Merge pull request #2926 from RamboV/master

IPQualityScore Content for Azure Sentinel Solutions
This commit is contained in:
Sreedhar Ande 2021-09-27 17:44:07 -07:00 коммит произвёл GitHub
Родитель bfe302b7b7 8eed98dcde
Коммит 07f64463bf
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: 4AEE18F83AFDEB23
21 изменённых файлов: 3316 добавлений и 0 удалений


@ -0,0 +1,4 @@
<svg id="eae568ab-2862-40ec-9133-8a40986d66fa" xmlns="http://www.w3.org/2000/svg" width="230" height="230" viewBox="0 0 230 230">
<path d="M115.4,93c1.8,0,2.9,1,2.9,3.5V112h-5.8V96.5c0-2.5,1.1-3.5,2.9-3.5m38,7.5-.3-1.5c0-.4.1-.9.1-1.4s-.1-1-.2-1.5-.1-1-.2-1.5l-.3-1.4h-.2a8,8,0,0,0-.3-1.5c-.1-.4-.3-.9-.4-1.4l-.3-1.4a8.3,8.3,0,0,1-.4-1.5,5.9,5.9,0,0,1-.6-1.4c-.2-.4-.3-.9-.5-1.4a5.4,5.4,0,0,0-.7-1.3,5.8,5.8,0,0,0-.5-1.4c-.2-.5-.3-1-.5-1.5s-.5-.8-.7-1.3-.3-1-.5-1.4l-.6-1.4-.8-1.3-.6-1.4a9.1,9.1,0,0,1-.7-1.4l-.6-1.3-.8-1.4c-.2-.4-.5-.8-.7-1.3a8.3,8.3,0,0,1-.7-1.3c-.3-.5-.4-1-.7-1.4a14.8,14.8,0,0,0-.8-1.3l-.8-1.3-.6-1.4-.9-1.2c-.2-.5-.5-.9-.7-1.4l-.9-1.2a8.3,8.3,0,0,0-.7-1.3l-.8-1.3-.9-1.1a9.4,9.4,0,0,0-1-1l-.9-1.1c-.3-.4-.7-.5-1-.8l-1-.6c-.5-.1-.7-.1-.9.2a4.9,4.9,0,0,0-.1,1.4,7.1,7.1,0,0,0,.1,1.4c.1.5.3,1,.4,1.5l.3,1.5.3,1.5.6,1.4a10.3,10.3,0,0,0,.4,1.4,8,8,0,0,0,.3,1.5c.1.5.3,1,.4,1.5a14.7,14.7,0,0,0,.6,1.4c.1.4.1,1,.2,1.4a8.4,8.4,0,0,0,.6,1.4c.1.5,0,1,.1,1.5a7.4,7.4,0,0,1,.4,1.4c.1.5.1,1,.2,1.4a8.3,8.3,0,0,1,.4,1.5,7.1,7.1,0,0,1,.1,1.4c0,.5-.3,1-.3,1.4a5.7,5.7,0,0,1-.4,1.4,2.6,2.6,0,0,1-.9.9,3.9,3.9,0,0,1-1.1.6,3.4,3.4,0,0,1-1.4-.1,2.9,2.9,0,0,1-2.5-1.1,3.4,3.4,0,0,1-.9-1.2c-.2-.5-.3-1-.5-1.5s-.3-1-.4-1.6a7.7,7.7,0,0,1-.2-1.5c0-.5-.1-1.1-.1-1.6s.1-1,.1-1.6V67.7c0-.6.1-1.1.1-1.6V64.5a7.6,7.6,0,0,1,.1-1.5c0-.5.1-1.1.1-1.6V59.9a8.5,8.5,0,0,0,0-1.6V56.7c-.1-.8-.3-1.2-.6-1.4s-.5-.2-1,.3l-.8,1-.6,1.1a8.6,8.6,0,0,0-.7,1c-.2.3-.3.8-.5,1.2a4.3,4.3,0,0,0-.5,1.2l-.5,1.2a6.1,6.1,0,0,0-.5,1.2l-.6,1.2a5.8,5.8,0,0,1-.3,1.4l-.4,1.2c-.1-.5-.1-.9-.2-1.4s-.3-.8-.4-1.3l-.3-1.4-.3-1.4c-.1-.5-.3-.9-.4-1.4l-.3-1.3c-.1-.5-.3-1-.4-1.5s-.3-1-.5-1.4l-.3-1.5-.6-1.4a5.7,5.7,0,0,0-.4-1.4,5.2,5.2,0,0,0-.6-1.3,5.7,5.7,0,0,0-.4-1.4c-.2-.5-.3-1-.5-1.4a6.7,6.7,0,0,1-.6-1.2l-.6-1.2-.6-1.2a3.4,3.4,0,0,0-.6-1.2c-.2-.4-.6-.6-.8-.8s-.6-.3-.8.2a5.8,5.8,0,0,0-.1,1.5c.1.4.1.9.2,1.5s.3.8.4,1.4.1.9.2,1.4l.3,1.3a7.6,7.6,0,0,1,.1,1.5,6.5,6.5,0,0,1,0,1.4c0,.5.1,1,.1,1.5v1.4a8,8,0,0,1-.3,1.5,6.6,6.6,0,0,1-.1,1.4c-.1.5-.1,1-.2,1.5l-.3,1.5a9,9,0,0,1-.3,1.6c-.1.5-.3.9-.4,1.4l-.6,1.5a8.3,8.3,0,0,1-.4,1.5c-.2.5-.3,1-.5,1.4l-.7,1.4a9.4,9.4,0,0,0-.6,1
.5,6.9,6.9,0,0,1-.5-1.3c-.2-.5-.3-.9-.5-1.3l-.3-1.4c-.1-.4-.1-.9-.2-1.4l-.3-1.3a7,7,0,0,1-.3-1.4,7.5,7.5,0,0,1,0-1.5,7.7,7.7,0,0,1-.2-1.5,7.7,7.7,0,0,1-.2-1.5V54.1a10,10,0,0,0,.2-1.6c0-.6-.1-1.1-.1-1.6s-.1-1.1-.4-1.2-.5-.1-1,.3l-1,.8-.9,1.2a5.3,5.3,0,0,0-.9,1.1,12.5,12.5,0,0,0-.9,1.2l-.9,1.2a6.2,6.2,0,0,0-.9,1.2c-.2.4-.6.7-.9,1.2s-.6.7-.9,1.2l-.8,1.3-.8,1.2-.9,1.3-.8,1.3a15.5,15.5,0,0,1-1.5,2.5l-.8,1.2c-.3.4-.4.9-.7,1.4s-.6.8-.8,1.2-.5.8-.7,1.3a5.4,5.4,0,0,0-.7,1.3,7.5,7.5,0,0,0-.6,1.3,9.1,9.1,0,0,0-.8,1.3L84.4,77l-.8,1.3L83,79.6c-.2.5-.3,1-.5,1.4l-.6,1.4c-.2.4-.3.9-.5,1.3l-.6,1.4c-.1.4-.5.9-.6,1.3l-.5,1.4-.3,1.4-.3,1.4c-.1.5-.4.9-.5,1.4s-.2.3-.2.5a8.8,8.8,0,0,0-.2,1.6c-.1.5-.5.9-.6,1.4s-.1,1.1-.1,1.6a7.6,7.6,0,0,0-.1,1.5,7.5,7.5,0,0,0,0,1.5v1.5c0,.5.1.9.1,1.4s-.1,1,0,1.5l.3,1.5c.1.5.1,1,.2,1.5a5.9,5.9,0,0,0,.6,1.4l.3,1.5c.2.5.3,1,.5,1.5l.6,1.4c.2.5.7.9.9,1.4a10,10,0,0,1,.8,1.4l.9,1.3c.3.5.5,1,.8,1.4l1.1,1.3,1.2,1.2a6.9,6.9,0,0,0,1.1,1.3,7.4,7.4,0,0,0,1.2,1.3c.4.4,1,.6,1.4,1l1.4,1.1,1.5,1,1.4,1,1.6,1,1.7.7,1.2.6V115.2a3.2,3.2,0,0,1,3.2-3.2h5.5V96.9c0-5.7,3-9,8.5-9s8.5,3.3,8.5,9V112h5.5a3.2,3.2,0,0,1,3.2,3.2v15l.6-.4,1.7-.7,1.5-1,1.7-.7,1.4-1.2,1.5-.9,1.3-1.2,1.3-1.1,1.2-1.3,1.1-1.2c.3-.5.8-.8,1.1-1.3a6.4,6.4,0,0,0,.8-1.4,15,15,0,0,0,1.1-1.3c.2-.4.5-.9.7-1.4a8.4,8.4,0,0,0,.6-1.4l.7-1.4.8-1.4c.1-.5.1-1.1.2-1.6a5.9,5.9,0,0,0,.6-1.4c.1-.5.3-1,.4-1.5s0-1,.1-1.4.1-1,.2-1.5.2-1,.2-1.5v-1.5M79.6,174.7h6V136.5h-6Zm28.2-28.8v5c0,6.1-3,9.4-9,9.4H96v14.4H90V136.5h8.8c6,0,9,3.3,9,9.4m-11.8-4v13h2.8c1.9,0,3-.9,3-3.6v-5.8c0-2.7-1.1-3.6-3-3.6Z" fill="#f43a3a"/>
<path d="M110.3,145.7c0-6.2,3.2-9.6,9.1-9.6s9.1,3.4,9.1,9.6v19.8a11.9,11.9,0,0,1-1.1,5.3c.3.7.7.9,1.7.9h.5V177h-.8c-2.7,0-4.4-1-5.2-2.6a13.2,13.2,0,0,1-4.2.7c-5.9,0-9.1-3.5-9.1-9.6Zm6,20.2c0,2.7,1.2,3.7,3.1,3.7s3.1-1,3.1-3.7V145.3c0-2.8-1.2-3.8-3.1-3.8s-3.1,1-3.1,3.8Zm25.2-29.8c-5.8,0-8.8,3.4-8.8,9.6,0,10.9,11.7,12.3,11.7,20.2,0,2.7-1.2,3.7-3.1,3.7s-3.1-1-3.1-3.7v-2.7h-5.6v2.3c0,6.1,3,9.6,8.9,9.6s8.9-3.5,8.9-9.6c0-10.9-11.7-12.4-11.7-20.2,0-2.8,1.1-3.8,3-3.8s3,1,3,3.8v1.6h5.7v-1.2c0-6.2-3-9.6-8.9-9.6" fill="#1f1e2c"/>
</svg>


@ -0,0 +1,751 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"comments": "This playbook uses the IPQS Fraud and Risk Scoring connector to automatically enrich incidents generated by Sentinel. Learn more about the integration via the https://docs.microsoft.com/connectors/ipqsfraudandriskscor/ or visit https://www.ipqualityscore.com/contact-us to request a trial key.",
"author": "David Mackler, IPQualityScore"
},
"parameters": {
"PlaybookName": {
"defaultValue": "Enrich_Sentinel_IPQualityScore_Email_Address_Reputation",
"type": "string"
},
"UserName": {
"defaultValue": "<username>@<domain>",
"type": "string"
}
},
"variables": {
"IPQSApiKey": "[concat('ipqsfraudandriskscor-', parameters('PlaybookName'))]",
"AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]"
},
"resources": [
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('AzureSentinelConnectionName')]",
"location": "[resourceGroup().location]",
"properties": {
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('IPQSApiKey')]",
"location": "[resourceGroup().location]",
"properties": {
"displayName": "[parameters('UserName')]",
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/ipqsfraudandriskscor')]"
}
}
},
{
"type": "Microsoft.Logic/workflows",
"apiVersion": "2017-07-01",
"name": "[parameters('PlaybookName')]",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Web/connections', variables('IPQSApiKey'))]",
"[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]"
],
"properties": {
"state": "Enabled",
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"$connections": {
"defaultValue": {},
"type": "Object"
}
},
"triggers": {
"When_a_response_to_an_Azure_Sentinel_alert_is_triggered": {
"type": "ApiConnectionWebhook",
"inputs": {
"body": {
"callback_url": "@{listCallbackUrl()}"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"path": "/subscribe"
}
}
},
"actions": {
"Account_Name_Variable": {
"runAfter": {
"JSON_OUPUT": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "account_name",
"type": "string"
}
]
}
},
"Account_UPN_Suffix_Variable": {
"runAfter": {
"Account_Name_Variable": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "account_upn_suffix",
"type": "string"
}
]
}
},
"Disposable_Variable": {
"runAfter": {
"Email_FRAUD_SCORE_Variable": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "disposable",
"type": "boolean"
}
]
}
},
"Domain_Age_Variable": {
"runAfter": {
"Email_Entity_Value": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "domain_age",
"type": "string"
}
]
}
},
"Email_Connector_Variable": {
"runAfter": {
"Account_UPN_Suffix_Variable": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "email_connector",
"type": "string",
"value": "@"
}
]
}
},
"Email_Entity_Value": {
"runAfter": {
"Email_Connector_Variable": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "email_entity_value",
"type": "string"
}
]
}
},
"Email_FRAUD_SCORE_Variable": {
"runAfter": {
"IPQS_Reputation_Variable": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "email_fraud_score",
"type": "integer"
}
]
}
},
"Entities_-_Get_Accounts": {
"runAfter": {},
"type": "ApiConnection",
"inputs": {
"body": "@triggerBody()?['Entities']",
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/entities/account"
}
},
"First_Seen_Variable": {
"runAfter": {
"Domain_Age_Variable": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "first_seen",
"type": "string"
}
]
}
},
"For_each": {
"foreach": "@body('Entities_-_Get_Accounts')?['Accounts']",
"actions": {
"Add_comment_to_incident_(V3)_2": {
"runAfter": {
"Alert_-_Get_incident_2": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"body": {
"incidentArmId": "@body('Alert_-_Get_incident_2')?['id']",
"message": "<p><span style=\"font-size: 24px; color: rgb(71,85,119)\">IPQualityScore Reputation Data for </span><span style=\"font-size: 24px\"></span><span style=\"font-size: 24px\">@{variables('email_entity_value')}</span><span style=\"font-size: 24px\"><br>\n</span><span style=\"font-size: 18px; color: rgb(71,85,119)\">IPQS REPUTATION: </span><span style=\"font-size: 18px; color: rgb(71,85,119)\">@{variables('ipqs_reputation')}</span><span style=\"font-size: 18px; color: rgb(71,85,119)\"><br>\nIPQS API RESPONSE:<br>\n</span><span style=\"font-size: 18px; color: rgb(71,85,119)\">@{body('Create_HTML_table')}</span><span style=\"font-size: 18px; color: rgb(71,85,119)\"></span></p>"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/Incidents/Comment"
}
},
"Alert_-_Get_incident_2": {
"runAfter": {
"Create_HTML_table": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "get",
"path": "/Incidents/subscriptions/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/resourceGroups/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/workspaces/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/alerts/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}"
}
},
"Checking_for_Successful_Response": {
"actions": {
"Check_Disposable": {
"actions": {
"IPQS_Reputation_Variable_CRITICAL": {
"runAfter": {},
"type": "SetVariable",
"inputs": {
"name": "ipqs_reputation",
"value": "CRITICAL"
}
}
},
"runAfter": {
"Set_Valid": [
"Succeeded"
]
},
"else": {
"actions": {
"Check_Fraud_Score_is_100": {
"actions": {
"IPQS_Reputation_Variable_HIGH_RISK": {
"runAfter": {},
"type": "SetVariable",
"inputs": {
"name": "ipqs_reputation",
"value": "HIGH RISK"
}
}
},
"runAfter": {},
"else": {
"actions": {
"Check_Fraud_Score_is_in_between_88_and_99": {
"actions": {
"IPQS_Reputation_Variable_MODERATE_RISK": {
"runAfter": {},
"type": "SetVariable",
"inputs": {
"name": "ipqs_reputation",
"value": "MODERATE RISK"
}
}
},
"runAfter": {},
"else": {
"actions": {
"Check_Fraud_Score_is_in_between_80_and_87": {
"actions": {
"IPQS_Reputation_Variable_LOW_RISK": {
"runAfter": {},
"type": "SetVariable",
"inputs": {
"name": "ipqs_reputation",
"value": "LOW RISK"
}
}
},
"runAfter": {},
"else": {
"actions": {
"Check_Valid": {
"actions": {
"IPQS_Reputation_Variable_SUSPICIOUS": {
"runAfter": {},
"type": "SetVariable",
"inputs": {
"name": "ipqs_reputation",
"value": "SUSPICIOUS"
}
}
},
"runAfter": {},
"else": {
"actions": {
"Check_Fraud_Score_is_less_than_or_equal_to_79": {
"actions": {
"IPQS_Reputation_Variable_CLEAN": {
"runAfter": {},
"type": "SetVariable",
"inputs": {
"name": "ipqs_reputation",
"value": "CLEAN"
}
}
},
"runAfter": {},
"expression": {
"and": [
{
"lessOrEquals": [
"@variables('email_fraud_score')",
79
]
}
]
},
"type": "If"
}
}
},
"expression": {
"and": [
{
"equals": [
"@variables('valid')",
false
]
}
]
},
"type": "If"
}
}
},
"expression": {
"and": [
{
"greaterOrEquals": [
"@variables('email_fraud_score')",
80
]
},
{
"lessOrEquals": [
"@variables('email_fraud_score')",
87
]
}
]
},
"type": "If"
}
}
},
"expression": {
"and": [
{
"greaterOrEquals": [
"@variables('email_fraud_score')",
88
]
},
{
"lessOrEquals": [
"@variables('email_fraud_score')",
99
]
}
]
},
"type": "If"
}
}
},
"expression": {
"and": [
{
"equals": [
"@variables('email_fraud_score')",
100
]
}
]
},
"type": "If"
}
}
},
"expression": {
"and": [
{
"equals": [
"@variables('disposable')",
true
]
}
]
},
"type": "If"
},
"Set_Disposable": {
"runAfter": {
"Set_Fraud_Score": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "disposable",
"value": "@body('Retrieve_Email_address_reputation_data')?['disposable']"
}
},
"Set_Fraud_Score": {
"runAfter": {},
"type": "SetVariable",
"inputs": {
"name": "email_fraud_score",
"value": "@body('Retrieve_Email_address_reputation_data')?['fraud_score']"
}
},
"Set_Valid": {
"runAfter": {
"Set_Disposable": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "valid",
"value": "@body('Retrieve_Email_address_reputation_data')?['valid']"
}
}
},
"runAfter": {
"Setting_Successful_Response_Variable": [
"Succeeded"
]
},
"expression": {
"and": [
{
"equals": [
"@variables('is_success')",
true
]
}
]
},
"type": "If"
},
"Create_HTML_table": {
"runAfter": {
"Setting_JSON_OUTPUT": [
"Succeeded"
]
},
"type": "Table",
"inputs": {
"format": "HTML",
"from": "@variables('json_output')"
}
},
"Retrieve_Email_address_reputation_data": {
"runAfter": {
"Setting_Email_Entity_Value": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"body": {
"$content-type": "multipart/form-data",
"$multipart": [
{
"body": "@variables('email_entity_value')",
"headers": {
"Content-Disposition": "form-data; name=\"email\""
}
},
{
"body": "0",
"headers": {
"Content-Disposition": "form-data; name=\"abuse_strictness\""
}
}
]
},
"host": {
"connection": {
"name": "@parameters('$connections')['ipqsfraudandriskscor']['connectionId']"
}
},
"method": "post",
"path": "/email"
}
},
"Set_Domain_Age_Variable": {
"runAfter": {
"Checking_for_Successful_Response": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "domain_age",
"value": "Human:@{body('Retrieve_Email_address_reputation_data')?['domain_age']?['human']} , Timestamp: @{body('Retrieve_Email_address_reputation_data')?['domain_age']?['timestamp']}, ISO: @{body('Retrieve_Email_address_reputation_data')?['domain_age']?['iso']}"
}
},
"Set_First_Seen_Variable": {
"runAfter": {
"Set_Domain_Age_Variable": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "first_seen",
"value": "Human: @{body('Retrieve_Email_address_reputation_data')?['first_seen']?['human']}, Timestamp: @{body('Retrieve_Email_address_reputation_data')?['first_seen']?['timestamp']} , ISO: @{body('Retrieve_Email_address_reputation_data')?['first_seen']?['iso']}"
}
},
"Setting_Accounts_Name_Variable": {
"runAfter": {},
"type": "SetVariable",
"inputs": {
"name": "account_name",
"value": "@items('For_each')?['Name']"
}
},
"Setting_Accounts_UPN_suffix_variable": {
"runAfter": {
"Setting_Accounts_Name_Variable": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "account_upn_suffix",
"value": "@items('For_each')?['UPNSuffix']"
}
},
"Setting_Email_Entity_Value": {
"runAfter": {
"Setting_Accounts_UPN_suffix_variable": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "email_entity_value",
"value": "@{concat(variables('account_name'),variables('email_connector'),variables('account_upn_suffix'))}"
}
},
"Setting_JSON_OUTPUT": {
"runAfter": {
"Set_First_Seen_Variable": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "json_output",
"value": [
{
"Catch All": "@body('Retrieve_Email_address_reputation_data')?['catch_all']",
"Common": "@body('Retrieve_Email_address_reputation_data')?['common']",
"DNS Valid": "@body('Retrieve_Email_address_reputation_data')?['dns_valid']",
"Deliverability": "@body('Retrieve_Email_address_reputation_data')?['deliverability']",
"Disposable": "@body('Retrieve_Email_address_reputation_data')?['disposable']",
"Domain Age": "@variables('domain_age')",
"First Name": "@body('Retrieve_Email_address_reputation_data')?['first_name']",
"First Seen": "@variables('first_seen')",
"Fraud Score": "@body('Retrieve_Email_address_reputation_data')?['fraud_score']",
"Frequent Complainer": "@body('Retrieve_Email_address_reputation_data')?['frequent_complainer']",
"Generic": "@body('Retrieve_Email_address_reputation_data')?['generic']",
"HoneyPot": "@body('Retrieve_Email_address_reputation_data')?['honeypot']",
"Leaked": "@body('Retrieve_Email_address_reputation_data')?['leaked']",
"Overall Score": "@body('Retrieve_Email_address_reputation_data')?['overall_score']",
"Recent Abuse": "@body('Retrieve_Email_address_reputation_data')?['recent_abuse']",
"SMTP Score": "@body('Retrieve_Email_address_reputation_data')?['smtp_score']",
"Sanitized Email": "@body('Retrieve_Email_address_reputation_data')?['sanitized_email']",
"Spam Trap Score": "@body('Retrieve_Email_address_reputation_data')?['spam_trap_score']",
"Suggested Domain": "@body('Retrieve_Email_address_reputation_data')?['suggested_domain']",
"Suspect": "@body('Retrieve_Email_address_reputation_data')?['suspect']",
"Timed Out": "@body('Retrieve_Email_address_reputation_data')?['timed_out']",
"Valid": "@body('Retrieve_Email_address_reputation_data')?['valid']"
}
]
}
},
"Setting_Successful_Response_Variable": {
"runAfter": {
"Retrieve_Email_address_reputation_data": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "is_success",
"value": "@body('Retrieve_Email_address_reputation_data')?['success']"
}
}
},
"runAfter": {
"First_Seen_Variable": [
"Succeeded"
]
},
"type": "Foreach",
"runtimeConfiguration": {
"concurrency": {
"repetitions": 1
}
}
},
"IPQS_Reputation_Variable": {
"runAfter": {
"Successful_Response_Variable": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "ipqs_reputation",
"type": "string"
}
]
}
},
"JSON_OUPUT": {
"runAfter": {
"Valid_Variable": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "json_output",
"type": "array"
}
]
}
},
"Successful_Response_Variable": {
"runAfter": {
"Entities_-_Get_Accounts": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "is_success",
"type": "boolean"
}
]
}
},
"Valid_Variable": {
"runAfter": {
"Disposable_Variable": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "valid",
"type": "boolean"
}
]
}
}
},
"outputs": {}
},
"parameters": {
"$connections": {
"value": {
"azuresentinel": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
"connectionName": "[variables('AzureSentinelConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
},
"ipqsfraudandriskscor": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('IPQSApiKey'))]",
"connectionName": "[variables('IPQSApiKey')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/ipqsfraudandriskscor')]"
}
}
}
}
}
}
]
}
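Review bot: `Set_Domain_Age_Variable` is wired to run once `Checking_for_Successful_Response` has succeeded, and an `If` action succeeds whether or not its condition held, so when the IPQS response carries `success` false the loop still posts a comment whose `ipqs_reputation` is whatever the previous account left in the variable (it is initialised once outside `For_each` and only assigned inside the success branch), with the remaining fields empty. Either move `Set_Domain_Age_Variable` through `Add_comment_to_incident_(V3)_2` inside the `Checking_for_Successful_Response` branch, as the IP playbook in this same commit does, or reset the label at the top of each iteration with a `SetVariable` step such as `{"name": "ipqs_reputation", "value": "UNKNOWN"}` placed before `Setting_Accounts_Name_Variable`. A second point: `email_entity_value` is built from the incident's account `Name` and `UPNSuffix` — values that come from the alert's entities and so can be influenced by whatever produced the log — and is interpolated into the HTML comment unencoded; unless the Sentinel comment API sanitises markup (I cannot confirm that from here), that string should be escaped or the comment reduced to plain text before posting. Also the README for this playbook lists an `Invalid` label while the workflow assigns `SUSPICIOUS` when `valid` is false; worth aligning the doc with the code.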


@ -0,0 +1,20 @@
# Enrich-Sentinel-IPQualityScore-Email-Address-Reputation
author: David Mackler, IPQualityScore
This playbook uses the IPQS Fraud and Risk Scoring connector to automatically enrich Email Addresses found in the Sentinel incidents. This Playbook Template provides the Reputation such as **Critical, High Risk, Moderate Risk, Low Risk, Invalid, Clean** based on Fraud Score of the IP Address.
Learn more about the integration via the https://docs.microsoft.com/connectors/ipqsfraudandriskscor/ or visit https://www.ipqualityscore.com/contact-us to request a trial key.
## Sentinel Incident Comments Screenshot
![Incident Comments](./Graphics/comments.png)
## Reputation Threat Metrix
![Threat Metrix](./Graphics/email_threat_metrix.png)
## Links to deploy the Enrich-Sentinel-IPQualityScore-Email-Address-Reputation playbook template:
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FEnrich-Sentinel-IPQualityScore-Email-Address-Reputation%2Fazuredeploy.json)
[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FEnrich-Sentinel-IPQualityScore-Email-Address-Reputation%2Fazuredeploy.json)


@ -0,0 +1,517 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"comments": "This playbook uses the IPQS Fraud and Risk Scoring connector to automatically enrich incidents generated by Sentinel. Learn more about the integration via the https://docs.microsoft.com/connectors/ipqsfraudandriskscor/ or visit https://www.ipqualityscore.com/contact-us to request a trial key.",
"author": "David Mackler, IPQualityScore"
},
"parameters": {
"PlaybookName": {
"defaultValue": "Enrich_Sentinel_IPQualityScore_IP_Address_Reputation",
"type": "string"
},
"UserName": {
"defaultValue": "<username>@<domain>",
"type": "string"
}
},
"variables": {
"IPQSApiKey": "[concat('ipqsfraudandriskscor-', parameters('PlaybookName'))]",
"AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]"
},
"resources": [
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('AzureSentinelConnectionName')]",
"location": "[resourceGroup().location]",
"properties": {
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('IPQSApiKey')]",
"location": "[resourceGroup().location]",
"properties": {
"displayName": "[parameters('UserName')]",
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/ipqsfraudandriskscor')]"
}
}
},
{
"type": "Microsoft.Logic/workflows",
"apiVersion": "2017-07-01",
"name": "[parameters('PlaybookName')]",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Web/connections', variables('IPQSApiKey'))]",
"[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]"
],
"properties": {
"state": "Enabled",
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"$connections": {
"defaultValue": {},
"type": "Object"
}
},
"triggers": {
"When_a_response_to_an_Azure_Sentinel_alert_is_triggered": {
"type": "ApiConnectionWebhook",
"inputs": {
"body": {
"callback_url": "@{listCallbackUrl()}"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"path": "/subscribe"
}
}
},
"actions": {
"Entities_-_Get_IPs": {
"runAfter": {},
"type": "ApiConnection",
"inputs": {
"body": "@triggerBody()?['Entities']",
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/entities/ip"
}
},
"IPQS_Reputation_Variable": {
"runAfter": {
"Sucessful_Response_Variable": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "ipqs_reputation",
"type": "string"
}
]
}
},
"IP_FRAUD_SCORE_Variable": {
"runAfter": {
"IPQS_Reputation_Variable": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "ip_fraud_score",
"type": "integer",
"value": 0
}
]
}
},
"JSON_OUPUT": {
"runAfter": {
"IP_FRAUD_SCORE_Variable": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "json_output",
"type": "array"
}
]
}
},
"Looping_Through_IP_Object": {
"foreach": "@body('Entities_-_Get_IPs')?['IPs']",
"actions": {
"Checking_for_Successful_Response": {
"actions": {
"Add_comment_to_incident_(V3)_2": {
"runAfter": {
"Alert_-_Get_incident_3": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"body": {
"incidentArmId": "@body('Alert_-_Get_incident_3')?['id']",
"message": "<p><span style=\"font-size: 24px; color: rgb(71,85,119)\">IPQualityScore Reputation Data For </span><span style=\"font-size: 24px; color: rgb(71,85,119)\">@{items('Looping_Through_IP_Object')?['Address']}</span><span style=\"font-size: 24px; color: rgb(71,85,119)\">:</span><span style=\"color: rgb(71,85,119)\"><br>\n</span><span style=\"font-size: 18px; color: rgb(71,85,119)\">IPQS Reputation : </span><span style=\"font-size: 18px; color: rgb(71,85,119)\">@{variables('ipqs_reputation')}</span><span style=\"font-size: 18px; color: rgb(71,85,119)\"><br>\nIPQS API Response :<br>\n</span><span style=\"font-size: 18px; color: rgb(71,85,119)\">@{body('Create_HTML_table')}</span><span style=\"font-size: 18px; color: rgb(71,85,119)\"></span></p>"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/Incidents/Comment"
}
},
"Alert_-_Get_incident_3": {
"runAfter": {
"Create_HTML_table": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "get",
"path": "/Incidents/subscriptions/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/resourceGroups/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/workspaces/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/alerts/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}"
}
},
"Check_Fraud_Score_is_100": {
"actions": {
"SET_CRITICAL": {
"runAfter": {},
"type": "SetVariable",
"inputs": {
"name": "ipqs_reputation",
"value": "CRITICAL "
}
}
},
"runAfter": {
"Fetch_Fraud_Score": [
"Succeeded"
]
},
"else": {
"actions": {
"Check_Fraud_Score_is_between_85_and_99": {
"actions": {
"SET_HIGH_RISK": {
"runAfter": {},
"type": "SetVariable",
"inputs": {
"name": "ipqs_reputation",
"value": "HIGH RISK"
}
}
},
"runAfter": {},
"else": {
"actions": {
"Check_Fraud_Score_is_between_75_and_84": {
"actions": {
"SET_MODERATE_RISK": {
"runAfter": {},
"type": "SetVariable",
"inputs": {
"name": "ipqs_reputation",
"value": "MODERATE RISK"
}
}
},
"runAfter": {},
"else": {
"actions": {
"Check_Fraud_Score_is_between_60_and_74": {
"actions": {
"Set_SUSPICIOUS": {
"runAfter": {},
"type": "SetVariable",
"inputs": {
"name": "ipqs_reputation",
"value": "SUSPICIOUS"
}
}
},
"runAfter": {},
"else": {
"actions": {
"Check_Fraud_Score_is_less_than_or_equal_to_59": {
"actions": {
"Set_CLEAN": {
"runAfter": {},
"type": "SetVariable",
"inputs": {
"name": "ipqs_reputation",
"value": "CLEAN"
}
}
},
"runAfter": {},
"expression": {
"and": [
{
"lessOrEquals": [
"@variables('ip_fraud_score')",
59
]
}
]
},
"type": "If"
}
}
},
"expression": {
"and": [
{
"greaterOrEquals": [
"@variables('ip_fraud_score')",
60
]
},
{
"lessOrEquals": [
"@variables('ip_fraud_score')",
74
]
}
]
},
"type": "If"
}
}
},
"expression": {
"and": [
{
"greaterOrEquals": [
"@variables('ip_fraud_score')",
75
]
},
{
"lessOrEquals": [
"@variables('ip_fraud_score')",
84
]
}
]
},
"type": "If"
}
}
},
"expression": {
"and": [
{
"greaterOrEquals": [
"@variables('ip_fraud_score')",
85
]
},
{
"lessOrEquals": [
"@variables('ip_fraud_score')",
99
]
}
]
},
"type": "If"
}
}
},
"expression": {
"and": [
{
"equals": [
"@variables('ip_fraud_score')",
100
]
}
]
},
"type": "If"
},
"Create_HTML_table": {
"runAfter": {
"Set_JSON_OUTPUT": [
"Succeeded"
]
},
"type": "Table",
"inputs": {
"format": "HTML",
"from": "@variables('json_output')"
}
},
"Fetch_Fraud_Score": {
"runAfter": {},
"type": "SetVariable",
"inputs": {
"name": "ip_fraud_score",
"value": "@body('Retrieve_IP_address_reputation_data')?['fraud_score']"
}
},
"Set_JSON_OUTPUT": {
"runAfter": {
"Check_Fraud_Score_is_100": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "json_output",
"value": [
{
"ASN": "@body('Retrieve_IP_address_reputation_data')?['ASN']",
"Abuse Velocity": "@body('Retrieve_IP_address_reputation_data')?['abuse_velocity']",
"Active TOR": "@body('Retrieve_IP_address_reputation_data')?['active_tor']",
"Active VPN": "@body('Retrieve_IP_address_reputation_data')?['active_vpn']",
"Bot Status": "@body('Retrieve_IP_address_reputation_data')?['bot_status']",
"City": "@body('Retrieve_IP_address_reputation_data')?['city']",
"Connection Type": "@body('Retrieve_IP_address_reputation_data')?['connection_type']",
"Country Code": "@body('Retrieve_IP_address_reputation_data')?['country_code']",
"Fraud Score": "@body('Retrieve_IP_address_reputation_data')?['fraud_score']",
"Host": "@body('Retrieve_IP_address_reputation_data')?['host']",
"ISP": "@body('Retrieve_IP_address_reputation_data')?['ISP']",
"Is Crawler": "@body('Retrieve_IP_address_reputation_data')?['is_crawler']",
"Latitube": "@body('Retrieve_IP_address_reputation_data')?['latitude']",
"Longitude": "@body('Retrieve_IP_address_reputation_data')?['longitude']",
"Mobile": "@body('Retrieve_IP_address_reputation_data')?['mobile']",
"Organization": "@body('Retrieve_IP_address_reputation_data')?['Organization']",
"Proxy": "@body('Retrieve_IP_address_reputation_data')?['proxy']",
"Recent Abuse": "@body('Retrieve_IP_address_reputation_data')?['recent_abuse']",
"Region": "@body('Retrieve_IP_address_reputation_data')?['region']",
"TOR": "@body('Retrieve_IP_address_reputation_data')?['tor']",
"TimeZone": "@body('Retrieve_IP_address_reputation_data')?['timezone']",
"VPN": "@body('Retrieve_IP_address_reputation_data')?['vpn']"
}
]
}
}
},
"runAfter": {
"Setting_Successful_Response_Variable": [
"Succeeded"
]
},
"expression": {
"and": [
{
"equals": [
"@variables('is_success')",
true
]
}
]
},
"type": "If"
},
"Retrieve_IP_address_reputation_data": {
"runAfter": {},
"type": "ApiConnection",
"inputs": {
"body": {
"$content-type": "multipart/form-data",
"$multipart": [
{
"body": "@items('Looping_Through_IP_Object')?['Address']",
"headers": {
"Content-Disposition": "form-data; name=\"ip\""
}
},
{
"body": "0",
"headers": {
"Content-Disposition": "form-data; name=\"strictness\""
}
}
]
},
"host": {
"connection": {
"name": "@parameters('$connections')['ipqsfraudandriskscor']['connectionId']"
}
},
"method": "post",
"path": "/ip"
}
},
"Setting_Successful_Response_Variable": {
"runAfter": {
"Retrieve_IP_address_reputation_data": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "is_success",
"value": "@body('Retrieve_IP_address_reputation_data')?['success']"
}
}
},
"runAfter": {
"JSON_OUPUT": [
"Succeeded"
]
},
"type": "Foreach",
"runtimeConfiguration": {
"concurrency": {
"repetitions": 1
}
}
},
"Sucessful_Response_Variable": {
"runAfter": {
"Entities_-_Get_IPs": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "is_success",
"type": "boolean"
}
]
}
}
},
"outputs": {}
},
"parameters": {
"$connections": {
"value": {
"azuresentinel": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
"connectionName": "[variables('AzureSentinelConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
},
"ipqsfraudandriskscor": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('IPQSApiKey'))]",
"connectionName": "[variables('IPQSApiKey')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/ipqsfraudandriskscor')]"
}
}
}
}
}
}
]
}
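Review bot: `SET_CRITICAL` assigns `"CRITICAL "` with a trailing space while the email playbook in this same commit uses `"CRITICAL"`, so anything that matches on the posted label — an automation rule, a KQL filter over incident comments, or an analyst comparing the two tables — sees two different values; change it to `"value": "CRITICAL"`. The `Set_JSON_OUTPUT` table also carries a misspelled column header, `"Latitube"`, which should read `"Latitude"`. The internal action name `Sucessful_Response_Variable` (referenced from the `runAfter` of `IPQS_Reputation_Variable`) is misspelled as well; harmless at runtime, but both occurrences must be renamed together if it is fixed. Separately, `Retrieve_IP_address_reputation_data` has no failure path: an HTTP error from the connector fails the iteration and leaves the incident without any note, so consider a branch with `runAfter` keyed on `["Failed", "TimedOut"]` that posts a short "enrichment unavailable" comment, letting analysts distinguish a lookup failure from a clean result.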


@ -0,0 +1,20 @@
# Enrich-Sentinel-IPQualityScore-IP-Address-Reputation
author: David Mackler, IPQualityScore
This playbook uses the IPQS Fraud and Risk Scoring connector to automatically enrich IP Addresses found in the Sentinel incidents. This Playbook Template provides the Reputation such as **Critical, High Risk, Moderate Risk, Suspicious, Clean** based on Fraud Score.
Learn more about the integration via the https://docs.microsoft.com/connectors/ipqsfraudandriskscor/ or visit https://www.ipqualityscore.com/contact-us to request a trial key.
## Sentinel Incident Comments Screenshot
![Incident Comments](./Graphics/comments.png)
## Reputation Threat Metrix
![Threat Metrix](./Graphics/ip_threat_metrix.png)
## Links to deploy the Enrich-Sentinel-IPQualityScore-IP-Address-Reputation playbook template:
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FEnrich-Sentinel-IPQualityScore-IP-Address-Reputation%2Fazuredeploy.json)
[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FEnrich-Sentinel-IPQualityScore-IP-Address-Reputation%2Fazuredeploy.json)



@ -0,0 +1,604 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"comments": "This playbook uses the IPQS Fraud and Risk Scoring connector to automatically enrich incidents generated by Sentinel. Learn more about the integration via the https://docs.microsoft.com/connectors/ipqsfraudandriskscor/ or visit https://www.ipqualityscore.com/contact-us to request a trial key.",
"author": "David Mackler, IPQualityScore"
},
"parameters": {
"PlaybookName": {
"defaultValue": "Enrich_Sentinel_IPQualityScore_Phone_Number_Reputation",
"type": "string"
},
"UserName": {
"defaultValue": "<username>@<domain>",
"type": "string"
}
},
"variables": {
"IPQSApiKey": "[concat('ipqsfraudandriskscor-', parameters('PlaybookName'))]",
"AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]"
},
"resources": [
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('AzureSentinelConnectionName')]",
"location": "[resourceGroup().location]",
"properties": {
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('IPQSApiKey')]",
"location": "[resourceGroup().location]",
"properties": {
"displayName": "[parameters('UserName')]",
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/ipqsfraudandriskscor')]"
}
}
},
{
"type": "Microsoft.Logic/workflows",
"apiVersion": "2017-07-01",
"name": "[parameters('PlaybookName')]",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Web/connections', variables('IPQSApiKey'))]",
"[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]"
],
"properties": {
"state": "Enabled",
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"$connections": {
"defaultValue": {},
"type": "Object"
}
},
"triggers": {
"When_a_response_to_an_Azure_Sentinel_alert_is_triggered": {
"type": "ApiConnectionWebhook",
"inputs": {
"body": {
"callback_url": "@{listCallbackUrl()}"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"path": "/subscribe"
}
}
},
"actions": {
"Active_Variable": {
"runAfter": {
"Phone_FRAUD_SCORE_Variable": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "active",
"type": "boolean"
}
]
}
},
"Entities_-_Get_Accounts": {
"runAfter": {},
"type": "ApiConnection",
"inputs": {
"body": "@triggerBody()?['Entities']",
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/entities/account"
}
},
"For_each": {
"foreach": "@body('Entities_-_Get_Accounts')?['Accounts']",
"actions": {
"Checking_for_Successful_Response": {
"actions": {
"Add_comment_to_incident_(V3)_3": {
"runAfter": {
"Alert_-_Get_incident_3": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"body": {
"incidentArmId": "@body('Alert_-_Get_incident_3')?['id']",
"message": "<p><span style=\"font-size: 24px; color: rgb(71,85,119)\">IPQualityScore Reputation Data for </span><span style=\"font-size: 24px; color: rgb(71,85,119)\">@{variables('phone_number')}</span><span style=\"font-size: 24px; color: rgb(71,85,119)\"></span><span style=\"color: rgb(71,85,119)\"><br>\n</span><span style=\"font-size: 18px; color: rgb(71,85,119)\">IPQS REPUTATION: </span><span style=\"font-size: 18px; color: rgb(71,85,119)\">@{variables('ipqs_reputation')}</span><span style=\"font-size: 18px; color: rgb(71,85,119)\"><br>\nIPQS API RESPONSE:<br>\n</span><span style=\"font-size: 18px; color: rgb(71,85,119)\">@{body('Create_HTML_table_2')}</span><span style=\"font-size: 18px; color: rgb(71,85,119)\"></span></p>"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/Incidents/Comment"
}
},
"Alert_-_Get_incident_3": {
"runAfter": {
"Create_HTML_table_2": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "get",
"path": "/Incidents/subscriptions/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/resourceGroups/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/workspaces/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/alerts/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}"
}
},
"Check_Fraud_Score_between_90_and_100": {
"actions": {
"IPQS_Reputation_Variable_HIGH_RISK_1": {
"runAfter": {},
"type": "SetVariable",
"inputs": {
"name": "ipqs_reputation",
"value": "HIGH RISK"
}
}
},
"runAfter": {
"Set_Valid": [
"Succeeded"
]
},
"else": {
"actions": {
"Check_Active_OR_Valid": {
"actions": {
"IPQS_Reputation_Variable_MODERATE_RISK_1": {
"runAfter": {},
"type": "SetVariable",
"inputs": {
"name": "ipqs_reputation",
"value": "MODERATE RISK"
}
}
},
"runAfter": {},
"else": {
"actions": {
"Check_Fraud_Score_is_in_between_80_and_89": {
"actions": {
"IPQS_Reputation_Variable_LOW_RISK_1": {
"runAfter": {},
"type": "SetVariable",
"inputs": {
"name": "ipqs_reputation",
"value": "LOW RISK"
}
}
},
"runAfter": {},
"else": {
"actions": {
"Check_Fraud_Score_is_in_between_50_and_79": {
"actions": {
"IPQS_Reputation_Variable_SUSPICIOUS_1": {
"runAfter": {},
"type": "SetVariable",
"inputs": {
"name": "ipqs_reputation",
"value": "SUSPICIOUS"
}
}
},
"runAfter": {},
"else": {
"actions": {
"Check_Fraud_Score_is_less_than_or_equal_to_49": {
"actions": {
"IPQS_Reputation_Variable_CLEAN_1": {
"runAfter": {},
"type": "SetVariable",
"inputs": {
"name": "ipqs_reputation",
"value": "CLEAN"
}
}
},
"runAfter": {},
"expression": {
"and": [
{
"lessOrEquals": [
"@variables('phone_fraud_score')",
49
]
}
]
},
"type": "If"
}
}
},
"expression": {
"and": [
{
"greaterOrEquals": [
"@variables('phone_fraud_score')",
50
]
},
{
"lessOrEquals": [
"@variables('phone_fraud_score')",
79
]
}
]
},
"type": "If"
}
}
},
"expression": {
"and": [
{
"greaterOrEquals": [
"@variables('phone_fraud_score')",
80
]
},
{
"lessOrEquals": [
"@variables('phone_fraud_score')",
89
]
}
]
},
"type": "If"
}
}
},
"expression": {
"or": [
{
"equals": [
"@variables('active')",
false
]
},
{
"equals": [
"@variables('valid')",
false
]
}
]
},
"type": "If"
}
}
},
"expression": {
"and": [
{
"greaterOrEquals": [
"@variables('phone_fraud_score')",
90
]
},
{
"lessOrEquals": [
"@variables('phone_fraud_score')",
100
]
}
]
},
"type": "If"
},
"Create_HTML_table_2": {
"runAfter": {
"Set_JSON_OUTPUT": [
"Succeeded"
]
},
"type": "Table",
"inputs": {
"format": "HTML",
"from": "@variables('json_output')"
}
},
"Set_Active": {
"runAfter": {
"Set_Fraud_Score": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "active",
"value": "@body('Retrieve_Phone_Number_reputation_data')?['active']"
}
},
"Set_Fraud_Score": {
"runAfter": {},
"type": "SetVariable",
"inputs": {
"name": "phone_fraud_score",
"value": "@body('Retrieve_Phone_Number_reputation_data')?['fraud_score']"
}
},
"Set_JSON_OUTPUT": {
"runAfter": {
"Check_Fraud_Score_between_90_and_100": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "json_output",
"value": [
{
"Active": "@body('Retrieve_Phone_Number_reputation_data')?['active']",
"Active Status": "@body('Retrieve_Phone_Number_reputation_data')?['active_status']",
"Carrier": "@body('Retrieve_Phone_Number_reputation_data')?['carrier']",
"City": "@body('Retrieve_Phone_Number_reputation_data')?['city']",
"Country": "@body('Retrieve_Phone_Number_reputation_data')?['country']",
"Dialing Code": "@body('Retrieve_Phone_Number_reputation_data')?['dialing_code']",
"Do Not Call": "@body('Retrieve_Phone_Number_reputation_data')?['do_not_call']",
"Formatted ": "@body('Retrieve_Phone_Number_reputation_data')?['formatted']",
"Fraud Score": "@body('Retrieve_Phone_Number_reputation_data')?['fraud_score']",
"Line Type": "@body('Retrieve_Phone_Number_reputation_data')?['line_type']",
"Local Format": "@body('Retrieve_Phone_Number_reputation_data')?['local_format']",
"Name": "@body('Retrieve_Phone_Number_reputation_data')?['name']",
"Prepaid": "@body('Retrieve_Phone_Number_reputation_data')?['prepaid']",
"Recent Abuse": "@body('Retrieve_Phone_Number_reputation_data')?['recent_abuse']",
"Region": "@body('Retrieve_Phone_Number_reputation_data')?['region']",
"Risky": "@body('Retrieve_Phone_Number_reputation_data')?['risky']",
"Timezone": "@body('Retrieve_Phone_Number_reputation_data')?['timezone']",
"VOIP": "@body('Retrieve_Phone_Number_reputation_data')?['VOIP']",
"Valid": "@body('Retrieve_Phone_Number_reputation_data')?['valid']",
"Zip Code": "@body('Retrieve_Phone_Number_reputation_data')?['zip_code']"
}
]
}
},
"Set_Valid": {
"runAfter": {
"Set_Active": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "valid",
"value": "@body('Retrieve_Phone_Number_reputation_data')?['valid']"
}
}
},
"runAfter": {
"Setting_Successful_Response_Variable": [
"Succeeded"
]
},
"expression": {
"and": [
{
"equals": [
"@variables('is_success')",
true
]
}
]
},
"type": "If"
},
"Retrieve_Phone_Number_reputation_data": {
"runAfter": {
"Setting_Phone_Number_Variable": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"body": {
"$content-type": "multipart/form-data",
"$multipart": [
{
"body": "@variables('phone_number')",
"headers": {
"Content-Disposition": "form-data; name=\"phone\""
}
},
{
"body": "0",
"headers": {
"Content-Disposition": "form-data; name=\"strictness\""
}
}
]
},
"host": {
"connection": {
"name": "@parameters('$connections')['ipqsfraudandriskscor']['connectionId']"
}
},
"method": "post",
"path": "/phone"
}
},
"Setting_Phone_Number_Variable": {
"runAfter": {},
"type": "SetVariable",
"inputs": {
"name": "phone_number",
"value": "@items('For_each')?['Name']"
}
},
"Setting_Successful_Response_Variable": {
"runAfter": {
"Retrieve_Phone_Number_reputation_data": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "is_success",
"value": "@body('Retrieve_Phone_Number_reputation_data')?['success']"
}
}
},
"runAfter": {
"Phone_Variable": [
"Succeeded"
]
},
"type": "Foreach",
"runtimeConfiguration": {
"concurrency": {
"repetitions": 1
}
}
},
"IPQS_Reputation_Variable": {
"runAfter": {
"Successful_Response_Variable": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "ipqs_reputation",
"type": "string"
}
]
}
},
"JSON_OUPUT": {
"runAfter": {
"Valid_Variable": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "json_output",
"type": "array"
}
]
}
},
"Phone_FRAUD_SCORE_Variable": {
"runAfter": {
"IPQS_Reputation_Variable": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "phone_fraud_score",
"type": "integer"
}
]
}
},
"Phone_Variable": {
"runAfter": {
"JSON_OUPUT": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "phone_number",
"type": "string"
}
]
}
},
"Successful_Response_Variable": {
"runAfter": {
"Entities_-_Get_Accounts": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "is_success",
"type": "boolean"
}
]
}
},
"Valid_Variable": {
"runAfter": {
"Active_Variable": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "valid",
"type": "boolean"
}
]
}
}
},
"outputs": {}
},
"parameters": {
"$connections": {
"value": {
"azuresentinel": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
"connectionName": "[variables('AzureSentinelConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
},
"ipqsfraudandriskscor": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('IPQSApiKey'))]",
"connectionName": "[variables('IPQSApiKey')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/ipqsfraudandriskscor')]"
}
}
}
}
}
}
]
}
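Review bot: `Setting_Phone_Number_Variable` takes `items('For_each')?['Name']` from the Account entities returned by `Entities_-_Get_Accounts`, so every account name in the incident (typically a UPN or SAM account name rather than a phone number) is posted to the external IPQS `/phone` endpoint by `Retrieve_Phone_Number_reputation_data`. That is both a data-exposure concern, since account identifiers leave the tenant for a third-party service on every triggered alert, and a wasted lookup for values that are not phone numbers; a condition in front of the API call that only proceeds when the `Name` value looks like a phone number (for example, it parses as an integer after stripping `+`, spaces and dashes) would bound what is sent, and the template `comments` should state that the Account entity `Name` is treated as the phone number. Separately, `Add_comment_to_incident_(V3)_3` interpolates `@{variables('phone_number')}` straight into an HTML `message`; whether the incident comment renderer neutralises markup is not visible here, so escaping `&`, `<` and `>` with nested `replace()` calls, or emitting the value through the HTML table like the other fields, would be the safer choice. As a point of naming, the variable `IPQSApiKey` holds a connection resource name rather than a key (the key is supplied when the connection is authorised after deployment), so `IPQSConnectionName` would avoid suggesting a secret is embedded in the template.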


@ -0,0 +1,20 @@
# Enrich-Sentinel-IPQualityScore-Phone-Number-Reputation
author: David Mackler, IPQualityScore
This playbook uses the IPQS Fraud and Risk Scoring connector to automatically enrich Phone Numbers found in the Sentinel incidents. This Playbook Template provides the Reputation such as **High Risk, Moderate Risk, Low Risk, Suspicious, Clean** based on Fraud Score.
Learn more about the integration via the https://docs.microsoft.com/connectors/ipqsfraudandriskscor/ or visit https://www.ipqualityscore.com/contact-us to request a trial key.
## Sentinel Incident Comments Screenshot
![Incident Comments](./Graphics/comments.png)
## Reputation Threat Metrix
![Threat Metrix](./Graphics/phone_threat_metrix.png)
## Link to deploy the Enrich-Sentinel-IPQualityScore-Phone-Number-Reputation playbook template:
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FEnrich-Sentinel-IPQualityScore-Phone-Number-Reputation%2Fazuredeploy.json)
[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FEnrich-Sentinel-IPQualityScore-Phone-Number-Reputation%2Fazuredeploy.json)



@ -0,0 +1,629 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"comments": "This playbook uses the IPQS Fraud and Risk Scoring connector to automatically enrich incidents generated by Sentinel. Learn more about the integration via the https://docs.microsoft.com/connectors/ipqsfraudandriskscor/ or visit https://www.ipqualityscore.com/contact-us to request a trial key.",
"author": "David Mackler, IPQualityScore"
},
"parameters": {
"PlaybookName": {
"defaultValue": "Enrich_Sentinel_IPQualityScore_URL_Reputation",
"type": "string"
},
"UserName": {
"defaultValue": "<username>@<domain>",
"type": "string"
}
},
"variables": {
"IPQSApiKey": "[concat('ipqsfraudandriskscor-', parameters('PlaybookName'))]",
"AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]"
},
"resources": [
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('AzureSentinelConnectionName')]",
"location": "[resourceGroup().location]",
"properties": {
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('IPQSApiKey')]",
"location": "[resourceGroup().location]",
"properties": {
"displayName": "[parameters('UserName')]",
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/ipqsfraudandriskscor')]"
}
}
},
{
"type": "Microsoft.Logic/workflows",
"apiVersion": "2017-07-01",
"name": "[parameters('PlaybookName')]",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Web/connections', variables('IPQSApiKey'))]",
"[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]"
],
"properties": {
"state": "Enabled",
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"$connections": {
"defaultValue": {},
"type": "Object"
}
},
"triggers": {
"When_a_response_to_an_Azure_Sentinel_alert_is_triggered": {
"type": "ApiConnectionWebhook",
"inputs": {
"body": {
"callback_url": "@{listCallbackUrl()}"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"path": "/subscribe"
}
}
},
"actions": {
"Domain_Age_Variable": {
"runAfter": {
"JSON_OUPUT": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "domain_age",
"type": "string"
}
]
}
},
"Entities_-_Get_URLs": {
"runAfter": {},
"type": "ApiConnection",
"inputs": {
"body": "@triggerBody()?['Entities']",
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/entities/url"
}
},
"For_each": {
"foreach": "@body('Entities_-_Get_URLs')?['URLs']",
"actions": {
"Add_comment_to_incident_(V3)": {
"runAfter": {
"Alert_-_Get_incident_2": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"body": {
"incidentArmId": "@body('Alert_-_Get_incident_2')?['id']",
"message": "<p><span style=\"font-size: 24px; color: rgb(71,85,119)\">IPQualityScore Reputation Data for </span><span style=\"font-size: 24px; color: rgb(71,85,119)\">@{items('For_each')?['Url']}</span><span style=\"font-size: 24px; color: rgb(71,85,119)\">:<br>\n</span><span style=\"font-family: arial; font-size: 18px; color: rgb(71,85,119)\">IPQS Reputation: </span><span style=\"font-family: arial; font-size: 18px; color: rgb(71,85,119)\">@{variables('ipqs_reputation')}</span><span style=\"font-family: arial; font-size: 18px; color: rgb(71,85,119)\"><br>\nIPQS API Response:<br>\n</span><span style=\"font-family: arial; font-size: 18px; color: rgb(71,85,119)\">@{body('Create_HTML_table')}</span><span style=\"font-family: arial; font-size: 18px; color: rgb(71,85,119)\"></span></p>"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/Incidents/Comment"
}
},
"Alert_-_Get_incident_2": {
"runAfter": {
"Create_HTML_table": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "get",
"path": "/Incidents/subscriptions/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/resourceGroups/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/workspaces/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/alerts/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}"
}
},
"Checking_for_Successful_Response": {
"actions": {
"Check_Malware_or_Phishing_is_true": {
"actions": {
"Set_IPQS_Reputation_Variable_Critical": {
"runAfter": {},
"type": "SetVariable",
"inputs": {
"name": "ipqs_reputation",
"value": "CRITICAL"
}
}
},
"runAfter": {
"Set_RISK_SCORE": [
"Succeeded"
]
},
"else": {
"actions": {
"Check_Risk_Score_is_greater_than_or_equal_to_90": {
"actions": {
"Set_IPQS_Reputation_Variable_High_Risk": {
"runAfter": {},
"type": "SetVariable",
"inputs": {
"name": "ipqs_reputation",
"value": "HIGH RISK"
}
}
},
"runAfter": {},
"else": {
"actions": {
"Check_Risk_Score_is_between_80_and_89": {
"actions": {
"Set_IPQS_Reputation_Variable_MODERATE_Risk": {
"runAfter": {},
"type": "SetVariable",
"inputs": {
"name": "ipqs_reputation",
"value": "MODERATE RISK"
}
}
},
"runAfter": {},
"else": {
"actions": {
"Check_Risk_Score_is_between_70_and_79": {
"actions": {
"Set_IPQS_Reputation_Variable_Low_Risk": {
"runAfter": {},
"type": "SetVariable",
"inputs": {
"name": "ipqs_reputation",
"value": "LOW RISK"
}
}
},
"runAfter": {},
"else": {
"actions": {
"Check_Risk_Score_is_between_55_and_69": {
"actions": {
"Set_IPQS_Reputation_Variable_Suspicious": {
"runAfter": {},
"type": "SetVariable",
"inputs": {
"name": "ipqs_reputation",
"value": "SUSPICIOUS"
}
}
},
"runAfter": {},
"else": {
"actions": {
"Check_Risk_Score_is_less_than_or_equal_to_54": {
"actions": {
"Set_IPQS_Reputation_Variable_Clean": {
"runAfter": {},
"type": "SetVariable",
"inputs": {
"name": "ipqs_reputation",
"value": "CLEAN"
}
}
},
"runAfter": {},
"expression": {
"and": [
{
"lessOrEquals": [
"@variables('url_risk_score')",
54
]
}
]
},
"type": "If"
}
}
},
"expression": {
"and": [
{
"greaterOrEquals": [
"@variables('url_risk_score')",
55
]
},
{
"lessOrEquals": [
"@variables('url_risk_score')",
69
]
}
]
},
"type": "If"
}
}
},
"expression": {
"and": [
{
"greaterOrEquals": [
"@variables('url_risk_score')",
70
]
},
{
"lessOrEquals": [
"@variables('url_risk_score')",
79
]
}
]
},
"type": "If"
}
}
},
"expression": {
"and": [
{
"greaterOrEquals": [
"@variables('url_risk_score')",
80
]
},
{
"lessOrEquals": [
"@variables('url_risk_score')",
89
]
}
]
},
"type": "If"
}
}
},
"expression": {
"and": [
{
"greaterOrEquals": [
"@variables('url_risk_score')",
90
]
}
]
},
"type": "If"
}
}
},
"expression": {
"or": [
{
"equals": [
"@variables('is_phishing')",
true
]
},
{
"equals": [
"@variables('is_malware')",
true
]
}
]
},
"type": "If"
},
"Set_Malware_Valriable": {
"runAfter": {},
"type": "SetVariable",
"inputs": {
"name": "is_malware",
"value": "@body('Retrieve_URL_(or)_Domain_reputation_data')?['malware']"
}
},
"Set_Phishing_Variable": {
"runAfter": {
"Set_Malware_Valriable": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "is_phishing",
"value": "@body('Retrieve_URL_(or)_Domain_reputation_data')?['phishing']"
}
},
"Set_RISK_SCORE": {
"runAfter": {
"Set_Phishing_Variable": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "url_risk_score",
"value": "@body('Retrieve_URL_(or)_Domain_reputation_data')?['risk_score']"
}
}
},
"runAfter": {
"Setting_Successful_Response_Variable": [
"Succeeded"
]
},
"expression": {
"and": [
{
"equals": [
"@variables('is_success')",
true
]
}
]
},
"type": "If"
},
"Create_HTML_table": {
"runAfter": {
"Setting_JSON_OUTPUT": [
"Succeeded"
]
},
"type": "Table",
"inputs": {
"format": "HTML",
"from": "@variables('json_output')"
}
},
"Retrieve_URL_(or)_Domain_reputation_data": {
"runAfter": {},
"type": "ApiConnection",
"inputs": {
"body": {
"$content-type": "multipart/form-data",
"$multipart": [
{
"body": "@items('For_each')?['Url']",
"headers": {
"Content-Disposition": "form-data; name=\"url\""
}
},
{
"body": "0",
"headers": {
"Content-Disposition": "form-data; name=\"strictness\""
}
}
]
},
"host": {
"connection": {
"name": "@parameters('$connections')['ipqsfraudandriskscor']['connectionId']"
}
},
"method": "post",
"path": "/url"
}
},
"Set_Domain_Age_Variable": {
"runAfter": {
"Checking_for_Successful_Response": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "domain_age",
"value": "Human: @{body('Retrieve_URL_(or)_Domain_reputation_data')?['domain_age']?['human']} , Timestamp: @{body('Retrieve_URL_(or)_Domain_reputation_data')?['domain_age']?['timestamp']} , ISO: @{body('Retrieve_URL_(or)_Domain_reputation_data')?['domain_age']?['iso']}"
}
},
"Setting_JSON_OUTPUT": {
"runAfter": {
"Set_Domain_Age_Variable": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "json_output",
"value": [
{
"Adult": "@body('Retrieve_URL_(or)_Domain_reputation_data')?['adult']",
"Content Type": "@body('Retrieve_URL_(or)_Domain_reputation_data')?['content_type']",
"DNS Valid": "@body('Retrieve_URL_(or)_Domain_reputation_data')?['dns_valid']",
"Domain": "@body('Retrieve_URL_(or)_Domain_reputation_data')?['domain']",
"Domain Age": "@variables('domain_age')",
"Domain Rank": "@body('Retrieve_URL_(or)_Domain_reputation_data')?['domain_rank']",
"IP Address": "@body('Retrieve_URL_(or)_Domain_reputation_data')?['ip_address']",
"Malware": "@body('Retrieve_URL_(or)_Domain_reputation_data')?['malware']",
"Page Size": "@body('Retrieve_URL_(or)_Domain_reputation_data')?['page_size']",
"Parking": "@body('Retrieve_URL_(or)_Domain_reputation_data')?['parking']",
"Phishing": "@body('Retrieve_URL_(or)_Domain_reputation_data')?['phishing']",
"Risk Score": "@body('Retrieve_URL_(or)_Domain_reputation_data')?['risk_score']",
"Server": "@body('Retrieve_URL_(or)_Domain_reputation_data')?['server']",
"Spamming": "@body('Retrieve_URL_(or)_Domain_reputation_data')?['spamming']",
"Status Code": "@body('Retrieve_URL_(or)_Domain_reputation_data')?['status_code']",
"Suspicious": "@body('Retrieve_URL_(or)_Domain_reputation_data')?['suspicious']",
"UnSafe": "@body('Retrieve_URL_(or)_Domain_reputation_data')?['unsafe']"
}
]
}
},
"Setting_Successful_Response_Variable": {
"runAfter": {
"Retrieve_URL_(or)_Domain_reputation_data": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "is_success",
"value": "@body('Retrieve_URL_(or)_Domain_reputation_data')?['success']"
}
}
},
"runAfter": {
"Domain_Age_Variable": [
"Succeeded"
]
},
"type": "Foreach",
"runtimeConfiguration": {
"concurrency": {
"repetitions": 1
}
}
},
"IPQS_Reputation_Variable": {
"runAfter": {
"Successful_Response_Variable": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "ipqs_reputation",
"type": "string"
}
]
}
},
"JSON_OUPUT": {
"runAfter": {
"Phishing_Variable": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "json_output",
"type": "array"
}
]
}
},
"Malware_Variable": {
"runAfter": {
"URL_RISK_SCORE_Variable": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "is_malware",
"type": "boolean"
}
]
}
},
"Phishing_Variable": {
"runAfter": {
"Malware_Variable": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "is_phishing",
"type": "boolean"
}
]
}
},
"Successful_Response_Variable": {
"runAfter": {
"Entities_-_Get_URLs": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "is_success",
"type": "boolean"
}
]
}
},
"URL_RISK_SCORE_Variable": {
"runAfter": {
"IPQS_Reputation_Variable": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "url_risk_score",
"type": "integer"
}
]
}
}
},
"outputs": {}
},
"parameters": {
"$connections": {
"value": {
"azuresentinel": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
"connectionName": "[variables('AzureSentinelConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
},
"ipqsfraudandriskscor": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('IPQSApiKey'))]",
"connectionName": "[variables('IPQSApiKey')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/ipqsfraudandriskscor')]"
}
}
}
}
}
}
]
}
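Review bot: Inside `For_each`, `Add_comment_to_incident_(V3)` runs after the chain `Alert_-_Get_incident_2` → `Create_HTML_table` → `Setting_JSON_OUTPUT` → `Set_Domain_Age_Variable` → `Checking_for_Successful_Response`, and an `If` action reports `Succeeded` whichever branch it takes, so a comment is posted even when the IPQS response carries `success` false. Because `ipqs_reputation` is initialised once outside the loop and only assigned inside the true branch, a failed lookup for the second URL posts that URL with the label computed for the previous one (the loop is sequential, so the stale value is deterministic), next to a table of empty fields. Moving the comment chain, or at minimum `Add_comment_to_incident_(V3)`, into the true branch of `Checking_for_Successful_Response` as the phone playbook does, and adding an `else` that posts a short "IPQS lookup failed" comment, would keep analysts from acting on a mislabelled URL. The same `message` also interpolates `@{items('For_each')?['Url']}` raw into HTML; URL entities are attacker-supplied, so escape `&`, `<` and `>` with nested `replace()` calls unless the comment renderer is known to sanitise markup.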


@ -0,0 +1,19 @@
# Enrich-Sentinel-IPQualityScore-URL-Reputation
author: David Mackler, IPQualityScore
This playbook uses the IPQS Fraud and Risk Scoring connector to automatically enrich URL's found in the Sentinel incidents. This Playbook Template provides the Reputation such as **Critical, High Risk, Moderate Risk, Low Risk, Suspicious, Clean** based on Fraud Score.
Learn more about the integration via the https://docs.microsoft.com/connectors/ipqsfraudandriskscor/ or visit https://www.ipqualityscore.com/contact-us to request a trial key.
## Sentinel Incident Comments Screenshot
![Incident Comments](./Graphics/comments.png)
## Reputation Threat Metrix
![Threat Metrix](./Graphics/domain_threat_metrix.png)
## Links to deploy the Enrich-Sentinel-IPQualityScore-URL-Reputation playbook template:
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FEnrich-Sentinel-IPQualityScore-URL-Reputation%2Fazuredeploy.json)
[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FEnrich-Sentinel-IPQualityScore-URL-Reputation%2Fazuredeploy.json)



@ -0,0 +1,713 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"comments": "This playbook uses the IPQS Fraud and Risk Scoring connector to automatically enrich incidents generated by Sentinel. Learn more about the integration via the https://docs.microsoft.com/connectors/ipqsfraudandriskscor/ or visit https://www.ipqualityscore.com/contact-us to request a trial key.",
"author": "David Mackler, IPQualityScore"
},
"parameters": {
"PlaybookName": {
"defaultValue": "Enrich_Sentinel_IPQualityScore_Domain_Reputation",
"type": "string"
},
"UserName": {
"defaultValue": "<username>@<domain>",
"type": "string"
}
},
"variables": {
"IPQSApiKey": "[concat('ipqsfraudandriskscor-', parameters('PlaybookName'))]",
"AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]"
},
"resources": [
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('AzureSentinelConnectionName')]",
"location": "[resourceGroup().location]",
"properties": {
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('IPQSApiKey')]",
"location": "[resourceGroup().location]",
"properties": {
"displayName": "[parameters('UserName')]",
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/ipqsfraudandriskscor')]"
}
}
},
{
"type": "Microsoft.Logic/workflows",
"apiVersion": "2017-07-01",
"name": "[parameters('PlaybookName')]",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Web/connections', variables('IPQSApiKey'))]",
"[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]"
],
"properties": {
"state": "Enabled",
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"$connections": {
"defaultValue": {},
"type": "Object"
}
},
"triggers": {
"When_a_response_to_an_Azure_Sentinel_alert_is_triggered": {
"type": "ApiConnectionWebhook",
"inputs": {
"body": {
"callback_url": "@{listCallbackUrl()}"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"path": "/subscribe"
}
}
},
"actions": {
"Domain_Age_Variable": {
"runAfter": {
"Host_Host_Entity_Full_Name": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "domain_age",
"type": "string"
}
]
}
},
"Domain_RISK_SCORE_Variable": {
"runAfter": {
"IPQS_Reputation_Variable": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "domain_risk_score",
"type": "integer"
}
]
}
},
"Entities_-_Get_Hosts": {
"runAfter": {},
"type": "ApiConnection",
"inputs": {
"body": "@triggerBody()?['Entities']",
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/entities/host"
}
},
"For_each": {
"foreach": "@body('Entities_-_Get_Hosts')?['Hosts']",
"actions": {
"Add_comment_to_incident_(V3)": {
"runAfter": {
"Alert_-_Get_incident_2": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"body": {
"incidentArmId": "@body('Alert_-_Get_incident_2')?['id']",
"message": "<p><span style=\"font-size: 24px; color: rgb(71,85,119)\">IPQualityScore Reputation Data for </span><span style=\"font-size: 24px; color: rgb(71,85,119)\">@{items('For_each')?['HostName']}</span><span style=\"font-size: 24px; color: rgb(71,85,119)\">.</span><span style=\"font-size: 24px; color: rgb(71,85,119)\">@{items('For_each')?['DnsDomain']}</span><span style=\"font-size: 24px; color: rgb(71,85,119)\">:<br>\n</span><span style=\"font-family: arial; font-size: 18px; color: rgb(71,85,119)\">IPQS Reputation: </span><span style=\"font-family: arial; font-size: 18px; color: rgb(71,85,119)\"></span><span style=\"font-family: arial; font-size: 18px; color: rgb(71,85,119)\">@{variables('ipqs_reputation')}</span><span style=\"font-family: arial; font-size: 18px; color: rgb(71,85,119)\"><br>\nIPQS API Response:</span><span style=\"font-family: arial; font-size: 18px; color: rgb(71,85,119)\"><strong><br>\n</strong></span><span style=\"font-family: arial; font-size: 18px; color: rgb(71,85,119)\"><strong>@{body('Create_HTML_table')}</strong></span><span style=\"font-family: arial; font-size: 18px; color: rgb(71,85,119)\"><strong></strong></span></p>"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/Incidents/Comment"
}
},
"Alert_-_Get_incident_2": {
"runAfter": {
"Create_HTML_table": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "get",
"path": "/Incidents/subscriptions/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/resourceGroups/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/workspaces/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/alerts/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}"
}
},
"Checking_for_Successful_Response": {
"actions": {
"Check_Malware_or_Phishing_is_true": {
"actions": {
"Set_IPQS_Reputation_Variable_Critical": {
"runAfter": {},
"type": "SetVariable",
"inputs": {
"name": "ipqs_reputation",
"value": "CRITICAL"
}
}
},
"runAfter": {
"Set_Domain_Risk_variable": [
"Succeeded"
]
},
"else": {
"actions": {
"Check_Risk_Score_is_greater_than_or_equal_to_90": {
"actions": {
"Set_IPQS_Reputation_Variable_High_Risk": {
"runAfter": {},
"type": "SetVariable",
"inputs": {
"name": "ipqs_reputation",
"value": "HIGH RISK"
}
}
},
"runAfter": {},
"else": {
"actions": {
"Check_Risk_Score_is_between_80_and_89": {
"actions": {
"Set_IPQS_Reputation_Variable_MODERATE_Risk": {
"runAfter": {},
"type": "SetVariable",
"inputs": {
"name": "ipqs_reputation",
"value": "MODERATE RISK"
}
}
},
"runAfter": {},
"else": {
"actions": {
"Check_Risk_Score_is_between_70_and_79": {
"actions": {
"Set_IPQS_Reputation_Variable_Low_Risk": {
"runAfter": {},
"type": "SetVariable",
"inputs": {
"name": "ipqs_reputation",
"value": "LOW RISK"
}
}
},
"runAfter": {},
"else": {
"actions": {
"Check_Risk_Score_is_between_55_and_69": {
"actions": {
"Set_IPQS_Reputation_Variable_Suspicious": {
"runAfter": {},
"type": "SetVariable",
"inputs": {
"name": "ipqs_reputation",
"value": "SUSPICIOUS"
}
}
},
"runAfter": {},
"else": {
"actions": {
"Check_Risk_Score_is_less_than_or_equal_to_54": {
"actions": {
"Set_IPQS_Reputation_Variable_Clean": {
"runAfter": {},
"type": "SetVariable",
"inputs": {
"name": "ipqs_reputation",
"value": "CLEAN"
}
}
},
"runAfter": {},
"expression": {
"and": [
{
"lessOrEquals": [
"@variables('domain_risk_score')",
54
]
}
]
},
"type": "If"
}
}
},
"expression": {
"and": [
{
"greaterOrEquals": [
"@variables('domain_risk_score')",
55
]
},
{
"lessOrEquals": [
"@variables('domain_risk_score')",
69
]
}
]
},
"type": "If"
}
}
},
"expression": {
"and": [
{
"greaterOrEquals": [
"@variables('domain_risk_score')",
70
]
},
{
"lessOrEquals": [
"@variables('domain_risk_score')",
79
]
}
]
},
"type": "If"
}
}
},
"expression": {
"and": [
{
"greaterOrEquals": [
"@variables('domain_risk_score')",
80
]
},
{
"lessOrEquals": [
"@variables('domain_risk_score')",
89
]
}
]
},
"type": "If"
}
}
},
"expression": {
"and": [
{
"greaterOrEquals": [
"@variables('domain_risk_score')",
90
]
}
]
},
"type": "If"
}
}
},
"expression": {
"or": [
{
"equals": [
"@variables('is_phishing')",
true
]
},
{
"equals": [
"@variables('is_malware')",
true
]
}
]
},
"type": "If"
},
"Set_Domain_Risk_variable": {
"runAfter": {
"Set_Phishing_Variable": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "domain_risk_score",
"value": "@body('Retrieve_URL_(or)_Domain_reputation_data')?['risk_score']"
}
},
"Set_Malware_Valriable": {
"runAfter": {},
"type": "SetVariable",
"inputs": {
"name": "is_malware",
"value": "@body('Retrieve_URL_(or)_Domain_reputation_data')?['malware']"
}
},
"Set_Phishing_Variable": {
"runAfter": {
"Set_Malware_Valriable": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "is_phishing",
"value": "@body('Retrieve_URL_(or)_Domain_reputation_data')?['phishing']"
}
}
},
"runAfter": {
"Setting_Successful_Response_Variable": [
"Succeeded"
]
},
"expression": {
"and": [
{
"equals": [
"@variables('is_success')",
true
]
}
]
},
"type": "If"
},
"Create_HTML_table": {
"runAfter": {
"Setting_JSON_OUTPUT": [
"Succeeded"
]
},
"type": "Table",
"inputs": {
"format": "HTML",
"from": "@variables('json_output')"
}
},
"Retrieve_URL_(or)_Domain_reputation_data": {
"runAfter": {
"Set_host_entity_value": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"body": {
"$content-type": "multipart/form-data",
"$multipart": [
{
"body": "@variables('host_entity_value')",
"headers": {
"Content-Disposition": "form-data; name=\"url\""
}
},
{
"body": "0",
"headers": {
"Content-Disposition": "form-data; name=\"strictness\""
}
}
]
},
"host": {
"connection": {
"name": "@parameters('$connections')['ipqsfraudandriskscor']['connectionId']"
}
},
"method": "post",
"path": "/url"
}
},
"Set_Domain_Age_Variable": {
"runAfter": {
"Checking_for_Successful_Response": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "domain_age",
"value": "Human:@{body('Retrieve_URL_(or)_Domain_reputation_data')?['domain_age']?['human']} , Timestamp: @{body('Retrieve_URL_(or)_Domain_reputation_data')?['domain_age']?['timestamp']}, ISO: @{body('Retrieve_URL_(or)_Domain_reputation_data')?['domain_age']?['iso']}"
}
},
"Set_dns_domain_variable": {
"runAfter": {
"Set_host_name_variable": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "dns_domain",
"value": "@items('For_each')?['DnsDomain']"
}
},
"Set_host_entity_value": {
"runAfter": {
"Set_dns_domain_variable": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "host_entity_value",
"value": "@{variables('host_name')}.@{variables('dns_domain')}"
}
},
"Set_host_name_variable": {
"runAfter": {},
"type": "SetVariable",
"inputs": {
"name": "host_name",
"value": "@items('For_each')?['HostName']"
}
},
"Setting_JSON_OUTPUT": {
"runAfter": {
"Set_Domain_Age_Variable": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "json_output",
"value": [
{
"Adult": "@body('Retrieve_URL_(or)_Domain_reputation_data')?['adult']",
"Content Type": "@body('Retrieve_URL_(or)_Domain_reputation_data')?['content_type']",
"DNS Valid": "@body('Retrieve_URL_(or)_Domain_reputation_data')?['dns_valid']",
"Domain": "@body('Retrieve_URL_(or)_Domain_reputation_data')?['domain']",
"Domain Age": "@variables('domain_age')",
"Domain Rank": "@body('Retrieve_URL_(or)_Domain_reputation_data')?['domain_rank']",
"IP Address": "@body('Retrieve_URL_(or)_Domain_reputation_data')?['ip_address']",
"Malware": "@body('Retrieve_URL_(or)_Domain_reputation_data')?['malware']",
"Page Size": "@body('Retrieve_URL_(or)_Domain_reputation_data')?['page_size']",
"Parking": "@body('Retrieve_URL_(or)_Domain_reputation_data')?['parking']",
"Phishing": "@body('Retrieve_URL_(or)_Domain_reputation_data')?['phishing']",
"Risk Score": "@body('Retrieve_URL_(or)_Domain_reputation_data')?['risk_score']",
"Server": "@body('Retrieve_URL_(or)_Domain_reputation_data')?['server']",
"Spamming": "@body('Retrieve_URL_(or)_Domain_reputation_data')?['spamming']",
"Status Code": "@body('Retrieve_URL_(or)_Domain_reputation_data')?['status_code']",
"Suspicious": "@body('Retrieve_URL_(or)_Domain_reputation_data')?['suspicious']",
"UnSafe": "@body('Retrieve_URL_(or)_Domain_reputation_data')?['unsafe']"
}
]
}
},
"Setting_Successful_Response_Variable": {
"runAfter": {
"Retrieve_URL_(or)_Domain_reputation_data": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "is_success",
"value": "@body('Retrieve_URL_(or)_Domain_reputation_data')?['success']"
}
}
},
"runAfter": {
"Domain_Age_Variable": [
"Succeeded"
]
},
"type": "Foreach",
"runtimeConfiguration": {
"concurrency": {
"repetitions": 1
}
}
},
"Host_Dns_Domain_Variable": {
"runAfter": {
"Host_Host_Name_Variable": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "dns_domain",
"type": "string"
}
]
}
},
"Host_Host_Entity_Full_Name": {
"runAfter": {
"Host_Dns_Domain_Variable": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "host_entity_value",
"type": "string"
}
]
}
},
"Host_Host_Name_Variable": {
"runAfter": {
"JSON_OUPUT": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "host_name",
"type": "string"
}
]
}
},
"IPQS_Reputation_Variable": {
"runAfter": {
"Successful_Response_Variable": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "ipqs_reputation",
"type": "string"
}
]
}
},
"JSON_OUPUT": {
"runAfter": {
"Phishing_Variable": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "json_output",
"type": "array"
}
]
}
},
"Malware_Variable": {
"runAfter": {
"Domain_RISK_SCORE_Variable": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "is_malware",
"type": "boolean"
}
]
}
},
"Phishing_Variable": {
"runAfter": {
"Malware_Variable": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "is_phishing",
"type": "boolean"
}
]
}
},
"Successful_Response_Variable": {
"runAfter": {
"Entities_-_Get_Hosts": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "is_success",
"type": "boolean"
}
]
}
}
},
"outputs": {}
},
"parameters": {
"$connections": {
"value": {
"azuresentinel": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
"connectionName": "[variables('AzureSentinelConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
},
"ipqsfraudandriskscor": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('IPQSApiKey'))]",
"connectionName": "[variables('IPQSApiKey')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/ipqsfraudandriskscor')]"
}
}
}
}
}
}
]
}
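Review bot: `ipqs_reputation` is initialized once before the loop (`IPQS_Reputation_Variable`) and is only ever assigned inside the success branch of `Checking_for_Successful_Response`, so when the `/url` lookup returns `success: false` for one host, `Set_Domain_Age_Variable`, `Setting_JSON_OUTPUT`, `Create_HTML_table` and `Add_comment_to_incident_(V3)` still run and post the previous iteration's reputation (or an empty value on the first host, since `concurrency.repetitions` is 1) next to a table of mostly empty fields, with no indication that the lookup failed. Give `Checking_for_Successful_Response` an `else` that sets `ipqs_reputation` to a sentinel such as `"LOOKUP FAILED"`, and either reset the variable to `""` at the top of the loop body (before `Set_host_name_variable`) or move the comment-building actions under the success branch so a failed enrichment is visible to the analyst rather than misreported. Separately, `Retrieve_URL_(or)_Domain_reputation_data` sends `@{variables('host_name')}.@{variables('dns_domain')}` for every Host entity to a third-party service; in many tenants these are internal machine names rather than public domains, so the README should state that host entity names leave the tenant, and skipping entities whose `DnsDomain` is empty would also avoid submitting bare `hostname.` values. `@{items('For_each')?['HostName']}` and `?['DnsDomain']` are interpolated unescaped into the HTML comment body; Sentinel may sanitize comment markup, but these values originate in alert data and should not be trusted inside markup. Minor: the action names `Set_Malware_Valriable` and `JSON_OUPUT` are misspelled and are also referenced from the `runAfter` of `Set_Phishing_Variable` and `Host_Host_Name_Variable`, so both places need changing together.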


@ -0,0 +1,19 @@
# Enrich_Sentinel_IPQualityScore_Domain_Reputation
author: David Mackler, IPQualityScore
This playbook uses the IPQS Fraud and Risk Scoring connector to automatically enrich Domain's found in the Sentinel incidents. This Playbook Template provides the Reputation such as **Critical, High Risk, Moderate Risk, Low Risk, Suspicious, Clean** based on Risk Score.
Learn more about the integration via the https://docs.microsoft.com/connectors/ipqsfraudandriskscor/ or visit https://www.ipqualityscore.com/contact-us to request a trial key.
## Sentinel Incident Comments Screenshot
![Incident Comments](./Graphics/comments.png)
## Reputation Threat Metrix
![Threat Metrix](./Graphics/domain_threat_metrix.png)
## Links to deploy the Enrich_Sentinel_IPQualityScore_Domain_Reputation playbook template:
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FEnrich_Sentinel_IPQualityScore_Domain_Reputation%2Fazuredeploy.json)
[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FEnrich_Sentinel_IPQualityScore_Domain_Reputation%2Fazuredeploy.json)