Azure
/
Azure-Sentinel
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Merge pull request #11383 from acitatorq/TorqPlaybookContribution 

Contributed a new Azure Sentinel solution for Torq which includes a n…
This commit is contained in:
v-atulyadav 2024-11-21 15:17:53 +05:30 коммит произвёл GitHub
Родитель efb2dc0058 36f8ea8f9d
Коммит 314e4086e0
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: B5690EEEBB952194
12 изменённых файлов: 740 добавлений и 0 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

23
Logos/Torq.svg Normal file
Просмотреть файл

@ -0,0 +1,23 @@
<?xml version="1.0" encoding="utf-8"?>
<!-- Generator: Adobe Illustrator 27.2.0, SVG Export Plug-In . SVG Version: 6.00 Build 0) -->
<svg version="1.1" xmlns="http://www.w3.org/2000/svg" x="0px" y="0px" viewBox="0 0 465.2 153" xml:space="preserve">
<g id="ad0ff500-28cf-48cb-a9eb-87923a39e235">
<path id="61c7e63d-3ff9-4208-853f-fee0c4db6100" d="M24.1,42.6h27.7V21.4H24.1V0H0l0,94.1c0,15.4,9.6,25.4,24.4,25.4h27.6V97.4h-28V42.6z"/>
<path id="032b136e-d2e8-4252-9bd5-8939ea51db97" d="M135.1,25.8c-7.9-4.4-16.9-6.6-26.6-6.6s-18.7,2.2-26.6,6.6C73.9,30.2,67.6,36.4,63,44.2
c-4.5,7.8-6.8,16.6-6.8,26.3s2.3,18.4,6.8,26.2c4.5,7.8,10.8,14,18.8,18.4c7.9,4.4,16.9,6.7,26.7,6.7s18.7-2.2,26.6-6.7
c7.9-4.4,14.2-10.6,18.8-18.4c4.5-7.8,6.8-16.6,6.8-26.2s-2.3-18.4-6.8-26.2S143,30.2,135.1,25.8L135.1,25.8z M136.1,70.5
c0,8.3-2.6,15.1-7.8,20.4c-5.2,5.3-11.8,7.9-19.8,7.9s-14.7-2.7-19.8-7.9c-5.2-5.3-7.8-12.1-7.8-20.4s2.6-15.1,7.8-20.4
c5.2-5.3,11.8-7.9,19.8-7.9s14.7,2.7,19.8,7.9C133.4,55.3,136.1,62.2,136.1,70.5z"/>
<path id="29051368-da39-4ce7-979a-1faf1186d6aa" d="M172,43.2v76.5h24.1V42.9h28.1V21h-29.4C180.1,21,172,34.1,172,43.2z"/>
<path id="3e80d3bf-565a-404a-b33b-fb4f981fc26a" d="M309.5,21.4v8.1c-8.2-6.4-18.5-10.2-30.2-10.4c-6.9,0.1-13.5,1.4-19.5,3.9c-6.2,2.6-12.1,6.5-16.5,10.9
c-4.3,4.4-7.8,9.9-10.4,16.3c-2.7,6.7-4,13.5-4,20.3s1.4,14.1,4.1,20.7c2.4,5.9,5.9,11.1,10.6,16c4.3,4.4,9.9,8.1,16.3,10.8
c6,2.5,12.6,3.7,20.2,3.7c10.8,0,19.2-2.6,28-8.5l0.1,39.8h24.3V21.4H309.5L309.5,21.4z M301.2,90.6c-5.7,5.8-11.6,8.2-19.8,8.2
c-8.6,0-15-2.5-20.4-8c-5.6-5.7-8.1-11.9-8.1-20.2s2.8-14.9,8.4-20.6c5.3-5.4,11.5-7.8,20.2-7.8c7.9,0,14.1,2.6,19.7,8.2
c5.6,5.6,8.1,11.8,8.1,20.2S306.8,85,301.2,90.6L301.2,90.6z"/>
</g>
<g id="e09b82cb-c61c-4aaf-8c2d-c80d2be1b8b7">
<path d="M465.2,29.4c0-4.8-5.3-9.2-10.7-9.2h-47.7v22.5h58.4C465.2,42.7,465.2,29.3,465.2,29.4z"/>
<rect x="359.3" y="58.9" width="105.9" height="22.5"/>
<path d="M359.4,97.7v13c0,4.9,5.3,9.5,10.7,9.5h48.7V97.7L359.4,97.7L359.4,97.7z"/>
</g>
</svg>
Режим "рядом"

