update Wildfire custom connector review points
This commit is contained in:
Javed Ahmad Khan
Родитель
e4f27c50f7
Коммит
b1abb08eaa
Двоичный файл не отображается.
|
До Ширина: | Высота: | Размер: 4.4 KiB |
Различия файлов скрыты, потому что одна или несколько строк слишком длинны
|
|
@ -1,46 +0,0 @@
|
|||
# PaloAlto PAN-OS Logic Apps Custom Connector
|
||||
|
||||
|
||||
|
||||
# Overview
|
||||
This custom connector connects to PAN-OS service end point and performs defined automated actions on the PAN-OS firewall.
|
||||
|
||||
# Authentication
|
||||
* API Key authentication
|
||||
|
||||
# Actions supported by PaloAlto PAN-OS custom connector
|
||||
| Component | Description |
|
||||
| --------- | -------------- |
|
||||
| **List security rules** | Retrieves a list of all security rules within a specified location in the firewall|
|
||||
| **Create a security policy rule** | Creates a new security policy rule in the firewall|
|
||||
| **Update a security policy rule** | References/Unreferences the address object in the security rule as a source or a destination member |
|
||||
| **List custom url categories** | Retrieves a list of all URL filtering category information within a specified location in the firewall|
|
||||
| **List address objects** | Retrieves a list of all address objects within a specified location in the firewall|
|
||||
| **Create an address object** |Creates an address object depending on type : IP address or URL address|
|
||||
| **Updates an address object** |Updates an address object depending on type : IP address or URL address|
|
||||
| **List address groups** | Retrieves a list of all address object groups within a specified location in the firewall|
|
||||
| **Create an address object group** | Creates a new address object group in the firewall|
|
||||
| **Updates an address object group** | Updates an address object group in the firewall |
|
||||
| **List URL filtering security profiles** | Retrieves a list of all URL filtering security profiles in the firewall|
|
||||
| **Update URL filtering security profiles** | Updates URL filtering security profiles in the firewall|
|
||||
|
||||
# Prerequisites for deploying PAN-OS Custom Connector
|
||||
1. PAN-OS service end point should be known. (e.g. https://{paloaltonetworkdomain})
|
||||
|
||||
|
||||
# Deploy PAN-OS Custom Connector
|
||||
Click on the below button to deploy PAN-OS Custom Connector in your Azure subscription.
|
||||
|
||||
[](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FPaloAlto-Wildfire%2FConnectores%2FPaloAltoConnector%2Fazuredeploy.json)
|
||||
[](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FPaloAlto-Wildfire%2FConnectores%2FPaloAltoConnector%2Fazuredeploy.json)
|
||||
|
||||
# Deployment Instructions
|
||||
1. Deploy the PAN-OS custom connector by clicking on "Deploy to Azure" button. This will take you to deploying an ARM Template wizard.
|
||||
2. Fill in the required parameters for deploying PAN-OS custom connector.
|
||||
|
||||
## Deployment Parameters
|
||||
|
||||
| Parameter | Description |
|
||||
| ------------- | ------------- |
|
||||
| **Custom Connector Name** | Enter the name of PAN-OS custom connector |
|
||||
| **Service End Point** | Enter the PAN-OS Service End Point |
|
||||
|
|
@ -3,10 +3,10 @@
|
|||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"metadata": {
|
||||
"title": "Logic Apps Custom Connector - WildfireConnector",
|
||||
"description": "Wildfire custom connector used to perform REST api actions for WildFire",
|
||||
"title": "Logic Apps Custom Connector - Palo Alto Wildfire Connector",
|
||||
"description": "Palo Alto Wildfire custom connector used to perform RESTful XML-based API actions",
|
||||
"prerequisites": [
|
||||
"1. Wildfire API end point should be known."
|
||||
"1. Wildfire API Service Endpoint should be known."
|
||||
],
|
||||
"tags": [ "CustomConnector" ],
|
||||
"lastUpdateTime": "2021-07-27T00:00:00.000Z",
|
||||
|
|
@ -19,16 +19,17 @@
|
|||
},
|
||||
"parameters": {
|
||||
"CustomConnectorName": {
|
||||
"type": "String",
|
||||
"defaultValue": "PaloAltoWildFire",
|
||||
"type": "String",
|
||||
"metadata": {
|
||||
"description": "Enter Palo Alto WildFire Custom Connector Display Name"
|
||||
"description": "Enter Palo Alto WildFire Custom Connector Name"
|
||||
},
|
||||
"minLength": 3
|
||||
},
|
||||
"ServiceEndPoint": {
|
||||
"type": "String",
|
||||
"metadata": {
|
||||
"description": "Enter WildFire Endpoint (ex: https://{yourDomain})"
|
||||
"description": "Enter WildFire Endpoint (ex: https://wildfire.paloaltonetworks.com/publicapi)"
|
||||
},
|
||||
"minLength": 3
|
||||
}
|
||||
|
|
|
|||
Двоичные данные
Playbooks/PaloAlto-Wildfire/Playbooks/Block-URL-From-Teams/Images/AdaptiveCard1.jpg
Normal file
Двоичные данные
Playbooks/PaloAlto-Wildfire/Playbooks/Block-URL-From-Teams/Images/AdaptiveCard1.jpg
Normal file
Двоичный файл не отображается.
|
После Ширина: | Высота: | Размер: 54 KiB |
Двоичные данные
Playbooks/PaloAlto-Wildfire/Playbooks/Block-URL-From-Teams/Images/AdaptiveCard2.png
Normal file
Двоичные данные
Playbooks/PaloAlto-Wildfire/Playbooks/Block-URL-From-Teams/Images/AdaptiveCard2.png
Normal file
Двоичный файл не отображается.
|
После Ширина: | Высота: | Размер: 128 KiB |
Двоичные данные
Playbooks/PaloAlto-Wildfire/Playbooks/Block-URL-From-Teams/Images/IncidentCommentDark.jpg
Normal file
Двоичные данные
Playbooks/PaloAlto-Wildfire/Playbooks/Block-URL-From-Teams/Images/IncidentCommentDark.jpg
Normal file
Двоичный файл не отображается.
|
После Ширина: | Высота: | Размер: 32 KiB |
Двоичные данные
Playbooks/PaloAlto-Wildfire/Playbooks/Block-URL-From-Teams/Images/IncidentCommentLight.jpg
Normal file
Двоичные данные
Playbooks/PaloAlto-Wildfire/Playbooks/Block-URL-From-Teams/Images/IncidentCommentLight.jpg
Normal file
Двоичный файл не отображается.
|
После Ширина: | Высота: | Размер: 28 KiB |
Двоичные данные
Playbooks/PaloAlto-Wildfire/Playbooks/Block-URL-From-Teams/Images/MainStepsDark.png
Normal file
Двоичные данные
Playbooks/PaloAlto-Wildfire/Playbooks/Block-URL-From-Teams/Images/MainStepsDark.png
Normal file
Двоичный файл не отображается.
|
После Ширина: | Высота: | Размер: 142 KiB |
Двоичные данные
Playbooks/PaloAlto-Wildfire/Playbooks/Block-URL-From-Teams/Images/MainStepsLight.png
Normal file
Двоичные данные
Playbooks/PaloAlto-Wildfire/Playbooks/Block-URL-From-Teams/Images/MainStepsLight.png
Normal file
Двоичный файл не отображается.
|
После Ширина: | Высота: | Размер: 155 KiB |
|
До Ширина: | Высота: | Размер: 189 KiB После Ширина: | Высота: | Размер: 189 KiB |
|
До Ширина: | Высота: | Размер: 204 KiB После Ширина: | Высота: | Размер: 204 KiB |
|
|
@ -2,19 +2,19 @@
|
|||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"metadata": {
|
||||
"title": "URL verdict on Teams - Wildfire",
|
||||
"title": "Block URL From Teams - Palo Alto Wildfire and PAN-OS",
|
||||
"description": "This playbook is used to add Malicious URL to security policy rules of PAN-OS VM on teams response",
|
||||
"mainSteps": [ "1. Fetches detailed verdict information of the URL.", "2. Checks for verdict status. If it is benign then it closes the incident with URL verdict information.", "3. If verdict status is other than benign (phishing, malware, grayware) then it creates the address object for URL and adds address object to the security policy rules." ],
|
||||
"prerequisites": [
|
||||
"1. Palo Alto WildFire Custom Connector and Palo Alto PAN-OS custom connector needs to be deployed prior to the deployment of this playbook under the same resource group.",
|
||||
"2. Generate wildfire API key to establish the connection to wildfire custom connector.",
|
||||
"3. Palo alto API key.",
|
||||
"2. Generate Wildfire API key to establish the connection to wildfire custom connector.",
|
||||
"3. Palo alto Wildfire API key.",
|
||||
"4. Security policy rule in the Palo Alto PAN-OS VM."
|
||||
],
|
||||
"prerequisitesDeployTemplateFile": [ "../../WildfireConnector/azuredeploy.json", "../../PaloAltoConnector/azuredeploy.json" ],
|
||||
"prerequisitesDeployTemplateFile": [ "../../WildfireConnector/azuredeploy.json" ],
|
||||
"lastUpdateTime": "2021-07-27T00:00:00.000Z",
|
||||
"entities": [ "URLs" ],
|
||||
"tags": [ "Teams" ],
|
||||
"entities": [ "URL" ],
|
||||
"tags": [ "Remediation", "Response from teams" ],
|
||||
"support": {
|
||||
"tier": "community"
|
||||
},
|
||||
|
|
@ -24,10 +24,10 @@
|
|||
},
|
||||
"parameters": {
|
||||
"PlaybookName": {
|
||||
"defaultValue": "URLEnrichmentTeams-PaloAltoWildFire",
|
||||
"defaultValue": "Block-URL-From-Teams-PaloAltoWildFire",
|
||||
"type": "string",
|
||||
"metadata": {
|
||||
"description": "Enter URL Enrichment Teams Playbook Name"
|
||||
"description": "Enter Block URL From Teams Playbook Name"
|
||||
},
|
||||
"minLength": 3
|
||||
},
|
||||
|
|
@ -40,7 +40,7 @@
|
|||
"minLength": 3
|
||||
},
|
||||
"PAN-OSCustomConnectorName": {
|
||||
"defaultValue": "PaloAltoPAN-OS",
|
||||
"defaultValue": "PaloAltoPANOS",
|
||||
"type": "String",
|
||||
"metadata": {
|
||||
"description": "Enter Palo Alto PAN-OS Custom Connector Name"
|
||||
|
|
@ -285,6 +285,31 @@
|
|||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"else": {
|
||||
"actions": {
|
||||
"Update_incident": {
|
||||
"runAfter": {},
|
||||
"type": "ApiConnection",
|
||||
"inputs": {
|
||||
"body": {
|
||||
"classification": {
|
||||
"ClassificationAndReason": "@triggerBody()?['object']?['properties']?['status']"
|
||||
},
|
||||
"incidentArmId": "@triggerBody()?['object']?['id']",
|
||||
"severity": "@triggerBody()?['object']?['properties']?['severity']",
|
||||
"status": "Closed"
|
||||
},
|
||||
"host": {
|
||||
"connection": {
|
||||
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
|
||||
}
|
||||
},
|
||||
"method": "put",
|
||||
"path": "/Incidents"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"expression": {
|
||||
"and": [
|
||||
{
|
||||
|
|
@ -370,57 +395,6 @@
|
|||
"from": "@createArray(body('Parse_verdict_JSON'))"
|
||||
},
|
||||
"description": "To create html table for incident comment"
|
||||
},
|
||||
"Create_adaptive_card_for_benign_verdict": {
|
||||
"runAfter": {
|
||||
"Add_incident_comment": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "SetVariable",
|
||||
"inputs": {
|
||||
"name": "InformativeAdaptiveCardBody",
|
||||
"value": [
|
||||
{
|
||||
"size": "Large",
|
||||
"text": "Incident URL - Azure Sentinel",
|
||||
"type": "TextBlock",
|
||||
"weight": "Bolder",
|
||||
"wrap": true
|
||||
