11102022 as import ad group users to ms watchlist (#6597)

* Create init

* Add files via upload

* Add files via upload

* Delete init

* Add files via upload

* Update README.md

* Update azuredeploy.json

* Update README.md

* Update azuredeploy.json

* Create AS-Import-Azure-AD-Group-Users-to-MS-Watchlist

* Delete AS-Import-Azure-AD-Group-Users-to-MS-Watchlist

* Create rename

* Create README.md

* Create azuredeploy.json

* Delete Playbooks/AS-Import-Azure-AD-Group-Users-to-MS-Watchlistazuredeploy.json directory

* Delete rename

* Create watchlist_initialize.csv

* Create init

* Create azuredeploy.json

* Add files via upload

* Delete Playbooks/AS-Import-AD-Group-Users-to-MS-Watchlist directory

* Delete init

* Update README.md

* Add files via upload

* Delete AS_Group_Watchlist_Add_Role_1.png

* Update README.md

* Add files via upload

* Delete ApprovalEmail_Access_1.png

* Delete ApprovalEmail_Access_2.png

* Delete ApprovalEmail_Access_3.png

* Delete ApprovalEmail_Access_4.png

* Add files via upload

* Delete AS_Group_Watchlist_Add_Role_1.png

* Add files via upload

Playbooks/AS-Import-Azure-AD-Group-Users-to-MS-Watchlist/README.md

@@ -0,0 +1,193 @@
+# AS-Import-Azure-AD-Group-Users-to-MS-Watchlist
+
+Author: Accelerynt
+
+For any technical questions, please contact info@accelerynt.com  
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FAS-Import-AD-Group-Users-to-MS-Watchlist%2Fazuredeploy.json)
+[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FAS-Import-AD-Group-Users-to-MS-Watchlist%2Fazuredeploy.json)       
+
+This playbook is intended to be run on a schedule. It will add the users from a specified Azure Active Directory group to a Microsoft Sentinel watchlist.
+
+![AS_Group_Watchlist_Demo](Images/AS_Group_Watchlist_Demo.png)
+
+#
+### Requirements
+
+The following items are required under the template settings during deployment: 
+
+* An [Azure Active Directory group Id](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Import-AD-Group-Users-to-MS-Watchlist#azure-active-directory-group-id)
+
+* A [Microsoft Sentinel watchlist](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Import-AD-Group-Users-to-MS-Watchlist#create-a-microsoft-sentinel-watchlist)
+
+* A [Microsoft Sentinel workspace Id](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Import-AD-Group-Users-to-MS-Watchlist#microsoft-sentinel-workspace-id)
+
+# 
+### Setup
+
+#### Azure Active Directory Group Id:
+
+Navigate to the Azure Active Directory Groups page: 
+https://portal.azure.com/#view/Microsoft_AAD_IAM/GroupsManagementMenuBlade/~/AllGroups
+
+Create a new group or locate the existing group you would like to use with this playbook and click the name.
+
+![AS_Group_Watchlist_Group_Id_1](Images/AS_Group_Watchlist_Group_Id_1.png)
+
+From the group "**Overview**" page, copy the value of the "**Object Id**" and save it for deployment.
+
+![AS_Group_Watchlist_Group_Id_2](Images/AS_Group_Watchlist_Group_Id_2.png)
+
+#### Create a Microsoft Sentinel Watchlist:
+
+Navigate to the Microsoft Sentinel page and select a workspace:
+
+https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel
+
+Under the "**Configuration**" section of the menu, click "**Watchlist**", then click "**Add new**".
+
+![AS_Group_Watchlist_Create_Watchlist_2](Images/AS_Group_Watchlist_Create_Watchlist_2.png)
+
+Fill out the required fields and take note of the value you use for "**Alias**" as this will be needed for deployment. Then click "**Next: Source**".
+
+![AS_Group_Watchlist_Create_Watchlist_3](Images/AS_Group_Watchlist_Create_Watchlist_3.png)
+
+The watchlist cannot be created without initial data. We have created a file with the necessary headers and an entry that can later be deleted from the watchlist once it has been updated with additional entries.
+
