSec's CTI and create an Alert if the authentication came from a malicious or suspicious IP.
- Create Analytics Rule
- Create Automation Rule
- Test it
Try to connect from e.g. a Tor exit node IP address, wait for your analytics rule to trigger, and watch the alerts appear.
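To make the enrichment step concrete, here is an added example (not part of this playbook's files) of the decision the Logic App makes: only successful sign-ins are looked up, and an alert is produced only when CrowdSec reports the source IP as malicious or suspicious. The CTI endpoint and `x-api-key` header follow CrowdSec's public CTI API; the severity mapping, the event field names (taken from the SigninLogs schema) and all sample data are assumptions constructed for this example.

```python
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional

# Assumed CrowdSec CTI "smoke" lookup endpoint; authenticated with the x-api-key header.
CTI_URL = "https://cti.api.crowdsec.net/v2/smoke/{ip}"

# Reputations the playbook alerts on, mapped to an assumed Sentinel severity.
ALERTING_REPUTATIONS = {"malicious": "High", "suspicious": "Medium"}


def cti_lookup(ip: str, api_key: str) -> Optional[dict]:
    """Live lookup: GET the smoke endpoint. A 404 means CrowdSec has no record of the IP."""
    req = urllib.request.Request(CTI_URL.format(ip=ip), headers={"x-api-key": api_key})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as e:
        if e.code == 404:
            return None
        raise  # 401/429 etc. should surface, not be silently treated as "clean"


def decide_alert(signin: Dict, lookup: Callable[[str], Optional[dict]]) -> Optional[Dict]:
    """Mirror the playbook: enrich only successful sign-ins (ResultType 0); return an alert dict or None."""
    if str(signin.get("ResultType")) != "0":
        return None
    ip = signin["IPAddress"]
    cti = lookup(ip)
    if cti is None:  # unknown to CrowdSec: nothing to alert on
        return None
    rep = cti.get("reputation", "unknown")
    if rep not in ALERTING_REPUTATIONS:
        return None
    return {
        "title": f"Successful sign-in from {rep} IP {ip}",
        "severity": ALERTING_REPUTATIONS[rep],
        "user": signin.get("UserPrincipalName"),
        "ip": ip,
        "behaviors": [b.get("name") for b in cti.get("behaviors", [])],
        "classifications": [c.get("name") for c in cti.get("classifications", {}).get("classifications", [])],
    }


# Constructed sample CTI answers standing in for the live API (TEST-NET addresses, not real indicators).
SAMPLE_CTI = {
    "203.0.113.7": {"reputation": "malicious", "behaviors": [{"name": "http:exploit"}],
                    "classifications": {"classifications": [{"name": "proxy:tor"}]}},
    "198.51.100.9": {"reputation": "known", "behaviors": []},
}


def offline_lookup(ip: str) -> Optional[dict]:
    return SAMPLE_CTI.get(ip)
```

In the live playbook, `lookup` would be `lambda ip: cti_lookup(ip, API_KEY)` with the key stored as a Logic App parameter rather than in code.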