Merge branch 'master' into pr/8379
This commit is contained in:
v-atulyadav
Коммит
087ab25a49
|
|
@ -85,7 +85,7 @@
|
|||
"Solutions/Azure Active Directory/Playbooks/Revoke-AADSignInSessions/entity-trigger/azuredeploy.json"
|
||||
],
|
||||
"BasePath": "C:\\GitHub\\Azure-Sentinel",
|
||||
"Version": "2.0.12",
|
||||
"Version": "2.0.13",
|
||||
"Metadata": "SolutionMetadata.json",
|
||||
"TemplateSpec": true,
|
||||
"Is1PConnector": true
|
||||
|
|
|
|||
Двоичный файл не отображается.
|
|
@ -6,7 +6,7 @@
|
|||
"config": {
|
||||
"isWizard": false,
|
||||
"basics": {
|
||||
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/Images/Logos/azureactivedirectory_logo.svg\"width=\"75px\" height=\"75px\">\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [ Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis) solution for Microsoft Sentinel enables you to ingest Azure Active Directory [Audit](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-audit-logs), [Sign-in](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins), [Provisioning](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-provisioning-logs), [Risk Events and Risky User/Service Principal](https://docs.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk#risky-users) logs using Diagnostic Settings into Microsoft Sentinel.\n\n**Data Connectors:** 1, **Workbooks:** 2, **Analytic Rules:** 59, **Playbooks:** 8\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
|
||||
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/Images/Logos/azureactivedirectory_logo.svg\"width=\"75px\" height=\"75px\">\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [ Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis) solution for Microsoft Sentinel enables you to ingest Azure Active Directory [Audit](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-audit-logs), [Sign-in](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins), [Provisioning](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-provisioning-logs), [Risk Events and Risky User/Service Principal](https://docs.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk#risky-users) logs using Diagnostic Settings into Microsoft Sentinel.\n\n**Data Connectors:** 1, **Workbooks:** 2, **Analytic Rules:** 59, **Playbooks:** 11\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
|
||||
"subscription": {
|
||||
"resourceProviders": [
|
||||
"Microsoft.OperationsManagement/solutions",
|
||||
|
|
|
|||
Разница между файлами не показана из-за своего большого размера
Загрузить разницу
|
|
@ -6,11 +6,21 @@
|
|||
"description": "This playbook will revoke all signin sessions for the user using Graph API. It will send an email to the user's manager.",
|
||||
"prerequisites": ["1. You must create an app registration for graph api with appropriate permissions.", "2. You will need to add the managed identity that is created by the logic app to the Password Administrator role in Azure AD."],
|
||||
"comments": "This playbook will revoke all signin sessions for the user using Graph API using a Beta API. It will send and email to the user's manager.",
|
||||
"author": "Nicholas DiCola"
|
||||
|
||||
"lastUpdateTime": "2021-07-14T00:00:00.000Z",
|
||||
"entities": [ "Account" ],
|
||||
"tags": [ "Remediation" ],
|
||||
"support": {
|
||||
"tier": "community"
|
||||
},
|
||||
"author": {
|
||||
"name": "Nicholas DiCola"
|
||||
}
|
||||
|
||||
},
|
||||
"parameters": {
|
||||
"PlaybookName": {
|
||||
"defaultValue": "Revoke-AADSignInSessions",
|
||||
"defaultValue": "Revoke-AADSignInSessions-alert",
|
||||
"type": "string"
|
||||
},
|
||||
"UserName": {
|
||||
|
|
|
|||
|
|
@ -17,7 +17,7 @@
|
|||
},
|
||||
"parameters": {
|
||||
"PlaybookName": {
|
||||
"defaultValue": "Revoke-AADSignInSessions",
|
||||
"defaultValue": "Revoke-AADSignInSessions-incident",
|
||||
"type": "string"
|
||||
},
|
||||
"UserName": {
|
||||
|
|
|
|||
|
|
@ -20,7 +20,6 @@
|
|||
"Playbooks": [
|
||||
"Playbooks/Isolate-MDEMachine/Isolate-MDEMachine-alert-trigger/azuredeploy.json",
|
||||
"Playbooks/Isolate-MDEMachine/Isolate-MDEMachine-incident-trigger/azuredeploy.json",
|
||||
"Playbooks/Isolate-MDEMachine/Isolate-MDE-Machine-entity-trigger/azuredeploy.json",
|
||||
"Playbooks/Restrict-MDEAppExecution/Restrict-MDEAppExecution-alert-trigger/azuredeploy.json",
|
||||
"Playbooks/Restrict-MDEAppExecution/Restrict-MDEAppExecution-incident-trigger/azuredeploy.json",
|
||||
"Playbooks/Restrict-MDEDomain/Restrict-MDEDomain-alert-trigger/azuredeploy.json",
|
||||
|
|
@ -35,14 +34,15 @@
|
|||
"Playbooks/Run-MDEAntivirus/Run-MDEAntivirus-incident-trigger/azuredeploy.json",
|
||||
"Playbooks/Unisolate-MDEMachine/Unisolate-MDEMachine-alert-trigger/azuredeploy.json",
|
||||
"Playbooks/Unisolate-MDEMachine/Unisolate-MDEMachine-incident-trigger/azuredeploy.json",
|
||||
"Playbooks/Unisolate-MDEMachine/Unisolate-MDE-Machine-entity-trigger/azuredeploy.json",
|
||||
"Playbooks/Restrict-MDEDomain/Restrict-MDEDomain-entity-trigger/azuredeploy.json",
|
||||
"Playbooks/Restrict-MDEFileHash/Restrict-MDEFileHash-entity-trigger/azuredeploy.json",
|
||||
"Playbooks/Restrict-MDEIPAddress/Restrict-MDEIPAddress-entity-trigger/azuredeploy.json",
|
||||
"Playbooks/Restrict-MDEUrl/Restrict-MDEUrl-entity-trigger/azuredeploy.json"
|
||||
"Playbooks/Restrict-MDEUrl/Restrict-MDEUrl-entity-trigger/azuredeploy.json",
|
||||
"Playbooks/Isolate-MDEMachine/Isolate-MDE-Machine-entity-trigger/azuredeploy.json",
|
||||
"Playbooks/Unisolate-MDEMachine/Unisolate-MDE-Machine-entity-trigger/azuredeploy.json"
|
||||
],
|
||||
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\MicrosoftDefenderForEndpoint",
|
||||
"Version": "2.0.4",
|
||||
"Version": "2.0.5",
|
||||
"Metadata": "SolutionMetadata.json",
|
||||
"TemplateSpec": true,
|
||||
"Is1PConnector": true
|
||||
|
|
|
|||
Двоичный файл не отображается.