+Upload the "**watchlist_initialize.csv**" included in this repository and select "**id**" as the search key. Then click "**Next: Review and create**".
+
+![AS_Group_Watchlist_Create_Watchlist_4](Images/AS_Group_Watchlist_Create_Watchlist_4.png)
+
+Review the information, then click "**Create**".
+![AS_Group_Watchlist_Create_Watchlist_5](Images/AS_Group_Watchlist_Create_Watchlist_5.png)
+
+Once your watchlist has been created, you can view the entries by clicking the watchlist name from the "**Overview**" page, and then clicking "**View in logs**".
+
+![AS_Group_Watchlist_Create_Watchlist_6](Images/AS_Group_Watchlist_Create_Watchlist_6.png)
+
+This will run a Kusto query for your watchlist and you should be able to see the initializing data that was just uploaded. Please note it may take a minute after the creation of your watchlist for the query to show results.
+
+![AS_Group_Watchlist_Create_Watchlist_7](Images/AS_Group_Watchlist_Create_Watchlist_7.png)
+
+#### Microsoft Sentinel Workspace Id:
+
+Navigate to the Microsoft Sentinel page and select the same workspace as before:
+
+https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel
+
+Under the "**Configuration**" section of the menu, click "**Settings**", then click the "**Workspace settings**" tab.
+
+![AS_Group_Watchlist_Workspace_Id_1](Images/AS_Group_Watchlist_Workspace_Id_1.png)
+
+Copy the value of the "**Workspace ID**" field and save it for deployment.
+
+![AS_Group_Watchlist_Workspace_Id_2](Images/AS_Group_Watchlist_Workspace_Id_2.png)
+
+#
+### Deployment                                                                                                         
+                                                                                                        
+To configure and deploy this playbook:
+ 
+Open your browser and ensure you are logged into the same Microsoft Sentinel workspace selected above. In a separate tab, open the link to our playbook on the Accelerynt Security GitHub Repository:
+
+https://github.com/Accelerynt-Security/AS-Import-AD-Group-Users-to-MS-Watchlist
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FAS-Import-AD-Group-Users-to-MS-Watchlist%2Fazuredeploy.json)
+[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FAS-Import-AD-Group-Users-to-MS-Watchlist%2Fazuredeploy.json)                                             
+
+Click the “**Deploy to Azure**” button at the bottom and it will bring you to the custom deployment template.
+
+In the **Project Details** section:
+
+* Select the “**Subscription**” and “**Resource Group**” from the dropdown boxes you would like the playbook deployed to.  
+
+In the **Instance Details** section:   
+
+* **Playbook Name**: This can be left as "**AS-Import-AD-Group-Users-to-MS-Watchlist**" or you may change it.  
+
+* **Group Id**: Enter the Id of the Azure Active Directory group referenced in [Azure Active Directory group Id](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Import-AD-Group-Users-to-MS-Watchlist#azure-active-directory-group-id).
+
+* **Watchlist Name**: The name of the watchlist referenced in [Create a Microsoft Sentinel Watchlist](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Import-AD-Group-Users-to-MS-Watchlist#create-a-microsoft-sentinel-watchlist)
+
+* **Workspace Id**: The Id of the Microsoft Sentinel workspace the watchlist was created in, referenced in [Microsoft Sentinel workspace Id](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Import-AD-Group-Users-to-MS-Watchlist#microsoft-sentinel-workspace-id)
+
+Towards the bottom, click on “**Review + create**”. 
+
+![AS_Group_Watchlist_Deploy_1](Images/AS_Group_Watchlist_Deploy_1.png)
+
+Once the resources have validated, click on "**Create**".
+
+![AS_Group_Watchlist_Deploy_2](Images/AS_Group_Watchlist_Deploy_2.png)
+
