
Quest 2 - Apprentice's curious road

< Quest 1 - 🏠Home - Quest 3 >

🌟🌟 🕒 10 mins

Introduction

In this section you will work with the playbook assigned to the "personal SAP incident" you raised in Quest 1. The playbook executes a workflow that informs the SAP security folks with an actionable alert in Microsoft Teams.

The path

  1. Navigate to the resource group dsag-participants or choose Active Playbooks from the Automation pane in Sentinel to find your Logic App (or in other words Sentinel playbook). The instance name contains your user name (e.g. something like sap-user-block-DSAGXX).

  2. Familiarize yourself with the playbook and its various steps. Are you able to identify how the SAP user lock request is submitted to SAP? What Teams Channel ID is being used?

Note: The Microsoft Teams connector supports dynamic dropdowns showing the names of your Teams team and channel. However, for maintainability and good design practice we chose to use variables in the Logic App for re-usability. This way you can change the target channel for all occurrences of the Teams task in the Logic App in one place. You can retrieve the IDs from Teams via the three dots ... and Get link to team, Get link to channel, or from the URL once you have navigated there.

  3. Open a new tab and navigate to teams.microsoft.com, log in with your given M365 sandbox user (e.g. [email protected]) and find your Teams Channel within the team DSAG Hands-On Session 1. Your incident notifications from Sentinel will show up here.

  4. In case your alert rule hasn't triggered an execution yet, feel free to run the playbook manually from the Sentinel Incident UI. Choose Actions -> Run playbook again.

  5. Find the adaptive card posted to your Teams Channel and click on the Block User on... button.

Note - Optionally see the Outlook message informing about and linking to the Microsoft Teams message.

  6. You will see the adaptive card change. Shortly after, a message from SAP will be posted as a reply to your initial block request in the same Teams thread.

Note - You can follow the detailed execution steps in your Logic App's Runs history. Navigate to the Overview pane and choose the ribbon Runs history.

  7. Verify that you locked the SAP backend user that caused the incident (yourself 😉 in this case) by trying to log in via the SAP WebGUI. And don't worry, we posted the unlock option via Teams too.

  8. Make sure to unlock the user again by leveraging the unlock option via Teams mentioned above!
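
The note under step 2 says the team and channel IDs can be taken from a Teams "Get link to channel" link. The following is an added example, not part of the workshop's own material, that extracts and validates both IDs from such a link before they are pasted into the playbook variables. The sample link is constructed, the function name is hypothetical, and it is an assumption that the variables hold the decoded `19:...@thread.tacv2` form.

```python
import re
import uuid
from urllib.parse import urlsplit, unquote, parse_qs

# Constructed sample in the shape Teams produces for "Get link to channel".
SAMPLE_LINK = (
    "https://teams.microsoft.com/l/channel/"
    "19%3A0123456789abcdef0123456789abcdef%40thread.tacv2/DSAG01"
    "?groupId=11111111-2222-3333-4444-555555555555"
    "&tenantId=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
)

# Decoded channel IDs look like 19:<opaque>@thread.tacv2 (older: @thread.skype).
_CHANNEL_ID = re.compile(r"^19:[A-Za-z0-9_\-]+@thread\.(tacv2|skype)$")


def parse_channel_link(link: str) -> dict:
    """Return the decoded team ID and channel ID from a Teams channel link."""
    parts = urlsplit(link.strip())
    # Only accept links that really point at Teams, not a look-alike host.
    if parts.scheme != "https" or parts.hostname != "teams.microsoft.com":
        raise ValueError("not an https://teams.microsoft.com link")

    # Path layout: /l/channel/<url-encoded channel id>/<channel name>
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) < 3 or segments[:2] != ["l", "channel"]:
        raise ValueError("not a 'Get link to channel' link")

    # The link carries the ID percent-encoded (%3A, %40); decode it once.
    channel_id = unquote(segments[2])
    if not _CHANNEL_ID.match(channel_id):
        raise ValueError("channel id is not of the form 19:...@thread.tacv2")

    # groupId is the team ID; it must be present once and be a GUID.
    group_ids = parse_qs(parts.query).get("groupId", [])
    if len(group_ids) != 1:
        raise ValueError("link must carry exactly one groupId")
    team_id = str(uuid.UUID(group_ids[0]))  # ValueError if malformed

    return {"team_id": team_id, "channel_id": channel_id}


if __name__ == "__main__":
    print(parse_channel_link(SAMPLE_LINK))
```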

Where to next?

< Quest 1 - 🏠Home - Quest 3 >