|
|
@ -6,7 +6,7 @@
|
|||
"config": {
|
||||
"isWizard": false,
|
||||
"basics": {
|
||||
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Microsoft Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide) solution for Microsoft Sentinel enables you to ingest security alerts from the Defender for Endpoint platform, integrating them into your Microsoft Sentinel Incidents queue. \r \n \r \n **Underlying Microsoft Technologies used:** \r \n \r \n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n\n a. [Codeless Connector Platform/Native Microsoft Sentinel Polling](https://docs.microsoft.com/azure/sentinel/create-codeless-connector?tabs=deploy-via-arm-template%2Cconnect-via-the-azure-portal)\n\n**Data Connectors:** 1, **Parsers:** 2, **Analytic Rules:** 1, **Hunting Queries:** 2, **Playbooks:** 20\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
|
||||
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Microsoft Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide) solution for Microsoft Sentinel enables you to ingest security alerts from the Defender for Endpoint platform, integrating them into your Microsoft Sentinel Incidents queue. \r \n \r \n **Underlying Microsoft Technologies used:** \r \n \r \n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n\n a. [Codeless Connector Platform/Native Microsoft Sentinel Polling](https://docs.microsoft.com/azure/sentinel/create-codeless-connector?tabs=deploy-via-arm-template%2Cconnect-via-the-azure-portal)\n\n**Data Connectors:** 1, **Parsers:** 2, **Analytic Rules:** 1, **Hunting Queries:** 2, **Playbooks:** 22\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
|
||||
"subscription": {
|
||||
"resourceProviders": [
|
||||
"Microsoft.OperationsManagement/solutions",
|
||||
|
|
|
|||
|
|
@ -214,7 +214,21 @@
|
|||
"playbookContentId20": "Restrict-MDEUrl-entity-trigger",
|
||||
"_playbookContentId20": "[variables('playbookContentId20')]",
|
||||
"playbookId20": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId20'))]",
|
||||
"playbookTemplateSpecName20": "[concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId20')))]"
|
||||
"playbookTemplateSpecName20": "[concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId20')))]",
|
||||
"Isolate-MDE-Machine-entity-trigger": "Isolate-MDE-Machine-entity-trigger",
|
||||
"_Isolate-MDE-Machine-entity-trigger": "[variables('Isolate-MDE-Machine-entity-trigger')]",
|
||||
"playbookVersion21": "1.0",
|
||||
"playbookContentId21": "Isolate-MDE-Machine-entity-trigger",
|
||||
"_playbookContentId21": "[variables('playbookContentId21')]",
|
||||
"playbookId21": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId21'))]",
|
||||
"playbookTemplateSpecName21": "[concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId21')))]",
|
||||
"Unisolate-MDE-Machine-entity-trigger": "Unisolate-MDE-Machine-entity-trigger",
|
||||
"_Unisolate-MDE-Machine-entity-trigger": "[variables('Unisolate-MDE-Machine-entity-trigger')]",
|
||||
"playbookVersion22": "1.0",
|
||||
"playbookContentId22": "Unisolate-MDE-Machine-entity-trigger",
|
||||
"_playbookContentId22": "[variables('playbookContentId22')]",
|
||||
"playbookId22": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId22'))]",
|
||||
"playbookTemplateSpecName22": "[concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId22')))]"
|
||||
},
|
||||
"resources": [
|
||||
{
|
||||
|
|
@ -244,7 +258,7 @@
|
|||
"[resourceId('Microsoft.Resources/templateSpecs', variables('dataConnectorTemplateSpecName1'))]"
|
||||
],
|
||||
"properties": {
|
||||
"description": "MicrosoftDefenderForEndpoint data connector with template version 2.0.4",
|
||||
"description": "MicrosoftDefenderForEndpoint data connector with template version 2.0.5",
|
||||
"mainTemplate": {
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "[variables('dataConnectorVersion1')]",
|
||||
|
|
@ -410,7 +424,7 @@
|
|||
"[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName1'))]"
|
||||
],
|
||||
"properties": {
|
||||
"description": "AquaBlizzardAVHits_AnalyticalRules Analytics Rule with template version 2.0.4",
|
||||
"description": "AquaBlizzardAVHits_AnalyticalRules Analytics Rule with template version 2.0.5",
|
||||
"mainTemplate": {
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "[variables('analyticRuleVersion1')]",
|
||||
|
|
@ -543,7 +557,7 @@
|
|||
"[resourceId('Microsoft.Resources/templateSpecs', variables('parserTemplateSpecName1'))]"
|
||||
],
|
||||
"properties": {
|
||||
"description": "AssignedIPAddress Data Parser with template version 2.0.4",
|
||||
"description": "AssignedIPAddress Data Parser with template version 2.0.5",
|
||||
"mainTemplate": {
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "[variables('parserVersion1')]",
|
||||
|
|
@ -674,7 +688,7 @@
|
|||
"[resourceId('Microsoft.Resources/templateSpecs', variables('parserTemplateSpecName2'))]"
|
||||
],
|
||||
"properties": {
|
||||
"description": "Devicefromip Data Parser with template version 2.0.4",
|
||||
"description": "Devicefromip Data Parser with template version 2.0.5",
|
||||
"mainTemplate": {
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "[variables('parserVersion2')]",
|
||||
|
|
@ -805,7 +819,7 @@
|
|||
"[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName1'))]"
|
||||
],
|
||||
"properties": {
|
||||
"description": "MDE_Usage_HuntingQueries Hunting Query with template version 2.0.4",
|
||||
"description": "MDE_Usage_HuntingQueries Hunting Query with template version 2.0.5",
|
||||
"mainTemplate": {
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "[variables('huntingQueryVersion1')]",
|
||||
|
|
@ -897,7 +911,7 @@
|
|||
"[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName2'))]"
|
||||
],
|
||||
"properties": {
|
||||
"description": "MDE_Process-IOCs_HuntingQueries Hunting Query with template version 2.0.4",
|
||||
"description": "MDE_Process-IOCs_HuntingQueries Hunting Query with template version 2.0.5",
|
||||
"mainTemplate": {
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "[variables('huntingQueryVersion2')]",
|
||||
|
|
@ -985,7 +999,7 @@
|
|||
"[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName1'))]"
|
||||
],
|
||||
"properties": {
|
||||
"description": "Isolate-MDEMachine Playbook with template version 2.0.4",
|
||||
"description": "Isolate-MDEMachine Playbook with template version 2.0.5",
|
||||
"mainTemplate": {
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "[variables('playbookVersion1')]",
|
||||
|
|
@ -1305,7 +1319,7 @@
|
|||
"[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName2'))]"
|
||||
],
|
||||
"properties": {
|
||||
"description": "Isolate-MDEMachine Playbook with template version 2.0.4",
|
||||
"description": "Isolate-MDEMachine Playbook with template version 2.0.5",
|
||||
"mainTemplate": {
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "[variables('playbookVersion2')]",
|
||||
|
|
@ -1608,7 +1622,7 @@
|
|||
"[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName3'))]"
|
||||
