update ReversingLabs solution to v3.0.1
|
@ -1,40 +1,5 @@
|
|||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<!-- Generator: Adobe Illustrator 21.1.0, SVG Export Plug-In . SVG Version: 6.00 Build 0) -->
|
||||
<svg version="1.1" xmlns="http://www.w3.org/2000/svg" x="0px" y="0px" viewBox="0 0 841.9 595.3" xml:space="preserve">
|
||||
<g>
|
||||
<g>
|
||||
<path class="st0" d="M279.3,303.1h-30.8l-27.9,92.2H173v-92.2h-20.6v109.6h84l9.7-30.7h35.2l9.4,30.7h22.5L279.3,303.1z M250,365
|
||||
l9.3-30.2c1.6-5.5,2.7-11.4,3.8-17.3h1.3c1,5.9,2.2,11.8,3.8,17.3l9.1,30.2H250z" fill="#F6143F"/>
|
||||
<path class="st0" d="M349.8,413.5c-12.5,0-17.8-0.3-31.7-0.9V303.1c14.5-0.6,19.8-0.9,32.3-0.9c29.3,0,47.5,5.2,47.5,29.8v1.3
|
||||
c0,9.4-4.1,18.6-13.9,23c10.3,4.3,14.5,13.7,14.5,23.1v1.5C398.5,408.3,378.1,413.5,349.8,413.5 M377.8,332.7
|
||||
c0-12.5-9.9-13.6-27.4-13.6h-12.2v29.7h18.6c17,0,21.1-5.6,21.1-14.7V332.7z M378.3,379.3c-0.1-9.6-4.6-15.6-21.4-15.6h-18.7v32.9
|
||||
h5.6c22.4,0,34.5-0.1,34.5-15.6V379.3z" fill="#F6143F"/>
|
||||
<path class="st0" d="M446,415c-14.3,0-29.1-1.9-34.5-3.4v-15.8c9,0.9,19.2,1.8,32.9,1.8c13.3,0,19.6-3.7,19.6-13.6
|
||||
c0-7.1-2.8-11.1-13.7-15.6l-16.5-6.8c-16.2-6.6-24.9-15.9-24.9-31.9c0-21.2,13.3-28.9,39.2-28.9c13.8,0,26.8,2.2,32,3.5V320
|
||||
c-8.4-0.7-19.6-1.9-31.1-1.9c-12.8,0-19.8,2.2-19.8,11.1c0,6.6,3.1,10,14,14.5l14.9,6.1c19.2,7.8,26.8,15.6,26.8,34.2
|
||||
C484.9,403.8,470.6,415,446,415" fill="#F6143F"/>
|
||||
</g>
|
||||
<g>
|
||||
<path class="st1" d="M52.9,292.1l25.8-44.7c-11.7-5-18.9-13.7-18.9-30.4v-1c0-28.9,21.8-34.2,48.2-34.2c11.1,0,21,0.3,30.7,0.7
|
||||
v109.6h-20.1v-40.4h-10.2c-3.4,0-6.6,0-9.6-0.1l-24.2,40.6H52.9z M80,217.2c0,14.2,8.4,18.1,27.3,18.1c3.8,0,7.5,0,11.4-0.2v-36
|
||||
c-26.8,0-38.6,0.2-38.6,17.1V217.2z" fill="#231F20"/>
|
||||
<path class="st1" d="M291.5,182.5l-22.6,75.9c-1.9,6.4-3.2,13.7-4.4,19.6h-0.3c-1.5-5.8-2.5-13.3-4.4-19.6l-22.6-75.9h-84.9v109.6
|
||||
h69.8v-16.9H173V244h46v-16.5h-46v-27.9h48.1l27.9,92.5h30.1l33.2-109.6H291.5z" fill="#231F20"/>
|
||||
<polygon class="st1" points="318,292.1 318,182.5 387.7,182.5 387.7,199.6 338.6,199.6 338.6,227.5 384.6,227.5 384.6,244
|
||||
338.6,244 338.6,275.1 387.7,275.1 387.7,292.1" fill="#231F20"/>
|
||||
<path class="st1" d="M463.7,292.1l-24.2-40.5c-2.9,0.1-6.2,0.1-9.6,0.1h-10.2v40.4h-20.1V182.5c9.7-0.4,19.6-0.7,30.7-0.7
|
||||
c26.4,0,48.2,5.3,48.2,34.2v1c0,16.7-7.2,25.4-18.9,30.4l25.8,44.7H463.7z M458.4,216.3c0-17-11.8-17.1-38.6-17.1v36
|
||||
c3.8,0.2,7.5,0.2,11.4,0.2c18.9,0,27.3-4,27.3-18.1V216.3z" fill="#231F20"/>
|
||||
<path class="st1" d="M525.1,294.5c-14.3,0-29.1-1.9-34.5-3.4v-15.8c9,0.9,19.2,1.8,32.9,1.8c13.3,0,19.6-3.7,19.6-13.6
|
||||
c0-7.1-2.8-11.1-13.7-15.6l-16.5-6.8c-16.2-6.6-24.9-15.9-24.9-31.9c0-21.2,13.3-28.9,39.2-28.9c13.9,0,26.8,2.2,32,3.5v15.6
|
||||
c-8.4-0.7-19.6-1.9-31.1-1.9c-12.8,0-19.8,2.2-19.8,11.1c0,6.6,3.1,10,14,14.5l14.9,6c19.2,7.8,26.8,15.6,26.8,34.2
|
||||
C564,283.2,549.7,294.5,525.1,294.5" fill="#231F20"/>
|
||||
<rect x="573" y="182.5" class="st1" width="20.6" height="109.6" fill="#231F20"/>
|
||||
<path class="st1" d="M671.5,292.1l-35.1-65c-2.7-5-5.8-10.9-8.3-16.4h-0.3c0.3,6.2,0.6,13,0.6,19.6v61.8h-18.9V182.5h23.9l35,63.7
|
||||
c2.6,5,6,11.4,8.4,16.7h0.3c-0.5-6.5-0.6-14.2-0.6-20.8v-59.6h19v109.6H671.5z" fill="#231F20"/>
|
||||
<path class="st1" d="M753.2,294.5c-25.1,0-45.9-9.7-45.9-49.4v-15.5c0-41.9,23.6-49.3,46.3-49.3c16.1,0,31.9,2.7,35.2,3.7v15.8
|
||||
c-7.1-0.6-24.2-1.5-31.7-1.5c-17.8,0-29.3,4-29.3,31.3V245c0,25.1,9.1,31.4,26.8,31.4c5.5,0,10.9-0.2,14.7-0.4v-26.6l-8.4,0v-15.7
|
||||
h28v57.4C783,292.4,769,294.5,753.2,294.5" fill="#231F20"/>
|
||||
</g>
|
||||
</g>
|
||||
<svg width="35" height="35" viewBox="0 0 35 35" fill="none" xmlns="http://www.w3.org/2000/svg">
|
||||
<path d="M34.8095 0.0800781H0V34.8896H34.8095V0.0800781Z" fill="#F6143F"/>
|
||||
<path d="M19.9053 25.1271V9.94824H22.764V22.7109H29.1984V25.1271H19.9053Z" fill="white"/>
|
||||
<path d="M5.16895 25.1267L8.7446 18.9401C7.12494 18.2498 6.12482 17.0461 6.12482 14.7361V14.5945C6.12482 10.594 9.15173 9.85938 12.807 9.85938C14.3382 9.85938 15.71 9.90363 17.0553 9.95673V25.1356H14.2762V19.542H12.869C12.3999 19.542 11.9485 19.542 11.5414 19.5243L8.19586 25.1444H5.16895V25.1267ZM8.93046 14.7538C8.93046 16.7186 10.0987 17.2674 12.7097 17.2674C13.2407 17.2674 13.7541 17.2674 14.2851 17.2497V12.2667C10.5678 12.2667 8.93046 12.2844 8.93046 14.6387V14.7626V14.7538Z" fill="white"/>
|
||||
</svg>
|
||||
|
|
|
@ -2,18 +2,22 @@
|
|||
"Name": "ReversingLabs",
|
||||
"Author": "ReversingLabs - support@reversinglabs.com",
|
||||
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/reversinglabs.svg\" width=\"75px\" height=\"75px\">",
|
||||
"Description": "The ReversingLabs content pack solution for Microsoft Sentinel includes resources designed to automate your security operations using the power of TitaniumCloud APIs and visualize your threat intelligence capabilities using included workbooks.",
|
||||
"Description": "The ReversingLabs Content Pack solution for Microsoft Sentinel includes a number of Microsoft Sentinel resources designed to automate your security operations using the power of Spectra Intelligence (formerly TitaniumCloud) and Spectra Analyze (formerly A1000) APIs.",
|
||||
"WorkbookDescription": "The ReversingLabs-CapabilitiesOverview workbook provides a high level look at your threat intellgience capabilties and how they relate to your operations.",
|
||||
"Workbooks": [
|
||||
"Workbooks/ReversingLabs-CapabilitiesOverview/ReversingLabs-CapabilitiesOverview.json"
|
||||
],
|
||||
"WorkbookDescription": "The ReversingLabs-CapabilitiesOverview workbook provides a high level look at your threat intelligence capabilities and how they relate to your operations.",
|
||||
"WorkbookBladeDescription": "The ReversingLabs-CapabilitiesOverview workbook provides a high level look at your threat intelligence capabilities and how they relate to your operations.",
|
||||
"WorkbookBladeDescription": "This Microsoft Sentinel Solution installs workbooks. Workbooks provide a flexible canvas for data monitoring, analysis, and the creation of rich visual reports within the Azure portal. They allow you to tap into one or many data sources from Microsoft Sentinel and combine them into unified interactive experiences.",
|
||||
"Analytic Rules": [],
|
||||
"PlaybooksBladeDescription": "This solution installs the following Playbook templates. After installing the solution, playbooks can be managed in the Manage solution view. ",
|
||||
"Playbooks": [
|
||||
"Playbooks/ReversingLabs-EnrichFilehash/azuredeploy.json",
|
||||
"Playbooks/ReversingLabs-CheckQuota/azuredeploy.json"
|
||||
"Playbooks/SpectraIntelligence-EnrichFilehash/azuredeploy.json",
|
||||
"Playbooks/ReversingLabs-CheckQuota/azuredeploy.json",
|
||||
"Playbooks/SpectraAnalyze-EnrichFileHash/azuredeploy.json",
|
||||
"Playbooks/SpectraIntelligence-EnrichNetworkEntities/azuredeploy.json",
|
||||
"Playbooks/SpectraAnalyze-EnrichNetworkEntities/azuredeploy.json"
|
||||
],
|
||||
"PlaybooksBladeDescription": "This solution installs the following Playbook templates. After installing the solution, playbooks can be managed in the Manage solution view.",
|
||||
"PlaybookDescription": "The solution install playbooks that help automate your security operations with ReversingLabs Spectra Intelligence and Spectra Analyze.",
|
||||
"Parsers": [],
|
||||
"SavedSearches": [],
|
||||
"Hunting Queries": [],
|
||||
|
@ -21,7 +25,7 @@
|
|||
"Watchlists": [],
|
||||
"WatchlistDescription": [],
|
||||
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\ReversingLabs",
|
||||
"Version": "3.0.0",
|
||||
"Version": "3.0.1",
|
||||
"Metadata": "SolutionMetadata.json",
|
||||
"TemplateSpec": true,
|
||||
"Is1Pconnector": false
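Review bot: The new entry `Playbooks/SpectraIntelligence-EnrichFilehash/azuredeploy.json` spells its suffix `Filehash` while the sibling entry is `SpectraAnalyze-EnrichFileHash`; the solution packager runs on case-sensitive filesystems, so confirm the on-disk folder is really `EnrichFilehash` or align both entries to `EnrichFileHash`. The `Playbooks` list also mixes the old `ReversingLabs-CheckQuota` prefix with the new `Spectra*` naming, which is fine if the folder was deliberately not renamed, but worth a one-line note in the release notes. `BasePath` is context here rather than part of the change, yet it still points at a developer's local `C:\GitHub\...` checkout, which the packaging tool reads; it is worth normalising in the same bump.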
|
||||
|
|
|
@ -6,7 +6,7 @@
|
|||
"config": {
|
||||
"isWizard": false,
|
||||
"basics": {
|
||||
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/reversinglabs.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe ReversingLabs content pack solution for Microsoft Sentinel includes resources designed to automate your security operations using the power of TitaniumCloud APIs and visualize your threat intelligence capabilities using included workbooks.\n\n**Workbooks:** 1, **Playbooks:** 2\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
|
||||
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/reversinglabs.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/ReversingLabs/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe ReversingLabs Content Pack solution for Microsoft Sentinel includes a number of Microsoft Sentinel resources designed to automate your security operations using the power of Spectra Intelligence (formerly TitaniumCloud) and Spectra Analyze (formerly A1000) APIs.\n\n**Workbooks:** 1, **Playbooks:** 5\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
|
||||
"subscription": {
|
||||
"resourceProviders": [
|
||||
"Microsoft.OperationsManagement/solutions",
|
||||
|
@ -64,7 +64,7 @@
|
|||
"name": "workbooks-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "The ReversingLabs-CapabilitiesOverview workbook provides a high level look at your threat intelligence capabilities and how they relate to your operations."
|
||||
"text": "This Microsoft Sentinel Solution installs workbooks. Workbooks provide a flexible canvas for data monitoring, analysis, and the creation of rich visual reports within the Azure portal. They allow you to tap into one or many data sources from Microsoft Sentinel and combine them into unified interactive experiences."
|
||||
}
|
||||
},
|
||||
{
|
||||
|
@ -106,7 +106,7 @@
|
|||
"name": "playbooks-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "This solution installs the following Playbook templates. After installing the solution, playbooks can be managed in the Manage solution view. "
|
||||
"text": "This solution installs the following Playbook templates. After installing the solution, playbooks can be managed in the Manage solution view."
|
||||
}
|
||||
},
|
||||
{
|
||||
|
|
|
@ -0,0 +1,32 @@
|
|||
{
|
||||
"location": {
|
||||
"type": "string",
|
||||
"minLength": 1,
|
||||
"defaultValue": "[resourceGroup().location]",
|
||||
"metadata": {
|
||||
"description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
|
||||
}
|
||||
},
|
||||
"workspace-location": {
|
||||
"type": "string",
|
||||
"defaultValue": "",
|
||||
"metadata": {
|
||||
"description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
|
||||
}
|
||||
},
|
||||
"workspace": {
|
||||
"defaultValue": "",
|
||||
"type": "string",
|
||||
"metadata": {
|
||||
"description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
|
||||
}
|
||||
},
|
||||
"workbook1-name": {
|
||||
"type": "string",
|
||||
"defaultValue": "ReversingLabs-CapabilitiesOverview",
|
||||
"minLength": 1,
|
||||
"metadata": {
|
||||
"description": "Name for the workbook"
|
||||
}
|
||||
}
|
||||
}
|
|
@ -13,8 +13,8 @@ You'll need the following:
|
|||
## Deployment instructions
|
||||
1. Deploy the playbook by clicking on "Deploy to Azure" button. This will take you to deploying an ARM Template wizard.
|
||||
|
||||
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FReversingLabs%2FPlaybooks%2FReversingLabs-CheckQuotas%2Fazuredeploy.json)
|
||||
[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FReversingLabs%2FPlaybooks%2FReversingLabs-CheckQuotas%2Fazuredeploy.json)
|
||||
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FReversingLabs%2FPlaybooks%2FReversingLabs-CheckQuota%2Fazuredeploy.json)
|
||||
[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FReversingLabs%2FPlaybooks%2FReversingLabs-CheckQuota%2Fazuredeploy.json)
|
||||
|
||||
## Post-deployment
|
||||
a. Authorize connections (Perform this action if needed)
|
||||
|
|
|
@ -5,12 +5,20 @@
|
|||
"title": "ReversingLabs-CheckQuota",
|
||||
"description": "This playbook will check your ReversingLabs TitaniumCloud API quota and provide usage details. To be used in conjunction with the ReversingLabs-CapabilitiesOverview workbook.",
|
||||
"prerequisites": [
|
||||
"ReversingLabs TitaniumCloud license",
|
||||
"ReversingLabs TitaniumCloud username and password"
|
||||
"ReversingLabs Spectra Intelligence license",
|
||||
"ReversingLabs Spectra Intelligence username and password"
|
||||
],
|
||||
"lastUpdateTime": "2023-02-21T10:00:00.000Z",
|
||||
"lastUpdateTime": "2024-07-18T10:00:00.000Z",
|
||||
"postDeploymentSteps": ["None"],
|
||||
"version": "1.0.0",
|
||||
"entities": [],
|
||||
"tags": [""],
|
||||
"tags": [ "Enrichment" ],
|
||||
"support": {
|
||||
"name": "ReversingLabs",
|
||||
"tier": "Partner",
|
||||
"email": "support@reversinglabs.com",
|
||||
"link": "https://support.reversinglabs.com/hc/en-us"
|
||||
},
|
||||
"author": {
|
||||
"name": "Aaron Hoffmann"
|
||||
}
|
||||
|
@ -44,7 +52,7 @@
|
|||
"resources": [
|
||||
{
|
||||
"type": "Microsoft.Web/connections",
|
||||
"apiVersion": "2016-06-01",
|
||||
"apiVersion": "2018-07-01-preview",
|
||||
"name": "[variables('connectionName_keyvault')]",
|
||||
"location": "[resourceGroup().location]",
|
||||
"properties": {
|
||||
|
@ -60,7 +68,7 @@
|
|||
},
|
||||
{
|
||||
"type": "Microsoft.Web/connections",
|
||||
"apiVersion": "2016-06-01",
|
||||
"apiVersion": "2018-07-01-preview",
|
||||
"name": "[variables('connectionName_azureloganalyticsdatacollector')]",
|
||||
"location": "[resourceGroup().location]",
|
||||
"properties": {
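Review bot: The playbook metadata `version` is left at `1.0.0` while `lastUpdateTime` moves to 2024-07-18 and both `Microsoft.Web/connections` resources change API version; bump it, e.g. `"version": "1.0.1"`, since the solution's Content Hub update detection appears to key off this field (verify against the packaging docs). The new `apiVersion` `2018-07-01-preview` replaces the GA `2016-06-01` on both connections; confirm a preview API version is intentional here, noting each connection's `properties` block continues outside the hunk. The updated prerequisites still say `Spectra Intelligence username and password`, but the only connections visible in this template are Key Vault and the Log Analytics Data Collector, so state where the operator is expected to store those credentials (presumably the Key Vault the playbook connects to) rather than leaving it implicit.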
|
||||
|
|
|
@ -0,0 +1,27 @@
|
|||
# SpectraAnalyze-EnrichFileHash
|
||||
|
||||
Author: Aaron Hoffmann (ReversingLabs)
|
||||
|
||||
This playbook enriches file hash entities with information from a ReversingLabs Spectra Analyze (formerly A1000) appliance.
|
||||
|
||||
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FReversingLabs%2FPlaybooks%2FSpectraAnalyze-EnrichFileHash%2Fazuredeploy.json)
|
||||
[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FReversingLabs%2FPlaybooks%2FSpectraAnalyze-EnrichFileHash%2Fazuredeploy.json)
|
||||
## Prerequisites
|
||||
|
||||
You'll need the following:
|
||||
* A ReversingLabs Spectra Analyze Appliance URL
|
||||
* A Spectra Analyze API Token
|
||||
|
||||
|
||||
## Post-deployment
|
||||
|
||||
After deploying the template, you'll want to update the playbook connections with your Spectra Analyze API token.
|
||||
|
||||
## Screenshots
|
||||
|
||||
![Playbook overview](./playbook.jpg)
|
||||
|
||||
## References
|
||||
|
||||
- [ReversingLabs content pack installation guide](https://reversinglabs-marketplace.azureedge.net/help/ReversingLabsSentinelContentHubInstall.pdf)
|
||||
- [Video - How to install and configure the ReversingLabs content pack](https://www.youtube.com/watch?v=gLjMDz618O0)
|
|
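--- /dev/null
+++ b/Solutions/ReversingLabs/Playbooks/SpectraAnalyze-EnrichFileHash/azuredeploy.json
@@ -0,0 +1,503 @@
+{
+"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+"contentVersion": "1.0.0.0",
+"metadata": {
+"title": "SpectraAnalyze-EnrichFileHash",
+"description": "This playbook will enrich a Microsoft Sentinel incident with file hash information from a Spectra Analyze appliance. A comment will be added to the incident with details about the file.",
+"prerequisites": [
+"ReversingLabs Spectra Analyze URL",
+"ReversingLabs Spectra Analyze API Token"
+],
+"lastUpdateTime": "2024-07-17T10:00:00.000Z",
+"postDeploymentSteps": ["None"],
+"version": "1.0.0",
+"entities": [ "FileHash" ],
+"tags": [ "Enrichment" ],
+"support": {
+"name": "ReversingLabs",
+"tier": "Partner",
+"email": "support@reversinglabs.com",
+"link": "https://support.reversinglabs.com/hc/en-us"
+},
+"author": {
+"name": "Aaron Hoffmann"
+}
+},
+"parameters": {
+"PlaybookName": {
+"defaultValue": "SpectraAnalyze-EnrichFileHash",
+"type": "string",
+"metadata": {
+"description": "Name of the playbook (Logic Apps resources) which will be created"
+}
+},
+"a1000BaseUrl": {
+"defaultValue": "https://a1000.reversinglabs.com",
+"type": "string"
+}
+},
+"variables": {
+"AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]",
+"ReversingLabsA1000ConnectionName": "[concat('reversinglabs1000-', parameters('PlaybookName'))]"
+},
+"resources": [
+{
+"type": "Microsoft.Web/connections",
+"apiVersion": "2018-07-01-preview",
+"name": "[variables('AzureSentinelConnectionName')]",
+"location": "[resourceGroup().location]",
+"properties": {
+"customParameterValues": {},
+"api": {
+"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
+}
+}
+},
+{
+"type": "Microsoft.Web/connections",
+"apiVersion": "2018-07-01-preview",
+"name": "[variables('ReversingLabsA1000ConnectionName')]",
+"location": "[resourceGroup().location]",
+"properties": {
+"displayName": "[variables('ReversingLabsA1000ConnectionName')]",
+"customParameterValues": {},
+"api": {
+"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/reversinglabsa1000')]"
+}
+}
+},
+{
+"type": "Microsoft.Logic/workflows",
+"apiVersion": "2019-05-01",
+"name": "[parameters('PlaybookName')]",
+"location": "[resourceGroup().location]",
+"dependsOn": [
+"[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
+"[resourceId('Microsoft.Web/connections', variables('ReversingLabsA1000ConnectionName'))]"
+],
+"properties": {
+"state": "Enabled",
+"definition": {
+"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+"contentVersion": "1.0.0.0",
+"parameters": {
+"$connections": {
+"defaultValue": {},
+"type": "Object"
+}
+},
+"triggers": {
+"Microsoft_Sentinel_incident": {
+"type": "ApiConnectionWebhook",
+"inputs": {
+"body": {
+"callback_url": "@{listCallbackUrl()}"
+},
+"host": {
+"connection": {
+"name": "@parameters('$connections')['azuresentinel']['connectionId']"
+}
+},
+"path": "/incident-creation"
+}
+}
+},
+"actions": {
+"Entities_-_Get_FileHashes": {
+"runAfter": {
+"Spectra_Analyze_URL": [
+"Succeeded"
+]
+},
+"type": "ApiConnection",
+"inputs": {
+"body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
+"host": {
+"connection": {
+"name": "@parameters('$connections')['azuresentinel']['connectionId']"
+}
+},
+"method": "post",
+"path": "/entities/filehash"
+}
+},
+"For_each_file_hash_entity": {
+"foreach": "@body('Entities_-_Get_FileHashes')?['Filehashes']",
+"actions": {
+"Add_comment_to_incident_(V3)": {
+"runAfter": {
+"Condition_-_hash_not_found": [
+"Succeeded"
+]
+},
+"type": "ApiConnection",
+"inputs": {
+"body": {
+"incidentArmId": "@triggerBody()?['object']?['id']",
+"message": "<p>@{outputs('Compose_RL_logo')}</p><p><b><strong>ЯEVERSINGLABS</strong></b><b><strong> - Spectra Analyze File Hash Enrichment</strong></b>@{variables('classification result')}</p>"
+},
+"host": {
+"connection": {
+"name": "@parameters('$connections')['azuresentinel']['connectionId']"
+}
+},
+"method": "post",
+"path": "/Incidents/Comment"
+}
+},
+"Clear_classification_result": {
+"runAfter": {
+"Retrieve_the_static_analysis_report": [
+"Succeeded"
+]
+},
+"type": "SetVariable",
+"inputs": {
+"name": "classification result",
+"value": " "
+}
+},
+"Condition_-_hash_not_found": {
+"actions": {
+"Set_classification_result": {
+"runAfter": {},
+"type": "SetVariable",
+"inputs": {
+"name": "classification result",
+"value": "<table><tr><td style=\"font-weight: bold;\">Hash (@{items('For_each_file_hash_entity')?['algorithm']})</td><td>@{items('For_each_file_hash_entity')?['hashValue']}</td></tr><tr><td style=\"font-weight: bold;\">Status</td><td style=\"background-color: grey; font-weight: bold; color: white\">LOCAL COPY NOT AVAILABLE</td></tr><tr><td style=\"font-weight: bold;\">Status Description</td><td>The sample does not exist on the local Spectra Analyze appliance.</td></tr><tr><td style=\"font-weight: bold;\">Report Link</td><td>N/A</td></tr></table>"
+}
+}
+},
+"runAfter": {
+"Clear_classification_result": [
+"Succeeded"
+]
+},
+"else": {
+"actions": {
+"Switch_on_classification": {
+"runAfter": {},
+"cases": {
+"Case_goodware": {
+"case": "goodware",
+"actions": {
+"Set_classification_result_4": {
+"runAfter": {},
+"type": "SetVariable",
+"inputs": {
+"name": "classification result",
+"value": "<table><tr><td style=\"font-weight: bold;\">Hash (@{items('For_each_file_hash_entity')?['algorithm']})</td><td>@{items('For_each_file_hash_entity')?['hashValue']}</td></tr><tr><td style=\"font-weight: bold;\">Classification</td><td style=\"background-color: green; font-weight: bold; color: white\">GOODWARE</td></tr><tr><td style=\"font-weight: bold;\">Threat Name</td><td>@{body('Parse_JSON_response')?['classification_result']}</td></tr><tr><td style=\"font-weight: bold;\">Last Seen</td><td>@{body('Parse_JSON_response')?['last_seen']}</td></tr><tr><td style=\"font-weight: bold;\">Report Link</td><td style=\"word-break: break-all\">@{variables('Spectra Analyze Base URL')}/@{items('For_each_file_hash_entity')?['hashValue']}</td></tr><tr><td style=\"font-weight: bold;\">Story</td><td style=\"word-break: break-all\">@{body('Retrieve_the_static_analysis_report')?['story']}</td></tr></table>"
+}
+}
+}
+},
+"Case_malicious": {
+"case": "malicious",
+"actions": {
+"Set_classification_result_2": {
+"runAfter": {},
+"type": "SetVariable",
+"inputs": {
+"name": "classification result",
+"value": "<table><tr><td style=\"font-weight: bold;\">Hash (@{items('For_each_file_hash_entity')?['algorithm']})</td><td>@{items('For_each_file_hash_entity')?['hashValue']}</td></tr><tr><td style=\"font-weight: bold;\">Classification</td><td style=\"background-color: red; font-weight: bold; color: white\">MALICIOUS</td></tr><tr><td style=\"font-weight: bold;\">Threat Name</td><td>@{body('Parse_JSON_response')?['classification_result']}</td></tr><tr><td style=\"font-weight: bold;\">Last Seen</td><td>@{body('Parse_JSON_response')?['last_seen']}</td></tr><tr><td style=\"font-weight: bold;\">Report Link</td><td style=\"word-break: break-all\">@{variables('Spectra Analyze Base URL')}/@{items('For_each_file_hash_entity')?['hashValue']}</td></tr><tr><td style=\"font-weight: bold;\">Story</td><td style=\"word-break: break-all\">@{body('Retrieve_the_static_analysis_report')?['story']}</td></tr></table>"
+}
+}
+}
+},
+"Case_suspicious": {
+"case": "suspicious",
+"actions": {
+"Set_classification_result_3": {
+"runAfter": {},
+"type": "SetVariable",
+"inputs": {
+"name": "classification result",
+"value": "<table><tr><td style=\"font-weight: bold;\">Hash (@{items('For_each_file_hash_entity')?['algorithm']})</td><td>@{items('For_each_file_hash_entity')?['hashValue']}</td></tr><tr><td style=\"font-weight: bold;\">Classification</td><td style=\"background-color: orange; font-weight: bold; color: black\">SUSPICIOUS</td></tr><tr><td style=\"font-weight: bold;\">Threat Name</td><td>@{body('Parse_JSON_response')?['classification_result']}</td></tr><tr><td style=\"font-weight: bold;\">Last Seen</td><td>@{body('Parse_JSON_response')?['last_seen']}</td></tr><tr><td style=\"font-weight: bold;\">Report Link</td><td style=\"word-break: break-all\">@{variables('Spectra Analyze Base URL')}/@{items('For_each_file_hash_entity')?['hashValue']}</td></tr><tr><td style=\"font-weight: bold;\">Story</td><td style=\"word-break: break-all\">@{body('Retrieve_the_static_analysis_report')?['story']}</td></tr></table>"
+}
+}
+}
+}
+},
+"default": {
+"actions": {}
+},
+"expression": "@body('Parse_JSON_response')?['classification']",
+"type": "Switch"
+}
+}
+},
+"expression": {
+"and": [
+{
+"contains": [
+"@body('Parse_JSON_response')",
+"Hash not found"
+]
+}
+]
+},
+"type": "If"
+},
+"Parse_JSON_response": {
+"runAfter": {
+"Retrieve_classification_for_a_sample": [
+"Succeeded"
+]
+},
+"type": "ParseJson",
+"inputs": {
+"content": "@body('Retrieve_classification_for_a_sample')",
+"schema": {
+"properties": {
+"classification": {
+"type": [
+"string",
+"null"
+]
+},
+"classification_origin": {},
+"classification_reason": {
+"type": [
+"string",
+"null"
+]
+},
+"classification_result": {
+"type": [
+"string",
+"null"
+]
+},
+"cloud_last_lookup": {
+"type": [
+"string",
+"null"
+]
+},
+"data_source": {
+"type": [
+"string",
+"null"
+]
+},
+"first_seen": {
+"type": [
+"string",
+"null"
+]
+},
+"last_seen": {
+"type": [
+"string",
+"null"
+]
+},
+"md5": {
+"type": [
+"string",
+"null"
+]
+},
+"message": {
+"type": [
+"string",
+"null"
+]
+},
+"riskscore": {
+"type": [
+"integer",
+"null"
+]
+},
+"sha1": {
+"type": [
+"string",
+"null"
+]
+},
+"sha256": {
+"type": [
+"string",
+"null"
+]
+}
+},
+"type": "object"
+}
+}
+},
+"Retrieve_classification_for_a_sample": {
+"runAfter": {},
+"type": "ApiConnection",
+"inputs": {
+"headers": {
+"User-Agent": "ReversingLabs Azure Connector A1000 v1.1.0"
+},
+"host": {
+"connection": {
+"name": "@parameters('$connections')['reversinglabsa1000']['connectionId']"
+}
+},
+"method": "get",
+"path": "/api/samples/v3/@{encodeURIComponent(items('For_each_file_hash_entity')?['hashValue'])}/classification/"
+}
+},
+"Retrieve_the_static_analysis_report": {
+"runAfter": {
+"Parse_JSON_response": [
+"Succeeded"
+]
+},
+"type": "ApiConnection",
+"inputs": {
+"headers": {
+"User-Agent": "ReversingLabs Azure Connector A1000 v1.1.0"
+},
+"host": {
+"connection": {
+"name": "@parameters('$connections')['reversinglabsa1000']['connectionId']"
+}
+},
+"method": "get",
+"path": "/api/v2/samples/@{encodeURIComponent(items('For_each_file_hash_entity')?['hashValue'])}/ticore/"
+}
+}
+},
+"runAfter": {
+"Initialize_classification_result": [
+"Succeeded"
+]
+},
+"type": "Foreach",
+"runtimeConfiguration": {
+"concurrency": {
+"repetitions": 1
+}
+}
+},
+"Initialize_classification_reason": {
+"runAfter": {
+"Initialize_results_body": [
+"Succeeded"
+]
+},
+"type": "InitializeVariable",
+"inputs": {
+"variables": [
+{
+"name": "classification_reason",
+"type": "string"
+}
+]
+}
+},
+"Initialize_classification_result": {
+"runAfter": {
+"Initialize_variable_filenames": [
+"Succeeded"
+]
+},
+"type": "InitializeVariable",
+"inputs": {
+"variables": [
+{
+"name": "classification result",
+"type": "string"
+}
+]
+}
+},
+"Initialize_results_body": {
+"runAfter": {
+"Initialize_results_table": [
+"Succeeded"
+]
+},
+"type": "InitializeVariable",
+"inputs": {
+"variables": [
+{
+"name": "results_body",
+"type": "string"
+}
+]
+}
+},
+"Initialize_results_table": {
+"runAfter": {
+"Entities_-_Get_FileHashes": [
+"Succeeded"
+]
+},
+"type": "InitializeVariable",
+"inputs": {
+"variables": [
+{
+"name": "results_comment",
+"type": "string",
+"value": "<table>\n <tr>"
+}
+]
+}
+},
+"Initialize_variable_filenames": {
+"runAfter": {
+"Initialize_classification_reason": [
+"Succeeded"
+]
+},
+"type": "InitializeVariable",
+"inputs": {
+"variables": [
+{
+"name": "filenames",
+"type": "string"
+}
+]
+}
+},
+"Spectra_Analyze_URL": {
+"runAfter": {
+"Compose_RL_logo": [
+"Succeeded"
+]
+},
+"type": "InitializeVariable",
+"inputs": {
+"variables": [
+{
+"name": "Spectra Analyze Base URL",
+"type": "string",
+"value": "[parameters('a1000BaseUrl')]"
+}
+]
+}
+},
+"Compose_RL_logo": {
+"inputs": "<img src=\"https://www.reversinglabs.com/hubfs/RL%20Logo/rl-logo-long.svg\"></img>",
+"runAfter": {},
+"type": "Compose"
+}
+}
+},
+"parameters": {
+"$connections": {
+"value": {
+"azuresentinel": {
+"connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
+"connectionName": "azuresentinel",
+"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
+},
+"reversinglabsa1000": {
+"connectionId": "[resourceId('Microsoft.Web/connections', variables('ReversingLabsA1000ConnectionName'))]",
+"connectionName": "reversinglabsa1000",
+"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/reversinglabsa1000')]"
+}
+}
+}
+}
+}
+}
+]
+}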
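Review bot: `postDeploymentSteps` is declared as `["None"]` in the metadata while the playbook's own readme tells the operator to supply the Spectra Analyze API token after deployment, and the `reversinglabsa1000` connection resource is created with no `parameterValues`, so that authorization step is real and should be listed, e.g. `"postDeploymentSteps": ["Authorize the Spectra Analyze connection with your API token"]`. The `a1000BaseUrl` parameter has no `metadata.description` and is only used to build the Report Link in the comment (via the `Spectra Analyze Base URL` variable), not to reach the appliance, so it can silently diverge from the host configured on the connection; say so in the parameter's description. The comment HTML interpolates entity- and API-supplied strings (`hashValue`, `classification_result`, `last_seen`, `story`) with no encoding, and unless Sentinel's comment rendering is known to sanitize markup each one should be wrapped, e.g. `replace(replace(replace(x,'&','&amp;'),'<','&lt;'),'>','&gt;')`. The `contains(body('Parse_JSON_response'), 'Hash not found')` test appears to inspect an object, which in Logic Apps matches on key names rather than the `message` text, so the not-found branch may never fire — and a 404 would fail `Retrieve_classification_for_a_sample` before the check is reached anyway, so confirm what the connector actually returns for an unknown hash. The variables `results_comment`, `results_body`, `classification_reason` and `filenames` are initialized and never read.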
|
Solutions/ReversingLabs/Playbooks/SpectraAnalyze-EnrichFileHash/playbook.jpg
|
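--- /dev/null
+++ b/Solutions/ReversingLabs/Playbooks/SpectraAnalyze-EnrichNetworkEntities/<README-FILENAME-NOT-SHOWN>
@@ -0,0 +1,32 @@
+# SpectraAnalyze-EnrichNetworkEntities
+
+Author: Aaron Hoffmann (ReversingLabs)
+
+## Summary
+This playbook enriches network entities (IP addresses, URLs, and domains) with information from a ReversingLabs Spectra Analyze (formerly A1000) appliance.
+
+## Prerequisites
+
+You'll need the following:
+* A ReversingLabs Spectra Analyze host URL
+* A ReversingLabs Spectra Analyze API token
+
+
+## Deployment instructions
+1. Deploy the playbook by clicking on "Deploy to Azure" button. This will take you to deploying an ARM Template wizard.
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FReversingLabs%2FPlaybooks%2FSpectraAnalyze-EnrichNetworkEntities%2Fazuredeploy.json)
+[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FReversingLabs%2FPlaybooks%2FSpectraAnalyze-EnrichNetworkEntities%2Fazuredeploy.json)
+
+## Post-deployment
+
+After deploying the template, you'll want to update the playbook connections with your Spectra Analyze API token.
+
+## Screenshots
+
+![Playbook overview](./playbook.png)
+
+## References
+
+- [ReversingLabs content pack installation guide](https://reversinglabs-marketplace.azureedge.net/help/ReversingLabsSentinelContentHubInstall.pdf)
+- [Video - How to install and configure the ReversingLabs content pack](https://www.youtube.com/watch?v=gLjMDz618O0)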
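--- /dev/null
+++ b/Solutions/ReversingLabs/Playbooks/SpectraAnalyze-EnrichNetworkEntities/azuredeploy.json
@@ -0,0 +1,859 @@
+{
+"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+"contentVersion": "1.0.0.0",
+"metadata": {
+"title": "SpectraAnalyze-EnrichNetworkEntities",
+"description": "This playbook will enrich a network entities (IP addresses, URLs, and domain names) with information from a Spectra Analyze appliance. A comment will be added to the incident with details about the entity.",
+"prerequisites": [
+"ReversingLabs Spectra Analyze URL",
+"ReversingLabs Spectra Analyze API Token"
+],
+"lastUpdateTime": "2024-07-17T10:00:00.000Z",
+"postDeploymentSteps": ["None"],
+"version": "1.0.0",
+"entities": ["Ip", "Url", "DomainName"],
+"tags": ["Enrichment"],
+"support": {
+"name": "ReversingLabs",
+"tier": "Partner",
+"email": "support@reversinglabs.com",
+"link": "https://support.reversinglabs.com/hc/en-us"
+},
+"author": {
+"name": "Aaron Hoffmann"
+}
+},
+"parameters": {
+"PlaybookName": {
+"defaultValue": "SpectraAnalyze-EnrichNetworkEntities",
+"type": "string",
+"metadata": {
+"description": "Name of the playbook (Logic Apps resources) which will be created"
+}
+},
+"a1000BaseUrl": {
+"defaultValue": "https://a1000.reversinglabs.com",
+"type":"string"
+}
+},
+"variables": {
+"AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]",
+"ReversingLabsA1000ConnectionName": "[concat('reversinglabs1000-', parameters('PlaybookName'))]"
+},
+"resources": [
+{
+"type": "Microsoft.Web/connections",
+"apiVersion": "2018-07-01-preview",
+"name": "[variables('AzureSentinelConnectionName')]",
+"location": "[resourceGroup().location]",
+"properties": {
+"customParameterValues": {},
+"api": {
+"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
+}
+}
+},
+{
+"type": "Microsoft.Web/connections",
+"apiVersion": "2018-07-01-preview",
+"name": "[variables('ReversingLabsA1000ConnectionName')]",
+"location": "[resourceGroup().location]",
+"properties": {
+"displayName": "[variables('ReversingLabsA1000ConnectionName')]",
+"customParameterValues": {},
+"api": {
+"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/reversinglabsa1000')]"
+}
+}
+},
+{
+"type": "Microsoft.Logic/workflows",
+"apiVersion": "2019-05-01",
+"name": "[parameters('PlaybookName')]",
+"location": "[resourceGroup().location]",
+"identity": {
+"type": "SystemAssigned"
+},
+"dependson": [
+"[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
+"[resourceId('Microsoft.Web/connections', variables('ReversingLabsA1000ConnectionName'))]"
+],
+"properties": {
+"state": "Enabled",
+"definition": {
+"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+"contentVersion": "1.0.0.0",
+"parameters": {
+"$connections": {
+"defaultValue": {},
+"type": "Object"
+}
+},
+"triggers": {
+"Microsoft_Sentinel_incident": {
+"type": "ApiConnectionWebhook",
+"inputs": {
+"host": {
+"connection": {
+"name": "@parameters('$connections')['azuresentinel']['connectionId']"
+}
+},
+"body": {
+"callback_url": "@{listCallbackUrl()}"
+},
+"path": "/incident-creation"
+}
+}
+},
+"actions": {
+"Compose_RL_logo": {
+"inputs": "<img src=\"https://www.reversinglabs.com/hubfs/RL%20Logo/rl-logo-long.svg\"></img> ",
+"runAfter": {},
+"type": "Compose"
+},
+"Condition": {
+"actions": {
+"Add_comment_to_incident_(V3)_1": {
+"inputs": {
+"body": {
+"incidentArmId": "@triggerBody()?['object']?['id']",
+"message": "<p>@{outputs('Compose_RL_logo')}</p><p><b><strong style=\"font-size: 16px;\">URL Enrichment</strong></b>@{variables('url comment')}</p>"
+},
+"host": {
+"connection": {
+"name": "@parameters('$connections')['azuresentinel']['connectionId']"
+}
+},
+"method": "post",
+"path": "/Incidents/Comment"
+},
+"runAfter": {
+"Close_URL_comment_table": [
+"Succeeded"
+]
+},
+"type": "ApiConnection"
+},
+"Close_URL_comment_table": {
+"inputs": {
+"name": "url comment",
+"value": "</table>"
+},
+"runAfter": {
+"For_each_URL_entity": [
+"Succeeded"
+]
+},
+"type": "AppendToStringVariable"
+},
+"For_each_URL_entity": {
+"actions": {
+"Append_to_string_variable_4": {
+"inputs": {
+"name": "url comment",
+"value": "@{outputs('Dedupe_categories_array')}</td><td>@{body('Retrieve_information_for_a_URL_1')?['last_seen']}</td></tr>"
+},
+"runAfter": {
+"Dedupe_categories_array": [
+"Succeeded"
+]
+},
+"type": "AppendToStringVariable"
+},
+"Dedupe_categories_array": {
+"inputs": "@union(variables('categories array'), variables('categories array'))",
+"runAfter": {
+"For_each_third_party_source": [
+"Succeeded"
+]
+},
+"type": "Compose"
+},
+"For_each_third_party_source": {
+"actions": {
+"Condition_if_source_has_categories": {
+"actions": {
+"For_each_category": {
+"actions": {
+"Append_to_array_variable": {
+"inputs": {
+"name": "categories array",
+"value": "@items('For_each_category')"
+},
+"type": "AppendToArrayVariable"
+}
+},
+"foreach": "@items('For_each_third_party_source')?['categories']",
+"type": "Foreach"
+}
+},
+"else": {
+"actions": {}
+},
+"expression": {
+"and": [
+{
+"contains": [
+"@items('For_each_third_party_source')",
+"categories"
+]
+}
+]
+},
+"type": "If"
+}
+},
+"foreach": "@body('Retrieve_information_for_a_URL_1')?['third_party_reputations']?['sources']",
+"runAfter": {
+"Switch_classification": [
+"Succeeded"
+]
+},
+"type": "Foreach"
+},
+"Retrieve_information_for_a_URL_1": {
+"inputs": {
+"headers": {
+"User-Agent": "ReversingLabs Azure Connector A1000 v1.1.0"
+},
+"host": {
+"connection": {
+"name": "@parameters('$connections')['reversinglabsa1000']['connectionId']"
+}
+},
+"method": "get",
+"path": "/api/network-threat-intel/url/",
+"queries": {
+"url": "@item()?['Url']"
+}
+},
+"type": "ApiConnection"
+},
+"Switch_classification": {
+"cases": {
+"Case_goodware": {
+"actions": {
+"Append_to_string_variable_2": {
+"inputs": {
+"name": "url comment",
+"value": "<tr><td>@{concat(substring(item()?['Url'], 0, indexOf(item()?['Url'], '.')),'[.]',substring(item()?['Url'], add(indexOf(item()?['Url'], '.'), 1), sub(length(item()?['Url']), add(indexOf(item()?['Url'], '.'), 1))))}</td><td style=\"background-color:green;color:white;font-weight:bold\">@{body('Retrieve_information_for_a_URL_1')?['classification']}</td><td>@{body('Retrieve_information_for_a_URL_1')?['reason']}</td><td><strong style=\"color:red\">malicious:</strong> @{body('Retrieve_information_for_a_URL_1')?['third_party_reputations']?['statistics']['malicious']}<br/><strong style=\"color:grey\">undetected:</strong> @{body('Retrieve_information_for_a_URL_1')?['third_party_reputations']?['statistics']['undetected']}</br><strong style=\"color: green\">clean:</strong> @{body('Retrieve_information_for_a_URL_1')?['third_party_reputations']?['statistics']['clean']}<br/>total: @{body('Retrieve_information_for_a_URL_1')?['third_party_reputations']?['statistics']['total']}</td><td>"
+},
+"type": "AppendToStringVariable"
+}
+},
+"case": "goodware"
+},
+"Case_malicious": {
+"actions": {
+"Append_to_string_variable": {
+"inputs": {
+"name": "url comment",
+"value": "<tr><td>@{concat(substring(item()?['Url'], 0, indexOf(item()?['Url'], '.')),'[.]',substring(item()?['Url'], add(indexOf(item()?['Url'], '.'), 1), sub(length(item()?['Url']), add(indexOf(item()?['Url'], '.'), 1))))}</td><td style=\"background-color:red;color:white;font-weight:bold\">@{body('Retrieve_information_for_a_URL_1')?['classification']}</td><td>@{body('Retrieve_information_for_a_URL_1')?['reason']}</td><td><strong style=\"color:red\">malicious:</strong> @{body('Retrieve_information_for_a_URL_1')?['third_party_reputations']?['statistics']['malicious']}<br/><strong style=\"color:grey\">undetected:</strong> @{body('Retrieve_information_for_a_URL_1')?['third_party_reputations']?['statistics']['undetected']}</br><strong style=\"color: green\">clean:</strong> @{body('Retrieve_information_for_a_URL_1')?['third_party_reputations']?['statistics']['clean']}<br/>total: @{body('Retrieve_information_for_a_URL_1')?['third_party_reputations']?['statistics']['total']}</td><td>"
+},
+"type": "AppendToStringVariable"
+}
+},
+"case": "malicious"
+},
+"Case_suspicious": {
+"actions": {
+"Append_to_string_variable_1": {
+"inputs": {
+"name": "url comment",
+"value": "<tr><td>@{concat(substring(item()?['Url'], 0, indexOf(item()?['Url'], '.')),'[.]',substring(item()?['Url'], add(indexOf(item()?['Url'], '.'), 1), sub(length(item()?['Url']), add(indexOf(item()?['Url'], '.'), 1))))}</td><td style=\"background-color:orange;color:black;font-weight:bold\">@{body('Retrieve_information_for_a_URL_1')?['classification']}</td><td>@{body('Retrieve_information_for_a_URL_1')?['reason']}</td><td><strong style=\"color:red\">malicious:</strong> @{body('Retrieve_information_for_a_URL_1')?['third_party_reputations']?['statistics']['malicious']}<br/><strong style=\"color:grey\">undetected:</strong> @{body('Retrieve_information_for_a_URL_1')?['third_party_reputations']?['statistics']['undetected']}</br><strong style=\"color: green\">clean:</strong> @{body('Retrieve_information_for_a_URL_1')?['third_party_reputations']?['statistics']['clean']}<br/>total: @{body('Retrieve_information_for_a_URL_1')?['third_party_reputations']?['statistics']['total']}</td><td>"
+},
+"type": "AppendToStringVariable"
+}
+},
+"case": "suspicious"
+},
+"Case_unknown": {
+"actions": {
+"Append_to_string_variable_3": {
+"inputs": {
+"name": "url comment",
+"value": "<tr><td>@{concat(substring(item()?['Url'], 0, indexOf(item()?['Url'], '.')),'[.]',substring(item()?['Url'], add(indexOf(item()?['Url'], '.'), 1), sub(length(item()?['Url']), add(indexOf(item()?['Url'], '.'), 1))))}</td><td style=\"background-color:grey;color:black;font-weight:bold\">@{body('Retrieve_information_for_a_URL_1')?['classification']}</td><td>@{body('Retrieve_information_for_a_URL_1')?['reason']}</td><td><strong style=\"color:red\">malicious:</strong> @{body('Retrieve_information_for_a_URL_1')?['third_party_reputations']?['statistics']['malicious']}<br/><strong style=\"color:grey\">undetected:</strong> @{body('Retrieve_information_for_a_URL_1')?['third_party_reputations']?['statistics']['undetected']}</br><strong style=\"color: green\">clean:</strong> @{body('Retrieve_information_for_a_URL_1')?['third_party_reputations']?['statistics']['clean']}<br/>total: @{body('Retrieve_information_for_a_URL_1')?['third_party_reputations']?['statistics']['total']}</td><td>"
+},
+"type": "AppendToStringVariable"
+}
+},
+"case": "unknown"
+}
+},
+"default": {
+"actions": {
+"Append_to_URL_comment": {
+"inputs": {
+"name": "url comment",
+"value": "<tr><td>@{concat(substring(item()?['Url'], 0, indexOf(item()?['Url'], '.')),'[.]',substring(item()?['Url'], add(indexOf(item()?['Url'], '.'), 1), sub(length(item()?['Url']), add(indexOf(item()?['Url'], '.'), 1))))}</td><td>@{body('Retrieve_information_for_a_URL_1')?['classification']}</td><td>@{body('Retrieve_information_for_a_URL_1')?['reason']}</td><td>@{body('Retrieve_information_for_a_URL_1')?['reason']}</td><td><strong style=\"color:red\">malicious:</strong> @{body('Retrieve_information_for_a_URL_1')?['third_party_reputations']?['statistics']['malicious']}<br/><strong style=\"color:grey\">undetected:</strong> @{body('Retrieve_information_for_a_URL_1')?['third_party_reputations']?['statistics']['undetected']}</br><strong style=\"color: green\">clean:</strong> @{body('Retrieve_information_for_a_URL_1')?['third_party_reputations']?['statistics']['clean']}<br/>total: @{body('Retrieve_information_for_a_URL_1')?['third_party_reputations']?['statistics']['total']}</td><td>"
+},
+"type": "AppendToStringVariable"
+}
+}
+},
+"expression": "@body('Retrieve_information_for_a_URL_1')?['classification']",
+"runAfter": {
+"Retrieve_information_for_a_URL_1": [
+"Succeeded",
+"Failed",
+"Skipped",
+"TimedOut"
+]
+},
+"type": "Switch"
+}
+},
+"foreach": "@body('Entities_-_Get_URLs')?['URLs']",
+"type": "Foreach"
+}
+},
+"else": {
+"actions": {}
+},
+"expression": {
+"and": [
+{
+"greater": [
+"@length(body('Entities_-_Get_URLs')?['URLs'])",
+0
+]
+}
+]
+},
+"runAfter": {
+"Initialize_url_categories": [
+"Succeeded"
+]
+},
+"type": "If"
+},
+"Condition_1": {
+"actions": {
+"Add_comment_to_incident_(V3)_2": {
+"inputs": {
+"body": {
+"incidentArmId": "@triggerBody()?['object']?['id']",
+"message": "<p>@{outputs('Compose_RL_logo')}</p><p><b><strong style=\"font-size: 18px;\">Domain Enrichment</strong></b>@{variables('domain comment')}</p><p><b><strong>DNS Records</strong></b> @{variables('dns records')}</p>"
+},
+"host": {
+"connection": {
+"name": "@parameters('$connections')['azuresentinel']['connectionId']"
+}
+},
+"method": "post",
+"path": "/Incidents/Comment"
+},
+"runAfter": {
+"Close_domain_comment_table": [
+"Succeeded"
+]
+},
+"type": "ApiConnection"
+},
+"Close_domain_comment_table": {
+"inputs": {
+"name": "domain comment",
+"value": "</table>"
+},
+"runAfter": {
+"For_each_DNS_domain_entity": [
+"Succeeded"
+]
+},
+"type": "AppendToStringVariable"
+},
+"For_each_DNS_domain_entity": {
+"actions": {
+"Append_last_seen_to_domain_enrichmen": {
+"inputs": {
+"name": "domain comment",
+"value": "</td><td>@{body('Retrieve_information_for_a_domain_1')?['last_seen']}</td></tr>"
+},
+"runAfter": {
+"For_each_top_threat": [
+"Succeeded"
+]
+},
+"type": "AppendToStringVariable"
+},
+"Append_to_domain_comment": {
+"inputs": {
+"name": "domain comment",
+"value": "<tr><td>@{replace(item()?['DomainName'], '.', '[.]')}</td><td><strong style=\"color:red\">malicious:</strong> @{body('Retrieve_information_for_a_domain_1')?['third_party_reputations']?['statistics']['malicious']}<br/><strong style=\"color:grey\">undetected:</strong> @{body('Retrieve_information_for_a_domain_1')?['third_party_reputations']?['statistics']['undetected']}<br/><strong style=\"color: green\">clean:</strong> @{body('Retrieve_information_for_a_domain_1')?['third_party_reputations']?['statistics']['clean']}<br/>total: @{body('Retrieve_information_for_a_domain_1')?['third_party_reputations']?['statistics']['total']}</td></td><td><strong style=\"color: red\">malicious:</strong> @{body('Retrieve_information_for_a_domain_1')?['downloaded_files_statistics']['malicious']}<br/><strong style=\"color: grey\">unknown:</strong> @{body('Retrieve_information_for_a_domain_1')?['downloaded_files_statistics']['unknown']}<br/><strong style=\"color: orange\">suspicious:</strong> @{body('Retrieve_information_for_a_domain_1')?['downloaded_files_statistics']['suspicious']}<br/><strong style=\"color:green\">known:</strong> @{body('Retrieve_information_for_a_domain_1')?['downloaded_files_statistics']['goodware']}<br/>total: @{body('Retrieve_information_for_a_domain_1')?['downloaded_files_statistics']['total']}</td><td>"
+},
+"runAfter": {
+"Retrieve_information_for_a_domain_1": [
+"Succeeded",
+"TimedOut",
+"Skipped",
+"Failed"
+]
+},
+"type": "AppendToStringVariable"
+},
+"Close_dns_records_table": {
+"inputs": {
+"name": "dns records",
+"value": "</table>"
+},
+"runAfter": {
+"For_each_dns_record": [
+"Succeeded"
+]
+},
+"type": "AppendToStringVariable"
+},
+"For_each_dns_record": {
+"actions": {
+"Append_dns_record_to_dns_table": {
+"inputs": {
+"name": "dns records",
+"value": "<tr><td>@{items('For_each_dns_record')?['type']}</td><td><pre> @{items('For_each_dns_record')?['value']}</pre></td><td> @{items('For_each_dns_record')?['provider']}</td></tr>"
+},
+"type": "AppendToStringVariable"
+}
+},
+"foreach": "@body('Retrieve_information_for_a_domain_1')?['last_dns_records']",
+"runAfter": {
+"Append_to_domain_comment": [
+"Succeeded"
+]
+},
+"type": "Foreach"
+},
+"For_each_top_threat": {
+"actions": {
+"Append_to_string_variable_8": {
+"inputs": {
+"name": "domain comment",
+"value": "@{items('For_each_top_threat')?['threat_name']} <br/>"
+},
+"type": "AppendToStringVariable"
+}
+},
+"foreach": "@body('Retrieve_information_for_a_domain_1')?['top_threats']",
+"runAfter": {
+"Close_dns_records_table": [
+"Succeeded"
+]
+},
+"type": "Foreach"
+},
+"Retrieve_information_for_a_domain_1": {
+"inputs": {
+"headers": {
+"User-Agent": "ReversingLabs Azure Connector A1000 v1.1.0"
+},
+"host": {
+"connection": {
+"name": "@parameters('$connections')['reversinglabsa1000']['connectionId']"
+}
+},
+"method": "get",
+"path": "/api/network-threat-intel/domain/@{encodeURIComponent(item()?['DomainName'])}/"
+},
+"type": "ApiConnection"
+}
+},
+"foreach": "@body('Entities_-_Get_DNS')?['Dnsresolutions']",
+"type": "Foreach"
+}
+},
+"else": {
+"actions": {}
+},
+"expression": {
+"and": [
+{
+"greater": [
+"@length(body('Entities_-_Get_DNS')?['Dnsresolutions'])",
+0
+]
+}
+]
+},
+"runAfter": {
+"Initialize_dns_records_table": [
+"Succeeded"
+]
+},
+"type": "If"
+},
+"Condition_2": {
+"actions": {
+"Add_comment_to_incident_(V3)": {
+"inputs": {
+"body": {
+"incidentArmId": "@triggerBody()?['object']?['id']",
+"message": "<p>@{outputs('Compose_RL_logo')}</p><p><b><strong style=\"font-size: 16px;\">IP Address Enrichment</strong></b>@{variables('ip comment')}</p>"
+},
+"host": {
+"connection": {
+"name": "@parameters('$connections')['azuresentinel']['connectionId']"
+}
+},
+"method": "post",
+"path": "/Incidents/Comment"
+},
+"runAfter": {
+"Close_IP_comment_table": [
+"Succeeded"
+]
+},
+"type": "ApiConnection"
+},
+"Close_IP_comment_table": {
+"inputs": {
+"name": "ip comment",
+"value": "</table>"
+},
+"runAfter": {
+"For_each_IP_entity": [
+"Succeeded"
+]
+},
+"type": "AppendToStringVariable"
+},
+"For_each_IP_entity": {
+"actions": {
+"Append_categories_to_comment": {
+"inputs": {
+"name": "ip comment",
+"value": "@{outputs('Dedupe_categories')}</td><td>@{outputs('Dedupe_ip_threats')}</td><td>@{body('Retrieve_information_for_an_IP_address_1')?['last_seen']}</td></tr>"
+},
+"runAfter": {
+"Dedupe_categories": [
+"Succeeded"
+],
+"Dedupe_ip_threats": [
+"Succeeded"
+]
+},
+"type": "AppendToStringVariable"
+},
+"Append_to_IP_comment": {
+"inputs": {
+"name": "ip comment",
+"value": "<tr><td>@{item()?['Address']}</td><td><strong style=\"color:red\">malicious:</strong> @{body('Retrieve_information_for_an_IP_address_1')?['third_party_reputations']?['statistics']['malicious']}<br/><strong style=\"color:grey\">undetected:</strong> @{body('Retrieve_information_for_an_IP_address_1')?['third_party_reputations']?['statistics']['undetected']}<br/><strong style=\"color: green\">clean:</strong> @{body('Retrieve_information_for_an_IP_address_1')?['third_party_reputations']?['statistics']['clean']}<br/>total: @{body('Retrieve_information_for_an_IP_address_1')?['third_party_reputations']?['statistics']['total']}</td><td><strong style=\"color: red\">malicious:</strong> @{body('Retrieve_information_for_an_IP_address_1')?['downloaded_files_statistics']['malicious']}<br/><strong style=\"color: grey\">unknown:</strong> @{body('Retrieve_information_for_an_IP_address_1')?['downloaded_files_statistics']['unknown']}<br/><strong style=\"color: orange\">suspicious:</strong> @{body('Retrieve_information_for_an_IP_address_1')?['downloaded_files_statistics']['suspicious']}<br/><strong style=\"color:green\">known:</strong> @{body('Retrieve_information_for_an_IP_address_1')?['downloaded_files_statistics']['goodware']}<br/>total: @{body('Retrieve_information_for_an_IP_address_1')?['downloaded_files_statistics']['total']}</td><td>"
+},
+"runAfter": {
+"Retrieve_information_for_an_IP_address_1": [
+"Succeeded",
+"TimedOut",
+"Failed",
+"Skipped"
+]
+},
+"type": "AppendToStringVariable"
+},
+"Dedupe_categories": {
+"inputs": "@union(variables('categories'), variables('categories'))",
+"runAfter": {
+"For_each_third_party_source_1": [
+"Succeeded"
+]
+},
+"type": "Compose"
+},
+"Dedupe_ip_threats": {
+"inputs": "@union(variables('ip top threats'), variables('ip top threats'))",
+"runAfter": {
+"For_each_top_threat_1": [
+"Succeeded"
+]
+},
+"type": "Compose"
+},
+"For_each_third_party_source_1": {
+"actions": {
+"Condition_if_category_available": {
+"actions": {
+"For_each_categories_1": {
+"actions": {
+"Append_to_array_variable_1": {
+"inputs": {
+"name": "categories",
+"value": "@items('For_each_categories_1')"
+},
+"type": "AppendToArrayVariable"
+}
+},
+"foreach": "@items('For_each_third_party_source_1')?['categories']",
+"type": "Foreach"
+}
+},
+"else": {
+"actions": {}
+},
+"expression": {
+"and": [
+{
+"contains": [
+"@items('For_each_third_party_source_1')",
+"categories"
+]
+}
+]
+},
+"type": "If"
+}
+},
+"foreach": "@body('Retrieve_information_for_an_IP_address_1')?['third_party_reputations']?['sources']",
+"runAfter": {
+"Append_to_IP_comment": [
+"Succeeded"
+]
+},
+"type": "Foreach"
+},
+"For_each_top_threat_1": {
+"actions": {
+"Append_to_array_variable_2": {
+"inputs": {
+"name": "ip top threats",
+"value": "@items('For_each_top_threat_1')?['threat_name']"
+},
+"type": "AppendToArrayVariable"
+}
+},
+"foreach": "@body('Retrieve_information_for_an_IP_address_1')?['top_threats']",
+"runAfter": {
+"Append_to_IP_comment": [
+"Succeeded"
+]
+},
+"type": "Foreach"
+},
+"Retrieve_information_for_an_IP_address_1": {
+"inputs": {
+"headers": {
+"User-Agent": "ReversingLabs Azure Connector A1000 v1.1.0"
+},
+"host": {
+"connection": {
+"name": "@parameters('$connections')['reversinglabsa1000']['connectionId']"
+}
+},
+"method": "get",
+"path": "/api/network-threat-intel/ip/@{encodeURIComponent(item()?['Address'])}/report/"
+},
+"type": "ApiConnection"
+}
+},
+"foreach": "@body('Entities_-_Get_IPs')?['IPs']",
+"type": "Foreach"
+}
+},
+"else": {
+"actions": {}
+},
+"expression": {
+"and": [
+{
+"greater": [
+"@length(body('Entities_-_Get_IPs')?['IPs'])",
+0
+]
+}
+]
+},
+"runAfter": {
+"Initialize_topthreats_array_1": [
+"Succeeded"
+]
+},
+"type": "If"
+},
+"Entities_-_Get_DNS": {
+"inputs": {
+"body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
+"host": {
+"connection": {
+"name": "@parameters('$connections')['azuresentinel']['connectionId']"
+}
+},
+"method": "post",
+"path": "/entities/dnsresolution"
+},
+"runAfter": {
+"Compose_RL_logo": [
+"Succeeded"
+]
+},
+"type": "ApiConnection"
+},
+"Entities_-_Get_IPs": {
+"inputs": {
+"body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
+"host": {
+"connection": {
+"name": "@parameters('$connections')['azuresentinel']['connectionId']"
+}
+},
+"method": "post",
+"path": "/entities/ip"
+},
+"runAfter": {
+"Compose_RL_logo": [
+"Succeeded"
+]
+},
+"type": "ApiConnection"
+},
+"Entities_-_Get_URLs": {
+"inputs": {
+"body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
+"host": {
+"connection": {
+"name": "@parameters('$connections')['azuresentinel']['connectionId']"
+}
+},
+"method": "post",
+"path": "/entities/url"
+},
+"runAfter": {
+"Compose_RL_logo": [
+"Succeeded"
+]
+},
+"type": "ApiConnection"
+},
+"Initialize_IP_categories_array": {
+"inputs": {
+"variables": [
+{
+"name": "categories",
+"type": "array"
+}
+]
+},
+"runAfter": {
+"Initialize_variable_ip_comment": [
+"Succeeded"
+]
+},
+"type": "InitializeVariable"
+},
+"Initialize_dns_records_table": {
+"inputs": {
+"variables": [
+{
+"name": "dns records",
+"type": "string",
+"value": "<table style=\"width: 100%\"><tr><th>Type</th><th>Value</th><th>Provider</th></tr>"
+}
+]
+},
+"runAfter": {
+"Initialize_variable_domain_comment": [
+"Succeeded"
+]
+},
+"type": "InitializeVariable"
+},
+"Initialize_topthreats_array_1": {
+"inputs": {
+"variables": [
+{
+"name": "ip top threats",
+"type": "array"
+}
+]
+},
+"runAfter": {
+"Initialize_IP_categories_array": [
+"Succeeded"
+]
+},
+"type": "InitializeVariable"
+},
+"Initialize_url_categories": {
+"inputs": {
+"variables": [
+{
+"name": "categories array",
+"type": "array"
+}
+]
+},
+"runAfter": {
+"Initialize_variable_URL_comment": [
+"Succeeded"
+]
+},
+"type": "InitializeVariable"
+},
+"Initialize_variable_URL_comment": {
+"inputs": {
+"variables": [
+{
+"name": "url comment",
+"type": "string",
+"value": "<table style=\"width:100%\"><tr><th>URL</th><th>Classification</th><th>Reason</th><th>Reputation</th><th>Categories</th><th>LastSeen</th></tr>"
+}
+]
+},
+"runAfter": {
+"Entities_-_Get_URLs": [
+"Succeeded"
+]
+},
+"type": "InitializeVariable"
+},
+"Initialize_variable_domain_comment": {
+"inputs": {
+"variables": [
+{
+"name": "domain comment",
+"type": "string",
+"value": "<table style=\"width: 100%\"><tr><th>Domain</th><th>Reputation</th><th>DownloadedFiles</th><th>TopThreats</th><th>LastSeen</th></tr>"
+}
+]
+},
+"runAfter": {
+"Entities_-_Get_DNS": [
+"Succeeded"
+]
+},
+"type": "InitializeVariable"
+},
+"Initialize_variable_ip_comment": {
+"inputs": {
+"variables": [
+{
+"name": "ip comment",
+"type": "string",
+"value": "<table style=\"width:100%\"><tr><th>IPAddress</th><th>Reputation</th><th>DownloadedFiles</th><th>Categories</th><th>TopThreats</th><th>LastSeen</th></tr>"
+}
+]
+},
+"runAfter": {
+"Entities_-_Get_IPs": [
+"Succeeded"
+]
+},
+"type": "InitializeVariable"
+}
+},
+"outputs": {}
+},
+"parameters": {
+"$connections": {
+"value": {
+"azuresentinel": {
+"connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
+"connectionName": "azuresentinel",
+"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
+},
+"reversinglabsa1000": {
+"connectionId": "[resourceId('Microsoft.Web/connections', variables('ReversingLabsA1000ConnectionName'))]",
+"connectionName": "reversinglabs1000",
+"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/reversinglabsa1000')]"
+}
+}
+}
+}
+}
+}
+]
+}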
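Review bot: The accumulator arrays `categories array`, `categories` and `ip top threats` are initialized once before the loops and only ever appended to inside `For_each_URL_entity` and `For_each_IP_entity`, never reset, so the Categories/TopThreats cell of every later entity also lists what was collected for earlier entities; a `SetVariable` that empties the array at the start of each iteration fixes that, and because `Foreach` iterations run in parallel by default while each iteration appends to the shared `url comment`/`domain comment`/`ip comment` string in several separate steps, the three entity loops also need `"runtimeConfiguration": {"concurrency": {"repetitions": 1}}` to keep table rows from interleaving. In the `default` case of `Switch_classification` (`Append_to_URL_comment`) the `reason` cell is emitted twice, giving that row one more column than the header built in `Initialize_variable_URL_comment`. The URL defanging in the Switch cases masks only the first `.` and the `indexOf`/`substring` expression is expected to fail for an entity whose `Url` contains no dot; `replace(item()?['Url'], '.', '[.]')`, as already used for domains in `Append_to_domain_comment`, is consistent and covers both, and the IP row in `Append_to_IP_comment` is not defanged at all. The `a1000BaseUrl` parameter is declared but never referenced in this template, and `connectionName` under `$connections` is `reversinglabs1000` while the key and managed API id are `reversinglabsa1000`.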
Двоичные данные
Solutions/ReversingLabs/Playbooks/SpectraAnalyze-EnrichNetworkEntities/playbook.png
Normal file
@ -1,23 +1,22 @@
|
|||
# ReversingLabs-EnrichFileHash
|
||||
# SpectraIntelligence-EnrichFileHash
|
||||
|
||||
Author: Aaron Hoffmann (ReversingLabs)
|
||||
|
||||
## Summary
|
||||
This playbook enriches file hash entities with information from the ReversingLabs TitaniumCloud API.
|
||||
This playbook enriches file hash entities with information from ReversingLabs Spectra Intelligence (formerly TitaniumCloud).
|
||||
|
||||
## Prerequisites
|
||||
|
||||
You'll need the following:
|
||||
* A ReversingLabs TitaniumCloud subscription
|
||||
* A ReversingLabs TitaniumCloud username
|
||||
* A ReversingLabs TitaniumCloud password
|
||||
* A ReversingLabs Spectra Intelligence username
|
||||
* A ReversingLabs Spectra Intelligence password
|
||||
|
||||
|
||||
## Deployment instructions
|
||||
1. Deploy the playbook by clicking on "Deploy to Azure" button. This will take you to deploying an ARM Template wizard.
|
||||
|
||||
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FReversingLabs%2FPlaybooks%2FReversingLabs-EnrichFileHash%2Fazuredeploy.json)
|
||||
[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FReversingLabs%2FPlaybooks%2FReversingLabs-EnrichFileHash%2Fazuredeploy.json)
|
||||
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FReversingLabs%2FPlaybooks%2FSpectraIntelligence-EnrichFileHash%2Fazuredeploy.json)
|
||||
[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FReversingLabs%2FPlaybooks%2FSpectraIntelligence-EnrichFileHash%2Fazuredeploy.json)
|
||||
|
||||
## Post-deployment
|
||||
|
||||
|
@ -33,7 +32,7 @@ Once deployment is complete, you will need to authorize each connection.
|
|||
|
||||
## Screenshots
|
||||
|
||||
![Playbook overview](./images/playbook.png)
|
||||
![Playbook overview](./playbook.png)
|
||||
|
||||
## References
|
||||
|
|
@ -2,13 +2,14 @@
|
|||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"metadata": {
|
||||
"title": "ReversingLabs-EnrichFileHash",
|
||||
"description": "This playbook will enrich a Microsoft Sentinel Incident with file hash information from ReversingLabs TitaniumCloud. A comment will be added to the incident with details about the file.",
|
||||
"title": "SpectraIntelligence-EnrichFileHash",
|
||||
"description": "This playbook will enrich a Microsoft Sentinel Incident with file hash information from ReversingLabs Spectra Intelligence (formerly TitaniumCloud). A comment will be added to the incident with details about the file.",
|
||||
"prerequisites": [
|
||||
"ReversingLabs TitaniumCloud license",
|
||||
"ReversingLabs TitaniumCloud username and password"
|
||||
"ReversingLabs Spectra Intelligence license",
|
||||
"ReversingLabs Spectra Intelligence username and password"
|
||||
],
|
||||
"lastUpdateTime": "2023-08-03T10:00:00.000Z",
|
||||
"postDeploymentSteps": ["None"],
|
||||
"version": "2.0.0",
|
||||
"entities": ["FileHash"],
|
||||
"tags": ["Enrichment"],
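Review bot: `"lastUpdateTime": "2023-08-03T10:00:00.000Z"` and `"version": "2.0.0"` are left as context lines in this hunk while the playbook's title, description and prerequisites all change, so the metadata no longer describes the content being shipped under the v3.0.1 solution update. The new network-entities template added in the same commit carries `"lastUpdateTime": "2024-07-18T10:00:00.000Z"` and `"version": "2.1.0"`; this file should be bumped in the same way so consumers can tell the renamed playbook apart from the old deployment. `"postDeploymentSteps": ["None"]` also appears to contradict the README in this commit, whose Post-deployment section requires authorizing each API connection with Spectra Intelligence credentials; listing that step here would keep the template metadata and the README in agreement. The metadata object continues past the end of the hunk.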
|
||||
|
@ -24,7 +25,7 @@
|
|||
},
|
||||
"parameters": {
|
||||
"PlaybookName": {
|
||||
"defaultValue": "ReversingLabs-EnrichFileHash",
|
||||
"defaultValue": "SpectraIntelligence-EnrichFileHash",
|
||||
"type": "string",
|
||||
"metadata": {
|
||||
"description": "Name of the playbook (Logic Apps resources) which will be created"
|
||||
|
@ -38,7 +39,7 @@
|
|||
"resources": [
|
||||
{
|
||||
"type": "Microsoft.Web/connections",
|
||||
"apiVersion": "2016-06-01",
|
||||
"apiVersion": "2018-07-01-preview",
|
||||
"name": "[variables('AzureSentinelConnectionName')]",
|
||||
"location": "[resourceGroup().location]",
|
||||
"properties": {
|
||||
|
@ -50,20 +51,20 @@
|
|||
},
|
||||
{
|
||||
"type": "Microsoft.Web/connections",
|
||||
"apiVersion": "2016-06-01",
|
||||
"apiVersion": "2018-07-01-preview",
|
||||
"name": "[variables('ReversingLabsConnectionName')]",
|
||||
"location": "[resourceGroup().location]",
|
||||
"properties": {
|
||||
"displayName": "[variables('ReversingLabsConnectionName')]",
|
||||
"customParameterValues": {},
|
||||
"api": {
|
||||
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
|
||||
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/reversinglabstitaniu')]"
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Logic/workflows",
|
||||
"apiVersion": "2017-07-01",
|
||||
"apiVersion": "2019-05-01",
|
||||
"name": "[parameters('PlaybookName')]",
|
||||
"location": "[resourceGroup().location]",
|
||||
"dependson": [
|
|
@ -0,0 +1,40 @@
|
|||
# SpectraIntelligence-EnrichNetworkEntities
|
||||
|
||||
Author: Aaron Hoffmann (ReversingLabs)
|
||||
|
||||
## Summary
|
||||
This playbook enriches network entities (IP addresses, URLs, and domains) with information from ReversingLabs Spectra Intelligence (formerly TitaniumCloud).
|
||||
|
||||
## Prerequisites
|
||||
|
||||
You'll need the following:
|
||||
* A ReversingLabs Spectra Intelligence username
|
||||
* A ReversingLabs Spectra Intelligence password
|
||||
|
||||
|
||||
## Deployment instructions
|
||||
1. Deploy the playbook by clicking on "Deploy to Azure" button. This will take you to deploying an ARM Template wizard.
|
||||
|
||||
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FReversingLabs%2FPlaybooks%2FSpectraIntelligence-EnrichNetworkEntities%2Fazuredeploy.json)
|
||||
[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FReversingLabs%2FPlaybooks%2FSpectraIntelligence-EnrichNetworkEntities%2Fazuredeploy.json)
|
||||
|
||||
## Post-deployment
|
||||
|
||||
a. Authorize connections (Perform this action if needed)
|
||||
Once deployment is complete, you will need to authorize each connection.
|
||||
|
||||
1. Click the Microsoft Sentinel connection resource
|
||||
2. Click edit API connection
|
||||
3. Click Authorize
|
||||
4. Sign in
|
||||
5. Click Save
|
||||
6. Repeat steps for the ReversingLabs TitaniumCloud Connection (For authorizing the connection, a TitaniumCloud username and password needs to be provided)
|
||||
|
||||
## Screenshots
|
||||
|
||||
![Playbook overview](./playbook.png)
|
||||
|
||||
## References
|
||||
|
||||
- [ReversingLabs content pack installation guide](https://reversinglabs-marketplace.azureedge.net/help/ReversingLabsSentinelContentHubInstall.pdf)
|
||||
- [Video - How to install and configure the ReversingLabs content pack](https://www.youtube.com/watch?v=gLjMDz618O0)
|
|
@ -0,0 +1,799 @@
|
|||
{
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"metadata": {
|
||||
"title": "SpectraIntelligence-EnrichNetworkEntities",
|
||||
"description": "This playbook will enrich a Microsoft Sentinel Incident with information about network entities (IP addresses, URLs, and domain names) from ReversingLabs Spectra Intelligence (formerly TitaniumCloud). A comment will be added to the incident with details about the entity.",
|
||||
"prerequisites": [
|
||||
"ReversingLabs Spectra Intelligence license",
|
||||
"ReversingLabs Spectra Intelligence username and password"
|
||||
],
|
||||
"lastUpdateTime": "2024-07-18T10:00:00.000Z",
|
||||
"postDeploymentSteps": ["None"],
|
||||
"version": "2.1.0",
|
||||
"entities": [ "Ip", "Url", "DomainName" ],
|
||||
"tags": [ "Enrichment" ],
|
||||
"support": {
|
||||
"name": "ReversingLabs",
|
||||
"tier": "Partner",
|
||||
"email": "support@reversinglabs.com",
|
||||
"link": "https://support.reversinglabs.com/hc/en-us"
|
||||
},
|
||||
"author": {
|
||||
"name": "Aaron Hoffmann"
|
||||
}
|
||||
},
|
||||
"parameters": {
|
||||
"PlaybookName": {
|
||||
"defaultValue": "SpectraIntelligence-EnrichNetworkEntities",
|
||||
"type": "string",
|
||||
"metadata": {
|
||||
"description": "Name of the playbook (Logic Apps resources) which will be created"
|
||||
}
|
||||
}
|
||||
},
|
||||
"variables": {
|
||||
"AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]",
|
||||
"ReversingLabsConnectionName": "[concat('reversinglabs-', parameters('PlaybookName'))]"
|
||||
},
|
||||
"resources": [
|
||||
{
|
||||
"type": "Microsoft.Web/connections",
|
||||
"apiVersion": "2018-07-01-preview",
|
||||
"name": "[variables('AzureSentinelConnectionName')]",
|
||||
"location": "[resourceGroup().location]",
|
||||
"properties": {
|
||||
"customParameterValues": {},
|
||||
"api": {
|
||||
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Web/connections",
|
||||
"apiVersion": "2018-07-01-preview",
|
||||
"name": "[variables('ReversingLabsConnectionName')]",
|
||||
"location": "[resourceGroup().location]",
|
||||
"properties": {
|
||||
"displayName": "[variables('ReversingLabsConnectionName')]",
|
||||
"customParameterValues": {},
|
||||
"api": {
|
||||
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/reversinglabstitaniu')]"
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Logic/workflows",
|
||||
"apiVersion": "2019-05-01",
|
||||
"name": "[parameters('PlaybookName')]",
|
||||
"location": "[resourceGroup().location]",
|
||||
"properties": {
|
||||
"state": "Enabled",
|
||||
"definition": {
|
||||
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"parameters": {
|
||||
"$connections": {
|
||||
"defaultValue": {},
|
||||
"type": "Object"
|
||||
}
|
||||
},
|
||||
"triggers": {
|
||||
"Microsoft_Sentinel_incident": {
|
||||
"type": "ApiConnectionWebhook",
|
||||
"inputs": {
|
||||
"host": {
|
||||
"connection": {
|
||||
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
|
||||
}
|
||||
},
|
||||
"body": {
|
||||
"callback_url": "@{listCallbackUrl()}"
|
||||
},
|
||||
"path": "/incident-creation"
|
||||
}
|
||||
}
|
||||
},
|
||||
"actions": {
|
||||
"Compose_RL_logo": {
|
||||
"inputs": "<img src=\"https://www.reversinglabs.com/hubfs/RL%20Logo/rl-logo-long.svg\"></img>",
|
||||
"runAfter": {},
|
||||
"type": "Compose"
|
||||
},
|
||||
"Condition": {
|
||||
"actions": {
|
||||
"Add_comment_to_incident_(V3)_1": {
|
||||
"inputs": {
|
||||
"body": {
|
||||
"incidentArmId": "@triggerBody()?['object']?['id']",
|
||||
"message": "<p>@{outputs('Compose_RL_logo')}</p><p><b><strong style=\"font-size: 16px;\">URL Enrichment</strong></b>@{variables('url comment')}</p>"
|
||||
},
|
||||
"host": {
|
||||
"connection": {
|
||||
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
|
||||
}
|
||||
},
|
||||
"method": "post",
|
||||
"path": "/Incidents/Comment"
|
||||
},
|
||||
"runAfter": {
|
||||
"Close_URL_comment_table": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "ApiConnection"
|
||||
},
|
||||
"Close_URL_comment_table": {
|
||||
"inputs": {
|
||||
"name": "url comment",
|
||||
"value": "</table>"
|
||||
},
|
||||
"runAfter": {
|
||||
"For_each_URL_entity": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "AppendToStringVariable"
|
||||
},
|
||||
"For_each_URL_entity": {
|
||||
"actions": {
|
||||
"Dedupe_categories": {
|
||||
"inputs": "@union(variables('url categories'), variables('url categories'))",
|
||||
"runAfter": {
|
||||
"For_each_third_party_source": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "Compose"
|
||||
},
|
||||
"For_each_third_party_source": {
|
||||
"actions": {
|
||||
"Condition_if_source_has_categories": {
|
||||
"actions": {
|
||||
"For_each_source_category": {
|
||||
"actions": {
|
||||
"Append_to_array_variable": {
|
||||
"inputs": {
|
||||
"name": "url categories",
|
||||
"value": "@items('For_each_third_party_source')"
|
||||
},
|
||||
"type": "AppendToArrayVariable"
|
||||
}
|
||||
},
|
||||
"foreach": "@items('For_each_third_party_source')?['categories']",
|
||||
"type": "Foreach"
|
||||
}
|
||||
},
|
||||
"else": {
|
||||
"actions": {}
|
||||
},
|
||||
"expression": {
|
||||
"and": [
|
||||
{
|
||||
"contains": [
|
||||
"@items('For_each_third_party_source')",
|
||||
"categories"
|
||||
]
|
||||
}
|
||||
]
|
||||
},
|
||||
"type": "If"
|
||||
}
|
||||
},
|
||||
"foreach": "@body('Get_the_URL_report')?['rl']?['third_party_reputations']?['sources']",
|
||||
"runAfter": {
|
||||
"Get_the_URL_report": [
|
||||
"Succeeded",
|
||||
"Failed",
|
||||
"Skipped",
|
||||
"TimedOut"
|
||||
]
|
||||
},
|
||||
"type": "Foreach"
|
||||
},
|
||||
"Get_the_URL_report": {
|
||||
"inputs": {
|
||||
"body": {
|
||||
"rl": {
|
||||
"query": {
|
||||
"response_format": "json",
|
||||
"url": "@item()?['Url']"
|
||||
}
|
||||
}
|
||||
},
|
||||
"headers": {
|
||||
"User-Agent": "ReversingLabs Azure Connector TitaniumCloud v1.4.0"
|
||||
},
|
||||
"host": {
|
||||
"connection": {
|
||||
"name": "@parameters('$connections')['reversinglabstitaniu']['connectionId']"
|
||||
}
|
||||
},
|
||||
"method": "post",
|
||||
"path": "/api/networking/url/v1/report/query/json"
|
||||
},
|
||||
"type": "ApiConnection"
|
||||
},
|
||||
"Switch_classification": {
|
||||
"cases": {
|
||||
"Case_known": {
|
||||
"actions": {
|
||||
"Append_to_string_variable_2": {
|
||||
"inputs": {
|
||||
"name": "url comment",
|
||||
"value": "<tr><td>@{concat(substring(item()?['Url'], 0, indexOf(item()?['Url'], '.')),'[.]',substring(item()?['Url'], add(indexOf(item()?['Url'], '.'), 1), sub(length(item()?['Url']), add(indexOf(item()?['Url'], '.'), 1))))}</td><td style=\"background-color:green;color:white;font-weight:bold\">@{body('Get_the_URL_report')?['rl']?['classification']}</td><td>@{body('Get_the_URL_report')?['rl']?['reason']}</td><td><strong style=\"color:red\">malicious:</strong> @{body('Get_the_URL_report')?['rl']?['third_party_reputations']?['statistics']['malicious']}<br/><strong style=\"color:grey\">undetected:</strong> @{body('Get_the_URL_report')?['rl']?['third_party_reputations']?['statistics']['undetected']}</br><strong style=\"color: green\">clean:</strong> @{body('Get_the_URL_report')?['rl']?['third_party_reputations']?['statistics']['clean']}<br/>total: @{body('Get_the_URL_report')?['rl']?['third_party_reputations']?['statistics']['total']}</td><td>@{outputs('Dedupe_categories')}</td><td>@{body('Get_the_URL_report')?['rl']?['last_seen']}</td></tr>"
|
||||
},
|
||||
"type": "AppendToStringVariable"
|
||||
}
|
||||
},
|
||||
"case": "known"
|
||||
},
|
||||
"Case_malicious": {
|
||||
"actions": {
|
||||
"Append_to_string_variable": {
|
||||
"inputs": {
|
||||
"name": "url comment",
|
||||
"value": "<tr><td>@{concat(substring(item()?['Url'], 0, indexOf(item()?['Url'], '.')),'[.]',substring(item()?['Url'], add(indexOf(item()?['Url'], '.'), 1), sub(length(item()?['Url']), add(indexOf(item()?['Url'], '.'), 1))))}</td><td style=\"background-color:red;color:white;font-weight:bold\">@{body('Get_the_URL_report')?['rl']?['classification']}</td><td>@{body('Get_the_URL_report')?['rl']?['reason']}</td><td><strong style=\"color:red\">malicious:</strong> @{body('Get_the_URL_report')?['rl']?['third_party_reputations']?['statistics']['malicious']}<br/><strong style=\"color:grey\">undetected:</strong> @{body('Get_the_URL_report')?['rl']?['third_party_reputations']?['statistics']['undetected']}</br><strong style=\"color: green\">clean:</strong> @{body('Get_the_URL_report')?['rl']?['third_party_reputations']?['statistics']['clean']}<br/>total: @{body('Get_the_URL_report')?['rl']?['third_party_reputations']?['statistics']['total']}</td><td>@{outputs('Dedupe_categories')}</td><td>@{body('Get_the_URL_report')?['rl']?['last_seen']}</td></tr>"
|
||||
},
|
||||
"type": "AppendToStringVariable"
|
||||
}
|
||||
},
|
||||
"case": "malicious"
|
||||
},
|
||||
"Case_suspicious": {
|
||||
"actions": {
|
||||
"Append_to_string_variable_1": {
|
||||
"inputs": {
|
||||
"name": "url comment",
|
||||
"value": "<tr><td>@{concat(substring(item()?['Url'], 0, indexOf(item()?['Url'], '.')),'[.]',substring(item()?['Url'], add(indexOf(item()?['Url'], '.'), 1), sub(length(item()?['Url']), add(indexOf(item()?['Url'], '.'), 1))))}</td><td style=\"background-color:orange;color:black;font-weight:bold\">@{body('Get_the_URL_report')?['rl']?['classification']}</td><td>@{body('Get_the_URL_report')?['rl']?['reason']}</td><td><strong style=\"color:red\">malicious:</strong> @{body('Get_the_URL_report')?['rl']?['third_party_reputations']?['statistics']['malicious']}<br/><strong style=\"color:grey\">undetected:</strong> @{body('Get_the_URL_report')?['rl']?['third_party_reputations']?['statistics']['undetected']}</br><strong style=\"color: green\">clean:</strong> @{body('Get_the_URL_report')?['rl']?['third_party_reputations']?['statistics']['clean']}<br/>total: @{body('Get_the_URL_report')?['rl']?['third_party_reputations']?['statistics']['total']}</td><td>@{outputs('Dedupe_categories')}</td><td>@{body('Get_the_URL_report')?['rl']?['last_seen']}</td></tr>"
|
||||
},
|
||||
"type": "AppendToStringVariable"
|
||||
}
|
||||
},
|
||||
"case": "suspicious"
|
||||
},
|
||||
"Case_unknown": {
|
||||
"actions": {
|
||||
"Append_to_string_variable_3": {
|
||||
"inputs": {
|
||||
"name": "url comment",
|
||||
"value": "<tr><td>@{concat(substring(item()?['Url'], 0, indexOf(item()?['Url'], '.')),'[.]',substring(item()?['Url'], add(indexOf(item()?['Url'], '.'), 1), sub(length(item()?['Url']), add(indexOf(item()?['Url'], '.'), 1))))}</td><td style=\"background-color:grey;color:black;font-weight:bold\">@{body('Get_the_URL_report')?['rl']?['classification']}</td><td>@{body('Get_the_URL_report')?['rl']?['reason']}</td><td><strong style=\"color:red\">malicious:</strong> @{body('Get_the_URL_report')?['rl']?['third_party_reputations']?['statistics']['malicious']}<br/><strong style=\"color:grey\">undetected:</strong> @{body('Get_the_URL_report')?['rl']?['third_party_reputations']?['statistics']['undetected']}</br><strong style=\"color: green\">clean:</strong> @{body('Get_the_URL_report')?['rl']?['third_party_reputations']?['statistics']['clean']}<br/>total: @{body('Get_the_URL_report')?['rl']?['third_party_reputations']?['statistics']['total']}</td><td>@{outputs('Dedupe_categories')}</td><td>@{body('Get_the_URL_report')?['rl']?['last_seen']}</td></tr>"
|
||||
},
|
||||
"type": "AppendToStringVariable"
|
||||
}
|
||||
},
|
||||
"case": "unknown"
|
||||
}
|
||||
},
|
||||
"default": {
|
||||
"actions": {
|
||||
"Append_to_URL_comment": {
|
||||
"inputs": {
|
||||
"name": "url comment",
|
||||
"value": "<tr><td>@{concat(substring(item()?['Url'], 0, indexOf(item()?['Url'], '.')),'[.]',substring(item()?['Url'], add(indexOf(item()?['Url'], '.'), 1), sub(length(item()?['Url']), add(indexOf(item()?['Url'], '.'), 1))))}</td><td>@{body('Get_the_URL_report')?['rl']?['classification']}</td><td>@{body('Get_the_URL_report')?['rl']?['reason']}</td><td><strong style=\"color:red\">malicious:</strong> @{body('Get_the_URL_report')?['rl']?['third_party_reputations']?['statistics']['malicious']}<br/><strong style=\"color:grey\">undetected:</strong> @{body('Get_the_URL_report')?['rl']?['third_party_reputations']?['statistics']['undetected']}</br><strong style=\"color: green\">clean:</strong> @{body('Get_the_URL_report')?['rl']?['third_party_reputations']?['statistics']['clean']}<br/>total: @{body('Get_the_URL_report')?['rl']?['third_party_reputations']?['statistics']['total']}</td><td>@{outputs('Dedupe_categories')}</td><td>@{body('Get_the_URL_report')?['rl']?['last_seen']}</td></tr>"
|
||||
},
|
||||
"type": "AppendToStringVariable"
|
||||
}
|
||||
}
|
||||
},
|
||||
"expression": "@body('Get_the_URL_report')?['rl']?['classification']",
|
||||
"runAfter": {
|
||||
"Dedupe_categories": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "Switch"
|
||||
}
|
||||
},
|
||||
"foreach": "@body('Entities_-_Get_URLs')?['URLs']",
|
||||
"type": "Foreach"
|
||||
}
|
||||
},
|
||||
"else": {
|
||||
"actions": {}
|
||||
},
|
||||
"expression": {
|
||||
"and": [
|
||||
{
|
||||
"greater": [
|
||||
"@length(body('Entities_-_Get_URLs')?['URLs'])",
|
||||
0
|
||||
]
|
||||
}
|
||||
]
|
||||
},
|
||||
"runAfter": {
|
||||
"Initialize_url_categories_array": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "If"
|
||||
},
|
||||
"Condition_1": {
|
||||
"actions": {
|
||||
"Add_comment_to_incident_(V3)_2": {
|
||||
"inputs": {
|
||||
"body": {
|
||||
"incidentArmId": "@triggerBody()?['object']?['id']",
|
||||
"message": "<p>@{outputs('Compose_RL_logo')}</p><p><b><strong style=\"font-size: 16px;\">Domain Enrichment</strong></b>@{variables('domain comment')}</p><p><b><strong>DNS Records</strong></b>@{variables('dns records')}</p>"
|
||||
},
|
||||
"host": {
|
||||
"connection": {
|
||||
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
|
||||
}
|
||||
},
|
||||
"method": "post",
|
||||
"path": "/Incidents/Comment"
|
||||
},
|
||||
"runAfter": {
|
||||
"Close_domain_comment_table": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "ApiConnection"
|
||||
},
|
||||
"Close_domain_comment_table": {
|
||||
"inputs": {
|
||||
"name": "domain comment",
|
||||
"value": "</table>"
|
||||
},
|
||||
"runAfter": {
|
||||
"For_each_DNS_domain_entity": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "AppendToStringVariable"
|
||||
},
|
||||
"For_each_DNS_domain_entity": {
|
||||
"actions": {
|
||||
"Append_last_seen_to_domain_enrichment": {
|
||||
"inputs": {
|
||||
"name": "domain comment",
|
||||
"value": "</td><td>@{body('Get_the_domain_report')?['rl']?['last_seen']}</td></tr>"
|
||||
},
|
||||
"runAfter": {
|
||||
"For_each_top_threat": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "AppendToStringVariable"
|
||||
},
|
||||
"Append_to_domain_comment": {
|
||||
"inputs": {
|
||||
"name": "domain comment",
|
||||
"value": "<tr><td>@{replace(item()?['DomainName'], '.', '[.]')}</td><td><strong style=\"color:red\">malicious:</strong> @{body('Get_the_domain_report')?['rl']?['third_party_reputations']?['statistics']['malicious']}<br/><strong style=\"color:grey\">undetected:</strong> @{body('Get_the_domain_report')?['rl']?['third_party_reputations']?['statistics']['undetected']}<br/><strong style=\"color: green\">clean:</strong> @{body('Get_the_domain_report')?['rl']?['third_party_reputations']?['statistics']['clean']}<br/>total: @{body('Get_the_domain_report')?['rl']?['third_party_reputations']?['statistics']['total']}</td></td><td><strong style=\"color: red\">malicious:</strong> @{body('Get_the_domain_report')?['rl']?['downloaded_files_statistics']['malicious']}<br/><strong style=\"color: grey\">unknown:</strong> @{body('Get_the_domain_report')?['rl']?['downloaded_files_statistics']['unknown']}<br/><strong style=\"color: orange\">suspicious:</strong> @{body('Get_the_domain_report')?['rl']?['downloaded_files_statistics']['suspicious']}<br/><strong style=\"color:green\">known:</strong> @{body('Get_the_domain_report')?['rl']?['downloaded_files_statistics']['known']}<br/>total: @{body('Get_the_domain_report')?['rl']?['downloaded_files_statistics']['total']}</td><td>"
|
||||
},
|
||||
"runAfter": {
|
||||
"Get_the_domain_report": [
|
||||
"Succeeded",
|
||||
"TimedOut",
|
||||
"Skipped",
|
||||
"Failed"
|
||||
]
|
||||
},
|
||||
"type": "AppendToStringVariable"
|
||||
},
|
||||
"Close_dns_records_table": {
|
||||
"inputs": {
|
||||
"name": "dns records",
|
||||
"value": "</table>"
|
||||
},
|
||||
"runAfter": {
|
||||
"For_each_dns_record": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "AppendToStringVariable"
|
||||
},
|
||||
"For_each_dns_record": {
|
||||
"actions": {
|
||||
"Append_dns_record_to_dns_comment": {
|
||||
"inputs": {
|
||||
"name": "dns records",
|
||||
"value": "<tr><td> @{items('For_each_dns_record')?['type']}</td><td>@{items('For_each_dns_record')?['value']}</td><td>@{items('For_each_dns_record')?['provider']}</td></tr>"
|
||||
},
|
||||
"type": "AppendToStringVariable"
|
||||
}
|
||||
},
|
||||
"foreach": "@body('Get_the_domain_report')?['rl']?['last_dns_records']",
|
||||
"runAfter": {
|
||||
"Append_last_seen_to_domain_enrichment": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "Foreach"
|
||||
},
|
||||
"For_each_top_threat": {
|
||||
"actions": {
|
||||
"Append_to_string_variable_8": {
|
||||
"inputs": {
|
||||
"name": "domain comment",
|
||||
"value": "@{items('For_each_top_threat')?['threat_name']} "
|
||||
},
|
||||
"type": "AppendToStringVariable"
|
||||
}
|
||||
},
|
||||
"foreach": "@body('Get_the_domain_report')?['rl']?['top_threats']",
|
||||
"runAfter": {
|
||||
"Append_to_domain_comment": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "Foreach"
|
||||
},
|
||||
"Get_the_domain_report": {
|
||||
"inputs": {
|
||||
"body": {
|
||||
"rl": {
|
||||
"query": {
|
||||
"domain": "@item()?['DomainName']",
|
||||
"response_format": "json"
|
||||
}
|
||||
}
|
||||
},
|
||||
"headers": {
|
||||
"User-Agent": "ReversingLabs Azure Connector TitaniumCloud v1.4.0"
|
||||
},
|
||||
"host": {
|
||||
"connection": {
|
||||
"name": "@parameters('$connections')['reversinglabstitaniu']['connectionId']"
|
||||
}
|
||||
},
|
||||
"method": "post",
|
||||
"path": "/api/networking/domain/report/v1/query/json"
|
||||
},
|
||||
"type": "ApiConnection"
|
||||
}
|
||||
},
|
||||
"foreach": "@body('Entities_-_Get_DNS')?['Dnsresolutions']",
|
||||
"type": "Foreach"
|
||||
}
|
||||
},
|
||||
"else": {
|
||||
"actions": {}
|
||||
},
|
||||
"expression": {
|
||||
"and": [
|
||||
{
|
||||
"greater": [
|
||||
"@length(body('Entities_-_Get_DNS')?['Dnsresolutions'])",
|
||||
0
|
||||
]
|
||||
}
|
||||
]
|
||||
},
|
||||
"runAfter": {
|
||||
"Initialize_dns_records_table": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "If"
|
||||
},
|
||||
"Condition_2": {
|
||||
"actions": {
|
||||
"Add_comment_to_incident_(V3)": {
|
||||
"inputs": {
|
||||
"body": {
|
||||
"incidentArmId": "@triggerBody()?['object']?['id']",
|
||||
"message": "<p>@{outputs('Compose_RL_logo')}</p><p><b><strong style=\"font-size: 16px;\">IP Address Enrichment</strong></b>@{variables('ip comment')}</p>"
|
||||
},
|
||||
"host": {
|
||||
"connection": {
|
||||
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
|
||||
}
|
||||
},
|
||||
"method": "post",
|
||||
"path": "/Incidents/Comment"
|
||||
},
|
||||
"runAfter": {
|
||||
"Close_IP_comment_table": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "ApiConnection"
|
||||
},
|
||||
"Close_IP_comment_table": {
|
||||
"inputs": {
|
||||
"name": "ip comment",
|
||||
"value": "</table>"
|
||||
},
|
||||
"runAfter": {
|
||||
"For_each_IP_entity": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "AppendToStringVariable"
|
||||
},
|
||||
"For_each_IP_entity": {
|
||||
"actions": {
|
||||
"Append_to_IP_comment": {
|
||||
"inputs": {
|
||||
"name": "ip comment",
|
||||
"value": "<tr><td>@{item()?['Address']}</td><td><strong style=\"color:red\">malicious:</strong> @{body('Get_the_IP_address_report')?['rl']?['third_party_reputations']?['statistics']['malicious']}<br/><strong style=\"color:grey\">undetected:</strong> @{body('Get_the_IP_address_report')?['rl']?['third_party_reputations']?['statistics']['undetected']}<br/><strong style=\"color: green\">clean:</strong> @{body('Get_the_IP_address_report')?['rl']?['third_party_reputations']?['statistics']['clean']}<br/>total: @{body('Get_the_IP_address_report')?['rl']?['third_party_reputations']?['statistics']['total']}</td><td><strong style=\"color: red\">malicious:</strong> @{body('Get_the_IP_address_report')?['rl']?['downloaded_files_statistics']['malicious']}<br/><strong style=\"color: grey\">unknown:</strong> @{body('Get_the_IP_address_report')?['rl']?['downloaded_files_statistics']['unknown']}<br/><strong style=\"color: orange\">suspicious:</strong> @{body('Get_the_IP_address_report')?['rl']?['downloaded_files_statistics']['suspicious']}<br/><strong style=\"color:green\">known:</strong> @{body('Get_the_IP_address_report')?['rl']?['downloaded_files_statistics']['known']}<br/>total: @{body('Get_the_IP_address_report')?['rl']?['downloaded_files_statistics']['total']}</td><td>@{outputs('Dedupe_IP_categories')}</td><td>@{body('Get_the_IP_address_report')?['rl']?['last_seen']}</td></tr>"
|
||||
},
|
||||
"runAfter": {
|
||||
"Dedupe_IP_categories": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "AppendToStringVariable"
|
||||
},
|
||||
"Dedupe_IP_categories": {
|
||||
"inputs": "@union(variables('ip categories'), variables('ip categories'))",
|
||||
"runAfter": {
|
||||
"For_each_third_party_source_2": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "Compose"
|
||||
},
|
||||
"For_each_third_party_source_2": {
|
||||
"actions": {
|
||||
"Condition_if_source_has_categories_2": {
|
||||
"actions": {
|
||||
"For_each_category_2": {
|
||||
"actions": {
|
||||
"Append_to_array_variable_1": {
|
||||
"inputs": {
|
||||
"name": "ip categories",
|
||||
"value": "@items('For_each_category_2')"
|
||||
},
|
||||
"type": "AppendToArrayVariable"
|
||||
}
|
||||
},
|
||||
"foreach": "@items('For_each_third_party_source_2')?['categories']",
|
||||
"type": "Foreach"
|
||||
}
|
||||
},
|
||||
"else": {
|
||||
"actions": {}
|
||||
},
|
||||
"expression": {
|
||||
"and": [
|
||||
{
|
||||
"contains": [
|
||||
"@items('For_each_third_party_source_2')",
|
||||
"categories"
|
||||
]
|
||||
}
|
||||
]
|
||||
},
|
||||
"type": "If"
|
||||
}
|
||||
},
|
||||
"foreach": "@body('Get_the_IP_address_report')?['rl']?['third_party_reputations']?['sources']",
|
||||
"runAfter": {
|
||||
"Get_the_IP_address_report": [
|
||||
"Succeeded",
|
||||
"TimedOut",
|
||||
"Failed",
|
||||
"Skipped"
|
||||
]
|
||||
},
|
||||
"type": "Foreach"
|
||||
},
|
||||
"Get_the_IP_address_report": {
|
||||
"inputs": {
|
||||
"body": {
|
||||
"rl": {
|
||||
"query": {
|
||||
"ip": "@item()?['Address']",
|
||||
"response_format": "json"
|
||||
}
|
||||
}
|
||||
},
|
||||
"headers": {
|
||||
"User-Agent": "ReversingLabs Azure Connector TitaniumCloud v1.4.0"
|
||||
},
|
||||
"host": {
|
||||
"connection": {
|
||||
"name": "@parameters('$connections')['reversinglabstitaniu']['connectionId']"
|
||||
}
|
||||
},
|
||||
"method": "post",
|
||||
"path": "/api/networking/ip/report/v1/query/json"
|
||||
},
|
||||
"type": "ApiConnection"
|
||||
}
|
||||
},
|
||||
"foreach": "@body('Entities_-_Get_IPs')?['IPs']",
|
||||
"type": "Foreach"
|
||||
}
|
||||
},
|
||||
"else": {
|
||||
"actions": {}
|
||||
},
|
||||
"expression": {
|
||||
"and": [
|
||||
{
|
||||
"greater": [
|
||||
"@length(body('Entities_-_Get_IPs')?['IPs'])",
|
||||
0
|
||||
]
|
||||
}
|
||||
]
|
||||
},
|
||||
"runAfter": {
|
||||
"Initialize_ip_categories_array": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "If"
|
||||
},
|
||||
"Entities_-_Get_DNS": {
|
||||
"inputs": {
|
||||
"body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
|
||||
"host": {
|
||||
"connection": {
|
||||
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
|
||||
}
|
||||
},
|
||||
"method": "post",
|
||||
"path": "/entities/dnsresolution"
|
||||
},
|
||||
"runAfter": {
|
||||
"Compose_RL_logo": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "ApiConnection"
|
||||
},
|
||||
"Entities_-_Get_IPs": {
|
||||
"inputs": {
|
||||
"body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
|
||||
"host": {
|
||||
"connection": {
|
||||
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
|
||||
}
|
||||
},
|
||||
"method": "post",
|
||||
"path": "/entities/ip"
|
||||
},
|
||||
"runAfter": {
|
||||
"Compose_RL_logo": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "ApiConnection"
|
||||
},
|
||||
"Entities_-_Get_URLs": {
|
||||
"inputs": {
|
||||
"body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
|
||||
"host": {
|
||||
"connection": {
|
||||
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
|
||||
}
|
||||
},
|
||||
"method": "post",
|
||||
"path": "/entities/url"
|
||||
},
|
||||
"runAfter": {
|
||||
"Compose_RL_logo": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "ApiConnection"
|
||||
},
|
||||
"Initialize_dns_records_table": {
|
||||
"inputs": {
|
||||
"variables": [
|
||||
{
|
||||
"name": "dns records",
|
||||
"type": "string",
|
||||
"value": "<table style=\"width:100%\"><tr><th>Type</th><th>Value</th><th>Provider</th></tr>"
|
||||
}
|
||||
]
|
||||
},
|
||||
"runAfter": {
|
||||
"Initialize_variable_domain_comment": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "InitializeVariable"
|
||||
},
|
||||
"Initialize_ip_categories_array": {
|
||||
"inputs": {
|
||||
"variables": [
|
||||
{
|
||||
"name": "ip categories",
|
||||
"type": "array"
|
||||
}
|
||||
]
|
||||
},
|
||||
"runAfter": {
|
||||
"Initialize_variable_ip_comment": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "InitializeVariable"
|
||||
},
|
||||
"Initialize_url_categories_array": {
|
||||
"inputs": {
|
||||
"variables": [
|
||||
{
|
||||
"name": "url categories",
|
||||
"type": "array"
|
||||
}
|
||||
]
|
||||
},
|
||||
"runAfter": {
|
||||
"Initialize_variable_URL_comment": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "InitializeVariable"
|
||||
},
|
||||
"Initialize_variable_URL_comment": {
|
||||
"inputs": {
|
||||
"variables": [
|
||||
{
|
||||
"name": "url comment",
|
||||
"type": "string",
|
||||
"value": "<table style=\"width:100%\"><tr><th>URL</th><th>Classification</th><th>Reason</th><th>Reputation</th><th>Categories</th><th>LastSeen</th></tr>"
|
||||
}
|
||||
]
|
||||
},
|
||||
"runAfter": {
|
||||
"Entities_-_Get_URLs": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "InitializeVariable"
|
||||
},
|
||||
"Initialize_variable_domain_comment": {
|
||||
"inputs": {
|
||||
"variables": [
|
||||
{
|
||||
"name": "domain comment",
|
||||
"type": "string",
|
||||
"value": "<table style=\"width:100%\"><tr><th>Domain</th><th>Reputation</th><th>DownloadedFiles</th><th>TopThreats</th><th>LastSeen</th></tr>"
|
||||
}
|
||||
]
|
||||
},
|
||||
"runAfter": {
|
||||
"Entities_-_Get_DNS": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "InitializeVariable"
|
||||
},
|
||||
"Initialize_variable_ip_comment": {
|
||||
"inputs": {
|
||||
"variables": [
|
||||
{
|
||||
"name": "ip comment",
|
||||
"type": "string",
|
||||
"value": "<table style=\"width:100%\"><tr><th>IPAddress</th><th>Reputation</th><th>DownloadedFiles</th><th>Categories</th><th>LastSeen</th></tr>"
|
||||
}
|
||||
]
|
||||
},
|
||||
"runAfter": {
|
||||
"Entities_-_Get_IPs": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "InitializeVariable"
|
||||
}
|
||||
},
|
||||
"outputs": {}
|
||||
},
|
||||
"parameters": {
|
||||
"$connections": {
|
||||
"value": {
|
||||
"azuresentinel": {
|
||||
"connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
|
||||
"connectionName": "azuresentinel",
|
||||
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
|
||||
},
|
||||
"reversinglabstitaniu": {
|
||||
"connectionId": "[resourceId('Microsoft.Web/connections', variables('ReversingLabsConnectionName'))]",
|
||||
"connectionName": "reversinglabstitaniu",
|
||||
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/reversinglabstitaniu')]"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
Двоичные данные
Solutions/ReversingLabs/Playbooks/SpectraIntelligence-EnrichNetworkEntities/playbook.png
Normal file
|
@ -1,3 +1,4 @@
|
|||
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|
||||
|-------------|--------------------------------|---------------------------------------------|
|
||||
| 3.0.1 | 17-07-2024 | **What's New** <br/> - Playbook \| SpectraAnalyze-EnrichNetworkEntities: New playbook that enriches network entities (IP addresses, URLs, and domain names) with data from a Spectra Analyze appliance \| v1.0.0<br/> - Playbook \| SpectraIntelligence-EnrichNetworkEntities: New playbook that enriches network entities (IP addresses, URLs, and domain names) with data from Spectra Intelligence. \| v1.0.0 <br/> - Playbook \| SpectraAnalyze-EnrichFileHash: New playbook exmaple for enriching file hash entities with data from a Spectra Analyze apliance \| v1.0.0 <br/> **What's Changed** <br/> - Playbook \| ReversingLabs-EnrichFileHash has been renamed to SpectraIntelligence-EnrichFileHash |
|
||||
| 3.0.0 | 09-08-2023 | **Playbook** \| ReversingLabs-EnrichFileHash: Updated to use new TitaniumCloud Logic App connector; Added AV scan results \| v2.0.0 <br/> **Workbook** \| ReversingLabs-CapabilitiesOverview: Remove hardcoded parameter value "ti_feed_check"; Update indicator quality query to be more accurate for uniqueness check \| v1.1.2 |
|
||||
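--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -2,7 +2,7 @@
 "publisherId": "reversinglabs1597673283347",
 "offerId": "rl_offer_content_hub_aoae",
 "firstPublishDate": "2022-08-08",
-"lastPublishDate": "2023-08-08",
+"lastPublishDate": "2024-07-17",
 "providers": ["ReversingLabs"],
 "categories": {
 "domains" : ["Security - Threat Intelligence"],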