Azure
/
Azure-Sentinel
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Merge pull request #3665 from rons4/master 

SIGNL4 Solution Packaging
This commit is contained in:
v-jayakal 2022-01-05 14:05:27 -08:00 коммит произвёл GitHub
Родитель fc9d26fca3 7d4f5689f9
Коммит 0f7669a1eb
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: 4AEE18F83AFDEB23
5 изменённых файлов: 516 добавлений и 0 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

Двоичные данные
Solutions/SIGNL4/Package/1.0.0.zip Normal file
Просмотреть файл

Двоичный файл не отображается.

144
Solutions/SIGNL4/Package/createUiDefinition.json Normal file
Просмотреть файл

@ -0,0 +1,144 @@
{
"$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
"handler": "Microsoft.Azure.CreateUIDef",
"version": "0.1.2-preview",
"parameters": {
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/signl4/signl4-logo/main/signl4.svg\" width=\"75px\" height=\"75px\">\n\n**Important:** _This Microsoft Sentinel Solution is currently in public preview. This feature is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)._\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nSIGNL4 offers critical alerting, incident response and service dispatching for operating critical infrastructure. It alerts you persistently via app push, SMS text and voice calls including tracking, escalation, collaboration and duty planning. \n\n[Learn more >](https://www.signl4.com)\n\nMicrosoft Sentinel Solutions provide a consolidated way to acquire Microsoft Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.\n\n**Data Connectors:** 1, **Playbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
"Microsoft.OperationalInsights/workspaces/providers/alertRules",
"Microsoft.Insights/workbooks",
"Microsoft.Logic/workflows"
]
},
"location": {
"metadata": {
"hidden": "Hiding location, we get it from the log analytics workspace"
},
"visible": false
},
"resourceGroup": {
"allowExisting": true
}
}
},
"basics": [
{
"name": "getLAWorkspace",
"type": "Microsoft.Solutions.ArmApiControl",
"toolTip": "This filters by workspaces that exist in the Resource Group selected",
"condition": "[greater(length(resourceGroup().name),0)]",
"request": {
"method": "GET",
"path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
}
},
{
"name": "workspace",
"type": "Microsoft.Common.DropDown",
"label": "Workspace",
"placeholder": "Select a workspace",
"toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
"constraints": {
"allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(filter.id, toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
"required": true
},
"visible": true
}
],
"steps": [
{
"name": "dataconnectors",
"label": "Data Connectors",
"bladeTitle": "Data Connectors",
"elements": [
{
"name": "dataconnectors1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Solution installs the data connector for SIGNL4. You can get SIGNL4 custom log data in your Azure Sentinel workspace. Configure and enable this data connector in the Data Connector gallery after this Solution deploys. This data connector creates custom log table(s) SIGNL4_CL in your Azure Sentinel / Azure Log Analytics workspace."
}
},
{
"name": "dataconnectors-link1",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more about normalized format",
"uri": "https://docs.microsoft.com/azure/sentinel/normalization-schema"
}
}
},
{
"name": "dataconnectors-link2",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more about connecting data sources",
"uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
}
}
}
]
},
{
"name": "playbooks",
"label": "Playbooks",
"subLabel": {
"preValidation": "Configure the playbooks",
"postValidation": "Done"
},
"bladeTitle": "Playbooks",
"elements": [
{
"name": "playbooks-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This solution installs playbook resources. A security playbook is a collection of procedures that can be run from Azure Sentinel in response to an alert. A security playbook can help automate and orchestrate your response, and can be run manually or set to run automatically when specific alerts are triggered. Security playbooks in Azure Sentinel are based on Azure Logic Apps, which means that you get all the power, customizability, and built-in templates of Logic Apps. Each playbook is created for the specific subscription you choose, but when you look at the Playbooks page, you will see all the playbooks across any selected subscriptions.",
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-respond-threats-playbook?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
}
}
},
{
"name": "playbook1",
"type": "Microsoft.Common.Section",
"label": "SIGNL4_Alerting_and_Response",
"elements": [
{
"name": "playbook1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This playbook ingests events from SIGNL4 into Log Analytics using the API."
}
},
{
"name": "playbook1-PlaybookName",
"type": "Microsoft.Common.TextBox",
"label": "Playbook Name",
"defaultValue": "SIGNL4_Alerting_and_Response",
"toolTip": "Resource name for the logic app playbook. No spaces are allowed",
"constraints": {
"required": true,
"regex": "[a-z0-9A-Z]{1,256}$",
"validationMessage": "Please enter a playbook resource name"
}
}
]
}
]
}
],
"outputs": {
"workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(filter.id, toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
"location": "[location()]",
"workspace": "[basics('workspace')]",
"playbook1-PlaybookName": "[steps('playbooks').playbook1.playbook1-PlaybookName]"
}
}
}

