Azure
/
Azure-Sentinel
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Updating threatx solution with minor chnages

This commit is contained in:
Manish Kumar 2022-09-20 17:41:13 +05:30
Родитель 8761e9ad20
Коммит 6ac85b3747
2 изменённых файлов: 43 добавлений и 186 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

112
Solutions/ThreatXCloud/Playbooks/ThreatXPlaybooks/ThreatX-BlockIP-URL/azuredeploy.json
Просмотреть файл

@ -6,10 +6,11 @@
"description": "This Playbook Provides the automation on blocking the suspicious/malicious IP and URL on ThreatX cloud waf", "description": "This Playbook Provides the automation on blocking the suspicious/malicious IP and URL on ThreatX cloud waf",
"prerequisites": [ "prerequisites": [
"1. ThreatX-WAF Custom Connector needs to be deployed prior to the deployment of this playbook under the same subscription.", "1. ThreatX-WAF Custom Connector needs to be deployed prior to the deployment of this playbook under the same subscription.",
"2. API Key . To get API Key, login into your ThreatX cloud instance dashboard and navigate to Settings --> API Key --> Add Api key" "2. API Key . To get API Key, login into your ThreatX cloud instance dashboard and navigate to Settings --> API Key --> Add Api key",
"3. Store the API secret key in Key vault and provide the key name of the stored secret during deployment"
], ],
"postDeployment": [ "postDeployment": [
"1. During deployment you need to provide your api key with key vault name ,tenant name." "1. During deployment you need to provide your tenant name and key name of stored secret key."
], ],
"prerequisitesDeployTemplateFile": "../../CustomConnector/ThreatXCustomConnector/azuredeploy.json", "prerequisitesDeployTemplateFile": "../../CustomConnector/ThreatXCustomConnector/azuredeploy.json",
"lastUpdateTime": "2022-09-05T00:00:00.000Z", "lastUpdateTime": "2022-09-05T00:00:00.000Z",
@ -31,31 +32,16 @@
"Customer name": { "Customer name": {
"type": "string", "type": "string",
"metadata": { "metadata": {
"description": "Enter value for Tenant name" "description": "Enter value for Customer name"
}
},
"Keyvault name": {
"defaultValue": "",
"type": "String",
"metadata": {
"description": "Enter unique name else deployment will fail: postfix with some random number"
} }
}, },
"Threatx Key name": { "Threatx Key name": {
"defaultValue": "",
"type": "string", "type": "string",
"metadata": { "metadata": {
"description": "Your Key name" "description": "Your Key name for the stored api secret"
} }
}, },
"Threatx Key": { "CustomConnectorName": {
"defaultValue": "",
"type": "securestring",
"metadata": {
"description": "Your secure threat-x key."
}
},
"CustomConnectorName": {
"defaultValue": "ThreatX-WAFCustomConnector", "defaultValue": "ThreatX-WAFCustomConnector",
"type": "string", "type": "string",
"metadata": { "metadata": {
@ -64,62 +50,11 @@
} }
}, },
"variables": { "variables": {
"keyvault_name": "[toLower(parameters('Keyvault name'))]", "Threatx-WafcustomconnectorConnectionName": "[concat('Threatx-Wafcustomconnector-', parameters('PlaybookName'))]",
"Threatx-WAFConnectionName": "[concat('Threatx-WAF-', parameters('PlaybookName'))]",
"MicrosoftSentinelConnectionName": "[concat('MicrosoftSentinel-', parameters('PlaybookName'))]", "MicrosoftSentinelConnectionName": "[concat('MicrosoftSentinel-', parameters('PlaybookName'))]",
"KeyvaultConnectionName": "[concat('Keyvault-', parameters('PlaybookName'))]" "KeyvaultConnectionName": "[concat('Keyvault-', parameters('PlaybookName'))]"
}, },
"resources": [ "resources": [
{
"type": "Microsoft.KeyVault/vaults",
"apiVersion": "2022-07-01",
"name": "[variables('keyvault_name')]",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Logic/workflows', parameters('PlaybookName'))]"
],
"properties": {
"sku": {
"family": "A",
"name": "Standard"
},
"tenantId": "[subscription().tenantId]",
"accessPolicies": [
{
"tenantId": "[subscription().tenantId]",
"objectId": "[reference(resourceId('Microsoft.Logic/workflows', parameters('PlaybookName')), '2019-05-01', 'full').identity.principalId]",
"permissions": {
"certificates": [],
"keys": [],
"secrets": [
"Get",
"List"
]
}
}
],
"enabledForDeployment": false,
"enabledForDiskEncryption": false,
"enabledForTemplateDeployment": true,
"enableSoftDelete": true
}
},
{
"type": "Microsoft.KeyVault/vaults/secrets",
"apiVersion": "2022-07-01",
"name": "[concat(variables('keyvault_name'), '/', parameters('Threatx Key name'))]",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.KeyVault/vaults', variables('keyvault_name'))]"
],
"properties": {
"value": "[parameters('Threatx Key')]",
"contentType": "string",
"attributes": {
"enabled": true
}
}
},
{ {
"properties": { "properties": {
"provisioningState": "Succeeded", "provisioningState": "Succeeded",
@ -1212,8 +1147,8 @@
"$connections": { "$connections": {
"value": { "value": {
