Fixed some bugs caused by missing values in the returned JSON

This commit is contained in:
Sebmolendijk 2020-12-16 14:49:01 +01:00
Родитель 63954d2248
Коммит 3f6a00e769
2 изменённых файлов: 971 добавлений и 531 удалений


@ -1,9 +1,8 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
// Template parameters
"parameters": {
"logicAppName": {
"logicAppName": {
"defaultValue": "Get-AlertEntitiesEnrichment",
"type": "String",
"metadata": {
@ -54,7 +53,7 @@
}
},
"resources": [
{
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[parameters('azuresentinel_Connection_Name')]",
@ -122,241 +121,616 @@
}
},
"actions": {
"Users_enrichment": {
"actions": {
"Get_accounts": {
"inputs": {
"body": "@triggerBody()?['Entities']",
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/entities/account"
},
"runAfter": {},
"type": "ApiConnection"
},
"For_each_user": {
"actions": {
"Call_UserEnrichment_LogicApp": {
"description": "Calls the logic app in charge or enriching user details with AAD information",
"inputs": {
"body": {
"userPrincipalName": "@items('For_each_user')?['AadUserId']"
},
"host": {
"triggerName": "manual",
"workflow": {
"id": "[parameters('UserEnrichmentLogicApp')]"
}
"Initialize_comments": {
"inputs": {
"variables": [
{
"name": "comments",
"type": "array"
}
},
"runAfter": {},
"type": "Workflow"
]
},
"Compose_comment_account_details": {
"inputs": "Account details\n
***************\n\n
userPrincipalName: @{body('Call_UserEnrichment_LogicApp')?['userPrincipalName']}\n
id: @{body('Call_UserEnrichment_LogicApp')?['id']}\n
AdminRoles: @{body('Call_UserEnrichment_LogicApp')?['adminRoles']}\n
isMfaRegistered: @{body('Call_UserEnrichment_LogicApp')?['isMfaRegistered']}\n
authMethodsMfa: @{body('Call_UserEnrichment_LogicApp')?['authMethodsMfa']}\n
isSsprRegistered: @{body('Call_UserEnrichment_LogicApp')?['isSsprRegistered']}\n
riskLevel: @{body('Call_UserEnrichment_LogicApp')?['riskLevel']}\n
riskState: @{body('Call_UserEnrichment_LogicApp')?['riskState']}\n
riskDetail: @{body('Call_UserEnrichment_LogicApp')?['riskDetail']}\n
riskLastUpdatedDateTime: @{body('Call_UserEnrichment_LogicApp')?['riskLastUpdatedDateTime']}\n
threatScore: @{body('Call_UserEnrichment_LogicApp')?['threatScore']}\n
threatScoreHistory: @{body('Call_UserEnrichment_LogicApp')?['threatScoreHistory']}\n
locations: @{body('Call_UserEnrichment_LogicApp')?['locations']}\n
ssprActivities: @{body('Call_UserEnrichment_LogicApp')?['ssprActivities']}\n
state: @{body('Call_UserEnrichment_LogicApp')?['state']}\n
AccountEnabled: @{body('Call_UserEnrichment_LogicApp')?['accountEnabled']}\n
createdDateTime: @{body('Call_UserEnrichment_LogicApp')?['createdDateTime']}\n
onPremisesDistinguishedName: @{body('Call_UserEnrichment_LogicApp')?['onPremisesDistinguishedName']}\n
onPremisesDomainName: @{body('Call_UserEnrichment_LogicApp')?['onPremisesDomainName']}\n
onPremisesLastSyncDateTime: @{body('Call_UserEnrichment_LogicApp')?['onPremisesLastSyncDateTime']}\n
onPremisesSamAccountName: @{body('Call_UserEnrichment_LogicApp')?['onPremisesSamAccountName']}\n
onPremisesSecurityIdentifier: @{body('Call_UserEnrichment_LogicApp')?['onPremisesSecurityIdentifier']}\n
onPremisesSyncEnabled: @{body('Call_UserEnrichment_LogicApp')?['onPremisesSyncEnabled']}\n
refreshTokensValidFromDateTime: @{body('Call_UserEnrichment_LogicApp')?['refreshTokensValidFromDateTime']}\n\n\n",
"runAfter": {
"Call_UserEnrichment_LogicApp": [
"Succeeded"
]
},
"type": "Compose"
},
"Add_account_comment_to_incident": {
"inputs": {
"body": {
"Value": "@{outputs('Compose_comment_account_details')}"
"runAfter": {},
"type": "InitializeVariable"
},
"Users_enrichment": {
"actions": {
"Get_accounts": {
"inputs": {
"body": "@triggerBody()?['Entities']",
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/entities/account"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
"runAfter": {},
"type": "ApiConnection"
},
"For_each_user": {
"actions": {
"Compose_username": {
"description": "If AAD object ID is missing, building UPN",
"inputs": "@if(empty(items('For_each_user')?['AadUserId']), concat(items('For_each_user')?['Name'], '@', items('For_each_user')?['UPNSuffix']), items('For_each_user')?['AadUserId'])",
"runAfter": {},
"type": "Compose"
},
"Call_UserEnrichment_LogicApp": {
"description": "Calls the logic app in charge or enriching user details with AAD information",
"inputs": {
"body": {
"userPrincipalName": "@{outputs('Compose_username')}"
},
"host": {
"triggerName": "manual",
"workflow": {
"id": "[parameters('UserEnrichmentLogicApp')]"
}
}
},
"runAfter": {
"Compose_username": [
"Succeeded"
]
},
"type": "Workflow"
},
"MDATP_devices_table": {
"inputs": {
"format": "HTML",
"from": "@body('Call_UserEnrichment_LogicApp')?['devices']?['mdatpDevices']"
},
"runAfter": {
"Inbox_rules_table": [
"Succeeded"
]
},
"type": "Table"
},
"AAD_Devices_table": {
"inputs": {
"format": "HTML",
"from": "@body('Call_UserEnrichment_LogicApp')?['devices']?['aadDevices']"
},
"runAfter": {
"MDATP_devices_table": [
"Succeeded",
"Failed"
]
},
"type": "Table"
},
"Threatscore_History_table": {
"inputs": {
"columns": [
{
"header": "Date",
"value": "@item()?['date']"
},
{
"header": "Score",
"value": "@item()?['score']"
},
{
"header": "ScoreHigherThanXPercent",
"value": "@item()?['percentile']"
}
],
"format": "HTML",
"from": "@body('Call_UserEnrichment_LogicApp')?['threatScoreHistory']?['body']"
},
"runAfter": {
"Call_UserEnrichment_LogicApp": [
"Succeeded"
]
},
"type": "Table"
},
"Admin_roles_table": {
"inputs": {
"columns": [
{
"header": "Name",
"value": "@item()?['displayName']"
},
{
"header": "Description",
"value": "@item()?['description']"
},
{
"header": "Built-in",
"value": "@item()?['isBuiltIn']"
},
{
"header": "Enabled",
"value": "@item()?['isEnabled']"
}
],
"format": "HTML",
"from": "@body('Call_UserEnrichment_LogicApp')?['adminRoles']"
},
"runAfter": {
"Locations_table": [
"Succeeded",
"Failed"
]
},
"type": "Table"
},
"Manager_table": {
"inputs": {
"columns": [
{
"header": "DisplayName",
"value": "@item()?['displayName']"
},
{
"header": "UserPrincipalName",
"value": "@item()?['userPrincipalName']"
},
{
"header": "Mail",
"value": "@item()?['mail']"
},
{
"header": "JobTitle",
"value": "@item()?['jobTitle']"
},
{
"header": "MobilePhone",
"value": "@item()?['mobilePhone']"
}
],
"format": "HTML",
"from": "@createArray(body('Call_UserEnrichment_LogicApp')?['manager'])"
},
"runAfter": {
"Admin_roles_table": [
"Succeeded",
"Failed"
]
},
"type": "Table"
},
"Inbox_rules_table": {
"inputs": {
"columns": [
{
"header": "Sequence",
"value": "@item()?['sequence']"
},
{
"header": "Name",
"value": "@item()?['displayName']"
},
{
"header": "Enabled",
"value": "@item()?['isEnabled']"
},
{
"header": "Conditions",
"value": "@item()?['conditions']"
},
{
"header": "Actions",
"value": "@item()?['actions']"
}
],
"format": "HTML",
"from": "@body('Call_UserEnrichment_LogicApp')?['mailboxInboxRules']"
},
"runAfter": {
"Manager_table": [
"Succeeded",
"Failed"
]
},
"type": "Table"
},
"Locations_table": {
"inputs": {
"columns": [
{
"header": "Country",
"value": "@item()?['country']"
},
{
"header": "UsagePercentage",
"value": "@item()?['percentageTotalActivities']"
},
{
"header": "LastActivity",
"value": "@item()?['lastActivity']"
},
{
"header": "ActivitiesLast30Days",
"value": "@item()?['activities']"
}
],
"format": "HTML",
"from": "@body('Call_UserEnrichment_LogicApp')?['locationsUsage']"
},
"runAfter": {
"Threatscore_History_table": [
"Succeeded",
"Failed"
]
},
"type": "Table"
},
"Compose_comments_part1": {
"inputs": "<h2>User Location details</h2>
<table style=\"width:75%\">
<tr>
<th>Company:</th>
<td>@{body('Call_UserEnrichment_LogicApp')?['companyName']}</td>
</tr>
<tr>
<th>Job Title:</th>
<td>@{body('Call_UserEnrichment_LogicApp')?['jobTitle']}</td>
</tr>
<tr>
<th>Department:</th>
<td>@{body('Call_UserEnrichment_LogicApp')?['department']}</td>
</tr>
<tr>
<th>Country:</th>
<td>@{body('Call_UserEnrichment_LogicApp')?['country']}</td>
</tr>
<tr>
<th>City:</th>
<td>@{body('Call_UserEnrichment_LogicApp')?['city']}</td>
</tr>
<tr>
<th>Office Location:</th>
<td>@{body('Call_UserEnrichment_LogicApp')?['officeLocation']}</td>
</tr>
<tr>
<th>Street Address:</th>
<td>@{body('Call_UserEnrichment_LogicApp')?['streetAddress']}</td>
</tr>
<tr>
<th>Postal Code:</th>
<td>@{body('Call_UserEnrichment_LogicApp')?['postalCode']}</td>
</tr>
<tr>
<th>Preffered Language:</th>
<td>@{body('Call_UserEnrichment_LogicApp')?['preferredLanguage']}</td>
</tr>
<tr>
<th>Business Phone:</th>
<td>@{body('Call_UserEnrichment_LogicApp')?['businessPhones']}</td>
</tr>
<tr>
<th>Mobile Phone:</th>
<td>@{body('Call_UserEnrichment_LogicApp')?['mobilePhone']}</td>
</tr>",
"runAfter": {
"AAD_Devices_table": [
"Succeeded"
]
},
"type": "Compose"
},
"Append_to_comments_part1": {
"inputs": {
"name": "comments",
"value": "@outputs('Compose_comments_part1')"
},
"runAfter": {
"Compose_comments_part1": [
"Succeeded"
]
},
"type": "AppendToArrayVariable"
},
"Compose_comments_part2": {
"inputs": "<h2>User details</h2>
<table style=\"width:75%\">
<tr>
<th>UserPrincipalName:</th>
<td>@{body('Call_UserEnrichment_LogicApp')?['userPrincipalName']}</td>
</tr>
<tr>
<th>Display Name:</th>
<td>@{body('Call_UserEnrichment_LogicApp')?['displayName']}</td>
</tr>
<tr>
<th>Employee Id:</th>
<td>@{body('Call_UserEnrichment_LogicApp')?['employeeId']}</td>
</tr>
<tr>
<th>Manager:</th>
<td>@{body('Call_UserEnrichment_LogicApp')?['manager']}</td>
</tr>
<tr>
<th>User id:</th>
<td> @{body('Call_UserEnrichment_LogicApp')?['id']}</td>
</tr>
<tr>
<th>Admin roles:</th>
<td>@{body('Admin_roles_table')}</td>
</tr>
<th>Mfa Registered:</th>
<td>@{body('Call_UserEnrichment_LogicApp')?['isMfaRegistered']}</td>
</tr>
<tr>
<th>Registered Mfa Methods:</th>
<td> @{body('Call_UserEnrichment_LogicApp')?['authMethodsMfa']}</td>
</tr>
<tr>
<th>Sspr Registered:</th>
<td> @{body('Call_UserEnrichment_LogicApp')?['isSsprRegistered']}</td>
</tr>",
"runAfter": {
"AAD_Devices_table": [
"Succeeded"
]
},
"type": "Compose"
},
"Append_to_comments_part2": {
"inputs": {
"name": "comments",
"value": "@outputs('Compose_comments_part2')"
},
"runAfter": {
"Compose_comments_part2": [
"Succeeded"
]
},
"type": "AppendToArrayVariable"
},
"Compose_comments_part3": {
"inputs": "<h2>Additional details</h2><table style=\"width:75%\">
<tr><th>Locations usage:</th>
<td>@{body('Locations_table')}</td></tr><tr>
<th>MCAS Threat Score:</th>
<td>@{body('Call_UserEnrichment_LogicApp')?['threatScore']}</td>
</tr>
<tr>
<th>Threat Score History:</th>
<td>@{body('Threatscore_History_table')}</td>
</tr>
<tr>
<th>AAD Risk Level:</th>
<td>@{body('Call_UserEnrichment_LogicApp')?['riskLevel']}</td>
</tr>
<tr>
<th>AAD Risk State:</th>
<td>@{body('Call_UserEnrichment_LogicApp')?['riskState']}</td>
</tr>
<tr>
<th>AAD Risk Details:</th>
<td>@{body('Call_UserEnrichment_LogicApp')?['riskDetail']}</td>
</tr>
<tr>
<th>AAD Risk Last Update:</th>
<td>@{body('Call_UserEnrichment_LogicApp')?['riskLastUpdatedDateTime']}</td>
</tr>
<tr>
<th>Self-Service Password Reset Activities:</th>
<td>@{body('Call_UserEnrichment_LogicApp')?['ssprActivities']}</td>
</tr>",
"runAfter": {
"AAD_Devices_table": [
"Succeeded"
]
},
"type": "Compose"
},
"Append_to_comments_part3": {
"inputs": {
"name": "comments",
"value": "@outputs('Compose_comments_part3')"
},
"runAfter": {
"Compose_comments_part3": [
"Succeeded"
]
},
"type": "AppendToArrayVariable"
},
"Compose_comments_part4": {
"inputs": "<h2>Mailbox and Devices details</h2>
<table style=\"width:75%\">
<tr>
<th>Mail:</th>
<td>@{body('Call_UserEnrichment_LogicApp')?['mail']}</td>
</tr>
<tr>
<th>Out-Of-Office is enabled:</th>
<td>@{body('Call_UserEnrichment_LogicApp')?['mailboxOofEnabled']}</td>
</tr>
<tr>
<th>Out-Of-Office Message:</th>
<td>@{createArray(body('Call_UserEnrichment_LogicApp')?['mailboxOofMessage'])}</td>
</tr>
<tr>
<th>Mailbox Inbox Rules:</th>
<td>@{replace(body('Inbox_rules_table'), '&quot;', '\"')}</td>
</tr>",
"runAfter": {
"AAD_Devices_table": [
"Succeeded"
]
},
"type": "Compose"
},
"Append_to_comments_part4": {
"inputs": {
"name": "comments",
"value": "@outputs('Compose_comments_part4')"
},
"runAfter": {
"Compose_comments_part4": [
"Succeeded"
]
},
"type": "AppendToArrayVariable"
},
"Compose_comments_part5": {
"inputs": "<h2>Account details</h2>
<table style=\"width:75%\">
<tr>
<th>Account is Enabled:</th>
<td>@{body('Call_UserEnrichment_LogicApp')?['accountEnabled']}</td>
</tr>
<tr>
<th>Creation Time:</th>
<td>@{body('Call_UserEnrichment_LogicApp')?['createdDateTime']}</td>
</tr>
<tr>
<th>On-Premises DN:</th>
<td>@{body('Call_UserEnrichment_LogicApp')?['onPremisesDistinguishedName']}</td>
</tr>
<tr>
<th>On-Premises Domain Name:</th>
<td>@{body('Call_UserEnrichment_LogicApp')?['onPremisesDomainName']}</td>
</tr>
<tr>
<th>On-Premises Last DirSync:</th>
<td>@{body('Call_UserEnrichment_LogicApp')?['onPremisesLastSyncDateTime']}</td>
</tr>
<tr>
<th>On-Premises SamAccountName:</th>
<td>@{body('Call_UserEnrichment_LogicApp')?['onPremisesSamAccountName']}</td>
</tr>
<tr>
<th>On-Premises SID:</th>
<td>@{body('Call_UserEnrichment_LogicApp')?['onPremisesSecurityIdentifier']}</td>
</tr>
<tr>
<th>On-Premises SyncEnabled:</th>
<td>@{body('Call_UserEnrichment_LogicApp')?['onPremisesSyncEnabled']}</td>
</tr>
<tr>
<th>Refresh Token Valid From:</th>
<td>@{body('Call_UserEnrichment_LogicApp')?['refreshTokensValidFromDateTime']}}</td>
</tr>",
"runAfter": {
"AAD_Devices_table": [
"Succeeded"
]
},
"type": "Compose"
},
"Append_to_comments_part5": {
"inputs": {
"name": "comments",
"value": "@outputs('Compose_comments_part5')"
},
"runAfter": {
"Compose_comments_part5": [
"Succeeded"
]
},
"type": "AppendToArrayVariable"
},
"Compose_comments_part6": {
"inputs": "<h2>Devices details</h2>
<table style=\"width:75%\">
<tr>
<th>Azure AD Devices:</th>
<td>@{replace(body('AAD_Devices_table'), '&quot;', '\"')}</td>
</tr>
<tr>
<th>MDATP Devices:</th>
<td>@{replace(body('MDATP_Devices_table'), '&quot;', '\"')}</td>
</tr>",
"runAfter": {
"AAD_Devices_table": [
"Succeeded"
]
},
"type": "Compose"
},
"Append_to_comments_part6": {
"inputs": {
"name": "comments",
"value": "@outputs('Compose_comments_part6')"
},
"runAfter": {
"Compose_comments_part6": [
"Succeeded"
]
},
"type": "AppendToArrayVariable"
},
"Send_Data_to_Sentinel": {
"runAfter": {
"Call_UserEnrichment_LogicApp": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"body": "@{body('Call_UserEnrichment_LogicApp')}",
"headers": {
"Log-Type": "Users"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']"
}
},
"method": "post",
"path": "/api/logs"
}
}
},
"method": "put",
"path": "/Comment/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/@{encodeURIComponent('Alert')}/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}"
},
"runAfter": {
"Compose_comment_account_details": [
"Succeeded"
]
},
"type": "ApiConnection"
},
"Compose_user_comment_details": {
"inputs": "User details\n
************\n\n
department: @{body('Call_UserEnrichment_LogicApp')?['department']}\n
jobTitle: @{body('Call_UserEnrichment_LogicApp')?['jobTitle']}\n
displayName: @{body('Call_UserEnrichment_LogicApp')?['displayName']}\n
givenName: @{body('Call_UserEnrichment_LogicApp')?['givenName']}\n
surname: @{body('Call_UserEnrichment_LogicApp')?['surname']}\n
companyName: @{body('Call_UserEnrichment_LogicApp')?['companyName']}\n
country: @{body('Call_UserEnrichment_LogicApp')?['country']}\n
officeLocation: @{body('Call_UserEnrichment_LogicApp')?['officeLocation']}\n
city: @{body('Call_UserEnrichment_LogicApp')?['city']}\n
streetAddress: @{body('Call_UserEnrichment_LogicApp')?['streetAddress']}\n
postalCode: @{body('Call_UserEnrichment_LogicApp')?['postalCode']}\n
preferredLanguage: @{body('Call_UserEnrichment_LogicApp')?['preferredLanguage']}\n
businessPhones: @{body('Call_UserEnrichment_LogicApp')?['businessPhones']?[0]}\n
mobilePhone: @{body('Call_UserEnrichment_LogicApp')?['mobilePhone']}\n
employeeId: @{body('Call_UserEnrichment_LogicApp')?['employeeId']}\n
manager: @{body('Call_UserEnrichment_LogicApp')?['manager']}\n",
"runAfter": {
"Call_UserEnrichment_LogicApp": [
"Succeeded"
]
},
"type": "Compose"
},
"Add_user_comment_to_incident": {
"inputs": {
"body": {
"Value": "@{outputs('Compose_user_comment_details')}"
"foreach": "@body('Get_accounts')?['Accounts']",
"runAfter": {
"Get_accounts": [
"Succeeded"
]
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "put",
"path": "/Comment/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/@{encodeURIComponent('Alert')}/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}"
},
"runAfter": {
"Compose_user_comment_details": [
"Succeeded"
]
},
"type": "ApiConnection"
},
"Compose_devices_comment_details": {
"inputs": "User devices\n
************\n\n
mdatpDevvices: @{body('Call_UserEnrichment_LogicApp')?['devices']?['mdatpDevices']}\n
aadDevices: @{body('Call_UserEnrichment_LogicApp')?['devices']?['aadDevices']}\n",
"runAfter": {
"Call_UserEnrichment_LogicApp": [
"Succeeded"
]
},
"type": "Compose"
},
"Add_devices_comment_to_incident": {
"inputs": {
"body": {
"Value": "@{outputs('Compose_devices_comment_details')}"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "put",
"path": "/Comment/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/@{encodeURIComponent('Alert')}/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}"
},
"runAfter": {
"Compose_devices_comment_details": [
"Succeeded"
]
},
"type": "ApiConnection"
},
"Compose_mailbox_comment_details": {
"inputs": "Mailbox details\n
***************\n\n
mail: @{body('Call_UserEnrichment_LogicApp')?['mail']}\n
mailboxInboxRules: @{body('Call_UserEnrichment_LogicApp')?['mailboxInboxRules']}\n
mailboxOofEnabled: @{body('Call_UserEnrichment_LogicApp')?['mailboxOofEnabled']}\n
mailboxOofMessage: @{body('Call_UserEnrichment_LogicApp')?['mailboxOofMessage']}\n",
"runAfter": {
"Call_UserEnrichment_LogicApp": [
"Succeeded"
]
},
"type": "Compose"
},
"Add_mailbox_comment_to_incident": {
"inputs": {
"body": {
"Value": "@{outputs('Compose_mailbox_comment_details')}"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "put",
"path": "/Comment/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/@{encodeURIComponent('Alert')}/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}"
},
"runAfter": {
"Compose_mailbox_comment_details": [
"Succeeded"
]
},
"type": "ApiConnection"
},
"Send_Data_to_Sentinel": {
"runAfter": {
"Call_UserEnrichment_LogicApp": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"body": "@{body('Call_UserEnrichment_LogicApp')}",
"headers": {
"Log-Type": "Users"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']"
}
},
"method": "post",
"path": "/api/logs"
"type": "Foreach"
}
}
},
"runAfter": {
"Initialize_comments": [
"Succeeded"
]
},
"type": "Scope"
},
"foreach": "@body('Get_accounts')?['Accounts']",
"runAfter": {
"Get_accounts": [
"Succeeded"
]
},
"type": "Foreach"
}
},
"runAfter": {},
"type": "Scope"
}
"Post_comments": {
"actions": {
"Post_all_comments": {
"actions": {
"Add_account_comment_to_incident": {
"inputs": {
"body": {
"Value": "@{items('Post_all_comments')}"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "put",
"path": "/Comment/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/@{encodeURIComponent('Alert')}/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}"
},
"runAfter": {},
"type": "ApiConnection"
}
},
"foreach": "@variables('comments')",
"runAfter": {},
"type": "Foreach"
}
},
"runAfter": {
"Users_enrichment": [
"Succeeded"
]
},
"type": "Scope"
}
},
"outputs": {}
},
@ -365,7 +739,7 @@
"value": {
"azuresentinel": {
"connectionId": "[resourceId('Microsoft.Web/connections', parameters('azuresentinel_Connection_Name'))]",
"connectionName": "[parameters('azuresentinel_Connection_Name')]" ,
"connectionName": "[parameters('azuresentinel_Connection_Name')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('location'), '/managedApis/', 'azuresentinel')]"
},
"[parameters('logAnalytics_connectionName')]": {
@ -378,10 +752,10 @@
}
}
}
],
"outputs": {
"logicAppUrl": {
"type": "string",
"value": "[listCallbackURL(concat(resourceId('Microsoft.Logic/workflows/', parameters('logicAppName')), '/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered'), '2016-06-01').value]"
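Review bot: In the For_each_user scope, `MDATP_devices_table` runs only after `Inbox_rules_table` reports "Succeeded", while every other Table action in that chain also accepts "Failed"; if `mailboxInboxRules` is absent and that Table action fails, `MDATP_devices_table` is skipped, `AAD_Devices_table` (which waits on Succeeded/Failed, not Skipped) is skipped too, and all six `Compose_comments_partN` steps that depend on it never run, so no comment is posted at all — the very missing-value case this commit is meant to handle; the fix is `"Inbox_rules_table": ["Succeeded", "Failed"]`. Separately, the comment bodies interpolate account attributes (display name, job title, inbox-rule names and conditions, the out-of-office message) unescaped into HTML that is posted to the incident, and `replace(body('Inbox_rules_table'), '&quot;', '\"')` (repeated for both device tables in `Compose_comments_part6`) deliberately undoes the Table action's quote encoding; these fields are set by the account under investigation, so they should be treated as untrusted and left HTML-encoded rather than decoded. Two smaller slips: `Compose_comments_part5` ends its last cell with `...['refreshTokensValidFromDateTime']}}</td>`, where the extra `}` will be emitted literally, and in `Compose_comments_part2` the "Mfa Registered" row has no opening `<tr>`. `Compose_comments_part6` also references `body('MDATP_Devices_table')` while the action is declared as `MDATP_devices_table`; worth aligning the casing even if the runtime resolves action names case-insensitively.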


@ -1,30 +1,39 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"logicAppName": {
"defaultValue": "UserEnrichment",
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"logicAppName": {
"defaultValue": "UserEnrichment",
"type": "string",
"metadata": {
"description": "The name of the logic app to create."
}
},
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Location for all resources."
}
},
"servicePrincipal": {
"type": "secureObject"
"metadata": {
"description": "The name of the logic app to create."
}
},
"mcasAPI": {
"type": "secureobject"
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Location for all resources."
}
},
"servicePrincipal-tenantId": {
"type": "string"
},
"servicePrincipal-clientId": {
"type": "string"
},
"servicePrincipal-clientSecret": {
"type": "securestring"
},
"mcas-apiToken": {
"type": "securestring"
},
"mcas-tenantUrl": {
"type": "string"
}
},
"variables": {},
"resources": [
},
"variables": {},
"resources": [
{
"type": "Microsoft.Logic/workflows",
"apiVersion": "2017-07-01",
@ -39,13 +48,25 @@
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"servicePrincipal": {
"type": "secureobject",
"defaultValue": "[parameters('servicePrincipal')]"
"servicePrincipal-tenantId": {
"type": "string",
"defaultValue": "[parameters('servicePrincipal-tenantId')]"
},
"mcasAPI": {
"defaultValue": "[parameters('mcasAPI')]",
"type": "secureobject"
"servicePrincipal-clientSecret": {
"type": "securestring",
"defaultValue": "[parameters('servicePrincipal-clientSecret')]"
},
"servicePrincipal-clientId": {
"type": "string",
"defaultValue": "[parameters('servicePrincipal-clientId')]"
},
"mcas-apiToken": {
"defaultValue": "[parameters('mcas-apiToken')]",
"type": "securestring"
},
"mcas-tenantUrl": {
"defaultValue": "[parameters('mcas-tenantUrl')]",
"type": "string"
}
},
"triggers": {
@ -64,7 +85,7 @@
}
}
},
"actions": {
"actions": {
"Parse_trigger": {
"runAfter": {},
"type": "ParseJson",
@ -193,6 +214,22 @@
]
}
},
"Initialize_signins": {
"inputs": {
"variables": [
{
"name": "signins",
"type": "array"
}
]
},
"runAfter": {
"Initialize_ssprActivities": [
"Succeeded"
]
},
"type": "InitializeVariable"
},
"User": {
"actions": {
"Get_user_details": {
@ -201,9 +238,9 @@
"inputs": {
"authentication": {
"audience": "https://graph.microsoft.com/",
"clientId": "[parameters('servicePrincipal').clientId]",
"secret": "[parameters('servicePrincipal').clientSecret]",
"tenant": "[parameters('servicePrincipal').tenantId]",
"clientId": "[parameters('servicePrincipal-clientId')]",
"secret": "[parameters('servicePrincipal-clientSecret')]",
"tenant": "[parameters('servicePrincipal-tenantId')]",
"type": "ActiveDirectoryOAuth"
},
"method": "GET",
@ -221,119 +258,6 @@
"Case_200_OK": {
"case": 200,
"actions": {
"Get_user_AAD_risk_status": {
"runAfter": {
"Parse_MFA-SSPR": [
"Succeeded"
]
},
"type": "Http",
"inputs": {
"authentication": {
"audience": "https://graph.microsoft.com/",
"clientId": "[parameters('servicePrincipal').clientId]",
"secret": "[parameters('servicePrincipal').clientSecret]",
"tenant": "[parameters('servicePrincipal').tenantId]",
"type": "ActiveDirectoryOAuth"
},
"method": "GET",
"uri": "https://graph.microsoft.com/beta/riskyUsers/@{body('Parse_user_details')?['id']}/"
}
},
"Get_user_MFA-SSPR_status": {
"runAfter": {
"Parse_user_manager": [
"Succeeded",
"Failed"
]
},
"type": "Http",
"inputs": {
"authentication": {
"audience": "https://graph.microsoft.com/",
"clientId": "[parameters('servicePrincipal').clientId]",
"secret": "[parameters('servicePrincipal').clientSecret]",
"tenant": "[parameters('servicePrincipal').tenantId]",
"type": "ActiveDirectoryOAuth"
},
"method": "GET",
"uri": "https://graph.microsoft.com/beta/reports/credentialUserRegistrationDetails?$filter=userPrincipalName eq '@{body('Parse_trigger')?['userPrincipalName']}'"
}
},
"Get_user_manager": {
"runAfter": {
"Parse_user_details": [
"Succeeded"
]
},
"type": "Http",
"inputs": {
"authentication": {
"audience": "https://graph.microsoft.com/",
"clientId": "[parameters('servicePrincipal').clientId]",
"secret": "[parameters('servicePrincipal').clientSecret]",
"tenant": "[parameters('servicePrincipal').tenantId]",
"type": "ActiveDirectoryOAuth"
},
"method": "GET",
"uri": "https://graph.microsoft.com/beta/users/@{body('Parse_trigger')?['userPrincipalName']}/manager"
}
},
"Parse_MFA-SSPR": {
"runAfter": {
"Get_user_MFA-SSPR_status": [
"Succeeded"
]
},
"type": "ParseJson",
"inputs": {
"content": "@body('Get_user_MFA-SSPR_status')",
"schema": {
"properties": {
"@@odata.context": {
"type": "string"
},
"value": {
"items": {
"properties": {
"authMethods": {
"items": {
"type": "string"
},
"type": "array"
},
"id": {
"type": "string"
},
"isCapable": {
"type": "boolean"
},
"isEnabled": {
"type": "boolean"
},
"isMfaRegistered": {
"type": "boolean"
},
"isRegistered": {
"type": "boolean"
},
"userDisplayName": {
"type": "string"
},
"userPrincipalName": {
"type": "string"
}
},
"required": [],
"type": "object"
},
"type": "array"
}
},
"type": "object"
}
}
},
"Parse_user_details": {
"runAfter": {},
"type": "ParseJson",
@ -426,129 +350,128 @@
}
}
},
"Parse_user_manager": {
"Get_user_manager": {
"runAfter": {
"Parse_user_details": [
"Succeeded"
]
},
"type": "Http",
"inputs": {
"authentication": {
"audience": "https://graph.microsoft.com/",
"clientId": "[parameters('servicePrincipal-clientId')]",
"secret": "[parameters('servicePrincipal-clientSecret')]",
"tenant": "[parameters('servicePrincipal-tenantId')]",
"type": "ActiveDirectoryOAuth"
},
"method": "GET",
"uri": "https://graph.microsoft.com/beta/users/@{body('Parse_trigger')?['userPrincipalName']}/manager"
}
},
"Get_user_MFA-SSPR_status": {
"runAfter": {
"Get_user_manager": [
"Succeeded",
"Failed"
]
},
"type": "ParseJson",
"type": "Http",
"inputs": {
"content": "@body('Get_user_details')",
"schema": {
"properties": {
"@@odata.context": {},
"accountEnabled": {
"type": "boolean"
},
"ageGroup": {},
"businessPhones": {
"items": {},
"type": "array"
},
"city": {},
"companyName": {},
"consentProvidedForMinor": {},
"country": {},
"createdDateTime": {},
"creationType": {},
"deletedDateTime": {},
"department": {},
"deviceKeys": {
"type": "array"
},
"displayName": {},
"employeeId": {},
"externalUserState": {},
"externalUserStateChangeDateTime": {},
"faxNumber": {},
"givenName": {},
"id": {},
"identities": {
"items": {
"properties": {
"issuer": {},
"issuerAssignedId": {},
"signInType": {}
},
"required": [],
"type": "object"
},
"type": "array"
},
"imAddresses": {
"items": {},
"type": "array"
},
"isResourceAccount": {},
"jobTitle": {},
"legalAgeGroupClassification": {},
"mail": {},
"mailNickname": {},
"mobilePhone": {},
"officeLocation": {},
"onPremisesDistinguishedName": {},
"onPremisesDomainName": {},
"onPremisesImmutableId": {},
"onPremisesLastSyncDateTime": {},
"onPremisesSamAccountName": {},
"onPremisesSecurityIdentifier": {},
"onPremisesSyncEnabled": {},
"onPremisesUserPrincipalName": {},
"otherMails": {
"items": {},
"type": "array"
},
"passwordPolicies": {},
"passwordProfile": {},
"postalCode": {},
"preferredDataLocation": {},
"preferredLanguage": {},
"proxyAddresses": {
"items": {},
"type": "array"
},
"refreshTokensValidFromDateTime": {},
"showInAddressList": {},
"signInSessionsValidFromDateTime": {},
"state": {},
"streetAddress": {},
"surname": {},
"usageLocation": {},
"userPrincipalName": {},
"userType": {}
},
"type": "object"
}
"authentication": {
"audience": "https://graph.microsoft.com/",
"clientId": "[parameters('servicePrincipal-clientId')]",
"secret": "[parameters('servicePrincipal-clientSecret')]",
"tenant": "[parameters('servicePrincipal-tenantId')]",
"type": "ActiveDirectoryOAuth"
},
"method": "GET",
"uri": "https://graph.microsoft.com/beta/reports/credentialUserRegistrationDetails?$filter=userPrincipalName eq '@{body('Get_user_details')?['userPrincipalName']}'"
}
},
"Parse_user_risk_status": {
"Parse_MFA-SSPR": {
"runAfter": {
"Get_user_AAD_risk_status": [
"Get_user_MFA-SSPR_status": [
"Succeeded"
]
},
"type": "ParseJson",
"inputs": {
"content": "@body('Get_user_AAD_risk_status')",
"content": "@body('Get_user_MFA-SSPR_status')",
"schema": {
"properties": {
"@@odata.context": {},
"id": {},
"isDeleted": {},
"isGuest": {},
"isProcessing": {},
"riskDetail": {},
"riskLastUpdatedDateTime": {},
"riskLevel": {},
"riskState": {},
"userDisplayName": {},
"userPrincipalName": {}
"@@odata.context": {
"type": "string"
},
"value": {
"items": {
"properties": {
"authMethods": {
"items": {
"type": "string"
},
"type": "array"
},
"id": {
"type": "string"
},
"isCapable": {
"type": "boolean"
},
"isEnabled": {
"type": "boolean"
},
"isMfaRegistered": {
"type": "boolean"
},
"isRegistered": {
"type": "boolean"
},
"userDisplayName": {
"type": "string"
},
"userPrincipalName": {
"type": "string"
}
},
"required": [],
"type": "object"
},
"type": "array"
}
},
"type": "object"
}
}
},
"Get_user_AAD_risk_status": {
"runAfter": {
"Parse_MFA-SSPR": [
"Succeeded"
]
},
"type": "Http",
"inputs": {
"authentication": {
"audience": "https://graph.microsoft.com/",
"clientId": "[parameters('servicePrincipal-clientId')]",
"secret": "[parameters('servicePrincipal-clientSecret')]",
"tenant": "[parameters('servicePrincipal-tenantId')]",
"type": "ActiveDirectoryOAuth"
},
"method": "GET",
"uri": "https://graph.microsoft.com/beta/riskyUsers/@{body('Parse_user_details')?['id']}/"
}
},
"Compose_riskStatus": {
"inputs": "@outputs('Get_user_AAD_risk_status')['statusCode']",
"runAfter": {
"Get_user_AAD_risk_status": [
"Succeeded",
"Failed"
]
},
"type": "Compose"
}
}
}
@ -582,12 +505,142 @@
}
},
"runAfter": {
"Initialize_ssprActivities": [
"Initialize_signins": [
"Succeeded"
]
},
"type": "Scope"
},
},
"User_signins": {
"actions": {
"Compose_filter": {
"description": "Get signings from the last 7 days",
"inputs": "(userPrincipalName eq '@{body('Get_user_details')?['userPrincipalName']}' and (createdDateTime ge @{addDays(startOfDay(utcNow()) , -7)}))",
"runAfter": {},
"type": "Compose"
},
"Get_user_signins": {
"inputs": {
"authentication": {
"audience": "https://graph.microsoft.com/",
"clientId": "[parameters('servicePrincipal-clientId')]",
"secret": "[parameters('servicePrincipal-clientSecret')]",
"tenant": "[parameters('servicePrincipal-tenantId')]",
"type": "ActiveDirectoryOAuth"
},
"headers": {
"Content-Type": "application/json"
},
"method": "GET",
"uri": "https://graph.microsoft.com/beta/auditLogs/signIns?$filter=@{outputs('Compose_filter')}"
},
"runAfter": {
"Compose_filter": [
"Succeeded"
]
},
"type": "Http"
},
"For_each_signin": {
"actions": {
"Get_applied_CA_policies": {
"inputs": {
"from": "@items('For_each_signin')?['appliedConditionalAccessPolicies']",
"where": "@equals(item()?['result'], 'success')"
},
"runAfter": {},
"type": "Query"
},
"Compose_Signins": {
"inputs": {
"authenticationMethodsUsed": "@items('For_each_signin')?['authenticationMethodsUsed']",
"authenticationRequirement": "@items('For_each_signin')?['authenticationRequirement']",
"authenticationDetails": "@items('For_each_signin')?['authenticationDetails']",
"appDisplayName": "@items('For_each_signin')?['appDisplayName']",
"appId": "@items('For_each_signin')?['appId']",
"appliedConditionalAccessPolicies": "@body('Get_applied_CA_policies')",
"ipAddress": "@items('For_each_signin')?['ipAddress']",
"clientAppUsed": "@items('For_each_signin')?['clientAppUsed']",
"conditionalAccessStatus": "@items('For_each_signin')?['conditionalAccessStatus']",
"deviceId": "@items('For_each_signin')?['deviceDetail']?['deviceId']",
"deviceName": "@items('For_each_signin')?['deviceDetail']?['displayName']",
"deviceIsCompliant": "@items('For_each_signin')?['deviceDetail']?['isCompliant']",
"deviceIsManaged": "@items('For_each_signin')?['deviceDetail']?['isManaged']",
"deviceTrustType": "@items('For_each_signin')?['deviceDetail']?['trustType']",
"isInteractive": "@items('For_each_signin')?['isInteractive']",
"location": "@concat(items('For_each_signin')?['location']?['countryOrRegion'], ', ', items('For_each_signin')?['location']?['state'], ', ', items('For_each_signin')?['location']?['city'])",
"mfaDetail": "@items('For_each_signin')?['mfaDetail']",
"riskDetail": "@items('For_each_signin')?['riskDetail']",
"riskLevelAggregated": "@items('For_each_signin')?['riskLevelAggregated']",
"riskLevelDuringSignIn": "@items('For_each_signin')?['riskLevelDuringSignIn']",
"riskState": "@items('For_each_signin')?['riskState']",
"riskEventTypes": "@items('For_each_signin')?['riskEventTypes']",
"riskEventTypes_v2": "@items('For_each_signin')?['riskEventTypes_v2']",
"resourceDisplayName": "@items('For_each_signin')?['resourceDisplayName']",
"resourceId": "@items('For_each_signin')?['resourceId']",
"statusAdditionalDetails": "@items('For_each_signin')?['status']?['additionalDetails']",
"statusCode": "@items('For_each_signin')?['status']?['errorCode']",
"statusFailureReason": "@items('For_each_signin')?['status']?['failureReason']",
"userAgent": "@items('For_each_signin')?['userAgent']"
},
"runAfter": {
"Get_applied_CA_policies": [
"Succeeded"
]
},
"type": "Compose"
},
"Append_to_signins": {
"inputs": {
"name": "signins",
"value": "@outputs('Compose_Signins')"
},
"runAfter": {
"Compose_Signins": [
"Succeeded"
]
},
"type": "AppendToArrayVariable"
}
},
"foreach": "@body('Get_user_signins')?['value']",
"runAfter": {
"Get_user_signins": [
"Succeeded"
]
},
"type": "Foreach"
},
"Dedup_signins": {
"inputs": "@union(variables('signins'), variables('signins'))",
"runAfter": {
"For_each_signin": [
"Succeeded"
]
},
"type": "Compose"
},
"Set_signins": {
"inputs": {
"name": "signins",
"value": "@outputs('Dedup_signins')"
},
"runAfter": {
"Dedup_signins": [
"Succeeded"
]
},
"type": "SetVariable"
}
},
"runAfter": {
"User": [
"Succeeded"
]
},
"type": "Scope"
},
"Devices": {
"actions": {
"Get_user_owned_devices": {
@ -596,13 +649,13 @@
"inputs": {
"authentication": {
"audience": "https://graph.microsoft.com/",
"clientId": "[parameters('servicePrincipal').clientId]",
"secret": "[parameters('servicePrincipal').clientSecret]",
"tenant": "[parameters('servicePrincipal').tenantId]",
"clientId": "[parameters('servicePrincipal-clientId')]",
"secret": "[parameters('servicePrincipal-clientSecret')]",
"tenant": "[parameters('servicePrincipal-tenantId')]",
"type": "ActiveDirectoryOAuth"
},
"method": "GET",
"uri": "https://graph.microsoft.com/beta/users/@{body('Parse_trigger')?['userPrincipalName']}/ownedDevices "
"uri": "https://graph.microsoft.com/beta/users/@{body('Get_user_details')?['userPrincipalName']}/ownedDevices "
}
},
"Parse_user_owned_devices": {
@ -718,25 +771,33 @@
},
"type": "Foreach"
},
"Advanced_Hunting": {
"Compose_samAccountName": {
"inputs": "@if(empty(body('Get_user_details')?['onPremisesSamAccountName']), split(body('Get_user_details')?['userPrincipalName'], '@')?[0], body('Get_user_details')?['onPremisesSamAccountName'])",
"runAfter": {
"For_each_device": [
"Succeeded"
]
},
"type": "Compose"
},
"Advanced_Hunting": {
"runAfter": {
"Compose_samAccountName": [
"Succeeded"
]
},
"type": "Http",
"inputs": {
"authentication": {
"audience": "https://api.securitycenter.windows.com/",
"clientId": "[parameters('servicePrincipal').clientId]",
"secret": "[parameters('servicePrincipal').clientSecret]",
"tenant": "[parameters('servicePrincipal').tenantId]",
"clientId": "[parameters('servicePrincipal-clientId')]",
"secret": "[parameters('servicePrincipal-clientSecret')]",
"tenant": "[parameters('servicePrincipal-tenantId')]",
"type": "ActiveDirectoryOAuth"
},
"body": {
"Query":
"let timeToSearch = ago(14d); DeviceInfo | where (LoggedOnUsers contains \"@{body('Get_user_details')?['onPremisesSamAccountName']}\") or (LoggedOnUsers contains \"@{body('Get_user_details')?['userPrincipalName']}\") and Timestamp > timeToSearch | distinct DeviceName, DeviceId, PublicIP | summarize IPAddressHistory = make_list(PublicIP) by DeviceName, DeviceId"
"Query": "let timeToSearch = ago(14d); DeviceInfo | where (LoggedOnUsers contains \"@{body('Get_user_details')?['onPremisesSamAccountName']}\") or (LoggedOnUsers contains \"@{body('Get_user_details')?['userPrincipalName']}\") and Timestamp > timeToSearch | distinct DeviceName, DeviceId, PublicIP | summarize IPAddressHistory = make_list(PublicIP) by DeviceName, DeviceId"
},
"method": "POST",
"uri": "https://api.securitycenter.windows.com/api/advancedqueries/run"
@ -762,9 +823,9 @@
"inputs": {
"authentication": {
"audience": "https://graph.microsoft.com/",
"clientId": "[parameters('servicePrincipal').clientId]",
"secret": "[parameters('servicePrincipal').clientSecret]",
"tenant": "[parameters('servicePrincipal').tenantId]",
"clientId": "[parameters('servicePrincipal-clientId')]",
"secret": "[parameters('servicePrincipal-clientSecret')]",
"tenant": "[parameters('servicePrincipal-tenantId')]",
"type": "ActiveDirectoryOAuth"
},
"body": "@outputs('Groups')",
@ -772,7 +833,7 @@
"Content-Type": "application/json"
},
"method": "POST",
"uri": "https://graph.microsoft.com/beta/users/@{body('Parse_trigger')?['userPrincipalName']}/checkMemberGroups"
"uri": "https://graph.microsoft.com/beta/users/@{body('Get_user_details')?['userPrincipalName']}/checkMemberGroups"
}
},
"Foreach_role": {
@ -812,9 +873,9 @@
"inputs": {
"authentication": {
"audience": "https://graph.microsoft.com/",
"clientId": "[parameters('servicePrincipal').clientId]",
"secret": "[parameters('servicePrincipal').clientSecret]",
"tenant": "[parameters('servicePrincipal').tenantId]",
"clientId": "[parameters('servicePrincipal-clientId')]",
"secret": "[parameters('servicePrincipal-clientSecret')]",
"tenant": "[parameters('servicePrincipal-tenantId')]",
"type": "ActiveDirectoryOAuth"
},
"method": "GET",
@ -866,9 +927,9 @@
"inputs": {
"authentication": {
"audience": "https://graph.microsoft.com/",
"clientId": "[parameters('servicePrincipal').clientId]",
"secret": "[parameters('servicePrincipal').clientSecret]",
"tenant": "[parameters('servicePrincipal').tenantId]",
"clientId": "[parameters('servicePrincipal-clientId')]",
"secret": "[parameters('servicePrincipal-clientSecret')]",
"tenant": "[parameters('servicePrincipal-tenantId')]",
"type": "ActiveDirectoryOAuth"
},
"headers": {
@ -1010,13 +1071,13 @@
"inputs": {
"authentication": {
"audience": "https://graph.microsoft.com/",
"clientId": "[parameters('servicePrincipal').clientId]",
"secret": "[parameters('servicePrincipal').clientSecret]",
"tenant": "[parameters('servicePrincipal').tenantId]",
"clientId": "[parameters('servicePrincipal-clientId')]",
"secret": "[parameters('servicePrincipal-clientSecret')]",
"tenant": "[parameters('servicePrincipal-tenantId')]",
"type": "ActiveDirectoryOAuth"
},
"method": "GET",
"uri": "https://graph.microsoft.com/beta/users/@{body('Parse_trigger')?['userPrincipalName']}/mailFolders/@{items('For_each_inbox_rule')?['actions']?['moveToFolder']}"
"uri": "https://graph.microsoft.com/beta/users/@{body('Get_user_details')?['userPrincipalName']}/mailFolders/@{items('For_each_inbox_rule')?['actions']?['moveToFolder']}"
}
},
"Parse_inbox_folder": {
@ -1102,9 +1163,9 @@
"inputs": {
"authentication": {
"audience": "https://graph.microsoft.com/",
"clientId": "[parameters('servicePrincipal').clientId]",
"secret": "[parameters('servicePrincipal').clientSecret]",
"tenant": "[parameters('servicePrincipal').tenantId]",
"clientId": "[parameters('servicePrincipal-clientId')]",
"secret": "[parameters('servicePrincipal-clientSecret')]",
"tenant": "[parameters('servicePrincipal-tenantId')]",
"type": "ActiveDirectoryOAuth"
},
"body": {
@ -1114,7 +1175,7 @@
"MailTipsOptions": "automaticReplies"
},
"method": "POST",
"uri": "https://graph.microsoft.com/beta/users/@{body('Parse_trigger')?['userPrincipalName']}/getMailTips"
"uri": "https://graph.microsoft.com/beta/users/@{body('Get_user_details')?['userPrincipalName']}/getMailTips"
}
},
"Get_user_inbox_rules": {
@ -1123,13 +1184,13 @@
"inputs": {
"authentication": {
"audience": "https://graph.microsoft.com/",
"clientId": "[parameters('servicePrincipal').clientId]",
"secret": "[parameters('servicePrincipal').clientSecret]",
"tenant": "[parameters('servicePrincipal').tenantId]",
"clientId": "[parameters('servicePrincipal-clientId')]",
"secret": "[parameters('servicePrincipal-clientSecret')]",
"tenant": "[parameters('servicePrincipal-tenantId')]",
"type": "ActiveDirectoryOAuth"
},
"method": "GET",
"uri": "https://graph.microsoft.com/beta/users/@{body('Parse_trigger')?['userPrincipalName']}/mailFolders/inbox/messageRules"
"uri": "https://graph.microsoft.com/beta/users/@{body('Get_user_details')?['userPrincipalName']}/mailFolders/inbox/messageRules"
}
},
"Parse_inbox_rules": {
@ -1293,13 +1354,13 @@
"inputs": {
"authentication": {
"audience": "https://graph.microsoft.com/",
"clientId": "[parameters('servicePrincipal').clientId]",
"secret": "[parameters('servicePrincipal').clientSecret]",
"tenant": "[parameters('servicePrincipal').tenantId]",
"clientId": "[parameters('servicePrincipal-clientId')]",
"secret": "[parameters('servicePrincipal-clientSecret')]",
"tenant": "[parameters('servicePrincipal-tenantId')]",
"type": "ActiveDirectoryOAuth"
},
"method": "GET",
"uri": "https://graph.microsoft.com/beta/reports/userCredentialUsageDetails?$filter=userPrincipalName eq '@{body('Parse_trigger')?['userPrincipalName']}'"
"uri": "https://graph.microsoft.com/beta/reports/userCredentialUsageDetails?$filter=userPrincipalName eq '@{body('Get_user_details')?['userPrincipalName']}'"
}
},
"Parse_SSPR": {
@ -1346,7 +1407,7 @@
},
"type": "Scope"
},
"Mcas_Profile" :{
"Mcas_Profile": {
"actions": {
"Compose_userMcasId": {
"description": "Calculate MCAS user id based on AAD object id",
@ -1355,7 +1416,7 @@
"runAfter": {}
},
"Set_userMcasId": {
"description":"convert the value to base64 - this value will be used in API calls",
"description": "convert the value to base64 - this value will be used in API calls",
"inputs": {
"name": "userMcasId",
"value": "@{base64(outputs('Compose_userMcasId'))}"
@ -1377,13 +1438,13 @@
"type": "Http",
"inputs": {
"headers": {
"Authorization": "[concat('token ',parameters('mcasAPI').apiToken)]",
"Authorization": "[concat('token ',parameters('mcas-apiToken'))]",
"Content-Type": "application/json"
},
"method": "GET",
"uri": "@{parameters('mcasAPI').tenantUrl}/cas/api/v1/activities_locations/by_user/?username=@{variables('userMcasId')}/"
"uri": "@{parameters('mcas-tenantUrl')}/cas/api/v1/activities_locations/by_user/?username=@{variables('userMcasId')}/"
}
},
"Get_total_activities": {
"actions": {
@ -1405,7 +1466,7 @@
"type": "Foreach"
},
"For_each_location": {
"actions": {
"actions": {
"Compose_location_percentage": {
"inputs": "@div(mul(items('For_each_location')[1], 100), variables('locationsTotalActivities'))",
"runAfter": {},
@ -1456,13 +1517,13 @@
"type": "Http",
"inputs": {
"headers": {
"Authorization": "[concat('token ',parameters('mcasAPI').apiToken)]",
"Authorization": "[concat('token ',parameters('mcas-apiToken'))]",
"Content-Type": "application/json"
},
"method": "GET",
"uri": "@{parameters('mcasAPI').tenantUrl}/cas/api/v1/entities/@{variables('userMcasId')}/"
"uri": "@{parameters('mcas-tenantUrl')}/cas/api/v1/entities/@{variables('userMcasId')}/"
}
},
"Select_threatScore_properties": {
"inputs": {
@ -1543,6 +1604,7 @@
"riskState": "@body('Get_user_AAD_risk_status')?['riskState']",
"riskDetail": "@body('Get_user_AAD_risk_status')?['riskDetail']",
"riskLastUpdatedDateTime": "@body('Get_user_AAD_risk_status')?['riskLastUpdatedDateTime']",
"signinsLast7days": "@variables('signins')",
"ssprActivities": "@variables('ssprActivities')",
"state": "@body('Get_user_details')?['state']",
"streetAddress": "@body('Get_user_details')?['streetAddress']",
@ -1568,6 +1630,10 @@
"Mcas_profile": [
"Succeeded",
"Failed"
],
"User_signins": [
"Succeeded",
"Failed"
]
},
"type": "Scope"
@ -1593,8 +1659,8 @@
}
}
],
"outputs": {
"outputs": {
"logicAppUrl": {
"type": "string",
"value": "[listCallbackURL(concat(resourceId('Microsoft.Logic/workflows/', parameters('logicAppName')), '/triggers/manual'), '2016-06-01').value]"