Azure
/
Azure-Sentinel
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Get-AD4IoTDeviceCVEs

This commit is contained in:
dicolanl 2021-08-03 20:54:39 +00:00
Родитель ba028688d5
Коммит 5328f89fed
7 изменённых файлов: 1272 добавлений и 0 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

640
Playbooks/Get-AD4IoTDeviceCVEs/alert-trigger/azuredeploy.json Normal file
Просмотреть файл

@ -0,0 +1,640 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"title": "Get-AD4IoTDeviceCVEs - Alert",
"description": "For each IoT device entity included in the alert, this playbook will get CVEs from the Azure Defender for IoT Sensor.",
"prerequisites": "",
"lastUpdateTime": "2021-08-03T00:00:00.000Z",
"entities": [ "IoTDevice" ],
"tags": [ "Enrichment" ],
"support": {
"tier": "community"
},
"author": {
"name": "Nicholas DiCola"
}
},
"parameters": {
"PlaybookName": {
"defaultValue": "Get-AD4IoTDeviceCVEs-Alert",
"type": "string"
},
"SensorURL": {
"type": "string",
"defaultValue": "<https://sensor.domain.local>",
"metadata": {
"description": "The URL of the Azure IoT Sensor."
}
},
"APIKey": {
"type": "string",
"defaultValue": "<APIKey>",
"metadata": {
"description": "The API key for the Azure Defender for IoT Sensor."
}
}
},
"variables": {
"AzureBlobConnectionName": "[concat('azureblob-', parameters('PlaybookName'))]",
"AzureStorageName": "[concat('sa', tolower(replace(replace(parameters('PlaybookName'), '-Alert', ''), '-', '')))]",
"ContainerName": "ad4iotcves",
"AzureKeyVaultName": "[concat('kv-', replace(parameters('PlaybookName'), '-Alert', ''))]",
"AzureKeyVaultConnectionName": "[concat('keyvault-', parameters('PlaybookName'))]",
"KeyName": "ad4iotcves",
"AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]",
"singlequote": "'"
},
"resources": [
{
"type": "Microsoft.KeyVault/vaults",
"apiVersion": "2016-10-01",
"name": "[variables('AzureKeyVaultName')]",
"location": "[resourceGroup().location]",
"properties": {
"sku": {
"family": "A",
"name": "standard"
},
"tenantId": "[subscription().tenantId]",
"enabledForDeployment": false,
"enabledForDiskEncryption": false,
"enabledForTemplateDeployment": true,
"enableSoftDelete": true,
"accessPolicies": [
]
}
},
{
"type": "Microsoft.KeyVault/vaults/secrets",
"apiVersion": "2016-10-01",
"name": "[concat(variables('AzureKeyVaultName'), '/', variables('KeyName'))]",
"dependsOn": [
"[resourceId('Microsoft.KeyVault/vaults', variables('AzureKeyVaultName'))]"
],
"properties": {
"value": "[parameters('APIKey')]",
"contentType": "string",
"attributes": {
"enabled": true
}
}
},
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2021-04-01",
"name": "[variables('AzureStorageName')]",
"location": "[resourceGroup().location]",
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"kind": "StorageV2",
"properties": {
"accessTier": "Hot",
"minimumTlsVersion": "TLS1_2",
"supportsHttpsTrafficOnly": "true",
"allowBlobPublicAccess": "false",
"allowSharedKeyAccess": "true",
"networkAcls": {
"bypass": "AzureServices",
"defaultAction": "Allow",
"ipRules": []
}
}
},
{
"name": "[concat(variables('AzureStorageName'), '/default')]",
"type": "Microsoft.Storage/storageAccounts/blobServices",
"apiVersion": "2021-02-01",
"dependsOn": [
"[concat('Microsoft.Storage/storageAccounts/', variables('AzureStorageName'))]"
],
"properties": {
"deleteRetentionPolicy": {
"enabled": "false"
}
}
},
{
"type": "Microsoft.Storage/storageAccounts/blobServices/containers",