+The resources should take around a minute to deploy. Once the deployment is complete, you can expand the "**Deployment details**" section to view them.
+Click the one corresponding to the Logic App.
+
+![AS_Group_Watchlist_Deploy_3](Images/AS_Group_Watchlist_Deploy_3.png)
+
+Click on the “**Edit**” button. This will bring us into the Logic Apps Designer.
+
+![AS_Group_Watchlist_Deploy_4](Images/AS_Group_Watchlist_Deploy_4.png)
+
+Before the playbook can be run successfully, the Azure AD connection used in the second step and the Microsoft Sentinel connection used in the fourth and ninth steps will either need to be authorized, or existing authorized connections may be alternatively selected.  
+
+![AS_Group_Watchlist_Deploy_5](Images/AS_Group_Watchlist_Deploy_5.png)
+
+To validate the Azure AD connection, expand the second step labeled "**Connections**" and click the exclamation point icon next to the name matching the playbook.
+                                                                                                
+![AS_Group_Watchlist_Deploy_6](Images/AS_Group_Watchlist_Deploy_6.png)
+
+When prompted, sign in to validate the connection.  
+
+![AS_Group_Watchlist_Deploy_7](Images/AS_Group_Watchlist_Deploy_7.png)
+
+Repeat the process for the Microsoft Sentinel connection.
+
+![AS_Group_Watchlist_Deploy_8](Images/AS_Group_Watchlist_Deploy_8.png)
+
+Returning to the "**Overview**" page of the logic app, it can now be run successfully.
+
+![AS_Group_Watchlist_Deploy_9](Images/AS_Group_Watchlist_Deploy_9.png)
+
+# 
+### Add Microsoft Sentinel Contributor Role
+
+To run successfully, this playbook requires Microsoft Sentinel Contributor role on the Log Analytics workspace.
+
+Navigate to the Log Analytics Workspaces page and select the same workspace the watchlist is located in:
+
+https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.OperationalInsights%2Fworkspaces
+
+Select the "**Access control (IAM)**" option from the menu blade, then click "**Add role assignment**".
+
+![AS_Group_Watchlist_Add_Role_1](Images/AS_Group_Watchlist_Add_Role_1.png)
+
+Select the "**Microsoft Sentinel Contributor**" role, then click "**Next**".
+
+![AS_Group_Watchlist_Add_Role_2](Images/AS_Group_Watchlist_Add_Role_2.png)
+
+Select the "**Managed identity**" option, then under the subscription the logic app is located, set the value of "**Managed identity**" to "**Logic app**". Next, enter "**AS-Import-Azure-AD-Group-Users-to-MS-Watchlist**", or the alternative playbook name used during deployment, in the field labeled "**Select**". Select the playbook, then click "**Select**".
+
+![AS_Group_Watchlist_Add_Role_3](Images/AS_Group_Watchlist_Add_Role_3.png)
+
+Continue on to the "**Review + assign**" tab and click "**Review + assign**".
+
+![AS_Group_Watchlist_Add_Role_4](Images/AS_Group_Watchlist_Add_Role_4.png)
+
+# 
+### Editing the Microsoft Sentinel Watchlist
+
+A watchlist needs initial data in order to be created. Because of this, the watchlist will have a row with the values "**initial data**". Once the logic app has run successfully and other entries have been added, you can remove this row.
+
+To do this, navigate back to the Microsoft Sentinel page:
+
+https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel
+
+Click the workspace name used during deployment and then click "**Watchlist**" under the "**Configuration**" section of the menu.
+
+Click the name of the watchlist used during deployment. This will pull up a menu on the right side of the page. Click "**Update watchlist**".
+
+![AS_Group_Watchlist_View_Watchlist_2](Images/AS_Group_Watchlist_View_Watchlist_2.png)
+
+Check the box of the row with the values "**initial data**" and click "**Delete**".
+
+![AS_Group_Watchlist_View_Watchlist_3](Images/AS_Group_Watchlist_View_Watchlist_3.png)

