Merge pull request #11429 from illumio-shield/illumio-sentinel-playbook
Illumio sentinel playbook
This commit is contained in:
v-prasadboke
GitHub
Коммит
63b7dd4994
Двоичные данные
Solutions/IllumioSaaS/Playbooks/Illumio-Get-Ven-Details/Images/illumio-get-ven-details-playbook.png
Normal file
Двоичные данные
Solutions/IllumioSaaS/Playbooks/Illumio-Get-Ven-Details/Images/illumio-get-ven-details-playbook.png
Normal file
Двоичный файл не отображается.
|
После Ширина: | Высота: | Размер: 97 KiB |
|
|
@ -0,0 +1,545 @@
|
|||
{
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"metadata": {
|
||||
"title": "Illumio Get Ven Details Playbook",
|
||||
"description": "This playbook leverages Illumio workloads API to enrich IP, Hostname and Labels, found in Microsoft Sentinel alerts. <img src=\"https://raw.githubusercontent.com/illumio-shield/Azure-Sentinel/illumio-sentinel-playbook/Solutions/IllumioSaaS/Playbooks/Illumio-Get-Ven-Details/images/illumio-get-ven-details-playbook.png\"/>.",
|
||||
"prerequisites": [
|
||||
"To use this playbook, ensure that you have valid API key and secret, org id and pce fqdn. Ensure that you deploy the template with the required context."
|
||||
],
|
||||
"postDeployment": [
|
||||
"After deployment open the playbook in edit mode and configure/authorize all connections and press save. <img src=\"https://raw.githubusercontent.com/illumio-shield/Azure-Sentinel/illumio-sentinel-playbook/Solutions/IllumioSaaS/Playbooks/Illumio-Get-Ven-Details/images/illumio-get-ven-details-playbook.png\"/>"
|
||||
],
|
||||
"prerequisitesDeployTemplateFile": "",
|
||||
"lastUpdateTime": "2024-11-21T00:00:00.000Z",
|
||||
"entities": [
|
||||
"ip",
|
||||
"host"
|
||||
],
|
||||
"tags": [ "Enrichment" ],
|
||||
"support": {
|
||||
"tier": "Partner"
|
||||
},
|
||||
"author": {
|
||||
"name": "Illumio"
|
||||
},
|
||||
"releaseNotes": [
|
||||
{
|
||||
"version": "1.0",
|
||||
"title": "Illumio Get Ven Details",
|
||||
"notes": [ "Initial version" ]
|
||||
}
|
||||
]
|
||||
},
|
||||
"parameters": {
|
||||
"PlaybookName": {
|
||||
"defaultValue": "Illumio-Ven-Details",
|
||||
"type": "String",
|
||||
"metadata": {
|
||||
"description": "PlayBook Name"
|
||||
}
|
||||
},
|
||||
"DeployersUserName": {
|
||||
"defaultValue": "<username>@<domain>",
|
||||
"type": "string"
|
||||
},
|
||||
"FunctionAppName": {
|
||||
"defaultValue": "IllumioVenDetails",
|
||||
"type": "String",
|
||||
"metadata": {
|
||||
"description": "Function app Name"
|
||||
}
|
||||
},
|
||||
"PCE_FQDN": {
|
||||
"type": "String",
|
||||
"metadata": {
|
||||
"description": "FQDN of PCE"
|
||||
}
|
||||
},
|
||||
"PORT": {
|
||||
"type": "String",
|
||||
"metadata": {
|
||||
"description": "Port that PCE connects to, like 443"
|
||||
}
|
||||
},
|
||||
"ORG_ID": {
|
||||
"type": "String",
|
||||
"metadata": {
|
||||
"description": "Customer's org id"
|
||||
}
|
||||
},
|
||||
"API_KEY": {
|
||||
"type": "String",
|
||||
"metadata": {
|
||||
"description": "API key"
|
||||
}
|
||||
},
|
||||
"API_SECRET": {
|
||||
"type": "String",
|
||||
"metadata": {
|
||||
"description": "API secret"
|
||||
}
|
||||
}
|
||||
},
|
||||
"variables": {
|
||||
"location": "[resourceGroup().location]",
|
||||
"hostingPlanName": "[parameters('FunctionAppName')]",
|
||||
"storageAccountName": "vendetailsstorage",
|
||||
"functionAppName": "[parameters('FunctionAppName')]",
|
||||
"applicationInsightsName": "[parameters('FunctionAppName')]",
|
||||
"pceFQDN": "[parameters('PCE_FQDN')]",
|
||||
"port": "[parameters('PORT')]",
|
||||
"orgId": "[parameters('ORG_ID')]",
|
||||
"apiKey": "[parameters('API_KEY')]",
|