"apiVersion": "2019-06-01",
"name": "[concat(variables('AzureStorageName'), '/default/', variables('ContainerName'))]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts/blobServices', variables('AzureStorageName'), 'default')]",
"[resourceId('Microsoft.Storage/storageAccounts', variables('AzureStorageName'))]"
],
"properties": {
"publicAccess": "None"
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('AzureBlobConnectionName')]",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts/', variables('AzureStorageName'))]"
],
"properties": {
"displayName": "[variables('AzureBlobConnectionName')]",
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azureblob')]"
},
"parameterValues": {
"accountName": "[variables('AzureStorageName')]",
"accessKey": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('AzureStorageName')), '2019-04-01').keys[0].value]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('AzureKeyVaultConnectionName')]",
"location": "[resourceGroup().location]",
"kind": "V1",
"properties": {
"displayName": "[parameters('PlaybookName')]",
"customParameterValues": {},
"parameterValueType": "Alternative",
"alternativeParameterValues": {
"vaultName": "[variables('AzureKeyVaultName')]"
},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/keyvault')]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('AzureSentinelConnectionName')]",
"location": "[resourceGroup().location]",
"kind": "V1",
"properties": {
"displayName": "[parameters('PlaybookName')]",
"customParameterValues": {},
"parameterValueType": "Alternative",
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
}
}
},
{
"type": "Microsoft.Logic/workflows",
"apiVersion": "2017-07-01",
"name": "[parameters('PlaybookName')]",
"location": "[resourceGroup().location]",
"tags": {
"LogicAppsCategory": "security",
"hidden-SentinelTemplateName": "Get-AD4IoTDeviceCVEs-alert",
"hidden-SentinelTemplateVersion": "1.0"
},
"identity": {
"type": "SystemAssigned"
},
"dependsOn": [
"[resourceId('Microsoft.Web/connections', variables('AzureBlobConnectionName'))]",
"[resourceId('Microsoft.Web/connections', variables('AzureKeyVaultConnectionName'))]",
"[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]"
],
"properties": {
"state": "Enabled",
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"actions": {
"Alert_-_Get_incident": {
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "get",
"path": "/Incidents/subscriptions/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/resourceGroups/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/workspaces/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/alerts/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}"
},
"runAfter": {},
"type": "ApiConnection"
},
"Filter_array": {
"inputs": {
"from": "@body('Parse_JSON')",
"where": "@equals(item()?['Type'], 'iotdevice')"
},
"runAfter": {
"Parse_JSON": [
"Succeeded"
]
},
"type": "Query"
},
"For_each": {
"actions": {
"Condition": {
"actions": {
"Add_comment_to_incident_(V3)": {
"inputs": {
"body": {
"incidentArmId": "@body('Alert_-_Get_incident')?['id']",
"message": "<p>The following CVEs are found for @{items('For_each')?['DeviceName']} from sensor @{items('For_each')?['DeviceId']}:<br>\n<br>\n@{body('Create_SAS_URI_by_path_(V2)')?['WebUrl']}</p>"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/Incidents/Comment"
},
"runAfter": {
"Create_SAS_URI_by_path_(V2)": [
"Succeeded"