Playbooks/AS-Import-Azure-AD-Group-Users-to-MS-Watchlist/azuredeploy.json

@@ -0,0 +1,262 @@
+{
+    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+    "contentVersion": "1.0.0.0",
+    "metadata": {
+        "title": "AS-Import-Azure-AD-Group-Users-to-MS-Watchlist", 
+        "description": "This playbook is intended to be run on a schedule. It will add the users from a specified Azure Active Directory group to a Microsoft Sentinel watchlist.",
+        "lastUpdateTime": "2022-11-01T18:18:05Z",
+        "tags": ["Microsoft Sentinel", "Watchlist", "Azure Active Directory", "Group"], 
+        "support": {
+            "tier": "developer"
+        },
+        "author": {
+            "name": "Accelerynt"
+        }
+    },
+    "parameters": {
+        "PlaybookName": {
+            "defaultValue": "AS-Import-Azure-AD-Group-Users-to-MS-Watchlist",
+            "type": "string"
+        },
+        "GroupId": {
+            "type": "string",
+            "metadata": {
+                "description": "The object id of the desired Azure Active Directory group"
+            }
+        },
+        "WatchlistName": {
+            "type": "string",
+            "metadata": {
+                "description": "The name of the Microsoft Sentinel watchlist"
+            }
+        },
+        "WorkspaceId": {
+            "type": "string",
+            "metadata": {
+                "description": "The name of the Microsoft Sentinel workspace the watchlist is located"
+            }
+        }
+    },
+    "variables": {
+        "azuread": "[concat('azuread-', parameters('PlaybookName'))]",
+        "azuresentinel": "[concat('azuresentinel-', parameters('PlaybookName'))]"
+    },
+    "resources": [
+        {
+            "type": "Microsoft.Web/connections",
+            "apiVersion": "2016-06-01",
+            "name": "[variables('azuread')]",
+            "location": "[resourceGroup().location]",
+            "properties": {
+                "displayName": "[parameters('PlaybookName')]",
+                "customParameterValues": {},
+                "api": {
+                    "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuread')]"
+                }
+            }
+        },
+        {
+            "type": "Microsoft.Web/connections",
+            "apiVersion": "2016-06-01",
+            "name": "[variables('azuresentinel')]",
+            "location": "[resourceGroup().location]",
+            "kind": "V1",
+            "properties": {
+                "displayName": "[parameters('PlaybookName')]",
+                "customParameterValues": {},
+                "parameterValueType": "Alternative",
+                "api": {
+                    "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
+                }
+            }
+        },
+        {
+            "type": "Microsoft.Logic/workflows",
+            "apiVersion": "2017-07-01",
+            "name": "[parameters('PlaybookName')]",
+            "location": "[resourceGroup().location]",
+            "tags": {
+                "LogicAppsCategory": "security"
+            },
+            "identity": {
+                "type": "SystemAssigned"
+            },
+            "dependsOn": [
+                "[resourceId('Microsoft.Web/connections', variables('azuread'))]",
+                "[resourceId('Microsoft.Web/connections', variables('azuresentinel'))]"
+            ],
+            "properties": {
+                "state": "Enabled",
+                "definition": {
+                    "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+                    "contentVersion": "1.0.0.0",
+                    "parameters": {
+                        "$connections": {
+                            "defaultValue": {},
+                            "type": "Object"
+                        }
+                    },
+                    "triggers": {
+                        "Recurrence": {
+                            "evaluatedRecurrence": {
+                                "frequency": "Day",
+                                "interval": 1,
+                                "schedule": {
+                                    "hours": [
+                                        "23"
+                                    ]
+                                }
+                            },
+                            "recurrence": {
+                                "frequency": "Day",
+                                "interval": 1,
+                                "schedule": {
+                                    "hours": [
+                                        "23"
+                                    ]
+                                }
+                            },
+                            "type": "Recurrence"
+                        }
+                    },
+                    "actions": {
+                        "For_each_-_Existing_watchlist_items": {
+                            "foreach": "@body('Watchlists_-_Get_all_watchlist_Items_for_a_given_watchlist')?['properties']?['watchlistItems']",
+                            "actions": {
+                                "Append_to_array_variable": {
+                                    "runAfter": {},
+                                    "type": "AppendToArrayVariable",
+                                    "inputs": {
+                                        "name": "Watchlist IDs",
+                                        "value": "@items('For_each_-_Existing_watchlist_items')?['properties.itemsKeyValue']?['id']"
+                                    }
+                                }
+                            },
+                            "runAfter": {
+                                "Watchlists_-_Get_all_watchlist_Items_for_a_given_watchlist": [
+                                    "Succeeded"
+                                ]
+                            },
+                            "type": "Foreach"
+                        },
+                        "For_each_-_Group_members": {
+                            "foreach": "@body('Get_group_members')?['value']",
+                            "actions": {
+                                "Condition_-_Check_if_user_is_already_in_watchlist": {
+                                    "actions": {},
+                                    "runAfter": {},
+                                    "else": {
+                                        "actions": {
+                                            "Watchlists_-_Add_a_new_watchlist_item": {
+                                                "runAfter": {},
