https://github.com/crowdsecurity/crowdsec-sentinel-playbook
Microsoft Sentinel CrowdSec IP Reputation PlayBook
- Host: GitHub
- URL: https://github.com/crowdsecurity/crowdsec-sentinel-playbook
- Owner: crowdsecurity
- Created: 2025-12-05T10:18:42.000Z (6 months ago)
- Default Branch: main
- Last Pushed: 2026-02-23T15:26:08.000Z (4 months ago)
- Last Synced: 2026-04-01T07:51:56.681Z (2 months ago)
- Size: 229 KB
- Stars: 0
- Watchers: 0
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
- awesome-crowdsec - crowdsec-sentinel-playbook - Microsoft Sentinel playbook for automated IP reputation enrichment. (SIEM & Security Operations / Other Bouncers)
README
# Microsoft Sentinel CrowdSec CTI PlayBook
## Summary
This playbook (an Azure Logic App) automatically creates an alert when a successful login is performed from an IP that CrowdSec CTI classifies as suspicious or malicious.

## Prerequisites
Before deploying this playbook, ensure the following prerequisites are completed:
1. Create a CTI API key on https://app.crowdsec.net/
2. Note down the following required value from the console:
   - CrowdSec CTI API Key
## Deployment Instructions
1. Click the Deploy to Azure button below to launch the ARM Template deployment wizard.
   [Deploy to Azure](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fbuixor%2Fcrowdsec-sentinel-playbook%2Frefs%2Fheads%2Fmain%2Fazuredeploy.json)
2. Fill in the required parameters.

## Post Deployment Instructions
### Permissions
- In the resource group, via IAM, grant:
  - the "Microsoft Sentinel Contributor" role to the Logic App
  - the "Microsoft Sentinel Automation Contributor" role to "Azure Security Insights"
- Authorize the Azure Sentinel API connection (General -> Edit API Connection)
### Example Usage
In this example, we create an **Analytics Rule** that triggers on successful Entra ID authentications and an **Automation Rule** that runs our **Logic App** on each match.
The **Logic App** queries CrowdSec's CTI for the source IP of the sign-in and creates an **Alert** if the authentication came from a malicious or suspicious IP.
1. Create the Analytics Rule
2. Create the Automation Rule
3. Test it: try to log in from, for example, a Tor exit IP address, wait for the analytics rule to trigger, and watch the alerts appear.
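The decision the Logic App makes, written out as an added stand-alone Python script that is not part of this repository: it takes the source IP of a successful sign-in, looks it up in CrowdSec CTI, and reports whether an alert is warranted. The CTI endpoint URL, the `x-api-key` header and the `reputation`/`behaviors` fields are assumptions about the CTI API, and the records in the sample table are constructed so the script runs offline.

```python
import ipaddress
import json
from typing import Optional, Tuple
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Assumed CTI endpoint and auth header; neither is stated in the README.
CTI_URL = "https://cti.api.crowdsec.net/v2/smoke/{ip}"
ALERT_REPUTATIONS = {"malicious", "suspicious"}
# RFC 1918 and loopback ranges: a "successful login" from these is not a CTI question.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "::1/128")]

def lookup_cti(ip: str, api_key: str) -> Optional[dict]:
    """Fetch the CTI record for one IP; None when CTI has never seen it (HTTP 404)."""
    req = Request(CTI_URL.format(ip=ip), headers={"x-api-key": api_key})
    try:
        with urlopen(req, timeout=10) as resp:
            return json.load(resp)
    except HTTPError as err:
        if err.code == 404:
            return None
        raise

def should_alert(ip: str, cti_record: Optional[dict]) -> Tuple[bool, str]:
    """Decide whether a successful login from `ip` deserves a Sentinel alert."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False, "unparseable source IP, skipped"
    if any(addr in net for net in NON_ROUTABLE):
        return False, "non-routable source, CTI not consulted"
    if cti_record is None:
        return False, "IP unknown to CrowdSec CTI"
    reputation = cti_record.get("reputation", "unknown")
    if reputation not in ALERT_REPUTATIONS:
        return False, f"reputation '{reputation}', no alert"
    labels = ", ".join(b.get("label", "?") for b in cti_record.get("behaviors", []))
    return True, f"successful login from {reputation} IP ({labels})"

# Constructed sample CTI records keyed by sign-in source IP (documentation ranges).
CONSTRUCTED_CTI = {
    "203.0.113.7": {"reputation": "malicious", "behaviors": [{"label": "SSH Bruteforce"}]},
    "198.51.100.9": {"reputation": "known", "behaviors": []},
}

def process_signin(ip: str, cti: dict = CONSTRUCTED_CTI) -> Tuple[bool, str]:
    """Run one successful-login event through the decision, offline via the sample table."""
    return should_alert(ip, cti.get(ip))
```

In a live deployment, replace the sample table with `lookup_cti(ip, api_key)` so the "known" and "unknown" cases come from CTI itself.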