Azure
/
Azure-Sentinel
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Update Prompt-User

This commit is contained in:
dicolanl 2021-06-09 16:43:19 +00:00
Родитель 518875e35c
Коммит b5a192f0a3
7 изменённых файлов: 556 добавлений и 190 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

2
Playbooks/Get-MDEInvestigationPackage/incident-trigger/azuredeploy.json
Просмотреть файл

@ -2,7 +2,7 @@
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0", "contentVersion": "1.0.0.0",
"metadata": { "metadata": {
"title": "Get-ASCRecommendations", "title": "Get-MDEInvestigationPackage",
"description": "This playbook will call the collect invesitgation package in MDE. It will then loop until thats complete, once complete it will add a comment to the incident and post a message in teams with the URL to download the package.", "description": "This playbook will call the collect invesitgation package in MDE. It will then loop until thats complete, once complete it will add a comment to the incident and post a message in teams with the URL to download the package.",
"prerequisites": "1. You will need the Team Id and Chat Id. 2. You will need to grant Machine.CollectForensics permissions to the managed identity.", "prerequisites": "1. You will need the Team Id and Chat Id. 2. You will need to grant Machine.CollectForensics permissions to the managed identity.",
"lastUpdateTime": "2021-06-03T00:00:00.000Z", "lastUpdateTime": "2021-06-03T00:00:00.000Z",