]
},
"type": "ApiConnection"
},
"Create_SAS_URI_by_path_(V2)": {
"inputs": {
"body": {
"Permissions": "Read"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azureblob']['connectionId']"
}
},
"method": "post",
"path": "[concat('/v2/datasets/@{encodeURIComponent(', variables('singlequote'), variables('AzureStorageName'), variables('singlequote'),')}/CreateSharedLinkByPath')]",
"queries": {
"path": "[concat(variables('ContainerName'),'/@{body(', variables('singlequote'),'Alert_-_Get_incident', variables('singlequote'),')?[', variables('singlequote'),'properties', variables('singlequote'),']?[', variables('singlequote'),'incidentNumber', variables('singlequote'),']}-@{items(', variables('singlequote'),'For_each', variables('singlequote'),')?[', variables('singlequote'),'IpAddress', variables('singlequote'),']?[', variables('singlequote'),'Address', variables('singlequote'),']}.json')]"
}
},
"runAfter": {
"Create_blob_(V2)": [
"Succeeded"
]
},
"type": "ApiConnection"
},
"Create_blob_(V2)": {
"inputs": {
"body": "@body('HTTP')",
"headers": {
"ReadFileMetadataFromServer": true
},
"host": {
"connection": {
"name": "@parameters('$connections')['azureblob']['connectionId']"
}
},
"method": "post",
"path": "[concat('/v2/datasets/@{encodeURIComponent(encodeURIComponent(', variables('singlequote'), variables('AzureStorageName'), variables('singlequote'),'))}/files')]",
"queries": {
"folderPath": "[variables('ContainerName')]",
"name": "@{body('Alert_-_Get_incident')?['properties']?['incidentNumber']}-@{items('For_each')?['IpAddress']?['Address']}.json",
"queryParametersSingleEncoded": true
}
},
"runAfter": {},
"runtimeConfiguration": {
"contentTransfer": {
"transferMode": "Chunked"
}
},
"type": "ApiConnection"
}
},
"else": {
"actions": {
"Add_comment_to_incident_(V3)_2": {
"inputs": {
"body": {
"incidentArmId": "@body('Alert_-_Get_incident')?['id']",
"message": "<p>No CVEs are found for @{items('For_each')?['DeviceName']} from sensor @{items('For_each')?['DeviceId']}.</p>"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/Incidents/Comment"
},
"runAfter": {},
"type": "ApiConnection"
}
}
},
"expression": {
"and": [
{
"not": {
"equals": [
"@length(body('HTTP'))",
0
]
}
}
]
},
"runAfter": {
"For_each_2": [
"Succeeded"
]
},
"type": "If"
},
"For_each_2": {
"actions": {
"Append_to_array_variable": {
"inputs": {
"name": "CVEs",
"value": {
"attackVector": "@{items('For_each_2')?['attackVector']}",
"cveId": "@{items('For_each_2')?['cveId']}",
"ipAddress": "@{items('For_each_2')?['ipAddress']}",
"score": "@{items('For_each_2')?['score']}"
}
},
"runAfter": {},
"type": "AppendToArrayVariable"
}
},
"foreach": "@body('Parse_JSON_2')",
"runAfter": {
"Parse_JSON_2": [
"Succeeded"
]
},
"type": "Foreach"
},
"HTTP": {
"inputs": {
"headers": {
"Authorization": "@body('Get_secret')?['value']"
},
"method": "GET",
"uri": "@{variables('Server')}/api/v1/devices/@{items('For_each')?['IpAddress']?['Address']}/cves"
},
"runAfter": {},
"type": "Http"
},
"Parse_JSON_2": {
"inputs": {
"content": "@body('HTTP')",
"schema": {
"items": {
"properties": {
"attackVector": {
"type": "string"
},
"cveId": {
"type": "string"
},
"description": {
"type": "string"
},
"ipAddress": {
"type": "string"
},
"score": {
"type": "string"
}
},
"required": [],
"type": "object"
},
"type": "array"
}
},
"runAfter": {
"HTTP": [
"Succeeded"
]
},
"type": "ParseJson"
}
},
"foreach": "@body('Filter_array')",
"runAfter": {