||||
"apiSecret": "[parameters('API_SECRET')]",
|
||||
"o365ConnectionName": "[concat('o365-', parameters('PlaybookName'))]",
|
||||
"sentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]"
|
||||
},
|
||||
"resources": [
|
||||
{
|
||||
"type": "Microsoft.Web/connections",
|
||||
"apiVersion": "2016-06-01",
|
||||
"name": "[variables('o365ConnectionName')]",
|
||||
"location": "[resourceGroup().location]",
|
||||
"properties": {
|
||||
"displayName": "[parameters('DeployersUserName')]",
|
||||
"customParameterValues": {},
|
||||
"api": {
|
||||
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/office365')]"
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Web/connections",
|
||||
"apiVersion": "2016-06-01",
|
||||
"name": "[variables('sentinelConnectionName')]",
|
||||
"location": "[resourceGroup().location]",
|
||||
"properties": {
|
||||
"displayName": "[parameters('DeployersUserName')]",
|
||||
"customParameterValues": {},
|
||||
"api": {
|
||||
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Web/serverfarms",
|
||||
"apiVersion": "2020-06-01",
|
||||
"name": "[variables('hostingPlanName')]",
|
||||
"location": "[variables('location')]",
|
||||
"sku": {
|
||||
"name": "Y1",
|
||||
"tier": "Dynamic"
|
||||
},
|
||||
"properties": {
|
||||
"name": "[variables('hostingPlanName')]",
|
||||
"computeMode": "Dynamic"
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Storage/storageAccounts",
|
||||
"apiVersion": "2019-06-01",
|
||||
"name": "[variables('storageAccountName')]",
|
||||
"location": "[variables('location')]",
|
||||
"sku": {
|
||||
"name": "Standard_LRS",
|
||||
"tier": "Standard"
|
||||
},
|
||||
"kind": "StorageV2",
|
||||
"properties": {
|
||||
"accessTier": "Hot",
|
||||
"minimumTlsVersion": "TLS1_2",
|
||||
"supportsHttpsTrafficOnly": "true",
|
||||
"allowBlobPublicAccess": "false",
|
||||
"allowSharedKeyAccess": "true",
|
||||
"networkAcls": {
|
||||
"bypass": "AzureServices",
|
||||
"defaultAction": "Allow",
|
||||
"ipRules": []
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Insights/components",
|
||||
"apiVersion": "2020-02-02",
|
||||
"name": "[variables('applicationInsightsName')]",
|
||||
"location": "[resourceGroup().location]",
|
||||
"tags": {
|
||||
"[concat('hidden-link:', resourceId('Microsoft.Web/sites', variables('applicationInsightsName')))]": "Resource"
|
||||
},
|
||||
"properties": {
|
||||
"Application_Type": "web"
|
||||
},
|
||||
"kind": "web"
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Web/sites",
|
||||
"apiVersion": "2020-06-01",
|
||||
"name": "[variables('functionAppName')]",
|
||||
"location": "[variables('location')]",
|
||||
"kind": "functionapp,linux",
|
||||
"identity": {
|
||||
"type": "SystemAssigned"
|
||||
},
|
||||
"dependsOn": [
|
||||
"[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]",
|
||||
"[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]",
|
||||
"[resourceId('Microsoft.Insights/components', variables('applicationInsightsName'))]"
|
||||
],
|
||||
"properties": {
|
||||
"serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]",
|
||||
"siteConfig": {
|
||||
"appSettings": [
|
||||
{
|
||||
"name": "AzureWebJobsStorage",
|
||||
"value": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';EndpointSuffix=', environment().suffixes.storage, ';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), '2019-06-01').keys[0].value)]"
|
||||
},
|
||||
{
|
||||
"name": "FUNCTIONS_EXTENSION_VERSION",
|
||||
"value": "~4"
|
||||
},
|
||||
{
|
||||
"name": "FUNCTIONS_WORKER_RUNTIME",
|
||||
"value": "node"
|
||||
},
|
||||
{
|
||||
"name": "WEBSITE_NODE_DEFAULT_VERSION",