},
|
||||
{
|
||||
"text": "@{items('For_each_URL')?['Url']} is having benign verdict value. Incident URL is not Blocked.",
|
||||
"type": "TextBlock",
|
||||
"wrap": true
|
||||
}
|
||||
]
|
||||
},
|
||||
"description": "To store adaptive card body"
|
||||
},
|
||||
"Update_incident": {
|
||||
"runAfter": {
|
||||
"Create_adaptive_card_for_benign_verdict": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "ApiConnection",
|
||||
"inputs": {
|
||||
"body": {
|
||||
"classification": {
|
||||
"ClassificationAndReason": "TruePositive - SuspiciousActivity"
|
||||
},
|
||||
"incidentArmId": "@triggerBody()?['object']?['id']",
|
||||
"severity": "@triggerBody()?['object']?['properties']?['severity']",
|
||||
"status": "Closed"
|
||||
},
|
||||
"host": {
|
||||
"connection": {
|
||||
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
|
||||
}
|
||||
},
|
||||
"method": "put",
|
||||
"path": "/Incidents"
|
||||
}
|
||||
}
|
||||
},
|
||||
"runAfter": {
|
||||
|
|
@ -1042,7 +1016,7 @@
|
|||
"inputs": {
|
||||
"body": {
|
||||
"incidentArmId": "@triggerBody()?['object']?['id']",
|
||||
"message": "<p>@{outputs('Add_icon_to_the_comments')} Palo Alto WildFire URL Enrichment Teams Playbook<br>\n<br>\n@{item()}</p>"
|
||||
"message": "<p>@{outputs('Add_icon_to_the_comments')} Palo Alto WildFire Block URL From Teams Playbook<br>\n<br>\n@{item()}</p>"
|
||||
},
|
||||
"host": {
|
||||
"connection": {
|
||||
|
|
@ -1208,7 +1182,7 @@
|
|||
"inputs": {
|
||||
"body": {
|
||||
"body": {
|
||||
"messageBody": "{\n \"type\": \"AdaptiveCard\",\n \"body\": [\n {\n \"type\": \"TextBlock\",\n \"weight\": \"Bolder\",\n \"text\": \"Below is/are the URL(s) blocked\",\n \"wrap\": true\n },\n\n {\n \"type\": \"TextBlock\",\n \"text\": \"@{outputs('Construct_string_from_consolidated_verdict_array')}\",\n \"wrap\": true\n },\n \n {\n \"text\": \" Incident # : @{triggerBody()?['object']?['properties']?['incidentNumber']} \",\n \"type\": \"TextBlock\",\n \"weight\": \"Bolder\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"[Click here to view the Incident](@{triggerBody()?['object']?['properties']?['incidentUrl']})\",\n \"wrap\": true\n },\n\n {\n \"type\": \"ColumnSet\",\n \"columns\": [\n {\n \"type\": \"Column\",\n \"items\": [\n {\n \"type\": \"TextBlock\",\n \"size\": \"Medium\",\n \"weight\": \"Bolder\",\n \"text\": \"Incident configuration :\",\n \"wrap\": true\n }\n ],\n \"width\": \"auto\"\n }\n ]\n },\n {\n \"type\": \"ColumnSet\",\n \"columns\": [\n {\n \"type\": \"Column\",\n \"items\": [\n {\n \"type\": \"Image\",\n \"style\": \"Person\",\n \"url\": \"https://connectoricons-prod.azureedge.net/releases/v1.0.1391/1.0.1391.2130/azuresentinel/icon.png\",\n \"size\": \"Small\"\n }\n ],\n \"width\": \"auto\"\n }\n ]\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Close Azure Sentinal incident?\"\n },\n {\n \"choices\": [\n {\n \"isSelected\": true,\n \"title\": \"False Positive - Inaccurate Data\",\n \"value\": \"False Positive - Inaccurate Data\"\n },\n {\n \"isSelected\": true,\n \"title\": \"False Positive - Incorrect Alert Logic\",\n \"value\": \"False Positive - Incorrect Alert Logic\"\n },\n {\n \"title\": \"True Positive - Suspicious Activity\",\n \"value\": \"True Positive - Suspicious Activity\"\n },\n {\n \"title\": \"Benign Positive - Suspicious But Expected\",\n \"value\": \"Benign Positive - Suspicious But Expected\"\n },\n {\n \"title\": \"Undetermined\",\n \"value\": \"Undetermined\"\n }\n ],\n \"id\": \"incidentStatus\",\n \"style\": \"compact\",\n \"type\": \"Input.ChoiceSet\",\n \"value\": \"Benign Positive - Suspicious But Expected\"\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Change Azure Sentinel Incident Severity?\"\n },\n {\n \"choices\": [\n {\n \n \"title\": \"High\",\n \"value\": \"High\"\n },\n {\n \"title\": \"Medium\",\n \"value\": \"Medium\"\n },\n {\n \"title\": \"Low\",\n \"value\": \"Low\"\n },\n {\n \"title\": \"Don't change\",\n \"value\": \"same\"\n }\n ],\n \"id\": \"incidentSeverity\",\n \"style\": \"compact\",\n \"type\": \"Input.ChoiceSet\",\n \"value\": \"@{triggerBody()?['object']?['properties']?['severity']}\"\n }\n \n \n \n ],\n\"width\":\"auto\",\n \"actions\": [\n {\n \"type\": \"Action.Submit\",\n \"title\": \"Update configuration\"\n }\n ],\n \"$schema\": \"http://adaptivecards.io/schemas/adaptive-card.json\",\n \"version\": \"1.2\"\n}",
|
||||
"messageBody": "{\n \"type\": \"AdaptiveCard\",\n \"body\": [\n {\n \"type\": \"TextBlock\",\n \"weight\": \"Bolder\",\n \"text\": \"Below is/are the URL(s) blocked\",\n \"wrap\": true\n },\n\n {\n \"type\": \"TextBlock\",\n \"text\": \"@{outputs('Construct_string_from_consolidated_verdict_array')}\",\n \"wrap\": true\n },\n \n {\n \"text\": \" Incident # : @{triggerBody()?['object']?['properties']?['incidentNumber']} \",\n \"type\": \"TextBlock\",\n \"weight\": \"Bolder\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"[Click here to view the Incident](@{triggerBody()?['object']?['properties']?['incidentUrl']})\",\n \"wrap\": true\n },\n\n {\n \"type\": \"ColumnSet\",\n \"columns\": [\n {\n \"type\": \"Column\",\n \"items\": [\n {\n \"type\": \"TextBlock\",\n \"size\": \"Medium\",\n \"weight\": \"Bolder\",\n \"text\": \"Incident configuration :\",\n \"wrap\": true\n }\n ],\n \"width\": \"auto\"\n }\n ]\n },\n {\n \"type\": \"ColumnSet\",\n \"columns\": [\n {\n \"type\": \"Column\",\n \"items\": [\n {\n \"type\": \"Image\",\n \"style\": \"Person\",\n \"url\": \"https://connectoricons-prod.azureedge.net/releases/v1.0.1391/1.0.1391.2130/azuresentinel/icon.png\",\n \"size\": \"Small\"\n }\n ],\n \"width\": \"auto\"\n }\n ]\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Close Azure Sentinal incident?\"\n },\n {\n \"choices\": [\n {\n \"isSelected\": true,\n \"title\": \"False Positive - Inaccurate Data\",\n \"value\": \"False Positive - Inaccurate Data\"\n },\n {\n \"isSelected\": true,\n \"title\": \"False Positive - Incorrect Alert Logic\",\n \"value\": \"False Positive - Incorrect Alert Logic\"\n },\n {\n \"title\": \"True Positive - Suspicious Activity\",\n \"value\": \"True Positive - Suspicious Activity\"\n },\n {\n \"title\": \"Benign Positive - Suspicious But Expected\",\n \"value\": \"Benign Positive - Suspicious But Expected\"\n },\n {\n \"title\": \"Undetermined\",\n \"value\": \"Undetermined\"\n }\n ],\n \"id\": \"incidentStatus\",\n \"style\": \"compact\",\n \"type\": \"Input.ChoiceSet\",\n \"value\": \"Benign Positive - Suspicious But Expected\"\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Change Azure Sentinel Incident Severity?\"\n },\n {\n \"choices\": [\n {\n \n \"title\": \"High\",\n \"value\": \"High\"\n },\n {\n \"title\": \"Medium\",\n \"value\": \"Medium\"\n },\n {\n \"title\": \"Low\",\n \"value\": \"Low\"\n },\n {\n \"title\": \"Don't change\",\n \"value\": \"same\"\n }\n ],\n \"id\": \"incidentSeverity\",\n \"style\": \"compact\",\n \"type\": \"Input.ChoiceSet\",\n \"value\": \"@{triggerBody()?['object']?['properties']?['severity']}\"\n }\n \n \n \n ],\n\"width\":\"auto\",\n \"actions\": [\n {\n \"type\": \"Action.Submit\",\n \"title\": \"Update configuration\"\n },\n {\n \"title\": \"Ignore\",\n \"type\": \"Action.Submit\"\n }\n ],\n \"$schema\": \"http://adaptivecards.io/schemas/adaptive-card.json\",\n \"version\": \"1.2\"\n}",
|
||||
"recipient": {
|
||||
"channelId": "19:9439f8f3bcf94355a5fd22c21582f0f7@thread.tacv2"
|
||||
},
|
||||
|
|
@ -1,4 +1,4 @@
|
|||
# Palo Alto Wildfire URL Enrichment Teams Playbook
|
||||
# Palo Alto Wildfire Block URL From Teams Playbook
|
||||
# Summary
|
||||
This playbook automates the URL verdict and adds it to security policy rules.
|
||||
|
||||
|
|
@ -31,7 +31,7 @@ When a new Azure Sentinel incident is created, this playbook gets triggered and
|
|||
|
||||
| Parameter | Description |
|
||||
| ------------- | ------------- |
|
||||
| **Playbook Name** | Enter the Playbook Name (e.g. Wildfire_URL_verdict_on_Teams) |
|
||||
| **Playbook Name** | Enter the Playbook Name |
|
||||
| **Wildfire API Key** | Enter the WildFire API Key |
|
||||
| **Security Policy Rule** | Enter the Security Policy Rule which is created in PAN-OS |
|
||||
| **Wildfire Custom Connector Name** | Enter the name of WildFire custom connector |
|
||||
|
|
@ -61,11 +61,11 @@ When a new Azure Sentinel incident is created, this playbook gets triggered and
|
|||
- If verdict status is not benign (phishing, malware, grayware) then it sends an adaptive card to the SOC user and creates address object for URL and adds address object into security policy rule.
|
||||
|
||||
## Enrich Incident with verdict or verdict report details as follows
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
## Adaptive card recieved by SOC
|
||||
|
||||
|
||||
|
||||
## SOC user can change the Configurations of incidents
|
||||
|
||||
Двоичные данные
Playbooks/PaloAlto-Wildfire/Playbooks/Block-URL/Images/IncidentCommentDark.jpg
Normal file
Двоичные данные
Playbooks/PaloAlto-Wildfire/Playbooks/Block-URL/Images/IncidentCommentDark.jpg
Normal file
Двоичный файл не отображается.
|
После Ширина: | Высота: | Размер: 32 KiB |
Двоичные данные
Playbooks/PaloAlto-Wildfire/Playbooks/Block-URL/Images/IncidentCommentDark1.jpg
Normal file
Двоичные данные
Playbooks/PaloAlto-Wildfire/Playbooks/Block-URL/Images/IncidentCommentDark1.jpg
Normal file
Двоичный файл не отображается.
|
После Ширина: | Высота: | Размер: 39 KiB |
Двоичные данные
Playbooks/PaloAlto-Wildfire/Playbooks/Block-URL/Images/IncidentCommentLight.jpg
Normal file
Двоичные данные
Playbooks/PaloAlto-Wildfire/Playbooks/Block-URL/Images/IncidentCommentLight.jpg
Normal file
Двоичный файл не отображается.
|
После Ширина: | Высота: | Размер: 29 KiB |
Двоичные данные
Playbooks/PaloAlto-Wildfire/Playbooks/Block-URL/Images/IncidentCommentLight1.jpg
Normal file
Двоичные данные
Playbooks/PaloAlto-Wildfire/Playbooks/Block-URL/Images/IncidentCommentLight1.jpg
Normal file
Двоичный файл не отображается.
|
После Ширина: | Высота: | Размер: 33 KiB |
Двоичные данные
Playbooks/PaloAlto-Wildfire/Playbooks/Block-URL/Images/MainStepsDark.png
Normal file
Двоичные данные
Playbooks/PaloAlto-Wildfire/Playbooks/Block-URL/Images/MainStepsDark.png
Normal file
Двоичный файл не отображается.
|
После Ширина: | Высота: | Размер: 131 KiB |
Двоичные данные
Playbooks/PaloAlto-Wildfire/Playbooks/Block-URL/Images/MainStepsLight.png
Normal file
Двоичные данные
Playbooks/PaloAlto-Wildfire/Playbooks/Block-URL/Images/MainStepsLight.png
Normal file
Двоичный файл не отображается.
