From 4242f9138c965823f7aa695be5b63eb474bd8397 Mon Sep 17 00:00:00 2001
From: Ali-Yazdani
Date: Fri, 16 Oct 2020 15:40:18 +0200
Subject: [PATCH] Add Incident-Email-Notification playbook

---
 .../azuredeploy.json | 415 ++++++++++++++++++
 .../Incident-Email-Notification/readme.md | 12 +
 2 files changed, 427 insertions(+)
 create mode 100644 Playbooks/Incident-Email-Notification/azuredeploy.json
 create mode 100644 Playbooks/Incident-Email-Notification/readme.md

diff --git a/Playbooks/Incident-Email-Notification/azuredeploy.json b/Playbooks/Incident-Email-Notification/azuredeploy.json
new file mode 100644
index 0000000000..e96c3653b2
--- /dev/null
+++ b/Playbooks/Incident-Email-Notification/azuredeploy.json
@@ -0,0 +1,415 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "comments": "A playbook for a new incidnet creation email notification.",
+ "author": "Ali Yazdani"
+ },
+ "parameters": {
+ "PlaybookName": {
+ "defaultValue": "new-inc-notification",
+ "type": "String"
+ },
+ "DeployserUserName": {
+ "defaultValue": "@",
+ "type": "string"
+ },
+ "MailList": {
+ "defaultValue": "@;@;...",
+ "type": "String"
+ },
+ "SentinelWSResourceGroup": {
+ "defaultValue": "az-sentinel-rg",
+ "type": "String"
+ },
+ "SenrinelWSName": {
+ "defaultValue": "az-sentinel-ws-name",
+ "type": "String"
+ },
+ "SentinelSubID": {
+ "defaultValue": "00000000-0000-0000-0000-000000000000",
+ "type": "String"
+ }
+ },
+ "variables": {
+ "o365ConnectionName": "[concat('o365-', parameters('PlaybookName'))]",
+ "sentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]",
+ "azuremonitorlogsConnectionName": "[concat('azuremon-', parameters('PlaybookName'))]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[variables('sentinelConnectionName')]",
+ "location": "[resourceGroup().location]",
+ "properties": {
+ "displayName": "[parameters('DeployserUserName')]",
+ "customParameterValues": {},
+ "api": {
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[variables('o365ConnectionName')]",
+ "location": "[resourceGroup().location]",
+ "properties": {
+ "displayName": "[parameters('DeployserUserName')]",
+ "customParameterValues": {},
+ "api": {
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/office365')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[variables('azuremonitorlogsConnectionName')]",
+ "location": "[resourceGroup().location]",
+ "properties": {
+ "displayName": "[parameters('DeployserUserName')]",
+ "customParameterValues": {},
+ "api": {
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuremonitorlogs')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Logic/workflows",
+ "apiVersion": "2017-07-01",
+ "name": "[parameters('PlaybookName')]",
+ "location": "[resourceGroup().location]",
+ "tags": {
+ "LogicAppsCategory": "security"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Web/connections', variables('sentinelConnectionName'))]",
+ "[resourceId('Microsoft.Web/connections', variables('o365ConnectionName'))]",
+ "[resourceId('Microsoft.Web/connections', variables('azuremonitorlogsConnectionName'))]"
+ ],
+ "properties": {
+ "state": "Enabled",
+ "definition": {
+ "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "$connections": {
+ "defaultValue": {},
+ "type": "Object"
+ }
+ },
+ "triggers": {
+ "When_a_response_to_an_Azure_Sentinel_alert_is_triggered": {
+ "type": "ApiConnectionWebhook",
+ "inputs": {
+ "body": {
+ "callback_url": "@{listCallbackUrl()}"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "path": "/subscribe"
+ }
+ }
+ },
+ "actions": {
+ "Append_to_string_variable_2": {
+ "runAfter": {
+ "For_each": [
+ "Succeeded"
+ ]
+ },
+ "type": "AppendToStringVariable",
+ "inputs": {
+ "name": "varHTMLTable",
+ "value": ""
+ }
+ },
+ "Condition": {
+ "actions": {
+ "Send_an_email_(V2)_2": {
+ "runAfter": {},
+ "type": "ApiConnection",
+ "inputs": {
+ "body": {
+ "Body": "

In the following is more information about the new Azure Sentinel incident:
\n@{variables('varHTMLTable')}
\n
\n*Note: Please review and let us know whether this incident is false positive.
\n
\nAzSec Team

", + "Subject": "An Incident trigered on Azure Sentinel", + "To": "[parameters('MailList')]" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['office365']['connectionId']" + } + }, + "method": "post", + "path": "/v2/Mail" + } + } + }, + "runAfter": { + "Append_to_string_variable_2": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@length(body('Run_query_and_list_results')?['value'])", + 0 + ] + } + } + ] + }, + "type": "If" + }, + "For_each": { + "foreach": "@body('Parse_JSON')?['value']", + "actions": { + "Append_to_string_variable": { + "runAfter": { + "Switch": [ + "Succeeded" + ] + }, + "type": "AppendToStringVariable", + "inputs": { + "name": "varHTMLTable", + "value": "\n @{items('For_each')?['IncidentNumber']}\n @{items('For_each')?['CreatedTime']}\n @{items('For_each')?['Severity']}\n @{items('For_each')?['Title']}\n @{items('For_each')?['Description']}\n Incident in Azure Sentinal\n" + } + }, + "Switch": { + "runAfter": {}, + "cases": { + "Case": { + "case": "Low", + "actions": { + "Set_variable": { + "runAfter": {}, + "type": "SetVariable", + "inputs": { + "name": "varSeverityColour", + "value": "@{variables('varStyle').rowStyleLowValues}" + } + } + } + }, + "Case_2": { + "case": "High", + "actions": { + "Set_variable_2": { + "runAfter": {}, + "type": "SetVariable", + "inputs": { + "name": "varSeverityColour", + "value": "@{variables('varStyle').rowStyleHighValues}" + } + } + } + }, + "Case_3": { + "case": "Informational", + "actions": { + "Set_variable_3": { + "runAfter": {}, + "type": "SetVariable", + "inputs": { + "name": "varSeverityColour", + "value": "@{variables('varStyle').rowStyleInfoValues}" + } + } + } + }, + "Case_4": { + "case": "Medium", + "actions": { + "Set_variable_4": { + "runAfter": {}, + "type": "SetVariable", + "inputs": { + "name": "varSeverityColour", + "value": "@{variables('varStyle').rowStyleMedValues}" + } + } + } + } + }, + "default": { + "actions": {} + }, + 
"expression": "@items('For_each')?['Severity']", + "type": "Switch" + } + }, + "runAfter": { + "Parse_JSON": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Initialize_variable": { + "runAfter": { + "Run_query_and_list_results": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "varStyle", + "type": "object", + "value": { + "cellStyle": "style=\"font-family: Calibri; padding: 5px; border: 1px solid black;\"", + "headerStyle": "style=\"font-family: Helvetica; padding: 5px; border: 1px solid black;\"", + "numcellStyle": "style=\"font-family: Calibri; padding: 5px; border: 1px solid black;text-align: center;\"", + "rowStyleHighValues": "style=\"font-size:110%;background-color:#b32400; padding: 5px; border: 1px solid black;text-align: center;\"", + "rowStyleInfoValues": "style=\"background-color:#a6a6a6; padding: 5px; border: 1px solid black;text-align: center;\"", + "rowStyleLowValues": "style=\"background-color:#ffcc00; padding: 5px; border: 1px solid black;text-align: center;\"", + "rowStyleMedValues": "style=\"background-color:#ff6600; padding: 5px; border: 1px solid black;text-align: center;\"", + "tableStyle": "style=\"border-collapse: collapse;\"" + } + } + ] + } + }, + "Initialize_variable_2": { + "runAfter": { + "Initialize_variable": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "varHTMLTable", + "type": "string", + "value": "\n \n \n \n \n \n \n \n " + } + ] + } + }, + "Initialize_variable_3": { + "runAfter": { + "Initialize_variable_2": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "varSeverityColour", + "type": "string", + "value": "@{variables('varStyle').rowStyleHighValues}" + } + ] + } + }, + "Parse_JSON": { + "runAfter": { + "Initialize_variable_3": [ + "Succeeded" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@body('Run_query_and_list_results')", + "schema": { + 
"properties": { + "value": { + "items": { + "properties": { + "CreatedTime": { + "type": "string" + }, + "Description": { + "type": "string" + }, + "IncidentNumber": { + "type": "integer" + }, + "IncidentUrl": { + "type": "string" + }, + "Severity": { + "type": "string" + }, + "Title": { + "type": "string" + } + }, + "required": [ + "IncidentNumber", + "CreatedTime", + "Severity", + "Title", + "Description", + "IncidentUrl" + ], + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + } + } + }, + "Run_query_and_list_results": { + "runAfter": {}, + "type": "ApiConnection", + "inputs": { + "body": "SecurityIncident\n| where AlertIds contains \"@{triggerBody()?['SystemAlertId']}\"\n| project IncidentNumber, CreatedTime,Severity, Title, Description, IncidentUrl", + "host": { + "connection": { + "name": "@parameters('$connections')['azuremonitorlogs']['connectionId']" + } + }, + "method": "post", + "path": "/queryData", + "queries": { + "resourcegroups": "[parameters('SentinelWSResourceGroup')]", + "resourcename": "[parameters('SenrinelWSName')]", + "resourcetype": "Log Analytics Workspace", + "subscriptions": "[parameters('SentinelSubID')]", + "timerange": "24h" + } + } + } + }, + "outputs": {} + }, + "parameters": { + "$connections": { + "value": { + "azuremonitorlogs": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('azuremonitorlogsConnectionName'))]", + "connectionName": "[variables('azuremonitorlogsConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuremonitorlogs')]" + }, + "azuresentinel": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('sentinelConnectionName'))]", + "connectionName": "[variables('sentinelConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, 
'/managedApis/azuresentinel')]" + }, + "office365": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('o365ConnectionName'))]", + "connectionName": "[variables('o365ConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/office365')]" + } + } + } + } + } + } + ] +} diff --git a/Playbooks/Incident-Email-Notification/readme.md b/Playbooks/Incident-Email-Notification/readme.md new file mode 100644 index 0000000000..4ec572e8d4 --- /dev/null +++ b/Playbooks/Incident-Email-Notification/readme.md @@ -0,0 +1,12 @@ +# Incident-Email-Notification +author: Ali Yazdani + +This playbook will send an Email notification when a new incident is opened in Azure Sentinel. +The palybook uses HTML template for email notification. + + + + + + +
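Review bot: The `Append_to_string_variable` action inside `For_each` writes `@{items('For_each')?['Title']}` and `@{items('For_each')?['Description']}` straight into the HTML table that becomes the mail body (the inline `style=` strings in `varStyle` show the body is rendered as HTML), so any markup contained in an incident title or description — fields that are derived from alert content and are not under the defender's control — is rendered by the recipient's mail client. Escape each interpolated field before appending, e.g. `@{replace(replace(replace(items('For_each')?['Description'], '&', '&amp;'), '<', '&lt;'), '>', '&gt;')}`, and do the same for `Title`. Separately, the `Parse_JSON` schema types `Description` as `string` and lists it under `required`, so a row whose description is null would presumably fail the parse and abort the run before any mail is sent; `"type": ["string", "null"]` is safer if the table can return that. The parameter names `DeployserUserName` and `SenrinelWSName` (and `incidnet` in `metadata.comments`, `trigered` in the mail subject) look like typos worth fixing before publication, since renaming a parameter later breaks every existing deployment that passes it.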
Incident NumberCreated TimeSeverityTitleDescriptionIncident URL