update solution Atlassian Jira Audit with playbook (#6022)
* update solution Atlassian Jira Audit with playbook * fixed review comments * Update PlaybooksMigrated.json * Update createUiDefinition.json Co-authored-by: v-sabiraj <v-sabiraj@microsoft.com>
This commit is contained in:
v-laanjana
GitHub
Родитель
32b6be45bd
Коммит
7158e1629a
|
|
@ -3,6 +3,7 @@ name: Jira - Global permission added
|
|||
description: |
|
||||
'Detects when global permission added.'
|
||||
severity: Medium
|
||||
status: Available
|
||||
requiredDataConnectors:
|
||||
- connectorId: JiraAuditAPI
|
||||
dataTypes:
|
||||
|
|
|
|||
|
|
@ -3,6 +3,7 @@ name: Jira - New site admin user
|
|||
description: |
|
||||
'Detects new site admin user.'
|
||||
severity: High
|
||||
status: Available
|
||||
requiredDataConnectors:
|
||||
- connectorId: JiraAuditAPI
|
||||
dataTypes:
|
||||
|
|
|
|||
|
|
@ -3,6 +3,7 @@ name: Jira - New user created
|
|||
description: |
|
||||
'Detects when new user was created.'
|
||||
severity: Medium
|
||||
status: Available
|
||||
requiredDataConnectors:
|
||||
- connectorId: JiraAuditAPI
|
||||
dataTypes:
|
||||
|
|
|
|||
|
|
@ -3,6 +3,7 @@ name: Jira - Permission scheme updated
|
|||
description: |
|
||||
'Detects when permission scheme was updated.'
|
||||
severity: Medium
|
||||
status: Available
|
||||
requiredDataConnectors:
|
||||
- connectorId: JiraAuditAPI
|
||||
dataTypes:
|
||||
|
|
|
|||
|
|
@ -3,6 +3,7 @@ name: Jira - New site admin user
|
|||
description: |
|
||||
'Detects new site admin user.'
|
||||
severity: High
|
||||
status: Available
|
||||
requiredDataConnectors:
|
||||
- connectorId: JiraAuditAPI
|
||||
dataTypes:
|
||||
|
|
|
|||
|
|
@ -3,6 +3,7 @@ name: Jira - Project roles changed
|
|||
description: |
|
||||
'Detects when project roles were changed.'
|
||||
severity: Medium
|
||||
status: Available
|
||||
requiredDataConnectors:
|
||||
- connectorId: JiraAuditAPI
|
||||
dataTypes:
|
||||
|
|
|
|||
|
|
@ -3,6 +3,7 @@ name: Jira - User's password changed multiple times
|
|||
description: |
|
||||
'Detects when user's password was changed multiple times from different IP addresses.'
|
||||
severity: High
|
||||
status: Available
|
||||
requiredDataConnectors:
|
||||
- connectorId: JiraAuditAPI
|
||||
dataTypes:
|
||||
|
|
|
|||
|
|
@ -3,6 +3,7 @@ name: Jira - User removed from group
|
|||
description: |
|
||||
'Detects when a user was removed from group.'
|
||||
severity: Medium
|
||||
status: Available
|
||||
requiredDataConnectors:
|
||||
- connectorId: JiraAuditAPI
|
||||
dataTypes:
|
||||
|
|
|
|||
|
|
@ -3,6 +3,7 @@ name: Jira - User removed from project
|
|||
description: |
|
||||
'Detects when a user was removed from project.'
|
||||
severity: Medium
|
||||
status: Available
|
||||
requiredDataConnectors:
|
||||
- connectorId: JiraAuditAPI
|
||||
dataTypes:
|
||||
|
|
|
|||
|
|
@ -3,6 +3,7 @@ name: Jira - Workflow scheme copied
|
|||
description: |
|
||||
'Detects when workflow scheme was copied.'
