Merge pull request #5089 from BenjiSec/UpdateTriggerPlaybooks

playbooks for update trigger
Lior Tamir 2022-05-25 10:25:17 +03:00 коммит произвёл GitHub
Родитель fdb7e51ffb 296719444c
Коммит 7648423eed
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: 4AEE18F83AFDEB23
61 изменённых файлов: 2782 добавлений и 0 удалений


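--- a/Playbooks/Jira-CreateAndUpdateIssue/azuredeploy.json
+++ b/Playbooks/Jira-CreateAndUpdateIssue/azuredeploy.json
@@ -0,0 +1,654 @@
+{
+"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+"contentVersion": "1.0.0.0",
+"metadata": {
+"title": "Create And Update Jira Issue",
+"description": "This playbook will create or update incident in Jira. When incident is created, playbook will run and create issue in Jira. When incident is updated, playbook will run and add update to comment section.",
+"postDeployment": ["1. Add Microsoft Sentinel Responder role to the playbook's managed identity.", "2. Authorize Jira connection with: Jira instance, API token, user name.", "3. Create an automation rules for when incident is created or updated and add this playbook as an action"],
+"lastUpdateTime": "2022-05-30T00:00:00.000Z",
+"entities": [
+],
+"tags": [ "Sync", "Incident Update"
+],
+"support": {
+"tier": "community"
+},
+"author": {
+"name": "Benjamin Kovacevic"
+}
+},
+"parameters": {
+"PlaybookName": {
+"defaultValue": "Jira-CreateAndUpdateIssue",
+"type": "string"
+}
+},
+"variables": {
+"JiraConnectionName": "[concat('Jira-', parameters('PlaybookName'))]",
+"MicrosoftSentinelConnectionName": "[concat('MicrosoftSentinel-', parameters('PlaybookName'))]"
+},
+"resources": [
+{
+"properties": {
+"provisioningState": "Succeeded",
+"state": "Enabled",
+"definition": {
+"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+"contentVersion": "1.0.0.0",
+"parameters": {
+"$connections": {
+"defaultValue": {
+},
+"type": "Object"
+}
+},
+"triggers": {
+"Microsoft_Sentinel_incident": {
+"type": "ApiConnectionWebhook",
+"inputs": {
+"body": {
+"callback_url": "@{listCallbackUrl()}"
+},
+"host": {
+"connection": {
+"name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
+}
+},
+"path": "/incident-creation"
+}
+}
+},
+"actions": {
+"Condition_-_create_or_update_incident": {
+"actions": {
+"Create_a_new_issue": {
+"runAfter": {
+},
+"type": "ApiConnection",
+"inputs": {
+"body": {
+"fields": {
+"description": "Incident description: @{triggerBody()?['object']?['properties']?['description']};\nSeverity: @{triggerBody()?['object']?['properties']?['severity']};\nIncident URL: @{triggerBody()?['object']?['properties']?['incidentUrl']}",
+"issuetype": {
+"id": "10001"
+},
+"summary": "@triggerBody()?['object']?['properties']?['title']"
+}
+},
+"host": {
+"connection": {
+"name": "@parameters('$connections')['Jira']['connectionId']"
+}
+},
+"method": "post",
+"path": "/issue",
+"queries": {
+"projectKey": "SEN"
+}
+}
+},
+"Update_incident": {
+"runAfter": {
+"Create_a_new_issue": [
+"Succeeded"
+]
+},
+"type": "ApiConnection",
+"inputs": {
+"body": {
+"incidentArmId": "@triggerBody()?['object']?['id']",
+"tagsToAdd": {
+"TagsToAdd": [
+{
+"Tag": "Jira Issue ID: @{body('Create_a_new_issue')?['id']}"
+}
+]
+}
+},
+"host": {
+"connection": {
+"name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
+}
+},
+"method": "put",
+"path": "/Incidents"
+}
+}
+},
+"runAfter": {
+"Initialize_variable_-_status": [
+"Succeeded"
+]
+},
+"else": {
+"actions": {
+"For_each": {
+"foreach": "@triggerBody()?['object']?['properties']?['labels']",
+"actions": {
+"Condition": {
+"actions": {
+"Add_comment": {
+"runAfter": {
+"Condition_-_status_update": [
+"Succeeded"
+]
+},
+"type": "ApiConnection",
+"inputs": {
+"body": {
+"body": "Microsoft Sentinel incident is updated:\n\nUpdate fields: @{join(triggerBody()?['incidentUpdates']?['updatedFields'], '; ')}\nUpdate by: @{triggerBody()?['incidentUpdates']?['updatedBy']?['name']}\n\nNew values:\n@{outputs('Compose_alert')}\n@{outputs('Compose_severity')}\n@{outputs('Compose_owner')}\n@{outputs('Compose_status')}\n@{outputs('Compose_tag')}\n@{outputs('Compose_comment')}\n@{outputs('Compose_tactics')}"
+},
+"host": {
+"connection": {
+"name": "@parameters('$connections')['Jira']['connectionId']"
+}
+},
+"method": "post",
+"path": "/issue/@{encodeURIComponent(variables('Jira ID'))}/comment"
+}
+},
+"Condition_-_alert_updated": {
+"actions": {
+"Compose_alert": {
+"runAfter": {
+"For_each_-_new_alert": [
+"Succeeded"
+]
+},
+"type": "Compose",
+"inputs": "Alerts: @{variables('New alert')}"
+},
+"For_each_-_new_alert": {
+"foreach": "@triggerBody()?['incidentUpdates']?['alerts']",
+"actions": {
+"Append_to_string_variable_-_alert": {
+"runAfter": {
+},
+"type": "AppendToStringVariable",
+"inputs": {
+"name": "New alert",
+"value": "@concat(items('For_each_-_new_alert')?['properties']?['alertDisplayName'], '; ')"
+}
+}
+},
+"runAfter": {
+},
+"type": "Foreach"
+}
+},
+"runAfter": {
+"Condition_-_comment_updated": [
+"Succeeded"
+]
+},
+"expression": {
+"and": [
+{
+"contains": [
+"@triggerBody()?['incidentUpdates']?['updatedFields']",
+"Alerts"
+]
+}
+]
+},
+"type": "If"
+},
+"Condition_-_comment_updated": {
+"actions": {
+"Compose_comment": {
+"runAfter": {
+"For_each_-_new_comment": [
+"Succeeded"
+]
+},
+"type": "Compose",
+"inputs": "Comment: @{variables('New comments')}"
+},
+"For_each_-_new_comment": {
+"foreach": "@triggerBody()?['incidentUpdates']?['comments']",
+"actions": {
+"Append_to_string_variable_-_comment": {
+"runAfter": {
+},
+"type": "AppendToStringVariable",
+"inputs": {
+"name": "New comments",
+"value": "@concat(items('For_each_-_new_comment')?['properties']?['message'], '; ')"
+}
+}
+},
+"runAfter": {
+},
+"type": "Foreach"
+}
+},
+"runAfter": {
+"Set_variable_-_Jira_ID": [
+"Succeeded"
+]
+},
+"expression": {
+"and": [
+{
+"contains": [
+"@triggerBody()?['incidentUpdates']?['updatedFields']",
+"Comments"
+]
+}
+]
+},
+"type": "If"
+},
+"Condition_-_owner_update": {
+"actions": {
+"Append_to_string_variable_-_owner": {
+"runAfter": {
+},
+"type": "AppendToStringVariable",
+"inputs": {
+"name": "New owner",
+"value": "@triggerBody()?['object']?['properties']?['owner']?['assignedTo']"
+}
+},
+"Compose_owner": {
+"runAfter": {
+"Append_to_string_variable_-_owner": [
+"Succeeded"
+]
+},
+"type": "Compose",
+"inputs": "Owner: @{variables('New owner')}"
+}
+},
+"runAfter": {
+"Condition_-_tag_updated": [
+"Succeeded"
+]
+},
+"expression": {
+"and": [
+{
+"contains": [
+"@triggerBody()?['incidentUpdates']?['updatedFields']",
+"Owner"
+]
+}
+]
+},
+"type": "If"
+},
+"Condition_-_severity_update": {
+"actions": {
+"Append_to_string_variable_-_severity": {
+"runAfter": {
+},
+"type": "AppendToStringVariable",
+"inputs": {
+"name": "New severity",
+"value": "@triggerBody()?['object']?['properties']?['severity']"
+}
+},
+"Compose_severity": {
+"runAfter": {
+"Append_to_string_variable_-_severity": [
+"Succeeded"
+]
+},
+"type": "Compose",
+"inputs": "Severity: @{variables('New severity')}"
+}
+},
+"runAfter": {
+"Condition_-_owner_update": [
+"Succeeded"
+]
+},
+"expression": {
+"and": [
+{
+"contains": [
+"@triggerBody()?['incidentUpdates']?['updatedFields']",
+"Severity"
+]
+}
+]
+},
+"type": "If"
+},
+"Condition_-_status_update": {
+"actions": {
+"Append_to_string_variable_-_status": {
+"runAfter": {
+},
+"type": "AppendToStringVariable",
+"inputs": {
+"name": "New status",
+"value": "@triggerBody()?['object']?['properties']?['status']"
+}
+},
+"Compose_status": {
+"runAfter": {
+"Append_to_string_variable_-_status": [
+"Succeeded"
+]
+},
+"type": "Compose",
+"inputs": "Status: @{variables('New status')}"
+}
+},
+"runAfter": {
+"Condition_-_tactics_update": [
+"Succeeded"
+]
+},
+"expression": {
+"and": [
+{
+"contains": [
+"@triggerBody()?['incidentUpdates']?['updatedFields']",
+"Status"
+]
+}
+]
+},
+"type": "If"
+},
+"Condition_-_tactics_update": {
+"actions": {
+"Compose_tactics": {
+"runAfter": {
+},
+"type": "Compose",
+"inputs": "Tactics: @{join(triggerBody()?['incidentUpdates']?['tactics'], '; ')}"
+}
+},
+"runAfter": {
+"Condition_-_severity_update": [
+"Succeeded"
+]
+},
+"expression": {
+"and": [
+{
+"contains": [
+"@triggerBody()?['incidentUpdates']?['updatedFields']",
+"Tactics"
+]
+}
+]
+},
+"type": "If"
+},
+"Condition_-_tag_updated": {
+"actions": {
+"Compose_tag": {
+"runAfter": {
+"For_each_-_new_tag": [
+"Succeeded"
+]
+},
+"type": "Compose",
+"inputs": "Tags: @{variables('New tag')}"
+},
+"For_each_-_new_tag": {
+"foreach": "@triggerBody()?['incidentUpdates']?['labels']",
+"actions": {
+"Append_to_string_variable_-_tag": {
+"runAfter": {
+},
+"type": "AppendToStringVariable",
+"inputs": {
+"name": "New tag",
+"value": "@concat(items('For_each_-_new_tag')?['labelName'], '; ')"
+}
+}
+},
+"runAfter": {
+},
+"type": "Foreach"
+}
+},
+"runAfter": {
+"Condition_-_alert_updated": [
+"Succeeded"
+]
+},
+"expression": {
+"and": [
+{
+"contains": [
+"@triggerBody()?['incidentUpdates']?['updatedFields']",
+"Labels"
+]
+}
+]
+},
+"type": "If"
+},
+"Set_variable_-_Jira_ID": {
+"runAfter": {
+},
+"type": "SetVariable",
+"inputs": {
+"name": "Jira ID",
+"value": "@{split(items('For_each')?['labelName'],': ')[1]}"
+}
+}
+},
+"runAfter": {
+},
+"expression": {
+"and": [
+{
+"contains": [
+"@items('For_each')?['labelName']",
+"Jira"
+]
+}
+]
+},
+"type": "If"
+}
+},
+"runAfter": {
+},
+"type": "Foreach"
+}
+}
+},
+"expression": {
+"and": [
+{
+"equals": [
+"@triggerBody()?['incidentUpdates']?['updatedFields']",
+"@null"
+]
+}
+]
+},
+"type": "If"
+},
+"Initialize_variable_-_Jira_ID": {
+"runAfter": {
+},
+"type": "InitializeVariable",
+"inputs": {
+"variables": [
+{
+"name": "Jira ID",
+"type": "string"
+}
+]
+}
+},
+"Initialize_variable_-_alert": {
+"runAfter": {
+"Initialize_variable_-_comment": [
+"Succeeded"
+]
+},
+"type": "InitializeVariable",
+"inputs": {
+"variables": [
+{
+"name": "New alert",
+"type": "string"
+}
+]
+}
+},
+"Initialize_variable_-_comment": {
+"runAfter": {
+"Initialize_variable_-_Jira_ID": [
+"Succeeded"
+]
+},
+"type": "InitializeVariable",
+"inputs": {
+"variables": [
+{
+"name": "New comments",
+"type": "string"
+}
+]
+}
+},
+"Initialize_variable_-_owner": {
+"runAfter": {
+"Initialize_variable_-_tag": [
+"Succeeded"
+]
+},
+"type": "InitializeVariable",
+"inputs": {
+"variables": [
+{
+"name": "New owner",
+"type": "string"
+}
+]
+}
+},
+"Initialize_variable_-_severity": {
+"runAfter": {
+"Initialize_variable_-_owner": [
+"Succeeded"
+]
+},
+"type": "InitializeVariable",
+"inputs": {
+"variables": [
+{
+"name": "New severity",
+"type": "string"
+}
+]
+}
+},
+"Initialize_variable_-_status": {
+"runAfter": {
+"Initialize_variable_-_severity": [
+"Succeeded"
+]
+},
+"type": "InitializeVariable",
+"inputs": {
+"variables": [
+{
+"name": "New status",
+"type": "string"
+}
+]
+}
+},
+"Initialize_variable_-_tag": {
+"runAfter": {
+"Initialize_variable_-_alert": [
+"Succeeded"
+]
+},
+"type": "InitializeVariable",
+"inputs": {
+"variables": [
+{
+"name": "New tag",
+"type": "string"
+}
+]
+}
+}
+},
+"outputs": {
+}
+},
+"parameters": {
+"$connections": {
+"value": {
+"Jira": {
+"connectionId": "[resourceId('Microsoft.Web/connections', variables('JiraConnectionName'))]",
+"connectionName": "[variables('JiraConnectionName')]",
+"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Jira')]"
+},
+"microsoftsentinel": {
+"connectionId": "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
+"connectionName": "[variables('MicrosoftSentinelConnectionName')]",
+"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]",
+"connectionProperties": {
+"authentication": {
+"type": "ManagedServiceIdentity"
+}
+}
+}
+}
+}
+}
+},
+"name": "[parameters('PlaybookName')]",
+"type": "Microsoft.Logic/workflows",
+"location": "[resourceGroup().location]",
+"tags": {
+"hidden-SentinelTemplateName": "CreateJiraIssue-Incident",
+"hidden-SentinelTemplateVersion": "2.0"
+},
+"identity": {
+"type": "SystemAssigned"
+},
+"apiVersion": "2017-07-01",
+"dependsOn": [
+"[resourceId('Microsoft.Web/connections', variables('JiraConnectionName'))]",
+"[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]"
+]
+},
+{
+"type": "Microsoft.Web/connections",
+"apiVersion": "2016-06-01",
+"name": "[variables('JiraConnectionName')]",
+"location": "[resourceGroup().location]",
+"kind": "V1",
+"properties": {
+"displayName": "[variables('JiraConnectionName')]",
+"customParameterValues": {
+},
+"api": {
+"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Jira')]"
+}
+}
+},
+{
+"type": "Microsoft.Web/connections",
+"apiVersion": "2016-06-01",
+"name": "[variables('MicrosoftSentinelConnectionName')]",
+"location": "[resourceGroup().location]",
+"kind": "V1",
+"properties": {
+"displayName": "[variables('MicrosoftSentinelConnectionName')]",
+"customParameterValues": {
+},
+"parameterValueType": "Alternative",
+"api": {
+"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]"
+}
+}
+}
+]
+}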
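Review bot: `Set_variable_-_Jira_ID` evaluates `split(items('For_each')?['labelName'],': ')[1]`, but the enclosing `Condition` only checks that the label contains "Jira", so any label containing that word without a ": " separator (for example a plain "Jira" tag) makes the index expression fail and errors the whole run. Matching the exact prefix that `Update_incident` writes in the create branch closes that gap: replace the `contains` operator with `"startsWith": ["@items('For_each')?['labelName']", "Jira Issue ID: "]`. That label is also the only thing selecting which Jira issue receives the comment with the incident details, and incident labels are editable by anyone with write access to the incident, so it deserves to be treated as untrusted input (the `encodeURIComponent` on the comment path already limits what can reach the URL). `projectKey` "SEN" and `issuetype.id` "10001" are hard-coded while the post-deployment notes tell the deployer to choose a project and issue type; exposing them as template parameters, as the Notify playbooks in this PR do for their inputs, avoids the issue-creation call failing silently against a different Jira project. The `For_each` loops set and append to variables without `runtimeConfiguration.concurrency.repetitions` set to 1, and Foreach iterations run in parallel by default, so the assembled strings can interleave when an update carries several alerts, comments or labels.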


Двоичные данные
Playbooks/Jira-CreateAndUpdateIssue/images/JiraNewIssue.jpg Normal file


Двоичные данные
Playbooks/Jira-CreateAndUpdateIssue/images/JiraPlaybookDark.jpg Normal file


Двоичные данные
Playbooks/Jira-CreateAndUpdateIssue/images/JiraPlaybookLight.jpg Normal file


Двоичные данные
Playbooks/Jira-CreateAndUpdateIssue/images/JiraUpdateIssue.jpg Normal file



@ -0,0 +1,40 @@
# Jira-CreateAndUpdateIssue
author: Benjamin Kovacevic
This playbook will create or update incident in Jira. When incident is created, playbook will run and create issue in Jira. When incident is updated, playbook will run and add update to comment section.
# Prerequisites
We will need following data to make Jira connector:<br>
1. Jira instance (ex. xyz.atlassian.net)<br>
2. Jira API (create API token on https://id.atlassian.com/manage-profile/security/api-tokens)<br>
3. User email<br>
![Jira connector requirements](./images/jira-connector-requirementsDark.png)<br>
# Quick Deployment
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FJira-CreateAndUpdateIssue%2Fazuredeploy.json)
[![Deploy to Azure Gov](https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/deploytoazuregov.png)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FJira-CreateAndUpdateIssue%2Fazuredeploy.json)
<br><br>
# Post-deployment
1. Authorize Jira connector and choose:
- Jira Project (where you want to sync Microsoft Sentinel incidents to) and
- Issue Type Id (Microsoft Sentinel incident issue type in Jira - Task, Story, Bug,...).<br>
2. Assign Microsoft Sentinel Responder role to playbook's managed identity. To do so, choose Identity blade under Settings of the Logic App.
3. Add playbook as an action to the automation rule, ex.:
- Trigger = When incident is updated;
- Condition = Staus > Changed To > Closed;.<br>
**Automation rule example**<br>
![Automation Rule Example](./images/AutomationRuleExampleDark.jpg)
# Screenshots
**Playbook** <br>
![playbook screenshot](./images/JiraPlaybookDark.jpg)<br>
![playbook screenshot](./images/JiraPlaybookLight.jpg)<br><br>
**Jira New Issue** <br>
![jira screenshot new](./images/JiraNewIssue.jpg)<br><br>
**Jira Update Issue** <br>
![jira screenshot update](./images/JiraUpdateIssue.jpg)<br>


@ -0,0 +1,9 @@
### 2.0 New version leverages incident update trigger
- New version of the playbook creates a record and updates it.
- In creation part added step to add tag with Jira ID.
- Added option to update Jira issue when incident updated in Microsoft Sentinel.
### 1.0
- Initial version


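--- a/Playbooks/Notify-IncidentClosed/azuredeploy.json
+++ b/Playbooks/Notify-IncidentClosed/azuredeploy.json
@@ -0,0 +1,324 @@
+{
+"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+"contentVersion": "1.0.0.0",
+"metadata": {
+"title": "Notify When Incident Is Closed",
+"description": "This playbook is utilizing new update trigger to notify person/group on Microsoft Teams/Outlook when incident is closed.",
+"prerequisites": ["1. Email address to where notification will be sent to.", "2. (Optional) Microsoft Teams Team ID and Channel ID, or choose them in Logic Apps designer after the deployment. [Guidance to get Ids](Instructions to get IDs - https://www.linkedin.com/pulse/3-ways-locate-microsoft-team-id-christopher-barber-/)"
+],
+"postDeployment": ["1. Authorize Microsoft Teams and Microsoft Office 365 Outlook connectors.", "2. Add playbook as an action to the automation rule: Trigger = When incident is updated; Condition = Status Changed To Closed."
+],
+"lastUpdateTime": "2022-05-30T00:00:00.000Z",
+"entities": [
+],
+"tags": [ "Notification", "Incident Update"
+],
+"support": {
+"tier": "community",
+"armtemplate": "Generated from https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Playbook-ARM-Template-Generator"
+},
+"author": {
+"name": "Benjamin Kovacevic"
+}
+},
+"parameters": {
+"PlaybookName": {
+"defaultValue": "Notify-IncidentClosed",
+"type": "string"
+},
+"Notification email": {
+"type": "string",
+"defaultValue": "Notification email",
+"metadata": {
+"description": "Enter value for Notification email"
+}
+},
+"Teams Channel ID": {
+"type": "string",
+"defaultValue": "Teams Channel ID",
+"metadata": {
+"description": "Enter value for Teams Channel ID"
+}
+},
+"Teams Team ID": {
+"type": "string",
+"defaultValue": "Teams Team ID",
+"metadata": {
+"description": "Enter value for Teams Team ID"
+}
+}
+},
+"variables": {
+"MicrosoftSentinelConnectionName": "[concat('MicrosoftSentinel-', parameters('PlaybookName'))]",
+"Office365ConnectionName": "[concat('Office365-', parameters('PlaybookName'))]",
+"TeamsConnectionName": "[concat('Teams-', parameters('PlaybookName'))]"
+},
+"resources": [
+{
+"properties": {
+"provisioningState": "Succeeded",
+"state": "Enabled",
+"definition": {
+"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+"contentVersion": "1.0.0.0",
+"parameters": {
+"$connections": {
+"defaultValue": {
+},
+"type": "Object"
+},
+"Notification email": {
+"defaultValue": "[parameters('Notification email')]",
+"type": "string"
+},
+"Teams Channel ID": {
+"defaultValue": "[parameters('Teams Channel ID')]",
+"type": "string"
+},
+"Teams Team ID": {
+"defaultValue": "[parameters('Teams Team ID')]",
+"type": "string"
+}
+},
+"triggers": {
+"Microsoft_Sentinel_incident": {
+"type": "ApiConnectionWebhook",
+"inputs": {
+"body": {
+"callback_url": "@{listCallbackUrl()}"
+},
+"host": {
+"connection": {
+"name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
+}
+},
+"path": "/incident-creation"
+}
+}
+},
+"actions": {
+"Compose_-_Incident_URL": {
+"runAfter": {
+},
+"type": "Compose",
+"inputs": "\u003ca href=\"@{triggerBody()?['object']?['properties']?['incidentUrl']}\"\u003eClick here to view incident\u003c/a\u003e"
+},
+"Compose_-_Teams_adaptive_card_response": {
+"runAfter": {
+"Send_an_email_(V2)": [
+"Succeeded"
+]
+},
+"type": "Compose",
+"inputs": {
+"$schema": "http://adaptivecards.io/schemas/adaptive-card.json",
+"body": [
+{
+"color": "Good",
+"size": "Large",
+"text": "Microsoft Sentinel Incident Closed!",
+"type": "TextBlock",
+"weight": "Bolder",
+"wrap": true
+},
+{
+"text": "Incident details:",
+"type": "TextBlock",
+"wrap": true
+},
+{
+"facts": [
+{
+"title": "Title",
+"value": "@{triggerBody()?['object']?['properties']?['title']}"
+},
+{
+"title": "Incident ID",
+"value": "@{triggerBody()?['object']?['properties']?['incidentNumber']}"
+},
+{
+"title": "Description",
+"value": "@{triggerBody()?['object']?['properties']?['description']}"
+},
+{
+"title": "Tactics",
+"value": "@{join(triggerBody()?['object']?['properties']?['additionalData']?['tactics'], '\u003cbr /\u003e')}"
+},
+{
+"title": "Alert providers",
+"value": "@{join(triggerBody()?['object']?['properties']?['additionalData']?['alertProductNames'], '\u003cbr /\u003e')}"
+},
+{
+"title": "Status",
+"value": "@{triggerBody()?['object']?['properties']?['status']}"
+},
+{
+"title": "Classification",
+"value": "@{triggerBody()?['object']?['properties']?['classification']}"
+},
+{
+"title": "Classification comment",
+"value": "@{triggerBody()?['object']?['properties']?['classificationComment']}"
+},
+{
+"title": "Classification reason",
+"value": "@{triggerBody()?['object']?['properties']?['classificationReason']}"
+},
+{
+"title": "Incident updated by",
+"value": "@{triggerBody()?['incidentUpdates']?['updatedBy']?['name']}"
+},
+{
+"title": "Incident URL",
+"value": "[Click here to view incident](@{triggerBody()?['object']?['properties']?['incidentUrl']})"
+}
+],
+"type": "FactSet"
+}
+],
+"type": "AdaptiveCard",
+"version": "1.4"
+}
+},
+"Post_adaptive_card_in_a_chat_or_channel": {
+"runAfter": {
+"Compose_-_Teams_adaptive_card_response": [
+"Succeeded"
+]
+},
+"type": "ApiConnection",
+"inputs": {
+"body": {
+"messageBody": "@{outputs('Compose_-_Teams_adaptive_card_response')}",
+"recipient": {
+"channelId": "@parameters('Teams Channel ID')",
+"groupId": "@parameters('Teams Team ID')"
+}
+},
+"host": {
+"connection": {
+"name": "@parameters('$connections')['teams']['connectionId']"
+}
+},
+"method": "post",
+"path": "/v1.0/teams/conversation/adaptivecard/poster/Flow bot/location/@{encodeURIComponent('Channel')}"
+}
+},
+"Send_an_email_(V2)": {
+"runAfter": {
+"Compose_-_Incident_URL": [
+"Succeeded"
+]
+},
+"type": "ApiConnection",
+"inputs": {
+"body": {
+"Body": "\u003cp\u003e\u003cspan style=\"font-size: 18px\"\u003e\u003cstrong\u003eIncident details:\u003c/strong\u003e\u003c/span\u003e\u003cbr\u003e\n\u003cbr\u003e\n\u003cstrong\u003eTitle\u003c/strong\u003e: @{triggerBody()?['object']?['properties']?['title']};\u003cbr\u003e\n\u003cstrong\u003eIncident ID\u003c/strong\u003e: @{triggerBody()?['object']?['properties']?['incidentNumber']};\u003cbr\u003e\n\u003cstrong\u003eDescription\u003c/strong\u003e: @{triggerBody()?['object']?['properties']?['description']};\u003cbr\u003e\n\u003cstrong\u003eTactics\u003c/strong\u003e: @{join(triggerBody()?['object']?['properties']?['additionalData']?['tactics'], '\u003cbr /\u003e')};\u003cbr\u003e\n\u003cstrong\u003eAlert providers\u003c/strong\u003e: @{join(triggerBody()?['object']?['properties']?['additionalData']?['alertProductNames'], '\u003cbr /\u003e')};\u003cbr\u003e\n\u003cstrong\u003eStatus\u003c/strong\u003e: @{triggerBody()?['object']?['properties']?['status']};\u003cbr\u003e\n\u003cstrong\u003eClassification\u003c/strong\u003e: @{triggerBody()?['object']?['properties']?['classification']};\u003cbr\u003e\n\u003cstrong\u003eClassification comment\u003c/strong\u003e: @{triggerBody()?['object']?['properties']?['classificationComment']};\u003cbr\u003e\n\u003cstrong\u003eClassification reason\u003c/strong\u003e: @{triggerBody()?['object']?['properties']?['classificationReason']}\u003cbr\u003e\n\u003cstrong\u003eIncident updated by\u003c/strong\u003e: @{triggerBody()?['incidentUpdates']?['updatedBy']?['name']};\u003cbr\u003e\n\u003cstrong\u003eIncident URL\u003c/strong\u003e: @{outputs('Compose_-_Incident_URL')}\u003c/p\u003e",
+"Subject": "Microsoft Sentinel Incident Closed!",
+"To": "@parameters('Notification email')"
+},
+"host": {
+"connection": {
+"name": "@parameters('$connections')['office365']['connectionId']"
+}
+},
+"method": "post",
+"path": "/v2/Mail"
+}
+}
+},
+"outputs": {
+}
+},
+"parameters": {
+"$connections": {
+"value": {
+"microsoftsentinel": {
+"connectionId": "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
+"connectionName": "[variables('MicrosoftSentinelConnectionName')]",
+"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]",
+"connectionProperties": {
+"authentication": {
+"type": "ManagedServiceIdentity"
+}
+}
+},
+"office365": {
+"connectionId": "[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]",
+"connectionName": "[variables('Office365ConnectionName')]",
+"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Office365')]"
+},
+"teams": {
+"connectionId": "[resourceId('Microsoft.Web/connections', variables('TeamsConnectionName'))]",
+"connectionName": "[variables('TeamsConnectionName')]",
+"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Teams')]"
+}
+}
+}
+}
+},
+"name": "[parameters('PlaybookName')]",
+"type": "Microsoft.Logic/workflows",
+"location": "[resourceGroup().location]",
+"tags": {
+"hidden-SentinelTemplateName": "Notify-IncidentClosed",
+"hidden-SentinelTemplateVersion": "1.0"
+},
+"identity": {
+"type": "SystemAssigned"
+},
+"apiVersion": "2017-07-01",
+"dependsOn": [
+"[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
+"[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]",
+"[resourceId('Microsoft.Web/connections', variables('TeamsConnectionName'))]"
+]
+},
+{
+"type": "Microsoft.Web/connections",
+"apiVersion": "2016-06-01",
+"name": "[variables('MicrosoftSentinelConnectionName')]",
+"location": "[resourceGroup().location]",
+"kind": "V1",
+"properties": {
+"displayName": "[variables('MicrosoftSentinelConnectionName')]",
+"customParameterValues": {
+},
+"parameterValueType": "Alternative",
+"api": {
+"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]"
+}
+}
+},
+{
+"type": "Microsoft.Web/connections",
+"apiVersion": "2016-06-01",
+"name": "[variables('Office365ConnectionName')]",
+"location": "[resourceGroup().location]",
+"kind": "V1",
+"properties": {
+"displayName": "[variables('Office365ConnectionName')]",
+"customParameterValues": {
+},
+"api": {
+"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Office365')]"
+}
+}
+},
+{
+"type": "Microsoft.Web/connections",
+"apiVersion": "2016-06-01",
+"name": "[variables('TeamsConnectionName')]",
+"location": "[resourceGroup().location]",
+"kind": "V1",
+"properties": {
+"displayName": "[variables('TeamsConnectionName')]",
+"customParameterValues": {
+},
+"api": {
+"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Teams')]"
+}
+}
+}
+]
+}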
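Review bot: The HTML `Body` of `Send_an_email_(V2)` and the anchor built by `Compose_-_Incident_URL` interpolate the incident `title`, `description`, `classificationComment` and `updatedBy.name` straight into markup with no escaping, so any `<` in those fields is rendered by the recipient's mail client rather than shown as text. Incident titles and descriptions are frequently derived from alert content rather than typed by an analyst, so at minimum each interpolated field should pass through `replace(replace(replace(x, '&', '&amp;'), '<', '&lt;'), '>', '&gt;')`, or the mail should be sent as plain text; the adaptive card fact values are less exposed because Teams renders them as text. `Compose_-_Teams_adaptive_card_response` is chained after `Send_an_email_(V2)` although it uses nothing from it, so a mail-connector failure also suppresses the Teams post; pointing its `runAfter` at `Compose_-_Incident_URL` lets the two channels fail independently. The placeholder defaults `"Notification email"`, `"Teams Channel ID"` and `"Teams Team ID"` are accepted by the deployment as-is and only fail at run time, whereas omitting `defaultValue` makes the portal require real values before deploying.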


Двоичные данные
Playbooks/Notify-IncidentClosed/images/DeleteConnectionExample.jpg Normal file


Двоичные данные
Playbooks/Notify-IncidentClosed/images/OutlookNotificationDark.png Normal file


Двоичные данные
Playbooks/Notify-IncidentClosed/images/TeamsNotificationDark.jpg Normal file


Двоичные данные
Playbooks/Notify-IncidentClosed/images/playbookDark.png Normal file


Двоичные данные
Playbooks/Notify-IncidentClosed/images/playbookLight.png Normal file



@ -0,0 +1,38 @@
# Notify-IncidentClosed
author: Benjamin Kovacevic
This playbook is utilizing new update trigger to notify person/group on Microsoft Teams/Outlook when incident is closed.
# Prerequisites
1. Email address to where notification will be sent to.
2. Microsoft Teams Team ID and Channel ID (Instructions to get IDs - https://www.linkedin.com/pulse/3-ways-locate-microsoft-team-id-christopher-barber-/) or choose Team and Channel after the deployment
# Quick Deployment
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FNotify-IncidentClosed%2Fazuredeploy.json)
[![Deploy to Azure Gov](https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/deploytoazuregov.png)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FNotify-IncidentClosed%2Fazuredeploy.json)
<br><br>
# Post-deployment
1. Authorize Microsoft Teams and Microsoft Office 365 Outlook connectors
2. Choose Microsoft Teams Team and Channel where to send the adaptive card (only if Team ID and Channel ID were not added during the deployment)
3. Add playbook as an action to the automation rule
- Trigger = When incident is updated;
- Condition = Staus > Changed To > Closed;.<br>
**Automation rule example**<br>
![Automation Rule Example](./images/AutomationRuleExample.jpg)
4. If you want to receive notifications only on Microsoft Teams or only on Microsoft Office 365 Outlook, please remove unneeded connection. To remove, click on 3 dots on top right side of connector, and choose "Delete".<br><br>
**Delete connection example**<br>
![Delete Connection Example](./images/DeleteConnectionExample.jpg)
# Screenshots
**Playbook** <br>
![playbook screenshot](./images/playbookDark.png)<br>
![playbook screenshot](./images/playbookLight.png)<br><br>
**Teams** <br>
![teams notification](./images/TeamsNotification.jpg)<br><br>
**Outlook** <br>
![outlook notification](./images/OutlookNotification.jpg)<br><br>


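--- /dev/null
+++ b/Playbooks/Notify-IncidentReopened/azuredeploy.json
@@ -0,0 +1,317 @@
+{
+"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+"contentVersion": "1.0.0.0",
+"metadata": {
+"title": "Notify When Incident Is Reopened",
+"description": "This playbook is utilizing new update trigger to notify person/group on Microsoft Teams/Outlook when incident is reopened.",
+"prerequisites": ["1. Email address to where notification will be sent to.", "2. (Optional) Microsoft Teams Team ID and Channel ID, or choose them in Logic Apps designer after the deployment. [Guidance to get Ids](Instructions to get IDs - https://www.linkedin.com/pulse/3-ways-locate-microsoft-team-id-christopher-barber-/)"
+],
+"postDeployment": ["1. Authorize Microsoft Teams and Microsoft Office 365 Outlook connectors.", "2. Add playbook as an action to the automation rule: Trigger = When incident is updated; Condition = Staus Changed From Closed."
+],
+"prerequisitesDeployTemplateFile": "",
+"lastUpdateTime": "2022-05-30T00:00:00.000Z",
+"entities": [
+],
+"tags": [ "Notification", "Incident update"
+],
+"support": {
+"tier": "community",
+"armtemplate": "Generated from https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Playbook-ARM-Template-Generator"
+},
+"author": {
+"name": "Benjamin Kovacevic"
+}
+},
+"parameters": {
+"PlaybookName": {
+"defaultValue": "Notify-IncidentReopened",
+"type": "string"
+},
+"Notification email": {
+"type": "string",
+"defaultValue": "Notification email",
+"metadata": {
+"description": "Enter value for Notification email"
+}
+},
+"Teams Channel ID": {
+"type": "string",
+"defaultValue": "Teams Channel ID",
+"metadata": {
+"description": "Enter value for Teams Channel ID"
+}
+},
+"Teams Team ID": {
+"type": "string",
+"defaultValue": "Teams Team ID",
+"metadata": {
+"description": "Enter value for Teams Team ID"
+}
+}
+},
+"variables": {
+"MicrosoftSentinelConnectionName": "[concat('MicrosoftSentinel-', parameters('PlaybookName'))]",
+"Office365ConnectionName": "[concat('Office365-', parameters('PlaybookName'))]",
+"TeamsConnectionName": "[concat('Teams-', parameters('PlaybookName'))]"
+},
+"resources": [
+{
+"properties": {
+"provisioningState": "Succeeded",
+"state": "Enabled",
+"definition": {
+"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+"contentVersion": "1.0.0.0",
+"parameters": {
+"$connections": {
+"defaultValue": {
+},
+"type": "Object"
+},
+"Notification email": {
+"defaultValue": "[parameters('Notification email')]",
+"type": "string"
+},
+"Teams Channel ID": {
+"defaultValue": "[parameters('Teams Channel ID')]",
+"type": "string"
+},
+"Teams Team ID": {
+"defaultValue": "[parameters('Teams Team ID')]",
+"type": "string"
+}
+},
+"triggers": {
+"Microsoft_Sentinel_incident": {
+"type": "ApiConnectionWebhook",
+"inputs": {
+"body": {
+"callback_url": "@{listCallbackUrl()}"
+},
+"host": {
+"connection": {
+"name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
+}
+},
+"path": "/incident-creation"
+}
+}
+},
+"actions": {
+"Compose_-_Incident_URL": {
+"runAfter": {
+},
+"type": "Compose",
+"inputs": "\u003ca href=\"@{triggerBody()?['object']?['properties']?['incidentUrl']}\"\u003eClick here to view incident\u003c/a\u003e"
+},
+"Compose_-_Teams_adaptive_card_response": {
+"runAfter": {
+"Send_an_email_(V2)": [
+"Succeeded"
+]
+},
+"type": "Compose",
+"inputs": {
+"$schema": "http://adaptivecards.io/schemas/adaptive-card.json",
+"body": [
+{
+"color": "Attention",
+"size": "Large",
+"text": "Microsoft Sentinel Incident Reopened!",
+"type": "TextBlock",
+"weight": "Bolder",
+"wrap": true
+},
+{
+"text": "Incident details:",
+"type": "TextBlock",
+"wrap": true
+},
+{
+"facts": [
+{
+"title": "Title",
+"value": "@{triggerBody()?['object']?['properties']?['title']}"
+},
+{
+"title": "Incident ID",
+"value": "@{triggerBody()?['object']?['properties']?['incidentNumber']}"
+},
+{
+"title": "Description",
+"value": "@{triggerBody()?['object']?['properties']?['description']}"
+},
+{
+"title": "Severity",
+"value": "@{triggerBody()?['object']?['properties']?['severity']}"
+},
+{
+"title": "Tactics",
+"value": "@{join(triggerBody()?['object']?['properties']?['additionalData']?['tactics'], '\u003cbr /\u003e')}"
+},
+{
+"title": "Alert providers",
+"value": "@{join(triggerBody()?['object']?['properties']?['additionalData']?['alertProductNames'], '\u003cbr /\u003e')}"
+},
+{
+"title": "New Status",
+"value": "@{triggerBody()?['object']?['properties']?['status']}"
+},
+{
+"title": "Incident updated by",
+"value": "@{triggerBody()?['incidentUpdates']?['updatedBy']?['name']}"
+},
+{
+"title": "Incident URL",
+"value": "[Click here to view incident](@{triggerBody()?['object']?['properties']?['incidentUrl']})"
+}
+],
+"type": "FactSet"
+}
+],
+"type": "AdaptiveCard",
+"version": "1.4"
+}
+},
+"Post_adaptive_card_in_a_chat_or_channel": {
+"runAfter": {
+"Compose_-_Teams_adaptive_card_response": [
+"Succeeded"
+]
+},
+"type": "ApiConnection",
+"inputs": {
+"body": {
+"messageBody": "@{outputs('Compose_-_Teams_adaptive_card_response')}",
+"recipient": {
+"channelId": "@parameters('Teams Channel ID')",
+"groupId": "@parameters('Teams Team ID')"
+}
+},
+"host": {
+"connection": {
+"name": "@parameters('$connections')['teams']['connectionId']"
+}
+},
+"method": "post",
+"path": "/v1.0/teams/conversation/adaptivecard/poster/Flow bot/location/@{encodeURIComponent('Channel')}"
+}
+},
+"Send_an_email_(V2)": {
+"runAfter": {
+"Compose_-_Incident_URL": [
+"Succeeded"
+]
+},
+"type": "ApiConnection",
+"inputs": {
+"body": {
+"Body": "\u003cp\u003e\u003cspan style=\"font-size: 18px\"\u003e\u003cstrong\u003eIncident details:\u003c/strong\u003e\u003c/span\u003e\u003cbr\u003e\n\u003cbr\u003e\n\u003cstrong\u003eTitle\u003c/strong\u003e: @{triggerBody()?['object']?['properties']?['title']};\u003cbr\u003e\n\u003cstrong\u003eIncident ID\u003c/strong\u003e: @{triggerBody()?['object']?['properties']?['incidentNumber']};\u003cbr\u003e\n\u003cstrong\u003eDescription\u003c/strong\u003e: @{triggerBody()?['object']?['properties']?['description']};\u003cbr\u003e\n\u003cstrong\u003eSeverity\u003c/strong\u003e: @{triggerBody()?['object']?['properties']?['severity']};\u003cbr\u003e\n\u003cstrong\u003eTactics\u003c/strong\u003e: @{join(triggerBody()?['object']?['properties']?['additionalData']?['tactics'], '\u003cbr /\u003e')};\u003cbr\u003e\n\u003cstrong\u003eAlert providers\u003c/strong\u003e: @{join(triggerBody()?['object']?['properties']?['additionalData']?['alertProductNames'], '\u003cbr /\u003e')};\u003cbr\u003e\n\u003cstrong\u003eNew Status\u003c/strong\u003e: @{triggerBody()?['object']?['properties']?['status']};\u003cbr\u003e\n\u003cstrong\u003eIncident updated by\u003c/strong\u003e: @{triggerBody()?['incidentUpdates']?['updatedBy']?['name']};\u003cbr\u003e\n\u003cstrong\u003eIncident URL\u003c/strong\u003e: @{outputs('Compose_-_Incident_URL')}\u003c/p\u003e",
+"Subject": "Microsoft Sentinel Incident Reopened!",
+"To": "@parameters('Notification email')"
+},
+"host": {
+"connection": {
+"name": "@parameters('$connections')['office365']['connectionId']"
+}
+},
+"method": "post",
+"path": "/v2/Mail"
+}
+}
+},
+"outputs": {
+}
+},
+"parameters": {
+"$connections": {
+"value": {
+"microsoftsentinel": {
+"connectionId": "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
+"connectionName": "[variables('MicrosoftSentinelConnectionName')]",
+"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]",
+"connectionProperties": {
+"authentication": {
+"type": "ManagedServiceIdentity"
+}
+}
+},
+"office365": {
+"connectionId": "[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]",
+"connectionName": "[variables('Office365ConnectionName')]",
+"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Office365')]"
+},
+"teams": {
+"connectionId": "[resourceId('Microsoft.Web/connections', variables('TeamsConnectionName'))]",
+"connectionName": "[variables('TeamsConnectionName')]",
+"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Teams')]"
+}
+}
+}
+}
+},
+"name": "[parameters('PlaybookName')]",
+"type": "Microsoft.Logic/workflows",
+"location": "[resourceGroup().location]",
+"identity": {
+"type": "SystemAssigned"
+},
+"tags": {
+"hidden-SentinelTemplateName": "Notify-IncidentReopened",
+"hidden-SentinelTemplateVersion": "1.0"
+},
+"apiVersion": "2017-07-01",
+"dependsOn": [
+"[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
+"[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]",
+"[resourceId('Microsoft.Web/connections', variables('TeamsConnectionName'))]"
+]
+},
+{
+"type": "Microsoft.Web/connections",
+"apiVersion": "2016-06-01",
+"name": "[variables('MicrosoftSentinelConnectionName')]",
+"location": "[resourceGroup().location]",
+"kind": "V1",
+"properties": {
+"displayName": "[variables('MicrosoftSentinelConnectionName')]",
+"customParameterValues": {
+},
+"parameterValueType": "Alternative",
+"api": {
+"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]"
+}
+}
+},
+{
+"type": "Microsoft.Web/connections",
+"apiVersion": "2016-06-01",
+"name": "[variables('Office365ConnectionName')]",
+"location": "[resourceGroup().location]",
+"kind": "V1",
+"properties": {
+"displayName": "[variables('Office365ConnectionName')]",
+"customParameterValues": {
+},
+"api": {
+"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Office365')]"
+}
+}
+},
+{
+"type": "Microsoft.Web/connections",
+"apiVersion": "2016-06-01",
+"name": "[variables('TeamsConnectionName')]",
+"location": "[resourceGroup().location]",
+"kind": "V1",
+"properties": {
+"displayName": "[variables('TeamsConnectionName')]",
+"customParameterValues": {
+},
+"api": {
+"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Teams')]"
+}
+}
+}
+]
+}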
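Review bot: `Post_adaptive_card_in_a_chat_or_channel` only runs because `Compose_-_Teams_adaptive_card_response` is chained after `Send_an_email_(V2)` with `"Succeeded"` alone, so a transient mail failure also suppresses the Teams notification even though the two channels are independent; start the compose step from the URL step instead, `"runAfter": { "Compose_-_Incident_URL": [ "Succeeded" ] }`, or let it also run on `"Failed"`. The mail `Body` and the adaptive-card facts interpolate the incident `title` and `description` straight into HTML and card markdown; those fields are populated from alert data and can carry markup, so escaping `<` and `&` with `replace()` before interpolation, or sending a plain-text body, keeps a crafted alert from shaping the notification a responder reads. In `metadata`, the `prerequisites` entry wraps the guidance link as `[Guidance to get Ids](Instructions to get IDs - https://…)`, which is not a valid link target, and `postDeployment` reads `Staus`. The same three points apply to the Notify-IncidentSeverityChanged template later in this commit.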


Двоичные данные
Playbooks/Notify-IncidentReopened/images/TeamsNotification.jpg Normal file


Двоичные данные
Playbooks/Notify-IncidentReopened/images/playbookDark.png Normal file


Двоичные данные
Playbooks/Notify-IncidentReopened/images/playbookLight.png Normal file



@ -0,0 +1,38 @@
# Notify-IncidentReopened
author: Benjamin Kovacevic
This playbook is utilizing new update trigger to notify person/group on Microsoft Teams/Outlook when incident is reopened.
# Prerequisites
1. Email address to where notification will be sent to.
2. Microsoft Teams Team ID and Channel ID (Instructions to get IDs - https://www.linkedin.com/pulse/3-ways-locate-microsoft-team-id-christopher-barber-/) or choose Team and Channel after the deployment
# Quick Deployment
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FNotify-IncidentReopened%2Fazuredeploy.json)
[![Deploy to Azure Gov](https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/deploytoazuregov.png)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FNotify-IncidentReopened%2Fazuredeploy.json)
<br><br>
# Post-deployment
1. Authorize Microsoft Teams and Microsoft Office 365 Outlook connectors
2. Choose Microsoft Teams Team and Channel where to send the adaptive card (only if Team ID and Channel ID were not added during the deployment)
3. Add playbook as an action to the automation rule
- Trigger = When incident is updated;
- Condition = Staus > Changed From > Closed;.<br>
**Automation rule example**<br>
![Automation Rule Example](./images/AutomationRuleExample.jpg)
4. If you want to receive notifications only on Microsoft Teams or only on Microsoft Office 365 Outlook, please remove unneeded connection. To remove, click on 3 dots on top right side of connector, and choose "Delete".<br><br>
**Delete connection example**<br>
![Delete Connection Example](./images/DeleteConnectionExample.jpg)
# Screenshots
**Playbook** <br>
![playbook screenshot](./images/playbookDark.png)<br>
![playbook screenshot](./images/playbookLight.png)<br><br>
**Teams** <br>
![teams notification](./images/TeamsNotification.jpg)<br><br>
**Outlook** <br>
![outlook notification](./images/OutlookNotification.jpg)<br><br>


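--- /dev/null
+++ b/Playbooks/Notify-IncidentSeverityChanged/azuredeploy.json
@@ -0,0 +1,312 @@
+{
+"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+"contentVersion": "1.0.0.0",
+"metadata": {
+"title": "Notify When Incident Severity Changed",
+"description": "This playbook is utilizing new update trigger to notify person/group on Microsoft Teams/Outlook when incident severity change.",
+"prerequisites": ["1. Email address to where notification will be sent to.", "2. (Optional) Microsoft Teams Team ID and Channel ID, or choose them in Logic Apps designer after the deployment. [Guidance to get Ids](Instructions to get IDs - https://www.linkedin.com/pulse/3-ways-locate-microsoft-team-id-christopher-barber-/)"
+],
+"postDeployment": ["1. Authorize Microsoft Teams and Microsoft Office 365 Outlook connectors.", "2. Add playbook as an action to the automation rule: Trigger = When incident is updated; Condition = Status Changed To Closed."
+],
+"prerequisitesDeployTemplateFile": "",
+"lastUpdateTime": "2022-05-30T00:00:00.000Z",
+"entities": [
+],
+"tags": [ "Notification", "Incident Update"
+],
+"support": {
+"tier": "community"
+},
+"author": {
+"name": "Benjamin Kovacevic"
+}
+},
+"parameters": {
+"PlaybookName": {
+"defaultValue": "Notify-IncidentSeverityChanged",
+"type": "string"
+},
+"Notification email": {
+"type": "string",
+"defaultValue": "Notification email",
+"metadata": {
+"description": "Enter value for Notification email"
+}
+},
+"Teams Channel ID": {
+"type": "string",
+"defaultValue": "Teams Channel ID",
+"metadata": {
+"description": "Enter value for Teams Channel ID"
+}
+},
+"Teams Team ID": {
+"type": "string",
+"defaultValue": "Teams Team ID",
+"metadata": {
+"description": "Enter value for Teams Team ID"
+}
+}
+},
+"variables": {
+"MicrosoftSentinelConnectionName": "[concat('MicrosoftSentinel-', parameters('PlaybookName'))]",
+"Office365ConnectionName": "[concat('Office365-', parameters('PlaybookName'))]",
+"TeamsConnectionName": "[concat('Teams-', parameters('PlaybookName'))]"
+},
+"resources": [
+{
+"properties": {
+"provisioningState": "Succeeded",
+"state": "Enabled",
+"definition": {
+"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+"contentVersion": "1.0.0.0",
+"parameters": {
+"$connections": {
+"defaultValue": {
+},
+"type": "Object"
+},
+"Notification email": {
+"defaultValue": "[parameters('Notification email')]",
+"type": "string"
+},
+"Teams Channel ID": {
+"defaultValue": "[parameters('Teams Channel ID')]",
+"type": "string"
+},
+"Teams Team ID": {
+"defaultValue": "[parameters('Teams Team ID')]",
+"type": "string"
+}
+},
+"triggers": {
+"Microsoft_Sentinel_incident": {
+"type": "ApiConnectionWebhook",
+"inputs": {
+"body": {
+"callback_url": "@{listCallbackUrl()}"
+},
+"host": {
+"connection": {
+"name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
+}
+},
+"path": "/incident-creation"
+}
+}
+},
+"actions": {
+"Compose_-_Incident_URL": {
+"runAfter": {
+},
+"type": "Compose",
+"inputs": "\u003ca href=\"@{triggerBody()?['object']?['properties']?['incidentUrl']}\"\u003eClick here to view incident\u003c/a\u003e"
+},
+"Compose_-_Teams_adaptive_card_response": {
+"runAfter": {
+"Send_an_email_(V2)": [
+"Succeeded"
+]
+},
+"type": "Compose",
+"inputs": {
+"$schema": "http://adaptivecards.io/schemas/adaptive-card.json",
+"body": [
+{
+"color": "Warning",
+"size": "Large",
+"text": "Microsoft Sentinel Incident Severity Changed!",
+"type": "TextBlock",
+"weight": "Bolder",
+"wrap": true
+},
+{
+"text": "Incident details:",
+"type": "TextBlock",
+"wrap": true
+},
+{
+"facts": [
+{
+"title": "Title",
+"value": "@{triggerBody()?['object']?['properties']?['title']}"
+},
+{
+"title": "Incident ID",
+"value": "@{triggerBody()?['object']?['properties']?['incidentNumber']}"
+},
+{
+"title": "Description",
+"value": "@{triggerBody()?['object']?['properties']?['description']}"
+},
+{
+"title": "Tactics",
+"value": "@{join(triggerBody()?['object']?['properties']?['additionalData']?['tactics'], '\u003cbr /\u003e')}"
+},
+{
+"title": "Alert providers",
+"value": "@{join(triggerBody()?['object']?['properties']?['additionalData']?['alertProductNames'], '\u003cbr /\u003e')}"
+},
+{
+"title": "New Severity",
+"value": "@{triggerBody()?['object']?['properties']?['severity']}"
+},
+{
+"title": "Incident updated by",
+"value": "@{triggerBody()?['incidentUpdates']?['updatedBy']?['name']}"
+},
+{
+"title": "Incident URL",
+"value": "[Click here to view incident](@{triggerBody()?['object']?['properties']?['incidentUrl']})"
+}
+],
+"type": "FactSet"
+}
+],
+"type": "AdaptiveCard",
+"version": "1.4"
+}
+},
+"Post_adaptive_card_in_a_chat_or_channel": {
+"runAfter": {
+"Compose_-_Teams_adaptive_card_response": [
+"Succeeded"
+]
+},
+"type": "ApiConnection",
+"inputs": {
+"body": {
+"messageBody": "@{outputs('Compose_-_Teams_adaptive_card_response')}",
+"recipient": {
+"channelId": "@parameters('Teams Channel ID')",
+"groupId": "@parameters('Teams Team ID')"
+}
+},
+"host": {
+"connection": {
+"name": "@parameters('$connections')['teams']['connectionId']"
+}
+},
+"method": "post",
+"path": "/v1.0/teams/conversation/adaptivecard/poster/Flow bot/location/@{encodeURIComponent('Channel')}"
+}
+},
+"Send_an_email_(V2)": {
+"runAfter": {
+"Compose_-_Incident_URL": [
+"Succeeded"
+]
+},
+"type": "ApiConnection",
+"inputs": {
+"body": {
+"Body": "\u003cp\u003e\u003cspan style=\"font-size: 18px\"\u003e\u003cstrong\u003eIncident details:\u003c/strong\u003e\u003c/span\u003e\u003cbr\u003e\n\u003cbr\u003e\n\u003cstrong\u003eTitle\u003c/strong\u003e: @{triggerBody()?['object']?['properties']?['title']};\u003cbr\u003e\n\u003cstrong\u003eIncident ID\u003c/strong\u003e: @{triggerBody()?['object']?['properties']?['incidentNumber']};\u003cbr\u003e\n\u003cstrong\u003eDescription\u003c/strong\u003e: @{triggerBody()?['object']?['properties']?['description']};\u003cbr\u003e\n\u003cstrong\u003eTactics\u003c/strong\u003e: @{join(triggerBody()?['object']?['properties']?['additionalData']?['tactics'], '\u003cbr /\u003e')};\u003cbr\u003e\n\u003cstrong\u003eAlert providers\u003c/strong\u003e: @{join(triggerBody()?['object']?['properties']?['additionalData']?['alertProductNames'], '\u003cbr /\u003e')};\u003cbr\u003e\n\u003cstrong\u003eNew Severity\u003c/strong\u003e: @{triggerBody()?['object']?['properties']?['severity']};\u003cbr\u003e\n\u003cstrong\u003eIncident updated by\u003c/strong\u003e: @{triggerBody()?['incidentUpdates']?['updatedBy']?['name']};\u003cbr\u003e\n\u003cstrong\u003eIncident URL\u003c/strong\u003e: @{outputs('Compose_-_Incident_URL')}\u003c/p\u003e",
+"Subject": "Microsoft Sentinel Incident Severity Changed!",
+"To": "@parameters('Notification email')"
+},
+"host": {
+"connection": {
+"name": "@parameters('$connections')['office365']['connectionId']"
+}
+},
+"method": "post",
+"path": "/v2/Mail"
+}
+}
+},
+"outputs": {
+}
+},
+"parameters": {
+"$connections": {
+"value": {
+"microsoftsentinel": {
+"connectionId": "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
+"connectionName": "[variables('MicrosoftSentinelConnectionName')]",
+"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]",
+"connectionProperties": {
+"authentication": {
+"type": "ManagedServiceIdentity"
+}
+}
+},
+"office365": {
+"connectionId": "[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]",
+"connectionName": "[variables('Office365ConnectionName')]",
+"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Office365')]"
+},
+"teams": {
+"connectionId": "[resourceId('Microsoft.Web/connections', variables('TeamsConnectionName'))]",
+"connectionName": "[variables('TeamsConnectionName')]",
+"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Teams')]"
+}
+}
+}
+}
+},
+"name": "[parameters('PlaybookName')]",
+"type": "Microsoft.Logic/workflows",
+"location": "[resourceGroup().location]",
+"tags": {
+"hidden-SentinelTemplateName": "Notify-IncidentSeverityChanged",
+"hidden-SentinelTemplateVersion": "1.0"
+},
+"identity": {
+"type": "SystemAssigned"
+},
+"apiVersion": "2017-07-01",
+"dependsOn": [
+"[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
+"[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]",
+"[resourceId('Microsoft.Web/connections', variables('TeamsConnectionName'))]"
+]
+},
+{
+"type": "Microsoft.Web/connections",
+"apiVersion": "2016-06-01",
+"name": "[variables('MicrosoftSentinelConnectionName')]",
+"location": "[resourceGroup().location]",
+"kind": "V1",
+"properties": {
+"displayName": "[variables('MicrosoftSentinelConnectionName')]",
+"customParameterValues": {
+},
+"parameterValueType": "Alternative",
+"api": {
+"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]"
+}
+}
+},
+{
+"type": "Microsoft.Web/connections",
+"apiVersion": "2016-06-01",
+"name": "[variables('Office365ConnectionName')]",
+"location": "[resourceGroup().location]",
+"kind": "V1",
+"properties": {
+"displayName": "[variables('Office365ConnectionName')]",
+"customParameterValues": {
+},
+"api": {
+"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Office365')]"
+}
+}
+},
+{
+"type": "Microsoft.Web/connections",
+"apiVersion": "2016-06-01",
+"name": "[variables('TeamsConnectionName')]",
+"location": "[resourceGroup().location]",
+"kind": "V1",
+"properties": {
+"displayName": "[variables('TeamsConnectionName')]",
+"customParameterValues": {
+},
+"api": {
+"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Teams')]"
+}
+}
+}
+]
+}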
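Review bot: The second `postDeployment` entry in `metadata` tells the deployer to use `Condition = Status Changed To Closed.`, but this template's title, card heading and mail subject are all about a severity change, so anyone following the gallery text will wire the playbook to the wrong automation-rule condition; change it to `"2. Add playbook as an action to the automation rule: Trigger = When incident is updated; Condition = Severity Changed."`. The `prerequisites` entry has the same malformed link target, `[Guidance to get Ids](Instructions to get IDs - https://…)`, and should carry only the URL inside the parentheses. The `support` object here has only `tier`, whereas the Notify-IncidentReopened template in this commit also records `armtemplate`; keeping the two consistent makes it clear which templates were generator-produced.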


Двоичные данные
Playbooks/Notify-IncidentSeverityChanged/images/playbookDark.png Normal file


Двоичные данные
Playbooks/Notify-IncidentSeverityChanged/images/playbookLight.png Normal file



@ -0,0 +1,38 @@
# Notify-IncidentSeverityChanged
author: Benjamin Kovacevic
This playbook is utilizing new update trigger to notify person/group on Microsoft Teams/Outlook when incident severity change.
# Prerequisites
1. Email address to where notification will be sent to.
2. Microsoft Teams Team ID and Channel ID (Instructions to get IDs - https://www.linkedin.com/pulse/3-ways-locate-microsoft-team-id-christopher-barber-/) or choose Team and Channel after the deployment
# Quick Deployment
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FNotify-IncidentSeverityChanged%2Fazuredeploy.json)
[![Deploy to Azure Gov](https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/deploytoazuregov.png)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FNotify-IncidentSeverityChanged%2Fazuredeploy.json)
<br><br>
# Post-deployment
1. Authorize Microsoft Teams and Microsoft Office 365 Outlook connectors
2. Choose Microsoft Teams Team and Channel where to send the adaptive card (only if Team ID and Channel ID were not added during the deployment)
3. Add playbook as an action to the automation rule
- Trigger = When incident is updated;
- Condition = Severity > Changed;.<br>
**Automation rule example**<br>
![Automation Rule Example](./images/AutomationRuleExample.jpg)
4. If you want to receive notifications only on Microsoft Teams or only on Microsoft Office 365 Outlook, please remove unneeded connection. To remove, click on 3 dots on top right side of connector, and choose "Delete".<br><br>
**Delete connection example**<br>
![Delete Connection Example](./images/DeleteConnectionExample.jpg)
# Screenshots
**Playbook** <br>
![playbook screenshot](./images/playbookDark.png)<br>
![playbook screenshot](./images/playbookLight.png)<br><br>
**Teams** <br>
![teams notification](./images/TeamsNotification.jpg)<br><br>
**Outlook** <br>
![outlook notification](./images/OutlookNotification.jpg)<br><br>


@ -0,0 +1,764 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"title": "Create And Update Service Now Record",
"description": "This playbook will create or update incident in SNOW. When incident is created, playbook will run and create incident in SNOW. When incident is updated, playbook will run and add update to comment section. When incident is closed, playbook will run and close incident in SNOW.",
"postDeployment": ["1. Add Microsoft Sentinel Responder role to the playbook's managed identity.", "2. Authorize ServiceNow connection", "3. Create an automation rules for when incident is created or updated and add this playbook as an action."],
"prerequisitesDeployTemplateFile": "",
"lastUpdateTime": "2022-05-30T00:00:00.000Z",
"entities": [
],
"tags": [ "Sync", "Incident Update"
],
"support": {
"tier": "community"
},
"author": {
"name": "Benjamin Kovacevic"
}
},
"parameters": {
"PlaybookName": {
"defaultValue": "SNOW-CreateAndUpdateIncident",
"type": "string"
}
},
"variables": {
"MicrosoftSentinelConnectionName": "[concat('MicrosoftSentinel-', parameters('PlaybookName'))]",
"Service-NowConnectionName": "[concat('Service-Now-', parameters('PlaybookName'))]"
},
"resources": [
{
"properties": {
"provisioningState": "Succeeded",
"state": "Enabled",
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"$connections": {
"defaultValue": {
},
"type": "Object"
}
},
"triggers": {
"Microsoft_Sentinel_incident": {
"type": "ApiConnectionWebhook",
"inputs": {
"body": {
"callback_url": "@{listCallbackUrl()}"
},
"host": {
"connection": {
"name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
}
},
"path": "/incident-creation"
}
}
},
"actions": {
"Condition_-_create_or_update_incident": {
"actions": {
"Create_Record": {
"runAfter": {
"Switch": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"body": {
"comments": "@triggerBody()?['object']?['properties']?['incidentUrl']",
"description": "Incident description: @{triggerBody()?['object']?['properties']?['description']};\nSeverity: @{triggerBody()?['object']?['properties']?['severity']};\nTactics: @{join(triggerBody()?['object']?['properties']?['additionalData']?['tactics'], '; ')};\nAlerts: @{join(triggerBody()?['object']?['properties']?['additionalData']?['alertProductNames'],'; ')};",
"impact": "@variables('Creation severity')",
"number": "@triggerBody()?['object']?['name']",
"short_description": "@triggerBody()?['object']?['properties']?['title']",
"urgency": "@variables('Creation severity')"
},
"host": {
"connection": {
"name": "@parameters('$connections')['service-now']['connectionId']"
}
},
"method": "post",
"path": "/api/now/v2/table/@{encodeURIComponent('incident')}",
"queries": {
"sysparm_display_value": false,
"sysparm_exclude_reference_link": true
}
}
},
"Switch": {
"runAfter": {
},
"cases": {
"Case_Severity_High": {
"case": "High",
"actions": {
"Set_Severity_variable_to_High": {
"runAfter": {
},
"type": "SetVariable",
"inputs": {
"name": "Creation severity",
"value": "1"
}
}
}
},
"Case_Severity_Medium": {
"case": "Medium",
"actions": {
"Set_Severity_variable_to_Medium": {
"runAfter": {
},
"type": "SetVariable",
"inputs": {
"name": "Creation severity",
"value": "2"
}
}
}
}
},
"default": {
"actions": {
}
},
"expression": "@triggerBody()?['object']?['properties']?['severity']",
"type": "Switch"
},
"Update_incident": {
"runAfter": {
"Create_Record": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"body": {
"incidentArmId": "@triggerBody()?['object']?['id']",
"tagsToAdd": {
"TagsToAdd": [
{
"Tag": "SNOW System ID: @{body('Create_Record')?['result']?['sys_id']}"
}
]
}
},
"host": {
"connection": {
"name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
}
},
"method": "put",
"path": "/Incidents"
}
}
},
"runAfter": {
"Initialize_variable_-_creation_severity": [
"Succeeded"
]
},
"else": {
"actions": {
"For_each": {
"foreach": "@triggerBody()?['object']?['properties']?['labels']",
"actions": {
"Condition": {
"actions": {
"Condition_-_is_incident_closed": {
"actions": {
"Update_Record_-_Incident_closed": {
"runAfter": {
},
"type": "ApiConnection",
"inputs": {
"body": {
"caller_id": "@triggerBody()?['incidentUpdates']?['updatedBy']?['name']",
"close_code": "Closed/Resolved by Caller",
"close_notes": "Classification: @{triggerBody()?['object']?['properties']?['classification']}\nClassification reason: @{triggerBody()?['object']?['properties']?['classificationReason']}\nClassification comment: @{triggerBody()?['object']?['properties']?['classificationComment']}",
"state": "7"
},
"host": {
"connection": {
"name": "@parameters('$connections')['service-now']['connectionId']"
}
},
"method": "put",
"path": "/api/now/v2/table/@{encodeURIComponent('incident')}/@{encodeURIComponent(variables('SNOW System ID'))}",
"queries": {
"sysparm_display_value": false,
"sysparm_exclude_reference_link": true
}
}
}
},
"runAfter": {
"Set_variable_-_SNOW_System_ID": [
"Succeeded"
]
},
"else": {
"actions": {
"Condition_-_alert_updated": {
"actions": {
"Compose_alert": {
"runAfter": {
"For_each_-_new_alert": [
"Succeeded"
]
},
"type": "Compose",
"inputs": "Alerts: @{variables('New alert')}"
},
"For_each_-_new_alert": {
"foreach": "@triggerBody()?['incidentUpdates']?['alerts']",
"actions": {
"Append_to_string_variable_-_alert": {
"runAfter": {
},
"type": "AppendToStringVariable",
"inputs": {
"name": "New alert",
"value": "@concat(items('For_each_-_new_alert')?['properties']?['alertDisplayName'], '; ')"
}
}
},
"runAfter": {
},
"type": "Foreach"
}
},
"runAfter": {
"Condition_-_comment_updated": [
"Succeeded"
]
},
"expression": {
"and": [
{
"contains": [
"@triggerBody()?['incidentUpdates']?['updatedFields']",
"Alerts"
]
}
]
},
"type": "If"
},
"Condition_-_comment_updated": {
"actions": {
"Compose_comment": {
"runAfter": {
"For_each_-_new_comment": [
"Succeeded"
]
},
"type": "Compose",
"inputs": "Comment: @{variables('New comments')}"
},
"For_each_-_new_comment": {
"foreach": "@triggerBody()?['incidentUpdates']?['comments']",
"actions": {
"Append_to_string_variable_-_comment": {
"runAfter": {
},
"type": "AppendToStringVariable",
"inputs": {
"name": "New comments",
"value": "@concat(items('For_each_-_new_comment')?['properties']?['message'], '; ')"
}
}
},
"runAfter": {
},
"type": "Foreach"
}
},
"runAfter": {
},
"expression": {
"and": [
{
"contains": [
"@triggerBody()?['incidentUpdates']?['updatedFields']",
"Comments"
]
}
]
},
"type": "If"
},
"Condition_-_owner_update": {
"actions": {
"Append_to_string_variable_-_owner": {
"runAfter": {
},
"type": "AppendToStringVariable",
"inputs": {
"name": "New owner",
"value": "@triggerBody()?['object']?['properties']?['owner']?['assignedTo']"
}
},
"Compose_owner": {
"runAfter": {
"Append_to_string_variable_-_owner": [
"Succeeded"
]
},
"type": "Compose",
"inputs": "Owner: @{variables('New owner')}"
}
},
"runAfter": {
"Condition_-_tag_updated": [
"Succeeded"
]
},
"expression": {
"and": [
{
"contains": [
"@triggerBody()?['incidentUpdates']?['updatedFields']",
"Owner"
]
}
]
},
"type": "If"
},
"Condition_-_severity_update": {
"actions": {
"Append_to_string_variable_-_severity": {
"runAfter": {
},
"type": "AppendToStringVariable",
"inputs": {
"name": "New severity",
"value": "@triggerBody()?['object']?['properties']?['severity']"
}
},
"Compose_severity": {
"runAfter": {
"Append_to_string_variable_-_severity": [
"Succeeded"
]
},
"type": "Compose",
"inputs": "Severity: @{variables('New severity')}"
}
},
"runAfter": {
"Condition_-_owner_update": [
"Succeeded"
]
},
"expression": {
"and": [
{
"contains": [
"@triggerBody()?['incidentUpdates']?['updatedFields']",
"Severity"
]
}
]
},
"type": "If"
},
"Condition_-_status_update": {
"actions": {
"Append_to_string_variable_-_status": {
"runAfter": {
},
"type": "AppendToStringVariable",
"inputs": {
"name": "New status",
"value": "@triggerBody()?['object']?['properties']?['status']"
}
},
"Compose_status": {
"runAfter": {
"Append_to_string_variable_-_status": [
"Succeeded"
]
},
"type": "Compose",
"inputs": "Status: @{variables('New status')}"
}
},
"runAfter": {
"Condition_-_tactics_update": [
"Succeeded"
]
},
"expression": {
"and": [
{
"contains": [
"@triggerBody()?['incidentUpdates']?['updatedFields']",
"Status"
]
}
]
},
"type": "If"
},
"Condition_-_tactics_update": {
"actions": {
"Compose_tactics": {
"runAfter": {
},
"type": "Compose",
"inputs": "Tactics: @{join(triggerBody()?['incidentUpdates']?['tactics'], '; ')}"
}
},
"runAfter": {
"Condition_-_severity_update": [
"Succeeded"
]
},
"expression": {
"and": [
{
"contains": [
"@triggerBody()?['incidentUpdates']?['updatedFields']",
"Tactics"
]
}
]
},
"type": "If"
},
"Condition_-_tag_updated": {
"actions": {
"Compose_tag": {
"runAfter": {
"For_each_-_new_tag": [
"Succeeded"
]
},
"type": "Compose",
"inputs": "Tags: @{variables('New tag')}"
},
"For_each_-_new_tag": {
"foreach": "@triggerBody()?['incidentUpdates']?['labels']",
"actions": {
"Append_to_string_variable_-_tag": {
"runAfter": {
},
"type": "AppendToStringVariable",
"inputs": {
"name": "New tag",
"value": "@concat(items('For_each_-_new_tag')?['labelName'], '; ')"
}
}
},
"runAfter": {
},
"type": "Foreach"
}
},
"runAfter": {
"Condition_-_alert_updated": [
"Succeeded"
]
},
"expression": {
"and": [
{
"contains": [
"@triggerBody()?['incidentUpdates']?['updatedFields']",
"Labels"
]
}
]
},
"type": "If"
},
"Update_Record_-_incident_not_closed": {
"runAfter": {
"Condition_-_status_update": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"body": {
"comments": "Microsoft Sentinel incident is updated:\n\nUpdate fields: @{join(triggerBody()?['incidentUpdates']?['updatedFields'], '; ')}\nUpdate by: @{triggerBody()?['incidentUpdates']?['updatedBy']?['name']}\n\nNew values:\n@{outputs('Compose_alert')}\n@{outputs('Compose_severity')}\n@{outputs('Compose_owner')}\n@{outputs('Compose_status')}\n@{outputs('Compose_tag')}\n@{outputs('Compose_comment')}\n@{outputs('Compose_tactics')}"
},
"host": {
"connection": {
"name": "@parameters('$connections')['service-now']['connectionId']"
}
},
"method": "put",
"path": "/api/now/v2/table/@{encodeURIComponent('incident')}/@{encodeURIComponent(variables('SNOW System ID'))}",
"queries": {
"sysparm_display_value": false,
"sysparm_exclude_reference_link": true
}
}
}
}
},
"expression": {
"and": [
{
"equals": [
"@triggerBody()?['object']?['properties']?['status']",
"Closed"
]
}
]
},
"type": "If"
},
"Set_variable_-_SNOW_System_ID": {
"runAfter": {
},
"type": "SetVariable",
"inputs": {
"name": "SNOW System ID",
"value": "@{split(items('For_each')?['labelName'],': ')[1]}"
}
}
},
"runAfter": {
},
"expression": {
"and": [
{
"contains": [
"@items('For_each')?['labelName']",
"SNOW"
]
}
]
},
"type": "If"
}
},
"runAfter": {
},
"type": "Foreach"
}
}
},
"expression": {
"and": [
{
"equals": [
"@triggerBody()?['incidentUpdates']?['updatedFields']",
"@null"
]
}
]
},
"type": "If"
},
"Initialize_variable_-_SNOW_System_ID": {
"runAfter": {
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "SNOW System ID",
"type": "string"
}
]
}
},
"Initialize_variable_-_alert": {
"runAfter": {
"Initialize_variable_-_comment": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "New alert",
"type": "string"
}
]
}
},
"Initialize_variable_-_comment": {
"runAfter": {
"Initialize_variable_-_SNOW_System_ID": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "New comments",
"type": "string"
}
]
}
},
"Initialize_variable_-_creation_severity": {
"runAfter": {
"Initialize_variable_-_status": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "Creation severity",
"type": "string",
"value": "3"
}
]
}
},
"Initialize_variable_-_owner": {
"runAfter": {
"Initialize_variable_-_tag": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "New owner",
"type": "string"
}
]
}
},
"Initialize_variable_-_severity": {
"runAfter": {
"Initialize_variable_-_owner": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "New severity",
"type": "string"
}
]
}
},
"Initialize_variable_-_status": {
"runAfter": {
"Initialize_variable_-_severity": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "New status",
"type": "string"
}
]
}
},
"Initialize_variable_-_tag": {
"runAfter": {
"Initialize_variable_-_alert": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "New tag",
"type": "string"
}
]
}
}
},
"outputs": {
}
},
"parameters": {
"$connections": {
"value": {
"microsoftsentinel": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
"connectionName": "[variables('MicrosoftSentinelConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]",
"connectionProperties": {
"authentication": {
"type": "ManagedServiceIdentity"
}
}
},
"service-now": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('Service-NowConnectionName'))]",
"connectionName": "[variables('Service-NowConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Service-Now')]"
}
}
}
}
},
"name": "[parameters('PlaybookName')]",
"type": "Microsoft.Logic/workflows",
"location": "[resourceGroup().location]",
"tags": {
"hidden-SentinelTemplateName": "CreateSNOWRecord-Incident",
"hidden-SentinelTemplateVersion": "2.0"
},
"identity": {
"type": "SystemAssigned"
},
"apiVersion": "2017-07-01",
"dependsOn": [
"[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
"[resourceId('Microsoft.Web/connections', variables('Service-NowConnectionName'))]"
]
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('MicrosoftSentinelConnectionName')]",
"location": "[resourceGroup().location]",
"kind": "V1",
"properties": {
"displayName": "[variables('MicrosoftSentinelConnectionName')]",
"customParameterValues": {
},
"parameterValueType": "Alternative",
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('Service-NowConnectionName')]",
"location": "[resourceGroup().location]",
"kind": "V1",
"properties": {
"displayName": "[variables('Service-NowConnectionName')]",
"customParameterValues": {
},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Service-Now')]"
}
}
}
]
}

Двоичные данные
Playbooks/SNOW-CreateAndUpdateIncident/images/SNOWNewIncident.jpg Normal file


Двоичные данные
Playbooks/SNOW-CreateAndUpdateIncident/images/SNOWTagAdded.jpg Normal file


Двоичные данные
Playbooks/SNOW-CreateAndUpdateIncident/images/SnowPlaybookDark.jpg Normal file



@ -0,0 +1,40 @@
# Jira-CreateAndUpdateIssue
author: Benjamin Kovacevic
This playbook will create or update incident in Jira. When incident is created, playbook will run and create issue in Jira. When incident is updated, playbook will run and add update to comment section.
# Prerequisites
We will need following data to make Jira connector:<br>
1. Jira instance (ex. xyz.atlassian.net)<br>
2. Jira API (create API token on https://id.atlassian.com/manage-profile/security/api-tokens)<br>
3. User email<br>
![Jira connector requirements](./images/jira-connector-requirementsDark.png)<br>
# Quick Deployment
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FJira-CreateAndUpdateIssue%2Fazuredeploy.json)
[![Deploy to Azure Gov](https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/deploytoazuregov.png)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FJira-CreateAndUpdateIssue%2Fazuredeploy.json)
<br><br>
# Post-deployment
1. Authorize Jira connector and choose:
- Jira Project (where you want to sync Microsoft Sentinel incidents to) and
- Issue Type Id (Microsoft Sentinel incident issue type in Jira - Task, Story, Bug,...).<br>
2. Assign Microsoft Sentinel Responder role to playbook's managed identity. To do so, choose Identity blade under Settings of the Logic App.
3. Add playbook as an action to the automation rule, ex.:
- Trigger = When incident is updated;
- Condition = Staus > Changed To > Closed;.<br>
**Automation rule example**<br>
![Automation Rule Example](./images/AutomationRuleExampleDark.jpg)
# Screenshots
**Playbook** <br>
![playbook screenshot](./images/JiraPlaybookDark.jpg)<br>
![playbook screenshot](./images/JiraPlaybookLight.jpg)<br><br>
**Jira New Issue** <br>
![jira screenshot new](./images/JiraNewIssue.jpg)<br><br>
**Jira Update Issue** <br>
![jira screenshot update](./images/JiraUpdateIssue.jpg)<br>


@ -0,0 +1,10 @@
### 2.0 New version leverages incident update trigger
- New version of the playbook creates a record and updates it.
- In creation part added step to add tag with SNOW ID
- Added option to update SNOW incident when incident updated in Microsoft Sentinel.
- When incident is closed in Microsoft Sentinel, playbok will run and close incident in SNOW
### 1.0
- Initial version


@ -0,0 +1,10 @@
$MIGuid = "<MI GUID>"
$MI = Get-AzureADServicePrincipal -ObjectId $MIGuid
$GraphAppId = "8ee8fdad-f234-4243-8f3b-15c294843740"
$PermissionName1 = "Incident.ReadWrite.All"
$GraphServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$GraphAppId'"
$AppRole1 = $GraphServicePrincipal.AppRoles | Where-Object {$_.Value -eq $PermissionName1 -and $_.AllowedMemberTypes -contains "Application"}
New-AzureAdServiceAppRoleAssignment -ObjectId $MI.ObjectId -PrincipalId $MI.ObjectId `
-ResourceId $GraphServicePrincipal.ObjectId -Id $AppRole1.Id
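Review bot: `$AppRole1` is passed as `-Id $AppRole1.Id` on the last line without checking that the `Where-Object` lookup matched anything; if `Incident.ReadWrite.All` is not exposed by that service principal in the tenant, `$AppRole1` is `$null` and `New-AzureAdServiceAppRoleAssignment` fails with an opaque error instead of telling the operator what went wrong. Add a guard before the assignment, e.g. `if (-not $AppRole1) { throw "App role '$PermissionName1' not found on application $GraphAppId" }`. The name `$GraphAppId` is also misleading: judging by the `https://api.security.microsoft.com/` audience the accompanying playbook authenticates against, this app id appears to belong to the Microsoft 365 Defender API application rather than Microsoft Graph, so a name such as `$M365DefenderAppId` would avoid confusion about which API is being granted tenant-wide incident write access. Since the `AzureAD` module is on a deprecation path per Microsoft's announcements, consider also documenting the Microsoft Graph PowerShell equivalent (`New-MgServicePrincipalAppRoleAssignment`).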


@ -0,0 +1,144 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"title": "Sync - Incident Comment To M365D On Update",
"description": "This playbook will sync incident comments from Microsoft Sentinel to Microsoft 365 Defender when comment is added.",
"prerequisites": "",
"postDeployment": ["1. Add Incident.ReadWrite.All API permission to the playbook's managed identity using PowerShell.", "2. Add playbook as an action to the automation rule - Trigger = When incident is updated; Condition = Incident provider > Equal > Microsoft 365 Defender, and Comments > Added;."
],
"prerequisitesDeployTemplateFile": "",
"lastUpdateTime": "2022-05-30T00:00:00.000Z",
"entities": [
],
"tags": [ "Sync", "Incident Update"
],
"support": {
"tier": "community"
},
"author": {
"name": "Benjamin Kovacevic"
}
},
"parameters": {
"PlaybookName": {
"defaultValue": "Sync-IncidentCommentToM365DOnUpdate",
"type": "string"
}
},
"variables": {
"MicrosoftSentinelConnectionName": "[concat('MicrosoftSentinel-', parameters('PlaybookName'))]"
},
"resources": [
{
"properties": {
"provisioningState": "Succeeded",
"state": "Enabled",
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"$connections": {
"defaultValue": {
},
"type": "Object"
}
},
"triggers": {
"Microsoft_Sentinel_incident": {
"type": "ApiConnectionWebhook",
"inputs": {
"body": {
"callback_url": "@{listCallbackUrl()}"
},
"host": {
"connection": {
"name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
}
},
"path": "/incident-creation"
}
}
},
"actions": {
"For_each": {
"foreach": "@triggerBody()?['incidentUpdates']?['comments']",
"actions": {
"HTTP": {
"runAfter": {
},
"type": "Http",
"inputs": {
"authentication": {
"audience": "https://api.security.microsoft.com/",
"type": "ManagedServiceIdentity"
},
"body": {
"comment": "@{items('For_each')?['properties']?['message']}"
},
"headers": {
"Content-Type": "application/json"
},
"method": "PATCH",
"uri": "https://api.security.microsoft.com/api/incidents/@{triggerBody()?['object']?['properties']?['providerIncidentId']}"
}
}
},
"runAfter": {
},
"type": "Foreach"
}
},
"outputs": {
}
},
"parameters": {
"$connections": {
"value": {
"microsoftsentinel": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
"connectionName": "[variables('MicrosoftSentinelConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]",
"connectionProperties": {
"authentication": {
"type": "ManagedServiceIdentity"
}
}
}
}
}
}
},
"name": "[parameters('PlaybookName')]",
"type": "Microsoft.Logic/workflows",
"location": "[resourceGroup().location]",
"identity": {
"type": "SystemAssigned"
},
"tags": {
"hidden-SentinelTemplateName": "Sync-IncidentCommentToM365DOnUpdate",
"hidden-SentinelTemplateVersion": "1.0"
},
"apiVersion": "2017-07-01",
"dependsOn": [
"[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]"
]
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('MicrosoftSentinelConnectionName')]",
"location": "[resourceGroup().location]",
"kind": "V1",
"properties": {
"displayName": "[variables('MicrosoftSentinelConnectionName')]",
"customParameterValues": {
},
"parameterValueType": "Alternative",
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]"
}
}
}
]
}
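Review bot: The PATCH in the `HTTP` action builds its `uri` from `providerIncidentId` with no check that the triggering incident came from Microsoft 365 Defender or that the id is present at all; the template relies entirely on the automation-rule condition described in `postDeployment`, so a rule attached without that condition will issue a write to `https://api.security.microsoft.com/api/incidents/` with an empty or foreign id. Wrap `For_each` in an `If` action whose expression is `@not(empty(triggerBody()?['object']?['properties']?['providerIncidentId']))` so the playbook is safe regardless of how it is attached. Separately, `audience` and `uri` are hard-coded to the commercial endpoint while the README offers a Deploy to Azure Gov button; sovereign-cloud tenants use a different Defender API host, so both values should be template parameters with the commercial endpoint as default. If your tenant also syncs comments added in Microsoft 365 Defender back into the Sentinel incident, this playbook could re-post them in a loop; prefixing synced comments with a marker and skipping comments that already carry it would prevent that.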



@ -0,0 +1,44 @@
# Sync-IncidentCommentToM365DOnUpdate
author: Benjamin Kovacevic
This playbook will sync incident comments from Microsoft Sentinel to Microsoft 365 Defender when comment is added.
# Prerequisites
None.
# Quick Deployment
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FSync-IncidentCommentToM365DOnUpdate%2Fazuredeploy.json)
[![Deploy to Azure Gov](https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/deploytoazuregov.png)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FSync-IncidentCommentToM365DOnUpdate%2Fazuredeploy.json)
<br><br>
# Post-deployment
1. Add Incident.ReadWrite.All API permission to the playbook's managed identity using PowerShell
```powershell
$MIGuid = "<Enter your managed identity guid here>"
$MI = Get-AzureADServicePrincipal -ObjectId $MIGuid
$GraphAppId = "8ee8fdad-f234-4243-8f3b-15c294843740"
$PermissionName1 = "Incident.ReadWrite.All"
$GraphServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$GraphAppId'"
$AppRole1 = $GraphServicePrincipal.AppRoles | Where-Object {$_.Value -eq $PermissionName1 -and $_.AllowedMemberTypes -contains "Application"}
New-AzureAdServiceAppRoleAssignment -ObjectId $MI.ObjectId -PrincipalId $MI.ObjectId `
-ResourceId $GraphServicePrincipal.ObjectId -Id $AppRole1.Id
```
2. Add playbook as an action to the automation rule
- Trigger = When incident is updated;
- Condition = Incident provider > Equal > Microsoft 365 Defender, and
- Comments > Added<br>
**Automation rule example**<br>
![Automation Rule Example](./images/AutomationRuleExampleDark.png)
# Screenshots
**Playbook** <br>
![playbook screenshot](./images/playbookDark.jpg)<br>
![playbook screenshot](./images/playbookLight.jpg)<br>
**Microsoft 365 Defender** <br>
![M365D notification](./images/M365DComment.jpg)<br><br>