334
Solutions/SIGNL4/Package/mainTemplate.json Normal file
Просмотреть файл

@ -0,0 +1,334 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"author": "Nikhil Tripathi - v-ntripathi@microsoft.com",
"comments": "Solution template for SIGNL4"
},
"parameters": {
"location": {
"type": "string",
"minLength": 1,
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
}
},
"workspace-location": {
"type": "string",
"defaultValue": "",
"metadata": {
"description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
}
},
"workspace": {
"defaultValue": "",
"type": "string",
"metadata": {
"description": "Workspace name for Log Analytics where Sentinel is setup"
}
},
"playbook1-PlaybookName": {
"defaultValue": "SIGNL4_Alerting_and_Response",
"type": "string",
"minLength": 1,
"metadata": {
"description": "Resource name for the logic app playbook. No spaces are allowed"
}
},
"connector1-name": {
"type": "string",
"defaultValue": "78314b2d-533a-4393-b2e0-b7f6dc719ca3"
}
},
"variables": {
"playbook1-Playbooks": "playbook1-Playbooks",
"_playbook1-Playbooks": "[variables('playbook1-Playbooks')]",
"playbook1-AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('playbook1-PlaybookName'))]",
"playbook1-SIGNL4ConnectionName": "[concat('signl4-', parameters('playbook1-PlaybookName'))]",
"playbook-1-connection-1": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/azuresentinel')]",
"_playbook-1-connection-1": "[variables('playbook-1-connection-1')]",
"playbook-1-connection-2": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/signl4')]",
"_playbook-1-connection-2": "[variables('playbook-1-connection-2')]",
"connector1-source": "[concat('/subscriptions/',subscription().subscriptionId,'/resourceGroups/',resourceGroup().name,'/providers/Microsoft.OperationalInsights/workspaces/',parameters('workspace'),'/providers/Microsoft.SecurityInsights/dataConnectors/',parameters('connector1-name'))]",
"_connector1-source": "[variables('connector1-source')]",
"DerdackSIGNL4Connector": "DerdackSIGNL4Connector",
"_DerdackSIGNL4Connector": "[variables('DerdackSIGNL4Connector')]",
"sourceId": "signl4.azure-sentinel-solution-signl4",
"_sourceId": "[variables('sourceId')]"
},
"resources": [
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('playbook1-AzureSentinelConnectionName')]",
"location": "[parameters('workspace-location')]",
"kind": "V1",
"properties": {
"displayName": "[variables('playbook1-AzureSentinelConnectionName')]",
"parameterValueType": "Alternative",
"api": {
"id": "[variables('_playbook-1-connection-1')]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('playbook1-SIGNL4ConnectionName')]",
"location": "[parameters('workspace-location')]",
"properties": {
"displayName": "[variables('playbook1-SIGNL4ConnectionName')]",
"api": {
"id": "[variables('_playbook-1-connection-2')]"
}
}
},
{
"type": "Microsoft.Logic/workflows",
"apiVersion": "2017-07-01",
"name": "[parameters('playbook1-PlaybookName')]",
"location": "[parameters('workspace-location')]",
"tags": {
"LogicAppsCategory": "security",
"hidden-SentinelTemplateName": "SIGNL4",
"hidden-SentinelTemplateVersion": "1.0"
},
"identity": {
"type": "SystemAssigned"
},
"dependsOn": [
"[resourceId('Microsoft.Web/connections', variables('playbook1-AzureSentinelConnectionName'))]",
"[resourceId('Microsoft.Web/connections', variables('playbook1-SIGNL4ConnectionName'))]"
],
"properties": {
"state": "Enabled",
"definition": {
"$schema": "https://schema.@{variables('azureManagementUrl')}/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"$connections": {
"type": "Object"
}
},
"triggers": {
"When_Azure_Sentinel_incident_creation_rule_was_triggered": {
"inputs": {
"body": {
"callback_url": "@{listCallbackUrl()}"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"path": "/incident-creation"
},
"type": "ApiConnectionWebhook"
}
},
"actions": {
"For_each": {
"foreach": "@triggerBody()?['object']?['properties']?['Alerts']",
"actions": {
"Trigger_Alert": {
"type": "ApiConnection",
"inputs": {
"body": {
"flags": 0,
"severity": 0,
"text": "@items('For_each')?['properties']?['description']",
"title": "Azure Sentinel Alert"
},
"host": {
"connection": {
"name": "@parameters('$connections')['signl4']['connectionId']"
}
},
"method": "post",
"path": "/alerts"
}
}
},
"type": "Foreach"
}
}
},
"parameters": {
"$connections": {
"value": {
"azuresentinel": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('playbook1-AzureSentinelConnectionName'))]",
"connectionName": "[variables('playbook1-AzureSentinelConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/azuresentinel')]",
"connectionProperties": {
"authentication": {
"type": "ManagedServiceIdentity"
}
}
},
"signl4": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('playbook1-SIGNL4ConnectionName'))]",
"connectionName": "[variables('playbook1-SIGNL4ConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/signl4')]"
}
}
}
}
}
},
{
"id": "[variables('_connector1-source')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('connector1-name'))]",
"apiVersion": "2021-03-01-preview",
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
"location": "[parameters('workspace-location')]",
"kind": "GenericUI",
"properties": {
"connectorUiConfig": {
"title": "Derdack SIGNL4",
"publisher": "Derdack",
"descriptionMarkdown": "When critical systems fail or security incidents happen, SIGNL4 bridges the last mile to your staff, engineers, IT admins and workers in the field. It adds real-time mobile alerting to your services, systems, and processes in no time. SIGNL4 notifies through persistent mobile push, SMS text and voice calls with acknowledgement, tracking and escalation. Integrated duty and shift scheduling ensure the right people are alerted at the right time.\n\n[Learn more >](https://www.signl4.com)",
"graphQueries": [
{
"metricName": "Total data received",
"legend": "SIGNL4_CL",
"baseQuery": "SecurityIncident"
}
],
"sampleQueries": [
{
"description": "Get SIGNL4 alert and status information.",
"query": "SecurityIncident\n | where Labels contains \"SIGNL4\""
}
],
"dataTypes": [
{
"name": "SIGNL4_CL",
