update Affected-Key-Credentials-CVE-2021-42306 ARM

2022-03-16 15:47:09 -07:00 · 2022-03-16 15:47:09 -07:00 · 6c690a0778
--- a/Playbooks/Affected-Key-Credentials-CVE-2021-42306/azuredeploy.json
+++ b/Playbooks/Affected-Key-Credentials-CVE-2021-42306/azuredeploy.json
@ -1,4 +1,98 @@
 {
+	"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+	"contentVersion": "1.0.0.0",
+	"parameters": {
+		"PlaybookName": {
+			"type": "string",
+			"defaultValue": "Affected-Key-Credentials-Scanner"
+		},
+		"Environment": {
+			"type": "string",
+			"allowedValues": [
+				"Azure Commercial",
+				"Azure Fairfax (Gov)",
+				"Germany",
+				"China"
+			],
+			"defaultValue": "Azure Commercial",
+			"metadata": {
+				"description": "Cloud Environment"
+			}
+		},
+		"ObjectClass": {
+			"type": "string",
+			"allowedValues": [
+				"Application",
+				"ServicePrincipal"
+			],
+			"defaultValue": "Application",
+			"metadata": {
+				"description": "Select Application/ ServicePrincipal"
+			}
+		},
+		"WorkspaceId": {
+			"type": "string",
+			"metadata": {
+				"description": "Azure Sentinel WorkspaceId"
+			}
+		},
+		"WorkspaceName": {
+			"type": "string",
+			"metadata": {
+				"description": "Azure Sentinel WorkspaceName"
+			}
+		},
+		"TenantId": {
+			"type": "string",
+			"metadata": {
+				"description": "Azure AAD TenantId"
+			}
+		},
+		"ClientId": {
+			"type": "string",
+			"metadata": {
+				"description": "Azure AAD ClientId"
+			}
+		},
+		"ClientSecret": {
+			"type": "string",
+			"metadata": {
+				"description": "Azure AAD ClientSecret"
+			}
+		},
+		"WatchListAlias": {
+			"type": "string",
+			"defaultValue": "Vulnerable_CVE_2021_42306",
+			"metadata": {
+				"description": "Describe Watchlist Name"
+			}
+		},
+		"WatchlistDescription": {
+			"type": "string",
+			"defaultValue": "Vulnerable_CVE_2021_42306",
+			"metadata": {
+				"description": "Describe Watchlist Description"
+			}
+		}
+	},
+	"variables": {
+		"azuresentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]"
+	},
+	"metadata": {
+		"support": {
+			"tier": "community"
+		},
+		"tags": [],
+		"lastUpdateTime": "",
+		"title": "",
+		"entities": [],
+		"author": {
+			"name": "Sreedhar Ande"
+		},
+		"prerequisites": "Azure AAD App with necessary permissions",
+		"prerequisitesDeployTemplateFile": "",
+		"description": "This Playbook scans all key credentials in all apps/serviceprincipals in the specified tenant  for credentials with property hasExtendedValue == true by calling Microsoft Graph and adds to Azure Sentinel Watchlist"
+	},
 	"resources": [
 		{
 			"properties": {
@ -14,43 +108,43 @@
 						},
 						"Environment": {
 							"defaultValue": "[parameters('Environment')]",
-							"type": "String"
+							"type": "string"
 						},
 						"SubscriptionId": {
 							"defaultValue": "[subscription().subscriptionId]",
-							"type": "String"
+							"type": "string"
 						},
 						"ObjectClass": {
 							"defaultValue": "[parameters('ObjectClass')]",
-							"type": "String"
+							"type": "string"
 						},
 						"ResourceGroup": {
-							"defaultValue": "[parameters('ResourceGroup')]",
-							"type": "String"
+							"defaultValue": "[resourceGroup().name]",
+							"type": "string"
 						},
 						"WorkspaceId": {
 							"defaultValue": "[parameters('WorkspaceId')]",
-							"type": "String"
+							"type": "string"
 						},
 						"WorkspaceName": {
 							"defaultValue": "[parameters('WorkspaceName')]",
-							"type": "String"
+							"type": "string"
 						},
 						"TenantId": {
 							"defaultValue": "[parameters('TenantId')]",
-							"type": "String"
+							"type": "string"
 						},
 						"ClientId": {
 							"defaultValue": "[parameters('ClientId')]",
-							"type": "String"
+							"type": "string"
 						},
 						"ClientSecret": {
 							"defaultValue": "[parameters('ClientSecret')]",
-							"type": "String"
+							"type": "string"
 						},
 						"WatchListAlias": {
-							"defaultValue": "[parameters('WatchlistName')]",
-							"type": "String"
+							"defaultValue": "[parameters('WatchListAlias')]",
+							"type": "string"
 						}