"Filter_array": [
"Succeeded"
]
},
"type": "Foreach"
},
"Get_secret": {
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['keyvault']['connectionId']"
}
},
"method": "get",
"path": "[concat('/secrets/@{encodeURIComponent(', variables('singlequote'), variables('KeyName'), variables('singlequote'), ')}/value')]"
},
"runAfter": {
"Alert_-_Get_incident": [
"Succeeded"
]
},
"type": "ApiConnection"
},
"Initialize_variable": {
"inputs": {
"variables": [
{
"name": "Server",
"type": "string",
"value": "[parameters('SensorURL')]"
}
]
},
"runAfter": {
"Get_secret": [
"Succeeded"
]
},
"type": "InitializeVariable"
},
"Initialize_variable_2": {
"inputs": {
"variables": [
{
"name": "CVEs",
"type": "array"
}
]
},
"runAfter": {
"Initialize_variable": [
"Succeeded"
]
},
"type": "InitializeVariable"
},
"Parse_JSON": {
"inputs": {
"content": "@triggerBody()?['Entities']",
"schema": {
"items": {
"properties": {
"$id": {
"type": "string"
},
"$ref": {
"type": "string"
},
"DeviceId": {
"type": "string"
},
"DeviceName": {
"type": "string"
},
"DeviceType": {
"type": "string"
},
"IoTHub": {
"properties": {
"$id": {
"type": "string"
},
"ResourceId": {
"type": "string"
},
"Type": {
"type": "string"
}
},
"type": "object"
},
"IpAddress": {
"properties": {
"$id": {
"type": "string"
},
"Address": {
"type": "string"
},
"Type": {
"type": "string"
}
},
"type": "object"
},
"MacAddress": {
"type": "string"
},
"OperatingSystem": {
"type": "string"
},
"Protocols": {
"items": {
"type": "string"
},
"type": "array"
},
"Type": {
"type": "string"
},
"Vendor": {
"type": "string"
}
},
"required": [],
"type": "object"
},
"type": "array"
}
},
"runAfter": {
"Initialize_variable_2": [
"Succeeded"
]
},
"type": "ParseJson"
}
},
"contentVersion": "1.0.0.0",
"outputs": {},
"parameters": {
"$connections": {
"defaultValue": {},
"type": "Object"
}
},
"triggers": {
"When_a_response_to_an_Azure_Sentinel_alert_is_triggered": {
"inputs": {
"body": {
"callback_url": "@{listCallbackUrl()}"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"path": "/subscribe"
},
"type": "ApiConnectionWebhook"
}
}
},
"parameters": {
"$connections": {
"value": {
"azureblob": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureBlobConnectionName'))]",
"connectionName": "[variables('AzureBlobConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azureblob')]"
},
"azuresentinel": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
"connectionName": "[variables('AzureSentinelConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]",
"connectionProperties": {
"authentication": {
"type": "ManagedServiceIdentity"
}
}
},
"keyvault": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureKeyVaultConnectionName'))]",
"connectionName": "[variables('AzureKeyVaultConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/keyvault')]",
"connectionProperties": {
"authentication": {
"type": "ManagedServiceIdentity"
}
}
}
}
}
}
}
},
{
"type": "Microsoft.KeyVault/vaults/accessPolicies",
"apiVersion": "2016-10-01",
"name": "[concat(variables('AzureKeyVaultName'), '/add')]",
"dependsOn": [
"[resourceId('Microsoft.Logic/workflows', parameters('PlaybookName'))]"
],
"properties": {
"accessPolicies": [
{
"tenantId": "[subscription().tenantId]",
"objectId": "[reference(resourceId('Microsoft.Logic/workflows', parameters('PlaybookName')), '2019-05-01', 'full').identity.principalId]",
"permissions": {
"secrets": [
"Get",
"List"
]
}
}
]
}
}
]
}