|
После Ширина: | Высота: | Размер: 145 KiB |
|
До Ширина: | Высота: | Размер: 178 KiB После Ширина: | Высота: | Размер: 178 KiB |
|
До Ширина: | Высота: | Размер: 190 KiB После Ширина: | Высота: | Размер: 190 KiB |
|
|
@ -2,19 +2,19 @@
|
|||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"metadata": {
|
||||
"title": "URL verdict automation - Wildfire",
|
||||
"title": "Block URL - Palo Alto Wildfire and PAN-OS",
|
||||
"description": "This playbook used to add verdict URL security policy rules",
|
||||
"mainSteps": [ "1. Fetches detailed verdict information of the URL.", "2. Checks for verdict status. If it is benign then it closes the incident with URL verdict information.", "3. If verdict status is other than benign (phishing, malware, grayware) then it creates the address object for URL and adds address object to the security policy rules." ],
|
||||
"prerequisites": [
|
||||
"1. Palo Alto WildFire Custom Connector and PaloAlto PAN-OS custom connector needs to be deployed prior to the deployment of this playbook under the same resource group.",
|
||||
"1. Palo Alto WildFire Custom Connector and Palo Alto PAN-OS custom connector needs to be deployed prior to the deployment of this playbook under the same resource group.",
|
||||
"2. Generate wildfire API key to establish the connection to wildfire custom connector.",
|
||||
"3. Palo alto API key.",
|
||||
"3. Palo Alto WildFire API key.",
|
||||
"4. Security policy rule in the Palo Alto PAN-OS VM."
|
||||
],
|
||||
"prerequisitesDeployTemplateFile": [ "../../WildfireConnector/azuredeploy.json", "../../PaloAltoConnector/azuredeploy.json" ],
|
||||
"prerequisitesDeployTemplateFile": [ "../../WildfireConnector/azuredeploy.json" ],
|
||||
"lastUpdateTime": "2021-07-27T00:00:00.000Z",
|
||||
"entities": [ "URLs" ],
|
||||
"tags": [ "Automation" ],
|
||||
"entities": [ "URL" ],
|
||||
"tags": [ "Remediation" ],
|
||||
"support": {
|
||||
"tier": "community"
|
||||
},
|
||||
|
|
@ -24,10 +24,10 @@
|
|||
},
|
||||
"parameters": {
|
||||
"PlaybookName": {
|
||||
"defaultValue": "URLEnrichment-PaloAltoWildFire",
|
||||
"defaultValue": "Block-URL-PaloAltoWildFire",
|
||||
"type": "string",
|
||||
"metadata": {
|
||||
"description": "Enter URL Enrichment Playbook Name"
|
||||
"description": "Enter Block URL Playbook Name"
|
||||
},
|
||||
"minLength": 3
|
||||
},
|
||||
|
|
@ -40,7 +40,7 @@
|
|||
"minLength": 3
|
||||
},
|
||||
"PAN-OSCustomConnectorName": {
|
||||
"defaultValue": "PaloAltoPAN-OS",
|
||||
"defaultValue": "PaloAltoPANOS",
|
||||
"type": "String",
|
||||
"metadata": {
|
||||
"description": "Enter Palo Alto PAN-OS Custom Connector Name"
|
||||
|
|
@ -65,8 +65,7 @@
|
|||
"variables": {
|
||||
"WildFireConnectionName": "[concat('WildFireConnector-', parameters('PlaybookName'))]",
|
||||
"PANOSConnectionName": "[concat('PANOSConnector-', parameters('PlaybookName'))]",
|
||||
"AzureSentinelConnectionName": "[concat('AzureSentinelConnector-', parameters('PlaybookName'))]",
|
||||
"TeamsConnectionName": "[concat('TeamsConnector-', parameters('PlaybookName'))]"
|
||||
"AzureSentinelConnectionName": "[concat('AzureSentinelConnector-', parameters('PlaybookName'))]"
|
||||
},
|
||||
"resources": [
|
||||
{
|
||||
|
|
@ -107,19 +106,7 @@
|
|||
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Web/connections",
|
||||
"apiVersion": "2016-06-01",
|
||||
"name": "[variables('TeamsConnectionName')]",
|
||||
"location": "[resourceGroup().location]",
|
||||
"properties": {
|
||||
"customParameterValues": {},
|
||||
"api": {
|
||||
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/teams')]"
|
||||
}
|
||||
}
|
||||
},
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Logic/workflows",
|
||||
"apiVersion": "2017-07-01",
|
||||
|
|
@ -128,8 +115,7 @@
|
|||
"dependsOn": [
|
||||
"[resourceId('Microsoft.Web/connections', variables('PANOSConnectionName'))]",
|
||||
"[resourceId('Microsoft.Web/connections', variables('WildFireConnectionName'))]",
|
||||
"[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
|
||||
"[resourceId('Microsoft.Web/connections', variables('TeamsConnectionName'))]"
|
||||
"[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]"
|
||||
],
|
||||
"identity": {
|
||||
"type": "SystemAssigned"
|
||||
|
|
@ -172,7 +158,7 @@
|
|||
"actions": {
|
||||
"Add_icon_to_the_comment": {
|
||||
"runAfter": {
|
||||
"Post_adaptive_card_to_a_channel": [
|
||||
"Append_consolidated_comment": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
|
|
@ -182,7 +168,7 @@
|
|||
},
|
||||
"Append_consolidated_comment": {
|
||||
"runAfter": {
|
||||
"Create_adaptive_card_for_verdict": [
|
||||
"For_each_URL": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
|
|
@ -193,117 +179,6 @@
|
|||
},
|
||||
"description": "consolidate comments of each iteration to update to incident"
|
||||
},
|
||||
"Check_for_malicious_verdict": {
|
||||
"actions": {
|
||||
"Append_incident_comment": {
|
||||
"runAfter": {
|
||||
"Create_HTML_table_for_verdict": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "AppendToStringVariable",
|
||||
"inputs": {
|
||||
"name": "incidentComment",
|
||||
"value": "<b>Below list of URL(s) is/are associated with incident.</b>\n@{body('Create_HTML_table_for_verdict')}"
|
||||
},
|
||||
"description": "To append incident comment"
|
||||
},
|
||||
"Create_HTML_table_for_verdict": {
|
||||
"runAfter": {},
|
||||
"type": "Table",
|
||||
"inputs": {
|
||||
"columns": [
|
||||
{
|
||||
"header": "URL",
|
||||
"value": "@item()?['URL']"
|
||||
},
|
||||
{
|
||||
"header": "Verdict",
|
||||
"value": "@item()?['Wildfire_Verdict']"
|
||||
},
|
||||
{
|
||||
"header": "Security Policy Rule",
|
||||
"value": "@parameters('SecurityPolicyRule')"
|
||||
},
|
||||
{
|
||||
"header": "Action Taken",
|
||||
"value": "Blocked"
|
||||
}
|
||||
],
|
||||
"format": "HTML",
|
||||
"from": "@variables('ConsolidatedverdictArray')"
|
||||
},
|
||||
"description": "Create HTML table for verdict "
|
||||
}
|
||||
},
|
||||
"runAfter": {
|
||||
"For_each_URL": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"expression": {
|
||||
"and": [
|
||||
{
|
||||
"not": {
|
||||
"equals": [
|
||||
"@variables('ConsolidatedverdictArray')",
|
||||
"@null"
|
||||
]
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
"type": "If",
|
||||
"description": "Condition to check if verdict array has values"
|
||||
},
|
||||
"Construct_string_from_consolidated_verdict_array": {
|
||||
"runAfter": {
|
||||
"Check_for_malicious_verdict": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "Compose",
|
||||
"inputs": "@replace(replace(replace(replace(replace(replace(string(variables('ConsolidatedverdictArray')),'[',''),']',''),'\"',''),'{',''),'}',''),'\"','')",
|
||||
"description": "Construct verdict string from verdict array "
|
||||
},
|
||||
"Create_adaptive_card_for_verdict": {
|
||||
"runAfter": {
|
||||
"Construct_string_from_consolidated_verdict_array": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "SetVariable",
|
||||
"inputs": {
|
||||
"name": "InformativeAdaptiveCardBody",
|
||||
"value": [
|
||||
{
|
||||
"size": "Large",
|
||||
"text": " Verdict URL summary from Azure Sentinel",
|
||||
"type": "TextBlock",
|
||||
"weight": "Bolder",
|
||||
"wrap": true
|
||||
},
|
||||
{
|
||||
"size": "Large",
|
||||
"text": "Below URL(s) is/are blocked",
|
||||
"type": "TextBlock",
|
||||
"weight": "Bolder",
|
||||
"wrap": true
|
||||
},
|
||||
{
|
||||
"text": "@{outputs('Construct_string_from_consolidated_verdict_array')}",
|
||||
"type": "TextBlock",
|
||||
"wrap": true
|
||||
},
|
||||
{
|
||||
"text": "is/are having malicious verdict value & it is blocked in PAN-OS VM",
|
||||
"type": "TextBlock",
|
||||
"wrap": true
|
||||
}
|
||||
]
|
||||
},
|
||||
"description": "Create adaptive card for verdict"
|
||||
},
|
||||
"Entities_-_Get_URLs": {
|
||||
"runAfter": {},
|
||||
"type": "ApiConnection",
|
||||
|
|
@ -366,57 +241,6 @@
|
|||
"from": "@createArray(body('Parse_verdict_JSON'))"
|
||||
},
|
||||
"description": "To create html table for incident comment"
|
||||
},
|
||||
"Create_adaptive_card_for_benign_verdict": {
|
||||
"runAfter": {
|
||||
"Add_incident_comment": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "SetVariable",
|
||||
"inputs": {
|
||||
"name": "InformativeAdaptiveCardBody",
|
||||
"value": [
|
||||
{
|
||||
"size": "Large",
|
||||
"text": "Incident URL - Azure Sentinel",
|
||||
"type": "TextBlock",
|
||||
"weight": "Bolder",
|
||||
"wrap": true
|
||||
},
|
||||
{
|
||||
"text": "@{items('For_each_URL')?['Url']} is having benign verdict value. Incident URL is not blocked.",
|
||||
"type": "TextBlock",
|
||||
"wrap": true
|
||||
}
|
||||
]
|
||||
},
|
||||
"description": "To create adaptive card body"
|
||||
},
|
||||
"Update_incident": {
|
||||
"runAfter": {
|
||||
"Create_adaptive_card_for_benign_verdict": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "ApiConnection",
|
||||
"inputs": {
|
||||
"body": {
|
||||
"classification": {
|
||||
"ClassificationAndReason": "TruePositive - SuspiciousActivity"
|
||||
},
|
||||
"incidentArmId": "@triggerBody()?['object']?['id']",
|
||||
"severity": "@triggerBody()?['object']?['properties']?['severity']",
|
||||
"status": "Closed"
|
||||
},
|
||||
"host": {
|
||||
"connection": {
|
||||
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
|
||||
}
|
||||
},
|
||||
"method": "put",
|
||||
"path": "/Incidents"
|
||||
}
|
||||
}
|
||||
},
|
||||
"runAfter": {
|
||||
|
|
@ -426,6 +250,69 @@
|
|||
},
|
||||
"else": {
|
||||
"actions": {
|
||||
"Check_for_malicious_verdict": {
|
||||
"actions": {
|
||||
"Append_incident_comment": {
|
||||
"runAfter": {
|
||||
"Create_HTML_table_for_verdict": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "AppendToStringVariable",
|
||||
"inputs": {
|
||||
"name": "incidentComment",
|
||||
"value": "<b>Below list of URL(s) is/are associated with incident.</b>\n@{body('Create_HTML_table_for_verdict')}"
|
||||
},
|
||||
"description": "To append incident comment"
|
||||
},
|
||||
"Create_HTML_table_for_verdict": {
|
||||
"runAfter": {},
|
||||
"type": "Table",
|
||||
"inputs": {
|
||||
"columns": [
|
||||
{
|
||||
"header": "URL",
|
||||
"value": "@item()?['URL']"
|
||||
},
|
||||
{
|
||||
"header": "Verdict",
|
||||
"value": "@item()?['Wildfire_Verdict']"
|
||||
},
|
||||
{
|
||||
"header": "Security Policy Rule",
|
||||
"value": "@parameters('SecurityPolicyRule')"
|
||||
},
|
||||
{
|
||||
"header": "Action Taken",
|
||||
"value": "Blocked"
|
||||
}
|
||||
],
|
||||
"format": "HTML",
|
||||
"from": "@variables('ConsolidatedverdictArray')"
|
||||
},
|
||||
"description": "Create HTML table for verdict "
|
||||
}
|
||||
},
|
||||
"runAfter": {
|
||||
"Check_if_the_URL_is_added_to_security_policy_rules": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"expression": {
|
||||
"and": [
|
||||
{
|
||||
"not": {
|
||||
"equals": [
|
||||
"@variables('ConsolidatedverdictArray')",
|
||||
"@null"
|
||||
]
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
"type": "If",
|
||||
"description": "Condition to check if verdict array has values"
|
||||
},
|
||||
"Check_if_address_object_exists": {
|
||||
"actions": {
|
||||
"Check_if_security_rule_applied_to_URL": {
|
||||
|
|
@ -877,7 +764,7 @@
|
|||
"inputs": {
|
||||
"body": {
|
||||
"incidentArmId": "@triggerBody()?['object']?['id']",
|
||||
"message": "<p>@{outputs('Add_icon_to_the_comment')} Palo Alto WildFire URL Enrichment Playbook<br>\n<br>\n@{item()}</p>"
|
||||
"message": "<p>@{outputs('Add_icon_to_the_comment')} Palo Alto WildFire Block URL Playbook<br>\n<br>\n@{item()}</p>"
|
||||
},
|
||||
"host": {
|
||||
"connection": {
|
||||
|
|
@ -897,26 +784,9 @@
|
|||
"type": "Foreach",
|
||||
"description": "Loop for incident comment"
|
||||
},
|
||||
"Initialize_adaptive_card_message_variable": {
