New Playbook - Reopen incidents with outstanding tasks
This commit is contained in:
Brian Delaney
GitHub
Родитель
d0ce13e146
Коммит
768fe5143a
|
|
@ -0,0 +1,219 @@
|
|||
{
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"parameters": {
|
||||
"PlaybookName": {
|
||||
"defaultValue": "Reopen-Incident-With-Incomplete-Tasks",
|
||||
"type": "String"
|
||||
},
|
||||
"ARMEndpoint": {
|
||||
"defaultValue": "https://management.azure.com",
|
||||
"type": "String"
|
||||
}
|
||||
},
|
||||
"variables": {
|
||||
"AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]"
|
||||
},
|
||||
"resources": [
|
||||
{
|
||||
"type": "Microsoft.Web/connections",
|
||||
"apiVersion": "2016-06-01",
|
||||
"name": "[variables('AzureSentinelConnectionName')]",
|
||||
"location": "[resourceGroup().location]",
|
||||
"kind": "V1",
|
||||
"properties": {
|
||||
"displayName": "[variables('AzureSentinelConnectionName')]",
|
||||
"customParameterValues": {},
|
||||
"parameterValueType": "Alternative",
|
||||
"api": {
|
||||
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Logic/workflows",
|
||||
"apiVersion": "2017-07-01",
|
||||
"name": "[parameters('PlaybookName')]",
|
||||
"location": "[resourceGroup().location]",
|
||||
"dependsOn": [
|
||||
"[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]"
|
||||
],
|
||||
"identity": {
|
||||
"type": "SystemAssigned"
|
||||
},
|
||||
"properties": {
|
||||
"state": "Enabled",
|
||||
"definition": {
|
||||
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"parameters": {
|
||||
"$connections": {
|
||||
"defaultValue": {},
|
||||
"type": "Object"
|
||||
},
|
||||
"ARMEndpoint": {
|
||||
"defaultValue": "[parameters('ARMEndpoint')]",
|
||||
"type": "String"
|
||||
}
|
||||
},
|
||||
"triggers": {
|
||||
"Microsoft_Sentinel_incident": {
|
||||
"type": "ApiConnectionWebhook",
|
||||
"inputs": {
|
||||
"body": {
|
||||
"callback_url": "@{listCallbackUrl()}"
|
||||
},
|
||||
"host": {
|
||||
"connection": {
|
||||
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
|
||||
}
|
||||
},
|
||||
"path": "/incident-creation"
|
||||
}
|
||||
}
|
||||
},
|
||||
"actions": {
|
||||
"Condition": {
|
||||
"actions": {
|
||||
"Add_comment_to_incident_(V3)": {
|
||||
"runAfter": {
|
||||
"Update_incident": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "ApiConnection",
|
||||
"inputs": {
|
||||
"body": {
|
||||
"incidentArmId": "@body('Update_incident')?['id']",
|
||||
"message": "<p>The incident was automatically reopened as there are assigned tasks that still need completion.</p>"
|
||||
},
|
||||
"host": {
|
||||
"connection": {
|
||||
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
|
||||
}
|
||||
},
|
||||
"method": "post",
|
||||
"path": "/Incidents/Comment"
|
||||
}
|
||||
},
|
||||
"Update_incident": {
|
||||
"runAfter": {},
|
||||
"type": "ApiConnection",
|
||||
"inputs": {
|
||||
"body": {
|
||||
"incidentArmId": "@triggerBody()?['object']?['id']",
|
||||
"status": "Active",
|
||||
"tagsToAdd": {
|
||||
"TagsToAdd": [
|
||||
{
|
||||
"Tag": "TasksNeedCompletion"
|
||||
}
|
||||
]
|
||||
}
|
||||
},
|
||||
"host": {
|
||||
"connection": {
|
||||
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
|
||||
}
|
||||
},
|
||||
"method": "put",
|
||||
"path": "/Incidents"
|
||||
}
|
||||
}
|
||||
},
|
||||
"runAfter": {
|
||||
"Filter_array": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"expression": {
|
||||
"and": [
|
||||
{
|
||||
"greater": [
|
||||
"@length(body('Filter_array'))",
|
||||
0
|
||||
]
|
||||
}
|
||||
]
|
||||
},
|
||||
"type": "If"
|
||||
},
|
||||
"Filter_array": {
|
||||
"runAfter": {
|
||||
"GetTasks": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "Query",
|
||||
"inputs": {
|
||||
"from": "@body('GetTasks')['value']",
|
||||
"where": "@not(equals(item()?['properties']?['status'], 'Completed'))"
|
||||
}
|
||||
},
|
||||
"GetTasks": {
|
||||
"runAfter": {
|
||||
"Terminate_If_Incident_is_not_Closed": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "Http",
|
||||
"inputs": {
|
||||
"authentication": {
|
||||
"audience": "@parameters('ARMEndpoint')",
|
||||
"type": "ManagedServiceIdentity"
|
||||
},
|
||||
"method": "GET",
|
||||
"queries": {
|
||||
"api-version": "2024-03-01"
|
||||
},
|
||||
"uri": "@{parameters('ARMEndpoint')}@{triggerBody()?['object']?['id']}/tasks"
|
||||
}
|
||||
},
|
||||
"Terminate_If_Incident_is_not_Closed": {
|
||||
"actions": {
|
||||
"Terminate": {
|
||||
"runAfter": {},
|
||||
"type": "Terminate",
|
||||
"inputs": {
|
||||
"runStatus": "Succeeded"
|
||||
}
|
||||
}
|
||||
},
|
||||
"runAfter": {},
|
||||
"expression": {
|
||||
"and": [
|
||||
{
|
||||
"not": {
|
||||
"equals": [
|
||||
"@triggerBody()?['object']?['properties']?['status']",
|
||||
"Closed"
|
||||
]
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
"type": "If"
|
||||
}
|
||||
},
|
||||
"outputs": {}
|
||||
},
|
||||
"parameters": {
|
||||
"$connections": {
|
||||
"value": {
|
||||
"azuresentinel": {
|
||||
"connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
|
||||
"connectionName": "[variables('AzureSentinelConnectionName')]",
|
||||
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]",
|
||||
"connectionProperties": {
|
||||
"authentication": {
|
||||
"type": "ManagedServiceIdentity"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
Загрузка…
Ссылка в новой задаче