Hello again! Today we will be configuring our Sentinel Playbook for use with our newly created Sentinel environment. If you haven't done part 1 or part 2 yet, I suggest going back now and coming back to this post later.
In this blog post, we will configure a Playbook. You might be wondering what I'm going on about, but to sum it up, a Playbook is a collection of procedures that we can later automate to respond to an entire incident, an individual alert, or a specific endpoint.
Go ahead and open up your Sentinel Training Lab resource group, as we will be configuring an API connection there.
Once clicked, look at the left side of the dashboard. You will see a couple of options; ignore them for now, as we will focus on editing the API connection.
Click on General, and a drop-down menu will appear. Click on Edit API connection.
You will get a prompt for authorization; click Authorize. It will open a new window for authentication and ask you for an account to authenticate with. This will typically be the one you are logged in with, but in real-world applications it may differ.
Once authorization is complete, you can go ahead and click Save. This will allow the API connection to be set so we can dive further into the training.
Now that's set up. In the next blog post, we will install and enable Data Connectors in Microsoft Sentinel to bring in alerts from a multitude of sources. Thanks for reading!