UEBA Add Activity to Whitelist
UEBA Add Activity to Whitelist is an interactive playbook in which the security analyst decides whether to add a user and activity to the whitelist, permanently or temporarily. The playbook first checks that the User entity is present; if it is not, the investigation does not continue. If the entity is available, the playbook emails the security analyst an HTML notification that includes the Case URL. Through the Case URL, the analyst is led to an interactive Prompt where they decide whether or not to whitelist the user and activity.
1. Trigger - retrieves the parameters from multiple action blocks of the UEBA Triage playbook.
2. If...Then - applies a HAS VALUE operator to check the Entity value. If the value is available, the result is fed to the Format action block. If it isn't, the playbook terminates.
3. Format - embeds a Base64-encoded (text format) logo image for use in the report or email.
4. Format - creates an HTML notification that includes all the parameters.
5. String Utilities - normalizes the text of the HTML notification.
6. API - authenticates with Microsoft's Graph API and retrieves an access token. The next API action block uses this token for authorization.
7. API - uses Microsoft's Outlook API to email the HTML notification to the security team.
8. Prompt - lets the security analyst add the user and activity to the whitelist, either permanently or temporarily. If the analyst rejects whitelisting, the playbook stops.
9. Script - runs the Python script to get the current time.
10. If...Then - applies a not equal to (!==) operator to the whitelist duration, comparing it with FOREVER.
10.1. If the duration is FOREVER, the Query action block for the permanent whitelist is called.
10.2. Otherwise, the Query action block for the temporary whitelist is called.
11. Query - if the duration is not FOREVER, it runs the query using the eval command to add the parameters to the temporary whitelist.
12. Query - if the duration is FOREVER, it runs the query using the eval command to add the parameters to the permanent whitelist.
13. Parameters - retrieves the temporary whitelist and sets Whitelisted as a global parameter.
14. Parameters - retrieves the permanent whitelist and sets Whitelisted as a global parameter.
15. Case Item - records in the case that the user's activity was added to the whitelist (permanent or temporary).
16. End - maps the playbook's output parameters. Their values can be seen under Results in Monitoring and are further analyzed by the security team. These parameters are also returned to the UEBA Triage playbook.
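The notification and mail steps (3 to 7) as an added example in Python; this is not the playbook's own code. It builds the HTML body with every UEBA field escaped and the Case URL restricted to the SOAR's own host, and it returns the client-credentials token request and the mail payload instead of sending them, so it runs offline. The parameter names in SAMPLE_PARAMS, the case URL and host, the tenant values and the placeholder logo string are all constructed. The page's playbook sends through the Outlook API; the Graph v1.0 sendMail shape used here is an assumed near equivalent, not the playbook's actual request.

```python
"""Build the HTML notification and the mail/token requests for steps 3-7.
Added example, not Logpoint's playbook code. Parameter names, URLs and the
logo string are constructed stand-ins."""
import html
import json
from urllib.parse import urlsplit

# Constructed stand-ins for the parameters the Trigger receives from UEBA Triage.
SAMPLE_PARAMS = {
    "User": "jdoe",
    "Activity": "Unusual data download",
    "Risk score": 87,
    "Observed": "2024-05-01T02:13:00Z",
}
CASE_URL = "https://soar.example.com/cases/12345"   # constructed
LOGO_B64 = "iVBORw0KGgo="                            # constructed placeholder, not a real image
ALLOWED_CASE_HOST = "soar.example.com"               # assumed SOAR host


def safe_case_url(url: str) -> str:
    """Accept only an https link to our own SOAR host, so a poisoned parameter
    cannot turn the analyst's 'open the case' link into a phishing link."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname != ALLOWED_CASE_HOST:
        raise ValueError(f"refusing case URL outside {ALLOWED_CASE_HOST}: {url!r}")
    return html.escape(url, quote=True)


def build_notification(params: dict, case_url: str, logo_b64: str) -> str:
    """Return the HTML body. Every UEBA field is escaped: a user name such as
    '<img src=x onerror=...>' must not inject markup into the analyst's mailbox."""
    rows = "".join(
        f"<tr><th>{html.escape(str(k))}</th><td>{html.escape(str(v))}</td></tr>"
        for k, v in params.items()
    )
    return (
        "<html><body>"
        f'<img src="data:image/png;base64,{logo_b64}" alt="logo">'
        "<h2>UEBA activity awaiting whitelist decision</h2>"
        f"<table>{rows}</table>"
        f'<p><a href="{safe_case_url(case_url)}">Open the case and decide</a></p>'
        "</body></html>"
    )


def token_request(tenant_id: str, client_id: str, client_secret: str):
    """Client-credentials request for the access token (step 6).
    Returns (url, form) rather than posting it, so the example stays offline."""
    return (
        f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token",
        {
            "grant_type": "client_credentials",
            "client_id": client_id,
            "client_secret": client_secret,
            "scope": "https://graph.microsoft.com/.default",
        },
    )


def sendmail_payload(to_addresses, subject: str, html_body: str) -> dict:
    """Body for POST /users/{sender}/sendMail in Graph v1.0 (assumed equivalent
    of the playbook's Outlook API call, whose payload differs)."""
    return {
        "message": {
            "subject": subject,
            "body": {"contentType": "HTML", "content": html_body},
            "toRecipients": [{"emailAddress": {"address": a}} for a in to_addresses],
        },
        "saveToSentItems": False,
    }


if __name__ == "__main__":
    body = build_notification(SAMPLE_PARAMS, CASE_URL, LOGO_B64)
    payload = sendmail_payload(["soc@example.com"], "UEBA: whitelist decision needed", body)
    print(json.dumps(payload, indent=2))
```

The credential behind the token request should carry only the mail-sending permission the playbook needs and live in the SOAR's credential store, not in the playbook definition: an application secret with broad Graph mail rights is a read path into every mailbox in the tenant if it leaks.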
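The decision and whitelist steps (8 to 15) modelled as an added Python example; this is not Logpoint's playbook code. It applies the analyst's Prompt answer, the FOREVER comparison, separate permanent and temporary stores, and the expiry check that makes a temporary entry lapse. The in-memory store, the field names, hours as the unit of a temporary duration and the analyst field are assumptions; the real playbook keeps its whitelist through Query blocks whose syntax is not reproduced here.

```python
"""Whitelist decision logic mirroring Prompt -> If...Then -> Query -> Parameters.
Added example; the in-memory store, field names and hour-based durations are
assumptions, not Logpoint's implementation."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple, Union

FOREVER = "FOREVER"           # value the playbook's If...Then compares with !==
Duration = Union[str, int]    # FOREVER, or a number of hours (assumed unit)
Key = Tuple[str, str]


@dataclass(frozen=True)
class WhitelistEntry:
    user: str
    activity: str
    added_at: datetime
    expires_at: Optional[datetime]   # None means permanent
    analyst: str                     # who approved it; needed for audit


def _key(user: str, activity: str) -> Key:
    # Normalise the user so "JDoe " and "jdoe" do not become two entries;
    # the activity name is matched exactly.
    return (user.strip().casefold(), activity.strip())


class Whitelist:
    def __init__(self) -> None:
        self._permanent: Dict[Key, WhitelistEntry] = {}
        self._temporary: Dict[Key, WhitelistEntry] = {}

    def decide(self, user: str, activity: str, approve: bool,
               duration: Duration, analyst: str, now: datetime) -> Optional[WhitelistEntry]:
        """Apply the analyst's Prompt answer. Returns the stored entry, or None
        when the analyst rejected whitelisting (the playbook stops there)."""
        if not approve:
            return None
        if now.tzinfo is None:
            raise ValueError("pass an aware UTC timestamp so expiry is unambiguous")
        key = _key(user, activity)
        if duration == FOREVER:                       # the !== FOREVER branch
            entry = WhitelistEntry(user, activity, now, None, analyst)
            self._permanent[key] = entry
            self._temporary.pop(key, None)            # permanent supersedes temporary
        else:
            hours = int(duration)
            if hours <= 0:
                raise ValueError("temporary whitelist needs a positive duration")
            entry = WhitelistEntry(user, activity, now, now + timedelta(hours=hours), analyst)
            self._temporary[key] = entry
        return entry

    def is_whitelisted(self, user: str, activity: str, now: datetime) -> bool:
        """What the Parameters block sets as Whitelisted; an expired temporary
        entry counts as not whitelisted even before it is purged."""
        key = _key(user, activity)
        if key in self._permanent:
            return True
        entry = self._temporary.get(key)
        return entry is not None and now < entry.expires_at

    def purge_expired(self, now: datetime) -> List[WhitelistEntry]:
        """Drop lapsed temporary entries; returns them so they can be logged."""
        expired = [e for e in self._temporary.values() if now >= e.expires_at]
        for e in expired:
            del self._temporary[_key(e.user, e.activity)]
        return expired


if __name__ == "__main__":
    wl = Whitelist()
    now = datetime.now(timezone.utc)                  # the playbook's Script step
    print(wl.decide("jdoe", "Unusual data download", True, 24, "analyst.a", now))
    print(wl.is_whitelisted("JDoe", "Unusual data download", now + timedelta(hours=25)))
```

Two points the playbook's Script step (current time) and Parameters steps hinge on: the timestamp used for expiry must be timezone-aware, and whatever consumes the temporary whitelist must treat a lapsed entry as not whitelisted, otherwise "temporary" silently becomes "forever". Keeping the approving analyst on each entry matters because the whitelist is exactly what an attacker operating a compromised account would want to tamper with.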