Двоичные данные
Playbooks/Get-AD4IoTDeviceCVEs/alert-trigger/images/Get-AD4IoTDeviceCVEs_alert.png Normal file
Просмотреть файл

Двоичный файл не отображается.
Режим "рядом"

После

Ширина:  |  Высота:  |  Размер: 36 KiB

601
Playbooks/Get-AD4IoTDeviceCVEs/incident-trigger/azuredeploy.json Normal file
Просмотреть файл

@ -0,0 +1,601 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"title": "Get-AD4IoTDeviceCVEs - Incident",
"description": "For each IoT device entity included in the alert, this playbook will get CVEs from the Azure Defender for IoT Sensor.",
"prerequisites": "",
"lastUpdateTime": "2021-08-03T00:00:00.000Z",
"entities": [ "IoTDevice" ],
"tags": [ "Enrichment" ],
"support": {
"tier": "community"
},
"author": {
"name": "Nicholas DiCola"
}
},
"parameters": {
"PlaybookName": {
"defaultValue": "Get-AD4IoTDeviceCVEs-Incident",
"type": "string"
},
"SensorURL": {
"type": "string",
"defaultValue": "<https://sensor.domain.local>",
"metadata": {
"description": "The URL of the Azure IoT Sensor."
}
},
"APIKey": {
"type": "string",
"defaultValue": "<APIKey>",
"metadata": {
"description": "The API key for the Azure Defender for IoT Sensor."
}
}
},
"variables": {
"AzureBlobConnectionName": "[concat('azureblob-', parameters('PlaybookName'))]",
"AzureStorageName": "[concat('sa', tolower(replace(replace(parameters('PlaybookName'), '-Alert', ''), '-', '')))]",
"ContainerName": "ad4iotcves",
"AzureKeyVaultName": "[concat('kv-', replace(parameters('PlaybookName'), '-Alert', ''))]",
"AzureKeyVaultConnectionName": "[concat('keyvault-', parameters('PlaybookName'))]",
"KeyName": "ad4iotcves",
"AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]",
"singlequote": "'"
},
"resources": [
{
"type": "Microsoft.KeyVault/vaults",
"apiVersion": "2016-10-01",
"name": "[variables('AzureKeyVaultName')]",
"location": "[resourceGroup().location]",
"properties": {
"sku": {
"family": "A",
"name": "standard"
},
"tenantId": "[subscription().tenantId]",
"enabledForDeployment": false,
"enabledForDiskEncryption": false,
"enabledForTemplateDeployment": true,
"enableSoftDelete": true,
"accessPolicies": [
]
}
},
{
"type": "Microsoft.KeyVault/vaults/secrets",
"apiVersion": "2016-10-01",
"name": "[concat(variables('AzureKeyVaultName'), '/', variables('KeyName'))]",
"dependsOn": [
"[resourceId('Microsoft.KeyVault/vaults', variables('AzureKeyVaultName'))]"
],
"properties": {
"value": "[parameters('APIKey')]",
"contentType": "string",
"attributes": {
"enabled": true
}
}
},
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2021-04-01",
"name": "[variables('AzureStorageName')]",
"location": "[resourceGroup().location]",
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"kind": "StorageV2",
"properties": {
"accessTier": "Hot",
"minimumTlsVersion": "TLS1_2",
"supportsHttpsTrafficOnly": "true",
"allowBlobPublicAccess": "false",
"allowSharedKeyAccess": "true",
"networkAcls": {
"bypass": "AzureServices",
"defaultAction": "Allow",
"ipRules": []
}
}
},
{
"name": "[concat(variables('AzureStorageName'), '/default')]",
"type": "Microsoft.Storage/storageAccounts/blobServices",
"apiVersion": "2021-02-01",
"dependsOn": [
"[concat('Microsoft.Storage/storageAccounts/', variables('AzureStorageName'))]"
],
"properties": {
"deleteRetentionPolicy": {
"enabled": "false"
}
}
},
{
"type": "Microsoft.Storage/storageAccounts/blobServices/containers",
"apiVersion": "2019-06-01",
"name": "[concat(variables('AzureStorageName'), '/default/', variables('ContainerName'))]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts/blobServices', variables('AzureStorageName'), 'default')]",
"[resourceId('Microsoft.Storage/storageAccounts', variables('AzureStorageName'))]"
],
"properties": {
"publicAccess": "None"
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('AzureBlobConnectionName')]",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts/', variables('AzureStorageName'))]"
],
"properties": {
"displayName": "[variables('AzureBlobConnectionName')]",
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azureblob')]"
},
"parameterValues": {
"accountName": "[variables('AzureStorageName')]",
