Initial work on the playbook. It deploys via the template, but the LA config still needs fixing, as does the HTTP action, which is set for the old tenant.

This commit is contained in:
Dennis Pike 2021-02-19 18:36:47 -05:00
Родитель df63e8a60f
Коммит 5d524cdaa3
2 изменённых файлов: 697 добавлений и 0 удалений


@ -0,0 +1,688 @@
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"PlaybookName": {
"defaultValue": "<PlaybookName>",
"type": "string"
},
"UserName": {
"defaultValue": "<username>@<domain>",
"type": "string"
}
},
"variables": {
"DefenderForEndpointConnectionName": "[concat('defenderforendpoint-', parameters('PlaybookName'))]",
"AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]",
"AzureLogAnalyticsConnectionName": "[concat('azureloganalytics-', parameters('PlaybookName'))]"
},
"resources": [
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('DefenderForEndpointConnectionName')]",
"location": "[resourceGroup().location]",
"properties": {
"displayName": "[parameters('UserName')]",
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/wdatp')]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('AzureSentinelConnectionName')]",
"location": "[resourceGroup().location]",
"properties": {
"displayName": "[parameters('UserName')]",
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('AzureLogAnalyticsConnectionName')]",
"location": "[resourceGroup().location]",
"properties": {
"displayName": "[parameters('UserName')]",
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azureloganalyticsdatacollector')]"
}
}
},
{
"type": "Microsoft.Logic/workflows",
"apiVersion": "2017-07-01",
"name": "[parameters('PlaybookName')]",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Web/connections', variables('DefenderForEndpointConnectionName'))]",
"[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
"[resourceId('Microsoft.Web/connections', variables('AzureLogAnalyticsConnectionName'))]"
],
"properties": {
"state": "Enabled",
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"$connections": {
"defaultValue": {},
"type": "Object"
}
},
"triggers": {
"When_a_response_to_an_Azure_Sentinel_alert_is_triggered": {
"type": "ApiConnectionWebhook",
"inputs": {
"body": {
"callback_url": "@{listCallbackUrl()}"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"path": "/subscribe"
}
}
},
"actions": {
"Alert_-_Get_incident": {
"runAfter": {},
"type": "ApiConnection",
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "get",
"path": "/Incidents/subscriptions/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/resourceGroups/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/workspaces/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/alerts/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}"
}
},
"Entities_-_Get_Hosts": {
"runAfter": {
"Alert_-_Get_incident": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"body": "@triggerBody()?['Entities']",
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/entities/host"
}
},
"For_each": {
"foreach": "@body('Entities_-_Get_Hosts')?['Hosts']",
"actions": {
"Condition_2": {
"actions": {
"Add_comment_to_incident_(V3)_3": {
"runAfter": {},
"type": "ApiConnection",
"inputs": {
"body": {
"incidentArmId": "@body('Alert_-_Get_incident')?['id']",
"message": "<p>@{variables('results')} File Action Taken within 30 mins of this Incident<br>\nKQL query : IncidentFileActions_CL | where IncidentID_d == @{body('Alert_-_Get_incident')?['properties']?['incidentNumber']}</p>"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/Incidents/Comment"
}
},
"For_each_2": {
"foreach": "@body('Parse_JSON')?['Results']",
"actions": {
"Send_Data": {
"runAfter": {},
"type": "ApiConnection",
"inputs": {
"body": "@{addProperty(items('For_each_2'), 'IncidentID', body('Alert_-_Get_incident')?['properties']?['incidentNumber'] )}",
"headers": {
"Log-Type": "IncidentFileActions_CL"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']"
}
},
"method": "post",
"path": "/api/logs"
}
}
},
"runAfter": {
"Add_comment_to_incident_(V3)_3": [
"Succeeded"
]
},
"type": "Foreach"
}
},
"runAfter": {
"Set_variable_2": [
"Succeeded"
]
},
"else": {
"actions": {
"Add_comment_to_incident_(V3)_4": {
"runAfter": {},
"type": "ApiConnection",
"inputs": {
"body": {
"incidentArmId": "@body('Alert_-_Get_incident')?['id']",
"message": "<p>No File Actions found within 30 minutes of this incident</p>"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/Incidents/Comment"
}
}
}
},
"expression": {
"and": [
{
"greaterOrEquals": [
"@variables('results')",
1
]
}
]
},
"type": "If"
},
"HTTP": {
"runAfter": {
"Machines_-_Get_single_machine": [
"Succeeded"
]
},
"type": "Http",
"inputs": {
"authentication": {
"audience": "https://api.security.microsoft.com",
"clientId": "dfc8819e-b74e-42f8-958f-92c211a0b38b",
"secret": "ljjK-69Q5bJbm43UU-At7NdeWDrhIX_28~",
"tenant": "abb8c19b-dacd-4348-8207-474c74869d7d",
"type": "ActiveDirectoryOAuth"
},
"body": {
"Query": "let timeOfEvent = datetime('@{body('Alert_-_Get_incident')?['properties']?['createdTimeUtc']}'); let offset = 30; let timeOfEventOffset = datetime_add('minute',offset,timeOfEvent); let device = '@{body('Machines_-_Get_single_machine')?['id']}'; DeviceFileEvents | where Timestamp between (timeOfEvent .. timeOfEventOffset) | where DeviceId == device"
},
"headers": {
"Content-Type": "application/json"
},
"method": "POST",
"uri": "https://api.security.microsoft.com/api/advancedHunting/run"
}
},
"Machines_-_Get_single_machine": {
"runAfter": {},
"type": "ApiConnection",
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['wdatp']['connectionId']"
}
},
"method": "get",
"path": "/api/machines/@{encodeURIComponent(items('For_each')?['HostName'])}"
}
},
"Parse_JSON": {
"runAfter": {
"HTTP": [
"Succeeded"
]
},
"type": "ParseJson",
"inputs": {
"content": "@body('HTTP')",
"schema": {
"properties": {
"Results": {
"items": {
"properties": {
"ActionType": {
"type": "string"
},
"AdditionalFields": {
"type": "string"
},
"AppGuardContainerId": {
"type": "string"
},
"DeviceId": {
"type": "string"
},
"DeviceName": {
"type": "string"
},
"FileName": {
"type": "string"
},
"FileOriginIP": {
"type": "string"
},
"FileOriginReferrerUrl": {
"type": "string"
},
"FileOriginUrl": {
"type": "string"
},
"FileSize": {
"type": [
"integer",
"null"
]
},
"FolderPath": {
"type": "string"
},
"InitiatingProcessAccountDomain": {
"type": "string"
},
"InitiatingProcessAccountName": {
"type": "string"
},
"InitiatingProcessAccountObjectId": {
"type": "string"
},
"InitiatingProcessAccountSid": {
"type": "string"
},
"InitiatingProcessAccountUpn": {
"type": "string"
},
"InitiatingProcessCommandLine": {
"type": "string"
},
"InitiatingProcessCreationTime": {
"type": "string"
},
"InitiatingProcessFileName": {
"type": "string"
},
"InitiatingProcessFileSize": {
"type": "integer"
},
"InitiatingProcessFolderPath": {
"type": "string"
},
"InitiatingProcessId": {
"type": "integer"
},
"InitiatingProcessIntegrityLevel": {
"type": "string"
},
"InitiatingProcessMD5": {
"type": "string"
},
"InitiatingProcessParentCreationTime": {
"type": "string"
},
"InitiatingProcessParentFileName": {
"type": "string"
},
"InitiatingProcessParentId": {
"type": "integer"
},
"InitiatingProcessSHA1": {
"type": "string"
},
"InitiatingProcessSHA256": {
"type": "string"
},
"InitiatingProcessTokenElevation": {
"type": "string"
},
"InitiatingProcessVersionInfoCompanyName": {
"type": "string"
},
"InitiatingProcessVersionInfoFileDescription": {
"type": "string"
},
"InitiatingProcessVersionInfoInternalFileName": {
"type": "string"
},
"InitiatingProcessVersionInfoOriginalFileName": {
"type": "string"
},
"InitiatingProcessVersionInfoProductName": {
"type": "string"
},
"InitiatingProcessVersionInfoProductVersion": {
"type": "string"
},
"IsAzureInfoProtectionApplied": {},
"MD5": {
"type": "string"
},
"PreviousFileName": {
"type": "string"
},
"PreviousFolderPath": {
"type": "string"
},
"ReportId": {
"type": "integer"
},
"RequestAccountDomain": {
"type": "string"
},
"RequestAccountName": {
"type": "string"
},
"RequestAccountSid": {
"type": "string"
},
"RequestProtocol": {
"type": "string"
},
"RequestSourceIP": {
"type": "string"
},
"RequestSourcePort": {},
"SHA1": {
"type": "string"
},
"SHA256": {
"type": "string"
},
"SensitivityLabel": {
"type": "string"
},
"SensitivitySubLabel": {
"type": "string"
},
"ShareName": {
"type": "string"
},
"Timestamp": {
"type": "string"
}
},
"required": [
"Timestamp",
"DeviceId",
"DeviceName",
"ActionType",
"FileName",
"FolderPath",
"SHA1",
"SHA256",
"MD5",
"FileOriginUrl",
"FileOriginReferrerUrl",
"FileOriginIP",
"PreviousFolderPath",
"PreviousFileName",
"FileSize",
"InitiatingProcessAccountDomain",
"InitiatingProcessAccountName",
"InitiatingProcessAccountSid",
"InitiatingProcessAccountUpn",
"InitiatingProcessAccountObjectId",
"InitiatingProcessMD5",
"InitiatingProcessSHA1",
"InitiatingProcessSHA256",
"InitiatingProcessVersionInfoCompanyName",
"InitiatingProcessVersionInfoProductName",
"InitiatingProcessVersionInfoProductVersion",
"InitiatingProcessVersionInfoInternalFileName",
"InitiatingProcessVersionInfoOriginalFileName",
"InitiatingProcessVersionInfoFileDescription",
"InitiatingProcessFolderPath",
"InitiatingProcessFileName",
"InitiatingProcessFileSize",
"InitiatingProcessId",
"InitiatingProcessCommandLine",
"InitiatingProcessCreationTime",
"InitiatingProcessIntegrityLevel",
"InitiatingProcessTokenElevation",
"InitiatingProcessParentId",
"InitiatingProcessParentFileName",
"InitiatingProcessParentCreationTime",
"RequestProtocol",
"RequestSourceIP",
"RequestSourcePort",
"RequestAccountName",
"RequestAccountDomain",
"RequestAccountSid",
"ShareName",
"SensitivityLabel",
"SensitivitySubLabel",
"IsAzureInfoProtectionApplied",
"ReportId",
"AppGuardContainerId",
"AdditionalFields"
],
"type": "object"
},
"type": "array"
},
"Schema": {
"items": {
"properties": {
"Name": {
"type": "string"
},
"Type": {
"type": "string"
}
},
"required": [
"Name",
"Type"
],
"type": "object"
},
"type": "array"
},
"Stats": {
"properties": {
"ExecutionTime": {
"type": "number"
},
"dataset_statistics": {
"items": {
"properties": {
"table_row_count": {
"type": "integer"
},
"table_size": {
"type": "integer"
}
},
"required": [
"table_row_count",
"table_size"
],
"type": "object"
},
"type": "array"
},
"resource_usage": {
"properties": {
"cache": {
"properties": {
"disk": {
"properties": {
"hits": {
"type": "integer"
},
"misses": {
"type": "integer"
},
"total": {
"type": "integer"
}
},
"type": "object"
},
"memory": {
"properties": {
"hits": {
"type": "integer"
},
"misses": {
"type": "integer"
},
"total": {
"type": "integer"
}
},
"type": "object"
}
},
"type": "object"
},
"cpu": {
"properties": {
"kernel": {
"type": "string"
},
"total cpu": {
"type": "string"
},
"user": {
"type": "string"
}
},
"type": "object"
},
"memory": {
"properties": {
"peak_per_node": {
"type": "integer"
}
},
"type": "object"
}
},
"type": "object"
}
},
"type": "object"
}
},
"type": "object"
}
}
},
"Set_variable": {
"runAfter": {
"Parse_JSON": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "results",
"value": "@length(body('Parse_JSON')?['Results'])"
}
},
"Set_variable_2": {
"runAfter": {
"Set_variable": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "resultJSON",
"value": "@{body('Parse_JSON')?['Results']}"
}
}
},
"runAfter": {
"Initialize_variable_2": [
"Succeeded"
]
},
"type": "Foreach"
},
"Initialize_variable": {
"runAfter": {
"Entities_-_Get_Hosts": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "results",
"type": "integer",
"value": 0
}
]
}
},
"Initialize_variable_2": {
"runAfter": {
"Initialize_variable": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "resultJSON",
"type": "string"
}
]
}
}
},
"outputs": {}
},
"parameters": {
"$connections": {
"value": {
"wdatp": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('DefenderForEndpointConnectionName'))]",
"connectionName": "[variables('DefenderForEndpointConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/wdatp')]"
},
"azuresentinel": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
"connectionName": "[variables('AzureSentinelConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
},
"azureloganalyticsdatacollector": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureLogAnalyticsConnectionName'))]",
"connectionName": "[variables('AzureLogAnalyticsConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azureloganalyticsdatacollector')]"
}
}
}
}
}
}
]
}
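Review bot: The `authentication` block of the `HTTP` action embeds a live Azure AD client secret, with its `clientId` and `tenant`, as plaintext string literals in a deployment template that is committed to source control; the commit message's note that it points at the old tenant does not reduce the exposure, and the secret should be treated as disclosed and rotated. The template's top-level `parameters` block already declares `PlaybookName` and `UserName`, so the three values belong there as well, with the secret declared as `"type": "securestring"` and handed to the workflow through a `securestring` definition parameter or a Key Vault Get-secret action rather than written into the definition, where it would otherwise remain readable to anyone with read access to the Logic App. A second, functional point: `Set_variable` and `Set_variable_2` assign the shared workflow variables `results` and `resultJSON` inside `For_each`, whose iterations run concurrently by default, so one host's count can be overwritten by another's before `Condition_2` reads it and before the comment in `Add_comment_to_incident_(V3)_3` is posted; adding `"runtimeConfiguration": { "concurrency": { "repetitions": 1 } }` to `For_each` makes the per-host comment deterministic. `resultJSON` is also never read after being set, so it can be dropped unless it is intended for later use.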


@ -0,0 +1,9 @@
# Get-MDEFileActivityWithin30Mins
author: Dennis Pike
## Overview
This Playbook queries Microsoft Defender for Endpoint telemetry data for all File Events (Read, Write, Modify, Delete) that occur within 30 minutes of the incident and adds a comment to the incident specifying the number of File Events and a link to the query results.
## Required Paramaters
NEED TO FILL IN