],
|
||||
"properties": {
|
||||
"description": "Restrict-MDEAppExecution Playbook with template version 2.0.4",
|
||||
"description": "Restrict-MDEAppExecution Playbook with template version 2.0.5",
|
||||
"mainTemplate": {
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "[variables('playbookVersion3')]",
|
||||
|
|
@ -1927,7 +1941,7 @@
|
|||
"[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName4'))]"
|
||||
],
|
||||
"properties": {
|
||||
"description": "Restrict-MDEAppExecution Playbook with template version 2.0.4",
|
||||
"description": "Restrict-MDEAppExecution Playbook with template version 2.0.5",
|
||||
"mainTemplate": {
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "[variables('playbookVersion4')]",
|
||||
|
|
@ -2229,7 +2243,7 @@
|
|||
"[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName5'))]"
|
||||
],
|
||||
"properties": {
|
||||
"description": "Restrict-MDEDomain Playbook with template version 2.0.4",
|
||||
"description": "Restrict-MDEDomain Playbook with template version 2.0.5",
|
||||
"mainTemplate": {
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "[variables('playbookVersion5')]",
|
||||
|
|
@ -2642,7 +2656,7 @@
|
|||
"[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName6'))]"
|
||||
],
|
||||
"properties": {
|
||||
"description": "Restrict-MDEDomain Playbook with template version 2.0.4",
|
||||
"description": "Restrict-MDEDomain Playbook with template version 2.0.5",
|
||||
"mainTemplate": {
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "[variables('playbookVersion6')]",
|
||||
|
|
@ -3038,7 +3052,7 @@
|
|||
"[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName7'))]"
|
||||
],
|
||||
"properties": {
|
||||
"description": "Restrict-MDEFileHash Playbook with template version 2.0.4",
|
||||
"description": "Restrict-MDEFileHash Playbook with template version 2.0.5",
|
||||
"mainTemplate": {
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "[variables('playbookVersion7')]",
|
||||
|
|
@ -3335,7 +3349,7 @@
|
|||
"[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName8'))]"
|
||||
],
|
||||
"properties": {
|
||||
"description": "Restrict-MDEFileHash Playbook with template version 2.0.4",
|
||||
"description": "Restrict-MDEFileHash Playbook with template version 2.0.5",
|
||||
"mainTemplate": {
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "[variables('playbookVersion8')]",
|
||||
|
|
@ -3615,7 +3629,7 @@
|
|||
"[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName9'))]"
|
||||
],
|
||||
"properties": {
|
||||
"description": "Restrict-MDEIpAddress Playbook with template version 2.0.4",
|
||||
"description": "Restrict-MDEIpAddress Playbook with template version 2.0.5",
|
||||
"mainTemplate": {
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "[variables('playbookVersion9')]",
|
||||
|
|
@ -3878,7 +3892,7 @@
|
|||
"[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName10'))]"
|
||||
],
|
||||
"properties": {
|
||||
"description": "Restrict-MDEIpAddress Playbook with template version 2.0.4",
|
||||
"description": "Restrict-MDEIpAddress Playbook with template version 2.0.5",
|
||||
"mainTemplate": {
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "[variables('playbookVersion10')]",
|
||||
|
|
@ -4124,7 +4138,7 @@
|
|||
"[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName11'))]"
|
||||
],
|
||||
"properties": {
|
||||
"description": "Restrict-MDEUrl Playbook with template version 2.0.4",
|
||||
"description": "Restrict-MDEUrl Playbook with template version 2.0.5",
|
||||
"mainTemplate": {
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "[variables('playbookVersion11')]",
|
||||
|
|
@ -4387,7 +4401,7 @@
|
|||
"[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName12'))]"
|
||||
],
|
||||
"properties": {
|
||||
"description": "Restrict-MDEUrl Playbook with template version 2.0.4",
|
||||
"description": "Restrict-MDEUrl Playbook with template version 2.0.5",
|
||||
"mainTemplate": {
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "[variables('playbookVersion12')]",
|
||||
|
|
@ -4633,7 +4647,7 @@
|
|||
"[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName13'))]"
|
||||
],
|
||||
"properties": {
|
||||
"description": "Run-MDEAntivirus Playbook with template version 2.0.4",
|
||||
"description": "Run-MDEAntivirus Playbook with template version 2.0.5",
|
||||
"mainTemplate": {
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "[variables('playbookVersion13')]",
|
||||
|
|
@ -4655,9 +4669,8 @@
|
|||
"AzureSentinelConnectionName": "[[concat('azuresentinel-', parameters('PlaybookName'))]",
|
||||
"MDATPConnectionName": "[[concat('wdatp-', parameters('PlaybookName'))]",
|
||||
"roleAssignmentName": "[[guid(subscription().subscriptionId, resourceGroup().id)]",
|
||||
"ASResourceGroup": "[[if(empty(parameters('SentinelResourceGroupName')), resourceGroup().name, parameters('SentinelResourceGroupName'))]",
|
||||
"ASSubscriptionId": "[[if(empty(parameters('SentinelSubscriptionId')), subscription().subscriptionId, parameters('SentinelSubscriptionId'))]",
|
||||
"roleDefinitionId": "[[concat('/subscriptions/', variables('ASSubscriptionId'), '/', variables('ASResourceGroup'), '/providers/Microsoft.Authorization/roleDefinitions/ab8e14d6-4a74-4a29-9ba8-549422addade')]",
|
||||
"roleDefinitionId": "[[concat('/subscriptions/', variables('ASSubscriptionId'),'/providers/Microsoft.Authorization/roleDefinitions/ab8e14d6-4a74-4a29-9ba8-549422addade')]",
|
||||
"_roleDefinitionId": "[[variables('roleDefinitionId')]",
|
||||
"connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
|
||||
"_connection-1": "[[variables('connection-1')]",
|
||||
|
|
@ -4976,14 +4989,14 @@
|
|||
},
|
||||
{
|
||||
"type": "Microsoft.Authorization/roleAssignments",
|
||||
"apiVersion": "2019-08-01",
|
||||
"apiVersion": "2022-04-01",
|
||||
"name": "[[variables('roleAssignmentName')]",
|
||||
"dependsOn": [
|
||||
"[[resourceId('Microsoft.Logic/workflows', parameters('PlaybookName'))]"
|
||||
],
|
||||
"properties": {
|
||||
"roleDefinitionId": "[[variables('_roleDefinitionId')]",
|
||||
"principalId": "[[reference(resourceId('Microsoft.Logic/workflows', parameters('PlaybookName')), '2018-11-30', 'full').identity.principalId]"
|
||||
"principalId": "[[reference(resourceId('Microsoft.Logic/workflows', parameters('PlaybookName')), '2019-05-01', 'full').identity.principalId]"
|
||||
}
|
||||
},
|
||||
{
|
||||
|
|
@ -5066,7 +5079,7 @@
|
|||
"[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName14'))]"
|
||||
],
|
||||
"properties": {
|
||||
"description": "Run-MDEAntivirus Playbook with template version 2.0.4",
|
||||
"description": "Run-MDEAntivirus Playbook with template version 2.0.5",
|
||||
"mainTemplate": {
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "[variables('playbookVersion14')]",
|
||||
|
|
@ -5457,7 +5470,7 @@
|
|||
"[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName15'))]"
|
||||
],
|
||||
"properties": {
|
||||
"description": "Unisolate-MDEMachine Playbook with template version 2.0.4",