"accessKey": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('AzureStorageName')), '2019-04-01').keys[0].value]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('AzureKeyVaultConnectionName')]",
"location": "[resourceGroup().location]",
"kind": "V1",
"properties": {
"displayName": "[parameters('PlaybookName')]",
"customParameterValues": {},
"parameterValueType": "Alternative",
"alternativeParameterValues": {
"vaultName": "[variables('AzureKeyVaultName')]"
},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/keyvault')]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('AzureSentinelConnectionName')]",
"location": "[resourceGroup().location]",
"kind": "V1",
"properties": {
"displayName": "[parameters('PlaybookName')]",
"customParameterValues": {},
"parameterValueType": "Alternative",
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
}
}
},
{
"type": "Microsoft.Logic/workflows",
"apiVersion": "2017-07-01",
"name": "[parameters('PlaybookName')]",
"location": "[resourceGroup().location]",
"tags": {
"LogicAppsCategory": "security",
"hidden-SentinelTemplateName": "Get-AD4IoTDeviceCVEs-incident",
"hidden-SentinelTemplateVersion": "1.0"
},
"identity": {
"type": "SystemAssigned"
},
"dependsOn": [
"[resourceId('Microsoft.Web/connections', variables('AzureBlobConnectionName'))]",
"[resourceId('Microsoft.Web/connections', variables('AzureKeyVaultConnectionName'))]",
"[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]"
],
"properties": {
"state": "Enabled",
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"actions": {
"Filter_array": {
"inputs": {
"from": "@body('Parse_JSON')",
"where": "@equals(item()?['Type'], 'iotdevice')"
},
"runAfter": {
"Parse_JSON": [
"Succeeded"
]
},
"type": "Query"
},
"For_each": {
"actions": {
"Condition": {
"actions": {
"Add_comment_to_incident_(V3)": {
"inputs": {
"body": {
"incidentArmId": "@triggerBody()?['object']?['id']",
"message": "<p>The following CVEs are found for @{items('For_each')?['DeviceName']} from sensor @{items('For_each')?['DeviceId']}:<br>\n<br>\n@{body('Create_SAS_URI_by_path_(V2)')?['WebUrl']}</p>"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/Incidents/Comment"
},
"runAfter": {
"Create_SAS_URI_by_path_(V2)": [
"Succeeded"
]
},
"type": "ApiConnection"
},
"Create_SAS_URI_by_path_(V2)": {
"inputs": {
"body": {
"Permissions": "Read"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azureblob']['connectionId']"
}
},
"method": "post",
"path": "[concat('/v2/datasets/@{encodeURIComponent(', variables('singlequote'), variables('AzureStorageName'), variables('singlequote'),')}/CreateSharedLinkByPath')]",
"queries": {
"path": "[concat(variables('ContainerName'),'/@{body(', variables('singlequote'),'Alert_-_Get_incident', variables('singlequote'),')?[', variables('singlequote'),'properties', variables('singlequote'),']?[', variables('singlequote'),'incidentNumber', variables('singlequote'),']}-@{items(', variables('singlequote'),'For_each', variables('singlequote'),')?[', variables('singlequote'),'IpAddress', variables('singlequote'),']?[', variables('singlequote'),'Address', variables('singlequote'),']}.json')]"
}
},
"runAfter": {
"Create_blob_(V2)": [
"Succeeded"
]
},
"type": "ApiConnection"
},
"Create_blob_(V2)": {
"inputs": {
"body": "@body('HTTP')",
"headers": {
"ReadFileMetadataFromServer": true
},
"host": {
"connection": {
"name": "@parameters('$connections')['azureblob']['connectionId']"
}
},
"method": "post",
"path": "[concat('/v2/datasets/@{encodeURIComponent(encodeURIComponent(', variables('singlequote'), variables('AzureStorageName'), variables('singlequote'),'))}/files')]",
"queries": {
"folderPath": "[variables('ContainerName')]",
"name": "-@{items('For_each')?['IpAddress']?['Address']}.json",
"queryParametersSingleEncoded": true
}
},
"runAfter": {},
"runtimeConfiguration": {
"contentTransfer": {
"transferMode": "Chunked"
}
},
"type": "ApiConnection"
}
},
"else": {
"actions": {
"Add_comment_to_incident_(V3)_2": {
"inputs": {
"body": {
"incidentArmId": "@triggerBody()?['object']?['id']",
"message": "<p>No CVEs are found for @{items('For_each')?['DeviceName']} from sensor @{items('For_each')?['DeviceId']}.</p>"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/Incidents/Comment"
},
"runAfter": {},
"type": "ApiConnection"
}
}
},