|
||||
"value": "~20"
|
||||
},
|
||||
{
|
||||
"name": "APPINSIGHTS_INSTRUMENTATIONKEY",
|
||||
"value": "[reference(resourceId('microsoft.insights/components', variables('applicationInsightsName')), '2020-02-02-preview').InstrumentationKey]"
|
||||
},
|
||||
{
|
||||
"name": "WEBSITE_RUN_FROM_PACKAGE",
|
||||
"value": "https://raw.githubusercontent.com/illumio-shield/Azure-Sentinel/illumio-sentinel-playbook/Solutions/IllumioSaaS/Playbooks/Illumio-Get-Ven-Details/illumio-ven-details.zip"
|
||||
},
|
||||
{
|
||||
"name": "PCE_FQDN",
|
||||
"value": "[variables('pceFQDN')]"
|
||||
},
|
||||
{
|
||||
"name": "PORT",
|
||||
"value": "[variables('port')]"
|
||||
},
|
||||
{
|
||||
"name": "ORG_ID",
|
||||
"value": "[variables('orgId')]"
|
||||
},
|
||||
{
|
||||
"name": "API_KEY",
|
||||
"value": "[variables('apiKey')]"
|
||||
},
|
||||
{
|
||||
"name": "API_SECRET",
|
||||
"value": "[variables('apiSecret')]"
|
||||
}
|
||||
]
|
||||
},
|
||||
"cors": {
|
||||
"allowedOrigins": [
|
||||
"https://functions.azure.com",
|
||||
"https://functions-staging.azure.com",
|
||||
"https://functions-next.azure.com"
|
||||
],
|
||||
"supportCredentials": false
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Logic/workflows",
|
||||
"apiVersion": "2017-07-01",
|
||||
"location": "[variables('location')]",
|
||||
"name": "[parameters('PlaybookName')]",
|
||||
"dependsOn": [
|
||||
"[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]",
|
||||
"[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]",
|
||||
"[resourceId('Microsoft.Insights/components', variables('applicationInsightsName'))]",
|
||||
"[resourceId('Microsoft.Web/sites', variables('functionAppName'))]",
|
||||
"[resourceId('Microsoft.Web/connections', variables('o365ConnectionName'))]"
|
||||
],
|
||||
"properties": {
|
||||
"state": "Enabled",
|
||||
"definition": {
|
||||
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"parameters": {
|
||||
"$connections": {
|
||||
"defaultValue": {},
|
||||
"type": "Object"
|
||||
}
|
||||
},
|
||||
"triggers": {
|
||||
"Microsoft_Sentinel_alert": {
|
||||
"type": "ApiConnectionWebhook",
|
||||
"inputs": {
|
||||
"host": {
|
||||
"connection": {
|
||||
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
|
||||
}
|
||||
},
|
||||
"body": {
|
||||
"callback_url": "@listCallbackUrl()"
|
||||
},
|
||||
"path": "/subscribe"
|
||||
}
|
||||
}
|
||||
},
|
||||
"actions": {
|
||||
"IllumioVenDetails-fetchVenDetails": {
|
||||
"type": "Function",
|
||||
"inputs": {
|
||||
"body": "@triggerBody()",
|
||||
"function": {
|
||||
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/sites/',parameters('Functionappname'), '/functions/fetchVenDetails')]"
|
||||
}
|
||||
},
|
||||
"runAfter": {
|
||||
}
|
||||
},
|
||||
"Initialize_variable": {
|
||||
"runAfter": {
|
||||
"IllumioVenDetails-fetchVenDetails": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "InitializeVariable",
|
||||
"inputs": {
|
||||
"variables": [
|
||||
{
|
||||
"name": "varStyle",
|
||||
"type": "object",
|
||||
"value": {
|
||||
"cellStyle": "style=\"font-family: Calibri; padding: 5px; border: 1px solid black;\"",
|
||||
"headerStyle": "style=\"font-family: Helvetica; padding: 5px; border: 1px solid black;\"",
|
||||
"numcellStyle": "style=\"font-family: Calibri; padding: 5px; border: 1px solid black;text-align: center;\"",
|
||||
"rowStyleHighValues": "style=\"font-size:110%;background-color:#b32400; padding: 5px; border: 1px solid black;text-align: center;\"",
|
||||
"rowStyleInfoValues": "style=\"background-color:#a6a6a6; padding: 5px; border: 1px solid black;text-align: center;\"",
|
||||
