diff --git a/DataConnectors/CohesitySecurity/Helios2Sentinel/Helios2Sentinel.sln "b/Solutions/CohesitySecurity/Data\\ Connectors/Helios2Sentinel/Helios2Sentinel.sln" similarity index 100% rename from DataConnectors/CohesitySecurity/Helios2Sentinel/Helios2Sentinel.sln rename to "Solutions/CohesitySecurity/Data\\ Connectors/Helios2Sentinel/Helios2Sentinel.sln" diff --git a/DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentConsumer/IncidentConsumer.cs "b/Solutions/CohesitySecurity/Data\\ Connectors/Helios2Sentinel/IncidentConsumer/IncidentConsumer.cs" similarity index 100% rename from DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentConsumer/IncidentConsumer.cs rename to "Solutions/CohesitySecurity/Data\\ Connectors/Helios2Sentinel/IncidentConsumer/IncidentConsumer.cs" diff --git a/DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentConsumer/IncidentConsumer.csproj "b/Solutions/CohesitySecurity/Data\\ Connectors/Helios2Sentinel/IncidentConsumer/IncidentConsumer.csproj" similarity index 100% rename from DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentConsumer/IncidentConsumer.csproj rename to "Solutions/CohesitySecurity/Data\\ Connectors/Helios2Sentinel/IncidentConsumer/IncidentConsumer.csproj" diff --git a/DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentConsumer/host.json "b/Solutions/CohesitySecurity/Data\\ Connectors/Helios2Sentinel/IncidentConsumer/host.json" similarity index 100% rename from DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentConsumer/host.json rename to "Solutions/CohesitySecurity/Data\\ Connectors/Helios2Sentinel/IncidentConsumer/host.json" 
diff --git a/DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentConsumer/local.settings.json "b/Solutions/CohesitySecurity/Data\\ Connectors/Helios2Sentinel/IncidentConsumer/local.settings.json" similarity index 100% rename from DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentConsumer/local.settings.json rename to "Solutions/CohesitySecurity/Data\\ Connectors/Helios2Sentinel/IncidentConsumer/local.settings.json" diff --git a/DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentConsumer/readme.md "b/Solutions/CohesitySecurity/Data\\ Connectors/Helios2Sentinel/IncidentConsumer/readme.md" similarity index 90% rename from DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentConsumer/readme.md rename to "Solutions/CohesitySecurity/Data\\ Connectors/Helios2Sentinel/IncidentConsumer/readme.md" index 3113ffe71a..efd3278886 100644 --- a/DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentConsumer/readme.md +++ "b/Solutions/CohesitySecurity/Data\\ Connectors/Helios2Sentinel/IncidentConsumer/readme.md" 
@@ -3,11 +3,11 @@ This function picks alerts from the queue and creates the corresponding records ## Publishing Prerequisites 1. Create your Sentinel [workspace](https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel). -* __Attention__: It should be the same workspace as created for [IncidentProducer](https://raw.githubusercontent.com/cohesity/Azure-Sentinel/CohesitySecurity.internal/DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentProducer/readme.md). +* __Attention__: It should be the same workspace as created for [IncidentProducer](https://raw.githubusercontent.com/cohesity/Azure-Sentinel/CohesitySecurity.internal/Solutions/CohesitySecurity/Data\ Connectors/Helios2Sentinel/IncidentProducer/readme.md). 2. [Register](https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/RegisteredApps) a client application in Azure Active Directory with the Contributor privileges ([steps](https://learn.microsoft.com/azure/healthcare-apis/register-application)). * Save _Application (client) ID_, _Directory (tenant) ID_ and _Secret Value_. 3. Create a new queue in [Azure Storage Accounts](https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Storage%2FStorageAccounts) ([steps](https://learn.microsoft.com/azure/storage/queues/storage-quickstart-queues-portal)). -* __Attention__: It should be the same queue as created for [IncidentProducer](https://raw.githubusercontent.com/cohesity/Azure-Sentinel/CohesitySecurity.internal/DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentProducer/readme.md). +* __Attention__: It should be the same queue as created for [IncidentProducer](https://raw.githubusercontent.com/cohesity/Azure-Sentinel/CohesitySecurity.internal/Solutions/CohesitySecurity/Data\ Connectors/Helios2Sentinel/IncidentProducer/readme.md). * Save the connection string 4. 
Choose your [resource group](https://portal.azure.com/#view/HubsExtension/BrowseResourceGroups) that you are going to use for the function app. 5. Choose your [subscription](https://portal.azure.com/#view/Microsoft_Azure_Billing/SubscriptionsBlade) that you are going to use for the function app. @@ -38,4 +38,4 @@ followed by * Confirm the restart. ## Testing -Check that the function successfully runs at _IncidentConsumer | Functions | Monitor_. If not, please check that you created all environment variables correctly by comparing their names with the ones in [local.settings.json](https://github.com/cohesity/Azure-Sentinel/blob/CohesitySecurity.internal/DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentConsumer/local.settings.json). +Check that the function successfully runs at _IncidentConsumer | Functions | Monitor_. If not, please check that you created all environment variables correctly by comparing their names with the ones in [local.settings.json](https://github.com/cohesity/Azure-Sentinel/blob/CohesitySecurity.internal/Solutions/CohesitySecurity/Data\ Connectors/Helios2Sentinel/IncidentConsumer/local.settings.json). diff --git a/DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentProducer/IncidentProducer.cs "b/Solutions/CohesitySecurity/Data\\ Connectors/Helios2Sentinel/IncidentProducer/IncidentProducer.cs" similarity index 100% rename from DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentProducer/IncidentProducer.cs rename to "Solutions/CohesitySecurity/Data\\ Connectors/Helios2Sentinel/IncidentProducer/IncidentProducer.cs" 
diff --git a/DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentProducer/IncidentProducer.csproj "b/Solutions/CohesitySecurity/Data\\ Connectors/Helios2Sentinel/IncidentProducer/IncidentProducer.csproj" similarity index 100% rename from DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentProducer/IncidentProducer.csproj rename to "Solutions/CohesitySecurity/Data\\ Connectors/Helios2Sentinel/IncidentProducer/IncidentProducer.csproj" diff --git a/DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentProducer/host.json "b/Solutions/CohesitySecurity/Data\\ Connectors/Helios2Sentinel/IncidentProducer/host.json" similarity index 100% rename from DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentProducer/host.json rename to "Solutions/CohesitySecurity/Data\\ Connectors/Helios2Sentinel/IncidentProducer/host.json" diff --git a/DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentProducer/local.settings.json "b/Solutions/CohesitySecurity/Data\\ Connectors/Helios2Sentinel/IncidentProducer/local.settings.json" similarity index 100% rename from DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentProducer/local.settings.json rename to "Solutions/CohesitySecurity/Data\\ Connectors/Helios2Sentinel/IncidentProducer/local.settings.json" diff --git a/DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentProducer/readme.md "b/Solutions/CohesitySecurity/Data\\ Connectors/Helios2Sentinel/IncidentProducer/readme.md" similarity index 91% rename from DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentProducer/readme.md rename to "Solutions/CohesitySecurity/Data\\ Connectors/Helios2Sentinel/IncidentProducer/readme.md" index 39b3163677..38389d1f20 100644 --- a/DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentProducer/readme.md +++ "b/Solutions/CohesitySecurity/Data\\ Connectors/Helios2Sentinel/IncidentProducer/readme.md" 
@@ -10,11 +10,11 @@ This function retrieves ransomware alerts from Cohesity DataHawk and lands them * Enter a name for the API key. * Select _Save_. The API Key Token is displayed. 2. Create your Sentinel [workspace](https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel). -* __Attention__: It should be the same workspace as created for [IncidentConsumer](https://github.com/cohesity/Azure-Sentinel/tree/CohesitySecurity.internal/DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentConsumer#readme). +* __Attention__: It should be the same workspace as created for [IncidentConsumer](https://github.com/cohesity/Azure-Sentinel/tree/CohesitySecurity.internal/Solutions/CohesitySecurity/Data\ Connectors/Helios2Sentinel/IncidentConsumer#readme). 3. [Register](https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/RegisteredApps) a client application in Azure Active Directory with the Contributor privileges ([steps](https://learn.microsoft.com/azure/healthcare-apis/register-application)). * Save _Application (client) ID_, _Directory (tenant) ID_ and _Secret Value_. 4. Create a new queue in [Azure Storage Accounts](https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Storage%2FStorageAccounts) ([steps](https://learn.microsoft.com/azure/storage/queues/storage-quickstart-queues-portal)). -* __Attention__: It should be the same workspace as created for [IncidentConsumer](https://github.com/cohesity/Azure-Sentinel/tree/CohesitySecurity.internal/DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentConsumer#readme). +* __Attention__: It should be the same workspace as created for [IncidentConsumer](https://github.com/cohesity/Azure-Sentinel/tree/CohesitySecurity.internal/Solutions/CohesitySecurity/Data\ Connectors/Helios2Sentinel/IncidentConsumer#readme). * Save the connection string 5. 
Create an instance of [Azure Cache for Redis](https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Cache%2FRedis) ([steps](https://learn.microsoft.com/azure/azure-cache-for-redis/cache-configure)) * Save the connection string @@ -43,4 +43,4 @@ followed by * Confirm the restart. ## Testing -Check that the function successfully runs at _IncidentProducer | Functions | Monitor_. If not, please check that you created all environment variables correctly by comparing their names with the ones in [local.settings.json](https://github.com/cohesity/Azure-Sentinel/blob/CohesitySecurity.internal/DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentProducer/local.settings.json). +Check that the function successfully runs at _IncidentProducer | Functions | Monitor_. If not, please check that you created all environment variables correctly by comparing their names with the ones in [local.settings.json](https://github.com/cohesity/Azure-Sentinel/blob/CohesitySecurity.internal/Solutions/CohesitySecurity/Data\ Connectors/Helios2Sentinel/IncidentProducer/local.settings.json). diff --git a/DataConnectors/CohesitySecurity/Helios2Sentinel/readme.md "b/Solutions/CohesitySecurity/Data\\ Connectors/Helios2Sentinel/readme.md" similarity index 76% rename from DataConnectors/CohesitySecurity/Helios2Sentinel/readme.md rename to "Solutions/CohesitySecurity/Data\\ Connectors/Helios2Sentinel/readme.md" index 0d77bb89c1..d0e7757d23 100644 --- a/DataConnectors/CohesitySecurity/Helios2Sentinel/readme.md +++ "b/Solutions/CohesitySecurity/Data\\ Connectors/Helios2Sentinel/readme.md" 
@@ -9,5 +9,5 @@ Before deployment, please make sure that all prerequisites and pre-deployment st * Install [azure-functions-core-tools](https://docs.microsoft.com/azure/azure-functions/functions-run-local). ## Deployment -* Deploy [IncidentProducer](https://github.com/cohesity/Azure-Sentinel/tree/CohesitySecurity.internal/DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentProducer#readme) function. -* Deploy [IncidentConsumer](https://github.com/cohesity/Azure-Sentinel/tree/CohesitySecurity.internal/DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentConsumer#readme) function. +* Deploy [IncidentProducer](https://github.com/cohesity/Azure-Sentinel/tree/CohesitySecurity.internal/Solutions/CohesitySecurity/Data\ Connectors/Helios2Sentinel/IncidentProducer#readme) function. +* Deploy [IncidentConsumer](https://github.com/cohesity/Azure-Sentinel/tree/CohesitySecurity.internal/Solutions/CohesitySecurity/Data\ Connectors/Helios2Sentinel/IncidentConsumer#readme) function. diff --git a/Solutions/CohesitySecurity/Package/createUiDefinition.json b/Solutions/CohesitySecurity/Package/createUiDefinition.json index 96704e2316..4e5bb5b4e3 100644 --- a/Solutions/CohesitySecurity/Package/createUiDefinition.json +++ b/Solutions/CohesitySecurity/Package/createUiDefinition.json @@ -138,7 +138,7 @@ { "name": "playbook3", "type": "Microsoft.Common.Section", - "label": "SNOW-CreateAndUpdateIncident", + "label": "Cohesity_CreateOrUpdate_ServiceNow_Incident", "elements": [ { "name": "playbook3-text", @@ -151,7 +151,7 @@ "name": "playbook3-PlaybookName", "type": "Microsoft.Common.TextBox", "label": "Playbook Name", - "defaultValue": "SNOW-CreateAndUpdateIncident", + "defaultValue": "Cohesity_CreateOrUpdate_ServiceNow_Incident", "toolTip": "Resource name for the logic app playbook. No spaces are allowed", "constraints": { "required": true, 
diff --git a/Solutions/CohesitySecurity/Package/mainTemplate.json b/Solutions/CohesitySecurity/Package/mainTemplate.json index 1404653267..89640e685e 100644 --- a/Solutions/CohesitySecurity/Package/mainTemplate.json +++ b/Solutions/CohesitySecurity/Package/mainTemplate.json 
@@ -1,1217 +1,1306 @@ { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "author": "Cohesity - support@cohesity.com", - "comments": "Solution template for CohesitySecurity" + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "author": "Cohesity - support@cohesity.com", + "comments": "Solution template for CohesitySecurity" + }, + "parameters": { + "location": { + "type": "string", + "minLength": 1, + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace" + } }, - "parameters": { - "location": { - "type": "string", - "minLength": 1, - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace" + "workspace-location": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" + } + }, + "workspace": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" + } + }, + "playbook1-PlaybookName": { + "defaultValue": "My_Cohesity_Send_Incident_Email", + "type": "string", + "minLength": 1, + "metadata": { + "description": "Resource name for the logic app playbook. 
No spaces are allowed" + } + }, + "playbook1-EmailID": { + "defaultValue": "", + "type": "string", + "minLength": 1 + }, + "playbook2-PlaybookName": { + "defaultValue": "My_Cohesity_Restore_From_Last_Snapshot", + "type": "string", + "minLength": 1, + "metadata": { + "description": "Resource name for the logic app playbook. No spaces are allowed" + } + }, + "playbook3-PlaybookName": { + "defaultValue": "Cohesity_CreateOrUpdate_ServiceNow_Incident", + "type": "string", + "minLength": 1, + "metadata": { + "description": "Resource name for the logic app playbook. No spaces are allowed" + } + } + }, + "variables": { + "playbook1-Cohesity_Send_Incident_Email": "playbook1-Cohesity_Send_Incident_Email", + "_playbook1-Cohesity_Send_Incident_Email": "[variables('playbook1-Cohesity_Send_Incident_Email')]", + "playbook1-MicrosoftSentinelConnectionName": "[concat('MicrosoftSentinel-', parameters('playbook1-PlaybookName'))]", + "playbook1-OutlookConnectionName": "[concat('Outlook-', parameters('playbook1-PlaybookName'))]", + "playbook-1-connection-2": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/Azuresentinel')]", + "_playbook-1-connection-2": "[variables('playbook-1-connection-2')]", + "playbook-1-connection-3": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/Outlook')]", + "_playbook-1-connection-3": "[variables('playbook-1-connection-3')]", + "playbook2-Cohesity_Restore_From_Last_Snapshot": "playbook2-Cohesity_Restore_From_Last_Snapshot", + "_playbook2-Cohesity_Restore_From_Last_Snapshot": "[variables('playbook2-Cohesity_Restore_From_Last_Snapshot')]", + "playbook2-AzureblobConnectionName": "[concat('Azureblob-', parameters('playbook2-PlaybookName'))]", + "playbook2-MicrosoftSentinelConnectionName": "[concat('MicrosoftSentinel-', parameters('playbook2-PlaybookName'))]", + 
"playbook2-KeyvaultConnectionName": "[concat('Keyvault-', parameters('playbook2-PlaybookName'))]", + "playbook-2-connection-2": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/Azureblob')]", + "_playbook-2-connection-2": "[variables('playbook-2-connection-2')]", + "playbook-2-connection-4": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/Keyvault')]", + "_playbook-2-connection-4": "[variables('playbook-2-connection-4')]", + "playbook3-Cohesity_CreateOrUpdate_ServiceNow_Incident": "playbook3-Cohesity_CreateOrUpdate_ServiceNow_Incident", + "_playbook3-Cohesity_CreateOrUpdate_ServiceNow_Incident": "[variables('playbook3-Cohesity_CreateOrUpdate_ServiceNow_Incident')]", + "playbook3-MicrosoftsentinelConnectionName": "[concat('Microsoftsentinel-', parameters('playbook3-PlaybookName'))]", + "playbook3-ServiceNowConnectionName": "[concat('Service-Now-', parameters('playbook3-PlaybookName'))]", + "playbook-3-connection-2": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/Microsoftsentinel')]", + "_playbook-3-connection-2": "[variables('playbook-3-connection-2')]", + "playbook-3-connection-3": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/Service-Now')]", + "_playbook-3-connection-3": "[variables('playbook-3-connection-3')]", + "sourceId": "cohesity.cohesity_sentinel_data_connector", + "_sourceId": "[variables('sourceId')]" + }, + "resources": [ + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.@{variables('azureManagementUrl')}/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + 
"contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + }, + "EmailID": { + "defaultValue": "[parameters('playbook1-EmailID')]", + "type": "string" } - }, - "workspace-location": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" + }, + "triggers": { + "Microsoft_Sentinel_incident": { + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "path": "/incident-creation" + } } - }, - "workspace": { - "defaultValue": "", - "type": "string", - "metadata": { - "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" + }, + "actions": { + "Initialize_variable": { + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "EmailBody", + "type": "string" + } + ] + } + }, + "Send_email_(V2)": { + "runAfter": { + "Set_variable_2": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "Body": "
@{variables('EmailBody')}
", + "Importance": "Normal", + "Subject": "Cohesity Alert", + "To": "@parameters('playbook1-EmailID')" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['outlook']['connectionId']" + } + }, + "method": "post", + "path": "/v2/Mail" + } + }, + "Set_variable_2": { + "runAfter": { + "Initialize_variable": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "EmailBody", + "value": "Hello SecurityTeam,
You have a Cohesity incident from Azure Sentinel. Below is information:
Please review and update incident accordingly.
Cohesity Team
" + } } + } }, - "playbook1-PlaybookName": { - "defaultValue": "My_Cohesity_Send_Incident_Email", - "type": "string", - "minLength": 1, - "metadata": { - "description": "Resource name for the logic app playbook. No spaces are allowed" - } - }, - "playbook1-EmailID": { - "defaultValue": "", - "type": "string", - "minLength": 1 - }, - "playbook2-PlaybookName": { - "defaultValue": "My_Cohesity_Restore_From_Last_Snapshot", - "type": "string", - "minLength": 1, - "metadata": { - "description": "Resource name for the logic app playbook. No spaces are allowed" - } - }, - "playbook3-PlaybookName": { - "defaultValue": "SNOW-CreateAndUpdateIncident", - "type": "string", - "minLength": 1, - "metadata": { - "description": "Resource name for the logic app playbook. No spaces are allowed" + "parameters": { + "$connections": { + "value": { + "azuresentinel": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('playbook1-MicrosoftSentinelConnectionName'))]", + "connectionName": "[variables('playbook1-MicrosoftSentinelConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/Azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + }, + "outlook": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('playbook1-OutlookConnectionName'))]", + "connectionName": "[variables('playbook1-OutlookConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/Outlook')]" + } } + } } + }, + "name": "[parameters('playbook1-PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[parameters('workspace-location')]", + "tags": { + "hidden-SentinelTemplateName": "My_Cohesity_Send_Incident_Email", + "hidden-SentinelTemplateVersion": "1.0" + }, + "identity": { + 
"type": "SystemAssigned" + }, + "apiVersion": "2019-05-01", + "dependsOn": [ + "[resourceId('Microsoft.Web/connections', variables('playbook1-MicrosoftSentinelConnectionName'))]", + "[resourceId('Microsoft.Web/connections', variables('playbook1-OutlookConnectionName'))]" + ] }, - "variables": { - "playbook1-Cohesity_Send_Incident_Email": "playbook1-Cohesity_Send_Incident_Email", - "_playbook1-Cohesity_Send_Incident_Email": "[variables('playbook1-Cohesity_Send_Incident_Email')]", - "playbook1-MicrosoftSentinelConnectionName": "[concat('MicrosoftSentinel-', parameters('playbook1-PlaybookName'))]", - "playbook1-OutlookConnectionName": "[concat('Outlook-', parameters('playbook1-PlaybookName'))]", - "playbook-1-connection-2": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/Azuresentinel')]", - "_playbook-1-connection-2": "[variables('playbook-1-connection-2')]", - "playbook-1-connection-3": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/Outlook')]", - "_playbook-1-connection-3": "[variables('playbook-1-connection-3')]", - "playbook2-Cohesity_Restore_From_Last_Snapshot": "playbook2-Cohesity_Restore_From_Last_Snapshot", - "_playbook2-Cohesity_Restore_From_Last_Snapshot": "[variables('playbook2-Cohesity_Restore_From_Last_Snapshot')]", - "playbook2-AzureblobConnectionName": "[concat('Azureblob-', parameters('playbook2-PlaybookName'))]", - "playbook2-MicrosoftSentinelConnectionName": "[concat('MicrosoftSentinel-', parameters('playbook2-PlaybookName'))]", - "playbook-2-connection-2": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/Azureblob')]", - "_playbook-2-connection-2": "[variables('playbook-2-connection-2')]", - "playbook3-SNOW-CreateAndUpdateIncident": 
"playbook3-SNOW-CreateAndUpdateIncident", - "_playbook3-SNOW-CreateAndUpdateIncident": "[variables('playbook3-SNOW-CreateAndUpdateIncident')]", - "playbook3-MicrosoftsentinelConnectionName": "[concat('Microsoftsentinel-', parameters('playbook3-PlaybookName'))]", - "playbook3-ServiceNowConnectionName": "[concat('Service-Now-', parameters('playbook3-PlaybookName'))]", - "playbook-3-connection-3": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/Service-Now')]", - "_playbook-3-connection-3": "[variables('playbook-3-connection-3')]", - "sourceId": "cohesity.cohesity_sentinel_data_connector", - "_sourceId": "[variables('sourceId')]" + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('playbook1-MicrosoftSentinelConnectionName')]", + "location": "[parameters('workspace-location')]", + "kind": "V1", + "properties": { + "displayName": "[variables('playbook1-MicrosoftSentinelConnectionName')]", + "parameterValueType": "Alternative", + "api": { + "id": "[variables('_playbook-1-connection-2')]" + } + } }, - "resources": [{ - "properties": { - "provisioningState": "Succeeded", - "state": "Enabled", - "definition": { - "$schema": "https://schema.@{variables('azureManagementUrl')}/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "$connections": { - "type": "Object" - }, - "EmailID": { - "defaultValue": "[parameters('playbook1-EmailID')]", - "type": "string" - } - }, - "triggers": { - "Microsoft_Sentinel_incident": { - "type": "ApiConnectionWebhook", - "inputs": { - "body": { - "callback_url": "@{listCallbackUrl()}" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "path": "/incident-creation" - } - } - }, - "actions": { - "Initialize_variable": { - "type": "InitializeVariable", - "inputs": { - 
"variables": [{ - "name": "EmailBody", - "type": "string" - }] - } - }, - "Send_an_email_(V2)": { - "runAfter": { - "Set_variable": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "body": { - "Body": "@{variables('EmailBody')}
", - "Importance": "Normal", - "Subject": "Cohesity Alert", - "To": "@parameters('playbook1-EmailID')" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['outlook']['connectionId']" - } - }, - "method": "post", - "path": "/v2/Mail" - } - }, - "Set_variable": { - "runAfter": { - "Initialize_variable": [ - "Succeeded" - ] - }, - "type": "SetVariable", - "inputs": { - "name": "EmailBody", - "value": "Hello SecurityTeam,
You have a Cohesity incident from Azure Sentinel. Below is information:
Please review and update incident accordingly.
Cohesity Team
" - } - } - } + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('playbook1-OutlookConnectionName')]", + "location": "[parameters('workspace-location')]", + "kind": "V1", + "properties": { + "displayName": "[variables('playbook1-OutlookConnectionName')]", + "api": { + "id": "[variables('_playbook-1-connection-3')]" + } + } + }, + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.@{variables('azureManagementUrl')}/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + } + }, + "triggers": { + "Microsoft_Sentinel_incident": { + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" }, - "parameters": { - "$connections": { - "value": { - "azuresentinel": { - "connectionId": "[resourceId('Microsoft.Web/connections', variables('playbook1-MicrosoftSentinelConnectionName'))]", - "connectionName": "[variables('playbook1-MicrosoftSentinelConnectionName')]", - "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/Azuresentinel')]", - "connectionProperties": { - "authentication": { - "type": "ManagedServiceIdentity" - } - } - }, - "outlook": { - "connectionId": "[resourceId('Microsoft.Web/connections', variables('playbook1-OutlookConnectionName'))]", - "connectionName": "[variables('playbook1-OutlookConnectionName')]", - "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/Outlook')]" - } - } - } - } - }, - "name": "[parameters('playbook1-PlaybookName')]", - "type": "Microsoft.Logic/workflows", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-SentinelTemplateName": 
"My_Cohesity_Send_Incident_Email", - "hidden-SentinelTemplateVersion": "1.0" - }, - "identity": { - "type": "SystemAssigned" - }, - "apiVersion": "2019-05-01", - "dependsOn": [ - "[resourceId('Microsoft.Web/connections', variables('playbook1-MicrosoftSentinelConnectionName'))]", - "[resourceId('Microsoft.Web/connections', variables('playbook1-OutlookConnectionName'))]" - ] - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[variables('playbook1-MicrosoftSentinelConnectionName')]", - "location": "[parameters('workspace-location')]", - "kind": "V1", - "properties": { - "displayName": "[variables('playbook1-MicrosoftSentinelConnectionName')]", - "parameterValueType": "Alternative", - "api": { - "id": "[variables('_playbook-1-connection-2')]" - } - } - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[variables('playbook1-OutlookConnectionName')]", - "location": "[parameters('workspace-location')]", - "kind": "V1", - "properties": { - "displayName": "[variables('playbook1-OutlookConnectionName')]", - "api": { - "id": "[variables('_playbook-1-connection-3')]" - } - } - }, - { - "properties": { - "provisioningState": "Succeeded", - "state": "Enabled", - "definition": { - "$schema": "https://schema.@{variables('azureManagementUrl')}/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "$connections": { - "type": "Object" - } - }, - "triggers": { - "Microsoft_Sentinel_incident": { - "type": "ApiConnectionWebhook", - "inputs": { - "body": { - "callback_url": "@{listCallbackUrl()}" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "path": "/incident-creation" - } - } - }, - "actions": { - "Get_cid_from_blob_content": { - "runAfter": { - "Get_jobId_from_blob_content": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - 
"name": "@parameters('$connections')['azureblob']['connectionId']" - } - }, - "method": "get", - "path": "/v2/datasets/@{encodeURIComponent(encodeURIComponent('AccountNameFromSettings'))}/GetFileContentByPath", - "queries": { - "inferContentType": true, - "path": "/extra-parameters/@{variables('helioID')}/cid", - "queryParametersSingleEncoded": true - } - } - }, - "Get_entityId_from_blob_content": { - "runAfter": { - "Get_jobInstanceId_from_blob_content": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['azureblob']['connectionId']" - } - }, - "method": "get", - "path": "/v2/datasets/@{encodeURIComponent(encodeURIComponent('AccountNameFromSettings'))}/GetFileContentByPath", - "queries": { - "inferContentType": true, - "path": "/extra-parameters/@{variables('helioID')}/entityId", - "queryParametersSingleEncoded": true - } - } - }, - "Get_jobId_from_blob_content": { - "runAfter": { - "Initialize_HelioID": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['azureblob']['connectionId']" - } - }, - "method": "get", - "path": "/v2/datasets/@{encodeURIComponent(encodeURIComponent('AccountNameFromSettings'))}/GetFileContentByPath", - "queries": { - "inferContentType": true, - "path": "/extra-parameters/@{variables('helioID')}/jobId", - "queryParametersSingleEncoded": true - } - } - }, - "Get_jobInstanceId_from_blob_content": { - "runAfter": { - "Get_jobStartTimeUsecs_from_blob_content": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['azureblob']['connectionId']" - } - }, - "method": "get", - "path": "/v2/datasets/@{encodeURIComponent(encodeURIComponent('AccountNameFromSettings'))}/GetFileContentByPath", - "queries": { - "inferContentType": true, - "path": "/extra-parameters/@{variables('helioID')}/jobInstanceId", - 
"queryParametersSingleEncoded": true - } - } - }, - "Get_jobStartTimeUsecs_from_blob_content": { - "runAfter": { - "Get_cid_from_blob_content": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['azureblob']['connectionId']" - } - }, - "method": "get", - "path": "/v2/datasets/@{encodeURIComponent(encodeURIComponent('AccountNameFromSettings'))}/GetFileContentByPath", - "queries": { - "inferContentType": true, - "path": "/extra-parameters/@{variables('helioID')}/jobStartTimeUsecs", - "queryParametersSingleEncoded": true - } - } - }, - "Get_object_from_blob_content": { - "runAfter": { - "Get_entityId_from_blob_content": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['azureblob']['connectionId']" - } - }, - "method": "get", - "path": "/v2/datasets/@{encodeURIComponent(encodeURIComponent('AccountNameFromSettings'))}/GetFileContentByPath", - "queries": { - "inferContentType": true, - "path": "/extra-parameters/@{variables('helioID')}/object", - "queryParametersSingleEncoded": true - } - } - }, - "HTTP": { - "runAfter": { - "Get_object_from_blob_content": [ - "Succeeded" - ] - }, - "type": "Http", - "inputs": { - "body": { - "name": "Sentinel_triggered_restore_task_@{body('Get_object_from_blob_content')}", - "objects": [{ - "jobId": "@int(string(body('Get_jobId_from_blob_content')))", - "jobRunId": "@int(string(body('Get_jobInstanceId_from_blob_content')))", - "protectionSourceId": "@int(string(body('Get_entityId_from_blob_content')))", - "sourceName": "@{body('Get_object_from_blob_content')}", - "startedTimeUsecs": "@int(string(body('Get_jobStartTimeUsecs_from_blob_content')))" - }], - "type": "kRecoverVMs", - "vmwareParameters": { - "powerOffAndRenameExistingVm": true, - "poweredOn": true, - "prefix": "Recover-", - "recoveryProcessType": "kCopyRecovery", - "suffix": "-VM" - } - }, - "headers": { - 
"Content-Type": "application/json", - "apiKey": "33e44eac-ce99-46df-7f4e-9ac39446a66e", - "clusterid": "@{body('Get_cid_from_blob_content')}" - }, - "method": "POST", - "uri": "https://helios.cohesity.com/irisservices/api/v1/public/restore/recover" - } - }, - "Initialize_Description": { - "type": "InitializeVariable", - "inputs": { - "variables": [{ - "name": "description", - "type": "string", - "value": "@triggerBody()?['object']?['properties']?['description']" - }] - } - }, - "Initialize_HelioID": { - "runAfter": { - "Initialize_Description": [ - "Succeeded" - ] - }, - "type": "InitializeVariable", - "inputs": { - "variables": [{ - "name": "helioID", - "type": "string", - "value": "@{split(variables('description'), 'Helios ID: ')[1]}" - }] - } - } - } + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } }, - "parameters": { - "$connections": { - "value": { - "azureblob": { - "connectionId": "[resourceId('Microsoft.Web/connections', variables('playbook2-AzureblobConnectionName'))]", - "connectionName": "[variables('playbook2-AzureblobConnectionName')]", - "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/Azureblob')]" - }, - "azuresentinel": { - "connectionId": "[resourceId('Microsoft.Web/connections', variables('playbook2-MicrosoftSentinelConnectionName'))]", - "connectionName": "[variables('playbook2-MicrosoftSentinelConnectionName')]", - "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/Azuresentinel')]", - "connectionProperties": { - "authentication": { - "type": "ManagedServiceIdentity" - } - } - } - } + "path": "/incident-creation" + } + } + }, + "actions": { + "Get_cid_from_blob_content": { + "runAfter": { + "Get_jobId_from_blob_content": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { 
+ "host": { + "connection": { + "name": "@parameters('$connections')['azureblob']['connectionId']" + } + }, + "method": "get", + "path": "/v2/datasets/@{encodeURIComponent(encodeURIComponent('AccountNameFromSettings'))}/GetFileContentByPath", + "queries": { + "inferContentType": true, + "path": "/extra-parameters/@{variables('helioID')}/cid", + "queryParametersSingleEncoded": true + } + } + }, + "Get_entityId_from_blob_content": { + "runAfter": { + "Get_jobInstanceId_from_blob_content": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azureblob']['connectionId']" + } + }, + "method": "get", + "path": "/v2/datasets/@{encodeURIComponent(encodeURIComponent('AccountNameFromSettings'))}/GetFileContentByPath", + "queries": { + "inferContentType": true, + "path": "/extra-parameters/@{variables('helioID')}/entityId", + "queryParametersSingleEncoded": true + } + } + }, + "Get_jobId_from_blob_content": { + "runAfter": { + "Initialize_HelioID": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azureblob']['connectionId']" + } + }, + "method": "get", + "path": "/v2/datasets/@{encodeURIComponent(encodeURIComponent('AccountNameFromSettings'))}/GetFileContentByPath", + "queries": { + "inferContentType": true, + "path": "/extra-parameters/@{variables('helioID')}/jobId", + "queryParametersSingleEncoded": true + } + } + }, + "Get_jobInstanceId_from_blob_content": { + "runAfter": { + "Get_jobStartTimeUsecs_from_blob_content": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azureblob']['connectionId']" + } + }, + "method": "get", + "path": "/v2/datasets/@{encodeURIComponent(encodeURIComponent('AccountNameFromSettings'))}/GetFileContentByPath", + "queries": { + "inferContentType": true, + "path": 
"/extra-parameters/@{variables('helioID')}/jobInstanceId", + "queryParametersSingleEncoded": true + } + } + }, + "Get_jobStartTimeUsecs_from_blob_content": { + "runAfter": { + "Get_cid_from_blob_content": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azureblob']['connectionId']" + } + }, + "method": "get", + "path": "/v2/datasets/@{encodeURIComponent(encodeURIComponent('AccountNameFromSettings'))}/GetFileContentByPath", + "queries": { + "inferContentType": true, + "path": "/extra-parameters/@{variables('helioID')}/jobStartTimeUsecs", + "queryParametersSingleEncoded": true + } + } + }, + "Get_object_from_blob_content": { + "runAfter": { + "Get_entityId_from_blob_content": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azureblob']['connectionId']" + } + }, + "method": "get", + "path": "/v2/datasets/@{encodeURIComponent(encodeURIComponent('AccountNameFromSettings'))}/GetFileContentByPath", + "queries": { + "inferContentType": true, + "path": "/extra-parameters/@{variables('helioID')}/object", + "queryParametersSingleEncoded": true + } + } + }, + "Get_secret": { + "runAfter": { + "Get_object_from_blob_content": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['keyvault']['connectionId']" + } + }, + "method": "get", + "path": "/secrets/@{encodeURIComponent('ApiKey')}/value" + } + }, + "HTTP": { + "runAfter": { + "Get_secret": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "body": { + "name": "Sentinel_triggered_restore_task_@{body('Get_object_from_blob_content')}", + "objects": [ + { + "jobId": "@int(string(body('Get_jobId_from_blob_content')))", + "jobRunId": "@int(string(body('Get_jobInstanceId_from_blob_content')))", + "protectionSourceId": "@int(string(body('Get_entityId_from_blob_content')))", 
+ "sourceName": "@{body('Get_object_from_blob_content')}", + "startedTimeUsecs": "@int(string(body('Get_jobStartTimeUsecs_from_blob_content')))" } - } + ], + "type": "kRecoverVMs", + "vmwareParameters": { + "powerOffAndRenameExistingVm": true, + "poweredOn": true, + "prefix": "Recover-", + "recoveryProcessType": "kCopyRecovery", + "suffix": "-VM" + } + }, + "headers": { + "Content-Type": "application/json", + "apiKey": "@body('Get_secret')?['value']", + "clusterid": "@{body('Get_cid_from_blob_content')}" + }, + "method": "POST", + "uri": "https://helios.cohesity.com/irisservices/api/v1/public/restore/recover" + } }, - "name": "[parameters('playbook2-PlaybookName')]", - "type": "Microsoft.Logic/workflows", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-SentinelTemplateName": "Cohesity_Restore_From_Last_Snapshot", - "hidden-SentinelTemplateVersion": "1.0" + "Initialize_Description": { + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "description", + "type": "string", + "value": "@triggerBody()?['object']?['properties']?['description']" + } + ] + } }, - "identity": { - "type": "SystemAssigned" - }, - "apiVersion": "2019-05-01", - "dependsOn": [ - "[resourceId('Microsoft.Web/connections', variables('playbook2-AzureblobConnectionName'))]", - "[resourceId('Microsoft.Web/connections', variables('playbook2-MicrosoftSentinelConnectionName'))]" - ] - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[variables('playbook2-AzureblobConnectionName')]", - "location": "[parameters('workspace-location')]", - "kind": "V1", - "properties": { - "displayName": "[variables('playbook2-AzureblobConnectionName')]", - "api": { - "id": "[variables('_playbook-2-connection-2')]" - } + "Initialize_HelioID": { + "runAfter": { + "Initialize_Description": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "helioID", + "type": "string", + "value": 
"@{split(variables('description'), 'Helios ID: ')[1]}" + } + ] + } } + } }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[variables('playbook2-MicrosoftSentinelConnectionName')]", - "location": "[parameters('workspace-location')]", - "kind": "V1", - "properties": { - "displayName": "[variables('playbook2-MicrosoftSentinelConnectionName')]", - "parameterValueType": "Alternative", - "api": { - "id": "[variables('_playbook-1-connection-2')]" + "parameters": { + "$connections": { + "value": { + "azureblob": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('playbook2-AzureblobConnectionName'))]", + "connectionName": "[variables('playbook2-AzureblobConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/Azureblob')]" + }, + "azuresentinel": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('playbook2-MicrosoftSentinelConnectionName'))]", + "connectionName": "[variables('playbook2-MicrosoftSentinelConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/Azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } } + }, + "keyvault": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('playbook2-KeyvaultConnectionName'))]", + "connectionName": "[variables('playbook2-KeyvaultConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/Keyvault')]" + } } - }, - { - "properties": { - "provisioningState": "Succeeded", - "state": "Enabled", - "definition": { - "$schema": 
"https://schema.@{variables('azureManagementUrl')}/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "$connections": { - "type": "Object" - } + } + } + }, + "name": "[parameters('playbook2-PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[parameters('workspace-location')]", + "tags": { + "hidden-SentinelTemplateName": "Cohesity_Restore_From_Last_Snapshot", + "hidden-SentinelTemplateVersion": "1.0" + }, + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2019-05-01", + "dependsOn": [ + "[resourceId('Microsoft.Web/connections', variables('playbook2-AzureblobConnectionName'))]", + "[resourceId('Microsoft.Web/connections', variables('playbook2-MicrosoftSentinelConnectionName'))]", + "[resourceId('Microsoft.Web/connections', variables('playbook2-KeyvaultConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('playbook2-AzureblobConnectionName')]", + "location": "[parameters('workspace-location')]", + "kind": "V1", + "properties": { + "displayName": "[variables('playbook2-AzureblobConnectionName')]", + "api": { + "id": "[variables('_playbook-2-connection-2')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('playbook2-MicrosoftSentinelConnectionName')]", + "location": "[parameters('workspace-location')]", + "kind": "V1", + "properties": { + "displayName": "[variables('playbook2-MicrosoftSentinelConnectionName')]", + "parameterValueType": "Alternative", + "api": { + "id": "[variables('_playbook-1-connection-2')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('playbook2-KeyvaultConnectionName')]", + "location": "[parameters('workspace-location')]", + "kind": "V1", + "properties": { + "displayName": "[variables('playbook2-KeyvaultConnectionName')]", + "api": { + "id": 
"[variables('_playbook-2-connection-4')]" + } + } + }, + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.@{variables('azureManagementUrl')}/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + } + }, + "triggers": { + "Microsoft_Sentinel_incident": { + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" + } + }, + "path": "/incident-creation" + } + } + }, + "actions": { + "Condition_-_create_or_update_incident": { + "actions": { + "Create_Record": { + "runAfter": { + "Switch": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "comments": "Link to Microsoft Sentinel Incident: [code]Incident_URL[/code] ", + "description": "Incident description: @{triggerBody()?['object']?['properties']?['description']}; Severity: @{triggerBody()?['object']?['properties']?['severity']}; Alerts: @{join(triggerBody()?['object']?['properties']?['additionalData']?['alertProductNames'],'; ')};", + "impact": "@variables('Creation severity')", + "number": "@triggerBody()?['object']?['name']", + "short_description": "@triggerBody()?['object']?['properties']?['title']", + "urgency": "@variables('Creation severity')" }, - "triggers": { - "Microsoft_Sentinel_incident": { - "type": "ApiConnectionWebhook", - "inputs": { - "body": { - "callback_url": "@{listCallbackUrl()}" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" - } - }, - "path": "/incident-creation" - } - } + "host": { + "connection": { + "name": "@parameters('$connections')['service-now_1']['connectionId']" + } }, + "method": "post", + "path": "/api/now/v2/table/@{encodeURIComponent('incident')}", + 
"queries": { + "sysparm_display_value": true, + "sysparm_exclude_reference_link": false + } + } + }, + "Switch": { + "cases": { + "Case_Severity_High": { + "case": "High", + "actions": { + "Set_Severity_variable_to_High": { + "type": "SetVariable", + "inputs": { + "name": "Creation severity", + "value": "1" + } + } + } + }, + "Case_Severity_Medium": { + "case": "Medium", + "actions": { + "Set_Severity_variable_to_Medium": { + "type": "SetVariable", + "inputs": { + "name": "Creation severity", + "value": "2" + } + } + } + } + }, + "expression": "@triggerBody()?['object']?['properties']?['severity']", + "type": "Switch" + }, + "Update_incident": { + "runAfter": { + "Create_Record": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "tagsToAdd": { + "TagsToAdd": [ + { + "Tag": "SNOW System ID: @{body('Create_Record')?['result']?['sys_id']}" + } + ] + } + }, + "host": { + "connection": { + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" + } + }, + "method": "put", + "path": "/Incidents" + } + } + }, + "runAfter": { + "Initialize_variable_-_creation_severity": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "For_each": { + "foreach": "@triggerBody()?['object']?['properties']?['labels']", "actions": { - "Condition_-_create_or_update_incident": { + "Condition": { + "actions": { + "Condition_-_is_incident_closed": { "actions": { - "Create_Record": { - "runAfter": { - "Switch": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "body": { - "comments": "Link to Microsoft Sentinel Incident: [code]Incident_URL[/code] ", - "description": "Incident description: @{triggerBody()?['object']?['properties']?['description']}; Severity: @{triggerBody()?['object']?['properties']?['severity']}; Alerts: @{join(triggerBody()?['object']?['properties']?['additionalData']?['alertProductNames'],'; ')};", - "impact": "@variables('Creation severity')", - "number": 
"@triggerBody()?['object']?['name']", - "short_description": "@triggerBody()?['object']?['properties']?['title']", - "urgency": "@variables('Creation severity')" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['service-now_1']['connectionId']" - } - }, - "method": "post", - "path": "/api/now/v2/table/@{encodeURIComponent('incident')}", - "queries": { - "sysparm_display_value": true, - "sysparm_exclude_reference_link": false - } - } - }, - "Switch": { - "cases": { - "Case_Severity_High": { - "case": "High", - "actions": { - "Set_Severity_variable_to_High": { - "type": "SetVariable", - "inputs": { - "name": "Creation severity", - "value": "1" - } - } - } - }, - "Case_Severity_Medium": { - "case": "Medium", - "actions": { - "Set_Severity_variable_to_Medium": { - "type": "SetVariable", - "inputs": { - "name": "Creation severity", - "value": "2" - } - } - } - } - }, - "expression": "@triggerBody()?['object']?['properties']?['severity']", - "type": "Switch" - }, - "Update_incident": { - "runAfter": { - "Create_Record": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "tagsToAdd": { - "TagsToAdd": [{ - "Tag": "SNOW System ID: @{body('Create_Record')?['result']?['sys_id']}" - }] - } - }, - "host": { - "connection": { - "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" - } - }, - "method": "put", - "path": "/Incidents" + "Update_Record_-_Incident_closed": { + "type": "ApiConnection", + "inputs": { + "body": { + "caller_id": "@triggerBody()?['incidentUpdates']?['updatedBy']?['name']", + "close_code": "Resolved by Caller", + "close_notes": "Classification: @{triggerBody()?['object']?['properties']?['classification']} Classification reason: @{triggerBody()?['object']?['properties']?['classificationReason']} Classification comment: @{triggerBody()?['object']?['properties']?['classificationComment']}", + "state": "7" + }, + "host": { + 
"connection": { + "name": "@parameters('$connections')['service-now_1']['connectionId']" } + }, + "method": "put", + "path": "/api/now/v2/table/@{encodeURIComponent('incident')}/@{encodeURIComponent(variables('SNOW System ID'))}", + "queries": { + "sysparm_display_value": false, + "sysparm_exclude_reference_link": true + } } + } }, "runAfter": { - "Initialize_variable_-_creation_severity": [ - "Succeeded" - ] + "Set_variable_-_SNOW_System_ID": [ + "Succeeded" + ] }, "else": { - "actions": { - "For_each": { - "foreach": "@triggerBody()?['object']?['properties']?['labels']", - "actions": { - "Condition": { - "actions": { - "Condition_-_is_incident_closed": { - "actions": { - "Update_Record_-_Incident_closed": { - "type": "ApiConnection", - "inputs": { - "body": { - "caller_id": "@triggerBody()?['incidentUpdates']?['updatedBy']?['name']", - "close_code": "Resolved by Caller", - "close_notes": "Classification: @{triggerBody()?['object']?['properties']?['classification']} Classification reason: @{triggerBody()?['object']?['properties']?['classificationReason']} Classification comment: @{triggerBody()?['object']?['properties']?['classificationComment']}", - "state": "7" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['service-now_1']['connectionId']" - } - }, - "method": "put", - "path": "/api/now/v2/table/@{encodeURIComponent('incident')}/@{encodeURIComponent(variables('SNOW System ID'))}", - "queries": { - "sysparm_display_value": false, - "sysparm_exclude_reference_link": true - } - } - } - }, - "runAfter": { - "Set_variable_-_SNOW_System_ID": [ - "Succeeded" - ] - }, - "else": { - "actions": { - "Condition_-_alert_updated": { - "actions": { - "Compose_alert": { - "runAfter": { - "For_each_-_new_alert": [ - "Succeeded" - ] - }, - "type": "Compose", - "inputs": "Alerts: @{variables('New alert')}" - }, - "For_each_-_new_alert": { - "foreach": "@triggerBody()?['incidentUpdates']?['alerts']", - "actions": { - "Append_to_string_variable_-_alert": 
{ - "type": "AppendToStringVariable", - "inputs": { - "name": "New alert", - "value": "@concat(items('For_each_-_new_alert')?['properties']?['alertDisplayName'], '; ')" - } - } - }, - "type": "Foreach" - } - }, - "runAfter": { - "Condition_-_comment_updated": [ - "Succeeded" - ] - }, - "expression": { - "and": [{ - "contains": [ - "@triggerBody()?['incidentUpdates']?['updatedFields']", - "Alerts" - ] - }] - }, - "type": "If" - }, - "Condition_-_comment_updated": { - "actions": { - "Compose_comment": { - "runAfter": { - "For_each_-_new_comment": [ - "Succeeded" - ] - }, - "type": "Compose", - "inputs": "Comment: @{variables('New comments')}" - }, - "For_each_-_new_comment": { - "foreach": "@triggerBody()?['incidentUpdates']?['comments']", - "actions": { - "Append_to_string_variable_-_comment": { - "type": "AppendToStringVariable", - "inputs": { - "name": "New comments", - "value": "@concat(items('For_each_-_new_comment')?['properties']?['message'], '; ')" - } - } - }, - "type": "Foreach" - } - }, - "expression": { - "and": [{ - "contains": [ - "@triggerBody()?['incidentUpdates']?['updatedFields']", - "Comments" - ] - }] - }, - "type": "If" - }, - "Condition_-_owner_update": { - "actions": { - "Append_to_string_variable_-_owner": { - "type": "AppendToStringVariable", - "inputs": { - "name": "New owner", - "value": "@triggerBody()?['object']?['properties']?['owner']?['assignedTo']" - } - }, - "Compose_owner": { - "runAfter": { - "Append_to_string_variable_-_owner": [ - "Succeeded" - ] - }, - "type": "Compose", - "inputs": "Owner: @{variables('New owner')}" - } - }, - "runAfter": { - "Condition_-_tag_updated": [ - "Succeeded" - ] - }, - "expression": { - "and": [{ - "contains": [ - "@triggerBody()?['incidentUpdates']?['updatedFields']", - "Owner" - ] - }] - }, - "type": "If" - }, - "Condition_-_severity_update": { - "actions": { - "Append_to_string_variable_-_severity": { - "type": "AppendToStringVariable", - "inputs": { - "name": "New severity", - "value": 
"@triggerBody()?['object']?['properties']?['severity']" - } - }, - "Compose_severity": { - "runAfter": { - "Append_to_string_variable_-_severity": [ - "Succeeded" - ] - }, - "type": "Compose", - "inputs": "Severity: @{variables('New severity')}" - } - }, - "runAfter": { - "Condition_-_owner_update": [ - "Succeeded" - ] - }, - "expression": { - "and": [{ - "contains": [ - "@triggerBody()?['incidentUpdates']?['updatedFields']", - "Severity" - ] - }] - }, - "type": "If" - }, - "Condition_-_status_update": { - "actions": { - "Append_to_string_variable_-_status": { - "type": "AppendToStringVariable", - "inputs": { - "name": "New status", - "value": "@triggerBody()?['object']?['properties']?['status']" - } - }, - "Compose_status": { - "runAfter": { - "Append_to_string_variable_-_status": [ - "Succeeded" - ] - }, - "type": "Compose", - "inputs": "Status: @{variables('New status')}" - } - }, - "runAfter": { - "Condition_-_tactics_update": [ - "Succeeded" - ] - }, - "expression": { - "and": [{ - "contains": [ - "@triggerBody()?['incidentUpdates']?['updatedFields']", - "Status" - ] - }] - }, - "type": "If" - }, - "Condition_-_tactics_update": { - "actions": { - "Compose_tactics": { - "type": "Compose", - "inputs": "Tactics: @{join(triggerBody()?['incidentUpdates']?['tactics'], '; ')}" - } - }, - "runAfter": { - "Condition_-_severity_update": [ - "Succeeded" - ] - }, - "expression": { - "and": [{ - "contains": [ - "@triggerBody()?['incidentUpdates']?['updatedFields']", - "Tactics" - ] - }] - }, - "type": "If" - }, - "Condition_-_tag_updated": { - "actions": { - "Compose_tag": { - "runAfter": { - "For_each_-_new_tag": [ - "Succeeded" - ] - }, - "type": "Compose", - "inputs": "Tags: @{variables('New tag')}" - }, - "For_each_-_new_tag": { - "foreach": "@triggerBody()?['incidentUpdates']?['labels']", - "actions": { - "Append_to_string_variable_-_tag": { - "type": "AppendToStringVariable", - "inputs": { - "name": "New tag", - "value": 
"@concat(items('For_each_-_new_tag')?['labelName'], '; ')" - } - } - }, - "type": "Foreach" - } - }, - "runAfter": { - "Condition_-_alert_updated": [ - "Succeeded" - ] - }, - "expression": { - "and": [{ - "contains": [ - "@triggerBody()?['incidentUpdates']?['updatedFields']", - "Labels" - ] - }] - }, - "type": "If" - }, - "Update_Record_-_incident_not_closed": { - "runAfter": { - "Condition_-_status_update": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "body": { - "comments": "Microsoft Sentinel incident is updated: Update fields: @{join(triggerBody()?['incidentUpdates']?['updatedFields'], '; ')} Update by: @{triggerBody()?['incidentUpdates']?['updatedBy']?['name']} New values: @{outputs('Compose_alert')} @{outputs('Compose_severity')} @{outputs('Compose_owner')} @{outputs('Compose_status')} @{outputs('Compose_tag')} @{outputs('Compose_comment')} @{outputs('Compose_tactics')}" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['service-now_1']['connectionId']" - } - }, - "method": "put", - "path": "/api/now/v2/table/@{encodeURIComponent('incident')}/@{encodeURIComponent(variables('SNOW System ID'))}", - "queries": { - "sysparm_display_value": false, - "sysparm_exclude_reference_link": true - } - } - } - } - }, - "expression": { - "and": [{ - "equals": [ - "@triggerBody()?['object']?['properties']?['status']", - "Closed" - ] - }] - }, - "type": "If" - }, - "Set_variable_-_SNOW_System_ID": { - "type": "SetVariable", - "inputs": { - "name": "SNOW System ID", - "value": "@{split(items('For_each')?['labelName'],': ')[1]}" - } - } - }, - "expression": { - "and": [{ - "contains": [ - "@items('For_each')?['labelName']", - "SNOW" - ] - }] - }, - "type": "If" - } - }, - "type": "Foreach" + "actions": { + "Condition_-_alert_updated": { + "actions": { + "Compose_alert": { + "runAfter": { + "For_each_-_new_alert": [ + "Succeeded" + ] + }, + "type": "Compose", + "inputs": "Alerts: @{variables('New alert')}" + }, + 
"For_each_-_new_alert": { + "foreach": "@triggerBody()?['incidentUpdates']?['alerts']", + "actions": { + "Append_to_string_variable_-_alert": { + "type": "AppendToStringVariable", + "inputs": { + "name": "New alert", + "value": "@concat(items('For_each_-_new_alert')?['properties']?['alertDisplayName'], '; ')" + } + } + }, + "type": "Foreach" } + }, + "runAfter": { + "Condition_-_comment_updated": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "contains": [ + "@triggerBody()?['incidentUpdates']?['updatedFields']", + "Alerts" + ] + } + ] + }, + "type": "If" + }, + "Condition_-_comment_updated": { + "actions": { + "Compose_comment": { + "runAfter": { + "For_each_-_new_comment": [ + "Succeeded" + ] + }, + "type": "Compose", + "inputs": "Comment: @{variables('New comments')}" + }, + "For_each_-_new_comment": { + "foreach": "@triggerBody()?['incidentUpdates']?['comments']", + "actions": { + "Append_to_string_variable_-_comment": { + "type": "AppendToStringVariable", + "inputs": { + "name": "New comments", + "value": "@concat(items('For_each_-_new_comment')?['properties']?['message'], '; ')" + } + } + }, + "type": "Foreach" + } + }, + "expression": { + "and": [ + { + "contains": [ + "@triggerBody()?['incidentUpdates']?['updatedFields']", + "Comments" + ] + } + ] + }, + "type": "If" + }, + "Condition_-_owner_update": { + "actions": { + "Append_to_string_variable_-_owner": { + "type": "AppendToStringVariable", + "inputs": { + "name": "New owner", + "value": "@triggerBody()?['object']?['properties']?['owner']?['assignedTo']" + } + }, + "Compose_owner": { + "runAfter": { + "Append_to_string_variable_-_owner": [ + "Succeeded" + ] + }, + "type": "Compose", + "inputs": "Owner: @{variables('New owner')}" + } + }, + "runAfter": { + "Condition_-_tag_updated": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "contains": [ + "@triggerBody()?['incidentUpdates']?['updatedFields']", + "Owner" + ] + } + ] + }, + "type": "If" + }, + "Condition_-_severity_update": { 
+ "actions": { + "Append_to_string_variable_-_severity": { + "type": "AppendToStringVariable", + "inputs": { + "name": "New severity", + "value": "@triggerBody()?['object']?['properties']?['severity']" + } + }, + "Compose_severity": { + "runAfter": { + "Append_to_string_variable_-_severity": [ + "Succeeded" + ] + }, + "type": "Compose", + "inputs": "Severity: @{variables('New severity')}" + } + }, + "runAfter": { + "Condition_-_owner_update": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "contains": [ + "@triggerBody()?['incidentUpdates']?['updatedFields']", + "Severity" + ] + } + ] + }, + "type": "If" + }, + "Condition_-_status_update": { + "actions": { + "Append_to_string_variable_-_status": { + "type": "AppendToStringVariable", + "inputs": { + "name": "New status", + "value": "@triggerBody()?['object']?['properties']?['status']" + } + }, + "Compose_status": { + "runAfter": { + "Append_to_string_variable_-_status": [ + "Succeeded" + ] + }, + "type": "Compose", + "inputs": "Status: @{variables('New status')}" + } + }, + "runAfter": { + "Condition_-_tactics_update": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "contains": [ + "@triggerBody()?['incidentUpdates']?['updatedFields']", + "Status" + ] + } + ] + }, + "type": "If" + }, + "Condition_-_tactics_update": { + "actions": { + "Compose_tactics": { + "type": "Compose", + "inputs": "Tactics: @{join(triggerBody()?['incidentUpdates']?['tactics'], '; ')}" + } + }, + "runAfter": { + "Condition_-_severity_update": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "contains": [ + "@triggerBody()?['incidentUpdates']?['updatedFields']", + "Tactics" + ] + } + ] + }, + "type": "If" + }, + "Condition_-_tag_updated": { + "actions": { + "Compose_tag": { + "runAfter": { + "For_each_-_new_tag": [ + "Succeeded" + ] + }, + "type": "Compose", + "inputs": "Tags: @{variables('New tag')}" + }, + "For_each_-_new_tag": { + "foreach": "@triggerBody()?['incidentUpdates']?['labels']", + "actions": { + 
"Append_to_string_variable_-_tag": { + "type": "AppendToStringVariable", + "inputs": { + "name": "New tag", + "value": "@concat(items('For_each_-_new_tag')?['labelName'], '; ')" + } + } + }, + "type": "Foreach" + } + }, + "runAfter": { + "Condition_-_alert_updated": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "contains": [ + "@triggerBody()?['incidentUpdates']?['updatedFields']", + "Labels" + ] + } + ] + }, + "type": "If" + }, + "Update_Record_-_incident_not_closed": { + "runAfter": { + "Condition_-_status_update": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "comments": "Microsoft Sentinel incident is updated: Update fields: @{join(triggerBody()?['incidentUpdates']?['updatedFields'], '; ')} Update by: @{triggerBody()?['incidentUpdates']?['updatedBy']?['name']} New values: @{outputs('Compose_alert')} @{outputs('Compose_severity')} @{outputs('Compose_owner')} @{outputs('Compose_status')} @{outputs('Compose_tag')} @{outputs('Compose_comment')} @{outputs('Compose_tactics')}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['service-now_1']['connectionId']" + } + }, + "method": "put", + "path": "/api/now/v2/table/@{encodeURIComponent('incident')}/@{encodeURIComponent(variables('SNOW System ID'))}", + "queries": { + "sysparm_display_value": false, + "sysparm_exclude_reference_link": true + } + } } + } }, "expression": { - "and": [{ - "equals": [ - "@triggerBody()?['incidentUpdates']?['updatedFields']", - "@null" - ] - }] + "and": [ + { + "equals": [ + "@triggerBody()?['object']?['properties']?['status']", + "Closed" + ] + } + ] }, "type": "If" - }, - "Initialize_variable_-_SNOW_System_ID": { - "type": "InitializeVariable", + }, + "Set_variable_-_SNOW_System_ID": { + "type": "SetVariable", "inputs": { - "variables": [{ - "name": "SNOW System ID", - "type": "string" - }] + "name": "SNOW System ID", + "value": "@{split(items('For_each')?['labelName'],': ')[1]}" } + } }, - 
"Initialize_variable_-_alert": { - "runAfter": { - "Initialize_variable_-_comment": [ - "Succeeded" - ] - }, - "type": "InitializeVariable", - "inputs": { - "variables": [{ - "name": "New alert", - "type": "string" - }] + "expression": { + "and": [ + { + "contains": [ + "@items('For_each')?['labelName']", + "SNOW" + ] } + ] }, - "Initialize_variable_-_comment": { - "runAfter": { - "Initialize_variable_-_SNOW_System_ID": [ - "Succeeded" - ] - }, - "type": "InitializeVariable", - "inputs": { - "variables": [{ - "name": "New comments", - "type": "string" - }] - } - }, - "Initialize_variable_-_creation_severity": { - "runAfter": { - "Initialize_variable_-_status": [ - "Succeeded" - ] - }, - "type": "InitializeVariable", - "inputs": { - "variables": [{ - "name": "Creation severity", - "type": "string", - "value": "3" - }] - } - }, - "Initialize_variable_-_owner": { - "runAfter": { - "Initialize_variable_-_tag": [ - "Succeeded" - ] - }, - "type": "InitializeVariable", - "inputs": { - "variables": [{ - "name": "New owner", - "type": "string" - }] - } - }, - "Initialize_variable_-_severity": { - "runAfter": { - "Initialize_variable_-_owner": [ - "Succeeded" - ] - }, - "type": "InitializeVariable", - "inputs": { - "variables": [{ - "name": "New severity", - "type": "string" - }] - } - }, - "Initialize_variable_-_status": { - "runAfter": { - "Initialize_variable_-_severity": [ - "Succeeded" - ] - }, - "type": "InitializeVariable", - "inputs": { - "variables": [{ - "name": "New status", - "type": "string" - }] - } - }, - "Initialize_variable_-_tag": { - "runAfter": { - "Initialize_variable_-_alert": [ - "Succeeded" - ] - }, - "type": "InitializeVariable", - "inputs": { - "variables": [{ - "name": "New tag", - "type": "string" - }] - } - } - } - }, - "parameters": { - "$connections": { - "value": { - "microsoftsentinel": { - "connectionId": "[resourceId('Microsoft.Web/connections', variables('playbook3-MicrosoftsentinelConnectionName'))]", - "connectionName": 
"[variables('playbook3-MicrosoftsentinelConnectionName')]", - "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/Microsoftsentinel')]", - "connectionProperties": { - "authentication": { - "type": "ManagedServiceIdentity" - } - } - }, - "service-now_1": { - "connectionId": "[resourceId('Microsoft.Web/connections', variables('playbook3-ServiceNowConnectionName'))]", - "connectionName": "[variables('playbook3-ServiceNowConnectionName')]", - "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/Service-Now')]" - } - } - } + "type": "If" + } + }, + "type": "Foreach" + } } - }, - "name": "[parameters('playbook3-PlaybookName')]", - "type": "Microsoft.Logic/workflows", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-SentinelTemplateName": "SNOW-CreateAndUpdateIncident", - "hidden-SentinelTemplateVersion": "1.0" - }, - "identity": { - "type": "SystemAssigned" - }, - "apiVersion": "2019-05-01", - "dependsOn": [ - "[resourceId('Microsoft.Web/connections', variables('playbook3-MicrosoftsentinelConnectionName'))]", - "[resourceId('Microsoft.Web/connections', variables('playbook3-ServiceNowConnectionName'))]" - ] - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[variables('playbook3-MicrosoftsentinelConnectionName')]", - "location": "[parameters('workspace-location')]", - "kind": "V1", - "properties": { - "displayName": "[variables('playbook3-MicrosoftsentinelConnectionName')]", - "parameterValueType": "Alternative", - "api": { - "id": "[variables('_playbook-1-connection-2')]" - } - } - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[variables('playbook3-ServiceNowConnectionName')]", - "location": "[parameters('workspace-location')]", - "kind": "V1", - "properties": { - 
"displayName": "[variables('playbook3-ServiceNowConnectionName')]", - "api": { - "id": "[variables('_playbook-3-connection-3')]" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2021-03-01-preview", - "properties": { - "version": "2.0.0", - "kind": "Solution", - "contentId": "[variables('_sourceId')]", - "parentId": "[variables('_sourceId')]", - "source": { - "kind": "Solution", - "name": "CohesitySecurity", - "sourceId": "[variables('_sourceId')]" - }, - "author": { - "name": "Cohesity", - "email": "support@cohesity.com" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Partner", - "link": "https://support.cohesity.com" - }, - "dependencies": { - "operator": "AND", - "criteria": [{ - "kind": "Playbook", - "contentId": "[variables('_playbook1-Cohesity_Send_Incident_Email')]", - "version": "2.0.0" - }, - { - "kind": "Playbook", - "contentId": "[variables('_playbook2-Cohesity_Restore_From_Last_Snapshot')]", - "version": "2.0.0" - }, - { - "kind": "Playbook", - "contentId": "[variables('_playbook3-SNOW-CreateAndUpdateIncident')]", - "version": "2.0.0" - } + }, + "expression": { + "and": [ + { + "equals": [ + "@triggerBody()?['incidentUpdates']?['updatedFields']", + "@null" ] - }, - "firstPublishDate": "2022-10-10", - "providers": [ - "Cohesity" - ], - "categories": { - "domains": [ - "Security - Cloud Security", - "Security - Automation (SOAR)" - ] - } + } + ] + }, + "type": "If" }, - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_sourceId'))]" + "Initialize_variable_-_SNOW_System_ID": { + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "SNOW System ID", + "type": "string" + } + ] + } + }, + "Initialize_variable_-_alert": { + "runAfter": { + "Initialize_variable_-_comment": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "New alert", + "type": 
"string" + } + ] + } + }, + "Initialize_variable_-_comment": { + "runAfter": { + "Initialize_variable_-_SNOW_System_ID": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "New comments", + "type": "string" + } + ] + } + }, + "Initialize_variable_-_creation_severity": { + "runAfter": { + "Initialize_variable_-_status": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "Creation severity", + "type": "string", + "value": "3" + } + ] + } + }, + "Initialize_variable_-_owner": { + "runAfter": { + "Initialize_variable_-_tag": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "New owner", + "type": "string" + } + ] + } + }, + "Initialize_variable_-_severity": { + "runAfter": { + "Initialize_variable_-_owner": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "New severity", + "type": "string" + } + ] + } + }, + "Initialize_variable_-_status": { + "runAfter": { + "Initialize_variable_-_severity": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "New status", + "type": "string" + } + ] + } + }, + "Initialize_variable_-_tag": { + "runAfter": { + "Initialize_variable_-_alert": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "New tag", + "type": "string" + } + ] + } + } + } + }, + "parameters": { + "$connections": { + "value": { + "microsoftsentinel": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('playbook3-MicrosoftsentinelConnectionName'))]", + "connectionName": "[variables('playbook3-MicrosoftsentinelConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/Microsoftsentinel')]", + "connectionProperties": { + "authentication": 
{ + "type": "ManagedServiceIdentity" + } + } + }, + "service-now_1": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('playbook3-ServiceNowConnectionName'))]", + "connectionName": "[variables('playbook3-ServiceNowConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/Service-Now')]" + } + } + } } - ], - "outputs": {} + }, + "name": "[parameters('playbook3-PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[parameters('workspace-location')]", + "tags": { + "hidden-SentinelTemplateName": "Cohesity_CreateOrUpdate_ServiceNow_Incident", + "hidden-SentinelTemplateVersion": "1.0" + }, + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2019-05-01", + "dependsOn": [ + "[resourceId('Microsoft.Web/connections', variables('playbook3-MicrosoftsentinelConnectionName'))]", + "[resourceId('Microsoft.Web/connections', variables('playbook3-ServiceNowConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('playbook3-MicrosoftsentinelConnectionName')]", + "location": "[parameters('workspace-location')]", + "kind": "V1", + "properties": { + "displayName": "[variables('playbook3-MicrosoftsentinelConnectionName')]", + "parameterValueType": "Alternative", + "api": { + "id": "[variables('_playbook-3-connection-2')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('playbook3-ServiceNowConnectionName')]", + "location": "[parameters('workspace-location')]", + "kind": "V1", + "properties": { + "displayName": "[variables('playbook3-ServiceNowConnectionName')]", + "api": { + "id": "[variables('_playbook-3-connection-3')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2021-03-01-preview", + "properties": { + "version": "2.0.0", + "kind": 
"Solution", + "contentId": "[variables('_sourceId')]", + "parentId": "[variables('_sourceId')]", + "source": { + "kind": "Solution", + "name": "CohesitySecurity", + "sourceId": "[variables('_sourceId')]" + }, + "author": { + "name": "Cohesity", + "email": "support@cohesity.com" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Partner", + "link": "https://support.cohesity.com" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "kind": "Playbook", + "contentId": "[variables('_playbook1-Cohesity_Send_Incident_Email')]", + "version": "2.0.0" + }, + { + "kind": "Playbook", + "contentId": "[variables('_playbook2-Cohesity_Restore_From_Last_Snapshot')]", + "version": "2.0.0" + }, + { + "kind": "Playbook", + "contentId": "[variables('_playbook3-Cohesity_CreateOrUpdate_ServiceNow_Incident')]", + "version": "2.0.0" + } + ] + }, + "firstPublishDate": "2022-10-10", + "providers": [ + "Cohesity" + ], + "categories": { + "domains": [ + "Security - Cloud Security", + "Security - Automation (SOAR)" + ] + } + }, + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_sourceId'))]" + } + ], + "outputs": {} } diff --git a/Solutions/CohesitySecurity/Playbooks/SNOW-CreateAndUpdateIncident/azuredeploy.json b/Solutions/CohesitySecurity/Playbooks/Cohesity_CreateOrUpdate_ServiceNow_Incident/azuredeploy.json similarity index 99% rename from Solutions/CohesitySecurity/Playbooks/SNOW-CreateAndUpdateIncident/azuredeploy.json rename to Solutions/CohesitySecurity/Playbooks/Cohesity_CreateOrUpdate_ServiceNow_Incident/azuredeploy.json index b2a505246d..4cbe1225a6 100644 --- a/Solutions/CohesitySecurity/Playbooks/SNOW-CreateAndUpdateIncident/azuredeploy.json +++ b/Solutions/CohesitySecurity/Playbooks/Cohesity_CreateOrUpdate_ServiceNow_Incident/azuredeploy.json 
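Review bot: in the `Set_variable_-_SNOW_System_ID` action and its enclosing `If`, the branch condition is `contains(items('For_each')?['labelName'], 'SNOW')` while the value is taken with `split(items('For_each')?['labelName'],': ')[1]`, so any incident label that merely contains "SNOW" without a `: ` separator makes the index expression fail at run time, and whatever follows the separator in a tag that any Sentinel user can edit becomes the record targeted by the `Update_Record_-_incident_not_closed` PUT (`/api/now/v2/table/incident/@{encodeURIComponent(variables('SNOW System ID'))}`). Suggest tightening the condition to `startsWith(items('For_each')?['labelName'], 'SNOW System ID: ')` (the tag format the playbook readme describes) and checking that the extracted value has the shape of a ServiceNow sys_id (32 characters) before issuing the PUT. Also worth confirming: the `comments` body references `outputs('Compose_alert')`, `outputs('Compose_severity')` and the other Compose actions unconditionally, although each sits inside an `If` that is skipped unless its field appears in `updatedFields`; if a skipped action's outputs cannot be evaluated, a run that updates a single field fails here, and reading the always-initialized variables (`variables('New severity')` and so on) instead avoids that.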
@@ -20,7 +20,7 @@ }, "parameters": { "PlaybookName": { - "defaultValue": "SNOW-CreateAndUpdateIncident", + "defaultValue": "Cohesity_CreateOrUpdate_ServiceNow_Incident", "type": "string" } }, @@ -656,7 +656,7 @@ "type": "Microsoft.Logic/workflows", "location": "[resourceGroup().location]", "tags": { - "hidden-SentinelTemplateName": "SNOW-CreateAndUpdateIncident", + "hidden-SentinelTemplateName": "Cohesity_CreateOrUpdate_ServiceNow_Incident", "hidden-SentinelTemplateVersion": "1.0" }, "identity": { @@ -679,7 +679,7 @@ "customParameterValues": {}, "parameterValueType": "Alternative", "api": { - "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]" + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Microsoftsentinel')]" } } }, diff --git a/Solutions/CohesitySecurity/Playbooks/SNOW-CreateAndUpdateIncident/readme.md b/Solutions/CohesitySecurity/Playbooks/Cohesity_CreateOrUpdate_ServiceNow_Incident/readme.md similarity index 65% rename from Solutions/CohesitySecurity/Playbooks/SNOW-CreateAndUpdateIncident/readme.md rename to Solutions/CohesitySecurity/Playbooks/Cohesity_CreateOrUpdate_ServiceNow_Incident/readme.md index 9210eb9f6b..6283d0dcf0 100644 --- a/Solutions/CohesitySecurity/Playbooks/SNOW-CreateAndUpdateIncident/readme.md +++ b/Solutions/CohesitySecurity/Playbooks/Cohesity_CreateOrUpdate_ServiceNow_Incident/readme.md 
@@ -1,13 +1,13 @@ -# Cohesity Create or Update ServiceNow Incident +# Cohesity Create or Update ServiceNow Incident ## Summary -This playbook creates a ticket in ServiceNow. It can be also used for updating ticket information or closing it. For example, an automation rule can be created to close the ServiceNow ticket by running this playbook when the corresponding Sentinel ticket is closed ([details](https://github.com/cohesity/Azure-Sentinel/blob/CohesitySecurity.internal/Solutions/Servicenow/Playbooks/SNOW-CreateAndUpdateIncident/readme.md)). +This playbook creates a ticket in ServiceNow. It can be also used for updating ticket information or closing it. For example, an automation rule can be created to close the ServiceNow ticket by running this playbook when the corresponding Sentinel ticket is closed ([details](https://github.com/cohesity/Azure-Sentinel/blob/CohesitySecurity.internal/Solutions/Servicenow/Playbooks/Cohesity_CreateOrUpdate_ServiceNow_Incident/readme.md)). ## Prerequisites 1. Create an account for [ServiceNow](https://signon.service-now.com/x_snc_sso_auth.do). ## Deployment instructions 1. Deploy the playbook by clicking on the "Deploy to Azure" button. This will take you to deploying an ARM Template wizard. -[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fcohesity%2FAzure-Sentinel%2FCohesitySecurity.internal%2FSolutions%2FCohesitySecurity%2FPlaybooks%2FSNOW-CreateAndUpdateIncident%2Fazuredeploy.json) +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fcohesity%2FAzure-Sentinel%2FCohesitySecurity.internal%2FSolutions%2FCohesitySecurity%2FPlaybooks%2FCohesity_CreateOrUpdate_ServiceNow_Incident%2Fazuredeploy.json) 2. Fill in the required parameters: * __Playbook Name:__ Enter the playbook name here. 
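Review bot: the `[details]` link in the Summary still points at `Solutions/Servicenow/Playbooks/Cohesity_CreateOrUpdate_ServiceNow_Incident/readme.md`, but per the rename header this readme now lives at `Solutions/CohesitySecurity/Playbooks/Cohesity_CreateOrUpdate_ServiceNow_Incident/readme.md`, so the `Servicenow` path segment looks wrong and the link is effectively a self-reference; either fix the path or point it at the place where the automation rule for closing ServiceNow tickets is actually described.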
@@ -16,13 +16,12 @@ This playbook creates a ticket in ServiceNow. It can be also used for updating t * Go to _Logic Apps_. * Choose your app (playbook). * Select _Development Tools\API Connections_. -* Select a connection you'd like to authorize. Usually, such a connection contains your playbook name. For example, if your playbook is called **My-SNOW-CreateAndUpdateIncident**, then the connection _can_ be called _Service-Now-_**My-SNOW-CreateAndUpdateIncident**. -* Click on _General\Edit API Connection_. -* Enter path to your instance, e.g. dev12345. +* Select a connection you'd like to authorize. +* Click on General\Edit API Connection. +* Enter path to your instance, e.g. https://dev12345.service-now.com. * Enter username. * Enter password. * Click Save. -**Note:** Your ServiceNow credentials can be found in your ServiceNow instance account profile (see _Instance Action\Manage Instance Password_). Alternatively, you can follow these steps to achieve the same goal. This would be especially useful if the previous steps didn’t work for you. * Go to _Logic Apps_. 
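Review bot: dropping the `**Note:**` line about where the ServiceNow credentials are found leaves the `Enter username` and `Enter password` steps without any pointer, and the replacement example `https://dev12345.service-now.com` should be checked against what the Service-Now connection's instance field actually accepts, since the previous text gave the bare instance name `dev12345`. While this section is being edited it is also worth stating that the account entered here should be a dedicated ServiceNow integration user whose rights are limited to the `incident` table the playbook writes to, because its password is stored in the API connection.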
@@ -38,15 +37,5 @@ Alternatively, you can follow these steps to achieve the same goal. This would b * Choose the _Access Control (IAM)_ option from the left pane. * Click on _Add > Add Role Assignment_ and add _Microsoft Sentinel Responder_ managed identity role to the playbook. -3. (Recommendation). Create automation rule to close ServiceNow tickets when the corresponding ticket is closed. -* Choose _Automation_ in the _Configuration_ pane. -* Select _Create/Automation rule_. -* In the _Create new automation rule_ window, enter your new rule name, e.g. _Close ServiceNow Ticket_. -* In the _Trigger_ list, select _When incident is updated_. -* Add the condition _Tag contains_ **SNOW System ID:**. -* Add the condition _Status chaged to_ **Close**. -* In _Actions/Run playbook_ select your playbook. -* Click _Apply_. - # References - - [Cohesity support documentation](https://docs.cohesity.com/ui/login?redirectPath=%2FHomePage%2FContent%2FTechGuides%2FTechnicalGuides.htm). + - [Cohesity support documentation](https://docs.cohesity.com/ui/login?redirectPath=%2FHomePage%2FContent%2FTechGuides%2FTechnicalGuides.htm) diff --git a/Solutions/CohesitySecurity/Playbooks/Cohesity_Restore_From_Last_Snapshot/azuredeploy.json b/Solutions/CohesitySecurity/Playbooks/Cohesity_Restore_From_Last_Snapshot/azuredeploy.json index a31c9ab4cd..900dd266f0 100644 --- a/Solutions/CohesitySecurity/Playbooks/Cohesity_Restore_From_Last_Snapshot/azuredeploy.json +++ b/Solutions/CohesitySecurity/Playbooks/Cohesity_Restore_From_Last_Snapshot/azuredeploy.json @@ -26,7 +26,8 @@ }, "variables": { "AzureblobConnectionName": "[concat('Azureblob-', parameters('PlaybookName'))]", - "MicrosoftSentinelConnectionName": "[concat('MicrosoftSentinel-', parameters('PlaybookName'))]" + "MicrosoftSentinelConnectionName": "[concat('MicrosoftSentinel-', parameters('PlaybookName'))]", + "KeyvaultConnectionName": "[concat('Keyvault-', parameters('PlaybookName'))]" }, "resources": [{ "properties": { 
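Review bot: the removed step `3. (Recommendation). Create automation rule to close ServiceNow tickets...` was the only place that documented the trigger (`When incident is updated`), the `Tag contains SNOW System ID:` condition and the `Status changed to Close` condition that the Summary at the top of this readme still advertises as the way to close tickets automatically; either keep the section (fixing the `chaged` typo) or rewrite the Summary sentence so the readme does not promise instructions it no longer contains.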
@@ -190,12 +191,29 @@ } } }, - "HTTP": { + "Get_secret": { "runAfter": { "Get_object_from_blob_content": [ "Succeeded" ] }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['keyvault']['connectionId']" + } + }, + "method": "get", + "path": "/secrets/@{encodeURIComponent('ApiKey')}/value" + } + }, + "HTTP": { + "runAfter": { + "Get_secret": [ + "Succeeded" + ] + }, "type": "Http", "inputs": { "body": { @@ -218,7 +236,7 @@ }, "headers": { "Content-Type": "application/json", - "apiKey": "33e44eac-ce99-46df-7f4e-9ac39446a66e", + "apiKey": "@body('Get_secret')?['value']", "clusterid": "@{body('Get_cid_from_blob_content')}" }, "method": "POST", @@ -271,6 +289,11 @@ "type": "ManagedServiceIdentity" } } + }, + "keyvault": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('KeyvaultConnectionName'))]", + "connectionName": "[variables('KeyvaultConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Keyvault')]" } } } @@ -289,7 +312,8 @@ "apiVersion": "2019-05-01", "dependsOn": [ "[resourceId('Microsoft.Web/connections', variables('AzureblobConnectionName'))]", - "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]" + "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "[resourceId('Microsoft.Web/connections', variables('KeyvaultConnectionName'))]" ] }, { 
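Review bot: in the `@@ -218,7 +236,7 @@` hunk the literal `apiKey` value `33e44eac-...` is replaced by `@body('Get_secret')?['value']`, which is the right direction, but the old key stays in the repository history of this file, so it should be rotated in Helios and the replacement should only ever exist in Key Vault under the `ApiKey` secret that `Get_secret` reads. The retrieved value also flows through run history as an output of `Get_secret` and as a header input of the `HTTP` action unless secure data is configured; suggest adding `"runtimeConfiguration": {"secureData": {"properties": ["outputs"]}}` to `Get_secret` and the `inputs` equivalent to `HTTP`, and mentioning the secret name and the rotation in the playbook readme.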
@@ -320,6 +344,20 @@ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]" } } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('KeyvaultConnectionName')]", + "location": "[resourceGroup().location]", + "kind": "V1", + "properties": { + "displayName": "[variables('KeyvaultConnectionName')]", + "customParameterValues": {}, + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Keyvault')]" + } + } } ] } diff --git a/Solutions/CohesitySecurity/Playbooks/Cohesity_Send_Incident_Email/azuredeploy.json b/Solutions/CohesitySecurity/Playbooks/Cohesity_Send_Incident_Email/azuredeploy.json index e88888153b..96ee88653a 100644 --- a/Solutions/CohesitySecurity/Playbooks/Cohesity_Send_Incident_Email/azuredeploy.json +++ b/Solutions/CohesitySecurity/Playbooks/Cohesity_Send_Incident_Email/azuredeploy.json @@ -78,9 +78,9 @@ }] } }, - "Send_an_email_(V2)": { + "Send_email_(V2)": { "runAfter": { - "Set_variable": [ + "Set_variable_2": [ "Succeeded" ] }, @@ -101,7 +101,7 @@ "path": "/v2/Mail" } }, - "Set_variable": { + "Set_variable_2": { "runAfter": { "Initialize_variable": [ "Succeeded" diff --git a/Solutions/CohesitySecurity/readme.md b/Solutions/CohesitySecurity/readme.md index 4bd36a7e82..ca2f6f7c9f 100644 --- a/Solutions/CohesitySecurity/readme.md +++ b/Solutions/CohesitySecurity/readme.md 
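Review bot: the new `Microsoft.Web/connections` resource for `KeyvaultConnectionName` carries only `"customParameterValues": {}`, with no `"parameterValueType": "Alternative"` and no managed-identity `connectionProperties`, unlike the Sentinel connection in the `playbook3` template elsewhere in this change, so after deployment the Key Vault connection has to be authorized interactively with a user account and `Get_secret` then runs with that user's Key Vault rights rather than the playbook's `SystemAssigned` identity; suggest switching it to managed identity and documenting the Key Vault access grant (get on secrets) for the playbook identity. Separately, the context line above this addition still uses `/managedApis/Azuresentinel` while the `@@ -679` hunk of the other playbook moves to `/managedApis/Microsoftsentinel`; worth aligning the two.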
@@ -14,13 +14,13 @@ __Disclaimer:__ You can skip these steps and use one of the pre-built packages f 4. Follow [readme.md](https://github.com/cohesity/Azure-Sentinel/blob/CohesitySecurity.internal/Solutions/README.md) for post-build manual validation. ## Deployment -The package consists of the following Azure functions ([install pre-requisites](https://github.com/cohesity/Azure-Sentinel/tree/CohesitySecurity.internal/DataConnectors/CohesitySecurity/Helios2Sentinel#readme)) -* _IncidentProducer_ to retrieve Helios alerts via a special REST API ([deployment steps](https://github.com/cohesity/Azure-Sentinel/blob/CohesitySecurity.internal/DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentProducer/readme.md)) -* _IncidentConsumer_ to create incidents in MS Sentinel ([deployment steps](https://github.com/cohesity/Azure-Sentinel/blob/CohesitySecurity.internal/DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentConsumer/readme.md)) +The package consists of the following Azure functions ([install pre-requisites](https://github.com/cohesity/Azure-Sentinel/tree/CohesitySecurity.internal/Solutions/CohesitySecurity/Data\ Connectors/Helios2Sentinel#readme)) +* _IncidentProducer_ to retrieve Helios alerts via a special REST API ([deployment steps](https://github.com/cohesity/Azure-Sentinel/blob/CohesitySecurity.internal/Solutions/CohesitySecurity/Data\ Connectors/Helios2Sentinel/IncidentProducer/readme.md)) +* _IncidentConsumer_ to create incidents in MS Sentinel ([deployment steps](https://github.com/cohesity/Azure-Sentinel/blob/CohesitySecurity.internal/Solutions/CohesitySecurity/Data\ Connectors/Helios2Sentinel/IncidentConsumer/readme.md)) It also has a few playbooks for automation. * *Cohesity_Send_Incident_Email* to send an email to the recipient with the incident details ([deployment steps](https://github.com/cohesity/Azure-Sentinel/tree/CohesitySecurity.internal/Solutions/CohesitySecurity/Playbooks/Cohesity_Send_Incident_Email#readme.md)). 
-* *Cohesity_CreateOrUpdate_ServiceNow_Incident* to create and update the incident in the ServiceNow platform ([deployment steps](https://github.com/cohesity/Azure-Sentinel/tree/CohesitySecurity.internal/Solutions/CohesitySecurity/Playbooks/SNOW-CreateAndUpdateIncident#readme.md)). +* *Cohesity_CreateOrUpdate_ServiceNow_Incident* to create and update the incident in the ServiceNow platform ([deployment steps](https://github.com/cohesity/Azure-Sentinel/tree/CohesitySecurity.internal/Solutions/CohesitySecurity/Playbooks/Cohesity_CreateOrUpdate_ServiceNow_Incident#readme.md)). * *Cohesity_Restore_From_Last_Snapshot* to restore data from the latest clean snapshot in Helios ([deployment steps](https://github.com/cohesity/Azure-Sentinel/tree/CohesitySecurity.internal/Solutions/CohesitySecurity/Playbooks/Cohesity_Restore_From_Last_Snapshot#readme.md)) ## Misc diff --git a/Tools/Create-Azure-Sentinel-Solution/input/Solution_CohesitySecurity.json b/Tools/Create-Azure-Sentinel-Solution/input/Solution_CohesitySecurity.json index 630dd3c85a..4885754f57 100644 --- a/Tools/Create-Azure-Sentinel-Solution/input/Solution_CohesitySecurity.json +++ b/Tools/Create-Azure-Sentinel-Solution/input/Solution_CohesitySecurity.json @@ -5,7 +5,7 @@ "Playbooks": [ "Playbooks/Cohesity_Send_Incident_Email/azuredeploy.json", "Playbooks/Cohesity_Restore_From_Last_Snapshot/azuredeploy.json", - "Playbooks/SNOW-CreateAndUpdateIncident/azuredeploy.json" + "Playbooks/Cohesity_CreateOrUpdate_ServiceNow_Incident/azuredeploy.json" ], "BasePath": "Solutions/CohesitySecurity", "Version": "2.0.0",
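Review bot: the three updated links in the `@@ -14,13 +14,13 @@` hunk of `Solutions/CohesitySecurity/readme.md` use `Data\ Connectors` inside the URL; a backslash-escaped space is shell syntax, not URL syntax, so GitHub will not resolve these links. Encode the space as `Data%20Connectors` (the rename headers at the top of this change confirm the directory really is `Data Connectors` with a space).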