updated file changes
This commit is contained in:
Parent
bbb76406ca
Commit
74a889d4f6
Binary data
Solutions/Watchlists Utilities/Package/2.0.0.zip
Binary file not shown.
|
@ -4074,13 +4074,15 @@
|
|||
"title": "Watchlists - Inform Subscription Owner",
|
||||
"description": "This playbook leverages Microsoft Sentinel Watchlists in order to get the relevant subscription owner contact details, and inform about an ASC alert that occured in that subscription. It uses Microsoft Teams and Office 365 Outlook as ways to inform the sub owner.",
|
||||
"prerequisites": [
|
||||
"None"
|
||||
"Create a Watchlist that this playbook will query:",
|
||||
"1.Create an input comma-separated value (CSV) file with the following columns: SubscriptionId, SubscriptionName, OwnerName, OwnerEmail, where each row represents a subscription in an Azure tenant.",
|
||||
"2. Upload the table to the Microsoft Sentinel Watchlist area. Make a note of the value you use as the Watchlist Alias, as you'll use it to query this watchlist from the playbook."
|
||||
],
|
||||
"mainSteps": [
|
||||
"Note: This playbook utilizes two features currently in Preview.",
|
||||
"* Microsoft Sentinel Watchlists",
|
||||
"* Microsoft Sentinel Incident Trigger",
|
||||
"<img src='https://github.com/Azure/Azure-Sentinel/blob/master/Playbooks/Watchlist-InformSubowner-IncidentTrigger/images/designerView.png'/>"
|
||||
"<img src='https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Watchlists%20Utilities/Playbooks/Watchlist-InformSubowner-IncidentTrigger/images/designerView.png?raw=true'/>"
|
||||
],
|
||||
"lastUpdateTime": "2022-07-21T00:00:00Z",
|
||||
"entities": [
|
||||
|
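Review bot: the new prerequisites entry "1.Create an input comma-separated value (CSV) file..." is missing the space after "1." that "2. Upload the table..." has, so the two steps will not render as one numbered list; change it to "1. Create ...". The description in the same hunk still spells "occured" (should be "occurred"), and "lastUpdateTime" is written as "2022-07-21T00:00:00Z" here while the playbook's own metadata file updated in this commit uses "2022-07-21T00:00:00.000Z"; pick one format for both files.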
@ -4509,22 +4511,20 @@
|
|||
"title": "Watchlist - close incidents with safe IPs",
|
||||
"description": "This playbook leverages Microsoft Sentinel Watchlists in order to close incidents which include IP addresses considered safe.",
|
||||
"prerequisites": [
|
||||
"None"
|
||||
"<a href='https://docs.microsoft.com/azure/sentinel/watchlists?WT.mc_id=Portal-fx#create-a-new-watchlist'>Create a watchlist</a> for safe IPs with ip column named 'ipaddress' (can be changed in 'Run query' step). Watchlist should be located in the same workspace of the incidents."
|
||||
],
|
||||
"mainSteps": [
|
||||
"For each Ip address included in the alert (entities of type IP):",
|
||||
"1. Check if IP is included in watchlist.",
|
||||
"* If IP is in the watchlist, consider the IP saf,.",
|
||||
"**Add it to Safe IPs array.**",
|
||||
"* If IP is not in the watchlist, meaning that we are not sure it is safe,",
|
||||
"Add it to not Safe IPs array.**",
|
||||
"- If IP is in the watchlist, consider the IP saf,. **Add it to Safe IPs array.**",
|
||||
"- If IP is not in the watchlist, meaning that we are not sure it is safe, **Add it to not Safe IPs array.**",
|
||||
"2. Add a comment to the incident the list of safe and not safe IPs found.",
|
||||
"3. If the not safe list is empty (length == 0), close the incident as Benign Positive.",
|
||||
"## Configurations",
|
||||
"* Configure the step 'Run query and list results with the identifiers of the Sentinel workspace where the watchlist is stored.",
|
||||
"* Configure the identity used in the 'Run query and list results' step with the Log Analytics Reader RBAC role on the Microsoft Sentinel resource group.",
|
||||
"* Configure the Managed Identity of the Logic App with the Microsoft Sentinel Responder RBAC role on the Microsoft Sentinel resource group.",
|
||||
"* The watchlist used in this example has at list one column named **ipaddress** which stores the safe address. See the csv file attached in this folder as an example.",
|
||||
"** Configurations **",
|
||||
"- Configure the step 'Run query and list results with the identifiers of the Sentinel workspace where the watchlist is stored.",
|
||||
"- Configure the identity used in the 'Run query and list results' step with the Log Analytics Reader RBAC role on the Microsoft Sentinel resource group.",
|
||||
"- Configure the Managed Identity of the Logic App with the Microsoft Sentinel Responder RBAC role on the Microsoft Sentinel resource group.",
|
||||
"- The watchlist used in this example has at list one column named **ipaddress** which stores the safe address. See the csv file attached in this folder as an example.",
|
||||
"<img src='https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Watchlists%20Utilities/Playbooks/Watchlist-CloseIncidentKnownIPs/images/designerLight1.png'/>",
|
||||
"<img src='https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Watchlists%20Utilities/Playbooks/Watchlist-CloseIncidentKnownIPs/images/designerLight2.png'/>",
|
||||
"<img src='https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Watchlists%20Utilities/Playbooks/Watchlist-CloseIncidentKnownIPs/images/commentLight.png'/>"
|
||||
|
|
|
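Review bot: the replacement bullet "- If IP is in the watchlist, consider the IP saf,. **Add it to Safe IPs array.**" carries the "saf,." typo over from the lines it replaces, while the same bullet in the playbook's metadata hunk of this commit reads "consider the IP safe,"; make this copy match. In the Configurations block, "** Configurations **" has spaces inside the bold markers and will not render as bold (a "## Configurations" heading already precedes it, so the bold duplicate can be dropped), the first bullet's quoted step name "'Run query and list results" is missing its closing quote, and "at list one column" should read "at least one column".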
@ -4,20 +4,18 @@
|
|||
"metadata": {
|
||||
"title": "Watchlist - close incidents with safe IPs",
|
||||
"description": "This playbook leverages Microsoft Sentinel Watchlists in order to close incidents which include IP addresses considered safe.",
|
||||
"prerequisites": ["None"],
|
||||
"prerequisites": ["<a href='https://docs.microsoft.com/azure/sentinel/watchlists?WT.mc_id=Portal-fx#create-a-new-watchlist'>Create a watchlist</a> for safe IPs with ip column named 'ipaddress' (can be changed in 'Run query' step). Watchlist should be located in the same workspace of the incidents."],
|
||||
"mainSteps": ["For each Ip address included in the alert (entities of type IP):",
|
||||
"1. Check if IP is included in watchlist.",
|
||||
"* If IP is in the watchlist, consider the IP saf,.",
|
||||
"**Add it to Safe IPs array.**",
|
||||
"* If IP is not in the watchlist, meaning that we are not sure it is safe,",
|
||||
"Add it to not Safe IPs array.**",
|
||||
"- If IP is in the watchlist, consider the IP safe, **Add it to Safe IPs array.**",
|
||||
"- If IP is not in the watchlist, meaning that we are not sure it is safe, **Add it to not Safe IPs array.**",
|
||||
"2. Add a comment to the incident the list of safe and not safe IPs found.",
|
||||
"3. If the not safe list is empty (length == 0), close the incident as Benign Positive.",
|
||||
"## Configurations",
|
||||
"* Configure the step 'Run query and list results with the identifiers of the Sentinel workspace where the watchlist is stored.",
|
||||
"* Configure the identity used in the 'Run query and list results' step with the Log Analytics Reader RBAC role on the Microsoft Sentinel resource group.",
|
||||
"* Configure the Managed Identity of the Logic App with the Microsoft Sentinel Responder RBAC role on the Microsoft Sentinel resource group.",
|
||||
"* The watchlist used in this example has at list one column named **ipaddress** which stores the safe address. See the csv file attached in this folder as an example.",
|
||||
"** Configurations **",
|
||||
"- Configure the step 'Run query and list results with the identifiers of the Sentinel workspace where the watchlist is stored.",
|
||||
"- Configure the identity used in the 'Run query and list results' step with the Log Analytics Reader RBAC role on the Microsoft Sentinel resource group.",
|
||||
"- Configure the Managed Identity of the Logic App with the Microsoft Sentinel Responder RBAC role on the Microsoft Sentinel resource group.",
|
||||
"- The watchlist used in this example has at list one column named **ipaddress** which stores the safe address. See the csv file attached in this folder as an example.",
|
||||
"<img src='https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Watchlists%20Utilities/Playbooks/Watchlist-CloseIncidentKnownIPs/images/designerLight1.png'/>",
|
||||
"<img src='https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Watchlists%20Utilities/Playbooks/Watchlist-CloseIncidentKnownIPs/images/designerLight2.png'/>",
|
||||
"<img src='https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Watchlists%20Utilities/Playbooks/Watchlist-CloseIncidentKnownIPs/images/commentLight.png'/>"
|
||||
|
|
|
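Review bot: the new Configurations bullets repeat the defects of the lines they replace: "'Run query and list results" lacks its closing quote, "at list one column" should read "at least one column", and "** Configurations **" will not render as bold because of the spaces inside the markers; since "## Configurations" is already in the same mainSteps array, the bold line can be removed rather than fixed. The step "2. Add a comment to the incident the list of safe and not safe IPs found." also reads awkwardly; "Add a comment to the incident listing the safe and not safe IPs found." is clearer.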
@ -5,11 +5,14 @@ This playbook levarages Microsoft Sentinel Watchlists in order to close incident
|
|||
|
||||
For each Ip address included in the alert (entities of type IP):
|
||||
1. Check if IP is included in watchlist.
|
||||
* If IP is in the watchlist, consider the IP saf,. **Add it to Safe IPs array.**
|
||||
* If IP is in the watchlist, consider the IP safe, **Add it to Safe IPs array.**
|
||||
* If IP is not in the watchlist, meaning that we are not sure it is safe, **Add it to not Safe IPs array.**
|
||||
2. Add a comment to the incident the list of safe and not safe IPs found.
|
||||
3. If the not safe list is empty (length == 0), close the incident as Benign Positive.
|
||||
|
||||
## Prerequisites
|
||||
<a href='https://docs.microsoft.com/azure/sentinel/watchlists?WT.mc_id=Portal-fx#create-a-new-watchlist'>Create a watchlist</a> for safe IPs with ip column named 'ipaddress' (can be changed in 'Run query' step). Watchlist should be located in the same workspace of the incidents.
|
||||
|
||||
## Configurations
|
||||
* Configure the step "Run query and list results" with the identifiers of the Sentinel workspace where the watchlist is stored.
|
||||
* Configure the identity used in the "Run query and list results" step with the Log Analytics Reader RBAC role on the Microsoft Sentinel resource group.
|
||||
|
|
|
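Review bot: the new "## Configurations" section lists only the workspace identifiers and the Log Analytics Reader role, while the playbook metadata updated in this same commit also requires the Logic App's Managed Identity to hold the Microsoft Sentinel Responder role on the Sentinel resource group and the watchlist to contain an "ipaddress" column; add those two bullets here so the README and the metadata agree. The context shown in the hunk header ("This playbook levarages Microsoft Sentinel Watchlists...") has a "levarages" typo on the README's line 5 that could be corrected in the same change.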
@ -4,11 +4,14 @@
|
|||
"metadata": {
|
||||
"title": "Watchlists - Inform Subscription Owner",
|
||||
"description": "This playbook leverages Microsoft Sentinel Watchlists in order to get the relevant subscription owner contact details, and inform about an ASC alert that occured in that subscription. It uses Microsoft Teams and Office 365 Outlook as ways to inform the sub owner.",
|
||||
"prerequisites": ["None"],
|
||||
"prerequisites": ["Create a Watchlist that this playbook will query:",
|
||||
"1.Create an input comma-separated value (CSV) file with the following columns: SubscriptionId, SubscriptionName, OwnerName, OwnerEmail, where each row represents a subscription in an Azure tenant.",
|
||||
"2. Upload the table to the Microsoft Sentinel Watchlist area. Make a note of the value you use as the Watchlist Alias, as you'll use it to query this watchlist from the playbook."
|
||||
],
|
||||
"mainSteps": ["Note: This playbook utilizes two features currently in Preview.",
|
||||
"* Microsoft Sentinel Watchlists",
|
||||
"* Microsoft Sentinel Incident Trigger",
|
||||
"<img src='https://github.com/Azure/Azure-Sentinel/blob/master/Playbooks/Watchlist-InformSubowner-IncidentTrigger/images/designerView.png'/>"
|
||||
"<img src='https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Watchlists%20Utilities/Playbooks/Watchlist-InformSubowner-IncidentTrigger/images/designerView.png?raw=true'/>"
|
||||
],
|
||||
"lastUpdateTime": "2022-07-21T00:00:00.000Z",
|
||||
"entities": ["AzureResource"],
|
||||
|
|
|
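Review bot: "1.Create an input comma-separated value (CSV) file..." in the new prerequisites array is missing the space after "1." that "2. Upload the table..." has, so the two steps will not render as a single numbered list; the description still reads "occured" instead of "occurred". The "lastUpdateTime" value "2022-07-21T00:00:00.000Z" also differs in format from "2022-07-21T00:00:00Z" used for the same playbook in the solution package hunk of this commit; use one format.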
@ -4,6 +4,10 @@ author: Lior Tamir
|
|||
This playbook leverages Microsoft Sentinel Watchlists in order to get the relevant subscription owner contact details, and inform about an ASC alert that occured in that subscription.
|
||||
It uses Microsoft Teams and Office 365 Outlook as ways to inform the sub owner.
|
||||
|
||||
## Prerequisites
|
||||
Create a Watchlist that this playbook will query:
|
||||
1.Create an input comma-separated value (CSV) file with the following columns: SubscriptionId, SubscriptionName, OwnerName, OwnerEmail, where each row represents a subscription in an Azure tenant.
|
||||
2. Upload the table to the Microsoft Sentinel Watchlist area. Make a note of the value you use as the Watchlist Alias, as you'll use it to query this watchlist from the playbook.
|
||||
|
||||
Note: This playbook utilizes two features currently in Preview.
|
||||
* Microsoft Sentinel Watchlists
|
||||
|
|
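Review bot: the new prerequisites step "1.Create an input comma-separated value (CSV) file..." is missing the space after "1." and will render as a plain paragraph rather than the first item of the numbered list that "2. Upload the table..." continues; the description sentence "inform about an ASC alert that occured in that subscription" should read "occurred".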