Azure
/
Azure-Sentinel
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Restrict-MDATPFileHash (#653)

This commit is contained in:
dicolanl 2020-05-07 16:48:49 -04:00 коммит произвёл GitHub
Родитель 8fbebf7a4a
Коммит 2af80cf7eb
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: 4AEE18F83AFDEB23
2 изменённых файлов: 385 добавлений и 0 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

360
Playbooks/Restrict-MDATPFileHash/azuredeploy.json Normal file
Просмотреть файл

@ -0,0 +1,360 @@
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"comments": "This playbook will take FileHash entities and generate alert and block threat indicators for each file hash in MDATP for 90 days.",
"author": "Nicholas DiCola"
},
"parameters": {
"PlaybookName": {
"defaultValue": "Restrict-MDATPFileHash",
"type": "String"
},
"UserName": {
"defaultValue": "<username>@<domain>",
"type": "string"
}
},
"variables": {
"AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]"
},
"resources": [
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('AzureSentinelConnectionName')]",
"location": "[resourceGroup().location]",
"properties": {
"displayName": "[parameters('UserName')]",
"customParameterValues": {
},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
}
}
},
{
"type": "Microsoft.Logic/workflows",
"apiVersion": "2017-07-01",
"name": "[parameters('PlaybookName')]",
"location": "[resourceGroup().location]",
"tags": {
"LogicAppsCategory": "security"
},
"dependsOn": [
"[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]"
],
"identity": {
"type": "SystemAssigned"
},
"properties": {
"state": "Enabled",
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"actions": {
"Alert_-_Get_incident": {
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "get",
"path": "/Cases/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}"
},
"runAfter": {
},
"type": "ApiConnection"
},
"For_each": {
"actions": {
"Condition": {
"actions": {
"Switch": {
"cases": {
"Case": {
"actions": {
"HTTP": {
"inputs": {
"authentication": {
"audience": "https://api.securitycenter.windows.com/",
"type": "ManagedServiceIdentity"
},
"body": {
"action": "AlertAndBlock",
"application": "@{triggerBody()?['ProductName']}",
"description": "@{body('Alert_-_Get_incident')?['properties']?['Title']}",
"expirationTime": "@{addDays(triggerBody()?['TimeGenerated'], 90)}",
"indicatorType": "FileSha1",
"indicatorValue": "@{items('For_each')?['Value']}",
"severity": "@{body('Alert_-_Get_incident')?['properties']?['Severity']}",
"title": "@{guid()}"
},
"method": "POST",
"uri": "https://api.securitycenter.windows.com/api/indicators"
},
"runAfter": {
},
"type": "Http"
}
},
"case": "SHA1"
},
"Case_2": {
"actions": {
"HTTP_2": {
"inputs": {
"authentication": {
"audience": "https://api.securitycenter.windows.com/",
"type": "ManagedServiceIdentity"
},
"body": {
"action": "AlertAndBlock",
"application": "@{triggerBody()?['ProductName']}",
"description": "@{body('Alert_-_Get_incident')?['properties']?['Title']}",
"expirationTime": "@{addDays(triggerBody()?['TimeGenerated'], 90)}",
"indicatorType": "FileSha256",
"indicatorValue": "@{items('For_each')?['Value']}",
"severity": "@{body('Alert_-_Get_incident')?['properties']?['Severity']}",
"title": "@{guid()}"
},
"method": "POST",
"uri": "https://api.securitycenter.windows.com/api/indicators"
},
"runAfter": {
},
"type": "Http"
}
},
"case": "SHA256"
}
},
"default": {
"actions": {
}
},
"expression": "@items('For_each')?['Algorithm']",
"runAfter": {
},
"type": "Switch"
}
},
"expression": {
"and": [
{
"equals": [
"@items('For_each')['Type']",
"filehash"
]
}
]
},
"runAfter": {
},
"type": "If"
}
},
"foreach": "@body('Parse_JSON')",
"runAfter": {
"Parse_JSON": [
"Succeeded"
]
},
"type": "Foreach"
},
"Parse_JSON": {
"inputs": {
"content": "@triggerBody()?['Entities']",
"schema": {
"items": {
"properties": {
"$id": {
"type": "string"
},
"AadUserId": {
"type": "string"
},
"Account": {
"properties": {
"$ref": {
"type": "string"
}
},
"type": "object"
},
"Address": {
"type": "string"
},
"Algorithm": {
"type": "string"
},
"CommandLine": {
"type": "string"
},
"CreatedTimeUtc": {
"type": "string"
},
"CreationTimeUtc": {
"type": "string"
},
"Directory": {
"type": "string"
},
"DnsDomain": {
"type": "string"
},
"ElevationToken": {
"type": "string"
},
"FileHashes": {
"items": {
"properties": {
"$ref": {
"type": "string"
}
},
"required": [
"$ref"
],
"type": "object"
},
"type": "array"
},
"Host": {
"properties": {
"$ref": {
"type": "string"
}
},
"type": "object"
},
"HostName": {
"type": "string"
},
"ImageFile": {
"properties": {
"$ref": {
"type": "string"
}
},
"type": "object"
},
"IsDomainJoined": {
"type": "boolean"
},
"IsDownloaded": {
"type": "boolean"
},
"IsPe": {
"type": "boolean"
},
"IsValid": {
"type": "boolean"
},
"LastAccessTimeUtc": {
"type": "string"
},
"LastWriteTimeUtc": {
"type": "string"
},
"MachineId": {
"type": "string"
},
"MachineIdType": {
"type": "integer"
},
"NTDomain": {
"type": "string"
},
"Name": {
"type": "string"
},
"ParentProcess": {
"properties": {
"$ref": {
"type": "string"
}
},
"type": "object"
},
"ProcessId": {
"type": "string"
},
"Sid": {
"type": "string"
},
"SizeInBytes": {
"type": "integer"
},
"Type": {
"type": "string"
},
"UPNSuffix": {
"type": "string"
},
"Url": {
"type": "string"
},
"Value": {
"type": "string"
}
},
"required": [
"$id",
"Type"
],
"type": "object"
},
"type": "array"
}
},
"runAfter": {
"Alert_-_Get_incident": [
"Succeeded"
]
},
"type": "ParseJson"
}
},
"contentVersion": "1.0.0.0",
"outputs": {
},
"parameters": {
"$connections": {
"defaultValue": {
},
"type": "Object"
}
},
"triggers": {
"When_a_response_to_an_Azure_Sentinel_alert_is_triggered": {
"inputs": {
"body": {
"callback_url": "@{listCallbackUrl()}"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"path": "/subscribe"
},
"type": "ApiConnectionWebhook"
}
}
},
"parameters": {
"$connections": {
"value": {
"azuresentinel": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
"connectionName": "[variables('AzureSentinelConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
}
}
}
}
}
}
]
}

