RecordedFuture-Alert-Importer fixes

This commit is contained in:
RecordedFutureOskbo 2024-08-23 11:35:48 +02:00
Родитель 11ef436850
Коммит 5d5d19d303
5 изменённых файлов: 103 добавлений и 90 удалений


@ -42,7 +42,7 @@
"Workbooks/RecordedFutureMalwareThreatHunting.json"
],
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Recorded Future",
"Version": "3.2.7",
"Version": "3.2.8",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true,
"Is1Pconnector": false

Solutions/Recorded Future/Package/3.2.8.zip Normal file



@ -97,7 +97,7 @@
"email": "support@recordedfuture.com",
"_email": "[variables('email')]",
"_solutionName": "Recorded Future",
"_solutionVersion": "3.2.7",
"_solutionVersion": "3.2.8",
"solutionId": "recordedfuture1605638642586.recorded_future_sentinel_solution",
"_solutionId": "[variables('solutionId')]",
"analyticRuleObject1": {
@ -190,7 +190,7 @@
"_playbookcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId2'),'-', variables('playbookVersion2'))))]",
"RecordedFuture-Alert-Importer": "RecordedFuture-Alert-Importer",
"_RecordedFuture-Alert-Importer": "[variables('RecordedFuture-Alert-Importer')]",
"playbookVersion3": "1.0",
"playbookVersion3": "1.3",
"playbookContentId3": "RecordedFuture-Alert-Importer",
"_playbookContentId3": "[variables('playbookContentId3')]",
"playbookId3": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId3'))]",
@ -343,7 +343,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "RecordedFutureDomainMalwareC2inDNSEvents_AnalyticalRules Analytics Rule with template version 3.2.7",
"description": "RecordedFutureDomainMalwareC2inDNSEvents_AnalyticalRules Analytics Rule with template version 3.2.8",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
@ -482,7 +482,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "RecordedFutureDomainMalwareC2inSyslogEvents_AnalyticalRules Analytics Rule with template version 3.2.7",
"description": "RecordedFutureDomainMalwareC2inSyslogEvents_AnalyticalRules Analytics Rule with template version 3.2.8",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
@ -622,7 +622,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "RecordedFutureHashObservedInUndergroundinCommonSecurityLog_AnalyticalRules Analytics Rule with template version 3.2.7",
"description": "RecordedFutureHashObservedInUndergroundinCommonSecurityLog_AnalyticalRules Analytics Rule with template version 3.2.8",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]",
@ -778,7 +778,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "RecordedFutureIPMalwareC2inAzureActivityEvents_AnalyticalRules Analytics Rule with template version 3.2.7",
"description": "RecordedFutureIPMalwareC2inAzureActivityEvents_AnalyticalRules Analytics Rule with template version 3.2.8",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]",
@ -909,7 +909,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "RecordedFutureIPMalwareC2inDNSEvents_AnalyticalRules Analytics Rule with template version 3.2.7",
"description": "RecordedFutureIPMalwareC2inDNSEvents_AnalyticalRules Analytics Rule with template version 3.2.8",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]",
@ -1054,7 +1054,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "RecordedFutureUrlReportedbyInsiktGroupinSyslogEvents_AnalyticalRules Analytics Rule with template version 3.2.7",
"description": "RecordedFutureUrlReportedbyInsiktGroupinSyslogEvents_AnalyticalRules Analytics Rule with template version 3.2.8",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]",
@ -1183,7 +1183,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "RecordedFutureThreatHuntingHashAllActors_AnalyticalRules Analytics Rule with template version 3.2.7",
"description": "RecordedFutureThreatHuntingHashAllActors_AnalyticalRules Analytics Rule with template version 3.2.8",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]",
@ -1249,23 +1249,23 @@
"ActorInformation": "RecordedFuturePortalLink"
},
"alertDetailsOverride": {
"alertDisplayNameFormat": "{{Description}}",
"alertDescriptionFormat": "**{{Description}}**\\n\\nCorrelation found on {{Hash}} from the {{Type}} table.\\n",
"alertDynamicProperties": [
{
"value": "RecordedFuturePortalLink",
"alertProperty": "AlertLink"
"alertProperty": "AlertLink",
"value": "RecordedFuturePortalLink"
}
],
"alertDescriptionFormat": "**{{Description}}**\\n\\nCorrelation found on {{Hash}} from the {{Type}} table.\\n"
"alertDisplayNameFormat": "{{Description}}"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"matchingMethod": "AllEntities",
"reopenClosedIncident": false,
"lookbackDuration": "1h",
"enabled": true
},
"createIncident": true
"matchingMethod": "AllEntities",
"enabled": true,
"lookbackDuration": "1h"
}
}
}
},
@ -1320,7 +1320,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "RecordedFutureThreatHuntingIPAllActors_AnalyticalRules Analytics Rule with template version 3.2.7",
"description": "RecordedFutureThreatHuntingIPAllActors_AnalyticalRules Analytics Rule with template version 3.2.8",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]",
@ -1380,23 +1380,23 @@
"ActorInformation": "RecordedFuturePortalLink"
},
"alertDetailsOverride": {
"alertDisplayNameFormat": "{{Description}}",
"alertDescriptionFormat": "**{{Description}}**\\n\\nCorrelation found on {{NetworkIP}} from the {{Type}} table.\\n",
"alertDynamicProperties": [
{
"value": "RecordedFuturePortalLink",
"alertProperty": "AlertLink"
"alertProperty": "AlertLink",
"value": "RecordedFuturePortalLink"
}
],
"alertDescriptionFormat": "**{{Description}}**\\n\\nCorrelation found on {{NetworkIP}} from the {{Type}} table.\\n"
"alertDisplayNameFormat": "{{Description}}"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"matchingMethod": "AllEntities",
"reopenClosedIncident": false,
"lookbackDuration": "1h",
"enabled": true
},
"createIncident": true
"matchingMethod": "AllEntities",
"enabled": true,
"lookbackDuration": "1h"
}
}
}
},
@ -1451,7 +1451,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "RecordedFutureThreatHuntingDomainAllActors_AnalyticalRules Analytics Rule with template version 3.2.7",
"description": "RecordedFutureThreatHuntingDomainAllActors_AnalyticalRules Analytics Rule with template version 3.2.8",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]",
@ -1511,23 +1511,23 @@
"ActorInformation": "RecordedFuturePortalLink"
},
"alertDetailsOverride": {
"alertDisplayNameFormat": "{{Description}}",
"alertDescriptionFormat": "**{{Description}}**\\n\\nCorrelation found on {{DomainName}} from the {{Type}} table.\\n",
"alertDynamicProperties": [
{
"value": "RecordedFuturePortalLink",
"alertProperty": "AlertLink"
"alertProperty": "AlertLink",
"value": "RecordedFuturePortalLink"
}
],
"alertDescriptionFormat": "**{{Description}}**\\n\\nCorrelation found on {{DomainName}} from the {{Type}} table.\\n"
"alertDisplayNameFormat": "{{Description}}"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"matchingMethod": "AllEntities",
"reopenClosedIncident": false,
"lookbackDuration": "1h",
"enabled": true
},
"createIncident": true
"matchingMethod": "AllEntities",
"enabled": true,
"lookbackDuration": "1h"
}
}
}
},
@ -1582,7 +1582,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "RecordedFutureThreatHuntingUrlAllActors_AnalyticalRules Analytics Rule with template version 3.2.7",
"description": "RecordedFutureThreatHuntingUrlAllActors_AnalyticalRules Analytics Rule with template version 3.2.8",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject10').analyticRuleVersion10]",
@ -1640,23 +1640,23 @@
"ActorInformation": "RecordedFuturePortalLink"
},
"alertDetailsOverride": {
"alertDisplayNameFormat": "{{Description}}",
"alertDescriptionFormat": "*{{Description}}**\\n\\nCorrelation found on {{Url}} from the {{Type}} table.\\n",
"alertDynamicProperties": [
{
"value": "RecordedFuturePortalLink",
"alertProperty": "AlertLink"
"alertProperty": "AlertLink",
"value": "RecordedFuturePortalLink"
}
],
"alertDescriptionFormat": "*{{Description}}**\\n\\nCorrelation found on {{Url}} from the {{Type}} table.\\n"
"alertDisplayNameFormat": "{{Description}}"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"matchingMethod": "AllEntities",
"reopenClosedIncident": false,
"lookbackDuration": "1h",
"enabled": true
},
"createIncident": true
"matchingMethod": "AllEntities",
"enabled": true,
"lookbackDuration": "1h"
}
}
}
},
@ -1711,7 +1711,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "RecordedFuture-IOC_Enrichment Playbook with template version 3.2.7",
"description": "RecordedFuture-IOC_Enrichment Playbook with template version 3.2.8",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion1')]",
@ -2378,7 +2378,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "RecordedFuture-Playbook-Alert-Importer Playbook with template version 3.2.7",
"description": "RecordedFuture-Playbook-Alert-Importer Playbook with template version 3.2.8",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion2')]",
@ -2748,7 +2748,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "RecordedFuture-AlertImporter Playbook with template version 3.2.7",
"description": "RecordedFuture-AlertImporter Playbook with template version 3.2.8",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion3')]",
@ -3081,7 +3081,7 @@
},
"type": "ApiConnection",
"inputs": {
"body": "{\n\"RuleName\": \"@{items('For_each_triggered_alert')?['rule']?['name']}\",\n\"Triggered\": \"@{items('For_each_triggered_alert')?['log']?['triggered']}\",\n\"AlertName\": \"@{items('For_each_triggered_alert')?['title']}\",\n\"AlertID\": \"@{items('For_each_triggered_alert')?['id']}\", \n\"Entity\": @{items('For_each_hit')?['entities']},\n\"Documents\": @{items('For_each_hit')?['document']},\n\"URL\": \"@{items('For_each_triggered_alert')?['rule']?['url']?['portal']}\",\n\"Document_url\": \"@{items('For_each_hit')?['document']?['url']}\",\n\"AISummary\": \"@{replace(replace(coalesce(items('For_each_triggered_alert')?['ai_insights']?['text'],''), '\\', '\\\\'), '\"', '\\\"')}\",\n\"Fragment\": \"@{replace(replace(coalesce(body('Parse_JSON')?['fragment'],''), '\\', '\\\\'), '\"', '\\\"')}\"}",
"body": "{\n\"RuleName\": \"@{items('For_each_triggered_alert')?['rule']?['name']}\",\n\"Triggered\": \"@{items('For_each_triggered_alert')?['log']?['triggered']}\",\n\"AlertName\": \"@{replace(replace(items('For_each_triggered_alert')?['title'], '\\', '\\\\'), '\"', '\\\"')}\",\n\"AlertID\": \"@{items('For_each_triggered_alert')?['id']}\", \n\"Entity\": @{items('For_each_hit')?['entities']},\n\"Documents\": @{items('For_each_hit')?['document']},\n\"URL\": \"@{items('For_each_triggered_alert')?['rule']?['url']?['portal']}\",\n\"Document_url\": \"@{items('For_each_hit')?['document']?['url']}\",\n\"AISummary\": \"@{replace(replace(coalesce(items('For_each_triggered_alert')?['ai_insights']?['text'],''), '\\', '\\\\'), '\"', '\\\"')}\",\n\"Fragment\": \"@{replace(replace(coalesce(body('Parse_JSON')?['fragment'],''), '\\', '\\\\'), '\"', '\\\"')}\"}",
"headers": {
"Log-Type": "RecordedFuturePortalAlerts"
},
@ -3125,7 +3125,7 @@
},
"type": "ApiConnection",
"inputs": {
"body": "RecordedFuturePortalAlerts_CL\n| summarize LatestEvent=max(Triggered_t)",
"body": "RecordedFuturePortalAlerts_CL\n| summarize LatestEvent=max(Triggered_t)| extend LatestEvent=coalesce(LatestEvent, ago(1d))",
"host": {
"connection": {
"name": "@parameters('$connections')['azuremonitorlogs']['connectionId']"
@ -3214,7 +3214,7 @@
"location": "[[variables('workspace-location-inline')]",
"tags": {
"hidden-SentinelTemplateName": "RecordedFuture-AlertImporter",
"hidden-SentinelTemplateVersion": "1.0",
"hidden-SentinelTemplateVersion": "1.3",
"hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
},
"identity": {
@ -3317,7 +3317,7 @@
"postDeployment": [
"After deployment, open the playbook to configure all connections and press save."
],
"lastUpdateTime": "2024-01-12T00:00:00Z",
"lastUpdateTime": "2024-08-23T00:00:00Z",
"tags": [
"Alert"
],
@ -3342,6 +3342,13 @@
"notes": [
"API connector renaming."
]
},
{
"version": "1.3",
"title": "RecordedFuture-Alert-Importer",
"notes": [
"Encoding and latest_event_date fix."
]
}
]
}
@ -3368,7 +3375,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "RecordedFuture-ThreatIntelligenceImport Playbook with template version 3.2.7",
"description": "RecordedFuture-ThreatIntelligenceImport Playbook with template version 3.2.8",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion4')]",
@ -3590,7 +3597,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "RecordedFuture-Domain-IndicatorImport Playbook with template version 3.2.7",
"description": "RecordedFuture-Domain-IndicatorImport Playbook with template version 3.2.8",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion5')]",
@ -3881,7 +3888,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "RecordedFuture-Hash-IndicatorImport Playbook with template version 3.2.7",
"description": "RecordedFuture-Hash-IndicatorImport Playbook with template version 3.2.8",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion6')]",
@ -4172,7 +4179,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "RecordedFuture-IP-IndicatorImport Playbook with template version 3.2.7",
"description": "RecordedFuture-IP-IndicatorImport Playbook with template version 3.2.8",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion7')]",
@ -4465,7 +4472,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "RecordedFuture-URL-IndicatorImport Playbook with template version 3.2.7",
"description": "RecordedFuture-URL-IndicatorImport Playbook with template version 3.2.8",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion8')]",
@ -4756,7 +4763,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "RecordedFuture-Sandbox_Enrichment-Url Playbook with template version 3.2.7",
"description": "RecordedFuture-Sandbox_Enrichment-Url Playbook with template version 3.2.8",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion9')]",
@ -5134,7 +5141,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "RecordedFuture-CustomConnector Playbook with template version 3.2.7",
"description": "RecordedFuture-CustomConnector Playbook with template version 3.2.8",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion10')]",
@ -7208,19 +7215,19 @@
},
"created": {
"type": "string",
"example": "2023-09-20T19:09:35.993568+05:30"
"example": "2023-09-20T15:39:35.993568+02:00"
},
"modified": {
"type": "string",
"example": "2023-09-20T19:09:35.993568+05:30"
"example": "2023-09-20T15:39:35.993568+02:00"
},
"valid_from": {
"type": "string",
"example": "2023-09-20T19:09:35.993568+05:30"
"example": "2023-09-20T15:39:35.993568+02:00"
},
"valid_until": {
"type": "string",
"example": "2023-09-20T20:09:35.993568+05:30"
"example": "2023-09-20T16:39:35.993568+02:00"
},
"external_references": {
"type": "array",
@ -7416,19 +7423,19 @@
},
"created": {
"type": "string",
"example": "2023-09-20T19:09:35.993568+05:30"
"example": "2023-09-20T15:39:35.993568+02:00"
},
"modified": {
"type": "string",
"example": "2023-09-20T19:09:35.993568+05:30"
"example": "2023-09-20T15:39:35.993568+02:00"
},
"valid_from": {
"type": "string",
"example": "2023-09-20T19:09:35.993568+05:30"
"example": "2023-09-20T15:39:35.993568+02:00"
},
"valid_until": {
"type": "string",
"example": "2023-09-20T20:09:35.993568+05:30"
"example": "2023-09-20T16:39:35.993568+02:00"
},
"external_references": {
"type": "array",
@ -7726,7 +7733,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "RecordedFuture-ThreatMap-Importer Playbook with template version 3.2.7",
"description": "RecordedFuture-ThreatMap-Importer Playbook with template version 3.2.8",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion11')]",
@ -8096,7 +8103,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "RecordedFuture-MalwareThreatMap-Importer Playbook with template version 3.2.7",
"description": "RecordedFuture-MalwareThreatMap-Importer Playbook with template version 3.2.8",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion12')]",
@ -8471,7 +8478,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "ActorThreatHunt-IndicatorImport Playbook with template version 3.2.7",
"description": "ActorThreatHunt-IndicatorImport Playbook with template version 3.2.8",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion13')]",
@ -8707,7 +8714,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "MalwareThreatHunt-IndicatorImport Playbook with template version 3.2.7",
"description": "MalwareThreatHunt-IndicatorImport Playbook with template version 3.2.8",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion14')]",
@ -8944,7 +8951,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "RecordedFuturePlaybookAlertOverview Workbook with template version 3.2.7",
"description": "RecordedFuturePlaybookAlertOverview Workbook with template version 3.2.8",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('workbookVersion1')]",
@ -9028,7 +9035,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "RecordedFutureAlertOverview Workbook with template version 3.2.7",
"description": "RecordedFutureAlertOverview Workbook with template version 3.2.8",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('workbookVersion2')]",
@ -9112,7 +9119,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "RecordedFutureDomainCorrelation Workbook with template version 3.2.7",
"description": "RecordedFutureDomainCorrelation Workbook with template version 3.2.8",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('workbookVersion3')]",
@ -9196,7 +9203,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "RecordedFutureHashCorrelation Workbook with template version 3.2.7",
"description": "RecordedFutureHashCorrelation Workbook with template version 3.2.8",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('workbookVersion4')]",
@ -9280,7 +9287,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "RecordedFutureIPCorrelation Workbook with template version 3.2.7",
"description": "RecordedFutureIPCorrelation Workbook with template version 3.2.8",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('workbookVersion5')]",
@ -9364,7 +9371,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "RecordedFutureURLCorrelation Workbook with template version 3.2.7",
"description": "RecordedFutureURLCorrelation Workbook with template version 3.2.8",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('workbookVersion6')]",
@ -9448,7 +9455,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "RecordedFutureThreatActorHunting Workbook with template version 3.2.7",
"description": "RecordedFutureThreatActorHunting Workbook with template version 3.2.8",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('workbookVersion7')]",
@ -9532,7 +9539,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "RecordedFutureMalwareThreatHunting Workbook with template version 3.2.7",
"description": "RecordedFutureMalwareThreatHunting Workbook with template version 3.2.8",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('workbookVersion8')]",
@ -9612,7 +9619,7 @@
"apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
"version": "3.2.7",
"version": "3.2.8",
"kind": "Solution",
"contentSchemaVersion": "3.0.0",
"displayName": "Recorded Future",
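Review bot: The new AlertName expression at @ -3081 escapes backslashes and double quotes but, unlike the AISummary and Fragment fields on the same line, does not wrap the title in `coalesce(..., '')`, so an alert whose title is missing makes `replace()` fail and the whole For_each iteration error out instead of logging an empty name. RuleName, URL, Document_url and AlertID are still interpolated raw into this hand-built JSON body, and none of the escaped fields handle control characters such as newlines, so upstream alert data containing a quote, backslash or line break still yields a request body the Log Analytics API cannot parse; the playbook copy of this action at @ -365 in the RecordedFuture-Alert-Importer file has the same gap. Consider `"AlertName": "@{replace(replace(coalesce(items('For_each_triggered_alert')?['title'],''), '\\', '\\\\'), '\"', '\\\"')}"` and the same treatment for the other string fields, or building the body with a Compose action so the runtime serializes it. Separately, the reordered alertDescriptionFormat at @ -1640 keeps `*{{Description}}**`, whereas the other three hunting rules use `**{{Description}}**`.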


@ -10,7 +10,7 @@
"postDeployment": [
"After deployment, open the playbook to configure all connections and press save."
],
"lastUpdateTime": "2024-01-12T00:00:00.000Z",
"lastUpdateTime": "2024-08-23T00:00:00.000Z",
"entities": [],
"tags": [ "Alert" ],
"support": {
@ -35,6 +35,11 @@
"version": "1.2",
"title": "RecordedFuture-Alert-Importer",
"notes": [ "API connector renaming." ]
},
{
"version": "1.3",
"title": "RecordedFuture-Alert-Importer",
"notes": [ "Encoding and latest_event_date fix." ]
}
]
},
@ -365,7 +370,7 @@
},
"type": "ApiConnection",
"inputs": {
"body": "{\n\"RuleName\": \"@{items('For_each_triggered_alert')?['rule']?['name']}\",\n\"Triggered\": \"@{items('For_each_triggered_alert')?['log']?['triggered']}\",\n\"AlertName\": \"@{items('For_each_triggered_alert')?['title']}\",\n\"AlertID\": \"@{items('For_each_triggered_alert')?['id']}\", \n\"Entity\": @{items('For_each_hit')?['entities']},\n\"Documents\": @{items('For_each_hit')?['document']},\n\"URL\": \"@{items('For_each_triggered_alert')?['rule']?['url']?['portal']}\",\n\"Document_url\": \"@{items('For_each_hit')?['document']?['url']}\",\n\"AISummary\": \"@{replace(replace(coalesce(items('For_each_triggered_alert')?['ai_insights']?['text'],''), '\\', '\\\\'), '\"', '\\\"')}\",\n\"Fragment\": \"@{replace(replace(coalesce(body('Parse_JSON')?['fragment'],''), '\\', '\\\\'), '\"', '\\\"')}\"}",
"body": "{\n\"RuleName\": \"@{items('For_each_triggered_alert')?['rule']?['name']}\",\n\"Triggered\": \"@{items('For_each_triggered_alert')?['log']?['triggered']}\",\n\"AlertName\": \"@{replace(replace(items('For_each_triggered_alert')?['title'], '\\', '\\\\'), '\"', '\\\"')}\",\n\"AlertID\": \"@{items('For_each_triggered_alert')?['id']}\", \n\"Entity\": @{items('For_each_hit')?['entities']},\n\"Documents\": @{items('For_each_hit')?['document']},\n\"URL\": \"@{items('For_each_triggered_alert')?['rule']?['url']?['portal']}\",\n\"Document_url\": \"@{items('For_each_hit')?['document']?['url']}\",\n\"AISummary\": \"@{replace(replace(coalesce(items('For_each_triggered_alert')?['ai_insights']?['text'],''), '\\', '\\\\'), '\"', '\\\"')}\",\n\"Fragment\": \"@{replace(replace(coalesce(body('Parse_JSON')?['fragment'],''), '\\', '\\\\'), '\"', '\\\"')}\"}",
"headers": {
"Log-Type": "RecordedFuturePortalAlerts"
},
@ -411,7 +416,7 @@
},
"type": "ApiConnection",
"inputs": {
"body": "RecordedFuturePortalAlerts_CL\n| summarize LatestEvent=max(Triggered_t)",
"body": "RecordedFuturePortalAlerts_CL\n| summarize LatestEvent=max(Triggered_t)| extend LatestEvent=coalesce(LatestEvent, ago(1d))",
"host": {
"connection": {
"name": "@parameters('$connections')['azuremonitorlogs']['connectionId']"
@ -501,7 +506,7 @@
"location": "[resourceGroup().location]",
"tags": {
"hidden-SentinelTemplateName": "RecordedFuture-AlertImporter",
"hidden-SentinelTemplateVersion": "1.0"
"hidden-SentinelTemplateVersion": "1.3"
},
"identity": {
"type": "SystemAssigned"
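Review bot: The extended query at @ -411 covers an empty RecordedFuturePortalAlerts_CL — `summarize max()` with no `by` clause returns a single row with a null LatestEvent, which the added `coalesce(LatestEvent, ago(1d))` turns into a one-day lookback — but as far as I can tell it does not cover the very first run before the custom table has been created, when Log Analytics rejects the query as a semantic error rather than returning null; whether that case is reachable depends on deployment order outside this hunk. If it matters, `union isfuzzy=true RecordedFuturePortalAlerts_CL | summarize LatestEvent=max(Triggered_t) | extend LatestEvent=coalesce(LatestEvent, ago(1d))` tolerates the missing table. The same query change is in mainTemplate.json at @ -3125.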


@ -1,7 +1,8 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|---------------------------------------------|
| 3.2.7 | 01-08-2024 | updated **Analytic rules** for entity mappings |
| 3.2.6 | 08-03-2024 | Added incident creation to RecordedFuture-Alert-Importer **Playbook**.<br/> Update concurrency in RecordedFuture-IOC_Enrichment **Playbook** |
| 3.2.8 | 23-08-2024 | Updated RecordedFuture-Alert-Importer **Playbook** added text encoding and latest_event_date bugfix |
| 3.2.7 | 01-08-2024 | Updated **Analytic rules** for entity mappings |
| 3.2.6 | 03-08-2024 | Added incident creation to RecordedFuture-Alert-Importer **Playbook**.<br/> Update concurrency in RecordedFuture-IOC_Enrichment **Playbook** |
| 3.2.5 | 24-06-2024 | Added missing AMA **Data Connector** reference in **Analytic rules** |
| 3.2.4 | 08-03-2024 | Change default Recurrence for pulling data in Fix parse json in RecordedFuture-ThreatMap-Importer **Playbook**.<br/> Update solution description, referencing release notes. |
| 3.2.3 | 27-02-2024 | Fix parsing in RecordedFuture-PlaybookAlert-Importer **Playbook**.<br/> Added Recorded Future AI Summary to Alert **workbook**.<br/> Added Statues to playbook alert Workbook. |