 					},
 					"triggers": {
@ -512,7 +606,12 @@
 							"azuresentinel": {
 								"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]",
 								"connectionId": "[resourceId('Microsoft.Web/connections', variables('azuresentinelConnectionName'))]",
-								"connectionName": "[variables('azuresentinelConnectionName')]"
+								"connectionName": "[variables('azuresentinelConnectionName')]",
+								"connectionProperties": {
+									"authentication": {
+										"type": "ManagedServiceIdentity"
+									}
+								}
 							}
 						}
 					}
@ -536,26 +635,27 @@
 			]
 		},
 		{
+			"name": "[variables('azuresentinelConnectionName')]",
+			"type": "Microsoft.Web/connections",
 			"properties": {
 				"displayName": "[variables('azuresentinelConnectionName')]",
 				"customParameterValues": {},
+				"parameterValueType": "Alternative",
 				"api": {
 					"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
 				}
 			},
-			"name": "[variables('azuresentinelConnectionName')]",
-			"type": "Microsoft.Web/connections",
-			"kind": "V1",
+			"apiVersion": "2016-06-01",
 			"location": "[resourceGroup().location]",
-			"apiVersion": "2016-06-01"
+			"kind": "V1"
 		},
 		{
-			"name": "[concat(parameters('WorkspaceName'), '/Microsoft.SecurityInsights/', parameters('WatchlistName'))]",
+			"name": "[concat(parameters('WorkspaceName'), '/Microsoft.SecurityInsights/', parameters('WatchListAlias'))]",
 			"type": "Microsoft.OperationalInsights/workspaces/providers/Watchlists",
 			"kind": "",
 			"properties": {
-				"displayName": "[parameters('WatchlistName')]",
-				"watchlistAlias": "[parameters('WatchlistName')]",
+				"displayName": "[parameters('WatchListAlias')]",
+				"watchlistAlias": "[parameters('WatchListAlias')]",
 				"source": "Vulnerable_CVE_2021_42306.csv",
 				"description": "[parameters('WatchlistDescription')]",
 				"provider": "Microsoft",
@ -569,105 +669,5 @@
 			},
 			"apiVersion": "2021-03-01-preview"
 		}
-	],
-	"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
-	"variables": {
-		"azuresentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]"
-	},
-	"contentVersion": "1.0.0.0",
-	"metadata": {
-		"description": "",
-		"tags": [],
-		"lastUpdateTime": "",
-		"prerequisites": "",
-		"author": {
-			"name": "Sreedhar Ande;Chi Nguyen"
-		},
-		"entities": [],
-		"prerequisitesDeployTemplateFile": "",
-		"title": "",
-		"support": {
-			"tier": "community"
-		}
-	},
-	"parameters": {
-		"PlaybookName": {
-			"type": "string",
-			"defaultValue": "Affected-Key-Credentials-Scanner"
-		},
-		"Environment": {
-			"type": "string",
-			"allowedValues": [
-				"Azure Commercial",
-				"Azure Fairfax (Gov)",
-				"Germany",
-				"China"
-			],
-			"defaultValue": "Azure Commercial",
-			"metadata": {
-				"description": "Cloud Environment"
-			}
-		},
-		"ObjectClass": {
-			"type": "string",
-			"allowedValues": [
-				"Application",
-				"ServicePrincipal"
-			],
-			"defaultValue": "Application",
-			"metadata": {
-				"description": "Select Application/ ServicePrincipal"
-			}
-		},
-		"ResourceGroup": {
-			"type": "string",
-			"metadata": {
-				"description": "Azure Sentinel ResourceGroup"
-			}
-		},
-		"WorkspaceId": {
-			"type": "string",
-			"metadata": {
-				"description": "Azure Sentinel WorkspaceId"
-			}
-		},
-		"WorkspaceName": {
-			"type": "string",
-			"metadata": {
-				"description": "Azure Sentinel WorkspaceName"
-			}
-		},
-		"TenantId": {
-			"type": "string",
-			"metadata": {
-				"description": "Azure AAD TenantId"
-			}
-		},
-		"ClientId": {
-			"type": "string",
-			"metadata": {
-				"description": "Azure AAD ClientId"
-			}
-		},
-		"ClientSecret": {
-			"type": "string",
-			"metadata": {
-				"description": "Azure AAD ClientSecret"
-			}
-		},
-		"WatchlistName": {
-			"type": "string",
-			"defaultValue":"Vulnerable_CVE_2021_42306",
-			"metadata": {
-				"description": "Describe Watchlist Name"
-			}
-		},
-		"WatchlistDescription": {
-			"type": "string",
-			"defaultValue":"Vulnerable_CVE_2021_42306",
-			"metadata": {
-				"description": "Describe Watchlist Description"
-			}
-		}
-	}
-}
+	]
+}