После

Ширина:  |  Высота:  |  Размер: 2.0 KiB

16
Solutions/Torq/Data/Solution_Torq.json Normal file
Просмотреть файл

@ -0,0 +1,16 @@
{
"Name": "Torq",
"Author": "Torq - support@torq.io",
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Torq.svg\" width=\"75px\" height=\"75px\">",
"Description": "[Torq](https://www.recordedfuture.com/) is the AI-Driven Hyperautomation Platform that helps security teams automate more faster",
"Analytic Rules": [],
"Playbooks": [
"Playbooks/Torq-Sentinel-Incident-Trigger/azuredeploy.json"
],
"Workbooks": [],
"BasePath": "Users\\acitatorq\\git\\github\\Azure-Sentinel\\Solutions\\Torq",
"Version": "3.0.0",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true,
"Is1Pconnector": false
}

Двоичные данные
Solutions/Torq/Package/3.0.0.zip Normal file
Просмотреть файл

Двоичный файл не отображается.

89
Solutions/Torq/Package/createUiDefinition.json Normal file
Просмотреть файл

@ -0,0 +1,89 @@
{
"$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
"handler": "Microsoft.Azure.CreateUIDef",
"version": "0.1.2-preview",
"parameters": {
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Torq.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Torq/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\n[Torq](https://www.recordedfuture.com/) is the AI-Driven Hyperautomation Platform that helps security teams automate more faster\n\n**Playbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
"Microsoft.OperationalInsights/workspaces/providers/alertRules",
"Microsoft.Insights/workbooks",
"Microsoft.Logic/workflows"
]
},
"location": {
"metadata": {
"hidden": "Hiding location, we get it from the log analytics workspace"
},
"visible": false
},
"resourceGroup": {
"allowExisting": true
}
}
},
"basics": [
{
"name": "getLAWorkspace",
"type": "Microsoft.Solutions.ArmApiControl",
"toolTip": "This filters by workspaces that exist in the Resource Group selected",
"condition": "[greater(length(resourceGroup().name),0)]",
"request": {
"method": "GET",
"path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
}
},
{
"name": "workspace",
"type": "Microsoft.Common.DropDown",
"label": "Workspace",
"placeholder": "Select a workspace",
"toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
"constraints": {
"allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
"required": true
},
"visible": true
}
],
"steps": [
{
"name": "playbooks",
"label": "Playbooks",
"subLabel": {
"preValidation": "Configure the playbooks",
"postValidation": "Done"
},
"bladeTitle": "Playbooks",
"elements": [
{
"name": "playbooks-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This solution installs the Playbook templates to help implement your Security Orchestration, Automation and Response (SOAR) operations. After installing the solution, these will be deployed under Playbook Templates in the Automation blade in Microsoft Sentinel. They can be configured and managed from the Manage solution view in Content Hub."
}
},
{
"name": "playbooks-link",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-respond-threats-playbook?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
}
}
}
]
}
],
"outputs": {
"workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
"location": "[location()]",
"workspace": "[basics('workspace')]"
}
}
}

