Playbook: Sailpoint playbook preparation (#5781)

* Update azuredeploy file

* Updated package and files
This commit is contained in:
v-amolpatil 2022-08-12 16:32:19 +05:30 committed by GitHub
Parent 69eca329f6
Commit 70cfdab2f3
No known key found for this signature
GPG key ID: 4AEE18F83AFDEB23
15 changed files: 11877 additions and 12291 deletions


@ -3,6 +3,7 @@ name: SailPointIdentityNowAlertForTriggers
description: |
'Create alerts for SailPoint IdentityNow Event Trigger Service.'
severity: Informational
status: Available
requiredDataConnectors:
- connectorId: SailPointIdentityNow
dataTypes:
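Review bot: The description text on the line after `description: |` keeps its surrounding single quotes: inside a `|` block scalar YAML takes the quotes literally, so the rule will render as `'Create alerts for SailPoint IdentityNow Event Trigger Service.'`, quotes included. The same pattern appears in the other five rule hunks in this commit; either drop the `|` and keep the quoted scalar, or keep `|` and remove the quotes. The line this hunk adds (`status: Available`, by the hunk counts) is fine as is.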


@ -3,6 +3,7 @@ name: SailPointIdentityNowEventType
description: |
'Created to detect failed events of particular type from SailPointIDN_Events.'
severity: High
status: Available
requiredDataConnectors:
- connectorId: SailPointIdentityNow
dataTypes:


@ -3,6 +3,7 @@ name: SailPointIdentityNowEventTypeTechnicalName
description: |
'Created to detect new threat events from the data in SailPointIDN_Events.'
severity: High
status: Available
requiredDataConnectors:
- connectorId: SailPointIdentityNow
dataTypes:


@ -3,6 +3,7 @@ name: SailPointIdentityNowFailedEvents
description: |
'Detects all events with status failed.'
severity: High
status: Available
requiredDataConnectors:
- connectorId: SailPointIdentityNow
dataTypes:


@ -3,6 +3,7 @@ name: SailPointIdentityNowFailedEventsBasedOnTime
description: |
'Detects failed events based on created time.'
severity: High
status: Available
requiredDataConnectors:
- connectorId: SailPointIdentityNow
dataTypes:


@ -3,6 +3,7 @@ name: SailPointIdentityNowUserWithFailedEvent
description: |
'Detects any failed event for a particular user.'
severity: High
status: Available
requiredDataConnectors:
- connectorId: SailPointIdentityNow
dataTypes:


@ -2,7 +2,7 @@
"id": "SailPointIdentityNow",
"title": "SailPoint IdentityNow",
"publisher": "SailPoint",
"descriptionMarkdown": "The [SailPoint](https://www.sailpoint.com/) IdentityNow data connector provides the capability to ingest [SailPoint IdentityNow] search events into Azure Sentinel through the REST API. The connector provides customers the ability to extract audit information from their IdentityNow tenant. It is intended to make it even easier to bring IdentityNow user activity and governance events into Azure Sentinel to improve insights from your security incident and event monitoring solution.",
"descriptionMarkdown": "The [SailPoint](https://www.sailpoint.com/) IdentityNow data connector provides the capability to ingest [SailPoint IdentityNow] search events into Microsoft Sentinel through the REST API. The connector provides customers the ability to extract audit information from their IdentityNow tenant. It is intended to make it even easier to bring IdentityNow user activity and governance events into Microsoft Sentinel to improve insights from your security incident and event monitoring solution.",
"graphQueries": [
{
"metricName": "SailPointIDN_Events logs",
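Review bot: While the `descriptionMarkdown` line is being rewritten for the Azure Sentinel to Microsoft Sentinel rename, `[SailPoint IdentityNow]` still carries Markdown link brackets with no target, so it renders as literal square brackets; either give it the same URL as the preceding `[SailPoint](https://www.sailpoint.com/)` link or drop the brackets while the line is being touched.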
@ -45,7 +45,7 @@
],
"availability": {
"status": 1,
"isPreview": true
"isPreview": false
},
"permissions": {
"resourceProvider": [
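Review bot: Flipping `isPreview` from `true` to `false` takes the data connector out of preview, which matches the preview banner removed from the UI definition in this commit, but the commit message only mentions playbook preparation; please state in the message that the connector is being promoted to GA as well, so the status change is not lost in a packaging commit.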
@ -84,7 +84,7 @@
"instructionSteps": [
{
"title": "",
"description": ">**NOTE:** This connector uses Azure Functions to connect to the SailPoint IdentityNow REST API to pull its logs into Azure Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details."
"description": ">**NOTE:** This connector uses Azure Functions to connect to the SailPoint IdentityNow REST API to pull its logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details."
},
{
"title": "",
@ -128,7 +128,7 @@
},
{
"title": "",
"description": "**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-sailpointidentitynow-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. searcheventXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.8.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Azure Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration."
"description": "**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-sailpointidentitynow-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. searcheventXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.8.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration."
},
{
"title": "",


@ -14,4 +14,4 @@ Using IdentityNow's AuditEvents API, we can solve a number of problems. Some exa
--> Surface and gain insights into the brute force password attempts IdentityNow has blocked --> Correlate IdentityNow user activity with other system events to identify coordinated attacks --> Evaluate the timing of login attempts from different geographies to identify problems
NOTE: This function app is intended to make it even easier to bring IdentityNow user activity and governance events into Azure Sentinel to improve insights from your security incident and event monitoring solution.
NOTE: This function app is intended to make it even easier to bring IdentityNow user activity and governance events into Microsoft Sentinel to improve insights from your security incident and event monitoring solution.


@ -0,0 +1,14 @@
{
"Name": "SailPointIdentityNow",
"Author": "SailPointIdentityNow",
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">",
"Description": "The [SailPoint Integration](https://www.sailpoint.com/) solution provides the capability to ingest SailPoint IdentityNow search events into Microsoft Sentinel through the REST API. \n\n ** Underlying Microsoft Technologies used:** \n\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs: \n\n a. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api) \n\n b. [Azure Functions](https://azure.microsoft.com/services/functions/#overview)",
"Playbooks": [
"Playbooks/Custom Connector/azuredeploy.json"
],
"BasePath": "C:\\Github\\Azure-Sentinel\\Solutions\\SailPointIdentityNow",
"Version": "2.0.0",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true,
"Is1Pconnector": false
}
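Review bot: `Playbooks` is the only content list in this new packaging file, yet the same commit edits the data connector JSON and six analytic rule files; if the connector and rules are meant to stay out of the packaged solution (the UI definition hunk in this commit also drops the Data Connectors and Analytics steps), say so in the commit message, otherwise add the connector and rule entries here. Two smaller points: in `Description`, `** Underlying Microsoft Technologies used:**` has a space after the opening `**`, so it will not render as bold; and `Logo` points at the generic Azure_Sentinel.svg rather than the SailPoint.png the previous UI definition used.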

Binary data
Solutions/SailPointIdentityNow/Package/2.0.0.zip Normal file

Binary file not shown.


@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/SailPointIdentityNow/Playbooks/Custom%20Connector/SailPoint.png\"width=\"75px\"height=\"75px\">\n\n**Important:** _This Azure Sentinel Solution is currently in public preview. This feature is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)._\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nDigital transformation has opened up opportunities for greater agility and growth in todays modern enterprises. But its also introducing challenges. Digital transformation has introduced an explosion of cloud, applications, data, and users to manage. Being able to effectively control who can have access to what is the key and if not done properly can lead to potential risk to your business.\n\rTo address this potential risk, organizations are embracing the power and ease of SailPoint Identity Security. 
This innovative identity platform takes the complexity out of identity; making it intuitive for IT staff to configure and manage and enabling business users with the access they need to get their work done.\n\rThe [SailPoint](https://www.sailpoint.com/) IdentityNow custom connector enables Azure Sentinel customers to utilize the deep, enriched contextual data and governance capabilities of the SailPoint Identity Security to better drive identity-aware security practices.\n\nAzure Sentinel Solutions provide a consolidated way to acquire Azure Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.\n\n**Data Connectors:** 1, **Analytic Rules:** 6, **Custom Azure Logic Apps Connectors:** 1\n\n[Learn more about Azure Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [SailPoint Integration](https://www.sailpoint.com/) solution provides the capability to ingest SailPoint IdentityNow search events into Microsoft Sentinel through the REST API. \n\n ** Underlying Microsoft Technologies used:** \n\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs: \n\n a. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api) \n\n b. [Azure Functions](https://azure.microsoft.com/services/functions/#overview)\n\n**Custom Azure Logic Apps Connectors:** 1, \n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
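Review bot: The new `description` line has two Markdown slips: `** Underlying Microsoft Technologies used:**` has a space after the opening `**` so it will not render bold, and `**Custom Azure Logic Apps Connectors:** 1, \n\n` ends with a stray comma left over from the old line's three-item count list. Suggest `**Underlying Microsoft Technologies used:**` and `**Custom Azure Logic Apps Connectors:** 1\n\n`. Dropping the public preview notice here is consistent with `isPreview: false` in the connector hunk.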
@ -44,153 +44,13 @@
"placeholder": "Select a workspace",
"toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
"constraints": {
"allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(filter.id, toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
"allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
"required": true
},
"visible": true
}
],
"steps": [
{
"name": "dataconnectors",
"label": "Data Connectors",
"bladeTitle": "Data Connectors",
"elements": [
{
"name": "dataconnectors1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Solution installs the data connector for SailPointIdentityNow. You can get SailPointIdentityNow custom log data in your Azure Sentinel workspace. Configure and enable this data connector in the Data Connector gallery after this Solution deploys. This data connector creates custom log table(s) SailPointIDN_Events_CL SailPointIDN_Triggers_CL in your Azure Sentinel / Azure Log Analytics workspace."
}
},
{
"name": "dataconnectors-link1",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more about normalized format",
"uri": "https://docs.microsoft.com/azure/sentinel/normalization-schema"
}
}
},
{
"name": "dataconnectors-link2",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more about connecting data sources",
"uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
}
}
}
]
},
{
"name": "analytics",
"label": "Analytics",
"subLabel": {
"preValidation": "Configure the analytics",
"postValidation": "Done"
},
"bladeTitle": "Analytics",
"elements": [
{
"name": "analytics-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Azure Sentinel Solution installs analytic rules for SailPointIdentityNow that you can enable for custom alert generation in Azure Sentinel. These analytic rules will be deployed in disabled mode in the analytics rules gallery of your Azure Sentinel workspace. Configure and enable these rules in the analytic rules gallery after this Solution deploys.",
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
}
}
},
{
"name": "analytic1",
"type": "Microsoft.Common.Section",
"label": "SailPointIdentityNowAlertForTriggers",
"elements": [
{
"name": "analytic1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Create alerts for SailPoint IdentityNow Event Trigger Service."
}
}
]
},
{
"name": "analytic2",
"type": "Microsoft.Common.Section",
"label": "SailPointIdentityNowEventType",
"elements": [
{
"name": "analytic2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Created to detect failed events of particular type from SailPointIDN_Events."
}
}
]
},
{
"name": "analytic3",
"type": "Microsoft.Common.Section",
"label": "SailPointIdentityNowEventTypeTechnicalName",
"elements": [
{
"name": "analytic3-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Created to detect new threat events from the data in SailPointIDN_Events."
}
}
]
},
{
"name": "analytic4",
"type": "Microsoft.Common.Section",
"label": "SailPointIdentityNowFailedEvents",
"elements": [
{
"name": "analytic4-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Detects all events with status failed."
}
}
]
},
{
"name": "analytic5",
"type": "Microsoft.Common.Section",
"label": "SailPointIdentityNowFailedEventsBasedOnTime",
"elements": [
{
"name": "analytic5-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Detects failed events based on created time."
}
}
]
},
{
"name": "analytic6",
"type": "Microsoft.Common.Section",
"label": "SailPointIdentityNowUserWithFailedEvent",
"elements": [
{
"name": "analytic6-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Detects any failed event for a particular user."
}
}
]
}
]
},
{
"name": "playbooks",
"label": "Playbooks",
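Review bot: The `allowedValues` fix lowercases both sides of `contains(...)`, which removes the case-sensitivity bug, but `contains` is still a substring match on the workspace resource id: a resource group named `sentinel` will also list workspaces from `sentinel-prod`. The `outputs` hunk in this same file narrows by `equals(filter.name, basics('workspace'))`; consider an equally exact match on the resource group segment here. Separately, deleting the whole `dataconnectors` and `analytics` steps (with the six `analyticN` sections) is a large removal with no explanation in the commit message; confirm it is intended that the installer no longer describes the connector and rules.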
@ -204,47 +64,26 @@
"name": "playbooks-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This solution installs playbook resources. A security playbook is a collection of procedures that can be run from Azure Sentinel in response to an alert. A security playbook can help automate and orchestrate your response, and can be run manually or set to run automatically when specific alerts are triggered. Security playbooks in Azure Sentinel are based on Azure Logic Apps, which means that you get all the power, customizability, and built-in templates of Logic Apps. Each playbook is created for the specific subscription you choose, but when you look at the Playbooks page, you will see all the playbooks across any selected subscriptions.",
"text": "This solution installs the Playbook templates to help implement your Security Orchestration, Automation and Response (SOAR) operations. After installing the solution, these will be deployed under Playbook Templates in the Automation blade in Microsoft Sentinel. They can be configured and managed from the Manage solution view in Content Hub."
}
},
{
"name": "playbooks-link",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-respond-threats-playbook?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
}
}
},
{
"name": "playbook1",
"type": "Microsoft.Common.Section",
"label": "SailPointIdentityNowConnector",
"elements": [
{
"name": "playbook1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Custom Connector is used for connection to SailPoint IdentityNow API."
}
},
{
"name": "playbook1-endpoint",
"type": "Microsoft.Common.TextBox",
"label": "IdentityNow Service URL",
"defaultValue": "https://your-org.api.identitynow.com",
"toolTip": "IdentityNow Service URL",
"constraints": {
"required": true,
"regex": "[\\w\\W]+",
"validationMessage": "Please enter a service URL"
}
}
]
}
]
}
],
"outputs": {
"workspace-location": "[resourceGroup().location]",
"workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
"location": "[location()]",
"workspace": "[basics('workspace')]",
"IdentityNowServiceUrl": "[steps('playbooks').playbook1.playbook1-endpoint]"
"workspace": "[basics('workspace')]"
}
}
}
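Review bot: The `IdentityNowServiceUrl` output and the `playbook1-endpoint` text box that fed it are removed, so nothing in the UI collects the IdentityNow service URL any more; if `Playbooks/Custom Connector/azuredeploy.json` (listed in the new packaging file) still declares a service-URL parameter, deployments will silently use whatever default it carries, and the azuredeploy diff is hidden on this page as too long, so please confirm. The new `workspace-location` expression wraps `first(...)` around a filter that is empty if the selected workspace is not in the resource group; that is acceptable only because `basics('workspace')` comes from the same filtered list, so a short comment or the `defaultValue` guard would help a later reader. Minor: `toLower(resourceGroup().name)),equals(filter.name,basics('workspace'))` is missing the spaces after commas used elsewhere in the file.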

File diff suppressed because one or more lines are too long

File diff suppressed because one or more lines are too long


@ -15,7 +15,7 @@ Digital transformation has opened up opportunities for greater agility and growt
To address this potential risk, organizations are embracing the power and ease of SailPoint Identity Security. This innovative identity platform takes the complexity out of identity; making it intuitive for IT staff to configure and manage and enabling business users with the access they need to get their work done.
The SailPoint IdentityNow custom connector enables Azure Sentinel customers to utilize the deep, enriched contextual data and governance capabilities of the SailPoint Identity Security to better drive identity-aware security practices.
The SailPoint IdentityNow custom connector enables Microsoft Sentinel customers to utilize the deep, enriched contextual data and governance capabilities of the SailPoint Identity Security to better drive identity-aware security practices.
# Prerequisites


@ -0,0 +1,14 @@
{
"publisherId": "azuresentinel",
"offerId": "azure-sentinel-solution-test-preview",
"firstPublishDate": "2021-10-26",
"providers": ["SailPoint"],
"categories": {
"domains" : ["Security - Threat Protection", "Identity"]
},
"support": {
"name": "SailPoint",
"email": "support.idplusa@sailpoint.com",
"tier": "Partner"
}
}
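Review bot: `offerId` is `azure-sentinel-solution-test-preview`, which reads as a placeholder and, with the preview banner removed in this same commit, contradicts the package's status; replace it with the offer id this solution actually uses in the marketplace. `firstPublishDate` of 2021-10-26 predates this commit by ten months, which is fine if that is when the first version shipped, otherwise update it. Style: `"domains" : [` has a space before the colon unlike the other keys.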