RecordedFuture-Alert-Importer fixes
Родитель
11ef436850
Коммит
5d5d19d303
|
@ -42,7 +42,7 @@
|
|||
"Workbooks/RecordedFutureMalwareThreatHunting.json"
|
||||
],
|
||||
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Recorded Future",
|
||||
"Version": "3.2.7",
|
||||
"Version": "3.2.8",
|
||||
"Metadata": "SolutionMetadata.json",
|
||||
"TemplateSpec": true,
|
||||
"Is1Pconnector": false
|
||||
|
|
|
@ -97,7 +97,7 @@
|
|||
"email": "support@recordedfuture.com",
|
||||
"_email": "[variables('email')]",
|
||||
"_solutionName": "Recorded Future",
|
||||
"_solutionVersion": "3.2.7",
|
||||
"_solutionVersion": "3.2.8",
|
||||
"solutionId": "recordedfuture1605638642586.recorded_future_sentinel_solution",
|
||||
"_solutionId": "[variables('solutionId')]",
|
||||
"analyticRuleObject1": {
|
||||
|
@ -190,7 +190,7 @@
|
|||
"_playbookcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId2'),'-', variables('playbookVersion2'))))]",
|
||||
"RecordedFuture-Alert-Importer": "RecordedFuture-Alert-Importer",
|
||||
"_RecordedFuture-Alert-Importer": "[variables('RecordedFuture-Alert-Importer')]",
|
||||
"playbookVersion3": "1.0",
|
||||
"playbookVersion3": "1.3",
|
||||
"playbookContentId3": "RecordedFuture-Alert-Importer",
|
||||
"_playbookContentId3": "[variables('playbookContentId3')]",
|
||||
"playbookId3": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId3'))]",
|
||||
|
@ -343,7 +343,7 @@
|
|||
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
|
||||
],
|
||||
"properties": {
|
||||
"description": "RecordedFutureDomainMalwareC2inDNSEvents_AnalyticalRules Analytics Rule with template version 3.2.7",
|
||||
"description": "RecordedFutureDomainMalwareC2inDNSEvents_AnalyticalRules Analytics Rule with template version 3.2.8",
|
||||
"mainTemplate": {
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
|
||||
|
@ -482,7 +482,7 @@
|
|||
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
|
||||
],
|
||||
"properties": {
|
||||
"description": "RecordedFutureDomainMalwareC2inSyslogEvents_AnalyticalRules Analytics Rule with template version 3.2.7",
|
||||
"description": "RecordedFutureDomainMalwareC2inSyslogEvents_AnalyticalRules Analytics Rule with template version 3.2.8",
|
||||
"mainTemplate": {
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
|
||||
|
@ -622,7 +622,7 @@
|
|||
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
|
||||
],
|
||||
"properties": {
|
||||
"description": "RecordedFutureHashObservedInUndergroundinCommonSecurityLog_AnalyticalRules Analytics Rule with template version 3.2.7",
|
||||
"description": "RecordedFutureHashObservedInUndergroundinCommonSecurityLog_AnalyticalRules Analytics Rule with template version 3.2.8",
|
||||
"mainTemplate": {
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]",
|
||||
|
@ -778,7 +778,7 @@
|
|||
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
|
||||
],
|
||||
"properties": {
|
||||
"description": "RecordedFutureIPMalwareC2inAzureActivityEvents_AnalyticalRules Analytics Rule with template version 3.2.7",
|
||||
"description": "RecordedFutureIPMalwareC2inAzureActivityEvents_AnalyticalRules Analytics Rule with template version 3.2.8",
|
||||
"mainTemplate": {
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]",
|
||||
|
@ -909,7 +909,7 @@
|
|||
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
|
||||
],
|
||||
"properties": {
|
||||
"description": "RecordedFutureIPMalwareC2inDNSEvents_AnalyticalRules Analytics Rule with template version 3.2.7",
|
||||
"description": "RecordedFutureIPMalwareC2inDNSEvents_AnalyticalRules Analytics Rule with template version 3.2.8",
|
||||
"mainTemplate": {
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]",
|
||||
|
@ -1054,7 +1054,7 @@
|
|||
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
|
||||
],
|
||||
"properties": {
|
||||
"description": "RecordedFutureUrlReportedbyInsiktGroupinSyslogEvents_AnalyticalRules Analytics Rule with template version 3.2.7",
|
||||
"description": "RecordedFutureUrlReportedbyInsiktGroupinSyslogEvents_AnalyticalRules Analytics Rule with template version 3.2.8",
|
||||
"mainTemplate": {
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]",
|
||||
|
@ -1183,7 +1183,7 @@
|
|||
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
|
||||
],
|
||||
"properties": {
|
||||
"description": "RecordedFutureThreatHuntingHashAllActors_AnalyticalRules Analytics Rule with template version 3.2.7",
|
||||
"description": "RecordedFutureThreatHuntingHashAllActors_AnalyticalRules Analytics Rule with template version 3.2.8",
|
||||
"mainTemplate": {
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]",
|
||||
|
@ -1249,23 +1249,23 @@
|
|||
"ActorInformation": "RecordedFuturePortalLink"
|
||||
},
|
||||
"alertDetailsOverride": {
|
||||
"alertDisplayNameFormat": "{{Description}}",
|
||||
"alertDescriptionFormat": "**{{Description}}**\\n\\nCorrelation found on {{Hash}} from the {{Type}} table.\\n",
|
||||
"alertDynamicProperties": [
|
||||
{
|
||||
"value": "RecordedFuturePortalLink",
|
||||
"alertProperty": "AlertLink"
|
||||
"alertProperty": "AlertLink",
|
||||
"value": "RecordedFuturePortalLink"
|
||||
}
|
||||
],
|
||||
"alertDescriptionFormat": "**{{Description}}**\\n\\nCorrelation found on {{Hash}} from the {{Type}} table.\\n"
|
||||
"alertDisplayNameFormat": "{{Description}}"
|
||||
},
|
||||
"incidentConfiguration": {
|
||||
"createIncident": true,
|
||||
"groupingConfiguration": {
|
||||
"matchingMethod": "AllEntities",
|
||||
"reopenClosedIncident": false,
|
||||
"lookbackDuration": "1h",
|
||||
"enabled": true
|
||||
},
|
||||
"createIncident": true
|
||||
"matchingMethod": "AllEntities",
|
||||
"enabled": true,
|
||||
"lookbackDuration": "1h"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
|
@ -1320,7 +1320,7 @@
|
|||
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
|
||||
],
|
||||
"properties": {
|
||||
"description": "RecordedFutureThreatHuntingIPAllActors_AnalyticalRules Analytics Rule with template version 3.2.7",
|
||||
"description": "RecordedFutureThreatHuntingIPAllActors_AnalyticalRules Analytics Rule with template version 3.2.8",
|
||||
"mainTemplate": {
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]",
|
||||
|
@ -1380,23 +1380,23 @@
|
|||
"ActorInformation": "RecordedFuturePortalLink"
|
||||
},
|
||||
"alertDetailsOverride": {
|
||||
"alertDisplayNameFormat": "{{Description}}",
|
||||
"alertDescriptionFormat": "**{{Description}}**\\n\\nCorrelation found on {{NetworkIP}} from the {{Type}} table.\\n",
|
||||
"alertDynamicProperties": [
|
||||
{
|
||||
"value": "RecordedFuturePortalLink",
|
||||
"alertProperty": "AlertLink"
|
||||
"alertProperty": "AlertLink",
|
||||
"value": "RecordedFuturePortalLink"
|
||||
}
|
||||
],
|
||||
"alertDescriptionFormat": "**{{Description}}**\\n\\nCorrelation found on {{NetworkIP}} from the {{Type}} table.\\n"
|
||||
"alertDisplayNameFormat": "{{Description}}"
|
||||
},
|
||||
"incidentConfiguration": {
|
||||
"createIncident": true,
|
||||
"groupingConfiguration": {
|
||||
"matchingMethod": "AllEntities",
|
||||
"reopenClosedIncident": false,
|
||||
"lookbackDuration": "1h",
|
||||
"enabled": true
|
||||
},
|
||||
"createIncident": true
|
||||
"matchingMethod": "AllEntities",
|
||||
"enabled": true,
|
||||
"lookbackDuration": "1h"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
|
@ -1451,7 +1451,7 @@
|
|||
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
|
||||
],
|
||||
"properties": {
|
||||
"description": "RecordedFutureThreatHuntingDomainAllActors_AnalyticalRules Analytics Rule with template version 3.2.7",
|
||||
"description": "RecordedFutureThreatHuntingDomainAllActors_AnalyticalRules Analytics Rule with template version 3.2.8",
|
||||
"mainTemplate": {
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]",
|
||||
|
@ -1511,23 +1511,23 @@
|
|||
"ActorInformation": "RecordedFuturePortalLink"
|
||||
},
|
||||
"alertDetailsOverride": {
|
||||
"alertDisplayNameFormat": "{{Description}}",
|
||||
"alertDescriptionFormat": "**{{Description}}**\\n\\nCorrelation found on {{DomainName}} from the {{Type}} table.\\n",
|
||||
"alertDynamicProperties": [
|
||||
{
|
||||
"value": "RecordedFuturePortalLink",
|
||||
"alertProperty": "AlertLink"
|
||||
"alertProperty": "AlertLink",
|
||||
"value": "RecordedFuturePortalLink"
|
||||
}
|
||||
],
|
||||
"alertDescriptionFormat": "**{{Description}}**\\n\\nCorrelation found on {{DomainName}} from the {{Type}} table.\\n"
|
||||
"alertDisplayNameFormat": "{{Description}}"
|
||||
},
|
||||
"incidentConfiguration": {
|
||||
"createIncident": true,
|
||||
"groupingConfiguration": {
|
||||
"matchingMethod": "AllEntities",
|
||||
"reopenClosedIncident": false,
|
||||
"lookbackDuration": "1h",
|
||||
"enabled": true
|
||||
},
|
||||
"createIncident": true
|
||||
"matchingMethod": "AllEntities",
|
||||
"enabled": true,
|
||||
"lookbackDuration": "1h"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
|
@ -1582,7 +1582,7 @@
|
|||
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
|
||||
],
|
||||
"properties": {
|
||||
"description": "RecordedFutureThreatHuntingUrlAllActors_AnalyticalRules Analytics Rule with template version 3.2.7",
|
||||
"description": "RecordedFutureThreatHuntingUrlAllActors_AnalyticalRules Analytics Rule with template version 3.2.8",
|
||||
"mainTemplate": {
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "[variables('analyticRuleObject10').analyticRuleVersion10]",
|
||||
|
@ -1640,23 +1640,23 @@
|
|||
"ActorInformation": "RecordedFuturePortalLink"
|
||||
},
|
||||
"alertDetailsOverride": {
|
||||
"alertDisplayNameFormat": "{{Description}}",
|
||||
"alertDescriptionFormat": "*{{Description}}**\\n\\nCorrelation found on {{Url}} from the {{Type}} table.\\n",
|
||||
"alertDynamicProperties": [
|
||||
{
|
||||
"value": "RecordedFuturePortalLink",
|
||||
"alertProperty": "AlertLink"
|
||||
"alertProperty": "AlertLink",
|
||||
"value": "RecordedFuturePortalLink"
|
||||
}
|
||||
],
|
||||
"alertDescriptionFormat": "*{{Description}}**\\n\\nCorrelation found on {{Url}} from the {{Type}} table.\\n"
|
||||
"alertDisplayNameFormat": "{{Description}}"
|
||||
},
|
||||
"incidentConfiguration": {
|
||||
"createIncident": true,
|
||||
"groupingConfiguration": {
|
||||
"matchingMethod": "AllEntities",
|
||||
"reopenClosedIncident": false,
|
||||
"lookbackDuration": "1h",
|
||||
"enabled": true
|
||||
},
|
||||
"createIncident": true
|
||||
"matchingMethod": "AllEntities",
|
||||
"enabled": true,
|
||||
"lookbackDuration": "1h"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
|
@ -1711,7 +1711,7 @@
|
|||
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
|
||||
],
|
||||
"properties": {
|
||||
"description": "RecordedFuture-IOC_Enrichment Playbook with template version 3.2.7",
|
||||
"description": "RecordedFuture-IOC_Enrichment Playbook with template version 3.2.8",
|
||||
"mainTemplate": {
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "[variables('playbookVersion1')]",
|
||||
|
@ -2378,7 +2378,7 @@
|
|||
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
|
||||
],
|
||||
"properties": {
|
||||
"description": "RecordedFuture-Playbook-Alert-Importer Playbook with template version 3.2.7",
|
||||
"description": "RecordedFuture-Playbook-Alert-Importer Playbook with template version 3.2.8",
|
||||
"mainTemplate": {
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "[variables('playbookVersion2')]",
|
||||
|
@ -2748,7 +2748,7 @@
|
|||
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
|
||||
],
|
||||
"properties": {
|
||||
"description": "RecordedFuture-AlertImporter Playbook with template version 3.2.7",
|
||||
"description": "RecordedFuture-AlertImporter Playbook with template version 3.2.8",
|
||||
"mainTemplate": {
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "[variables('playbookVersion3')]",
|
||||
|
@ -3081,7 +3081,7 @@
|
|||
},
|
||||
"type": "ApiConnection",
|
||||
"inputs": {
|
||||
"body": "{\n\"RuleName\": \"@{items('For_each_triggered_alert')?['rule']?['name']}\",\n\"Triggered\": \"@{items('For_each_triggered_alert')?['log']?['triggered']}\",\n\"AlertName\": \"@{items('For_each_triggered_alert')?['title']}\",\n\"AlertID\": \"@{items('For_each_triggered_alert')?['id']}\", \n\"Entity\": @{items('For_each_hit')?['entities']},\n\"Documents\": @{items('For_each_hit')?['document']},\n\"URL\": \"@{items('For_each_triggered_alert')?['rule']?['url']?['portal']}\",\n\"Document_url\": \"@{items('For_each_hit')?['document']?['url']}\",\n\"AISummary\": \"@{replace(replace(coalesce(items('For_each_triggered_alert')?['ai_insights']?['text'],''), '\\', '\\\\'), '\"', '\\\"')}\",\n\"Fragment\": \"@{replace(replace(coalesce(body('Parse_JSON')?['fragment'],''), '\\', '\\\\'), '\"', '\\\"')}\"}",
|
||||
"body": "{\n\"RuleName\": \"@{items('For_each_triggered_alert')?['rule']?['name']}\",\n\"Triggered\": \"@{items('For_each_triggered_alert')?['log']?['triggered']}\",\n\"AlertName\": \"@{replace(replace(items('For_each_triggered_alert')?['title'], '\\', '\\\\'), '\"', '\\\"')}\",\n\"AlertID\": \"@{items('For_each_triggered_alert')?['id']}\", \n\"Entity\": @{items('For_each_hit')?['entities']},\n\"Documents\": @{items('For_each_hit')?['document']},\n\"URL\": \"@{items('For_each_triggered_alert')?['rule']?['url']?['portal']}\",\n\"Document_url\": \"@{items('For_each_hit')?['document']?['url']}\",\n\"AISummary\": \"@{replace(replace(coalesce(items('For_each_triggered_alert')?['ai_insights']?['text'],''), '\\', '\\\\'), '\"', '\\\"')}\",\n\"Fragment\": \"@{replace(replace(coalesce(body('Parse_JSON')?['fragment'],''), '\\', '\\\\'), '\"', '\\\"')}\"}",
|
||||
"headers": {
|
||||
"Log-Type": "RecordedFuturePortalAlerts"
|
||||
},
|
||||
|
@ -3125,7 +3125,7 @@
|
|||
},
|
||||
"type": "ApiConnection",
|
||||
"inputs": {
|
||||
"body": "RecordedFuturePortalAlerts_CL\n| summarize LatestEvent=max(Triggered_t)",
|
||||
"body": "RecordedFuturePortalAlerts_CL\n| summarize LatestEvent=max(Triggered_t)| extend LatestEvent=coalesce(LatestEvent, ago(1d))",
|
||||
"host": {
|
||||
"connection": {
|
||||
"name": "@parameters('$connections')['azuremonitorlogs']['connectionId']"
|
||||
|
@ -3214,7 +3214,7 @@
|
|||
"location": "[[variables('workspace-location-inline')]",
|
||||
"tags": {
|
||||
"hidden-SentinelTemplateName": "RecordedFuture-AlertImporter",
|
||||
"hidden-SentinelTemplateVersion": "1.0",
|
||||
"hidden-SentinelTemplateVersion": "1.3",
|
||||
"hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
|
||||
},
|
||||
"identity": {
|
||||
|
@ -3317,7 +3317,7 @@
|
|||
"postDeployment": [
|
||||
"After deployment, open the playbook to configure all connections and press save."
|
||||
],
|
||||
"lastUpdateTime": "2024-01-12T00:00:00Z",
|
||||
"lastUpdateTime": "2024-08-23T00:00:00Z",
|
||||
"tags": [
|
||||
"Alert"
|
||||
],
|
||||
|
@ -3342,6 +3342,13 @@
|
|||
"notes": [
|
||||
"API connector renaming."
|
||||
]
|
||||
},
|
||||
{
|
||||
"version": "1.3",
|
||||
"title": "RecordedFuture-Alert-Importer",
|
||||
"notes": [
|
||||
"Encoding and latest_event_date fix."
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
|
@ -3368,7 +3375,7 @@
|
|||
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
|
||||
],
|
||||
"properties": {
|
||||
"description": "RecordedFuture-ThreatIntelligenceImport Playbook with template version 3.2.7",
|
||||
"description": "RecordedFuture-ThreatIntelligenceImport Playbook with template version 3.2.8",
|
||||
"mainTemplate": {
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "[variables('playbookVersion4')]",
|
||||
|
@ -3590,7 +3597,7 @@
|
|||
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
|
||||
],
|
||||
"properties": {
|
||||
"description": "RecordedFuture-Domain-IndicatorImport Playbook with template version 3.2.7",
|
||||
"description": "RecordedFuture-Domain-IndicatorImport Playbook with template version 3.2.8",
|
||||
"mainTemplate": {
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "[variables('playbookVersion5')]",
|
||||
|
@ -3881,7 +3888,7 @@
|
|||
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
|
||||
],
|
||||
"properties": {
|
||||
"description": "RecordedFuture-Hash-IndicatorImport Playbook with template version 3.2.7",
|
||||
"description": "RecordedFuture-Hash-IndicatorImport Playbook with template version 3.2.8",
|
||||
"mainTemplate": {
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "[variables('playbookVersion6')]",
|
||||
|
@ -4172,7 +4179,7 @@
|
|||
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
|
||||
],
|
||||
"properties": {
|
||||
"description": "RecordedFuture-IP-IndicatorImport Playbook with template version 3.2.7",
|
||||
"description": "RecordedFuture-IP-IndicatorImport Playbook with template version 3.2.8",
|
||||
"mainTemplate": {
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "[variables('playbookVersion7')]",
|
||||
|
@ -4465,7 +4472,7 @@
|
|||
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
|
||||
],
|
||||
"properties": {
|
||||
"description": "RecordedFuture-URL-IndicatorImport Playbook with template version 3.2.7",
|
||||
"description": "RecordedFuture-URL-IndicatorImport Playbook with template version 3.2.8",
|
||||
"mainTemplate": {
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "[variables('playbookVersion8')]",
|
||||
|
@ -4756,7 +4763,7 @@
|
|||
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
|
||||
],
|
||||
"properties": {
|
||||
"description": "RecordedFuture-Sandbox_Enrichment-Url Playbook with template version 3.2.7",
|
||||
"description": "RecordedFuture-Sandbox_Enrichment-Url Playbook with template version 3.2.8",
|
||||
"mainTemplate": {
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "[variables('playbookVersion9')]",
|
||||
|
@ -5134,7 +5141,7 @@
|
|||
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
|
||||
],
|
||||
"properties": {
|
||||
"description": "RecordedFuture-CustomConnector Playbook with template version 3.2.7",
|
||||
"description": "RecordedFuture-CustomConnector Playbook with template version 3.2.8",
|
||||
"mainTemplate": {
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "[variables('playbookVersion10')]",
|
||||
|
@ -7208,19 +7215,19 @@
|
|||
},
|
||||
"created": {
|
||||
"type": "string",
|
||||
"example": "2023-09-20T19:09:35.993568+05:30"
|
||||
"example": "2023-09-20T15:39:35.993568+02:00"
|
||||
},
|
||||
"modified": {
|
||||
"type": "string",
|
||||
"example": "2023-09-20T19:09:35.993568+05:30"
|
||||
"example": "2023-09-20T15:39:35.993568+02:00"
|
||||
},
|
||||
"valid_from": {
|
||||
"type": "string",
|
||||
"example": "2023-09-20T19:09:35.993568+05:30"
|
||||
"example": "2023-09-20T15:39:35.993568+02:00"
|
||||
},
|
||||
"valid_until": {
|
||||
"type": "string",
|
||||
"example": "2023-09-20T20:09:35.993568+05:30"
|
||||
"example": "2023-09-20T16:39:35.993568+02:00"
|
||||
},
|
||||
"external_references": {
|
||||
"type": "array",
|
||||
|
@ -7416,19 +7423,19 @@
|
|||
},
|
||||
"created": {
|
||||
"type": "string",
|
||||
"example": "2023-09-20T19:09:35.993568+05:30"
|
||||
"example": "2023-09-20T15:39:35.993568+02:00"
|
||||
},
|
||||
"modified": {
|
||||
"type": "string",
|
||||
"example": "2023-09-20T19:09:35.993568+05:30"
|
||||
"example": "2023-09-20T15:39:35.993568+02:00"
|
||||
},
|
||||
"valid_from": {
|
||||
"type": "string",
|
||||
"example": "2023-09-20T19:09:35.993568+05:30"
|
||||
"example": "2023-09-20T15:39:35.993568+02:00"
|
||||
},
|
||||
"valid_until": {
|
||||
"type": "string",
|
||||
"example": "2023-09-20T20:09:35.993568+05:30"
|
||||
"example": "2023-09-20T16:39:35.993568+02:00"
|
||||
},
|
||||
"external_references": {
|
||||
"type": "array",
|
||||
|
@ -7726,7 +7733,7 @@
|
|||
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
|
||||
],
|
||||
"properties": {
|
||||
"description": "RecordedFuture-ThreatMap-Importer Playbook with template version 3.2.7",
|
||||
"description": "RecordedFuture-ThreatMap-Importer Playbook with template version 3.2.8",
|
||||
"mainTemplate": {
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "[variables('playbookVersion11')]",
|
||||
|
@ -8096,7 +8103,7 @@
|
|||
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
|
||||
],
|
||||
"properties": {
|
||||
"description": "RecordedFuture-MalwareThreatMap-Importer Playbook with template version 3.2.7",
|
||||
"description": "RecordedFuture-MalwareThreatMap-Importer Playbook with template version 3.2.8",
|
||||
"mainTemplate": {
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "[variables('playbookVersion12')]",
|
||||
|
@ -8471,7 +8478,7 @@
|
|||
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
|
||||
],
|
||||
"properties": {
|
||||
"description": "ActorThreatHunt-IndicatorImport Playbook with template version 3.2.7",
|
||||
"description": "ActorThreatHunt-IndicatorImport Playbook with template version 3.2.8",
|
||||
"mainTemplate": {
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "[variables('playbookVersion13')]",
|
||||
|
@ -8707,7 +8714,7 @@
|
|||
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
|
||||
],
|
||||
"properties": {
|
||||
"description": "MalwareThreatHunt-IndicatorImport Playbook with template version 3.2.7",
|
||||
"description": "MalwareThreatHunt-IndicatorImport Playbook with template version 3.2.8",
|
||||
"mainTemplate": {
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "[variables('playbookVersion14')]",
|
||||
|
@ -8944,7 +8951,7 @@
|
|||
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
|
||||
],
|
||||
"properties": {
|
||||
"description": "RecordedFuturePlaybookAlertOverview Workbook with template version 3.2.7",
|
||||
"description": "RecordedFuturePlaybookAlertOverview Workbook with template version 3.2.8",
|
||||
"mainTemplate": {
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "[variables('workbookVersion1')]",
|
||||
|
@ -9028,7 +9035,7 @@
|
|||
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
|
||||
],
|
||||
"properties": {
|
||||
"description": "RecordedFutureAlertOverview Workbook with template version 3.2.7",
|
||||
"description": "RecordedFutureAlertOverview Workbook with template version 3.2.8",
|
||||
"mainTemplate": {
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "[variables('workbookVersion2')]",
|
||||
|
@ -9112,7 +9119,7 @@
|
|||
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
|
||||
],
|
||||
"properties": {
|
||||
"description": "RecordedFutureDomainCorrelation Workbook with template version 3.2.7",
|
||||
"description": "RecordedFutureDomainCorrelation Workbook with template version 3.2.8",
|
||||
"mainTemplate": {
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "[variables('workbookVersion3')]",
|
||||
|
@ -9196,7 +9203,7 @@
|
|||
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
|
||||
],
|
||||
"properties": {
|
||||
"description": "RecordedFutureHashCorrelation Workbook with template version 3.2.7",
|
||||
"description": "RecordedFutureHashCorrelation Workbook with template version 3.2.8",
|
||||
"mainTemplate": {
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "[variables('workbookVersion4')]",
|
||||
|
@ -9280,7 +9287,7 @@
|
|||
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
|
||||
],
|
||||
"properties": {
|
||||
"description": "RecordedFutureIPCorrelation Workbook with template version 3.2.7",
|
||||
"description": "RecordedFutureIPCorrelation Workbook with template version 3.2.8",
|
||||
"mainTemplate": {
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "[variables('workbookVersion5')]",
|
||||
|
@ -9364,7 +9371,7 @@
|
|||
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
|
||||
],
|
||||
"properties": {
|
||||
"description": "RecordedFutureURLCorrelation Workbook with template version 3.2.7",
|
||||
"description": "RecordedFutureURLCorrelation Workbook with template version 3.2.8",
|
||||
"mainTemplate": {
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "[variables('workbookVersion6')]",
|
||||
|
@ -9448,7 +9455,7 @@
|
|||
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
|
||||
],
|
||||
"properties": {
|
||||
"description": "RecordedFutureThreatActorHunting Workbook with template version 3.2.7",
|
||||
"description": "RecordedFutureThreatActorHunting Workbook with template version 3.2.8",
|
||||
"mainTemplate": {
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "[variables('workbookVersion7')]",
|
||||
|
@ -9532,7 +9539,7 @@
|
|||
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
|
||||
],
|
||||
"properties": {
|
||||
"description": "RecordedFutureMalwareThreatHunting Workbook with template version 3.2.7",
|
||||
"description": "RecordedFutureMalwareThreatHunting Workbook with template version 3.2.8",
|
||||
"mainTemplate": {
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "[variables('workbookVersion8')]",
|
||||
|
@ -9612,7 +9619,7 @@
|
|||
"apiVersion": "2023-04-01-preview",
|
||||
"location": "[parameters('workspace-location')]",
|
||||
"properties": {
|
||||
"version": "3.2.7",
|
||||
"version": "3.2.8",
|
||||
"kind": "Solution",
|
||||
"contentSchemaVersion": "3.0.0",
|
||||
"displayName": "Recorded Future",
|
||||
|
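Review bot: The new escaping on `AlertName` in the Send-Data `"body"` line (the hunk under `"Log-Type": "RecordedFuturePortalAlerts"`) wraps `title` in `replace()` without the `coalesce(..., '')` that `AISummary` and `Fragment` use, so a triggered alert whose `title` is null should now fail the expression instead of producing an empty field. `RuleName`, `URL` and `Document_url` are still interpolated raw into hand-built JSON, so a `"` or `\` in a rule name or document URL still yields a malformed record for the Data Collector API; at minimum give them the same treatment, e.g. `\"RuleName\": \"@{replace(replace(coalesce(items('For_each_triggered_alert')?['rule']?['name'],''), '\\', '\\\\'), '\"', '\\\"')}\"`. Even then, escaping only `\` and `"` does not cover control characters (a newline or tab in a title or AI summary still breaks the JSON string), so the robust fix is to stop building JSON by string concatenation: assemble the record as an object in a Compose action and pass `string(outputs(...))` as the body so the runtime serializes it. The unquoted `Entity` and `Documents` interpolations presumably serialize the hit's objects, but if either is absent they would leave `\"Entity\": ,` in the body, which is worth a null guard or at least confirming against the API. Since mainTemplate.json is generated, the change belongs in the playbook's azuredeploy.json, where the identical body line appears further down this page.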
|
|
@ -10,7 +10,7 @@
|
|||
"postDeployment": [
|
||||
"After deployment, open the playbook to configure all connections and press save."
|
||||
],
|
||||
"lastUpdateTime": "2024-01-12T00:00:00.000Z",
|
||||
"lastUpdateTime": "2024-08-23T00:00:00.000Z",
|
||||
"entities": [],
|
||||
"tags": [ "Alert" ],
|
||||
"support": {
|
||||
|
@ -35,6 +35,11 @@
|
|||
"version": "1.2",
|
||||
"title": "RecordedFuture-Alert-Importer",
|
||||
"notes": [ "API connector renaming." ]
|
||||
},
|
||||
{
|
||||
"version": "1.3",
|
||||
"title": "RecordedFuture-Alert-Importer",
|
||||
"notes": [ "Encoding and latest_event_date fix." ]
|
||||
}
|
||||
]
|
||||
},
|
||||
|
@ -365,7 +370,7 @@
|
|||
},
|
||||
"type": "ApiConnection",
|
||||
"inputs": {
|
||||
"body": "{\n\"RuleName\": \"@{items('For_each_triggered_alert')?['rule']?['name']}\",\n\"Triggered\": \"@{items('For_each_triggered_alert')?['log']?['triggered']}\",\n\"AlertName\": \"@{items('For_each_triggered_alert')?['title']}\",\n\"AlertID\": \"@{items('For_each_triggered_alert')?['id']}\", \n\"Entity\": @{items('For_each_hit')?['entities']},\n\"Documents\": @{items('For_each_hit')?['document']},\n\"URL\": \"@{items('For_each_triggered_alert')?['rule']?['url']?['portal']}\",\n\"Document_url\": \"@{items('For_each_hit')?['document']?['url']}\",\n\"AISummary\": \"@{replace(replace(coalesce(items('For_each_triggered_alert')?['ai_insights']?['text'],''), '\\', '\\\\'), '\"', '\\\"')}\",\n\"Fragment\": \"@{replace(replace(coalesce(body('Parse_JSON')?['fragment'],''), '\\', '\\\\'), '\"', '\\\"')}\"}",
|
||||
"body": "{\n\"RuleName\": \"@{items('For_each_triggered_alert')?['rule']?['name']}\",\n\"Triggered\": \"@{items('For_each_triggered_alert')?['log']?['triggered']}\",\n\"AlertName\": \"@{replace(replace(items('For_each_triggered_alert')?['title'], '\\', '\\\\'), '\"', '\\\"')}\",\n\"AlertID\": \"@{items('For_each_triggered_alert')?['id']}\", \n\"Entity\": @{items('For_each_hit')?['entities']},\n\"Documents\": @{items('For_each_hit')?['document']},\n\"URL\": \"@{items('For_each_triggered_alert')?['rule']?['url']?['portal']}\",\n\"Document_url\": \"@{items('For_each_hit')?['document']?['url']}\",\n\"AISummary\": \"@{replace(replace(coalesce(items('For_each_triggered_alert')?['ai_insights']?['text'],''), '\\', '\\\\'), '\"', '\\\"')}\",\n\"Fragment\": \"@{replace(replace(coalesce(body('Parse_JSON')?['fragment'],''), '\\', '\\\\'), '\"', '\\\"')}\"}",
|
||||
"headers": {
|
||||
"Log-Type": "RecordedFuturePortalAlerts"
|
||||
},
|
||||
|
@ -411,7 +416,7 @@
|
|||
},
|
||||
"type": "ApiConnection",
|
||||
"inputs": {
|
||||
"body": "RecordedFuturePortalAlerts_CL\n| summarize LatestEvent=max(Triggered_t)",
|
||||
"body": "RecordedFuturePortalAlerts_CL\n| summarize LatestEvent=max(Triggered_t)| extend LatestEvent=coalesce(LatestEvent, ago(1d))",
|
||||
"host": {
|
||||
"connection": {
|
||||
"name": "@parameters('$connections')['azuremonitorlogs']['connectionId']"
|
||||
|
@ -501,7 +506,7 @@
|
|||
"location": "[resourceGroup().location]",
|
||||
"tags": {
|
||||
"hidden-SentinelTemplateName": "RecordedFuture-AlertImporter",
|
||||
"hidden-SentinelTemplateVersion": "1.0"
|
||||
"hidden-SentinelTemplateVersion": "1.3"
|
||||
},
|
||||
"identity": {
|
||||
"type": "SystemAssigned"
|
||||
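Review bot: The new AlertName escaping in the body at L1802 calls `replace()` directly on `items('For_each_triggered_alert')?['title']` without the `coalesce(..., '')` guard that the AISummary and Fragment fields use, so an alert whose title is missing or null fails the action instead of yielding an empty string; `\"AlertName\": \"@{replace(replace(coalesce(items('For_each_triggered_alert')?['title'],''), '\\', '\\\\'), '\"', '\\\"')}\"` would match the other fields. More broadly, the Log-Type record is still JSON assembled by string concatenation from feed-supplied content, and RuleName, URL and Document_url remain unescaped, so a quote, backslash or control character in those values still produces an invalid record; the durable fix is to pass the body as an object and let the runtime serialize it, rather than extending the hand-rolled escaping one field at a time. The `coalesce(LatestEvent, ago(1d))` added to the KQL at L1830 handles an empty table, but if the custom table does not yet exist on a first run the query itself fails before coalesce applies — presumably handled elsewhere, worth confirming. The action that holds this body begins outside the hunk.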
|
|
|
@ -1,7 +1,8 @@
|
|||
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|
||||
|-------------|--------------------------------|---------------------------------------------|
|
||||
| 3.2.7 | 01-08-2024 | updated **Analytic rules** for entity mappings |
|
||||
| 3.2.6 | 08-03-2024 | Added incident creation to RecordedFuture-Alert-Importer **Playbook**.<br/> Update concurrency in RecordedFuture-IOC_Enrichment **Playbook** |
|
||||
| 3.2.8 | 23-08-2024 | Updated RecordedFuture-Alert-Importer **Playbook** added text encoding and latest_event_date bugfix |
|
||||
| 3.2.7 | 01-08-2024 | Updated **Analytic rules** for entity mappings |
|
||||
| 3.2.6 | 03-08-2024 | Added incident creation to RecordedFuture-Alert-Importer **Playbook**.<br/> Update concurrency in RecordedFuture-IOC_Enrichment **Playbook** |
|
||||
| 3.2.5 | 24-06-2024 | Added missing AMA **Data Connector** reference in **Analytic rules** |
|
||||
| 3.2.4 | 08-03-2024 | Change default Recurrence for pulling data in Fix parse json in RecordedFuture-ThreatMap-Importer **Playbook**.<br/> Update solution description, referencing release notes. |
|
||||
| 3.2.3 | 27-02-2024 | Fix parsing in RecordedFuture-PlaybookAlert-Importer **Playbook**.<br/> Added Recorded Future AI Summary to Alert **workbook**.<br/> Added Statues to playbook alert Workbook. |
|
||||