399
Playbooks/Prompt-User/azuredeploy.json → Playbooks/Prompt-User/alert-trigger/azuredeploy.json
Просмотреть файл

@ -2,7 +2,7 @@
{ {
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0", "contentVersion": "1.0.0.0",
"metadata":{ "metadata": {
"comments": "This playbook will ask the user if they completed the action from the Incident in Azure Sentinel. If so, it will close the incident and add a comment. If not, it will post a message to teams for the SOC to investigate and add a comment to the incident.", "comments": "This playbook will ask the user if they completed the action from the Incident in Azure Sentinel. If so, it will close the incident and add a comment. If not, it will post a message to teams for the SOC to investigate and add a comment to the incident.",
"author": "Nicholas DiCola" "author": "Nicholas DiCola"
}, },
@ -41,9 +41,11 @@
"apiVersion": "2016-06-01", "apiVersion": "2016-06-01",
"name": "[variables('AzureSentinelConnectionName')]", "name": "[variables('AzureSentinelConnectionName')]",
"location": "[resourceGroup().location]", "location": "[resourceGroup().location]",
"kind": "V1",
"properties": { "properties": {
"displayName": "[parameters('UserName')]", "displayName": "[parameters('PlaybookName')]",
"customParameterValues": {}, "customParameterValues": {},
"parameterValueType": "Alternative",
"api": { "api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]" "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
} }
@ -83,6 +85,9 @@
"tags": { "tags": {
"LogicAppsCategory": "security" "LogicAppsCategory": "security"
}, },
"identity": {
"type": "SystemAssigned"
},
"dependsOn": [ "dependsOn": [
"[resourceId('Microsoft.Web/connections', variables('AzureADConnectionName'))]", "[resourceId('Microsoft.Web/connections', variables('AzureADConnectionName'))]",
"[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
@ -93,7 +98,200 @@
"state": "Enabled", "state": "Enabled",
"definition": { "definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"actions": {
"Alert_-_Get_incident": {
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "get",
"path": "/Incidents/subscriptions/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/resourceGroups/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/workspaces/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/alerts/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}"
},
"runAfter": {},
"type": "ApiConnection"
},
"Entities_-_Get_Accounts": {
"inputs": {
"body": "@triggerBody()?['Entities']",
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/entities/account"
},
"runAfter": {
"Alert_-_Get_incident": [
"Succeeded"
]
},
"type": "ApiConnection"
},
"For_each": {
"actions": {
"Condition_2": {
"actions": {
"Add_comment_to_incident_(V3)": {
"inputs": {
"body": {
"incidentArmId": "@body('Alert_-_Get_incident')?['id']",
"message": "<p>@{body('Get_user')?['displayName']} confirms they completed the action that triggered the alert. &nbsp;Closing the incident.</p>"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/Incidents/Comment"
},
"runAfter": {},
"type": "ApiConnection"
},
"Update_incident": {
"inputs": {
"body": {
"classification": {
"ClassificationAndReason": "BenignPositive - SuspiciousButExpected",
"ClassificationReasonText": "User Confirmed it was them"
},
"incidentArmId": "@body('Alert_-_Get_incident')?['id']",
"status": "Closed"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "put",
"path": "/Incidents"
},
"runAfter": {
"Add_comment_to_incident_(V3)": [
"Succeeded"
]
},
"type": "ApiConnection"
}
},
"else": {
"actions": {
"Add_comment_to_incident_(V3)_2": {
"inputs": {
"body": {
"incidentArmId": "@body('Alert_-_Get_incident')?['id']",
"message": "<p>@{body('Get_user')?['displayName']} confirms they did not complete the action. Further investigation is needed.</p>"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/Incidents/Comment"
},
"runAfter": {},
"type": "ApiConnection"
},
"Post_a_message_(V3)": {
"inputs": {
"body": {
"body": {
"content": "<p>New alert from Azure Sentinel.<br>\nPlease investigate ASAP.<br>\nSeverity : @{body('Alert_-_Get_incident')?['properties']?['severity']}<br>\nDescription: @{body('Alert_-_Get_incident')?['properties']?['description']}<br>\n<br>\n@{body('Get_user')?['displayName']} user confirmed they did not complete the action.</p>",
"contentType": "html"
},
"subject": "Incident @{body('Alert_-_Get_incident')?['properties']?['incidentNumber']} - @{body('Alert_-_Get_incident')?['properties']?['title']}"
},
"host": {
"connection": {
"name": "@parameters('$connections')['teams']['connectionId']"
}
},
"method": "post",
"path": "/v3/beta/teams/@{encodeURIComponent('76882eab-d84d-45f6-aba3-c5b4ae105319')}/channels/@{encodeURIComponent('19:f59057003d5d443588b92fc0349b3dd4@thread.tacv2')}/messages"
},
"runAfter": {
"Add_comment_to_incident_(V3)_2": [
"Succeeded"
]
},
"type": "ApiConnection"
}
}
},
"expression": {
"and": [
{
"equals": [
"",
"This was me"
]
}
]
},
"runAfter": {
"Send_approval_email": [
"Succeeded"
]
},
"type": "If"
},
"Get_user": {
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['azuread']['connectionId']"
}
},
"method": "get",
"path": "/v1.0/users/@{encodeURIComponent(concat(items('For_each')?['Name'], '@' ,items('For_each')?['UPNSuffix']))}"
},
"runAfter": {},
"type": "ApiConnection"
},
"Send_approval_email": {
"inputs": {
"body": {
"Message": {
"Body": "New Alert from Azure Sentinel.\nPlease respond ASAP.\nSeverity: @{triggerBody()?['Severity']}\nName: @{triggerBody()?['AlertDisplayName']}\nDescription: @{triggerBody()?['Description']}",
"HideHTMLMessage": false,
"Importance": "High",
"Options": "This was me, This was not me",
"ShowHTMLConfirmationDialog": false,
"Subject": "Security Alert: @{body('Alert_-_Get_incident')?['properties']?['title']}",