+                                                "type": "ApiConnection",
+                                                "inputs": {
+                                                    "body": {
+                                                        "id": "@{items('For_each_-_Group_members')?['id']}",
+                                                        "userPrincipalName": "@{items('For_each_-_Group_members')?['userPrincipalName']}"
+                                                    },
+                                                    "host": {
+                                                        "connection": {
+                                                            "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+                                                        }
+                                                    },
+                                                    "method": "put",
+                                                    "path": "[concat('/Watchlists/subscriptions/@{encodeURIComponent(''', subscription().subscriptionId, ''')}/resourceGroups/@{encodeURIComponent(''', resourceGroup().name, ''')}/workspaces/@{encodeURIComponent(''', parameters('WorkspaceId'), ''')}/watchlists/@{encodeURIComponent(''', parameters('WatchlistName'), ''')}/watchlistItem')]"
+                                                }
+                                            }
+                                        }
+                                    },
+                                    "expression": {
+                                        "and": [
+                                            {
+                                                "equals": [
+                                                    "@contains(variables('Watchlist IDs'), items('For_each_-_Group_members')?['id'])",
+                                                    "@true"
+                                                ]
+                                            }
+                                        ]
+                                    },
+                                    "type": "If"
+                                }
+                            },
+                            "runAfter": {
+                                "For_each_-_Existing_watchlist_items": [
+                                    "Succeeded"
+                                ]
+                            },
+                            "type": "Foreach"
+                        },
+                        "Get_group_members": {
+                            "runAfter": {},
+                            "type": "ApiConnection",
+                            "inputs": {
+                                "host": {
+                                    "connection": {
+                                        "name": "@parameters('$connections')['azuread']['connectionId']"
+                                    }
+                                },
+                                "method": "get",
+                                "path": "[concat('/v1.0/groups/@{encodeURIComponent(''', parameters('GroupId'), ''')}/members')]"
+                            }
+                        },
+                        "Initialize_variable_-_Watchlist_IDs": {
+                            "runAfter": {
+                                "Get_group_members": [
+                                    "Succeeded"
+                                ]
+                            },
+                            "type": "InitializeVariable",
+                            "inputs": {
+                                "variables": [
+                                    {
+                                        "name": "Watchlist IDs",
+                                        "type": "array"
+                                    }
+                                ]
+                            }
+                        },
+                        "Watchlists_-_Get_all_watchlist_Items_for_a_given_watchlist": {
+                            "runAfter": {
+                                "Initialize_variable_-_Watchlist_IDs": [
+                                    "Succeeded"
+                                ]
+                            },
+                            "type": "ApiConnection",
+                            "inputs": {
+                                "host": {
+                                    "connection": {
+                                        "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+                                    }
+                                },
+                                "method": "get",
+                                "path": "[concat('/Watchlists/subscriptions/@{encodeURIComponent(''', subscription().subscriptionId, ''')}/resourceGroups/@{encodeURIComponent(''', resourceGroup().name, ''')}/workspaces/@{encodeURIComponent(''', parameters('WorkspaceId'), ''')}/watchlists/@{encodeURIComponent(''', parameters('WatchlistName'), ''')}/watchlistItems')]"
+                            }
+                        }
+                    },
+                    "outputs": {}
+                },
+                "parameters": {
+                    "$connections": {
+                        "value": {
+                            "azuread": {
+                                "connectionId": "[resourceId('Microsoft.Web/connections', variables('azuread'))]",
+                                "connectionName": "[variables('azuread')]",
+                                "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuread')]"
+                            },
+                            "azuresentinel": {
+                                "connectionId": "[resourceId('Microsoft.Web/connections', variables('azuresentinel'))]",
+                                "connectionName": "[variables('azuresentinel')]",
+                                "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]",
+                                "connectionProperties": {
+                                    "authentication": {
+                                        "type": "ManagedServiceIdentity"
+                                    }
+                                }
+                            }
+                        }
+                    }
+                }
+            }
+        }
+    ]
+}

Playbooks/AS-Import-Azure-AD-Group-Users-to-MS-Watchlist/watchlist_initialize.csv

@@ -0,0 +1,2 @@
+id,userPrincipalName
+initial data,initial data