|
||||
severity: Medium
|
||||
status: Available
|
||||
requiredDataConnectors:
|
||||
- connectorId: JiraAuditAPI
|
||||
dataTypes:
|
||||
|
|
|
|||
|
|
@ -61,7 +61,7 @@
|
|||
],
|
||||
"availability": {
|
||||
"status": 1,
|
||||
"isPreview": true
|
||||
"isPreview": false
|
||||
},
|
||||
"permissions": {
|
||||
"resourceProvider": [
|
||||
|
|
|
|||
|
|
@ -1,9 +1,8 @@
|
|||
{
|
||||
"Name": "AtlassianJiraAudit",
|
||||
"Author": "Nikhil Tripathi - v-ntripathi@microsoft.com",
|
||||
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/Images/Logos/Azure_Sentinel.svg\"width=\"75px\"height=\"75px\">",
|
||||
"Description": "The [Atlassian Jira Audit](https://www.atlassian.com/software/jira) data connector provides the capability to ingest [Jira Audit Records](https://support.atlassian.com/jira-cloud-administration/docs/audit-activities-in-jira-applications/) events into Azure Sentinel through the REST API. Refer to [API documentation](https://developer.atlassian.com/cloud/jira/platform/rest/v3/api-group-audit-records/) for more information. The connector provides ability to get events which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more.",
|
||||
"WorkbookDescription": "This data connector depends on a parser based on Kusto Function **JiraAudit** to work as expected. [Follow steps to get this Kusto Function](https://aka.ms/sentinel-jiraauditapi-parser)",
|
||||
"Author": "Microsoft - support@microsoft.com",
|
||||
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/atlassian.svg\"width=\"75px\"height=\"75px\">",
|
||||
"Description": "The [Atlassian Jira](https://www.atlassian.com/software/jira) Audit solution provides the capability to ingest [Jira Audit Records](https://support.atlassian.com/jira-cloud-administration/docs/audit-activities-in-jira-applications/) events into Microsoft Sentinel through the REST API. Refer to [API documentation](https://developer.atlassian.com/cloud/jira/platform/rest/v3/api-group-audit-records/) for more information.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs. \n\n a. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api) \n\n b.[Azure Functions](https://azure.microsoft.com/services/functions/#overview)",
|
||||
"Workbooks": [
|
||||
"Workbooks/AtlassianJiraAudit.json"
|
||||
],
|
||||
|
|
@ -34,7 +33,16 @@
|
|||
"Data Connectors": [
|
||||
"Data Connectors/JiraNativePollerConnector/azuredeploy_Jira_native_poller_connector.json"
|
||||
],
|
||||
"BasePath": "C:\\GitHub\\azure\\Solutions\\AtlassianJiraAudit",
|
||||
"Version": "1.0.1",
|
||||
"Metadata": "SolutionMetadata.json"
|
||||
"Playbooks": [
|
||||
"Playbooks/Create-Jira-Issue/alert-trigger/azuredeploy.json",
|
||||
"Playbooks/Create-Jira-Issue/incident-trigger/azuredeploy.json",
|
||||
"Playbooks/Jira-CreateAndUpdateIssue/azuredeploy.json",
|
||||
"Playbooks/Sync-AssignedUser/azuredeploy.json"
|
||||
],
|
||||
"BasePath": "C:\\GitHub\\azure-Sentinel\\Solutions\\AtlassianJiraAudit",
|
||||
"Version": "2.0.0",
|
||||
"Metadata": "SolutionMetadata.json",
|
||||
"TemplateSpec": true,
|
||||
"Is1PConnector": false
|
||||
}
|
||||
|
||||
|
|
|
|||
Двоичный файл не отображается.
|
|
@ -6,7 +6,7 @@
|
|||
"config": {
|
||||
"isWizard": false,
|
||||
"basics": {
|
||||
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/Images/Logos/Azure_Sentinel.svg\"width=\"75px\"height=\"75px\">\n\n**Important:** _This Microsoft Sentinel Solution is currently in public preview. This feature is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)._\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Atlassian Jira Audit](https://www.atlassian.com/software/jira) data connector provides the capability to ingest [Jira Audit Records](https://support.atlassian.com/jira-cloud-administration/docs/audit-activities-in-jira-applications/) events into Azure Sentinel through the REST API. Refer to [API documentation](https://developer.atlassian.com/cloud/jira/platform/rest/v3/api-group-audit-records/) for more information. The connector provides ability to get events which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more.\n\nMicrosoft Sentinel Solutions provide a consolidated way to acquire Microsoft Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.\n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
|
||||
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/atlassian.svg\"width=\"75px\"height=\"75px\">\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Atlassian Jira](https://www.atlassian.com/software/jira) Audit solution provides the capability to ingest [Jira Audit Records](https://support.atlassian.com/jira-cloud-administration/docs/audit-activities-in-jira-applications/) events into Microsoft Sentinel through the REST API. Refer to [API documentation](https://developer.atlassian.com/cloud/jira/platform/rest/v3/api-group-audit-records/) for more information.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs. \n\n a. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api) \n\n b.[Azure Functions](https://azure.microsoft.com/services/functions/#overview)\n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 10, **Playbooks:** 4\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
|
||||
"subscription": {
|
||||
"resourceProviders": [
|
||||
"Microsoft.OperationsManagement/solutions",
|
||||
|
|
@ -44,7 +44,7 @@
|
|||
"placeholder": "Select a workspace",
|
||||
"toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
|
||||
"constraints": {
|
||||
"allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(filter.id, toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
|
||||
"allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
|
||||
"required": true
|
||||
},
|
||||
"visible": true
|
||||
|
|
@ -60,17 +60,7 @@
|
|||
"name": "dataconnectors1-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "This Solution installs the data connector for AtlassianJiraAudit. You can get AtlassianJiraAudit custom log data in your Azure Sentinel workspace. Configure and enable this data connector in the Data Connector gallery after this Solution deploys. This data connector creates custom log table(s) in your Azure Sentinel / Azure Log Analytics workspace."