"To": "@body('Get_user')?['mail']"
},
"NotificationUrl": "@{listCallbackUrl()}"
},
"host": {
"connection": {
"name": "@parameters('$connections')['office365']['connectionId']"
}
},
"path": "/approvalmail/$subscriptions"
},
"runAfter": {
"Get_user": [
"Succeeded"
]
},
"type": "ApiConnectionWebhook"
}
},
"foreach": "@body('Entities_-_Get_Accounts')?['Accounts']",
"runAfter": {
"Entities_-_Get_Accounts": [
"Succeeded"
]
},
"type": "Foreach"
}
},
"contentVersion": "1.0.0.0", "contentVersion": "1.0.0.0",
"outputs": {},
"parameters": { "parameters": {
"$connections": { "$connections": {
"defaultValue": {}, "defaultValue": {},
@ -102,7 +300,6 @@
}, },
"triggers": { "triggers": {
"When_a_response_to_an_Azure_Sentinel_alert_is_triggered": { "When_a_response_to_an_Azure_Sentinel_alert_is_triggered": {
"type": "ApiConnectionWebhook",
"inputs": { "inputs": {
"body": { "body": {
"callback_url": "@{listCallbackUrl()}" "callback_url": "@{listCallbackUrl()}"
@ -113,191 +310,10 @@
} }
}, },
"path": "/subscribe" "path": "/subscribe"
} },
"type": "ApiConnectionWebhook"
} }
}, }
"actions": {
"Alert_-_Get_accounts": {
"runAfter": {},
"type": "ApiConnection",
"inputs": {
"body": "@triggerBody()?['Entities']",
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/entities/account"
}
},
"Alert_-_Get_incident": {
"runAfter": {
"Alert_-_Get_accounts": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "get",
"path": "/Cases/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}"
}
},
"For_each": {
"foreach": "@body('Alert_-_Get_accounts')?['Accounts']",
"actions": {
"For_each_2": {
"foreach": "@body('Alert_-_Get_incident')['value']",
"actions": {
"Condition": {
"actions": {
"Add_comment_to_incident": {
"runAfter": {},
"type": "ApiConnection",
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "put",
"path": "/Comment/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/@{encodeURIComponent('Incident')}/@{encodeURIComponent(body('Alert_-_Get_incident')?['properties']?['CaseNumber'])}/@{encodeURIComponent('User confirms they completed the action that triggered the alert. Closing the incident.')}"
}
},
"Change_incident_status": {
"runAfter": {
"Add_comment_to_incident": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "put",
"path": "/Case/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/@{encodeURIComponent('Incident')}/@{encodeURIComponent(body('Alert_-_Get_incident')?['properties']?['CaseNumber'])}/Status/@{encodeURIComponent('Closed')}"
}
}
},
"runAfter": {
"Send_approval_email": [
"Succeeded"
]
},
"else": {
"actions": {
"Add_comment_to_incident_2": {
"runAfter": {},
"type": "ApiConnection",
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "put",
"path": "/Comment/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/@{encodeURIComponent('Incident')}/@{encodeURIComponent(body('Alert_-_Get_incident')?['properties']?['CaseNumber'])}/@{encodeURIComponent('User confirms they did not complete the action. Further investigation is needed.')}"
}
},
"Post_a_message_(V3)": {
"runAfter": {
"Add_comment_to_incident_2": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"body": {
"body": {
"content": "<p>New alert from Azure Sentinel. <br>\nPlease investigate ASAP. <br>\nSeverity : @{triggerBody()?['Severity']}<br>\nName: @{triggerBody()?['AlertDisplayName']}<br>\nDescription: @{triggerBody()?['Description']}</p>",
"contentType": "html"
},
"subject": "Security Alert: @{items('For_each_2')?['properties']?['Title']}"
},
"host": {
"connection": {
"name": "@parameters('$connections')['teams']['connectionId']"
}
},
"method": "post",
"path": "/v3/beta/teams/@{encodeURIComponent('7fdb6cff-0779-45ac-aefd-da589fc62729')}/channels/@{encodeURIComponent('19:2df964c9afc44d60a51bc282f56bacef@thread.skype')}/messages"
}
}
}
},
"expression": {
"and": [
{
"equals": [
"@body('Send_approval_email')?['SelectedOption']",
"This was me"
]
}
]
},
"type": "If"
},
"Send_approval_email": {
"runAfter": {},
"type": "ApiConnectionWebhook",
"inputs": {
"body": {
"Message": {
"Body": "New Alert from Azure Sentinel.\nPlease respond ASAP.\nSeverity: @{triggerBody()?['Severity']}\nName: @{triggerBody()?['AlertDisplayName']}\nDescription: @{triggerBody()?['Description']}",
"Importance": "Normal",
"Options": "This was me, This was not me",
"Subject": "Security Alert: @{body('Alert_-_Get_incident')?['properties']?['Title']}",
"To": "@body('Get_user')?['mail']"
},
"NotificationUrl": "@{listCallbackUrl()}"
},
"host": {
"connection": {
"name": "@parameters('$connections')['office365']['connectionId']"
}
},
"path": "/approvalmail/$subscriptions"
}
}
},
"runAfter": {
"Get_user": [
"Succeeded"
]
},
"type": "Foreach"
},
"Get_user": {
"runAfter": {},
"type": "ApiConnection",
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['azuread']['connectionId']"
}
},
"method": "get",
"path": "/v1.0/users/@{encodeURIComponent(concat(items('For_each')?['Name'], '@' ,items('For_each')?['UPNSuffix']))}"
}
}
},
"runAfter": {
"Alert_-_Get_incident": [
"Succeeded"
]
},
"type": "Foreach"
}
},
"outputs": {}
}, },
"parameters": { "parameters": {
"$connections": { "$connections": {
@ -310,7 +326,12 @@
"azuresentinel": { "azuresentinel": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
"connectionName": "[variables('AzureSentinelConnectionName')]", "connectionName": "[variables('AzureSentinelConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]" "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]",
"connectionProperties": {
"authentication": {
"type": "ManagedServiceIdentity"
}
}
}, },
"office365": { "office365": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]", "connectionId": "[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]",
@ -328,4 +349,4 @@
} }
} }
] ]
} }