"rowStyleLowValues": "style=\"background-color:#ffcc00; padding: 5px; border: 1px solid black;text-align: center;\"",
|
||||
"rowStyleMedValues": "style=\"background-color:#ff6600; padding: 5px; border: 1px solid black;text-align: center;\"",
|
||||
"tableStyle": "style=\"border-collapse: collapse;\""
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
},
|
||||
"Initialize_variable_1": {
|
||||
"runAfter": {
|
||||
"Initialize_variable": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "InitializeVariable",
|
||||
"inputs": {
|
||||
"variables": [
|
||||
{
|
||||
"name": "varHTMLTable",
|
||||
"type": "string",
|
||||
"value": "<table @{variables('varStyle').tableStyle}>\n <tr>\n <th @{variables('varStyle').headerStyle}>Incident Number</th>\n <th @{variables('varStyle').headerStyle}>Created Time</th>\n <th @{variables('varStyle').headerStyle}>Title</th>\n <th @{variables('varStyle').headerStyle}>Ven Details</th>\n <th @{variables('varStyle').headerStyle}>Description</th>\n <th @{variables('varStyle').headerStyle}>Incident URL</th>\n </tr>"
|
||||
}
|
||||
]
|
||||
}
|
||||
},
|
||||
"Initialize_variable_2": {
|
||||
"type": "InitializeVariable",
|
||||
"inputs": {
|
||||
"variables": [
|
||||
{
|
||||
"name": "varSeverityColour",
|
||||
"type": "string",
|
||||
"value": "@triggerBody()?['Severity']"
|
||||
}
|
||||
]
|
||||
},
|
||||
"runAfter": {
|
||||
"Initialize_variable_3": [
|
||||
"Succeeded"
|
||||
]
|
||||
}
|
||||
},
|
||||
"Parse_JSON": {
|
||||
"runAfter": {
|
||||
"Initialize_variable_2": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "ParseJson",
|
||||
"inputs": {
|
||||
"content": "@body('IllumioVenDetails-fetchVenDetails')",
|
||||
"schema": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"response": {
|
||||
"type": "array",
|
||||
"items": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"public_ip": {
|
||||
"type": [
|
||||
"string",
|
||||
"null"
|
||||
]
|
||||
},
|
||||
"hostname": {
|
||||
"type": [
|
||||
"string",
|
||||
"null"
|
||||
]
|
||||
},
|
||||
"labels": {
|
||||
"type": "array",
|
||||
"items": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"href": {
|
||||
"type": "string"
|
||||
},
|
||||
"key": {
|
||||
"type": "string"
|
||||
},
|
||||
"value": {
|
||||
"type": "string"
|
||||
}
|
||||
},
|
||||
"required": [
|
||||
"href",
|
||||
"key",
|
||||
"value"
|
||||
]
|
||||
}
|
||||
}
|
||||
},
|
||||
"required": [
|
||||
"public_ip",
|
||||
"hostname",
|
||||
"labels"
|
||||
]
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"For_each": {
|
||||
"type": "Foreach",
|
||||
"foreach": "@body('Parse_JSON')?['response']",
|
||||
"actions": {
|
||||
"Append_to_string_variable": {
|
||||
"type": "AppendToStringVariable",
|
||||
"inputs": {
|
||||
"name": "EntityTable",
|
||||
"value": "<tr>\n <td @{variables('varStyle').cellStyle}>@{item()?['public_ip']}</td>\n <td @{variables('varStyle').cellStyle}>@{item()?['hostname']}</td> \n <td @{variables('varSeverityColour')}>@{item()?['labels']}</td> \n</tr>"
|
||||
}
|
||||
}
|
||||
},
|
||||
"runAfter": {
|
||||
"Parse_JSON": [
|
||||
"Succeeded"
|
||||
]
|
||||
}
|
||||
},
|
||||
"Append_to_string_variable_1": {
|
||||
"type": "AppendToStringVariable",
|
||||
"inputs": {
|
||||
"name": "EntityTable",
|
||||
"value": "</table>"
|
||||
},
|
||||
"runAfter": {
|
||||
"Append_to_string_variable_2": [
|
||||
"Succeeded"
|
||||
]
|
||||
}
|
||||
},
|
||||
"Condition": {
|
||||
"type": "If",
|
||||
"expression": {
|
||||
"and": [
|
||||
{
|
||||
"greater": [
|
||||
"@length(body('Parse_JSON')?['response'])",
|
||||
0
|
||||
]
|
||||
}
|
||||
]
|
||||
},
|
||||
"actions": {
