Merge pull request #506 from swiftsolves-msft/nateswi_playbook

updated params fields
This commit is contained in:
dicolanl 2020-02-27 08:56:52 -05:00 коммит произвёл GitHub
Родитель 95d58c265a cb173f4ec6
Коммит 1432932ad3
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: 4AEE18F83AFDEB23
3 изменённых файлов: 502 добавлений и 7 удалений


@ -14,12 +14,12 @@
"defaultValue": "<username>@<domain>",
"type": "string"
},
"ASCLogAnalyticsWorkspaceName": {
"defaultValue": "yourASCworkspacename",
"AzureSentinelLogAnalyticsWorkspaceName": {
"defaultValue": "yourAzureSentinelworkspacename",
"type": "string"
},
"ASCLogAnalyticsWorkspaceResourceGroupName": {
"defaultValue": "yourASCworkspaceRGname",
"AzureSentinelLogAnalyticsWorkspaceResourceGroupName": {
"defaultValue": "yourAzureSentinelworkspaceRGname",
"type": "string"
}
},
@ -115,7 +115,6 @@
"type": "ApiConnection",
"inputs": {
"body": {
"CloseReason": "TruePositive",
"CloseReasonText": "Closed via Playbook to Dismiss ASC Alert"
},
"host": {
@ -192,8 +191,8 @@
"method": "post",
"path": "/queryData",
"queries": {
"resourcegroups": "[parameters('ASCLogAnalyticsWorkspaceResourceGroupName')]",
"resourcename": "[parameters('ASCLogAnalyticsWorkspaceName')]",
"resourcegroups": "[parameters('AzureSentinelLogAnalyticsWorkspaceResourceGroupName')]",
"resourcename": "[parameters('AzureSentinelLogAnalyticsWorkspaceName')]",
"resourcetype": "Log Analytics Workspace",
"subscriptions": "[subscription().subscriptionId]",
"timerange": "Set in query"
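Review bot: The renamed parameters keep placeholder strings as `defaultValue` (`yourAzureSentinelworkspacename`, `yourAzureSentinelworkspaceRGname`), so a deployment that forgets to override them succeeds and only fails later inside `Run_query_and_list_results` against a workspace that does not exist. Removing the two `defaultValue` lines makes the parameters required, and the portal deployment then prompts for real values instead of silently accepting the placeholders. Dropping `"CloseReason": "TruePositive"` while keeping `CloseReasonText` also changes the body the close action sends to the connector; if that operation requires a reason code this will only surface at run time, so the playbook should be re-run end to end after this change. The enclosing actions of the second and third hunks start outside the visible hunks.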


@ -0,0 +1,478 @@
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata":{
"comments": "This playbook will notify all mail enabled users assigned RBAC on the Azure Resource via a ASC alert generated Sentinel Incident.",
"author": "Nathan Swift"
},
"parameters": {
"PlaybookName": {
"defaultValue": "Notify-ASCAlertAzureResource",
"type": "String"
},
"UserName": {
"defaultValue": "<username>@<domain>",
"type": "string"
},
"AzureSentinelLogAnalyticsWorkspaceName": {
"defaultValue": "yourAzureSentinelworkspacename",
"type": "string"
},
"AzureSentinelLogAnalyticsWorkspaceResourceGroupName": {
"defaultValue": "yourAzureSentinelworkspaceRGname",
"type": "string"
},
"AADTenantID": {
"defaultValue": "Your AAD Tenant ID",
"type": "string"
}
},
"variables": {
"AzureMonitorLogsConnectionName": "[concat('azuremonitorlogs-', parameters('PlaybookName'))]",
"AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]",
"office365ConnectionName": "[concat('office365-', parameters('PlaybookName'))]"
},
"resources": [
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('AzureSentinelConnectionName')]",
"location": "[resourceGroup().location]",
"properties": {
"displayName": "[parameters('UserName')]",
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('AzureMonitorLogsConnectionName')]",
"location": "[resourceGroup().location]",
"properties": {
"displayName": "[parameters('UserName')]",
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuremonitorlogs')]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('office365ConnectionName')]",
"location": "[resourceGroup().location]",
"properties": {
"displayName": "[parameters('UserName')]",
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/office365')]"
}
}
},
{
"type": "Microsoft.Logic/workflows",
"apiVersion": "2017-07-01",
"name": "[parameters('PlaybookName')]",
"location": "[resourceGroup().location]",
"tags": {
"LogicAppsCategory": "security"
},
"properties": {
"state": "Enabled",
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"$connections": {
"defaultValue": {},
"type": "Object"
},
"TenantID": {
"defaultValue": "[parameters('AADTenantID')]",
"type": "String"
}
},
"triggers": {
"When_a_response_to_an_Azure_Sentinel_alert_is_triggered": {
"type": "ApiConnectionWebhook",
"inputs": {
"body": {
"callback_url": "@{listCallbackUrl()}"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"path": "/subscribe"
}
}
},
"actions": {
"Alert_-_Get_incident": {
"runAfter": {},
"type": "ApiConnection",
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "get",
"path": "/Cases/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}"
}
},
"For_each": {
"foreach": "@body('Alert_-_Get_incident')?['properties']?['RelatedAlertIds']",
"actions": {
"Filter_array": {
"runAfter": {
"HTTP_2": [
"Succeeded"
]
},
"type": "Query",
"inputs": {
"from": "@body('HTTP_2')?['value']",
"where": "@not(equals(item()?['mail'], null))"
}
},
"For_each_2": {
"foreach": "@body('HTTP')?['value']",
"actions": {
"Append_to_array_variable": {
"runAfter": {},
"type": "AppendToArrayVariable",
"inputs": {
"name": "simpleassignarray",
"value": "@items('For_each_2')?['properties']?['principalId']"
}
}
},
"runAfter": {
"HTTP": [
"Succeeded"
]
},
"type": "Foreach"
},
"For_each_3": {
"foreach": "@body('Filter_array')",
"actions": {
"Append_to_string_variable": {
"runAfter": {},
"type": "AppendToStringVariable",
"inputs": {
"name": "emailstring",
"value": "@{items('For_each_3')?['mail']};"
}
}
},
"runAfter": {
"Filter_array": [
"Succeeded"
]
},
"type": "Foreach"
},
"HTTP": {
"runAfter": {
"Parse_JSON": [
"Succeeded"
]
},
"type": "Http",
"inputs": {
"authentication": {
"audience": "https://management.azure.com",
"type": "ManagedServiceIdentity"
},
"method": "GET",
"uri": "https://management.azure.com/@{body('Run_query_and_list_results')['value'][0]['resourceId']}/providers/Microsoft.Authorization/roleAssignments?api-version=2018-09-01-preview"
}
},
"HTTP_2": {
"runAfter": {
"For_each_2": [
"Succeeded"
]
},
"type": "Http",
"inputs": {
"authentication": {
"audience": "https://graph.windows.net/",
"type": "ManagedServiceIdentity"
},
"body": {
"includeDirectoryObjectReferences": true,
"objectIds": "@variables('simpleassignarray')",
"types": [
"user"
]
},
"method": "POST",
"uri": "https://graph.windows.net/@{parameters('TenantID')}/getObjectsByObjectIds?api-version=1.6"
}
},
"Parse_JSON": {
"runAfter": {
"Run_query_and_list_results": [
"Succeeded"
]
},
"type": "ParseJson",
"inputs": {
"content": "@body('Run_query_and_list_results')?['value']",
"schema": {
"items": {
"properties": {
"AlertLink": {
"type": "string"
},
"AlertName": {
"type": "string"
},
"AlertSeverity": {
"type": "string"
},
"AlertType": {
"type": "string"
},
"ConfidenceLevel": {
"type": "string"
},
"ConfidenceScore": {},
"Description": {
"type": "string"
},
"DisplayName": {
"type": "string"
},
"EndTime": {
"type": "string"
},
"Entities": {
"type": "string"
},
"ExtendedLinks": {
"type": "string"
},
"ExtendedProperties": {
"type": "string"
},
"IsIncident": {
"type": "boolean"
},
"ProcessingEndTime": {
"type": "string"
},
"ProductComponentName": {
"type": "string"
},
"ProductName": {
"type": "string"
},
"ProviderName": {
"type": "string"
},
"RemediationSteps": {
"type": "string"
},
"ResourceId": {
"type": "string"
},
"SourceComputerId": {
"type": "string"
},
"SourceSystem": {
"type": "string"
},
"StartTime": {
"type": "string"
},
"SystemAlertId": {
"type": "string"
},
"TenantId": {
"type": "string"
},
"TimeGenerated": {
"type": "string"
},
"Type": {
"type": "string"
},
"VendorName": {
"type": "string"
},
"VendorOriginalId": {
"type": "string"
},
"WorkspaceResourceGroup": {
"type": "string"
},
"WorkspaceSubscriptionId": {
"type": "string"
},
"resourceprovider": {
"type": "string"
},
"resourcergname": {
"type": "string"
}
},
"required": [
"SystemAlertId",
"TimeGenerated",
"TenantId",
"DisplayName",
"AlertName",
"AlertSeverity",
"Description",
"ProviderName",
"VendorName",
"VendorOriginalId",
"ResourceId",
"SourceComputerId",
"AlertType",
"ConfidenceLevel",
"ConfidenceScore",
"IsIncident",
"StartTime",
"EndTime",
"ProcessingEndTime",
"RemediationSteps",
"ExtendedProperties",
"Entities",
"SourceSystem",
"WorkspaceSubscriptionId",
"WorkspaceResourceGroup",
"ExtendedLinks",
"ProductName",
"ProductComponentName",
"AlertLink",
"Type"
],
"type": "object"
},
"type": "array"
}
}
},
"Run_query_and_list_results": {
"runAfter": {},
"type": "ApiConnection",
"inputs": {
"body": "SecurityAlert\n| summarize arg_max(TimeGenerated, *) by SystemAlertId\n| where SystemAlertId in (\"@{items('For_each')}\")\n| where TimeGenerated >= ago (90d)",
"host": {
"connection": {
"name": "@parameters('$connections')['azuremonitorlogs']['connectionId']"
}
},
"method": "post",
"path": "/queryData",
"queries": {
"resourcegroups": "[parameters('AzureSentinelLogAnalyticsWorkspaceResourceGroupName')]",
"resourcename": "[parameters('AzureSentinelLogAnalyticsWorkspaceName')]",
"resourcetype": "Log Analytics Workspace",
"subscriptions": "[subscription().subscriptionId]",
"timerange": "Set in query"
}
}
},
"Send_an_email_(V2)": {
"runAfter": {
"For_each_3": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"body": {
"Body": "<p>SOC Analyst has found an issue that needs further investigation within the Azure resource.<br>\n<br>\nPlease read the following discovery report to take action: @{body('Parse_JSON')[0]?['AlertLink']}<br>\n<br>\nPlease contact your security team with Case: @{body('Alert_-_Get_incident')?['properties']?['CaseNumber']}</p>",
"Importance": "High",
"Subject": "Severity - @{body('Alert_-_Get_incident')?['properties']?['Severity']} - @{triggerBody()?['AlertDisplayName']}",
"To": "@variables('emailstring')"
},
"host": {
"connection": {
"name": "@parameters('$connections')['office365']['connectionId']"
}
},
"method": "post",
"path": "/v2/Mail"
}
}
},
"runAfter": {
"Initialize_variable_2": [
"Succeeded"
]
},
"type": "Foreach"
},
"Initialize_variable": {
"runAfter": {
"Alert_-_Get_incident": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "simpleassignarray",
"type": "array",
"value": []
}
]
}
},
"Initialize_variable_2": {
"runAfter": {
"Initialize_variable": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "emailstring",
"type": "string",
"value": "@{null}"
}
]
}
}
},
"outputs": {}
},
"parameters": {
"$connections": {
"value": {
"azuresentinel": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
"connectionName": "[variables('AzureSentinelConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
},
"azuremonitorlogs": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureMonitorLogsConnectionName'))]",
"connectionName": "[variables('AzureMonitorLogsConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuremonitorlogs')]"
},
"office365": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('office365ConnectionName'))]",
"connectionName": "office365",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/office365')]"
}
}
}
}
}
}
]
}
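Review bot: Recipients leak across alerts because `simpleassignarray` and `emailstring` are initialized once before `For_each` (`Initialize_variable`, `Initialize_variable_2`) and are only ever appended to inside it (`Append_to_array_variable`, `Append_to_string_variable`), so on the second `RelatedAlertIds` iteration `HTTP_2` re-resolves the first alert's principals and `Send_an_email_(V2)` mails alert 2 to alert 1's users plus duplicated addresses; if the loop is allowed to run concurrently (the default unless `runtimeConfiguration.concurrency` is set) the appends can also interleave between iterations. Reset both variables at the top of each iteration and pin the loop to sequential execution, as below. Separately, `HTTP` and the mail body index `body('Run_query_and_list_results')['value'][0]` without checking that the query returned anything, so an alert outside the 90-day window fails the whole run instead of being skipped — a `length(...)` condition before `HTTP` would make that explicit. `HTTP_2` calls the legacy Azure AD Graph endpoint (`graph.windows.net`, api-version 1.6); when it is moved to Microsoft Graph the README's "Directory readers" prerequisite will need revisiting. Finally, `"types": ["user"]` means principals granted access through a group or a service principal are silently dropped from the notification, which is worth stating in `metadata.comments`, e.g. `"... Only direct user role assignments are notified; group membership is not expanded."`.

```json
"For_each": {
    "foreach": "@body('Alert_-_Get_incident')?['properties']?['RelatedAlertIds']",
    "runtimeConfiguration": {
        "concurrency": {
            "repetitions": 1
        }
    },
    "actions": {
        "Reset_principal_ids": {
            "runAfter": {},
            "type": "SetVariable",
            "inputs": {
                "name": "simpleassignarray",
                "value": []
            }
        },
        "Reset_email_string": {
            "runAfter": {
                "Reset_principal_ids": [
                    "Succeeded"
                ]
            },
            "type": "SetVariable",
            "inputs": {
                "name": "emailstring",
                "value": ""
            }
        },
        "Run_query_and_list_results": {
            "runAfter": {
                "Reset_email_string": [
                    "Succeeded"
                ]
            },
            // … unchanged: type, inputs (query body, host, path, queries) …
        },
        // … unchanged: Parse_JSON, HTTP, For_each_2, HTTP_2, Filter_array, For_each_3, Send_an_email_(V2) …
    },
    // … unchanged: runAfter Initialize_variable_2, "type": "Foreach" …
```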


@ -0,0 +1,18 @@
# Notify-ASCAlertAzureResource
author: Nathan Swift
This playbook will notify all mail enabled users assigned RBAC on the Azure Resource via a ASC alert generated Sentinel Incident.
<a href="https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FNotify-ASCAlertAzureResource%2Fazuredeploy.json" target="_blank">
<img src="https://aka.ms/deploytoazurebutton"/>
</a>
<a href="https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FNotify-ASCAlertAzureResource%2Fazuredeploy.json" target="_blank">
<img src="https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/deploytoazuregov.png"/>
</a>
**Additional Post Install Notes:**
The Logic App uses a Managed System Identity (MSI) to authenticate and authorize against management.azure.com to obtain PrincipalIDs assigned to the Azure Resource. The MSI is also used to authenticate and authorize against graph.windows.net to obtains RBAC Objects by PrincipalIDs. Be sure to turn on the System Assigned Identity in the Logic App.
Assign RBAC 'Reader' role to the Logic App at the Subscription level.
Assign AAD Directory Role 'Directory readers' role to the Logic App.