|
||||
"description": "Unisolate-MDEMachine Playbook with template version 2.0.5",
|
||||
"mainTemplate": {
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "[variables('playbookVersion15')]",
|
||||
|
|
@ -5776,7 +5789,7 @@
|
|||
"[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName16'))]"
|
||||
],
|
||||
"properties": {
|
||||
"description": "Unisolate-MDEMachine Playbook with template version 2.0.4",
|
||||
"description": "Unisolate-MDEMachine Playbook with template version 2.0.5",
|
||||
"mainTemplate": {
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "[variables('playbookVersion16')]",
|
||||
|
|
@ -6078,7 +6091,7 @@
|
|||
"[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName17'))]"
|
||||
],
|
||||
"properties": {
|
||||
"description": "Restrict-MDEDomain-entityTrigger Playbook with template version 2.0.4",
|
||||
"description": "Restrict-MDEDomain-entityTrigger Playbook with template version 2.0.5",
|
||||
"mainTemplate": {
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "[variables('playbookVersion17')]",
|
||||
|
|
@ -6313,7 +6326,7 @@
|
|||
"[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName18'))]"
|
||||
],
|
||||
"properties": {
|
||||
"description": "Restrict-MDEFileHash-entityTrigger Playbook with template version 2.0.4",
|
||||
"description": "Restrict-MDEFileHash-entityTrigger Playbook with template version 2.0.5",
|
||||
"mainTemplate": {
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "[variables('playbookVersion18')]",
|
||||
|
|
@ -6557,6 +6570,7 @@
|
|||
"title": "Restrict MDE FileHash - Entity Triggered",
|
||||
"description": "This playbook will take the triggering FileHash entity and generate an alert and block threat indicator for the file hash in MDE for 90 days.",
|
||||
"prerequisites": "- **For Gov Only** \n\n You will need to update the HTTP action URL to the correct URL documented [here](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/gov?view=o365-worldwide#api) \n\n - You will need to grant Ti.ReadWrite permissions and assign Microsoft Sentinel Reader to the resource group for the managed identity. Run the following code replacing the managed identity object id, subscriptionId and resource group. You find the managed identity object id on the Identity blade under Settings for the Logic App. \n\n ```powershell \n\n $MIGuid = '<Enter your managed identity guid here>' \n\n $SubscriptionId = '<Enter your subsciption id here>' \n\n $ResourceGroup = '<Enter your resource group here>' \n\n $MI = Get-AzureADServicePrincipal -ObjectId $MIGuid \n\n $MDEAppId = 'fc780465-2017-40d4-a0c5-307022471b92' \n\n $PermissionName = 'Ti.ReadWrite' \n\n $RoleName = 'Microsoft Sentinel Responder' \n\n $MDEServicePrincipal = Get-AzureADServicePrincipal -Filter 'appId eq '$MDEAppId'' \n\n $AppRole = $MDEServicePrincipal.AppRoles | Where-Object {$_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains 'Application'} \n\n New-AzureAdServiceAppRoleAssignment -ObjectId $MI.ObjectId -PrincipalId $MI.ObjectId ` -ResourceId $MDEServicePrincipal.ObjectId -Id $AppRole.Id \n\n New-AzRoleAssignment -ObjectId $MIGuid -RoleDefinitionName $RoleName -Scope /subscriptions/$SubscriptionId/resourcegroups/$ResourceGroup \n\n ```",
|
||||
"postDeployment": [""],
|
||||
"lastUpdateTime": "2023-02-26T00:00:00Z",
|
||||
"entities": [
|
||||
"FileHash"
|
||||
|
|
@ -6602,7 +6616,7 @@
|
|||
"[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName19'))]"
|
||||
],
|
||||
"properties": {
|
||||
"description": "Restrict-MDEIP-entityTrigger Playbook with template version 2.0.4",
|
||||
"description": "Restrict-MDEIP-entityTrigger Playbook with template version 2.0.5",
|
||||
"mainTemplate": {
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "[variables('playbookVersion19')]",
|
||||
|
|
@ -6791,6 +6805,7 @@
|
|||
"title": "Restrict MDE Ip Address - Entity Triggered",
|
||||
"description": "This playbook will and generate alert and block threat indicators for the IP entity in MDE for 90 days.",
|
||||
"prerequisites": "- **For Gov Only** \n\n You will need to update the HTTP action URL to the correct URL documented [here](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/gov?view=o365-worldwide#api) \n\n - You will need to grant Ti.ReadWrite permissions and assign Microsoft Sentinel Reader to the resource group for the managed identity. Run the following code replacing the managed identity object id, subscriptionId and resource group. You find the managed identity object id on the Identity blade under Settings for the Logic App. \n\n ```powershell \n\n $MIGuid = '<Enter your managed identity guid here>' \n\n $SubscriptionId = '<Enter your subsciption id here>' \n\n $ResourceGroup = '<Enter your resource group here>' \n\n $MI = Get-AzureADServicePrincipal -ObjectId $MIGuid \n\n $MDEAppId = 'fc780465-2017-40d4-a0c5-307022471b92' \n\n $PermissionName = 'Ti.ReadWrite' \n\n $RoleName = 'Microsoft Sentinel Responder' \n\n $MDEServicePrincipal = Get-AzureADServicePrincipal -Filter 'appId eq '$MDEAppId'' \n\n $AppRole = $MDEServicePrincipal.AppRoles | Where-Object {$_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains 'Application'} \n\n New-AzureAdServiceAppRoleAssignment -ObjectId $MI.ObjectId -PrincipalId $MI.ObjectId ` -ResourceId $MDEServicePrincipal.ObjectId -Id $AppRole.Id \n\n New-AzRoleAssignment -ObjectId $MIGuid -RoleDefinitionName $RoleName -Scope /subscriptions/$SubscriptionId/resourcegroups/$ResourceGroup \n\n ```",
|
||||
"postDeployment": [""],
|
||||
"lastUpdateTime": "2023-02-26T00:00:00Z",
|
||||
"entities": [
|
||||
"Ip"
|
||||
|
|
@ -6836,7 +6851,7 @@
|
|||
"[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName20'))]"
|
||||
],
|
||||
"properties": {
|
||||
"description": "Restrict-MDEUrl-entityTrigger Playbook with template version 2.0.4",
|
||||
"description": "Restrict-MDEUrl-entityTrigger Playbook with template version 2.0.5",
|
||||
"mainTemplate": {
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "[variables('playbookVersion20')]",
|
||||
|
|
@ -7044,12 +7059,521 @@
|
|||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Resources/templateSpecs",
|
||||
"apiVersion": "2022-02-01",
|
||||
"name": "[variables('playbookTemplateSpecName21')]",
|
||||
"location": "[parameters('workspace-location')]",
|
||||
"tags": {
|
||||
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
|
||||
"hidden-sentinelContentType": "Playbook"
|
||||
},
|
||||
"properties": {
|
||||
"description": "Isolate-MDE-Machine-entityTrigger playbook",
|
||||
"displayName": "Isolate-MDE-Machine-entityTrigger playbook"
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Resources/templateSpecs/versions",
|
||||
"apiVersion": "2022-02-01",
|
||||
"name": "[concat(variables('playbookTemplateSpecName21'),'/',variables('playbookVersion21'))]",
|
||||
"location": "[parameters('workspace-location')]",
|
||||
"tags": {
|
||||
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
|
||||