"lastDataReceivedQuery": "SecurityIncident\n | where Labels contains \"SIGNL4\" | summarize Time = max(TimeGenerated) | where isnotempty(Time)"
}
],
"connectivityCriterias": [
{
"type": "IsConnectedQuery",
"value": [
"SecurityIncident\n | where Labels contains \"SIGNL4\""
]
}
],
"availability": {
"status": 1,
"isPreview": true
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "read and write permissions are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"write": true,
"read": true,
"delete": true
}
},
{
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
"providerDisplayName": "Keys",
"scope": "Workspace",
"requiredPermissions": {
"action": true
}
}
]
},
"instructionSteps": [
{
"description": ">**NOTE:** This data connector is mainly configured on the SIGNL4 side. You can find a description video here: [**Integrate SIGNL4 with Azure Sentinel**](https://www.signl4.com/blog/portfolio_item/azure-sentinel-mobile-alert-notification-duty-schedule-escalation/)."
},
{
"description": ">**SIGNL4 Connector:** The SIGNL4 connector for Azure Sentinel, Azure Security Center and other Azure Graph Security API providers provides seamless 2-way integration with your Azure Security solutions. Once added to your SIGNL4 team, the connector will read security alerts from Azure Graph Security API and fully automatically and trigger alert notifications to your team members on duty. It will also synchronize the alert status from SIGNL4 to Graph Security API, so that if alerts are acknowledged or closed, this status is also updated on the according Azure Graph Security API alert or the corresponding security provider. As mentioned, the connector mainly uses Azure Graph Security API, but for some security providers, such as Azure Sentinel, it also uses dedicated REST APIs from according Azure solutions."
},
{
"description": "Azure Sentinel is a cloud native SIEM solution from Microsoft and a security alert provider in Azure Graph Security API. However, the level of alert details available with the Graph Security API is limited for Azure Sentinel. The connector can therefore augment alerts with further details (insights rule search results), from the underlying Azure Sentinel Log Analytics workspace. To be able to do that, the connector communicates with Azure Log Analytics REST API and needs according permissions (see below). Furthermore, the app can also update the status of Azure Sentinel incidents, when all related security alerts are e.g. in progress or resolved. In order to be able to do that, the connector needs to be a member of the 'Azure Sentinel Contributors' group in your Azure Subscription.\n **Automated deployment in Azure**\n The credentials required to access the beforementioned APIs, are generated by a small PowerShell script that you can download below. The script performs the following tasks for you:\n - Logs you on to your Azure Subscription (please login with an administrator account)\n - Creates a new enterprise application for this connector in your Azure AD, also referred to as service principal\n - Creates a new role in your Azure IAM that grants read/query permission to only Azure Log Analytics workspaces.\n - Joins the enterprise application to that user role\n - Joins the enterprise application to the 'Azure Sentinel Contributors' role\n - Outputs some data that you need to configure app (see below)",
"title": "Azure Sentinel Features"
},
{
"description": "1. Download the PowerShell deployment script from [here](https://github.com/signl4/signl4-integration-azuresentinel/blob/master/registerSIGNL4Client.ps1).\n2. Review the script and the roles and permission scopes it deploys for the new app registration. If you don't want to use the connector with Azure Sentinel, you could remove all role creation and role assignment code and only use it to create the app registration (SPN) in your Azure Active Directory.\n3. Run the script. At the end it outputs information that you need to enter in the connector app configuration.\n4. In Azure AD, click on 'App Registrations'. Find the app with the name 'SIGNL4AzureSecurity' and open its details\n5. On the left menu blade click 'API Permissions'. Then click 'Add a permission'.\n6. On the blade that loads, under 'Microsoft APIs' click on the 'Microsoft Graph' tile, then click 'App permission'.\n7. In the table that is displayed expand 'SecurityEvents' and check 'SecurityEvents.Read.All' and 'SecurityEvents.ReadWrite.All'.\n8. Click 'Add permissions'.",
"title": "Deployment procedure"
},
{
"description": "Finally, enter the IDs, that the script has outputted in the connector configuration:\n - Azure Tenant ID\n - Azure Subscription ID\n - Client ID (of the enterprise application)\n - Client Secret (of the enterprise application)\n Once the app is enabled, it will start reading your Azure Graph Security API alerts.\n\n>**NOTE:** It will initially only read the alerts that have occurred within the last 24 hours.",
"instructions": [
{
"parameters": {
"fillWith": [
"WorkspaceId"
],
"label": "Workspace ID"
},
"type": "CopyableLabel"
}
],
"title": "Configuring the SIGNL4 connector app"
}
]
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2021-03-01-preview",
"properties": {
"version": "1.0.0",
"kind": "Solution",
"contentId": "[variables('_sourceId')]",
"parentId": "[variables('_sourceId')]",
"source": {
"kind": "Solution",
"name": "SIGNL4",
"sourceId": "[variables('_sourceId')]"
},
"author": {
"name": "Nikhil Tripathi",
"email": "v-ntripathi@microsoft.com"
},
"support": {
"name": "Derdack",
"email": "success@signl4.com",
"tier": "Partner",
"link": "https://www.signl4.com"
},
"dependencies": {
"operator": "AND",
"criteria": [
{
"kind": "Playbook",
"contentId": "[variables('_playbook1-Playbooks')]",
"version": "1.0.0"
},
{
"kind": "DataConnector",
"contentId": "[variables('_DerdackSIGNL4Connector')]",
"version": "1.0.0"
}
]
},
"firstPublishDate": "2021-12-10",
"providers": [
"Derdack"
],
"categories": {
"domains": [
"DevOps",
"IT Operations"
]
}
},
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_sourceId'))]"
}
],
"outputs": {}
}