|
||||
"runAfter": {
|
||||
"Initialize_incident_comment_variable": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "InitializeVariable",
|
||||
"inputs": {
|
||||
"variables": [
|
||||
{
|
||||
"name": "InformativeAdaptiveCardBody",
|
||||
"type": "array"
|
||||
}
|
||||
]
|
||||
},
|
||||
"description": "To store the adaptive card message"
|
||||
},
|
||||
"Initialize_consolidated_comments_variable": {
|
||||
"runAfter": {
|
||||
"Initialize_adaptive_card_message_variable": [
|
||||
"Initialize_incident_comment_variable": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
|
|
@ -999,23 +869,6 @@
|
|||
},
|
||||
"description": "To store the verdict JOSN object"
|
||||
},
|
||||
"Initialize_verdict_URL_collections_variable": {
|
||||
"runAfter": {
|
||||
"Initialize_consolidated_comments_variable": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "InitializeVariable",
|
||||
"inputs": {
|
||||
"variables": [
|
||||
{
|
||||
"name": "VerdictURLs",
|
||||
"type": "array"
|
||||
}
|
||||
]
|
||||
},
|
||||
"description": "Tp store Invalid verdict URLs"
|
||||
},
|
||||
"Initialize_verdict_description_variable": {
|
||||
"runAfter": {
|
||||
"Initialize_destination_members_variable": [
|
||||
|
|
@ -1035,7 +888,7 @@
|
|||
},
|
||||
"Initialize_verdict_object_variable": {
|
||||
"runAfter": {
|
||||
"Initialize_verdict_URL_collections_variable": [
|
||||
"Initialize_consolidated_comments_variable": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
|
|
@ -1050,30 +903,29 @@
|
|||
},
|
||||
"description": "To store verdict object"
|
||||
},
|
||||
"Post_adaptive_card_to_a_channel": {
|
||||
"Update_incident": {
|
||||
"runAfter": {
|
||||
"Append_consolidated_comment": [
|
||||
"For_each_incident_comment": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "ApiConnection",
|
||||
"inputs": {
|
||||
"body": {
|
||||
"messageBody": "{\n \"type\": \"AdaptiveCard\",\n \"body\": [\n {\n \"size\": \"Small\",\n \"style\": \"Person\",\n \"type\": \"Image\",\n \"url\": \"https://avatars2.githubusercontent.com/u/4855743?s=280&v=4\"\n },\n {\n \"type\":\"ColumnSet\",\n \"columns\": [\n {\n \"type\":\"Column\",\n\n \"items\": @{variables('InformativeAdaptiveCardBody')},\n \"width\": \"auto\"\n \n }\n ]\n}\n ],\n \"$schema\": \"http://adaptivecards.io/schemas/adaptive-card.json\",\n \"version\": \"1.2\"\n}",
|
||||
"recipient": {
|
||||
"channelId": "19:9439f8f3bcf94355a5fd22c21582f0f7@thread.tacv2"
|
||||
}
|
||||
"classification": {
|
||||
"ClassificationAndReason": "TruePositive - SuspiciousActivity"
|
||||
},
|
||||
"incidentArmId": "@triggerBody()?['object']?['id']",
|
||||
"severity": "@triggerBody()?['object']?['properties']?['severity']",
|
||||
"status": "Closed"
|
||||
},
|
||||
"host": {
|
||||
"connection": {
|
||||
"name": "@parameters('$connections')['teams']['connectionId']"
|
||||
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
|
||||
}
|
||||
},
|
||||
"method": "post",
|
||||
"path": "/flowbot/actions/adaptivecard/recipienttypes/channel",
|
||||
"queries": {
|
||||
"groupId": "03f5260e-dec3-4047-8cac-38ffe019dd73"
|
||||
}
|
||||
"method": "put",
|
||||
"path": "/Incidents"
|
||||
}
|
||||
}
|
||||
},
|
||||
|
|
@ -1101,11 +953,6 @@
|
|||
"type": "ManagedServiceIdentity"
|
||||
}
|
||||
}
|
||||
},
|
||||
"teams": {
|
||||
"connectionId": "[resourceId('Microsoft.Web/connections', variables('TeamsConnectionName'))]",
|
||||
"connectionName": "[variables('TeamsConnectionName')]",
|
||||
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/teams')]"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
@ -1,6 +1,4 @@
|
|||
|
||||
|
||||
# Palo Alto Wildfire URL Enrichment Playbook
|
||||
# Palo Alto Wildfire Block URL Playbook
|
||||
# Summary
|
||||
This playbook automates the URL verdict and adds it to security policy rules.
|
||||
|
||||
|
|
@ -33,7 +31,7 @@ When a new Azure Sentinel incident is created, this playbook gets triggered and
|
|||
|
||||
| Parameter | Description |
|
||||
| ------------- | ------------- |
|
||||
| **Playbook Name** | Enter the Playbook Name (e.g. Wildfire_URL_verdict) |
|
||||
| **Playbook Name** | Enter the Playbook Name |
|
||||
| **Wildfire API Key** | Enter the WildFire API Key |
|
||||
| **Security Policy Rule** | Enter the Security Policy Rule which is created in PAN-OS |
|
||||
| **Wildfire Custom Connector Name** | Enter the name of WildFire custom connector |
|
||||
|
|
@ -63,14 +61,11 @@ When a new Azure Sentinel incident is created, this playbook gets triggered and
|
|||
- If verdict status benign (code=0), then it closes the incident with URL verdict information.
|
||||
- If verdict status is other than benign (phishing, malware, grayware), it automatically create address object for URL and adds address object into security policy rule.
|
||||
|
||||
## Incident Comment created by Palo Alto Wildfire URL Verdict Automation
|
||||
## Incident Comment created by Palo Alto Wildfire Block URL Playbook
|
||||
### When verdict status is benign
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
### When verdict status is not benign
|
||||
|
||||
|
||||
|
||||
## Triggered an infomative adaptive card for the SOC
|
||||
|
||||
|
||||
|
||||
Двоичные данные
Playbooks/PaloAlto-Wildfire/Playbooks/FileHash-Enrichment/Images/Email.jpg
Normal file
Двоичные данные
Playbooks/PaloAlto-Wildfire/Playbooks/FileHash-Enrichment/Images/Email.jpg
Normal file
Двоичный файл не отображается.
|
После Ширина: | Высота: | Размер: 89 KiB |
|
До Ширина: | Высота: | Размер: 15 KiB После Ширина: | Высота: | Размер: 15 KiB |
|
До Ширина: | Высота: | Размер: 145 KiB После Ширина: | Высота: | Размер: 145 KiB |
|
До Ширина: | Высота: | Размер: 15 KiB После Ширина: | Высота: | Размер: 15 KiB |
|
До Ширина: | Высота: | Размер: 126 KiB После Ширина: | Высота: | Размер: 126 KiB |
Двоичные данные
Playbooks/PaloAlto-Wildfire/Playbooks/FileHash-Enrichment/Images/MainStepsDark.png
Normal file
Двоичные данные
Playbooks/PaloAlto-Wildfire/Playbooks/FileHash-Enrichment/Images/MainStepsDark.png
Normal file
Двоичный файл не отображается.
|
После Ширина: | Высота: | Размер: 85 KiB |
Двоичные данные
Playbooks/PaloAlto-Wildfire/Playbooks/FileHash-Enrichment/Images/MainStepsLight.png
Normal file
Двоичные данные
Playbooks/PaloAlto-Wildfire/Playbooks/FileHash-Enrichment/Images/MainStepsLight.png
Normal file
Двоичный файл не отображается.
|
После Ширина: | Высота: | Размер: 85 KiB |
|
До Ширина: | Высота: | Размер: 179 KiB После Ширина: | Высота: | Размер: 179 KiB |
|
До Ширина: | Высота: | Размер: 190 KiB После Ширина: | Высота: | Размер: 190 KiB |
|
|
@ -2,16 +2,16 @@
|
|||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"metadata": {
|
||||
"title": "File hash enrichment - Wildfire",
|
||||
"title": "FileHash Enrichment - Palo Alto Wildfire",
|
||||
"description": "This playbook used to enrich sentinel incident with filehash information",
|
||||
"mainSteps": [ "1. Fetches detailed verdict information of the file hash.", "2. Enriches the incident with verdict information based on the verdict values (benign, phishing, malware, grayware)." ],
|
||||
"mainSteps": [ "1. Fetches detailed verdict information of the fileHash.", "2. Enriches the incident with verdict information based on the verdict values (benign, phishing, malware, grayware)." ],
|
||||
"prerequisites": [
|
||||
"1. Palo Alto WildFire Custom Connector needs to be deployed prior to the deployment of this playbook under the same resource group.",
|
||||
"2. Generate wildfire API key to establish the connection to wildfire custom connector."
|
||||
],
|
||||
"prerequisitesDeployTemplateFile": "../../WildfireConnector/azuredeploy.json",
|
||||
"lastUpdateTime": "2021-07-27T00:00:00.000Z",
|
||||
"entities": [ "FileHashes" ],
|
||||
"entities": [ "FileHash" ],
|
||||
"tags": [ "Enrichment" ],
|
||||
"support": {
|
||||
"tier": "community"
|
||||
|
|
@ -22,7 +22,7 @@
|
|||
},
|
||||
"parameters": {
|
||||
"PlaybookName": {
|
||||
"defaultValue": "FileHashEnrichment-PaloAltoWildFire",
|
||||
"defaultValue": "FileHash-Enrichment-PaloAltoWildFire",
|
||||
"type": "string",
|
||||
"metadata": {
|
||||
"description": "Enter FileHash Enrichment Playbook Name"
|
||||
|
|
@ -47,7 +47,7 @@
|
|||
"NotificationEmail": {
|
||||
"type": "string",
|
||||
"metadata": {
|
||||
"description": "Enter DL or SOC Email Address For Notification"
|
||||
"description": "Enter DL or SOC Email Address for receiving filehash report"
|
||||
},
|
||||
"minLength": 3
|
||||
}
|
||||
|
|
@ -155,7 +155,7 @@
|
|||
"type": "Compose",
|
||||
"inputs": "<img src=\"https://connectoricons-prod.azureedge.net/releases/v1.0.1500/1.0.1500.2502/azuresentinel/icon.png\",alt=\"Logo\" width=\"32\" height=\"32\" />\n"
|
||||
},
|
||||
"Entities_-_Get_FileHashes": {
|
||||
"Entities_-_Get_FileHash": {
|
||||
"runAfter": {},
|
||||
"type": "ApiConnection",
|
||||
"inputs": {
|
||||
|
|
@ -170,7 +170,7 @@
|
|||
}
|
||||
},
|
||||
"For_each_FileHash": {
|
||||
"foreach": "@body('Entities_-_Get_FileHashes')?['Filehashes']",
|
||||
"foreach": "@body('Entities_-_Get_FileHash')?['Filehashes']",
|
||||
"actions": {
|
||||
"Append_consolidated_comments": {
|
||||
"runAfter": {
|
||||
|
|
@ -539,8 +539,8 @@
|
|||
"Name": "@{items('For_each_FileHash')?['Value']}.pdf"
|
||||
}
|
||||
],
|
||||
"Body": "<p>@{outputs('WildFire_Logo')}@{outputs('Azure_Sentinel_Logo')}<br>\n<br>\nTitle - Palo Alto WildFire FileHash verdict report (@{items('For_each_FileHash')?['Value']})<br>\n<br>\n Summary of FileHash verdict report was posted as a comment to the incident. @{outputs('Add_incident_URL_to_Email')}<br>\n Attached is full report.<br>\n<br>\n<br>\n<span style=\"color: rgb(124,112,107)\">Note: This is an automatic mail sent by Azure Sentinel playbook.</span></p>",
|
||||
"Subject": "INC#:@{triggerBody()?['object']?['properties']?['incidentNumber']} @{items('For_each_FileHash')?['Value']}- Palo Alto WildFire FileHash Verdict Report",
|
||||
"Body": "<p>@{outputs('WildFire_Logo')}@{outputs('Azure_Sentinel_Logo')}<br>\n<br>\nPalo Alto WildFire FileHash verdict report (@{items('For_each_FileHash')?['Value']})<br>\n<br>\n* Summary of FileHash verdict report was posted as a comment to the incident. @{outputs('Add_incident_URL_to_Email')}<br>\n* Attached is full report.<br>\n<br>\n<br>\n<span style=\"color: rgb(124,112,107)\">Note: This is an automatic mail sent by Azure Sentinel playbook.</span></p>",
|
||||
"Subject": "INC#@{triggerBody()?['object']?['properties']?['incidentNumber']} - Palo Alto WildFire FileHash Verdict Report (@{items('For_each_FileHash')?['Value']})",
|
||||
"To": "@{triggerBody()?['object']?['properties']?['owner']?['email']};@{parameters('NotificationEmail')}"
|
||||
},
|
||||
"host": {
|
||||
|
|
@ -753,7 +753,7 @@
|
|||
},
|
||||
"Initialize_report_JSON_object_variable": {
|
||||
"runAfter": {
|
||||
"Entities_-_Get_FileHashes": [
|
||||
"Entities_-_Get_FileHash": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
|
|
@ -26,7 +26,7 @@ When a new Azure Sentinel incident is created, this playbook gets triggered and
|
|||
|
||||
| Parameter | Description |
|
||||
| ------------- | ------------- |
|
||||
| **Playbook Name** | Enter the Playbook Name (e.g. Wildfire-file-hash-Enrichment) |
|
||||
| **Playbook Name** | Enter the Playbook Name|
|
||||
| **Wildfire API Key** | Enter the WildFire API Key |
|
||||
| **Wildfire Custom Connector Name** | Enter the name of WildFire custom connector |
|
||||
| **Notification Email** | Enter the DL or SOC email address for receiving filehash report|
|
||||
|
|
@ -68,4 +68,4 @@ When a new Azure Sentinel incident is created, this playbook gets triggered and
|
|||
|
||||
## **Email received by SOC when verdict status is other than benign**
|
||||
|
||||
|
||||
|
||||
Двоичный файл не отображается.
