Playbook Preparation for Cisco ASA (#5806)

Solutions/CiscoASA/Playbooks/CiscoASA-AddIPtoNetworkObjectGroup/azuredeploy.json

@@ -1,8 +1,37 @@
 {
     "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
     "contentVersion": "1.0.0.0",
+    "metadata": {
+        "title": "Block IP - Cisco ASA",
+        "prerequisitesDeployTemplateFile": "../CustomConnector/azuredeploy.json",
+        "description": "This playbook allows blocking/allowing of IPs in Cisco ASA, using a Network Object Group. The Network Object Group itself should be part of an Access Control Entry.",
+        "prerequisites": [
+            "1. In Cisco ASA there needs to be a Network Object Group. You can create a Network Object Group using Cisco ASDM, [Configure a Network Object Group](https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/asdm76/firewall/asdm-76-firewall-config/access-objects.html#ariaid-title6), or using the CLI, [Configuring a Network Object Group](https://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/acl_objects.html#86292). The Network Object Group can be blocked using an access rule, [Configure Access Rules](https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/asdm76/firewall/asdm-76-firewall-config/access-rules.html#ID-2124-00000152).",
+            "2. Cisco ASA custom connector needs to be deployed prior to the deployment of this playbook (link below), in the same resource group and region.",
+            "3. To authenticate the connector, in Cisco ASA create a local user and allow it to use the REST API. Depending on the playbook used the user needs to be able to add members to a network object group or create access control entries, by default that requires privilege level 15."
+        ],
+        "postDeployment": [ "**a. Authorize connections**", "Once deployment is complete, you will need to authorize each connection.", "1. Click the Azure Sentinel connection resource", "2.Click edit API connection", "3.Click Authorize", "4.Sign in", "5.Click Save", "6.Repeat steps for other connections such as Teams and Cisco ASA (For authorizing the Cisco ASA API connection, the username and password needs to be provided)", "**b. Select Teams channel**", "The Teams channel to which the adaptive card will be posted will need to be configured.", "1. Click the Azure Logic app resource", "2. Edit the Logic App", "3. Find the 'PostToTeams' action", "4. Select a Team and Channel", "5. Save the Logic App", "**c. Configurations in Sentinel**", "1. In Azure sentinel analytical rules should be configured to trigger an incident with IP Entity.", "2. Configure the automation rules to trigger this playbook" ],
+        "lastUpdateTime": "2021-07-28T00:00:00.000Z",
+        "entities": [ "Ip" ],
+        "tags": [ "Remediation", "Response from teams" ],
+        "support": {
+            "tier": "community"
+        },
+        "author": {
+            "name": "Wortell"
+        },
+        "releaseNotes": [
+            {
+                "version": "1.0.0",
+                "title": "",
+                "notes": [
+                    "Initial version"
+                ]
+            }
+        ]
+    },
     "parameters": {
-        "Playbook Name": {
+        "PlaybookName": {
             "defaultValue": "CiscoASA-AddIPtoNetworkObjectGroup",
             "type": "String",
             "metadata": {
@@ -24,9 +53,9 @@
         }
     },
     "variables": {
-        "AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('Playbook Name'))]",
-        "TeamsConnectionName": "[concat('teamsconnector-', parameters('Playbook Name'))]",
-        "CiscoASAConnectionName": "[concat('ciscoasaconnector-', parameters('Playbook Name'))]"
+        "AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]",
+        "TeamsConnectionName": "[concat('teamsconnector-', parameters('PlaybookName'))]",
+        "CiscoASAConnectionName": "[concat('ciscoasaconnector-', parameters('PlaybookName'))]"
     },
     "resources": [
         {
@@ -37,7 +66,7 @@
             "properties": {
                 "customParameterValues": {},
                 "api": {
-                "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
+                    "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
                 }
             }
         },
@@ -49,7 +78,7 @@
             "properties": {
                 "customParameterValues": {},
                 "api": {
-                "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/teams')]"
+                    "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/teams')]"
                 }
             }
         },
@@ -68,7 +97,7 @@
         {
             "type": "Microsoft.Logic/workflows",
             "apiVersion": "2017-07-01",
-            "name": "[parameters('Playbook Name')]",
+            "name": "[parameters('PlaybookName')]",
             "location": "[resourceGroup().location]",
             "dependsOn": [
                 "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",