343
Solutions/Torq/Package/mainTemplate.json Normal file
Просмотреть файл

@ -0,0 +1,343 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"author": "Torq - support@torq.io",
"comments": "Solution template for Torq"
},
"parameters": {
"location": {
"type": "string",
"minLength": 1,
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
}
},
"workspace-location": {
"type": "string",
"defaultValue": "",
"metadata": {
"description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
}
},
"workspace": {
"defaultValue": "",
"type": "string",
"metadata": {
"description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
}
}
},
"variables": {
"email": "support@torq.io",
"_email": "[variables('email')]",
"_solutionName": "Torq",
"_solutionVersion": "3.0.0",
"solutionId": "torq.torq_sentinel_solution",
"_solutionId": "[variables('solutionId')]",
"Torq-Sentinel-Incident-Trigger": "Torq-Sentinel-Incident-Trigger",
"_Torq-Sentinel-Incident-Trigger": "[variables('Torq-Sentinel-Incident-Trigger')]",
"TemplateEmptyArray": "[json('[]')]",
"playbookVersion1": "1.0",
"playbookContentId1": "Torq-Sentinel-Incident-Trigger",
"_playbookContentId1": "[variables('playbookContentId1')]",
"playbookId1": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId1'))]",
"playbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId1'))))]",
"workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
"_playbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId1'),'-', variables('playbookVersion1'))))]",
"_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
},
"resources": [
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
"name": "[variables('playbookTemplateSpecName1')]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "Sentinel_Incident_Sync_to_Torq Playbook with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion1')]",
"parameters": {
"PlaybookName": {
"defaultValue": "Sentinel_Incident_Sync_to_Torq",
"type": "String"
},
"Torq_Webhook_Enpoint_URL": {
"defaultValue": "https://hooks.torq.io/v1/webhooks/125a9209-9ed6-4216-b5cd-10567f2164f5",
"type": "String"
},
"Torq_Webhook_Auth_Header_Name": {
"defaultValue": "X-Torq-Auth",
"type": "String"
},
"Torq_Webhook_Auth_Header_Secret": {
"defaultValue": "secr3tP@ssw0rd",
"type": "String"
}
},
"variables": {
"AzureSentinelConnectionName": "[[concat('azuresentinel-', parameters('PlaybookName'))]",
"connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
"_connection-1": "[[variables('connection-1')]",
"workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
"workspace-name": "[parameters('workspace')]",
"workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
},
"resources": [
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[[variables('AzureSentinelConnectionName')]",
"location": "[[variables('workspace-location-inline')]",
"kind": "V1",
"properties": {
"displayName": "[[variables('AzureSentinelConnectionName')]",
"parameterValueType": "Alternative",
"api": {
"id": "[[variables('_connection-1')]"
}
}
},
{
"type": "Microsoft.Logic/workflows",
"apiVersion": "2017-07-01",
"name": "[[parameters('PlaybookName')]",
"location": "[[variables('workspace-location-inline')]",
"identity": {
"type": "SystemAssigned"
},
"dependsOn": [
"[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]"
],
"properties": {
"state": "Enabled",
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"Torq_Webhook_Enpoint_URL": {
"defaultValue": "[[parameters('Torq_Webhook_Enpoint_URL')]",
"type": "String"
},
"Torq_Webhook_Auth_Header_Name": {
"defaultValue": "[[parameters('Torq_Webhook_Auth_Header_Name')]",
"type": "String"
},
"Torq_Webhook_Auth_Header_Secret": {
"defaultValue": "[[parameters('Torq_Webhook_Auth_Header_Secret')]",
"type": "String"
},
"$connections": {
"type": "Object"
}
},
"staticResults": {
"HTTP0": {
"status": "Succeeded",
"outputs": {
"statusCode": "OK"
}
}
},
"triggers": {
"Microsoft_Sentinel_incident": {
"type": "ApiConnectionWebhook",
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"body": {
"callback_url": "@{listCallbackUrl()}"
},
"path": "/incident-creation"
},
"conditions": "[variables('TemplateEmptyArray')]",
"runtimeConfiguration": {
"concurrency": {
"runs": 10,
"maximumWaitingRuns": 50
}
}
}
},
"actions": {
"Send_Notification_to_Torq": {
"limit": {
"timeout": "PT30S"
},
"type": "Http",
"inputs": {
"uri": "@parameters('Torq_Webhook_Enpoint_URL')",
"method": "POST",
"headers": {
"@{parameters('Torq_Webhook_Auth_Header_Name')}": "@{parameters('Torq_Webhook_Auth_Header_Secret')}"
},
"body": "@triggerBody()"
},
"operationOptions": "DisableAsyncPattern"
},
"Terminate_Success": {
"runAfter": {
"Send_Notification_to_Torq": [
"Succeeded"
]
},
"type": "Terminate",
"inputs": {
"runStatus": "Succeeded"