"expression": {
"and": [
{
"not": {
"equals": [
"@length(body('HTTP'))",
0
]
}
}
]
},
"runAfter": {
"For_each_2": [
"Succeeded"
]
},
"type": "If"
},
"For_each_2": {
"actions": {
"Append_to_array_variable": {
"inputs": {
"name": "CVEs",
"value": {
"attackVector": "@{items('For_each_2')?['attackVector']}",
"cveId": "@{items('For_each_2')?['cveId']}",
"ipAddress": "@{items('For_each_2')?['ipAddress']}",
"score": "@{items('For_each_2')?['score']}"
}
},
"runAfter": {},
"type": "AppendToArrayVariable"
}
},
"foreach": "@body('Parse_JSON_2')",
"runAfter": {
"Parse_JSON_2": [
"Succeeded"
]
},
"type": "Foreach"
},
"HTTP": {
"inputs": {
"headers": {
"Authorization": "@body('Get_secret')?['value']"
},
"method": "GET",
"uri": "@{variables('Server')}/api/v1/devices/@{items('For_each')?['IpAddress']?['Address']}/cves"
},
"runAfter": {},
"type": "Http"
},
"Parse_JSON_2": {
"inputs": {
"content": "@body('HTTP')",
"schema": {
"items": {
"properties": {
"attackVector": {
"type": "string"
},
"cveId": {
"type": "string"
},
"description": {
"type": "string"
},
"ipAddress": {
"type": "string"
},
"score": {
"type": "string"
}
},
"required": [],
"type": "object"
},
"type": "array"
}
},
"runAfter": {
"HTTP": [
"Succeeded"
]
},
"type": "ParseJson"
}
},
"foreach": "@body('Filter_array')",
"runAfter": {
"Filter_array": [
"Succeeded"
]
},
"type": "Foreach"
},
"Get_secret": {
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['keyvault']['connectionId']"
}
},
"method": "get",
"path": "[concat('/secrets/@{encodeURIComponent(', variables('singlequote'), variables('KeyName'), variables('singlequote'), ')}/value')]"
},
"runAfter": {},
"type": "ApiConnection"
},
"Initialize_variable": {
"inputs": {
"variables": [
{
"name": "Server",
"type": "string",
"value": "[parameters('SensorURL')]"
}
]
},
"runAfter": {
"Get_secret": [
"Succeeded"
]
},
"type": "InitializeVariable"
},
"Initialize_variable_2": {
"inputs": {
"variables": [
{
"name": "CVEs",
"type": "array"
}
]
},
"runAfter": {
"Initialize_variable": [
"Succeeded"
]
},
"type": "InitializeVariable"
},
"Parse_JSON": {
"inputs": {
"content": "@triggerBody()?['object']?['properties']?['relatedEntities']",
"schema": {
"items": {
"properties": {
"$id": {
"type": "string"
},
"$ref": {
"type": "string"
},
"DeviceId": {
"type": "string"
},
"DeviceName": {
"type": "string"
},
"DeviceType": {
"type": "string"
},
"IoTHub": {
"properties": {
"$id": {
"type": "string"
},
"ResourceId": {
"type": "string"
},
"Type": {
"type": "string"
}
},
"type": "object"
},
"IpAddress": {
"properties": {
"$id": {
"type": "string"
},
"Address": {
"type": "string"
},
"Type": {
"type": "string"
}
},
"type": "object"
},
"MacAddress": {
"type": "string"
},
"OperatingSystem": {
"type": "string"
},
"Protocols": {
"items": {
"type": "string"
},
"type": "array"
},
"Type": {
"type": "string"
},
"Vendor": {
"type": "string"
}
},
"required": [],
"type": "object"
},
"type": "array"
}
},
"runAfter": {
"Initialize_variable_2": [
"Succeeded"
]
},
"type": "ParseJson"
}
},
"contentVersion": "1.0.0.0",
"outputs": {},
"parameters": {
"$connections": {
"defaultValue": {},
"type": "Object"
}
},
"triggers": {
"When_Azure_Sentinel_incident_creation_rule_was_triggered": {
"inputs": {
"body": {
"callback_url": "@{listCallbackUrl()}"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"path": "/incident-creation"
},
"type": "ApiConnectionWebhook"
}
}
},
"parameters": {
"$connections": {
"value": {
"azureblob": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureBlobConnectionName'))]",
"connectionName": "[variables('AzureBlobConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azureblob')]"
},
"azuresentinel": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
"connectionName": "[variables('AzureSentinelConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]",
"connectionProperties": {
"authentication": {
"type": "ManagedServiceIdentity"
}
}
},
"keyvault": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureKeyVaultConnectionName'))]",
"connectionName": "[variables('AzureKeyVaultConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/keyvault')]",
"connectionProperties": {
"authentication": {
"type": "ManagedServiceIdentity"
}
}
}
}
}
}
}
}
]
}