|
||||
"Send_an_email_(V2)": {
|
||||
"type": "ApiConnection",
|
||||
"inputs": {
|
||||
"host": {
|
||||
"connection": {
|
||||
"name": "@parameters('$connections')['office365']['connectionId']"
|
||||
}
|
||||
},
|
||||
"method": "post",
|
||||
"body": {
|
||||
"To": "[parameters('DeployersUserName')]",
|
||||
"Subject": "Test Alert details",
|
||||
"Body": "<p class=\"editor-paragraph\">In the following, is more information, about the new Azure Sentinel incident:</p><br><p class=\"editor-paragraph\">@{variables('varHTMLTable')}</p><br><p class=\"editor-paragraph\">Illumio</p>",
|
||||
"Importance": "Normal"
|
||||
},
|
||||
"path": "/v2/Mail"
|
||||
}
|
||||
}
|
||||
},
|
||||
"else": {
|
||||
"actions": {}
|
||||
},
|
||||
"runAfter": {
|
||||
"Append_to_string_variable_1": [
|
||||
"Succeeded"
|
||||
]
|
||||
}
|
||||
},
|
||||
"Initialize_variable_3": {
|
||||
"type": "InitializeVariable",
|
||||
"inputs": {
|
||||
"variables": [
|
||||
{
|
||||
"name": "EntityTable",
|
||||
"type": "string",
|
||||
"value": "<table @{variables('varStyle').tableStyle}>\n <tr>\n <th @{variables('varStyle').headerStyle}>IP Address</th>\n <th @{variables('varStyle').headerStyle}>Hostname</th>\n <th @{variables('varStyle').headerStyle}>Labels</th>\n </tr>"
|
||||
}
|
||||
]
|
||||
},
|
||||
"runAfter": {
|
||||
"Initialize_variable_1": [
|
||||
"Succeeded"
|
||||
]
|
||||
}
|
||||
},
|
||||
"Append_to_string_variable_2": {
|
||||
"type": "AppendToStringVariable",
|
||||
"inputs": {
|
||||
"name": "varHTMLTable",
|
||||
"value": "</table>"
|
||||
},
|
||||
"runAfter": {
|
||||
"For_each": [
|
||||
"Succeeded"
|
||||
]
|
||||
}
|
||||
}
|
||||
},
|
||||
"outputs": {}
|
||||
},
|
||||
"parameters": {
|
||||
"$connections": {
|
||||
"value": {
|
||||
"azuresentinel": {
|
||||
"connectionId": "[resourceId('Microsoft.Web/connections', variables('sentinelConnectionName'))]",
|
||||
"connectionName": "[variables('sentinelConnectionName')]",
|
||||
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
|
||||
},
|
||||
"office365": {
|
||||
"connectionId": "[resourceId('Microsoft.Web/connections', variables('o365ConnectionName'))]",
|
||||
"connectionName": "[variables('o365ConnectionName')]",
|
||||
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/office365')]"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
Двоичные данные
Solutions/IllumioSaaS/Playbooks/Illumio-Get-Ven-Details/illumio-ven-details.zip
Normal file
Двоичные данные
Solutions/IllumioSaaS/Playbooks/Illumio-Get-Ven-Details/illumio-ven-details.zip
Normal file
Двоичный файл не отображается.
Двоичные данные
Solutions/IllumioSaaS/Playbooks/Illumio-Port-Blocking-Switch/Images/illumio-port-blocking-switch-playbook.png
Normal file
Двоичные данные
Solutions/IllumioSaaS/Playbooks/Illumio-Port-Blocking-Switch/Images/illumio-port-blocking-switch-playbook.png
Normal file
Двоичный файл не отображается.
|
После Ширина: | Высота: | Размер: 240 KiB |
|
|
@ -0,0 +1,371 @@
|
|||
{
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"metadata": {
|
||||
"title": "Illumio Containment Switch Playbook",
|
||||
"description": "This playbook leverages Illumio workloads API to contain and isolate a workload based on user inputs. <img src=\"https://raw.githubusercontent.com/illumio-shield/Azure-Sentinel/illumio-sentinel-playbook/Solutions/IllumioSaaS/Playbooks/Illumio-Port-Blocking-Switch/images/illumio-port-blocking-switch-playbook.png\"/>.",
|
||||
"prerequisites": [
|
||||
"To use this playbook, ensure that you have valid API key and secret, org id and pce fqdn. Ensure that you deploy the template with the required context."