}
}
}
},
"parameters": {
"$connections": {
"value": {
"azuresentinel": {
"id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
"connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
"connectionName": "[[variables('AzureSentinelConnectionName')]",
"connectionProperties": {
"authentication": {
"type": "ManagedServiceIdentity"
}
}
}
}
}
}
},
"tags": {
"hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId1'),'/'))))]",
"properties": {
"parentId": "[variables('playbookId1')]",
"contentId": "[variables('_playbookContentId1')]",
"kind": "Playbook",
"version": "[variables('playbookVersion1')]",
"source": {
"kind": "Solution",
"name": "Torq",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Torq",
"email": "[variables('_email')]"
},
"support": {
"name": "Torq Support Team",
"email": "support@torq.io",
"tier": "Partner",
"link": "https://support.torq.io"
}
}
}
],
"metadata": {
"title": "Notify Sentinel Incident Creation and Update to Torq Webhook",
"description": "Sends an HTTPS request to a webhook trigger in Torq everytime a new Incident is created or updated in Microsoft Sentinel",
"documentation": "https://kb.torq.io/en/articles/9024676-configure-microsoft-sentinel-and-torq-to-trigger-torq-workflows-on-incident-creation-and-update",
"prerequisites": [
"Prior to the deployment of this playbook, create a new Microsoft Sentinel Trigger integration in Torq",
"Take note of the endpoint URL, the authentication header name, and the authentication header secret configured in the Microsoft Sentinel Trigger integration"
],
"postDeployment": [
"After deployment browse to your Microsoft Sentinel workspace > Configuration > Automation, Click Create and select Automation rule to create a new automation rule meant to send a notification to Torq when a new Sentinel Incident is created.",
"Give the automation rule a meaningful name",
"From the Trigger drop-down menu, select When incident is created or updated",
"From the Actions drop-down menu, select Run playbook",
"From the playbook selection drop-down, select the playbook Sentinel_Incident_Sync_to_Torq and click the Apply button"
],
"lastUpdateTime": "2024-11-19T00:00:00Z",
"releaseNotes": [
{
"version": "1.0",
"title": "Torq Sentinel Incident Trigger",
"notes": [
"Initial version"
]
}
]
}
},
"packageKind": "Solution",
"packageVersion": "[variables('_solutionVersion')]",
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
"contentId": "[variables('_playbookContentId1')]",
"contentKind": "Playbook",
"displayName": "Sentinel_Incident_Sync_to_Torq",
"contentProductId": "[variables('_playbookcontentProductId1')]",
"id": "[variables('_playbookcontentProductId1')]",
"version": "[variables('playbookVersion1')]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages",
"apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
"version": "3.0.0",
"kind": "Solution",
"contentSchemaVersion": "3.0.0",
"displayName": "Torq",
"publisherDisplayName": "Torq Support Team",
"descriptionHtml": "<p><strong>Note:</strong> Please refer to the following before installing the solution:</p>\n<p>• Review the solution <a href=\"https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Torq/ReleaseNotes.md\">Release Notes</a></p>\n<p>• There may be <a href=\"https://aka.ms/sentinelsolutionsknownissues\">known issues</a> pertaining to this Solution, please refer to them before installing.</p>\n<p><a href=\"https://www.recordedfuture.com/\">Torq</a> is the AI-Driven Hyperautomation Platform that helps security teams automate more faster</p>\n<p><strong>Playbooks:</strong> 1</p>\n<p><a href=\"https://aka.ms/azuresentinel\">Learn more about Microsoft Sentinel</a> | <a href=\"https://aka.ms/azuresentinelsolutionsdoc\">Learn more about Solutions</a></p>\n",
"contentKind": "Solution",
"contentProductId": "[variables('_solutioncontentProductId')]",
"id": "[variables('_solutioncontentProductId')]",
"icon": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Torq.svg\" width=\"75px\" height=\"75px\">",
"contentId": "[variables('_solutionId')]",
"parentId": "[variables('_solutionId')]",
"source": {
"kind": "Solution",
"name": "Torq",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Torq",
"email": "[variables('_email')]"
},
"support": {
"name": "Torq Support Team",
"email": "support@torq.io",
"tier": "Partner",
"link": "https://support.torq.io"
},
"dependencies": {
"operator": "AND",
"criteria": [
{
"kind": "Playbook",
"contentId": "[variables('_Torq-Sentinel-Incident-Trigger')]",
"version": "[variables('playbookVersion1')]"
}
]
},
"firstPublishDate": "2024-11-19",
"providers": [
"Torq"
],
"categories": {
"domains": [
"Application"
]
}
},
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]"
}
],
"outputs": {}
}