"hidden-sentinelContentType": "Playbook"
|
||||
},
|
||||
"dependsOn": [
|
||||
"[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName21'))]"
|
||||
],
|
||||
"properties": {
|
||||
"description": "Isolate-MDE-Machine-entityTrigger Playbook with template version 2.0.5",
|
||||
"mainTemplate": {
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "[variables('playbookVersion21')]",
|
||||
"parameters": {
|
||||
"PlaybookName": {
|
||||
"defaultValue": "Isolate-MDE-Machine-entityTrigger",
|
||||
"type": "string"
|
||||
}
|
||||
},
|
||||
"variables": {
|
||||
"MicrosoftSentinelConnectionName": "[[concat('MicrosoftSentinel-', parameters('PlaybookName'))]",
|
||||
"WdatpConnectionName": "[[concat('Wdatp-', parameters('PlaybookName'))]",
|
||||
"connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]",
|
||||
"_connection-2": "[[variables('connection-2')]",
|
||||
"connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Wdatp')]",
|
||||
"_connection-3": "[[variables('connection-3')]",
|
||||
"workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
|
||||
"workspace-name": "[parameters('workspace')]",
|
||||
"workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
|
||||
},
|
||||
"resources": [
|
||||
{
|
||||
"properties": {
|
||||
"provisioningState": "Succeeded",
|
||||
"state": "Enabled",
|
||||
"definition": {
|
||||
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"parameters": {
|
||||
"$connections": {
|
||||
"type": "Object"
|
||||
}
|
||||
},
|
||||
"triggers": {
|
||||
"Microsoft_Sentinel_entity": {
|
||||
"type": "ApiConnectionWebhook",
|
||||
"inputs": {
|
||||
"body": {
|
||||
"callback_url": "@{listCallbackUrl()}"
|
||||
},
|
||||
"host": {
|
||||
"connection": {
|
||||
"name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
|
||||
}
|
||||
},
|
||||
"path": "/entity/@{encodeURIComponent('Host')}"
|
||||
}
|
||||
}
|
||||
},
|
||||
"actions": {
|
||||
"Actions_-_Isolate_machine": {
|
||||
"type": "ApiConnection",
|
||||
"inputs": {
|
||||
"body": {
|
||||
"Comment": "Host is isolated from Microsoft Sentinel using playbook Isolate-MDE-machine-entityTrigger.",
|
||||
"IsolationType": "Full"
|
||||
},
|
||||
"host": {
|
||||
"connection": {
|
||||
"name": "@parameters('$connections')['wdatp']['connectionId']"
|
||||
}
|
||||
},
|
||||
"method": "post",
|
||||
"path": "/api/machines/@{encodeURIComponent(triggerBody()?['entity']?['properties']?['additionalData']?['MdatpDeviceId'])}/isolate"
|
||||
}
|
||||
},
|
||||
"Condition": {
|
||||
"actions": {
|
||||
"Add_comment_to_incident_(V3)_-_device_isolated": {
|
||||
"type": "ApiConnection",
|
||||
"inputs": {
|
||||
"body": {
|
||||
"incidentArmId": "@triggerBody()?['IncidentArmID']",
|
||||
"message": "<p>Host - @{triggerBody()?['Entity']?['properties']?['HostName']} - is succesfully isolated!</p>"
|
||||
},
|
||||
"host": {
|
||||
"connection": {
|
||||
"name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
|
||||
}
|
||||
},
|
||||
"method": "post",
|
||||
"path": "/Incidents/Comment"
|
||||
}
|
||||
}
|
||||
},
|
||||
"runAfter": {
|
||||
"Actions_-_Isolate_machine": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"expression": {
|
||||
"and": [
|
||||
{
|
||||
"not": {
|
||||
"equals": [
|
||||
"@triggerBody()?['IncidentArmID']",
|
||||
"@null"
|
||||
]
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
"type": "If"
|
||||
}
|
||||
}
|
||||
},
|
||||
"parameters": {
|
||||
"$connections": {
|
||||
"value": {
|
||||
"microsoftsentinel": {
|
||||
"connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
|
||||
"connectionName": "[[variables('MicrosoftSentinelConnectionName')]",
|
||||
"id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
|
||||
"connectionProperties": {
|
||||
"authentication": {
|
||||
"type": "ManagedServiceIdentity"
|
||||
}
|
||||
}
|
||||
},
|
||||
"wdatp": {
|
||||
"connectionId": "[[resourceId('Microsoft.Web/connections', variables('WdatpConnectionName'))]",
|
||||
"connectionName": "[[variables('WdatpConnectionName')]",
|
||||
"id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Wdatp')]",
|
||||
"connectionProperties": {
|
||||
"authentication": {
|
||||
"type": "ManagedServiceIdentity"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"name": "[[parameters('PlaybookName')]",
|
||||
"type": "Microsoft.Logic/workflows",
|
||||
"location": "[[variables('workspace-location-inline')]",
|
||||
"tags": {
|
||||
"hidden-SentinelTemplateName": "Isolate-MDE-Machine-entityTrigger",
|
||||
"hidden-SentinelTemplateVersion": "1.0",
|
||||
"hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
|
||||
},
|
||||
"identity": {
|
||||
"type": "SystemAssigned"
|
||||
},
|
||||
"apiVersion": "2017-07-01",
|
||||
"dependsOn": [
|
||||
"[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
|
||||
"[[resourceId('Microsoft.Web/connections', variables('WdatpConnectionName'))]"
|
||||
]
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Web/connections",
|
||||
"apiVersion": "2016-06-01",
|
||||
"name": "[[variables('MicrosoftSentinelConnectionName')]",
|
||||
"location": "[[variables('workspace-location-inline')]",
|
||||
"kind": "V1",
|
||||
"properties": {
|
||||
"displayName": "[[variables('MicrosoftSentinelConnectionName')]",
|
||||
"parameterValueType": "Alternative",
|
||||
"api": {
|
||||
"id": "[[variables('_connection-2')]"
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Web/connections",
|
||||
"apiVersion": "2016-06-01",
|
||||
"name": "[[variables('WdatpConnectionName')]",
|
||||
"location": "[[variables('workspace-location-inline')]",
|
||||
"kind": "V1",
|
||||
"properties": {
|
||||
"displayName": "[[variables('WdatpConnectionName')]",
|
||||
"parameterValueType": "Alternative",
|
||||
"api": {
|
||||
"id": "[[variables('_connection-3')]"
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
|
||||
"apiVersion": "2022-01-01-preview",
|
||||
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId21'),'/'))))]",
|
||||
"properties": {
|
||||
"parentId": "[variables('playbookId21')]",
|
||||
"contentId": "[variables('_playbookContentId21')]",
|
||||
"kind": "Playbook",
|
||||
"version": "[variables('playbookVersion21')]",
|
||||
"source": {
|
||||
"kind": "Solution",
|
||||
"name": "MicrosoftDefenderForEndpoint",
|
||||
"sourceId": "[variables('_solutionId')]"
|
||||
},
|
||||
"author": {
|
||||
"name": "Microsoft",
|
||||
"email": "[variables('_email')]"
|
||||
},
|
||||
"support": {
|
||||
"name": "Microsoft Corporation",
|
||||
"email": "support@microsoft.com",
|
||||
"tier": "Microsoft",
|
||||
"link": "https://support.microsoft.com"
|
||||
}
|
||||
}
|
||||
}
|
||||
],
|
||||
"metadata": {
|
||||
"title": "Isolate MDE Machine using entity trigger",
|
||||
"description": "This playbook will isolate Microsoft Defender for Endpoint (MDE) device using entity trigger.",
|
||||
"postDeployment": [
|
||||
"1. Add Microsoft Sentinel Responder role to the managed identity.",
|
||||
"2. Assign Machine.Isolate API permissions to the managed identity."
