From 6db34217ccd7c56a924022d6453173bea346db9c Mon Sep 17 00:00:00 2001
From: MrSharpBones <127972050+MrSharpBones@users.noreply.github.com>
Date: Thu, 10 Oct 2024 11:57:29 -0400
Subject: [PATCH] Update azuredeploy.json

---
 Playbooks/MDTI-Actor-Lookup/azuredeploy.json | 441 +++++--------------
 1 file changed, 121 insertions(+), 320 deletions(-)

diff --git a/Playbooks/MDTI-Actor-Lookup/azuredeploy.json b/Playbooks/MDTI-Actor-Lookup/azuredeploy.json
index 0a05cd9d2f..6a0bfeb1b0 100644
--- a/Playbooks/MDTI-Actor-Lookup/azuredeploy.json
+++ b/Playbooks/MDTI-Actor-Lookup/azuredeploy.json
@@ -26,53 +26,26 @@ "defaultValue": "MDTI-Actor-LookupV2", "type": "string" } - }, "variables": { - "AzuresentinelConnectionName": "[concat('Azuresentinel', parameters('PlaybookName'))]", - "SecuritycopilotConnectionName": "[concat('Securitycopilot-', parameters('PlaybookName'))]" + "MicrosoftSentinelConnectionName": "[concat('MicrosoftSentinel-', parameters('PlaybookName'))]", + "AzureSentinelConnectionName": "[concat('AzureSentinel-', parameters('PlaybookName'))]", + "SecuritycopilotConnectionName": "[concat('Securitycopilot-', parameters('PlaybookName'))]", + "Keyvault-ConnectionName": "[concat('Keyvault-', parameters('PlaybookName'))]" }, "resources": [ { - - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[variables('AzureSentinelConnectionName')]", - "location": "[resourceGroup().location]", - "properties": { - "api": { - "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]" - } - } - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[variables('SecuritycopilotConnectionName')]", - "location": "[resourceGroup().location]", - "properties": { - "api": { - "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Securitycopilot')]" - } - } - }, - { - "type": "Microsoft.Logic/workflows", - "apiVersion": "2017-07-01", - "name": "[parameters('PlaybookName')]", - "location": "[resourceGroup().location]", - "dependsOn": [ - "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]" - ], "properties": { + "provisioningState": "Succeeded", "state": "Enabled", "definition": { "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", "contentVersion": "1.0.0.0", "parameters": { "$connections": { + "defaultValue": { + }, 
"type": "Object" - } }, "triggers": { @@ -102,7 +75,7 @@ "inputs": { "host": { "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" + "name": "@parameters('$connections')['AzureSentinel']['connectionId']" } }, "method": "post", @@ -120,7 +93,7 @@ "inputs": { "host": { "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" + "name": "@parameters('$connections')['AzureSentinel']['connectionId']" } }, "method": "post", @@ -128,24 +101,6 @@ "path": "/entities/ip" } }, - "Entities_-_Get_URLs": { - "runAfter": { - "MDTI-Base": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "post", - "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", - "path": "/entities/url" - } - }, "For_each": { "foreach": "@body('Entities_-_Get_Hosts')?['Hosts']", "actions": { @@ -180,7 +135,7 @@ "inputs": { "host": { "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" + "name": "@parameters('$connections')['AzureSentinel']['connectionId']" } }, "method": "post", @@ -237,7 +192,7 @@ "inputs": { "host": { "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" + "name": "@parameters('$connections')['AzureSentinel']['connectionId']" } }, "method": "put", 
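Review bot: As rendered, the new side of this hunk removes the `},` that closed `parameters` before `"variables"` and the `}` that closed `$connections` before `"triggers"` without adding anything in their place; if that reflects the actual change, the template no longer parses, so run the file through a JSON linter or `az deployment group validate` before merging. The added `"provisioningState": "Succeeded"` is a runtime status the platform sets, not something a template should author, and is better removed. The enclosing `Microsoft.Logic/workflows` resource continues past the end of this hunk.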
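Review bot: The connection reference is changed to `['AzureSentinel']`, but the key the template supplies under `$connections.value` in the hunk at -1380 is still `azuresentinel`, whereas the new `['Keyvault']` reference at -1249 matches its key exactly. Workflow-expression property lookups are generally case-insensitive, so this probably still resolves, but relying on that across a dozen references is fragile; use one spelling in both places, either by leaving the references as `['azuresentinel']` or by renaming the key to `AzureSentinel`. The same change appears in the hunks at -120, -180, -237, -648, -705, -891, -912, -960, -1088, -1109 and -1157.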
@@ -380,240 +335,6 @@ }, "type": "Foreach" }, - "For_each_1": { - "foreach": "@body('Entities_-_Get_URLs')?['URLs']", - "actions": { - "For_each_5": { - "foreach": "@body('Parse_JSON_2')?['rules']", - "actions": { - "Append_to_array_variable_2": { - "runAfter": { - "Compose_4": [ - "Succeeded" - ] - }, - "type": "AppendToArrayVariable", - "inputs": { - "name": "entity_url", - "value": "@outputs('Compose_4')" - } - }, - "Compose_4": { - "type": "Compose", - "inputs": "@concat(string(body('Parse_JSON_2')?['name']), ', ', string(body('Parse_JSON_2')?['description']))" - }, - "Condition_3": { - "actions": { - "Add_comment_to_incident_(V3)_3": { - "runAfter": { - "Submit_a_Copilot_for_Security_prompt_3": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "post", - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "\u003cp class=\"editor-paragraph\"\u003eActor Group Name: @{outputs('Compose_5')}\u003c/p\u003e\u003cbr\u003e\u003cp class=\"editor-paragraph\"\u003eActor Group Summary: @{body('Submit_a_Copilot_for_Security_prompt_3')?['EvaluationResultContent']}\u003c/p\u003e" - }, - "path": "/Incidents/Comment" - } - }, - "Compose_5": { - "runAfter": { - "Join_2": [ - "Succeeded" - ] - }, - "type": "Compose", - "inputs": "@body('Join_2')" - }, - "Join_2": { - "type": "Join", - "inputs": { - "from": "@variables('entity_url')", - "joinWith": "\n" - } - }, - "Submit_a_Copilot_for_Security_prompt_3": { - "runAfter": { - "Compose_5": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['securitycopilot']['connectionId']" - } - }, - "method": "post", - "body": { - "PromptContent": "Provide a summary for the actor group @{outputs('Compose_5')}" - }, - "path": "/process-prompt" - } - }, - "Update_incident_3": { - "runAfter": { - 
"Add_comment_to_incident_(V3)_3": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "put", - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "tagsToAdd": { - "TagsToAdd": [ - { - "Tag": "@outputs('Compose_5')" - } - ] - }, - "severity": "High", - "status": "Active" - }, - "path": "/Incidents" - } - } - }, - "runAfter": { - "Append_to_array_variable_2": [ - "Succeeded" - ] - }, - "else": { - "actions": { - } - }, - "expression": { - "and": [ - { - "contains": [ - "@variables('entity_url')", - "Cyber Threat Intelligence" - ] - } - ] - }, - "type": "If" - } - }, - "runAfter": { - "Parse_JSON_2": [ - "Succeeded" - ] - }, - "type": "Foreach" - }, - "HTTP_3": { - "type": "Http", - "inputs": { - "uri": "https://graph.microsoft.com/beta/security/threatIntelligence/hosts/@{items('For_each_1')?['Url']}/reputation", - "method": "GET", - "headers": { - "Content-Type": "application/json" - }, - "authentication": { - "audience": "@{body('MDTI-Base')?['resource']}", - "authority": "", - "clientId": "@{body('MDTI-Base')?['clientId']}", - "secret": "@{body('MDTI-Base')?['clientSecret']}", - "tenant": "@{body('MDTI-Base')?['tenantId']}", - "type": "ActiveDirectoryOAuth" - } - }, - "runtimeConfiguration": { - "contentTransfer": { - "transferMode": "Chunked" - }, - "secureData": { - "properties": [ - "inputs", - "outputs" - ] - } - } - }, - "Parse_JSON_2": { - "runAfter": { - "HTTP_3": [ - "Succeeded" - ] - }, - "type": "ParseJson", - "inputs": { - "content": "@body('HTTP_3')", - "schema": { - "properties": { - "@@odata.type": { - "type": "string" - }, - "classification": { - "type": "string" - }, - "id": { - "type": "string" - }, - "rules": { - "items": { - "properties": { - "description": { - "type": "string" - }, - "name": { - "type": "string" - }, - "relatedDetailsUrl": { - "type": [ - "string", - "null" - ] - }, - 
"severity": { - "type": "string" - } - }, - "required": [ - "name", - "description", - "severity", - "relatedDetailsUrl" - ], - "type": "object" - }, - "type": "array" - }, - "score": { - "type": "integer" - } - }, - "type": "object" - } - } - } - }, - "runAfter": { - "Initialize_variable_2": [ - "Succeeded" - ] - }, - "type": "Foreach" - }, "For_each_2": { "foreach": "@body('Entities_-_Get_IPs')?['IPs']", "actions": { @@ -648,7 +369,7 @@ "inputs": { "host": { "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" + "name": "@parameters('$connections')['AzureSentinel']['connectionId']" } }, "method": "post", @@ -705,7 +426,7 @@ "inputs": { "host": { "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" + "name": "@parameters('$connections')['AzureSentinel']['connectionId']" } }, "method": "put", @@ -891,7 +612,7 @@ "inputs": { "host": { "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" + "name": "@parameters('$connections')['AzureSentinel']['connectionId']" } }, "method": "post", @@ -912,7 +633,7 @@ "inputs": { "host": { "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" + "name": "@parameters('$connections')['AzureSentinel']['connectionId']" } }, "method": "post", @@ -960,7 +681,7 @@ "inputs": { "host": { "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" + "name": "@parameters('$connections')['AzureSentinel']['connectionId']" } }, "method": "put", @@ -1088,7 +809,7 @@ "inputs": { "host": { "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" + "name": "@parameters('$connections')['AzureSentinel']['connectionId']" } }, "method": "post", 
@@ -1109,7 +830,7 @@ "inputs": { "host": { "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" + "name": "@parameters('$connections')['AzureSentinel']['connectionId']" } }, "method": "post", @@ -1157,7 +878,7 @@ "inputs": { "host": { "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" + "name": "@parameters('$connections')['AzureSentinel']['connectionId']" } }, "method": "put", @@ -1249,7 +970,7 @@ "inputs": { "host": { "connection": { - "name": "@parameters('$connections')['keyvault-1']['connectionId']" + "name": "@parameters('$connections')['Keyvault']['connectionId']" } }, "method": "get", @@ -1292,24 +1013,6 @@ ] } }, - "Initialize_variable_2": { - "runAfter": { - "Entities_-_Get_URLs": [ - "Succeeded" - ] - }, - "type": "InitializeVariable", - "inputs": { - "variables": [ - { - "name": "entity_url", - "type": "array", - "value": [ - ] - } - ] - } - }, "Initialize_variable_3": { "runAfter": { "Entities_-_Get_IPs": [ 
@@ -1380,24 +1083,122 @@ } } } + }, + "outputs": { } }, "parameters": { "$connections": { "value": { "azuresentinel": { - "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", - "connectionName": "[variables('AzureSentinelConnectionName')]", - "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]" + "connectionId": "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "connectionName": "[variables('MicrosoftSentinelConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + }, "securitycopilot": { "connectionId": "[resourceId('Microsoft.Web/connections', variables('SecuritycopilotConnectionName'))]", "connectionName": "[variables('SecuritycopilotConnectionName')]", "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Securitycopilot')]" + }, + "Keyvault": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('Keyvault-ConnectionName'))]", + "connectionName": "[variables('Keyvault-ConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Keyvault')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } } } } } + }, + "name": "[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[resourceGroup().location]", + "tags": { + "hidden-SentinelTemplateName": "MDTI-Actor-LookupV2", + "hidden-SentinelTemplateVersion": "1.0" + }, + "identity": { + "type": "SystemAssigned" + }, + 
"apiVersion": "2017-07-01", + "dependsOn": [ + "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", + "[resourceId('Microsoft.Web/connections', variables('SecuritycopilotConnectionName'))]", + "[resourceId('Microsoft.Web/connections', variables('Keyvault-ConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('MicrosoftSentinelConnectionName')]", + "location": "[resourceGroup().location]", + "kind": "V1", + "properties": { + "displayName": "[variables('MicrosoftSentinelConnectionName')]", + "customParameterValues": { + }, + "parameterValueType": "Alternative", + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('AzureSentinelConnectionName')]", + "location": "[resourceGroup().location]", + "kind": "V1", + "properties": { + "displayName": "[variables('AzureSentinelConnectionName')]", + "customParameterValues": { + }, + "parameterValueType": "Alternative", + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/AzureSentinel')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('SecuritycopilotConnectionName')]", + "location": "[resourceGroup().location]", + "kind": "V1", + "properties": { + "displayName": "[variables('SecuritycopilotConnectionName')]", + "customParameterValues": { + }, + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Securitycopilot')]" + } + } + }, + { + "type": 
"Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('Keyvault-ConnectionName')]", + "location": "[resourceGroup().location]", + "kind": "V1", + "properties": { + "displayName": "[variables('Keyvault-ConnectionName')]", + "customParameterValues": { + }, + "parameterValueType": "Alternative", + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Keyvault')]" + } } } ]
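Review bot: The `AzureSentinelConnectionName` connection resource and its `dependsOn` entry have no counterpart in `$connections.value`, whose `azuresentinel` entry points at `MicrosoftSentinelConnectionName`, so the second Sentinel connection is deployed but never used by the workflow and should be dropped or become the one referenced. Moving the Sentinel and Key Vault connections to `"ManagedServiceIdentity"` backed by the new `"SystemAssigned"` identity is the right direction, but nothing in the template grants that identity anything: without a role such as Microsoft Sentinel Responder on the workspace and secret-get access on the vault, the comment and update-incident actions and the Key Vault lookup will fail at run time. Either add `Microsoft.Authorization/roleAssignments` resources or document the required post-deployment grants alongside the playbook. The Securitycopilot connection has no `parameterValueType` or `connectionProperties`, so it presumably still relies on interactive OAuth and also needs to be authorized after deployment; that is worth stating in the same place.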