"ThreatX-WAFCustomConnector": { "ThreatX-WAFCustomConnector": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('Threatx-WAFConnectionName'))]", "connectionId": "[resourceId('Microsoft.Web/connections', variables('Threatx-WafcustomconnectorConnectionName'))]",
"connectionName": "[variables('Threatx-WAFConnectionName')]", "connectionName": "[variables('Threatx-WafcustomconnectorConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('CustomConnectorName'))]" "id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('CustomConnectorName'))]"
}, },
"azuresentinel": { "azuresentinel": {
@ -1229,12 +1164,12 @@
"keyvault": { "keyvault": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('KeyvaultConnectionName'))]", "connectionId": "[resourceId('Microsoft.Web/connections', variables('KeyvaultConnectionName'))]",
"connectionName": "[variables('KeyvaultConnectionName')]", "connectionName": "[variables('KeyvaultConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Keyvault')]",
"connectionProperties": { "connectionProperties": {
"authentication": { "authentication": {
"type": "ManagedServiceIdentity" "type": "ManagedServiceIdentity"
} }
}, }
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Keyvault')]"
} }
} }
} }
@ -1252,7 +1187,7 @@
}, },
"apiVersion": "2017-07-01", "apiVersion": "2017-07-01",
"dependsOn": [ "dependsOn": [
"[resourceId('Microsoft.Web/connections', variables('Threatx-WAFConnectionName'))]", "[resourceId('Microsoft.Web/connections', variables('Threatx-WafcustomconnectorConnectionName'))]",
"[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
"[resourceId('Microsoft.Web/connections', variables('KeyvaultConnectionName'))]" "[resourceId('Microsoft.Web/connections', variables('KeyvaultConnectionName'))]"
] ]
@ -1260,11 +1195,11 @@
{ {
"type": "Microsoft.Web/connections", "type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01", "apiVersion": "2016-06-01",
"name": "[variables('Threatx-WAFConnectionName')]", "name": "[variables('Threatx-WafcustomconnectorConnectionName')]",
"location": "[resourceGroup().location]", "location": "[resourceGroup().location]",
"kind": "V1", "kind": "V1",
"properties": { "properties": {
"displayName": "[variables('Threatx-WAFConnectionName')]", "displayName": "[variables('Threatx-WafcustomconnectorConnectionName')]",
"customParameterValues": {}, "customParameterValues": {},
"api": { "api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('CustomConnectorName'))]" "id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('CustomConnectorName'))]"
@ -1287,25 +1222,18 @@
} }
}, },
{ {
"type": "Microsoft.Web/Connections", "type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01", "apiVersion": "2016-06-01",
"name": "[variables('KeyvaultConnectionName')]", "name": "[variables('KeyvaultConnectionName')]",
"kind": "V1",
"location": "[resourceGroup().location]", "location": "[resourceGroup().location]",
"kind": "V1",
"properties": { "properties": {
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/', 'keyvault')]",
"type": "Microsoft.Web/locations/managedApis"
},
"parameterValueType": "Alternative",
"alternativeParameterValues": {
"vaultName": "[variables('keyvault_name')]"
},
"displayName": "[variables('KeyvaultConnectionName')]", "displayName": "[variables('KeyvaultConnectionName')]",
"nonSecretParameterValues": { "customParameterValues": {},
"vaultName": "[variables('keyvault_name')]" "parameterValueType": "Alternative",
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Keyvault')]"
} }
} }
} }
] ]

117
Solutions/ThreatXCloud/Playbooks/ThreatXPlaybooks/ThreatX-Enrichment/azuredeploy.json
Просмотреть файл

@ -6,10 +6,11 @@
"description": "This playbook provides/updates the threat intel and essential details in comments section of triggered incident so that SOC analysts can directly take corrective measure to stop the attack", "description": "This playbook provides/updates the threat intel and essential details in comments section of triggered incident so that SOC analysts can directly take corrective measure to stop the attack",
"prerequisites": [ "prerequisites": [
"1. ThreatX-WAF Custom Connector needs to be deployed prior to the deployment of this playbook under the same subscription.", "1. ThreatX-WAF Custom Connector needs to be deployed prior to the deployment of this playbook under the same subscription.",
"2. API Key . To get API Key, login into your ThreatX cloud instance dashboard and navigate to Settings --> API Key --> Add Api key" "2. API Key . To get API Key, login into your ThreatX cloud instance dashboard and navigate to Settings --> API Key --> Add Api key",
"3. Store the API secret key in Key vault and provide the key name of the stored secret during deployment"
], ],
"postDeployment": [ "postDeployment": [
"1. During deployment you need to provide your api key with key vault name and tenant name." "1. During deployment you need to provide your tenant name and key name of stored secret key."