|
До Ширина: | Высота: | Размер: 674 KiB |
Двоичный файл не отображается.
|
До Ширина: | Высота: | Размер: 881 KiB |
Двоичный файл не отображается.
|
До Ширина: | Высота: | Размер: 613 KiB |
Двоичный файл не отображается.
|
До Ширина: | Высота: | Размер: 12 KiB |
Двоичный файл не отображается.
|
До Ширина: | Высота: | Размер: 12 KiB |
Двоичный файл не отображается.
|
До Ширина: | Высота: | Размер: 854 KiB |
Двоичный файл не отображается.
|
До Ширина: | Высота: | Размер: 13 KiB |
Двоичный файл не отображается.
|
До Ширина: | Высота: | Размер: 12 KiB |
Двоичный файл не отображается.
|
До Ширина: | Высота: | Размер: 13 KiB |
Двоичный файл не отображается.
|
До Ширина: | Высота: | Размер: 12 KiB |
|
|
@ -0,0 +1,9 @@
|
|||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<wildfire>
|
||||
<get-verdict-info>
|
||||
<url>www.google.com</url>
|
||||
<verdict>0</verdict>
|
||||
<analysis_time>2021-08-10T20:30:29Z</analysis_time>
|
||||
<valid>Yes</valid>
|
||||
</get-verdict-info>
|
||||
</wildfire>
|
||||
|
|
@ -2,20 +2,23 @@
|
|||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"metadata": {
|
||||
"title": "Logic Apps Custom Connector and Playbook templates - Wildfire",
|
||||
"title": "Logic Apps Custom Connector and Playbook templates - Palo Alto Wildfire and PAN-OS",
|
||||
"description": "This is a consolidated json file for deploying WildFire custom connector + 3 Playbooks",
|
||||
"mainSteps": [ "Filehash enrichment: 1. Fetches detailed verdict information of the filehash. 2. Enriches the incident with verdict information based on the verdict values (benign, phishing, malware, grayware).", "URL on Teams : 1. Fetches detailed verdict information of the URL. 2. Checks for verdict status. If it is benign then it closes the incident with URL verdict information. 3. If verdict status is other than benign (phishing, malware, grayware) then it creates the address object for URL and adds address object to the security policy rules.", "URL on Teams : 1. Fetches detailed verdict information of the URL. 2. Checks for verdict status. If it is benign then it closes the incident with URL verdict information. 3. If verdict status is other than benign (phishing, malware, grayware) then it creates the address object for URL and adds address object to the security policy rules." ],
|
||||
"mainSteps": [
|
||||
"Filehash Enrichment: 1. Fetches detailed verdict information of the filehash. 2. Enriches the incident with verdict information based on the verdict values (benign, phishing, malware, grayware).",
|
||||
"Block URL: 1. Fetches detailed verdict information of the URL. 2. Checks for verdict status. If it is benign then it closes the incident with URL verdict information. 3. If verdict status is other than benign (phishing, malware, grayware) then it creates the address object for URL and adds address object to the security policy rules.",
|
||||
"Block URL From Teams : 1. Fetches detailed verdict information of the URL. 2. Checks for verdict status. If it is benign then it closes the incident with URL verdict information. 3. If verdict status is other than benign (phishing, malware, grayware) then it creates the address object for URL and adds address object to the security policy rules."
|
||||
],
|
||||
"prerequisites": [
|
||||
"1. PaloAlto PAN-OS custom connector needs to be deployed prior to the deployment of this playbook under the same resource group.",
|
||||
"2. Generate wildfire API key to establish the connection to wildfire custom connector.",
|
||||
"3. Palo alto API key.",
|
||||
"3. Palo alto Wildfire API key.",
|
||||
"4. Security policy rule in the Palo Alto PAN-OS VM.",
|
||||
"5. Wildfire API end point should be known."
|
||||
"5. Wildfire API Serivce Endpoint should be known."
|
||||
],
|
||||
"prerequisitesDeployTemplateFile": [ "../../PaloAltoConnector/azuredeploy.json" ],
|
||||
"lastUpdateTime": "2021-07-27T00:00:00.000Z",
|
||||
"entities": [ "URLs", "Filehash" ],
|
||||
"tags": [ "Teams", "enrichment", "automation" ],
|
||||
"entities": [ "URL", "Filehash" ],
|
||||
"tags": [ "Remediation", "Response from teams", "Enrichment" ],
|
||||
"support": {
|
||||
"tier": "community"
|
||||
},
|
||||
|
|
@ -25,26 +28,26 @@
|
|||
},
|
||||
"parameters": {
|
||||
"FilehashEnrichmentPlaybookName": {
|
||||
"defaultValue": "FileHashEnrichment-PaloAltoWildFire",
|
||||
"defaultValue": "FileHash-Enrichment-PaloAltoWildFire",
|
||||
"type": "string",
|
||||
"metadata": {
|
||||
"description": "Enter Filehash Enrichment Playbook Name"
|
||||
},
|
||||
"minLength": 3
|
||||
},
|
||||
"URLEnrichmentPlaybookName": {
|
||||
"defaultValue": "URLEnrichment-PaloAltoWildFire",
|
||||
"BlockURLPlaybookName": {
|
||||
"defaultValue": "Block-URL-PaloAltoWildFire",
|
||||
"type": "string",
|
||||
"metadata": {
|
||||
"description": "Enter URL Enrichment Playbook Name"
|
||||
"description": "Enter Block URL Playbook Name"
|
||||
},
|
||||
"minLength": 3
|
||||
},
|
||||
"URLEnrichmentTeamsPlaybookName": {
|
||||
"defaultValue": "URLEnrichmentTeams-PaloAltoWildFire",
|
||||
"BlockURLFromTeamsPlaybookName": {
|
||||
"defaultValue": "Block-URL-From-Teams-PaloAltoWildFire",
|
||||
"type": "string",
|
||||
"metadata": {
|
||||
"description": "Enter URL Enrichment Teams Playbook Name"
|
||||
"description": "Enter Block URL From Teams Playbook Name"
|
||||
},
|
||||
"minLength": 3
|
||||
},
|
||||
|
|
@ -73,12 +76,12 @@
|
|||
"NotificationEmail": {
|
||||
"type": "string",
|
||||
"metadata": {
|
||||
"description": "Enter DL or SOC Email Address For Notification"
|
||||
"description": "Enter DL or SOC Email Address for receiving filehash report"
|
||||
},
|
||||
"minLength": 3
|
||||
},
|
||||
"PAN-OSCustomConnectorName": {
|
||||
"defaultValue": "PaloAltoPAN-OS",
|
||||
"defaultValue": "PaloAltoPANOS",
|
||||
"type": "String",
|
||||
"metadata": {
|
||||
"description": "Enter Palo Alto PAN-OS Custom Connector Name"
|
||||
|
|
@ -760,7 +763,7 @@
|
|||
"type": "Compose",
|
||||
"inputs": "<img src=\"https://connectoricons-prod.azureedge.net/releases/v1.0.1500/1.0.1500.2502/azuresentinel/icon.png\",alt=\"Logo\" width=\"32\" height=\"32\" />\n"
|
||||
},
|
||||
"Entities_-_Get_FileHashes": {
|
||||
"Entities_-_Get_FileHash": {
|
||||
"runAfter": {},
|
||||
"type": "ApiConnection",
|
||||
"inputs": {
|
||||
|
|
@ -775,7 +778,7 @@
|
|||
}
|
||||
},
|
||||
"For_each_FileHash": {
|
||||
"foreach": "@body('Entities_-_Get_FileHashes')?['Filehashes']",
|
||||
"foreach": "@body('Entities_-_Get_FileHash')?['Filehashes']",
|
||||
"actions": {
|
||||
"Append_consolidated_comments": {
|
||||
"runAfter": {
|
||||
|
|
@ -1144,8 +1147,8 @@
|
|||
"Name": "@{items('For_each_FileHash')?['Value']}.pdf"
|
||||
}
|
||||
],
|
||||
"Body": "<p>@{outputs('WildFire_Logo')}@{outputs('Azure_Sentinel_Logo')}<br>\n<br>\nTitle - Palo Alto WildFire FileHash verdict report (@{items('For_each_FileHash')?['Value']})<br>\n<br>\n Summary of FileHash verdict report was posted as a comment to the incident. @{outputs('Add_incident_URL_to_Email')}<br>\n Attached is full report.<br>\n<br>\n<br>\n<span style=\"color: rgb(124,112,107)\">Note: This is an automatic mail sent by Azure Sentinel playbook.</span></p>",
|
||||
"Subject": "INC#:@{triggerBody()?['object']?['properties']?['incidentNumber']} @{items('For_each_FileHash')?['Value']}- Palo Alto WildFire FileHash Verdict Report",
|
||||
"Body": "<p>@{outputs('WildFire_Logo')}@{outputs('Azure_Sentinel_Logo')}<br>\n<br>\nPalo Alto WildFire FileHash verdict report (@{items('For_each_FileHash')?['Value']})<br>\n<br>\n* Summary of FileHash verdict report was posted as a comment to the incident. @{outputs('Add_incident_URL_to_Email')}<br>\n* Attached is full report.<br>\n<br>\n<br>\n<span style=\"color: rgb(124,112,107)\">Note: This is an automatic mail sent by Azure Sentinel playbook.</span></p>",
|
||||
"Subject": "INC#@{triggerBody()?['object']?['properties']?['incidentNumber']} - Palo Alto WildFire FileHash Verdict Report (@{items('For_each_FileHash')?['Value']})",
|
||||
"To": "@{triggerBody()?['object']?['properties']?['owner']?['email']};@{parameters('NotificationEmail')}"
|
||||
},
|
||||
"host": {
|
||||
|
|
@ -1358,7 +1361,7 @@
|
|||
},
|
||||
"Initialize_report_JSON_object_variable": {
|
||||
"runAfter": {
|
||||
"Entities_-_Get_FileHashes": [
|
||||
"Entities_-_Get_FileHash": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
|
|
@ -1450,13 +1453,12 @@
|
|||
{
|
||||
"type": "Microsoft.Logic/workflows",
|
||||
"apiVersion": "2017-07-01",
|
||||
"name": "[parameters('URLEnrichmentPlaybookName')]",
|
||||
"name": "[parameters('BlockURLPlaybookName')]",
|
||||
"location": "[resourceGroup().location]",
|
||||
"dependsOn": [
|
||||
"[resourceId('Microsoft.Web/connections', variables('PANOSConnectionName'))]",
|
||||
"[resourceId('Microsoft.Web/connections', variables('WildFireConnectionName'))]",
|
||||
"[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
|
||||
"[resourceId('Microsoft.Web/connections', variables('TeamsConnectionName'))]"
|
||||
"[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]"
|
||||
],
|
||||
"identity": {
|
||||
"type": "SystemAssigned"
|
||||
|
|
@ -1499,7 +1501,7 @@
|
|||
"actions": {
|
||||
"Add_icon_to_the_comment": {
|
||||
"runAfter": {
|
||||
"Post_adaptive_card_to_a_channel": [
|
||||
"Append_consolidated_comment": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
|
|
@ -1509,7 +1511,7 @@
|
|||
},
|
||||
"Append_consolidated_comment": {
|
||||
"runAfter": {
|
||||
"Create_adaptive_card_for_verdict": [
|
||||
"For_each_URL": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
|
|
@ -1520,117 +1522,6 @@
|
|||
},
|
||||
"description": "consolidate comments of each iteration to update to incident"
|
||||
},
|
||||
"Check_for_malicious_verdict": {
|
||||
"actions": {
|
||||
"Append_incident_comment": {
|
||||
"runAfter": {
|
||||
"Create_HTML_table_for_verdict": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "AppendToStringVariable",
|
||||
"inputs": {
|
||||
"name": "incidentComment",
|
||||
"value": "<b>Below list of URL(s) is/are associated with incident.</b>\n@{body('Create_HTML_table_for_verdict')}"
|
||||
},
|
||||
"description": "To append incident comment"
|
||||
},
|
||||
