MrSharpBones 2024-10-10 11:57:29 -04:00 коммит произвёл GitHub
Родитель 7d9a84fc77
Коммит 6db34217cc
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: B5690EEEBB952194
1 изменённых файлов: 121 добавлений и 320 удалений


@ -26,53 +26,26 @@
"defaultValue": "MDTI-Actor-LookupV2",
"type": "string"
}
},
"variables": {
"AzuresentinelConnectionName": "[concat('Azuresentinel', parameters('PlaybookName'))]",
"SecuritycopilotConnectionName": "[concat('Securitycopilot-', parameters('PlaybookName'))]"
"MicrosoftSentinelConnectionName": "[concat('MicrosoftSentinel-', parameters('PlaybookName'))]",
"AzureSentinelConnectionName": "[concat('AzureSentinel-', parameters('PlaybookName'))]",
"SecuritycopilotConnectionName": "[concat('Securitycopilot-', parameters('PlaybookName'))]",
"Keyvault-ConnectionName": "[concat('Keyvault-', parameters('PlaybookName'))]"
},
"resources": [
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('AzureSentinelConnectionName')]",
"location": "[resourceGroup().location]",
"properties": {
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('SecuritycopilotConnectionName')]",
"location": "[resourceGroup().location]",
"properties": {
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Securitycopilot')]"
}
}
},
{
"type": "Microsoft.Logic/workflows",
"apiVersion": "2017-07-01",
"name": "[parameters('PlaybookName')]",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]"
],
"properties": {
"provisioningState": "Succeeded",
"state": "Enabled",
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"$connections": {
"defaultValue": {
},
"type": "Object"
}
},
"triggers": {
@ -102,7 +75,7 @@
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
"name": "@parameters('$connections')['AzureSentinel']['connectionId']"
}
},
"method": "post",
@ -120,7 +93,7 @@
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
"name": "@parameters('$connections')['AzureSentinel']['connectionId']"
}
},
"method": "post",
@ -128,24 +101,6 @@
"path": "/entities/ip"
}
},
"Entities_-_Get_URLs": {
"runAfter": {
"MDTI-Base": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
"path": "/entities/url"
}
},
"For_each": {
"foreach": "@body('Entities_-_Get_Hosts')?['Hosts']",
"actions": {
@ -180,7 +135,7 @@
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
"name": "@parameters('$connections')['AzureSentinel']['connectionId']"
}
},
"method": "post",
@ -237,7 +192,7 @@
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
"name": "@parameters('$connections')['AzureSentinel']['connectionId']"
}
},
"method": "put",
@ -380,240 +335,6 @@
},
"type": "Foreach"
},
"For_each_1": {
"foreach": "@body('Entities_-_Get_URLs')?['URLs']",
"actions": {
"For_each_5": {
"foreach": "@body('Parse_JSON_2')?['rules']",
"actions": {
"Append_to_array_variable_2": {
"runAfter": {
"Compose_4": [
"Succeeded"
]
},
"type": "AppendToArrayVariable",
"inputs": {
"name": "entity_url",
"value": "@outputs('Compose_4')"
}
},
"Compose_4": {
"type": "Compose",
"inputs": "@concat(string(body('Parse_JSON_2')?['name']), ', ', string(body('Parse_JSON_2')?['description']))"
},
"Condition_3": {
"actions": {
"Add_comment_to_incident_(V3)_3": {
"runAfter": {
"Submit_a_Copilot_for_Security_prompt_3": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"body": {
"incidentArmId": "@triggerBody()?['object']?['id']",
"message": "\u003cp class=\"editor-paragraph\"\u003eActor Group Name: @{outputs('Compose_5')}\u003c/p\u003e\u003cbr\u003e\u003cp class=\"editor-paragraph\"\u003eActor Group Summary: @{body('Submit_a_Copilot_for_Security_prompt_3')?['EvaluationResultContent']}\u003c/p\u003e"
},
"path": "/Incidents/Comment"
}
},
"Compose_5": {
"runAfter": {
"Join_2": [
"Succeeded"
]
},
"type": "Compose",
"inputs": "@body('Join_2')"
},
"Join_2": {
"type": "Join",
"inputs": {
"from": "@variables('entity_url')",
"joinWith": "\n"
}
},
"Submit_a_Copilot_for_Security_prompt_3": {
"runAfter": {
"Compose_5": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['securitycopilot']['connectionId']"
}
},
"method": "post",
"body": {
"PromptContent": "Provide a summary for the actor group @{outputs('Compose_5')}"
},
"path": "/process-prompt"
}
},
"Update_incident_3": {
"runAfter": {
"Add_comment_to_incident_(V3)_3": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "put",
"body": {
"incidentArmId": "@triggerBody()?['object']?['id']",
"tagsToAdd": {
"TagsToAdd": [
{
"Tag": "@outputs('Compose_5')"
}
]
},
"severity": "High",
"status": "Active"
},
"path": "/Incidents"
}
}
},
"runAfter": {
"Append_to_array_variable_2": [
"Succeeded"
]
},
"else": {
"actions": {
}
},
"expression": {
"and": [
{
"contains": [
"@variables('entity_url')",
"Cyber Threat Intelligence"
]
}
]
},
"type": "If"
}
},
"runAfter": {
"Parse_JSON_2": [
"Succeeded"
]
},
"type": "Foreach"
},
"HTTP_3": {
"type": "Http",
"inputs": {
"uri": "https://graph.microsoft.com/beta/security/threatIntelligence/hosts/@{items('For_each_1')?['Url']}/reputation",
"method": "GET",
"headers": {
"Content-Type": "application/json"
},
"authentication": {
"audience": "@{body('MDTI-Base')?['resource']}",
"authority": "",
"clientId": "@{body('MDTI-Base')?['clientId']}",
"secret": "@{body('MDTI-Base')?['clientSecret']}",
"tenant": "@{body('MDTI-Base')?['tenantId']}",
"type": "ActiveDirectoryOAuth"
}
},
"runtimeConfiguration": {
"contentTransfer": {
"transferMode": "Chunked"
},
"secureData": {
"properties": [
"inputs",
"outputs"
]
}
}
},
"Parse_JSON_2": {
"runAfter": {
"HTTP_3": [
"Succeeded"
]
},
"type": "ParseJson",
"inputs": {
"content": "@body('HTTP_3')",
"schema": {
"properties": {
"@@odata.type": {
"type": "string"
},
"classification": {
"type": "string"
},
"id": {
"type": "string"
},
"rules": {
"items": {
"properties": {
"description": {
"type": "string"
},
"name": {
"type": "string"
},
"relatedDetailsUrl": {
"type": [
"string",
"null"
]
},
"severity": {
"type": "string"
}
},
"required": [
"name",
"description",
"severity",
"relatedDetailsUrl"
],
"type": "object"
},
"type": "array"
},
"score": {
"type": "integer"
}
},
"type": "object"
}
}
}
},
"runAfter": {
"Initialize_variable_2": [
"Succeeded"
]
},
"type": "Foreach"
},
"For_each_2": {
"foreach": "@body('Entities_-_Get_IPs')?['IPs']",
"actions": {
@ -648,7 +369,7 @@
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
"name": "@parameters('$connections')['AzureSentinel']['connectionId']"
}
},
"method": "post",
@ -705,7 +426,7 @@
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
"name": "@parameters('$connections')['AzureSentinel']['connectionId']"
}
},
"method": "put",
@ -891,7 +612,7 @@
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
"name": "@parameters('$connections')['AzureSentinel']['connectionId']"
}
},
"method": "post",
@ -912,7 +633,7 @@
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
"name": "@parameters('$connections')['AzureSentinel']['connectionId']"
}
},
"method": "post",
@ -960,7 +681,7 @@
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
"name": "@parameters('$connections')['AzureSentinel']['connectionId']"
}
},
"method": "put",
@ -1088,7 +809,7 @@
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
"name": "@parameters('$connections')['AzureSentinel']['connectionId']"
}
},
"method": "post",
@ -1109,7 +830,7 @@
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
"name": "@parameters('$connections')['AzureSentinel']['connectionId']"
}
},
"method": "post",
@ -1157,7 +878,7 @@
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
"name": "@parameters('$connections')['AzureSentinel']['connectionId']"
}
},
"method": "put",
@ -1249,7 +970,7 @@
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['keyvault-1']['connectionId']"
"name": "@parameters('$connections')['Keyvault']['connectionId']"
}
},
"method": "get",
@ -1292,24 +1013,6 @@
]
}
},
"Initialize_variable_2": {
"runAfter": {
"Entities_-_Get_URLs": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "entity_url",
"type": "array",
"value": [
]
}
]
}
},
"Initialize_variable_3": {
"runAfter": {
"Entities_-_Get_IPs": [
@ -1380,24 +1083,122 @@
}
}
}
},
"outputs": {
}
},
"parameters": {
"$connections": {
"value": {
"azuresentinel": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
"connectionName": "[variables('AzureSentinelConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
"connectionId": "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
"connectionName": "[variables('MicrosoftSentinelConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]",
"connectionProperties": {
"authentication": {
"type": "ManagedServiceIdentity"
}
}
},
"securitycopilot": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('SecuritycopilotConnectionName'))]",
"connectionName": "[variables('SecuritycopilotConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Securitycopilot')]"
},
"Keyvault": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('Keyvault-ConnectionName'))]",
"connectionName": "[variables('Keyvault-ConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Keyvault')]",
"connectionProperties": {
"authentication": {
"type": "ManagedServiceIdentity"
}
}
}
}
}
}
},
"name": "[parameters('PlaybookName')]",
"type": "Microsoft.Logic/workflows",
"location": "[resourceGroup().location]",
"tags": {
"hidden-SentinelTemplateName": "MDTI-Actor-LookupV2",
"hidden-SentinelTemplateVersion": "1.0"
},
"identity": {
"type": "SystemAssigned"
},
"apiVersion": "2017-07-01",
"dependsOn": [
"[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
"[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
"[resourceId('Microsoft.Web/connections', variables('SecuritycopilotConnectionName'))]",
"[resourceId('Microsoft.Web/connections', variables('Keyvault-ConnectionName'))]"
]
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('MicrosoftSentinelConnectionName')]",
"location": "[resourceGroup().location]",
"kind": "V1",
"properties": {
"displayName": "[variables('MicrosoftSentinelConnectionName')]",
"customParameterValues": {
},
"parameterValueType": "Alternative",
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('AzureSentinelConnectionName')]",
"location": "[resourceGroup().location]",
"kind": "V1",
"properties": {
"displayName": "[variables('AzureSentinelConnectionName')]",
"customParameterValues": {
},
"parameterValueType": "Alternative",
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/AzureSentinel')]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('SecuritycopilotConnectionName')]",
"location": "[resourceGroup().location]",
"kind": "V1",
"properties": {
"displayName": "[variables('SecuritycopilotConnectionName')]",
"customParameterValues": {
},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Securitycopilot')]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('Keyvault-ConnectionName')]",
"location": "[resourceGroup().location]",
"kind": "V1",
"properties": {
"displayName": "[variables('Keyvault-ConnectionName')]",
"customParameterValues": {
},
"parameterValueType": "Alternative",
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Keyvault')]"
}
}
}
]
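Review bot: The workflow actions now read `@parameters('$connections')['AzureSentinel']['connectionId']` (the `-102,7`, `-120,7`, `-180,7` hunks and the later ones), but the `$connections` value object in the `-1380,24` hunk still keys the Sentinel entry as `azuresentinel` and points it at `MicrosoftSentinelConnectionName`; whether that resolves at run time depends on the expression lookup being case-insensitive, so I would use one spelling in both places, e.g. `"AzureSentinel": {` in the value object. The second connection resource named `variables('AzureSentinelConnectionName')` is deployed and listed in `dependsOn` but never referenced from `$connections`, so it is an orphaned Sentinel connection; either drop it together with its variable, or point the `$connections` entry at it and remove `MicrosoftSentinelConnectionName`. The `securitycopilot` entry and its connection resource are the only ones without `"parameterValueType": "Alternative"` and a `ManagedServiceIdentity` authentication block; if that is because the Security Copilot connector does not support managed identity, a note in the playbook's README that this connection must be authorized after deployment would save the next deployer a failed run. The lines closing the template after `]` are not visible here, so I am assuming the hunk ends at that array close.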