], ],
"prerequisitesDeployTemplateFile": "../../CustomConnector/ThreatXCustomConnector/azuredeploy.json", "prerequisitesDeployTemplateFile": "../../CustomConnector/ThreatXCustomConnector/azuredeploy.json",
"lastUpdateTime": "2022-09-15T00:00:00.000Z", "lastUpdateTime": "2022-09-15T00:00:00.000Z",
@ -31,31 +32,17 @@
"customer_name": { "customer_name": {
"type": "string", "type": "string",
"metadata": { "metadata": {
"description": "Enter value for Tenant name" "description": "Enter value for customer_name"
} }
}, },
"Keyvault name": { "Threatx Key name": {
"defaultValue": "",
"type": "String",
"metadata": {
"description": "Enter unique name else deployment will fail: postfix with some random number"
}
},
"Threatx Key name": {
"defaultValue": "", "defaultValue": "",
"type": "string", "type": "string",
"metadata": { "metadata": {
"description": "Your Key name" "description": "Your Key name for the stored api secret"
} }
}, },
"Threatx Key": { "CustomConnectorName": {
"defaultValue": "",
"type": "securestring",
"metadata": {
"description": "Your secure threat-x key."
}
},
"CustomConnectorName": {
"defaultValue": "ThreatX-WAFCustomConnector", "defaultValue": "ThreatX-WAFCustomConnector",
"type": "string", "type": "string",
"metadata": { "metadata": {
@ -64,62 +51,11 @@
} }
}, },
"variables": { "variables": {
"keyvault_name": "[toLower(parameters('Keyvault name'))]", "Threatx-WafcustomconnectorConnectionName": "[concat('Threatx-Wafcustomconnector-', parameters('PlaybookName'))]",
"Threatx-WAFConnectionName": "[concat('Threatx-WAF-', parameters('PlaybookName'))]",
"MicrosoftSentinelConnectionName": "[concat('MicrosoftSentinel-', parameters('PlaybookName'))]", "MicrosoftSentinelConnectionName": "[concat('MicrosoftSentinel-', parameters('PlaybookName'))]",
"KeyvaultConnectionName": "[concat('Keyvault-', parameters('PlaybookName'))]" "KeyvaultConnectionName": "[concat('Keyvault-', parameters('PlaybookName'))]"
}, },
"resources": [ "resources": [
{
"type": "Microsoft.KeyVault/vaults",
"apiVersion": "2022-07-01",
"name": "[variables('keyvault_name')]",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Logic/workflows', parameters('PlaybookName'))]"
],
"properties": {
"sku": {
"family": "A",
"name": "Standard"
},
"tenantId": "[subscription().tenantId]",
"accessPolicies": [
{
"tenantId": "[subscription().tenantId]",
"objectId": "[reference(resourceId('Microsoft.Logic/workflows', parameters('PlaybookName')), '2019-05-01', 'full').identity.principalId]",
"permissions": {
"certificates": [],
"keys": [],
"secrets": [
"Get",
"List"
]
}
}
],
"enabledForDeployment": false,
"enabledForDiskEncryption": false,
"enabledForTemplateDeployment": true,
"enableSoftDelete": true
}
},
{
"type": "Microsoft.KeyVault/vaults/secrets",
"apiVersion": "2022-07-01",
"name": "[concat(variables('keyvault_name'), '/', parameters('Threatx Key name'))]",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.KeyVault/vaults', variables('keyvault_name'))]"
],
"properties": {
"value": "[parameters('Threatx Key')]",
"contentType": "string",
"attributes": {
"enabled": true
}
}
},
{ {
"properties": { "properties": {
"provisioningState": "Succeeded", "provisioningState": "Succeeded",
@ -136,10 +72,10 @@
"type": "string", "type": "string",
"defaultValue": "[parameters('customer_name')]" "defaultValue": "[parameters('customer_name')]"
}, },
"Threatx_Key_name": { "Threatx_Key_name": {
"type": "string", "type": "string",
"defaultValue": "[parameters('Threatx Key name')]" "defaultValue": "[parameters('Threatx Key name')]"
} }
}, },
"triggers": { "triggers": {
"Microsoft_Sentinel_incident": { "Microsoft_Sentinel_incident": {