|
||||
],
|
||||
"lastUpdateTime": "2022-12-22T00:00:00Z",
|
||||
"tags": [
|
||||
"Host"
|
||||
],
|
||||
"releaseNotes": {
|
||||
"version": "1.0",
|
||||
"title": "[variables('blanks')]",
|
||||
"notes": [
|
||||
"Initial version"
|
||||
]
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Resources/templateSpecs",
|
||||
"apiVersion": "2022-02-01",
|
||||
"name": "[variables('playbookTemplateSpecName22')]",
|
||||
"location": "[parameters('workspace-location')]",
|
||||
"tags": {
|
||||
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
|
||||
"hidden-sentinelContentType": "Playbook"
|
||||
},
|
||||
"properties": {
|
||||
"description": "Unisolate-MDE-Machine-entityTrigger playbook",
|
||||
"displayName": "Unisolate-MDE-Machine-entityTrigger playbook"
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Resources/templateSpecs/versions",
|
||||
"apiVersion": "2022-02-01",
|
||||
"name": "[concat(variables('playbookTemplateSpecName22'),'/',variables('playbookVersion22'))]",
|
||||
"location": "[parameters('workspace-location')]",
|
||||
"tags": {
|
||||
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
|
||||
"hidden-sentinelContentType": "Playbook"
|
||||
},
|
||||
"dependsOn": [
|
||||
"[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName22'))]"
|
||||
],
|
||||
"properties": {
|
||||
"description": "Unisolate-MDE-Machine-entityTrigger Playbook with template version 2.0.5",
|
||||
"mainTemplate": {
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "[variables('playbookVersion22')]",
|
||||
"parameters": {
|
||||
"PlaybookName": {
|
||||
"defaultValue": "Unisolate-MDE-Machine-entityTrigger",
|
||||
"type": "string"
|
||||
}
|
||||
},
|
||||
"variables": {
|
||||
"MicrosoftSentinelConnectionName": "[[concat('MicrosoftSentinel-', parameters('PlaybookName'))]",
|
||||
"WdatpConnectionName": "[[concat('Wdatp-', parameters('PlaybookName'))]",
|
||||
"connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]",
|
||||
"_connection-2": "[[variables('connection-2')]",
|
||||
"connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Wdatp')]",
|
||||
"_connection-3": "[[variables('connection-3')]",
|
||||
"workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
|
||||
"workspace-name": "[parameters('workspace')]",
|
||||
"workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
|
||||
},
|
||||
"resources": [
|
||||
{
|
||||
"properties": {
|
||||
"provisioningState": "Succeeded",
|
||||
"state": "Enabled",
|
||||
"definition": {
|
||||
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"parameters": {
|
||||
"$connections": {
|
||||
"type": "Object"
|
||||
}
|
||||
},
|
||||
"triggers": {
|
||||
"Microsoft_Sentinel_entity": {
|
||||
"type": "ApiConnectionWebhook",
|
||||
"inputs": {
|
||||
"body": {
|
||||
"callback_url": "@{listCallbackUrl()}"
|
||||
},
|
||||
"host": {
|
||||
"connection": {
|
||||
"name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
|
||||
}
|
||||
},
|
||||
"path": "/entity/@{encodeURIComponent('Host')}"
|
||||
}
|
||||
}
|
||||
},
|
||||
"actions": {
|
||||
"Actions_-_Unisolate_machine": {
|
||||
"type": "ApiConnection",
|
||||
"inputs": {
|
||||
"body": {
|
||||
"Comment": "Host is unisolated from Microsoft Sentinel using playbook Unisolate-MDE-machine-entityTrigger."
