From 2e21ed5edf18e34d32b618465c5d137fbc184ba9 Mon Sep 17 00:00:00 2001 
From: Ying Huang Date: Mon, 19 Dec 2022 17:26:26 -0800 Subject: [PATCH] rename from DataConnectors/CohesitySecurity/Helios2Sentinel rename to "Solutions/CohesitySecurity/Data\\ Connectors/Helios2Sentinel update to use keyvault instead of apiKey from env. rename some playbooks. --- .../Helios2Sentinel/Helios2Sentinel.sln" | 0 .../IncidentConsumer/IncidentConsumer.cs" | 0 .../IncidentConsumer/IncidentConsumer.csproj" | 0 .../IncidentConsumer/host.json" | 0 .../IncidentConsumer/local.settings.json" | 0 .../IncidentConsumer/readme.md" | 6 +- .../IncidentProducer/IncidentProducer.cs" | 0 .../IncidentProducer/IncidentProducer.csproj" | 0 .../IncidentProducer/host.json" | 0 .../IncidentProducer/local.settings.json" | 0 .../IncidentProducer/readme.md" | 6 +- .../Helios2Sentinel/readme.md" | 4 +- .../Package/createUiDefinition.json | 4 +- .../Package/mainTemplate.json | 2433 +++++++++-------- .../azuredeploy.json | 6 +- .../readme.md | 25 +- .../azuredeploy.json | 46 +- .../azuredeploy.json | 6 +- Solutions/CohesitySecurity/readme.md | 8 +- .../input/Solution_CohesitySecurity.json | 2 +- 20 files changed, 1331 insertions(+), 1215 deletions(-) rename DataConnectors/CohesitySecurity/Helios2Sentinel/Helios2Sentinel.sln => "Solutions/CohesitySecurity/Data\\ Connectors/Helios2Sentinel/Helios2Sentinel.sln" (100%) rename DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentConsumer/IncidentConsumer.cs => "Solutions/CohesitySecurity/Data\\ Connectors/Helios2Sentinel/IncidentConsumer/IncidentConsumer.cs" (100%) rename DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentConsumer/IncidentConsumer.csproj => "Solutions/CohesitySecurity/Data\\ Connectors/Helios2Sentinel/IncidentConsumer/IncidentConsumer.csproj" (100%) rename DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentConsumer/host.json => "Solutions/CohesitySecurity/Data\\ Connectors/Helios2Sentinel/IncidentConsumer/host.json" (100%) rename 
DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentConsumer/local.settings.json => "Solutions/CohesitySecurity/Data\\ Connectors/Helios2Sentinel/IncidentConsumer/local.settings.json" (100%) rename DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentConsumer/readme.md => "Solutions/CohesitySecurity/Data\\ Connectors/Helios2Sentinel/IncidentConsumer/readme.md" (90%) rename DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentProducer/IncidentProducer.cs => "Solutions/CohesitySecurity/Data\\ Connectors/Helios2Sentinel/IncidentProducer/IncidentProducer.cs" (100%) rename DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentProducer/IncidentProducer.csproj => "Solutions/CohesitySecurity/Data\\ Connectors/Helios2Sentinel/IncidentProducer/IncidentProducer.csproj" (100%) rename DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentProducer/host.json => "Solutions/CohesitySecurity/Data\\ Connectors/Helios2Sentinel/IncidentProducer/host.json" (100%) rename DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentProducer/local.settings.json => "Solutions/CohesitySecurity/Data\\ Connectors/Helios2Sentinel/IncidentProducer/local.settings.json" (100%) rename DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentProducer/readme.md => "Solutions/CohesitySecurity/Data\\ Connectors/Helios2Sentinel/IncidentProducer/readme.md" (91%) rename DataConnectors/CohesitySecurity/Helios2Sentinel/readme.md => "Solutions/CohesitySecurity/Data\\ Connectors/Helios2Sentinel/readme.md" (76%) rename Solutions/CohesitySecurity/Playbooks/{SNOW-CreateAndUpdateIncident => Cohesity_CreateOrUpdate_ServiceNow_Incident}/azuredeploy.json (99%) rename Solutions/CohesitySecurity/Playbooks/{SNOW-CreateAndUpdateIncident => Cohesity_CreateOrUpdate_ServiceNow_Incident}/readme.md (65%) 
diff --git a/DataConnectors/CohesitySecurity/Helios2Sentinel/Helios2Sentinel.sln "b/Solutions/CohesitySecurity/Data\\ Connectors/Helios2Sentinel/Helios2Sentinel.sln"
similarity index 100%
rename from DataConnectors/CohesitySecurity/Helios2Sentinel/Helios2Sentinel.sln
rename to "Solutions/CohesitySecurity/Data\\ Connectors/Helios2Sentinel/Helios2Sentinel.sln"
diff --git a/DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentConsumer/IncidentConsumer.cs "b/Solutions/CohesitySecurity/Data\\ Connectors/Helios2Sentinel/IncidentConsumer/IncidentConsumer.cs"
similarity index 100%
rename from DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentConsumer/IncidentConsumer.cs
rename to "Solutions/CohesitySecurity/Data\\ Connectors/Helios2Sentinel/IncidentConsumer/IncidentConsumer.cs"
diff --git a/DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentConsumer/IncidentConsumer.csproj "b/Solutions/CohesitySecurity/Data\\ Connectors/Helios2Sentinel/IncidentConsumer/IncidentConsumer.csproj"
similarity index 100%
rename from DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentConsumer/IncidentConsumer.csproj
rename to "Solutions/CohesitySecurity/Data\\ Connectors/Helios2Sentinel/IncidentConsumer/IncidentConsumer.csproj"
diff --git a/DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentConsumer/host.json "b/Solutions/CohesitySecurity/Data\\ Connectors/Helios2Sentinel/IncidentConsumer/host.json"
similarity index 100%
rename from DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentConsumer/host.json
rename to "Solutions/CohesitySecurity/Data\\ Connectors/Helios2Sentinel/IncidentConsumer/host.json"
diff --git a/DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentConsumer/local.settings.json "b/Solutions/CohesitySecurity/Data\\ Connectors/Helios2Sentinel/IncidentConsumer/local.settings.json"
similarity index 100%
rename from DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentConsumer/local.settings.json
rename to "Solutions/CohesitySecurity/Data\\ Connectors/Helios2Sentinel/IncidentConsumer/local.settings.json"
diff --git a/DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentConsumer/readme.md "b/Solutions/CohesitySecurity/Data\\ Connectors/Helios2Sentinel/IncidentConsumer/readme.md"
similarity index 90%
rename from DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentConsumer/readme.md
rename to "Solutions/CohesitySecurity/Data\\ Connectors/Helios2Sentinel/IncidentConsumer/readme.md"
index 3113ffe71a..efd3278886 100644
--- a/DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentConsumer/readme.md
+++ "b/Solutions/CohesitySecurity/Data\\ Connectors/Helios2Sentinel/IncidentConsumer/readme.md"
@@ -3,11 +3,11 @@ This function picks alerts from the queue and creates the corresponding records ## Publishing Prerequisites 1. Create your Sentinel [workspace](https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel). -* __Attention__: It should be the same workspace as created for [IncidentProducer](https://raw.githubusercontent.com/cohesity/Azure-Sentinel/CohesitySecurity.internal/DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentProducer/readme.md). +* __Attention__: It should be the same workspace as created for [IncidentProducer](https://raw.githubusercontent.com/cohesity/Azure-Sentinel/CohesitySecurity.internal/Solutions/CohesitySecurity/Data\ Connectors/Helios2Sentinel/IncidentProducer/readme.md). 2. [Register](https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/RegisteredApps) a client application in Azure Active Directory with the Contributor privileges ([steps](https://learn.microsoft.com/azure/healthcare-apis/register-application)). * Save _Application (client) ID_, _Directory (tenant) ID_ and _Secret Value_. 3. Create a new queue in [Azure Storage Accounts](https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Storage%2FStorageAccounts) ([steps](https://learn.microsoft.com/azure/storage/queues/storage-quickstart-queues-portal)). -* __Attention__: It should be the same queue as created for [IncidentProducer](https://raw.githubusercontent.com/cohesity/Azure-Sentinel/CohesitySecurity.internal/DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentProducer/readme.md). +* __Attention__: It should be the same queue as created for [IncidentProducer](https://raw.githubusercontent.com/cohesity/Azure-Sentinel/CohesitySecurity.internal/Solutions/CohesitySecurity/Data\ Connectors/Helios2Sentinel/IncidentProducer/readme.md). * Save the connection string 4. 
Choose your [resource group](https://portal.azure.com/#view/HubsExtension/BrowseResourceGroups) that you are going to use for the function app. 5. Choose your [subscription](https://portal.azure.com/#view/Microsoft_Azure_Billing/SubscriptionsBlade) that you are going to use for the function app. @@ -38,4 +38,4 @@ followed by * Confirm the restart. ## Testing -Check that the function successfully runs at _IncidentConsumer | Functions | Monitor_. If not, please check that you created all environment variables correctly by comparing their names with the ones in [local.settings.json](https://github.com/cohesity/Azure-Sentinel/blob/CohesitySecurity.internal/DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentConsumer/local.settings.json). +Check that the function successfully runs at _IncidentConsumer | Functions | Monitor_. If not, please check that you created all environment variables correctly by comparing their names with the ones in [local.settings.json](https://github.com/cohesity/Azure-Sentinel/blob/CohesitySecurity.internal/Solutions/CohesitySecurity/Data\ Connectors/Helios2Sentinel/IncidentConsumer/local.settings.json). diff --git a/DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentProducer/IncidentProducer.cs "b/Solutions/CohesitySecurity/Data\\ Connectors/Helios2Sentinel/IncidentProducer/IncidentProducer.cs" similarity index 100% rename from DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentProducer/IncidentProducer.cs rename to "Solutions/CohesitySecurity/Data\\ Connectors/Helios2Sentinel/IncidentProducer/IncidentProducer.cs" 
diff --git a/DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentProducer/IncidentProducer.csproj "b/Solutions/CohesitySecurity/Data\\ Connectors/Helios2Sentinel/IncidentProducer/IncidentProducer.csproj"
similarity index 100%
rename from DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentProducer/IncidentProducer.csproj
rename to "Solutions/CohesitySecurity/Data\\ Connectors/Helios2Sentinel/IncidentProducer/IncidentProducer.csproj"
diff --git a/DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentProducer/host.json "b/Solutions/CohesitySecurity/Data\\ Connectors/Helios2Sentinel/IncidentProducer/host.json"
similarity index 100%
rename from DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentProducer/host.json
rename to "Solutions/CohesitySecurity/Data\\ Connectors/Helios2Sentinel/IncidentProducer/host.json"
diff --git a/DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentProducer/local.settings.json "b/Solutions/CohesitySecurity/Data\\ Connectors/Helios2Sentinel/IncidentProducer/local.settings.json"
similarity index 100%
rename from DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentProducer/local.settings.json
rename to "Solutions/CohesitySecurity/Data\\ Connectors/Helios2Sentinel/IncidentProducer/local.settings.json"
diff --git a/DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentProducer/readme.md "b/Solutions/CohesitySecurity/Data\\ Connectors/Helios2Sentinel/IncidentProducer/readme.md"
similarity index 91%
rename from DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentProducer/readme.md
rename to "Solutions/CohesitySecurity/Data\\ Connectors/Helios2Sentinel/IncidentProducer/readme.md"
index 39b3163677..38389d1f20 100644
--- a/DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentProducer/readme.md
+++ "b/Solutions/CohesitySecurity/Data\\ Connectors/Helios2Sentinel/IncidentProducer/readme.md"
@@ -10,11 +10,11 @@ This function retrieves ransomware alerts from Cohesity DataHawk and lands them * Enter a name for the API key. * Select _Save_. The API Key Token is displayed. 2. Create your Sentinel [workspace](https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel). -* __Attention__: It should be the same workspace as created for [IncidentConsumer](https://github.com/cohesity/Azure-Sentinel/tree/CohesitySecurity.internal/DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentConsumer#readme). +* __Attention__: It should be the same workspace as created for [IncidentConsumer](https://github.com/cohesity/Azure-Sentinel/tree/CohesitySecurity.internal/Solutions/CohesitySecurity/Data\ Connectors/Helios2Sentinel/IncidentConsumer#readme). 3. [Register](https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/RegisteredApps) a client application in Azure Active Directory with the Contributor privileges ([steps](https://learn.microsoft.com/azure/healthcare-apis/register-application)). * Save _Application (client) ID_, _Directory (tenant) ID_ and _Secret Value_. 4. Create a new queue in [Azure Storage Accounts](https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Storage%2FStorageAccounts) ([steps](https://learn.microsoft.com/azure/storage/queues/storage-quickstart-queues-portal)). -* __Attention__: It should be the same workspace as created for [IncidentConsumer](https://github.com/cohesity/Azure-Sentinel/tree/CohesitySecurity.internal/DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentConsumer#readme). +* __Attention__: It should be the same workspace as created for [IncidentConsumer](https://github.com/cohesity/Azure-Sentinel/tree/CohesitySecurity.internal/Solutions/CohesitySecurity/Data\ Connectors/Helios2Sentinel/IncidentConsumer#readme). * Save the connection string 5. 
Create an instance of [Azure Cache for Redis](https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Cache%2FRedis) ([steps](https://learn.microsoft.com/azure/azure-cache-for-redis/cache-configure)) * Save the connection string @@ -43,4 +43,4 @@ followed by * Confirm the restart. ## Testing -Check that the function successfully runs at _IncidentProducer | Functions | Monitor_. If not, please check that you created all environment variables correctly by comparing their names with the ones in [local.settings.json](https://github.com/cohesity/Azure-Sentinel/blob/CohesitySecurity.internal/DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentProducer/local.settings.json). +Check that the function successfully runs at _IncidentProducer | Functions | Monitor_. If not, please check that you created all environment variables correctly by comparing their names with the ones in [local.settings.json](https://github.com/cohesity/Azure-Sentinel/blob/CohesitySecurity.internal/Solutions/CohesitySecurity/Data\ Connectors/Helios2Sentinel/IncidentProducer/local.settings.json). diff --git a/DataConnectors/CohesitySecurity/Helios2Sentinel/readme.md "b/Solutions/CohesitySecurity/Data\\ Connectors/Helios2Sentinel/readme.md" similarity index 76% rename from DataConnectors/CohesitySecurity/Helios2Sentinel/readme.md rename to "Solutions/CohesitySecurity/Data\\ Connectors/Helios2Sentinel/readme.md" index 0d77bb89c1..d0e7757d23 100644 --- a/DataConnectors/CohesitySecurity/Helios2Sentinel/readme.md +++ "b/Solutions/CohesitySecurity/Data\\ Connectors/Helios2Sentinel/readme.md" 
@@ -9,5 +9,5 @@ Before deployment, please make sure that all prerequisites and pre-deployment st * Install [azure-functions-core-tools](https://docs.microsoft.com/azure/azure-functions/functions-run-local). ## Deployment -* Deploy [IncidentProducer](https://github.com/cohesity/Azure-Sentinel/tree/CohesitySecurity.internal/DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentProducer#readme) function. -* Deploy [IncidentConsumer](https://github.com/cohesity/Azure-Sentinel/tree/CohesitySecurity.internal/DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentConsumer#readme) function. +* Deploy [IncidentProducer](https://github.com/cohesity/Azure-Sentinel/tree/CohesitySecurity.internal/Solutions/CohesitySecurity/Data\ Connectors/Helios2Sentinel/IncidentProducer#readme) function. +* Deploy [IncidentConsumer](https://github.com/cohesity/Azure-Sentinel/tree/CohesitySecurity.internal/Solutions/CohesitySecurity/Data\ Connectors/Helios2Sentinel/IncidentConsumer#readme) function. diff --git a/Solutions/CohesitySecurity/Package/createUiDefinition.json b/Solutions/CohesitySecurity/Package/createUiDefinition.json index 96704e2316..4e5bb5b4e3 100644 --- a/Solutions/CohesitySecurity/Package/createUiDefinition.json +++ b/Solutions/CohesitySecurity/Package/createUiDefinition.json @@ -138,7 +138,7 @@ { "name": "playbook3", "type": "Microsoft.Common.Section", - "label": "SNOW-CreateAndUpdateIncident", + "label": "Cohesity_CreateOrUpdate_ServiceNow_Incident", "elements": [ { "name": "playbook3-text", @@ -151,7 +151,7 @@ "name": "playbook3-PlaybookName", "type": "Microsoft.Common.TextBox", "label": "Playbook Name", - "defaultValue": "SNOW-CreateAndUpdateIncident", + "defaultValue": "Cohesity_CreateOrUpdate_ServiceNow_Incident", "toolTip": "Resource name for the logic app playbook. No spaces are allowed", "constraints": { "required": true, 
diff --git a/Solutions/CohesitySecurity/Package/mainTemplate.json b/Solutions/CohesitySecurity/Package/mainTemplate.json
index 1404653267..89640e685e 100644
--- a/Solutions/CohesitySecurity/Package/mainTemplate.json
+++ b/Solutions/CohesitySecurity/Package/mainTemplate.json
@@ -1,1217 +1,1306 @@ { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "author": "Cohesity - support@cohesity.com", - "comments": "Solution template for CohesitySecurity" + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "author": "Cohesity - support@cohesity.com", + "comments": "Solution template for CohesitySecurity" + }, + "parameters": { + "location": { + "type": "string", + "minLength": 1, + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace" + } }, - "parameters": { - "location": { - "type": "string", - "minLength": 1, - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace" + "workspace-location": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" + } + }, + "workspace": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" + } + }, + "playbook1-PlaybookName": { + "defaultValue": "My_Cohesity_Send_Incident_Email", + "type": "string", + "minLength": 1, + "metadata": { + "description": "Resource name for the logic app playbook. 
No spaces are allowed" + } + }, + "playbook1-EmailID": { + "defaultValue": "", + "type": "string", + "minLength": 1 + }, + "playbook2-PlaybookName": { + "defaultValue": "My_Cohesity_Restore_From_Last_Snapshot", + "type": "string", + "minLength": 1, + "metadata": { + "description": "Resource name for the logic app playbook. No spaces are allowed" + } + }, + "playbook3-PlaybookName": { + "defaultValue": "Cohesity_CreateOrUpdate_ServiceNow_Incident", + "type": "string", + "minLength": 1, + "metadata": { + "description": "Resource name for the logic app playbook. No spaces are allowed" + } + } + }, + "variables": { + "playbook1-Cohesity_Send_Incident_Email": "playbook1-Cohesity_Send_Incident_Email", + "_playbook1-Cohesity_Send_Incident_Email": "[variables('playbook1-Cohesity_Send_Incident_Email')]", + "playbook1-MicrosoftSentinelConnectionName": "[concat('MicrosoftSentinel-', parameters('playbook1-PlaybookName'))]", + "playbook1-OutlookConnectionName": "[concat('Outlook-', parameters('playbook1-PlaybookName'))]", + "playbook-1-connection-2": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/Azuresentinel')]", + "_playbook-1-connection-2": "[variables('playbook-1-connection-2')]", + "playbook-1-connection-3": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/Outlook')]", + "_playbook-1-connection-3": "[variables('playbook-1-connection-3')]", + "playbook2-Cohesity_Restore_From_Last_Snapshot": "playbook2-Cohesity_Restore_From_Last_Snapshot", + "_playbook2-Cohesity_Restore_From_Last_Snapshot": "[variables('playbook2-Cohesity_Restore_From_Last_Snapshot')]", + "playbook2-AzureblobConnectionName": "[concat('Azureblob-', parameters('playbook2-PlaybookName'))]", + "playbook2-MicrosoftSentinelConnectionName": "[concat('MicrosoftSentinel-', parameters('playbook2-PlaybookName'))]", + 
"playbook2-KeyvaultConnectionName": "[concat('Keyvault-', parameters('playbook2-PlaybookName'))]", + "playbook-2-connection-2": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/Azureblob')]", + "_playbook-2-connection-2": "[variables('playbook-2-connection-2')]", + "playbook-2-connection-4": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/Keyvault')]", + "_playbook-2-connection-4": "[variables('playbook-2-connection-4')]", + "playbook3-Cohesity_CreateOrUpdate_ServiceNow_Incident": "playbook3-Cohesity_CreateOrUpdate_ServiceNow_Incident", + "_playbook3-Cohesity_CreateOrUpdate_ServiceNow_Incident": "[variables('playbook3-Cohesity_CreateOrUpdate_ServiceNow_Incident')]", + "playbook3-MicrosoftsentinelConnectionName": "[concat('Microsoftsentinel-', parameters('playbook3-PlaybookName'))]", + "playbook3-ServiceNowConnectionName": "[concat('Service-Now-', parameters('playbook3-PlaybookName'))]", + "playbook-3-connection-2": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/Microsoftsentinel')]", + "_playbook-3-connection-2": "[variables('playbook-3-connection-2')]", + "playbook-3-connection-3": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/Service-Now')]", + "_playbook-3-connection-3": "[variables('playbook-3-connection-3')]", + "sourceId": "cohesity.cohesity_sentinel_data_connector", + "_sourceId": "[variables('sourceId')]" + }, + "resources": [ + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.@{variables('azureManagementUrl')}/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + 
"contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + }, + "EmailID": { + "defaultValue": "[parameters('playbook1-EmailID')]", + "type": "string" } - }, - "workspace-location": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" + }, + "triggers": { + "Microsoft_Sentinel_incident": { + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "path": "/incident-creation" + } } - }, - "workspace": { - "defaultValue": "", - "type": "string", - "metadata": { - "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" + }, + "actions": { + "Initialize_variable": { + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "EmailBody", + "type": "string" + } + ] + } + }, + "Send_email_(V2)": { + "runAfter": { + "Set_variable_2": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "Body": "

@{variables('EmailBody')}

", + "Importance": "Normal", + "Subject": "Cohesity Alert", + "To": "@parameters('playbook1-EmailID')" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['outlook']['connectionId']" + } + }, + "method": "post", + "path": "/v2/Mail" + } + }, + "Set_variable_2": { + "runAfter": { + "Initialize_variable": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "EmailBody", + "value": "

Hello SecurityTeam,

You have a Cohesity incident from Azure Sentinel. Below is information:

Please review and update incident accordingly.

Cohesity Team

" + } } + } }, - "playbook1-PlaybookName": { - "defaultValue": "My_Cohesity_Send_Incident_Email", - "type": "string", - "minLength": 1, - "metadata": { - "description": "Resource name for the logic app playbook. No spaces are allowed" - } - }, - "playbook1-EmailID": { - "defaultValue": "", - "type": "string", - "minLength": 1 - }, - "playbook2-PlaybookName": { - "defaultValue": "My_Cohesity_Restore_From_Last_Snapshot", - "type": "string", - "minLength": 1, - "metadata": { - "description": "Resource name for the logic app playbook. No spaces are allowed" - } - }, - "playbook3-PlaybookName": { - "defaultValue": "SNOW-CreateAndUpdateIncident", - "type": "string", - "minLength": 1, - "metadata": { - "description": "Resource name for the logic app playbook. No spaces are allowed" + "parameters": { + "$connections": { + "value": { + "azuresentinel": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('playbook1-MicrosoftSentinelConnectionName'))]", + "connectionName": "[variables('playbook1-MicrosoftSentinelConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/Azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + }, + "outlook": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('playbook1-OutlookConnectionName'))]", + "connectionName": "[variables('playbook1-OutlookConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/Outlook')]" + } } + } } + }, + "name": "[parameters('playbook1-PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[parameters('workspace-location')]", + "tags": { + "hidden-SentinelTemplateName": "My_Cohesity_Send_Incident_Email", + "hidden-SentinelTemplateVersion": "1.0" + }, + "identity": { + 
"type": "SystemAssigned" + }, + "apiVersion": "2019-05-01", + "dependsOn": [ + "[resourceId('Microsoft.Web/connections', variables('playbook1-MicrosoftSentinelConnectionName'))]", + "[resourceId('Microsoft.Web/connections', variables('playbook1-OutlookConnectionName'))]" + ] }, - "variables": { - "playbook1-Cohesity_Send_Incident_Email": "playbook1-Cohesity_Send_Incident_Email", - "_playbook1-Cohesity_Send_Incident_Email": "[variables('playbook1-Cohesity_Send_Incident_Email')]", - "playbook1-MicrosoftSentinelConnectionName": "[concat('MicrosoftSentinel-', parameters('playbook1-PlaybookName'))]", - "playbook1-OutlookConnectionName": "[concat('Outlook-', parameters('playbook1-PlaybookName'))]", - "playbook-1-connection-2": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/Azuresentinel')]", - "_playbook-1-connection-2": "[variables('playbook-1-connection-2')]", - "playbook-1-connection-3": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/Outlook')]", - "_playbook-1-connection-3": "[variables('playbook-1-connection-3')]", - "playbook2-Cohesity_Restore_From_Last_Snapshot": "playbook2-Cohesity_Restore_From_Last_Snapshot", - "_playbook2-Cohesity_Restore_From_Last_Snapshot": "[variables('playbook2-Cohesity_Restore_From_Last_Snapshot')]", - "playbook2-AzureblobConnectionName": "[concat('Azureblob-', parameters('playbook2-PlaybookName'))]", - "playbook2-MicrosoftSentinelConnectionName": "[concat('MicrosoftSentinel-', parameters('playbook2-PlaybookName'))]", - "playbook-2-connection-2": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/Azureblob')]", - "_playbook-2-connection-2": "[variables('playbook-2-connection-2')]", - "playbook3-SNOW-CreateAndUpdateIncident": 
"playbook3-SNOW-CreateAndUpdateIncident", - "_playbook3-SNOW-CreateAndUpdateIncident": "[variables('playbook3-SNOW-CreateAndUpdateIncident')]", - "playbook3-MicrosoftsentinelConnectionName": "[concat('Microsoftsentinel-', parameters('playbook3-PlaybookName'))]", - "playbook3-ServiceNowConnectionName": "[concat('Service-Now-', parameters('playbook3-PlaybookName'))]", - "playbook-3-connection-3": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/Service-Now')]", - "_playbook-3-connection-3": "[variables('playbook-3-connection-3')]", - "sourceId": "cohesity.cohesity_sentinel_data_connector", - "_sourceId": "[variables('sourceId')]" + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('playbook1-MicrosoftSentinelConnectionName')]", + "location": "[parameters('workspace-location')]", + "kind": "V1", + "properties": { + "displayName": "[variables('playbook1-MicrosoftSentinelConnectionName')]", + "parameterValueType": "Alternative", + "api": { + "id": "[variables('_playbook-1-connection-2')]" + } + } }, - "resources": [{ - "properties": { - "provisioningState": "Succeeded", - "state": "Enabled", - "definition": { - "$schema": "https://schema.@{variables('azureManagementUrl')}/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "$connections": { - "type": "Object" - }, - "EmailID": { - "defaultValue": "[parameters('playbook1-EmailID')]", - "type": "string" - } - }, - "triggers": { - "Microsoft_Sentinel_incident": { - "type": "ApiConnectionWebhook", - "inputs": { - "body": { - "callback_url": "@{listCallbackUrl()}" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "path": "/incident-creation" - } - } - }, - "actions": { - "Initialize_variable": { - "type": "InitializeVariable", - "inputs": { - 
"variables": [{ - "name": "EmailBody", - "type": "string" - }] - } - }, - "Send_an_email_(V2)": { - "runAfter": { - "Set_variable": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "body": { - "Body": "

@{variables('EmailBody')}

", - "Importance": "Normal", - "Subject": "Cohesity Alert", - "To": "@parameters('playbook1-EmailID')" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['outlook']['connectionId']" - } - }, - "method": "post", - "path": "/v2/Mail" - } - }, - "Set_variable": { - "runAfter": { - "Initialize_variable": [ - "Succeeded" - ] - }, - "type": "SetVariable", - "inputs": { - "name": "EmailBody", - "value": "

Hello SecurityTeam,

You have a Cohesity incident from Azure Sentinel. Below is information:

Please review and update incident accordingly.

Cohesity Team

" - } - } - } + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('playbook1-OutlookConnectionName')]", + "location": "[parameters('workspace-location')]", + "kind": "V1", + "properties": { + "displayName": "[variables('playbook1-OutlookConnectionName')]", + "api": { + "id": "[variables('_playbook-1-connection-3')]" + } + } + }, + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.@{variables('azureManagementUrl')}/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + } + }, + "triggers": { + "Microsoft_Sentinel_incident": { + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" }, - "parameters": { - "$connections": { - "value": { - "azuresentinel": { - "connectionId": "[resourceId('Microsoft.Web/connections', variables('playbook1-MicrosoftSentinelConnectionName'))]", - "connectionName": "[variables('playbook1-MicrosoftSentinelConnectionName')]", - "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/Azuresentinel')]", - "connectionProperties": { - "authentication": { - "type": "ManagedServiceIdentity" - } - } - }, - "outlook": { - "connectionId": "[resourceId('Microsoft.Web/connections', variables('playbook1-OutlookConnectionName'))]", - "connectionName": "[variables('playbook1-OutlookConnectionName')]", - "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/Outlook')]" - } - } - } - } - }, - "name": "[parameters('playbook1-PlaybookName')]", - "type": "Microsoft.Logic/workflows", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-SentinelTemplateName": 
"My_Cohesity_Send_Incident_Email", - "hidden-SentinelTemplateVersion": "1.0" - }, - "identity": { - "type": "SystemAssigned" - }, - "apiVersion": "2019-05-01", - "dependsOn": [ - "[resourceId('Microsoft.Web/connections', variables('playbook1-MicrosoftSentinelConnectionName'))]", - "[resourceId('Microsoft.Web/connections', variables('playbook1-OutlookConnectionName'))]" - ] - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[variables('playbook1-MicrosoftSentinelConnectionName')]", - "location": "[parameters('workspace-location')]", - "kind": "V1", - "properties": { - "displayName": "[variables('playbook1-MicrosoftSentinelConnectionName')]", - "parameterValueType": "Alternative", - "api": { - "id": "[variables('_playbook-1-connection-2')]" - } - } - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[variables('playbook1-OutlookConnectionName')]", - "location": "[parameters('workspace-location')]", - "kind": "V1", - "properties": { - "displayName": "[variables('playbook1-OutlookConnectionName')]", - "api": { - "id": "[variables('_playbook-1-connection-3')]" - } - } - }, - { - "properties": { - "provisioningState": "Succeeded", - "state": "Enabled", - "definition": { - "$schema": "https://schema.@{variables('azureManagementUrl')}/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "$connections": { - "type": "Object" - } - }, - "triggers": { - "Microsoft_Sentinel_incident": { - "type": "ApiConnectionWebhook", - "inputs": { - "body": { - "callback_url": "@{listCallbackUrl()}" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "path": "/incident-creation" - } - } - }, - "actions": { - "Get_cid_from_blob_content": { - "runAfter": { - "Get_jobId_from_blob_content": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - 
"name": "@parameters('$connections')['azureblob']['connectionId']" - } - }, - "method": "get", - "path": "/v2/datasets/@{encodeURIComponent(encodeURIComponent('AccountNameFromSettings'))}/GetFileContentByPath", - "queries": { - "inferContentType": true, - "path": "/extra-parameters/@{variables('helioID')}/cid", - "queryParametersSingleEncoded": true - } - } - }, - "Get_entityId_from_blob_content": { - "runAfter": { - "Get_jobInstanceId_from_blob_content": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['azureblob']['connectionId']" - } - }, - "method": "get", - "path": "/v2/datasets/@{encodeURIComponent(encodeURIComponent('AccountNameFromSettings'))}/GetFileContentByPath", - "queries": { - "inferContentType": true, - "path": "/extra-parameters/@{variables('helioID')}/entityId", - "queryParametersSingleEncoded": true - } - } - }, - "Get_jobId_from_blob_content": { - "runAfter": { - "Initialize_HelioID": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['azureblob']['connectionId']" - } - }, - "method": "get", - "path": "/v2/datasets/@{encodeURIComponent(encodeURIComponent('AccountNameFromSettings'))}/GetFileContentByPath", - "queries": { - "inferContentType": true, - "path": "/extra-parameters/@{variables('helioID')}/jobId", - "queryParametersSingleEncoded": true - } - } - }, - "Get_jobInstanceId_from_blob_content": { - "runAfter": { - "Get_jobStartTimeUsecs_from_blob_content": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['azureblob']['connectionId']" - } - }, - "method": "get", - "path": "/v2/datasets/@{encodeURIComponent(encodeURIComponent('AccountNameFromSettings'))}/GetFileContentByPath", - "queries": { - "inferContentType": true, - "path": "/extra-parameters/@{variables('helioID')}/jobInstanceId", - 
"queryParametersSingleEncoded": true - } - } - }, - "Get_jobStartTimeUsecs_from_blob_content": { - "runAfter": { - "Get_cid_from_blob_content": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['azureblob']['connectionId']" - } - }, - "method": "get", - "path": "/v2/datasets/@{encodeURIComponent(encodeURIComponent('AccountNameFromSettings'))}/GetFileContentByPath", - "queries": { - "inferContentType": true, - "path": "/extra-parameters/@{variables('helioID')}/jobStartTimeUsecs", - "queryParametersSingleEncoded": true - } - } - }, - "Get_object_from_blob_content": { - "runAfter": { - "Get_entityId_from_blob_content": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['azureblob']['connectionId']" - } - }, - "method": "get", - "path": "/v2/datasets/@{encodeURIComponent(encodeURIComponent('AccountNameFromSettings'))}/GetFileContentByPath", - "queries": { - "inferContentType": true, - "path": "/extra-parameters/@{variables('helioID')}/object", - "queryParametersSingleEncoded": true - } - } - }, - "HTTP": { - "runAfter": { - "Get_object_from_blob_content": [ - "Succeeded" - ] - }, - "type": "Http", - "inputs": { - "body": { - "name": "Sentinel_triggered_restore_task_@{body('Get_object_from_blob_content')}", - "objects": [{ - "jobId": "@int(string(body('Get_jobId_from_blob_content')))", - "jobRunId": "@int(string(body('Get_jobInstanceId_from_blob_content')))", - "protectionSourceId": "@int(string(body('Get_entityId_from_blob_content')))", - "sourceName": "@{body('Get_object_from_blob_content')}", - "startedTimeUsecs": "@int(string(body('Get_jobStartTimeUsecs_from_blob_content')))" - }], - "type": "kRecoverVMs", - "vmwareParameters": { - "powerOffAndRenameExistingVm": true, - "poweredOn": true, - "prefix": "Recover-", - "recoveryProcessType": "kCopyRecovery", - "suffix": "-VM" - } - }, - "headers": { - 
"Content-Type": "application/json", - "apiKey": "33e44eac-ce99-46df-7f4e-9ac39446a66e", - "clusterid": "@{body('Get_cid_from_blob_content')}" - }, - "method": "POST", - "uri": "https://helios.cohesity.com/irisservices/api/v1/public/restore/recover" - } - }, - "Initialize_Description": { - "type": "InitializeVariable", - "inputs": { - "variables": [{ - "name": "description", - "type": "string", - "value": "@triggerBody()?['object']?['properties']?['description']" - }] - } - }, - "Initialize_HelioID": { - "runAfter": { - "Initialize_Description": [ - "Succeeded" - ] - }, - "type": "InitializeVariable", - "inputs": { - "variables": [{ - "name": "helioID", - "type": "string", - "value": "@{split(variables('description'), 'Helios ID: ')[1]}" - }] - } - } - } + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } }, - "parameters": { - "$connections": { - "value": { - "azureblob": { - "connectionId": "[resourceId('Microsoft.Web/connections', variables('playbook2-AzureblobConnectionName'))]", - "connectionName": "[variables('playbook2-AzureblobConnectionName')]", - "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/Azureblob')]" - }, - "azuresentinel": { - "connectionId": "[resourceId('Microsoft.Web/connections', variables('playbook2-MicrosoftSentinelConnectionName'))]", - "connectionName": "[variables('playbook2-MicrosoftSentinelConnectionName')]", - "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/Azuresentinel')]", - "connectionProperties": { - "authentication": { - "type": "ManagedServiceIdentity" - } - } - } - } + "path": "/incident-creation" + } + } + }, + "actions": { + "Get_cid_from_blob_content": { + "runAfter": { + "Get_jobId_from_blob_content": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { 
+ "host": { + "connection": { + "name": "@parameters('$connections')['azureblob']['connectionId']" + } + }, + "method": "get", + "path": "/v2/datasets/@{encodeURIComponent(encodeURIComponent('AccountNameFromSettings'))}/GetFileContentByPath", + "queries": { + "inferContentType": true, + "path": "/extra-parameters/@{variables('helioID')}/cid", + "queryParametersSingleEncoded": true + } + } + }, + "Get_entityId_from_blob_content": { + "runAfter": { + "Get_jobInstanceId_from_blob_content": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azureblob']['connectionId']" + } + }, + "method": "get", + "path": "/v2/datasets/@{encodeURIComponent(encodeURIComponent('AccountNameFromSettings'))}/GetFileContentByPath", + "queries": { + "inferContentType": true, + "path": "/extra-parameters/@{variables('helioID')}/entityId", + "queryParametersSingleEncoded": true + } + } + }, + "Get_jobId_from_blob_content": { + "runAfter": { + "Initialize_HelioID": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azureblob']['connectionId']" + } + }, + "method": "get", + "path": "/v2/datasets/@{encodeURIComponent(encodeURIComponent('AccountNameFromSettings'))}/GetFileContentByPath", + "queries": { + "inferContentType": true, + "path": "/extra-parameters/@{variables('helioID')}/jobId", + "queryParametersSingleEncoded": true + } + } + }, + "Get_jobInstanceId_from_blob_content": { + "runAfter": { + "Get_jobStartTimeUsecs_from_blob_content": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azureblob']['connectionId']" + } + }, + "method": "get", + "path": "/v2/datasets/@{encodeURIComponent(encodeURIComponent('AccountNameFromSettings'))}/GetFileContentByPath", + "queries": { + "inferContentType": true, + "path": 
"/extra-parameters/@{variables('helioID')}/jobInstanceId", + "queryParametersSingleEncoded": true + } + } + }, + "Get_jobStartTimeUsecs_from_blob_content": { + "runAfter": { + "Get_cid_from_blob_content": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azureblob']['connectionId']" + } + }, + "method": "get", + "path": "/v2/datasets/@{encodeURIComponent(encodeURIComponent('AccountNameFromSettings'))}/GetFileContentByPath", + "queries": { + "inferContentType": true, + "path": "/extra-parameters/@{variables('helioID')}/jobStartTimeUsecs", + "queryParametersSingleEncoded": true + } + } + }, + "Get_object_from_blob_content": { + "runAfter": { + "Get_entityId_from_blob_content": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azureblob']['connectionId']" + } + }, + "method": "get", + "path": "/v2/datasets/@{encodeURIComponent(encodeURIComponent('AccountNameFromSettings'))}/GetFileContentByPath", + "queries": { + "inferContentType": true, + "path": "/extra-parameters/@{variables('helioID')}/object", + "queryParametersSingleEncoded": true + } + } + }, + "Get_secret": { + "runAfter": { + "Get_object_from_blob_content": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['keyvault']['connectionId']" + } + }, + "method": "get", + "path": "/secrets/@{encodeURIComponent('ApiKey')}/value" + } + }, + "HTTP": { + "runAfter": { + "Get_secret": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "body": { + "name": "Sentinel_triggered_restore_task_@{body('Get_object_from_blob_content')}", + "objects": [ + { + "jobId": "@int(string(body('Get_jobId_from_blob_content')))", + "jobRunId": "@int(string(body('Get_jobInstanceId_from_blob_content')))", + "protectionSourceId": "@int(string(body('Get_entityId_from_blob_content')))", 
+ "sourceName": "@{body('Get_object_from_blob_content')}", + "startedTimeUsecs": "@int(string(body('Get_jobStartTimeUsecs_from_blob_content')))" } - } + ], + "type": "kRecoverVMs", + "vmwareParameters": { + "powerOffAndRenameExistingVm": true, + "poweredOn": true, + "prefix": "Recover-", + "recoveryProcessType": "kCopyRecovery", + "suffix": "-VM" + } + }, + "headers": { + "Content-Type": "application/json", + "apiKey": "@body('Get_secret')?['value']", + "clusterid": "@{body('Get_cid_from_blob_content')}" + }, + "method": "POST", + "uri": "https://helios.cohesity.com/irisservices/api/v1/public/restore/recover" + } }, - "name": "[parameters('playbook2-PlaybookName')]", - "type": "Microsoft.Logic/workflows", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-SentinelTemplateName": "Cohesity_Restore_From_Last_Snapshot", - "hidden-SentinelTemplateVersion": "1.0" + "Initialize_Description": { + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "description", + "type": "string", + "value": "@triggerBody()?['object']?['properties']?['description']" + } + ] + } }, - "identity": { - "type": "SystemAssigned" - }, - "apiVersion": "2019-05-01", - "dependsOn": [ - "[resourceId('Microsoft.Web/connections', variables('playbook2-AzureblobConnectionName'))]", - "[resourceId('Microsoft.Web/connections', variables('playbook2-MicrosoftSentinelConnectionName'))]" - ] - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[variables('playbook2-AzureblobConnectionName')]", - "location": "[parameters('workspace-location')]", - "kind": "V1", - "properties": { - "displayName": "[variables('playbook2-AzureblobConnectionName')]", - "api": { - "id": "[variables('_playbook-2-connection-2')]" - } + "Initialize_HelioID": { + "runAfter": { + "Initialize_Description": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "helioID", + "type": "string", + "value": 
"@{split(variables('description'), 'Helios ID: ')[1]}" + } + ] + } } + } }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[variables('playbook2-MicrosoftSentinelConnectionName')]", - "location": "[parameters('workspace-location')]", - "kind": "V1", - "properties": { - "displayName": "[variables('playbook2-MicrosoftSentinelConnectionName')]", - "parameterValueType": "Alternative", - "api": { - "id": "[variables('_playbook-1-connection-2')]" + "parameters": { + "$connections": { + "value": { + "azureblob": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('playbook2-AzureblobConnectionName'))]", + "connectionName": "[variables('playbook2-AzureblobConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/Azureblob')]" + }, + "azuresentinel": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('playbook2-MicrosoftSentinelConnectionName'))]", + "connectionName": "[variables('playbook2-MicrosoftSentinelConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/Azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } } + }, + "keyvault": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('playbook2-KeyvaultConnectionName'))]", + "connectionName": "[variables('playbook2-KeyvaultConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/Keyvault')]" + } } - }, - { - "properties": { - "provisioningState": "Succeeded", - "state": "Enabled", - "definition": { - "$schema": 
"https://schema.@{variables('azureManagementUrl')}/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "$connections": { - "type": "Object" - } + } + } + }, + "name": "[parameters('playbook2-PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[parameters('workspace-location')]", + "tags": { + "hidden-SentinelTemplateName": "Cohesity_Restore_From_Last_Snapshot", + "hidden-SentinelTemplateVersion": "1.0" + }, + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2019-05-01", + "dependsOn": [ + "[resourceId('Microsoft.Web/connections', variables('playbook2-AzureblobConnectionName'))]", + "[resourceId('Microsoft.Web/connections', variables('playbook2-MicrosoftSentinelConnectionName'))]", + "[resourceId('Microsoft.Web/connections', variables('playbook2-KeyvaultConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('playbook2-AzureblobConnectionName')]", + "location": "[parameters('workspace-location')]", + "kind": "V1", + "properties": { + "displayName": "[variables('playbook2-AzureblobConnectionName')]", + "api": { + "id": "[variables('_playbook-2-connection-2')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('playbook2-MicrosoftSentinelConnectionName')]", + "location": "[parameters('workspace-location')]", + "kind": "V1", + "properties": { + "displayName": "[variables('playbook2-MicrosoftSentinelConnectionName')]", + "parameterValueType": "Alternative", + "api": { + "id": "[variables('_playbook-1-connection-2')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('playbook2-KeyvaultConnectionName')]", + "location": "[parameters('workspace-location')]", + "kind": "V1", + "properties": { + "displayName": "[variables('playbook2-KeyvaultConnectionName')]", + "api": { + "id": 
"[variables('_playbook-2-connection-4')]" + } + } + }, + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.@{variables('azureManagementUrl')}/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + } + }, + "triggers": { + "Microsoft_Sentinel_incident": { + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" + } + }, + "path": "/incident-creation" + } + } + }, + "actions": { + "Condition_-_create_or_update_incident": { + "actions": { + "Create_Record": { + "runAfter": { + "Switch": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "comments": "Link to Microsoft Sentinel Incident: [code]Incident_URL[/code] ", + "description": "Incident description: @{triggerBody()?['object']?['properties']?['description']}; Severity: @{triggerBody()?['object']?['properties']?['severity']}; Alerts: @{join(triggerBody()?['object']?['properties']?['additionalData']?['alertProductNames'],'; ')};", + "impact": "@variables('Creation severity')", + "number": "@triggerBody()?['object']?['name']", + "short_description": "@triggerBody()?['object']?['properties']?['title']", + "urgency": "@variables('Creation severity')" }, - "triggers": { - "Microsoft_Sentinel_incident": { - "type": "ApiConnectionWebhook", - "inputs": { - "body": { - "callback_url": "@{listCallbackUrl()}" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" - } - }, - "path": "/incident-creation" - } - } + "host": { + "connection": { + "name": "@parameters('$connections')['service-now_1']['connectionId']" + } }, + "method": "post", + "path": "/api/now/v2/table/@{encodeURIComponent('incident')}", + 
"queries": { + "sysparm_display_value": true, + "sysparm_exclude_reference_link": false + } + } + }, + "Switch": { + "cases": { + "Case_Severity_High": { + "case": "High", + "actions": { + "Set_Severity_variable_to_High": { + "type": "SetVariable", + "inputs": { + "name": "Creation severity", + "value": "1" + } + } + } + }, + "Case_Severity_Medium": { + "case": "Medium", + "actions": { + "Set_Severity_variable_to_Medium": { + "type": "SetVariable", + "inputs": { + "name": "Creation severity", + "value": "2" + } + } + } + } + }, + "expression": "@triggerBody()?['object']?['properties']?['severity']", + "type": "Switch" + }, + "Update_incident": { + "runAfter": { + "Create_Record": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "tagsToAdd": { + "TagsToAdd": [ + { + "Tag": "SNOW System ID: @{body('Create_Record')?['result']?['sys_id']}" + } + ] + } + }, + "host": { + "connection": { + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" + } + }, + "method": "put", + "path": "/Incidents" + } + } + }, + "runAfter": { + "Initialize_variable_-_creation_severity": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "For_each": { + "foreach": "@triggerBody()?['object']?['properties']?['labels']", "actions": { - "Condition_-_create_or_update_incident": { + "Condition": { + "actions": { + "Condition_-_is_incident_closed": { "actions": { - "Create_Record": { - "runAfter": { - "Switch": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "body": { - "comments": "Link to Microsoft Sentinel Incident: [code]Incident_URL[/code] ", - "description": "Incident description: @{triggerBody()?['object']?['properties']?['description']}; Severity: @{triggerBody()?['object']?['properties']?['severity']}; Alerts: @{join(triggerBody()?['object']?['properties']?['additionalData']?['alertProductNames'],'; ')};", - "impact": "@variables('Creation severity')", - "number": 
"@triggerBody()?['object']?['name']", - "short_description": "@triggerBody()?['object']?['properties']?['title']", - "urgency": "@variables('Creation severity')" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['service-now_1']['connectionId']" - } - }, - "method": "post", - "path": "/api/now/v2/table/@{encodeURIComponent('incident')}", - "queries": { - "sysparm_display_value": true, - "sysparm_exclude_reference_link": false - } - } - }, - "Switch": { - "cases": { - "Case_Severity_High": { - "case": "High", - "actions": { - "Set_Severity_variable_to_High": { - "type": "SetVariable", - "inputs": { - "name": "Creation severity", - "value": "1" - } - } - } - }, - "Case_Severity_Medium": { - "case": "Medium", - "actions": { - "Set_Severity_variable_to_Medium": { - "type": "SetVariable", - "inputs": { - "name": "Creation severity", - "value": "2" - } - } - } - } - }, - "expression": "@triggerBody()?['object']?['properties']?['severity']", - "type": "Switch" - }, - "Update_incident": { - "runAfter": { - "Create_Record": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "tagsToAdd": { - "TagsToAdd": [{ - "Tag": "SNOW System ID: @{body('Create_Record')?['result']?['sys_id']}" - }] - } - }, - "host": { - "connection": { - "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" - } - }, - "method": "put", - "path": "/Incidents" + "Update_Record_-_Incident_closed": { + "type": "ApiConnection", + "inputs": { + "body": { + "caller_id": "@triggerBody()?['incidentUpdates']?['updatedBy']?['name']", + "close_code": "Resolved by Caller", + "close_notes": "Classification: @{triggerBody()?['object']?['properties']?['classification']} Classification reason: @{triggerBody()?['object']?['properties']?['classificationReason']} Classification comment: @{triggerBody()?['object']?['properties']?['classificationComment']}", + "state": "7" + }, + "host": { + 
"connection": { + "name": "@parameters('$connections')['service-now_1']['connectionId']" } + }, + "method": "put", + "path": "/api/now/v2/table/@{encodeURIComponent('incident')}/@{encodeURIComponent(variables('SNOW System ID'))}", + "queries": { + "sysparm_display_value": false, + "sysparm_exclude_reference_link": true + } } + } }, "runAfter": { - "Initialize_variable_-_creation_severity": [ - "Succeeded" - ] + "Set_variable_-_SNOW_System_ID": [ + "Succeeded" + ] }, "else": { - "actions": { - "For_each": { - "foreach": "@triggerBody()?['object']?['properties']?['labels']", - "actions": { - "Condition": { - "actions": { - "Condition_-_is_incident_closed": { - "actions": { - "Update_Record_-_Incident_closed": { - "type": "ApiConnection", - "inputs": { - "body": { - "caller_id": "@triggerBody()?['incidentUpdates']?['updatedBy']?['name']", - "close_code": "Resolved by Caller", - "close_notes": "Classification: @{triggerBody()?['object']?['properties']?['classification']} Classification reason: @{triggerBody()?['object']?['properties']?['classificationReason']} Classification comment: @{triggerBody()?['object']?['properties']?['classificationComment']}", - "state": "7" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['service-now_1']['connectionId']" - } - }, - "method": "put", - "path": "/api/now/v2/table/@{encodeURIComponent('incident')}/@{encodeURIComponent(variables('SNOW System ID'))}", - "queries": { - "sysparm_display_value": false, - "sysparm_exclude_reference_link": true - } - } - } - }, - "runAfter": { - "Set_variable_-_SNOW_System_ID": [ - "Succeeded" - ] - }, - "else": { - "actions": { - "Condition_-_alert_updated": { - "actions": { - "Compose_alert": { - "runAfter": { - "For_each_-_new_alert": [ - "Succeeded" - ] - }, - "type": "Compose", - "inputs": "Alerts: @{variables('New alert')}" - }, - "For_each_-_new_alert": { - "foreach": "@triggerBody()?['incidentUpdates']?['alerts']", - "actions": { - "Append_to_string_variable_-_alert": 
{ - "type": "AppendToStringVariable", - "inputs": { - "name": "New alert", - "value": "@concat(items('For_each_-_new_alert')?['properties']?['alertDisplayName'], '; ')" - } - } - }, - "type": "Foreach" - } - }, - "runAfter": { - "Condition_-_comment_updated": [ - "Succeeded" - ] - }, - "expression": { - "and": [{ - "contains": [ - "@triggerBody()?['incidentUpdates']?['updatedFields']", - "Alerts" - ] - }] - }, - "type": "If" - }, - "Condition_-_comment_updated": { - "actions": { - "Compose_comment": { - "runAfter": { - "For_each_-_new_comment": [ - "Succeeded" - ] - }, - "type": "Compose", - "inputs": "Comment: @{variables('New comments')}" - }, - "For_each_-_new_comment": { - "foreach": "@triggerBody()?['incidentUpdates']?['comments']", - "actions": { - "Append_to_string_variable_-_comment": { - "type": "AppendToStringVariable", - "inputs": { - "name": "New comments", - "value": "@concat(items('For_each_-_new_comment')?['properties']?['message'], '; ')" - } - } - }, - "type": "Foreach" - } - }, - "expression": { - "and": [{ - "contains": [ - "@triggerBody()?['incidentUpdates']?['updatedFields']", - "Comments" - ] - }] - }, - "type": "If" - }, - "Condition_-_owner_update": { - "actions": { - "Append_to_string_variable_-_owner": { - "type": "AppendToStringVariable", - "inputs": { - "name": "New owner", - "value": "@triggerBody()?['object']?['properties']?['owner']?['assignedTo']" - } - }, - "Compose_owner": { - "runAfter": { - "Append_to_string_variable_-_owner": [ - "Succeeded" - ] - }, - "type": "Compose", - "inputs": "Owner: @{variables('New owner')}" - } - }, - "runAfter": { - "Condition_-_tag_updated": [ - "Succeeded" - ] - }, - "expression": { - "and": [{ - "contains": [ - "@triggerBody()?['incidentUpdates']?['updatedFields']", - "Owner" - ] - }] - }, - "type": "If" - }, - "Condition_-_severity_update": { - "actions": { - "Append_to_string_variable_-_severity": { - "type": "AppendToStringVariable", - "inputs": { - "name": "New severity", - "value": 
"@triggerBody()?['object']?['properties']?['severity']" - } - }, - "Compose_severity": { - "runAfter": { - "Append_to_string_variable_-_severity": [ - "Succeeded" - ] - }, - "type": "Compose", - "inputs": "Severity: @{variables('New severity')}" - } - }, - "runAfter": { - "Condition_-_owner_update": [ - "Succeeded" - ] - }, - "expression": { - "and": [{ - "contains": [ - "@triggerBody()?['incidentUpdates']?['updatedFields']", - "Severity" - ] - }] - }, - "type": "If" - }, - "Condition_-_status_update": { - "actions": { - "Append_to_string_variable_-_status": { - "type": "AppendToStringVariable", - "inputs": { - "name": "New status", - "value": "@triggerBody()?['object']?['properties']?['status']" - } - }, - "Compose_status": { - "runAfter": { - "Append_to_string_variable_-_status": [ - "Succeeded" - ] - }, - "type": "Compose", - "inputs": "Status: @{variables('New status')}" - } - }, - "runAfter": { - "Condition_-_tactics_update": [ - "Succeeded" - ] - }, - "expression": { - "and": [{ - "contains": [ - "@triggerBody()?['incidentUpdates']?['updatedFields']", - "Status" - ] - }] - }, - "type": "If" - }, - "Condition_-_tactics_update": { - "actions": { - "Compose_tactics": { - "type": "Compose", - "inputs": "Tactics: @{join(triggerBody()?['incidentUpdates']?['tactics'], '; ')}" - } - }, - "runAfter": { - "Condition_-_severity_update": [ - "Succeeded" - ] - }, - "expression": { - "and": [{ - "contains": [ - "@triggerBody()?['incidentUpdates']?['updatedFields']", - "Tactics" - ] - }] - }, - "type": "If" - }, - "Condition_-_tag_updated": { - "actions": { - "Compose_tag": { - "runAfter": { - "For_each_-_new_tag": [ - "Succeeded" - ] - }, - "type": "Compose", - "inputs": "Tags: @{variables('New tag')}" - }, - "For_each_-_new_tag": { - "foreach": "@triggerBody()?['incidentUpdates']?['labels']", - "actions": { - "Append_to_string_variable_-_tag": { - "type": "AppendToStringVariable", - "inputs": { - "name": "New tag", - "value": 
"@concat(items('For_each_-_new_tag')?['labelName'], '; ')" - } - } - }, - "type": "Foreach" - } - }, - "runAfter": { - "Condition_-_alert_updated": [ - "Succeeded" - ] - }, - "expression": { - "and": [{ - "contains": [ - "@triggerBody()?['incidentUpdates']?['updatedFields']", - "Labels" - ] - }] - }, - "type": "If" - }, - "Update_Record_-_incident_not_closed": { - "runAfter": { - "Condition_-_status_update": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "body": { - "comments": "Microsoft Sentinel incident is updated: Update fields: @{join(triggerBody()?['incidentUpdates']?['updatedFields'], '; ')} Update by: @{triggerBody()?['incidentUpdates']?['updatedBy']?['name']} New values: @{outputs('Compose_alert')} @{outputs('Compose_severity')} @{outputs('Compose_owner')} @{outputs('Compose_status')} @{outputs('Compose_tag')} @{outputs('Compose_comment')} @{outputs('Compose_tactics')}" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['service-now_1']['connectionId']" - } - }, - "method": "put", - "path": "/api/now/v2/table/@{encodeURIComponent('incident')}/@{encodeURIComponent(variables('SNOW System ID'))}", - "queries": { - "sysparm_display_value": false, - "sysparm_exclude_reference_link": true - } - } - } - } - }, - "expression": { - "and": [{ - "equals": [ - "@triggerBody()?['object']?['properties']?['status']", - "Closed" - ] - }] - }, - "type": "If" - }, - "Set_variable_-_SNOW_System_ID": { - "type": "SetVariable", - "inputs": { - "name": "SNOW System ID", - "value": "@{split(items('For_each')?['labelName'],': ')[1]}" - } - } - }, - "expression": { - "and": [{ - "contains": [ - "@items('For_each')?['labelName']", - "SNOW" - ] - }] - }, - "type": "If" - } - }, - "type": "Foreach" + "actions": { + "Condition_-_alert_updated": { + "actions": { + "Compose_alert": { + "runAfter": { + "For_each_-_new_alert": [ + "Succeeded" + ] + }, + "type": "Compose", + "inputs": "Alerts: @{variables('New alert')}" + }, + 
"For_each_-_new_alert": { + "foreach": "@triggerBody()?['incidentUpdates']?['alerts']", + "actions": { + "Append_to_string_variable_-_alert": { + "type": "AppendToStringVariable", + "inputs": { + "name": "New alert", + "value": "@concat(items('For_each_-_new_alert')?['properties']?['alertDisplayName'], '; ')" + } + } + }, + "type": "Foreach" } + }, + "runAfter": { + "Condition_-_comment_updated": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "contains": [ + "@triggerBody()?['incidentUpdates']?['updatedFields']", + "Alerts" + ] + } + ] + }, + "type": "If" + }, + "Condition_-_comment_updated": { + "actions": { + "Compose_comment": { + "runAfter": { + "For_each_-_new_comment": [ + "Succeeded" + ] + }, + "type": "Compose", + "inputs": "Comment: @{variables('New comments')}" + }, + "For_each_-_new_comment": { + "foreach": "@triggerBody()?['incidentUpdates']?['comments']", + "actions": { + "Append_to_string_variable_-_comment": { + "type": "AppendToStringVariable", + "inputs": { + "name": "New comments", + "value": "@concat(items('For_each_-_new_comment')?['properties']?['message'], '; ')" + } + } + }, + "type": "Foreach" + } + }, + "expression": { + "and": [ + { + "contains": [ + "@triggerBody()?['incidentUpdates']?['updatedFields']", + "Comments" + ] + } + ] + }, + "type": "If" + }, + "Condition_-_owner_update": { + "actions": { + "Append_to_string_variable_-_owner": { + "type": "AppendToStringVariable", + "inputs": { + "name": "New owner", + "value": "@triggerBody()?['object']?['properties']?['owner']?['assignedTo']" + } + }, + "Compose_owner": { + "runAfter": { + "Append_to_string_variable_-_owner": [ + "Succeeded" + ] + }, + "type": "Compose", + "inputs": "Owner: @{variables('New owner')}" + } + }, + "runAfter": { + "Condition_-_tag_updated": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "contains": [ + "@triggerBody()?['incidentUpdates']?['updatedFields']", + "Owner" + ] + } + ] + }, + "type": "If" + }, + "Condition_-_severity_update": { 
+ "actions": { + "Append_to_string_variable_-_severity": { + "type": "AppendToStringVariable", + "inputs": { + "name": "New severity", + "value": "@triggerBody()?['object']?['properties']?['severity']" + } + }, + "Compose_severity": { + "runAfter": { + "Append_to_string_variable_-_severity": [ + "Succeeded" + ] + }, + "type": "Compose", + "inputs": "Severity: @{variables('New severity')}" + } + }, + "runAfter": { + "Condition_-_owner_update": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "contains": [ + "@triggerBody()?['incidentUpdates']?['updatedFields']", + "Severity" + ] + } + ] + }, + "type": "If" + }, + "Condition_-_status_update": { + "actions": { + "Append_to_string_variable_-_status": { + "type": "AppendToStringVariable", + "inputs": { + "name": "New status", + "value": "@triggerBody()?['object']?['properties']?['status']" + } + }, + "Compose_status": { + "runAfter": { + "Append_to_string_variable_-_status": [ + "Succeeded" + ] + }, + "type": "Compose", + "inputs": "Status: @{variables('New status')}" + } + }, + "runAfter": { + "Condition_-_tactics_update": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "contains": [ + "@triggerBody()?['incidentUpdates']?['updatedFields']", + "Status" + ] + } + ] + }, + "type": "If" + }, + "Condition_-_tactics_update": { + "actions": { + "Compose_tactics": { + "type": "Compose", + "inputs": "Tactics: @{join(triggerBody()?['incidentUpdates']?['tactics'], '; ')}" + } + }, + "runAfter": { + "Condition_-_severity_update": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "contains": [ + "@triggerBody()?['incidentUpdates']?['updatedFields']", + "Tactics" + ] + } + ] + }, + "type": "If" + }, + "Condition_-_tag_updated": { + "actions": { + "Compose_tag": { + "runAfter": { + "For_each_-_new_tag": [ + "Succeeded" + ] + }, + "type": "Compose", + "inputs": "Tags: @{variables('New tag')}" + }, + "For_each_-_new_tag": { + "foreach": "@triggerBody()?['incidentUpdates']?['labels']", + "actions": { + 
"Append_to_string_variable_-_tag": { + "type": "AppendToStringVariable", + "inputs": { + "name": "New tag", + "value": "@concat(items('For_each_-_new_tag')?['labelName'], '; ')" + } + } + }, + "type": "Foreach" + } + }, + "runAfter": { + "Condition_-_alert_updated": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "contains": [ + "@triggerBody()?['incidentUpdates']?['updatedFields']", + "Labels" + ] + } + ] + }, + "type": "If" + }, + "Update_Record_-_incident_not_closed": { + "runAfter": { + "Condition_-_status_update": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "comments": "Microsoft Sentinel incident is updated: Update fields: @{join(triggerBody()?['incidentUpdates']?['updatedFields'], '; ')} Update by: @{triggerBody()?['incidentUpdates']?['updatedBy']?['name']} New values: @{outputs('Compose_alert')} @{outputs('Compose_severity')} @{outputs('Compose_owner')} @{outputs('Compose_status')} @{outputs('Compose_tag')} @{outputs('Compose_comment')} @{outputs('Compose_tactics')}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['service-now_1']['connectionId']" + } + }, + "method": "put", + "path": "/api/now/v2/table/@{encodeURIComponent('incident')}/@{encodeURIComponent(variables('SNOW System ID'))}", + "queries": { + "sysparm_display_value": false, + "sysparm_exclude_reference_link": true + } + } } + } }, "expression": { - "and": [{ - "equals": [ - "@triggerBody()?['incidentUpdates']?['updatedFields']", - "@null" - ] - }] + "and": [ + { + "equals": [ + "@triggerBody()?['object']?['properties']?['status']", + "Closed" + ] + } + ] }, "type": "If" - }, - "Initialize_variable_-_SNOW_System_ID": { - "type": "InitializeVariable", + }, + "Set_variable_-_SNOW_System_ID": { + "type": "SetVariable", "inputs": { - "variables": [{ - "name": "SNOW System ID", - "type": "string" - }] + "name": "SNOW System ID", + "value": "@{split(items('For_each')?['labelName'],': ')[1]}" } + } }, - 
"Initialize_variable_-_alert": { - "runAfter": { - "Initialize_variable_-_comment": [ - "Succeeded" - ] - }, - "type": "InitializeVariable", - "inputs": { - "variables": [{ - "name": "New alert", - "type": "string" - }] + "expression": { + "and": [ + { + "contains": [ + "@items('For_each')?['labelName']", + "SNOW" + ] } + ] }, - "Initialize_variable_-_comment": { - "runAfter": { - "Initialize_variable_-_SNOW_System_ID": [ - "Succeeded" - ] - }, - "type": "InitializeVariable", - "inputs": { - "variables": [{ - "name": "New comments", - "type": "string" - }] - } - }, - "Initialize_variable_-_creation_severity": { - "runAfter": { - "Initialize_variable_-_status": [ - "Succeeded" - ] - }, - "type": "InitializeVariable", - "inputs": { - "variables": [{ - "name": "Creation severity", - "type": "string", - "value": "3" - }] - } - }, - "Initialize_variable_-_owner": { - "runAfter": { - "Initialize_variable_-_tag": [ - "Succeeded" - ] - }, - "type": "InitializeVariable", - "inputs": { - "variables": [{ - "name": "New owner", - "type": "string" - }] - } - }, - "Initialize_variable_-_severity": { - "runAfter": { - "Initialize_variable_-_owner": [ - "Succeeded" - ] - }, - "type": "InitializeVariable", - "inputs": { - "variables": [{ - "name": "New severity", - "type": "string" - }] - } - }, - "Initialize_variable_-_status": { - "runAfter": { - "Initialize_variable_-_severity": [ - "Succeeded" - ] - }, - "type": "InitializeVariable", - "inputs": { - "variables": [{ - "name": "New status", - "type": "string" - }] - } - }, - "Initialize_variable_-_tag": { - "runAfter": { - "Initialize_variable_-_alert": [ - "Succeeded" - ] - }, - "type": "InitializeVariable", - "inputs": { - "variables": [{ - "name": "New tag", - "type": "string" - }] - } - } - } - }, - "parameters": { - "$connections": { - "value": { - "microsoftsentinel": { - "connectionId": "[resourceId('Microsoft.Web/connections', variables('playbook3-MicrosoftsentinelConnectionName'))]", - "connectionName": 
"[variables('playbook3-MicrosoftsentinelConnectionName')]", - "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/Microsoftsentinel')]", - "connectionProperties": { - "authentication": { - "type": "ManagedServiceIdentity" - } - } - }, - "service-now_1": { - "connectionId": "[resourceId('Microsoft.Web/connections', variables('playbook3-ServiceNowConnectionName'))]", - "connectionName": "[variables('playbook3-ServiceNowConnectionName')]", - "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/Service-Now')]" - } - } - } + "type": "If" + } + }, + "type": "Foreach" + } } - }, - "name": "[parameters('playbook3-PlaybookName')]", - "type": "Microsoft.Logic/workflows", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-SentinelTemplateName": "SNOW-CreateAndUpdateIncident", - "hidden-SentinelTemplateVersion": "1.0" - }, - "identity": { - "type": "SystemAssigned" - }, - "apiVersion": "2019-05-01", - "dependsOn": [ - "[resourceId('Microsoft.Web/connections', variables('playbook3-MicrosoftsentinelConnectionName'))]", - "[resourceId('Microsoft.Web/connections', variables('playbook3-ServiceNowConnectionName'))]" - ] - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[variables('playbook3-MicrosoftsentinelConnectionName')]", - "location": "[parameters('workspace-location')]", - "kind": "V1", - "properties": { - "displayName": "[variables('playbook3-MicrosoftsentinelConnectionName')]", - "parameterValueType": "Alternative", - "api": { - "id": "[variables('_playbook-1-connection-2')]" - } - } - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[variables('playbook3-ServiceNowConnectionName')]", - "location": "[parameters('workspace-location')]", - "kind": "V1", - "properties": { - 
"displayName": "[variables('playbook3-ServiceNowConnectionName')]", - "api": { - "id": "[variables('_playbook-3-connection-3')]" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2021-03-01-preview", - "properties": { - "version": "2.0.0", - "kind": "Solution", - "contentId": "[variables('_sourceId')]", - "parentId": "[variables('_sourceId')]", - "source": { - "kind": "Solution", - "name": "CohesitySecurity", - "sourceId": "[variables('_sourceId')]" - }, - "author": { - "name": "Cohesity", - "email": "support@cohesity.com" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Partner", - "link": "https://support.cohesity.com" - }, - "dependencies": { - "operator": "AND", - "criteria": [{ - "kind": "Playbook", - "contentId": "[variables('_playbook1-Cohesity_Send_Incident_Email')]", - "version": "2.0.0" - }, - { - "kind": "Playbook", - "contentId": "[variables('_playbook2-Cohesity_Restore_From_Last_Snapshot')]", - "version": "2.0.0" - }, - { - "kind": "Playbook", - "contentId": "[variables('_playbook3-SNOW-CreateAndUpdateIncident')]", - "version": "2.0.0" - } + }, + "expression": { + "and": [ + { + "equals": [ + "@triggerBody()?['incidentUpdates']?['updatedFields']", + "@null" ] - }, - "firstPublishDate": "2022-10-10", - "providers": [ - "Cohesity" - ], - "categories": { - "domains": [ - "Security - Cloud Security", - "Security - Automation (SOAR)" - ] - } + } + ] + }, + "type": "If" }, - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_sourceId'))]" + "Initialize_variable_-_SNOW_System_ID": { + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "SNOW System ID", + "type": "string" + } + ] + } + }, + "Initialize_variable_-_alert": { + "runAfter": { + "Initialize_variable_-_comment": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "New alert", + "type": 
"string" + } + ] + } + }, + "Initialize_variable_-_comment": { + "runAfter": { + "Initialize_variable_-_SNOW_System_ID": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "New comments", + "type": "string" + } + ] + } + }, + "Initialize_variable_-_creation_severity": { + "runAfter": { + "Initialize_variable_-_status": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "Creation severity", + "type": "string", + "value": "3" + } + ] + } + }, + "Initialize_variable_-_owner": { + "runAfter": { + "Initialize_variable_-_tag": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "New owner", + "type": "string" + } + ] + } + }, + "Initialize_variable_-_severity": { + "runAfter": { + "Initialize_variable_-_owner": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "New severity", + "type": "string" + } + ] + } + }, + "Initialize_variable_-_status": { + "runAfter": { + "Initialize_variable_-_severity": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "New status", + "type": "string" + } + ] + } + }, + "Initialize_variable_-_tag": { + "runAfter": { + "Initialize_variable_-_alert": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "New tag", + "type": "string" + } + ] + } + } + } + }, + "parameters": { + "$connections": { + "value": { + "microsoftsentinel": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('playbook3-MicrosoftsentinelConnectionName'))]", + "connectionName": "[variables('playbook3-MicrosoftsentinelConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/Microsoftsentinel')]", + "connectionProperties": { + "authentication": 
{ + "type": "ManagedServiceIdentity" + } + } + }, + "service-now_1": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('playbook3-ServiceNowConnectionName'))]", + "connectionName": "[variables('playbook3-ServiceNowConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/Service-Now')]" + } + } + } } - ], - "outputs": {} + }, + "name": "[parameters('playbook3-PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[parameters('workspace-location')]", + "tags": { + "hidden-SentinelTemplateName": "Cohesity_CreateOrUpdate_ServiceNow_Incident", + "hidden-SentinelTemplateVersion": "1.0" + }, + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2019-05-01", + "dependsOn": [ + "[resourceId('Microsoft.Web/connections', variables('playbook3-MicrosoftsentinelConnectionName'))]", + "[resourceId('Microsoft.Web/connections', variables('playbook3-ServiceNowConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('playbook3-MicrosoftsentinelConnectionName')]", + "location": "[parameters('workspace-location')]", + "kind": "V1", + "properties": { + "displayName": "[variables('playbook3-MicrosoftsentinelConnectionName')]", + "parameterValueType": "Alternative", + "api": { + "id": "[variables('_playbook-3-connection-2')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('playbook3-ServiceNowConnectionName')]", + "location": "[parameters('workspace-location')]", + "kind": "V1", + "properties": { + "displayName": "[variables('playbook3-ServiceNowConnectionName')]", + "api": { + "id": "[variables('_playbook-3-connection-3')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2021-03-01-preview", + "properties": { + "version": "2.0.0", + "kind": 
"Solution", + "contentId": "[variables('_sourceId')]", + "parentId": "[variables('_sourceId')]", + "source": { + "kind": "Solution", + "name": "CohesitySecurity", + "sourceId": "[variables('_sourceId')]" + }, + "author": { + "name": "Cohesity", + "email": "support@cohesity.com" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Partner", + "link": "https://support.cohesity.com" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "kind": "Playbook", + "contentId": "[variables('_playbook1-Cohesity_Send_Incident_Email')]", + "version": "2.0.0" + }, + { + "kind": "Playbook", + "contentId": "[variables('_playbook2-Cohesity_Restore_From_Last_Snapshot')]", + "version": "2.0.0" + }, + { + "kind": "Playbook", + "contentId": "[variables('_playbook3-Cohesity_CreateOrUpdate_ServiceNow_Incident')]", + "version": "2.0.0" + } + ] + }, + "firstPublishDate": "2022-10-10", + "providers": [ + "Cohesity" + ], + "categories": { + "domains": [ + "Security - Cloud Security", + "Security - Automation (SOAR)" + ] + } + }, + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_sourceId'))]" + } + ], + "outputs": {} } diff --git a/Solutions/CohesitySecurity/Playbooks/SNOW-CreateAndUpdateIncident/azuredeploy.json b/Solutions/CohesitySecurity/Playbooks/Cohesity_CreateOrUpdate_ServiceNow_Incident/azuredeploy.json similarity index 99% rename from Solutions/CohesitySecurity/Playbooks/SNOW-CreateAndUpdateIncident/azuredeploy.json rename to Solutions/CohesitySecurity/Playbooks/Cohesity_CreateOrUpdate_ServiceNow_Incident/azuredeploy.json index b2a505246d..4cbe1225a6 100644 --- a/Solutions/CohesitySecurity/Playbooks/SNOW-CreateAndUpdateIncident/azuredeploy.json +++ b/Solutions/CohesitySecurity/Playbooks/Cohesity_CreateOrUpdate_ServiceNow_Incident/azuredeploy.json 
@@ -20,7 +20,7 @@
 },
 "parameters": {
 "PlaybookName": {
- "defaultValue": "SNOW-CreateAndUpdateIncident",
+ "defaultValue": "Cohesity_CreateOrUpdate_ServiceNow_Incident",
 "type": "string"
 }
 },
@@ -656,7 +656,7 @@
 "type": "Microsoft.Logic/workflows",
 "location": "[resourceGroup().location]",
 "tags": {
- "hidden-SentinelTemplateName": "SNOW-CreateAndUpdateIncident",
+ "hidden-SentinelTemplateName": "Cohesity_CreateOrUpdate_ServiceNow_Incident",
 "hidden-SentinelTemplateVersion": "1.0"
 },
 "identity": {
@@ -679,7 +679,7 @@
 "customParameterValues": {},
 "parameterValueType": "Alternative",
 "api": {
- "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]"
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Microsoftsentinel')]"
 }
 }
 },
diff --git a/Solutions/CohesitySecurity/Playbooks/SNOW-CreateAndUpdateIncident/readme.md b/Solutions/CohesitySecurity/Playbooks/Cohesity_CreateOrUpdate_ServiceNow_Incident/readme.md
similarity index 65%
rename from Solutions/CohesitySecurity/Playbooks/SNOW-CreateAndUpdateIncident/readme.md
rename to Solutions/CohesitySecurity/Playbooks/Cohesity_CreateOrUpdate_ServiceNow_Incident/readme.md
index 9210eb9f6b..6283d0dcf0 100644
--- a/Solutions/CohesitySecurity/Playbooks/SNOW-CreateAndUpdateIncident/readme.md
+++ b/Solutions/CohesitySecurity/Playbooks/Cohesity_CreateOrUpdate_ServiceNow_Incident/readme.md
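Review bot: The managed API id of the Sentinel connection is switched from `Azuresentinel` to `Microsoftsentinel` only in this playbook; the Restore playbook's Sentinel connection in the same commit still carries `'/managedApis/Azuresentinel'` as a context line in its `@@ -320,6 +344,20 @@` hunk, so the solution now declares two differently named Sentinel managed APIs. If the rename is deliberate, the corresponding `id` line in Cohesity_Restore_From_Last_Snapshot/azuredeploy.json (and presumably Cohesity_Send_Incident_Email, whose connection block is not visible here) should change in the same commit; if the two are meant to differ, the commit message should say why. The enclosing connection resource starts and ends outside this hunk.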
@@ -1,13 +1,13 @@ -# Cohesity Create or Update ServiceNow Incident +# Cohesity Create or Update ServiceNow Incident ## Summary -This playbook creates a ticket in ServiceNow. It can be also used for updating ticket information or closing it. For example, an automation rule can be created to close the ServiceNow ticket by running this playbook when the corresponding Sentinel ticket is closed ([details](https://github.com/cohesity/Azure-Sentinel/blob/CohesitySecurity.internal/Solutions/Servicenow/Playbooks/SNOW-CreateAndUpdateIncident/readme.md)). +This playbook creates a ticket in ServiceNow. It can be also used for updating ticket information or closing it. For example, an automation rule can be created to close the ServiceNow ticket by running this playbook when the corresponding Sentinel ticket is closed ([details](https://github.com/cohesity/Azure-Sentinel/blob/CohesitySecurity.internal/Solutions/Servicenow/Playbooks/Cohesity_CreateOrUpdate_ServiceNow_Incident/readme.md)). ## Prerequisites 1. Create an account for [ServiceNow](https://signon.service-now.com/x_snc_sso_auth.do). ## Deployment instructions 1. Deploy the playbook by clicking on the "Deploy to Azure" button. This will take you to deploying an ARM Template wizard. -[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fcohesity%2FAzure-Sentinel%2FCohesitySecurity.internal%2FSolutions%2FCohesitySecurity%2FPlaybooks%2FSNOW-CreateAndUpdateIncident%2Fazuredeploy.json) +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fcohesity%2FAzure-Sentinel%2FCohesitySecurity.internal%2FSolutions%2FCohesitySecurity%2FPlaybooks%2FCohesity_CreateOrUpdate_ServiceNow_Incident%2Fazuredeploy.json) 2. Fill in the required parameters: * __Playbook Name:__ Enter the playbook name here. 
@@ -16,13 +16,12 @@ This playbook creates a ticket in ServiceNow. It can be also used for updating t * Go to _Logic Apps_. * Choose your app (playbook). * Select _Development Tools\API Connections_. -* Select a connection you'd like to authorize. Usually, such a connection contains your playbook name. For example, if your playbook is called **My-SNOW-CreateAndUpdateIncident**, then the connection _can_ be called _Service-Now-_**My-SNOW-CreateAndUpdateIncident**. -* Click on _General\Edit API Connection_. -* Enter path to your instance, e.g. dev12345. +* Select a connection you'd like to authorize. +* Click on General\Edit API Connection. +* Enter path to your instance, e.g. https://dev12345.service-now.com. * Enter username. * Enter password. * Click Save. -**Note:** Your ServiceNow credentials can be found in your ServiceNow instance account profile (see _Instance Action\Manage Instance Password_). Alternatively, you can follow these steps to achieve the same goal. This would be especially useful if the previous steps didn’t work for you. * Go to _Logic Apps_. 
@@ -38,15 +37,5 @@ * Choose the _Access Control (IAM)_ option from the left pane. * Click on _Add > Add Role Assignment_ and add _Microsoft Sentinel Responder_ managed identity role to the playbook.
-3. (Recommendation). Create automation rule to close ServiceNow tickets when the corresponding ticket is closed.
-* Choose _Automation_ in the _Configuration_ pane.
-* Select _Create/Automation rule_.
-* In the _Create new automation rule_ window, enter your new rule name, e.g. _Close ServiceNow Ticket_.
-* In the _Trigger_ list, select _When incident is updated_.
-* Add the condition _Tag contains_ **SNOW System ID:**.
-* Add the condition _Status chaged to_ **Close**.
-* In _Actions/Run playbook_ select your playbook.
-* Click _Apply_.
-
 # References
- - [Cohesity support documentation](https://docs.cohesity.com/ui/login?redirectPath=%2FHomePage%2FContent%2FTechGuides%2FTechnicalGuides.htm).
+ - [Cohesity support documentation](https://docs.cohesity.com/ui/login?redirectPath=%2FHomePage%2FContent%2FTechGuides%2FTechnicalGuides.htm)
diff --git a/Solutions/CohesitySecurity/Playbooks/Cohesity_Restore_From_Last_Snapshot/azuredeploy.json b/Solutions/CohesitySecurity/Playbooks/Cohesity_Restore_From_Last_Snapshot/azuredeploy.json
index a31c9ab4cd..900dd266f0 100644
--- a/Solutions/CohesitySecurity/Playbooks/Cohesity_Restore_From_Last_Snapshot/azuredeploy.json
+++ b/Solutions/CohesitySecurity/Playbooks/Cohesity_Restore_From_Last_Snapshot/azuredeploy.json
@@ -26,7 +26,8 @@
 },
 "variables": {
 "AzureblobConnectionName": "[concat('Azureblob-', parameters('PlaybookName'))]",
- "MicrosoftSentinelConnectionName": "[concat('MicrosoftSentinel-', parameters('PlaybookName'))]"
+ "MicrosoftSentinelConnectionName": "[concat('MicrosoftSentinel-', parameters('PlaybookName'))]",
+ "KeyvaultConnectionName": "[concat('Keyvault-', parameters('PlaybookName'))]"
 },
 "resources": [{
 "properties": {
@@ -190,12 +191,29 @@
 }
 }
 },
- "HTTP": {
+ "Get_secret": {
 "runAfter": {
 "Get_object_from_blob_content": [
 "Succeeded"
 ]
 },
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['keyvault']['connectionId']"
+ }
+ },
+ "method": "get",
+ "path": "/secrets/@{encodeURIComponent('ApiKey')}/value"
+ }
+ },
+ "HTTP": {
+ "runAfter": {
+ "Get_secret": [
+ "Succeeded"
+ ]
+ },
 "type": "Http",
 "inputs": {
 "body": {
@@ -218,7 +236,7 @@
 },
 "headers": {
 "Content-Type": "application/json",
- "apiKey": "33e44eac-ce99-46df-7f4e-9ac39446a66e",
+ "apiKey": "@body('Get_secret')?['value']",
 "clusterid": "@{body('Get_cid_from_blob_content')}"
 },
 "method": "POST",
@@ -271,6 +289,11 @@
 "type": "ManagedServiceIdentity"
 }
 }
+ },
+ "keyvault": {
+ "connectionId": "[resourceId('Microsoft.Web/connections', variables('KeyvaultConnectionName'))]",
+ "connectionName": "[variables('KeyvaultConnectionName')]",
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Keyvault')]"
 }
 }
 }
@@ -289,7 +312,8 @@
 "apiVersion": "2019-05-01",
 "dependsOn": [
 "[resourceId('Microsoft.Web/connections', variables('AzureblobConnectionName'))]",
- "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]"
+ "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
+ "[resourceId('Microsoft.Web/connections', variables('KeyvaultConnectionName'))]"
 ]
 },
 {
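Review bot: `Get_secret` returns the API key in its action outputs and `HTTP` then consumes it as an input, and the Logic Apps run history keeps action inputs and outputs readable unless the action opts into secure data handling, so anyone with read access to run history can recover the key this commit just moved out of source. Add `"runtimeConfiguration": { "secureData": { "properties": [ "inputs", "outputs" ] } }` to the `Get_secret` action, and the same `secureData` block to the `HTTP` action so the `apiKey` header is masked as well. The secret name `ApiKey` is also hard-coded in the `path`; a template parameter would let a deployment point at a differently named secret without editing the workflow definition.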
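Review bot: The `apiKey` value on the removed line of the `@@ -218,7 +236,7 @@` hunk was a live credential committed to source, and moving it to Key Vault does not remove it from repository history, so it should be treated as exposed: revoke it on the Helios side and store a freshly issued key as the `ApiKey` secret rather than the same value. The `$connections` entry added in the `@@ -271,6 +289,11 @@` hunk also lacks the `connectionProperties.authentication` block of type `ManagedServiceIdentity` that the Sentinel entry just above it carries, so it is worth confirming how this connection is meant to authenticate. The enclosing `HTTP` action and `$connections` object both start outside their hunks.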
@@ -320,6 +344,20 @@
 "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]"
 }
 }
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[variables('KeyvaultConnectionName')]",
+ "location": "[resourceGroup().location]",
+ "kind": "V1",
+ "properties": {
+ "displayName": "[variables('KeyvaultConnectionName')]",
+ "customParameterValues": {},
+ "api": {
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Keyvault')]"
+ }
+ }
 }
 ]
 }
diff --git a/Solutions/CohesitySecurity/Playbooks/Cohesity_Send_Incident_Email/azuredeploy.json b/Solutions/CohesitySecurity/Playbooks/Cohesity_Send_Incident_Email/azuredeploy.json
index e88888153b..96ee88653a 100644
--- a/Solutions/CohesitySecurity/Playbooks/Cohesity_Send_Incident_Email/azuredeploy.json
+++ b/Solutions/CohesitySecurity/Playbooks/Cohesity_Send_Incident_Email/azuredeploy.json
@@ -78,9 +78,9 @@
 }]
 }
 },
- "Send_an_email_(V2)": {
+ "Send_email_(V2)": {
 "runAfter": {
- "Set_variable": [
+ "Set_variable_2": [
 "Succeeded"
 ]
 },
@@ -101,7 +101,7 @@
 "path": "/v2/Mail"
 }
 },
- "Set_variable": {
+ "Set_variable_2": {
 "runAfter": {
 "Initialize_variable": [
 "Succeeded"
diff --git a/Solutions/CohesitySecurity/readme.md b/Solutions/CohesitySecurity/readme.md
index 4bd36a7e82..ca2f6f7c9f 100644
--- a/Solutions/CohesitySecurity/readme.md
+++ b/Solutions/CohesitySecurity/readme.md
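Review bot: The new Key Vault `Microsoft.Web/connections` resource declares only `"customParameterValues": {}` and no authentication parameter set, unlike the Sentinel connection in Cohesity_CreateOrUpdate_ServiceNow_Incident/azuredeploy.json which carries `"parameterValueType": "Alternative"`, so after deployment this connection stays unauthorized until someone fixes it by hand and every run fails at `Get_secret` until then. If the workflow's system-assigned identity is meant to read the secret, the Key Vault connector accepts a managed-identity parameter value set (`"parameterValueSet": { "name": "managedIdentityAuth", "values": {} }`, to be confirmed against the connector's current schema) and the identity then needs secret-read permission on the vault, which the template does not grant. Either way the playbook readme should describe the authorization and vault-permission steps, and this commit adds neither.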
@@ -14,13 +14,13 @@ __Disclaimer:__ You can skip these steps and use one of the pre-built packages f 4. Follow [readme.md](https://github.com/cohesity/Azure-Sentinel/blob/CohesitySecurity.internal/Solutions/README.md) for post-build manual validation. ## Deployment -The package consists of the following Azure functions ([install pre-requisites](https://github.com/cohesity/Azure-Sentinel/tree/CohesitySecurity.internal/DataConnectors/CohesitySecurity/Helios2Sentinel#readme)) -* _IncidentProducer_ to retrieve Helios alerts via a special REST API ([deployment steps](https://github.com/cohesity/Azure-Sentinel/blob/CohesitySecurity.internal/DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentProducer/readme.md)) -* _IncidentConsumer_ to create incidents in MS Sentinel ([deployment steps](https://github.com/cohesity/Azure-Sentinel/blob/CohesitySecurity.internal/DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentConsumer/readme.md)) +The package consists of the following Azure functions ([install pre-requisites](https://github.com/cohesity/Azure-Sentinel/tree/CohesitySecurity.internal/Solutions/CohesitySecurity/Data\ Connectors/Helios2Sentinel#readme)) +* _IncidentProducer_ to retrieve Helios alerts via a special REST API ([deployment steps](https://github.com/cohesity/Azure-Sentinel/blob/CohesitySecurity.internal/Solutions/CohesitySecurity/Data\ Connectors/Helios2Sentinel/IncidentProducer/readme.md)) +* _IncidentConsumer_ to create incidents in MS Sentinel ([deployment steps](https://github.com/cohesity/Azure-Sentinel/blob/CohesitySecurity.internal/Solutions/CohesitySecurity/Data\ Connectors/Helios2Sentinel/IncidentConsumer/readme.md)) It also has a few playbooks for automation. * *Cohesity_Send_Incident_Email* to send an email to the recipient with the incident details ([deployment steps](https://github.com/cohesity/Azure-Sentinel/tree/CohesitySecurity.internal/Solutions/CohesitySecurity/Playbooks/Cohesity_Send_Incident_Email#readme.md)). 
-* *Cohesity_CreateOrUpdate_ServiceNow_Incident* to create and update the incident in the ServiceNow platform ([deployment steps](https://github.com/cohesity/Azure-Sentinel/tree/CohesitySecurity.internal/Solutions/CohesitySecurity/Playbooks/SNOW-CreateAndUpdateIncident#readme.md)). +* *Cohesity_CreateOrUpdate_ServiceNow_Incident* to create and update the incident in the ServiceNow platform ([deployment steps](https://github.com/cohesity/Azure-Sentinel/tree/CohesitySecurity.internal/Solutions/CohesitySecurity/Playbooks/Cohesity_CreateOrUpdate_ServiceNow_Incident#readme.md)). * *Cohesity_Restore_From_Last_Snapshot* to restore data from the latest clean snapshot in Helios ([deployment steps](https://github.com/cohesity/Azure-Sentinel/tree/CohesitySecurity.internal/Solutions/CohesitySecurity/Playbooks/Cohesity_Restore_From_Last_Snapshot#readme.md)) ## Misc diff --git a/Tools/Create-Azure-Sentinel-Solution/input/Solution_CohesitySecurity.json b/Tools/Create-Azure-Sentinel-Solution/input/Solution_CohesitySecurity.json index 630dd3c85a..4885754f57 100644 --- a/Tools/Create-Azure-Sentinel-Solution/input/Solution_CohesitySecurity.json +++ b/Tools/Create-Azure-Sentinel-Solution/input/Solution_CohesitySecurity.json @@ -5,7 +5,7 @@ "Playbooks": [ "Playbooks/Cohesity_Send_Incident_Email/azuredeploy.json", "Playbooks/Cohesity_Restore_From_Last_Snapshot/azuredeploy.json", - "Playbooks/SNOW-CreateAndUpdateIncident/azuredeploy.json" + "Playbooks/Cohesity_CreateOrUpdate_ServiceNow_Incident/azuredeploy.json" ], "BasePath": "Solutions/CohesitySecurity", "Version": "2.0.0",