@ -607,8 +543,8 @@
"$connections": { "$connections": {
"value": { "value": {
"ThreatX-WAFCustomConnector": { "ThreatX-WAFCustomConnector": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('Threatx-WAFConnectionName'))]", "connectionId": "[resourceId('Microsoft.Web/connections', variables('Threatx-WafcustomconnectorConnectionName'))]",
"connectionName": "[variables('Threatx-WAFConnectionName')]", "connectionName": "[variables('Threatx-WafcustomconnectorConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('CustomConnectorName'))]" "id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('CustomConnectorName'))]"
}, },
"azuresentinel": { "azuresentinel": {
@ -624,12 +560,12 @@
"keyvault": { "keyvault": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('KeyvaultConnectionName'))]", "connectionId": "[resourceId('Microsoft.Web/connections', variables('KeyvaultConnectionName'))]",
"connectionName": "[variables('KeyvaultConnectionName')]", "connectionName": "[variables('KeyvaultConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Keyvault')]",
"connectionProperties": { "connectionProperties": {
"authentication": { "authentication": {
"type": "ManagedServiceIdentity" "type": "ManagedServiceIdentity"
} }
}, }
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Keyvault')]"
} }
} }
} }
@ -647,7 +583,7 @@
}, },
"apiVersion": "2017-07-01", "apiVersion": "2017-07-01",
"dependsOn": [ "dependsOn": [
"[resourceId('Microsoft.Web/connections', variables('Threatx-WAFConnectionName'))]", "[resourceId('Microsoft.Web/connections', variables('Threatx-WafcustomconnectorConnectionName'))]",
"[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
"[resourceId('Microsoft.Web/connections', variables('KeyvaultConnectionName'))]" "[resourceId('Microsoft.Web/connections', variables('KeyvaultConnectionName'))]"
] ]
@ -655,11 +591,11 @@
{ {
"type": "Microsoft.Web/connections", "type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01", "apiVersion": "2016-06-01",
"name": "[variables('Threatx-WAFConnectionName')]", "name": "[variables('Threatx-WafcustomconnectorConnectionName')]",
"location": "[resourceGroup().location]", "location": "[resourceGroup().location]",
"kind": "V1", "kind": "V1",
"properties": { "properties": {
"displayName": "[variables('Threatx-WAFConnectionName')]", "displayName": "[variables('Threatx-WafcustomconnectorConnectionName')]",
"customParameterValues": {}, "customParameterValues": {},
"api": { "api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('CustomConnectorName'))]" "id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('CustomConnectorName'))]"
@ -682,25 +618,18 @@
} }
}, },
{ {
"type": "Microsoft.Web/Connections", "type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01", "apiVersion": "2016-06-01",
"name": "[variables('KeyvaultConnectionName')]", "name": "[variables('KeyvaultConnectionName')]",
"kind": "V1",
"location": "[resourceGroup().location]", "location": "[resourceGroup().location]",
"kind": "V1",
"properties": { "properties": {
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/', 'keyvault')]",
"type": "Microsoft.Web/locations/managedApis"
},
"parameterValueType": "Alternative",
"alternativeParameterValues": {
"vaultName": "[variables('keyvault_name')]"
},
"displayName": "[variables('KeyvaultConnectionName')]", "displayName": "[variables('KeyvaultConnectionName')]",
"nonSecretParameterValues": { "customParameterValues": {},
"vaultName": "[variables('keyvault_name')]" "parameterValueType": "Alternative",
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Keyvault')]"
} }
} }
} }
] ]