update to new MS Teams action
This commit is contained in:
Родитель
623526fbce
Коммит
430763a1ab
|
@ -1,12 +1,12 @@
|
||||||
|
|
||||||
{
|
{
|
||||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||||
"contentVersion": "1.0.0.0",
|
"contentVersion": "1.0.0.0",
|
||||||
"metadata": {
|
"metadata": {
|
||||||
"title": "Prompt User - Alert",
|
"title": "Prompt User - Alert",
|
||||||
"description": "This playbook will ask the user if they completed the action from the alert in Azure Sentinel. If so, it will close the incident and add a comment. If not, it will post a message to teams for the SOC to investigate and add a comment to the incident.",
|
"description": "This playbook will ask the user if they completed the action from the alert in Microsoft Sentinel. If so, it will close the incident and add a comment. If not, it will post a message to teams for the SOC to investigate and add a comment to the incident.",
|
||||||
"prerequisites": "1. You will need the Team Id and Channel Id.",
|
"prerequisites": "1. You will need the Team Id and Channel Id.",
|
||||||
"lastUpdateTime": "2021-07-14T00:00:00.000Z",
|
"postDeployment": [ "1. Assign Microsoft Sentinel Responder role to the Playbook's managed identity.", "2. Authorize Azure AD, Microsoft Teams, and Office 365 Outlook Logic App connections." ],
|
||||||
|
"lastUpdateTime": "2022-03-22T00:00:00.000Z",
|
||||||
"entities": [ "Account" ],
|
"entities": [ "Account" ],
|
||||||
"tags": [ "Remediation" ],
|
"tags": [ "Remediation" ],
|
||||||
"support": {
|
"support": {
|
||||||
|
@ -22,15 +22,15 @@
|
||||||
"type": "string"
|
"type": "string"
|
||||||
},
|
},
|
||||||
"TeamsId": {
|
"TeamsId": {
|
||||||
"metadata": {
|
"metadata": {
|
||||||
"description": "Enter the Teams Group ID"
|
"description": "Enter the Teams Group ID"
|
||||||
},
|
},
|
||||||
"type": "string"
|
"type": "string"
|
||||||
},
|
},
|
||||||
"TeamsChannelId": {
|
"TeamsChannelId": {
|
||||||
"metadata": {
|
"metadata": {
|
||||||
"description": "Enter the Teams Channel ID"
|
"description": "Enter the Teams Channel ID"
|
||||||
},
|
},
|
||||||
"type": "string"
|
"type": "string"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
@ -103,7 +103,7 @@
|
||||||
"tags": {
|
"tags": {
|
||||||
"LogicAppsCategory": "security",
|
"LogicAppsCategory": "security",
|
||||||
"hidden-SentinelTemplateName": "Prompt-User_alert",
|
"hidden-SentinelTemplateName": "Prompt-User_alert",
|
||||||
"hidden-SentinelTemplateVersion": "1.0"
|
"hidden-SentinelTemplateVersion": "1.1"
|
||||||
},
|
},
|
||||||
"identity": {
|
"identity": {
|
||||||
"type": "SystemAssigned"
|
"type": "SystemAssigned"
|
||||||
|
@ -216,12 +216,13 @@
|
||||||
"runAfter": {},
|
"runAfter": {},
|
||||||
"type": "ApiConnection"
|
"type": "ApiConnection"
|
||||||
},
|
},
|
||||||
"Post_a_message_(V3)": {
|
"Post_message_in_a_chat_or_channel": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"body": {
|
"body": {
|
||||||
"body": {
|
"messageBody": "<p>New alert from Azure Sentinel.<br>\nPlease investigate ASAP.<br>\nSeverity : @{body('Alert_-_Get_incident')?['properties']?['severity']}<br>\nDescription: @{body('Alert_-_Get_incident')?['properties']?['description']}<br>\n<br>\n@{body('Get_user')?['displayName']} user confirmed they did not complete the action.</p>",
|
||||||
"content": "<p>New alert from Azure Sentinel.<br>\nPlease investigate ASAP.<br>\nSeverity : @{body('Alert_-_Get_incident')?['properties']?['severity']}<br>\nDescription: @{body('Alert_-_Get_incident')?['properties']?['description']}<br>\n<br>\n@{body('Get_user')?['displayName']} user confirmed they did not complete the action.</p>",
|
"recipient": {
|
||||||
"contentType": "html"
|
"channelId": "[parameters('TeamsChannelId')]",
|
||||||
|
"groupId": "[parameters('TeamsId')]"
|
||||||
},
|
},
|
||||||
"subject": "Incident @{body('Alert_-_Get_incident')?['properties']?['incidentNumber']} - @{body('Alert_-_Get_incident')?['properties']?['title']}"
|
"subject": "Incident @{body('Alert_-_Get_incident')?['properties']?['incidentNumber']} - @{body('Alert_-_Get_incident')?['properties']?['title']}"
|
||||||
},
|
},
|
||||||
|
@ -231,7 +232,7 @@
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"method": "post",
|
"method": "post",
|
||||||
"path": "[concat('/v3/beta/teams/@{encodeURIComponent(', parameters('TeamsId'),')}/channels/@{encodeURIComponent(', parameters('TeamsChannelId'), ')}/messages')]"
|
"path": "/beta/teams/conversation/message/poster/@{encodeURIComponent('User')}/location/@{encodeURIComponent('Channel')}"
|
||||||
},
|
},
|
||||||
"runAfter": {
|
"runAfter": {
|
||||||
"Add_comment_to_incident_(V3)_2": [
|
"Add_comment_to_incident_(V3)_2": [
|
||||||
|
@ -369,4 +370,4 @@
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
}
|
}
|
|
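Review bot: The new `Post_message_in_a_chat_or_channel` body drops the old `"contentType": "html"` field while `messageBody` still carries HTML markup (`<p>`, `<br>`), so rendering now depends on the new action's default content type; confirm that the connector treats `messageBody` as HTML by default, otherwise the tags will show up as literal text in the channel. That same `messageBody` interpolates the incident `severity` and `description` and the `displayName` returned by `Get_user` straight into the HTML with no encoding, and none of those values are controlled by this template, so it is worth confirming that the connector sanitises the message body, and a short `"description"` entry on the action stating that the body is rendered as HTML would help the next maintainer. The body also still says `New alert from Azure Sentinel` while the metadata `description` in the same commit was updated to `Microsoft Sentinel`. The identical action body appears in the Prompt-User-Incident template further down in this commit. The action's `runAfter` block continues past the end of the hunk.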
@ -0,0 +1,8 @@
|
||||||
|
### 1.1 Added new Post a Teams message action
|
||||||
|
|
||||||
|
- Replaced old Post a Teams message action with the new Post message in a chat or channel action
|
||||||
|
- Update to readme file - adding post deployment steps
|
||||||
|
|
||||||
|
### 1.0
|
||||||
|
|
||||||
|
- Initial version
|
|
@ -1,12 +1,12 @@
|
||||||
|
|
||||||
{
|
{
|
||||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||||
"contentVersion": "1.0.0.0",
|
"contentVersion": "1.0.0.0",
|
||||||
"metadata": {
|
"metadata": {
|
||||||
"title": "Prompt User - Incident",
|
"title": "Prompt User - Incident",
|
||||||
"description": "This playbook will ask the user if they completed the action from the Incident in Azure Sentinel. If so, it will close the incident and add a comment. If not, it will post a message to teams for the SOC to investigate and add a comment to the incident.",
|
"description": "This playbook will ask the user if they completed the action from the Incident in Microsoft Sentinel. If so, it will close the incident and add a comment. If not, it will post a message to teams for the SOC to investigate and add a comment to the incident.",
|
||||||
"prerequisites": "1. You will need the Team Id and Channel Id.",
|
"prerequisites": "1. You will need the Team Id and Channel Id.",
|
||||||
"lastUpdateTime": "2021-07-14T00:00:00.000Z",
|
"postDeployment": [ "1. Assign Microsoft Sentinel Responder role to the Playbook's managed identity.", "2. Authorize Azure AD, Microsoft Teams, and Office 365 Outlook Logic App connections." ],
|
||||||
|
"lastUpdateTime": "2022-03-22T00:00:00.000Z",
|
||||||
"entities": [ "Account" ],
|
"entities": [ "Account" ],
|
||||||
"tags": [ "Remediation" ],
|
"tags": [ "Remediation" ],
|
||||||
"support": {
|
"support": {
|
||||||
|
@ -20,17 +20,17 @@
|
||||||
"PlaybookName": {
|
"PlaybookName": {
|
||||||
"defaultValue": "Prompt-User-Incident",
|
"defaultValue": "Prompt-User-Incident",
|
||||||
"type": "string"
|
"type": "string"
|
||||||
},
|
},
|
||||||
"TeamsId": {
|
"TeamsId": {
|
||||||
"metadata": {
|
"metadata": {
|
||||||
"description": "Enter the Teams Group ID"
|
"description": "Enter the Teams Group ID"
|
||||||
},
|
},
|
||||||
"type": "string"
|
"type": "string"
|
||||||
},
|
},
|
||||||
"TeamsChannelId": {
|
"TeamsChannelId": {
|
||||||
"metadata": {
|
"metadata": {
|
||||||
"description": "Enter the Teams Channel ID"
|
"description": "Enter the Teams Channel ID"
|
||||||
},
|
},
|
||||||
"type": "string"
|
"type": "string"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
@ -103,7 +103,7 @@
|
||||||
"tags": {
|
"tags": {
|
||||||
"LogicAppsCategory": "security",
|
"LogicAppsCategory": "security",
|
||||||
"hidden-SentinelTemplateName": "Prompt-User",
|
"hidden-SentinelTemplateName": "Prompt-User",
|
||||||
"hidden-SentinelTemplateVersion": "1.0"
|
"hidden-SentinelTemplateVersion": "1.1"
|
||||||
},
|
},
|
||||||
"identity": {
|
"identity": {
|
||||||
"type": "SystemAssigned"
|
"type": "SystemAssigned"
|
||||||
|
@ -199,22 +199,23 @@
|
||||||
"runAfter": {},
|
"runAfter": {},
|
||||||
"type": "ApiConnection"
|
"type": "ApiConnection"
|
||||||
},
|
},
|
||||||
"Post_a_message_(V3)": {
|
"Post_message_in_a_chat_or_channel": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"body": {
|
"body": {
|
||||||
"body": {
|
"messageBody": "<p>New alert from Azure Sentinel.<br>\nPlease investigate ASAP.<br>\nSeverity : @{triggerBody()?['object']?['properties']?['severity']}<br>\nDescription: @{triggerBody()?['object']?['properties']?['description']}<br>\n<br>\n@{body('Get_user')?['displayName']} user confirmed they did not complete the action.</p>",
|
||||||
"content": "<p>New alert from Azure Sentinel.<br>\nPlease investigate ASAP.<br>\nSeverity : @{triggerBody()?['object']?['properties']?['severity']}<br>\nDescription: @{triggerBody()?['object']?['properties']?['description']}<br>\n<br>\n@{body('Get_user')?['displayName']} user confirmed they did not complete the action.</p>",
|
"recipient": {
|
||||||
"contentType": "html"
|
"channelId": "[parameters('TeamsChannelId')]",
|
||||||
|
"groupId": "[parameters('TeamsId')]"
|
||||||
},
|
},
|
||||||
"subject": "Incident @{triggerBody()?['object']?['properties']?['incidentNumber']} - @{triggerBody()?['object']?['properties']?['title']}"
|
"subject": "Incident @{triggerBody()?['object']?['properties']?['incidentNumber']} - @{triggerBody()?['object']?['properties']?['title']}"
|
||||||
},
|
},
|
||||||
"host": {
|
"host": {
|
||||||
"connection": {
|
"connection": {
|
||||||
"name": "@parameters('$connections')['teams_1']['connectionId']"
|
"name": "@parameters('$connections')['teams']['connectionId']"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"method": "post",
|
"method": "post",
|
||||||
"path": "[concat('/v3/beta/teams/@{encodeURIComponent(', parameters('TeamsId'),')}/channels/@{encodeURIComponent(', parameters('TeamsChannelId'), ')}/messages')]"
|
"path": "/beta/teams/conversation/message/poster/@{encodeURIComponent('User')}/location/@{encodeURIComponent('Channel')}"
|
||||||
},
|
},
|
||||||
"runAfter": {
|
"runAfter": {
|
||||||
"Add_comment_to_incident_(V3)_2": [
|
"Add_comment_to_incident_(V3)_2": [
|
||||||
|
@ -352,4 +353,4 @@
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
}
|
}
|
|
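Review bot: The host connection reference is renamed from `teams_1` to `teams` (`"name": "@parameters('$connections')['teams']['connectionId']"`), but the `$connections` parameter definition and the `Microsoft.Web/connections` resource that declare that key lie outside the visible hunks; if they were not renamed in the same commit, the workflow will fail at run time when this action resolves its connection. The Prompt-User-Alert template in this commit shows no corresponding rename on its `Post_message_in_a_chat_or_channel` action, so the two templates may now reference different connection keys — verify both against their `$connections` blocks. The action's `runAfter` block continues past the end of the hunk.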
@ -0,0 +1,8 @@
|
||||||
|
### 1.1 Added new Post a Teams message action
|
||||||
|
|
||||||
|
- Replaced old Post a Teams message action with the new Post message in a chat or channel action
|
||||||
|
- Update to readme file - adding post deployment steps
|
||||||
|
|
||||||
|
### 1.0
|
||||||
|
|
||||||
|
- Initial version
|
|
@ -1,7 +1,7 @@
|
||||||
# Prompt-User
|
# Prompt-User
|
||||||
author: Nicholas DiCola
|
author: Nicholas DiCola
|
||||||
|
|
||||||
This playbook will ask the user if they completed the action from the Incident in Azure Sentinel. If so, it will close the incident and add a comment. If not, it will post a message to teams for the SOC to investigate and add a comment to the incident.
|
This playbook will ask the user if they completed the action from the Incident in Microsoft Sentinel. If so, it will close the incident and add a comment. If not, it will post a message to teams for the SOC to investigate and add a comment to the incident.
|
||||||
|
|
||||||
## Quick Deployment
|
## Quick Deployment
|
||||||
**Deploy with incident trigger** (recommended)
|
**Deploy with incident trigger** (recommended)
|
||||||
|
@ -25,6 +25,10 @@ After deployment, you can run this playbook manually on an alert or attach it to
|
||||||
|
|
||||||
- [This](https://www.linkedin.com/pulse/3-ways-locate-microsoft-team-id-christopher-barber-/) blog shows some simple methods to get the Team Id. You will need the Team Id and Channel Id.
|
- [This](https://www.linkedin.com/pulse/3-ways-locate-microsoft-team-id-christopher-barber-/) blog shows some simple methods to get the Team Id. You will need the Team Id and Channel Id.
|
||||||
|
|
||||||
|
## Post deployment
|
||||||
|
|
||||||
|
1. Assign Microsoft Sentinel Responder role to the Playbook's managed identity
|
||||||
|
2. Authorize Azure AD, Microsoft Teams, and Office 365 Outlook Logic App connections
|
||||||
|
|
||||||
## Screenshots
|
## Screenshots
|
||||||
**Incident Trigger**<br>
|
**Incident Trigger**<br>
|
||||||
|
|