[skip ci] Github Bot Added package to Pull Request!

This commit is contained in:
Github Bot 2024-01-08 09:23:37 +00:00
Родитель 25ec950c17
Коммит c237055bc3
4 изменённых файлов: 174 добавлений и 126 удалений


@ -0,0 +1,31 @@
{
"Name": "Australian Cyber Security Centre",
"Author": "Microsoft - support@microsoft.com",
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/ACSClogo.svg\"width=\"75px\"height=\"75px\">",
"Description": "This solution allows customers to share threat intelligence with the Australian Cyber Security Centre (ACSC) through the Cyber Threat Intelligence Sharing (CTIS) program. This solution contains a playbook that can be used to get indicators from Microsoft Sentinel and convert them into STIX bundles to be posted to the CTIS TAXII 2.1 server as a Contributing Partner. This solution is only available to deeded ACSC partners that have completed onboarding to the CTIS program. Credentials will be provided during the onboarding process. For more information please contact community@ctis-au.org or visit the [ACSC Partner Portal](https://partners.cyber.gov.au/login?ec=302&startURL=%2Fs%2F).",
"Metadata": "SolutionMetadata.json",
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Australian Cyber Security Centre\\",
"Version": "3.0.2",
"TemplateSpec": true,
"Is1PConnector": true,
"publisherId": "azuresentinel",
"offerId": "azure-sentinel-solution-australiancybersecurity",
"providers": [
"Australian Cyber Security Centre"
],
"categories": {
"domains": [
"Security - Threat Intelligence"
]
},
"firstPublishDate": "2022-11-23",
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
},
"Playbooks": [
"Playbooks/AusCtisExportTaggedIndicators/azuredeploy.json"
]
}
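Review bot: `BasePath` in this new solution data file is an absolute path from one contributor's workstation (`C:\\GitHub\\Azure-Sentinel\\Solutions\\Australian Cyber Security Centre\\`), so anyone re-running the packaging step on another machine has to edit the file first; if the key is required by the packaging tool, a relative path or a README line stating what to substitute would keep the file portable. The `Logo` value also runs its attributes together (`ACSClogo.svg\"width=\"75px\"height=\"75px\"`), which lenient HTML parsers render but which the HTML specification treats as a missing-whitespace parse error; the well-formed form is `<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/ACSClogo.svg\" width=\"75px\" height=\"75px\">`. The same tag appears in the createUiDefinition `description` hunk further down this page. The path of this new file is not shown on the page.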



@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/ACSClogo.svg\"width=\"75px\"height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Australian%20Cyber%20Security%20Centre/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThis solution allows customers to share threat intelligence with the Australian Cyber Security Centre (ACSC) through the Cyber Threat Intelligence Sharing (CTIS) program. This solution contains a playbook that can be used to get indicators from Microsoft Sentinel and convert them into STIX bundles to be posted to the CTIS TAXII 2.1 server as a Contributing Partner. This solution is only available to deeded ACSC partners that have completed onboarding to the CTIS program. Credentials will be provided during the onboarding process. For more information please contact community@ctis-au.org or visit the [ACSC Partner Portal](https://partners.cyber.gov.au/login?ec=302&startURL=%2Fs%2F).\n\n**Playbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/ACSClogo.svg\"width=\"75px\"height=\"75px\">\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThis solution allows customers to share threat intelligence with the Australian Cyber Security Centre (ACSC) through the Cyber Threat Intelligence Sharing (CTIS) program. This solution contains a playbook that can be used to get indicators from Microsoft Sentinel and convert them into STIX bundles to be posted to the CTIS TAXII 2.1 server as a Contributing Partner. This solution is only available to deeded ACSC partners that have completed onboarding to the CTIS program. Credentials will be provided during the onboarding process. For more information please contact community@ctis-au.org or visit the [ACSC Partner Portal](https://partners.cyber.gov.au/login?ec=302&startURL=%2Fs%2F).\n\n**Playbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",


@ -30,12 +30,12 @@
}
},
"variables": {
"solutionId": "azuresentinel.azure-sentinel-solution-australiancybersecurity",
"_solutionId": "[variables('solutionId')]",
"email": "support@microsoft.com",
"_email": "[variables('email')]",
"_solutionName": "Australian Cyber Security Centre",
"_solutionVersion": "3.0.2",
"solutionId": "azuresentinel.azure-sentinel-solution-australiancybersecurity",
"_solutionId": "[variables('solutionId')]",
"AusCtisExportTaggedIndicators": "AusCtisExportTaggedIndicators",
"_AusCtisExportTaggedIndicators": "[variables('AusCtisExportTaggedIndicators')]",
"TemplateEmptyArray": "[json('[]')]",
@ -215,181 +215,198 @@
"For_each_IncidentID_create_a_Grouping": {
"foreach": "@variables('IncidentIDLabelsForGrouping')",
"actions": {
"Condition_to_check_if_Grouping_for_IncidentID_is_already_created": {
"Condition_to_check_if_Indicator_is_not_part_of_any_Incident_skip_Grouping": {
"actions": {
"Append_to_array_TempIncidentArray": {
"runAfter": {
"Grouping_Object_Composition": [
"Succeeded"
]
},
"type": "AppendToArrayVariable",
"inputs": {
"name": "TempIncidentIdArray",
"value": "@split(items('For_each_IncidentID_create_a_Grouping'), ';')[2]"
}
},
"For_each_combination_extract_IndicatorId_and_MarkingRefObj": {
"foreach": "@body('Extract_Goruping_details_for_each_Indicatorids')",
"Condition_to_check_if_Grouping_for_IncidentID_is_already_created": {
"actions": {
"Append_to_array_GroupingConfidence": {
"Append_to_array_TempIncidentArray": {
"runAfter": {
"Append_to_array_GroupingIndicators": [
"Grouping_Object_Composition": [
"Succeeded"
]
},
"type": "AppendToArrayVariable",
"inputs": {
"name": "TempIncidentIdArray",
"value": "@split(items('For_each_IncidentID_create_a_Grouping'), ';')[2]"
}
},
"For_each_combination_extract_IndicatorId_and_MarkingRefObj": {
"foreach": "@body('Extract_Goruping_details_for_each_Indicatorids')",
"actions": {
"Append_to_array_GroupingConfidence": {
"runAfter": {
"Append_to_array_GroupingIndicators": [
"Succeeded"
]
},
"type": "AppendToArrayVariable",
"inputs": {
"name": "GroupingConfidence",
"value": "@int(split(items('For_each_combination_extract_IndicatorId_and_MarkingRefObj'), ';')[1])"
}
},
"Append_to_array_GroupingDescription": {
"runAfter": {
"Append_to_array_GroupingMarkingRefObjs": [
"Succeeded"
]
},
"type": "AppendToArrayVariable",
"inputs": {
"name": "GroupingDescription",
"value": "@split(items('For_each_combination_extract_IndicatorId_and_MarkingRefObj'), ';')[4]"
}
},
"Append_to_array_GroupingIndicators": {
"type": "AppendToArrayVariable",
"inputs": {
"name": "GroupingIndicators",
"value": "@split(items('For_each_combination_extract_IndicatorId_and_MarkingRefObj'), ';')[0]"
}
},
"Append_to_array_GroupingMarkingRefObjs": {
"runAfter": {
"Append_to_array_GroupingConfidence": [
"Succeeded"
]
},
"type": "AppendToArrayVariable",
"inputs": {
"name": "GroupingMarkingRefObjs",
"value": "@split(items('For_each_combination_extract_IndicatorId_and_MarkingRefObj'), ';')[3]"
}
}
},
"type": "Foreach"
},
"Grouping_Object_Composition": {
"actions": {
"Append_GroupObj_to_Indicators_array": {
"runAfter": {
"Compose_Group_Object": [
"Succeeded"
]
},
"type": "AppendToArrayVariable",
"inputs": {
"name": "Indicators",
"value": "@outputs('Compose_Group_Object')"
}
},
"Compose_Group_Object": {
"type": "Compose",
"inputs": {
"confidence": "@min(variables('GroupingConfidence'))",
"context": "suspicious-activity",
"created": "@formatDateTime(string(utcNow()), 'yyyy-MM-ddTHH:mm:ss.ffffffK')",
"created_by_ref": "@variables('CreatedByRefObjId')",
"description": "@first(variables('GroupingDescription'))",
"id": "grouping--@{guid()}",
"modified": "@formatDateTime(string(utcNow()), 'yyyy-MM-ddTHH:mm:ss.ffffffK')",
"object_marking_refs": "@union(variables('GroupingMarkingRefObjs'), variables('GroupingMarkingRefObjs'))",
"object_refs": "@union(variables('GroupingIndicators'), variables('GroupingIndicators'))",
"spec_version": "2.1",
"type": "grouping"
}
}
},
"runAfter": {
"For_each_combination_extract_IndicatorId_and_MarkingRefObj": [
"Succeeded"
]
},
"type": "Scope"
},
"Reset_Array_GroupingConfidence": {
"runAfter": {
"Reset_Array_GroupingIndicators": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "GroupingConfidence",
"value": "@int(split(items('For_each_combination_extract_IndicatorId_and_MarkingRefObj'), ';')[1])"
"value": "[variables('TemplateEmptyArray')]"
}
},
"Append_to_array_GroupingDescription": {
"Reset_Array_GroupingDescription": {
"runAfter": {
"Append_to_array_GroupingMarkingRefObjs": [
"Reset_Array_GroupingMarkingRefObjs": [
"Succeeded"
]
},
"type": "AppendToArrayVariable",
"type": "SetVariable",
"inputs": {
"name": "GroupingDescription",
"value": "@split(items('For_each_combination_extract_IndicatorId_and_MarkingRefObj'), ';')[4]"
"value": "[variables('TemplateEmptyArray')]"
}
},
"Append_to_array_GroupingIndicators": {
"type": "AppendToArrayVariable",
"Reset_Array_GroupingIndicators": {
"runAfter": {
"Append_to_array_TempIncidentArray": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "GroupingIndicators",
"value": "@split(items('For_each_combination_extract_IndicatorId_and_MarkingRefObj'), ';')[0]"
"value": "[variables('TemplateEmptyArray')]"
}
},
"Append_to_array_GroupingMarkingRefObjs": {
"Reset_Array_GroupingMarkingRefObjs": {
"runAfter": {
"Append_to_array_GroupingConfidence": [
"Reset_Array_GroupingConfidence": [
"Succeeded"
]
},
"type": "AppendToArrayVariable",
"type": "SetVariable",
"inputs": {
"name": "GroupingMarkingRefObjs",
"value": "@split(items('For_each_combination_extract_IndicatorId_and_MarkingRefObj'), ';')[3]"
}
}
},
"type": "Foreach"
},
"Grouping_Object_Composition": {
"actions": {
"Append_GroupObj_to_Indicators_array": {
"runAfter": {
"Compose_Group_Object": [
"Succeeded"
]
},
"type": "AppendToArrayVariable",
"inputs": {
"name": "Indicators",
"value": "@outputs('Compose_Group_Object')"
}
},
"Compose_Group_Object": {
"type": "Compose",
"inputs": {
"confidence": "@min(variables('GroupingConfidence'))",
"context": "suspicious-activity",
"created": "@formatDateTime(string(utcNow()), 'yyyy-MM-ddTHH:mm:ss.ffffffK')",
"created_by_ref": "@variables('CreatedByRefObjId')",
"description": "@first(variables('GroupingDescription'))",
"id": "grouping--@{guid()}",
"modified": "@formatDateTime(string(utcNow()), 'yyyy-MM-ddTHH:mm:ss.ffffffK')",
"object_marking_refs": "@union(variables('GroupingMarkingRefObjs'), variables('GroupingMarkingRefObjs'))",
"object_refs": "@union(variables('GroupingIndicators'), variables('GroupingIndicators'))",
"spec_version": "2.1",
"type": "grouping"
"value": "[variables('TemplateEmptyArray')]"
}
}
},
"runAfter": {
"For_each_combination_extract_IndicatorId_and_MarkingRefObj": [
"Extract_Goruping_details_for_each_Indicatorids": [
"Succeeded"
]
},
"type": "Scope"
"expression": {
"and": [
{
"not": {
"equals": [
"@contains(variables('TempIncidentIdArray'), split(items('For_each_IncidentID_create_a_Grouping'), ';')[2])",
"@true"
]
}
}
]
},
"type": "If"
},
"Reset_Array_GroupingConfidence": {
"runAfter": {
"Reset_Array_GroupingDescription": [
"Succeeded"
]
},
"type": "SetVariable",
"Extract_Goruping_details_for_each_Indicatorids": {
"type": "Query",
"inputs": {
"name": "GroupingConfidence",
"value": "[variables('TemplateEmptyArray')]"
}
},
"Reset_Array_GroupingDescription": {
"runAfter": {
"Reset_Array_GroupingMarkingRefObjs": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "GroupingDescription",
"value": "[variables('TemplateEmptyArray')]"
}
},
"Reset_Array_GroupingIndicators": {
"runAfter": {
"Append_to_array_TempIncidentArray": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "GroupingIndicators",
"value": "[variables('TemplateEmptyArray')]"
}
},
"Reset_Array_GroupingMarkingRefObjs": {
"runAfter": {
"Reset_Array_GroupingIndicators": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "GroupingMarkingRefObjs",
"value": "[variables('TemplateEmptyArray')]"
"from": "@variables('IncidentIDLabelsForGrouping')",
"where": "@equals(split(items('For_each_IncidentID_create_a_Grouping'), ';')[2], split(item(), ';')[2])"
}
}
},
"runAfter": {
"Extract_Goruping_details_for_each_Indicatorids": [
"Succeeded"
]
},
"expression": {
"and": [
{
"not": {
"equals": [
"@contains(variables('TempIncidentIdArray'), split(items('For_each_IncidentID_create_a_Grouping'), ';')[2])",
"@true"
"@split(items('For_each_IncidentID_create_a_Grouping'), ';')[2]",
"NoIncident"
]
}
}
]
},
"type": "If"
},
"Extract_Goruping_details_for_each_Indicatorids": {
"type": "Query",
"inputs": {
"from": "@variables('IncidentIDLabelsForGrouping')",
"where": "@equals(split(items('For_each_IncidentID_create_a_Grouping'), ';')[2], split(item(), ';')[2])"
}
}
},
"type": "Foreach",
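Review bot: The new outer condition `Condition_to_check_if_Indicator_is_not_part_of_any_Incident_skip_Grouping` skips an item by comparing `@split(items('For_each_IncidentID_create_a_Grouping'), ';')[2]` with the bare literal `"NoIncident"`, a sentinel that has to be produced byte-for-byte identically wherever `IncidentIDLabelsForGrouping` is built, which is outside this hunk; a label with fewer than three `;`-separated fields makes the index expression itself fail before the skip is evaluated, so the producer's label format is now a hidden contract of this branch. The five `split(...)[0..4]` indexes in the hunk (indicator id, confidence, incident id, marking ref, description) fix that layout, but because the template is strict JSON there is nowhere inline to record it; a short section in the playbook's README documenting the field order and the `NoIncident` sentinel, or carrying the sentinel in the action name, would make the contract visible to whoever changes the producer. The closing brace of `For_each_IncidentID_create_a_Grouping` lies beyond the end of the hunk.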