|
||||
},
|
||||
"host": {
|
||||
"connection": {
|
||||
"name": "@parameters('$connections')['wdatp']['connectionId']"
|
||||
}
|
||||
},
|
||||
"method": "post",
|
||||
"path": "/api/machines/@{encodeURIComponent(triggerBody()?['entity']?['properties']?['additionalData']?['MdatpDeviceId'])}/unisolate"
|
||||
}
|
||||
},
|
||||
"Condition": {
|
||||
"actions": {
|
||||
"Add_comment_to_incident_(V3)_-_device_unisolated": {
|
||||
"type": "ApiConnection",
|
||||
"inputs": {
|
||||
"body": {
|
||||
"incidentArmId": "@triggerBody()?['IncidentArmID']",
|
||||
"message": "<p>Host - @{triggerBody()?['Entity']?['properties']?['HostName']} - is succesfully unisolated!</p>"
|
||||
},
|
||||
"host": {
|
||||
"connection": {
|
||||
"name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
|
||||
}
|
||||
},
|
||||
"method": "post",
|
||||
"path": "/Incidents/Comment"
|
||||
}
|
||||
}
|
||||
},
|
||||
"runAfter": {
|
||||
"Actions_-_Unisolate_machine": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"expression": {
|
||||
"and": [
|
||||
{
|
||||
"not": {
|
||||
"equals": [
|
||||
"@triggerBody()?['IncidentArmID']",
|
||||
"@null"
|
||||
]
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
"type": "If"
|
||||
}
|
||||
}
|
||||
},
|
||||
"parameters": {
|
||||
"$connections": {
|
||||
"value": {
|
||||
"microsoftsentinel": {
|
||||
"connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
|
||||
"connectionName": "[[variables('MicrosoftSentinelConnectionName')]",
|
||||
"id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]",
|
||||
"connectionProperties": {
|
||||
"authentication": {
|
||||
"type": "ManagedServiceIdentity"
|
||||
}
|
||||
}
|
||||
},
|
||||
"wdatp": {
|
||||
"connectionId": "[[resourceId('Microsoft.Web/connections', variables('WdatpConnectionName'))]",
|
||||
"connectionName": "[[variables('WdatpConnectionName')]",
|
||||
"id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Wdatp')]",
|
||||
"connectionProperties": {
|
||||
"authentication": {
|
||||
"type": "ManagedServiceIdentity"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"name": "[[parameters('PlaybookName')]",
|
||||
"type": "Microsoft.Logic/workflows",
|
||||
"location": "[[variables('workspace-location-inline')]",
|
||||
"tags": {
|
||||
"hidden-SentinelTemplateName": "Unisolate-MDE-Machine-entityTrigger",
|
||||
"hidden-SentinelTemplateVersion": "1.0",
|
||||
"hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
|
||||
},
|
||||
"identity": {
|
||||
"type": "SystemAssigned"
|
||||
},
|
||||
"apiVersion": "2017-07-01",
|
||||
"dependsOn": [
|
||||
"[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
|
||||
"[[resourceId('Microsoft.Web/connections', variables('WdatpConnectionName'))]"
|
||||
]
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Web/connections",
|
||||
"apiVersion": "2016-06-01",
|
||||
"name": "[[variables('MicrosoftSentinelConnectionName')]",
|
||||
"location": "[[variables('workspace-location-inline')]",
|
||||
"kind": "V1",
|
||||
"properties": {
|
||||
"displayName": "[[variables('MicrosoftSentinelConnectionName')]",
|
||||
"parameterValueType": "Alternative",
|
||||
"api": {
|
||||
"id": "[[variables('_connection-2')]"
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Web/connections",
|
||||
"apiVersion": "2016-06-01",
|
||||
"name": "[[variables('WdatpConnectionName')]",
|
||||
"location": "[[variables('workspace-location-inline')]",
|
||||
"kind": "V1",
|
||||
"properties": {
|
||||
"displayName": "[[variables('WdatpConnectionName')]",
|
||||
"parameterValueType": "Alternative",
|
||||
"api": {
|
||||
"id": "[[variables('_connection-3')]"
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
|
||||
"apiVersion": "2022-01-01-preview",
|
||||
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId22'),'/'))))]",
|
||||
"properties": {
|
||||
"parentId": "[variables('playbookId22')]",
|
||||
"contentId": "[variables('_playbookContentId22')]",
|
||||
"kind": "Playbook",
|
||||
"version": "[variables('playbookVersion22')]",
|
||||
"source": {
|
||||
"kind": "Solution",
|
||||
"name": "MicrosoftDefenderForEndpoint",
|
||||
"sourceId": "[variables('_solutionId')]"
|
||||
},
|
||||
"author": {
|
||||
"name": "Microsoft",
|
||||
"email": "[variables('_email')]"
|
||||
},
|
||||
"support": {
|
||||
"name": "Microsoft Corporation",
|
||||
"email": "support@microsoft.com",
|
||||
"tier": "Microsoft",
|
||||
"link": "https://support.microsoft.com"
|
||||
}
|
||||
}
|
||||
}
|
||||
],
|
||||
"metadata": {
|
||||
"title": "Unisolate MDE Machine using entity trigger",
|
||||
"description": "This playbook will unisolate Microsoft Defender for Endpoint (MDE) device using entity trigger.",
|
||||
"postDeployment": [
|
||||
"1. Add Microsoft Sentinel Responder role to the managed identity.",
|
||||
"2. Assign Machine.Isolate API permissions to the managed identity."
|
||||
],
|
||||
"lastUpdateTime": "2022-12-22T00:00:00Z",
|
||||
"entities": [
|
||||
"Host"
|
||||
],
|
||||
"releaseNotes": {
|
||||
"version": "1.0",
|
||||
"title": "[variables('blanks')]",
|
||||
"notes": [
|
||||
"Initial version"
|
||||
]
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
|
||||
"apiVersion": "2022-01-01-preview",
|
||||
"location": "[parameters('workspace-location')]",
|
||||
"properties": {
|
||||
"version": "2.0.4",
|
||||
"version": "2.0.5",
|
||||
"kind": "Solution",
|
||||
"contentSchemaVersion": "2.0.0",
|
||||
"contentId": "[variables('_solutionId')]",
|
||||
|
|
@ -7201,6 +7725,16 @@
|
|||
"kind": "Playbook",
|
||||
"contentId": "[variables('_Restrict-MDEUrl-entity-trigger')]",
|
||||
"version": "[variables('playbookVersion20')]"
|
||||
},
|
||||
{
|
||||
"kind": "Playbook",
|
||||
"contentId": "[variables('_Isolate-MDE-Machine-entity-trigger')]",
|
||||
"version": "[variables('playbookVersion21')]"
|
||||
},
|
||||
{
|
||||
"kind": "Playbook",
|
||||
"contentId": "[variables('_Unisolate-MDE-Machine-entity-trigger')]",
|
||||
"version": "[variables('playbookVersion22')]"
|
||||
}
|
||||
]
|
||||
},
|
||||
|
|
|
|||
|
|
@ -30,7 +30,7 @@
|
|||
"Workbooks/IncidentTasksWorkbook.json"
|
||||
],
|
||||
"Metadata": "SolutionMetadata.json",
|
||||
"BasePath": "C:\\Sentinel-Repos\\19.05.22\\Azure-Sentinel\\Solutions\\SentinelSOARessentials",
|
||||
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\SentinelSOARessentials",
|
||||
"Version": "2.1.0",
|
||||
"TemplateSpec": true,
|
||||
"Is1PConnector": true
|
||||
|
|
|
|||
Двоичный файл не отображается.
|
|
@ -6,7 +6,7 @@
|
|||
"config": {
|
||||
"isWizard": false,
|
||||
"basics": {
|
||||
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\"width=\"75px\"height=\"75px\">\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe Sentinel SOAR Essentials solution for Microsoft Sentinel contains Playbooks that can help you get started with basic notification and orchestration scenarios for common use cases. These include Playbooks for sending notifications over email and/or collaboration platforms such as MS Teams, Slack, etc.\n\n**Playbooks:** 12\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
|
||||
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\"width=\"75px\"height=\"75px\">\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe Microsoft Sentinel SOAR Essentials solution for Microsoft Sentinel contains Playbooks that can help you get started with basic notification and orchestration scenarios for common use cases. These include Playbooks for sending notifications over email and/or collaboration platforms such as MS Teams, Slack, etc.\n\n**Workbooks:** 4, **Playbooks:** 18\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
|
||||
"subscription": {
|
||||
"resourceProviders": [
|
||||
"Microsoft.OperationsManagement/solutions",
|
||||
|
|
@ -51,6 +51,90 @@
|
|||
}
|
||||
],
|
||||
"steps": [
|
||||
{
|
||||
"name": "workbooks",
|
||||
"label": "Workbooks",
|
||||
"subLabel": {
|
||||
"preValidation": "Configure the workbooks",
|
||||
"postValidation": "Done"
|
||||
},
|
||||
"bladeTitle": "Workbooks",
|
||||
"elements": [
|
||||
{
|
||||
"name": "workbooks-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "This solution installs workbook(s) to help you gain insights into the telemetry collected in Microsoft Sentinel. After installing the solution, start using the workbook in Manage solution view."