Двоичные данные
Playbooks/Get-AD4IoTDeviceCVEs/incident-trigger/images/Get-AD4IoTDeviceCVEs_incident.png Normal file
Просмотреть файл

Двоичный файл не отображается.
Режим "рядом"

После

Ширина:  |  Высота:  |  Размер: 33 KiB

Двоичные данные
Playbooks/Get-AD4IoTDeviceCVEs/incident-trigger/images/designerScreenshotDark1.png Normal file
Просмотреть файл

Двоичный файл не отображается.
Режим "рядом"

После

Ширина:  |  Высота:  |  Размер: 31 KiB

Двоичные данные
Playbooks/Get-AD4IoTDeviceCVEs/incident-trigger/images/designerScreenshotLight1.png Normal file
Просмотреть файл

Двоичный файл не отображается.
Режим "рядом"

После

Ширина:  |  Высота:  |  Размер: 39 KiB

31
Playbooks/Get-AD4IoTDeviceCVEs/readme.md Normal file
Просмотреть файл

@ -0,0 +1,31 @@
# Get-AD4IoTDeviceCVEs
author: Nicholas DiCola
This playbook will get device CVEs from the Azure Defender for IoT sensor. The CVEs will be written to a JSON blob in Azure Storage and a link will be added to the Azure Sentinel Incident comments.
## Quick Deployment
**Deploy with incident trigger** (recommended)
After deployment, attach this playbook to an **automation rule** so it runs when the incident is created.
[Learn more about automation rules](https://docs.microsoft.com/azure/sentinel/automate-incident-handling-with-automation-rules#creating-and-managing-automation-rules)
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FGet-AD4IoTDeviceCVEs%2Fincident-trigger%2Fazuredeploy.json)
[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FGet-AD4IoTDeviceCVEs%2Fincident-trigger%2Fazuredeploy.json)
**Deploy with alert trigger**
After deployment, you can run this playbook manually on an alert or attach it to an **analytics rule** so it will rune when an alert is created.
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FGet-AD4IoTDeviceCVEs%2Falert-trigger%2Fazuredeploy.json)
[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FGet-AD4IoTDeviceCVEs%2Falert-trigger%2Fazuredeploy.json)
## Prerequisites
- The Azure Defender for IoT Sensor must be accessible from the Azure Logic App.
- You will need to generate an API key. The Key will be stored in Azure Key Vault with only the Logic App system identity able to access it. For instructions to generate an API Key [see](https://docs.microsoft.com/azure/defender-for-iot/organizations/references-work-with-defender-for-iot-apis#getting-started).
## Screenshots
**Incident Trigger**<br>
![Incident Trigger](./incident-trigger/images/Get-AD4IoTDeviceCVEs_incident.png)
**Alert Trigger**<br>
![Alert Trigger](./alert-trigger/images/Get-AD4IoTDeviceCVEs_alert.png)