This commit is contained in:
Smitha Sundareswaran 2022-03-30 23:12:10 -07:00
Родитель 804169c32f
Коммит 578261d38b
5 изменённых файлов: 210 добавлений и 84 удалений


@ -1,6 +1,10 @@
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"comments": "This PaloAlto custom connector uses PAN-OS API to perform different actions on the PAN-OS VM",
"author": "Sindhu Talluri,PAN-OS"
},
"parameters": {
"PaloAlto_PAN-OS_Rest_API_CustomConnector_Name": {
"defaultValue": "PAN-OSRestApiCustomConnector",
@ -17,7 +21,7 @@
}
},
"Service_EndPoint": {
"defaultValue": "https://fb.com",
"defaultValue": "https://{yourPaloAltoDomain}",
"type": "String",
"metadata": {
"description": "enter the PaloAlto endpoint (ex: https://{yourPaloAltoDomain})"
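Review bot: `Service_EndPoint` now defaults to the placeholder `https://{yourPaloAltoDomain}`, so a deployment that omits the parameter succeeds and creates a connector whose host is the literal placeholder, with no validation at deployment time. Since the `description` already documents the expected format, the safer shape is to drop `defaultValue` entirely so the parameter must be supplied: `"Service_EndPoint": { "type": "String", "metadata": { ... } }`. If a default is wanted for samples, the connector's swagger host is the place, not a parameter default that silently deploys.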


@ -5,11 +5,10 @@
"title": "Get System Info - Palo Alto PAN-OS XML API",
"description": "This playbook gets a threat PCAP from the Panorama machine for a particular threat. ",
"mainSteps": [
"1.For each alert, check if the alert is a Palo Alto alert.",
"1. For each incident, check if the alert is a Palo Alto incident.",
"2. If it is, extract the firewall device name.",
"3. Make a call to the device, and get the system info.",
"4. Create a Sentinel Incident for the alert.",
"5. Update the Sentinel Incident with the system info."
"4. Update the Sentinel Incident with the system info."
],
"prerequisites": [
"1. Palo Alto PAN-OS custom connector needs to be deployed prior to the deployment of this playbook, in the same resource group and region.",
@ -50,23 +49,62 @@
"LogAnalyticsResourceName": {
"type": "string",
"metadata": {
"description": "Name of the cLog Analytics instance for logging"
"description": "Name of the Log Analytics instance for logging"
}
}
},
"variables": {
"subscriptionId": "[subscription().subscriptionId]",
"location": "[resourceGroup().location]",
"AzureSentinelConnector": "[concat('/subscriptions/', subscription().subscriptionId,'/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/connections/azuresentinel')]",
"AzureMonitorLogsConnector": "[concat('/subscriptions/', subscription().subscriptionId,'/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/connections/azuremonitorlogs')]",
"PaloAltoConnector": "[concat('/subscriptions/', subscription().subscriptionId,'/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/connections/', parameters('CustomConnectorName'))]"
"AzureMonitorConnectionName": "[concat('azuremonitor-', parameters('PlaybookName'))]",
"AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]",
"PaloAltoConnectorConnectionName": "[concat('PaloAltoConnector-', parameters('PlaybookName'))]"
},
"resources": [
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('AzureSentinelConnectionName')]",
"location": "[resourceGroup().location]",
"kind": "V1",
"properties": {
"displayName": "[parameters('PlaybookName')]",
"customParameterValues": {},
"parameterValueType": "Alternative",
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('PaloAltoConnectorConnectionName')]",
"location": "[resourceGroup().location]",
"properties": {
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('CustomConnectorName'))]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('AzureMonitorConnectionName')]",
"location": "[resourceGroup().location]",
"properties": {
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuremonitorlogs')]"
}
}
},
{
"type": "Microsoft.Logic/workflows",
"apiVersion": "2017-07-01",
"name": "[parameters('PlaybookName')]",
"location": "westus2",
"location": "[variables('location')]",
"identity": {
"type": "SystemAssigned"
},
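Review bot: The `Microsoft.Logic/workflows` resource declares no `dependsOn` on the three `Microsoft.Web/connections` resources this hunk adds; the resource body continues past the end of the hunk, so a later `dependsOn` cannot be ruled out from here, but `$connections` refers to them via `resourceId()`, which creates no implicit ordering, so the deployment can fail whenever the workflow is provisioned before one of its connections. The list below, placed after `location`, mirrors what the sibling Get Threat PCAP template in this commit does. Separately, the hunk at `@ -82,7 +120,7` only renames the trigger to `Microsoft_Sentinel_incident`; its `path` is outside the hunk, and the sibling template switches `/subscribe` to `/incident-creation` in the same commit, so confirm this file's trigger path was updated as well.
```json
"location": "[variables('location')]",
"dependsOn": [
  "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
  "[resourceId('Microsoft.Web/connections', variables('PaloAltoConnectorConnectionName'))]",
  "[resourceId('Microsoft.Web/connections', variables('AzureMonitorConnectionName'))]"
],
"identity": {
```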
@ -82,7 +120,7 @@
}
},
"triggers": {
"Microsoft_Sentinel_alert": {
"Microsoft_Sentinel_incident": {
"type": "ApiConnectionWebhook",
"inputs": {
"body": {
@ -101,18 +139,18 @@
"For_each": {
"foreach": "@body('Run_query_and_list_results')?['value']",
"actions": {
"If_alert_is_a_Palo_Alto_alert": {
"If_incident_is_a_Palo_Alto_incident": {
"actions": {
"Add_comment_to_incident_(V3)": {
"runAfter": {
"Alert_-_Get_incident": [
"Query_Palo_Alto_XML_API": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"body": {
"incidentArmId": "@body('Alert_-_Get_incident')?['id']",
"incidentArmId": "@triggerBody()?['object']?['id']",
"message": "<p>@{body('Query_Palo_Alto_XML_API')}</p>"
},
"host": {
@ -124,23 +162,6 @@
"path": "/Incidents/Comment"
}
},
"Alert_-_Get_incident": {
"runAfter": {
"Query_Palo_Alto_XML_API": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "get",
"path": "/Incidents/subscriptions/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/resourceGroups/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/workspaces/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/alerts/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}"
}
},
"Query_Palo_Alto_XML_API": {
"runAfter": {},
"type": "ApiConnection",
@ -209,17 +230,22 @@
"$connections": {
"value": {
"azuremonitorlogs": {
"connectionId": "[variables('AzureMonitorLogsConnector')]",
"connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureMonitorConnectionName'))]",
"connectionName": "azuremonitorlogs",
"id": "[concat('/subscriptions/', subscription().subscriptionId,'/providers/Microsoft.Web/locations/', variables('location'), '/managedApis/azuremonitorlogs')]"
},
"azuresentinel": {
"connectionId": "[variables('AzureSentinelConnector')]",
"connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
"connectionName": "azuresentinel",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('location'), '/managedApis/azuresentinel')]"
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('location'), '/managedApis/azuresentinel')]",
"connectionProperties": {
"authentication": {
"type": "ManagedServiceIdentity"
}
}
},
"paloaltoconnector": {
"connectionId": "[variables('PaloAltoConnector')]",
"connectionId": "[resourceId('Microsoft.Web/connections', variables('PaloAltoConnectorConnectionName'))]",
"connectionName": "paloaltoconnector",
"id": "[concat('/subscriptions/', subscription().subscriptionId,'/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('CustomConnectorName'))]"
}


@ -17,7 +17,7 @@ When a new Sentinel incident is created, this playbook gets triggered and perfor
### Prerequisites
1. PaloAlto connector needs to be deployed prior to the deployment of this playbook under the same subscription. Relevant instructions can be found in the connector doc page.
2. Generate an API key.[Refer this link on how to generate the API Key](https://paloaltolactest.trafficmanager.net/restapi-doc/#tag/key-generation)
3. Address group should be created for PAN-OS and this should be used while creating playbooks.
3. This playbook only works for Palo Alto incidents.
### Deployment instructions


@ -5,12 +5,11 @@
"title": "Get Threat PCAP - Palo Alto PAN-OS XML API",
"description": "This playbook gets a threat PCAP from the Panorama machine for a particular threat. ",
"mainSteps": [
"1.For each alert, check if the alert is a Palo Alto alert.",
"1. For each incident, check if the alert is a Palo Alto incident.",
"2. If it is, extract the session ID, the PCAP ID, the firewall device name, the time at which the PCAP was generated.",
"3. Make a call to the Panorama, and get the PCAP.",
"4. Upload the PCAP to a blob storage account.",
"5. Create a Sentinel Incident for the alert.",
"6. Update the Sentinel Incident with a link to the blob store file."
"5. Update the Sentinel Incident with a link to the blob store file."
],
"prerequisites": [
"1. Palo Alto PAN-OS custom connector needs to be deployed prior to the deployment of this playbook, in the same resource group and region.",
@ -57,19 +56,133 @@
}
},
"variables": {
"AzureBlobConnectionName": "[concat('azureblob-', parameters('PlaybookName'))]",
"AzureStorageName": "panosthreatpcapssa",
"subscriptionId": "[subscription().subscriptionId]",
"location": "[resourceGroup().location]",
"AzureSentinelConnector": "[concat('/subscriptions/', subscription().subscriptionId,'/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/connections/azuresentinel')]",
"AzureBlobConnector": "[concat('/subscriptions/', subscription().subscriptionId,'/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/connections/azureblob')]",
"AzureMonitorLogsConnector": "[concat('/subscriptions/', subscription().subscriptionId,'/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/connections/azuremonitorlogs')]",
"PaloAltoConnector": "[concat('/subscriptions/', subscription().subscriptionId,'/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/connections/', parameters('CustomConnectorName'))]"
"AzureMonitorConnectionName": "[concat('azuremonitor-', parameters('PlaybookName'))]",
"AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]",
"ContainerName": "panosthreatpcaps",
"PaloAltoConnectorConnectionName": "[concat('PaloAltoConnector-', parameters('PlaybookName'))]"
},
"resources": [
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2021-04-01",
"name": "[variables('AzureStorageName')]",
"location": "[resourceGroup().location]",
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"kind": "StorageV2",
"properties": {
"accessTier": "Hot",
"minimumTlsVersion": "TLS1_2",
"supportsHttpsTrafficOnly": "true",
"allowBlobPublicAccess": "false",
"allowSharedKeyAccess": "true",
"networkAcls": {
"bypass": "AzureServices",
"defaultAction": "Allow",
"ipRules": []
}
}
},
{
"name": "[concat(variables('AzureStorageName'), '/default')]",
"type": "Microsoft.Storage/storageAccounts/blobServices",
"apiVersion": "2021-02-01",
"dependsOn": [
"[concat('Microsoft.Storage/storageAccounts/', variables('AzureStorageName'))]"
],
"properties": {
"deleteRetentionPolicy": {
"enabled": "false"
}
}
},
{
"type": "Microsoft.Storage/storageAccounts/blobServices/containers",
"apiVersion": "2019-06-01",
"name": "[concat(variables('AzureStorageName'), '/default/', variables('ContainerName'))]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts/blobServices', variables('AzureStorageName'), 'default')]",
"[resourceId('Microsoft.Storage/storageAccounts', variables('AzureStorageName'))]"
],
"properties": {
"publicAccess": "None"
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('AzureBlobConnectionName')]",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts/', variables('AzureStorageName'))]"
],
"properties": {
"displayName": "[variables('AzureBlobConnectionName')]",
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azureblob')]"
},
"parameterValues": {
"accountName": "[variables('AzureStorageName')]",
"accessKey": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('AzureStorageName')), '2019-04-01').keys[0].value]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('AzureSentinelConnectionName')]",
"location": "[resourceGroup().location]",
"kind": "V1",
"properties": {
"displayName": "[parameters('PlaybookName')]",
"customParameterValues": {},
"parameterValueType": "Alternative",
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('PaloAltoConnectorConnectionName')]",
"location": "[resourceGroup().location]",
"properties": {
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('CustomConnectorName'))]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('AzureMonitorConnectionName')]",
"location": "[resourceGroup().location]",
"properties": {
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuremonitorlogs')]"
}
}
},
{
"type": "Microsoft.Logic/workflows",
"apiVersion": "2017-07-01",
"name": "[parameters('PlaybookName')]",
"location": "westus2",
"location": "[variables('location')]",
"dependsOn": [
"[resourceId('Microsoft.Web/connections', variables('AzureBlobConnectionName'))]",
"[resourceId('Microsoft.Web/connections', variables('PaloAltoConnectorConnectionName'))]",
"[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]"
],
"identity": {
"type": "SystemAssigned"
},
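Review bot: The `azureblob` connection is provisioned with the storage account's shared key via `listKeys(...).keys[0].value`, so a long-lived secret is copied into the API connection even though the workflow gets a `SystemAssigned` identity in this same hunk and the `azuresentinel` connection already authenticates with `ManagedServiceIdentity`; using the Azure Blob connector's managed-identity authentication with a Storage Blob Data Contributor role assignment on the account would let `allowSharedKeyAccess` become `false`. On the same storage resource, `networkAcls.defaultAction` is `"Allow"`, leaving the account reachable from any network, and the string-valued `"true"`/`"false"` on `supportsHttpsTrafficOnly`, `allowBlobPublicAccess`, `allowSharedKeyAccess` and `deleteRetentionPolicy.enabled` should be JSON booleans. The `Create_blob_(V2)` action in the later hunk (`@ -167,7 +263,7`) still writes to dataset `'defendpaloaltopcapsdev'` and folder `pcapblobs-palo-alto` rather than the account and container this template now creates (`AzureStorageName`, `ContainerName`), so PCAPs do not land in the provisioned storage. `AzureStorageName` is a fixed, globally unique name, so a second deployment in another subscription collides; `"AzureStorageName": "[concat('panospcap', uniqueString(resourceGroup().id))]"` avoids that. Finally, the workflow's `dependsOn` omits the `azuremonitor` connection that `$connections` references, and `resourceId()` creates no implicit ordering, so the list should be as below.
```json
"dependsOn": [
  "[resourceId('Microsoft.Web/connections', variables('AzureBlobConnectionName'))]",
  "[resourceId('Microsoft.Web/connections', variables('AzureMonitorConnectionName'))]",
  "[resourceId('Microsoft.Web/connections', variables('PaloAltoConnectorConnectionName'))]",
  "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]"
],
"identity": {
```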
@ -85,7 +198,7 @@
}
},
"triggers": {
"Microsoft_Sentinel_alert": {
"incident": {
"type": "ApiConnectionWebhook",
"inputs": {
"body": {
@ -96,7 +209,7 @@
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"path": "/subscribe"
"path": "/incident-creation"
}
}
},
@ -104,20 +217,20 @@
"For_each": {
"foreach": "@body('Run_query_and_list_results')?['value']",
"actions": {
"If_alert_is_a_Palo_Alto_alert": {
"If_incident_is_a_Palo_Alto_incident": {
"actions": {
"If_PCAP_ID_Exists": {
"actions": {
"Add_comment_to_incident_(V3)": {
"runAfter": {
"Alert_-_Get_incident": [
"Create_blob_(V2)": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"body": {
"incidentArmId": "@body('Alert_-_Get_incident')?['id']",
"incidentArmId": "@triggerBody()?['object']?['id']",
"message": "<p>@{body('Create_blob_(V2)')?['Path']}</p>"
},
"host": {
@ -129,23 +242,6 @@
"path": "/Incidents/Comment"
}
},
"Alert_-_Get_incident": {
"runAfter": {
"Create_blob_(V2)": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "get",
"path": "/Incidents/subscriptions/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/resourceGroups/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/workspaces/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/alerts/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}"
}
},
"Create_blob_(V2)": {
"runAfter": {
"Query_Palo_Alto_XML_API": [
@ -167,7 +263,7 @@
"path": "/v2/datasets/@{encodeURIComponent(encodeURIComponent('defendpaloaltopcapsdev'))}/files",
"queries": {
"folderPath": "pcapblobs-palo-alto",
"name": "@{concat(string('paloalto',items('For_each')['PcapID']), string(triggerBody()?['TimeGenerated']), '.pcap')}",
"name": "@{concat(string('paloalto',items('For_each')['PcapID']), string(items('For_each')['TimeGenerated']), '.pcap')}",
"queryParametersSingleEncoded": true
}
},
@ -192,7 +288,7 @@
"category": "threat-pcap",
"device_name": "@items('For_each')['MonitoringDeviceName']",
"pcap-id": "@items('For_each')['PcapID']",
"search-time": "@triggerBody()?['TimeGenerated']",
"search-time": "@{items('For_each')['TimeGenerated']}",
"sessionId": "@items('For_each')['SessionID']",
"type": "export"
}
@ -272,28 +368,28 @@
"$connections": {
"value": {
"azureblob": {
"connectionId": "[variables('AzureBlobConnector')]",
"connectionName": "azureblob",
"connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureBlobConnectionName'))]",
"connectionName": "[variables('AzureBlobConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId,'/providers/Microsoft.Web/locations/', variables('location'), '/managedApis/azureblob')]"
},
"azuremonitorlogs": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureMonitorConnectionName'))]",
"connectionName": "[variables('AzureMonitorConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuremonitorlogs')]"
},
"azuresentinel": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
"connectionName": "[variables('AzureSentinelConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]",
"connectionProperties": {
"authentication": {
"type": "ManagedServiceIdentity"
}
},
"id": "[concat('/subscriptions/', subscription().subscriptionId,'/providers/Microsoft.Web/locations/', variables('location'), '/managedApis/azureblob')]"
},
"azuremonitorlogs": {
"connectionId": "[variables('AzureMonitorLogsConnector')]",
"connectionName": "azuremonitorlogs",
"id": "[concat('/subscriptions/', subscription().subscriptionId,'/providers/Microsoft.Web/locations/', variables('location'), '/managedApis/azuremonitorlogs')]"
},
"azuresentinel": {
"connectionId": "[variables('AzureSentinelConnector')]",
"connectionName": "azuresentinel",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('location'), '/managedApis/azuresentinel')]"
}
},
"paloaltoconnector": {
"connectionId": "[variables('PaloAltoConnector')]",
"connectionName": "paloaltoconnector",
"connectionId": "[resourceId('Microsoft.Web/connections', variables('PaloAltoConnectorConnectionName'))]",
"connectionName": "[variables('PaloAltoConnectorConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId,'/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('CustomConnectorName'))]"
}
}


@ -19,7 +19,7 @@ When a new Sentinel incident is created, this playbook gets triggered and perfor
### Prerequisites
1. PaloAlto connector needs to be deployed prior to the deployment of this playbook under the same subscription. Relevant instructions can be found in the connector doc page.
2. Generate an API key.[Refer this link on how to generate the API Key](https://paloaltolactest.trafficmanager.net/restapi-doc/#tag/key-generation)
3. Address group should be created for PAN-OS and this should be used while creating playbooks.
3. This playbook only works for Palo Alto incidents with a threat PCAP where the PCAP ID is not null or zero.
### Deployment instructions