|
||||
],
|
||||
"postDeployment": [
|
||||
"After deployment open the playbook in edit mode and configure/authorize all connections and press save. <img src=\"https://raw.githubusercontent.com/illumio-shield/Azure-Sentinel/illumio-sentinel-playbook/Solutions/IllumioSaaS/Playbooks/Illumio-Port-Blocking-Switch/images/illumio-port-blocking-switch-playbook.png\"/>"
|
||||
],
|
||||
"prerequisitesDeployTemplateFile": "",
|
||||
"lastUpdateTime": "2024-11-21T00:00:00.000Z",
|
||||
"entities": [
|
||||
|
||||
],
|
||||
"tags": [ "Remediation" ],
|
||||
"support": {
|
||||
"tier": "Partner"
|
||||
},
|
||||
"author": {
|
||||
"name": "Illumio"
|
||||
},
|
||||
"releaseNotes": [
|
||||
{
|
||||
"version": "1.0",
|
||||
"title": "Illumio Containment Switch",
|
||||
"notes": [ "Initial version" ]
|
||||
}
|
||||
]
|
||||
},
|
||||
"parameters": {
|
||||
"PlaybookName": {
|
||||
"defaultValue": "Illumio-Port-Blocking-Switch",
|
||||
"type": "String",
|
||||
"metadata": {
|
||||
"description": "PlayBook Name"
|
||||
}
|
||||
},
|
||||
"FunctionAppName": {
|
||||
"defaultValue": "IllumioPortBlockingApp",
|
||||
"type": "String",
|
||||
"metadata": {
|
||||
"description": "Function app Name"
|
||||
}
|
||||
},
|
||||
"PCE_FQDN": {
|
||||
"type": "String",
|
||||
"metadata": {
|
||||
"description": "FQDN of PCE"
|
||||
}
|
||||
},
|
||||
"PORT": {
|
||||
"type": "String",
|
||||
"metadata": {
|
||||
"description": "Port that PCE connects to, like 443"
|
||||
}
|
||||
},
|
||||
"ORG_ID": {
|
||||
"type": "String",
|
||||
"metadata": {
|
||||
"description": "Customer's org id"
|
||||
}
|
||||
},
|
||||
"API_KEY": {
|
||||
"type": "String",
|
||||
"metadata": {
|
||||
"description": "API key"
|
||||
}
|
||||
},
|
||||
"API_SECRET": {
|
||||
"type": "String",
|
||||
"metadata": {
|
||||
"description": "API secret"
|
||||
}
|
||||
}
|
||||
},
|
||||
"variables": {
|
||||
"location": "[resourceGroup().location]",
|
||||
"hostingPlanName": "[parameters('FunctionAppName')]",
|
||||
"storageAccountName": "portblockstorage",
|
||||
"functionAppName": "[parameters('FunctionAppName')]",
|
||||
"applicationInsightsName": "[parameters('FunctionAppName')]",
|
||||
"pceFQDN": "[parameters('PCE_FQDN')]",
|
||||
"port": "[parameters('PORT')]",
|
||||
"orgId": "[parameters('ORG_ID')]",
|
||||
"apiKey": "[parameters('API_KEY')]",
|
||||
"apiSecret": "[parameters('API_SECRET')]",
|
||||
"sentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]"
|
||||
},
|
||||
"resources": [
|
||||
{
|
||||
"type": "Microsoft.Web/serverfarms",
|
||||
"apiVersion": "2020-06-01",
|
||||
"name": "[variables('hostingPlanName')]",
|
||||
"location": "[variables('location')]",
|
||||
"sku": {
|
||||
"name": "Y1",
|
||||
"tier": "Dynamic"
|
||||
},
|
||||
"properties": {
|
||||
"name": "[variables('hostingPlanName')]",
|
||||
"computeMode": "Dynamic"
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Storage/storageAccounts",
|
||||
"apiVersion": "2019-06-01",
|
||||
"name": "[variables('storageAccountName')]",
|
||||
"location": "[variables('location')]",
|
||||
"sku": {
|
||||
"name": "Standard_LRS",
|
||||
"tier": "Standard"
|
||||
},
|
||||
"kind": "StorageV2",
|
||||
"properties": {
|
||||
"accessTier": "Hot",
|
||||
"minimumTlsVersion": "TLS1_2",
|
||||
"supportsHttpsTrafficOnly": "true",
|
||||
"allowBlobPublicAccess": "false",
|
||||
"allowSharedKeyAccess": "true",
|
||||
"networkAcls": {
|
||||
"bypass": "AzureServices",
|
||||
"defaultAction": "Allow",
|
||||
"ipRules": []
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Insights/components",
|
||||
"apiVersion": "2020-02-02",
|
||||
"name": "[variables('applicationInsightsName')]",
|
||||
"location": "[resourceGroup().location]",
|
||||
"tags": {
|
||||
"[concat('hidden-link:', resourceId('Microsoft.Web/sites', variables('applicationInsightsName')))]": "Resource"
|
||||
},
|
||||
"properties": {
|
||||
"Application_Type": "web"
|
||||
},
|
||||
"kind": "web"
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Web/sites",
|
||||