17
Solutions/SIGNL4/SolutionMetadata.json Normal file
Просмотреть файл

@ -0,0 +1,17 @@
{
"publisherId": "signl4",
"offerId": "azure-sentinel-solution-signl4",
"firstPublishDate": "2021-12-10",
"lastPublishDate": "2021-12-10",
"providers": ["Derdack"],
"categories": {
"domains" : ["DevOps", "IT Operations"],
"verticals": []
},
"support": {
"name": "Derdack",
"email": "success@signl4.com",
"tier": "Derdack",
"link": "https://www.signl4.com"
}
}

21
Tools/Create-Azure-Sentinel-Solution/input/Solution_SIGNL4.json Normal file
Просмотреть файл

@ -0,0 +1,21 @@
{
"Name": "SIGNL4",
"Author": "Ronald Czachara - ron@signl4.com",
"Logo": "<img src=\"https://raw.githubusercontent.com/signl4/signl4-logo/main/signl4.svg\" width=\"75px\" height=\"75px\">",
"Description": "SIGNL4 offers critical alerting, incident response and service dispatching for operating critical infrastructure. It alerts you persistently via app push, SMS text and voice calls including tracking, escalation, collaboration and duty planning. \n\n[Learn more >](https://www.signl4.com)",
"WorkbookDescription": [],
"Workbooks": [],
"Analytic Rules": [],
"Playbooks": [
"Playbooks/azuredeploy.json"
],
"Parsers": [],
"Hunting Queries": [],
"Data Connectors": [
"Data Connectors/DerdackSIGNL4.json"
],
"Watchlists": [],
"BasePath": "C:/GitHub/Azure-Sentinel/Solutions/SIGNL4/",
"Version": "1.0.0",
"Metadata": "SolutionMetadata.json"
}