24
Solutions/Torq/Package/testParameters.json Normal file
Просмотреть файл

@ -0,0 +1,24 @@
{
"location": {
"type": "string",
"minLength": 1,
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
}
},
"workspace-location": {
"type": "string",
"defaultValue": "",
"metadata": {
"description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
}
},
"workspace": {
"defaultValue": "",
"type": "string",
"metadata": {
"description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
}
}
}

183
Solutions/Torq/Playbooks/Torq-Sentinel-Incident-Trigger/azuredeploy.json Normal file
Просмотреть файл

@ -0,0 +1,183 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"title": "Notify Sentinel Incident Creation and Update to Torq Webhook",
"description": "Sends an HTTPS request to a webhook trigger in Torq everytime a new Incident is created or updated in Microsoft Sentinel",
"documentation": "https://kb.torq.io/en/articles/9024676-configure-microsoft-sentinel-and-torq-to-trigger-torq-workflows-on-incident-creation-and-update",
"prerequisites": [
"Prior to the deployment of this playbook, create a new Microsoft Sentinel Trigger integration in Torq",
"Take note of the endpoint URL, the authentication header name, and the authentication header secret configured in the Microsoft Sentinel Trigger integration"
],
"postDeployment": [
"After deployment browse to your Microsoft Sentinel workspace > Configuration > Automation, Click Create and select Automation rule to create a new automation rule meant to send a notification to Torq when a new Sentinel Incident is created.",
"Give the automation rule a meaningful name",
"From the Trigger drop-down menu, select When incident is created or updated",
"From the Actions drop-down menu, select Run playbook",
"From the playbook selection drop-down, select the playbook Sentinel_Incident_Sync_to_Torq and click the Apply button"
],
"lastUpdateTime": "2024-11-19T00:00:00.000Z",
"author": {
"name": "Torq"
},
"releaseNotes": [
{
"version": "1.0",
"title": "Torq Sentinel Incident Trigger",
"notes": [ "Initial version" ]
}
]
},
"parameters": {
"PlaybookName": {
"defaultValue": "Sentinel_Incident_Sync_to_Torq",
"type": "String"
},
"Torq_Webhook_Enpoint_URL": {
"defaultValue": "https://hooks.torq.io/v1/webhooks/125a9209-9ed6-4216-b5cd-10567f2164f5",
"type": "String"
},
"Torq_Webhook_Auth_Header_Name": {
"defaultValue": "X-Torq-Auth",
"type": "String"
},
"Torq_Webhook_Auth_Header_Secret": {
"defaultValue": "secr3tP@ssw0rd",
"type": "String"
}
},
"variables": {
"AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]"
},
"resources": [
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('AzureSentinelConnectionName')]",
"location": "[resourceGroup().location]",
"kind": "V1",
"properties": {
"displayName": "[variables('AzureSentinelConnectionName')]",
"customParameterValues": {},
"parameterValueType": "Alternative",
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
}
}
},
{
"type": "Microsoft.Logic/workflows",
"apiVersion": "2017-07-01",
"name": "[parameters('PlaybookName')]",
"location": "[resourceGroup().location]",
"identity": {
"type": "SystemAssigned"
},
"dependsOn": [
"[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]"
],
"properties": {
"state": "Enabled",
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"Torq_Webhook_Enpoint_URL": {
"defaultValue": "[parameters('Torq_Webhook_Enpoint_URL')]",
"type": "String"
},
"Torq_Webhook_Auth_Header_Name": {
"defaultValue": "[parameters('Torq_Webhook_Auth_Header_Name')]",
"type": "String"
},
"Torq_Webhook_Auth_Header_Secret": {
"defaultValue": "[parameters('Torq_Webhook_Auth_Header_Secret')]",
"type": "String"
},
"$connections": {
"defaultValue": {},
"type": "Object"
}
},
"staticResults": {
"HTTP0": {
"status": "Succeeded",
"outputs": {
"statusCode": "OK"
}
}
},
"triggers": {
"Microsoft_Sentinel_incident": {
"type": "ApiConnectionWebhook",
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"body": {
"callback_url": "@{listCallbackUrl()}"
},
"path": "/incident-creation"
},
"conditions": [],
"runtimeConfiguration": {
"concurrency": {
"runs": 10,
"maximumWaitingRuns": 50
}
}
}
},
"actions": {
"Send_Notification_to_Torq": {
"runAfter": {},
"limit": {
"timeout": "PT30S"
},
"type": "Http",
"inputs": {
"uri": "@parameters('Torq_Webhook_Enpoint_URL')",
"method": "POST",
"headers": {
"@{parameters('Torq_Webhook_Auth_Header_Name')}": "@{parameters('Torq_Webhook_Auth_Header_Secret')}"
},
"body": "@triggerBody()"
},
"operationOptions": "DisableAsyncPattern"
},
"Terminate_Success": {
"runAfter": {
"Send_Notification_to_Torq": [
"Succeeded"
]
},
"type": "Terminate",
"inputs": {
"runStatus": "Succeeded"
}
}
},
"outputs": {}
},
"parameters": {
"$connections": {
"value": {
"azuresentinel": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]",
"connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
"connectionName": "[variables('AzureSentinelConnectionName')]",
"connectionProperties": {
"authentication": {
"type": "ManagedServiceIdentity"
}
}
}
}
}
}
}
}
]
}