"apiVersion": "2020-06-01",
|
||||
"name": "[variables('functionAppName')]",
|
||||
"location": "[variables('location')]",
|
||||
"kind": "functionapp,linux",
|
||||
"identity": {
|
||||
"type": "SystemAssigned"
|
||||
},
|
||||
"dependsOn": [
|
||||
"[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]",
|
||||
"[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]",
|
||||
"[resourceId('Microsoft.Insights/components', variables('applicationInsightsName'))]"
|
||||
],
|
||||
"properties": {
|
||||
"serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]",
|
||||
"siteConfig": {
|
||||
"appSettings": [
|
||||
{
|
||||
"name": "AzureWebJobsStorage",
|
||||
"value": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';EndpointSuffix=', environment().suffixes.storage, ';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), '2019-06-01').keys[0].value)]"
|
||||
},
|
||||
{
|
||||
"name": "FUNCTIONS_EXTENSION_VERSION",
|
||||
"value": "~4"
|
||||
},
|
||||
{
|
||||
"name": "FUNCTIONS_WORKER_RUNTIME",
|
||||
"value": "node"
|
||||
},
|
||||
{
|
||||
"name": "WEBSITE_NODE_DEFAULT_VERSION",
|
||||
"value": "~20"
|
||||
},
|
||||
{
|
||||
"name": "APPINSIGHTS_INSTRUMENTATIONKEY",
|
||||
"value": "[reference(resourceId('microsoft.insights/components', variables('applicationInsightsName')), '2020-02-02-preview').InstrumentationKey]"
|
||||
},
|
||||
{
|
||||
"name": "WEBSITE_RUN_FROM_PACKAGE",
|
||||
"value": "https://raw.githubusercontent.com/illumio-shield/Azure-Sentinel/illumio-sentinel-playbook/Solutions/IllumioSaaS/Playbooks/Illumio-Port-Blocking-Switch/illumio-containment-switch.zip"
|
||||
},
|
||||
{
|
||||
"name": "PCE_FQDN",
|
||||
"value": "[variables('pceFQDN')]"
|
||||
},
|
||||
{
|
||||
"name": "PORT",
|
||||
"value": "[variables('port')]"
|
||||
},
|
||||
{
|
||||
"name": "ORG_ID",
|
||||
"value": "[variables('orgId')]"
|
||||
},
|
||||
{
|
||||
"name": "API_KEY",
|
||||
"value": "[variables('apiKey')]"
|
||||
},
|
||||
{
|
||||
"name": "API_SECRET",
|
||||
"value": "[variables('apiSecret')]"
|
||||
}
|
||||
]
|
||||
},
|
||||
"cors": {
|
||||
"allowedOrigins": [
|
||||
"https://functions.azure.com",
|
||||
"https://functions-staging.azure.com",
|
||||
"https://functions-next.azure.com"
|
||||
],
|
||||
"supportCredentials": false
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Logic/workflows",
|
||||
"apiVersion": "2017-07-01",
|
||||
"name": "[parameters('PlaybookName')]",
|
||||
"location": "[variables('location')]",
|
||||
"dependsOn": [
|
||||
"[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]",
|
||||
"[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]",
|
||||
"[resourceId('Microsoft.Insights/components', variables('applicationInsightsName'))]",
|
||||
"[resourceId('Microsoft.Web/sites', variables('functionAppName'))]"
|
||||
],
|
||||
"properties": {
|
||||
"state": "Enabled",
|
||||
"definition": {
|
||||
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"parameters": {
|
||||
"$connections": {
|
||||
"defaultValue": {},
|
||||
"type": "Object"
|
||||
}
|
||||
},
|
||||
"triggers": {
|
||||
"When_a_HTTP_request_is_received": {
|
||||
"type": "Request",
|
||||
"kind": "Http",
|
||||
"inputs": {
|
||||
"method": "POST",
|
||||
"schema": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"protocol": {
|
||||
"type": "integer"
|
||||
},
|
||||
"port": {
|
||||
"type": "integer"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"actions": {
|
||||
"PortBlockingFunction-runTrafficQuery": {
|
||||
"runAfter": {},
|
||||
"type": "Function",
|
||||
"inputs": {
|
||||
"body": "@triggerBody()",
|
||||
"function": {
|
||||
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/sites/',parameters('Functionappname'), '/functions/runTrafficQuery')]"
|
||||
}
|
||||
}
|
||||
},
|
||||
"PortBlockingFunction-fetchVisibilityOnlyWorkloadsFromTrafficResults": {
|
||||
"runAfter": {
|
||||
"PortBlockingFunction-runTrafficQuery": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "Function",
|
||||
"inputs": {
|
||||