"Create_HTML_table_for_verdict": {
|
||||
"runAfter": {},
|
||||
"type": "Table",
|
||||
"inputs": {
|
||||
"columns": [
|
||||
{
|
||||
"header": "URL",
|
||||
"value": "@item()?['URL']"
|
||||
},
|
||||
{
|
||||
"header": "Verdict",
|
||||
"value": "@item()?['Wildfire_Verdict']"
|
||||
},
|
||||
{
|
||||
"header": "Security Policy Rule",
|
||||
"value": "@parameters('SecurityPolicyRule')"
|
||||
},
|
||||
{
|
||||
"header": "Action Taken",
|
||||
"value": "Blocked"
|
||||
}
|
||||
],
|
||||
"format": "HTML",
|
||||
"from": "@variables('ConsolidatedverdictArray')"
|
||||
},
|
||||
"description": "Create HTML table for verdict "
|
||||
}
|
||||
},
|
||||
"runAfter": {
|
||||
"For_each_URL": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"expression": {
|
||||
"and": [
|
||||
{
|
||||
"not": {
|
||||
"equals": [
|
||||
"@variables('ConsolidatedverdictArray')",
|
||||
"@null"
|
||||
]
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
"type": "If",
|
||||
"description": "Condition to check if verdict array has values"
|
||||
},
|
||||
"Construct_string_from_consolidated_verdict_array": {
|
||||
"runAfter": {
|
||||
"Check_for_malicious_verdict": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "Compose",
|
||||
"inputs": "@replace(replace(replace(replace(replace(replace(string(variables('ConsolidatedverdictArray')),'[',''),']',''),'\"',''),'{',''),'}',''),'\"','')",
|
||||
"description": "Construct verdict string from verdict array "
|
||||
},
|
||||
"Create_adaptive_card_for_verdict": {
|
||||
"runAfter": {
|
||||
"Construct_string_from_consolidated_verdict_array": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "SetVariable",
|
||||
"inputs": {
|
||||
"name": "InformativeAdaptiveCardBody",
|
||||
"value": [
|
||||
{
|
||||
"size": "Large",
|
||||
"text": " Verdict URL summary from Azure Sentinel",
|
||||
"type": "TextBlock",
|
||||
"weight": "Bolder",
|
||||
"wrap": true
|
||||
},
|
||||
{
|
||||
"size": "Large",
|
||||
"text": "Below URL(s) is/are blocked",
|
||||
"type": "TextBlock",
|
||||
"weight": "Bolder",
|
||||
"wrap": true
|
||||
},
|
||||
{
|
||||
"text": "@{outputs('Construct_string_from_consolidated_verdict_array')}",
|
||||
"type": "TextBlock",
|
||||
"wrap": true
|
||||
},
|
||||
{
|
||||
"text": "is/are having malicious verdict value & it is blocked in PAN-OS VM",
|
||||
"type": "TextBlock",
|
||||
"wrap": true
|
||||
}
|
||||
]
|
||||
},
|
||||
"description": "Create adaptive card for verdict"
|
||||
},
|
||||
"Entities_-_Get_URLs": {
|
||||
"runAfter": {},
|
||||
"type": "ApiConnection",
|
||||
|
|
@ -1693,57 +1584,6 @@
|
|||
"from": "@createArray(body('Parse_verdict_JSON'))"
|
||||
},
|
||||
"description": "To create html table for incident comment"
|
||||
},
|
||||
"Create_adaptive_card_for_benign_verdict": {
|
||||
"runAfter": {
|
||||
"Add_incident_comment": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "SetVariable",
|
||||
"inputs": {
|
||||
"name": "InformativeAdaptiveCardBody",
|
||||
"value": [
|
||||
{
|
||||
"size": "Large",
|
||||
"text": "Incident URL - Azure Sentinel",
|
||||
"type": "TextBlock",
|
||||
"weight": "Bolder",
|
||||
"wrap": true
|
||||
},
|
||||
{
|
||||
"text": "@{items('For_each_URL')?['Url']} is having benign verdict value. Incident URL is not blocked.",
|
||||
"type": "TextBlock",
|
||||
"wrap": true
|
||||
}
|
||||
]
|
||||
},
|
||||
"description": "To create adaptive card body"
|
||||
},
|
||||
"Update_incident": {
|
||||
"runAfter": {
|
||||
"Create_adaptive_card_for_benign_verdict": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "ApiConnection",
|
||||
"inputs": {
|
||||
"body": {
|
||||
"classification": {
|
||||
"ClassificationAndReason": "TruePositive - SuspiciousActivity"
|
||||
},
|
||||
"incidentArmId": "@triggerBody()?['object']?['id']",
|
||||
"severity": "@triggerBody()?['object']?['properties']?['severity']",
|
||||
"status": "Closed"
|
||||
},
|
||||
"host": {
|
||||
"connection": {
|
||||
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
|
||||
}
|
||||
},
|
||||
"method": "put",
|
||||
"path": "/Incidents"
|
||||
}
|
||||
}
|
||||
},
|
||||
"runAfter": {
|
||||
|
|
@ -1753,6 +1593,69 @@
|
|||
},
|
||||
"else": {
|
||||
"actions": {
|
||||
"Check_for_malicious_verdict": {
|
||||
"actions": {
|
||||
"Append_incident_comment": {
|
||||
"runAfter": {
|
||||
"Create_HTML_table_for_verdict": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "AppendToStringVariable",
|
||||
"inputs": {
|
||||
"name": "incidentComment",
|
||||
"value": "<b>Below list of URL(s) is/are associated with incident.</b>\n@{body('Create_HTML_table_for_verdict')}"
|
||||
},
|
||||
"description": "To append incident comment"
|
||||
},
|
||||
"Create_HTML_table_for_verdict": {
|
||||
"runAfter": {},
|
||||
"type": "Table",
|
||||
"inputs": {
|
||||
"columns": [
|
||||
{
|
||||
"header": "URL",
|
||||
"value": "@item()?['URL']"
|
||||
},
|
||||
{
|
||||
"header": "Verdict",
|
||||
"value": "@item()?['Wildfire_Verdict']"
|
||||
},
|
||||
{
|
||||
"header": "Security Policy Rule",
|
||||
"value": "@parameters('SecurityPolicyRule')"
|
||||
},
|
||||
{
|
||||
"header": "Action Taken",
|
||||
"value": "Blocked"
|
||||
}
|
||||
],
|
||||
"format": "HTML",
|
||||
"from": "@variables('ConsolidatedverdictArray')"
|
||||
},
|
||||
"description": "Create HTML table for verdict "
|
||||
}
|
||||
},
|
||||
"runAfter": {
|
||||
"Check_if_the_URL_is_added_to_security_policy_rules": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"expression": {
|
||||
"and": [
|
||||
{
|
||||
"not": {
|
||||
"equals": [
|
||||
"@variables('ConsolidatedverdictArray')",
|
||||
"@null"
|
||||
]
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
"type": "If",
|
||||
"description": "Condition to check if verdict array has values"
|
||||
},
|
||||
"Check_if_address_object_exists": {
|
||||
"actions": {
|
||||
"Check_if_security_rule_applied_to_URL": {
|
||||
|
|
@ -2204,7 +2107,7 @@
|
|||
"inputs": {
|
||||
"body": {
|
||||
"incidentArmId": "@triggerBody()?['object']?['id']",
|
||||
"message": "<p>@{outputs('Add_icon_to_the_comment')} Palo Alto WildFire URL Enrichment Playbook<br>\n<br>\n@{item()}</p>"
|
||||
"message": "<p>@{outputs('Add_icon_to_the_comment')} Palo Alto WildFire Block URL Playbook<br>\n<br>\n@{item()}</p>"
|
||||
},
|
||||
"host": {
|
||||
"connection": {
|
||||
|
|
@ -2224,26 +2127,9 @@
|
|||
"type": "Foreach",
|
||||
"description": "Loop for incident comment"
|
||||
},
|
||||
"Initialize_adaptive_card_message_variable": {
|
||||
"runAfter": {
|
||||
"Initialize_incident_comment_variable": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "InitializeVariable",
|
||||
"inputs": {
|
||||
"variables": [
|
||||
{
|
||||
"name": "InformativeAdaptiveCardBody",
|
||||
"type": "array"
|
||||
}
|
||||
]
|
||||
},
|
||||
"description": "To store the adaptive card message"
|
||||
},
|
||||
"Initialize_consolidated_comments_variable": {
|
||||
"runAfter": {
|
||||
"Initialize_adaptive_card_message_variable": [
|
||||
"Initialize_incident_comment_variable": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
|
|
@ -2326,23 +2212,6 @@
|
|||
},
|
||||
"description": "To store the verdict JOSN object"
|
||||
},
|
||||
"Initialize_verdict_URL_collections_variable": {
|
||||
"runAfter": {
|
||||
"Initialize_consolidated_comments_variable": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "InitializeVariable",
|
||||
"inputs": {
|
||||
"variables": [
|
||||
{
|
||||
"name": "VerdictURLs",
|
||||
"type": "array"
|
||||
}
|
||||
]
|
||||
},
|
||||
"description": "Tp store Invalid verdict URLs"
|
||||
},
|
||||
"Initialize_verdict_description_variable": {
|
||||
"runAfter": {
|
||||
"Initialize_destination_members_variable": [
|
||||
|
|
@ -2362,7 +2231,7 @@
|
|||
},
|
||||
"Initialize_verdict_object_variable": {
|
||||
"runAfter": {
|
||||
"Initialize_verdict_URL_collections_variable": [
|
||||
"Initialize_consolidated_comments_variable": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
|
|
@ -2377,30 +2246,29 @@
|
|||
},
|
||||
"description": "To store verdict object"
|
||||
},
|
||||
"Post_adaptive_card_to_a_channel": {
|
||||
"Update_incident": {
|
||||
"runAfter": {
|
||||
"Append_consolidated_comment": [
|
||||
"For_each_incident_comment": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "ApiConnection",
|
||||
"inputs": {
|
||||
"body": {
|
||||
"messageBody": "{\n \"type\": \"AdaptiveCard\",\n \"body\": [\n {\n \"size\": \"Small\",\n \"style\": \"Person\",\n \"type\": \"Image\",\n \"url\": \"https://avatars2.githubusercontent.com/u/4855743?s=280&v=4\"\n },\n {\n \"type\":\"ColumnSet\",\n \"columns\": [\n {\n \"type\":\"Column\",\n\n \"items\": @{variables('InformativeAdaptiveCardBody')},\n \"width\": \"auto\"\n \n }\n ]\n}\n ],\n \"$schema\": \"http://adaptivecards.io/schemas/adaptive-card.json\",\n \"version\": \"1.2\"\n}",
|
||||
"recipient": {
|
||||
"channelId": "19:9439f8f3bcf94355a5fd22c21582f0f7@thread.tacv2"
|
||||
}
|
||||
"classification": {
|
||||
"ClassificationAndReason": "TruePositive - SuspiciousActivity"
|
||||
},
|
||||
"incidentArmId": "@triggerBody()?['object']?['id']",
|
||||
"severity": "@triggerBody()?['object']?['properties']?['severity']",
|
||||
"status": "Closed"
|
||||
},
|
||||
"host": {
|
||||
"connection": {
|
||||
"name": "@parameters('$connections')['teams']['connectionId']"
|
||||
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
|
||||
}
|
||||
},
|
||||
"method": "post",
|
||||
"path": "/flowbot/actions/adaptivecard/recipienttypes/channel",
|
||||
"queries": {
|
||||
"groupId": "03f5260e-dec3-4047-8cac-38ffe019dd73"
|
||||
}
|
||||
"method": "put",
|
||||
"path": "/Incidents"
|
||||
}
|
||||
}
|
||||
},
|
||||
|
|
@ -2428,11 +2296,6 @@
|
|||
"type": "ManagedServiceIdentity"
|
||||
}
|
||||
}
|
||||
},
|
||||
"teams": {
|
||||
"connectionId": "[resourceId('Microsoft.Web/connections', variables('TeamsConnectionName'))]",
|
||||
"connectionName": "[variables('TeamsConnectionName')]",
|
||||
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/teams')]"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
@ -2442,7 +2305,7 @@
|
|||
{
|
||||
"type": "Microsoft.Logic/workflows",
|
||||
"apiVersion": "2017-07-01",
|
||||
"name": "[parameters('URLEnrichmentTeamsPlaybookName')]",