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "workbooks-link",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"link": {
|
||||
"label": "Learn more",
|
||||
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data"
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "workbook1",
|
||||
"type": "Microsoft.Common.Section",
|
||||
"label": "Automation health",
|
||||
"elements": [
|
||||
{
|
||||
"name": "workbook1-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "Have a holistic overview of your automation health, gain insights about failures, correlate Microsoft Sentinel health with Logic Apps diagnostics logs and deep dive automation details per incident"
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"name": "workbook2",
|
||||
"type": "Microsoft.Common.Section",
|
||||
"label": "Incident overview",
|
||||
"elements": [
|
||||
{
|
||||
"name": "workbook2-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "The Incident Overview workbook is designed to assist in triaging and investigation by providing in-depth information about the incident, including:\r\n* General information\r\n* Entity data\r\n* Triage time (time between incident creation and first response)\r\n* Mitigation time (time between incident creation and closing)\r\n* Comments\r\n\r\nCustomize this workbook by saving and editing it. \r\nYou can reach this workbook template from the incidents panel as well. Once you have customized it, the link from the incident panel will open the customized workbook instead of the template.\r\n"
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"name": "workbook3",
|
||||
"type": "Microsoft.Common.Section",
|
||||
"label": "Security Operations Efficiency",
|
||||
"elements": [
|
||||
{
|
||||
"name": "workbook3-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "Security operations center managers can view overall efficiency metrics and measures regarding the performance of their team. They can find operations by multiple indicators over time including severity, MITRE tactics, mean time to triage, mean time to resolve and more. The SOC manager can develop a picture of the performance in both general and specific areas over time and use it to improve efficiency."
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"name": "workbook4",
|
||||
"type": "Microsoft.Common.Section",
|
||||
"label": "Incident Tasks Workbook",
|
||||
"elements": [
|
||||
{
|
||||
"name": "workbook4-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "Use this workbook to review and modify existing incidents with tasks. This workbook provides views that higlight incident tasks that are open, closed, or deleted, as well as incidents with tasks that are either owned or unassigned. The workbook also provides SOC metrics around incident task performance, such as percentage of incidents without tasks, average time to close tasks, and more."
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"name": "playbooks",
|
||||
"label": "Playbooks",
|
||||
|
|
|
|||
Различия файлов скрыты, потому что одна или несколько строк слишком длинны
|
|
@ -246,5 +246,13 @@
|
|||
{
|
||||
"OldPath": "Playbooks/Sync-IncidentsWithJira/Sync-Status",
|
||||
"NewPath": "Solutions/AtlassianJiraAudit/Playbooks/Sync-Status"
|
||||
},
|
||||
{
|
||||
"OldPath": "Playbooks/CreateIncident-MicrosoftForms",
|
||||
"NewPath": "Solutions/SentinelSOARessentials/Playbooks/CreateIncident-MicrosoftForms"
|
||||
},
|
||||
{
|
||||
"OldPath": "Playbooks/CreateIncident-SharedMailbox",
|
||||
"NewPath": "Solutions/SentinelSOARessentials/Playbooks/CreateIncident-SharedMailbox"
|
||||
}
|
||||
]
|
||||
|
|
@ -5194,29 +5194,28 @@
|
|||
]
|
||||
}
|
||||
},
|
||||
|
||||
{
|
||||
"workbookKey": "NetCleanProActiveWorkbook",
|
||||
"logoFileName": "NetCleanImpactLogo.svg",
|
||||
"description": "This workbook provides insights on NetClean ProActive Incidents.",
|
||||
"dataTypesDependencies": [
|
||||
"Netclean_Incidents_CL"
|
||||
],
|
||||
"dataConnectorsDependencies": [
|
||||
"Netclean_ProActive_Incidents"
|
||||
],
|
||||
"previewImagesFileNames": [
|
||||
"NetCleanProActiveBlack1.png",
|
||||
"NetCleanProActiveBlack2.png",
|
||||
"NetCleanProActiveWhite1.png",
|
||||
"NetCleanProActiveWhite2.png"
|
||||
],
|
||||
"version": "1.0.0",
|
||||
"title": "NetClean ProActive",
|
||||
"templateRelativePath": "NetCleanProActiveWorkbook.json",
|
||||
"subtitle": "",
|
||||
"provider": "NetClean"
|
||||
},
|
||||
{
|
||||
"workbookKey": "NetCleanProActiveWorkbook",
|
||||
"logoFileName": "NetCleanImpactLogo.svg",
|
||||
"description": "This workbook provides insights on NetClean ProActive Incidents.",
|
||||
"dataTypesDependencies": [
|
||||
"Netclean_Incidents_CL"
|
||||
],
|
||||
"dataConnectorsDependencies": [
|
||||
"Netclean_ProActive_Incidents"
|
||||
],
|
||||
"previewImagesFileNames": [
|
||||
"NetCleanProActiveBlack1.png",
|
||||
"NetCleanProActiveBlack2.png",
|
||||
"NetCleanProActiveWhite1.png",
|
||||
"NetCleanProActiveWhite2.png"
|
||||
],
|
||||
"version": "1.0.0",
|
||||
"title": "NetClean ProActive",
|
||||
"templateRelativePath": "NetCleanProActiveWorkbook.json",
|
||||
"subtitle": "",
|
||||
"provider": "NetClean"
|
||||
},
|
||||
{
|
||||
"workbookKey": "AutomationHealth",
|
||||
"logoFileName": "Azure_Sentinel.svg",
|
||||
|
|
@ -5233,22 +5232,7 @@
|
|||
"title": "Automation health",
|
||||
"templateRelativePath": "AutomationHealth.json",
|
||||
"subtitle": "",
|
||||
"provider": "Microsoft Sentinel Community",
|
||||
"support": {
|
||||
"tier": "Microsoft"
|
||||
},
|
||||
"author": {
|
||||
"name": "Microsoft Corporation"
|
||||
},
|
||||
"source": {
|
||||
"kind": "Community"
|
||||
},
|
||||
"categories": {
|
||||
"domains": [
|
||||
"IT Operations",
|
||||
"Platform"
|
||||
]
|
||||
}
|
||||
"provider": "Microsoft Sentinel Community"
|
||||
},
|
||||
{
|
||||
"workbookKey": "SAP-AuditControls",
|
||||
|
|
|
|||
Загрузка…
Ссылка в новой задаче