25
Playbooks/Restrict-MDATPFileHash/readme.md Normal file
Просмотреть файл

@ -0,0 +1,25 @@
# Restrict-MDATPFileHash
author: Nicholas DiCola
This playbook will take FileHash entities and generate alert and block threat indicators for each file hash in MDATP for 90 days.
<a href="https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FRestrict-MDATPFileHash%2Fazuredeploy.json" target="_blank">
<img src="http://azuredeploy.net/deploybutton.png"/>
</a>
<a href="https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FRestrict-MDATPFileHash%2Fazuredeploy.json" target="_blank">
<img src="https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/deploytoazuregov.png"/>
</a>
**Additional Post Install Notes:**
The Logic App creates and uses a Managed System Identity (MSI) to authenticate and authorize against api.securitycenter.windows.com to update threat indicators.
The MSI must be assigned API Permissions 'Ti.ReadWrite' to WindowsDefenderATP App. To assign use PowerShell and AzureAD Module. Run the following commands:
$msi = Get-AzureADServicePrincipal | ?{$_.DisplayName -ieq "Restrict-MDATPUrl"}
$graph = Get-AzureADServicePrincipal -Filter "AppId eq 'fc780465-2017-40d4-a0c5-307022471b92'"
$roles = $graph.AppRoles | ?{$_.Value -imatch "Ti.ReadWrite" }
Foreach ($role in $roles){
New-AzureADServiceAppRoleAssignment -ObjectId $msi.ObjectId -PrincipalId $msi.ObjectId -Id $role.Id -ResourceId $graph.ObjectId
}