diff --git a/Playbooks/Restrict-MDATPFileHash/azuredeploy.json b/Playbooks/Restrict-MDATPFileHash/azuredeploy.json
deleted file mode 100644
index d41107465e..0000000000
--- a/Playbooks/Restrict-MDATPFileHash/azuredeploy.json
+++ /dev/null
@@ -1,360 +0,0 @@
-{
- "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "metadata": {
- "comments": "This playbook will take FileHash entities and generate alert and block threat indicators for each file hash in MDATP for 90 days.",
- "author": "Nicholas DiCola"
- },
- "parameters": {
- "PlaybookName": {
- "defaultValue": "Restrict-MDATPFileHash",
- "type": "String"
- },
- "UserName": {
- "defaultValue": "@",
- "type": "string"
- }
- },
- "variables": {
- "AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]"
- },
- "resources": [
- {
- "type": "Microsoft.Web/connections",
- "apiVersion": "2016-06-01",
- "name": "[variables('AzureSentinelConnectionName')]",
- "location": "[resourceGroup().location]",
- "properties": {
- "displayName": "[parameters('UserName')]",
- "customParameterValues": {
- },
- "api": {
- "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
- }
- }
- },
- {
- "type": "Microsoft.Logic/workflows",
- "apiVersion": "2017-07-01",
- "name": "[parameters('PlaybookName')]",
- "location": "[resourceGroup().location]",
- "tags": {
- "LogicAppsCategory": "security"
- },
- "dependsOn": [
- "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]"
- ],
- "identity": {
- "type": "SystemAssigned"
- },
- "properties": {
- "state": "Enabled",
- "definition": {
- "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
- "actions": {
- "Alert_-_Get_incident": {
- "inputs": {
- "host": {
- "connection": {
- "name": "@parameters('$connections')['azuresentinel']['connectionId']"
- }
- },
- "method": "get",
- "path": "/Cases/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}"
- },
- "runAfter": {
- },
- "type": "ApiConnection"
- },
- "For_each": {
- "actions": {
- "Condition": {
- "actions": {
- "Switch": {
- "cases": {
- "Case": {
- "actions": {
- "HTTP": {
- "inputs": {
- "authentication": {
- "audience": "https://api.securitycenter.windows.com/",
- "type": "ManagedServiceIdentity"
- },
- "body": {
- "action": "AlertAndBlock",
- "application": "@{triggerBody()?['ProductName']}",
- "description": "@{body('Alert_-_Get_incident')?['properties']?['Title']}",
- "expirationTime": "@{addDays(triggerBody()?['TimeGenerated'], 90)}",
- "indicatorType": "FileSha1",
- "indicatorValue": "@{items('For_each')?['Value']}",
- "severity": "@{body('Alert_-_Get_incident')?['properties']?['Severity']}",
- "title": "@{guid()}"
- },
- "method": "POST",
- "uri": "https://api.securitycenter.windows.com/api/indicators"
- },
- "runAfter": {
- },
- "type": "Http"
- }
- },
- "case": "SHA1"
- },
- "Case_2": {
- "actions": {
- "HTTP_2": {
- "inputs": {
- "authentication": {
- "audience": "https://api.securitycenter.windows.com/",
- "type": "ManagedServiceIdentity"
- },
- "body": {
- "action": "AlertAndBlock",
- "application": "@{triggerBody()?['ProductName']}",
- "description": "@{body('Alert_-_Get_incident')?['properties']?['Title']}",
- "expirationTime": "@{addDays(triggerBody()?['TimeGenerated'], 90)}",
- "indicatorType": "FileSha256",
- "indicatorValue": "@{items('For_each')?['Value']}",
- "severity": "@{body('Alert_-_Get_incident')?['properties']?['Severity']}",
- "title": "@{guid()}"
- },
- "method": "POST",
- "uri": "https://api.securitycenter.windows.com/api/indicators"
- },
- "runAfter": {
- },
- "type": "Http"
- }
- },
- "case": "SHA256"
- }
- },
- "default": {
- "actions": {
- }
- },
- "expression": "@items('For_each')?['Algorithm']",
- "runAfter": {
- },
- "type": "Switch"
- }
- },
- "expression": {
- "and": [
- {
- "equals": [
- "@items('For_each')['Type']",
- "filehash"
- ]
- }
- ]
- },
- "runAfter": {
- },
- "type": "If"
- }
- },
- "foreach": "@body('Parse_JSON')",
- "runAfter": {
- "Parse_JSON": [
- "Succeeded"
- ]
- },
- "type": "Foreach"
- },
- "Parse_JSON": {
- "inputs": {
- "content": "@triggerBody()?['Entities']",
- "schema": {
- "items": {
- "properties": {
- "$id": {
- "type": "string"
- },
- "AadUserId": {
- "type": "string"
- },
- "Account": {
- "properties": {
- "$ref": {
- "type": "string"
- }
- },
- "type": "object"
- },
- "Address": {
- "type": "string"
- },
- "Algorithm": {
- "type": "string"
- },
- "CommandLine": {
- "type": "string"
- },
- "CreatedTimeUtc": {
- "type": "string"
- },
- "CreationTimeUtc": {
- "type": "string"
- },
- "Directory": {
- "type": "string"
- },
- "DnsDomain": {
- "type": "string"
- },
- "ElevationToken": {
- "type": "string"
- },
- "FileHashes": {
- "items": {
- "properties": {
- "$ref": {
- "type": "string"
- }
- },
- "required": [
- "$ref"
- ],
- "type": "object"
- },
- "type": "array"
- },
- "Host": {
- "properties": {
- "$ref": {
- "type": "string"
- }
- },
- "type": "object"
- },
- "HostName": {
- "type": "string"
- },
- "ImageFile": {
- "properties": {
- "$ref": {
- "type": "string"
- }
- },
- "type": "object"
- },
- "IsDomainJoined": {
- "type": "boolean"
- },
- "IsDownloaded": {
- "type": "boolean"
- },
- "IsPe": {
- "type": "boolean"
- },
- "IsValid": {
- "type": "boolean"
- },
- "LastAccessTimeUtc": {
- "type": "string"
- },
- "LastWriteTimeUtc": {
- "type": "string"
- },
- "MachineId": {
- "type": "string"
- },
- "MachineIdType": {
- "type": "integer"
- },
- "NTDomain": {
- "type": "string"
- },
- "Name": {
- "type": "string"
- },
- "ParentProcess": {
- "properties": {
- "$ref": {
- "type": "string"
- }
- },
- "type": "object"
- },
- "ProcessId": {
- "type": "string"
- },
- "Sid": {
- "type": "string"
- },
- "SizeInBytes": {
- "type": "integer"
- },
- "Type": {
- "type": "string"
- },
- "UPNSuffix": {
- "type": "string"
- },
- "Url": {
- "type": "string"
- },
- "Value": {
- "type": "string"
- }
- },
- "required": [
- "$id",
- "Type"
- ],
- "type": "object"
- },
- "type": "array"
- }
- },
- "runAfter": {
- "Alert_-_Get_incident": [
- "Succeeded"
- ]
- },
- "type": "ParseJson"
- }
- },
- "contentVersion": "1.0.0.0",
- "outputs": {
- },
- "parameters": {
- "$connections": {
- "defaultValue": {
- },
- "type": "Object"
- }
- },
- "triggers": {
- "When_a_response_to_an_Azure_Sentinel_alert_is_triggered": {
- "inputs": {
- "body": {
- "callback_url": "@{listCallbackUrl()}"
- },
- "host": {
- "connection": {
- "name": "@parameters('$connections')['azuresentinel']['connectionId']"
- }
- },
- "path": "/subscribe"
- },
- "type": "ApiConnectionWebhook"
- }
- }
- },
- "parameters": {
- "$connections": {
- "value": {
- "azuresentinel": {
- "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
- "connectionName": "[variables('AzureSentinelConnectionName')]",
- "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
- }
- }
- }
- }
- }
- }
- ]
-}
\ No newline at end of file
diff --git a/Playbooks/Restrict-MDATPFileHash/readme.md b/Playbooks/Restrict-MDATPFileHash/readme.md
deleted file mode 100644
index 20f6d08a20..0000000000
--- a/Playbooks/Restrict-MDATPFileHash/readme.md
+++ /dev/null
@@ -1,25 +0,0 @@
-# Restrict-MDATPFileHash
-author: Nicholas DiCola
-
-This playbook will take FileHash entities and generate alert and block threat indicators for each file hash in MDATP for 90 days.
-
-
-
-
-
-
-
-
-**Additional Post Install Notes:**
-
-The Logic App creates and uses a Managed System Identity (MSI) to authenticate and authorize against api.securitycenter.windows.com to update threat indicators.
-
-The MSI must be assigned API Permissions 'Ti.ReadWrite' to WindowsDefenderATP App. To assign use PowerShell and AzureAD Module. Run the following commands:
-
-$msi = Get-AzureADServicePrincipal | ?{$_.DisplayName -ieq "Restrict-MDATPUrl"}
-$graph = Get-AzureADServicePrincipal -Filter "AppId eq 'fc780465-2017-40d4-a0c5-307022471b92'"
-$roles = $graph.AppRoles | ?{$_.Value -imatch "Ti.ReadWrite" }
-
-Foreach ($role in $roles){
-New-AzureADServiceAppRoleAssignment -ObjectId $msi.ObjectId -PrincipalId $msi.ObjectId -Id $role.Id -ResourceId $graph.ObjectId
-}
\ No newline at end of file
diff --git a/Playbooks/Restrict-MDEFileHash/alert-trigger/azuredeploy.json b/Playbooks/Restrict-MDEFileHash/alert-trigger/azuredeploy.json
new file mode 100644
index 0000000000..d1f79d2741
--- /dev/null
+++ b/Playbooks/Restrict-MDEFileHash/alert-trigger/azuredeploy.json
@@ -0,0 +1,224 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "comments": "This playbook will take FileHash entities and generate alert and block threat indicators for each file hash in MDE for 90 days.",
+ "author": "Nicholas DiCola"
+ },
+ "parameters": {
+ "PlaybookName": {
+ "defaultValue": "Restrict-MDEFileHash",
+ "type": "String"
+ }
+ },
+ "variables": {
+ "AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[variables('AzureSentinelConnectionName')]",
+ "location": "[resourceGroup().location]",
+ "kind": "V1",
+ "properties": {
+ "displayName": "[parameters('PlaybookName')]",
+ "customParameterValues": {},
+ "parameterValueType": "Alternative",
+ "api": {
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Logic/workflows",
+ "apiVersion": "2017-07-01",
+ "name": "[parameters('PlaybookName')]",
+ "location": "[resourceGroup().location]",
+ "tags": {
+ "LogicAppsCategory": "security"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]"
+ ],
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "state": "Enabled",
+ "definition": {
+ "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+ "actions": {
+ "Alert_-_Get_incident": {
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "get",
+ "path": "/Incidents/subscriptions/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/resourceGroups/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/workspaces/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/alerts/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}"
+ },
+ "runAfter": {},
+ "type": "ApiConnection"
+ },
+ "Entities_-_Get_FileHashes": {
+ "inputs": {
+ "body": "@triggerBody()?['Entities']",
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/entities/filehash"
+ },
+ "runAfter": {
+ "Alert_-_Get_incident": [
+ "Succeeded"
+ ]
+ },
+ "type": "ApiConnection"
+ },
+ "For_each": {
+ "actions": {
+ "Add_comment_to_incident_(V3)": {
+ "inputs": {
+ "body": {
+ "incidentArmId": "@body('Alert_-_Get_incident')?['id']",
+ "message": "

@{items('For_each')?['Value']} was added to MDE Indicators with action: AlertandBlock via playbook.

"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/Incidents/Comment"
+ },
+ "runAfter": {
+ "Switch": [
+ "Succeeded"
+ ]
+ },
+ "type": "ApiConnection"
+ },
+ "Switch": {
+ "cases": {
+ "Case": {
+ "actions": {
+ "HTTP": {
+ "inputs": {
+ "authentication": {
+ "audience": "https://api.securitycenter.windows.com/",
+ "type": "ManagedServiceIdentity"
+ },
+ "body": {
+ "action": "AlertAndBlock",
+ "application": "Azure Sentinel",
+ "description": "@{body('Alert_-_Get_incident')?['properties']?['incidentNumber']}-@{body('Alert_-_Get_incident')?['properties']?['title']}",
+ "expirationTime": "@{addDays(triggerBody()?['TimeGenerated'], 90)}",
+ "indicatorType": "FileSha1",
+ "indicatorValue": "@{items('For_each')?['Value']}",
+ "severity": "@{body('Alert_-_Get_incident')?['properties']?['severity']}",
+ "title": "@{guid()}"
+ },
+ "method": "POST",
+ "uri": "https://api.securitycenter.windows.com/api/indicators"
+ },
+ "runAfter": {},
+ "type": "Http"
+ }
+ },
+ "case": "SHA1"
+ },
+ "Case_2": {
+ "actions": {
+ "HTTP_2": {
+ "inputs": {
+ "authentication": {
+ "audience": "https://api.securitycenter.windows.com/",
+ "type": "ManagedServiceIdentity"
+ },
+ "body": {
+ "action": "AlertAndBlock",
+ "application": "Azure Sentinel",
+ "description": "@{body('Alert_-_Get_incident')?['properties']?['incidentNumber']}-@{body('Alert_-_Get_incident')?['properties']?['title']}",
+ "expirationTime": "@{addDays(triggerBody()?['TimeGenerated'], 90)}",
+ "indicatorType": "FileSha256",
+ "indicatorValue": "@{items('For_each')?['Value']}",
+ "severity": "@{body('Alert_-_Get_incident')?['properties']?['severity']}",
+ "title": "@{guid()}"
+ },
+ "method": "POST",
+ "uri": "https://api.securitycenter.windows.com/api/indicators"
+ },
+ "runAfter": {},
+ "type": "Http"
+ }
+ },
+ "case": "SHA256"
+ }
+ },
+ "default": {
+ "actions": {}
+ },
+ "expression": "@items('For_each')?['Algorithm']",
+ "runAfter": {},
+ "type": "Switch"
+ }
+ },
+ "foreach": "@body('Entities_-_Get_FileHashes')?['Filehashes']",
+ "runAfter": {
+ "Entities_-_Get_FileHashes": [
+ "Succeeded"
+ ]
+ },
+ "type": "Foreach"
+ }
+ },
+ "contentVersion": "1.0.0.0",
+ "outputs": {},
+ "parameters": {
+ "$connections": {
+ "defaultValue": {},
+ "type": "Object"
+ }
+ },
+ "triggers": {
+ "When_a_response_to_an_Azure_Sentinel_alert_is_triggered": {
+ "inputs": {
+ "body": {
+ "callback_url": "@{listCallbackUrl()}"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "path": "/subscribe"
+ },
+ "type": "ApiConnectionWebhook"
+ }
+ }
+ },
+ "parameters": {
+ "$connections": {
+ "value": {
+ "azuresentinel": {
+ "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
+ "connectionName": "[variables('AzureSentinelConnectionName')]",
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]",
+ "connectionProperties": {
+ "authentication": {
+ "type": "ManagedServiceIdentity"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/Playbooks/Restrict-MDEFileHash/alert-trigger/images/Restrict-MDEFileHash_alert.png b/Playbooks/Restrict-MDEFileHash/alert-trigger/images/Restrict-MDEFileHash_alert.png
new file mode 100644
index 0000000000..c956aef452
Binary files /dev/null and b/Playbooks/Restrict-MDEFileHash/alert-trigger/images/Restrict-MDEFileHash_alert.png differ
diff --git a/Playbooks/Restrict-MDEFileHash/incident-trigger/azuredeploy.json b/Playbooks/Restrict-MDEFileHash/incident-trigger/azuredeploy.json
new file mode 100644
index 0000000000..7acfc9e9af
--- /dev/null
+++ b/Playbooks/Restrict-MDEFileHash/incident-trigger/azuredeploy.json
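Review bot: `expirationTime` in both HTTP actions is `addDays(triggerBody()?['TimeGenerated'], 90)`, i.e. 90 days from the alert's own timestamp rather than from the moment the indicator is created, so a run on an alert that is already days or weeks old (the readme says the playbook may be run manually on an alert) shortens the block and, for an old enough alert, yields an expiration already in the past that the indicators API is likely to reject; `"expirationTime": "@{addDays(utcNow(), 90)}"` anchors the lifetime to the submission. The same expression is used in incident-trigger/azuredeploy.json. Separately, `Add_comment_to_incident_(V3)` runs on any `Switch` success, including the empty `default` branch, so a hash whose `Algorithm` is neither SHA1 nor SHA256 (MD5, for instance) still receives the comment "was added to MDE Indicators" although nothing was submitted; moving the comment into each case, or adding an `MD5` case (the API also accepts `FileMd5` as `indicatorType`), would keep the comment truthful. Consider also lifting `https://api.securitycenter.windows.com` (used as both `audience` and `uri`) into a template parameter so the Gov endpoint the readme mentions can be set at deployment instead of by editing the actions afterwards.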
@@ -0,0 +1,217 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "title": "Restrict-MDEFileHash",
+ "description": "This playbook will take FileHash entities and generate alert and block threat indicators for each file hash in MDE for 90 days.",
+ "prerequisites": "You will need to grant Ti.ReadWrite permissions to the managed identity.",
+ "lastUpdateTime": "2021-06-10T00:00:00.000Z",
+ "entities": [ "FileHash" ],
+ "tags": [ "Remediation" ],
+ "support": {
+ "kind": "Community"
+ },
+ "author": {
+ "name": "Nicholas DiCola"
+ }
+ },
+ "parameters": {
+ "PlaybookName": {
+ "defaultValue": "Restrict-MDEFileHash",
+ "type": "String"
+ }
+ },
+ "variables": {
+ "AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[variables('AzureSentinelConnectionName')]",
+ "location": "[resourceGroup().location]",
+ "kind": "V1",
+ "properties": {
+ "displayName": "[parameters('PlaybookName')]",
+ "customParameterValues": {},
+ "parameterValueType": "Alternative",
+ "api": {
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Logic/workflows",
+ "apiVersion": "2017-07-01",
+ "name": "[parameters('PlaybookName')]",
+ "location": "[resourceGroup().location]",
+ "tags": {
+ "LogicAppsCategory": "security"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]"
+ ],
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "state": "Enabled",
+ "definition": {
+ "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+ "actions": {
+ "Entities_-_Get_FileHashes": {
+ "inputs": {
+ "body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/entities/filehash"
+ },
+ "runAfter": {},
+ "type": "ApiConnection"
+ },
+ "For_each": {
+ "actions": {
+ "Add_comment_to_incident_(V3)": {
+ "inputs": {
+ "body": {
+ "incidentArmId": "@triggerBody()?['object']?['id']",
+ "message": "

@{items('For_each')?['Value']} was added to MDE Indicators with action: AlertandBlock via playbook.

"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/Incidents/Comment"
+ },
+ "runAfter": {
+ "Switch": [
+ "Succeeded"
+ ]
+ },
+ "type": "ApiConnection"
+ },
+ "Switch": {
+ "cases": {
+ "Case": {
+ "actions": {
+ "HTTP": {
+ "inputs": {
+ "authentication": {
+ "audience": "https://api.securitycenter.windows.com/",
+ "type": "ManagedServiceIdentity"
+ },
+ "body": {
+ "action": "AlertAndBlock",
+ "application": "Azure Sentinel",
+ "description": "@{triggerBody()?['object']?['properties']?['incidentNumber']}-@{triggerBody()?['object']?['properties']?['title']}",
+ "expirationTime": "@{addDays(triggerBody()?['TimeGenerated'], 90)}",
+ "indicatorType": "FileSha1",
+ "indicatorValue": "@{items('For_each')?['Value']}",
+ "severity": "@{triggerBody()?['object']?['properties']?['severity']}",
+ "title": "@{guid()}"
+ },
+ "method": "POST",
+ "uri": "https://api.securitycenter.windows.com/api/indicators"
+ },
+ "runAfter": {},
+ "type": "Http"
+ }
+ },
+ "case": "SHA1"
+ },
+ "Case_2": {
+ "actions": {
+ "HTTP_2": {
+ "inputs": {
+ "authentication": {
+ "audience": "https://api.securitycenter.windows.com/",
+ "type": "ManagedServiceIdentity"
+ },
+ "body": {
+ "action": "AlertAndBlock",
+ "application": "Azure Sentinel",
+ "description": "@{triggerBody()?['object']?['properties']?['incidentNumber']}-@{triggerBody()?['object']?['properties']?['title']}",
+ "expirationTime": "@{addDays(triggerBody()?['TimeGenerated'], 90)}",
+ "indicatorType": "FileSha256",
+ "indicatorValue": "@{items('For_each')?['Value']}",
+ "severity": "@{triggerBody()?['object']?['properties']?['severity']}",
+ "title": "@{guid()}"
+ },
+ "method": "POST",
+ "uri": "https://api.securitycenter.windows.com/api/indicators"
+ },
+ "runAfter": {},
+ "type": "Http"
+ }
+ },
+ "case": "SHA256"
+ }
+ },
+ "default": {
+ "actions": {}
+ },
+ "expression": "@items('For_each')?['Algorithm']",
+ "runAfter": {},
+ "type": "Switch"
+ }
+ },
+ "foreach": "@body('Entities_-_Get_FileHashes')?['Filehashes']",
+ "runAfter": {
+ "Entities_-_Get_FileHashes": [
+ "Succeeded"
+ ]
+ },
+ "type": "Foreach"
+ }
+ },
+ "contentVersion": "1.0.0.0",
+ "outputs": {},
+ "parameters": {
+ "$connections": {
+ "defaultValue": {},
+ "type": "Object"
+ }
+ },
+ "triggers": {
+ "When_Azure_Sentinel_incident_creation_rule_was_triggered": {
+ "inputs": {
+ "body": {
+ "callback_url": "@{listCallbackUrl()}"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "path": "/incident-creation"
+ },
+ "type": "ApiConnectionWebhook"
+ }
+ }
+ },
+ "parameters": {
+ "$connections": {
+ "value": {
+ "azuresentinel": {
+ "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
+ "connectionName": "[variables('AzureSentinelConnectionName')]",
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]",
+ "connectionProperties": {
+ "authentication": {
+ "type": "ManagedServiceIdentity"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/Playbooks/Restrict-MDEFileHash/incident-trigger/images/Restrict-MDEFileHash_incident.png b/Playbooks/Restrict-MDEFileHash/incident-trigger/images/Restrict-MDEFileHash_incident.png
new file mode 100644
index 0000000000..b85b45300b
Binary files /dev/null and b/Playbooks/Restrict-MDEFileHash/incident-trigger/images/Restrict-MDEFileHash_incident.png differ
diff --git a/Playbooks/Restrict-MDEFileHash/incident-trigger/images/designerDark.png b/Playbooks/Restrict-MDEFileHash/incident-trigger/images/designerDark.png
new file mode 100644
index 0000000000..24438bdcb9
Binary files /dev/null and b/Playbooks/Restrict-MDEFileHash/incident-trigger/images/designerDark.png differ
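Review bot: `expirationTime` in both HTTP actions still reads `triggerBody()?['TimeGenerated']`, but in this incident-triggered definition every other trigger field is taken from `triggerBody()?['object']?['properties']?[...]` (`incidentNumber`, `title`, `severity`, `relatedEntities`), which suggests the incident payload carries no top-level `TimeGenerated` and `addDays` would be evaluated on a null, making the HTTP actions fail or submit an invalid expiration. `"expirationTime": "@{addDays(utcNow(), 90)}"` removes the dependency on the trigger shape and at the same time gives the indicator the full 90 days from submission, which the alert-trigger template also lacks. If the incident time is what is wanted, the value should be read from the same `object.properties` path as the other fields, after confirming the property name on the incident payload.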
diff --git a/Playbooks/Restrict-MDEFileHash/incident-trigger/images/designerLight.png b/Playbooks/Restrict-MDEFileHash/incident-trigger/images/designerLight.png
new file mode 100644
index 0000000000..368b7a78ff
Binary files /dev/null and b/Playbooks/Restrict-MDEFileHash/incident-trigger/images/designerLight.png differ
diff --git a/Playbooks/Restrict-MDEFileHash/readme.md b/Playbooks/Restrict-MDEFileHash/readme.md
new file mode 100644
index 0000000000..cd271510f2
--- /dev/null
+++ b/Playbooks/Restrict-MDEFileHash/readme.md
@@ -0,0 +1,51 @@
+# Restrict-MDEFileHash
+author: Nicholas DiCola
+
+This playbook will take FileHash entities and generate alert and block threat indicators for each file hash in MDE for 90 days.
+
+## Quick Deployment
+**Deploy with incident trigger** (recommended)
+
+After deployment, attach this playbook to an **automation rule** so it runs when the incident is created.
+
+[Learn more about automation rules](https://docs.microsoft.com/azure/sentinel/automate-incident-handling-with-automation-rules#creating-and-managing-automation-rules)
+
+
+
+
+
+
+
+
+**Deploy with alert trigger**
+
+After deployment, you can run this playbook manually on an alert or attach it to an **analytics rule** so it will rune when an alert is created.
+
+
+
+
+
+
+
+
+## Prerequisites
+- **For Gov Only** You will need to update the HTTP action URL to the correct URL documented [here](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/gov?view=o365-worldwide#api)
+- You will need to grant Ti.ReadWrite permissions to the managed identity. Run the following code replacing the managed identity object id. You find the managed identity object id on the Identity blade under Settings for the Logic App.
+```powershell
+$MIGuid = ""
+$MI = Get-AzureADServicePrincipal -ObjectId $MIGuid
+
+$MDEAppId = "fc780465-2017-40d4-a0c5-307022471b92"
+$PermissionName = "Ti.ReadWrite"
+
+$MDEServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$MDEAppId'"
+$AppRole = $MDEServicePrincipal.AppRoles | Where-Object {$_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains "Application"}
+New-AzureAdServiceAppRoleAssignment -ObjectId $MI.ObjectId -PrincipalId $MI.ObjectId `
+-ResourceId $MDEServicePrincipal.ObjectId -Id $AppRole.Id
+```
+
+## Screenshots
+**Incident Trigger**
+![Incident Trigger](./incident-trigger/images/Restrict-MDEFileHash_incident.png)
+**Alert Trigger**
+![Alert Trigger](./alert-trigger/images/Restrict-MDEFileHash_alert.png)
\ No newline at end of file