Trimmed the URL to domain format in the "Get site breaches enrichment" playbook and added domain as an optional parameter in the custom connector action
This commit is contained in:
Родитель
a3476158d0
Коммит
980b128a5e
|
@ -201,7 +201,7 @@
|
|||
"type": "string",
|
||||
"description": "filter by site/domain ex : adobe.com",
|
||||
"x-ms-summary": "domain",
|
||||
"x-ms-visibility": "advanced"
|
||||
"x-ms-visibility": "important"
|
||||
}
|
||||
]
|
||||
}
|
||||
|
|
|
@ -51,7 +51,7 @@
|
|||
"identity": {
|
||||
"type": "SystemAssigned"
|
||||
},
|
||||
"tags": {
|
||||
"tags": {
|
||||
"LogicAppsCategory": "security",
|
||||
"hidden-SentinelTemplateName": "GetSiteBreachesHIBPwned",
|
||||
"hidden-SentinelTemplateVersion": "1.0"
|
||||
|
@ -75,14 +75,14 @@
|
|||
"When_Azure_Sentinel_incident_creation_rule_was_triggered": {
|
||||
"type": "ApiConnectionWebhook",
|
||||
"inputs": {
|
||||
"body": {
|
||||
"callback_url": "@{listCallbackUrl()}"
|
||||
},
|
||||
"host": {
|
||||
"connection": {
|
||||
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
|
||||
}
|
||||
},
|
||||
"body": {
|
||||
"callback_url": "@{listCallbackUrl()}"
|
||||
},
|
||||
"path": "/incident-creation"
|
||||
}
|
||||
}
|
||||
|
@ -100,16 +100,16 @@
|
|||
},
|
||||
"type": "ApiConnection",
|
||||
"inputs": {
|
||||
"body": {
|
||||
"incidentArmId": "@triggerBody()?['object']?['id']",
|
||||
"message": "<p><strong></strong><strong>@{outputs('Compose_image_to_update_in_the_incident')}</strong><strong> HaveIBeenPwned_BreachedsitesEnrichment </strong>playbook<strong> </strong>ran and fetched the below information for breach incidents:<br>\n@{variables('Breaches')}</p>"
|
||||
},
|
||||
"host": {
|
||||
"connection": {
|
||||
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
|
||||
}
|
||||
},
|
||||
"method": "post",
|
||||
"body": {
|
||||
"incidentArmId": "@triggerBody()?['object']?['id']",
|
||||
"message": "<p><strong></strong><strong>@{outputs('Compose_image_to_update_in_the_incident')}</strong><strong> HaveIBeenPwned_BreachedsitesEnrichment </strong>playbook<strong> </strong>ran and fetched the below information for breach incidents:<br>\n@{variables('Breaches')}</p>"
|
||||
},
|
||||
"path": "/Incidents/Comment"
|
||||
},
|
||||
"description": "This adds comment to the Incident"
|
||||
|
@ -117,7 +117,7 @@
|
|||
"Compose_image_to_update_in_the_incident": {
|
||||
"runAfter": {},
|
||||
"type": "Compose",
|
||||
"inputs": "<img src=\"https://www.bing.com/th?id=OIP.bhGpY9L2aqT2B00nX_gOoAEiEi&w=93&h=100&c=8&rs=1&qlt=90&dpr=1.5&pid=3.1&rm=2\" alt=\"Lamp\" width=\"32\" height=\"32\">",
|
||||
"inputs": "<img src=\"https://th.bing.com/th/id/OIP.bhGpY9L2aqT2B00nX_gOoAAAAA?w=152&h=180&c=7&o=5&dpr=1.5&pid=1.7\" alt=\"Lamp\" width=\"32\" height=\"32\">",
|
||||
"description": "This composes HaveIBeenPwned image to be added to the Incident"
|
||||
}
|
||||
},
|
||||
|
@ -153,8 +153,32 @@
|
|||
"For_each_URL": {
|
||||
"foreach": "@body('Entities_-_Get_URLs')?['URLs']",
|
||||
"actions": {
|
||||
"Compose_domain_name_for_the_host": {
|
||||
"runAfter": {
|
||||
"Compose_host_name_of_the_url": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "Compose",
|
||||
"inputs": "@replace(string(outputs('Compose_host_name_of_the_url')), 'www.', '')",
|
||||
"description": "This composes the domain name for the url/host"
|
||||
},
|
||||
"Compose_host_name_of_the_url": {
|
||||
"runAfter": {
|
||||
"Set_variable_url": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "Compose",
|
||||
"inputs": "@uriHost(variables('URL'))",
|
||||
"description": "This composes the host name of the URL"
|
||||
},
|
||||
"Get_breached_site_information": {
|
||||
"runAfter": {},
|
||||
"runAfter": {
|
||||
"Compose_domain_name_for_the_host": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "ApiConnection",
|
||||
"inputs": {
|
||||
"host": {
|
||||
|
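Review bot: `Compose_host_name_of_the_url` reads `variables('URL')`, which `Set_variable_url` (next hunk, L352–L376) assigns inside `For_each_URL`; Logic Apps runs foreach iterations in parallel unless concurrency is limited, so a shared variable written per iteration can be overwritten by another iteration before this Compose reads it, and the breach lookup would run against the wrong host. Either read the item directly, `"inputs": "@uriHost(items('For_each_URL')?['Url'])"`, and drop the variable and `Initialize_variable_URL`, or add `"runtimeConfiguration": { "concurrency": { "repetitions": 1 } }` to `For_each_URL` so the loop is sequential. Separately, `replace(..., 'www.', '')` in `Compose_domain_name_for_the_host` removes every occurrence of `www.` in the host rather than only a leading prefix; `@if(startsWith(outputs('Compose_host_name_of_the_url'), 'www.'), substring(outputs('Compose_host_name_of_the_url'), 4), outputs('Compose_host_name_of_the_url'))` trims just the prefix, and a host with any other subdomain (presumably still common for URL entities) is passed to the `domain` filter unchanged. `For_each_URL` continues past this hunk, and the same actions are added to the second copy of the playbook in the hunk ending at L949.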
@ -165,11 +189,20 @@
|
|||
"method": "get",
|
||||
"path": "/api/v3/breaches",
|
||||
"queries": {
|
||||
"domain": "@items('For_each_URL')?['Url']"
|
||||
"domain": "@{outputs('Compose_domain_name_for_the_host')}"
|
||||
}
|
||||
},
|
||||
"description": "Get breached information for particular site from Have i been pwned"
|
||||
},
|
||||
"Set_variable_url": {
|
||||
"runAfter": {},
|
||||
"type": "SetVariable",
|
||||
"inputs": {
|
||||
"name": "URL",
|
||||
"value": "@items('For_each_URL')?['Url']"
|
||||
},
|
||||
"description": "This sets the variable URL"
|
||||
},
|
||||
"Switch_to_check_the_status_of_API_response_from_HaveIBeenPwned": {
|
||||
"runAfter": {
|
||||
"Get_breached_site_information": [
|
||||
|
@ -226,8 +259,6 @@
|
|||
"runAfter": {},
|
||||
"type": "Table",
|
||||
"inputs": {
|
||||
"from": "@body('Get_breached_site_information')",
|
||||
"format": "HTML",
|
||||
"columns": [
|
||||
{
|
||||
"header": "Name",
|
||||
|
@ -249,7 +280,9 @@
|
|||
"header": "Pwned Count",
|
||||
"value": "@item()?['PwnCount']"
|
||||
}
|
||||
]
|
||||
],
|
||||
"format": "HTML",
|
||||
"from": "@body('Get_breached_site_information')"
|
||||
},
|
||||
"description": "This create HTML table format for the site breach information"
|
||||
},
|
||||
|
@ -361,10 +394,10 @@
|
|||
"runAfter": {},
|
||||
"type": "Terminate",
|
||||
"inputs": {
|
||||
"runStatus": "Failed",
|
||||
"runError": {
|
||||
"message": "No Inputs from sentinel"
|
||||
}
|
||||
},
|
||||
"runStatus": "Failed"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -386,13 +419,13 @@
|
|||
"runAfter": {},
|
||||
"type": "ApiConnection",
|
||||
"inputs": {
|
||||
"body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
|
||||
"host": {
|
||||
"connection": {
|
||||
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
|
||||
}
|
||||
},
|
||||
"method": "post",
|
||||
"body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
|
||||
"path": "/entities/url"
|
||||
}
|
||||
},
|
||||
|
@ -413,13 +446,30 @@
|
|||
},
|
||||
"description": "This holds the variable terminate to terminate the logic app"
|
||||
},
|
||||
"Initialize_variable_breach_information": {
|
||||
"Initialize_variable_URL": {
|
||||
"runAfter": {
|
||||
"Entities_-_Get_URLs": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "InitializeVariable",
|
||||
"inputs": {
|
||||
"variables": [
|
||||
{
|
||||
"name": "URL",
|
||||
"type": "string"
|
||||
}
|
||||
]
|
||||
},
|
||||
"description": "This holds the URL value"
|
||||
},
|
||||
"Initialize_variable_breach_information": {
|
||||
"runAfter": {
|
||||
"Initialize_variable_URL": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "InitializeVariable",
|
||||
"inputs": {
|
||||
"variables": [
|
||||
{
|
||||
|
|
|
@ -55,6 +55,6 @@ Iterates on the URL found in this incident and performs the following:
|
|||
|
||||
3. Add a comment to the incident with the breach information collected which looks like below.
|
||||
|
||||
![comment to the incident](./Images/IncidentcommentLight.PNG)
|
||||
![comment to the incident](./Images/IncidentcommentDark.PNG)
|
||||
![comment to the incident](./Images/IncidentcommentLight.png)
|
||||
![comment to the incident](./Images/IncidentcommentDark.png)
|
||||
|
||||
|
|
|
@ -380,6 +380,11 @@
|
|||
"[resourceId('Microsoft.Web/connections', variables('azuresentinel_Connection_Name'))]",
|
||||
"[resourceId('Microsoft.Web/connections', variables('HaveIBeenPwnedConnector_Connection_Name'))]"
|
||||
],
|
||||
"tags": {
|
||||
"LogicAppsCategory": "security",
|
||||
"hidden-SentinelTemplateName": "GetSiteBreachesHIBPwned",
|
||||
"hidden-SentinelTemplateVersion": "1.0"
|
||||
},
|
||||
"properties": {
|
||||
"state": "Enabled",
|
||||
"definition": {
|
||||
|
@ -395,14 +400,14 @@
|
|||
"When_Azure_Sentinel_incident_creation_rule_was_triggered": {
|
||||
"type": "ApiConnectionWebhook",
|
||||
"inputs": {
|
||||
"body": {
|
||||
"callback_url": "@{listCallbackUrl()}"
|
||||
},
|
||||
"host": {
|
||||
"connection": {
|
||||
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
|
||||
}
|
||||
},
|
||||
"body": {
|
||||
"callback_url": "@{listCallbackUrl()}"
|
||||
},
|
||||
"path": "/incident-creation"
|
||||
}
|
||||
}
|
||||
|
@ -420,16 +425,16 @@
|
|||
},
|
||||
"type": "ApiConnection",
|
||||
"inputs": {
|
||||
"body": {
|
||||
"incidentArmId": "@triggerBody()?['object']?['id']",
|
||||
"message": "<p><strong></strong><strong>@{outputs('Compose_image_to_update_in_the_incident')}</strong><strong> HaveIBeenPwned_BreachedsitesEnrichment </strong>playbook<strong> </strong>ran and fetched the below information for breach incidents:<br>\n@{variables('Breaches')}</p>"
|
||||
},
|
||||
"host": {
|
||||
"connection": {
|
||||
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
|
||||
}
|
||||
},
|
||||
"method": "post",
|
||||
"body": {
|
||||
"incidentArmId": "@triggerBody()?['object']?['id']",
|
||||
"message": "<p><strong></strong><strong>@{outputs('Compose_image_to_update_in_the_incident')}</strong><strong> HaveIBeenPwned_BreachedsitesEnrichment </strong>playbook<strong> </strong>ran and fetched the below information for breach incidents:<br>\n@{variables('Breaches')}</p>"
|
||||
},
|
||||
"path": "/Incidents/Comment"
|
||||
},
|
||||
"description": "This adds comment to the Incident"
|
||||
|
@ -437,7 +442,7 @@
|
|||
"Compose_image_to_update_in_the_incident": {
|
||||
"runAfter": {},
|
||||
"type": "Compose",
|
||||
"inputs": "<img src=\"https://www.bing.com/th?id=OIP.bhGpY9L2aqT2B00nX_gOoAEiEi&w=93&h=100&c=8&rs=1&qlt=90&dpr=1.5&pid=3.1&rm=2\" alt=\"Lamp\" width=\"32\" height=\"32\">",
|
||||
"inputs": "<img src=\"https://th.bing.com/th/id/OIP.bhGpY9L2aqT2B00nX_gOoAAAAA?w=152&h=180&c=7&o=5&dpr=1.5&pid=1.7\" alt=\"Lamp\" width=\"32\" height=\"32\">",
|
||||
"description": "This composes HaveIBeenPwned image to be added to the Incident"
|
||||
}
|
||||
},
|
||||
|
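Review bot: `Compose_image_to_update_in_the_incident` still embeds an image hotlinked from a third-party host (`th.bing.com`), and this commit is already swapping one such URL for another, presumably because the earlier one no longer resolved; the incident comment will show a broken image again the next time that URL changes, and every analyst opening the comment fetches content from a host the playbook does not control. Consider serving the image from an asset the repository owns (the README in this commit already references `./Images/...` files) or dropping the decorative image from the comment entirely. The same `inputs` line is changed in the first copy of the playbook in the hunk ending at L218.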
@ -473,8 +478,32 @@
|
|||
"For_each_URL": {
|
||||
"foreach": "@body('Entities_-_Get_URLs')?['URLs']",
|
||||
"actions": {
|
||||
"Compose_domain_name_for_the_host": {
|
||||
"runAfter": {
|
||||
"Compose_host_name_of_the_url": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "Compose",
|
||||
"inputs": "@replace(string(outputs('Compose_host_name_of_the_url')), 'www.', '')",
|
||||
"description": "This composes the domain name for the url/host"
|
||||
},
|
||||
"Compose_host_name_of_the_url": {
|
||||
"runAfter": {
|
||||
"Set_variable_url": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "Compose",
|
||||
"inputs": "@uriHost(variables('URL'))",
|
||||
"description": "This composes the host name of the URL"
|
||||
},
|
||||
"Get_breached_site_information": {
|
||||
"runAfter": {},
|
||||
"runAfter": {
|
||||
"Compose_domain_name_for_the_host": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "ApiConnection",
|
||||
"inputs": {
|
||||
"host": {
|
||||
|
@ -485,11 +514,20 @@
|
|||
"method": "get",
|
||||
"path": "/api/v3/breaches",
|
||||
"queries": {
|
||||
"domain": "@items('For_each_URL')?['Url']"
|
||||
"domain": "@{outputs('Compose_domain_name_for_the_host')}"
|
||||
}
|
||||
},
|
||||
"description": "Get breached information for particular site from Have i been pwned"
|
||||
},
|
||||
"Set_variable_url": {
|
||||
"runAfter": {},
|
||||
"type": "SetVariable",
|
||||
"inputs": {
|
||||
"name": "URL",
|
||||
"value": "@items('For_each_URL')?['Url']"
|
||||
},
|
||||
"description": "This sets the variable URL"
|
||||
},
|
||||
"Switch_to_check_the_status_of_API_response_from_HaveIBeenPwned": {
|
||||
"runAfter": {
|
||||
"Get_breached_site_information": [
|
||||
|
@ -546,8 +584,6 @@
|
|||
"runAfter": {},
|
||||
"type": "Table",
|
||||
"inputs": {
|
||||
"from": "@body('Get_breached_site_information')",
|
||||
"format": "HTML",
|
||||
"columns": [
|
||||
{
|
||||
"header": "Name",
|
||||
|
@ -569,7 +605,9 @@
|
|||
"header": "Pwned Count",
|
||||
"value": "@item()?['PwnCount']"
|
||||
}
|
||||
]
|
||||
],
|
||||
"format": "HTML",
|
||||
"from": "@body('Get_breached_site_information')"
|
||||
},
|
||||
"description": "This create HTML table format for the site breach information"
|
||||
},
|
||||
|
@ -681,10 +719,10 @@
|
|||
"runAfter": {},
|
||||
"type": "Terminate",
|
||||
"inputs": {
|
||||
"runStatus": "Failed",
|
||||
"runError": {
|
||||
"message": "No Inputs from sentinel"
|
||||
}
|
||||
},
|
||||
"runStatus": "Failed"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -706,13 +744,13 @@
|
|||
"runAfter": {},
|
||||
"type": "ApiConnection",
|
||||
"inputs": {
|
||||
"body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
|
||||
"host": {
|
||||
"connection": {
|
||||
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
|
||||
}
|
||||
},
|
||||
"method": "post",
|
||||
"body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
|
||||
"path": "/entities/url"
|
||||
}
|
||||
},
|
||||
|
@ -733,13 +771,30 @@
|
|||
},
|
||||
"description": "This holds the variable terminate to terminate the logic app"
|
||||
},
|
||||
"Initialize_variable_breach_information": {
|
||||
"Initialize_variable_URL": {
|
||||
"runAfter": {
|
||||
"Entities_-_Get_URLs": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "InitializeVariable",
|
||||
"inputs": {
|
||||
"variables": [
|
||||
{
|
||||
"name": "URL",
|
||||
"type": "string"
|
||||
}
|
||||
]
|
||||
},
|
||||
"description": "This holds the URL value"
|
||||
},
|
||||
"Initialize_variable_breach_information": {
|
||||
"runAfter": {
|
||||
"Initialize_variable_URL": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "InitializeVariable",
|
||||
"inputs": {
|
||||
"variables": [
|
||||
{
|
||||
|
|