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "dataconnectors-link1",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"link": {
|
||||
"label": "Learn more about normalized format",
|
||||
"uri": "https://docs.microsoft.com/azure/sentinel/normalization-schema"
|
||||
}
|
||||
"text": "This solution installs the data connector for ingesting Atlassian Jira Audit records. After installing the solution, configure and enable this data connector by following guidance in Manage solution view. "
|
||||
}
|
||||
},
|
||||
{
|
||||
|
|
@ -98,38 +88,18 @@
|
|||
"name": "workbooks-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "This Azure Sentinel Solution installs workbooks. Workbooks provide a flexible canvas for data monitoring, analysis, and the creation of rich visual reports within the Azure portal. They allow you to tap into one or many data sources from Azure Sentinel and combine them into unified interactive experiences.",
|
||||
"text": "This solution installs workbook(s) to help you gain insights into the telemetry collected in Microsoft Sentinel. After installing the solution, start using the workbook in Manage solution view."
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "workbooks-link",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"link": {
|
||||
"label": "Learn more",
|
||||
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data"
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "workbook1",
|
||||
"type": "Microsoft.Common.Section",
|
||||
"label": "AtlassianJiraAudit",
|
||||
"elements": [
|
||||
{
|
||||
"name": "workbook1-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "This data connector depends on a parser based on Kusto Function **JiraAudit** to work as expected. [Follow steps to get this Kusto Function](https://aka.ms/sentinel-jiraauditapi-parser)"
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "workbook1-name",
|
||||
"type": "Microsoft.Common.TextBox",
|
||||
"label": "Display Name",
|
||||
"defaultValue": "AtlassianJiraAudit",
|
||||
"toolTip": "Display name for the workbook.",
|
||||
"constraints": {
|
||||
"required": true,
|
||||
"regex": "[a-z0-9A-Z]{1,256}$",
|
||||
"validationMessage": "Please enter a workbook name"
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
},
|
||||
|
|
@ -146,7 +116,13 @@
|
|||
"name": "analytics-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "This Azure Sentinel Solution installs analytic rules for AtlassianJiraAudit that you can enable for custom alert generation in Azure Sentinel. These analytic rules will be deployed in disabled mode in the analytics rules gallery of your Azure Sentinel workspace. Configure and enable these rules in the analytic rules gallery after this Solution deploys.",
|
||||
"text": "This solution installs the following analytic rule templates. After installing the solution, create and enable analytic rules in Manage solution view."
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "analytics-link",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"link": {
|
||||
"label": "Learn more",
|
||||
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
|
||||
|
|
@ -240,13 +216,13 @@
|
|||
{
|
||||
"name": "analytic7",
|
||||
"type": "Microsoft.Common.Section",
|
||||
"label": "Jira - User's password changed",
|
||||
"label": "Jira - User's password changed multiple times",
|
||||
"elements": [
|
||||
{
|
||||
"name": "analytic7-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "Detects when user's password was changed."
|
||||
"text": "Detects when user's password was changed multiple times from different IP addresses."
