Tags: azure-logic-apps, azure-sentinel

Logic Apps: How to use the "Create a new watchlist with data (raw content)" action


I want to create a watchlist in my Sentinel workspace

enter image description here

I'm getting the following error: enter image description here

What is the correct way to use this action to create a watchlist?

Suppose I have the object below and want to turn it into a watchlist:

{
  "value": [
    {
      "ip": "185.241.208.232"
    },
    {
      "ip": "194.26.192.64"
    },
    {
      "ip": "171.25.193.25"
    },
    {
      "ip": "80.67.167.81"
    }
]
}

Solution

  • I am able to create a watchlist using the workflow below. The key points are that `rawContent` must be CSV text, not a JSON object — here it is produced by a "Create CSV table" action fed from the array of `{"ip": ...}` objects, so the CSV header row is `ip` — and `itemsSearchKey` must name one of those header columns (`"ip"`), since that column is the key the watchlist is indexed on. Note that the watchlist's identifier is the last segment of the action's `path` (`afreen-watchlist` in the redacted example), which is what you later reference from KQL; `displayName` is only a label. Because the action uses `"method": "put"`, re-running the workflow against the same alias appears to be a create-or-update rather than a second create — confirm that overwriting is what you want before scheduling it. Two practitioner caveats: the workflow is started by a manual HTTP `Request` trigger with no inputs, so anyone who obtains its callback URL can rewrite the watchlist (restrict the trigger with an authorization policy or IP allow-list, or use a different trigger), and if the IP list ever comes from an external feed instead of a hard-coded variable, validate each value as an IP address before it is written, since watchlist contents feed detections. The `azuresentinel` API connection also needs write access to the workspace; grant it at the workspace scope with the least privilege that works.

    enter image description here

    enter image description here enter image description here

    {
      "description": "A watchlist containing IP addresses",
      "displayName": "MyIPWatchlist",
      "itemsSearchKey": "ip",
      "rawContent": "@{body('Create_CSV_table')}"
    }
    

    Code - (full workflow definition; subscription, resource-group and workspace IDs are redacted)

    {
        "definition": {
            "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
            "actions": {
                "Create_CSV_table": {
                    "inputs": {
                        "format": "CSV",
                        "from": "@variables('IpAddresses')"
                    },
                    "runAfter": {
                        "Initialize_variable": [
                            "Succeeded"
                        ]
                    },
                    "type": "Table"
                },
                "Initialize_variable": {
                    "inputs": {
                        "variables": [
                            {
                                "name": "IpAddresses",
                                "type": "array",
                                "value": [
                                    {
                                        "ip": "185.241.208.232"
                                    },
                                    {
                                        "ip": "194.26.192.64"
                                    },
                                    {
                                        "ip": "171.25.193.25"
                                    },
                                    {
                                        "ip": "80.67.167.81"
                                    }
                                ]
                            }
                        ]
                    },
                    "runAfter": {},
                    "type": "InitializeVariable"
                },
                "Watchlists_-_Create_a_new_Watchlist_with_data_(Raw_Content)": {
                    "inputs": {
                        "body": {
                            "description": "A watchlist containing IP addresses",
                            "displayName": "MyIPWatchlist",
                            "itemsSearchKey": "ip",
                            "rawContent": "@{body('Create_CSV_table')}"
                        },
                        "host": {
                            "connection": {
                                "name": "@parameters('$connections')['azuresentinel']['connectionId']"
                            }
                        },
                        "method": "put",
                        "path": "/Watchlists/subscriptions/@{encodeURIComponent('b83c1*******23f')}/resourceGroups/@{encodeURIComponent('*******')}/workspaces/@{encodeURIComponent('0497f*******cef')}/watchlists/@{encodeURIComponent('afreen-watchlist')}"
                    },
                    "runAfter": {
                        "Create_CSV_table": [
                            "Succeeded"
                        ]
                    },
                    "type": "ApiConnection"
                }
            },
            "contentVersion": "1.0.0.0",
            "outputs": {},
            "parameters": {
                "$connections": {
                    "defaultValue": {},
                    "type": "Object"
                }
            },
            "triggers": {
                "manual": {
                    "inputs": {},
                    "kind": "Http",
                    "type": "Request"
                }
            }
        },
        "parameters": {
            "$connections": {
                "value": {
                    "azuresentinel": {
                        "connectionId": "/subscriptions/b8***********3f/resourceGroups/*******/providers/Microsoft.Web/connections/azuresentinel",
                        "connectionName": "azuresentinel",
                        "id": "/subscriptions/b8**********3f/providers/Microsoft.Web/locations/eastus/managedApis/azuresentinel"
                    }
                }
            }
        }
    }
    

    Output-

    enter image description here

    enter image description here