Двоичные данные
Solutions/Torq/Playbooks/Torq-Sentinel-Incident-Trigger/playbook_screenshot.png Normal file
Просмотреть файл

Двоичный файл не отображается.
Режим "рядом"

После

Ширина:  |  Высота:  |  Размер: 40 KiB

43
Solutions/Torq/Playbooks/Torq-Sentinel-Incident-Trigger/readme.md Normal file
Просмотреть файл

@ -0,0 +1,43 @@
# Torq-Sentinel-Incident-Trigger
## Summary
When a new Sentinel Incident is created or updated, this playbook gets triggered and sends a notification (HTTPS POST Request) to a Microsoft Sentinel Webhook in Torq.
<img src="./playbook_screenshot.png" width="50%"/><br>
### Prerequisites
1. Prior to the deployment of this playbook, create a new Microsoft Sentinel Trigger integration in Torq.
2. Take note of the endpoint URL, the authentication header name, and the authentication header secret configured in the Microsoft Sentinel Trigger integration.
### Deployment instructions
1. To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
2. Fill in the required paramters:
* Playbook Name: Enter the playbook name here
* Torq_Webhook_Enpoint_URL: Enter the endpoint URL for the Microsoft Sentinel Trigger integration previously created in Torq.
* Torq_Webhook_Auth_Header_Name: Enter the authentication header name for the Microsoft Sentinel Trigger integration previously created in Torq.
* Torq_Webhook_Auth_Header_Secret: Enter the authentication header secret for the Microsoft Sentinel Trigger integration previously created in Torq.
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FTorq%2FPlaybooks%2FPlaybooks%2FTorq-Sentinel-Incident-Trigger%2Fazuredeploy.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FTorq%2FPlaybooks%2FPlaybooks%2FTorq-Sentinel-Incident-Trigger%2Fazuredeploy.json)
### Post-Deployment instructions
1. Browse to your Microsoft Sentinel workspace > Configuration > Automation
2. Click "+ Create" and select "Automation rule" to create a new automation rule meant to send a notification to Torq when a new Sentinel Incident is **created**.
3. Give the automation rule a meaningful name, like "Notify Torq when new Sentinel Incident is created".
4. From the "Trigger" drop-down menu, select **"When incident is created"**.
5. Leave "Conditions" to its default values.
6. From the "Actions" drop-down menu, select "Run playbook".
7. From the playbook selection drop-down, select the playbook "Sentinel_Incident_Sync_to_Torq"
8. Click the "Apply" button.
9. Click "+ Create" again and select "Automation rule" to create a new automation rule meant to send a notification to Torq when an existing Sentinel Incident is **updated**.
10. Give the automation rule a meaningful name, like "Notify Torq when a Sentinel Incident is updated".
11. From the "Trigger" drop-down menu, select **"When incident is updated"**
12. Leave "Conditions" to its default values.
13. From the "Actions" drop-down menu, select "Run playbook".
14. From the playbook selection drop-down, select the playbook "Sentinel_Incident_Sync_to_Torq"
15. Click the "Apply" button.

Двоичные данные
Solutions/Torq/Playbooks/logo.png Normal file
Просмотреть файл

Двоичный файл не отображается.
Режим "рядом"

После

Ширина:  |  Высота:  |  Размер: 3.4 KiB

4
Solutions/Torq/ReleaseNotes.md Normal file
Просмотреть файл

@ -0,0 +1,4 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|--------------------------------------------------------------------|
| 3.0.0 | 21-11-2023 | Initial Solution Release |

15
Solutions/Torq/SolutionMetadata.json Normal file
Просмотреть файл

@ -0,0 +1,15 @@
{
"publisherId": "torq",
"offerId": "torq_sentinel_solution",
"firstPublishDate": "2024-11-19",
"providers": ["Torq"],
"categories": {
"domains" : ["Application"]
},
"support": {
"name": "Torq Support Team",
"email": "support@torq.io",
"tier": "Partner",
"link": "https://support.torq.io"
}
}