|
||||
"name": "[parameters('BlockURLFromTeamsPlaybookName')]",
|
||||
"location": "[resourceGroup().location]",
|
||||
"dependsOn": [
|
||||
"[resourceId('Microsoft.Web/connections', variables('PANOSConnectionName'))]",
|
||||
|
|
@ -2604,6 +2467,31 @@
|
|||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"else": {
|
||||
"actions": {
|
||||
"Update_incident": {
|
||||
"runAfter": {},
|
||||
"type": "ApiConnection",
|
||||
"inputs": {
|
||||
"body": {
|
||||
"classification": {
|
||||
"ClassificationAndReason": "@triggerBody()?['object']?['properties']?['status']"
|
||||
},
|
||||
"incidentArmId": "@triggerBody()?['object']?['id']",
|
||||
"severity": "@triggerBody()?['object']?['properties']?['severity']",
|
||||
"status": "Closed"
|
||||
},
|
||||
"host": {
|
||||
"connection": {
|
||||
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
|
||||
}
|
||||
},
|
||||
"method": "put",
|
||||
"path": "/Incidents"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"expression": {
|
||||
"and": [
|
||||
{
|
||||
|
|
@ -2689,57 +2577,6 @@
|
|||
"from": "@createArray(body('Parse_verdict_JSON'))"
|
||||
},
|
||||
"description": "To create html table for incident comment"
|
||||
},
|
||||
"Create_adaptive_card_for_benign_verdict": {
|
||||
"runAfter": {
|
||||
"Add_incident_comment": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "SetVariable",
|
||||
"inputs": {
|
||||
"name": "InformativeAdaptiveCardBody",
|
||||
"value": [
|
||||
{
|
||||
"size": "Large",
|
||||
"text": "Incident URL - Azure Sentinel",
|
||||
"type": "TextBlock",
|
||||
"weight": "Bolder",
|
||||
"wrap": true
|
||||
},
|
||||
{
|
||||
"text": "@{items('For_each_URL')?['Url']} is having benign verdict value. Incident URL is not Blocked.",
|
||||
"type": "TextBlock",
|
||||
"wrap": true
|
||||
}
|
||||
]
|
||||
},
|
||||
"description": "To store adaptive card body"
|
||||
},
|
||||
"Update_incident": {
|
||||
"runAfter": {
|
||||
"Create_adaptive_card_for_benign_verdict": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "ApiConnection",
|
||||
"inputs": {
|
||||
"body": {
|
||||
"classification": {
|
||||
"ClassificationAndReason": "TruePositive - SuspiciousActivity"
|
||||
},
|
||||
"incidentArmId": "@triggerBody()?['object']?['id']",
|
||||
"severity": "@triggerBody()?['object']?['properties']?['severity']",
|
||||
"status": "Closed"
|
||||
},
|
||||
"host": {
|
||||
"connection": {
|
||||
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
|
||||
}
|
||||
},
|
||||
"method": "put",
|
||||
"path": "/Incidents"
|
||||
}
|
||||
}
|
||||
},
|
||||
"runAfter": {
|
||||
|
|
@ -3361,7 +3198,7 @@
|
|||
"inputs": {
|
||||
"body": {
|
||||
"incidentArmId": "@triggerBody()?['object']?['id']",
|
||||
"message": "<p>@{outputs('Add_icon_to_the_comments')} Palo Alto WildFire URL Enrichment Teams Playbook<br>\n<br>\n@{item()}</p>"
|
||||
"message": "<p>@{outputs('Add_icon_to_the_comments')} Palo Alto WildFire Block URL From Teams Playbook<br>\n<br>\n@{item()}</p>"
|
||||
},
|
||||
"host": {
|
||||
"connection": {
|
||||
|
|
@ -3527,7 +3364,7 @@
|
|||
"inputs": {
|
||||
"body": {
|
||||
"body": {
|
||||
"messageBody": "{\n \"type\": \"AdaptiveCard\",\n \"body\": [\n {\n \"type\": \"TextBlock\",\n \"weight\": \"Bolder\",\n \"text\": \"Below is/are the URL(s) blocked\",\n \"wrap\": true\n },\n\n {\n \"type\": \"TextBlock\",\n \"text\": \"@{outputs('Construct_string_from_consolidated_verdict_array')}\",\n \"wrap\": true\n },\n \n {\n \"text\": \" Incident # : @{triggerBody()?['object']?['properties']?['incidentNumber']} \",\n \"type\": \"TextBlock\",\n \"weight\": \"Bolder\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"[Click here to view the Incident](@{triggerBody()?['object']?['properties']?['incidentUrl']})\",\n \"wrap\": true\n },\n\n {\n \"type\": \"ColumnSet\",\n \"columns\": [\n {\n \"type\": \"Column\",\n \"items\": [\n {\n \"type\": \"TextBlock\",\n \"size\": \"Medium\",\n \"weight\": \"Bolder\",\n \"text\": \"Incident configuration :\",\n \"wrap\": true\n }\n ],\n \"width\": \"auto\"\n }\n ]\n },\n {\n \"type\": \"ColumnSet\",\n \"columns\": [\n {\n \"type\": \"Column\",\n \"items\": [\n {\n \"type\": \"Image\",\n \"style\": \"Person\",\n \"url\": \"https://connectoricons-prod.azureedge.net/releases/v1.0.1391/1.0.1391.2130/azuresentinel/icon.png\",\n \"size\": \"Small\"\n }\n ],\n \"width\": \"auto\"\n }\n ]\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Close Azure Sentinal incident?\"\n },\n {\n \"choices\": [\n {\n \"isSelected\": true,\n \"title\": \"False Positive - Inaccurate Data\",\n \"value\": \"False Positive - Inaccurate Data\"\n },\n {\n \"isSelected\": true,\n \"title\": \"False Positive - Incorrect Alert Logic\",\n \"value\": \"False Positive - Incorrect Alert Logic\"\n },\n {\n \"title\": \"True Positive - Suspicious Activity\",\n \"value\": \"True Positive - Suspicious Activity\"\n },\n {\n \"title\": \"Benign Positive - Suspicious But Expected\",\n \"value\": \"Benign Positive - Suspicious But Expected\"\n },\n {\n \"title\": \"Undetermined\",\n \"value\": \"Undetermined\"\n }\n ],\n \"id\": \"incidentStatus\",\n \"style\": \"compact\",\n \"type\": \"Input.ChoiceSet\",\n \"value\": \"Benign Positive - Suspicious But Expected\"\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Change Azure Sentinel Incident Severity?\"\n },\n {\n \"choices\": [\n {\n \n \"title\": \"High\",\n \"value\": \"High\"\n },\n {\n \"title\": \"Medium\",\n \"value\": \"Medium\"\n },\n {\n \"title\": \"Low\",\n \"value\": \"Low\"\n },\n {\n \"title\": \"Don't change\",\n \"value\": \"same\"\n }\n ],\n \"id\": \"incidentSeverity\",\n \"style\": \"compact\",\n \"type\": \"Input.ChoiceSet\",\n \"value\": \"@{triggerBody()?['object']?['properties']?['severity']}\"\n }\n \n \n \n ],\n\"width\":\"auto\",\n \"actions\": [\n {\n \"type\": \"Action.Submit\",\n \"title\": \"Update configuration\"\n }\n ],\n \"$schema\": \"http://adaptivecards.io/schemas/adaptive-card.json\",\n \"version\": \"1.2\"\n}",
|
||||
"messageBody": "{\n \"type\": \"AdaptiveCard\",\n \"body\": [\n {\n \"type\": \"TextBlock\",\n \"weight\": \"Bolder\",\n \"text\": \"Below is/are the URL(s) blocked\",\n \"wrap\": true\n },\n\n {\n \"type\": \"TextBlock\",\n \"text\": \"@{outputs('Construct_string_from_consolidated_verdict_array')}\",\n \"wrap\": true\n },\n \n {\n \"text\": \" Incident # : @{triggerBody()?['object']?['properties']?['incidentNumber']} \",\n \"type\": \"TextBlock\",\n \"weight\": \"Bolder\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"[Click here to view the Incident](@{triggerBody()?['object']?['properties']?['incidentUrl']})\",\n \"wrap\": true\n },\n\n {\n \"type\": \"ColumnSet\",\n \"columns\": [\n {\n \"type\": \"Column\",\n \"items\": [\n {\n \"type\": \"TextBlock\",\n \"size\": \"Medium\",\n \"weight\": \"Bolder\",\n \"text\": \"Incident configuration :\",\n \"wrap\": true\n }\n ],\n \"width\": \"auto\"\n }\n ]\n },\n {\n \"type\": \"ColumnSet\",\n \"columns\": [\n {\n \"type\": \"Column\",\n \"items\": [\n {\n \"type\": \"Image\",\n \"style\": \"Person\",\n \"url\": \"https://connectoricons-prod.azureedge.net/releases/v1.0.1391/1.0.1391.2130/azuresentinel/icon.png\",\n \"size\": \"Small\"\n }\n ],\n \"width\": \"auto\"\n }\n ]\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Close Azure Sentinal incident?\"\n },\n {\n \"choices\": [\n {\n \"isSelected\": true,\n \"title\": \"False Positive - Inaccurate Data\",\n \"value\": \"False Positive - Inaccurate Data\"\n },\n {\n \"isSelected\": true,\n \"title\": \"False Positive - Incorrect Alert Logic\",\n \"value\": \"False Positive - Incorrect Alert Logic\"\n },\n {\n \"title\": \"True Positive - Suspicious Activity\",\n \"value\": \"True Positive - Suspicious Activity\"\n },\n {\n \"title\": \"Benign Positive - Suspicious But Expected\",\n \"value\": \"Benign Positive - Suspicious But Expected\"\n },\n {\n \"title\": \"Undetermined\",\n \"value\": \"Undetermined\"\n }\n ],\n \"id\": \"incidentStatus\",\n \"style\": \"compact\",\n \"type\": \"Input.ChoiceSet\",\n \"value\": \"Benign Positive - Suspicious But Expected\"\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Change Azure Sentinel Incident Severity?\"\n },\n {\n \"choices\": [\n {\n \n \"title\": \"High\",\n \"value\": \"High\"\n },\n {\n \"title\": \"Medium\",\n \"value\": \"Medium\"\n },\n {\n \"title\": \"Low\",\n \"value\": \"Low\"\n },\n {\n \"title\": \"Don't change\",\n \"value\": \"same\"\n }\n ],\n \"id\": \"incidentSeverity\",\n \"style\": \"compact\",\n \"type\": \"Input.ChoiceSet\",\n \"value\": \"@{triggerBody()?['object']?['properties']?['severity']}\"\n }\n \n \n \n ],\n\"width\":\"auto\",\n \"actions\": [\n {\n \"type\": \"Action.Submit\",\n \"title\": \"Update configuration\"\n },\n {\n \"title\": \"Ignore\",\n \"type\": \"Action.Submit\"\n }\n ],\n \"$schema\": \"http://adaptivecards.io/schemas/adaptive-card.json\",\n \"version\": \"1.2\"\n}",
|
||||
"recipient": {
|
||||
"channelId": "19:9439f8f3bcf94355a5fd22c21582f0f7@thread.tacv2"
|
||||
},
|
||||
|
|
|
|||
|
|
@ -2,19 +2,18 @@
|
|||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"metadata": {
|
||||
"title": "Logic Apps Custom Connector and Playbook templates - wildfire",
|
||||
"description": "This is a linked json file for deploying wildfire custom connector + 3 playbooks.",
|
||||
"title": "Logic Apps Custom Connector and Playbook templates - Palo Alto Wildfire and PAN-OS",
|
||||
"description": "This is a linked json file for deploying Palo Alto Wildfire custom connector + 3 playbooks.",
|
||||
"prerequisites": [
|
||||
"1. PaloAlto PAN-OS custom connector needs to be deployed prior to the deployment of this playbook under the same resource group.",
|
||||
"2. Generate wildfire API key to establish the connection to wildfire custom connector.",
|
||||
"3. Palo alto API key.",
|
||||
"3. Palo Alto Wildfire API key.",
|
||||
"4. Security policy rule in the Palo Alto PAN-OS VM.",
|
||||
"5. Wildfire API end point should be known.",
|
||||
"6. Users must have access to Microsoft Teams and they should be a part of a Teams channel and also Power Automate app should be installed in the Microsoft Teams channel."
|
||||
"5. Wildfire API end point should be known."