Solutions/CiscoASA/Playbooks/CiscoASA-CreateACEInACL/azuredeploy.json

@@ -1,8 +1,36 @@
 {
     "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
     "contentVersion": "1.0.0.0",
+    "metadata": {
+        "title": "Cisco ASA - Create or remove access rules on an interface for IP Addresses",
+        "description": "This playbook allows blocking/unblocking of IPs in Cisco ASA, using **Access Control Entries** which will be created in an access control list.",
+        "prerequisites": [
+            "1. **This playbook template is based on Azure Sentinel Incident Trigger which is currently in Private Preview (Automation Rules).** You can change the trigger to the Sentinel Alert trigger in cases you are not part of the Private Preview.",
+            "2. Cisco ASA custom connector needs to be deployed prior to the deployment of this playbook, in the same resource group and region. Relevant instructions can be found in the connector doc page.",
+            "3. Cisco ASA needs to have an extended Access Control List configured. Create a new ACL or retrieve the name of an existing ACL. To use Cisco ASDM to configure Extended ACLs, see [Configure Extended ACLs](https://www.cisco.com/c/en/us/td/docs/security/asa/asa914/asdm714/firewall/asdm-714-firewall-config/access-acls.html#ID-2069-0000016d)"
+        ],
+        "postDeployment": [ "**a. Authorize connections**", "Once deployment is complete, you will need to authorize each connection.", "1. Click the Azure Sentinel connection resource", "2.Click edit API connection", "3.Click Authorize", "4.Sign in", "5.Click Save", "6.Repeat steps for other connections such as Teams and Cisco ASA (For authorizing the Cisco ASA API connection, the username and password needs to be provided)", "**b. Select Teams channel**", "The Teams channel to which the adaptive card will be posted will need to be configured.", "1. Click the Azure Logic app resource", "2. Edit the Logic App", "3. Find the 'PostToTeams' action", "4. Select a Team and Channel", "5. Save the Logic App", "**c. Configurations in Sentinel**", "1. In Azure sentinel analytical rules should be configured to trigger an incident with IP Entity.", "2. Configure the automation rules to trigger this playbook" ],
+        "lastUpdateTime": "2021-07-28T00:00:00.000Z",
+        "entities": [ "Ip" ],
+        "tags": [],
+        "support": {
+            "tier": "community"
+        },
+        "author": {
+            "name": "Wortell"
+        },
+        "releaseNotes": [
+            {
+                "version": "1.0.0",
+                "title": "",
+                "notes": [
+                    "Initial version"
+                ]
+            }
+        ]
+    },
     "parameters": {
-        "Playbook Name": {
+        "PlaybookName": {
             "defaultValue": "CiscoASA-CreateACEInACL",
             "type": "String",
             "metadata": {
@@ -24,9 +52,9 @@
         }
     },
     "variables": {
-        "AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('Playbook Name'))]",
-        "TeamsConnectionName": "[concat('teamsconnector-', parameters('Playbook Name'))]",
-        "CiscoASAConnectionName": "[concat('ciscoasaconnector-', parameters('Playbook Name'))]"
+        "AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]",
+        "TeamsConnectionName": "[concat('teamsconnector-', parameters('PlaybookName'))]",
+        "CiscoASAConnectionName": "[concat('ciscoasaconnector-', parameters('PlaybookName'))]"
     },
     "resources": [
         {
@@ -37,7 +65,7 @@
             "properties": {
                 "customParameterValues": {},
                 "api": {
-                "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
+                    "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
                 }
             }
         },
@@ -49,7 +77,7 @@
             "properties": {
                 "customParameterValues": {},
                 "api": {
-                "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/teams')]"
+                    "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/teams')]"
                 }
             }
         },
@@ -68,7 +96,7 @@
         {
             "type": "Microsoft.Logic/workflows",
             "apiVersion": "2017-07-01",
-            "name": "[parameters('Playbook Name')]",
+            "name": "[parameters('PlaybookName')]",
             "location": "[resourceGroup().location]",
             "dependsOn": [
                 "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",