"body": "@body('PortBlockingFunction-runTrafficQuery')",
|
||||
"function": {
|
||||
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/sites/',parameters('Functionappname'), '/functions/fetchVisibilityOnlyWorkloadsFromTrafficResults')]"
|
||||
}
|
||||
}
|
||||
},
|
||||
"PortBlockingFunction-createVirtualService": {
|
||||
"runAfter": {
|
||||
"PortBlockingFunction-fetchVisibilityOnlyWorkloadsFromTrafficResults": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "Function",
|
||||
"inputs": {
|
||||
"body": "@body('PortBlockingFunction-fetchVisibilityOnlyWorkloadsFromTrafficResults')",
|
||||
"function": {
|
||||
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/sites/',parameters('Functionappname'), '/functions/createVirtualService')]"
|
||||
}
|
||||
}
|
||||
},
|
||||
"PortBlockingFunction-bindWorkloadsToVirtualService": {
|
||||
"runAfter": {
|
||||
"PortBlockingFunction-createVirtualService": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "Function",
|
||||
"inputs": {
|
||||
"body": "@body('PortBlockingFunction-createVirtualService')",
|
||||
"function": {
|
||||
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/sites/',parameters('Functionappname'), '/functions/bindWorkloadsToVirtualService')]"
|
||||
}
|
||||
}
|
||||
},
|
||||
"PortBlockingFunction-createAllowRuleForVirtualService": {
|
||||
"runAfter": {
|
||||
"PortBlockingFunction-bindWorkloadsToVirtualService": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "Function",
|
||||
"inputs": {
|
||||
"body": "@body('PortBlockingFunction-bindWorkloadsToVirtualService')",
|
||||
"function": {
|
||||
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/sites/',parameters('Functionappname'), '/functions/createAllowRuleForVirtualService')]"
|
||||
}
|
||||
}
|
||||
},
|
||||
"PortBlockingFunction-changeWorkloadEnforcementState": {
|
||||
"runAfter": {
|
||||
"PortBlockingFunction-fetchVisibilityOnlyWorkloadsFromTrafficResults": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "Function",
|
||||
"inputs": {
|
||||
"body": "@body('PortBlockingFunction-fetchVisibilityOnlyWorkloadsFromTrafficResults')",
|
||||
"function": {
|
||||
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/sites/',parameters('Functionappname'), '/functions/changeWorkloadEnforcementState')]"
|
||||
}
|
||||
}
|
||||
},
|
||||
"PortBlockingFunction-createDenyRule": {
|
||||
"runAfter": {
|
||||
"PortBlockingFunction-fetchVisibilityOnlyWorkloadsFromTrafficResults": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "Function",
|
||||
"inputs": {
|
||||
"body": "@body('PortBlockingFunction-fetchVisibilityOnlyWorkloadsFromTrafficResults')",
|
||||
"function": {
|
||||
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/sites/',parameters('Functionappname'), '/functions/createDenyRule')]"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"outputs": {}
|
||||
},
|
||||
"parameters": {
|
||||
"$connections": {
|
||||
"value": {
|
||||
"azuresentinel": {
|
||||
"connectionId": "[resourceId('Microsoft.Web/connections', variables('sentinelConnectionName'))]",
|
||||
"connectionName": "[variables('sentinelConnectionName')]",
|
||||
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
Двоичные данные
Solutions/IllumioSaaS/Playbooks/Illumio-Port-Blocking-Switch/illumio-containment-switch.zip
Normal file
Двоичные данные
Solutions/IllumioSaaS/Playbooks/Illumio-Port-Blocking-Switch/illumio-containment-switch.zip
Normal file
Двоичный файл не отображается.
|
|
@ -19,8 +19,12 @@
|
|||
"Analytic Rules/Illumio_VEN_Deactivated_Query.yaml",
|
||||
"Analytic Rules/Illumio_VEN_Suspend_Query.yaml"
|
||||
],
|
||||
"Playbooks": [
|
||||
"Playbooks/Illumio-Port-Blocking-Switch/azuredeploy.json",
|
||||
"Playbooks/Illumio-Get-Ven-Details/azuredeploy.json"
|
||||
],
|
||||
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\IllumioSaaS",
|
||||
"Version": "3.2.2",
|
||||
"Version": "3.3.2",
|
||||
"Metadata": "SolutionMetadata.json",
|
||||
"TemplateSpec": true,
|
||||
"Is1Pconnector": false
|
||||
|
|
|
|||
Загрузка…
Ссылка в новой задаче