|
||||
}
|
||||
}
|
||||
]
|
||||
|
|
@ -304,7 +280,13 @@
|
|||
"name": "huntingqueries-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "This Azure Sentinel Solution installs hunting queries for AtlassianJiraAudit that you can run in Azure Sentinel. These hunting queries will be deployed in the Hunting gallery of your Azure Sentinel workspace. Run these hunting queries to hunt for threats in the Hunting gallery after this Solution deploys.",
|
||||
"text": "This solution installs the following hunting queries. After installing the solution, run these hunting queries to hunt for threats in Manage solution view. "
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "huntingqueries-link",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"link": {
|
||||
"label": "Learn more",
|
||||
"uri": "https://docs.microsoft.com/azure/sentinel/hunting"
|
||||
|
|
@ -452,13 +434,40 @@
|
|||
]
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"name": "playbooks",
|
||||
"label": "Playbooks",
|
||||
"subLabel": {
|
||||
"preValidation": "Configure the playbooks",
|
||||
"postValidation": "Done"
|
||||
},
|
||||
"bladeTitle": "Playbooks",
|
||||
"elements": [
|
||||
{
|
||||
"name": "playbooks-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "This solution installs the Playbook templates to help implement your Security Orchestration, Automation and Response (SOAR) operations. After installing the solution, these will be deployed under Playbook Templates in the Automation blade in Microsoft Sentinel. They can be configured and managed from the Manage solution view in Content Hub."
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "playbooks-link",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"link": {
|
||||
"label": "Learn more",
|
||||
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-respond-threats-playbook?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
|
||||
}
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"outputs": {
|
||||
"workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(filter.id, toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
|
||||
"workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
|
||||
"location": "[location()]",
|
||||
"workspace": "[basics('workspace')]",
|
||||
"workbook1-name": "[steps('workbooks').workbook1.workbook1-name]"
|
||||
"workspace": "[basics('workspace')]"
|
||||
}
|
||||
}
|
||||
}
|
||||
Различия файлов скрыты, потому что одна или несколько строк слишком длинны
|
|
@ -2,7 +2,7 @@
|
|||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"metadata": {
|
||||
"title": "Create Jira Issue",
|
||||
"title": "Create Jira Issue alert-trigger",
|
||||
"description": "This playbook will open a Jira Issue when a new incident is opened in Microsoft Sentinel.",
|
||||
"prerequisites": "We will need following data to make Jira connector: 1. Jira instance (ex. xyz.atlassian.net); 2. Jira API; 3. Username.; After deployment assign Azure Sentinel Reader role to the Playbooks Managed Identity.",
|
||||
"lastUpdateTime": "2022-07-20T00:00:00.000Z",
|
||||
|
|
|
|||
|
|
@ -2,7 +2,7 @@
|
|||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"metadata": {
|
||||
"title": "Create Jira Issue",
|
||||
"title": "Create Jira Issue incident-trigger",
|
||||
"description": "This playbook will open a Jira Issue when a new incident is opened in Microsoft Sentinel.",
|
||||
"prerequisites": [
|
||||
"1. Jira instance (ex. xyz.atlassian.net)",
|
||||
|
|
|
|||
|
|
@ -2,7 +2,7 @@
|
|||
"publisherId": "azuresentinel",
|
||||
"offerId": "azure-sentinel-solution-atlassianjiraaudit",
|
||||
"firstPublishDate": "2022-01-10",
|
||||
"providers": ["Application"],
|
||||
"providers": ["Atlassian"],
|
||||
"categories": {
|
||||
"domains" : ["DevOps"]
|
||||
},
|
||||
|
|
|
|||
|
|
@ -182,5 +182,21 @@
|
|||
{
|
||||
"OldPath": "Playbooks/Reset-AADUserPassword",
|
||||
"NewPath": "Solutions/Azure Active Directory/Playbooks/Reset-AADUserPassword"
|
||||
},
|
||||
{
|
||||
"OldPath": "Playbooks/Create-Jira-Issue",
|
||||
"NewPath": "Solutions/AtlassianJiraAudit/Playbooks/Create-Jira-Issue"
|
||||
},
|
||||
{
|
||||
"OldPath": "Playbooks/Jira-CreateAndUpdateIssue",
|
||||
"NewPath": "Solutions/AtlassianJiraAudit/Playbooks/Jira-CreateAndUpdateIssue"
|
||||
},
|
||||
{
|
||||
"OldPath": "Playbooks/Sync-IncidentsWithJira/Sync-AssignedUser",
|
||||
"NewPath": "Solutions/AtlassianJiraAudit/Playbooks/Sync-AssignedUser"
|
||||
},
|
||||
{
|
||||
"OldPath": "Playbooks/Sync-IncidentsWithJira/Sync-Incidents",
|
||||
"NewPath": "Solutions/AtlassianJiraAudit/Playbooks/Sync-Incidents"
|
||||
}
|
||||
]
|
||||
Загрузка…
Ссылка в новой задаче