Solutions/CiscoASA/Playbooks/CiscoASA-CreateInboundAccessRuleOnInterface/azuredeploy.json

@@ -1,8 +1,36 @@
 {
     "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
     "contentVersion": "1.0.0.0",
+    "metadata": {
+        "title": "Cisco ASA - Create or Inbound Access Rule On Interface",
+        "description": "This playbook allows blocking/unblocking of IPs in Cisco ASA, using **Access Rules** which will be created on an interface.",
+        "prerequisites": [
+            "1. **This playbook template is based on Azure Sentinel Incident Trigger which is currently in Private Preview (Automation Rules).** You can change the trigger to the Sentinel Alert trigger in cases you are not part of the Private Preview.",
+            "2. Cisco ASA custom connector needs to be deployed prior to the deployment of this playbook, in the same resource group and region. Relevant instructions can be found in the connector doc page.",
+            "3. Cisco ASA needs to have an extended Access Control List configured. Create a new ACL or retrieve the name of an existing ACL. To use Cisco ASDM to configure Extended ACLs, see [Configure Extended ACLs](https://www.cisco.com/c/en/us/td/docs/security/asa/asa914/asdm714/firewall/asdm-714-firewall-config/access-acls.html#ID-2069-0000016d)"
+        ],
+        "postDeployment": [ "**a. Authorize connections**", "Once deployment is complete, you will need to authorize each connection.", "1. Click the Azure Sentinel connection resource", "2.Click edit API connection", "3.Click Authorize", "4.Sign in", "5.Click Save", "6.Repeat steps for other connections such as Teams and Cisco ASA (For authorizing the Cisco ASA API connection, the username and password needs to be provided)", "**b. Select Teams channel**", "The Teams channel to which the adaptive card will be posted will need to be configured.", "1. Click the Azure Logic app resource", "2. Edit the Logic App", "3. Find the 'PostToTeams' action", "4. Select a Team and Channel", "5. Save the Logic App", "**c. Configurations in Sentinel**", "1. In Azure sentinel analytical rules should be configured to trigger an incident with IP Entity.", "2. Configure the automation rules to trigger this playbook" ],
+        "lastUpdateTime": "2021-07-28T00:00:00.000Z",
+        "entities": [ "Ip" ],
+        "tags": [],
+        "support": {
+            "tier": "community"
+        },
+        "author": {
+            "name": "Wortell"
+        },
+        "releaseNotes": [
+            {
+                "version": "1.0.0",
+                "title": "",
+                "notes": [
+                    "Initial version"
+                ]
+            }
+        ]
+    },
     "parameters": {
-        "Playbook Name": {
+        "PlaybookName": {
             "defaultValue": "CiscoASA-CreateInboundAccessRuleOnInterface",
             "type": "String",
             "metadata": {
@@ -24,9 +52,9 @@
         }
     },
     "variables": {
-        "AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('Playbook Name'))]",
-        "TeamsConnectionName": "[concat('teamsconnector-', parameters('Playbook Name'))]",
-        "CiscoASAConnectionName": "[concat('ciscoasaconnector-', parameters('Playbook Name'))]"
+        "AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]",
+        "TeamsConnectionName": "[concat('teamsconnector-', parameters('PlaybookName'))]",
+        "CiscoASAConnectionName": "[concat('ciscoasaconnector-', parameters('PlaybookName'))]"
     },
     "resources": [
         {
@@ -37,7 +65,7 @@
             "properties": {
                 "customParameterValues": {},
                 "api": {
-                "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
+                    "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
                 }
             }
         },
@@ -49,7 +77,7 @@
             "properties": {
                 "customParameterValues": {},
                 "api": {
-                "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/teams')]"
+                    "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/teams')]"
                 }
             }
         },
@@ -68,7 +96,7 @@
         {
             "type": "Microsoft.Logic/workflows",
             "apiVersion": "2017-07-01",
-            "name": "[parameters('Playbook Name')]",
+            "name": "[parameters('PlaybookName')]",
             "location": "[resourceGroup().location]",
             "dependsOn": [
                 "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",