Двоичные данные
Playbooks/Prompt-User/alert-trigger/images/Prompt-User_alert.png Normal file
Просмотреть файл

Двоичный файл не отображается.
Режим "рядом"

После

Ширина:  |  Высота:  |  Размер: 58 KiB

345
Playbooks/Prompt-User/incident-trigger/azuredeploy.json Normal file
Просмотреть файл

@ -0,0 +1,345 @@
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"title": "Prompt-User",
"description": "This playbook will ask the user if they completed the action from the Incident in Azure Sentinel. If so, it will close the incident and add a comment. If not, it will post a message to teams for the SOC to investigate and add a comment to the incident.",
"prerequisites": "1. You will need the Team Id and Chat Id.",
"lastUpdateTime": "2021-06-03T00:00:00.000Z",
"entities": [ "Account" ],
"tags": [ "Repsond" ],
"support": {
"kind": "community"
},
"author": {
"name": "Nicholas DiCola"
}
},
"parameters": {
"PlaybookName": {
"defaultValue": "Prompt-User",
"type": "string"
},
"UserName": {
"defaultValue": "<username>@<domain>",
"type": "string"
}
},
"variables": {
"AzureADConnectionName": "[concat('azuread-', parameters('PlaybookName'))]",
"AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]",
"Office365ConnectionName": "[concat('office365-', parameters('PlaybookName'))]",
"TeamsConnectionName": "[concat('teams-', parameters('PlaybookName'))]"
},
"resources": [
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('AzureADConnectionName')]",
"location": "[resourceGroup().location]",
"properties": {
"displayName": "[parameters('UserName')]",
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuread')]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('AzureSentinelConnectionName')]",
"location": "[resourceGroup().location]",
"kind": "V1",
"properties": {
"displayName": "[parameters('PlaybookName')]",
"customParameterValues": {},
"parameterValueType": "Alternative",
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('Office365ConnectionName')]",
"location": "[resourceGroup().location]",
"properties": {
"displayName": "[parameters('UserName')]",
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/office365')]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('TeamsConnectionName')]",
"location": "[resourceGroup().location]",
"properties": {
"displayName": "[parameters('UserName')]",
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/teams')]"
}
}
},
{
"type": "Microsoft.Logic/workflows",
"apiVersion": "2017-07-01",
"name": "[parameters('PlaybookName')]",
"location": "[resourceGroup().location]",
"tags": {
"LogicAppsCategory": "security"
},
"identity": {
"type": "SystemAssigned"
},
"dependsOn": [
"[resourceId('Microsoft.Web/connections', variables('AzureADConnectionName'))]",
"[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
"[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]",
"[resourceId('Microsoft.Web/connections', variables('TeamsConnectionName'))]"
],
"properties": {
"state": "Enabled",
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"actions": {
"Entities_-_Get_Accounts": {
"inputs": {
"body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/entities/account"
},
"runAfter": {},
"type": "ApiConnection"
},
"For_each": {
"actions": {
"Condition_2": {
"actions": {
"Add_comment_to_incident_(V3)": {
"inputs": {
"body": {
"incidentArmId": "@triggerBody()?['object']?['id']",
"message": "<p>@{body('Get_user')?['displayName']} confirms they completed the action that triggered the alert. &nbsp;Closing the incident.</p>"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/Incidents/Comment"
},
"runAfter": {},
"type": "ApiConnection"
},
"Update_incident": {
"inputs": {
"body": {
"classification": {
"ClassificationAndReason": "BenignPositive - SuspiciousButExpected",
"ClassificationReasonText": "User Confirmed it was them"
},
"incidentArmId": "@triggerBody()?['object']?['id']",
"status": "Closed"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "put",
"path": "/Incidents"
},
"runAfter": {
"Add_comment_to_incident_(V3)": [
"Succeeded"
]
},
"type": "ApiConnection"
}
},
"else": {
"actions": {
"Add_comment_to_incident_(V3)_2": {
"inputs": {
"body": {
"incidentArmId": "@triggerBody()?['object']?['id']",
"message": "<p>@{body('Get_user')?['displayName']} confirms they did not complete the action. Further investigation is needed.</p>"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/Incidents/Comment"
