add azuredeploy formatted playbooks

ivanovchinnikov 2021-07-14 17:23:35 +03:00
Родитель b22f3f7db6
Коммит ddaf26921e
24 изменённых файлов: 19171 добавлений и 0 удалений


@ -0,0 +1,113 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"PlaybookName": {
"defaultValue": "GIBIndicatorProcessor",
"type": "string"
},
"UserName": {
"defaultValue": "<username>@<domain>",
"type": "string"
}
},
"variables": {"AzureLogAnalyticsDataCollectorConnectionName": "[concat('azureloganalyticsdatacollector-', parameters('PlaybookName'))]"},
"resources": [
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('AzureLogAnalyticsDataCollectorConnectionName')]",
"location": "[resourceGroup().location]",
"properties": {
"displayName": "[parameters('UserName')]",
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/microsoftgraphsecurity')]"
}
}
},
{
"type": "Microsoft.Logic/workflows",
"apiVersion": "2017-07-01",
"name": "[parameters('PlaybookName')]",
"location": "[resourceGroup().location]",
"properties": {
"state": "Disabled",
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"actions": {
"For_each": {
"actions": {
"Submit_multiple_tiIndicators": {
"inputs": {
"body": {
"value": "@items('For_each')"
},
"host": {
"connection": {
"name": "@parameters('$connections')['microsoftgraphsecurity_1']['connectionId']"
}
},
"method": "post",
"path": "/beta/security/tiIndicators/submitTiIndicators"
},
"runAfter": {},
"type": "ApiConnection"
}
},
"foreach": "@body('Select')",
"runAfter": {
"Select": [
"Succeeded"
]
},
"type": "Foreach"
},
"Select": {
"inputs": {
"from": "@triggerBody()['items']",
"select": "@item()['content']"
},
"runAfter": {},
"type": "Select"
}
},
"contentVersion": "1.0.0.0",
"outputs": {},
"parameters": {
"$connections": {
"defaultValue": {},
"type": "Object"
}
},
"triggers": {
"Batch_messages": {
"inputs": {
"configurations": {
"GIBIndicatorsBatch": {
"releaseCriteria": {
"messageCount": 5
}
}
},
"mode": "Inline"
},
"type": "Batch"
}
}
},
"parameters": {
"$connections": {
"value": {
"microsoftgraphsecurity": {
"connectionId": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', 'Group-IB-WS', '/providers/Microsoft.Web/connections/')]",
"connectionName": "[variables('AzureLogAnalyticsDataCollectorConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/microsoftgraphsecurity')]"
}
}
}
}
}
}
]
}
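Review bot: The `Submit_multiple_tiIndicators` action resolves its connection with `parameters('$connections')['microsoftgraphsecurity_1']`, but the only key the template supplies under `$connections` is `microsoftgraphsecurity`, so the lookup fails at run time; the reference should read `"name": "@parameters('$connections')['microsoftgraphsecurity']['connectionId']"`. The supplied `connectionId` ends in `/connections/` with no connection name and pins the resource group to `Group-IB-WS`; `"connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureLogAnalyticsDataCollectorConnectionName'))]"` yields the real id inside the deployment's own resource group, and the same truncated literal recurs in both `$connections` entries of the APT_ThreatActor, Attacks_ddos and Attacks_deface templates. The `Microsoft.Logic/workflows` resource declares no `dependsOn` on the connection it references, so ARM may provision the workflow before the connection exists; add `"dependsOn": ["[resourceId('Microsoft.Web/connections', variables('AzureLogAnalyticsDataCollectorConnectionName'))]"]` here and the equivalent list in the other playbooks. The variable is named for the Log Analytics data collector API while the connection it names is created against `/managedApis/microsoftgraphsecurity`, which is misleading; a name such as `MicrosoftGraphSecurityConnectionName` would make the template self-describing.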


@ -0,0 +1,627 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"PlaybookName": {
"defaultValue": "GIBTIA_APT_ThreatActor",
"type": "string"
},
"UserName": {
"defaultValue": "<username>@<domain>",
"type": "string"
}
},
"variables": {
"AzureLogAnalyticsDataCollectorConnectionName": "[concat('azureloganalyticsdatacollector-', parameters('PlaybookName'))]",
"azuremonitorlogsConnectionName": "[concat('azuremon-', parameters('PlaybookName'))]"
},
"resources": [
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('azuremonitorlogsConnectionName')]",
"location": "[resourceGroup().location]",
"properties": {
"displayName": "[parameters('UserName')]",
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuremonitorlogs')]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('AzureLogAnalyticsDataCollectorConnectionName')]",
"location": "[resourceGroup().location]",
"properties": {
"displayName": "[parameters('UserName')]",
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/microsoftgraphsecurity')]"
}
}
},
{
"type": "Microsoft.Logic/workflows",
"apiVersion": "2017-07-01",
"name": "[parameters('PlaybookName')]",
"location": "[resourceGroup().location]",
"properties": {
"state": "Disabled",
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"actions": {
"Condition": {
"actions": {
"Set_variable": {
"inputs": {
"name": "seqUpdate",
"value": "@body('Get_last_received_item_ID_from_Azure_Log_DB')?['value'][0]['seqUpdate_d']"
},
"runAfter": {},
"type": "SetVariable"
}
},
"else": {
"actions": {
"HTTP": {
"inputs": {
"headers": {
"accept": "*/*",
"x-auth-key": "@variables('GIB API Key')",
"x-auth-login": "@parameters('GIB Username')"
},
"method": "GET",
"queries": {
"collection": "@parameters('Collection Name')",
"date": "@{addDays(utcNow(), -1, 'yyyy-MM-dd')}"
},
"uri": "@{parameters('GIB API URL ')}sequence_list"
},
"runAfter": {},
"type": "Http"
},
"Parse_JSON": {
"inputs": {
"content": "@body('HTTP')",
"schema": {
"properties": {
"list": {
"properties": {
"apt/threat_actor": {
"type": "integer"
}
},
"type": "object"
}
},
"type": "object"
}
},
"runAfter": {
"HTTP": [
"Succeeded"
]
},
"type": "ParseJson"
},
"Update_Last_Item_id_in_Tech_table_": {
"inputs": {
"body": "{\n\"collection_name\" : \"@{parameters('Collection Name')}\",\n\"seqUpdate\" : @{body('Parse_JSON')?['list']?['apt/threat_actor']}\n}",
"headers": {
"Log-Type": "GIBTechTable"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']"
}
},
"method": "post",
"path": "/api/logs"
},
"runAfter": {
"Parse_JSON": [
"Succeeded"
]
},
"type": "ApiConnection"
},
"set_seqUpdate_": {
"inputs": {
"name": "seqUpdate",
"value": "@body('Parse_JSON')?['list']?['apt/threat_actor']"
},
"runAfter": {
"Update_Last_Item_id_in_Tech_table_": [
"Succeeded"
]
},
"type": "SetVariable"
}
}
},
"expression": {
"and": [
{
"not": {
"equals": [
"@length(body('Get_last_received_item_ID_from_Azure_Log_DB')?['value'])",
0
]
}
}
]
},
"runAfter": {
"Get_last_received_item_ID_from_Azure_Log_DB": [
"Succeeded"
]
},
"type": "If"
},
"Get_last_received_item_ID_from_Azure_Log_DB": {
"inputs": {
"body": "GIBTechTable_CL | where collection_name_s == \"@{parameters('Collection Name')}\" | sort by TimeGenerated | limit 1",
"host": {
"connection": {
"name": "@parameters('$connections')['azuremonitorlogs']['connectionId']"
}
},
"method": "post",
"path": "/queryData",
"queries": {
"resourcegroups": "Group-IB-WS",
"resourcename": "Group-IB",
"resourcetype": "Log Analytics Workspace",
"subscriptions": "xxxx-xxx-xxx-xxx-xxxxx",
"timerange": "Last 7 days"
}
},
"runAfter": {
"Initialize_API_Key": [
"Succeeded"
]
},
"type": "ApiConnection"
},
"Initialize_API_Key": {
"inputs": {
"variables": [
{
"name": "GIB API Key",
"type": "string",
"value": "XXXXXXXXXXXXXXXX"
}
]
},
"runAfter": {
"Initialize_Indicators_Array": [
"Succeeded"
]
},
"type": "InitializeVariable"
},
"Initialize_Indicators_Array": {
"inputs": {
"variables": [
{
"name": "Indicators",
"type": "array",
"value": []
}
]
},
"runAfter": {
"Initialize_seqUpdate": [
"Succeeded"
]
},
"type": "InitializeVariable"
},
"Initialize_seqUpdate": {
"inputs": {
"variables": [
{
"name": "seqUpdate",
"type": "integer"
}
]
},
"runAfter": {},
"type": "InitializeVariable"
},
"Initialize_variable": {
"inputs": {
"variables": [
{
"name": "IsPortionEmpty",
"type": "boolean",
"value": false
}
]
},
"runAfter": {
"Condition": [
"Succeeded"
]
},
"type": "InitializeVariable"
},
"Until": {
"actions": {
"Get_items_from_response": {
"inputs": {
"content": "@body('Get_next_portion_of_events_from_GIB')",
"schema": {
"properties": {
"count": {
"type": [
"integer",
"null"
]
},
"items": {
"items": {
"properties": {
"aliases": {
"items": {
"type": [
"string",
"null"
]
},
"type": "array"
},
"country": {},
"createdAt": {
"type": [
"string",
"null"
]
},
"description": {
"type": [
"string",
"null"
]
},
"displayOptions": {
"properties": {
"isFavourite": {
"type": "boolean"
},
"isHidden": {
"type": "boolean"
}
},
"type": "object"
},
"files": {
"type": "array"
},
"goals": {
"type": "array"
},
"id": {
"type": [
"string",
"null"
]
},
"isAPT": {
"type": "boolean"
},
"labels": {
"type": "array"
},
"langs": {
"items": {
"type": [
"string",
"null"
]
},
"type": "array"
},
"name": {
"type": [
"string",
"null"
]
},
"oldId": {},
"roles": {
"type": "array"
},
"seqUpdate": {
"type": [
"integer",
"null"
]
},
"spokenOnLangs": {
"type": "array"
},
"stat": {
"properties": {
"countries": {
"type": "array"
},
"dateFirstSeen": {
"type": [
"string",
"null"
]
},
"dateLastSeen": {
"type": [
"string",
"null"
]
},
"regions": {
"type": "array"
},
"reports": {
"items": {
"properties": {
"datePublished": {
"type": [
"string",
"null"
]
},
"id": {
"type": [
"string",
"null"
]
},
"name": {
"properties": {
"en": {
"type": [
"string",
"null"
]
}
},
"type": "object"
}
},
"required": [
"datePublished",
"id",
"name"
],
"type": "object"
},
"type": "array"
},
"sectors": {
"items": {
"type": [
"string",
"null"
]
},
"type": "array"
}
},
"type": "object"
},
"techSeqUpdate": {},
"updatedAt": {
"type": [
"string",
"null"
]
}
},
"required": [
"aliases",
"country",
"createdAt",
"description",
"files",
"goals",
"id",
"isAPT",
"labels",
"langs",
"name",
"oldId",
"roles",
"seqUpdate",
"spokenOnLangs",
"stat",
"techSeqUpdate",
"updatedAt"
],
"type": "object"
},
"type": "array"
},
"seqUpdate": {
"type": [
"integer",
"null"
]
}
},
"type": "object"
}
},
"runAfter": {
"Get_next_portion_of_events_from_GIB": [
"Succeeded"
]
},
"type": "ParseJson"
},
"Get_next_portion_of_events_from_GIB": {
"inputs": {
"headers": {
"Accept": "*/*",
"x-auth-key": "@variables('GIB API Key')",
"x-auth-login": "@parameters('GIB Username')"
},
"method": "GET",
"queries": {
"limit": "10",
"seqUpdate": "@{variables('seqUpdate')}"
},
"uri": "@{parameters('GIB API URL ')}@{parameters('Collection Name')}/updated"
},
"runAfter": {},
"type": "Http"
},
"IfPortionHasItems": {
"actions": {
"Send_Data": {
"inputs": {
"body": "@{body('Get_items_from_response')?['items']}",
"headers": {
"Log-Type": "GIBTIAAPTThreatActor "
},
"host": {
"connection": {
"name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']"
}
},
"method": "post",
"path": "/api/logs"
},
"runAfter": {},
"type": "ApiConnection"
}
},
"else": {
"actions": {
"Set_Empty_portion_value": {
"inputs": {
"name": "IsPortionEmpty",
"value": true
},
"runAfter": {},
"type": "SetVariable"
}
}
},
"expression": {
"and": [
{
"not": {
"equals": [
"@length(body('Get_items_from_response')?['items'])",
0
]
}
}
]
},
"runAfter": {
"Reset_seqUpdate": [
"Succeeded"
]
},
"type": "If"
},
"Reset_seqUpdate": {
"inputs": {
"name": "seqUpdate",
"value": "@body('Get_items_from_response')?['seqUpdate']"
},
"runAfter": {
"Get_items_from_response": [
"Succeeded"
]
},
"type": "SetVariable"
},
"Save_seqUpdate": {
"inputs": {
"body": "{\n\"collection_name\" : \"@{parameters('Collection Name')}\",\n\"seqUpdate\" : @{variables('seqUpdate')}\n}",
"headers": {
"Log-Type": "GIBTechTable"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']"
}
},
"method": "post",
"path": "/api/logs"
},
"runAfter": {
"IfPortionHasItems": [
"Succeeded"
]
},
"type": "ApiConnection"
}
},
"expression": "@equals(variables('IsPortionEmpty'), true)",
"limit": {
"count": 10,
"timeout": "PT1H"
},
"runAfter": {
"Initialize_variable": [
"Succeeded"
]
},
"type": "Until"
}
},
"contentVersion": "1.0.0.0",
"outputs": {},
"parameters": {
"$connections": {
"defaultValue": {},
"type": "Object"
},
"Collection Name": {
"defaultValue": "apt/threat_actor",
"type": "String"
},
"GIB API URL ": {
"defaultValue": "https://bt.group-ib.com/api/v2/",
"type": "String"
},
"GIB Username": {
"defaultValue": "xxxx@domian.com",
"type": "String"
}
},
"triggers": {
"Recurrence": {
"recurrence": {
"frequency": "Hour",
"interval": 1
},
"type": "Recurrence"
}
}
},
"parameters": {
"$connections": {
"value": {
"azureloganalyticsdatacollector": {
"connectionId": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', 'Group-IB-WS', '/providers/Microsoft.Web/connections/')]",
"connectionName": "[variables('AzureLogAnalyticsDataCollectorConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azureloganalyticsdatacollector')]"
},
"azuremonitorlogs": {
"connectionId": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', 'Group-IB-WS', '/providers/Microsoft.Web/connections/')]",
"connectionName": "[variables('azuremonitorlogsConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuremonitorlogs')]"
}
}
}
}
}
}
]
}
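Review bot: The second `Microsoft.Web/connections` resource is created against `/managedApis/microsoftgraphsecurity`, yet the workflow's `$connections.azureloganalyticsdatacollector` entry names that same connection (`AzureLogAnalyticsDataCollectorConnectionName`) and the `Send_Data`, `Save_seqUpdate` and `Update_Last_Item_id_in_Tech_table_` actions post to `/api/logs` through it, so the connection is bound to the wrong API; its `api.id` should be `[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azureloganalyticsdatacollector')]`, and the Attacks_ddos and Attacks_deface templates repeat the mismatch. The Group-IB API key is carried in a plain `InitializeVariable` action (`Initialize_API_Key`) inside the workflow definition, where it is readable by any principal that can read the workflow and is echoed in the action inputs of every run; pass it instead as a `securestring` template parameter into a workflow parameter of type `SecureString`, and set `"runtimeConfiguration": {"secureData": {"properties": ["inputs", "outputs"]}}` on the two `Http` actions that send `x-auth-key` — the ddos and deface playbooks have the same `Initialize_API_Key` action. The `Get_last_received_item_ID_from_Azure_Log_DB` queries hard-code a placeholder subscription id and the `Group-IB-WS` / `Group-IB` workspace names, so the template is not deployable outside the author's environment; `subscription().subscriptionId` and workspace-name parameters fix that in all three playbooks. The `Log-Type` header on `Send_Data` is `GIBTIAAPTThreatActor ` with a trailing space, which the data collector API is likely to reject because the record type may contain only letters, digits and underscores; drop the space.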



@ -0,0 +1,704 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"PlaybookName": {
"defaultValue": "GIBTIA_Attacks_ddos",
"type": "string"
},
"UserName": {
"defaultValue": "<username>@<domain>",
"type": "string"
}
},
"variables": {
"AzureLogAnalyticsDataCollectorConnectionName": "[concat('azureloganalyticsdatacollector-', parameters('PlaybookName'))]",
"azuremonitorlogsConnectionName": "[concat('azuremon-', parameters('PlaybookName'))]"
},
"resources": [
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('azuremonitorlogsConnectionName')]",
"location": "[resourceGroup().location]",
"properties": {
"displayName": "[parameters('UserName')]",
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuremonitorlogs')]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('AzureLogAnalyticsDataCollectorConnectionName')]",
"location": "[resourceGroup().location]",
"properties": {
"displayName": "[parameters('UserName')]",
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/microsoftgraphsecurity')]"
}
}
},
{
"type": "Microsoft.Logic/workflows",
"apiVersion": "2017-07-01",
"name": "[parameters('PlaybookName')]",
"location": "[resourceGroup().location]",
"properties": {
"state": "Disabled",
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"actions": {
"Condition": {
"actions": {
"Set_variable": {
"inputs": {
"name": "seqUpdate",
"value": "@body('Get_last_received_item_ID_from_Azure_Log_DB')?['value'][0]['seqUpdate_d']"
},
"runAfter": {},
"type": "SetVariable"
}
},
"else": {
"actions": {
"HTTP": {
"inputs": {
"headers": {
"accept": "*/*",
"x-auth-key": "@variables('GIB API Key')",
"x-auth-login": "@parameters('GIB Username')"
},
"method": "GET",
"queries": {
"collection": "@parameters('Collection Name')",
"date": "@{addDays(utcNow(), -1, 'yyyy-MM-dd')}"
},
"uri": "@{parameters('GIB API URL ')}sequence_list"
},
"runAfter": {},
"type": "Http"
},
"Parse_JSON": {
"inputs": {
"content": "@body('HTTP')",
"schema": {
"properties": {
"list": {
"properties": {
"attacks/ddos": {
"type": "integer"
}
},
"type": "object"
}
},
"type": "object"
}
},
"runAfter": {
"HTTP": [
"Succeeded"
]
},
"type": "ParseJson"
},
"Update_Last_Item_id_in_Tech_table_": {
"inputs": {
"body": "{\n\"collection_name\" : \"@{parameters('Collection Name')}\",\n\"seqUpdate\" : @{body('Parse_JSON')?['list']?['attacks/ddos']}\n}",
"headers": {
"Log-Type": "GIBTechTable"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']"
}
},
"method": "post",
"path": "/api/logs"
},
"runAfter": {
"Parse_JSON": [
"Succeeded"
]
},
"type": "ApiConnection"
},
"set_seqUpdate_": {
"inputs": {
"name": "seqUpdate",
"value": "@body('Parse_JSON')?['list']?['attacks/ddos']"
},
"runAfter": {
"Update_Last_Item_id_in_Tech_table_": [
"Succeeded"
]
},
"type": "SetVariable"
}
}
},
"expression": {
"and": [
{
"not": {
"equals": [
"@length(body('Get_last_received_item_ID_from_Azure_Log_DB')?['value'])",
0
]
}
}
]
},
"runAfter": {
"Get_last_received_item_ID_from_Azure_Log_DB": [
"Succeeded"
]
},
"type": "If"
},
"Get_last_received_item_ID_from_Azure_Log_DB": {
"inputs": {
"body": "GIBTechTable_CL | where collection_name_s == \"@{parameters('Collection Name')}\" | sort by TimeGenerated | limit 1",
"host": {
"connection": {
"name": "@parameters('$connections')['azuremonitorlogs']['connectionId']"
}
},
"method": "post",
"path": "/queryData",
"queries": {
"resourcegroups": "Group-IB-WS",
"resourcename": "Group-IB",
"resourcetype": "Log Analytics Workspace",
"subscriptions": "xx-xxx-xxxx-xxxx-xxx",
"timerange": "Last 7 days"
}
},
"runAfter": {
"Initialize_API_Key": [
"Succeeded"
]
},
"type": "ApiConnection"
},
"Initialize_API_Key": {
"inputs": {
"variables": [
{
"name": "GIB API Key",
"type": "string",
"value": "XXXXXX"
}
]
},
"runAfter": {
"Initialize_seqUpdate": [
"Succeeded"
]
},
"type": "InitializeVariable"
},
"Initialize_seqUpdate": {
"inputs": {
"variables": [
{
"name": "seqUpdate",
"type": "integer"
}
]
},
"runAfter": {},
"type": "InitializeVariable"
},
"Initialize_variable": {
"inputs": {
"variables": [
{
"name": "IsPortionEmpty",
"type": "boolean",
"value": false
}
]
},
"runAfter": {
"Condition": [
"Succeeded"
]
},
"type": "InitializeVariable"
},
"Until": {
"actions": {
"Get_items_from_response": {
"inputs": {
"content": "@body('Get_next_portion_of_events_from_GIB')",
"schema": {
"properties": {
"count": {
"type": [
"integer",
"null"
]
},
"items": {
"items": {
"properties": {
"cnc": {
"properties": {
"cnc": {},
"domain": {},
"ipv4": {
"properties": {
"asn": {},
"city": {},
"countryCode": {},
"countryName": {},
"ip": {},
"provider": {},
"region": {}
},
"type": "object"
},
"ipv6": {},
"url": {}
},
"type": "object"
},
"dateBegin": {
"type": [
"string",
"null"
]
},
"dateEnd": {
"type": [
"string",
"null"
]
},
"dateReg": {
"type": [
"string",
"null"
]
},
"evaluation": {
"properties": {
"admiraltyCode": {
"type": [
"string",
"null"
]
},
"credibility": {
"type": [
"integer",
"null"
]
},
"reliability": {
"type": [
"integer",
"null"
]
},
"severity": {
"type": [
"string",
"null"
]
},
"tlp": {
"type": [
"string",
"null"
]
},
"ttl": {
"type": [
"integer",
"null"
]
}
},
"type": "object"
},
"id": {
"type": [
"string",
"null"
]
},
"isFavourite": {
"type": "boolean"
},
"isHidden": {
"type": "boolean"
},
"malware": {},
"messageLink": {},
"oldId": {
"type": [
"string",
"null"
]
},
"portalLink": {
"type": [
"string",
"null"
]
},
"protocol": {
"type": [
"string",
"null"
]
},
"seqUpdate": {
"type": [
"integer",
"null"
]
},
"target": {
"properties": {
"category": {},
"domain": {},
"domainsCount": {
"type": [
"integer",
"null"
]
},
"ipv4": {
"properties": {
"asn": {},
"city": {},
"countryCode": {
"type": [
"string",
"null"
]
},
"countryName": {
"type": [
"string",
"null"
]
},
"ip": {
"type": [
"string",
"null"
]
},
"provider": {
"type": [
"string",
"null"
]
},
"region": {}
},
"type": "object"
},
"port": {
"type": [
"integer",
"null"
]
},
"url": {}
},
"type": "object"
},
"threatActor": {},
"type": {
"type": [
"string",
"null"
]
}
},
"required": [
"cnc",
"dateBegin",
"dateEnd",
"dateReg",
"evaluation",
"id",
"malware",
"messageLink",
"oldId",
"portalLink",
"protocol",
"seqUpdate",
"target",
"threatActor",
"type"
],
"type": "object"
},
"type": "array"
},
"resultId": {
"type": [
"string",
"null"
]
}
},
"type": "object"
}
},
"runAfter": {
"Get_next_portion_of_events_from_GIB": [
"Succeeded"
]
},
"type": "ParseJson"
},
"Get_next_portion_of_events_from_GIB": {
"inputs": {
"headers": {
"Accept": "*/*",
"x-auth-key": "@variables('GIB API Key')",
"x-auth-login": "@parameters('GIB Username')"
},
"method": "GET",
"queries": {
"limit": "100",
"seqUpdate": "@{variables('seqUpdate')}"
},
"uri": "@{parameters('GIB API URL ')}@{parameters('Collection Name')}/updated"
},
"runAfter": {},
"type": "Http"
},
"IfPortionHasItems": {
"actions": {
"GIBIndicatorProcessor": {
"inputs": {
"batchName": "GIBIndicatorsBatch",
"content": "@body('Select')",
"host": {
"triggerName": "Batch_messages",
"workflow": {
"id": "/subscriptions/xx-xxx-xxxx-xxxx-xxx/resourceGroups/Group-IB-WS/providers/Microsoft.Logic/workflows/GIBIndicatorProcessor"
}
}
},
"runAfter": {
"Select": [
"Succeeded"
]
},
"type": "SendToBatch"
},
"Save_only_as_Indicators": {
"actions": {},
"else": {
"actions": {
"Send_Data": {
"inputs": {
"body": "@{body('Get_items_from_response')?['items']}",
"headers": {
"Log-Type": "GIBTIAAttacksDDoS"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']"
}
},
"method": "post",
"path": "/api/logs"
},
"runAfter": {},
"type": "ApiConnection"
}
}
},
"expression": {
"and": [
{
"equals": [
"@parameters('Save only indicators')",
true
]
}
]
},
"runAfter": {},
"type": "If"
},
"Select": {
"inputs": {
"from": "@body('Get_items_from_response')?['items']",
"select": {
"action": "unknown",
"activityGroupNames": [
"@item()?['threatActor']?['name']"
],
"confidence": "@{item()?['evaluation']?['credibility']}",
"description": "GIB DDoS Attack",
"expirationDateTime": "@{addDays(item()?['dateEnd'], item()?['evaluation']?['ttl'])}",
"externalId": "@{item()?['id']}",
"killChain": [],
"malwareFamilyNames": [],
"networkDestinationIPv4": "@{item()?['target']?['ipv4']?['ip']}",
"networkDestinationPort": "@item()?['target']?['port']",
"networkSourceIPv4": "@{item()?['cnc']?['ipv4']?['ip']}",
"severity": 0,
"tags": [
"attacks-ddos"
],
"targetProduct": "Azure Sentinel",
"threatType": "DDoS",
"tlpLevel": "@{item()?['evaluation']?['tlp']}"
}
},
"runAfter": {
"Save_only_as_Indicators": [
"Succeeded"
]
},
"type": "Select"
}
},
"else": {
"actions": {
"Set_Empty_portion_value": {
"inputs": {
"name": "IsPortionEmpty",
"value": true
},
"runAfter": {},
"type": "SetVariable"
}
}
},
"expression": {
"and": [
{
"not": {
"equals": [
"@length(body('Get_items_from_response')?['items'])",
0
]
}
}
]
},
"runAfter": {
"Reset_seqUpdate": [
"Succeeded"
]
},
"type": "If"
},
"Reset_seqUpdate": {
"inputs": {
"name": "seqUpdate",
"value": "@body('Get_items_from_response')?['seqUpdate']"
},
"runAfter": {
"Get_items_from_response": [
"Succeeded"
]
},
"type": "SetVariable"
},
"Save_seqUpdate": {
"inputs": {
"body": "{\n\"collection_name\" : \"@{parameters('Collection Name')}\",\n\"seqUpdate\" : @{variables('seqUpdate')}\n}",
"headers": {
"Log-Type": "GIBTechTable"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']"
}
},
"method": "post",
"path": "/api/logs"
},
"runAfter": {
"IfPortionHasItems": [
"Succeeded"
]
},
"type": "ApiConnection"
}
},
"expression": "@equals(variables('IsPortionEmpty'), true)",
"limit": {
"count": 10,
"timeout": "PT1H"
},
"runAfter": {
"Initialize_variable": [
"Succeeded"
]
},
"type": "Until"
}
},
"contentVersion": "1.0.0.0",
"outputs": {},
"parameters": {
"$connections": {
"defaultValue": {},
"type": "Object"
},
"Collection Name": {
"defaultValue": "attacks/ddos",
"type": "String"
},
"GIB API URL ": {
"defaultValue": "https://bt.group-ib.com/api/v2/",
"type": "String"
},
"GIB Username": {
"defaultValue": "XXX@domain.com",
"type": "String"
},
"Save only indicators": {
"defaultValue": true,
"type": "Bool"
}
},
"triggers": {
"Recurrence": {
"recurrence": {
"frequency": "Hour",
"interval": 1
},
"type": "Recurrence"
}
}
},
"parameters": {
"$connections": {
"value": {
"azureloganalyticsdatacollector": {
"connectionId": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', 'Group-IB-WS', '/providers/Microsoft.Web/connections/')]",
"connectionName": "[variables('AzureLogAnalyticsDataCollectorConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azureloganalyticsdatacollector')]"
},
"azuremonitorlogs": {
"connectionId": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', 'Group-IB-WS', '/providers/Microsoft.Web/connections/')]",
"connectionName": "[variables('azuremonitorlogsConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuremonitorlogs')]"
}
}
}
}
}
}
]
}
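Review bot: In the `Select` action, `expirationDateTime` is built as `addDays(item()?['dateEnd'], item()?['evaluation']?['ttl'])`, but the `Get_items_from_response` schema declares both `dateEnd` and `ttl` as nullable, so one item with a null in either field makes `addDays` throw and fails the whole `Select` — and with it the entire portion — instead of one indicator. Guard the expression, e.g. `if(or(empty(item()?['dateEnd']), empty(item()?['evaluation']?['ttl'])), <FALLBACK_EXPIRY>, addDays(item()?['dateEnd'], item()?['evaluation']?['ttl']))`, with the fallback (for instance a fixed number of days from `utcNow()`) left as a policy choice for the authors; the deface playbook's `Select` computes `expirationDateTime` from `date` and `ttl` the same way. `confidence` is emitted through `@{...}` string interpolation here but through `@int(...)` in the deface playbook; the Graph tiIndicator confidence is an integer, so `"confidence": "@int(item()?['evaluation']?['credibility'])"` keeps the two templates consistent, and `int()` needs the same null guard since `credibility` is nullable too. The `SendToBatch` target is the literal `/subscriptions/xx-xxx-xxxx-xxxx-xxx/resourceGroups/Group-IB-WS/providers/Microsoft.Logic/workflows/GIBIndicatorProcessor`; `[resourceId('Microsoft.Logic/workflows', 'GIBIndicatorProcessor')]` resolves within the deployment rather than a placeholder subscription, and the deface playbook carries the same literal.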


@ -0,0 +1,670 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"PlaybookName": {
"defaultValue": "GIBTIA_Attacks_deface",
"type": "string"
},
"UserName": {
"defaultValue": "<username>@<domain>",
"type": "string"
}
},
"variables": {
"AzureLogAnalyticsDataCollectorConnectionName": "[concat('azureloganalyticsdatacollector-', parameters('PlaybookName'))]",
"azuremonitorlogsConnectionName": "[concat('azuremon-', parameters('PlaybookName'))]"
},
"resources": [
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('azuremonitorlogsConnectionName')]",
"location": "[resourceGroup().location]",
"properties": {
"displayName": "[parameters('UserName')]",
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuremonitorlogs')]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('AzureLogAnalyticsDataCollectorConnectionName')]",
"location": "[resourceGroup().location]",
"properties": {
"displayName": "[parameters('UserName')]",
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/microsoftgraphsecurity')]"
}
}
},
{
"type": "Microsoft.Logic/workflows",
"apiVersion": "2017-07-01",
"name": "[parameters('PlaybookName')]",
"location": "[resourceGroup().location]",
"properties": {
"state": "Disabled",
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"actions": {
"Condition": {
"actions": {
"Set_variable": {
"inputs": {
"name": "seqUpdate",
"value": "@body('Get_last_received_item_ID_from_Azure_Log_DB')?['value'][0]['seqUpdate_d']"
},
"runAfter": {},
"type": "SetVariable"
}
},
"else": {
"actions": {
"HTTP": {
"inputs": {
"headers": {
"accept": "*/*",
"x-auth-key": "@variables('GIB API Key')",
"x-auth-login": "@parameters('GIB Username')"
},
"method": "GET",
"queries": {
"collection": "@parameters('Collection Name')",
"date": "@{addDays(utcNow(), -1, 'yyyy-MM-dd')}"
},
"uri": "@{parameters('GIB API URL ')}sequence_list"
},
"runAfter": {},
"type": "Http"
},
"Parse_JSON": {
"inputs": {
"content": "@body('HTTP')",
"schema": {
"properties": {
"list": {
"properties": {
"attacks/deface": {
"type": "integer"
}
},
"type": "object"
}
},
"type": "object"
}
},
"runAfter": {
"HTTP": [
"Succeeded"
]
},
"type": "ParseJson"
},
"Update_Last_Item_id_in_Tech_table_": {
"inputs": {
"body": "{\n\"collection_name\" : \"@{parameters('Collection Name')}\",\n\"seqUpdate\" : @{body('Parse_JSON')?['list']?['attacks/deface']}\n}",
"headers": {
"Log-Type": "GIBTechTable"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']"
}
},
"method": "post",
"path": "/api/logs"
},
"runAfter": {
"Parse_JSON": [
"Succeeded"
]
},
"type": "ApiConnection"
},
"set_seqUpdate_": {
"inputs": {
"name": "seqUpdate",
"value": "@body('Parse_JSON')?['list']?['attacks/deface']"
},
"runAfter": {
"Update_Last_Item_id_in_Tech_table_": [
"Succeeded"
]
},
"type": "SetVariable"
}
}
},
"expression": {
"and": [
{
"not": {
"equals": [
"@length(body('Get_last_received_item_ID_from_Azure_Log_DB')?['value'])",
0
]
}
}
]
},
"runAfter": {
"Get_last_received_item_ID_from_Azure_Log_DB": [
"Succeeded"
]
},
"type": "If"
},
"Get_last_received_item_ID_from_Azure_Log_DB": {
"inputs": {
"body": "GIBTechTable_CL | where collection_name_s == \"@{parameters('Collection Name')}\" | sort by TimeGenerated | limit 1",
"host": {
"connection": {
"name": "@parameters('$connections')['azuremonitorlogs']['connectionId']"
}
},
"method": "post",
"path": "/queryData",
"queries": {
"resourcegroups": "Group-IB-WS",
"resourcename": "Group-IB",
"resourcetype": "Log Analytics Workspace",
"subscriptions": "xx-xxx-xxxx-xxxx-xxx",
"timerange": "Last 7 days"
}
},
"runAfter": {
"Initialize_API_Key": [
"Succeeded"
]
},
"type": "ApiConnection"
},
"Initialize_API_Key": {
"inputs": {
"variables": [
{
"name": "GIB API Key",
"type": "string",
"value": "XXXXXXXXXXX"
}
]
},
"runAfter": {
"Initialize_seqUpdate": [
"Succeeded"
]
},
"type": "InitializeVariable"
},
"Initialize_seqUpdate": {
"inputs": {
"variables": [
{
"name": "seqUpdate",
"type": "integer"
}
]
},
"runAfter": {},
"type": "InitializeVariable"
},
"Initialize_variable": {
"inputs": {
"variables": [
{
"name": "IsPortionEmpty",
"type": "boolean",
"value": false
}
]
},
"runAfter": {
"Condition": [
"Succeeded"
]
},
"type": "InitializeVariable"
},
"Until": {
"actions": {
"Get_items_from_response": {
"inputs": {
"content": "@body('Get_next_portion_of_events_from_GIB')",
"schema": {
"properties": {
"count": {
"type": [
"integer",
"null"
]
},
"items": {
"items": {
"properties": {
"contacts": {
"items": {
"type": [
"string",
"null"
]
},
"type": "array"
},
"date": {
"type": [
"string",
"null"
]
},
"evaluation": {
"properties": {
"admiraltyCode": {
"type": [
"string",
"null"
]
},
"credibility": {
"type": [
"integer",
"null"
]
},
"reliability": {
"type": [
"integer",
"null"
]
},
"severity": {
"type": [
"string",
"null"
]
},
"tlp": {
"type": [
"string",
"null"
]
},
"ttl": {
"type": [
"integer",
"null"
]
}
},
"type": "object"
},
"id": {
"type": [
"string",
"null"
]
},
"portalLink": {
"type": [
"string",
"null"
]
},
"seqUpdate": {
"type": [
"integer",
"null"
]
},
"source": {
"type": [
"string",
"null"
]
},
"targetDomain": {
"type": [
"string",
"null"
]
},
"targetDomainProvider": {},
"targetIp": {
"properties": {
"asn": {},
"city": {
"type": [
"string",
"null"
]
},
"countryCode": {},
"countryName": {
"type": [
"string",
"null"
]
},
"ip": {
"type": [
"string",
"null"
]
},
"provider": {},
"region": {}
},
"type": "object"
},
"threatActor": {
"properties": {
"country": {},
"id": {
"type": [
"string",
"null"
]
},
"isAPT": {
"type": "boolean"
},
"name": {
"type": [
"string",
"null"
]
}
},
"type": [
"object",
"null"
]
},
"url": {
"type": [
"string",
"null"
]
}
},
"required": [
"contacts",
"date",
"evaluation",
"id",
"portalLink",
"seqUpdate",
"source",
"targetDomain",
"targetDomainProvider",
"targetIp",
"threatActor",
"url"
],
"type": "object"
},
"type": "array"
},
"resultId": {
"type": [
"string",
"null"
]
}
},
"type": "object"
}
},
"runAfter": {
"Get_next_portion_of_events_from_GIB": [
"Succeeded"
]
},
"type": "ParseJson"
},
"Get_next_portion_of_events_from_GIB": {
"inputs": {
"headers": {
"Accept": "*/*",
"x-auth-key": "@variables('GIB API Key')",
"x-auth-login": "@parameters('GIB Username')"
},
"method": "GET",
"queries": {
"limit": "100",
"seqUpdate": "@{variables('seqUpdate')}"
},
"uri": "@{parameters('GIB API URL ')}@{parameters('Collection Name')}/updated"
},
"runAfter": {},
"type": "Http"
},
"IfPortionHasItems": {
"actions": {
"GIBIndicatorProcessor": {
"inputs": {
"batchName": "GIBIndicatorsBatch",
"content": "@body('Select')",
"host": {
"triggerName": "Batch_messages",
"workflow": {
"id": "/subscriptions/xx-xxx-xxxx-xxxx-xxx/resourceGroups/Group-IB-WS/providers/Microsoft.Logic/workflows/GIBIndicatorProcessor"
}
}
},
"runAfter": {
"Select": [
"Succeeded"
]
},
"type": "SendToBatch"
},
"Save_only_as_Indicators": {
"actions": {},
"else": {
"actions": {
"Send_Data": {
"inputs": {
"body": "@{body('Get_items_from_response')?['items']}",
"headers": {
"Log-Type": "GIBTIAAttacksDeface"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']"
}
},
"method": "post",
"path": "/api/logs"
},
"runAfter": {},
"type": "ApiConnection"
}
}
},
"expression": {
"and": [
{
"equals": [
"@parameters('Save only indicators')",
true
]
}
]
},
"runAfter": {},
"type": "If"
},
"Select": {
"inputs": {
"from": "@body('Get_items_from_response')?['items']",
"select": {
"action": "@parameters('GIB Attacks Deface URL Action')",
"activityGroupNames": [
"@item()?['threatActor']?['name']"
],
"confidence": "@int(item()?['evaluation']?['credibility'])",
"description": "GIB Attacks Deface URL",
"expirationDateTime": "@addDays(item()?['date'], item()?['evaluation']?['ttl'])",
"externalId": "@{item()?['id']}",
"killChain": [],
"malwareFamilyNames": [],
"severity": 3,
"tags": [
"attacks-deface"
],
"targetProduct": "Azure Sentinel",
"threatType": "WatchList",
"tlpLevel": "@{item()?['evaluation']?['tlp']}",
"url": "@{item()?['url']}"
}
},
"runAfter": {
"Save_only_as_Indicators": [
"Succeeded"
]
},
"type": "Select"
}
},
"else": {
"actions": {
"Set_Empty_portion_value": {
"inputs": {
"name": "IsPortionEmpty",
"value": true
},
"runAfter": {},
"type": "SetVariable"
}
}
},
"expression": {
"and": [
{
"not": {
"equals": [
"@length(body('Get_items_from_response')?['items'])",
0
]
}
}
]
},
"runAfter": {
"Reset_seqUpdate": [
"Succeeded"
]
},
"type": "If"
},
"Reset_seqUpdate": {
"inputs": {
"name": "seqUpdate",
"value": "@body('Get_items_from_response')?['seqUpdate']"
},
"runAfter": {
"Get_items_from_response": [
"Succeeded"
]
},
"type": "SetVariable"
},
"Save_seqUpdate": {
"inputs": {
"body": "{\n\"collection_name\" : \"@{parameters('Collection Name')}\",\n\"seqUpdate\" : @{variables('seqUpdate')}\n}",
"headers": {
"Log-Type": "GIBTechTable"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']"
}
},
"method": "post",
"path": "/api/logs"
},
"runAfter": {
"IfPortionHasItems": [
"Succeeded"
]
},
"type": "ApiConnection"
}
},
"expression": "@equals(variables('IsPortionEmpty'), true)",
"limit": {
"count": 10,
"timeout": "PT1H"
},
"runAfter": {
"Initialize_variable": [
"Succeeded"
]
},
"type": "Until"
}
},
"contentVersion": "1.0.0.0",
"outputs": {},
"parameters": {
"$connections": {
"defaultValue": {},
"type": "Object"
},
"Collection Name": {
"defaultValue": "attacks/deface",
"type": "String"
},
"GIB API URL ": {
"defaultValue": "https://bt.group-ib.com/api/v2/",
"type": "String"
},
"GIB Attacks Deface URL Action": {
"defaultValue": "unknown",
"type": "String"
},
"GIB Username": {
"defaultValue": "xxxx@domain.com",
"type": "String"
},
"Save only indicators": {
"defaultValue": true,
"type": "Bool"
}
},
"triggers": {
"Recurrence": {
"recurrence": {
"frequency": "Hour",
"interval": 1
},
"type": "Recurrence"
}
}
},
"parameters": {
"$connections": {
"value": {
"azureloganalyticsdatacollector": {
"connectionId": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', 'Group-IB-WS', '/providers/Microsoft.Web/connections/')]",
"connectionName": "[variables('AzureLogAnalyticsDataCollectorConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azureloganalyticsdatacollector')]"
},
"azuremonitorlogs": {
"connectionId": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', 'Group-IB-WS', '/providers/Microsoft.Web/connections/')]",
"connectionName": "[variables('azuremonitorlogsConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuremonitorlogs')]"
}
}
}
}
}
}
]
}


@ -0,0 +1,679 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"PlaybookName": {
"defaultValue": "GIBTIA_Attacks_phishing",
"type": "string"
},
"UserName": {
"defaultValue": "<username>@<domain>",
"type": "string"
}
},
"variables": {
"AzureLogAnalyticsDataCollectorConnectionName": "[concat('azureloganalyticsdatacollector-', parameters('PlaybookName'))]",
"azuremonitorlogsConnectionName": "[concat('azuremon-', parameters('PlaybookName'))]"
},
"resources": [
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('azuremonitorlogsConnectionName')]",
"location": "[resourceGroup().location]",
"properties": {
"displayName": "[parameters('UserName')]",
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuremonitorlogs')]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('AzureLogAnalyticsDataCollectorConnectionName')]",
"location": "[resourceGroup().location]",
"properties": {
"displayName": "[parameters('UserName')]",
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/microsoftgraphsecurity')]"
}
}
},
{
"type": "Microsoft.Logic/workflows",
"apiVersion": "2017-07-01",
"name": "[parameters('PlaybookName')]",
"location": "[resourceGroup().location]",
"properties": {
"state": "Disabled",
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"actions": {
"Condition": {
"actions": {
"Set_variable": {
"inputs": {
"name": "seqUpdate",
"value": "@body('Get_last_received_item_ID_from_Azure_Log_DB')?['value'][0]['seqUpdate_d']"
},
"runAfter": {},
"type": "SetVariable"
}
},
"else": {
"actions": {
"HTTP": {
"inputs": {
"headers": {
"accept": "*/*",
"x-auth-key": "@variables('GIB API Key')",
"x-auth-login": "@parameters('GIB Username')"
},
"method": "GET",
"queries": {
"collection": "@parameters('Collection Name')",
"date": "@{addDays(utcNow(), -1, 'yyyy-MM-dd')}"
},
"uri": "@{parameters('GIB API URL ')}sequence_list"
},
"runAfter": {},
"type": "Http"
},
"Parse_JSON": {
"inputs": {
"content": "@body('HTTP')",
"schema": {
"properties": {
"list": {
"properties": {
"attacks/phishing_kit": {
"type": "integer"
}
},
"type": "object"
}
},
"type": "object"
}
},
"runAfter": {
"HTTP": [
"Succeeded"
]
},
"type": "ParseJson"
},
"Update_Last_Item_id_in_Tech_table_": {
"inputs": {
"body": "{\n\"collection_name\" : \"@{parameters('Collection Name')}\",\n\"seqUpdate\" : @{body('Parse_JSON')?['list']?['attacks/phishing_kit']}\n}",
"headers": {
"Log-Type": "GIBTechTable"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']"
}
},
"method": "post",
"path": "/api/logs"
},
"runAfter": {
"Parse_JSON": [
"Succeeded"
]
},
"type": "ApiConnection"
},
"set_seqUpdate_": {
"inputs": {
"name": "seqUpdate",
"value": "@body('Parse_JSON')?['list']?['attacks/phishing_kit']"
},
"runAfter": {
"Update_Last_Item_id_in_Tech_table_": [
"Succeeded"
]
},
"type": "SetVariable"
}
}
},
"expression": {
"and": [
{
"not": {
"equals": [
"@length(body('Get_last_received_item_ID_from_Azure_Log_DB')?['value'])",
0
]
}
}
]
},
"runAfter": {
"Get_last_received_item_ID_from_Azure_Log_DB": [
"Succeeded"
]
},
"type": "If"
},
"Get_last_received_item_ID_from_Azure_Log_DB": {
"inputs": {
"body": "GIBTechTable_CL | where collection_name_s == \"@{parameters('Collection Name')}\" | sort by TimeGenerated | limit 1",
"host": {
"connection": {
"name": "@parameters('$connections')['azuremonitorlogs']['connectionId']"
}
},
"method": "post",
"path": "/queryData",
"queries": {
"resourcegroups": "Group-IB-WS",
"resourcename": "Group-IB",
"resourcetype": "Log Analytics Workspace",
"subscriptions": "xx-xxx-xxxx-xxxx-xxx",
"timerange": "Last 7 days"
}
},
"runAfter": {
"Inititlize_Emails_Array_": [
"Succeeded"
]
},
"type": "ApiConnection"
},
"Initialize_API_Key": {
"inputs": {
"variables": [
{
"name": "GIB API Key",
"type": "string",
"value": "XXXXXXXXXXXXXX"
}
]
},
"runAfter": {
"Initialize_seqUpdate": [
"Succeeded"
]
},
"type": "InitializeVariable"
},
"Initialize_seqUpdate": {
"inputs": {
"variables": [
{
"name": "seqUpdate",
"type": "integer"
}
]
},
"runAfter": {},
"type": "InitializeVariable"
},
"Initialize_variable": {
"inputs": {
"variables": [
{
"name": "IsPortionEmpty",
"type": "boolean",
"value": false
}
]
},
"runAfter": {
"Condition": [
"Succeeded"
]
},
"type": "InitializeVariable"
},
"Inititlize_Emails_Array_": {
"inputs": {
"variables": [
{
"name": "emails",
"type": "array",
"value": []
}
]
},
"runAfter": {
"Initialize_API_Key": [
"Succeeded"
]
},
"type": "InitializeVariable"
},
"Until": {
"actions": {
"Get_items_from_response": {
"inputs": {
"content": "@body('Get_next_portion_of_events_from_GIB')",
"schema": {
"properties": {
"count": {
"type": [
"integer",
"null"
]
},
"items": {
"items": {
"properties": {
"dateDetected": {
"type": [
"string",
"null"
]
},
"downloadedFrom": {
"type": "array"
},
"emails": {
"items": {
"type": [
"string",
"null"
]
},
"type": "array"
},
"evaluation": {
"properties": {
"admiraltyCode": {
"type": [
"string",
"null"
]
},
"credibility": {
"type": [
"integer",
"null"
]
},
"reliability": {
"type": [
"integer",
"null"
]
},
"severity": {
"type": [
"string",
"null"
]
},
"tlp": {
"type": [
"string",
"null"
]
},
"ttl": {
"type": [
"integer",
"null"
]
}
},
"type": "object"
},
"hash": {
"type": [
"string",
"null"
]
},
"id": {
"type": [
"string",
"null"
]
},
"isFavourite": {
"type": "boolean"
},
"isHidden": {
"type": "boolean"
},
"oldId": {
"type": [
"string",
"null"
]
},
"path": {
"type": [
"string",
"null"
]
},
"portalLink": {
"type": [
"string",
"null"
]
},
"seqUpdate": {
"type": [
"integer",
"null"
]
},
"targetBrand": {
"items": {
"type": [
"string",
"null"
]
},
"type": "array"
},
"variables": {}
},
"required": [
"dateDetected",
"downloadedFrom",
"emails",
"evaluation",
"hash",
"id",
"isFavourite",
"isHidden",
"oldId",
"path",
"portalLink",
"seqUpdate",
"targetBrand",
"variables"
],
"type": "object"
},
"type": "array"
},
"resultId": {
"type": [
"string",
"null"
]
}
},
"type": "object"
}
},
"runAfter": {
"Get_next_portion_of_events_from_GIB": [
"Succeeded"
]
},
"type": "ParseJson"
},
"Get_next_portion_of_events_from_GIB": {
"inputs": {
"headers": {
"Accept": "*/*",
"x-auth-key": "@variables('GIB API Key')",
"x-auth-login": "@parameters('GIB Username')"
},
"method": "GET",
"queries": {
"limit": "100",
"seqUpdate": "@{variables('seqUpdate')}"
},
"uri": "@{parameters('GIB API URL ')}@{parameters('Collection Name')}/updated"
},
"runAfter": {},
"type": "Http"
},
"IfPortionHasItems": {
"actions": {
"For_each": {
"actions": {
"Empty_Array_List": {
"inputs": {
"name": "emails",
"value": []
},
"runAfter": {
"GIBIndicatorProcessor": [
"Succeeded"
]
},
"type": "SetVariable"
},
"For_each_2": {
"actions": {
"Append_to_array_variable": {
"inputs": {
"name": "emails",
"value": {
"action": "@parameters('GIB Phishing Kit Email Action')",
"activityGroupNames": [],
"confidence": "@items('For_each')?['evaluation']?['credibility']",
"description": "GIB Phishing Kit Email",
"emailSenderAddress": "@items('For_each_2')",
"expirationDateTime": "@addDays(items('For_each')?['dateDetected'], items('For_each')?['evaluation']?['ttl'])",
"killChain": [],
"malwareFamilyNames": [],
"severity": 3,
"tags": [
"attacks-phishing-kit"
],
"targetProduct": "Azure Sentinel",
"threatType": "WatchList",
"tlpLevel": "@items('For_each')?['evaluation']?['tlp']"
}
},
"runAfter": {},
"type": "AppendToArrayVariable"
}
},
"foreach": "@items('For_each')?['emails']",
"runAfter": {},
"type": "Foreach"
},
"GIBIndicatorProcessor": {
"inputs": {
"batchName": "GIBIndicatorsBatch",
"content": "@variables('emails')",
"host": {
"triggerName": "Batch_messages",
"workflow": {
"id": "/subscriptions/xx-xxx-xxxx-xxxx-xxx/resourceGroups/Group-IB-WS/providers/Microsoft.Logic/workflows/GIBIndicatorProcessor"
}
}
},
"runAfter": {
"For_each_2": [
"Succeeded"
]
},
"type": "SendToBatch"
}
},
"foreach": "@body('Get_items_from_response')?['items']",
"runAfter": {
"Save_only_as_Indicators": [
"Succeeded"
]
},
"type": "Foreach"
},
"Save_only_as_Indicators": {
"actions": {},
"else": {
"actions": {
"Send_Data": {
"inputs": {
"body": "@{body('Get_items_from_response')?['items']}",
"headers": {
"Log-Type": "GIBTIAAttacksPhishingKit"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']"
}
},
"method": "post",
"path": "/api/logs"
},
"runAfter": {},
"type": "ApiConnection"
}
}
},
"expression": {
"and": [
{
"equals": [
"@parameters('Save only indicators')",
true
]
}
]
},
"runAfter": {},
"type": "If"
}
},
"else": {
"actions": {
"Set_Empty_portion_value": {
"inputs": {
"name": "IsPortionEmpty",
"value": true
},
"runAfter": {},
"type": "SetVariable"
}
}
},
"expression": {
"and": [
{
"not": {
"equals": [
"@length(body('Get_items_from_response')?['items'])",
0
]
}
}
]
},
"runAfter": {
"Reset_seqUpdate": [
"Succeeded"
]
},
"type": "If"
},
"Reset_seqUpdate": {
"inputs": {
"name": "seqUpdate",
"value": "@body('Get_items_from_response')?['seqUpdate']"
},
"runAfter": {
"Get_items_from_response": [
"Succeeded"
]
},
"type": "SetVariable"
},
"Save_seqUpdate": {
"inputs": {
"body": "{\n\"collection_name\" : \"@{parameters('Collection Name')}\",\n\"seqUpdate\" : @{variables('seqUpdate')}\n}",
"headers": {
"Log-Type": "GIBTechTable"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']"
}
},
"method": "post",
"path": "/api/logs"
},
"runAfter": {
"IfPortionHasItems": [
"Succeeded"
]
},
"type": "ApiConnection"
}
},
"expression": "@equals(variables('IsPortionEmpty'), true)",
"limit": {
"count": 10,
"timeout": "PT1H"
},
"runAfter": {
"Initialize_variable": [
"Succeeded"
]
},
"type": "Until"
}
},
"contentVersion": "1.0.0.0",
"outputs": {},
"parameters": {
"$connections": {
"defaultValue": {},
"type": "Object"
},
"Collection Name": {
"defaultValue": "attacks/phishing_kit",
"type": "String"
},
"GIB API URL ": {
"defaultValue": "https://bt.group-ib.com/api/v2/",
"type": "String"
},
"GIB Phishing Kit Email Action": {
"defaultValue": "unknown",
"type": "String"
},
"GIB Username": {
"defaultValue": "xxxx@domain.com",
"type": "String"
},
"Save only indicators": {
"defaultValue": true,
"type": "Bool"
}
},
"triggers": {
"Recurrence": {
"recurrence": {
"frequency": "Hour",
"interval": 1
},
"type": "Recurrence"
}
}
},
"parameters": {
"$connections": {
"value": {
"azureloganalyticsdatacollector": {
"connectionId": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', 'Group-IB-WS', '/providers/Microsoft.Web/connections/')]",
"connectionName": "[variables('AzureLogAnalyticsDataCollectorConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azureloganalyticsdatacollector')]"
},
"azuremonitorlogs": {
"connectionId": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', 'Group-IB-WS', '/providers/Microsoft.Web/connections/')]",
"connectionName": "[variables('azuremonitorlogsConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuremonitorlogs')]"
}
}
}
}
}
}
]
}
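Review bot: Both `connectionId` values under `parameters.$connections.value` are built as `concat(... '/resourceGroups/', 'Group-IB-WS', '/providers/Microsoft.Web/connections/')` with no connection name appended and the resource group hard-coded, so the deployed workflow points at a connection path that does not exist; each should end with the matching variable, e.g. `"connectionId": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/connections/', variables('AzureLogAnalyticsDataCollectorConnectionName'))]"` (and `variables('azuremonitorlogsConnectionName')` for `azuremonitorlogs`). The `Microsoft.Web/connections` resource named by `AzureLogAnalyticsDataCollectorConnectionName` is created against `managedApis/microsoftgraphsecurity` while `$connections` declares its `id` as `managedApis/azureloganalyticsdatacollector`, and the workflow resource has no `dependsOn` for either connection, so ARM may deploy it before they exist. The GIB API key is initialised as a plain string variable in `Initialize_API_Key` and sent in `x-auth-key` by `HTTP` and `Get_next_portion_of_events_from_GIB`, which leaves the real key readable in the workflow definition and in every run's action inputs; take it from a `securestring` template parameter wired to a workflow parameter of `"type": "SecureString"` and add `"runtimeConfiguration": {"secureData": {"properties": ["inputs"]}}` to the two HTTP actions. This playbook is named `GIBTIA_Attacks_phishing` but its `Collection Name` default, `Parse_JSON` schema key and `Log-Type` are all `attacks/phishing_kit`, so it appears to duplicate the phishing_kit playbook rather than cover the phishing collection. The same connectionId, api-id and API-key defects are present in the `GIBTIA_Attacks_phishing_kit` section that follows.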


@ -0,0 +1,675 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"PlaybookName": {
"defaultValue": "GIBTIA_Attacks_phishing_kit",
"type": "string"
},
"UserName": {
"defaultValue": "<username>@<domain>",
"type": "string"
}
},
"variables": {
"AzureLogAnalyticsDataCollectorConnectionName": "[concat('azureloganalyticsdatacollector-', parameters('PlaybookName'))]",
"azuremonitorlogsConnectionName": "[concat('azuremon-', parameters('PlaybookName'))]"
},
"resources": [
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('azuremonitorlogsConnectionName')]",
"location": "[resourceGroup().location]",
"properties": {
"displayName": "[parameters('UserName')]",
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuremonitorlogs')]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('AzureLogAnalyticsDataCollectorConnectionName')]",
"location": "[resourceGroup().location]",
"properties": {
"displayName": "[parameters('UserName')]",
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/microsoftgraphsecurity')]"
}
}
},
{
"type": "Microsoft.Logic/workflows",
"apiVersion": "2017-07-01",
"name": "[parameters('PlaybookName')]",
"location": "[resourceGroup().location]",
"properties": {
"state": "Disabled",
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"actions": {
"Condition": {
"actions": {
"Set_variable": {
"inputs": {
"name": "seqUpdate",
"value": "@body('Get_last_received_item_ID_from_Azure_Log_DB')?['value'][0]['seqUpdate_d']"
},
"runAfter": {},
"type": "SetVariable"
}
},
"else": {
"actions": {
"HTTP": {
"inputs": {
"headers": {
"accept": "*/*",
"x-auth-key": "@variables('GIB API Key')",
"x-auth-login": "@parameters('GIB Username')"
},
"method": "GET",
"queries": {
"collection": "@parameters('Collection Name')",
"date": "@{addDays(utcNow(), -3, 'yyyy-MM-dd')}"
},
"uri": "@{parameters('GIB API URL ')}sequence_list"
},
"runAfter": {},
"type": "Http"
},
"Parse_JSON": {
"inputs": {
"content": "@body('HTTP')",
"schema": {
"properties": {
"list": {
"properties": {
"attacks/phishing_kit": {
"type": "integer"
}
},
"type": "object"
}
},
"type": "object"
}
},
"runAfter": {
"HTTP": [
"Succeeded"
]
},
"type": "ParseJson"
},
"Update_Last_Item_id_in_Tech_table_": {
"inputs": {
"body": "{\n\"collection_name\" : \"@{parameters('Collection Name')}\",\n\"seqUpdate\" : @{body('Parse_JSON')?['list']?['attacks/phishing_kit']}\n}",
"headers": {
"Log-Type": "GIBTechTable"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']"
}
},
"method": "post",
"path": "/api/logs"
},
"runAfter": {
"Parse_JSON": [
"Succeeded"
]
},
"type": "ApiConnection"
},
"set_seqUpdate_": {
"inputs": {
"name": "seqUpdate",
"value": "@body('Parse_JSON')?['list']?['attacks/phishing_kit']"
},
"runAfter": {
"Update_Last_Item_id_in_Tech_table_": [
"Succeeded"
]
},
"type": "SetVariable"
}
}
},
"expression": {
"and": [
{
"not": {
"equals": [
"@length(body('Get_last_received_item_ID_from_Azure_Log_DB')?['value'])",
0
]
}
}
]
},
"runAfter": {
"Get_last_received_item_ID_from_Azure_Log_DB": [
"Succeeded"
]
},
"type": "If"
},
"Get_last_received_item_ID_from_Azure_Log_DB": {
"inputs": {
"body": "GIBTechTable_CL | where collection_name_s == \"@{parameters('Collection Name')}\" | sort by TimeGenerated | limit 1",
"host": {
"connection": {
"name": "@parameters('$connections')['azuremonitorlogs']['connectionId']"
}
},
"method": "post",
"path": "/queryData",
"queries": {
"resourcegroups": "Group-IB-WS",
"resourcename": "Group-IB",
"resourcetype": "Log Analytics Workspace",
"subscriptions": "6a021fde-5198-441e-9190-9d634e1f4a84",
"timerange": "Last 7 days"
}
},
"runAfter": {
"Inititlize_Emails_Array_": [
"Succeeded"
]
},
"type": "ApiConnection"
},
"Initialize_API_Key": {
"inputs": {
"variables": [
{
"name": "GIB API Key",
"type": "string",
"value": "XXXXXXX"
}
]
},
"runAfter": {
"Initialize_seqUpdate": [
"Succeeded"
]
},
"type": "InitializeVariable"
},
"Initialize_seqUpdate": {
"inputs": {
"variables": [
{
"name": "seqUpdate",
"type": "integer"
}
]
},
"runAfter": {},
"type": "InitializeVariable"
},
"Initialize_variable": {
"inputs": {
"variables": [
{
"name": "IsPortionEmpty",
"type": "boolean",
"value": false
}
]
},
"runAfter": {
"Condition": [
"Succeeded"
]
},
"type": "InitializeVariable"
},
"Inititlize_Emails_Array_": {
"inputs": {
"variables": [
{
"name": "emails",
"type": "array",
"value": []
}
]
},
"runAfter": {
"Initialize_API_Key": [
"Succeeded"
]
},
"type": "InitializeVariable"
},
"Until": {
"actions": {
"Get_items_from_response": {
"inputs": {
"content": "@body('Get_next_portion_of_events_from_GIB')",
"schema": {
"properties": {
"count": {
"type": [
"integer",
"null"
]
},
"items": {
"items": {
"properties": {
"dateDetected": {
"type": [
"string",
"null"
]
},
"downloadedFrom": {
"type": "array"
},
"emails": {
"items": {
"type": [
"string",
"null"
]
},
"type": "array"
},
"evaluation": {
"properties": {
"admiraltyCode": {
"type": [
"string",
"null"
]
},
"credibility": {
"type": [
"integer",
"null"
]
},
"reliability": {
"type": [
"integer",
"null"
]
},
"severity": {
"type": [
"string",
"null"
]
},
"tlp": {
"type": [
"string",
"null"
]
},
"ttl": {
"type": [
"integer",
"null"
]
}
},
"type": "object"
},
"hash": {
"type": [
"string",
"null"
]
},
"id": {
"type": [
"string",
"null"
]
},
"isFavourite": {
"type": "boolean"
},
"isHidden": {
"type": "boolean"
},
"oldId": {
"type": [
"string",
"null"
]
},
"path": {
"type": [
"string",
"null"
]
},
"portalLink": {
"type": [
"string",
"null"
]
},
"seqUpdate": {
"type": [
"integer",
"null"
]
},
"targetBrand": {
"items": {
"type": [
"string",
"null"
]
},
"type": "array"
},
"variables": {}
},
"required": [
"dateDetected",
"downloadedFrom",
"emails",
"evaluation",
"hash",
"id",
"isFavourite",
"isHidden",
"oldId",
"path",
"portalLink",
"seqUpdate",
"targetBrand",
"variables"
],
"type": "object"
},
"type": "array"
},
"resultId": {
"type": [
"string",
"null"
]
}
},
"type": "object"
}
},
"runAfter": {
"Get_next_portion_of_events_from_GIB": [
"Succeeded"
]
},
"type": "ParseJson"
},
"Get_next_portion_of_events_from_GIB": {
"inputs": {
"headers": {
"Accept": "*/*",
"x-auth-key": "@variables('GIB API Key')",
"x-auth-login": "@parameters('GIB Username')"
},
"method": "GET",
"queries": {
"limit": "100",
"seqUpdate": "@{variables('seqUpdate')}"
},
"uri": "@{parameters('GIB API URL ')}@{parameters('Collection Name')}/updated"
},
"runAfter": {},
"type": "Http"
},
"IfPortionHasItems": {
"actions": {
"Empty_Array_List": {
"inputs": {
"name": "emails",
"value": []
},
"runAfter": {
"GIBIndicatorProcessor": [
"Succeeded"
]
},
"type": "SetVariable"
},
"For_each": {
"actions": {
"For_each_2": {
"actions": {
"Append_to_array_variable": {
"inputs": {
"name": "emails",
"value": {
"action": "unknown",
"activityGroupNames": [],
"confidence": "@items('For_each')?['evaluation']?['credibility']",
"description": "GIB Phishing Kit Email",
"emailSenderAddress": "@items('For_each_2')",
"expirationDateTime": "@addDays(items('For_each')?['dateDetected'], items('For_each')?['evaluation']?['ttl'])",
"killChain": [],
"malwareFamilyNames": [],
"severity": 3,
"tags": [
"attacks-phishing-kit"
],
"targetProduct": "Azure Sentinel",
"threatType": "WatchList",
"tlpLevel": "@items('For_each')?['evaluation']?['tlp']"
}
},
"runAfter": {},
"type": "AppendToArrayVariable"
}
},
"foreach": "@items('For_each')?['emails']",
"runAfter": {},
"type": "Foreach"
}
},
"foreach": "@body('Get_items_from_response')?['items']",
"runAfter": {
"Save_only_as_Indicators": [
"Succeeded"
]
},
"type": "Foreach"
},
"GIBIndicatorProcessor": {
"inputs": {
"batchName": "GIBIndicatorsBatch",
"content": "@variables('emails')",
"host": {
"triggerName": "Batch_messages",
"workflow": {
"id": "/subscriptions/6a021fde-5198-441e-9190-9d634e1f4a84/resourceGroups/Group-IB-WS/providers/Microsoft.Logic/workflows/GIBIndicatorProcessor"
}
}
},
"runAfter": {
"For_each": [
"Succeeded"
]
},
"type": "SendToBatch"
},
"Save_only_as_Indicators": {
"actions": {},
"else": {
"actions": {
"Send_Data": {
"inputs": {
"body": "@{body('Get_items_from_response')?['items']}",
"headers": {
"Log-Type": "GIBTIAAttacksPhishingKit"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']"
}
},
"method": "post",
"path": "/api/logs"
},
"runAfter": {},
"type": "ApiConnection"
}
}
},
"expression": {
"and": [
{
"equals": [
"@parameters('Save only indicators')",
true
]
}
]
},
"runAfter": {},
"type": "If"
}
},
"else": {
"actions": {
"Set_Empty_portion_value": {
"inputs": {
"name": "IsPortionEmpty",
"value": true
},
"runAfter": {},
"type": "SetVariable"
}
}
},
"expression": {
"and": [
{
"not": {
"equals": [
"@length(body('Get_items_from_response')?['items'])",
0
]
}
}
]
},
"runAfter": {
"Reset_seqUpdate": [
"Succeeded"
]
},
"type": "If"
},
"Reset_seqUpdate": {
"inputs": {
"name": "seqUpdate",
"value": "@body('Get_items_from_response')?['seqUpdate']"
},
"runAfter": {
"Get_items_from_response": [
"Succeeded"
]
},
"type": "SetVariable"
},
"Save_seqUpdate": {
"inputs": {
"body": "{\n\"collection_name\" : \"@{parameters('Collection Name')}\",\n\"seqUpdate\" : @{variables('seqUpdate')}\n}",
"headers": {
"Log-Type": "GIBTechTable"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']"
}
},
"method": "post",
"path": "/api/logs"
},
"runAfter": {
"IfPortionHasItems": [
"Succeeded"
]
},
"type": "ApiConnection"
}
},
"expression": "@equals(variables('IsPortionEmpty'), true)",
"limit": {
"count": 10,
"timeout": "PT1H"
},
"runAfter": {
"Initialize_variable": [
"Succeeded"
]
},
"type": "Until"
}
},
"contentVersion": "1.0.0.0",
"outputs": {},
"parameters": {
"$connections": {
"defaultValue": {},
"type": "Object"
},
"Collection Name": {
"defaultValue": "attacks/phishing_kit",
"type": "String"
},
"GIB API URL ": {
"defaultValue": "https://bt.group-ib.com/api/v2/",
"type": "String"
},
"GIB Username": {
"defaultValue": "XXXX@domain.com",
"type": "String"
},
"Save only indicators": {
"defaultValue": true,
"type": "Bool"
}
},
"triggers": {
"Recurrence": {
"recurrence": {
"frequency": "Hour",
"interval": 1
},
"type": "Recurrence"
}
}
},
"parameters": {
"$connections": {
"value": {
"azureloganalyticsdatacollector": {
"connectionId": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', 'Group-IB-WS', '/providers/Microsoft.Web/connections/')]",
"connectionName": "[variables('AzureLogAnalyticsDataCollectorConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azureloganalyticsdatacollector')]"
},
"azuremonitorlogs": {
"connectionId": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', 'Group-IB-WS', '/providers/Microsoft.Web/connections/')]",
"connectionName": "[variables('azuremonitorlogsConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuremonitorlogs')]"
}
}
}
}
}
}
]
}
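Review bot: `Get_last_received_item_ID_from_Azure_Log_DB` and the `GIBIndicatorProcessor` workflow `id` embed a literal subscription GUID (`6a021fde-5198-441e-9190-9d634e1f4a84`) together with the resource group `Group-IB-WS` and workspace `Group-IB`, which pins this template to the author's environment and publishes a real subscription identifier, where the sibling playbooks at least use the `xx-xxx-xxxx-xxxx-xxx` placeholder. Template expressions already cover this — `"subscriptions": "[subscription().subscriptionId]"`, `"resourcegroups": "[resourceGroup().name]"` — and the workspace name and processor workflow name belong in `parameters` alongside `PlaybookName`. `Append_to_array_variable` hard-codes `"action": "unknown"` while the preceding playbook reads it from `parameters('GIB Phishing Kit Email Action')`; adding the same parameter here keeps the two definitions consistent. `For_each` and `For_each_2` append to the shared `emails` variable from iterations that run in parallel by default; if ordering or completeness of the batch matters, set `"runtimeConfiguration": {"concurrency": {"repetitions": 1}}` on the outer loop.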


@ -0,0 +1,912 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"PlaybookName": {
"defaultValue": "GIBTIA_BP_phishing",
"type": "string"
},
"UserName": {
"defaultValue": "<username>@<domain>",
"type": "string"
}
},
"variables": {
"AzureLogAnalyticsDataCollectorConnectionName": "[concat('azureloganalyticsdatacollector-', parameters('PlaybookName'))]",
"azuremonitorlogsConnectionName": "[concat('azuremon-', parameters('PlaybookName'))]"
},
"resources": [
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('azuremonitorlogsConnectionName')]",
"location": "[resourceGroup().location]",
"properties": {
"displayName": "[parameters('UserName')]",
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuremonitorlogs')]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('AzureLogAnalyticsDataCollectorConnectionName')]",
"location": "[resourceGroup().location]",
"properties": {
"displayName": "[parameters('UserName')]",
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/microsoftgraphsecurity')]"
}
}
},
{
"type": "Microsoft.Logic/workflows",
"apiVersion": "2017-07-01",
"name": "[parameters('PlaybookName')]",
"location": "[resourceGroup().location]",
"properties": {
"state": "Disabled",
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"actions": {
"Condition": {
"actions": {
"Set_variable": {
"inputs": {
"name": "seqUpdate",
"value": "@body('Get_last_received_item_ID_from_Azure_Log_DB')?['value'][0]['seqUpdate_d']"
},
"runAfter": {},
"type": "SetVariable"
}
},
"else": {
"actions": {
"HTTP": {
"inputs": {
"headers": {
"accept": "*/*",
"x-auth-key": "@variables('GIB API Key')",
"x-auth-login": "@parameters('GIB Username')"
},
"method": "GET",
"queries": {
"collection": "@parameters('Collection Name')",
"date": "@{addDays(utcNow(), -1, 'yyyy-MM-dd')}"
},
"uri": "@{parameters('GIB API URL ')}sequence_list"
},
"runAfter": {},
"type": "Http"
},
"Parse_JSON": {
"inputs": {
"content": "@body('HTTP')",
"schema": {
"properties": {
"list": {
"properties": {
"bp/phishing": {
"type": "integer"
}
},
"type": "object"
}
},
"type": "object"
}
},
"runAfter": {
"HTTP": [
"Succeeded"
]
},
"type": "ParseJson"
},
"Update_Last_Item_id_in_Tech_table_": {
"inputs": {
"body": "{\n\"collection_name\" : \"@{parameters('Collection Name')}\",\n\"seqUpdate\" : @{body('Parse_JSON')?['list']?['bp/phishing']}\n}",
"headers": {
"Log-Type": "GIBTechTable"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']"
}
},
"method": "post",
"path": "/api/logs"
},
"runAfter": {
"Parse_JSON": [
"Succeeded"
]
},
"type": "ApiConnection"
},
"set_seqUpdate_": {
"inputs": {
"name": "seqUpdate",
"value": "@body('Parse_JSON')?['list']?['bp/phishing']"
},
"runAfter": {
"Update_Last_Item_id_in_Tech_table_": [
"Succeeded"
]
},
"type": "SetVariable"
}
}
},
"expression": {
"and": [
{
"not": {
"equals": [
"@length(body('Get_last_received_item_ID_from_Azure_Log_DB')?['value'])",
0
]
}
}
]
},
"runAfter": {
"Get_last_received_item_ID_from_Azure_Log_DB": [
"Succeeded"
]
},
"type": "If"
},
"Get_last_received_item_ID_from_Azure_Log_DB": {
"inputs": {
"body": "GIBTechTable_CL | where collection_name_s == \"@{parameters('Collection Name')}\" | sort by TimeGenerated | limit 1",
"host": {
"connection": {
"name": "@parameters('$connections')['azuremonitorlogs']['connectionId']"
}
},
"method": "post",
"path": "/queryData",
"queries": {
"resourcegroups": "Group-IB-WS",
"resourcename": "Group-IB",
"resourcetype": "Log Analytics Workspace",
"subscriptions": "xx-xxx-xxxx-xxxx-xxx",
"timerange": "Last 7 days"
}
},
"runAfter": {
"Init_TechTable": [
"Succeeded"
]
},
"type": "ApiConnection"
},
"Init_TechTable": {
"inputs": {
"body": "{\n\"collection_name\": \"test/collection\",\n\"seqUpdate\": 0 \n} ",
"headers": {
"Log-Type": "GIBTechTable"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']"
}
},
"method": "post",
"path": "/api/logs"
},
"runAfter": {
"Initialize_seqUpdate": [
"Succeeded"
]
},
"type": "ApiConnection"
},
"Initialize_API_Key": {
"inputs": {
"variables": [
{
"name": "GIB API Key",
"type": "string",
"value": "XXXXXXXXXXXX"
}
]
},
"runAfter": {},
"type": "InitializeVariable"
},
"Initialize_seqUpdate": {
"inputs": {
"variables": [
{
"name": "seqUpdate",
"type": "integer"
}
]
},
"runAfter": {
"Initialize_API_Key": [
"Succeeded"
]
},
"type": "InitializeVariable"
},
"Initialize_variable": {
"inputs": {
"variables": [
{
"name": "IsPortionEmpty",
"type": "boolean",
"value": false
}
]
},
"runAfter": {
"Condition": [
"Succeeded"
]
},
"type": "InitializeVariable"
},
"Until": {
"actions": {
"Get_items_from_response": {
"inputs": {
"content": "@body('Get_next_portion_of_events_from_GIB')",
"schema": {
"properties": {
"count": {
"type": [
"integer",
"null"
]
},
"items": {
"items": {
"properties": {
"dateBlocked": {
"type": [
"string",
"null"
]
},
"dateDetected": {
"type": [
"string",
"null"
]
},
"evaluation": {
"properties": {
"admiraltyCode": {
"type": [
"string",
"null"
]
},
"credibility": {
"type": [
"integer",
"null"
]
},
"reliability": {
"type": [
"integer",
"null"
]
},
"severity": {
"type": [
"string",
"null"
]
},
"tlp": {
"type": [
"string",
"null"
]
},
"ttl": {
"type": [
"integer",
"null"
]
}
},
"type": "object"
},
"history": {
"items": {
"properties": {
"date": {
"type": [
"string",
"null"
]
},
"field": {
"type": [
"string",
"null"
]
},
"reason": {},
"reporter": {
"type": [
"string",
"null"
]
},
"value": {
"type": [
"string",
"null"
]
}
},
"required": [
"date",
"field",
"reason",
"reporter",
"value"
],
"type": "object"
},
"type": "array"
},
"id": {
"type": [
"string",
"null"
]
},
"ipv4": {
"properties": {
"asn": {
"type": [
"string",
"null"
]
},
"city": {},
"countryCode": {
"type": [
"string",
"null"
]
},
"countryName": {
"type": [
"string",
"null"
]
},
"ip": {
"type": [
"string",
"null"
]
},
"provider": {},
"region": {
"type": [
"string",
"null"
]
}
},
"type": "object"
},
"isFavourite": {
"type": "boolean"
},
"isHidden": {
"type": "boolean"
},
"oldId": {
"type": [
"string",
"null"
]
},
"phishingDomain": {
"properties": {
"dateRegistered": {
"type": [
"string",
"null"
]
},
"domain": {
"type": [
"string",
"null"
]
},
"local": {
"type": [
"string",
"null"
]
},
"registrar": {
"type": [
"string",
"null"
]
},
"title": {
"type": [
"string",
"null"
]
}
},
"type": "object"
},
"portalLink": {
"type": [
"string",
"null"
]
},
"seqUpdate": {
"type": [
"integer",
"null"
]
},
"status": {
"type": [
"string",
"null"
]
},
"targetBrand": {
"type": [
"string",
"null"
]
},
"targetCategory": {
"type": [
"string",
"null"
]
},
"targetCountryName": {},
"targetDomain": {
"type": [
"string",
"null"
]
},
"type": {
"type": [
"string",
"null"
]
}
},
"required": [
"dateBlocked",
"dateDetected",
"evaluation",
"history",
"id",
"ipv4",
"isFavourite",
"isHidden",
"oldId",
"phishingDomain",
"portalLink",
"seqUpdate",
"status",
"targetBrand",
"targetCategory",
"targetCountryName",
"targetDomain",
"type"
],
"type": "object"
},
"type": "array"
},
"seqUpdate": {
"type": [
"integer",
"null"
]
}
},
"type": "object"
}
},
"runAfter": {
"Get_next_portion_of_events_from_GIB": [
"Succeeded"
]
},
"type": "ParseJson"
},
"Get_next_portion_of_events_from_GIB": {
"inputs": {
"headers": {
"Accept": "*/*",
"x-auth-key": "@variables('GIB API Key')",
"x-auth-login": "@parameters('GIB Username')"
},
"method": "GET",
"queries": {
"limit": "100",
"seqUpdate": "@{variables('seqUpdate')}"
},
"uri": "@{parameters('GIB API URL ')}@{parameters('Collection Name')}/updated"
},
"runAfter": {},
"type": "Http"
},
"IfPortionHasItems": {
"actions": {
"Filter_Out_Empty_Domains": {
"inputs": {
"from": "@body('Select_Domain')",
"where": "@not(equals(item()?['domainName'], null))"
},
"runAfter": {
"Select_Domain": [
"Succeeded"
]
},
"type": "Query"
},
"Filter_Out_Empty_IPs": {
"inputs": {
"from": "@body('Select_IP')",
"where": "@not(equals(item()?['networkIPv4'], null))"
},
"runAfter": {
"Select_IP": [
"Succeeded"
]
},
"type": "Query"
},
"Filter_Out_Empty_URLs": {
"inputs": {
"from": "@body('Select_URL')",
"where": "@not(equals(item()?['url'], null))"
},
"runAfter": {
"Select_URL": [
"Succeeded"
]
},
"type": "Query"
},
"GIBIndicatorProcessor": {
"inputs": {
"batchName": "GIBIndicatorsBatch",
"content": "@body('Filter_Out_Empty_Domains')",
"host": {
"triggerName": "Batch_messages",
"workflow": {
"id": "/subscriptions/xx-xxx-xxxx-xxxx-xxx/resourceGroups/Group-IB-WS/providers/Microsoft.Logic/workflows/GIBIndicatorProcessor"
}
}
},
"runAfter": {
"Filter_Out_Empty_Domains": [
"Succeeded"
]
},
"type": "SendToBatch"
},
"GIBIndicatorProcessor_2": {
"inputs": {
"batchName": "GIBIndicatorsBatch",
"content": "@body('Filter_Out_Empty_IPs')",
"host": {
"triggerName": "Batch_messages",
"workflow": {
"id": "/subscriptions/xx-xxx-xxxx-xxxx-xxx/resourceGroups/Group-IB-WS/providers/Microsoft.Logic/workflows/GIBIndicatorProcessor"
}
}
},
"runAfter": {
"Filter_Out_Empty_IPs": [
"Succeeded"
]
},
"type": "SendToBatch"
},
"GIBIndicatorProcessor_3": {
"inputs": {
"batchName": "GIBIndicatorsBatch",
"content": "@body('Filter_Out_Empty_URLs')",
"host": {
"triggerName": "Batch_messages",
"workflow": {
"id": "/subscriptions/xx-xxx-xxxx-xxxx-xxx/resourceGroups/Group-IB-WS/providers/Microsoft.Logic/workflows/GIBIndicatorProcessor"
}
}
},
"runAfter": {
"Filter_Out_Empty_URLs": [
"Succeeded"
]
},
"type": "SendToBatch"
},
"Save_only_as_Indicators": {
"actions": {},
"else": {
"actions": {
"Send_Data": {
"inputs": {
"body": "@{body('Get_items_from_response')?['items']}",
"headers": {
"Log-Type": "GIBTIABPPhishing"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']"
}
},
"method": "post",
"path": "/api/logs"
},
"runAfter": {},
"type": "ApiConnection"
}
}
},
"expression": {
"and": [
{
"equals": [
"@parameters('Save only indicators')",
true
]
}
]
},
"runAfter": {},
"type": "If"
},
"Select_Domain": {
"inputs": {
"from": "@body('Get_items_from_response')?['items']",
"select": {
"action": "@{parameters('GIB Phishing Domain Action')}",
"activityGroupNames": [],
"confidence": "@int(item()?['evaluation']?['credibility'])",
"description": "GIB Phishing Domain",
"domainName": "@{item()?['phishingDomain']?['domain']}",
"expirationDateTime": "@{addDays(item()?['dateDetected'], item()?['evaluation']?['ttl'])}",
"killChain": [],
"malwareFamilyNames": [],
"severity": 3,
"tags": [
"bp-phishing"
],
"targetProduct": "Azure Sentinel",
"threatType": "Phishing",
"tlpLevel": "@{item()?['evaluation']?['tlp']}"
}
},
"runAfter": {
"GIBIndicatorProcessor_3": [
"Succeeded"
]
},
"type": "Select"
},
"Select_IP": {
"inputs": {
"from": "@body('Get_items_from_response')?['items']",
"select": {
"action": "@{parameters('GIB Phishing IP Action')}",
"activityGroupNames": [],
"confidence": "@int(item()?['evaluation']?['credibility'])",
"description": "GIB Phishing IP",
"expirationDateTime": "@{addDays(item()?['dateDetected'], item()?['evaluation']?['ttl'])}",
"killChain": [],
"malwareFamilyNames": [],
"networkIPv4": "@{item()?['ipv4']?['ip']}",
"severity": 3,
"tags": [
"bp-phishing"
],
"targetProduct": "Azure Sentinel",
"threatType": "Phishing",
"tlpLevel": "@{item()?['evaluation']?['tlp']}"
}
},
"runAfter": {
"Save_only_as_Indicators": [
"Succeeded"
]
},
"type": "Select"
},
"Select_URL": {
"inputs": {
"from": "@body('Get_items_from_response')?['items']",
"select": {
"action": "@{parameters('GIB Phishing URL Action')}",
"activityGroupNames": [],
"confidence": "@int(item()?['evaluation']?['credibility'])",
"description": "GIB Phishing URL",
"expirationDateTime": "@{addDays(item()?['dateDetected'], item()?['evaluation']?['ttl'])}",
"killChain": [],
"malwareFamilyNames": [],
"severity": 3,
"tags": [
"attacks-phishing"
],
"targetProduct": "Azure Sentinel",
"threatType": "Phishing",
"tlpLevel": "@{item()?['evaluation']?['tlp']}",
"url": "@{item()?['url']}"
}
},
"runAfter": {
"GIBIndicatorProcessor_2": [
"Succeeded"
]
},
"type": "Select"
}
},
"else": {
"actions": {
"Set_Empty_portion_value": {
"inputs": {
"name": "IsPortionEmpty",
"value": true
},
"runAfter": {},
"type": "SetVariable"
}
}
},
"expression": {
"and": [
{
"not": {
"equals": [
"@length(body('Get_items_from_response')?['items'])",
0
]
}
}
]
},
"runAfter": {
"Reset_seqUpdate": [
"Succeeded"
]
},
"type": "If"
},
"Reset_seqUpdate": {
"inputs": {
"name": "seqUpdate",
"value": "@body('Get_items_from_response')?['seqUpdate']"
},
"runAfter": {
"Get_items_from_response": [
"Succeeded"
]
},
"type": "SetVariable"
},
"Save_seqUpdate": {
"inputs": {
"body": "{\n\"collection_name\" : \"@{parameters('Collection Name')}\",\n\"seqUpdate\" : @{variables('seqUpdate')}\n}",
"headers": {
"Log-Type": "GIBTechTable"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']"
}
},
"method": "post",
"path": "/api/logs"
},
"runAfter": {
"IfPortionHasItems": [
"Succeeded"
]
},
"type": "ApiConnection"
}
},
"expression": "@equals(variables('IsPortionEmpty'), true)",
"limit": {
"count": 100,
"timeout": "PT1H"
},
"runAfter": {
"Initialize_variable": [
"Succeeded"
]
},
"type": "Until"
}
},
"contentVersion": "1.0.0.0",
"outputs": {},
"parameters": {
"$connections": {
"defaultValue": {},
"type": "Object"
},
"Collection Name": {
"defaultValue": "bp/phishing",
"type": "String"
},
"GIB API URL ": {
"defaultValue": "https://bt.group-ib.com/api/v2/",
"type": "String"
},
"GIB Phishing Domain Action": {
"defaultValue": "unknown",
"type": "String"
},
"GIB Phishing IP Action": {
"defaultValue": "unknown",
"type": "String"
},
"GIB Phishing URL Action": {
"defaultValue": "unknown",
"type": "String"
},
"GIB Username": {
"defaultValue": "xxxx@domain.com",
"type": "String"
},
"Save only indicators": {
"defaultValue": true,
"type": "Bool"
}
},
"triggers": {
"Recurrence": {
"recurrence": {
"frequency": "Hour",
"interval": 1
},
"type": "Recurrence"
}
}
},
"parameters": {
"$connections": {
"value": {
"azureloganalyticsdatacollector": {
"connectionId": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', 'Group-IB-WS', '/providers/Microsoft.Web/connections/')]",
"connectionName": "[variables('AzureLogAnalyticsDataCollectorConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azureloganalyticsdatacollector')]"
},
"azuremonitorlogs": {
"connectionId": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', 'Group-IB-WS', '/providers/Microsoft.Web/connections/')]",
"connectionName": "[variables('azuremonitorlogsConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuremonitorlogs')]"
}
}
}
}
}
}
]
}
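Review bot: The GIB API key is held as a plain literal in `Initialize_API_Key` (the `"value": "XXXXXXXXXXXX"` placeholder) and then sent as the `x-auth-key` header by `HTTP` and `Get_next_portion_of_events_from_GIB`, so once a real key is filled in it sits in clear text in the workflow definition and is copied into the run-history inputs of every HTTP action. Move it to a `securestring` template parameter passed through a workflow parameter `"GIB API Key": { "type": "SecureString" }` (still read as `@parameters('GIB API Key')`), and add `"runtimeConfiguration": { "secureData": { "properties": ["inputs"] } }` to both HTTP actions so the header is masked in run history. Separately, the connection resource named by `AzureLogAnalyticsDataCollectorConnectionName` is created against `'/managedApis/microsoftgraphsecurity'` while the workflow's `$connections` entry for that same connection expects `'/managedApis/azureloganalyticsdatacollector'`, and both `connectionId` values stop at `/connections/` with no connection name; `"connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureLogAnalyticsDataCollectorConnectionName'))]"` supplies the name and removes the hard-coded `'Group-IB-WS'` resource group. The `Microsoft.Logic/workflows` resource also declares no `dependsOn` on the two connection resources, so ARM may deploy it before they exist, and the `xx-xxx-xxxx-xxxx-xxx` subscription placeholder in the `Batch_messages` workflow ids and the `subscriptions` query would be better expressed as `[subscription().subscriptionId]`. The same key handling, managed-API mismatch and incomplete `connectionId` appear in the GIBTIA_BP_phishing_kit and GIBTIA_Compromised_imei sections that follow.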


@ -0,0 +1,679 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"PlaybookName": {
"defaultValue": "GIBTIA_BP_phishing_kit",
"type": "string"
},
"UserName": {
"defaultValue": "<username>@<domain>",
"type": "string"
}
},
"variables": {
"AzureLogAnalyticsDataCollectorConnectionName": "[concat('azureloganalyticsdatacollector-', parameters('PlaybookName'))]",
"azuremonitorlogsConnectionName": "[concat('azuremon-', parameters('PlaybookName'))]"
},
"resources": [
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('azuremonitorlogsConnectionName')]",
"location": "[resourceGroup().location]",
"properties": {
"displayName": "[parameters('UserName')]",
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuremonitorlogs')]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('AzureLogAnalyticsDataCollectorConnectionName')]",
"location": "[resourceGroup().location]",
"properties": {
"displayName": "[parameters('UserName')]",
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/microsoftgraphsecurity')]"
}
}
},
{
"type": "Microsoft.Logic/workflows",
"apiVersion": "2017-07-01",
"name": "[parameters('PlaybookName')]",
"location": "[resourceGroup().location]",
"properties": {
"state": "Disabled",
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"actions": {
"Condition": {
"actions": {
"Set_variable": {
"inputs": {
"name": "seqUpdate",
"value": "@body('Get_last_received_item_ID_from_Azure_Log_DB')?['value'][0]['seqUpdate_d']"
},
"runAfter": {},
"type": "SetVariable"
}
},
"else": {
"actions": {
"HTTP": {
"inputs": {
"headers": {
"accept": "*/*",
"x-auth-key": "@variables('GIB API Key')",
"x-auth-login": "@parameters('GIB Username')"
},
"method": "GET",
"queries": {
"collection": "@parameters('Collection Name')",
"date": "@{addDays(utcNow(), -1, 'yyyy-MM-dd')}"
},
"uri": "@{parameters('GIB API URL ')}sequence_list"
},
"runAfter": {},
"type": "Http"
},
"Parse_JSON": {
"inputs": {
"content": "@body('HTTP')",
"schema": {
"properties": {
"list": {
"properties": {
"bp/phishing_kit": {
"type": "integer"
}
},
"type": "object"
}
},
"type": "object"
}
},
"runAfter": {
"HTTP": [
"Succeeded"
]
},
"type": "ParseJson"
},
"Update_Last_Item_id_in_Tech_table_": {
"inputs": {
"body": "{\n\"collection_name\" : \"@{parameters('Collection Name')}\",\n\"seqUpdate\" : @{body('Parse_JSON')?['list']?['bp/phishing_kit']}\n}",
"headers": {
"Log-Type": "GIBTechTable"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']"
}
},
"method": "post",
"path": "/api/logs"
},
"runAfter": {
"Parse_JSON": [
"Succeeded"
]
},
"type": "ApiConnection"
},
"set_seqUpdate_": {
"inputs": {
"name": "seqUpdate",
"value": "@body('Parse_JSON')?['list']?['bp/phishing_kit']"
},
"runAfter": {
"Update_Last_Item_id_in_Tech_table_": [
"Succeeded"
]
},
"type": "SetVariable"
}
}
},
"expression": {
"and": [
{
"not": {
"equals": [
"@length(body('Get_last_received_item_ID_from_Azure_Log_DB')?['value'])",
0
]
}
}
]
},
"runAfter": {
"Get_last_received_item_ID_from_Azure_Log_DB": [
"Succeeded"
]
},
"type": "If"
},
"Get_last_received_item_ID_from_Azure_Log_DB": {
"inputs": {
"body": "GIBTechTable_CL | where collection_name_s == \"@{parameters('Collection Name')}\" | sort by TimeGenerated | limit 1",
"host": {
"connection": {
"name": "@parameters('$connections')['azuremonitorlogs']['connectionId']"
}
},
"method": "post",
"path": "/queryData",
"queries": {
"resourcegroups": "Group-IB-WS",
"resourcename": "Group-IB",
"resourcetype": "Log Analytics Workspace",
"subscriptions": "xx-xxx-xxxx-xxxx-xxx",
"timerange": "Last 7 days"
}
},
"runAfter": {
"Inititlize_Emails_Array_": [
"Succeeded"
]
},
"type": "ApiConnection"
},
"Initialize_API_Key": {
"inputs": {
"variables": [
{
"name": "GIB API Key",
"type": "string",
"value": "XXXXXXXXXXXX"
}
]
},
"runAfter": {
"Initialize_seqUpdate": [
"Succeeded"
]
},
"type": "InitializeVariable"
},
"Initialize_seqUpdate": {
"inputs": {
"variables": [
{
"name": "seqUpdate",
"type": "integer"
}
]
},
"runAfter": {},
"type": "InitializeVariable"
},
"Initialize_variable": {
"inputs": {
"variables": [
{
"name": "IsPortionEmpty",
"type": "boolean",
"value": false
}
]
},
"runAfter": {
"Condition": [
"Succeeded"
]
},
"type": "InitializeVariable"
},
"Inititlize_Emails_Array_": {
"inputs": {
"variables": [
{
"name": "emails",
"type": "array",
"value": []
}
]
},
"runAfter": {
"Initialize_API_Key": [
"Succeeded"
]
},
"type": "InitializeVariable"
},
"Until": {
"actions": {
"Get_items_from_response": {
"inputs": {
"content": "@body('Get_next_portion_of_events_from_GIB')",
"schema": {
"properties": {
"count": {
"type": [
"integer",
"null"
]
},
"items": {
"items": {
"properties": {
"dateDetected": {
"type": [
"string",
"null"
]
},
"downloadedFrom": {
"type": "array"
},
"emails": {
"items": {
"type": [
"string",
"null"
]
},
"type": "array"
},
"evaluation": {
"properties": {
"admiraltyCode": {
"type": [
"string",
"null"
]
},
"credibility": {
"type": [
"integer",
"null"
]
},
"reliability": {
"type": [
"integer",
"null"
]
},
"severity": {
"type": [
"string",
"null"
]
},
"tlp": {
"type": [
"string",
"null"
]
},
"ttl": {
"type": [
"integer",
"null"
]
}
},
"type": "object"
},
"hash": {
"type": [
"string",
"null"
]
},
"id": {
"type": [
"string",
"null"
]
},
"isFavourite": {
"type": "boolean"
},
"isHidden": {
"type": "boolean"
},
"oldId": {
"type": [
"string",
"null"
]
},
"path": {
"type": [
"string",
"null"
]
},
"portalLink": {
"type": [
"string",
"null"
]
},
"seqUpdate": {
"type": [
"integer",
"null"
]
},
"targetBrand": {
"items": {
"type": [
"string",
"null"
]
},
"type": "array"
},
"variables": {}
},
"required": [
"dateDetected",
"downloadedFrom",
"emails",
"evaluation",
"hash",
"id",
"isFavourite",
"isHidden",
"oldId",
"path",
"portalLink",
"seqUpdate",
"targetBrand",
"variables"
],
"type": "object"
},
"type": "array"
},
"resultId": {
"type": [
"string",
"null"
]
}
},
"type": "object"
}
},
"runAfter": {
"Get_next_portion_of_events_from_GIB": [
"Succeeded"
]
},
"type": "ParseJson"
},
"Get_next_portion_of_events_from_GIB": {
"inputs": {
"headers": {
"Accept": "*/*",
"x-auth-key": "@variables('GIB API Key')",
"x-auth-login": "@parameters('GIB Username')"
},
"method": "GET",
"queries": {
"limit": "100",
"seqUpdate": "@{variables('seqUpdate')}"
},
"uri": "@{parameters('GIB API URL ')}@{parameters('Collection Name')}/updated"
},
"runAfter": {},
"type": "Http"
},
"IfPortionHasItems": {
"actions": {
"Empty_Array_List": {
"inputs": {
"name": "emails",
"value": []
},
"runAfter": {
"GIBIndicatorProcessor": [
"Succeeded"
]
},
"type": "SetVariable"
},
"For_each": {
"actions": {
"For_each_2": {
"actions": {
"Append_to_array_variable": {
"inputs": {
"name": "emails",
"value": {
"action": "@parameters('GIB Phishing Kit Email Action')",
"activityGroupNames": [],
"confidence": "@int(items('For_each')?['evaluation']?['credibility'])",
"description": "GIB Phishing Kit Email",
"emailSenderAddress": "@items('For_each_2')",
"expirationDateTime": "@addDays(items('For_each')?['dateDetected'], items('For_each')?['evaluation']?['ttl'])",
"killChain": [],
"malwareFamilyNames": [],
"severity": 3,
"tags": [
"bp-phishing-kit"
],
"targetProduct": "Azure Sentinel",
"threatType": "WatchList",
"tlpLevel": "@items('For_each')?['evaluation']?['tlp']"
}
},
"runAfter": {},
"type": "AppendToArrayVariable"
}
},
"foreach": "@items('For_each')?['emails']",
"runAfter": {},
"type": "Foreach"
}
},
"foreach": "@body('Get_items_from_response')?['items']",
"runAfter": {
"Save_only_as_Indicators": [
"Succeeded"
]
},
"type": "Foreach"
},
"GIBIndicatorProcessor": {
"inputs": {
"batchName": "GIBIndicatorsBatch",
"content": "@variables('emails')",
"host": {
"triggerName": "Batch_messages",
"workflow": {
"id": "/subscriptions/xx-xxx-xxxx-xxxx-xxx/resourceGroups/Group-IB-WS/providers/Microsoft.Logic/workflows/GIBIndicatorProcessor"
}
}
},
"runAfter": {
"For_each": [
"Succeeded"
]
},
"type": "SendToBatch"
},
"Save_only_as_Indicators": {
"actions": {},
"else": {
"actions": {
"Send_Data": {
"inputs": {
"body": "@{body('Get_items_from_response')?['items']}",
"headers": {
"Log-Type": "GIBTIABPPhishingKit"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']"
}
},
"method": "post",
"path": "/api/logs"
},
"runAfter": {},
"type": "ApiConnection"
}
}
},
"expression": {
"and": [
{
"equals": [
"@parameters('Save only indicators')",
true
]
}
]
},
"runAfter": {},
"type": "If"
}
},
"else": {
"actions": {
"Set_Empty_portion_value": {
"inputs": {
"name": "IsPortionEmpty",
"value": true
},
"runAfter": {},
"type": "SetVariable"
}
}
},
"expression": {
"and": [
{
"not": {
"equals": [
"@length(body('Get_items_from_response')?['items'])",
0
]
}
}
]
},
"runAfter": {
"Reset_seqUpdate": [
"Succeeded"
]
},
"type": "If"
},
"Reset_seqUpdate": {
"inputs": {
"name": "seqUpdate",
"value": "@body('Get_items_from_response')?['seqUpdate']"
},
"runAfter": {
"Get_items_from_response": [
"Succeeded"
]
},
"type": "SetVariable"
},
"Save_seqUpdate": {
"inputs": {
"body": "{\n\"collection_name\" : \"@{parameters('Collection Name')}\",\n\"seqUpdate\" : @{variables('seqUpdate')}\n}",
"headers": {
"Log-Type": "GIBTechTable"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']"
}
},
"method": "post",
"path": "/api/logs"
},
"runAfter": {
"IfPortionHasItems": [
"Succeeded"
]
},
"type": "ApiConnection"
}
},
"expression": "@equals(variables('IsPortionEmpty'), true)",
"limit": {
"count": 10,
"timeout": "PT1H"
},
"runAfter": {
"Initialize_variable": [
"Succeeded"
]
},
"type": "Until"
}
},
"contentVersion": "1.0.0.0",
"outputs": {},
"parameters": {
"$connections": {
"defaultValue": {},
"type": "Object"
},
"Collection Name": {
"defaultValue": "bp/phishing_kit",
"type": "String"
},
"GIB API URL ": {
"defaultValue": "https://bt.group-ib.com/api/v2/",
"type": "String"
},
"GIB Phishing Kit Email Action": {
"defaultValue": "unknown",
"type": "String"
},
"GIB Username": {
"defaultValue": "xxxx@domain.com",
"type": "String"
},
"Save only indicators": {
"defaultValue": true,
"type": "Bool"
}
},
"triggers": {
"Recurrence": {
"recurrence": {
"frequency": "Hour",
"interval": 1
},
"type": "Recurrence"
}
}
},
"parameters": {
"$connections": {
"value": {
"azureloganalyticsdatacollector": {
"connectionId": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', 'Group-IB-WS', '/providers/Microsoft.Web/connections/')]",
"connectionName": "[variables('AzureLogAnalyticsDataCollectorConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azureloganalyticsdatacollector')]"
},
"azuremonitorlogs": {
"connectionId": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', 'Group-IB-WS', '/providers/Microsoft.Web/connections/')]",
"connectionName": "[variables('azuremonitorlogsConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuremonitorlogs')]"
}
}
}
}
}
}
]
}
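Review bot: `Append_to_array_variable` mutates the shared `emails` variable from inside `For_each_2`, which itself runs inside `For_each`; Logic Apps Foreach iterations execute concurrently by default, and appending to one array variable from concurrent iterations can interleave or lose entries. Mark both loops sequential with `"runtimeConfiguration": { "concurrency": { "repetitions": 1 } }` next to their `"type": "Foreach"`, or build the indicator list with a `Select` over the items as the phishing playbook does, which needs no mutable variable at all. The action name `Inititlize_Emails_Array_` is misspelled; renaming it to `Initialize_Emails_Array` also requires updating the `runAfter` reference in `Get_last_received_item_ID_from_Azure_Log_DB`. `expirationDateTime` is computed as `addDays(items('For_each')?['dateDetected'], items('For_each')?['evaluation']?['ttl'])` while the parsed schema declares both fields nullable, so a null `ttl` or `dateDetected` would presumably fail the append; wrapping `ttl` in `coalesce(..., <default-days>)` with a documented default avoids that.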




@ -0,0 +1,921 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"PlaybookName": {
"defaultValue": "GIBTIA_Compromised_imei",
"type": "string"
},
"UserName": {
"defaultValue": "<username>@<domain>",
"type": "string"
}
},
"variables": {
"AzureLogAnalyticsDataCollectorConnectionName": "[concat('azureloganalyticsdatacollector-', parameters('PlaybookName'))]",
"azuremonitorlogsConnectionName": "[concat('azuremon-', parameters('PlaybookName'))]"
},
"resources": [
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('azuremonitorlogsConnectionName')]",
"location": "[resourceGroup().location]",
"properties": {
"displayName": "[parameters('UserName')]",
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuremonitorlogs')]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('AzureLogAnalyticsDataCollectorConnectionName')]",
"location": "[resourceGroup().location]",
"properties": {
"displayName": "[parameters('UserName')]",
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/microsoftgraphsecurity')]"
}
}
},
{
"type": "Microsoft.Logic/workflows",
"apiVersion": "2017-07-01",
"name": "[parameters('PlaybookName')]",
"location": "[resourceGroup().location]",
"properties": {
"state": "Disabled",
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"actions": {
"Condition": {
"actions": {
"Set_variable": {
"inputs": {
"name": "seqUpdate",
"value": "@body('Get_last_received_item_ID_from_Azure_Log_DB')?['value'][0]['seqUpdate_d']"
},
"runAfter": {},
"type": "SetVariable"
}
},
"else": {
"actions": {
"HTTP": {
"inputs": {
"headers": {
"accept": "*/*",
"x-auth-key": "@variables('GIB API Key')",
"x-auth-login": "@parameters('GIB Username')"
},
"method": "GET",
"queries": {
"collection": "@parameters('Collection Name')",
"date": "@{addDays(utcNow(), -1, 'yyyy-MM-dd')}"
},
"uri": "@{parameters('GIB API URL ')}sequence_list"
},
"runAfter": {},
"type": "Http"
},
"Parse_JSON": {
"inputs": {
"content": "@body('HTTP')",
"schema": {
"properties": {
"list": {
"properties": {
"compromised/imei": {
"type": "integer"
}
},
"type": "object"
}
},
"type": "object"
}
},
"runAfter": {
"HTTP": [
"Succeeded"
]
},
"type": "ParseJson"
},
"Update_Last_Item_id_in_Tech_table_": {
"inputs": {
"body": "{\n\"collection_name\" : \"@{parameters('Collection Name')}\",\n\"seqUpdate\" : @{body('Parse_JSON')?['list']?['compromised/imei']}\n}",
"headers": {
"Log-Type": "GIBTechTable"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']"
}
},
"method": "post",
"path": "/api/logs"
},
"runAfter": {
"Parse_JSON": [
"Succeeded"
]
},
"type": "ApiConnection"
},
"set_seqUpdate_": {
"inputs": {
"name": "seqUpdate",
"value": "@body('Parse_JSON')?['list']?['compromised/imei']"
},
"runAfter": {
"Update_Last_Item_id_in_Tech_table_": [
"Succeeded"
]
},
"type": "SetVariable"
}
}
},
"expression": {
"and": [
{
"not": {
"equals": [
"@length(body('Get_last_received_item_ID_from_Azure_Log_DB')?['value'])",
0
]
}
}
]
},
"runAfter": {
"Get_last_received_item_ID_from_Azure_Log_DB": [
"Succeeded"
]
},
"type": "If"
},
"Get_last_received_item_ID_from_Azure_Log_DB": {
"inputs": {
"body": "GIBTechTable_CL | where collection_name_s == \"@{parameters('Collection Name')}\" | sort by TimeGenerated | limit 1",
"host": {
"connection": {
"name": "@parameters('$connections')['azuremonitorlogs']['connectionId']"
}
},
"method": "post",
"path": "/queryData",
"queries": {
"resourcegroups": "Group-IB-WS",
"resourcename": "Group-IB",
"resourcetype": "Log Analytics Workspace",
"subscriptions": "xx-xxx-xxxx-xxxx-xxx",
"timerange": "Last 7 days"
}
},
"runAfter": {
"Init_TechTable": [
"Succeeded"
]
},
"type": "ApiConnection"
},
"Init_TechTable": {
"inputs": {
"body": "{\n\"collection_name\" : \"test/collection\",\n\"seqUpdate\" : 0 \n}",
"headers": {
"Log-Type": "GIBTechTable"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']"
}
},
"method": "post",
"path": "/api/logs"
},
"runAfter": {
"Initialize_API_Key": [
"Succeeded"
]
},
"type": "ApiConnection"
},
"Initialize_API_Key": {
"inputs": {
"variables": [
{
"name": "GIB API Key",
"type": "string",
"value": "XXXXXXXXXXXXXXX"
}
]
},
"runAfter": {
"Initialize_seqUpdate": [
"Succeeded"
]
},
"type": "InitializeVariable"
},
"Initialize_seqUpdate": {
"inputs": {
"variables": [
{
"name": "seqUpdate",
"type": "integer"
}
]
},
"runAfter": {},
"type": "InitializeVariable"
},
"Initialize_variable": {
"inputs": {
"variables": [
{
"name": "IsPortionEmpty",
"type": "boolean",
"value": false
}
]
},
"runAfter": {
"Condition": [
"Succeeded"
]
},
"type": "InitializeVariable"
},
"Until": {
"actions": {
"Get_items_from_response": {
"inputs": {
"content": "@body('Get_next_portion_of_events_from_GIB')",
"schema": {
"properties": {
"count": {
"type": [
"integer",
"null"
]
},
"items": {
"items": {
"properties": {
"client": {
"properties": {
"ipv4": {
"properties": {
"asn": {},
"city": {},
"countryCode": {},
"countryName": {},
"ip": {},
"provider": {},
"region": {}
},
"type": "object"
}
},
"type": "object"
},
"cnc": {
"properties": {
"cnc": {
"type": [
"string",
"null"
]
},
"domain": {
"type": [
"string",
"null"
]
},
"ipv4": {
"properties": {
"asn": {
"type": [
"string",
"null"
]
},
"city": {
"type": [
"string",
"null"
]
},
"countryCode": {
"type": [
"string",
"null"
]
},
"countryName": {
"type": [
"string",
"null"
]
},
"ip": {
"type": [
"string",
"null"
]
},
"provider": {
"type": [
"string",
"null"
]
},
"region": {
"type": [
"string",
"null"
]
}
},
"type": "object"
},
"ipv6": {},
"url": {
"type": [
"string",
"null"
]
}
},
"type": "object"
},
"dateCompromised": {},
"dateDetected": {
"type": [
"string",
"null"
]
},
"device": {
"properties": {
"iccid": {
"type": [
"string",
"null"
]
},
"imei": {
"type": [
"string",
"null"
]
},
"imsi": {
"type": [
"string",
"null"
]
},
"model": {},
"os": {}
},
"type": "object"
},
"evaluation": {
"properties": {
"admiraltyCode": {
"type": [
"string",
"null"
]
},
"credibility": {
"type": [
"integer",
"null"
]
},
"reliability": {
"type": [
"integer",
"null"
]
},
"severity": {
"type": [
"string",
"null"
]
},
"tlp": {
"type": [
"string",
"null"
]
},
"ttl": {
"type": [
"integer",
"null"
]
}
},
"type": "object"
},
"id": {
"type": [
"string",
"null"
]
},
"isFavourite": {
"type": "boolean"
},
"isHidden": {
"type": "boolean"
},
"malware": {
"properties": {
"id": {
"type": [
"string",
"null"
]
},
"name": {
"type": [
"string",
"null"
]
}
},
"type": [
"object",
"null"
]
},
"oldId": {
"type": [
"string",
"null"
]
},
"operator": {
"properties": {
"countryCode": {},
"name": {},
"number": {
"type": [
"string",
"null"
]
}
},
"type": "object"
},
"portalLink": {
"type": [
"string",
"null"
]
},
"seqUpdate": {
"type": [
"integer",
"null"
]
},
"sourceType": {
"type": [
"string",
"null"
]
},
"threatActor": {}
},
"required": [
"client",
"cnc",
"dateCompromised",
"dateDetected",
"device",
"evaluation",
"id",
"isFavourite",
"isHidden",
"malware",
"oldId",
"operator",
"portalLink",
"seqUpdate",
"sourceType",
"threatActor"
],
"type": "object"
},
"type": "array"
},
"resultId": {
"type": [
"string",
"null"
]
}
},
"type": "object"
}
},
"runAfter": {
"Get_next_portion_of_events_from_GIB": [
"Succeeded"
]
},
"type": "ParseJson"
},
"Get_next_portion_of_events_from_GIB": {
"inputs": {
"headers": {
"Accept": "*/*",
"x-auth-key": "@variables('GIB API Key')",
"x-auth-login": "@parameters('GIB Username')"
},
"method": "GET",
"queries": {
"limit": "100",
"seqUpdate": "@{variables('seqUpdate')}"
},
"uri": "@{parameters('GIB API URL ')}@{parameters('Collection Name')}/updated"
},
"runAfter": {},
"type": "Http"
},
"IfPortionHasItems": {
"actions": {
"Filter_Empty_Domains": {
"inputs": {
"from": "@body('Select_Domain')",
"where": "@not(equals(item()?['domainName'], null))"
},
"runAfter": {
"Select_Domain": [
"Succeeded"
]
},
"type": "Query"
},
"Filter_Empty_IPs": {
"inputs": {
"from": "@body('Select_IP')",
"where": "@not(equals(item()?['networkIPv4'], null))"
},
"runAfter": {
"Select_IP": [
"Succeeded"
]
},
"type": "Query"
},
"Filter_Empty_URLs": {
"inputs": {
"from": "@body('Select_URL')",
"where": "@not(equals(item()['url'], null))"
},
"runAfter": {
"Select_URL": [
"Succeeded"
]
},
"type": "Query"
},
"GIBIndicatorProcessor": {
"inputs": {
"batchName": "GIBIndicatorsBatch",
"content": "@body('Select_IP')",
"host": {
"triggerName": "Batch_messages",
"workflow": {
"id": "/subscriptions/xx-xxx-xxxx-xxxx-xxx/resourceGroups/Group-IB-WS/providers/Microsoft.Logic/workflows/GIBIndicatorProcessor"
}
}
},
"runAfter": {
"Filter_Empty_Domains": [
"Succeeded"
]
},
"type": "SendToBatch"
},
"GIBIndicatorProcessor_2": {
"inputs": {
"batchName": "GIBIndicatorsBatch",
"content": "@body('Filter_Empty_IPs')",
"host": {
"triggerName": "Batch_messages",
"workflow": {
"id": "/subscriptions/xx-xxx-xxxx-xxxx-xxx/resourceGroups/Group-IB-WS/providers/Microsoft.Logic/workflows/GIBIndicatorProcessor"
}
}
},
"runAfter": {
"Filter_Empty_IPs": [
"Succeeded"
]
},
"type": "SendToBatch"
},
"GIBIndicatorProcessor_3": {
"inputs": {
"batchName": "GIBIndicatorsBatch",
"content": "@body('Filter_Empty_URLs')",
"host": {
"triggerName": "Batch_messages",
"workflow": {
"id": "/subscriptions/xx-xxx-xxxx-xxxx-xxx/resourceGroups/Group-IB-WS/providers/Microsoft.Logic/workflows/GIBIndicatorProcessor"
}
}
},
"runAfter": {
"Filter_Empty_URLs": [
"Succeeded"
]
},
"type": "SendToBatch"
},
"Save_only_as_Indicators": {
"actions": {},
"else": {
"actions": {
"Send_Data": {
"inputs": {
"body": "@{body('Get_items_from_response')?['items']}",
"headers": {
"Log-Type": "GIBTIACompromisedIMEI"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']"
}
},
"method": "post",
"path": "/api/logs"
},
"runAfter": {},
"type": "ApiConnection"
}
}
},
"expression": {
"and": [
{
"equals": [
"@parameters('Save only indicators')",
true
]
}
]
},
"runAfter": {},
"type": "If"
},
"Select_Domain": {
"inputs": {
"from": "@body('Get_items_from_response')?['items']",
"select": {
"action": "@parameters('GIB Compromised IMEI CNC Domain Action')",
"activityGroupNames": [
"@{item()?['threatActor']?['name']}"
],
"confidence": "@int(item()?['evaluation']?['credibility'])",
"description": "GIB Compromised IMEI CNC Domain",
"domainName": "@{item()?['cnc']?['domain']}",
"expirationDateTime": "@{addDays(item()?['dateDetected'], item()?['evaluation']?['ttl'])}",
"killChain": [],
"malwareFamilyNames": [],
"severity": 5,
"tags": [
"compromised-imei"
],
"targetProduct": "Azure Sentinel",
"threatType": "WatchList",
"tlpLevel": "@{item()?['evaluation']?['tlp']}"
}
},
"runAfter": {
"GIBIndicatorProcessor_3": [
"Succeeded"
]
},
"type": "Select"
},
"Select_IP": {
"inputs": {
"from": "@body('Get_items_from_response')?['items']",
"select": {
"action": "@parameters('GIB Compromised IMEI CNC IP Action')",
"activityGroupNames": [
"@{item()?['threatActor']?['name']}"
],
"confidence": "@int(item()?['evaluation']?['credibility'])",
"description": "GIB Compromised IMEI CNC IP",
"expirationDateTime": "@{addDays(item()?['dateDetected'], item()?['evaluation']?['ttl'])}",
"killChain": [],
"malwareFamilyNames": [],
"networkIPv4": "@{item()?['cnc']?['ipv4']?['ip']}",
"severity": 5,
"tags": [
"compromised-imei"
],
"targetProduct": "Azure Sentinel",
"threatType": "WatchList",
"tlpLevel": "@{item()?['evaluation']?['tlp']}"
}
},
"runAfter": {
"Save_only_as_Indicators": [
"Succeeded"
]
},
"type": "Select"
},
"Select_URL": {
"inputs": {
"from": "@body('Get_items_from_response')?['items']",
"select": {
"action": "@parameters('GIB Compromised IMEI CNC URL Action')",
"activityGroupNames": [
"@{item()?['threatActor']?['name']}"
],
"confidence": "@int(item()?['evaluation']?['credibility'])",
"description": "GIB Compromised IMEI CNC URL",
"expirationDateTime": "@{addDays(item()?['dateDetected'], item()?['evaluation']?['ttl'])}",
"killChain": [],
"malwareFamilyNames": [],
"severity": 5,
"tags": [
"compromised-imei"
],
"targetProduct": "Azure Sentinel",
"threatType": "WatchList",
"tlpLevel": "@{item()?['evaluation']?['tlp']}",
"url": "@{item()?['cnc']?['url']}"
}
},
"runAfter": {
"GIBIndicatorProcessor_2": [
"Succeeded"
]
},
"type": "Select"
}
},
"else": {
"actions": {
"Set_Empty_portion_value": {
"inputs": {
"name": "IsPortionEmpty",
"value": true
},
"runAfter": {},
"type": "SetVariable"
}
}
},
"expression": {
"and": [
{
"not": {
"equals": [
"@length(body('Get_items_from_response')?['items'])",
0
]
}
}
]
},
"runAfter": {
"Reset_seqUpdate": [
"Succeeded"
]
},
"type": "If"
},
"Reset_seqUpdate": {
"inputs": {
"name": "seqUpdate",
"value": "@body('Get_items_from_response')?['seqUpdate']"
},
"runAfter": {
"Get_items_from_response": [
"Succeeded"
]
},
"type": "SetVariable"
},
"Save_seqUpdate": {
"inputs": {
"body": "{\n\"collection_name\" : \"@{parameters('Collection Name')}\",\n\"seqUpdate\" : @{variables('seqUpdate')}\n}",
"headers": {
"Log-Type": "GIBTechTable"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']"
}
},
"method": "post",
"path": "/api/logs"
},
"runAfter": {
"IfPortionHasItems": [
"Succeeded"
]
},
"type": "ApiConnection"
}
},
"expression": "@equals(variables('IsPortionEmpty'), true)",
"limit": {
"count": 10,
"timeout": "PT1H"
},
"runAfter": {
"Initialize_variable": [
"Succeeded"
]
},
"type": "Until"
}
},
"contentVersion": "1.0.0.0",
"outputs": {},
"parameters": {
"$connections": {
"defaultValue": {},
"type": "Object"
},
"Collection Name": {
"defaultValue": "compromised/imei",
"type": "String"
},
"GIB API URL ": {
"defaultValue": "https://bt.group-ib.com/api/v2/",
"type": "String"
},
"GIB Compromised IMEI CNC Domain Action": {
"defaultValue": "unknown",
"type": "String"
},
"GIB Compromised IMEI CNC IP Action": {
"defaultValue": "unknown",
"type": "String"
},
"GIB Compromised IMEI CNC URL Action": {
"defaultValue": "unknown",
"type": "String"
},
"GIB Username": {
"defaultValue": "xxxx@domain.com",
"type": "String"
},
"Save only indicators": {
"defaultValue": false,
"type": "Bool"
}
},
"triggers": {
"Recurrence": {
"recurrence": {
"frequency": "Hour",
"interval": 1
},
"type": "Recurrence"
}
}
},
"parameters": {
"$connections": {
"value": {
"azureloganalyticsdatacollector": {
"connectionId": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', 'Group-IB-WS', '/providers/Microsoft.Web/connections/')]",
"connectionName": "[variables('AzureLogAnalyticsDataCollectorConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azureloganalyticsdatacollector')]"
},
"azuremonitorlogs": {
"connectionId": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', 'Group-IB-WS', '/providers/Microsoft.Web/connections/')]",
"connectionName": "[variables('azuremonitorlogsConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuremonitorlogs')]"
}
}
}
}
}
}
]
}
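Review bot: The Group-IB API key is held in a plain workflow variable (`Initialize_API_Key`, value `XXXXXXXXXXXXXXX`) and sent in the `x-auth-key` header of both `HTTP` and `Get_next_portion_of_events_from_GIB`; the workflow definition is readable by anyone with Reader on the Logic App and action inputs are kept in run history, so the credential is exposed in two places. Move it to a template parameter with `"type": "securestring"` (or a Key Vault reference) and add `"runtimeConfiguration": {"secureData": {"properties": ["inputs"]}}` to the two HTTP actions so the header is not persisted. Separately, the three `Filter_Empty_*` queries compare against `null`, but the `Select_*` projections build `domainName`/`networkIPv4`/`url` with `@{...}` interpolation, which yields `""` rather than `null` when the source field is missing, so nothing is ever filtered out; the mule playbook in this same commit already uses the working form, `"where": "@not(equals(length(item()?['domainName']), 0))"`. `GIBIndicatorProcessor` also batches `@body('Select_IP')` instead of `@body('Filter_Empty_Domains')`, so domain indicators are never submitted and the unfiltered IP list goes out twice. Finally, the placeholder `xx-xxx-xxxx-xxxx-xxx` subscription and the `Group-IB-WS` / `Group-IB` names in the `queryData` queries and batch workflow ids should be derived from `subscription().subscriptionId`, `resourceGroup().name` and a workspace parameter, as the rest of the template already does.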


@ -0,0 +1,869 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"PlaybookName": {
"defaultValue": "GIBTIA_Compromised_mule",
"type": "string"
},
"UserName": {
"defaultValue": "<username>@<domain>",
"type": "string"
}
},
"variables": {
"AzureLogAnalyticsDataCollectorConnectionName": "[concat('azureloganalyticsdatacollector-', parameters('PlaybookName'))]",
"azuremonitorlogsConnectionName": "[concat('azuremon-', parameters('PlaybookName'))]"
},
"resources": [
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('azuremonitorlogsConnectionName')]",
"location": "[resourceGroup().location]",
"properties": {
"displayName": "[parameters('UserName')]",
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuremonitorlogs')]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('AzureLogAnalyticsDataCollectorConnectionName')]",
"location": "[resourceGroup().location]",
"properties": {
"displayName": "[parameters('UserName')]",
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/microsoftgraphsecurity')]"
}
}
},
{
"type": "Microsoft.Logic/workflows",
"apiVersion": "2017-07-01",
"name": "[parameters('PlaybookName')]",
"location": "[resourceGroup().location]",
"properties": {
"state": "Disabled",
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"actions": {
"Condition": {
"actions": {
"Set_variable": {
"inputs": {
"name": "seqUpdate",
"value": "@body('Get_last_received_item_ID_from_Azure_Log_DB')?['value'][0]['seqUpdate_d']"
},
"runAfter": {},
"type": "SetVariable"
}
},
"else": {
"actions": {
"HTTP": {
"inputs": {
"headers": {
"accept": "*/*",
"x-auth-key": "@variables('GIB API Key')",
"x-auth-login": "@parameters('GIB Username')"
},
"method": "GET",
"queries": {
"collection": "@parameters('Collection Name')",
"date": "@{addDays(utcNow(), -1, 'yyyy-MM-dd')}"
},
"uri": "@{parameters('GIB API URL ')}sequence_list"
},
"runAfter": {},
"type": "Http"
},
"Parse_JSON": {
"inputs": {
"content": "@body('HTTP')",
"schema": {
"properties": {
"list": {
"properties": {
"compromised/mule": {
"type": "integer"
}
},
"type": "object"
}
},
"type": "object"
}
},
"runAfter": {
"HTTP": [
"Succeeded"
]
},
"type": "ParseJson"
},
"Update_Last_Item_id_in_Tech_table_": {
"inputs": {
"body": "{\n\"collection_name\" : \"@{parameters('Collection Name')}\",\n\"seqUpdate\" : @{body('Parse_JSON')?['list']?['compromised/mule']}\n}",
"headers": {
"Log-Type": "GIBTechTable"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']"
}
},
"method": "post",
"path": "/api/logs"
},
"runAfter": {
"Parse_JSON": [
"Succeeded"
]
},
"type": "ApiConnection"
},
"set_seqUpdate_": {
"inputs": {
"name": "seqUpdate",
"value": "@body('Parse_JSON')?['list']?['compromised/mule']"
},
"runAfter": {
"Update_Last_Item_id_in_Tech_table_": [
"Succeeded"
]
},
"type": "SetVariable"
}
}
},
"expression": {
"and": [
{
"not": {
"equals": [
"@length(body('Get_last_received_item_ID_from_Azure_Log_DB')?['value'])",
0
]
}
}
]
},
"runAfter": {
"Get_last_received_item_ID_from_Azure_Log_DB": [
"Succeeded"
]
},
"type": "If"
},
"Get_last_received_item_ID_from_Azure_Log_DB": {
"inputs": {
"body": "GIBTechTable_CL | where collection_name_s == \"@{parameters('Collection Name')}\" | sort by TimeGenerated | limit 1",
"host": {
"connection": {
"name": "@parameters('$connections')['azuremonitorlogs']['connectionId']"
}
},
"method": "post",
"path": "/queryData",
"queries": {
"resourcegroups": "Group-IB-WS",
"resourcename": "Group-IB",
"resourcetype": "Log Analytics Workspace",
"subscriptions": "xx-xxx-xxxx-xxxx-xxx",
"timerange": "Last 7 days"
}
},
"runAfter": {
"Init_TechTable": [
"Succeeded"
]
},
"type": "ApiConnection"
},
"Init_TechTable": {
"inputs": {
"body": "{ \n\"collection_name\" : \"test/collection\",\n\"seqUpdate\" : 0 \n}",
"headers": {
"Log-Type": "GIBTechTable"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']"
}
},
"method": "post",
"path": "/api/logs"
},
"runAfter": {
"Initialize_API_Key": [
"Succeeded"
]
},
"type": "ApiConnection"
},
"Initialize_API_Key": {
"inputs": {
"variables": [
{
"name": "GIB API Key",
"type": "string",
"value": "XXXXXXXXXXXXXX"
}
]
},
"runAfter": {
"Initialize_seqUpdate": [
"Succeeded"
]
},
"type": "InitializeVariable"
},
"Initialize_seqUpdate": {
"inputs": {
"variables": [
{
"name": "seqUpdate",
"type": "integer"
}
]
},
"runAfter": {},
"type": "InitializeVariable"
},
"Initialize_variable": {
"inputs": {
"variables": [
{
"name": "IsPortionEmpty",
"type": "boolean",
"value": false
}
]
},
"runAfter": {
"Condition": [
"Succeeded"
]
},
"type": "InitializeVariable"
},
"Until": {
"actions": {
"Get_items_from_response": {
"inputs": {
"content": "@body('Get_next_portion_of_events_from_GIB')",
"schema": {
"properties": {
"count": {
"type": [
"integer",
"null"
]
},
"items": {
"items": {
"properties": {
"account": {
"type": [
"string",
"null"
]
},
"cnc": {
"properties": {
"cnc": {
"type": [
"string",
"null"
]
},
"domain": {
"type": [
"string",
"null"
]
},
"ipv4": {
"properties": {
"asn": {},
"city": {},
"countryCode": {},
"countryName": {},
"ip": {
"type": [
"string",
"null"
]
},
"provider": {},
"region": {}
},
"type": "object"
},
"ipv6": {},
"url": {
"type": [
"string",
"null"
]
}
},
"type": "object"
},
"dateAdd": {
"type": [
"string",
"null"
]
},
"dateIncident": {},
"evaluation": {
"properties": {
"admiraltyCode": {
"type": [
"string",
"null"
]
},
"credibility": {
"type": [
"integer",
"null"
]
},
"reliability": {
"type": [
"integer",
"null"
]
},
"severity": {
"type": [
"string",
"null"
]
},
"tlp": {
"type": [
"string",
"null"
]
},
"ttl": {
"type": [
"integer",
"null"
]
}
},
"type": "object"
},
"id": {
"type": [
"string",
"null"
]
},
"info": {},
"isFavourite": {
"type": "boolean"
},
"isHidden": {
"type": "boolean"
},
"malware": {
"properties": {
"id": {
"type": [
"string",
"null"
]
},
"name": {
"type": [
"string",
"null"
]
}
},
"type": [
"object",
"null"
]
},
"oldId": {
"type": [
"string",
"null"
]
},
"organization": {
"properties": {
"bic": {},
"bicRu": {},
"bsb": {},
"iban": {},
"name": {
"type": [
"string",
"null"
]
},
"swift": {}
},
"type": "object"
},
"person": {
"properties": {
"address": {},
"birthday": {},
"city": {},
"countryCode": {},
"email": {},
"name": {},
"passport": {},
"phone": {},
"state": {},
"taxNumber": {},
"zip": {}
},
"type": "object"
},
"portalLink": {
"type": [
"string",
"null"
]
},
"seqUpdate": {
"type": [
"integer",
"null"
]
},
"sourceType": {
"type": [
"string",
"null"
]
},
"threatActor": {},
"type": {
"type": [
"string",
"null"
]
}
},
"required": [
"account",
"cnc",
"dateAdd",
"dateIncident",
"evaluation",
"id",
"info",
"malware",
"oldId",
"organization",
"person",
"portalLink",
"seqUpdate",
"sourceType",
"threatActor",
"type"
],
"type": "object"
},
"type": "array"
},
"resultId": {
"type": [
"string",
"null"
]
}
},
"type": "object"
}
},
"runAfter": {
"Get_next_portion_of_events_from_GIB": [
"Succeeded"
]
},
"type": "ParseJson"
},
"Get_next_portion_of_events_from_GIB": {
"inputs": {
"headers": {
"Accept": "*/*",
"x-auth-key": "@variables('GIB API Key')",
"x-auth-login": "@parameters('GIB Username')"
},
"method": "GET",
"queries": {
"limit": "100",
"seqUpdate": "@{variables('seqUpdate')}"
},
"uri": "@{parameters('GIB API URL ')}@{parameters('Collection Name')}/updated"
},
"runAfter": {},
"type": "Http"
},
"IfPortionHasItems": {
"actions": {
"Filter_Empty_Domains": {
"inputs": {
"from": "@body('Select_Domain')",
"where": "@not(equals(length(item()?['domainName']), 0))"
},
"runAfter": {
"Select_Domain": [
"Succeeded"
]
},
"type": "Query"
},
"Filter_Empty_IPs": {
"inputs": {
"from": "@body('Select_IP')",
"where": "@not(equals(length(item()?['networkIPv4']), 0))"
},
"runAfter": {
"Select_IP": [
"Succeeded"
]
},
"type": "Query"
},
"Filter_Empty_URLs": {
"inputs": {
"from": "@body('Select_URL')",
"where": "@not(equals(length(item()?['url']), 0))"
},
"runAfter": {
"Select_URL": [
"Succeeded"
]
},
"type": "Query"
},
"GIBIndicatorProcessor": {
"inputs": {
"batchName": "GIBIndicatorsBatch",
"content": "@body('Select_IP')",
"host": {
"triggerName": "Batch_messages",
"workflow": {
"id": "/subscriptions/xx-xxx-xxxx-xxxx-xxx/resourceGroups/Group-IB-WS/providers/Microsoft.Logic/workflows/GIBIndicatorProcessor"
}
}
},
"runAfter": {
"Filter_Empty_Domains": [
"Succeeded"
]
},
"type": "SendToBatch"
},
"GIBIndicatorProcessor_2": {
"inputs": {
"batchName": "GIBIndicatorsBatch",
"content": "@body('Filter_Empty_IPs')",
"host": {
"triggerName": "Batch_messages",
"workflow": {
"id": "/subscriptions/xx-xxx-xxxx-xxxx-xxx/resourceGroups/Group-IB-WS/providers/Microsoft.Logic/workflows/GIBIndicatorProcessor"
}
}
},
"runAfter": {
"Filter_Empty_IPs": [
"Succeeded"
]
},
"type": "SendToBatch"
},
"GIBIndicatorProcessor_3": {
"inputs": {
"batchName": "GIBIndicatorsBatch",
"content": "@body('Filter_Empty_URLs')",
"host": {
"triggerName": "Batch_messages",
"workflow": {
"id": "/subscriptions/xx-xxx-xxxx-xxxx-xxx/resourceGroups/Group-IB-WS/providers/Microsoft.Logic/workflows/GIBIndicatorProcessor"
}
}
},
"runAfter": {
"Filter_Empty_URLs": [
"Succeeded"
]
},
"type": "SendToBatch"
},
"Save_only_as_Indicators": {
"actions": {},
"else": {
"actions": {
"Send_Data": {
"inputs": {
"body": "@{body('Get_items_from_response')?['items']}",
"headers": {
"Log-Type": "GIBTIACompromisedMule"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']"
}
},
"method": "post",
"path": "/api/logs"
},
"runAfter": {},
"type": "ApiConnection"
}
}
},
"expression": {
"and": [
{
"equals": [
"@parameters('Save only indicators')",
true
]
}
]
},
"runAfter": {},
"type": "If"
},
"Select_Domain": {
"inputs": {
"from": "@body('Get_items_from_response')?['items']",
"select": {
"action": "unknown",
"activityGroupNames": [
"@{item()?['threatActor']?['name']}"
],
"confidence": "@int(item()?['evaluation']?['credibility'])",
"description": "GIB Compromised Mule CNC Domain",
"domainName": "@{item()?['cnc']?['domain']}",
"expirationDateTime": "@{addDays(item()?['dateAdd'], item()?['evaluation']?['ttl'])}",
"killChain": [],
"malwareFamilyNames": [],
"severity": 5,
"tags": [
"compromised-mule"
],
"targetProduct": "Azure Sentinel",
"threatType": "WatchList",
"tlpLevel": "@{item()?['evaluation']?['tlp']}"
}
},
"runAfter": {
"GIBIndicatorProcessor_3": [
"Succeeded"
]
},
"type": "Select"
},
"Select_IP": {
"inputs": {
"from": "@body('Get_items_from_response')?['items']",
"select": {
"action": "unknown",
"activityGroupNames": [
"@{item()?['threatActor']?['name']}"
],
"confidence": "@int(item()?['evaluation']?['credibility'])",
"description": "GIB Compromised Mule CNC IP",
"expirationDateTime": "@{addDays(item()?['dateAdd'], item()?['evaluation']?['ttl'])}",
"killChain": [],
"malwareFamilyNames": [],
"networkIPv4": "@{item()?['cnc']?['ipv4']?['ip']}",
"severity": 5,
"tags": [
"compromised-mule"
],
"targetProduct": "Azure Sentinel",
"threatType": "WatchList",
"tlpLevel": "@{item()?['evaluation']?['tlp']}"
}
},
"runAfter": {
"Save_only_as_Indicators": [
"Succeeded"
]
},
"type": "Select"
},
"Select_URL": {
"inputs": {
"from": "@body('Get_items_from_response')?['items']",
"select": {
"action": "unknown",
"activityGroupNames": [
"@{item()?['threatActor']?['name']}"
],
"confidence": "@int(item()?['evaluation']?['credibility'])",
"description": "GIB Compromised Mule CNC URL",
"expirationDateTime": "@{addDays(item()?['dateAdd'], item()?['evaluation']?['ttl'])}",
"killChain": [],
"malwareFamilyNames": [],
"severity": 5,
"tags": [
"compromised-mule"
],
"targetProduct": "Azure Sentinel",
"threatType": "WatchList",
"tlpLevel": "@{item()?['evaluation']?['tlp']}",
"url": "@{item()?['cnc']?['url']}"
}
},
"runAfter": {
"GIBIndicatorProcessor_2": [
"Succeeded"
]
},
"type": "Select"
}
},
"else": {
"actions": {
"Set_Empty_portion_value": {
"inputs": {
"name": "IsPortionEmpty",
"value": true
},
"runAfter": {},
"type": "SetVariable"
}
}
},
"expression": {
"and": [
{
"not": {
"equals": [
"@length(body('Get_items_from_response')?['items'])",
0
]
}
}
]
},
"runAfter": {
"Reset_seqUpdate": [
"Succeeded"
]
},
"type": "If"
},
"Reset_seqUpdate": {
"inputs": {
"name": "seqUpdate",
"value": "@body('Get_items_from_response')?['seqUpdate']"
},
"runAfter": {
"Get_items_from_response": [
"Succeeded"
]
},
"type": "SetVariable"
},
"Save_seqUpdate": {
"inputs": {
"body": "{\n\"collection_name\" : \"@{parameters('Collection Name')}\",\n\"seqUpdate\" : @{variables('seqUpdate')}\n}",
"headers": {
"Log-Type": "GIBTechTable"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']"
}
},
"method": "post",
"path": "/api/logs"
},
"runAfter": {
"IfPortionHasItems": [
"Succeeded"
]
},
"type": "ApiConnection"
}
},
"expression": "@equals(variables('IsPortionEmpty'), true)",
"limit": {
"count": 10,
"timeout": "PT1H"
},
"runAfter": {
"Initialize_variable": [
"Succeeded"
]
},
"type": "Until"
}
},
"contentVersion": "1.0.0.0",
"outputs": {},
"parameters": {
"$connections": {
"defaultValue": {},
"type": "Object"
},
"Collection Name": {
"defaultValue": "compromised/mule",
"type": "String"
},
"GIB API URL ": {
"defaultValue": "https://bt.group-ib.com/api/v2/",
"type": "String"
},
"GIB Username": {
"defaultValue": "xxxx@domain.com",
"type": "String"
},
"Save only indicators": {
"defaultValue": false,
"type": "Bool"
}
},
"triggers": {
"Recurrence": {
"recurrence": {
"frequency": "Hour",
"interval": 1
},
"type": "Recurrence"
}
}
},
"parameters": {
"$connections": {
"value": {
"azureloganalyticsdatacollector": {
"connectionId": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', 'Group-IB-WS', '/providers/Microsoft.Web/connections/')]",
"connectionName": "[variables('AzureLogAnalyticsDataCollectorConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azureloganalyticsdatacollector')]"
},
"azuremonitorlogs": {
"connectionId": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', 'Group-IB-WS', '/providers/Microsoft.Web/connections/')]",
"connectionName": "[variables('azuremonitorlogsConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuremonitorlogs')]"
}
}
}
}
}
}
]
}
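Review bot: With `Save only indicators` defaulting to `false`, the `Send_Data` action inside `Save_only_as_Indicators` writes every raw item to the `GIBTIACompromisedMule` custom log, and the `Get_items_from_response` schema shows those items carry a `person` object (`passport`, `birthday`, `taxNumber`, `address`, `email`, `phone`) and `organization` bank identifiers (`iban`, `bic`, `swift`) — personal and financial data that this playbook ingests into Log Analytics by default. Either default the parameter to `true`, or add a `Select` that strips `person` and `organization` before the `/api/logs` post, and state the intended retention/TLP handling for that table in the playbook description. `GIBIndicatorProcessor` batches `@body('Select_IP')` rather than `@body('Filter_Empty_Domains')`, so domain indicators are never sent and unfiltered IP entries are sent twice. The second `Microsoft.Web/connections` resource is named by `AzureLogAnalyticsDataCollectorConnectionName` but created against `managedApis/microsoftgraphsecurity`, while `$connections.azureloganalyticsdatacollector` points at `managedApis/azureloganalyticsdatacollector` and its `connectionId` ends in a bare `/connections/` with no name, so the deployed workflow cannot bind that connection; the id should be `concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/connections/', variables('AzureLogAnalyticsDataCollectorConnectionName'))` and the workflow should `dependsOn` both connections. The API key is again a plain `Initialize_API_Key` variable sent in `x-auth-key` with no `secureData` on the HTTP actions; use a `securestring` parameter and `"runtimeConfiguration": {"secureData": {"properties": ["inputs"]}}`.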



@ -0,0 +1,631 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"PlaybookName": {
"defaultValue": "GIBTIA_HI_Threat_Actor",
"type": "string"
},
"UserName": {
"defaultValue": "<username>@<domain>",
"type": "string"
}
},
"variables": {
"AzureLogAnalyticsDataCollectorConnectionName": "[concat('azureloganalyticsdatacollector-', parameters('PlaybookName'))]",
"azuremonitorlogsConnectionName": "[concat('azuremon-', parameters('PlaybookName'))]"
},
"resources": [
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('azuremonitorlogsConnectionName')]",
"location": "[resourceGroup().location]",
"properties": {
"displayName": "[parameters('UserName')]",
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuremonitorlogs')]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('AzureLogAnalyticsDataCollectorConnectionName')]",
"location": "[resourceGroup().location]",
"properties": {
"displayName": "[parameters('UserName')]",
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/microsoftgraphsecurity')]"
}
}
},
{
"type": "Microsoft.Logic/workflows",
"apiVersion": "2017-07-01",
"name": "[parameters('PlaybookName')]",
"location": "[resourceGroup().location]",
"properties": {
"state": "Disabled",
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"actions": {
"Condition": {
"actions": {
"Set_variable": {
"inputs": {
"name": "seqUpdate",
"value": "@body('Get_last_received_item_ID_from_Azure_Log_DB')?['value'][0]['seqUpdate_d']"
},
"runAfter": {},
"type": "SetVariable"
}
},
"else": {
"actions": {
"HTTP": {
"inputs": {
"headers": {
"accept": "*/*",
"x-auth-key": "@variables('GIB API Key')",
"x-auth-login": "@parameters('GIB Username')"
},
"method": "GET",
"queries": {
"collection": "@parameters('Collection Name')",
"date": "@{addDays(utcNow(), -1, 'yyyy-MM-dd')}"
},
"uri": "@{parameters('GIB API URL ')}sequence_list"
},
"runAfter": {},
"type": "Http"
},
"Parse_JSON": {
"inputs": {
"content": "@body('HTTP')",
"schema": {
"properties": {
"list": {
"properties": {
"hi/threat_actor": {
"type": "integer"
}
},
"type": "object"
}
},
"type": "object"
}
},
"runAfter": {
"HTTP": [
"Succeeded"
]
},
"type": "ParseJson"
},
"Update_Last_Item_id_in_Tech_table_": {
"inputs": {
"body": "{\n\"collection_name\" : \"@{parameters('Collection Name')}\",\n\"seqUpdate\" : @{body('Parse_JSON')?['list']?['hi/threat_actor']}\n}",
"headers": {
"Log-Type": "GIBTechTable"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']"
}
},
"method": "post",
"path": "/api/logs"
},
"runAfter": {
"Parse_JSON": [
"Succeeded"
]
},
"type": "ApiConnection"
},
"set_seqUpdate_": {
"inputs": {
"name": "seqUpdate",
"value": "@body('Parse_JSON')?['list']?['hi/threat_actor']"
},
"runAfter": {
"Update_Last_Item_id_in_Tech_table_": [
"Succeeded"
]
},
"type": "SetVariable"
}
}
},
"expression": {
"and": [
{
"not": {
"equals": [
"@length(body('Get_last_received_item_ID_from_Azure_Log_DB')?['value'])",
0
]
}
}
]
},
"runAfter": {
"Get_last_received_item_ID_from_Azure_Log_DB": [
"Succeeded"
]
},
"type": "If"
},
"Get_last_received_item_ID_from_Azure_Log_DB": {
"inputs": {
"body": "GIBTechTable_CL | where collection_name_s == \"@{parameters('Collection Name')}\" | sort by TimeGenerated | limit 1",
"host": {
"connection": {
"name": "@parameters('$connections')['azuremonitorlogs']['connectionId']"
}
},
"method": "post",
"path": "/queryData",
"queries": {
"resourcegroups": "Group-IB-WS",
"resourcename": "Group-IB",
"resourcetype": "Log Analytics Workspace",
"subscriptions": "xx-xxx-xxxx-xxxx-xxx",
"timerange": "Last 7 days"
}
},
"runAfter": {
"Init_TechTable": [
"Succeeded"
]
},
"type": "ApiConnection"
},
"Init_TechTable": {
"inputs": {
"body": "{\n\"collection_name\" : \"test/collection\",\n\"seqUpdate\" : 0\n}",
"headers": {
"Log-Type": "GIBTechTable"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']"
}
},
"method": "post",
"path": "/api/logs"
},
"runAfter": {
"Initialize_API_Key": [
"Succeeded"
]
},
"type": "ApiConnection"
},
"Initialize_API_Key": {
"inputs": {
"variables": [
{
"name": "GIB API Key",
"type": "string",
"value": "XXXXXXXXXXXX"
}
]
},
"runAfter": {
"Initialize_seqUpdate": [
"Succeeded"
]
},
"type": "InitializeVariable"
},
"Initialize_seqUpdate": {
"inputs": {
"variables": [
{
"name": "seqUpdate",
"type": "integer"
}
]
},
"runAfter": {},
"type": "InitializeVariable"
},
"Initialize_variable": {
"inputs": {
"variables": [
{
"name": "IsPortionEmpty",
"type": "boolean",
"value": false
}
]
},
"runAfter": {
"Condition": [
"Succeeded"
]
},
"type": "InitializeVariable"
},
"Until": {
"actions": {
"Get_items_from_response": {
"inputs": {
"content": "@body('Get_next_portion_of_events_from_GIB')",
"schema": {
"properties": {
"count": {
"type": [
"integer",
"null"
]
},
"items": {
"items": {
"properties": {
"aliases": {
"items": {
"type": [
"string",
"null"
]
},
"type": "array"
},
"country": {},
"createdAt": {
"type": [
"string",
"null"
]
},
"description": {
"type": [
"string",
"null"
]
},
"displayOptions": {
"properties": {
"isFavourite": {
"type": "boolean"
},
"isHidden": {
"type": "boolean"
}
},
"type": "object"
},
"files": {
"type": "array"
},
"goals": {
"type": "array"
},
"id": {
"type": [
"string",
"null"
]
},
"isAPT": {
"type": "boolean"
},
"labels": {
"type": "array"
},
"langs": {
"items": {
"type": [
"string",
"null"
]
},
"type": "array"
},
"name": {
"type": [
"string",
"null"
]
},
"oldId": {},
"roles": {
"type": "array"
},
"seqUpdate": {
"type": [
"integer",
"null"
]
},
"spokenOnLangs": {
"type": "array"
},
"stat": {
"properties": {
"countries": {
"type": "array"
},
"dateFirstSeen": {
"type": [
"string",
"null"
]
},
"dateLastSeen": {
"type": [
"string",
"null"
]
},
"regions": {
"type": "array"
},
"reports": {
"items": {
"properties": {
"datePublished": {
"type": [
"string",
"null"
]
},
"id": {
"type": [
"string",
"null"
]
},
"name": {
"properties": {
"en": {
"type": [
"string",
"null"
]
}
},
"type": "object"
}
},
"required": [
"datePublished",
"id",
"name"
],
"type": "object"
},
"type": "array"
},
"sectors": {
"items": {
"type": [
"string",
"null"
]
},
"type": "array"
}
},
"type": "object"
},
"techSeqUpdate": {},
"updatedAt": {
"type": [
"string",
"null"
]
}
},
"required": [
"aliases",
"country",
"createdAt",
"description",
"files",
"goals",
"id",
"isAPT",
"labels",
"langs",
"name",
"oldId",
"roles",
"seqUpdate",
"spokenOnLangs",
"stat",
"techSeqUpdate",
"updatedAt"
],
"type": "object"
},
"type": "array"
},
"seqUpdate": {
"type": [
"integer",
"null"
]
}
},
"type": "object"
}
},
"runAfter": {
"Get_next_portion_of_events_from_GIB": [
"Succeeded"
]
},
"type": "ParseJson"
},
"Get_next_portion_of_events_from_GIB": {
"inputs": {
"headers": {
"Accept": "*/*",
"x-auth-key": "@variables('GIB API Key')",
"x-auth-login": "@parameters('GIB Username')"
},
"method": "GET",
"queries": {
"limit": "10",
"seqUpdate": "@{variables('seqUpdate')}"
},
"uri": "@{parameters('GIB API URL ')}@{parameters('Collection Name')}/updated"
},
"runAfter": {},
"type": "Http"
},
"IfPortionHasItems": {
"actions": {
"Send_Data": {
"inputs": {
"body": "@{body('Get_items_from_response')?['items']}",
"headers": {
"Log-Type": "GIBTIAHIThreatActor"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']"
}
},
"method": "post",
"path": "/api/logs"
},
"runAfter": {},
"type": "ApiConnection"
}
},
"else": {
"actions": {
"Set_Empty_portion_value": {
"inputs": {
"name": "IsPortionEmpty",
"value": true
},
"runAfter": {},
"type": "SetVariable"
}
}
},
"expression": {
"and": [
{
"not": {
"equals": [
"@length(body('Get_items_from_response')?['items'])",
0
]
}
}
]
},
"runAfter": {
"Reset_seqUpdate": [
"Succeeded"
]
},
"type": "If"
},
"Reset_seqUpdate": {
"inputs": {
"name": "seqUpdate",
"value": "@body('Get_items_from_response')?['seqUpdate']"
},
"runAfter": {
"Get_items_from_response": [
"Succeeded"
]
},
"type": "SetVariable"
},
"Save_seqUpdate": {
"inputs": {
"body": "{\n\"collection_name\" : \"@{parameters('Collection Name')}\",\n\"seqUpdate\" : @{variables('seqUpdate')}\n}",
"headers": {
"Log-Type": "GIBTechTable"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']"
}
},
"method": "post",
"path": "/api/logs"
},
"runAfter": {
"IfPortionHasItems": [
"Succeeded"
]
},
"type": "ApiConnection"
}
},
"expression": "@equals(variables('IsPortionEmpty'), true)",
"limit": {
"count": 10,
"timeout": "PT1H"
},
"runAfter": {
"Initialize_variable": [
"Succeeded"
]
},
"type": "Until"
}
},
"contentVersion": "1.0.0.0",
"outputs": {},
"parameters": {
"$connections": {
"defaultValue": {},
"type": "Object"
},
"Collection Name": {
"defaultValue": "hi/threat_actor",
"type": "String"
},
"GIB API URL ": {
"defaultValue": "https://bt.group-ib.com/api/v2/",
"type": "String"
},
"GIB Username": {
"defaultValue": "xxxx@domain.com",
"type": "String"
}
},
"triggers": {
"Recurrence": {
"recurrence": {
"frequency": "Hour",
"interval": 1000
},
"type": "Recurrence"
}
}
},
"parameters": {
"$connections": {
"value": {
"azureloganalyticsdatacollector": {
"connectionId": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', 'Group-IB-WS', '/providers/Microsoft.Web/connections/')]",
"connectionName": "[variables('AzureLogAnalyticsDataCollectorConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azureloganalyticsdatacollector')]"
},
"azuremonitorlogs": {
"connectionId": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', 'Group-IB-WS', '/providers/Microsoft.Web/connections/')]",
"connectionName": "[variables('azuremonitorlogsConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuremonitorlogs')]"
}
}
}
}
}
}
]
}
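Review bot: The GIB API key is embedded in the workflow definition as a plain string variable (`Initialize_API_Key`, value `XXXXXXXXXXXX`), and the `HTTP` and `Get_next_portion_of_events_from_GIB` actions that send it as `x-auth-key` carry no `runtimeConfiguration.secureData`, so once a real key is pasted in it is readable in the deployed definition and in every run's input history. Prefer a template parameter of type `securestring` (or a Key Vault reference) fed into the variable, and add `"runtimeConfiguration": {"secureData": {"properties": ["inputs", "outputs"]}}` on the actions that carry the header. Separately, both `connectionId` values in the `$connections` block end in `/providers/Microsoft.Web/connections/` with no connection name, the `Microsoft.Web/connections` resource named by `AzureLogAnalyticsDataCollectorConnectionName` points at the `microsoftgraphsecurity` managed API while the `$connections` block expects `azureloganalyticsdatacollector`, and the workflow declares no `dependsOn` on either connection; `"connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureLogAnalyticsDataCollectorConnectionName'))]"` is the usual form. The `Recurrence` interval of `1000` hours differs from the `1` used by the sibling playbooks and looks like a leftover test value. The same key-handling and connection issues are present in the following targeted-malware and cnc sections.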


@ -0,0 +1,906 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"PlaybookName": {
"defaultValue": "GIBTIA_Malware_Targeted_Malware",
"type": "string"
},
"UserName": {
"defaultValue": "<username>@<domain>",
"type": "string"
}
},
"variables": {
"AzureLogAnalyticsDataCollectorConnectionName": "[concat('azureloganalyticsdatacollector-', parameters('PlaybookName'))]",
"azuremonitorlogsConnectionName": "[concat('azuremon-', parameters('PlaybookName'))]"
},
"resources": [
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('azuremonitorlogsConnectionName')]",
"location": "[resourceGroup().location]",
"properties": {
"displayName": "[parameters('UserName')]",
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuremonitorlogs')]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('AzureLogAnalyticsDataCollectorConnectionName')]",
"location": "[resourceGroup().location]",
"properties": {
"displayName": "[parameters('UserName')]",
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/microsoftgraphsecurity')]"
}
}
},
{
"type": "Microsoft.Logic/workflows",
"apiVersion": "2017-07-01",
"name": "[parameters('PlaybookName')]",
"location": "[resourceGroup().location]",
"properties": {
"state": "Disabled",
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"actions": {
"Condition": {
"actions": {
"Set_variable": {
"inputs": {
"name": "seqUpdate",
"value": "@body('Get_last_received_item_ID_from_Azure_Log_DB')?['value'][0]['seqUpdate_d']"
},
"runAfter": {},
"type": "SetVariable"
}
},
"else": {
"actions": {
"HTTP": {
"inputs": {
"headers": {
"accept": "*/*",
"x-auth-key": "@variables('GIB API Key')",
"x-auth-login": "@parameters('GIB Username')"
},
"method": "GET",
"queries": {
"collection": "@parameters('Collection Name')",
"date": "@{addDays(utcNow(), -1, 'yyyy-MM-dd')}"
},
"uri": "@{parameters('GIB API URL ')}sequence_list"
},
"runAfter": {},
"type": "Http"
},
"Parse_JSON": {
"inputs": {
"content": "@body('HTTP')",
"schema": {
"properties": {
"list": {
"properties": {
"malware/targeted_malware": {
"type": "integer"
}
},
"type": "object"
}
},
"type": "object"
}
},
"runAfter": {
"HTTP": [
"Succeeded"
]
},
"type": "ParseJson"
},
"Update_Last_Item_id_in_Tech_table_": {
"inputs": {
"body": "{\n\"collection_name\" : \"@{parameters('Collection Name')}\",\n\"seqUpdate\" : @{body('Parse_JSON')?['list']?['malware/targeted_malware']}\n}",
"headers": {
"Log-Type": "GIBTechTable"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']"
}
},
"method": "post",
"path": "/api/logs"
},
"runAfter": {
"Parse_JSON": [
"Succeeded"
]
},
"type": "ApiConnection"
},
"set_seqUpdate_": {
"inputs": {
"name": "seqUpdate",
"value": "@body('Parse_JSON')?['list']?['malware/targeted_malware']"
},
"runAfter": {
"Update_Last_Item_id_in_Tech_table_": [
"Succeeded"
]
},
"type": "SetVariable"
}
}
},
"expression": {
"and": [
{
"not": {
"equals": [
"@length(body('Get_last_received_item_ID_from_Azure_Log_DB')?['value'])",
0
]
}
}
]
},
"runAfter": {
"Get_last_received_item_ID_from_Azure_Log_DB": [
"Succeeded"
]
},
"type": "If"
},
"Get_last_received_item_ID_from_Azure_Log_DB": {
"inputs": {
"body": "GIBTechTable_CL | where collection_name_s == \"@{parameters('Collection Name')}\" | sort by TimeGenerated | limit 1",
"host": {
"connection": {
"name": "@parameters('$connections')['azuremonitorlogs']['connectionId']"
}
},
"method": "post",
"path": "/queryData",
"queries": {
"resourcegroups": "Group-IB-WS",
"resourcename": "Group-IB",
"resourcetype": "Log Analytics Workspace",
"subscriptions": "xx-xxx-xxxx-xxxx-xxx",
"timerange": "Last 7 days"
}
},
"runAfter": {
"Initialize_Indicators_Array": [
"Succeeded"
]
},
"type": "ApiConnection"
},
"Init_TechTable": {
"inputs": {
"body": "{ \"collection_name\" : \"test/collection\",\n\"seqUpdate\" : 0\n}",
"headers": {
"Log-Type": "GIBTechTable"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']"
}
},
"method": "post",
"path": "/api/logs"
},
"runAfter": {
"Initialize_seqUpdate": [
"Succeeded"
]
},
"type": "ApiConnection"
},
"Initialize_API_Key": {
"inputs": {
"variables": [
{
"name": "GIB API Key",
"type": "string",
"value": "XXXXXXXXXXXXXXX"
}
]
},
"runAfter": {},
"type": "InitializeVariable"
},
"Initialize_Indicators_Array": {
"inputs": {
"variables": [
{
"name": "Indicators",
"type": "array",
"value": []
}
]
},
"runAfter": {
"Init_TechTable": [
"Succeeded"
]
},
"type": "InitializeVariable"
},
"Initialize_seqUpdate": {
"inputs": {
"variables": [
{
"name": "seqUpdate",
"type": "integer"
}
]
},
"runAfter": {
"Initialize_API_Key": [
"Succeeded"
]
},
"type": "InitializeVariable"
},
"Initialize_variable": {
"inputs": {
"variables": [
{
"name": "IsPortionEmpty",
"type": "boolean",
"value": false
}
]
},
"runAfter": {
"Condition": [
"Succeeded"
]
},
"type": "InitializeVariable"
},
"Until": {
"actions": {
"Get_items_from_response": {
"inputs": {
"content": "@body('Get_next_portion_of_events_from_GIB')",
"schema": {
"properties": {
"count": {
"type": [
"integer",
"null"
]
},
"items": {
"items": {
"properties": {
"date": {
"type": [
"string",
"null"
]
},
"dateAnalyzeEnded": {
"type": [
"string",
"null"
]
},
"dateAnalyzeStarted": {
"type": [
"string",
"null"
]
},
"evaluation": {
"properties": {
"admiraltyCode": {
"type": [
"string",
"null"
]
},
"credibility": {
"type": [
"integer",
"null"
]
},
"reliability": {
"type": [
"integer",
"null"
]
},
"severity": {
"type": [
"string",
"null"
]
},
"tlp": {
"type": [
"string",
"null"
]
},
"ttl": {}
},
"type": "object"
},
"fileName": {},
"fileType": {
"type": [
"string",
"null"
]
},
"fileVersion": {},
"hasReport": {
"type": "boolean"
},
"id": {
"type": [
"string",
"null"
]
},
"injectDump": {
"type": [
"string",
"null"
]
},
"injectMd5": {
"type": [
"string",
"null"
]
},
"isFavourite": {
"type": "boolean"
},
"isHidden": {
"type": "boolean"
},
"malware": {
"properties": {
"id": {
"type": [
"string",
"null"
]
},
"name": {
"type": [
"string",
"null"
]
}
},
"type": [
"object",
"null"
]
},
"md5": {
"type": [
"string",
"null"
]
},
"oldId": {
"type": [
"string",
"null"
]
},
"portalLink": {
"type": [
"string",
"null"
]
},
"seqUpdate": {
"type": [
"integer",
"null"
]
},
"sha1": {
"type": [
"string",
"null"
]
},
"sha256": {
"type": [
"string",
"null"
]
},
"size": {
"type": [
"integer",
"null"
]
},
"source": {
"type": [
"string",
"null"
]
},
"threatActor": {}
},
"required": [
"date",
"evaluation",
"fileType",
"id",
"injectDump",
"injectMd5",
"malware",
"md5",
"portalLink",
"seqUpdate",
"sha1",
"sha256",
"size",
"source"
],
"type": "object"
},
"type": "array"
},
"resultId": {
"type": [
"string",
"null"
]
}
},
"type": "object"
}
},
"runAfter": {
"Get_next_portion_of_events_from_GIB": [
"Succeeded"
]
},
"type": "ParseJson"
},
"Get_next_portion_of_events_from_GIB": {
"inputs": {
"headers": {
"Accept": "*/*",
"x-auth-key": "@variables('GIB API Key')",
"x-auth-login": "@parameters('GIB Username')"
},
"method": "GET",
"queries": {
"limit": "100",
"seqUpdate": "@{variables('seqUpdate')}"
},
"uri": "@{parameters('GIB API URL ')}@{parameters('Collection Name')}/updated"
},
"runAfter": {},
"type": "Http"
},
"IfPortionHasItems": {
"actions": {
"For_each": {
"actions": {
"If_MD5": {
"actions": {
"Add_MD5": {
"inputs": {
"name": "Indicators",
"value": {
"action": "@{parameters('GIB Malware Targeted Malware Hashes Action')}",
"activityGroupNames": "@array(items('For_each')?['threatActor']?['name'])",
"confidence": "@int(items('For_each')?['evaluation']?['credibility'])",
"description": "GIB Malware Targeted Malware",
"expirationDateTime": "@addDays(items('For_each')?['date'], 100)",
"fileHashType": "md5",
"fileHashValue": "@items('For_each')?['md5']",
"fileName": "@items('For_each')?['fileName']",
"fileSize": "@items('For_each')?['size']",
"killChain": [],
"malwareFamilyNames": [],
"severity": 5,
"tags": [
"targeted-malware"
],
"targetProduct": "Azure Sentinel",
"threatType": "Malware",
"tlpLevel": "@items('For_each')?['evaluation']?['tlp']"
}
},
"runAfter": {},
"type": "AppendToArrayVariable"
}
},
"expression": {
"and": [
{
"not": {
"equals": [
"@items('For_each')?['md5']",
"@null"
]
}
}
]
},
"runAfter": {
"If_inject_MD5": [
"Succeeded"
]
},
"type": "If"
},
"If_SHA1": {
"actions": {
"Add_SHA1": {
"inputs": {
"name": "Indicators",
"value": {
"action": "@{parameters('GIB Malware Targeted Malware Hashes Action')}",
"activityGroupNames": "@array(items('For_each')?['threatActor']?['name'])",
"confidence": "@int(items('For_each')?['evaluation']?['credibility'])",
"description": "GIB Malware Targeted Malware",
"expirationDateTime": "@addDays(items('For_each')?['date'], 100)",
"fileHashType": "sha1",
"fileHashValue": "@items('For_each')?['sha1']",
"fileName": "@items('For_each')?['fileName']",
"fileSize": "@items('For_each')?['size']",
"killChain": [],
"malwareFamilyNames": [],
"severity": 5,
"tags": [
"targeted-malware"
],
"targetProduct": "Azure Sentinel",
"threatType": "Malware",
"tlpLevel": "@items('For_each')?['evaluation']?['tlp']"
}
},
"runAfter": {},
"type": "AppendToArrayVariable"
}
},
"expression": {
"and": [
{
"not": {
"equals": [
"@items('For_each')?['sha1']",
"@null"
]
}
}
]
},
"runAfter": {
"If_SHA256": [
"Succeeded"
]
},
"type": "If"
},
"If_SHA256": {
"actions": {
"Add_SHA256": {
"inputs": {
"name": "Indicators",
"value": {
"action": "@{parameters('GIB Malware Targeted Malware Hashes Action')}",
"activityGroupNames": "@array(items('For_each')?['threatActor']?['name'])",
"confidence": "@int(items('For_each')?['evaluation']?['credibility'])",
"description": "GIB Malware Targeted Malware Hash",
"expirationDateTime": "@addDays(items('For_each')?['date'], 100)",
"fileHashType": "sha256",
"fileHashValue": "@items('For_each')?['sha256']",
"fileName": "@items('For_each')?['fileName']",
"fileSize": "@items('For_each')?['size']",
"killChain": [],
"malwareFamilyNames": [],
"severity": 5,
"tags": [
"targeted-malware"
],
"targetProduct": "Azure Sentinel",
"threatType": "Malware",
"tlpLevel": "@items('For_each')?['evaluation']?['tlp']"
}
},
"runAfter": {},
"type": "AppendToArrayVariable"
}
},
"expression": {
"and": [
{
"not": {
"equals": [
"@items('For_each')?['sha256']",
"@null"
]
}
}
]
},
"runAfter": {},
"type": "If"
},
"If_inject_MD5": {
"actions": {
"Add_Inject_Dump": {
"inputs": {
"name": "Indicators",
"value": {
"action": "@{parameters('GIB Malware Targeted Malware Hashes Action')}",
"activityGroupNames": "@array(items('For_each')?['threatActor']?['name'])",
"confidence": "@int(items('For_each')?['evaluation']?['credibility'])",
"description": "GIB Malware Targeted Malware Inject",
"expirationDateTime": "@addDays(items('For_each')?['date'], 100)",
"fileHashType": "md5",
"fileHashValue": "@items('For_each')?['injectMd5']",
"killChain": [],
"malwareFamilyNames": [],
"severity": 5,
"tags": [
"targeted-malware"
],
"targetProduct": "Azure Sentinel",
"threatType": "Malware",
"tlpLevel": "@items('For_each')?['evaluation']?['tlp']"
}
},
"runAfter": {},
"type": "AppendToArrayVariable"
}
},
"expression": {
"and": [
{
"not": {
"equals": [
"@items('For_each')?['injectMd5']",
"@null"
]
}
}
]
},
"runAfter": {
"If_SHA1": [
"Succeeded"
]
},
"type": "If"
}
},
"foreach": "@body('Get_items_from_response')?['items']",
"runAfter": {
"Save_only_as_Indicators": [
"Succeeded"
]
},
"type": "Foreach"
},
"GIBIndicatorProcessor": {
"inputs": {
"batchName": "GIBIndicatorsBatch",
"content": "@variables('Indicators')",
"host": {
"triggerName": "Batch_messages",
"workflow": {
"id": "/subscriptions/xx-xxx-xxxx-xxxx-xxx/resourceGroups/Group-IB-WS/providers/Microsoft.Logic/workflows/GIBIndicatorProcessor"
}
}
},
"runAfter": {
"For_each": [
"Succeeded"
]
},
"type": "SendToBatch"
},
"Save_only_as_Indicators": {
"actions": {},
"else": {
"actions": {
"Send_Data": {
"inputs": {
"body": "@{body('Get_items_from_response')?['items']}",
"headers": {
"Log-Type": "GIBTIATargetedMalware"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']"
}
},
"method": "post",
"path": "/api/logs"
},
"runAfter": {},
"type": "ApiConnection"
}
}
},
"expression": {
"and": [
{
"equals": [
"@parameters('Save only indicators')",
true
]
}
]
},
"runAfter": {},
"type": "If"
},
"Set_variable_2": {
"inputs": {
"name": "Indicators",
"value": []
},
"runAfter": {
"GIBIndicatorProcessor": [
"Succeeded"
]
},
"type": "SetVariable"
}
},
"else": {
"actions": {
"Set_Empty_portion_value": {
"inputs": {
"name": "IsPortionEmpty",
"value": true
},
"runAfter": {},
"type": "SetVariable"
}
}
},
"expression": {
"and": [
{
"not": {
"equals": [
"@length(body('Get_items_from_response')?['items'])",
0
]
}
}
]
},
"runAfter": {
"Reset_seqUpdate": [
"Succeeded"
]
},
"type": "If"
},
"Reset_seqUpdate": {
"inputs": {
"name": "seqUpdate",
"value": "@body('Get_items_from_response')?['seqUpdate']"
},
"runAfter": {
"Get_items_from_response": [
"Succeeded"
]
},
"type": "SetVariable"
},
"Save_seqUpdate": {
"inputs": {
"body": "{\n\"collection_name\" : \"@{parameters('Collection Name')}\",\n\"seqUpdate\" : @{variables('seqUpdate')}\n}",
"headers": {
"Log-Type": "GIBTechTable"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']"
}
},
"method": "post",
"path": "/api/logs"
},
"runAfter": {
"IfPortionHasItems": [
"Succeeded"
]
},
"type": "ApiConnection"
}
},
"expression": "@equals(variables('IsPortionEmpty'), true)",
"limit": {
"count": 10,
"timeout": "PT1H"
},
"runAfter": {
"Initialize_variable": [
"Succeeded"
]
},
"type": "Until"
}
},
"contentVersion": "1.0.0.0",
"outputs": {},
"parameters": {
"$connections": {
"defaultValue": {},
"type": "Object"
},
"Collection Name": {
"defaultValue": "malware/targeted_malware",
"type": "String"
},
"GIB API URL ": {
"defaultValue": "https://bt.group-ib.com/api/v2/",
"type": "String"
},
"GIB Malware Targeted Malware Hashes Action": {
"defaultValue": "unknown",
"type": "String"
},
"GIB Username": {
"defaultValue": "xxxx@domain.com",
"type": "String"
},
"Save only indicators": {
"defaultValue": false,
"type": "Bool"
}
},
"triggers": {
"Recurrence": {
"recurrence": {
"frequency": "Hour",
"interval": 1
},
"type": "Recurrence"
}
}
},
"parameters": {
"$connections": {
"value": {
"azureloganalyticsdatacollector": {
"connectionId": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', 'Group-IB-WS', '/providers/Microsoft.Web/connections/')]",
"connectionName": "[variables('AzureLogAnalyticsDataCollectorConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azureloganalyticsdatacollector')]"
},
"azuremonitorlogs": {
"connectionId": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', 'Group-IB-WS', '/providers/Microsoft.Web/connections/')]",
"connectionName": "[variables('azuremonitorlogsConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuremonitorlogs')]"
}
}
}
}
}
}
]
}
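Review bot: The `GIBIndicatorProcessor` SendToBatch action targets a hard-coded workflow id containing the placeholder subscription `xx-xxx-xxxx-xxxx-xxx` and resource group `Group-IB-WS`, so the batch send fails in any deployment where that string is not hand-edited; since this is an ARM template, `"id": "[resourceId('Microsoft.Logic/workflows', 'GIBIndicatorProcessor')]"` resolves it at deploy time (assuming the processor is deployed to the same resource group, otherwise make it a template parameter). The same placeholder subscription and fixed `resourcegroups`/`resourcename` values appear in the `queries` of `Get_last_received_item_ID_from_Azure_Log_DB`, where `[subscription().subscriptionId]` and `[resourceGroup().name]` would serve. The four `Add_*` indicator objects are identical apart from `fileHashType`/`fileHashValue`, yet only `Add_SHA256` uses the description `GIB Malware Targeted Malware Hash` and `Add_Inject_Dump` omits `fileName`/`fileSize`; aligning the descriptions (or deriving them from the hash type) keeps the submitted indicators distinguishable by field rather than by inconsistent wording.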


@ -0,0 +1,796 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"PlaybookName": {
"defaultValue": "GIBTIA_Malware_cnc",
"type": "string"
},
"UserName": {
"defaultValue": "<username>@<domain>",
"type": "string"
}
},
"variables": {
"AzureLogAnalyticsDataCollectorConnectionName": "[concat('azureloganalyticsdatacollector-', parameters('PlaybookName'))]",
"azuremonitorlogsConnectionName": "[concat('azuremon-', parameters('PlaybookName'))]"
},
"resources": [
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('azuremonitorlogsConnectionName')]",
"location": "[resourceGroup().location]",
"properties": {
"displayName": "[parameters('UserName')]",
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuremonitorlogs')]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('AzureLogAnalyticsDataCollectorConnectionName')]",
"location": "[resourceGroup().location]",
"properties": {
"displayName": "[parameters('UserName')]",
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/microsoftgraphsecurity')]"
}
}
},
{
"type": "Microsoft.Logic/workflows",
"apiVersion": "2017-07-01",
"name": "[parameters('PlaybookName')]",
"location": "[resourceGroup().location]",
"properties": {
"state": "Disabled",
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"actions": {
"Condition": {
"actions": {
"Set_variable": {
"inputs": {
"name": "seqUpdate",
"value": "@body('Get_last_received_item_ID_from_Azure_Log_DB')?['value'][0]['seqUpdate_d']"
},
"runAfter": {},
"type": "SetVariable"
}
},
"else": {
"actions": {
"HTTP": {
"inputs": {
"headers": {
"accept": "*/*",
"x-auth-key": "@variables('GIB API Key')",
"x-auth-login": "@parameters('GIB Username')"
},
"method": "GET",
"queries": {
"collection": "@parameters('Collection Name')",
"date": "@{addDays(utcNow(), -1, 'yyyy-MM-dd')}"
},
"uri": "@{parameters('GIB API URL ')}sequence_list"
},
"runAfter": {},
"type": "Http"
},
"Parse_JSON": {
"inputs": {
"content": "@body('HTTP')",
"schema": {
"properties": {
"list": {
"properties": {
"malware/cnc": {
"type": "integer"
}
},
"type": "object"
}
},
"type": "object"
}
},
"runAfter": {
"HTTP": [
"Succeeded"
]
},
"type": "ParseJson"
},
"Update_Last_Item_id_in_Tech_table_": {
"inputs": {
"body": "{\n\"collection_name\" : \"@{parameters('Collection Name')}\",\n\"seqUpdate\" : @{body('Parse_JSON')?['list']?['malware/cnc']}\n}",
"headers": {
"Log-Type": "GIBTechTable"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']"
}
},
"method": "post",
"path": "/api/logs"
},
"runAfter": {
"Parse_JSON": [
"Succeeded"
]
},
"type": "ApiConnection"
},
"set_seqUpdate_": {
"inputs": {
"name": "seqUpdate",
"value": "@body('Parse_JSON')?['list']?['malware/cnc']"
},
"runAfter": {
"Update_Last_Item_id_in_Tech_table_": [
"Succeeded"
]
},
"type": "SetVariable"
}
}
},
"expression": {
"and": [
{
"not": {
"equals": [
"@length(body('Get_last_received_item_ID_from_Azure_Log_DB')?['value'])",
0
]
}
}
]
},
"runAfter": {
"Get_last_received_item_ID_from_Azure_Log_DB": [
"Succeeded"
]
},
"type": "If"
},
"Get_last_received_item_ID_from_Azure_Log_DB": {
"inputs": {
"body": "GIBTechTable_CL | where collection_name_s == \"@{parameters('Collection Name')}\" | sort by TimeGenerated | limit 1",
"host": {
"connection": {
"name": "@parameters('$connections')['azuremonitorlogs']['connectionId']"
}
},
"method": "post",
"path": "/queryData",
"queries": {
"resourcegroups": "Group-IB-WS",
"resourcename": "Group-IB",
"resourcetype": "Log Analytics Workspace",
"subscriptions": "xx-xxx-xxxx-xxxx-xxx",
"timerange": "Last 7 days"
}
},
"runAfter": {
"IndicatorsList": [
"Succeeded"
]
},
"type": "ApiConnection"
},
"IndicatorsList": {
"inputs": {
"variables": [
{
"name": "IndicatorsList",
"type": "array",
"value": []
}
]
},
"runAfter": {
"Init_TechTable": [
"Succeeded"
]
},
"type": "InitializeVariable"
},
"Init_TechTable": {
"inputs": {
"body": "{\n\"collection_name\" : \"test/collection\",\n\"seqUpdate\" : 0\n} ",
"headers": {
"Log-Type": "GIBTechTable"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']"
}
},
"method": "post",
"path": "/api/logs"
},
"runAfter": {
"Initialize_seqUpdate": [
"Succeeded"
]
},
"type": "ApiConnection"
},
"Initialize_API_Key": {
"inputs": {
"variables": [
{
"name": "GIB API Key",
"type": "string",
"value": "XXXXXXXXXXXXX"
}
]
},
"runAfter": {},
"type": "InitializeVariable"
},
"Initialize_seqUpdate": {
"inputs": {
"variables": [
{
"name": "seqUpdate",
"type": "integer"
}
]
},
"runAfter": {
"Initialize_API_Key": [
"Succeeded"
]
},
"type": "InitializeVariable"
},
"Initialize_variable": {
"inputs": {
"variables": [
{
"name": "IsPortionEmpty",
"type": "boolean",
"value": false
}
]
},
"runAfter": {
"Condition": [
"Succeeded"
]
},
"type": "InitializeVariable"
},
"Until": {
"actions": {
"Get_items_from_response": {
"inputs": {
"content": "@body('Get_next_portion_of_events_from_GIB')",
"schema": {
"properties": {
"count": {
"type": [
"integer",
"null"
]
},
"items": {
"items": {
"properties": {
"cnc": {
"type": [
"string",
"null"
]
},
"dateDetected": {
"type": [
"string",
"null"
]
},
"dateLastSeen": {
"type": [
"string",
"null"
]
},
"domain": {
"type": [
"string",
"null"
]
},
"file": {
"type": "array"
},
"id": {
"type": [
"string",
"null"
]
},
"ipv4": {
"items": {
"properties": {
"asn": {},
"city": {},
"countryCode": {},
"countryName": {},
"ip": {
"type": [
"string",
"null"
]
},
"provider": {},
"region": {}
},
"required": [
"asn",
"city",
"countryCode",
"countryName",
"ip",
"provider",
"region"
],
"type": "object"
},
"type": "array"
},
"ipv6": {
"type": "array"
},
"isFavourite": {
"type": "boolean"
},
"isHidden": {
"type": "boolean"
},
"malwareList": {
"type": "array"
},
"oldId": {
"type": [
"string",
"null"
]
},
"platform": {},
"seqUpdate": {
"type": [
"integer",
"null"
]
},
"ssl": {
"type": "array"
},
"threatActor": {
"properties": {
"country": {},
"id": {
"type": [
"string",
"null"
]
},
"isAPT": {
"type": "boolean"
},
"name": {
"type": [
"string",
"null"
]
}
},
"type": [
"object",
"null"
]
},
"url": {}
},
"required": [
"cnc",
"dateDetected",
"dateLastSeen",
"id",
"ipv4",
"seqUpdate"
],
"type": "object"
},
"type": "array"
},
"resultId": {
"type": [
"string",
"null"
]
}
},
"type": "object"
}
},
"runAfter": {
"Get_next_portion_of_events_from_GIB": [
"Succeeded"
]
},
"type": "ParseJson"
},
"Get_next_portion_of_events_from_GIB": {
"inputs": {
"headers": {
"Accept": "*/*",
"x-auth-key": "@variables('GIB API Key')",
"x-auth-login": "@parameters('GIB Username')"
},
"method": "GET",
"queries": {
"limit": "100",
"seqUpdate": "@{variables('seqUpdate')}"
},
"uri": "@{parameters('GIB API URL ')}@{parameters('Collection Name')}/updated"
},
"runAfter": {},
"type": "Http"
},
"IfPortionHasItems": {
"actions": {
"For_each": {
"actions": {
"Empty_IndicatorsList": {
"inputs": {
"name": "IndicatorsList",
"value": []
},
"runAfter": {
"GIBIndicatorProcessor": [
"Succeeded"
]
},
"type": "SetVariable"
},
"For_each_2": {
"actions": {
"Add_IPs_to_Indicators_List": {
"inputs": {
"name": "IndicatorsList",
"value": {
"action": "@{parameters('GIB Malware CNC IP Action')}",
"activityGroupNames": "@array(items('For_each')?['threatActor']?['name'])",
"confidence": 80,
"description": "GIB Malware CNC IP",
"expirationDateTime": "@addDays(items('For_each')?['dateLastSeen'], 100)",
"killChain": [],
"malwareFamilyNames": [],
"networkIPv4": "@items('For_each_2')?['ip']",
"severity": 4,
"tags": [
"malware-cnc"
],
"targetProduct": "Azure Sentinel",
"threatType": "C2",
"tlpLevel": "white"
}
},
"runAfter": {},
"type": "AppendToArrayVariable"
}
},
"foreach": "@items('For_each')?['ipv4']",
"runAfter": {},
"type": "Foreach"
},
"GIBIndicatorProcessor": {
"inputs": {
"batchName": "GIBIndicatorsBatch",
"content": "@variables('IndicatorsList')",
"host": {
"triggerName": "Batch_messages",
"workflow": {
"id": "/subscriptions/xx-xxx-xxxx-xxxx-xxx/resourceGroups/Group-IB-WS/providers/Microsoft.Logic/workflows/GIBIndicatorProcessor"
}
}
},
"runAfter": {
"IF_Domain_Exists": [
"Succeeded"
]
},
"type": "SendToBatch"
},
"IF_Domain_Exists": {
"actions": {
"Append_Domain_to_Indicators_List": {
"inputs": {
"name": "IndicatorsList",
"value": {
"action": "@{parameters('GIB Malware CNC Domain Action')}",
"activityGroupNames": "@array(items('For_each')?['threatActor']?['name'])",
"confidence": 80,
"description": "GIB Malware CNC Domain",
"domainName": "@items('For_each')?['domain']",
"expirationDateTime": "@addDays(items('For_each')?['dateLastSeen'], 100)",
"killChain": [],
"malwareFamilyNames": [],
"severity": 4,
"tags": [
"malware-cnc"
],
"targetProduct": "Azure Sentinel",
"threatType": "C2",
"tlpLevel": "white"
}
},
"runAfter": {},
"type": "AppendToArrayVariable"
}
},
"expression": {
"and": [
{
"not": {
"equals": [
"@items('For_each')?['domain']",
"@null"
]
}
}
]
},
"runAfter": {
"If_URL_Exists": [
"Succeeded"
]
},
"type": "If"
},
"If_URL_Exists": {
"actions": {
"Append_URL_to_Indicators_list": {
"inputs": {
"name": "IndicatorsList",
"value": {
"action": "@{parameters('GIB Malware CNC URL Action')}",
"activityGroupNames": "@array(items('For_each')?['threatActor']?['name'])",
"confidence": 80,
"description": "GIB Malware CNC URL",
"expirationDateTime": "@addDays(items('For_each')?['dateLastSeen'], 100)",
"killChain": [],
"malwareFamilyNames": [],
"severity": 4,
"tags": [
"malware-cnc"
],
"targetProduct": "Azure Sentinel",
"threatType": "C2",
"tlpLevel": "white",
"url": "@items('For_each')?['url']"
}
},
"runAfter": {},
"type": "AppendToArrayVariable"
}
},
"expression": {
"and": [
{
"not": {
"equals": [
"@items('For_each')?['url']",
"@null"
]
}
}
]
},
"runAfter": {
"For_each_2": [
"Succeeded"
]
},
"type": "If"
}
},
"foreach": "@body('Get_items_from_response')?['items']",
"runAfter": {
"Save_only_as_Indicators": [
"Succeeded"
]
},
"type": "Foreach"
},
"Save_only_as_Indicators": {
"actions": {},
"else": {
"actions": {
"Send_Data": {
"inputs": {
"body": "@{body('Get_items_from_response')?['items']}",
"headers": {
"Log-Type": "GIBTIAMalwareCNC"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']"
}
},
"method": "post",
"path": "/api/logs"
},
"runAfter": {},
"type": "ApiConnection"
}
}
},
"expression": {
"and": [
{
"equals": [
"@parameters('Save only indicators')",
true
]
}
]
},
"runAfter": {},
"type": "If"
}
},
"else": {
"actions": {
"Set_Empty_portion_value": {
"inputs": {
"name": "IsPortionEmpty",
"value": true
},
"runAfter": {},
"type": "SetVariable"
}
}
},
"expression": {
"and": [
{
"not": {
"equals": [
"@length(body('Get_items_from_response')?['items'])",
0
]
}
}
]
},
"runAfter": {
"Reset_seqUpdate": [
"Succeeded"
]
},
"type": "If"
},
"Reset_seqUpdate": {
"inputs": {
"name": "seqUpdate",
"value": "@body('Get_items_from_response')?['seqUpdate']"
},
"runAfter": {
"Get_items_from_response": [
"Succeeded"
]
},
"type": "SetVariable"
},
"Save_seqUpdate": {
"inputs": {
"body": "{\n\"collection_name\" : \"@{parameters('Collection Name')}\",\n\"seqUpdate\" : @{variables('seqUpdate')}\n}",
"headers": {
"Log-Type": "GIBTechTable"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']"
}
},
"method": "post",
"path": "/api/logs"
},
"runAfter": {
"IfPortionHasItems": [
"Succeeded"
]
},
"type": "ApiConnection"
}
},
"expression": "@equals(variables('IsPortionEmpty'), true)",
"limit": {
"count": 100,
"timeout": "PT1H"
},
"runAfter": {
"Initialize_variable": [
"Succeeded"
]
},
"type": "Until"
}
},
"contentVersion": "1.0.0.0",
"outputs": {},
"parameters": {
"$connections": {
"defaultValue": {},
"type": "Object"
},
"Collection Name": {
"defaultValue": "malware/cnc",
"type": "String"
},
"GIB API URL ": {
"defaultValue": "https://bt.group-ib.com/api/v2/",
"type": "String"
},
"GIB Malware CNC Domain Action": {
"defaultValue": "unknown",
"type": "String"
},
"GIB Malware CNC IP Action": {
"defaultValue": "unknown",
"type": "String"
},
"GIB Malware CNC URL Action": {
"defaultValue": "unknown",
"type": "String"
},
"GIB Username": {
"defaultValue": "xxxx@domain.com",
"type": "String"
},
"Save only indicators": {
"defaultValue": true,
"type": "Bool"
}
},
"triggers": {
"Recurrence": {
"recurrence": {
"frequency": "Hour",
"interval": 1
},
"type": "Recurrence"
}
}
},
"parameters": {
"$connections": {
"value": {
"azureloganalyticsdatacollector": {
"connectionId": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', 'Group-IB-WS', '/providers/Microsoft.Web/connections/')]",
"connectionName": "[variables('AzureLogAnalyticsDataCollectorConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azureloganalyticsdatacollector')]"
},
"azuremonitorlogs": {
"connectionId": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', 'Group-IB-WS', '/providers/Microsoft.Web/connections/')]",
"connectionName": "[variables('azuremonitorlogsConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuremonitorlogs')]"
}
}
}
}
}
}
]
}
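Review bot: The `connectionId` values under the workflow's `$connections` parameter end at `/providers/Microsoft.Web/connections/` with no connection name and hard-code the resource group as `'Group-IB-WS'`, so the Logic App is wired to an incomplete resource id; the fix is `"connectionId": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/connections/', variables('AzureLogAnalyticsDataCollectorConnectionName'))]"` for the data-collector entry and the same shape with `variables('azuremonitorlogsConnectionName')` for the azuremonitorlogs entry. The second `Microsoft.Web/connections` resource is named from `AzureLogAnalyticsDataCollectorConnectionName` but its `api.id` points at `managedApis/microsoftgraphsecurity` instead of `managedApis/azureloganalyticsdatacollector`, and the workflow resource carries no `dependsOn` for either connection, so deployment ordering is not guaranteed. The GIB API key is a plain `InitializeVariable` literal (`Initialize_API_Key`) and is sent in the `x-auth-key` header of the `HTTP` and `Get_next_portion_of_events_from_GIB` actions, which leaves it readable in the workflow definition and in run-history inputs; a `securestring` template parameter (or a Key Vault reference) plus `"runtimeConfiguration": {"secureData": {"properties": ["inputs"]}}` on those two actions would keep it out of both. The `"subscriptions": "xx-xxx-xxxx-xxxx-xxx"` query value in `Get_last_received_item_ID_from_Azure_Log_DB` and the `GIBIndicatorProcessor` workflow id are placeholder literals while the rest of the template already resolves `subscription().subscriptionId`, so they should be built from the same functions. The connectionId, api.id, dependsOn, placeholder-subscription and plaintext-key issues repeat in the preceding section and in the GIBTIA_OSI_GitLeak and GIBTIA_OSI_PublicLeak sections below.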

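--- /dev/null
+++ b/[path not shown on page: GIBTIA_OSI_GitLeak azuredeploy template]
@@ -0,0 +1,773 @@
+{
+"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+"contentVersion": "1.0.0.0",
+"parameters": {
+"PlaybookName": {
+"defaultValue": "GIBTIA_OSI_GitLeak",
+"type": "string"
+},
+"UserName": {
+"defaultValue": "<username>@<domain>",
+"type": "string"
+}
+},
+"variables": {
+"AzureLogAnalyticsDataCollectorConnectionName": "[concat('azureloganalyticsdatacollector-', parameters('PlaybookName'))]",
+"azuremonitorlogsConnectionName": "[concat('azuremon-', parameters('PlaybookName'))]"
+},
+"resources": [
+{
+"type": "Microsoft.Web/connections",
+"apiVersion": "2016-06-01",
+"name": "[variables('azuremonitorlogsConnectionName')]",
+"location": "[resourceGroup().location]",
+"properties": {
+"displayName": "[parameters('UserName')]",
+"customParameterValues": {},
+"api": {
+"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuremonitorlogs')]"
+}
+}
+},
+{
+"type": "Microsoft.Web/connections",
+"apiVersion": "2016-06-01",
+"name": "[variables('AzureLogAnalyticsDataCollectorConnectionName')]",
+"location": "[resourceGroup().location]",
+"properties": {
+"displayName": "[parameters('UserName')]",
+"customParameterValues": {},
+"api": {
+"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/microsoftgraphsecurity')]"
+}
+}
+},
+{
+"type": "Microsoft.Logic/workflows",
+"apiVersion": "2017-07-01",
+"name": "[parameters('PlaybookName')]",
+"location": "[resourceGroup().location]",
+"properties": {
+"state": "Disabled",
+"definition": {
+"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+"actions": {
+"Condition": {
+"actions": {
+"Set_variable": {
+"inputs": {
+"name": "seqUpdate",
+"value": "@body('Get_last_received_item_ID_from_Azure_Log_DB')?['value'][0]['seqUpdate_d']"
+},
+"runAfter": {},
+"type": "SetVariable"
+}
+},
+"else": {
+"actions": {
+"HTTP": {
+"inputs": {
+"headers": {
+"accept": "*/*",
+"x-auth-key": "@variables('GIB API Key')",
+"x-auth-login": "@parameters('GIB Username')"
+},
+"method": "GET",
+"queries": {
+"collection": "@parameters('Collection Name')",
+"date": "@{addDays(utcNow(), -1, 'yyyy-MM-dd')}"
+},
+"uri": "@{parameters('GIB API URL ')}sequence_list"
+},
+"runAfter": {},
+"type": "Http"
+},
+"Parse_JSON": {
+"inputs": {
+"content": "@body('HTTP')",
+"schema": {
+"properties": {
+"list": {
+"properties": {
+"osi/git_leak": {
+"type": "integer"
+}
+},
+"type": "object"
+}
+},
+"type": "object"
+}
+},
+"runAfter": {
+"HTTP": [
+"Succeeded"
+]
+},
+"type": "ParseJson"
+},
+"Update_Last_Item_id_in_Tech_table_": {
+"inputs": {
+"body": "{\n\"collection_name\" : \"@{parameters('Collection Name')}\",\n\"seqUpdate\" : @{body('Parse_JSON')?['list']?['osi/git_leak']}\n}",
+"headers": {
+"Log-Type": "GIBTechTable"
+},
+"host": {
+"connection": {
+"name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']"
+}
+},
+"method": "post",
+"path": "/api/logs"
+},
+"runAfter": {
+"Parse_JSON": [
+"Succeeded"
+]
+},
+"type": "ApiConnection"
+},
+"set_seqUpdate_": {
+"inputs": {
+"name": "seqUpdate",
+"value": "@body('Parse_JSON')?['list']?['osi/git_leak']"
+},
+"runAfter": {
+"Update_Last_Item_id_in_Tech_table_": [
+"Succeeded"
+]
+},
+"type": "SetVariable"
+}
+}
+},
+"expression": {
+"and": [
+{
+"not": {
+"equals": [
+"@length(body('Get_last_received_item_ID_from_Azure_Log_DB')?['value'])",
+0
+]
+}
+}
+]
+},
+"runAfter": {
+"Get_last_received_item_ID_from_Azure_Log_DB": [
+"Succeeded"
+]
+},
+"type": "If"
+},
+"Get_last_received_item_ID_from_Azure_Log_DB": {
+"inputs": {
+"body": "GIBTechTable_CL | where collection_name_s == \"@{parameters('Collection Name')}\" | sort by TimeGenerated | limit 1",
+"host": {
+"connection": {
+"name": "@parameters('$connections')['azuremonitorlogs']['connectionId']"
+}
+},
+"method": "post",
+"path": "/queryData",
+"queries": {
+"resourcegroups": "Group-IB-WS",
+"resourcename": "Group-IB",
+"resourcetype": "Log Analytics Workspace",
+"subscriptions": "xx-xxx-xxxx-xxxx-xxx",
+"timerange": "Last 7 days"
+}
+},
+"runAfter": {
+"Initialize_Indicators_Array": [
+"Succeeded"
+]
+},
+"type": "ApiConnection"
+},
+"Init_TechTable": {
+"inputs": {
+"body": "{ \"collection_name\": \"test/collection\", \n\"seqUpdate\" : 0\n} ",
+"headers": {
+"Log-Type": "GIBTechTable"
+},
+"host": {
+"connection": {
+"name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']"
+}
+},
+"method": "post",
+"path": "/api/logs"
+},
+"runAfter": {
+"Initialize_API_Kry": [
+"Succeeded"
+]
+},
+"type": "ApiConnection"
+},
+"Initialize_API_Kry": {
+"inputs": {
+"variables": [
+{
+"name": "GIB API Key",
+"type": "string",
+"value": "XXXXXXXXXXX"
+}
+]
+},
+"runAfter": {
+"Initialize_seqUpdate": [
+"Succeeded"
+]
+},
+"type": "InitializeVariable"
+},
+"Initialize_Indicators_Array": {
+"inputs": {
+"variables": [
+{
+"name": "Indicators",
+"type": "array",
+"value": []
+}
+]
+},
+"runAfter": {
+"Init_TechTable": [
+"Succeeded"
+]
+},
+"type": "InitializeVariable"
+},
+"Initialize_seqUpdate": {
+"inputs": {
+"variables": [
+{
+"name": "seqUpdate",
+"type": "integer"
+}
+]
+},
+"runAfter": {},
+"type": "InitializeVariable"
+},
+"Initialize_variable": {
+"inputs": {
+"variables": [
+{
+"name": "IsPortionEmpty",
+"type": "boolean",
+"value": false
+}
+]
+},
+"runAfter": {
+"Condition": [
+"Succeeded"
+]
+},
+"type": "InitializeVariable"
+},
+"Until": {
+"actions": {
+"Get_items_from_response": {
+"inputs": {
+"content": "@body('Get_next_portion_of_events_from_GIB')",
+"schema": {
+"properties": {
+"count": {
+"type": [
+"integer",
+"null"
+]
+},
+"items": {
+"items": {
+"properties": {
+"dateDetected": {
+"type": [
+"string",
+"null"
+]
+},
+"dateUpdated": {
+"type": [
+"string",
+"null"
+]
+},
+"evaluation": {
+"properties": {
+"admiraltyCode": {
+"type": [
+"string",
+"null"
+]
+},
+"credibility": {
+"type": [
+"integer",
+"null"
+]
+},
+"reliability": {
+"type": [
+"integer",
+"null"
+]
+},
+"severity": {
+"type": [
+"string",
+"null"
+]
+},
+"tlp": {
+"type": [
+"string",
+"null"
+]
+},
+"ttl": {
+"type": [
+"integer",
+"null"
+]
+}
+},
+"type": "object"
+},
+"file": {
+"type": [
+"string",
+"null"
+]
+},
+"id": {
+"type": [
+"string",
+"null"
+]
+},
+"matchesType": {
+"items": {
+"type": [
+"string",
+"null"
+]
+},
+"type": "array"
+},
+"matchesTypeCount": {
+"properties": {
+"card": {
+"type": [
+"integer",
+"null"
+]
+},
+"cisco": {
+"type": [
+"integer",
+"null"
+]
+},
+"commonKeywords": {
+"type": [
+"integer",
+"null"
+]
+},
+"domain": {
+"type": [
+"integer",
+"null"
+]
+},
+"dsn": {
+"type": [
+"integer",
+"null"
+]
+},
+"email": {
+"type": [
+"integer",
+"null"
+]
+},
+"google": {
+"type": [
+"integer",
+"null"
+]
+},
+"ip": {
+"type": [
+"integer",
+"null"
+]
+},
+"keyword": {
+"type": [
+"integer",
+"null"
+]
+},
+"login": {
+"type": [
+"integer",
+"null"
+]
+},
+"metasploit": {
+"type": [
+"integer",
+"null"
+]
+},
+"nmap": {
+"type": [
+"integer",
+"null"
+]
+},
+"pgp": {
+"type": [
+"integer",
+"null"
+]
+},
+"sha": {
+"type": [
+"integer",
+"null"
+]
+},
+"slackAPI": {
+"type": [
+"integer",
+"null"
+]
+},
+"ssh": {
+"type": [
+"integer",
+"null"
+]
+}
+},
+"type": [
+"object",
+"null"
+]
+},
+"name": {
+"type": [
+"string",
+"null"
+]
+},
+"repository": {
+"type": [
+"string",
+"null"
+]
+},
+"revisions": {
+"items": {
+"properties": {
+"bind": {
+"items": {
+"properties": {
+"bindBy": {
+"type": [
+"string",
+"null"
+]
+},
+"data": {
+"type": [
+"string",
+"null"
+]
+},
+"type": {
+"type": [
+"string",
+"null"
+]
+}
+},
+"required": [
+"bindBy",
+"data",
+"type"
+],
+"type": "object"
+},
+"type": "array"
+},
+"data": {},
+"file": {
+"type": [
+"string",
+"null"
+]
+},
+"fileDiff": {
+"type": [
+"string",
+"null"
+]
+},
+"hash": {
+"type": [
+"string",
+"null"
+]
+},
+"info": {
+"properties": {
+"authorEmail": {
+"type": [
+"string",
+"null"
+]
+},
+"authorName": {
+"type": [
+"string",
+"null"
+]
+},
+"dateCreated": {
+"type": [
+"string",
+"null"
+]
+}
+},
+"type": "object"
+}
+},
+"required": [
+"file",
+"fileDiff"
+],
+"type": "object"
+},
+"type": "array"
+},
+"seqUpdate": {
+"type": [
+"integer",
+"null"
+]
+},
+"source": {
+"type": [
+"string",
+"null"
+]
+}
+},
+"required": [
+"dateDetected",
+"evaluation",
+"file",
+"id",
+"matchesType",
+"matchesTypeCount",
+"name",
+"repository",
+"revisions",
+"seqUpdate"
+],
+"type": "object"
+},
+"type": "array"
+},
+"resultId": {
+"type": [
+"string",
+"null"
+]
+}
+},
+"type": "object"
+}
+},
+"runAfter": {
+"Get_next_portion_of_events_from_GIB": [
+"Succeeded"
+]
+},
+"type": "ParseJson"
+},
+"Get_next_portion_of_events_from_GIB": {
+"inputs": {
+"headers": {
+"Accept": "*/*",
+"x-auth-key": "@variables('GIB API Key')",
+"x-auth-login": "@parameters('GIB Username')"
+},
+"method": "GET",
+"queries": {
+"limit": "10",
+"seqUpdate": "@{variables('seqUpdate')}"
+},
+"uri": "@{parameters('GIB API URL ')}@{parameters('Collection Name')}/updated"
+},
+"runAfter": {},
+"type": "Http"
+},
+"IfPortionHasItems": {
+"actions": {
+"Send_Data": {
+"inputs": {
+"body": "@{body('Get_items_from_response')?['items']}",
+"headers": {
+"Log-Type": "GIBTIAOSIGitLeak"
+},
+"host": {
+"connection": {
+"name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']"
+}
+},
+"method": "post",
+"path": "/api/logs"
+},
+"runAfter": {},
+"type": "ApiConnection"
+}
+},
+"else": {
+"actions": {
+"Set_Empty_portion_value": {
+"inputs": {
+"name": "IsPortionEmpty",
+"value": true
+},
+"runAfter": {},
+"type": "SetVariable"
+}
+}
+},
+"expression": {
+"and": [
+{
+"not": {
+"equals": [
+"@length(body('Get_items_from_response')?['items'])",
+0
+]
+}
+}
+]
+},
+"runAfter": {
+"Reset_seqUpdate": [
+"Succeeded"
+]
+},
+"type": "If"
+},
+"Reset_seqUpdate": {
+"inputs": {
+"name": "seqUpdate",
+"value": "@body('Get_items_from_response')?['seqUpdate']"
+},
+"runAfter": {
+"Get_items_from_response": [
+"Succeeded"
+]
+},
+"type": "SetVariable"
+},
+"Save_seqUpdate": {
+"inputs": {
+"body": "{\n\"collection_name\" : \"@{parameters('Collection Name')}\",\n\"seqUpdate\" : @{variables('seqUpdate')}\n}",
+"headers": {
+"Log-Type": "GIBTechTable"
+},
+"host": {
+"connection": {
+"name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']"
+}
+},
+"method": "post",
+"path": "/api/logs"
+},
+"runAfter": {
+"IfPortionHasItems": [
+"Succeeded"
+]
+},
+"type": "ApiConnection"
+}
+},
+"expression": "@equals(variables('IsPortionEmpty'), true)",
+"limit": {
+"count": 10,
+"timeout": "PT1H"
+},
+"runAfter": {
+"Initialize_variable": [
+"Succeeded"
+]
+},
+"type": "Until"
+}
+},
+"contentVersion": "1.0.0.0",
+"outputs": {},
+"parameters": {
+"$connections": {
+"defaultValue": {},
+"type": "Object"
+},
+"Collection Name": {
+"defaultValue": "osi/git_leak",
+"type": "String"
+},
+"GIB API URL ": {
+"defaultValue": "https://bt.group-ib.com/api/v2/",
+"type": "String"
+},
+"GIB Username": {
+"defaultValue": "xxxx@domain.com",
+"type": "String"
+}
+},
+"triggers": {
+"Recurrence": {
+"recurrence": {
+"frequency": "Hour",
+"interval": 1000
+},
+"type": "Recurrence"
+}
+}
+},
+"parameters": {
+"$connections": {
+"value": {
+"azureloganalyticsdatacollector": {
+"connectionId": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', 'Group-IB-WS', '/providers/Microsoft.Web/connections/')]",
+"connectionName": "[variables('AzureLogAnalyticsDataCollectorConnectionName')]",
+"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azureloganalyticsdatacollector')]"
+},
+"azuremonitorlogs": {
+"connectionId": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', 'Group-IB-WS', '/providers/Microsoft.Web/connections/')]",
+"connectionName": "[variables('azuremonitorlogsConnectionName')]",
+"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuremonitorlogs')]"
+}
+}
+}
+}
+}
+}
+]
+}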
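Review bot: The `Recurrence` trigger of this playbook fires every 1000 hours (`"interval": 1000`) while the sibling playbooks poll hourly and the seeding branch only asks `sequence_list` for `addDays(utcNow(), -1)`, so this reads like a leftover test value and the intended line is most likely `"interval": 1`. The action name `Initialize_API_Kry`, and its `runAfter` reference in `Init_TechTable`, is a typo for `Initialize_API_Key`, the name the other playbooks use; renaming it keeps run history and any shared tooling consistent. `Init_TechTable` posts a fixed `test/collection` row with `seqUpdate` 0 to the `GIBTechTable` custom log on every run, which adds a test record each hour to the same table that `Get_last_received_item_ID_from_Azure_Log_DB` later reads state from. `Send_Data` ingests the whole item into the `GIBTIAOSIGitLeak` custom log, and the parsed schema shows that item carries `revisions[].fileDiff`, `revisions[].data` and `revisions[].bind[].data` — the leaked repository content itself — so read access to that table should be scoped like the source data, or those properties should be dropped before ingestion. The `Indicators` array created by `Initialize_Indicators_Array` is never appended to or read anywhere in this definition and can be removed.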


@ -0,0 +1,680 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"PlaybookName": {
"defaultValue": "GIBTIA_OSI_PublicLeak",
"type": "string"
},
"UserName": {
"defaultValue": "<username>@<domain>",
"type": "string"
}
},
"variables": {
"AzureLogAnalyticsDataCollectorConnectionName": "[concat('azureloganalyticsdatacollector-', parameters('PlaybookName'))]",
"azuremonitorlogsConnectionName": "[concat('azuremon-', parameters('PlaybookName'))]"
},
"resources": [
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('azuremonitorlogsConnectionName')]",
"location": "[resourceGroup().location]",
"properties": {
"displayName": "[parameters('UserName')]",
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuremonitorlogs')]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('AzureLogAnalyticsDataCollectorConnectionName')]",
"location": "[resourceGroup().location]",
"properties": {
"displayName": "[parameters('UserName')]",
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/microsoftgraphsecurity')]"
}
}
},
{
"type": "Microsoft.Logic/workflows",
"apiVersion": "2017-07-01",
"name": "[parameters('PlaybookName')]",
"location": "[resourceGroup().location]",
"properties": {
"state": "Disabled",
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"actions": {
"Condition": {
"actions": {
"Set_variable": {
"inputs": {
"name": "seqUpdate",
"value": "@body('Get_last_received_item_ID_from_Azure_Log_DB')?['value'][0]['seqUpdate_d']"
},
"runAfter": {},
"type": "SetVariable"
}
},
"else": {
"actions": {
"HTTP": {
"inputs": {
"headers": {
"accept": "*/*",
"x-auth-key": "@variables('GIB API Key')",
"x-auth-login": "@parameters('GIB Username')"
},
"method": "GET",
"queries": {
"collection": "@parameters('Collection Name')",
"date": "@{addDays(utcNow(), -1, 'yyyy-MM-dd')}"
},
"uri": "@{parameters('GIB API URL ')}sequence_list"
},
"runAfter": {},
"type": "Http"
},
"Parse_JSON": {
"inputs": {
"content": "@body('HTTP')",
"schema": {
"properties": {
"list": {
"properties": {
"osi/public_leak": {
"type": "integer"
}
},
"type": "object"
}
},
"type": "object"
}
},
"runAfter": {
"HTTP": [
"Succeeded"
]
},
"type": "ParseJson"
},
"Update_Last_Item_id_in_Tech_table_": {
"inputs": {
"body": "{\n\"collection_name\" : \"@{parameters('Collection Name')}\",\n\"seqUpdate\" : @{body('Parse_JSON')?['list']?['osi/public_leak']}\n}",
"headers": {
"Log-Type": "GIBTechTable"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']"
}
},
"method": "post",
"path": "/api/logs"
},
"runAfter": {
"Parse_JSON": [
"Succeeded"
]
},
"type": "ApiConnection"
},
"set_seqUpdate_": {
"inputs": {
"name": "seqUpdate",
"value": "@body('Parse_JSON')?['list']?['osi/public_leak']"
},
"runAfter": {
"Update_Last_Item_id_in_Tech_table_": [
"Succeeded"
]
},
"type": "SetVariable"
}
}
},
"expression": {
"and": [
{
"not": {
"equals": [
"@length(body('Get_last_received_item_ID_from_Azure_Log_DB')?['value'])",
0
]
}
}
]
},
"runAfter": {
"Get_last_received_item_ID_from_Azure_Log_DB": [
"Succeeded"
]
},
"type": "If"
},
"Get_last_received_item_ID_from_Azure_Log_DB": {
"inputs": {
"body": "GIBTechTable_CL | where collection_name_s == \"@{parameters('Collection Name')}\" | sort by TimeGenerated | limit 1",
"host": {
"connection": {
"name": "@parameters('$connections')['azuremonitorlogs']['connectionId']"
}
},
"method": "post",
"path": "/queryData",
"queries": {
"resourcegroups": "Group-IB-WS",
"resourcename": "Group-IB",
"resourcetype": "Log Analytics Workspace",
"subscriptions": "xx-xxx-xxxx-xxxx-xxx",
"timerange": "Last 7 days"
}
},
"runAfter": {
"Initialize_Indicators_Array": [
"Succeeded"
]
},
"type": "ApiConnection"
},
"Init_TechTable": {
"inputs": {
"body": "{ \"collection_name\" : \"test/collection\",\n\"seqUpdate\" : 0 }\n",
"headers": {
"Log-Type": "GIBTechTable"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']"
}
},
"method": "post",
"path": "/api/logs"
},
"runAfter": {
"Initialize_API_Key": [
"Succeeded"
]
},
"type": "ApiConnection"
},
"Initialize_API_Key": {
"inputs": {
"variables": [
{
"name": "GIB API Key",
"type": "string",
"value": "XXXXXXXXXXX"
}
]
},
"runAfter": {
"Initialize_seqUpdate": [
"Succeeded"
]
},
"type": "InitializeVariable"
},
"Initialize_Indicators_Array": {
"inputs": {
"variables": [
{
"name": "Indicators",
"type": "array",
"value": []
}
]
},
"runAfter": {
"Init_TechTable": [
"Succeeded"
]
},
"type": "InitializeVariable"
},
"Initialize_seqUpdate": {
"inputs": {
"variables": [
{
"name": "seqUpdate",
"type": "integer"
}
]
},
"runAfter": {},
"type": "InitializeVariable"
},
"Initialize_variable": {
"inputs": {
"variables": [
{
"name": "IsPortionEmpty",
"type": "boolean",
"value": false
}
]
},
"runAfter": {
"Condition": [
"Succeeded"
]
},
"type": "InitializeVariable"
},
"Until": {
"actions": {
"Get_items_from_response": {
"inputs": {
"content": "@body('Get_next_portion_of_events_from_GIB')",
"schema": {
"properties": {
"count": {
"type": [
"integer",
"null"
]
},
"items": {
"items": {
"properties": {
"bind": {
"type": "array"
},
"created": {
"type": [
"string",
"null"
]
},
"data": {
"type": [
"string",
"null"
]
},
"displayOptions": {},
"evaluation": {
"properties": {
"admiraltyCode": {
"type": [
"string",
"null"
]
},
"credibility": {
"type": [
"integer",
"null"
]
},
"reliability": {
"type": [
"integer",
"null"
]
},
"severity": {
"type": [
"string",
"null"
]
},
"tlp": {
"type": [
"string",
"null"
]
},
"ttl": {
"type": [
"integer",
"null"
]
}
},
"type": "object"
},
"hash": {
"type": [
"string",
"null"
]
},
"id": {
"type": [
"string",
"null"
]
},
"language": {
"type": [
"string",
"null"
]
},
"linkList": {
"items": {
"properties": {
"author": {
"type": [
"string",
"null"
]
},
"dateDetected": {
"type": [
"string",
"null"
]
},
"datePublished": {
"type": [
"string",
"null"
]
},
"hash": {
"type": [
"string",
"null"
]
},
"itemSource": {
"type": [
"string",
"null"
]
},
"link": {
"type": [
"string",
"null"
]
},
"sequenceUpdate": {},
"size": {
"type": [
"integer",
"null"
]
},
"source": {
"type": [
"string",
"null"
]
},
"status": {
"type": [
"integer",
"null"
]
},
"title": {
"type": [
"string",
"null"
]
}
},
"required": [
"author",
"dateDetected",
"datePublished",
"hash",
"itemSource",
"link",
"sequenceUpdate",
"size",
"source",
"status",
"title"
],
"type": "object"
},
"type": "array"
},
"matches": {
"type": "array"
},
"oldId": {},
"portalLink": {
"type": [
"string",
"null"
]
},
"seqUpdate": {
"type": [
"integer",
"null"
]
},
"size": {
"type": [
"string",
"null"
]
},
"updated": {
"type": [
"string",
"null"
]
},
"useful": {
"type": [
"integer",
"null"
]
}
},
"required": [
"bind",
"created",
"data",
"evaluation",
"hash",
"id",
"language",
"linkList",
"matches",
"portalLink",
"seqUpdate",
"size",
"updated"
],
"type": "object"
},
"type": "array"
},
"resultId": {
"type": [
"string",
"null"
]
}
},
"type": "object"
}
},
"runAfter": {
"Get_next_portion_of_events_from_GIB": [
"Succeeded"
]
},
"type": "ParseJson"
},
"Get_next_portion_of_events_from_GIB": {
"inputs": {
"headers": {
"Accept": "*/*",
"x-auth-key": "@variables('GIB API Key')",
"x-auth-login": "@parameters('GIB Username')"
},
"method": "GET",
"queries": {
"limit": "10",
"seqUpdate": "@{variables('seqUpdate')}"
},
"uri": "@{parameters('GIB API URL ')}@{parameters('Collection Name')}/updated"
},
"runAfter": {},
"type": "Http"
},
"IfPortionHasItems": {
"actions": {
"Send_Data": {
"inputs": {
"body": "@{body('Get_items_from_response')?['items']}",
"headers": {
"Log-Type": "GIBTIAOSIPublicLeak"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']"
}
},
"method": "post",
"path": "/api/logs"
},
"runAfter": {},
"type": "ApiConnection"
}
},
"else": {
"actions": {
"Set_Empty_portion_value": {
"inputs": {
"name": "IsPortionEmpty",
"value": true
},
"runAfter": {},
"type": "SetVariable"
}
}
},
"expression": {
"and": [
{
"not": {
"equals": [
"@length(body('Get_items_from_response')?['items'])",
0
]
}
}
]
},
"runAfter": {
"Reset_seqUpdate": [
"Succeeded"
]
},
"type": "If"
},
"Reset_seqUpdate": {
"inputs": {
"name": "seqUpdate",
"value": "@body('Get_items_from_response')?['seqUpdate']"
},
"runAfter": {
"Get_items_from_response": [
"Succeeded"
]
},
"type": "SetVariable"
},
"Save_seqUpdate": {
"inputs": {
"body": "{\n\"collection_name\" : \"@{parameters('Collection Name')}\",\n\"seqUpdate\" : @{variables('seqUpdate')}\n}",
"headers": {
"Log-Type": "GIBTechTable"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']"
}
},
"method": "post",
"path": "/api/logs"
},
"runAfter": {
"IfPortionHasItems": [
"Succeeded"
]
},
"type": "ApiConnection"
}
},
"expression": "@equals(variables('IsPortionEmpty'), true)",
"limit": {
"count": 10,
"timeout": "PT1H"
},
"runAfter": {
"Initialize_variable": [
"Succeeded"
]
},
"type": "Until"
}
},
"contentVersion": "1.0.0.0",
"outputs": {},
"parameters": {
"$connections": {
"defaultValue": {},
"type": "Object"
},
"Collection Name": {
"defaultValue": "osi/public_leak",
"type": "String"
},
"GIB API URL ": {
"defaultValue": "https://bt.group-ib.com/api/v2/",
"type": "String"
},
"GIB Username": {
"defaultValue": "xxxx@domain.com",
"type": "String"
}
},
"triggers": {
"Recurrence": {
"recurrence": {
"frequency": "Hour",
"interval": 1000
},
"type": "Recurrence"
}
}
},
"parameters": {
"$connections": {
"value": {
"azureloganalyticsdatacollector": {
"connectionId": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', 'Group-IB-WS', '/providers/Microsoft.Web/connections/')]",
"connectionName": "[variables('AzureLogAnalyticsDataCollectorConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azureloganalyticsdatacollector')]"
},
"azuremonitorlogs": {
"connectionId": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', 'Group-IB-WS', '/providers/Microsoft.Web/connections/')]",
"connectionName": "[variables('azuremonitorlogsConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuremonitorlogs')]"
}
}
}
}
}
}
]
}



@ -0,0 +1,695 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"PlaybookName": {
"defaultValue": "GIBTIA_Suspicious_ip_open_proxy",
"type": "string"
},
"UserName": {
"defaultValue": "<username>@<domain>",
"type": "string"
}
},
"variables": {
"AzureLogAnalyticsDataCollectorConnectionName": "[concat('azureloganalyticsdatacollector-', parameters('PlaybookName'))]",
"azuremonitorlogsConnectionName": "[concat('azuremon-', parameters('PlaybookName'))]"
},
"resources": [
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('azuremonitorlogsConnectionName')]",
"location": "[resourceGroup().location]",
"properties": {
"displayName": "[parameters('UserName')]",
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuremonitorlogs')]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('AzureLogAnalyticsDataCollectorConnectionName')]",
"location": "[resourceGroup().location]",
"properties": {
"displayName": "[parameters('UserName')]",
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/microsoftgraphsecurity')]"
}
}
},
{
"type": "Microsoft.Logic/workflows",
"apiVersion": "2017-07-01",
"name": "[parameters('PlaybookName')]",
"location": "[resourceGroup().location]",
"properties": {
"state": "Disabled",
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"actions": {
"Condition": {
"actions": {
"Set_variable": {
"inputs": {
"name": "seqUpdate",
"value": "@body('Get_last_received_item_ID_from_Azure_Log_DB')?['value'][0]['seqUpdate_d']"
},
"runAfter": {},
"type": "SetVariable"
}
},
"else": {
"actions": {
"HTTP": {
"inputs": {
"headers": {
"accept": "*/*",
"x-auth-key": "@variables('GIB API Key')",
"x-auth-login": "@parameters('GIB Username')"
},
"method": "GET",
"queries": {
"collection": "@parameters('Collection Name')",
"date": "@{addDays(utcNow(), -1, 'yyyy-MM-dd')}"
},
"uri": "@{parameters('GIB API URL ')}sequence_list"
},
"runAfter": {},
"type": "Http"
},
"Parse_JSON": {
"inputs": {
"content": "@body('HTTP')",
"schema": {
"properties": {
"list": {
"properties": {
"suspicious_ip/open_proxy": {
"type": "integer"
}
},
"type": "object"
}
},
"type": "object"
}
},
"runAfter": {
"HTTP": [
"Succeeded"
]
},
"type": "ParseJson"
},
"Update_Last_Item_id_in_Tech_table_": {
"inputs": {
"body": "{\n\"collection_name\" : \"@{parameters('Collection Name')}\",\n\"seqUpdate\" : @{body('Parse_JSON')?['list']?['suspicious_ip/open_proxy']}\n}",
"headers": {
"Log-Type": "GIBTechTable"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']"
}
},
"method": "post",
"path": "/api/logs"
},
"runAfter": {
"Parse_JSON": [
"Succeeded"
]
},
"type": "ApiConnection"
},
"set_seqUpdate_": {
"inputs": {
"name": "seqUpdate",
"value": "@body('Parse_JSON')?['list']?['suspicious_ip/open_proxy']"
},
"runAfter": {
"Update_Last_Item_id_in_Tech_table_": [
"Succeeded"
]
},
"type": "SetVariable"
}
}
},
"expression": {
"and": [
{
"not": {
"equals": [
"@length(body('Get_last_received_item_ID_from_Azure_Log_DB')?['value'])",
0
]
}
}
]
},
"runAfter": {
"Get_last_received_item_ID_from_Azure_Log_DB": [
"Succeeded"
]
},
"type": "If"
},
"Get_last_received_item_ID_from_Azure_Log_DB": {
"inputs": {
"body": "GIBTechTable_CL | where collection_name_s == \"@{parameters('Collection Name')}\" | sort by TimeGenerated | limit 1",
"host": {
"connection": {
"name": "@parameters('$connections')['azuremonitorlogs']['connectionId']"
}
},
"method": "post",
"path": "/queryData",
"queries": {
"resourcegroups": "Group-IB-WS",
"resourcename": "Group-IB",
"resourcetype": "Log Analytics Workspace",
"subscriptions": "xx-xxx-xxxx-xxxx-xxx",
"timerange": "Last 7 days"
}
},
"runAfter": {
"Initialize_TechTable": [
"Succeeded"
]
},
"type": "ApiConnection"
},
"Initialize_API_Key": {
"inputs": {
"variables": [
{
"name": "GIB API Key",
"type": "string",
"value": "XXXXXXXXXXXXX"
}
]
},
"runAfter": {},
"type": "InitializeVariable"
},
"Initialize_TechTable": {
"inputs": {
"body": "{\"collection_name\" : \"test/collection\",\n \"seqUpdate\": 0\n}",
"headers": {
"Log-Type": "GIBTechTable"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']"
}
},
"method": "post",
"path": "/api/logs"
},
"runAfter": {
"Initialize_seqUpdate": [
"Succeeded"
]
},
"type": "ApiConnection"
},
"Initialize_seqUpdate": {
"inputs": {
"variables": [
{
"name": "seqUpdate",
"type": "integer"
}
]
},
"runAfter": {
"Initialize_API_Key": [
"Succeeded"
]
},
"type": "InitializeVariable"
},
"Initialize_variable": {
"inputs": {
"variables": [
{
"name": "IsPortionEmpty",
"type": "boolean",
"value": false
}
]
},
"runAfter": {
"Condition": [
"Succeeded"
]
},
"type": "InitializeVariable"
},
"Until": {
"actions": {
"Get_items_from_response": {
"inputs": {
"content": "@body('Get_next_portion_of_events_from_GIB')",
"schema": {
"properties": {
"count": {
"type": [
"integer",
"null"
]
},
"items": {
"items": {
"properties": {
"anonymous": {
"type": [
"string",
"null"
]
},
"dateDetected": {
"type": [
"string",
"null"
]
},
"dateFirstSeen": {
"type": [
"string",
"null"
]
},
"evaluation": {
"properties": {
"admiraltyCode": {
"type": [
"string",
"null"
]
},
"credibility": {
"type": [
"integer",
"null"
]
},
"reliability": {
"type": [
"integer",
"null"
]
},
"severity": {
"type": [
"string",
"null"
]
},
"tlp": {
"type": [
"string",
"null"
]
},
"ttl": {
"type": [
"integer",
"null"
]
}
},
"type": "object"
},
"id": {
"type": [
"string",
"null"
]
},
"ipv4": {
"properties": {
"asn": {
"type": [
"string",
"null"
]
},
"city": {},
"countryCode": {
"type": [
"string",
"null"
]
},
"countryName": {
"type": [
"string",
"null"
]
},
"ip": {
"type": [
"string",
"null"
]
},
"provider": {
"type": [
"string",
"null"
]
},
"region": {
"type": [
"string",
"null"
]
}
},
"type": "object"
},
"isFavourite": {
"type": "boolean"
},
"isHidden": {
"type": "boolean"
},
"oldId": {
"type": [
"string",
"null"
]
},
"port": {
"type": [
"integer",
"null"
]
},
"portalLink": {
"type": [
"string",
"null"
]
},
"seqUpdate": {
"type": [
"integer",
"null"
]
},
"source": {
"type": [
"string",
"null"
]
},
"type": {
"type": [
"string",
"null"
]
}
},
"required": [
"anonymous",
"dateDetected",
"dateFirstSeen",
"evaluation",
"id",
"ipv4",
"oldId",
"port",
"portalLink",
"seqUpdate",
"source",
"type"
],
"type": "object"
},
"type": "array"
},
"resultId": {
"type": [
"string",
"null"
]
}
},
"type": "object"
}
},
"runAfter": {
"Get_next_portion_of_events_from_GIB": [
"Succeeded"
]
},
"type": "ParseJson"
},
"Get_next_portion_of_events_from_GIB": {
"inputs": {
"headers": {
"Accept": "*/*",
"x-auth-key": "@variables('GIB API Key')",
"x-auth-login": "@parameters('GIB Username')"
},
"method": "GET",
"queries": {
"limit": "100",
"seqUpdate": "@{variables('seqUpdate')}"
},
"uri": "@{parameters('GIB API URL ')}@{parameters('Collection Name')}/updated"
},
"runAfter": {},
"type": "Http"
},
"IfPortionHasItems": {
"actions": {
"GIBIndicatorProcessor": {
"inputs": {
"batchName": "GIBIndicatorsBatch",
"content": "@body('Select')",
"host": {
"triggerName": "Batch_messages",
"workflow": {
"id": "/subscriptions/xx-xxx-xxxx-xxxx-xxx/resourceGroups/Group-IB-WS/providers/Microsoft.Logic/workflows/GIBIndicatorProcessor"
}
}
},
"runAfter": {
"Select": [
"Succeeded"
]
},
"type": "SendToBatch"
},
"Save_only_as_Indicators": {
"actions": {},
"else": {
"actions": {
"Send_Data": {
"inputs": {
"body": "@{body('Get_items_from_response')?['items']}",
"headers": {
"Log-Type": "GIBTIASuspiciousIPOpenProxy"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']"
}
},
"method": "post",
"path": "/api/logs"
},
"runAfter": {},
"type": "ApiConnection"
}
}
},
"expression": {
"and": [
{
"equals": [
"@parameters('Save only indicators')",
true
]
}
]
},
"runAfter": {},
"type": "If"
},
"Select": {
"inputs": {
"from": "@body('Get_items_from_response')?['items']",
"select": {
"action": "@parameters('GIB Open Proxy Address Action')",
"activityGroupNames": [],
"confidence": "@int(item()?['evaluation']?['credibility'])",
"description": "GIB Open Proxy Address",
"expirationDateTime": "@addDays(item()?['dateDetected'], item()?['evaluation']?['ttl'])",
"externalId": "@item()?['id']",
"killChain": [],
"malwareFamilyNames": [],
"networkIPv4": "@item()?['ipv4']?['ip']",
"networkPort": "@item()?['port']",
"severity": 1,
"tags": [
"open-proxy"
],
"targetProduct": "Azure Sentinel",
"threatType": "WatchList",
"tlpLevel": "@item()?['evaluation']?['tlp']"
}
},
"runAfter": {
"Save_only_as_Indicators": [
"Succeeded"
]
},
"type": "Select"
}
},
"else": {
"actions": {
"Set_Empty_portion_value": {
"inputs": {
"name": "IsPortionEmpty",
"value": true
},
"runAfter": {},
"type": "SetVariable"
}
}
},
"expression": {
"and": [
{
"not": {
"equals": [
"@length(body('Get_items_from_response')?['items'])",
0
]
}
}
]
},
"runAfter": {
"Reset_seqUpdate": [
"Succeeded"
]
},
"type": "If"
},
"Reset_seqUpdate": {
"inputs": {
"name": "seqUpdate",
"value": "@body('Get_items_from_response')?['seqUpdate']"
},
"runAfter": {
"Get_items_from_response": [
"Succeeded"
]
},
"type": "SetVariable"
},
"Save_seqUpdate": {
"inputs": {
"body": "{\n\"collection_name\" : \"@{parameters('Collection Name')}\",\n\"seqUpdate\" : @{variables('seqUpdate')}\n}",
"headers": {
"Log-Type": "GIBTechTable"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']"
}
},
"method": "post",
"path": "/api/logs"
},
"runAfter": {
"IfPortionHasItems": [
"Succeeded"
]
},
"type": "ApiConnection"
}
},
"expression": "@equals(variables('IsPortionEmpty'), true)",
"limit": {
"count": 100,
"timeout": "PT1H"
},
"runAfter": {
"Initialize_variable": [
"Succeeded"
]
},
"type": "Until"
}
},
"contentVersion": "1.0.0.0",
"outputs": {},
"parameters": {
"$connections": {
"defaultValue": {},
"type": "Object"
},
"Collection Name": {
"defaultValue": "suspicious_ip/open_proxy",
"type": "String"
},
"GIB API URL ": {
"defaultValue": "https://bt.group-ib.com/api/v2/",
"type": "String"
},
"GIB Open Proxy Address Action": {
"defaultValue": "unknown",
"type": "String"
},
"GIB Username": {
"defaultValue": "xxxx@domain.com",
"type": "String"
},
"Save only indicators": {
"defaultValue": true,
"type": "Bool"
}
},
"triggers": {
"Recurrence": {
"recurrence": {
"frequency": "Hour",
"interval": 1
},
"type": "Recurrence"
}
}
},
"parameters": {
"$connections": {
"value": {
"azureloganalyticsdatacollector": {
"connectionId": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', 'Group-IB-WS', '/providers/Microsoft.Web/connections/')]",
"connectionName": "[variables('AzureLogAnalyticsDataCollectorConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azureloganalyticsdatacollector')]"
},
"azuremonitorlogs": {
"connectionId": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', 'Group-IB-WS', '/providers/Microsoft.Web/connections/')]",
"connectionName": "[variables('azuremonitorlogsConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuremonitorlogs')]"
}
}
}
}
}
}
]
}
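Review bot: The second `Microsoft.Web/connections` resource, the one named from `AzureLogAnalyticsDataCollectorConnectionName`, is created against `/managedApis/microsoftgraphsecurity`, while the workflow only uses that connection as `azureloganalyticsdatacollector` and the `$connections` block declares `/managedApis/azureloganalyticsdatacollector` for it, so that resource's `api.id` should end in `/managedApis/azureloganalyticsdatacollector`. Both `connectionId` values in `$connections` stop at `/providers/Microsoft.Web/connections/` without the connection name and hard-code the `Group-IB-WS` resource group; `"connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureLogAnalyticsDataCollectorConnectionName'))]"` (and the `azuremonitorlogs` equivalent) fixes both, and the workflow resource also needs a `dependsOn` on the two connection resources so they exist before it is deployed. The GIB API key is a plain workflow variable (`Initialize_API_Key`) that is then sent in the `x-auth-key` header of `HTTP` and `Get_next_portion_of_events_from_GIB`, so it sits in clear text in the template and in every run's recorded action inputs; a `securestring` template parameter plus `"runtimeConfiguration": {"secureData": {"properties": ["inputs"]}}` on those two actions keeps it out of both. `Get_last_received_item_ID_from_Azure_Log_DB` and the `GIBIndicatorProcessor` batch call still carry the literal placeholders `xx-xxx-xxxx-xxxx-xxx`, `Group-IB-WS` and `Group-IB` where `[subscription().subscriptionId]`, `[resourceGroup().name]` and a workspace-name template parameter would be resolved at deployment, as the rest of the template already does. The same four issues apply to the socks_proxy playbook section that follows and to the tor_node section that starts after it.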


@ -0,0 +1,685 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"PlaybookName": {
"defaultValue": "GIBTIA_Suspicious_ip_socks_proxy",
"type": "string"
},
"UserName": {
"defaultValue": "<username>@<domain>",
"type": "string"
}
},
"variables": {
"AzureLogAnalyticsDataCollectorConnectionName": "[concat('azureloganalyticsdatacollector-', parameters('PlaybookName'))]",
"azuremonitorlogsConnectionName": "[concat('azuremon-', parameters('PlaybookName'))]"
},
"resources": [
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('azuremonitorlogsConnectionName')]",
"location": "[resourceGroup().location]",
"properties": {
"displayName": "[parameters('UserName')]",
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuremonitorlogs')]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('AzureLogAnalyticsDataCollectorConnectionName')]",
"location": "[resourceGroup().location]",
"properties": {
"displayName": "[parameters('UserName')]",
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/microsoftgraphsecurity')]"
}
}
},
{
"type": "Microsoft.Logic/workflows",
"apiVersion": "2017-07-01",
"name": "[parameters('PlaybookName')]",
"location": "[resourceGroup().location]",
"properties": {
"state": "Disabled",
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"actions": {
"Condition": {
"actions": {
"Set_variable": {
"inputs": {
"name": "seqUpdate",
"value": "@body('Get_last_received_item_ID_from_Azure_Log_DB')?['value'][0]['seqUpdate_d']"
},
"runAfter": {},
"type": "SetVariable"
}
},
"else": {
"actions": {
"HTTP": {
"inputs": {
"headers": {
"accept": "*/*",
"x-auth-key": "@variables('GIB API Key')",
"x-auth-login": "@parameters('GIB Username')"
},
"method": "GET",
"queries": {
"collection": "@parameters('Collection Name')",
"date": "@{addDays(utcNow(), -1, 'yyyy-MM-dd')}"
},
"uri": "@{parameters('GIB API URL ')}sequence_list"
},
"runAfter": {},
"type": "Http"
},
"Parse_JSON": {
"inputs": {
"content": "@body('HTTP')",
"schema": {
"properties": {
"list": {
"properties": {
"suspicious_ip/socks_proxy": {
"type": "integer"
}
},
"type": "object"
}
},
"type": "object"
}
},
"runAfter": {
"HTTP": [
"Succeeded"
]
},
"type": "ParseJson"
},
"Update_Last_Item_id_in_Tech_table_": {
"inputs": {
"body": "{\n\"collection_name\" : \"@{parameters('Collection Name')}\",\n\"seqUpdate\" : @{body('Parse_JSON')?['list']?['suspicious_ip/socks_proxy']}\n}",
"headers": {
"Log-Type": "GIBTechTable"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']"
}
},
"method": "post",
"path": "/api/logs"
},
"runAfter": {
"Parse_JSON": [
"Succeeded"
]
},
"type": "ApiConnection"
},
"set_seqUpdate_": {
"inputs": {
"name": "seqUpdate",
"value": "@body('Parse_JSON')?['list']?['suspicious_ip/socks_proxy']"
},
"runAfter": {
"Update_Last_Item_id_in_Tech_table_": [
"Succeeded"
]
},
"type": "SetVariable"
}
}
},
"expression": {
"and": [
{
"not": {
"equals": [
"@length(body('Get_last_received_item_ID_from_Azure_Log_DB')?['value'])",
0
]
}
}
]
},
"runAfter": {
"Get_last_received_item_ID_from_Azure_Log_DB": [
"Succeeded"
]
},
"type": "If"
},
"Get_last_received_item_ID_from_Azure_Log_DB": {
"inputs": {
"body": "GIBTechTable_CL | where collection_name_s == \"@{parameters('Collection Name')}\" | sort by TimeGenerated | limit 1",
"host": {
"connection": {
"name": "@parameters('$connections')['azuremonitorlogs']['connectionId']"
}
},
"method": "post",
"path": "/queryData",
"queries": {
"resourcegroups": "Group-IB-WS",
"resourcename": "Group-IB",
"resourcetype": "Log Analytics Workspace",
"subscriptions": "xx-xxx-xxxx-xxxx-xxx",
"timerange": "Last 7 days"
}
},
"runAfter": {
"Initialize_table": [
"Succeeded"
]
},
"type": "ApiConnection"
},
"Initialize_API_Key": {
"inputs": {
"variables": [
{
"name": "GIB API Key",
"type": "string",
"value": "XXXXXXXXXXXXXX"
}
]
},
"runAfter": {},
"type": "InitializeVariable"
},
"Initialize_seqUpdate": {
"inputs": {
"variables": [
{
"name": "seqUpdate",
"type": "integer"
}
]
},
"runAfter": {
"Initialize_API_Key": [
"Succeeded"
]
},
"type": "InitializeVariable"
},
"Initialize_table": {
"inputs": {
"body": "{\"collection_name\" : \"test/collection\",\n \"seqUpdate\": 0\n}",
"headers": {
"Log-Type": "GIBTechTable"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']"
}
},
"method": "post",
"path": "/api/logs"
},
"runAfter": {
"Initialize_seqUpdate": [
"Succeeded"
]
},
"type": "ApiConnection"
},
"Initialize_variable": {
"inputs": {
"variables": [
{
"name": "IsPortionEmpty",
"type": "boolean",
"value": false
}
]
},
"runAfter": {
"Condition": [
"Succeeded"
]
},
"type": "InitializeVariable"
},
"Until": {
"actions": {
"Get_items_from_response": {
"inputs": {
"content": "@body('Get_next_portion_of_events_from_GIB')",
"schema": {
"properties": {
"count": {
"type": [
"integer",
"null"
]
},
"items": {
"items": {
"properties": {
"dateDetected": {
"type": [
"string",
"null"
]
},
"dateFirstSeen": {
"type": [
"string",
"null"
]
},
"dateLastSeen": {
"type": [
"string",
"null"
]
},
"evaluation": {
"properties": {
"admiraltyCode": {
"type": [
"string",
"null"
]
},
"credibility": {
"type": [
"integer",
"null"
]
},
"reliability": {
"type": [
"integer",
"null"
]
},
"severity": {
"type": [
"string",
"null"
]
},
"tlp": {
"type": [
"string",
"null"
]
},
"ttl": {
"type": [
"integer",
"null"
]
}
},
"type": "object"
},
"id": {
"type": [
"string",
"null"
]
},
"ipv4": {
"properties": {
"asn": {
"type": [
"string",
"null"
]
},
"city": {
"type": [
"string",
"null"
]
},
"countryCode": {
"type": [
"string",
"null"
]
},
"countryName": {
"type": [
"string",
"null"
]
},
"ip": {
"type": [
"string",
"null"
]
},
"provider": {
"type": [
"string",
"null"
]
},
"region": {
"type": [
"string",
"null"
]
}
},
"type": "object"
},
"isFavourite": {
"type": "boolean"
},
"isHidden": {
"type": "boolean"
},
"oldId": {
"type": [
"string",
"null"
]
},
"portalLink": {
"type": [
"string",
"null"
]
},
"seqUpdate": {
"type": [
"integer",
"null"
]
},
"source": {
"type": [
"string",
"null"
]
}
},
"required": [
"dateDetected",
"dateFirstSeen",
"dateLastSeen",
"evaluation",
"id",
"ipv4",
"isFavourite",
"isHidden",
"oldId",
"portalLink",
"seqUpdate",
"source"
],
"type": "object"
},
"type": "array"
},
"resultId": {
"type": [
"string",
"null"
]
}
},
"type": "object"
}
},
"runAfter": {
"Get_next_portion_of_events_from_GIB": [
"Succeeded"
]
},
"type": "ParseJson"
},
"Get_next_portion_of_events_from_GIB": {
"inputs": {
"headers": {
"Accept": "*/*",
"x-auth-key": "@variables('GIB API Key')",
"x-auth-login": "@parameters('GIB Username')"
},
"method": "GET",
"queries": {
"limit": "100",
"seqUpdate": "@{variables('seqUpdate')}"
},
"uri": "@{parameters('GIB API URL ')}@{parameters('Collection Name')}/updated"
},
"runAfter": {},
"type": "Http"
},
"IfPortionHasItems": {
"actions": {
"GIBIndicatorProcessor": {
"inputs": {
"batchName": "GIBIndicatorsBatch",
"content": "@body('Select')",
"host": {
"triggerName": "Batch_messages",
"workflow": {
"id": "/subscriptions/xx-xxx-xxxx-xxxx-xxx/resourceGroups/Group-IB-WS/providers/Microsoft.Logic/workflows/GIBIndicatorProcessor"
}
}
},
"runAfter": {
"Select": [
"Succeeded"
]
},
"type": "SendToBatch"
},
"Save_only_as_Indicators": {
"actions": {},
"else": {
"actions": {
"Send_Data": {
"inputs": {
"body": "@{body('Get_items_from_response')?['items']}",
"headers": {
"Log-Type": "GIBTIASuspiciousIPSocksProxy"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']"
}
},
"method": "post",
"path": "/api/logs"
},
"runAfter": {},
"type": "ApiConnection"
}
}
},
"expression": {
"and": [
{
"equals": [
"@parameters('Save only indicators')",
true
]
}
]
},
"runAfter": {},
"type": "If"
},
"Select": {
"inputs": {
"from": "@body('Get_items_from_response')?['items']",
"select": {
"action": "@parameters('GIB Socks Proxy Address Action')",
"activityGroupNames": [],
"confidence": "@int(item()?['evaluation']?['credibility'])",
"description": "GIB Socks Proxy Address",
"expirationDateTime": "@addDays(item()?['dateDetected'], item()?['evaluation']?['ttl'])",
"externalId": "@{item()?['id']}",
"killChain": [],
"malwareFamilyNames": [],
"networkIPv4": "@item()?['ipv4']?['ip']",
"severity": 1,
"tags": "@array('socks-proxy')",
"targetProduct": "Azure Sentinel",
"threatType": "WatchList",
"tlpLevel": "@item()?['evaluation']?['tlp']"
}
},
"runAfter": {
"Save_only_as_Indicators": [
"Succeeded"
]
},
"type": "Select"
}
},
"else": {
"actions": {
"Set_Empty_portion_value": {
"inputs": {
"name": "IsPortionEmpty",
"value": true
},
"runAfter": {},
"type": "SetVariable"
}
}
},
"expression": {
"and": [
{
"not": {
"equals": [
"@length(body('Get_items_from_response')?['items'])",
0
]
}
}
]
},
"runAfter": {
"Reset_seqUpdate": [
"Succeeded"
]
},
"type": "If"
},
"Reset_seqUpdate": {
"inputs": {
"name": "seqUpdate",
"value": "@body('Get_items_from_response')?['seqUpdate']"
},
"runAfter": {
"Get_items_from_response": [
"Succeeded"
]
},
"type": "SetVariable"
},
"Save_seqUpdate": {
"inputs": {
"body": "{\n\"collection_name\" : \"@{parameters('Collection Name')}\",\n\"seqUpdate\" : @{variables('seqUpdate')}\n}",
"headers": {
"Log-Type": "GIBTechTable"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']"
}
},
"method": "post",
"path": "/api/logs"
},
"runAfter": {
"IfPortionHasItems": [
"Succeeded"
]
},
"type": "ApiConnection"
}
},
"expression": "@equals(variables('IsPortionEmpty'), true)",
"limit": {
"count": 1000,
"timeout": "PT1H"
},
"runAfter": {
"Initialize_variable": [
"Succeeded"
]
},
"type": "Until"
}
},
"contentVersion": "1.0.0.0",
"outputs": {},
"parameters": {
"$connections": {
"defaultValue": {},
"type": "Object"
},
"Collection Name": {
"defaultValue": "suspicious_ip/socks_proxy",
"type": "String"
},
"GIB API URL ": {
"defaultValue": "https://bt.group-ib.com/api/v2/",
"type": "String"
},
"GIB Socks Proxy Address Action": {
"defaultValue": "unknown",
"type": "String"
},
"GIB Username": {
"defaultValue": "xxxx@domain.com",
"type": "String"
},
"Save only indicators": {
"defaultValue": true,
"type": "Bool"
}
},
"triggers": {
"Recurrence": {
"recurrence": {
"frequency": "Hour",
"interval": 1
},
"type": "Recurrence"
}
}
},
"parameters": {
"$connections": {
"value": {
"azureloganalyticsdatacollector": {
"connectionId": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', 'Group-IB-WS', '/providers/Microsoft.Web/connections/')]",
"connectionName": "[variables('AzureLogAnalyticsDataCollectorConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azureloganalyticsdatacollector')]"
},
"azuremonitorlogs": {
"connectionId": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', 'Group-IB-WS', '/providers/Microsoft.Web/connections/')]",
"connectionName": "[variables('azuremonitorlogsConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuremonitorlogs')]"
}
}
}
}
}
}
]
}
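Review bot: This playbook diverges from the sibling open_proxy playbook in details that look accidental rather than intended: the `Until` loop's `limit.count` is 1000 here against 100 there (both under the same `PT1H` timeout), the tech-table seeding action is named `Initialize_table` here and `Initialize_TechTable` there, and `Select` writes `externalId` as the interpolated string `@{item()?['id']}` here but as the bare expression `@item()?['id']` there, with `tags` likewise differing between `@array('socks-proxy')` and a literal array. Since the two definitions are otherwise identical, aligning these to one form, e.g. `"count": 100` and `"externalId": "@item()?['id']"`, keeps the two collectors paging and logging the same way and makes later diffs between them meaningful. If the larger loop count is deliberate for this collection, a `description` on the `Until` action stating why would stop the next reader from "fixing" it.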


@ -0,0 +1,638 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"PlaybookName": {
"defaultValue": "GIBTIA_Suspicious_ip_tor_node",
"type": "string"
},
"UserName": {
"defaultValue": "<username>@<domain>",
"type": "string"
}
},
"variables": {
"AzureLogAnalyticsDataCollectorConnectionName": "[concat('azureloganalyticsdatacollector-', parameters('PlaybookName'))]",
"azuremonitorlogsConnectionName": "[concat('azuremon-', parameters('PlaybookName'))]"
},
"resources": [
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('azuremonitorlogsConnectionName')]",
"location": "[resourceGroup().location]",
"properties": {
"displayName": "[parameters('UserName')]",
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuremonitorlogs')]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('AzureLogAnalyticsDataCollectorConnectionName')]",
"location": "[resourceGroup().location]",
"properties": {
"displayName": "[parameters('UserName')]",
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/microsoftgraphsecurity')]"
}
}
},
{
"type": "Microsoft.Logic/workflows",
"apiVersion": "2017-07-01",
"name": "[parameters('PlaybookName')]",
"location": "[resourceGroup().location]",
"properties": {
"state": "Disabled",
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"actions": {
"Condition": {
"actions": {
"Set_variable": {
"inputs": {
"name": "seqUpdate",
"value": "@body('Get_last_received_item_ID_from_Azure_Log_DB')?['value'][0]['seqUpdate_d']"
},
"runAfter": {},
"type": "SetVariable"
}
},
"else": {
"actions": {
"HTTP": {
"inputs": {
"headers": {
"accept": "*/*",
"x-auth-key": "@variables('GIB API Key')",
"x-auth-login": "@parameters('GIB Username')"
},
"method": "GET",
"queries": {
"collection": "@parameters('Collection Name')",
"date": "@{addDays(utcNow(), -1, 'yyyy-MM-dd')}"
},
"uri": "@{parameters('GIB API URL ')}sequence_list"
},
"runAfter": {},
"type": "Http"
},
"Parse_JSON": {
"inputs": {
"content": "@body('HTTP')",
"schema": {
"properties": {
"list": {
"properties": {
"suspicious_ip/tor_node": {
"type": "integer"
}
},
"type": "object"
}
},
"type": "object"
}
},
"runAfter": {
"HTTP": [
"Succeeded"
]
},
"type": "ParseJson"
},
"Update_Last_Item_id_in_Tech_table_": {
"inputs": {
"body": "{\n\"collection_name\" : \"@{parameters('Collection Name')}\",\n\"seqUpdate\" : @{body('Parse_JSON')?['list']?['suspicious_ip/tor_node']}\n}",
"headers": {
"Log-Type": "GIBTechTable"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']"
}
},
"method": "post",
"path": "/api/logs"
},
"runAfter": {
"Parse_JSON": [
"Succeeded"
]
},
"type": "ApiConnection"
},
"set_seqUpdate_": {
"inputs": {
"name": "seqUpdate",
"value": "@body('Parse_JSON')?['list']?['suspicious_ip/tor_node']"
},
"runAfter": {
"Update_Last_Item_id_in_Tech_table_": [
"Succeeded"
]
},
"type": "SetVariable"
}
}
},
"expression": {
"and": [
{
"not": {
"equals": [
"@length(body('Get_last_received_item_ID_from_Azure_Log_DB')?['value'])",
0
]
}
}
]
},
"runAfter": {
"Get_last_received_item_ID_from_Azure_Log_DB": [
"Succeeded"
]
},
"type": "If"
},
"Get_last_received_item_ID_from_Azure_Log_DB": {
"inputs": {
"body": "GIBTechTable_CL | where collection_name_s == \"@{parameters('Collection Name')}\" | sort by TimeGenerated | limit 1",
"host": {
"connection": {
"name": "@parameters('$connections')['azuremonitorlogs']['connectionId']"
}
},
"method": "post",
"path": "/queryData",
"queries": {
"resourcegroups": "Group-IB-WS",
"resourcename": "Group-IB",
"resourcetype": "Log Analytics Workspace",
"subscriptions": "xx-xxx-xxxx-xxxx-xxx",
"timerange": "Last 7 days"
}
},
"runAfter": {
"Init_TechTable": [
"Succeeded"
]
},
"type": "ApiConnection"
},
"Init_TechTable": {
"inputs": {
"body": "{\"collection_name\" : \"test/collection\",\n \"seqUpdate\": 0\n}",
"headers": {
"Log-Type": "GIBTechTable"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']"
}
},
"method": "post",
"path": "/api/logs"
},
"runAfter": {
"Initialize_seqUpdate": [
"Succeeded"
]
},
"type": "ApiConnection"
},
"Initialize_seqUpdate": {
"inputs": {
"variables": [
{
"name": "seqUpdate",
"type": "integer"
}
]
},
"runAfter": {
"Inititalize_API_Key": [
"Succeeded"
]
},
"type": "InitializeVariable"
},
"Initialize_variable": {
"inputs": {
"variables": [
{
"name": "IsPortionEmpty",
"type": "boolean",
"value": false
}
]
},
"runAfter": {
"Condition": [
"Succeeded"
]
},
"type": "InitializeVariable"
},
"Inititalize_API_Key": {
"inputs": {
"variables": [
{
"name": "GIB API Key",
"type": "string",
"value": "XXXXXXXXXXXXXXX"
}
]
},
"runAfter": {},
"type": "InitializeVariable"
},
"Until": {
"actions": {
"Get_items_from_response": {
"inputs": {
"content": "@body('Get_next_portion_of_events_from_GIB')",
"schema": {
"properties": {
"count": {
"type": [
"integer",
"null"
]
},
"items": {
"items": {
"properties": {
"dateFirstSeen": {
"type": [
"string",
"null"
]
},
"dateLastSeen": {
"type": [
"string",
"null"
]
},
"evaluation": {
"properties": {
"admiraltyCode": {
"type": [
"string",
"null"
]
},
"credibility": {
"type": [
"integer",
"null"
]
},
"reliability": {
"type": [
"integer",
"null"
]
},
"severity": {
"type": [
"string",
"null"
]
},
"tlp": {
"type": [
"string",
"null"
]
},
"ttl": {
"type": [
"integer",
"null"
]
}
},
"type": "object"
},
"id": {
"type": [
"string",
"null"
]
},
"ipv4": {
"properties": {
"asn": {},
"city": {},
"countryCode": {},
"countryName": {},
"ip": {
"type": [
"string",
"null"
]
},
"provider": {},
"region": {}
},
"type": "object"
},
"nodes": {
"type": "array"
},
"portalLink": {
"type": [
"string",
"null"
]
},
"seqUpdate": {
"type": [
"integer",
"null"
]
},
"source": {
"type": [
"string",
"null"
]
}
},
"required": [
"dateFirstSeen",
"dateLastSeen",
"evaluation",
"id",
"ipv4",
"portalLink",
"seqUpdate",
"source"
],
"type": "object"
},
"type": "array"
},
"seqUpdate": {
"type": [
"integer",
"null"
]
}
},
"type": "object"
}
},
"runAfter": {
"Get_next_portion_of_events_from_GIB": [
"Succeeded"
]
},
"type": "ParseJson"
},
"Get_next_portion_of_events_from_GIB": {
"inputs": {
"headers": {
"Accept": "*/*",
"x-auth-key": "@variables('GIB API Key')",
"x-auth-login": "@parameters('GIB Username')"
},
"method": "GET",
"queries": {
"limit": "100",
"seqUpdate": "@{variables('seqUpdate')}"
},
"uri": "@{parameters('GIB API URL ')}@{parameters('Collection Name')}/updated"
},
"runAfter": {},
"type": "Http"
},
"IfPortionHasItems": {
"actions": {
"GIBIndicatorProcessor": {
"inputs": {
"batchName": "GIBIndicatorsBatch",
"content": "@body('Select')",
"host": {
"triggerName": "Batch_messages",
"workflow": {
"id": "/subscriptions/xx-xxx-xxxx-xxxx-xxx/resourceGroups/Group-IB-WS/providers/Microsoft.Logic/workflows/GIBIndicatorProcessor"
}
}
},
"runAfter": {
"Select": [
"Succeeded"
]
},
"type": "SendToBatch"
},
"Save_only_as_Indicators": {
"actions": {},
"else": {
"actions": {
"Send_Data": {
"inputs": {
"body": "@{body('Get_items_from_response')?['items']}",
"headers": {
"Log-Type": "GIBTIASuspiciousIPTorNode"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']"
}
},
"method": "post",
"path": "/api/logs"
},
"runAfter": {},
"type": "ApiConnection"
}
}
},
"expression": {
"and": [
{
"equals": [
"@parameters('Save only indicators')",
true
]
}
]
},
"runAfter": {},
"type": "If"
},
"Select": {
"inputs": {
"from": "@body('Get_items_from_response')?['items']",
"select": {
"action": "@parameters('GIB Tor Node Address Action')",
"activityGroupNames": [],
"confidence": "@int(item()?['evaluation']?['credibility'])",
"description": "GIB Tor Node Address",
"expirationDateTime": "@addDays(item()?['dateLastSeen'], item()?['evaluation']?['ttl'])",
"externalId": "@item()?['id']",
"killChain": [],
"malwareFamilyNames": [],
"networkIPv4": "@item()?['ipv4']?['ip']",
"severity": 1,
"tags": [
"tor-node"
],
"targetProduct": "Azure Sentinel",
"threatType": "WatchList",
"tlpLevel": "@item()?['evaluation']?['tlp']"
}
},
"runAfter": {
"Save_only_as_Indicators": [
"Succeeded"
]
},
"type": "Select"
}
},
"else": {
"actions": {
"Set_Empty_portion_value": {
"inputs": {
"name": "IsPortionEmpty",
"value": true
},
"runAfter": {},
"type": "SetVariable"
}
}
},
"expression": {
"and": [
{
"not": {
"equals": [
"@length(body('Get_items_from_response')?['items'])",
0
]
}
}
]
},
"runAfter": {
"Reset_seqUpdate": [
"Succeeded"
]
},
"type": "If"
},
"Reset_seqUpdate": {
"inputs": {
"name": "seqUpdate",
"value": "@body('Get_items_from_response')?['seqUpdate']"
},
"runAfter": {
"Get_items_from_response": [
"Succeeded"
]
},
"type": "SetVariable"
},
"Save_seqUpdate": {
"inputs": {
"body": "{\n\"collection_name\" : \"@{parameters('Collection Name')}\",\n\"seqUpdate\" : @{variables('seqUpdate')}\n}",
"headers": {
"Log-Type": "GIBTechTable"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']"
}
},
"method": "post",
"path": "/api/logs"
},
"runAfter": {
"IfPortionHasItems": [
"Succeeded"
]
},
"type": "ApiConnection"
}
},
"expression": "@equals(variables('IsPortionEmpty'), true)",
"limit": {
"count": 100,
"timeout": "PT1H"
},
"runAfter": {
"Initialize_variable": [
"Succeeded"
]
},
"type": "Until"
}
},
"contentVersion": "1.0.0.0",
"outputs": {},
"parameters": {
"$connections": {
"defaultValue": {},
"type": "Object"
},
"Collection Name": {
"defaultValue": "suspicious_ip/tor_node",
"type": "String"
},
"GIB API URL ": {
"defaultValue": "https://bt.group-ib.com/api/v2/",
"type": "String"
},
"GIB Tor Node Address Action": {
"defaultValue": "unknown",
"type": "String"
},
"GIB Username": {
"defaultValue": "xxxx@domain.com",
"type": "String"
},
"Save only indicators": {
"defaultValue": true,
"type": "Bool"
}
},
"triggers": {
"Recurrence": {
"recurrence": {
"frequency": "Hour",
"interval": 1
},
"type": "Recurrence"
}
}
},
"parameters": {
"$connections": {
"value": {
"azureloganalyticsdatacollector": {
"connectionId": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', 'Group-IB-WS', '/providers/Microsoft.Web/connections/')]",
"connectionName": "[variables('AzureLogAnalyticsDataCollectorConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azureloganalyticsdatacollector')]"
},
"azuremonitorlogs": {
"connectionId": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', 'Group-IB-WS', '/providers/Microsoft.Web/connections/')]",
"connectionName": "[variables('azuremonitorlogsConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuremonitorlogs')]"
}
}
}
}
}
}
]
}
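Review bot: `Inititalize_API_Key` (the InitializeVariable action inside the workflow's `actions`) embeds the Group-IB API key as a plaintext literal, `"value": "XXXXXXXXXXXXXXX"`, so a deployer has to edit the definition and the key then persists in the deployment history, the stored workflow definition and — because both `Http` actions send it as the `x-auth-key` header — in the inputs of every run. Move it to a template parameter typed `securestring`, pass it into the definition as a `SecureString` workflow parameter read with `"value": "@parameters('GIB API Key')"`, and add `"runtimeConfiguration": {"secureData": {"properties": ["inputs"]}}` to `HTTP` and `Get_next_portion_of_events_from_GIB` so run history does not retain the header. The `azureloganalyticsdatacollector` connection resource also looks inconsistent: its `api.id` ends in `/managedApis/microsoftgraphsecurity`, while the `$connections` value in the workflow references `/managedApis/azureloganalyticsdatacollector`, and both `connectionId` values stop at `/providers/Microsoft.Web/connections/` without the connection name, with the resource group hard-coded as `'Group-IB-WS'` instead of `resourceGroup().name`. The subscription and workspace literals in `Get_last_received_item_ID_from_Azure_Log_DB` (`"subscriptions": "xx-xxx-xxxx-xxxx-xxx"`) and the batch workflow id in `GIBIndicatorProcessor` should likewise be template expressions, and the workflow resource carries no `dependsOn` on the two connection resources, so deployment ordering is not guaranteed.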


@ -7,6 +7,16 @@ There are a number of pre-configuration steps required before deploying the play
## Group-IB Sentinel Playbooks Collections Detailed Description
0. "GIBIndicatorProcessor" Playbook<br>
This playbook is used to send indicators to Microsoft Security Graph API from all other GIB playbooks.
<a href="https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fmaster%2FSolutions%2FGroup-IB%2FPlaybooks%2FPlaybooks%2Fazuredeploy-GIBIndicatorProcessor.json" target="_blank">
<img src="https://aka.ms/deploytoazurebutton""/>
</a>
<a href="https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fmaster%2FSolutions%2FGroup-IB%2FPlaybooks%2FPlaybooks%2Fazuredeploy-GIBIndicatorProcessor.json" target="_blank">
<img src="https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/deploytoazuregov.png"/>
</a>
1. "GIBTIA_APT_Threats" Playbook<br>
a. Collection: apt/threat<br>
b. Has Indicators: Yes<br>