|
||||
],
|
||||
"lastUpdateTime": "2021-07-23T00:00:00.000Z",
|
||||
"entities": [ "URLs", "Filehash" ],
|
||||
"tags": [ "Teams", "enrichment", "automation" ],
|
||||
"entities": [ "URL", "Filehash" ],
|
||||
"tags": [ "Remediation", "Response from teams", "Enrichment" ],
|
||||
"support": {
|
||||
"tier": "community"
|
||||
},
|
||||
|
|
@ -26,70 +25,70 @@
|
|||
"linkedTemplateWildfireCustomConnectorURI": {
|
||||
"type": "string",
|
||||
"metadata": {
|
||||
"description": "The Uri of the linked template for WildFire custom connector"
|
||||
"description": "The Uri of the linked template for Palo Alto WildFire custom connector"
|
||||
},
|
||||
"minLength": 3
|
||||
},
|
||||
"linkedTemplatePlaybookFilehashEnrichmentURI": {
|
||||
"type": "string",
|
||||
"metadata": {
|
||||
"description": "The Uri of the linked template for file hash enrichment playbook"
|
||||
"description": "The Uri of the linked template for Filehash Enrichment playbook"
|
||||
},
|
||||
"minLength": 3
|
||||
},
|
||||
"linkedTemplatePlaybookURLVerdictURI": {
|
||||
"linkedTemplatePlaybookBlockURLURI": {
|
||||
"type": "string",
|
||||
"metadata": {
|
||||
"description": "The Uri of the linked template for URL verdict playbook"
|
||||
"description": "The Uri of the linked template for Block URL playbook"
|
||||
},
|
||||
"minLength": 3
|
||||
},
|
||||
"linkedTemplatePlaybookURLVerdictOnTeamsURI": {
|
||||
"linkedTemplatePlaybookBlockURLFromTeamsURI": {
|
||||
"type": "string",
|
||||
"metadata": {
|
||||
"description": "The Uri of the linked template for URL Verdict on Teams playbook"
|
||||
"description": "The Uri of the linked template for Block URL From Teams playbook"
|
||||
},
|
||||
"minLength": 3
|
||||
},
|
||||
"FilehashEnrichmentPlaybookName": {
|
||||
"FilehashEnrichmentPlaybookName": {
|
||||
"type": "String",
|
||||
"metadata": {
|
||||
"description": "Name of the Enrichment Filehash Playbook"
|
||||
"description": "Name of the Filehash Enrichment Playbook"
|
||||
},
|
||||
"minLength": 3
|
||||
},
|
||||
"URLVerdictPlaybookName": {
|
||||
"BlockURLPlaybookName": {
|
||||
"type": "String",
|
||||
"metadata": {
|
||||
"description": "Name of the URL Verdict Playbook"
|
||||
"description": "Name of the Block URL Playbook"
|
||||
},
|
||||
"minLength": 3
|
||||
},
|
||||
"URLVerdictOnTeamsPlaybookName": {
|
||||
"type": "String",
|
||||
"BlockURLFromTeamsPlaybookName": {
|
||||
"type": "String",
|
||||
"metadata": {
|
||||
"description": "Name of the URL Verdict on Teams Playbook"
|
||||
"description": "Name of the Block URL From Teams Playbook"
|
||||
},
|
||||
"minLength": 3
|
||||
},
|
||||
"WildfireCustomConnectorName": {
|
||||
"type": "String",
|
||||
"metadata": {
|
||||
"description": "Enter Palo Alto WildFire Custom Connector Display Name"
|
||||
"description": "Enter Palo Alto WildFire Custom Connector Name"
|
||||
},
|
||||
"minLength": 3
|
||||
},
|
||||
"PaloAltoCustomConnectorName": {
|
||||
"type": "String",
|
||||
"PAN-OSCustomConnectorName": {
|
||||
"type": "String",
|
||||
"metadata": {
|
||||
"description": "Enter Palo Alto Custom Connector Display Name"
|
||||
"description": "Enter Palo Alto PAN-OS Custom Connector Name"
|
||||
},
|
||||
"minLength": 3
|
||||
},
|
||||
"WildfireServiceEndPoint": {
|
||||
"type": "String",
|
||||
"type": "String",
|
||||
"metadata": {
|
||||
"description": "Enter WildFire Endpoint (ex: https://{yourDomain})"
|
||||
"description": "Enter WildFire Endpoint"
|
||||
},
|
||||
"minLength": 3
|
||||
},
|
||||
|
|
@ -139,12 +138,12 @@
|
|||
{
|
||||
"type": "Microsoft.Web/connections",
|
||||
"apiVersion": "2016-06-01",
|
||||
"name": "[parameters('PaloAltoCustomConnectorName')]",
|
||||
"name": "[parameters('PAN-OSCustomConnectorName')]",
|
||||
"location": "[resourceGroup().location]",
|
||||
"properties": {
|
||||
"customParameterValues": {},
|
||||
"api": {
|
||||
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('PaloAltoCustomConnectorName'))]"
|
||||
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('PAN-OSCustomConnectorName'))]"
|
||||
}
|
||||
}
|
||||
},
|
||||
|
|
@ -180,18 +179,18 @@
|
|||
"name": "linkedTemplatePlaybookURLVerdictURI",
|
||||
"dependsOn": [
|
||||
"[resourceId('Microsoft.Resources/deployments', 'linkedTemplateWildfireCustomConnectorURI')]",
|
||||
"[resourceId('Microsoft.Web/connections', parameters('PaloAltoCustomConnectorName'))]"
|
||||
"[resourceId('Microsoft.Web/connections', parameters('PAN-OSCustomConnectorName'))]"
|
||||
],
|
||||
"type": "Microsoft.Resources/deployments",
|
||||
"apiVersion": "2018-05-01",
|
||||
"properties": {
|
||||
"mode": "Incremental",
|
||||
"templateLink": {
|
||||
"uri": "[parameters('linkedTemplatePlaybookURLVerdictURI')]"
|
||||
"uri": "[parameters('linkedTemplatePlaybookBlockURLURI')]"
|
||||
},
|
||||
"parameters": {
|
||||
"PlaybookName": {
|
||||
"Value": "[parameters('URLVerdictPlaybookName')]"
|
||||
"Value": "[parameters('BlockURLPlaybookName')]"
|
||||
},
|
||||
"WildfireAPIKey": {
|
||||
"Value": "[parameters('WildfireAPIKey')]"
|
||||
|
|
@ -202,8 +201,8 @@
|
|||
"WildfireCustomConnectorName": {
|
||||
"Value": "[parameters('WildfireCustomConnectorName')]"
|
||||
},
|
||||
"PaloAltoCustomConnectorName": {
|
||||
"Value": "[parameters('PaloAltoCustomConnectorName')]"
|
||||
"PAN-OSCustomConnectorName": {
|
||||
"Value": "[parameters('PAN-OSCustomConnectorName')]"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
@ -212,18 +211,18 @@
|
|||
"name": "linkedTemplatePlaybookURLVerdictOnTeamsURI",
|
||||
"dependsOn": [
|
||||
"[resourceId('Microsoft.Resources/deployments', 'linkedTemplateWildfireCustomConnectorURI')]",
|
||||
"[resourceId('Microsoft.Web/connections', parameters('PaloAltoCustomConnectorName'))]"
|
||||
"[resourceId('Microsoft.Web/connections', parameters('PAN-OSCustomConnectorName'))]"
|
||||
],
|
||||
"type": "Microsoft.Resources/deployments",
|
||||
"apiVersion": "2018-05-01",
|
||||
"properties": {
|
||||
"mode": "Incremental",
|
||||
"templateLink": {
|
||||
"uri": "[parameters('linkedTemplatePlaybookURLVerdictOnTeamsURI')]"
|
||||
"uri": "[parameters('linkedTemplatePlaybookBlockURLFromTeamsURI')]"
|
||||
},
|
||||
"parameters": {
|
||||
"PlaybookName": {
|
||||
"Value": "[parameters('URLVerdictOnTeamsPlaybookName')]"
|
||||
"Value": "[parameters('BlockURLFromTeamsPlaybookName')]"
|
||||
},
|
||||
"WildfireAPIKey": {
|
||||
"Value": "[parameters('WildfireAPIKey')]"
|
||||
|
|
@ -234,8 +233,8 @@
|
|||
"WildfireCustomConnectorName": {
|
||||
"Value": "[parameters('WildfireCustomConnectorName')]"
|
||||
},
|
||||
"PaloAltoCustomConnectorName": {
|
||||
"Value": "[parameters('PaloAltoCustomConnectorName')]"
|
||||
"PAN-OSCustomConnectorName": {
|
||||
"Value": "[parameters('PAN-OSCustomConnectorName')]"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -7,7 +7,6 @@
|
|||
1. [Overview](#overview)
|
||||
1. [Prerequisites](#prerequisites)
|
||||
1. [Authentication](#authentication)
|
||||
1. [Deploy PAN-OS custom connector](#deplyoment)
|
||||
1. [Deploy WildFire custom connector and 3 playbook templates](#deployall)
|
||||
1. [Deployment Instructions](#instructions)
|
||||
1. [Post-Deployment Instructions](#postdeployment)
|
||||
|
|
@ -36,15 +35,6 @@ WildFire Custom Connector supports: API Key Authentication
|
|||
|
||||
<a name="deplyoment">
|
||||
|
||||
# Deploy Palo Alto PAN-OS custom connector
|
||||
|
||||
To deploy Palo Alto PAN-OS Custom connector goto [Pre-requisites to deploy Palo Alto PAN-OS Custom Connector](/Connectors/PaloAltoConnector/readme.md)
|
||||
|
||||
Click on the below button to deploy Palo Alto PAN-OS Custom Connector in your Azure subscription.
|
||||
|
||||
[](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FPaloAlto-Wildfire%2FConnectores%2FPaloAltoConnector%2Fazuredeploy.json)
|
||||
[](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FPaloAlto-Wildfire%2FConnectores%2FPaloAltoConnector%2Fazuredeploy.json)
|
||||
|
||||
|
||||
<a name="deployall">
|
||||
|
||||
|
|
@ -69,14 +59,14 @@ You can choose to deploy the whole package: connector and all three playbook tem
|
|||
|
||||
| Parameter | Description |
|
||||
| ------------- | ------------- |
|
||||
| **Filehash Enrichment Playbook Name** | Enter the Filehash Enrichment Playbook Name (e.g. Wildfire_filehash_enrichment) |
|
||||
| **URL Enrichment Playbook Name** | Enter the URL Enrichment Playbook Name (e.g. Wildfire_URL_verdict) |
|
||||
| **URL Enrichment Teams Playbook Name** | Enter the URL Enrichment Teams Playbook Name (e.g. URL_verdict_on_teams) |
|
||||
| **Wildfire Custom Connector Name** | Enter the name of WildFire custom connector |
|
||||
| **Filehash Enrichment Playbook Name** | Enter the Filehash Enrichment Playbook Name |
|
||||
| **Block URL Playbook Name** | Enter the Block URL Playbook Name |
|
||||
| **Block URL From Teams Playbook Name** | Enter the Block URL From Teams Playbook Name |
|
||||
| **Wildfire Custom Connector Name** | Enter the name of Palo Alto WildFire custom connector |
|
||||
| **Wildfire Service End Point** | Enter the Service End Point of Wildfire API [WildFire Console](https://wildfire.paloaltonetworks.com)|
|
||||
| **Wildfire API Key** | Enter the WildFire API Key|
|
||||
| **Notification Email** | Enter the DL or SOC email address for receiving filehash report|
|
||||
| **PAN-OS Custom Connector Name** | Enter the PAN-OS custom connector name |
|
||||
| **PAN-OS Custom Connector Name** | Enter the Palo Alto PAN-OS custom connector name |
|
||||
| **Security Policy Rule** | Enter the Security Policy Rule which is created in PAN-OS |
|
||||
|
||||
<a name="postdeployment">
|
||||
|
|
@ -104,12 +94,13 @@ You can choose to deploy the whole package: connector and all three playbook tem
|
|||
* [Wildfire Connector](Connectors/WildFireConnector/readme.md)
|
||||
|
||||
Playbooks
|
||||
* [WildFire Filehash Enrichment](/Playbooks/WildFire-FileHash-Enrichment/readme.md)
|
||||
* [WildFire URL Enrichment](/Playbooks/WildFire-URL-Enrichment/readme.md)
|
||||
* [WildFire URL Enrichment Teams](/Playbooks/WildFire-URL-Enrichment-Teams/readme.md)
|
||||
* [WildFire Filehash Enrichment](/Playbooks/FileHash-Enrichment/readme.md)
|
||||
* [WildFire Block URL](/Playbooks/Block-URL/readme.md)
|
||||
* [WildFire Block URL From Teams](/Playbooks/Block-URL-From-Teams/readme.md)
|
||||
|
||||
|
||||
<a name="limitations">
|
||||
|
||||
# Known Issues and Limitations
|
||||
- We need to authorize the connections after deploying the playbooks.
|
||||
- We need to authorize the connections after deploying the playbooks.
|
||||
- Palo Alto Wildfire API returns response body in XML format. To handle this, 'Parse Json' action is needed to convert xml body into json object.[Refer here](./XMLResponse.xml)
|
||||
Загрузка…
Ссылка в новой задаче