},
"runAfter": {},
"type": "ApiConnection"
},
"Post_a_message_(V3)": {
"inputs": {
"body": {
"body": {
"content": "<p>New alert from Azure Sentinel.<br>\nPlease investigate ASAP.<br>\nSeverity : @{triggerBody()?['object']?['properties']?['severity']}<br>\nDescription: @{triggerBody()?['object']?['properties']?['description']}<br>\n<br>\n@{body('Get_user')?['displayName']} user confirmed they did not complete the action.</p>",
"contentType": "html"
},
"subject": "Incident @{triggerBody()?['object']?['properties']?['incidentNumber']} - @{triggerBody()?['object']?['properties']?['title']}"
},
"host": {
"connection": {
"name": "@parameters('$connections')['teams_1']['connectionId']"
}
},
"method": "post",
"path": "/v3/beta/teams/@{encodeURIComponent('76882eab-d84d-45f6-aba3-c5b4ae105319')}/channels/@{encodeURIComponent('19:f59057003d5d443588b92fc0349b3dd4@thread.tacv2')}/messages"
},
"runAfter": {
"Add_comment_to_incident_(V3)_2": [
"Succeeded"
]
},
"type": "ApiConnection"
}
}
},
"expression": {
"and": [
{
"equals": [
"@body('Send_approval_email')?['SelectedOption']",
"This was me"
]
}
]
},
"runAfter": {
"Send_approval_email": [
"Succeeded"
]
},
"type": "If"
},
"Get_user": {
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['azuread']['connectionId']"
}
},
"method": "get",
"path": "/v1.0/users/@{encodeURIComponent(concat(items('For_each')?['Name'], '@' ,items('For_each')?['UPNSuffix']))}"
},
"runAfter": {},
"type": "ApiConnection"
},
"Send_approval_email": {
"inputs": {
"body": {
"Message": {
"Body": "New Alert from Azure Sentinel.\nPlease respond ASAP.\nSeverity: @{triggerBody()?['object']?['properties']?['severity']}\nName: @{triggerBody()?['object']?['properties']?['title']}\nDescription: @{triggerBody()?['object']?['properties']?['description']}",
"HideHTMLMessage": false,
"Importance": "High",
"Options": "This was me, This was not me",
"ShowHTMLConfirmationDialog": false,
"Subject": "Security Alert: @{triggerBody()?['object']?['properties']?['title']}",
"To": "@body('Get_user')?['mail']"
},
"NotificationUrl": "@{listCallbackUrl()}"
},
"host": {
"connection": {
"name": "@parameters('$connections')['office365']['connectionId']"
}
},
"path": "/approvalmail/$subscriptions"
},
"runAfter": {
"Get_user": [
"Succeeded"
]
},
"type": "ApiConnectionWebhook"
}
},
"foreach": "@body('Entities_-_Get_Accounts')?['Accounts']",
"runAfter": {
"Entities_-_Get_Accounts": [
"Succeeded"
]
},
"type": "Foreach"
}
},
"contentVersion": "1.0.0.0",
"outputs": {},
"parameters": {
"$connections": {
"defaultValue": {},
"type": "Object"
}
},
"triggers": {
"When_Azure_Sentinel_incident_creation_rule_was_triggered": {
"inputs": {
"body": {
"callback_url": "@{listCallbackUrl()}"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"path": "/incident-creation"
},
"type": "ApiConnectionWebhook"
}
}
},
"parameters": {
"$connections": {
"value": {
"azuread": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureADConnectionName'))]",
"connectionName": "[variables('AzureADConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuread')]"
},
"azuresentinel": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
"connectionName": "[variables('AzureSentinelConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]",
"connectionProperties": {
"authentication": {
"type": "ManagedServiceIdentity"
}
}
},
"office365": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]",
"connectionName": "[variables('Office365ConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/office365')]"
},
"teams": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('TeamsConnectionName'))]",
"connectionName": "[variables('TeamsConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/teams')]"
}
}
}
}
}
}
]
}

Двоичные данные
Playbooks/Prompt-User/incident-trigger/images/Prompt-User_incident.png Normal file
Просмотреть файл

Двоичный файл не отображается.
Режим "рядом"

После

Ширина:  |  Высота:  |  Размер: 49 KiB

Двоичные данные
Playbooks/Prompt-User/incident-trigger/images/designerDark.png Normal file
Просмотреть файл

Двоичный файл не отображается.
Режим "рядом"

После

Ширина:  |  Высота:  |  Размер: 51 KiB

Двоичные данные
Playbooks/Prompt-User/incident-trigger/images/designerLight.png Normal file
Просмотреть файл

Двоичный файл не отображается.
Режим "рядом"

После

Ширина:  |  Высота:  |  Размер: 49 KiB