Gallery adaptations
- Added metadata to ARM templates
- Dark + light screenshots
- Encapsulated incident trigger / alert trigger in different folders, so the gallery can read them as different playbooks
- Changed azuredeploy.json names (the gallery expects an "azuredeploy.json" file in each folder)
Before: Width: | Height: | Size: 86 KiB  After: Width: | Height: | Size: 86 KiB
|
@ -2,8 +2,18 @@
|
|||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"metadata": {
|
||||
"comments": "This playbook will disable the user in Azure Active Directoy and add a comment to the incident",
|
||||
"author": "Nicholas DiCola"
|
||||
"title": "Identity Protection response from Teams",
|
||||
"description": "For each account entity included in the incident, this playbook will disable the user in Azure Active Directoy and add a comment to the incident",
|
||||
"prerequisites": "",
|
||||
"lastUpdateTime": "2021-05-30T10:00:00.000Z",
|
||||
"entities": ["Account"],
|
||||
"tags": ["Remidiation"],
|
||||
"support": {
|
||||
"kind": "Community"
|
||||
},
|
||||
"author": {
|
||||
"name": "Nicholas DiCola"
|
||||
}
|
||||
},
|
||||
"parameters": {
|
||||
"PlaybookName": {
|
||||
|
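Review bot: the `tags` value `"Remidiation"` is misspelled; the commit message says the gallery reads this metadata, so a misspelled tag will not group with playbooks tagged `Remediation`. Suggest `"tags": ["Remediation"]`. The `comments` and `description` strings also read "Azure Active Directoy" (should be "Directory").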
@ -90,7 +100,7 @@
|
|||
"inputs": {
|
||||
"body": {
|
||||
"incidentArmId": "@triggerBody()?['object']?['id']",
|
||||
"message": "<p>User was disabled in AAD via playbook</p>"
|
||||
"message": "<p>User @{items('For_each')?['Name']} was disabled in AAD via playbook Block-AADUser.</p>"
|
||||
},
|
||||
"host": {
|
||||
"connection": {
|
||||
|
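Review bot: the new `message` embeds `items('For_each')?['Name']` directly into HTML markup (`<p>User ... was disabled ...</p>`). The value comes from the incident's account entity, i.e. from whatever data the alert carried, and Logic Apps does not escape expression output inside a string; if the incident-comment renderer interprets HTML, the name should be encoded before insertion. Otherwise the change is an improvement: naming the user and the playbook makes the comment useful in the incident timeline.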
@ -110,7 +120,7 @@
|
|||
"inputs": {
|
||||
"body": {
|
||||
"incidentArmId": "@triggerBody()?['object']?['id']",
|
||||
"message": "<p>@{body('Update_user')['error']['message']}</p>"
|
||||
"message": "<p>Block-AADUser playbook could not disable user @{items('For_each')?['Name']}. <br>\nError message: @{body('Update_user')['error']['message']}</p>"
|
||||
},
|
||||
"host": {
|
||||
"connection": {
|
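Review bot: `body('Update_user')['error']['message']` uses non-null-safe indexers. This action runs on the failure branch, and if the failed response carries no `error` object (a throttling or gateway response, for example), the expression itself fails and the incident never receives the comment. Use `body('Update_user')?['error']?['message']`, as the neighbouring `triggerBody()?['object']?['id']` already does.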
Before: Width: | Height: | Size: 102 KiB  After: Width: | Height: | Size: 102 KiB
Binary data
Playbooks/Block-AADUser/incident-trigger/images/designerScreenshotDark1.png
Normal file
After: Width: | Height: | Size: 70 KiB
Binary data
Playbooks/Block-AADUser/incident-trigger/images/designerScreenshotLight1.png
Normal file
After: Width: | Height: | Size: 50 KiB
|
@ -10,10 +10,10 @@ After deployment, attach this playbook to an **automation rule** so it runs when
|
|||
|
||||
[Learn more about automation rules](https://docs.microsoft.com/azure/sentinel/automate-incident-handling-with-automation-rules#creating-and-managing-automation-rules)
|
||||
|
||||
<a href="https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FBlock-AADUser%2Fazuredeploy_incident.json" target="_blank">
|
||||
<a href="https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FBlock-AADUser%2Fincident-trigger%2Fazuredeploy.json" target="_blank">
|
||||
<img src="https://aka.ms/deploytoazurebutton""/>
|
||||
</a>
|
||||
<a href="https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FBlock-AADUser%2Fazuredeploy_incident.json" target="_blank">
|
||||
<a href="https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FBlock-AADUser%2Fincident-trigger%2Fazuredeploy.json" target="_blank">
|
||||
<img src="https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/deploytoazuregov.png"/>
|
||||
</a>
|
||||
|
||||
|
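Review bot: the deploy links now point at `incident-trigger/azuredeploy.json`, which matches the folder move. While touching these lines, the unchanged context line `<img src="https://aka.ms/deploytoazurebutton""/>` carries a doubled quote and should read `<img src="https://aka.ms/deploytoazurebutton"/>`.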
@ -21,10 +21,10 @@ After deployment, attach this playbook to an **automation rule** so it runs when
|
|||
|
||||
After deployment, you can run this playbook manually on an alert or attach it to an **analytics rule** so it will rune when an alert is created.
|
||||
|
||||
<a href="https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FBlock-AADUser%2Fazuredeploy_alert.json" target="_blank">
|
||||
<a href="https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FBlock-AADUser%2Falert-trigger%2Fazuredeploy.json" target="_blank">
|
||||
<img src="https://aka.ms/deploytoazurebutton""/>
|
||||
</a>
|
||||
<a href="https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FBlock-AADUser%2Fazuredeploy_alert.json" target="_blank">
|
||||
<a href="https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FBlock-AADUser%2Falert-trigger%2Fazuredeploy.json" target="_blank">
|
||||
<img src="https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/deploytoazuregov.png"/>
|
||||
</a>
|
||||
|
||||
|
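Review bot: the context line "so it will rune when an alert is created" should read "run"; the same sentence recurs in the other playbook READMEs in this commit. The `<img src="https://aka.ms/deploytoazurebutton""/>` line has the same doubled quote as in the incident-trigger section.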
@ -32,8 +32,8 @@ After deployment, you can run this playbook manually on an alert or attach it to
|
|||
None
|
||||
|
||||
## Screenshots
|
||||
**Incident Trigger**
|
||||
![Incident Trigger](./images/Block-AADUser_incident.png)
|
||||
|
||||
**Alert Trigger**
|
||||
![Alert Trigger](./images/Block-AADUser_alert.png)
|
||||
**Incident Trigger**<br>
|
||||
![Incident Trigger](./incident-trigger/images/designerScreenshotLight1.png)
|
||||
<br>
|
||||
**Alert Trigger**<br>
|
||||
![Alert Trigger](./alert-trigger/images/Block-AADUser_alert.png)
|
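Review bot: the incident screenshot now references `./incident-trigger/images/designerScreenshotLight1.png`, but the alert screenshot keeps the old `Block-AADUser_alert.png` name under `alert-trigger/images`; the two trigger folders should follow one naming scheme. The dark variant `designerScreenshotDark1.png` added in this commit is not referenced from the README, which is fine if only the gallery consumes it, but the commit message should say so.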
Before: Width: | Height: | Size: 30 KiB  After: Width: | Height: | Size: 30 KiB
Before: Width: | Height: | Size: 30 KiB
|
@ -2,8 +2,18 @@
|
|||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"metadata": {
|
||||
"comments": "This playbook will set the Risky User property in AAD using Graph API using a Beta API. NOTE: You must create an app registration for graph api with appropriate permissions. NOTE: You will need to add the managed identity that is created by the logic app to the Security Administrator role in Azure AD.",
|
||||
"author": "Nicholas DiCola"
|
||||
"title": "Confirm-AADRiskyUser",
|
||||
"description": "For each account entity included in the incident, this playbook will set the Risky User property in AAD using Graph API using a Beta API.",
|
||||
"prerequisites": "1. You must create an app registration for graph api with appropriate permissions. 2. You will need to add the managed identity that is created by the logic app to the Security Administrator role in Azure AD.",
|
||||
"lastUpdateTime": "2021-05-30T10:00:00.000Z",
|
||||
"entities": ["Account"],
|
||||
"tags": ["Remidiation"],
|
||||
"support": {
|
||||
"kind": "Community"
|
||||
},
|
||||
"author": {
|
||||
"name": "Nicholas DiCola"
|
||||
}
|
||||
},
|
||||
"parameters": {
|
||||
"PlaybookName": {
|
||||
|
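Review bot: same `"Remidiation"` tag typo as in Block-AADUser. The `prerequisites` text says "app registration for graph api with appropriate permissions" without naming the permission; for a playbook that marks users as compromised, the exact Graph application permission should be listed so the person granting consent can apply least privilege. Security Administrator is likewise a broad directory role, so the metadata should state why the managed identity needs that role rather than a narrower one. The `comments` field repeats the prerequisites as NOTE sentences; keeping them only in `prerequisites` avoids the two drifting apart.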
@ -51,7 +61,7 @@
|
|||
"body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
|
||||
"host": {
|
||||
"connection": {
|
||||
"name": "@parameters('$connections')['azuresentinel_1']['connectionId']"
|
||||
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
|
||||
}
|
||||
},
|
||||
"method": "post",
|
||||
|
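Review bot: renaming the connection key from `azuresentinel_1` to `azuresentinel` in the action's `host.connection.name` only works if the workflow's `$connections` parameter value block and every other action use the same key; this hunk shows only the action side. Check that no `azuresentinel_1` entry remains elsewhere in the definition, otherwise the action fails at runtime with an unresolved connection.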
@ -70,7 +80,7 @@
|
|||
},
|
||||
"host": {
|
||||
"connection": {
|
||||
"name": "@parameters('$connections')['azuresentinel_1']['connectionId']"
|
||||
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
|
||||
}
|
||||
},
|
||||
"method": "post",
|
||||
|
@ -161,7 +171,7 @@
|
|||
},
|
||||
"host": {
|
||||
"connection": {
|
||||
"name": "@parameters('$connections')['azuresentinel_1']['connectionId']"
|
||||
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
|
||||
}
|
||||
},
|
||||
"path": "/incident-creation"
|
After: Width: | Height: | Size: 120 KiB
Binary data
Playbooks/Confirm-AADRiskyUser/incident-trigger/images/designerLight.png
Normal file
After: Width: | Height: | Size: 77 KiB
|
@ -10,10 +10,10 @@ After deployment, attach this playbook to an **automation rule** so it runs when
|
|||
|
||||
[Learn more about automation rules](https://docs.microsoft.com/azure/sentinel/automate-incident-handling-with-automation-rules#creating-and-managing-automation-rules)
|
||||
|
||||
<a href="https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FConfirm-AADRiskyUser%2Fazuredeploy_incident.json" target="_blank">
|
||||
<a href="https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FConfirm-AADRiskyUser%2Fincident-trigger%2Fazuredeploy.json" target="_blank">
|
||||
<img src="https://aka.ms/deploytoazurebutton""/>
|
||||
</a>
|
||||
<a href="https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FConfirm-AADRiskyUser%2Fazuredeploy_incident.json" target="_blank">
|
||||
<a href="https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FConfirm-AADRiskyUser%2Fincident-trigger%2Fazuredeploy.json" target="_blank">
|
||||
<img src="https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/deploytoazuregov.png"/>
|
||||
</a>
|
||||
|
||||
|
@ -21,10 +21,10 @@ After deployment, attach this playbook to an **automation rule** so it runs when
|
|||
|
||||
After deployment, you can run this playbook manually on an alert or attach it to an **analytics rule** so it will rune when an alert is created.
|
||||
|
||||
<a href="https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FConfirm-AADRiskyUser%2Fazuredeploy_alert.json" target="_blank">
|
||||
<a href="https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FConfirm-AADRiskyUser%2Falert-trigger%2Fazuredeploy.json" target="_blank">
|
||||
<img src="https://aka.ms/deploytoazurebutton""/>
|
||||
</a>
|
||||
<a href="https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FConfirm-AADRiskyUser%2Fazuredeploy_alert.json" target="_blank">
|
||||
<a href="https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FConfirm-AADRiskyUser%2Falert-trigger%2Fazuredeploy.json" target="_blank">
|
||||
<img src="https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/deploytoazuregov.png"/>
|
||||
</a>
|
||||
|
||||
|
@ -33,8 +33,7 @@ After deployment, you can run this playbook manually on an alert or attach it to
|
|||
- You will need to add the managed identity that is created by the Logic App to the Security Administrator role in Azure AD.
|
||||
|
||||
## Screenshots
|
||||
**Incident Trigger**
|
||||
![Incident Trigger](./images/Confirm-AADRiskyUser_incident.png)
|
||||
|
||||
**Alert Trigger**
|
||||
![Alert Trigger](./images/Confirm-AADRiskyUser_alert.png)
|
||||
**Incident Trigger**<br>
|
||||
![Incident Trigger](./incident-trigger/images/designerLight.png)<br>
|
||||
**Alert Trigger**<br>
|
||||
![Alert Trigger](./alert-trigger/images/Confirm-AADRiskyUser_alert.png)
|
Before: Width: | Height: | Size: 17 KiB  After: Width: | Height: | Size: 17 KiB
|
@ -1,6 +1,20 @@
|
|||
{
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"metadata": {
|
||||
"title": "Create-AzureDevOpsTask",
|
||||
"description": "This playbook will create the Azure DevOps task filled with the Azure Sentinel incident details.",
|
||||
"prerequisites": "",
|
||||
"lastUpdateTime": "2021-05-30T10:00:00.000Z",
|
||||
"entities": [],
|
||||
"tags": ["Sync"],
|
||||
"support": {
|
||||
"kind": "Community"
|
||||
},
|
||||
"author": {
|
||||
"name": "Nicholas DiCola"
|
||||
}
|
||||
},
|
||||
"parameters": {
|
||||
"PlaybookName": {
|
||||
"defaultValue": "Create-AzureDevOpsTask",
|
||||
|
@ -70,7 +84,7 @@
|
|||
},
|
||||
"host": {
|
||||
"connection": {
|
||||
"name": "@parameters('$connections')['azuresentinel_1']['connectionId']"
|
||||
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
|
||||
}
|
||||
},
|
||||
"method": "post",
|
||||
|
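Review bot: same `azuresentinel_1` to `azuresentinel` rename as in Confirm-AADRiskyUser; confirm the workflow's `$connections` parameter block in this template was renamed consistently, since only the action side is visible here.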
@ -87,7 +101,7 @@
|
|||
"inputs": {
|
||||
"body": {
|
||||
"description": "Incident Description: @{triggerBody()?['object']?['properties']?['description']}\nIncident Severity: @{triggerBody()?['object']?['properties']?['severity']}\nIncident URL: @{triggerBody()?['object']?['properties']?['incidentUrl']}\n",
|
||||
"title": "New Azure Sentinel Incident: "
|
||||
"title": "New Azure Sentinel Incident: @{triggerBody()?['object']?['properties']?['title']}"
|
||||
},
|
||||
"host": {
|
||||
"connection": {
|
||||
|
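Review bot: the title now interpolates `triggerBody()?['object']?['properties']?['title']`. Incident titles derive from analytics rule names and can be long, and Azure DevOps work item titles have a length limit, so consider truncating with `substring(...)` or shortening the fixed "New Azure Sentinel Incident: " prefix. The null-safe indexers are used correctly, so an incident without a title still produces a valid request body.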
@ -120,7 +134,7 @@
|
|||
},
|
||||
"host": {
|
||||
"connection": {
|
||||
"name": "@parameters('$connections')['azuresentinel_1']['connectionId']"
|
||||
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
|
||||
}
|
||||
},
|
||||
"path": "/incident-creation"
|
Binary data
Playbooks/Create-AzureDevOpsTask/incident-trigger/images/designerScreenshotDark.png
Normal file
After: Width: | Height: | Size: 10 KiB
Before: Width: | Height: | Size: 29 KiB  After: Width: | Height: | Size: 29 KiB
|
@ -10,10 +10,10 @@ After deployment, attach this playbook to an **automation rule** so it runs when
|
|||
|
||||
[Learn more about automation rules](https://docs.microsoft.com/azure/sentinel/automate-incident-handling-with-automation-rules#creating-and-managing-automation-rules)
|
||||
|
||||
<a href="https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FCreate-AzureDevOpsTask%2Fazuredeploy_incident.json" target="_blank">
|
||||
<a href="https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FCreate-AzureDevOpsTask%2Fincident-trigger%2Fazuredeploy.json" target="_blank">
|
||||
<img src="https://aka.ms/deploytoazurebutton""/>
|
||||
</a>
|
||||
<a href="https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FCreate-AzureDevOpsTask%2Fazuredeploy_incident.json" target="_blank">
|
||||
<a href="https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FCreate-AzureDevOpsTask%2Fincident-trigger%2Fazuredeploy.json" target="_blank">
|
||||
<img src="https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/deploytoazuregov.png"/>
|
||||
</a>
|
||||
|
||||
|
@ -21,10 +21,10 @@ After deployment, attach this playbook to an **automation rule** so it runs when
|
|||
|
||||
After deployment, you can run this playbook manually on an alert or attach it to an **analytics rule** so it will rune when an alert is created.
|
||||
|
||||
<a href="https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FCreate-AzureDevOpsTask%2Fazuredeploy_alert.json" target="_blank">
|
||||
<a href="https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FCreate-AzureDevOpsTask%2Falert-trigger%2Fazuredeploy.json" target="_blank">
|
||||
<img src="https://aka.ms/deploytoazurebutton""/>
|
||||
</a>
|
||||
<a href="https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FCreate-AzureDevOpsTask%2Fazuredeploy_alert.json" target="_blank">
|
||||
<a href="https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FCreate-AzureDevOpsTask%2Falert-trigger%2Fazuredeploy.json" target="_blank">
|
||||
<img src="https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/deploytoazuregov.png"/>
|
||||
</a>
|
||||
|
||||
|
@ -34,8 +34,8 @@ None
|
|||
|
||||
## Screenshots
|
||||
|
||||
**Incident Trigger**
|
||||
![Incident Trigger](./images/Create-AzureDevOpsTask_incident.png)
|
||||
|
||||
**Alert Trigger**
|
||||
![Alert Trigger](./images/Create-AzureDevOpsTask_alert.png)
|
||||
**Incident Trigger**<br>
|
||||
![Incident Trigger](./incident-trigger/images/designerScreenshotLight.png)<br>
|
||||
<br>
|
||||
**Alert Trigger**<br>
|
||||
![Alert Trigger](./alert-trigger/images/Create-AzureDevOpsTask_alert.png)
|
|
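Review bot: the README now references `./incident-trigger/images/designerScreenshotLight.png`, but the file list of this commit shows only `designerScreenshotDark.png` added under `Playbooks/Create-AzureDevOpsTask/incident-trigger/images/`; verify the Light variant is actually committed, otherwise the README image breaks.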
@ -9,10 +9,10 @@ This playbook uses a custom connector in Logic Apps. The template is set to not
|
|||
|
||||
**If you want to deploy just the customer connector:**
|
||||
|
||||
<a href="https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FCreate-IBMResilientIncident%2Fazuredeploy-customconnector.json" target="_blank">
|
||||
<a href="https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FCreate-IBMResilientIncident%2FcustomConnector%2Fazuredeploy-customconnector.json" target="_blank">
|
||||
<img src="https://aka.ms/deploytoazurebutton""/>
|
||||
</a>
|
||||
<a href="https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FCreate-IBMResilientIncident%2Fazuredeploy-customconnector.json" target="_blank">
|
||||
<a href="https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FCreate-IBMResilientIncident%2FcustomConnector%2Fazuredeploy-customconnector.json" target="_blank">
|
||||
<img src="https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/deploytoazuregov.png"/>
|
||||
</a>
|
||||
|
||||
|
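Review bot: the context line "**If you want to deploy just the customer connector:**" should read "custom connector". The hunk moves the connector template to `customConnector/azuredeploy-customconnector.json`; note that the deleted `azuredeploy.json` in this same commit still links to the old `Create-IBMResilientIncident/azuredeploy-customconnector.json` path, so the relocated template needs the same URI update.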
@ -24,10 +24,10 @@ After deployment, attach this playbook to an **automation rule** so it runs when
|
|||
|
||||
[Learn more about automation rules](https://docs.microsoft.com/azure/sentinel/automate-incident-handling-with-automation-rules#creating-and-managing-automation-rules)
|
||||
|
||||
<a href="https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FCreate-IBMResilientIncident%2Fazuredeploy_incident.json" target="_blank">
|
||||
<a href="https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FCreate-IBMResilientIncident%2Fincident-trigger%2Fazuredeploy.json" target="_blank">
|
||||
<img src="https://aka.ms/deploytoazurebutton""/>
|
||||
</a>
|
||||
<a href="https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FCreate-IBMResilientIncident%2Fazuredeploy_incident.json" target="_blank">
|
||||
<a href="https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FCreate-IBMResilientIncident%2Fincident-trigger%2Fazuredeploy.json" target="_blank">
|
||||
<img src="https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/deploytoazuregov.png"/>
|
||||
</a>
|
||||
|
||||
|
@ -35,10 +35,10 @@ After deployment, attach this playbook to an **automation rule** so it runs when
|
|||
|
||||
After deployment, you can run this playbook manually on an alert or attach it to an **analytics rule** so it will rune when an alert is created.
|
||||
|
||||
<a href="https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FCreate-IBMResilientIncident%2Fazuredeploy_alert.json" target="_blank">
|
||||
<a href="https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FCreate-IBMResilientIncident%2Falert-trigger%2Fazuredeploy.json" target="_blank">
|
||||
<img src="https://aka.ms/deploytoazurebutton""/>
|
||||
</a>
|
||||
<a href="https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FCreate-IBMResilientIncident%2Fazuredeploy_alert.json" target="_blank">
|
||||
<a href="https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FCreate-IBMResilientIncident%2Falert-trigger%2Fazuredeploy.json" target="_blank">
|
||||
<img src="https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/deploytoazuregov.png"/>
|
||||
</a>
|
||||
|
||||
|
@ -48,8 +48,8 @@ None
|
|||
|
||||
## Screenshots
|
||||
|
||||
**Incident Trigger**
|
||||
![Incident Trigger](./images/Create-IBMResilientIncident_incident.png)
|
||||
**Incident Trigger**<br>
|
||||
![Incident Trigger](./incident-trigger/images/Create-IBMResilientIncident_incident.png)
|
||||
|
||||
**Alert Trigger**
|
||||
![Alert Trigger](./images/Create-IBMResilientIncident_alert.png)
|
||||
![Alert Trigger](./alert-trigger/images/Create-IBMResilientIncident_alert.png)
|
Before: Width: | Height: | Size: 52 KiB  After: Width: | Height: | Size: 52 KiB
|
@ -1,547 +0,0 @@
|
|||
{
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"metadata": {
|
||||
"comments": "This playbook will create an IBM Resilent Incident and artifacts for the entities in Azure Sentinel",
|
||||
"author": "Nicholas DiCola"
|
||||
},
|
||||
"parameters": {
|
||||
"PlaybookName": {
|
||||
"defaultValue": "Create-IBMResilientIncident",
|
||||
"type": "String"
|
||||
},
|
||||
"customConnectorName": {
|
||||
"defaultValue": "IBMResilient-Incidents",
|
||||
"type": "String"
|
||||
},
|
||||
"IBMResilientServerName": {
|
||||
"type": "string"
|
||||
},
|
||||
"IBMResilientOrgNumber": {
|
||||
"type": "string"
|
||||
}
|
||||
},
|
||||
"variables": {
|
||||
"AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]",
|
||||
"IBMReslientConnectionName": "[concat('ibmresilient-', parameters('PlaybookName'))]"
|
||||
},
|
||||
"resources": [
|
||||
{
|
||||
"type": "Microsoft.Resources/deployments",
|
||||
"apiVersion": "2020-10-01",
|
||||
"name": "linkedTemplate",
|
||||
"properties": {
|
||||
"mode": "Incremental",
|
||||
"templateLink": {
|
||||
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Playbooks/Create-IBMResilientIncident/azuredeploy-customconnector.json",
|
||||
"contentVersion": "1.0.0.0"
|
||||
},
|
||||
"parameters": {
|
||||
"customConnectorName": {
|
||||
"value": "[parameters('customConnectorName')]"
|
||||
},
|
||||
"IBMResilientServerName": {
|
||||
"value": "[parameters('IBMResilientServerName')]"
|
||||
},
|
||||
"IBMResilientOrgNumber": {
|
||||
"value": "[parameters('IBMResilientOrgNumber')]"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Web/connections",
|
||||
"apiVersion": "2016-06-01",
|
||||
"name": "[variables('IBMReslientConnectionName')]",
|
||||
"location": "[resourceGroup().location]",
|
||||
"dependsOn": [
|
||||
"[resourceId('Microsoft.Resources/deployments', 'linkedTemplate')]"
|
||||
],
|
||||
"properties": {
|
||||
"displayName": "IBM_Resilient",
|
||||
"customParameterValues": {},
|
||||
"api": {
|
||||
"id": "[concat('/subscriptions/', subscription().id, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/customApis/Resilient-Incidents')]"
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Web/connections",
|
||||
"apiVersion": "2016-06-01",
|
||||
"name": "[variables('AzureSentinelConnectionName')]",
|
||||
"location": "[resourceGroup().location]",
|
||||
"kind": "V1",
|
||||
"properties": {
|
||||
"displayName": "[parameters('PlaybookName')]",
|
||||
"customParameterValues": {},
|
||||
"parameterValueType": "Alternative",
|
||||
"api": {
|
||||
"id": "[concat('/subscriptions/', subscription().id, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Logic/workflows",
|
||||
"apiVersion": "2017-07-01",
|
||||
"name": "[parameters('PlaybookName')]",
|
||||
"location": "[resourceGroup().location]",
|
||||
"tags": {
|
||||
"LogicAppsCategory": "security"
|
||||
},
|
||||
"identity": {
|
||||
"type": "SystemAssigned"
|
||||
},
|
||||
"dependsOn": [
|
||||
"[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
|
||||
"[resourceId('Microsoft.Web/connections', variables('IBMReslientConnectionName'))]",
|
||||
"[resourceId('Microsoft.Resources/deployments', 'linkedTemplate')]"
|
||||
],
|
||||
"properties": {
|
||||
"state": "Enabled",
|
||||
"definition": {
|
||||
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
|
||||
"actions": {
|
||||
"Entities_-_Get_Accounts": {
|
||||
"inputs": {
|
||||
"body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
|
||||
"host": {
|
||||
"connection": {
|
||||
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
|
||||
}
|
||||
},
|
||||
"method": "post",
|
||||
"path": "/entities/account"
|
||||
},
|
||||
"runAfter": {
|
||||
"GetTimeInEpoch": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "ApiConnection"
|
||||
},
|
||||
"Entities_-_Get_Hosts": {
|
||||
"inputs": {
|
||||
"body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
|
||||
"host": {
|
||||
"connection": {
|
||||
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
|
||||
}
|
||||
},
|
||||
"method": "post",
|
||||
"path": "/entities/host"
|
||||
},
|
||||
"runAfter": {
|
||||
"Entities_-_Get_Accounts": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "ApiConnection"
|
||||
},
|
||||
"Entities_-_Get_IPs": {
|
||||
"inputs": {
|
||||
"body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
|
||||
"host": {
|
||||
"connection": {
|
||||
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
|
||||
}
|
||||
},
|
||||
"method": "post",
|
||||
"path": "/entities/ip"
|
||||
},
|
||||
"runAfter": {
|
||||
"Entities_-_Get_Hosts": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "ApiConnection"
|
||||
},
|
||||
"For_each": {
|
||||
"actions": {
|
||||
"Switch_2": {
|
||||
"cases": {
|
||||
"Case": {
|
||||
"actions": {
|
||||
"create_IncidentArtifact": {
|
||||
"inputs": {
|
||||
"body": {
|
||||
"description": {
|
||||
"content": "From Azure Sentinel",
|
||||
"format": "text"
|
||||
},
|
||||
"ip": {
|
||||
"destination": false,
|
||||
"source": false
|
||||
},
|
||||
"type": {
|
||||
"name": "IP Address"
|
||||
},
|
||||
"value": "@items('For_each')?['Address']"
|
||||
},
|
||||
"host": {
|
||||
"connection": {
|
||||
"name": "@parameters('$connections')['Resilient-Incidents']['connectionId']"
|
||||
}
|
||||
},
|
||||
"method": "post",
|
||||
"path": "/incidents/@{encodeURIComponent(body('create_incident')?['id'])}/artifacts"
|
||||
},
|
||||
"runAfter": {},
|
||||
"type": "ApiConnection"
|
||||
}
|
||||
},
|
||||
"case": "ip"
|
||||
},
|
||||
"Case_2": {
|
||||
"actions": {
|
||||
"create_IncidentArtifact_2": {
|
||||
"inputs": {
|
||||
"body": {
|
||||
"description": {
|
||||
"content": "From Azure Sentinel - AAD GUID: @{items('For_each')?['AadUserId']}",
|
||||
"format": "text"
|
||||
},
|
||||
"ip": {
|
||||
"destination": false,
|
||||
"source": false
|
||||
},
|
||||
"type": {
|
||||
"name": "User Account"
|
||||
},
|
||||
"value": "@{concat(items('For_each')?['Name'], '@', items('For_each')?['UPNSuffix'])}"
|
||||
},
|
||||
"host": {
|
||||
"connection": {
|
||||
"name": "@parameters('$connections')['Resilient-Incidents']['connectionId']"
|
||||
}
|
||||
},
|
||||
"method": "post",
|
||||
"path": "/incidents/@{encodeURIComponent(body('create_incident')?['id'])}/artifacts"
|
||||
},
|
||||
"runAfter": {},
|
||||
"type": "ApiConnection"
|
||||
}
|
||||
},
|
||||
"case": "account"
|
||||
},
|
||||
"Case_3": {
|
||||
"actions": {
|
||||
"create_IncidentArtifact_3": {
|
||||
"inputs": {
|
||||
"body": {
|
||||
"description": {
|
||||
"content": "From Azure Sentinel - AzureID: @{items('For_each')?['AzureID']}",
|
||||
"format": "text"
|
||||
},
|
||||
"ip": {
|
||||
"destination": false,
|
||||
"source": false
|
||||
},
|
||||
"type": {
|
||||
"name": "System Name"
|
||||
},
|
||||
"value": "@items('For_each')?['HostName']"
|
||||
},
|
||||
"host": {
|
||||
"connection": {
|
||||
"name": "@parameters('$connections')['Resilient-Incidents']['connectionId']"
|
||||
}
|
||||
},
|
||||
"method": "post",
|
||||
"path": "/incidents/@{encodeURIComponent(body('create_incident')?['id'])}/artifacts"
|
||||
},
|
||||
"runAfter": {},
|
||||
"type": "ApiConnection"
|
||||
}
|
||||
},
|
||||
"case": "host"
|
||||
},
|
||||
"Case_4": {
|
||||
"actions": {
|
||||
"create_IncidentArtifact_4": {
|
||||
"inputs": {
|
||||
"body": {
|
||||
"description": {
|
||||
"content": "From Azure Sentinel",
|
||||
"format": "text"
|
||||
},
|
||||
"ip": {
|
||||
"destination": false,
|
||||
"source": false
|
||||
},
|
||||
"type": {
|
||||
"name": "URL"
|
||||
},
|
||||
"value": "@items('For_each')?['Url']"
|
||||
},
|
||||
"host": {
|
||||
"connection": {
|
||||
"name": "@parameters('$connections')['Resilient-Incidents']['connectionId']"
|
||||
}
|
||||
},
|
||||
"method": "post",
|
||||
"path": "/incidents/@{encodeURIComponent(body('create_incident')?['id'])}/artifacts"
|
||||
},
|
||||
"runAfter": {},
|
||||
"type": "ApiConnection"
|
||||
}
|
||||
},
|
||||
"case": "url"
|
||||
}
|
||||
},
|
||||
"default": {
|
||||
"actions": {}
|
||||
},
|
||||
"expression": "@items('For_each')['Type']",
|
||||
"runAfter": {},
|
||||
"type": "Switch"
|
||||
}
|
||||
},
|
||||
"foreach": "@body('Parse_JSON')",
|
||||
"runAfter": {
|
||||
"Parse_JSON": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "Foreach"
|
||||
},
|
||||
"GetIncidentTimeInEpoch": {
|
||||
"inputs": "@div(sub(ticks(triggerBody()?['object']?['properties']?['createdTimeUtc']), ticks('1970-01-01T00:00:00Z')), 10000)",
|
||||
"runAfter": {
|
||||
"Entities_-_Get_IPs": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "Compose"
|
||||
},
|
||||
"GetTimeInEpoch": {
|
||||
"inputs": "@div(sub(ticks(utcNow()), ticks('1970-01-01T00:00:00Z')), 10000)",
|
||||
"runAfter": {
|
||||
"Initialize_variable": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "Compose"
|
||||
},
|
||||
"Initialize_variable": {
|
||||
"inputs": {
|
||||
"variables": [
|
||||
{
|
||||
"name": "ReslientVariable",
|
||||
"type": "string",
|
||||
"value": "null"
|
||||
}
|
||||
]
|
||||
},
|
||||
"runAfter": {},
|
||||
"type": "InitializeVariable"
|
||||
},
|
||||
"Parse_JSON": {
|
||||
"inputs": {
|
||||
"content": "@triggerBody()?['object']?['properties']?['relatedEntities']",
|
||||
"schema": {
|
||||
"items": {
|
||||
"properties": {
|
||||
"$id": {
|
||||
"type": "string"
|
||||
},
|
||||
"AadUserId": {
|
||||
"type": "string"
|
||||
},
|
||||
"Address": {
|
||||
"type": "string"
|
||||
},
|
||||
"AppId": {
|
||||
"type": "integer"
|
||||
},
|
||||
"AzureID": {
|
||||
"type": "string"
|
||||
},
|
||||
"HostName": {
|
||||
"type": "string"
|
||||
},
|
||||
"InstanceName": {
|
||||
"type": "string"
|
||||
},
|
||||
"Name": {
|
||||
"type": "string"
|
||||
},
|
||||
"OMSAgentID": {
|
||||
"type": "string"
|
||||
},
|
||||
"Type": {
|
||||
"type": "string"
|
||||
},
|
||||
"UPNSuffix": {
|
||||
"type": "string"
|
||||
},
|
||||
"Url": {
|
||||
"type": "string"
|
||||
}
|
||||
},
|
||||
"required": [
|
||||
"$id",
|
||||
"Type"
|
||||
],
|
||||
"type": "object"
|
||||
},
|
||||
"type": "array"
|
||||
}
|
||||
},
|
||||
"runAfter": {
|
||||
"create_incident": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "ParseJson"
|
||||
},
|
||||
"Switch": {
|
||||
"cases": {
|
||||
"Case": {
|
||||
"actions": {
|
||||
"Set_variable_2": {
|
||||
"inputs": {
|
||||
"name": "ReslientVariable",
|
||||
"value": "High"
|
||||
},
|
||||
"runAfter": {},
|
||||
"type": "SetVariable"
|
||||
}
|
||||
},
|
||||
"case": "High"
|
||||
},
|
||||
"Case_2": {
|
||||
"actions": {
|
||||
"Set_variable_3": {
|
||||
"inputs": {
|
||||
"name": "ReslientVariable",
|
||||
"value": "Medium"
|
||||
},
|
||||
"runAfter": {},
|
||||
"type": "SetVariable"
|
||||
}
|
||||
},
|
||||
"case": "Medium"
|
||||
},
|
||||
"Case_3": {
|
||||
"actions": {
|
||||
"Set_variable_4": {
|
||||
"inputs": {
|
||||
"name": "ReslientVariable",
|
||||
"value": "Low"
|
||||
},
|
||||
"runAfter": {},
|
||||
"type": "SetVariable"
|
||||
}
|
||||
},
|
||||
"case": "Low"
|
||||
},
|
||||
"Case_4": {
|
||||
"actions": {
|
||||
"Set_variable_5": {
|
||||
"inputs": {
|
||||
"name": "ReslientVariable",
|
||||
"value": "No Risk"
|
||||
},
|
||||
"runAfter": {},
|
||||
"type": "SetVariable"
|
||||
}
|
||||
},
|
||||
"case": "Informational"
|
||||
}
|
||||
},
|
||||
"default": {
|
||||
"actions": {
|
||||
"Set_variable": {
|
||||
"inputs": {
|
||||
"name": "ReslientVariable",
|
||||
"value": "Informational"
|
||||
},
|
||||
"runAfter": {},
|
||||
"type": "SetVariable"
|
||||
}
|
||||
}
|
||||
},
|
||||
"expression": "@triggerBody()?['object']?['properties']?['severity']",
|
||||
"runAfter": {
|
||||
"GetIncidentTimeInEpoch": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "Switch"
|
||||
},
|
||||
"create_incident": {
|
||||
"inputs": {
|
||||
"body": {
|
||||
"description": "@triggerBody()?['object']?['properties']?['description']",
|
||||
"discovered_date": "@outputs('GetIncidentTimeInEpoch')",
|
||||
"name": "AS: @{triggerBody()?['object']?['properties']?['incidentNumber']}- @{triggerBody()?['object']?['properties']?['title']}",
|
||||
"severity_code": {
|
||||
"name": "@variables('ReslientVariable')"
|
||||
}
|
||||
},
|
||||
"host": {
|
||||
"connection": {
|
||||
"name": "@parameters('$connections')['Resilient-Incidents']['connectionId']"
|
||||
}
|
||||
},
|
||||
"method": "post",
|
||||
"path": "/incidents"
|
||||
},
|
||||
"runAfter": {
|
||||
"Switch": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "ApiConnection"
|
||||
}
|
||||
},
|
||||
"contentVersion": "1.0.0.0",
|
||||
"outputs": {},
|
||||
"parameters": {
|
||||
"$connections": {
|
||||
"defaultValue": {},
|
||||
"type": "Object"
|
||||
}
|
||||
},
|
||||
"triggers": {
|
||||
"When_Azure_Sentinel_incident_creation_rule_was_triggered": {
|
||||
"inputs": {
|
||||
"body": {
|
||||
"callback_url": "@{listCallbackUrl()}"
|
||||
},
|
||||
"host": {
|
||||
"connection": {
|
||||
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
|
||||
}
|
||||
},
|
||||
"path": "/incident-creation"
|
||||
},
|
||||
"type": "ApiConnectionWebhook"
|
||||
}
|
||||
}
|
||||
},
|
||||
"parameters": {
|
||||
"$connections": {
|
||||
"value": {
|
||||
"azuresentinel": {
|
||||
"connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
|
||||
"connectionName": "[variables('AzureSentinelConnectionName')]",
|
||||
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]",
|
||||
"connectionProperties": {
|
||||
"authentication": {
|
||||
"type": "ManagedServiceIdentity"
|
||||
}
|
||||
}
|
||||
},
|
||||
"Resilient-Incidents": {
|
||||
"connectionId": "[resourceId('Microsoft.Web/connections', variables('IBMReslientConnectionName'))]",
|
||||
"connectionName": "[variables('IBMReslientConnectionName')]",
|
||||
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/connections/', variables('IBMReslientConnectionName'))]"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
|
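Review bot: the severity Switch removed here (case "Informational" sets ReslientVariable to "No Risk", while the default branch sets it to "Informational") is carried over unchanged into the new azuredeploy.json, so an incident whose severity matches none of High/Medium/Low/Informational gets a different Resilient severity name than an Informational one does. Confirm that both "No Risk" and "Informational" exist in the target server's severity_code list and that the default branch is meant to differ from the Informational case; while the file is being moved anyway, this is also the cheapest moment to fix the misspelled `ReslientVariable` and `IBMReslientConnectionName`.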
@ -6,10 +6,6 @@
|
|||
"author": "Nicholas DiCola"
|
||||
},
|
||||
"parameters": {
|
||||
"customConnectorName": {
|
||||
"defaultValue": "Resilient-Incidents",
|
||||
"type": "String"
|
||||
},
|
||||
"IBMResilientServerName": {
|
||||
"type": "string"
|
||||
},
|
||||
|
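Review bot: dropping the `customConnectorName` parameter hard-codes the custom API name to `Resilient-Incidents`, so two playbooks deployed into the same resource group (for example with different PlaybookName values) will both target the same `Microsoft.Web/customApis` resource instead of each getting their own. If that sharing is intended, say so in the metadata `prerequisites`; otherwise keep the parameter with `"defaultValue": "Resilient-Incidents"` and pass it from the linked deployment. The `"author": "Nicholas DiCola"` context line also shows this file still uses the flat author string, while the rest of this commit moves to the `"author": { "name": ... }` object the gallery reads.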
@ -23,7 +19,7 @@
|
|||
{
|
||||
"type": "Microsoft.Web/customApis",
|
||||
"apiVersion": "2016-06-01",
|
||||
"name": "[parameters('customConnectorName')]",
|
||||
"name": "Resilient-Incidents",
|
||||
"location": "[resourceGroup().location]",
|
||||
"properties": {
|
||||
"backendService": {
|
||||
|
@ -306,7 +302,7 @@
|
|||
"tags": [
|
||||
]
|
||||
},
|
||||
"displayName": "[parameters('customConnectorName')]",
|
||||
"displayName": "Resilient-Incidents",
|
||||
"iconUri": "/Content/retail/assets/default-connection-icon.e6bb72160664a5e37b9923c3d9f50ca5.2.svg"
|
||||
}
|
||||
}
|
|
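Review bot: `iconUri` is a portal-relative path (`/Content/retail/assets/default-connection-icon...svg`) rather than an absolute URL; it is unchanged context, but since the displayName is now hard-coded alongside it, verify that the icon resolves when the connector is created from a template rather than from the portal, or point it at a hosted image.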
@ -0,0 +1,550 @@
|
|||
{
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"metadata": {
|
||||
"title": "Create-IBMResilientIncident",
|
||||
"description": "This playbook will create an IBM Resilient incident from an Azure Sentinel incident. It will also add the Azure Sentinel Incident Entities as IBM Resilient Incident Artifacts.",
|
||||
"prerequisites": "This playbook uses a custom connector in Logic Apps (deployed as part of this template). The template is set to not need a gateway, but if IBM Resilient is on-prem you can deploy a Logic Apps gateway and set the connector to use that gateway. You will need to update the connector and delete/re-add the API connection.",
|
||||
"lastUpdateTime": "2021-05-30T10:00:00.000Z",
|
||||
"entities": [],
|
||||
"tags": ["Sync"],
|
||||
"support": {
|
||||
"kind": "Community"
|
||||
},
|
||||
"author": {
|
||||
"name": "Nicholas DiCola"
|
||||
}
|
||||
},
|
||||
"parameters": {
|
||||
"PlaybookName": {
|
||||
"defaultValue": "Create-IBMResilientIncident",
|
||||
"type": "string"
|
||||
},
|
||||
"IBMResilientServerName": {
|
||||
"type": "string"
|
||||
},
|
||||
"IBMResilientOrgNumber": {
|
||||
"type": "string"
|
||||
}
|
||||
},
|
||||
"variables": {
|
||||
"AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]",
|
||||
"IBMReslientConnectionName": "[concat('ibmresilient-', parameters('PlaybookName'))]"
|
||||
},
|
||||
"resources": [
|
||||
{
|
||||
"type": "Microsoft.Resources/deployments",
|
||||
"apiVersion": "2020-10-01",
|
||||
"name": "linkedTemplate",
|
||||
"properties": {
|
||||
"mode": "Incremental",
|
||||
"templateLink": {
|
||||
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Playbooks/Create-IBMResilientIncident/customConnector/azuredeploy-customconnector.json",
|
||||
"contentVersion": "1.0.0.0"
|
||||
},
|
||||
"parameters": {
|
||||
"IBMResilientServerName": {
|
||||
"value": "[parameters('IBMResilientServerName')]"
|
||||
},
|
||||
"IBMResilientOrgNumber": {
|
||||
"value": "[parameters('IBMResilientOrgNumber')]"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Web/connections",
|
||||
"apiVersion": "2016-06-01",
|
||||
"name": "[variables('IBMReslientConnectionName')]",
|
||||
"location": "[resourceGroup().location]",
|
||||
"dependsOn": [
|
||||
"[resourceId('Microsoft.Resources/deployments', 'linkedTemplate')]"
|
||||
],
|
||||
"properties": {
|
||||
"displayName": "IBM_Resilient",
|
||||
"customParameterValues": {},
|
||||
"api": {
|
||||
"id": "[concat('/subscriptions/', subscription().id, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/customApis/Resilient-Incidents')]"
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Web/connections",
|
||||
"apiVersion": "2016-06-01",
|
||||
"name": "[variables('AzureSentinelConnectionName')]",
|
||||
"location": "[resourceGroup().location]",
|
||||
"kind": "V1",
|
||||
"properties": {
|
||||
"displayName": "[parameters('PlaybookName')]",
|
||||
"customParameterValues": {},
|
||||
"parameterValueType": "Alternative",
|
||||
"api": {
|
||||
"id": "[concat('/subscriptions/', subscription().id, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Logic/workflows",
|
||||
"apiVersion": "2017-07-01",
|
||||
"name": "[parameters('PlaybookName')]",
|
||||
"location": "[resourceGroup().location]",
|
||||
"tags": {
|
||||
"LogicAppsCategory": "security"
|
||||
},
|
||||
"identity": {
|
||||
"type": "SystemAssigned"
|
||||
},
|
||||
"dependsOn": [
|
||||
"[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
|
||||
"[resourceId('Microsoft.Web/connections', variables('IBMReslientConnectionName'))]",
|
||||
"[resourceId('Microsoft.Resources/deployments', 'linkedTemplate')]"
|
||||
],
|
||||
"properties": {
|
||||
"state": "Enabled",
|
||||
"definition": {
|
||||
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
|
||||
"actions": {
|
||||
"Entities_-_Get_Accounts": {
|
||||
"inputs": {
|
||||
"body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
|
||||
"host": {
|
||||
"connection": {
|
||||
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
|
||||
}
|
||||
},
|
||||
"method": "post",
|
||||
"path": "/entities/account"
|
||||
},
|
||||
"runAfter": {
|
||||
"GetTimeInEpoch": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "ApiConnection"
|
||||
},
|
||||
"Entities_-_Get_Hosts": {
|
||||
"inputs": {
|
||||
"body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
|
||||
"host": {
|
||||
"connection": {
|
||||
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
|
||||
}
|
||||
},
|
||||
"method": "post",
|
||||
"path": "/entities/host"
|
||||
},
|
||||
"runAfter": {
|
||||
"Entities_-_Get_Accounts": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "ApiConnection"
|
||||
},
|
||||
"Entities_-_Get_IPs": {
|
||||
"inputs": {
|
||||
"body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
|
||||
"host": {
|
||||
"connection": {
|
||||
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
|
||||
}
|
||||
},
|
||||
"method": "post",
|
||||
"path": "/entities/ip"
|
||||
},
|
||||
"runAfter": {
|
||||
"Entities_-_Get_Hosts": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "ApiConnection"
|
||||
},
|
||||
"For_each": {
|
||||
"actions": {
|
||||
"Switch_2": {
|
||||
"cases": {
|
||||
"Case": {
|
||||
"actions": {
|
||||
"create_IncidentArtifact": {
|
||||
"inputs": {
|
||||
"body": {
|
||||
"description": {
|
||||
"content": "From Azure Sentinel",
|
||||
"format": "text"
|
||||
},
|
||||
"ip": {
|
||||
"destination": false,
|
||||
"source": false
|
||||
},
|
||||
"type": {
|
||||
"name": "IP Address"
|
||||
},
|
||||
"value": "@items('For_each')?['Address']"
|
||||
},
|
||||
"host": {
|
||||
"connection": {
|
||||
"name": "@parameters('$connections')['Resilient-Incidents']['connectionId']"
|
||||
}
|
||||
},
|
||||
"method": "post",
|
||||
"path": "/incidents/@{encodeURIComponent(body('create_incident')?['id'])}/artifacts"
|
||||
},
|
||||
"runAfter": {},
|
||||
"type": "ApiConnection"
|
||||
}
|
||||
},
|
||||
"case": "ip"
|
||||
},
|
||||
"Case_2": {
|
||||
"actions": {
|
||||
"create_IncidentArtifact_2": {
|
||||
"inputs": {
|
||||
"body": {
|
||||
"description": {
|
||||
"content": "From Azure Sentinel - AAD GUID: @{items('For_each')?['AadUserId']}",
|
||||
"format": "text"
|
||||
},
|
||||
"ip": {
|
||||
"destination": false,
|
||||
"source": false
|
||||
},
|
||||
"type": {
|
||||
"name": "User Account"
|
||||
},
|
||||
"value": "@{concat(items('For_each')?['Name'], '@', items('For_each')?['UPNSuffix'])}"
|
||||
},
|
||||
"host": {
|
||||
"connection": {
|
||||
"name": "@parameters('$connections')['Resilient-Incidents']['connectionId']"
|
||||
}
|
||||
},
|
||||
"method": "post",
|
||||
"path": "/incidents/@{encodeURIComponent(body('create_incident')?['id'])}/artifacts"
|
||||
},
|
||||
"runAfter": {},
|
||||
"type": "ApiConnection"
|
||||
}
|
||||
},
|
||||
"case": "account"
|
||||
},
|
||||
"Case_3": {
|
||||
"actions": {
|
||||
"create_IncidentArtifact_3": {
|
||||
"inputs": {
|
||||
"body": {
|
||||
"description": {
|
||||
"content": "From Azure Sentinel - AzureID: @{items('For_each')?['AzureID']}",
|
||||
"format": "text"
|
||||
},
|
||||
"ip": {
|
||||
"destination": false,
|
||||
"source": false
|
||||
},
|
||||
"type": {
|
||||
"name": "System Name"
|
||||
},
|
||||
"value": "@items('For_each')?['HostName']"
|
||||
},
|
||||
"host": {
|
||||
"connection": {
|
||||
"name": "@parameters('$connections')['Resilient-Incidents']['connectionId']"
|
||||
}
|
||||
},
|
||||
"method": "post",
|
||||
"path": "/incidents/@{encodeURIComponent(body('create_incident')?['id'])}/artifacts"
|
||||
},
|
||||
"runAfter": {},
|
||||
"type": "ApiConnection"
|
||||
}
|
||||
},
|
||||
"case": "host"
|
||||
},
|
||||
"Case_4": {
|
||||
"actions": {
|
||||
"create_IncidentArtifact_4": {
|
||||
"inputs": {
|
||||
"body": {
|
||||
"description": {
|
||||
"content": "From Azure Sentinel",
|
||||
"format": "text"
|
||||
},
|
||||
"ip": {
|
||||
"destination": false,
|
||||
"source": false
|
||||
},
|
||||
"type": {
|
||||
"name": "URL"
|
||||
},
|
||||
"value": "@items('For_each')?['Url']"
|
||||
},
|
||||
"host": {
|
||||
"connection": {
|
||||
"name": "@parameters('$connections')['Resilient-Incidents']['connectionId']"
|
||||
}
|
||||
},
|
||||
"method": "post",
|
||||
"path": "/incidents/@{encodeURIComponent(body('create_incident')?['id'])}/artifacts"
|
||||
},
|
||||
"runAfter": {},
|
||||
"type": "ApiConnection"
|
||||
}
|
||||
},
|
||||
"case": "url"
|
||||
}
|
||||
},
|
||||
"default": {
|
||||
"actions": {}
|
||||
},
|
||||
"expression": "@items('For_each')['Type']",
|
||||
"runAfter": {},
|
||||
"type": "Switch"
|
||||
}
|
||||
},
|
||||
"foreach": "@body('Parse_JSON')",
|
||||
"runAfter": {
|
||||
"Parse_JSON": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "Foreach"
|
||||
},
|
||||
"GetIncidentTimeInEpoch": {
|
||||
"inputs": "@div(sub(ticks(triggerBody()?['object']?['properties']?['createdTimeUtc']), ticks('1970-01-01T00:00:00Z')), 10000)",
|
||||
"runAfter": {
|
||||
"Entities_-_Get_IPs": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "Compose"
|
||||
},
|
||||
"GetTimeInEpoch": {
|
||||
"inputs": "@div(sub(ticks(utcNow()), ticks('1970-01-01T00:00:00Z')), 10000)",
|
||||
"runAfter": {
|
||||
"Initialize_variable": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "Compose"
|
||||
},
|
||||
"Initialize_variable": {
|
||||
"inputs": {
|
||||
"variables": [
|
||||
{
|
||||
"name": "ReslientVariable",
|
||||
"type": "string",
|
||||
"value": "null"
|
||||
}
|
||||
]
|
||||
},
|
||||
"runAfter": {},
|
||||
"type": "InitializeVariable"
|
||||
},
|
||||
"Parse_JSON": {
|
||||
"inputs": {
|
||||
"content": "@triggerBody()?['object']?['properties']?['relatedEntities']",
|
||||
"schema": {
|
||||
"items": {
|
||||
"properties": {
|
||||
"$id": {
|
||||
"type": "string"
|
||||
},
|
||||
"AadUserId": {
|
||||
"type": "string"
|
||||
},
|
||||
"Address": {
|
||||
"type": "string"
|
||||
},
|
||||
"AppId": {
|
||||
"type": "integer"
|
||||
},
|
||||
"AzureID": {
|
||||
"type": "string"
|
||||
},
|
||||
"HostName": {
|
||||
"type": "string"
|
||||
},
|
||||
"InstanceName": {
|
||||
"type": "string"
|
||||
},
|
||||
"Name": {
|
||||
"type": "string"
|
||||
},
|
||||
"OMSAgentID": {
|
||||
"type": "string"
|
||||
},
|
||||
"Type": {
|
||||
"type": "string"
|
||||
},
|
||||
"UPNSuffix": {
|
||||
"type": "string"
|
||||
},
|
||||
"Url": {
|
||||
"type": "string"
|
||||
}
|
||||
},
|
||||
"required": [
|
||||
"$id",
|
||||
"Type"
|
||||
],
|
||||
"type": "object"
|
||||
},
|
||||
"type": "array"
|
||||
}
|
||||
},
|
||||
"runAfter": {
|
||||
"create_incident": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "ParseJson"
|
||||
},
|
||||
"Switch": {
|
||||
"cases": {
|
||||
"Case": {
|
||||
"actions": {
|
||||
"Set_variable_2": {
|
||||
"inputs": {
|
||||
"name": "ReslientVariable",
|
||||
"value": "High"
|
||||
},
|
||||
"runAfter": {},
|
||||
"type": "SetVariable"
|
||||
}
|
||||
},
|
||||
"case": "High"
|
||||
},
|
||||
"Case_2": {
|
||||
"actions": {
|
||||
"Set_variable_3": {
|
||||
"inputs": {
|
||||
"name": "ReslientVariable",
|
||||
"value": "Medium"
|
||||
},
|
||||
"runAfter": {},
|
||||
"type": "SetVariable"
|
||||
}
|
||||
},
|
||||
"case": "Medium"
|
||||
},
|
||||
"Case_3": {
|
||||
"actions": {
|
||||
"Set_variable_4": {
|
||||
"inputs": {
|
||||
"name": "ReslientVariable",
|
||||
"value": "Low"
|
||||
},
|
||||
"runAfter": {},
|
||||
"type": "SetVariable"
|
||||
}
|
||||
},
|
||||
"case": "Low"
|
||||
},
|
||||
"Case_4": {
|
||||
"actions": {
|
||||
"Set_variable_5": {
|
||||
"inputs": {
|
||||
"name": "ReslientVariable",
|
||||
"value": "No Risk"
|
||||
},
|
||||
"runAfter": {},
|
||||
"type": "SetVariable"
|
||||
}
|
||||
},
|
||||
"case": "Informational"
|
||||
}
|
||||
},
|
||||
"default": {
|
||||
"actions": {
|
||||
"Set_variable": {
|
||||
"inputs": {
|
||||
"name": "ReslientVariable",
|
||||
"value": "Informational"
|
||||
},
|
||||
"runAfter": {},
|
||||
"type": "SetVariable"
|
||||
}
|
||||
}
|
||||
},
|
||||
"expression": "@triggerBody()?['object']?['properties']?['severity']",
|
||||
"runAfter": {
|
||||
"GetIncidentTimeInEpoch": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "Switch"
|
||||
},
|
||||
"create_incident": {
|
||||
"inputs": {
|
||||
"body": {
|
||||
"description": "@triggerBody()?['object']?['properties']?['description']",
|
||||
"discovered_date": "@outputs('GetIncidentTimeInEpoch')",
|
||||
"name": "AS: @{triggerBody()?['object']?['properties']?['incidentNumber']}- @{triggerBody()?['object']?['properties']?['title']}",
|
||||
"severity_code": {
|
||||
"name": "@variables('ReslientVariable')"
|
||||
}
|
||||
},
|
||||
"host": {
|
||||
"connection": {
|
||||
"name": "@parameters('$connections')['Resilient-Incidents']['connectionId']"
|
||||
}
|
||||
},
|
||||
"method": "post",
|
||||
"path": "/incidents"
|
||||
},
|
||||
"runAfter": {
|
||||
"Switch": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "ApiConnection"
|
||||
}
|
||||
},
|
||||
"contentVersion": "1.0.0.0",
|
||||
"outputs": {},
|
||||
"parameters": {
|
||||
"$connections": {
|
||||
"defaultValue": {},
|
||||
"type": "Object"
|
||||
}
|
||||
},
|
||||
"triggers": {
|
||||
"When_Azure_Sentinel_incident_creation_rule_was_triggered": {
|
||||
"inputs": {
|
||||
"body": {
|
||||
"callback_url": "@{listCallbackUrl()}"
|
||||
},
|
||||
"host": {
|
||||
"connection": {
|
||||
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
|
||||
}
|
||||
},
|
||||
"path": "/incident-creation"
|
||||
},
|
||||
"type": "ApiConnectionWebhook"
|
||||
}
|
||||
}
|
||||
},
|
||||
"parameters": {
|
||||
"$connections": {
|
||||
"value": {
|
||||
"azuresentinel": {
|
||||
"connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
|
||||
"connectionName": "[variables('AzureSentinelConnectionName')]",
|
||||
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]",
|
||||
"connectionProperties": {
|
||||
"authentication": {
|
||||
"type": "ManagedServiceIdentity"
|
||||
}
|
||||
}
|
||||
},
|
||||
"Resilient-Incidents": {
|
||||
"connectionId": "[resourceId('Microsoft.Web/connections', variables('IBMReslientConnectionName'))]",
|
||||
"connectionName": "[variables('IBMReslientConnectionName')]",
|
||||
"id": "[concat('/subscriptions/', subscription().id, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/customApis/Resilient-Incidents')]"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
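Review bot: the three `id` values built as `concat('/subscriptions/', subscription().id, ...)` (the IBM_Resilient connection's `api.id`, the azuresentinel connection's `api.id`, and the `Resilient-Incidents` entry under `$connections`) double the prefix: `subscription().id` already returns `/subscriptions/<subscriptionId>`, so the result is `/subscriptions//subscriptions/<id>/providers/...`. The azuresentinel entry under `$connections` in this same file uses `subscription().subscriptionId`, which is the correct form; use it in the other three places. Separately, `Entities_-_Get_Accounts`, `Entities_-_Get_Hosts` and `Entities_-_Get_IPs` run in sequence but nothing references their outputs (`Parse_JSON` reads `relatedEntities` from the trigger directly), so they add three API calls and latency for no effect and can be removed.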
|
@ -2,8 +2,18 @@
|
|||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"metadata": {
|
||||
"comments": "This playbook will dismiss the Risky User property in AAD using Graph API using a Beta API.",
|
||||
"author": "Nicholas DiCola"
|
||||
"title": "Dismiss-AADRiskyUser",
|
||||
"description": "This playbook will dismiss the Risky User property in AAD using Graph API.",
|
||||
"prerequisites": "",
|
||||
"lastUpdateTime": "2021-05-30T10:00:00.000Z",
|
||||
"entities": ["Account"],
|
||||
"tags": ["Remediation"],
|
||||
"support": {
|
||||
"kind": "Community"
|
||||
},
|
||||
"author": {
|
||||
"name": "Nicholas DiCola"
|
||||
}
|
||||
},
|
||||
"parameters": {
|
||||
"PlaybookName": {
|
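Review bot: `prerequisites` is set to an empty string, but the README in this same commit states that the Logic App's managed identity must be added to the Security Administrator role in Azure AD; that belongs here so the gallery surfaces it before deployment. The old `comments` line also noted that the Graph call uses a Beta API, which the new `description` drops; keep that caveat if it still applies.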
Binary data
Playbooks/Dismiss-AADRiskyUser/incident-trigger/images/designerScreenshotDark.png
Normal file
Size after: 116 KiB
Binary data
Playbooks/Dismiss-AADRiskyUser/incident-trigger/images/designerScreenshotLight.png
Normal file
Size after: 74 KiB
|
@ -11,21 +11,21 @@ After deployment, attach this playbook to an **automation rule** so it runs when
|
|||
|
||||
[Learn more about automation rules](https://docs.microsoft.com/azure/sentinel/automate-incident-handling-with-automation-rules#creating-and-managing-automation-rules)
|
||||
|
||||
<a href="https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FDismiss-AADRiskyUser%2Fazuredeploy_incident.json" target="_blank">
|
||||
<a href="https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FDismiss-AADRiskyUser%2Fincident-trigger%2Fazuredeploy.json" target="_blank">
|
||||
<img src="https://aka.ms/deploytoazurebutton""/>
|
||||
</a>
|
||||
<a href="https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FDismiss-AADRiskyUser%2Fazuredeploy_incident.json" target="_blank">
|
||||
<a href="https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FDismiss-AADRiskyUser%2Fincident-trigger%2Fazuredeploy.json" target="_blank">
|
||||
<img src="https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/deploytoazuregov.png"/>
|
||||
</a>
|
||||
|
||||
**Deploy with alert trigger**
|
||||
|
||||
After deployment, you can run this playbook manually on an alert or attach it to an **analytics rule** so it will rune when an alert is created.
|
||||
After deployment, you can run this playbook manually on an alert or attach it to an **analytics rule** so it will run when an alert is created.
|
||||
|
||||
<a href="https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FDismiss-AADRiskyUser%2Fazuredeploy_alert.json" target="_blank">
|
||||
<a href="https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FDismiss-AADRiskyUser%2Falert-trigger%2Fazuredeploy.json" target="_blank">
|
||||
<img src="https://aka.ms/deploytoazurebutton""/>
|
||||
</a>
|
||||
<a href="https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FDismiss-AADRiskyUser%2Fazuredeploy_alert.json" target="_blank">
|
||||
<a href="https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FDismiss-AADRiskyUser%2Falert-trigger%2Fazuredeploy.json" target="_blank">
|
||||
<img src="https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/deploytoazuregov.png"/>
|
||||
</a>
|
||||
|
||||
|
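Review bot: both `<img src="https://aka.ms/deploytoazurebutton""/>` lines carry a stray second quote after the URL; they are unchanged context, but this hunk already touches the anchors around them, so drop the extra `"` so the attribute is well-formed. The `rune` to `run` fix and the new `incident-trigger/azuredeploy.json` and `alert-trigger/azuredeploy.json` paths in the four deploy links look consistent with the folder split described in the commit message.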
@ -34,8 +34,8 @@ After deployment, you can run this playbook manually on an alert or attach it to
|
|||
- You will need to add the managed identity that is created by the Logic App to the Security Administrator role in Azure AD.
|
||||
|
||||
## Screenshots
|
||||
**Incident Trigger**
|
||||
![Incident Trigger](./images/Dismiss-AADRiskyUser_incident.png)
|
||||
**Incident Trigger**<br>
|
||||
![Incident Trigger](./incident-trigger/images/designerScreenshotLight.png)<br>
|
||||
|
||||
**Alert Trigger**
|
||||
![Alert Trigger](./images/Dismiss-AADRiskyUser_alert.png)
|
||||
**Alert Trigger**<br>
|
||||
![Alert Trigger](./alert-trigger/images/Dismiss-AADRiskyUser_alert.png)<br>
|
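Review bot: the incident trigger screenshot now points at `./incident-trigger/images/designerScreenshotLight.png`, which this commit adds, but the alert trigger screenshot points at `./alert-trigger/images/Dismiss-AADRiskyUser_alert.png`, for which no binary is added in this diff and whose name does not follow the new designerScreenshotLight/Dark convention; confirm the file exists at that path after the move or rename it to match. The `<br>` after each bold heading is not needed in Markdown.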