{"id":47356712,"url":"https://github.com/crowdsecurity/crowdsec-sentinel-playbook","last_synced_at":"2026-04-05T10:03:53.771Z","repository":{"id":327728971,"uuid":"1110523862","full_name":"crowdsecurity/crowdsec-sentinel-playbook","owner":"crowdsecurity","description":"Microsoft Sentinel CrowdSec IP Reputation PlayBook","archived":false,"fork":false,"pushed_at":"2026-02-23T15:26:08.000Z","size":234,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-04-01T07:51:56.681Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/crowdsecurity.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-12-05T10:18:42.000Z","updated_at":"2026-02-23T15:26:12.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/crowdsecurity/crowdsec-sentinel-playbook","commit_stats":null,"previous_names":["buixor/crowdsec-sentinel-playbook","crowdsecurity/crowdsec-sentinel-playbook"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/crowdsecurity/crowdsec-sentinel-playbook","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/crowdsecurity%2Fcrowdsec-sentinel-playbook","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/crowdsecurity%2Fcrowdsec-sentinel-playbook/tags","releases_url":"https://repos.ecosyste.ms/api/v1/ho
sts/GitHub/repositories/crowdsecurity%2Fcrowdsec-sentinel-playbook/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/crowdsecurity%2Fcrowdsec-sentinel-playbook/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/crowdsecurity","download_url":"https://codeload.github.com/crowdsecurity/crowdsec-sentinel-playbook/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/crowdsecurity%2Fcrowdsec-sentinel-playbook/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31431454,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-05T08:13:15.228Z","status":"ssl_error","status_checked_at":"2026-04-05T08:13:11.839Z","response_time":75,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-03-18T03:00:19.121Z","updated_at":"2026-04-05T10:03:53.756Z","avatar_url":"https://github.com/crowdsecurity.png","language":null,"funding_links":[],"categories":["SIEM \u0026 Security Operations"],"sub_categories":["Other Bouncers"],"readme":"\n# Microsoft Sentinel CrowdSec CTI PlayBook\n\n## Summary\n\nThis PlayBook / Logic App automatically creates an alert when a successful login is performed from a suspicious or malicious IP.\n\n![Example Alert](/img/alert.png)\n\n## Prerequisites\n\nBefore deploying this playbook, ensure the following prerequisites are 
completed:\n   1. Create a CTI API Key on https://app.crowdsec.net/\n   2. Note down the following required value from the console\n      - CrowdSec CTI API Key\n\n# Deployment Instructions\n\n1. Click the Deploy to Azure button below to launch the ARM Template deployment wizard.\n\n[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fbuixor%2Fcrowdsec-sentinel-playbook%2Frefs%2Fheads%2Fmain%2Fazuredeploy.json)\n\n2. Fill in the required parameters.\n\n![Deploy](/img/setup.png)\n\n# Post Deployment Instructions\n\n## Permissions\n\n - In the resource group, via IAM, grant:\n    - \"Microsoft Sentinel Contributor\" role to the Logic App\n    - \"Microsoft Sentinel Automation Contributor\" role to \"Azure Security Insights\"\n - Authorize the Azure Sentinel API Connection (General -\u003e Edit API Connection)\n\n## Example Usage\n\nIn our example, we are going to create an **Analytics Rule** to trigger on successful Entra ID authentications, and use an **Automation Rule** to trigger our **Logic App**.\n\nOur **Logic App** will query CrowdSec's CTI and create an **Alert** if the authentication came from a malicious or suspicious IP.\n\n1. Create Analytics Rule\n\n![Analytics Rule Creation](/img/analytics-rule.png)\n\n2. Create Automation Rule\n\n![Automation Rule Creation](/img/automation-rule.png)\n\n3. Test it\n\nTry to log in from, for example, a Tor exit node IP address, wait for your analytics rule to trigger, and watch the alert appear.\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcrowdsecurity%2Fcrowdsec-sentinel-playbook","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcrowdsecurity%2Fcrowdsec-sentinel-playbook","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcrowdsecurity%2Fcrowdsec-sentinel-playbook/lists"}
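The README's "Example Usage" describes the decision the Logic App makes: take the source IP of a successful Entra ID sign-in, look it up in CrowdSec CTI, and raise an alert only when the verdict is malicious or suspicious. The following is an added example, not code from the crowdsec-sentinel-playbook repository, that implements that decision in plain Python so it can be run and tested offline. It assumes the lookup is CrowdSec's documented smoke endpoint (`GET https://cti.api.crowdsec.net/v2/smoke/{ip}` with the key in an `x-api-key` header), that sign-in records follow the Sentinel `SigninLogs` convention of `ResultType == "0"` for success, and that the HTTP client is injected as a function; the sample events and CTI responses are constructed and use documentation-range addresses.

```python
"""
Added example (not part of the crowdsec-sentinel-playbook repository): the
check performed by the playbook's Logic App, as plain Python.

Assumptions not taken from the README:
  - CTI lookup = GET https://cti.api.crowdsec.net/v2/smoke/{ip} with the key
    in the x-api-key header. The HTTP call is injected, so nothing here
    touches the network.
  - Sentinel SigninLogs convention: ResultType == "0" is a successful sign-in.
  - All sample events and CTI responses below are constructed.
"""
import ipaddress
import json
from typing import Callable, Optional

CTI_URL = "https://cti.api.crowdsec.net/v2/smoke/{ip}"
# The README alerts on "malicious or suspicious"; every other verdict is ignored.
ALERTING = {"malicious": "High", "suspicious": "Medium"}
# Source addresses CTI cannot have a verdict on: skip the lookup entirely.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]

# Constructed CTI responses, shaped like the smoke API, keyed by IP.
FAKE_CTI = {
    "203.0.113.7": {"ip": "203.0.113.7", "reputation": "malicious",
                    "classifications": {"classifications": [{"name": "community-blocklist"}]},
                    "behaviors": [{"name": "http:bruteforce"}, {"name": "ssh:bruteforce"}]},
    "198.51.100.9": {"ip": "198.51.100.9", "reputation": "suspicious",
                     "classifications": {"classifications": [{"name": "proxy:tor"}]},
                     "behaviors": []},
    "192.0.2.10": {"ip": "192.0.2.10", "reputation": "known",
                   "classifications": {"classifications": []}, "behaviors": []},
}


def build_request(ip: str, api_key: str) -> tuple[str, dict]:
    """URL and headers for the CTI smoke lookup (nothing is sent here)."""
    return CTI_URL.format(ip=ip), {"x-api-key": api_key, "accept": "application/json"}


def fake_fetch(url: str, headers: dict) -> tuple[int, str]:
    """Stand-in HTTP client: answers from FAKE_CTI, 404 for anything else."""
    ip = url.rsplit("/", 1)[-1]
    if ip in FAKE_CTI:
        return 200, json.dumps(FAKE_CTI[ip])
    return 404, json.dumps({"message": "IP address not found"})  # constructed body


def lookup(ip: str, api_key: str, fetch: Callable) -> dict:
    """Return the CTI record; a 404 (IP never seen) becomes an 'unknown' record."""
    url, headers = build_request(ip, api_key)
    status, body = fetch(url, headers)
    if status == 404:
        return {"ip": ip, "reputation": "unknown",
                "classifications": {"classifications": []}, "behaviors": []}
    if status != 200:
        # A bad key or exhausted quota must surface, not silently suppress alerts.
        raise RuntimeError(f"CTI lookup for {ip} failed with HTTP {status}")
    return json.loads(body)


def evaluate_signin(event: dict, api_key: str, fetch: Callable = fake_fetch) -> Optional[dict]:
    """Return an alert dict when the sign-in warrants one, otherwise None."""
    if event.get("ResultType") != "0":          # only successful authentications
        return None
    ip = ipaddress.ip_address(event["IPAddress"])
    if any(ip in net for net in INTERNAL_NETS):  # internal source: no CTI verdict possible
        return None
    record = lookup(str(ip), api_key, fetch)
    severity = ALERTING.get(record.get("reputation"))
    if severity is None:
        return None
    return {
        "title": f"Successful sign-in from {record['reputation']} IP {ip}",
        "severity": severity,
        "user": event.get("UserPrincipalName"),
        "ip": str(ip),
        "reputation": record["reputation"],
        "classifications": [c["name"] for c in record["classifications"]["classifications"]],
        "behaviors": [b["name"] for b in record["behaviors"]],
    }


if __name__ == "__main__":
    # Constructed SigninLogs-like events: blocklisted IP, Tor exit, benign, internal, failed login.
    events = [
        {"UserPrincipalName": "alice@example.test", "IPAddress": "203.0.113.7", "ResultType": "0"},
        {"UserPrincipalName": "bob@example.test", "IPAddress": "198.51.100.9", "ResultType": "0"},
        {"UserPrincipalName": "carol@example.test", "IPAddress": "192.0.2.10", "ResultType": "0"},
        {"UserPrincipalName": "dave@example.test", "IPAddress": "10.0.0.5", "ResultType": "0"},
        {"UserPrincipalName": "eve@example.test", "IPAddress": "203.0.113.7", "ResultType": "50126"},
    ]
    for e in events:
        print(e["IPAddress"], e["ResultType"], "->", evaluate_signin(e, "demo-key"))
```

Two behaviours worth keeping when the same logic lives in a Logic App: a 404 from CTI means "never seen", which is not a reason to alert, while any other non-200 status should fail the run loudly rather than quietly produce no alert, since a revoked key would otherwise look exactly like a clean environment.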