Logic Apps: How to use create a new watchlist with data (raw content) module

I want to create a watchlist in my Sentinel workspace.

I'm getting the following error:

What is the correct way to use this module to create a watchlist?

Pretend I have this object below and I want to turn it into a watchlist:

{
  "value": [
    {
      "ip": "185.241.208.232"
    },
    {
      "ip": "194.26.192.64"
    },
    {
      "ip": "171.25.193.25"
    },
    {
      "ip": "80.67.167.81"
    }
  ]
}
Ikhtesam Afrin On BEST ANSWER

I am able to create a watchlist using the below workflow:

{
  "description": "A watchlist containing IP addresses",
  "displayName": "MyIPWatchlist",
  "itemsSearchKey": "ip",
  "rawContent": "@{body('Create_CSV_table')}"
}

Code -

{
    "definition": {
        "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
        "actions": {
            "Create_CSV_table": {
                "inputs": {
                    "format": "CSV",
                    "from": "@variables('IpAddresses')"
                },
                "runAfter": {
                    "Initialize_variable": [
                        "Succeeded"
                    ]
                },
                "type": "Table"
            },
            "Initialize_variable": {
                "inputs": {
                    "variables": [
                        {
                            "name": "IpAddresses",
                            "type": "array",
                            "value": [
                                {
                                    "ip": "185.241.208.232"
                                },
                                {
                                    "ip": "194.26.192.64"
                                },
                                {
                                    "ip": "171.25.193.25"
                                },
                                {
                                    "ip": "80.67.167.81"
                                }
                            ]
                        }
                    ]
                },
                "runAfter": {},
                "type": "InitializeVariable"
            },
            "Watchlists_-_Create_a_new_Watchlist_with_data_(Raw_Content)": {
                "inputs": {
                    "body": {
                        "description": "A watchlist containing IP addresses",
                        "displayName": "MyIPWatchlist",
                        "itemsSearchKey": "ip",
                        "rawContent": "@{body('Create_CSV_table')}"
                    },
                    "host": {
                        "connection": {
                            "name": "@parameters('$connections')['azuresentinel']['connectionId']"
                        }
                    },
                    "method": "put",
                    "path": "/Watchlists/subscriptions/@{encodeURIComponent('b83c1*******23f')}/resourceGroups/@{encodeURIComponent('*******')}/workspaces/@{encodeURIComponent('0497f*******cef')}/watchlists/@{encodeURIComponent('afreen-watchlist')}"
                },
                "runAfter": {
                    "Create_CSV_table": [
                        "Succeeded"
                    ]
                },
                "type": "ApiConnection"
            }
        },
        "contentVersion": "1.0.0.0",
        "outputs": {},
        "parameters": {
            "$connections": {
                "defaultValue": {},
                "type": "Object"
            }
        },
        "triggers": {
            "manual": {
                "inputs": {},
                "kind": "Http",
                "type": "Request"
            }
        }
    },
    "parameters": {
        "$connections": {
            "value": {
                "azuresentinel": {
                    "connectionId": "/subscriptions/b8***********3f/resourceGroups/*******/providers/Microsoft.Web/connections/azuresentinel",
                    "connectionName": "azuresentinel",
                    "id": "/subscriptions/b8**********3f/providers/Microsoft.Web/locations/eastus/managedApis/azuresentinel"
                }
            }
        }
    }
}

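The following is an added example, not part of the original answer: a Python sketch of what the `Create_CSV_table` step hands to `rawContent`, producing the same four body fields shown in the answer. The function name `build_watchlist_body`, the IP validation and the de-duplication are assumptions added here and go beyond what the workflow itself does; the sample input is constructed from the question's object.

```python
import csv
import io
import ipaddress


def build_watchlist_body(payload, search_key="ip",
                         display_name="MyIPWatchlist",
                         description="A watchlist containing IP addresses"):
    """Return the action body with rawContent as CSV text (header row first)."""
    rows, seen = [], set()
    for item in payload.get("value", []):
        raw = str(item.get(search_key, "")).strip()
        try:
            # Normalise and reject anything that is not an IPv4/IPv6 address.
            addr = str(ipaddress.ip_address(raw))
        except ValueError:
            continue
        if addr not in seen:  # drop duplicates, keep first-seen order
            seen.add(addr)
            rows.append({search_key: addr})
    if not rows:
        raise ValueError(f"no valid '{search_key}' values to upload")

    buf = io.StringIO()
    # The header row names the column that itemsSearchKey refers to.
    writer = csv.DictWriter(buf, fieldnames=[search_key])
    writer.writeheader()
    writer.writerows(rows)
    return {
        "description": description,
        "displayName": display_name,
        "itemsSearchKey": search_key,
        "rawContent": buf.getvalue(),
    }


# Constructed sample input: the question's object plus a duplicate and a bad row.
SAMPLE = {"value": [{"ip": "185.241.208.232"}, {"ip": "194.26.192.64"},
                    {"ip": "171.25.193.25"}, {"ip": "80.67.167.81"},
                    {"ip": "80.67.167.81"}, {"ip": "not-an-ip"}]}

if __name__ == "__main__":
    print(build_watchlist_body(SAMPLE)["rawContent"])
```
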