From b4b7dcce8c80a788b36e2560eed301a479dc0884 Mon Sep 17 00:00:00 2001
From: Ying Huang
Date: Thu, 16 Feb 2023 11:19:41 -0800
Subject: [PATCH 1/2] update the build related stuff. small change to metadata.

---
 .../Data/Solution_CohesitySecurity.json | 2 +-
 .../Package/createUiDefinition.json | 172 +-
 .../Package/mainTemplate.json | 4163 +++++++----------
 .../CohesitySecurity/SolutionMetadata.json | 8 +-
 .../CohesitySecurity/build_one_solution.ps1 | 2 +-
 5 files changed, 1868 insertions(+), 2479 deletions(-)

diff --git a/Solutions/CohesitySecurity/Data/Solution_CohesitySecurity.json b/Solutions/CohesitySecurity/Data/Solution_CohesitySecurity.json
index 04acb91d6a..d1b4708476 100644
--- a/Solutions/CohesitySecurity/Data/Solution_CohesitySecurity.json
+++ b/Solutions/CohesitySecurity/Data/Solution_CohesitySecurity.json
@@ -13,7 +13,7 @@
 "Playbooks/Cohesity_CreateOrUpdate_ServiceNow_Incident/azuredeploy.json",
 "Playbooks/Cohesity_Delete_Incident_Blobs/azuredeploy.json"
 ],
-"BasePath": "/home/cohesity/workspace/Azure-Sentinel/Solutions/CohesitySecurity",
+"BasePath": "Solutions/CohesitySecurity",
 "Version": "2.0.0",
 "Metadata": "SolutionMetadata.json",
 "TemplateSpec": true,
diff --git a/Solutions/CohesitySecurity/Package/createUiDefinition.json b/Solutions/CohesitySecurity/Package/createUiDefinition.json
index 44efcc0963..142a4a4115 100644
--- a/Solutions/CohesitySecurity/Package/createUiDefinition.json
+++ b/Solutions/CohesitySecurity/Package/createUiDefinition.json
@@ -6,7 +6,7 @@
 "config": {
 "isWizard": false,
 "basics": {
-"description": "\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThis product integrates Cohesity Helios with Microsoft Sentinel to stay updated with the security events from your Cohesity environment and immediately respond to a ransomware attack or an anomaly\n\n**Data Connectors:** 1, **Playbooks:** 5\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+"description": "\n\n**Important:** _This Microsoft Sentinel Solution is currently in public preview. This feature is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)._\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThis product integrates Cohesity Helios with Microsoft Sentinel to stay updated with the security events from your Cohesity environment and immediately respond to a ransomware attack or an anomaly\n\nMicrosoft Sentinel Solutions provide a consolidated way to acquire Microsoft Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.\n\n**Data Connectors:** 1, **Playbooks:** 5\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
 "subscription": {
 "resourceProviders": [
 "Microsoft.OperationsManagement/solutions",
@@ -60,7 +60,17 @@
 "name": "dataconnectors1-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
-"text": "This product integrates Cohesity Helios with Microsoft Sentinel to stay updated with the security events from your Cohesity environment and immediately respond to a ransomware attack or an anomaly."
+"text": "This Solution installs the data connector for CohesitySecurity. You can get CohesitySecurity custom log data in your Microsoft Sentinel workspace. Configure and enable this data connector in the Data Connector gallery after this Solution deploys. This data connector creates custom log table(s) Cohesity_CL in your Microsoft Sentinel / Azure Log Analytics workspace."
+}
+},
+{
+"name": "dataconnectors-link1",
+"type": "Microsoft.Common.TextBlock",
+"options": {
+"link": {
+"label": "Learn more about normalized format",
+"uri": "https://docs.microsoft.com/azure/sentinel/normalization-schema"
+}
 }
 },
 {
@@ -88,18 +98,154 @@ "name": "playbooks-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "This solution installs the Playbook templates to help implement your Security Orchestration, Automation and Response (SOAR) operations. After installing the solution, these will be deployed under Playbook Templates in the Automation blade in Microsoft Sentinel. They can be configured and managed from the Manage solution view in Content Hub." - } - }, - { - "name": "playbooks-link", - "type": "Microsoft.Common.TextBlock", - "options": { + "text": "This solution installs playbook resources. A security playbook is a collection of procedures that can be run from Microsoft Sentinel in response to an alert. A security playbook can help automate and orchestrate your response, and can be run manually or set to run automatically when specific alerts are triggered. Security playbooks in Microsoft Sentinel are based on Azure Logic Apps, which means that you get all the power, customizability, and built-in templates of Logic Apps. Each playbook is created for the specific subscription you choose, but when you look at the Playbooks page, you will see all the playbooks across any selected subscriptions.", "link": { "label": "Learn more", "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-respond-threats-playbook?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef" } } + }, + { + "name": "playbook1", + "type": "Microsoft.Common.Section", + "label": "My_Cohesity_Send_Incident_Email", + "elements": [ + { + "name": "playbook1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This playbook ingests events from CohesitySecurity into Log Analytics using the API." + } + }, + { + "name": "playbook1-PlaybookName", + "type": "Microsoft.Common.TextBox", + "label": "Playbook Name", + "defaultValue": "My_Cohesity_Send_Incident_Email", + "toolTip": "Resource name for the logic app playbook. 
No spaces are allowed", + "constraints": { + "required": true, + "regex": "[a-z0-9A-Z]{1,256}$", + "validationMessage": "Please enter a playbook resource name" + } + }, + { + "name": "playbook1-EmailID", + "type": "Microsoft.Common.TextBox", + "label": "Email I D", + "defaultValue": "", + "toolTip": "Please enter Email I D", + "constraints": { + "required": true, + "regex": "[a-z0-9A-Z]{1,256}$", + "validationMessage": "Please enter the Email I D" + } + } + ] + }, + { + "name": "playbook2", + "type": "Microsoft.Common.Section", + "label": "My_Cohesity_Restore_From_Last_Snapshot", + "elements": [ + { + "name": "playbook2-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This playbook ingests events from CohesitySecurity into Log Analytics using the API." + } + }, + { + "name": "playbook2-PlaybookName", + "type": "Microsoft.Common.TextBox", + "label": "Playbook Name", + "defaultValue": "My_Cohesity_Restore_From_Last_Snapshot", + "toolTip": "Resource name for the logic app playbook. No spaces are allowed", + "constraints": { + "required": true, + "regex": "[a-z0-9A-Z]{1,256}$", + "validationMessage": "Please enter a playbook resource name" + } + } + ] + }, + { + "name": "playbook3", + "type": "Microsoft.Common.Section", + "label": "My_Cohesity_Close_Helios_Incident", + "elements": [ + { + "name": "playbook3-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This playbook ingests events from CohesitySecurity into Log Analytics using the API." + } + }, + { + "name": "playbook3-PlaybookName", + "type": "Microsoft.Common.TextBox", + "label": "Playbook Name", + "defaultValue": "My_Cohesity_Close_Helios_Incident", + "toolTip": "Resource name for the logic app playbook. 
No spaces are allowed", + "constraints": { + "required": true, + "regex": "[a-z0-9A-Z]{1,256}$", + "validationMessage": "Please enter a playbook resource name" + } + } + ] + }, + { + "name": "playbook4", + "type": "Microsoft.Common.Section", + "label": "My_Cohesity_CreateOrUpdate_ServiceNow_Incident", + "elements": [ + { + "name": "playbook4-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This playbook ingests events from CohesitySecurity into Log Analytics using the API." + } + }, + { + "name": "playbook4-PlaybookName", + "type": "Microsoft.Common.TextBox", + "label": "Playbook Name", + "defaultValue": "My_Cohesity_CreateOrUpdate_ServiceNow_Incident", + "toolTip": "Resource name for the logic app playbook. No spaces are allowed", + "constraints": { + "required": true, + "regex": "[a-z0-9A-Z]{1,256}$", + "validationMessage": "Please enter a playbook resource name" + } + } + ] + }, + { + "name": "playbook5", + "type": "Microsoft.Common.Section", + "label": "My_Cohesity_Delete_Incident_Blobs", + "elements": [ + { + "name": "playbook5-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This playbook ingests events from CohesitySecurity into Log Analytics using the API." + } + }, + { + "name": "playbook5-PlaybookName", + "type": "Microsoft.Common.TextBox", + "label": "Playbook Name", + "defaultValue": "My_Cohesity_Delete_Incident_Blobs", + "toolTip": "Resource name for the logic app playbook. No spaces are allowed", + "constraints": { + "required": true, + "regex": "[a-z0-9A-Z]{1,256}$", + "validationMessage": "Please enter a playbook resource name" + } + } + ] } ] } 
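Review bot: The `playbookN-PlaybookName` regex `[a-z0-9A-Z]{1,256}$` has no leading `^`, so unless the validator anchors implicitly it only constrains the trailing characters and a name containing spaces still passes, contradicting the toolTip; `"regex": "^[a-z0-9A-Z]{1,256}$"` would enforce what the toolTip promises. The same alphanumeric pattern is reused for `playbook1-EmailID`, where an anchored form would reject every address containing `@` or `.`, so that field needs its own constraint (for example a constructed minimal check such as `^[^@\\s]+@[^@\\s]+$` with a matching validationMessage). All five `playbookN-text` blocks carry the identical sentence "This playbook ingests events from CohesitySecurity into Log Analytics using the API.", which describes none of the playbooks named in their section labels (send incident email, restore from last snapshot, close Helios incident, create or update ServiceNow incident, delete incident blobs); each should state what that playbook actually does. The label `Email I D` also reads as a generator artifact and should be `Email ID`.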
@@ -107,7 +253,13 @@
 "outputs": {
 "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
 "location": "[location()]",
-"workspace": "[basics('workspace')]"
+"workspace": "[basics('workspace')]",
+"playbook1-PlaybookName": "[steps('playbooks').playbook1.playbook1-PlaybookName]",
+"playbook1-EmailID": "[steps('playbooks').playbook1.playbook1-EmailID]",
+"playbook2-PlaybookName": "[steps('playbooks').playbook2.playbook2-PlaybookName]",
+"playbook3-PlaybookName": "[steps('playbooks').playbook3.playbook3-PlaybookName]",
+"playbook4-PlaybookName": "[steps('playbooks').playbook4.playbook4-PlaybookName]",
+"playbook5-PlaybookName": "[steps('playbooks').playbook5.playbook5-PlaybookName]"
 }
 }
 }
diff --git a/Solutions/CohesitySecurity/Package/mainTemplate.json b/Solutions/CohesitySecurity/Package/mainTemplate.json
index a6b74cfa08..f4599ffbe2 100644
--- a/Solutions/CohesitySecurity/Package/mainTemplate.json
+++ b/Solutions/CohesitySecurity/Package/mainTemplate.json
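Review bot: The new output `playbook1-EmailID` does not match the parameter the patched mainTemplate.json declares in the same commit, which is `EmailID` (with `"minLength": 1` and an empty default), so a deployment driven by this UI would pass an undeclared `playbook1-EmailID` parameter while `EmailID` stays empty and fails template validation. Either rename the template parameter to `"playbook1-EmailID"` so it lines up with the other `playbookN-*` names, or emit `"EmailID": "[steps('playbooks').playbook1.playbook1-EmailID]"` here; the former keeps the naming scheme consistent. Both files look generated, so the fix presumably belongs in the build input rather than only in the packaged output. The mainTemplate hunk that declares `EmailID` begins on this page but runs past its end.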
@@ -1,2524 +1,1761 @@ { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "author": "Cohesity - support@cohesity.com", - "comments": "Solution template for CohesitySecurity" - }, - "parameters": { - "location": { - "type": "string", - "minLength": 1, - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace" - } + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "author": "Cohesity - support@cohesity.com", + "comments": "Solution template for CohesitySecurity" }, - "workspace-location": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" - } + "parameters": { + "location": { + "type": "string", + "minLength": 1, + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. 
We instead use the `workspace-location` which is derived from the LA workspace" + } + }, + "workspace-location": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" + } + }, + "workspace": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" + } + }, + "connector1-name": { + "type": "string", + "defaultValue": "63870354-b3f2-4fa9-8dc3-94a7926de6f0" + }, + "playbook1-PlaybookName": { + "defaultValue": "My_Cohesity_Send_Incident_Email", + "type": "string", + "minLength": 1, + "metadata": { + "description": "Resource name for the logic app playbook. No spaces are allowed" + } + }, + "EmailID": { + "defaultValue": "", + "type": "string", + "minLength": 1 + }, + "playbook2-PlaybookName": { + "defaultValue": "My_Cohesity_Restore_From_Last_Snapshot", + "type": "string", + "minLength": 1, + "metadata": { + "description": "Resource name for the logic app playbook. No spaces are allowed" + } + }, + "playbook3-PlaybookName": { + "defaultValue": "My_Cohesity_Close_Helios_Incident", + "type": "string", + "minLength": 1, + "metadata": { + "description": "Resource name for the logic app playbook. No spaces are allowed" + } + }, + "playbook4-PlaybookName": { + "defaultValue": "My_Cohesity_CreateOrUpdate_ServiceNow_Incident", + "type": "string", + "minLength": 1, + "metadata": { + "description": "Resource name for the logic app playbook. No spaces are allowed" + } + }, + "playbook5-PlaybookName": { + "defaultValue": "My_Cohesity_Delete_Incident_Blobs", + "type": "string", + "minLength": 1, + "metadata": { + "description": "Resource name for the logic app playbook. 
No spaces are allowed" + } + } }, - "workspace": { - "defaultValue": "", - "type": "string", - "metadata": { - "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" - } - } - }, - "variables": { - "solutionId": "cohesity.cohesity_sentinel_data_connector", - "_solutionId": "[variables('solutionId')]", - "email": "support@cohesity.com", - "_email": "[variables('email')]", - "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", - "uiConfigId1": "CohesityDataConnector", - "_uiConfigId1": "[variables('uiConfigId1')]", - "dataConnectorContentId1": "CohesityDataConnector", - "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]", - "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "_dataConnectorId1": "[variables('dataConnectorId1')]", - "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1')))]", - "dataConnectorVersion1": "1.0.0", - "Cohesity_Send_Incident_Email": "Cohesity_Send_Incident_Email", - "_Cohesity_Send_Incident_Email": "[variables('Cohesity_Send_Incident_Email')]", - "playbookVersion1": "1.0", - "playbookContentId1": "Cohesity_Send_Incident_Email", - "_playbookContentId1": "[variables('playbookContentId1')]", - "playbookId1": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId1'))]", - "playbookTemplateSpecName1": "[concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId1')))]", - "blanks": "[replace('b', 'b', '')]", - "Cohesity_Restore_From_Last_Snapshot": "Cohesity_Restore_From_Last_Snapshot", - "_Cohesity_Restore_From_Last_Snapshot": "[variables('Cohesity_Restore_From_Last_Snapshot')]", - "playbookVersion2": "1.0", - "playbookContentId2": "Cohesity_Restore_From_Last_Snapshot", - 
"_playbookContentId2": "[variables('playbookContentId2')]", - "playbookId2": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId2'))]", - "playbookTemplateSpecName2": "[concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId2')))]", - "Cohesity_Close_Helios_Incident": "Cohesity_Close_Helios_Incident", - "_Cohesity_Close_Helios_Incident": "[variables('Cohesity_Close_Helios_Incident')]", - "playbookVersion3": "1.0", - "playbookContentId3": "Cohesity_Close_Helios_Incident", - "_playbookContentId3": "[variables('playbookContentId3')]", - "playbookId3": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId3'))]", - "playbookTemplateSpecName3": "[concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId3')))]", - "Cohesity_CreateOrUpdate_ServiceNow_Incident": "Cohesity_CreateOrUpdate_ServiceNow_Incident", - "_Cohesity_CreateOrUpdate_ServiceNow_Incident": "[variables('Cohesity_CreateOrUpdate_ServiceNow_Incident')]", - "playbookVersion4": "1.0", - "playbookContentId4": "Cohesity_CreateOrUpdate_ServiceNow_Incident", - "_playbookContentId4": "[variables('playbookContentId4')]", - "playbookId4": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId4'))]", - "playbookTemplateSpecName4": "[concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId4')))]", - "Cohesity_Delete_Incident_Blobs": "Cohesity_Delete_Incident_Blobs", - "_Cohesity_Delete_Incident_Blobs": "[variables('Cohesity_Delete_Incident_Blobs')]", - "playbookVersion5": "1.0", - "playbookContentId5": "Cohesity_Delete_Incident_Blobs", - "_playbookContentId5": "[variables('playbookContentId5')]", - "playbookId5": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId5'))]", - "playbookTemplateSpecName5": "[concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId5')))]" - }, - "resources": [ - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": 
"2021-05-01", - "name": "[variables('dataConnectorTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "DataConnector" - }, - "properties": { - "description": "CohesitySecurity data connector with template", - "displayName": "CohesitySecurity template" - } + "variables": { + "connector1-source": "[concat('/subscriptions/',subscription().subscriptionId,'/resourceGroups/',resourceGroup().name,'/providers/Microsoft.OperationalInsights/workspaces/',parameters('workspace'),'/providers/Microsoft.SecurityInsights/dataConnectors/',parameters('connector1-name'))]", + "_connector1-source": "[variables('connector1-source')]", + "CohesityDataConnectorConnector": "CohesityDataConnectorConnector", + "_CohesityDataConnectorConnector": "[variables('CohesityDataConnectorConnector')]", + "playbook1-Cohesity_Send_Incident_Email": "playbook1-Cohesity_Send_Incident_Email", + "_playbook1-Cohesity_Send_Incident_Email": "[variables('playbook1-Cohesity_Send_Incident_Email')]", + "playbook1-MicrosoftSentinelConnectionName": "[concat('MicrosoftSentinel-', parameters('playbook1-PlaybookName'))]", + "playbook1-OutlookConnectionName": "[concat('Outlook-', parameters('playbook1-PlaybookName'))]", + "playbook-1-connection-2": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/Azuresentinel')]", + "_playbook-1-connection-2": "[variables('playbook-1-connection-2')]", + "playbook-1-connection-3": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/Outlook')]", + "_playbook-1-connection-3": "[variables('playbook-1-connection-3')]", + "playbook2-Cohesity_Restore_From_Last_Snapshot": "playbook2-Cohesity_Restore_From_Last_Snapshot", + "_playbook2-Cohesity_Restore_From_Last_Snapshot": 
"[variables('playbook2-Cohesity_Restore_From_Last_Snapshot')]", + "playbook2-AzureblobConnectionName": "[concat('Azureblob-', parameters('playbook2-PlaybookName'))]", + "playbook2-MicrosoftSentinelConnectionName": "[concat('MicrosoftSentinel-', parameters('playbook2-PlaybookName'))]", + "playbook2-KeyvaultConnectionName": "[concat('Keyvault-', parameters('playbook2-PlaybookName'))]", + "playbook-2-connection-2": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/Azureblob')]", + "_playbook-2-connection-2": "[variables('playbook-2-connection-2')]", + "playbook-2-connection-4": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/Keyvault')]", + "_playbook-2-connection-4": "[variables('playbook-2-connection-4')]", + "playbook3-Cohesity_Close_Helios_Incident": "playbook3-Cohesity_Close_Helios_Incident", + "_playbook3-Cohesity_Close_Helios_Incident": "[variables('playbook3-Cohesity_Close_Helios_Incident')]", + "playbook3-MicrosoftSentinelConnectionName": "[concat('MicrosoftSentinel-', parameters('playbook3-PlaybookName'))]", + "playbook3-KeyvaultConnectionName": "[concat('Keyvault-', parameters('playbook3-PlaybookName'))]", + "playbook4-Cohesity_CreateOrUpdate_ServiceNow_Incident": "playbook4-Cohesity_CreateOrUpdate_ServiceNow_Incident", + "_playbook4-Cohesity_CreateOrUpdate_ServiceNow_Incident": "[variables('playbook4-Cohesity_CreateOrUpdate_ServiceNow_Incident')]", + "playbook4-MicrosoftsentinelConnectionName": "[concat('Microsoftsentinel-', parameters('playbook4-PlaybookName'))]", + "playbook4-ServiceNowConnectionName": "[concat('Service-Now-', parameters('playbook4-PlaybookName'))]", + "playbook-4-connection-3": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/Service-Now')]", + 
"_playbook-4-connection-3": "[variables('playbook-4-connection-3')]", + "playbook5-Cohesity_Delete_Incident_Blobs": "playbook5-Cohesity_Delete_Incident_Blobs", + "_playbook5-Cohesity_Delete_Incident_Blobs": "[variables('playbook5-Cohesity_Delete_Incident_Blobs')]", + "playbook5-AzureblobConnectionName": "[concat('Azureblob-', parameters('playbook5-PlaybookName'))]", + "playbook5-MicrosoftSentinelConnectionName": "[concat('MicrosoftSentinel-', parameters('playbook5-PlaybookName'))]", + "sourceId": "cohesity.cohesity_sentinel_data_connector", + "_sourceId": "[variables('sourceId')]" }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('dataConnectorTemplateSpecName1'),'/',variables('dataConnectorVersion1'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "DataConnector" - }, - "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('dataConnectorTemplateSpecName1'))]" - ], - "properties": { - "description": "CohesitySecurity data connector with template version 2.0.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion1')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { + "resources": [{ + "id": "[variables('_connector1-source')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('connector1-name'))]", + "apiVersion": "2021-03-01-preview", + "type": 
"Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { "connectorUiConfig": { - "id": "[variables('_uiConfigId1')]", - "title": "Cohesity (using Azure Function)", - "publisher": "Cohesity", - "descriptionMarkdown": "The Cohesity function apps provide the ability to ingest Cohesity Datahawk ransomware alerts into Microsoft Sentinel.", - "additionalRequirementBanner": ">This data connector depends on two functions apps - [one](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/CohesitySecurity/Data%20Connectors/Helios2Sentinel/IncidentProducer) gets the data about new incidents from Cohesity Datahawk, formats and adds them to the queue; [another one](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/CohesitySecurity/Data%20Connectors/Helios2Sentinel/IncidentConsumer) takes them from the queue and stores in the MS Sentinel Incidents table. The functions have their own configs and depends on Blob storage and KeyVault", - "graphQueries": [ - { - "metricName": "Cohesity logs", - "legend": "Cohesity_CL", - "baseQuery": "Cohesity_CL" - } - ], - "sampleQueries": [ - { - "description": "All Cohesity logs", - "query": "Cohesity_CL\n| sort by TimeGenerated desc" - } - ], - "dataTypes": [ - { - "name": "Cohesity_CL", - "lastDataReceivedQuery": "Cohesity_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "Cohesity_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(1d)" - ] - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions on the workspace are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - 
"requiredPermissions": { - "write": true, - "read": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ], - "customs": [ - { - "name": "Microsoft.Web/sites permissions", - "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." - }, - { - "name": "Azure Blob Storage connection string and container name", - "description": "Azure Blob Storage connection string and container name" - } - ] - }, - "instructionSteps": [ - { - "description": ">**NOTE:** This connector uses Azure Functions that connect to the Azure Blob Storage and KeyVault. This might result in additional costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/), [Azure Blob Storage pricing page](https://azure.microsoft.com/pricing/details/storage/blobs/) and [Azure KeyVault pricing page](https://azure.microsoft.com/pricing/details/key-vault/) for details." - }, - { - "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App." 
- }, - { - "description": "**STEP 1 - Get a Cohesity DataHawk API key (see troubleshooting [instruction 1](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/CohesitySecurity/Data%20Connectors/Helios2Sentinel/IncidentProducer))**" - }, - { - "description": "**STEP 2 - Register Azure app ([link](https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/RegisteredApps)) and save Application (client) ID, Directory (tenant) ID, and Secret Value ([instructions](https://learn.microsoft.com/en-us/azure/healthcare-apis/register-application)). Grant it Azure Storage (user_impersonation), Microsoft Graph (Application.ReadWrite.All, User.Read) permissions**" - }, - { - "description": "**STEP 3 - Deploy the connector and the associated Azure Functions**." - }, - { - "description": "Use this method for automated deployment of the Cohesity data connector using an ARM Template.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-Cohesity-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the parameters that you created at the previous steps\n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**.\n5. 
Click **Purchase** to deploy.", - "title": "Azure Resource Manager (ARM) Template" - } - ] - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "CohesitySecurity", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Cohesity", - "email": "[variables('_email')]" - }, - "support": { - "tier": "Partner", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.cohesity.com" - } - } - } - ] - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "dependsOn": [ - "[variables('_dataConnectorId1')]" - ], - "location": "[parameters('workspace-location')]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "CohesitySecurity", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Cohesity", - "email": 
"[variables('_email')]" - }, - "support": { - "tier": "Partner", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.cohesity.com" - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "title": "Cohesity (using Azure Function)", - "publisher": "Cohesity", - "descriptionMarkdown": "The Cohesity function apps provide the ability to ingest Cohesity Datahawk ransomware alerts into Microsoft Sentinel.", - "graphQueries": [ - { - "metricName": "Cohesity logs", - "legend": "Cohesity_CL", - "baseQuery": "Cohesity_CL" - } - ], - "dataTypes": [ - { - "name": "Cohesity_CL", - "lastDataReceivedQuery": "Cohesity_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "Cohesity_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(1d)" - ] - } - ], - "sampleQueries": [ - { - "description": "All Cohesity logs", - "query": "Cohesity_CL\n| sort by TimeGenerated desc" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions on the workspace are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "read": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ], - "customs": [ - { - "name": "Microsoft.Web/sites permissions", - "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." - }, - { - "name": "Azure Blob Storage connection string and container name", - "description": "Azure Blob Storage connection string and container name" - } - ] - }, - "instructionSteps": [ - { - "description": ">**NOTE:** This connector uses Azure Functions that connect to the Azure Blob Storage and KeyVault. This might result in additional costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/), [Azure Blob Storage pricing page](https://azure.microsoft.com/pricing/details/storage/blobs/) and [Azure KeyVault pricing page](https://azure.microsoft.com/pricing/details/key-vault/) for details." - }, - { - "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App." 
- }, - { - "description": "**STEP 1 - Get a Cohesity DataHawk API key (see troubleshooting [instruction 1](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/CohesitySecurity/Data%20Connectors/Helios2Sentinel/IncidentProducer))**" - }, - { - "description": "**STEP 2 - Register Azure app ([link](https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/RegisteredApps)) and save Application (client) ID, Directory (tenant) ID, and Secret Value ([instructions](https://learn.microsoft.com/en-us/azure/healthcare-apis/register-application)). Grant it Azure Storage (user_impersonation), Microsoft Graph (Application.ReadWrite.All, User.Read) permissions**" - }, - { - "description": "**STEP 3 - Deploy the connector and the associated Azure Functions**." - }, - { - "description": "Use this method for automated deployment of the Cohesity data connector using an ARM Template.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-Cohesity-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the parameters that you created at the previous steps\n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**.\n5. Click **Purchase** to deploy.", - "title": "Azure Resource Manager (ARM) Template" - } - ], - "id": "[variables('_uiConfigId1')]", - "additionalRequirementBanner": ">This data connector depends on two functions apps - [one](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/CohesitySecurity/Data%20Connectors/Helios2Sentinel/IncidentProducer) gets the data about new incidents from Cohesity Datahawk, formats and adds them to the queue; [another one](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/CohesitySecurity/Data%20Connectors/Helios2Sentinel/IncidentConsumer) takes them from the queue and stores in the MS Sentinel Incidents table. 
The functions have their own configs and depends on Blob storage and KeyVault" - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('playbookTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" - }, - "properties": { - "description": "My_Cohesity_Send_Incident_Email playbook", - "displayName": "My_Cohesity_Send_Incident_Email playbook" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('playbookTemplateSpecName1'),'/',variables('playbookVersion1'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" - }, - "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName1'))]" - ], - "properties": { - "description": "My_Cohesity_Send_Incident_Email Playbook with template version 2.0.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion1')]", - "parameters": { - "PlaybookName": { - "defaultValue": "My_Cohesity_Send_Incident_Email", - "type": "string" - }, - "EmailID": { - "type": "string", - "metadata": { - "description": "Enter value for EmailID" - } - } - }, - "variables": { - "MicrosoftSentinelConnectionName": "[[concat('MicrosoftSentinel-', parameters('PlaybookName'))]", - "OutlookConnectionName": "[[concat('Outlook-', parameters('PlaybookName'))]", - "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", - "_connection-2": "[[variables('connection-2')]", - "connection-3": 
"[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Outlook')]", - "_connection-3": "[[variables('connection-3')]", - "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", - "workspace-name": "[parameters('workspace')]", - "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" - }, - "resources": [ - { - "properties": { - "provisioningState": "Succeeded", - "state": "Enabled", - "definition": { - "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "$connections": { - "type": "Object" - }, - "EmailID": { - "defaultValue": "[[parameters('EmailID')]", - "type": "string" - } - }, - "triggers": { - "Microsoft_Sentinel_incident": { - "type": "ApiConnectionWebhook", - "inputs": { - "body": { - "callback_url": "@{listCallbackUrl()}" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "path": "/incident-creation" - } - } - }, - "actions": { - "Initialize_variable": { - "type": "InitializeVariable", - "inputs": { - "variables": [ - { - "name": "EmailBody", - "type": "string" - } + "title": "Cohesity", + "publisher": "Cohesity", + "descriptionMarkdown": "The Cohesity function apps provide the ability to ingest Cohesity Datahawk ransomware alerts into Microsoft Sentinel.", + "graphQueries": [{ + "metricName": "Cohesity logs", + "legend": "Cohesity_CL", + "baseQuery": "Cohesity_CL" + }], + "sampleQueries": [{ + "description": "All Cohesity logs", + "query": "Cohesity_CL\n| sort by TimeGenerated desc" + }], + "dataTypes": [{ + "name": "Cohesity_CL", + "lastDataReceivedQuery": "Cohesity_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }], + "connectivityCriterias": [{ + "type": "IsConnectedQuery", 
+ "value": [ + "Cohesity_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(1d)" ] - } + }], + "availability": { + "status": 1, + "isPreview": false }, - "Send_email_(V2)": { - "runAfter": { - "Set_variable_2": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "body": { - "Body": "

@{variables('EmailBody')}

", - "Importance": "Normal", - "Subject": "Cohesity Alert", - "To": "@parameters('EmailID')" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['outlook']['connectionId']" - } - }, - "method": "post", - "path": "/v2/Mail" - } - }, - "Set_variable_2": { - "runAfter": { - "Initialize_variable": [ - "Succeeded" - ] - }, - "type": "SetVariable", - "inputs": { - "name": "EmailBody", - "value": "

Hello SecurityTeam,

\n

You have a Cohesity incident from Microsoft Sentinel. Below is information:

\n\n\n\n

Please review and update incident accordingly.

\n

Cohesity Team

" - } - } - } - }, - "parameters": { - "$connections": { - "value": { - "azuresentinel": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", - "connectionName": "[[variables('MicrosoftSentinelConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", - "connectionProperties": { - "authentication": { - "type": "ManagedServiceIdentity" - } - } - }, - "outlook": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('OutlookConnectionName'))]", - "connectionName": "[[variables('OutlookConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Outlook')]" - } - } - } - } - }, - "name": "[[parameters('PlaybookName')]", - "type": "Microsoft.Logic/workflows", - "location": "[[variables('workspace-location-inline')]", - "tags": { - "hidden-SentinelTemplateName": "My_Cohesity_Send_Incident_Email", - "hidden-SentinelTemplateVersion": "1.0", - "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" - }, - "identity": { - "type": "SystemAssigned" - }, - "apiVersion": "2019-05-01", - "dependsOn": [ - "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", - "[[resourceId('Microsoft.Web/connections', variables('OutlookConnectionName'))]" - ] - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('MicrosoftSentinelConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[variables('MicrosoftSentinelConnectionName')]", - "parameterValueType": "Alternative", - "api": { - "id": "[[variables('_connection-2')]" - } - } - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": 
"2016-06-01", - "name": "[[variables('OutlookConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[variables('OutlookConnectionName')]", - "api": { - "id": "[[variables('_connection-3')]" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId1'),'/'))))]", - "properties": { - "parentId": "[variables('playbookId1')]", - "contentId": "[variables('_playbookContentId1')]", - "kind": "Playbook", - "version": "[variables('playbookVersion1')]", - "source": { - "kind": "Solution", - "name": "CohesitySecurity", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Cohesity", - "email": "[variables('_email')]" - }, - "support": { - "tier": "Partner", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.cohesity.com" - } - } - } - ], - "metadata": { - "title": "Cohesity Incident Email", - "description": "This playbook sends an email to the recipient with the details related to the incidents.", - "prerequisites": "Create a distribution list (email) that will be used for sending out incident notifications.", - "postDeployment": [ - "To enable this playbook, you need to authorize Outlook connection." 
- ], - "lastUpdateTime": "2022-12-23T10:57:00Z", - "entities": [ - "Malware" - ], - "tags": [ - "SOAR", - "Email Notification", - "Threat Response" - ], - "releaseNotes": { - "version": "1.0", - "title": "[variables('blanks')]", - "notes": [ - "Initial version" - ] - } - } - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('playbookTemplateSpecName2')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" - }, - "properties": { - "description": "My_Cohesity_Restore_From_Last_Snapshot playbook", - "displayName": "My_Cohesity_Restore_From_Last_Snapshot playbook" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('playbookTemplateSpecName2'),'/',variables('playbookVersion2'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" - }, - "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName2'))]" - ], - "properties": { - "description": "My_Cohesity_Restore_From_Last_Snapshot Playbook with template version 2.0.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion2')]", - "parameters": { - "PlaybookName": { - "defaultValue": "My_Cohesity_Restore_From_Last_Snapshot", - "type": "String" - } - }, - "variables": { - "AzureblobConnectionName": "[[concat('Azureblob-', parameters('PlaybookName'))]", - "MicrosoftSentinelConnectionName": "[[concat('MicrosoftSentinel-', parameters('PlaybookName'))]", - "KeyvaultConnectionName": "[[concat('Keyvault-', parameters('PlaybookName'))]", - "connection-2": "[[concat('/subscriptions/', 
subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azureblob')]", - "_connection-2": "[[variables('connection-2')]", - "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", - "_connection-3": "[[variables('connection-3')]", - "connection-4": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Keyvault')]", - "_connection-4": "[[variables('connection-4')]", - "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", - "workspace-name": "[parameters('workspace')]", - "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" - }, - "resources": [ - { - "type": "Microsoft.Logic/workflows", - "apiVersion": "2019-05-01", - "name": "[[parameters('PlaybookName')]", - "location": "[[variables('workspace-location-inline')]", - "dependsOn": [ - "[[resourceId('Microsoft.Web/connections', variables('AzureblobConnectionName'))]", - "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", - "[[resourceId('Microsoft.Web/connections', variables('KeyvaultConnectionName'))]" - ], - "tags": { - "hidden-SentinelTemplateName": "Cohesity_Restore_From_Last_Snapshot", - "hidden-SentinelTemplateVersion": "1.0", - "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" - }, - "identity": { - "type": "SystemAssigned" - }, - "properties": { - "provisioningState": "Succeeded", - "state": "Enabled", - "definition": { - "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "$connections": { - "type": "Object" - } - }, - "triggers": { - 
"Microsoft_Sentinel_incident": { - "type": "ApiConnectionWebhook", - "inputs": { - "body": { - "callback_url": "@{listCallbackUrl()}" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "path": "/incident-creation" - } - } - }, - "actions": { - "Get_cid_from_blob_content": { - "runAfter": { - "Get_jobId_from_blob_content": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['azureblob']['connectionId']" - } - }, - "method": "get", - "path": "/v2/datasets/@{encodeURIComponent(encodeURIComponent('AccountNameFromSettings'))}/GetFileContentByPath", - "queries": { - "inferContentType": true, - "path": "/cohesity-extra-parameters/@{variables('helioID')}/cid", - "queryParametersSingleEncoded": true - } - } - }, - "Get_entityId_from_blob_content": { - "runAfter": { - "Get_jobInstanceId_from_blob_content": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['azureblob']['connectionId']" - } - }, - "method": "get", - "path": "/v2/datasets/@{encodeURIComponent(encodeURIComponent('AccountNameFromSettings'))}/GetFileContentByPath", - "queries": { - "inferContentType": true, - "path": "/cohesity-extra-parameters/@{variables('helioID')}/entityId", - "queryParametersSingleEncoded": true - } - } - }, - "Get_jobId_from_blob_content": { - "runAfter": { - "Initialize_HelioID": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['azureblob']['connectionId']" - } - }, - "method": "get", - "path": "/v2/datasets/@{encodeURIComponent(encodeURIComponent('AccountNameFromSettings'))}/GetFileContentByPath", - "queries": { - "inferContentType": true, - "path": "/cohesity-extra-parameters/@{variables('helioID')}/jobId", - "queryParametersSingleEncoded": true - } - } - }, - 
"Get_jobInstanceId_from_blob_content": { - "runAfter": { - "Get_jobStartTimeUsecs_from_blob_content": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['azureblob']['connectionId']" - } - }, - "method": "get", - "path": "/v2/datasets/@{encodeURIComponent(encodeURIComponent('AccountNameFromSettings'))}/GetFileContentByPath", - "queries": { - "inferContentType": true, - "path": "/cohesity-extra-parameters/@{variables('helioID')}/jobInstanceId", - "queryParametersSingleEncoded": true - } - } - }, - "Get_jobStartTimeUsecs_from_blob_content": { - "runAfter": { - "Get_cid_from_blob_content": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['azureblob']['connectionId']" - } - }, - "method": "get", - "path": "/v2/datasets/@{encodeURIComponent(encodeURIComponent('AccountNameFromSettings'))}/GetFileContentByPath", - "queries": { - "inferContentType": true, - "path": "/cohesity-extra-parameters/@{variables('helioID')}/jobStartTimeUsecs", - "queryParametersSingleEncoded": true - } - } - }, - "Get_object_from_blob_content": { - "runAfter": { - "Get_entityId_from_blob_content": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['azureblob']['connectionId']" - } - }, - "method": "get", - "path": "/v2/datasets/@{encodeURIComponent(encodeURIComponent('AccountNameFromSettings'))}/GetFileContentByPath", - "queries": { - "inferContentType": true, - "path": "/cohesity-extra-parameters/@{variables('helioID')}/object", - "queryParametersSingleEncoded": true - } - } - }, - "Get_secret": { - "runAfter": { - "Get_object_from_blob_content": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['keyvault']['connectionId']" - } - }, - "method": "get", - "path": 
"/secrets/@{encodeURIComponent('ApiKey')}/value" - } - }, - "HTTP": { - "runAfter": { - "Get_secret": [ - "Succeeded" - ] - }, - "type": "Http", - "inputs": { - "body": { - "name": "Sentinel_triggered_restore_task_@{body('Get_object_from_blob_content')}", - "objects": [ + "permissions": { + "resourceProvider": [{ + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions on the workspace are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, { - "jobId": "@int(string(body('Get_jobId_from_blob_content')))", - "jobRunId": "@int(string(body('Get_jobInstanceId_from_blob_content')))", - "protectionSourceId": "@int(string(body('Get_entityId_from_blob_content')))", - "sourceName": "@{body('Get_object_from_blob_content')}", - "startedTimeUsecs": "@int(string(body('Get_jobStartTimeUsecs_from_blob_content')))" + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } } - ], - "type": "kRecoverVMs", - "vmwareParameters": { - "powerOffAndRenameExistingVm": true, - "poweredOn": true, - "prefix": "Recover-", - "recoveryProcessType": "kCopyRecovery", - "suffix": "-VM" - } - }, - "headers": { - "Content-Type": "application/json", - "apiKey": "@body('Get_secret')?['value']", - "clusterid": "@{body('Get_cid_from_blob_content')}" - }, - "method": "POST", - "uri": "https://helios.cohesity.com/irisservices/api/v1/public/restore/recover" - } + ], + "customs": [{ + "name": "Microsoft.Web/sites permissions", + "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." 
+ }, + { + "name": "Azure Blob Storage connection string and container name", + "description": "Azure Blob Storage connection string and container name" + } + ] }, - "Initialize_Description": { - "type": "InitializeVariable", - "inputs": { - "variables": [ - { - "name": "description", - "type": "string", - "value": "@triggerBody()?['object']?['properties']?['description']" - } - ] - } - }, - "Initialize_HelioID": { - "runAfter": { - "Initialize_Description": [ - "Succeeded" - ] - }, - "type": "InitializeVariable", - "inputs": { - "variables": [ - { - "name": "helioID", - "type": "string", - "value": "@{split(variables('description'), 'Helios ID: ')[1]}" - } - ] - } - } - } - }, - "parameters": { - "$connections": { - "value": { - "azureblob": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureblobConnectionName'))]", - "connectionName": "[[variables('AzureblobConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azureblob')]" - }, - "azuresentinel": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", - "connectionName": "[[variables('MicrosoftSentinelConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", - "connectionProperties": { - "authentication": { - "type": "ManagedServiceIdentity" - } + "instructionSteps": [{ + "description": ">**NOTE:** This connector uses Azure Functions that connect to the Azure Blob Storage and KeyVault. This might result in additional costs. 
Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/), [Azure Blob Storage pricing page](https://azure.microsoft.com/pricing/details/storage/blobs/) and [Azure KeyVault pricing page](https://azure.microsoft.com/pricing/details/key-vault/) for details." + }, + { + "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App." + }, + { + "description": "**STEP 1 - Get a Cohesity DataHawk API key (see troubleshooting [instruction 1](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/CohesitySecurity/Data%20Connectors/Helios2Sentinel/IncidentProducer))**" + }, + { + "description": "**STEP 2 - Register Azure app ([link](https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/RegisteredApps)) and save Application (client) ID, Directory (tenant) ID, and Secret Value ([instructions](https://learn.microsoft.com/en-us/azure/healthcare-apis/register-application)). Grant it Azure Storage (user_impersonation), Microsoft Graph (Application.ReadWrite.All, User.Read) permissions**" + }, + { + "description": "**STEP 3 - Deploy the connector and the associated Azure Functions**." + }, + { + "description": "Use this method for automated deployment of the Cohesity data connector using an ARM Template.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-Cohesity-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the parameters that you created at the previous steps\n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**.\n5. 
Click **Purchase** to deploy.", + "title": "Azure Resource Manager (ARM) Template" } - }, - "keyvault": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('KeyvaultConnectionName'))]", - "connectionName": "[[variables('KeyvaultConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Keyvault')]", - "connectionProperties": { - "authentication": { - "type": "ManagedServiceIdentity" - } - } - } - } - } + ], + "additionalRequirementBanner": ">This data connector depends on two functions apps - [one](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/CohesitySecurity/Data%20Connectors/Helios2Sentinel/IncidentProducer) gets the data about new incidents from Cohesity Datahawk, formats and adds them to the queue; [another one](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/CohesitySecurity/Data%20Connectors/Helios2Sentinel/IncidentConsumer) takes them from the queue and stores in the MS Sentinel Incidents table. 
The functions have their own configs and depends on Blob storage and KeyVault" } - } - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('AzureblobConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[variables('AzureblobConnectionName')]", - "api": { - "id": "[[variables('_connection-2')]" - } - } - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('MicrosoftSentinelConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[variables('MicrosoftSentinelConnectionName')]", - "parameterValueType": "Alternative", - "api": { - "id": "[[variables('_connection-3')]" - } - } - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('KeyvaultConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[variables('KeyvaultConnectionName')]", - "api": { - "id": "[[variables('_connection-4')]" - }, - "parameterValueType": "Alternative", - "alternativeParameterValues": { - "vaultName": "[[concat('cohesitypro', uniqueString(resourceGroup().id))]" - }, - "nonSecretParameterValues": { - "vaultName": "[[concat('cohesitypro', uniqueString(resourceGroup().id))]" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId2'),'/'))))]", - "properties": { - "parentId": "[variables('playbookId2')]", - "contentId": "[variables('_playbookContentId2')]", - "kind": "Playbook", - "version": "[variables('playbookVersion2')]", - "source": { - "kind": "Solution", - "name": "CohesitySecurity", - "sourceId": "[variables('_solutionId')]" - }, - 
"author": { - "name": "Cohesity", - "email": "[variables('_email')]" - }, - "support": { - "tier": "Partner", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.cohesity.com" - } - } } - ], - "metadata": { - "title": "Restore From Last Cohesity Snapshot", - "description": "This playbook restores the latest good Data Hawk (Helios) snapshot.", - "prerequisites": "Deploy the Cohesity configuration and function apps (see details [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CohesitySecurity/Playbooks/Cohesity_Restore_From_Last_Snapshot/readme.md)).", - "postDeployment": [ - "Authorize all connections." - ], - "lastUpdateTime": "2023-01-13T10:02:00Z", - "entities": [ - "Malware" - ], - "tags": [ - "DataHawk", - "SOAR", - "Cohesity", - "Threat Response" - ], - "releaseNotes": { - "version": "1.0", - "title": "[variables('blanks')]", - "notes": [ - "Initial version" - ] - } - } - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('playbookTemplateSpecName3')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" - }, - "properties": { - "description": "My_Cohesity_Close_Helios_Incident playbook", - "displayName": "My_Cohesity_Close_Helios_Incident playbook" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('playbookTemplateSpecName3'),'/',variables('playbookVersion3'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" - }, - "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName3'))]" - ], - "properties": { - "description": "My_Cohesity_Close_Helios_Incident Playbook 
with template version 2.0.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion3')]", - "parameters": { - "PlaybookName": { - "defaultValue": "My_Cohesity_Close_Helios_Incident", - "type": "String" - } - }, - "variables": { - "MicrosoftSentinelConnectionName": "[[concat('MicrosoftSentinel-', parameters('PlaybookName'))]", - "KeyvaultConnectionName": "[[concat('Keyvault-', parameters('PlaybookName'))]", - "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", - "_connection-2": "[[variables('connection-2')]", - "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Keyvault')]", - "_connection-3": "[[variables('connection-3')]", - "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", - "workspace-name": "[parameters('workspace')]", - "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" - }, - "resources": [ - { - "type": "Microsoft.Logic/workflows", - "apiVersion": "2017-07-01", - "name": "[[parameters('PlaybookName')]", - "location": "[[variables('workspace-location-inline')]", - "dependsOn": [ - "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", - "[[resourceId('Microsoft.Web/connections', variables('KeyvaultConnectionName'))]" - ], - "tags": { - "hidden-SentinelTemplateName": "Cohesity_Close_Helios_Incident", - "hidden-SentinelTemplateVersion": "1.0", - "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" - }, - "identity": { - "type": "SystemAssigned" - }, - "properties": { + }, + { + "properties": { "provisioningState": "Succeeded", "state": "Enabled", "definition": { - 
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "$connections": { - "type": "Object" - } - }, - "triggers": { - "Microsoft_Sentinel_incident": { - "type": "ApiConnectionWebhook", - "inputs": { - "body": { - "callback_url": "@{listCallbackUrl()}" + "$schema": "https://schema.@{variables('azureManagementUrl')}/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "path": "/incident-creation" - } - } - }, - "actions": { - "Get_secret": { - "runAfter": { - "Initialize_HelioID": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['keyvault']['connectionId']" - } - }, - "method": "get", - "path": "/secrets/@{encodeURIComponent('ApiKey')}/value" - } - }, - "HTTP": { - "runAfter": { - "Get_secret": [ - "Succeeded" - ] - }, - "type": "Http", - "inputs": { - "body": { - "status": "kSuppressed" - }, - "headers": { - "Content-Type": "application/json", - "apiKey": "@body('Get_secret')?['value']" - }, - "method": "Patch", - "uri": "https://helios.cohesity.com/mcm/alerts/@{variables('helioID')}" - } - }, - "Initialize_Description": { - "type": "InitializeVariable", - "inputs": { - "variables": [ - { - "name": "description", - "type": "string", - "value": "@triggerBody()?['object']?['properties']?['description']" - } - ] - } - }, - "Initialize_HelioID": { - "runAfter": { - "Initialize_Description": [ - "Succeeded" - ] - }, - "type": "InitializeVariable", - "inputs": { - "variables": [ - { - "name": "helioID", - "type": "string", - "value": "@{split(variables('description'), 'Helios ID: ')[1]}" - } - ] - } - } - } - }, - "parameters": { - "$connections": { - 
"value": { - "azuresentinel": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", - "connectionName": "[[variables('MicrosoftSentinelConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", - "connectionProperties": { - "authentication": { - "type": "ManagedServiceIdentity" - } + "EmailID": { + "defaultValue": "[parameters('EmailID')]", + "type": "string" } - }, - "keyvault": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('KeyvaultConnectionName'))]", - "connectionName": "[[variables('KeyvaultConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Keyvault')]", - "connectionProperties": { - "authentication": { - "type": "ManagedServiceIdentity" - } + }, + "triggers": { + "Microsoft_Sentinel_incident": { + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "path": "/incident-creation" + } } - } - } - } - } - } - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('MicrosoftSentinelConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[variables('MicrosoftSentinelConnectionName')]", - "parameterValueType": "Alternative", - "api": { - "id": "[[variables('_connection-2')]" - } - } - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('KeyvaultConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "api": { - "id": 
"[[variables('_connection-3')]", - "type": "Microsoft.Web/locations/managedApis" - }, - "parameterValueType": "Alternative", - "alternativeParameterValues": { - "vaultName": "[[concat('cohesitypro', uniqueString(resourceGroup().id))]" - }, - "nonSecretParameterValues": { - "vaultName": "[[concat('cohesitypro', uniqueString(resourceGroup().id))]" - }, - "displayName": "[[variables('KeyvaultConnectionName')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId3'),'/'))))]", - "properties": { - "parentId": "[variables('playbookId3')]", - "contentId": "[variables('_playbookContentId3')]", - "kind": "Playbook", - "version": "[variables('playbookVersion3')]", - "source": { - "kind": "Solution", - "name": "CohesitySecurity", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Cohesity", - "email": "[variables('_email')]" - }, - "support": { - "tier": "Partner", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.cohesity.com" - } - } - } - ], - "metadata": { - "title": "Close Cohesity Helios Incident", - "description": "This playbook closes the corresponding Cohesity DataHawk (Helios) ticket.", - "prerequisites": "Deploy the Cohesity configuration and function apps (see details [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CohesitySecurity/Playbooks/Cohesity_Close_Helios_Incident/readme.md)).", - "postDeployment": [ - "Grant KeyVault permissions to your playbook." 
- ], - "lastUpdateTime": "2023-01-13T10:02:00Z", - "entities": [ - "Malware" - ], - "tags": [ - "DataHawk", - "SOAR", - "Cohesity", - "Threat Response" - ], - "releaseNotes": { - "version": "1.0", - "title": "[variables('blanks')]", - "notes": [ - "Initial version" - ] - } - } - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('playbookTemplateSpecName4')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" - }, - "properties": { - "description": "My_Cohesity_CreateOrUpdate_ServiceNow_Incident playbook", - "displayName": "My_Cohesity_CreateOrUpdate_ServiceNow_Incident playbook" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('playbookTemplateSpecName4'),'/',variables('playbookVersion4'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" - }, - "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName4'))]" - ], - "properties": { - "description": "My_Cohesity_CreateOrUpdate_ServiceNow_Incident Playbook with template version 2.0.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion4')]", - "parameters": { - "PlaybookName": { - "defaultValue": "My_Cohesity_CreateOrUpdate_ServiceNow_Incident", - "type": "string" - } - }, - "variables": { - "MicrosoftsentinelConnectionName": "[[concat('Microsoftsentinel-', parameters('PlaybookName'))]", - "ServiceNowConnectionName": "[[concat('Service-Now-', parameters('PlaybookName'))]", - "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", - "_connection-2": "[[variables('connection-2')]", - "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Service-Now')]", - "_connection-3": "[[variables('connection-3')]", - "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", - "workspace-name": "[parameters('workspace')]", - "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" - }, - "resources": [ - { - "properties": { - "provisioningState": "Succeeded", - "state": "Enabled", - "definition": { - "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "$connections": { - "type": "Object" - } - }, - "triggers": { - "Microsoft_Sentinel_incident": { - "type": "ApiConnectionWebhook", - "inputs": { - "body": { - "callback_url": "@{listCallbackUrl()}" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" - } - }, - "path": "/incident-creation" - } - } - }, - "actions": { - "Condition_-_create_or_update_incident": { - "actions": { - "Create_Record": { - "runAfter": { - "Switch": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "body": { - "comments": "Link to Microsoft Sentinel Incident: [code]Incident_URL[/code] ", - "description": "Incident description: @{triggerBody()?['object']?['properties']?['description']};\nSeverity: @{triggerBody()?['object']?['properties']?['severity']};\nAlerts: @{join(triggerBody()?['object']?['properties']?['additionalData']?['alertProductNames'],'; ')};", - "impact": "@variables('Creation severity')", - "number": "@triggerBody()?['object']?['name']", - "short_description": 
"@triggerBody()?['object']?['properties']?['title']", - "urgency": "@variables('Creation severity')" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['service-now_1']['connectionId']" - } - }, - "method": "post", - "path": "/api/now/v2/table/@{encodeURIComponent('incident')}", - "queries": { - "sysparm_display_value": true, - "sysparm_exclude_reference_link": false + }, + "actions": { + "Initialize_variable": { + "type": "InitializeVariable", + "inputs": { + "variables": [{ + "name": "EmailBody", + "type": "string" + }] } - } }, - "Switch": { - "cases": { - "Case_Severity_High": { - "case": "High", - "actions": { - "Set_Severity_variable_to_High": { - "type": "SetVariable", - "inputs": { - "name": "Creation severity", - "value": "1" - } - } - } - }, - "Case_Severity_Medium": { - "case": "Medium", - "actions": { - "Set_Severity_variable_to_Medium": { - "type": "SetVariable", - "inputs": { - "name": "Creation severity", - "value": "2" - } - } - } - } - }, - "expression": "@triggerBody()?['object']?['properties']?['severity']", - "type": "Switch" - }, - "Update_incident": { - "runAfter": { - "Create_Record": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "tagsToAdd": { - "TagsToAdd": [ - { - "Tag": "SNOW System ID: @{body('Create_Record')?['result']?['sys_id']}" - } + "Send_email_(V2)": { + "runAfter": { + "Set_variable_2": [ + "Succeeded" ] - } }, - "host": { - "connection": { - "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" - } + "type": "ApiConnection", + "inputs": { + "body": { + "Body": "

@{variables('EmailBody')}

", + "Importance": "Normal", + "Subject": "Cohesity Alert", + "To": "@parameters('EmailID')" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['outlook']['connectionId']" + } + }, + "method": "post", + "path": "/v2/Mail" + } + }, + "Set_variable_2": { + "runAfter": { + "Initialize_variable": [ + "Succeeded" + ] }, - "method": "put", - "path": "/Incidents" - } + "type": "SetVariable", + "inputs": { + "name": "EmailBody", + "value": "

Hello SecurityTeam,

You have a Cohesity incident from Microsoft Sentinel. Below is information:

Please review and update incident accordingly.

Cohesity Team

" + } } - }, - "runAfter": { - "Initialize_variable_-_creation_severity": [ - "Succeeded" - ] - }, - "else": { - "actions": { - "For_each": { - "foreach": "@triggerBody()?['object']?['properties']?['labels']", + } + }, + "parameters": { + "$connections": { + "value": { + "azuresentinel": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('playbook1-MicrosoftSentinelConnectionName'))]", + "connectionName": "[variables('playbook1-MicrosoftSentinelConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/Azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + }, + "outlook": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('playbook1-OutlookConnectionName'))]", + "connectionName": "[variables('playbook1-OutlookConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/Outlook')]" + } + } + } + } + }, + "name": "[parameters('playbook1-PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[parameters('workspace-location')]", + "tags": { + "hidden-SentinelTemplateName": "My_Cohesity_Send_Incident_Email", + "hidden-SentinelTemplateVersion": "1.0" + }, + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2019-05-01", + "dependsOn": [ + "[resourceId('Microsoft.Web/connections', variables('playbook1-MicrosoftSentinelConnectionName'))]", + "[resourceId('Microsoft.Web/connections', variables('playbook1-OutlookConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('playbook1-MicrosoftSentinelConnectionName')]", + "location": "[parameters('workspace-location')]", + "kind": "V1", + "properties": { + "displayName": 
"[variables('playbook1-MicrosoftSentinelConnectionName')]", + "parameterValueType": "Alternative", + "api": { + "id": "[variables('_playbook-1-connection-2')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('playbook1-OutlookConnectionName')]", + "location": "[parameters('workspace-location')]", + "kind": "V1", + "properties": { + "displayName": "[variables('playbook1-OutlookConnectionName')]", + "api": { + "id": "[variables('_playbook-1-connection-3')]" + } + } + }, + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2019-05-01", + "name": "[parameters('playbook2-PlaybookName')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[resourceId('Microsoft.Web/connections', variables('playbook2-AzureblobConnectionName'))]", + "[resourceId('Microsoft.Web/connections', variables('playbook2-MicrosoftSentinelConnectionName'))]", + "[resourceId('Microsoft.Web/connections', variables('playbook2-KeyvaultConnectionName'))]" + ], + "tags": { + "hidden-SentinelTemplateName": "Cohesity_Restore_From_Last_Snapshot", + "hidden-SentinelTemplateVersion": "1.0" + }, + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.@{variables('azureManagementUrl')}/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + } + }, + "triggers": { + "Microsoft_Sentinel_incident": { + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "path": "/incident-creation" + } + } + }, + "actions": { + "Get_cid_from_blob_content": { + "runAfter": { + "Get_jobId_from_blob_content": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + 
"inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azureblob']['connectionId']" + } + }, + "method": "get", + "path": "/v2/datasets/@{encodeURIComponent(encodeURIComponent('AccountNameFromSettings'))}/GetFileContentByPath", + "queries": { + "inferContentType": true, + "path": "/cohesity-extra-parameters/@{variables('helioID')}/cid", + "queryParametersSingleEncoded": true + } + } + }, + "Get_entityId_from_blob_content": { + "runAfter": { + "Get_jobInstanceId_from_blob_content": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azureblob']['connectionId']" + } + }, + "method": "get", + "path": "/v2/datasets/@{encodeURIComponent(encodeURIComponent('AccountNameFromSettings'))}/GetFileContentByPath", + "queries": { + "inferContentType": true, + "path": "/cohesity-extra-parameters/@{variables('helioID')}/entityId", + "queryParametersSingleEncoded": true + } + } + }, + "Get_jobId_from_blob_content": { + "runAfter": { + "Initialize_HelioID": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azureblob']['connectionId']" + } + }, + "method": "get", + "path": "/v2/datasets/@{encodeURIComponent(encodeURIComponent('AccountNameFromSettings'))}/GetFileContentByPath", + "queries": { + "inferContentType": true, + "path": "/cohesity-extra-parameters/@{variables('helioID')}/jobId", + "queryParametersSingleEncoded": true + } + } + }, + "Get_jobInstanceId_from_blob_content": { + "runAfter": { + "Get_jobStartTimeUsecs_from_blob_content": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azureblob']['connectionId']" + } + }, + "method": "get", + "path": "/v2/datasets/@{encodeURIComponent(encodeURIComponent('AccountNameFromSettings'))}/GetFileContentByPath", + "queries": { + "inferContentType": true, + 
"path": "/cohesity-extra-parameters/@{variables('helioID')}/jobInstanceId", + "queryParametersSingleEncoded": true + } + } + }, + "Get_jobStartTimeUsecs_from_blob_content": { + "runAfter": { + "Get_cid_from_blob_content": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azureblob']['connectionId']" + } + }, + "method": "get", + "path": "/v2/datasets/@{encodeURIComponent(encodeURIComponent('AccountNameFromSettings'))}/GetFileContentByPath", + "queries": { + "inferContentType": true, + "path": "/cohesity-extra-parameters/@{variables('helioID')}/jobStartTimeUsecs", + "queryParametersSingleEncoded": true + } + } + }, + "Get_object_from_blob_content": { + "runAfter": { + "Get_entityId_from_blob_content": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azureblob']['connectionId']" + } + }, + "method": "get", + "path": "/v2/datasets/@{encodeURIComponent(encodeURIComponent('AccountNameFromSettings'))}/GetFileContentByPath", + "queries": { + "inferContentType": true, + "path": "/cohesity-extra-parameters/@{variables('helioID')}/object", + "queryParametersSingleEncoded": true + } + } + }, + "Get_secret": { + "runAfter": { + "Get_object_from_blob_content": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['keyvault']['connectionId']" + } + }, + "method": "get", + "path": "/secrets/@{encodeURIComponent('ApiKey')}/value" + } + }, + "HTTP": { + "runAfter": { + "Get_secret": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "body": { + "name": "Sentinel_triggered_restore_task_@{body('Get_object_from_blob_content')}", + "objects": [{ + "jobId": "@int(string(body('Get_jobId_from_blob_content')))", + "jobRunId": "@int(string(body('Get_jobInstanceId_from_blob_content')))", + "protectionSourceId": 
"@int(string(body('Get_entityId_from_blob_content')))", + "sourceName": "@{body('Get_object_from_blob_content')}", + "startedTimeUsecs": "@int(string(body('Get_jobStartTimeUsecs_from_blob_content')))" + }], + "type": "kRecoverVMs", + "vmwareParameters": { + "powerOffAndRenameExistingVm": true, + "poweredOn": true, + "prefix": "Recover-", + "recoveryProcessType": "kCopyRecovery", + "suffix": "-VM" + } + }, + "headers": { + "Content-Type": "application/json", + "apiKey": "@body('Get_secret')?['value']", + "clusterid": "@{body('Get_cid_from_blob_content')}" + }, + "method": "POST", + "uri": "https://helios.cohesity.com/irisservices/api/v1/public/restore/recover" + } + }, + "Initialize_Description": { + "type": "InitializeVariable", + "inputs": { + "variables": [{ + "name": "description", + "type": "string", + "value": "@triggerBody()?['object']?['properties']?['description']" + }] + } + }, + "Initialize_HelioID": { + "runAfter": { + "Initialize_Description": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [{ + "name": "helioID", + "type": "string", + "value": "@{split(variables('description'), 'Helios ID: ')[1]}" + }] + } + } + } + }, + "parameters": { + "$connections": { + "value": { + "azureblob": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('playbook2-AzureblobConnectionName'))]", + "connectionName": "[variables('playbook2-AzureblobConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/Azureblob')]" + }, + "azuresentinel": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('playbook2-MicrosoftSentinelConnectionName'))]", + "connectionName": "[variables('playbook2-MicrosoftSentinelConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), 
'/managedApis/Azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + }, + "keyvault": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('playbook2-KeyvaultConnectionName'))]", + "connectionName": "[variables('playbook2-KeyvaultConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/Keyvault')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + } + } + } + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('playbook2-AzureblobConnectionName')]", + "location": "[parameters('workspace-location')]", + "kind": "V1", + "properties": { + "displayName": "[variables('playbook2-AzureblobConnectionName')]", + "api": { + "id": "[variables('_playbook-2-connection-2')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('playbook2-MicrosoftSentinelConnectionName')]", + "location": "[parameters('workspace-location')]", + "kind": "V1", + "properties": { + "displayName": "[variables('playbook2-MicrosoftSentinelConnectionName')]", + "parameterValueType": "Alternative", + "api": { + "id": "[variables('_playbook-1-connection-2')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('playbook2-KeyvaultConnectionName')]", + "location": "[parameters('workspace-location')]", + "kind": "V1", + "properties": { + "displayName": "[variables('playbook2-KeyvaultConnectionName')]", + "api": { + "id": "[variables('_playbook-2-connection-4')]" + }, + "parameterValueType": "Alternative", + "alternativeParameterValues": { + "vaultName": "[concat('cohesitypro', uniqueString(resourceGroup().id))]" + }, + "nonSecretParameterValues": { + "vaultName": "[concat('cohesitypro', 
uniqueString(resourceGroup().id))]" + } + } + }, + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2017-07-01", + "name": "[parameters('playbook3-PlaybookName')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[resourceId('Microsoft.Web/connections', variables('playbook3-MicrosoftSentinelConnectionName'))]", + "[resourceId('Microsoft.Web/connections', variables('playbook3-KeyvaultConnectionName'))]" + ], + "tags": { + "hidden-SentinelTemplateName": "Cohesity_Close_Helios_Incident", + "hidden-SentinelTemplateVersion": "1.0" + }, + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.@{variables('azureManagementUrl')}/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + } + }, + "triggers": { + "Microsoft_Sentinel_incident": { + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "path": "/incident-creation" + } + } + }, + "actions": { + "Get_secret": { + "runAfter": { + "Initialize_HelioID": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['keyvault']['connectionId']" + } + }, + "method": "get", + "path": "/secrets/@{encodeURIComponent('ApiKey')}/value" + } + }, + "HTTP": { + "runAfter": { + "Get_secret": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "body": { + "status": "kSuppressed" + }, + "headers": { + "Content-Type": "application/json", + "apiKey": "@body('Get_secret')?['value']" + }, + "method": "Patch", + "uri": "https://helios.cohesity.com/mcm/alerts/@{variables('helioID')}" + } + }, + "Initialize_Description": { + "type": 
"InitializeVariable", + "inputs": { + "variables": [{ + "name": "description", + "type": "string", + "value": "@triggerBody()?['object']?['properties']?['description']" + }] + } + }, + "Initialize_HelioID": { + "runAfter": { + "Initialize_Description": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [{ + "name": "helioID", + "type": "string", + "value": "@{split(variables('description'), 'Helios ID: ')[1]}" + }] + } + } + } + }, + "parameters": { + "$connections": { + "value": { + "azuresentinel": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('playbook3-MicrosoftSentinelConnectionName'))]", + "connectionName": "[variables('playbook3-MicrosoftSentinelConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/Azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + }, + "keyvault": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('playbook3-KeyvaultConnectionName'))]", + "connectionName": "[variables('playbook3-KeyvaultConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/Keyvault')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + } + } + } + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('playbook3-MicrosoftSentinelConnectionName')]", + "location": "[parameters('workspace-location')]", + "kind": "V1", + "properties": { + "displayName": "[variables('playbook3-MicrosoftSentinelConnectionName')]", + "parameterValueType": "Alternative", + "api": { + "id": "[variables('_playbook-1-connection-2')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": 
"[variables('playbook3-KeyvaultConnectionName')]", + "location": "[parameters('workspace-location')]", + "kind": "V1", + "properties": { + "api": { + "id": "[variables('_playbook-2-connection-4')]", + "type": "Microsoft.Web/locations/managedApis" + }, + "parameterValueType": "Alternative", + "alternativeParameterValues": { + "vaultName": "[concat('cohesitypro', uniqueString(resourceGroup().id))]" + }, + "nonSecretParameterValues": { + "vaultName": "[concat('cohesitypro', uniqueString(resourceGroup().id))]" + }, + "displayName": "[variables('playbook3-KeyvaultConnectionName')]" + } + }, + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.@{variables('azureManagementUrl')}/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + } + }, + "triggers": { + "Microsoft_Sentinel_incident": { + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" + } + }, + "path": "/incident-creation" + } + } + }, + "actions": { + "Condition_-_create_or_update_incident": { "actions": { - "Condition": { - "actions": { - "Condition_-_is_incident_closed": { - "actions": { - "Update_Record_-_Incident_closed": { - "type": "ApiConnection", - "inputs": { - "body": { - "caller_id": "@triggerBody()?['incidentUpdates']?['updatedBy']?['name']", - "close_code": "Resolved by Caller", - "close_notes": "Classification: @{triggerBody()?['object']?['properties']?['classification']}\nClassification reason: @{triggerBody()?['object']?['properties']?['classificationReason']}\nClassification comment: @{triggerBody()?['object']?['properties']?['classificationComment']}", - "state": "7" - }, - "host": { - "connection": { - "name": 
"@parameters('$connections')['service-now_1']['connectionId']" - } - }, - "method": "put", - "path": "/api/now/v2/table/@{encodeURIComponent('incident')}/@{encodeURIComponent(variables('SNOW System ID'))}", - "queries": { - "sysparm_display_value": false, - "sysparm_exclude_reference_link": true - } - } - } - }, + "Create_Record": { "runAfter": { - "Set_variable_-_SNOW_System_ID": [ - "Succeeded" - ] + "Switch": [ + "Succeeded" + ] }, - "else": { - "actions": { - "Condition_-_alert_updated": { - "actions": { - "Compose_alert": { - "runAfter": { - "For_each_-_new_alert": [ - "Succeeded" - ] - }, - "type": "Compose", - "inputs": "Alerts: @{variables('New alert')}" - }, - "For_each_-_new_alert": { - "foreach": "@triggerBody()?['incidentUpdates']?['alerts']", - "actions": { - "Append_to_string_variable_-_alert": { - "type": "AppendToStringVariable", - "inputs": { - "name": "New alert", - "value": "@concat(items('For_each_-_new_alert')?['properties']?['alertDisplayName'], '; ')" - } - } - }, - "type": "Foreach" - } - }, - "runAfter": { - "Condition_-_comment_updated": [ - "Succeeded" - ] - }, - "expression": { - "and": [ - { - "contains": [ - "@triggerBody()?['incidentUpdates']?['updatedFields']", - "Alerts" - ] - } - ] - }, - "type": "If" - }, - "Condition_-_comment_updated": { - "actions": { - "Compose_comment": { - "runAfter": { - "For_each_-_new_comment": [ - "Succeeded" - ] - }, - "type": "Compose", - "inputs": "Comment: @{variables('New comments')}" - }, - "For_each_-_new_comment": { - "foreach": "@triggerBody()?['incidentUpdates']?['comments']", - "actions": { - "Append_to_string_variable_-_comment": { - "type": "AppendToStringVariable", - "inputs": { - "name": "New comments", - "value": "@concat(items('For_each_-_new_comment')?['properties']?['message'], '; ')" - } - } - }, - "type": "Foreach" - } - }, - "expression": { - "and": [ - { - "contains": [ - "@triggerBody()?['incidentUpdates']?['updatedFields']", - "Comments" - ] - } - ] - }, - "type": "If" - }, - 
"Condition_-_owner_update": { - "actions": { - "Append_to_string_variable_-_owner": { - "type": "AppendToStringVariable", - "inputs": { - "name": "New owner", - "value": "@triggerBody()?['object']?['properties']?['owner']?['assignedTo']" - } - }, - "Compose_owner": { - "runAfter": { - "Append_to_string_variable_-_owner": [ - "Succeeded" - ] - }, - "type": "Compose", - "inputs": "Owner: @{variables('New owner')}" - } - }, - "runAfter": { - "Condition_-_tag_updated": [ - "Succeeded" - ] - }, - "expression": { - "and": [ - { - "contains": [ - "@triggerBody()?['incidentUpdates']?['updatedFields']", - "Owner" - ] - } - ] - }, - "type": "If" - }, - "Condition_-_severity_update": { - "actions": { - "Append_to_string_variable_-_severity": { - "type": "AppendToStringVariable", - "inputs": { - "name": "New severity", - "value": "@triggerBody()?['object']?['properties']?['severity']" - } - }, - "Compose_severity": { - "runAfter": { - "Append_to_string_variable_-_severity": [ - "Succeeded" - ] - }, - "type": "Compose", - "inputs": "Severity: @{variables('New severity')}" - } - }, - "runAfter": { - "Condition_-_owner_update": [ - "Succeeded" - ] - }, - "expression": { - "and": [ - { - "contains": [ - "@triggerBody()?['incidentUpdates']?['updatedFields']", - "Severity" - ] - } - ] - }, - "type": "If" - }, - "Condition_-_status_update": { - "actions": { - "Append_to_string_variable_-_status": { - "type": "AppendToStringVariable", - "inputs": { - "name": "New status", - "value": "@triggerBody()?['object']?['properties']?['status']" - } - }, - "Compose_status": { - "runAfter": { - "Append_to_string_variable_-_status": [ - "Succeeded" - ] - }, - "type": "Compose", - "inputs": "Status: @{variables('New status')}" - } - }, - "runAfter": { - "Condition_-_tactics_update": [ - "Succeeded" - ] - }, - "expression": { - "and": [ - { - "contains": [ - "@triggerBody()?['incidentUpdates']?['updatedFields']", - "Status" - ] - } - ] - }, - "type": "If" - }, - "Condition_-_tactics_update": { - 
"actions": { - "Compose_tactics": { - "type": "Compose", - "inputs": "Tactics: @{join(triggerBody()?['incidentUpdates']?['tactics'], '; ')}" - } - }, - "runAfter": { - "Condition_-_severity_update": [ - "Succeeded" - ] - }, - "expression": { - "and": [ - { - "contains": [ - "@triggerBody()?['incidentUpdates']?['updatedFields']", - "Tactics" - ] - } - ] - }, - "type": "If" - }, - "Condition_-_tag_updated": { - "actions": { - "Compose_tag": { - "runAfter": { - "For_each_-_new_tag": [ - "Succeeded" - ] - }, - "type": "Compose", - "inputs": "Tags: @{variables('New tag')}" - }, - "For_each_-_new_tag": { - "foreach": "@triggerBody()?['incidentUpdates']?['labels']", - "actions": { - "Append_to_string_variable_-_tag": { - "type": "AppendToStringVariable", - "inputs": { - "name": "New tag", - "value": "@concat(items('For_each_-_new_tag')?['labelName'], '; ')" - } - } - }, - "type": "Foreach" - } - }, - "runAfter": { - "Condition_-_alert_updated": [ - "Succeeded" - ] - }, - "expression": { - "and": [ - { - "contains": [ - "@triggerBody()?['incidentUpdates']?['updatedFields']", - "Labels" - ] - } - ] - }, - "type": "If" - }, - "Update_Record_-_incident_not_closed": { - "runAfter": { - "Condition_-_status_update": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "body": { - "comments": "Microsoft Sentinel incident is updated:\n\nUpdate fields: @{join(triggerBody()?['incidentUpdates']?['updatedFields'], '; ')}\nUpdate by: @{triggerBody()?['incidentUpdates']?['updatedBy']?['name']}\n\nNew values:\n@{outputs('Compose_alert')}\n@{outputs('Compose_severity')}\n@{outputs('Compose_owner')}\n@{outputs('Compose_status')}\n@{outputs('Compose_tag')}\n@{outputs('Compose_comment')}\n@{outputs('Compose_tactics')}" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['service-now_1']['connectionId']" - } - }, - "method": "put", - "path": "/api/now/v2/table/@{encodeURIComponent('incident')}/@{encodeURIComponent(variables('SNOW System ID'))}", - 
"queries": { - "sysparm_display_value": false, - "sysparm_exclude_reference_link": true - } - } - } - } - }, - "expression": { - "and": [ - { - "equals": [ - "@triggerBody()?['object']?['properties']?['status']", - "Closed" - ] - } - ] - }, - "type": "If" - }, - "Set_variable_-_SNOW_System_ID": { - "type": "SetVariable", + "type": "ApiConnection", "inputs": { - "name": "SNOW System ID", - "value": "@{split(items('For_each')?['labelName'],': ')[1]}" + "body": { + "comments": "Link to Microsoft Sentinel Incident: [code]Incident_URL[/code] ", + "description": "Incident description: @{triggerBody()?['object']?['properties']?['description']}; Severity: @{triggerBody()?['object']?['properties']?['severity']}; Alerts: @{join(triggerBody()?['object']?['properties']?['additionalData']?['alertProductNames'],'; ')};", + "impact": "@variables('Creation severity')", + "number": "@triggerBody()?['object']?['name']", + "short_description": "@triggerBody()?['object']?['properties']?['title']", + "urgency": "@variables('Creation severity')" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['service-now_1']['connectionId']" + } + }, + "method": "post", + "path": "/api/now/v2/table/@{encodeURIComponent('incident')}", + "queries": { + "sysparm_display_value": true, + "sysparm_exclude_reference_link": false + } } - } }, - "expression": { - "and": [ - { - "contains": [ - "@items('For_each')?['labelName']", - "SNOW" - ] + "Switch": { + "cases": { + "Case_Severity_High": { + "case": "High", + "actions": { + "Set_Severity_variable_to_High": { + "type": "SetVariable", + "inputs": { + "name": "Creation severity", + "value": "1" + } + } + } + }, + "Case_Severity_Medium": { + "case": "Medium", + "actions": { + "Set_Severity_variable_to_Medium": { + "type": "SetVariable", + "inputs": { + "name": "Creation severity", + "value": "2" + } + } + } + } + }, + "expression": "@triggerBody()?['object']?['properties']?['severity']", + "type": "Switch" + }, + "Update_incident": { + 
"runAfter": { + "Create_Record": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "tagsToAdd": { + "TagsToAdd": [{ + "Tag": "SNOW System ID: @{body('Create_Record')?['result']?['sys_id']}" + }] + } + }, + "host": { + "connection": { + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" + } + }, + "method": "put", + "path": "/Incidents" } - ] + } + }, + "runAfter": { + "Initialize_variable_-_creation_severity": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "For_each": { + "foreach": "@triggerBody()?['object']?['properties']?['labels']", + "actions": { + "Condition": { + "actions": { + "Condition_-_is_incident_closed": { + "actions": { + "Update_Record_-_Incident_closed": { + "type": "ApiConnection", + "inputs": { + "body": { + "caller_id": "@triggerBody()?['incidentUpdates']?['updatedBy']?['name']", + "close_code": "Resolved by Caller", + "close_notes": "Classification: @{triggerBody()?['object']?['properties']?['classification']} Classification reason: @{triggerBody()?['object']?['properties']?['classificationReason']} Classification comment: @{triggerBody()?['object']?['properties']?['classificationComment']}", + "state": "7" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['service-now_1']['connectionId']" + } + }, + "method": "put", + "path": "/api/now/v2/table/@{encodeURIComponent('incident')}/@{encodeURIComponent(variables('SNOW System ID'))}", + "queries": { + "sysparm_display_value": false, + "sysparm_exclude_reference_link": true + } + } + } + }, + "runAfter": { + "Set_variable_-_SNOW_System_ID": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Condition_-_alert_updated": { + "actions": { + "Compose_alert": { + "runAfter": { + "For_each_-_new_alert": [ + "Succeeded" + ] + }, + "type": "Compose", + "inputs": "Alerts: @{variables('New alert')}" + }, + "For_each_-_new_alert": { + "foreach": 
"@triggerBody()?['incidentUpdates']?['alerts']", + "actions": { + "Append_to_string_variable_-_alert": { + "type": "AppendToStringVariable", + "inputs": { + "name": "New alert", + "value": "@concat(items('For_each_-_new_alert')?['properties']?['alertDisplayName'], '; ')" + } + } + }, + "type": "Foreach" + } + }, + "runAfter": { + "Condition_-_comment_updated": [ + "Succeeded" + ] + }, + "expression": { + "and": [{ + "contains": [ + "@triggerBody()?['incidentUpdates']?['updatedFields']", + "Alerts" + ] + }] + }, + "type": "If" + }, + "Condition_-_comment_updated": { + "actions": { + "Compose_comment": { + "runAfter": { + "For_each_-_new_comment": [ + "Succeeded" + ] + }, + "type": "Compose", + "inputs": "Comment: @{variables('New comments')}" + }, + "For_each_-_new_comment": { + "foreach": "@triggerBody()?['incidentUpdates']?['comments']", + "actions": { + "Append_to_string_variable_-_comment": { + "type": "AppendToStringVariable", + "inputs": { + "name": "New comments", + "value": "@concat(items('For_each_-_new_comment')?['properties']?['message'], '; ')" + } + } + }, + "type": "Foreach" + } + }, + "expression": { + "and": [{ + "contains": [ + "@triggerBody()?['incidentUpdates']?['updatedFields']", + "Comments" + ] + }] + }, + "type": "If" + }, + "Condition_-_owner_update": { + "actions": { + "Append_to_string_variable_-_owner": { + "type": "AppendToStringVariable", + "inputs": { + "name": "New owner", + "value": "@triggerBody()?['object']?['properties']?['owner']?['assignedTo']" + } + }, + "Compose_owner": { + "runAfter": { + "Append_to_string_variable_-_owner": [ + "Succeeded" + ] + }, + "type": "Compose", + "inputs": "Owner: @{variables('New owner')}" + } + }, + "runAfter": { + "Condition_-_tag_updated": [ + "Succeeded" + ] + }, + "expression": { + "and": [{ + "contains": [ + "@triggerBody()?['incidentUpdates']?['updatedFields']", + "Owner" + ] + }] + }, + "type": "If" + }, + "Condition_-_severity_update": { + "actions": { + 
"Append_to_string_variable_-_severity": { + "type": "AppendToStringVariable", + "inputs": { + "name": "New severity", + "value": "@triggerBody()?['object']?['properties']?['severity']" + } + }, + "Compose_severity": { + "runAfter": { + "Append_to_string_variable_-_severity": [ + "Succeeded" + ] + }, + "type": "Compose", + "inputs": "Severity: @{variables('New severity')}" + } + }, + "runAfter": { + "Condition_-_owner_update": [ + "Succeeded" + ] + }, + "expression": { + "and": [{ + "contains": [ + "@triggerBody()?['incidentUpdates']?['updatedFields']", + "Severity" + ] + }] + }, + "type": "If" + }, + "Condition_-_status_update": { + "actions": { + "Append_to_string_variable_-_status": { + "type": "AppendToStringVariable", + "inputs": { + "name": "New status", + "value": "@triggerBody()?['object']?['properties']?['status']" + } + }, + "Compose_status": { + "runAfter": { + "Append_to_string_variable_-_status": [ + "Succeeded" + ] + }, + "type": "Compose", + "inputs": "Status: @{variables('New status')}" + } + }, + "runAfter": { + "Condition_-_tactics_update": [ + "Succeeded" + ] + }, + "expression": { + "and": [{ + "contains": [ + "@triggerBody()?['incidentUpdates']?['updatedFields']", + "Status" + ] + }] + }, + "type": "If" + }, + "Condition_-_tactics_update": { + "actions": { + "Compose_tactics": { + "type": "Compose", + "inputs": "Tactics: @{join(triggerBody()?['incidentUpdates']?['tactics'], '; ')}" + } + }, + "runAfter": { + "Condition_-_severity_update": [ + "Succeeded" + ] + }, + "expression": { + "and": [{ + "contains": [ + "@triggerBody()?['incidentUpdates']?['updatedFields']", + "Tactics" + ] + }] + }, + "type": "If" + }, + "Condition_-_tag_updated": { + "actions": { + "Compose_tag": { + "runAfter": { + "For_each_-_new_tag": [ + "Succeeded" + ] + }, + "type": "Compose", + "inputs": "Tags: @{variables('New tag')}" + }, + "For_each_-_new_tag": { + "foreach": "@triggerBody()?['incidentUpdates']?['labels']", + "actions": { + "Append_to_string_variable_-_tag": { 
+ "type": "AppendToStringVariable", + "inputs": { + "name": "New tag", + "value": "@concat(items('For_each_-_new_tag')?['labelName'], '; ')" + } + } + }, + "type": "Foreach" + } + }, + "runAfter": { + "Condition_-_alert_updated": [ + "Succeeded" + ] + }, + "expression": { + "and": [{ + "contains": [ + "@triggerBody()?['incidentUpdates']?['updatedFields']", + "Labels" + ] + }] + }, + "type": "If" + }, + "Update_Record_-_incident_not_closed": { + "runAfter": { + "Condition_-_status_update": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "comments": "Microsoft Sentinel incident is updated: Update fields: @{join(triggerBody()?['incidentUpdates']?['updatedFields'], '; ')} Update by: @{triggerBody()?['incidentUpdates']?['updatedBy']?['name']} New values: @{outputs('Compose_alert')} @{outputs('Compose_severity')} @{outputs('Compose_owner')} @{outputs('Compose_status')} @{outputs('Compose_tag')} @{outputs('Compose_comment')} @{outputs('Compose_tactics')}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['service-now_1']['connectionId']" + } + }, + "method": "put", + "path": "/api/now/v2/table/@{encodeURIComponent('incident')}/@{encodeURIComponent(variables('SNOW System ID'))}", + "queries": { + "sysparm_display_value": false, + "sysparm_exclude_reference_link": true + } + } + } + } + }, + "expression": { + "and": [{ + "equals": [ + "@triggerBody()?['object']?['properties']?['status']", + "Closed" + ] + }] + }, + "type": "If" + }, + "Set_variable_-_SNOW_System_ID": { + "type": "SetVariable", + "inputs": { + "name": "SNOW System ID", + "value": "@{split(items('For_each')?['labelName'],': ')[1]}" + } + } + }, + "expression": { + "and": [{ + "contains": [ + "@items('For_each')?['labelName']", + "SNOW" + ] + }] + }, + "type": "If" + } + }, + "type": "Foreach" + } + } + }, + "expression": { + "and": [{ + "equals": [ + "@triggerBody()?['incidentUpdates']?['updatedFields']", + "@null" + ] + }] + }, + "type": "If" + }, + 
"Initialize_variable_-_SNOW_System_ID": { + "type": "InitializeVariable", + "inputs": { + "variables": [{ + "name": "SNOW System ID", + "type": "string" + }] + } + }, + "Initialize_variable_-_alert": { + "runAfter": { + "Initialize_variable_-_comment": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [{ + "name": "New alert", + "type": "string" + }] + } + }, + "Initialize_variable_-_comment": { + "runAfter": { + "Initialize_variable_-_SNOW_System_ID": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [{ + "name": "New comments", + "type": "string" + }] + } + }, + "Initialize_variable_-_creation_severity": { + "runAfter": { + "Initialize_variable_-_status": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [{ + "name": "Creation severity", + "type": "string", + "value": "3" + }] + } + }, + "Initialize_variable_-_owner": { + "runAfter": { + "Initialize_variable_-_tag": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [{ + "name": "New owner", + "type": "string" + }] + } + }, + "Initialize_variable_-_severity": { + "runAfter": { + "Initialize_variable_-_owner": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [{ + "name": "New severity", + "type": "string" + }] + } + }, + "Initialize_variable_-_status": { + "runAfter": { + "Initialize_variable_-_severity": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [{ + "name": "New status", + "type": "string" + }] + } + }, + "Initialize_variable_-_tag": { + "runAfter": { + "Initialize_variable_-_alert": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [{ + "name": "New tag", + "type": "string" + }] + } + } + } + }, + "parameters": { + "$connections": { + "value": { + "microsoftsentinel": { + "connectionId": "[resourceId('Microsoft.Web/connections', 
variables('playbook4-MicrosoftsentinelConnectionName'))]", + "connectionName": "[variables('playbook4-MicrosoftsentinelConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/Azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + }, + "service-now_1": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('playbook4-ServiceNowConnectionName'))]", + "connectionName": "[variables('playbook4-ServiceNowConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/Service-Now')]" + } + } + } + } + }, + "name": "[parameters('playbook4-PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[parameters('workspace-location')]", + "tags": { + "hidden-SentinelTemplateName": "Cohesity_CreateOrUpdate_ServiceNow_Incident", + "hidden-SentinelTemplateVersion": "1.0" + }, + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2019-05-01", + "dependsOn": [ + "[resourceId('Microsoft.Web/connections', variables('playbook4-MicrosoftsentinelConnectionName'))]", + "[resourceId('Microsoft.Web/connections', variables('playbook4-ServiceNowConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('playbook4-MicrosoftsentinelConnectionName')]", + "location": "[parameters('workspace-location')]", + "kind": "V1", + "properties": { + "displayName": "[variables('playbook4-MicrosoftsentinelConnectionName')]", + "parameterValueType": "Alternative", + "api": { + "id": "[variables('_playbook-1-connection-2')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('playbook4-ServiceNowConnectionName')]", + "location": "[parameters('workspace-location')]", + 
"kind": "V1", + "properties": { + "displayName": "[variables('playbook4-ServiceNowConnectionName')]", + "api": { + "id": "[variables('_playbook-4-connection-3')]" + } + } + }, + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.@{variables('azureManagementUrl')}/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + }, + "PlaybookName": { + "type": "string", + "defaultValue": "[parameters('playbook5-PlaybookName')]" + } + }, + "staticResults": { + "Delete_blob_(V2)0": { + "status": "Succeeded", + "outputs": { + "statusCode": "OK" + } + } + }, + "triggers": { + "Microsoft_Sentinel_incident": { + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" }, - "type": "If" - } + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "path": "/incident-creation" + } + } + }, + "actions": { + "For_each": { + "foreach": "@body('Lists_blobs_(V2)')?['value']", + "actions": { + "Delete_blob_(V2)": { + "type": "ApiConnection", + "inputs": { + "headers": { + "SkipDeleteIfFileNotFoundOnServer": false + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azureblob']['connectionId']" + } + }, + "method": "delete", + "path": "/v2/datasets/@{encodeURIComponent(encodeURIComponent('AccountNameFromSettings'))}/files/@{encodeURIComponent(encodeURIComponent(items('For_each')?['Path']))}" + }, + "runtimeConfiguration": { + "staticResult": { + "staticResultOptions": "Disabled", + "name": "Delete_blob_(V2)0" + } + } + } + }, + "runAfter": { + "Lists_blobs_(V2)": [ + "Succeeded" + ] }, "type": "Foreach" - } - } - }, - "expression": { - "and": [ - { - "equals": [ - "@triggerBody()?['incidentUpdates']?['updatedFields']", - "@null" - ] - } - ] - }, - "type": "If" - }, - 
"Initialize_variable_-_SNOW_System_ID": { - "type": "InitializeVariable", - "inputs": { - "variables": [ - { - "name": "SNOW System ID", - "type": "string" - } - ] - } - }, - "Initialize_variable_-_alert": { - "runAfter": { - "Initialize_variable_-_comment": [ - "Succeeded" - ] - }, - "type": "InitializeVariable", - "inputs": { - "variables": [ - { - "name": "New alert", - "type": "string" - } - ] - } - }, - "Initialize_variable_-_comment": { - "runAfter": { - "Initialize_variable_-_SNOW_System_ID": [ - "Succeeded" - ] - }, - "type": "InitializeVariable", - "inputs": { - "variables": [ - { - "name": "New comments", - "type": "string" - } - ] - } - }, - "Initialize_variable_-_creation_severity": { - "runAfter": { - "Initialize_variable_-_status": [ - "Succeeded" - ] - }, - "type": "InitializeVariable", - "inputs": { - "variables": [ - { - "name": "Creation severity", - "type": "string", - "value": "3" - } - ] - } - }, - "Initialize_variable_-_owner": { - "runAfter": { - "Initialize_variable_-_tag": [ - "Succeeded" - ] - }, - "type": "InitializeVariable", - "inputs": { - "variables": [ - { - "name": "New owner", - "type": "string" - } - ] - } - }, - "Initialize_variable_-_severity": { - "runAfter": { - "Initialize_variable_-_owner": [ - "Succeeded" - ] - }, - "type": "InitializeVariable", - "inputs": { - "variables": [ - { - "name": "New severity", - "type": "string" - } - ] - } - }, - "Initialize_variable_-_status": { - "runAfter": { - "Initialize_variable_-_severity": [ - "Succeeded" - ] - }, - "type": "InitializeVariable", - "inputs": { - "variables": [ - { - "name": "New status", - "type": "string" - } - ] - } - }, - "Initialize_variable_-_tag": { - "runAfter": { - "Initialize_variable_-_alert": [ - "Succeeded" - ] - }, - "type": "InitializeVariable", - "inputs": { - "variables": [ - { - "name": "New tag", - "type": "string" - } - ] - } - } - } - }, - "parameters": { - "$connections": { - "value": { - "microsoftsentinel": { - "connectionId": 
"[[resourceId('Microsoft.Web/connections', variables('MicrosoftsentinelConnectionName'))]", - "connectionName": "[[variables('MicrosoftsentinelConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", - "connectionProperties": { - "authentication": { - "type": "ManagedServiceIdentity" - } - } - }, - "service-now_1": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('ServiceNowConnectionName'))]", - "connectionName": "[[variables('ServiceNowConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Service-Now')]" - } - } - } - } - }, - "name": "[[parameters('PlaybookName')]", - "type": "Microsoft.Logic/workflows", - "location": "[[variables('workspace-location-inline')]", - "tags": { - "hidden-SentinelTemplateName": "Cohesity_CreateOrUpdate_ServiceNow_Incident", - "hidden-SentinelTemplateVersion": "1.0", - "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" - }, - "identity": { - "type": "SystemAssigned" - }, - "apiVersion": "2019-05-01", - "dependsOn": [ - "[[resourceId('Microsoft.Web/connections', variables('MicrosoftsentinelConnectionName'))]", - "[[resourceId('Microsoft.Web/connections', variables('ServiceNowConnectionName'))]" - ] - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('MicrosoftsentinelConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[variables('MicrosoftsentinelConnectionName')]", - "parameterValueType": "Alternative", - "api": { - "id": "[[variables('_connection-2')]" - } - } - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('ServiceNowConnectionName')]", - 
"location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[variables('ServiceNowConnectionName')]", - "api": { - "id": "[[variables('_connection-3')]" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId4'),'/'))))]", - "properties": { - "parentId": "[variables('playbookId4')]", - "contentId": "[variables('_playbookContentId4')]", - "kind": "Playbook", - "version": "[variables('playbookVersion4')]", - "source": { - "kind": "Solution", - "name": "CohesitySecurity", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Cohesity", - "email": "[variables('_email')]" - }, - "support": { - "tier": "Partner", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.cohesity.com" - } - } - } - ], - "metadata": { - "title": "Cohesity Create or Update ServiceNow incident", - "description": "This playbook creates and updates the incident in the ServiceNow platform.", - "prerequisites": "Create an account for ServiceNow.", - "postDeployment": [ - "1. Update ServiceNow credentials in the playbook.", - "2. For the playbook to run, there is a need to assign the Microsoft Sentinel Responder role to the playbook's managed identity.", - "3. (Recommendation) You can create an automation rule to close the corresponding ServiceNow ticket when the corresponding Sentinel ticket is closed." 
- ], - "lastUpdateTime": "2022-12-23T10:02:00Z", - "entities": [ - "Malware" - ], - "tags": [ - "ServiceNow", - "SOAR", - "Notification", - "Threat Response" - ], - "releaseNotes": { - "version": "1.0", - "title": "[variables('blanks')]", - "notes": [ - "Initial version" - ] - } - } - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('playbookTemplateSpecName5')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" - }, - "properties": { - "description": "My_Cohesity_Delete_Incident_Blobs playbook", - "displayName": "My_Cohesity_Delete_Incident_Blobs playbook" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('playbookTemplateSpecName5'),'/',variables('playbookVersion5'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" - }, - "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName5'))]" - ], - "properties": { - "description": "My_Cohesity_Delete_Incident_Blobs Playbook with template version 2.0.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion5')]", - "parameters": { - "PlaybookName": { - "type": "string", - "defaultValue": "My_Cohesity_Delete_Incident_Blobs", - "metadata": { - "description": "Enter value for PlaybookName" - } - } - }, - "variables": { - "AzureblobConnectionName": "[[concat('Azureblob-', parameters('PlaybookName'))]", - "MicrosoftSentinelConnectionName": "[[concat('MicrosoftSentinel-', parameters('PlaybookName'))]", - "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azureblob')]", - "_connection-2": "[[variables('connection-2')]", - "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", - "_connection-3": "[[variables('connection-3')]", - "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", - "workspace-name": "[parameters('workspace')]", - "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" - }, - "resources": [ - { - "properties": { - "provisioningState": "Succeeded", - "state": "Enabled", - "definition": { - "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "$connections": { - "type": "Object" - }, - "PlaybookName": { - "type": "string", - "defaultValue": "[[parameters('PlaybookName')]" - } - }, - "staticResults": { - "Delete_blob_(V2)0": { - "status": "Succeeded", - "outputs": { - "statusCode": "OK" - } - } - }, - "triggers": { - "Microsoft_Sentinel_incident": { - "type": "ApiConnectionWebhook", - "inputs": { - "body": { - "callback_url": "@{listCallbackUrl()}" }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "path": "/incident-creation" - } - } - }, - "actions": { - "For_each": { - "foreach": "@body('Lists_blobs_(V2)')?['value']", - "actions": { - "Delete_blob_(V2)": { - "type": "ApiConnection", - "inputs": { - "headers": { - "SkipDeleteIfFileNotFoundOnServer": false - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azureblob']['connectionId']" - } - }, - "method": "delete", - "path": 
"/v2/datasets/@{encodeURIComponent(encodeURIComponent('AccountNameFromSettings'))}/files/@{encodeURIComponent(encodeURIComponent(items('For_each')?['Path']))}" - }, - "runtimeConfiguration": { - "staticResult": { - "staticResultOptions": "Disabled", - "name": "Delete_blob_(V2)0" + "Initialize_Description": { + "type": "InitializeVariable", + "inputs": { + "variables": [{ + "name": "description", + "type": "string", + "value": "@triggerBody()?['object']?['properties']?['description']" + }] } - } - } - }, - "runAfter": { - "Lists_blobs_(V2)": [ - "Succeeded" - ] - }, - "type": "Foreach" - }, - "Initialize_Description": { - "type": "InitializeVariable", - "inputs": { - "variables": [ - { - "name": "description", - "type": "string", - "value": "@triggerBody()?['object']?['properties']?['description']" - } - ] - } - }, - "Initialize_variable": { - "runAfter": { - "Initialize_Description": [ - "Succeeded" - ] - }, - "type": "InitializeVariable", - "inputs": { - "variables": [ - { - "name": "heliosID", - "type": "string", - "value": "@{split(variables('description'), 'Helios ID: ')[1]}" - } - ] - } - }, - "Lists_blobs_(V2)": { - "runAfter": { - "Initialize_variable": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['azureblob']['connectionId']" - } }, - "method": "get", - "path": "/v2/datasets/@{encodeURIComponent(encodeURIComponent('AccountNameFromSettings'))}/foldersV2/@{encodeURIComponent(encodeURIComponent('/cohesity-extra-parameters/',variables('heliosID'),'/'))}", - "queries": { - "useFlatListing": true + "Initialize_variable": { + "runAfter": { + "Initialize_Description": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [{ + "name": "heliosID", + "type": "string", + "value": "@{split(variables('description'), 'Helios ID: ')[1]}" + }] + } + }, + "Lists_blobs_(V2)": { + "runAfter": { + "Initialize_variable": [ + "Succeeded" + ] + }, + "type": 
"ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azureblob']['connectionId']" + } + }, + "method": "get", + "path": "/v2/datasets/@{encodeURIComponent(encodeURIComponent('AccountNameFromSettings'))}/foldersV2/@{encodeURIComponent(encodeURIComponent('/cohesity-extra-parameters/',variables('heliosID'),'/'))}", + "queries": { + "useFlatListing": true + } + } } - } } - } }, "parameters": { - "$connections": { - "value": { - "azureblob": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureblobConnectionName'))]", - "connectionName": "[[variables('AzureblobConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azureblob')]" - }, - "azuresentinel": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", - "connectionName": "[[variables('MicrosoftSentinelConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", - "connectionProperties": { - "authentication": { - "type": "ManagedServiceIdentity" - } + "$connections": { + "value": { + "azureblob": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('playbook5-AzureblobConnectionName'))]", + "connectionName": "[variables('playbook5-AzureblobConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/Azureblob')]" + }, + "azuresentinel": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('playbook5-MicrosoftSentinelConnectionName'))]", + "connectionName": "[variables('playbook5-MicrosoftSentinelConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/Azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + } } - } } - } } - }, - "name": "[[parameters('PlaybookName')]", - "type": "Microsoft.Logic/workflows", - "location": "[[variables('workspace-location-inline')]", - "identity": { + }, + "name": "[parameters('playbook5-PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[parameters('workspace-location')]", + "identity": { "type": "SystemAssigned" - }, - "tags": { + }, + "tags": { "hidden-SentinelTemplateName": "Cohesity_Delete_Incident_Blobs", - "hidden-SentinelTemplateVersion": "1.0", - "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" - }, - "apiVersion": "2017-07-01", - "dependsOn": [ - "[[resourceId('Microsoft.Web/connections', variables('AzureblobConnectionName'))]", - "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]" - ] + "hidden-SentinelTemplateVersion": "1.0" }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('AzureblobConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[variables('AzureblobConnectionName')]", + "apiVersion": "2017-07-01", + "dependsOn": [ + "[resourceId('Microsoft.Web/connections', variables('playbook5-AzureblobConnectionName'))]", + "[resourceId('Microsoft.Web/connections', variables('playbook5-MicrosoftSentinelConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('playbook5-AzureblobConnectionName')]", + "location": "[parameters('workspace-location')]", + "kind": "V1", + "properties": { + "displayName": "[variables('playbook5-AzureblobConnectionName')]", "api": { - "id": "[[variables('_connection-2')]" + "id": "[variables('_playbook-2-connection-2')]" } - } - }, - { - 
"type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('MicrosoftSentinelConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[variables('MicrosoftSentinelConnectionName')]", + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('playbook5-MicrosoftSentinelConnectionName')]", + "location": "[parameters('workspace-location')]", + "kind": "V1", + "properties": { + "displayName": "[variables('playbook5-MicrosoftSentinelConnectionName')]", "parameterValueType": "Alternative", "api": { - "id": "[[variables('_connection-3')]" + "id": "[variables('_playbook-1-connection-2')]" } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId5'),'/'))))]", - "properties": { - "parentId": "[variables('playbookId5')]", - "contentId": "[variables('_playbookContentId5')]", - "kind": "Playbook", - "version": "[variables('playbookVersion5')]", + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2021-03-01-preview", + "properties": { + "version": "2.0.0", + "kind": "Solution", + "contentId": "[variables('_sourceId')]", + "parentId": "[variables('_sourceId')]", "source": { - "kind": "Solution", - "name": "CohesitySecurity", - "sourceId": "[variables('_solutionId')]" + "kind": "Solution", + "name": "CohesitySecurity", + "sourceId": "[variables('_sourceId')]" }, "author": { - "name": "Cohesity", - "email": "[variables('_email')]" + "name": "Cohesity", + "email": "support@cohesity.com" }, "support": { - "tier": "Partner", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.cohesity.com" + "name": "Cohesity", + "email": "support@cohesity.com", + 
"tier": "Partner", + "link": "https://support.cohesity.com/" + }, + "dependencies": { + "operator": "AND", + "criteria": [{ + "kind": "DataConnector", + "contentId": "[variables('_CohesityDataConnectorConnector')]", + "version": "2.0.0" + }, + { + "kind": "Playbook", + "contentId": "[variables('_playbook1-Cohesity_Send_Incident_Email')]", + "version": "2.0.0" + }, + { + "kind": "Playbook", + "contentId": "[variables('_playbook2-Cohesity_Restore_From_Last_Snapshot')]", + "version": "2.0.0" + }, + { + "kind": "Playbook", + "contentId": "[variables('_playbook3-Cohesity_Close_Helios_Incident')]", + "version": "2.0.0" + }, + { + "kind": "Playbook", + "contentId": "[variables('_playbook4-Cohesity_CreateOrUpdate_ServiceNow_Incident')]", + "version": "2.0.0" + }, + { + "kind": "Playbook", + "contentId": "[variables('_playbook5-Cohesity_Delete_Incident_Blobs')]", + "version": "2.0.0" + } + ] + }, + "firstPublishDate": "2022-10-10", + "providers": [ + "Cohesity" + ], + "categories": { + "domains": [ + "Security - Cloud Security", + "Security - Automation (SOAR)" + ] } - } - } - ], - "metadata": { - "title": "Delete Cohesity incident blobs", - "description": "This playbook deletes the blobs on Azure storage created by an incident that is generated by Cohesity function apps.", - "prerequisites": "Deploy the Cohesity configuration and function apps (see details [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CohesitySecurity/Playbooks/Cohesity_Delete_Incident_Blobs/readme.md)).", - "postDeployment": [ - "Authorize all connections." 
- ], - "lastUpdateTime": "2023-01-27T10:57:00Z", - "entities": [ - "Malware" - ], - "tags": [ - "Cleanup" - ], - "releaseNotes": { - "version": "1.0", - "title": "[variables('blanks')]", - "notes": [ - "Initial version" - ] - } - } + }, + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_sourceId'))]" } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "location": "[parameters('workspace-location')]", - "properties": { - "version": "2.0.0", - "kind": "Solution", - "contentSchemaVersion": "2.0.0", - "contentId": "[variables('_solutionId')]", - "parentId": "[variables('_solutionId')]", - "source": { - "kind": "Solution", - "name": "CohesitySecurity", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Cohesity", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Partner", - "link": "https://support.cohesity.com" - }, - "dependencies": { - "operator": "AND", - "criteria": [ - { - "kind": "DataConnector", - "contentId": "[variables('_dataConnectorContentId1')]", - "version": "[variables('dataConnectorVersion1')]" - }, - { - "kind": "Playbook", - "contentId": "[variables('_Cohesity_Send_Incident_Email')]", - "version": "[variables('playbookVersion1')]" - }, - { - "kind": "Playbook", - "contentId": "[variables('_Cohesity_Restore_From_Last_Snapshot')]", - "version": "[variables('playbookVersion2')]" - }, - { - "kind": "Playbook", - "contentId": "[variables('_Cohesity_Close_Helios_Incident')]", - "version": "[variables('playbookVersion3')]" - }, - { - "kind": "Playbook", - "contentId": "[variables('_Cohesity_CreateOrUpdate_ServiceNow_Incident')]", - "version": "[variables('playbookVersion4')]" - }, - { - "kind": "Playbook", - "contentId": "[variables('_Cohesity_Delete_Incident_Blobs')]", - "version": "[variables('playbookVersion5')]" - } - ] - }, - 
"firstPublishDate": "2022-10-10", - "providers": [ - "Cohesity" - ], - "categories": { - "domains": [ - "Security - Cloud Security", - "Security - Automation (SOAR)" - ] - } - }, - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]" - } - ], - "outputs": {} + ], + "outputs": {} } diff --git a/Solutions/CohesitySecurity/SolutionMetadata.json b/Solutions/CohesitySecurity/SolutionMetadata.json index 52c0acbeb0..37ca2974f7 100644 --- a/Solutions/CohesitySecurity/SolutionMetadata.json +++ b/Solutions/CohesitySecurity/SolutionMetadata.json @@ -8,8 +8,8 @@ }, "support": { "tier": "Partner", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.cohesity.com" + "name": "Cohesity", + "email": "support@cohesity.com", + "link": "https://support.cohesity.com/" } -} \ No newline at end of file +} diff --git a/Solutions/CohesitySecurity/build_one_solution.ps1 b/Solutions/CohesitySecurity/build_one_solution.ps1 index 81d2d5546e..bbd77a24e4 100644 --- a/Solutions/CohesitySecurity/build_one_solution.ps1 +++ b/Solutions/CohesitySecurity/build_one_solution.ps1 @@ -2,7 +2,7 @@ $jsonConversionDepth = 50 $SolutionJsonPath = $args[0] $RepoRoot = Split-path -Parent $PSScriptRoot | Split-Path -Parent $SolutionRoot = Join-Path -Path $RepoRoot -ChildPath "Tools" | Join-Path -ChildPath "Create-Azure-Sentinel-Solution" -$path = Join-Path -Path $SolutionRoot -ChildPath "input" +$path = Join-Path -Path $RepoRoot -ChildPath "Solutions" | Join-Path -ChildPath "CohesitySecurity" | Join-Path -ChildPath "Data" function handleEmptyInstructionProperties ($inputObj) { $outputObj = $inputObj | From 5127b80fdeae73342ce5c74e98499fb358137454 Mon Sep 17 00:00:00 2001 
From: Ying Huang Date: Thu, 16 Feb 2023 14:55:44 -0800 Subject: [PATCH 2/2] add this file, but which still not working yet. ./Solutions/CohesitySecurity/Package/mainTemplate.json.sh update the build script.
--- .../Package/createUiDefinition.json | 2 +- .../CohesitySecurity/Package/mainTemplate.json.sh | 14 ++++++++++++++ Solutions/CohesitySecurity/build_one_solution.ps1 | 2 +- 3 files changed, 16 insertions(+), 2 deletions(-) create mode 100755 Solutions/CohesitySecurity/Package/mainTemplate.json.sh
diff --git a/Solutions/CohesitySecurity/Package/createUiDefinition.json b/Solutions/CohesitySecurity/Package/createUiDefinition.json
index 142a4a4115..2dceb0d898 100644
--- a/Solutions/CohesitySecurity/Package/createUiDefinition.json
+++ b/Solutions/CohesitySecurity/Package/createUiDefinition.json
@@ -60,7 +60,7 @@
 "name": "dataconnectors1-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This Solution installs the data connector for CohesitySecurity. You can get CohesitySecurity custom log data in your Microsoft Sentinel workspace. Configure and enable this data connector in the Data Connector gallery after this Solution deploys. This data connector creates custom log table(s) Cohesity_CL in your Microsoft Sentinel / Azure Log Analytics workspace."
+ "text": "This product integrates Cohesity Helios with Microsoft Sentinel to stay updated with the security events from your Cohesity environment and immediately respond to a ransomware attack or an anomaly."
 }
 },
 {
diff --git a/Solutions/CohesitySecurity/Package/mainTemplate.json.sh b/Solutions/CohesitySecurity/Package/mainTemplate.json.sh
new file mode 100755
index 0000000000..6d9b8fc9dd
--- /dev/null
+++ b/Solutions/CohesitySecurity/Package/mainTemplate.json.sh
@@ -0,0 +1,14 @@
+#!/bin/zsh
+SCRIPT=$(realpath "$0")
+SCRIPTPATH=$(dirname "$SCRIPT")
+cd "$SCRIPTPATH"
+
+. ../json_parser.sh
+
+az deployment group create \
+ --name ExampleDeployment \
+ --resource-group "$resourcegroup" \
+ --template-file ./mainTemplate.json \
+ --parameters EmailID=cohesity-siem@outlook.com \
+ --parameters connector1-name=$(uuidgen) \
+ --parameters location=eastasia
diff --git a/Solutions/CohesitySecurity/build_one_solution.ps1 b/Solutions/CohesitySecurity/build_one_solution.ps1
index bbd77a24e4..12370be3bd 100644
--- a/Solutions/CohesitySecurity/build_one_solution.ps1
+++ b/Solutions/CohesitySecurity/build_one_solution.ps1
@@ -696,7 +696,7 @@ foreach ($objectProperties in $contentToImport.PsObject.Properties) {
 $customLogsText = "$baseDescriptionText This data connector creates custom log table(s) $(getAllDataTypeNames $connectorData.dataTypes) in your Microsoft Sentinel / Azure Log Analytics workspace."
 $syslogText = "$baseDescriptionText The logs will be received in the Syslog table in your Microsoft Sentinel / Azure Log Analytics workspace."
 $commonSecurityLogText = "$baseDescriptionText The logs will be received in the CommonSecurityLog table in your Microsoft Sentinel / Azure Log Analytics workspace."
- $connectorDescriptionText = $(if ($connectorDataType -eq $commonSecurityLog) { $commonSecurityLogText } elseif ($connectorDataType -eq $syslog) { $syslogText } else { $customLogsText })
+ $connectorDescriptionText = "This product integrates Cohesity Helios with Microsoft Sentinel to stay updated with the security events from your Cohesity environment and immediately respond to a ransomware attack or an anomaly."
 $baseDataConnectorStep = [PSCustomObject] @{
 name = "dataconnectors";
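Review bot: `cd "$SCRIPTPATH"` is unchecked, so if it fails the script still sources `../json_parser.sh` and runs `az deployment group create` from the caller's working directory; `cd "$SCRIPTPATH" || exit 1` (or `set -eu` after the shebang) stops that. `$resourcegroup` is not defined in this file and is presumably meant to come from `json_parser.sh`; guarding with `: "${resourcegroup:?set by json_parser.sh}"` before the `az` call turns a deployment into an empty or unintended group into an immediate error. The deployment name, `EmailID=cohesity-siem@outlook.com` and `location=eastasia` are literals committed under `Package/` beside the template they deploy, so they belong in the same sourced configuration or in script arguments rather than in the repository, and it is worth confirming that the packaging step ignores a `.sh` file in that folder.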
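Review bot: With the new `$connectorDescriptionText` line, the `$customLogsText`, `$syslogText` and `$commonSecurityLogText` assignments three lines above are computed but never read, and the generated description loses the only data-type-specific sentence (`This data connector creates custom log table(s) $(getAllDataTypeNames $connectorData.dataTypes) …`), which is exactly the `Cohesity_CL` information dropped from createUiDefinition.json in this commit. If `$baseDescriptionText` (assigned outside the hunk) is the generic `This Solution installs the data connector for …` sentence that text started with, assigning the Cohesity sentence to `$baseDescriptionText` instead and restoring the removed `$(if …)` line keeps the table sentence and the three variables in use. Otherwise the three dead assignments should go, with a comment such as `# Cohesity-specific: fixed connector description, no per-data-type variant` explaining the override. The enclosing foreach starts outside the hunk.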