feat: add Playbooks/Enrich-MalwareBazaar

juju4 2023-01-08 16:55:12 +00:00
Родитель 4186db7002
Коммит e1965c969d
4 изменённых файлов: 599 добавлений и 0 удалений


@ -0,0 +1,150 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"resourceTags": {
"type": "object",
"defaultValue": {
"LogicAppsCategory": "security"
}
},
"CustomConnectorName": {
"defaultValue": "MalwareBazaar",
"type": "String",
"metadata": {
"description": "Name of the connector"
}
},
"Service EndPoint": {
"defaultValue": "https://mb-api.abuse.ch",
"type": "string",
"metadata": {
"description": ""
}
},
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Location for all resources."
}
}
},
"variables": {},
"resources": [
{
"type": "Microsoft.Web/customApis",
"apiVersion": "2016-06-01",
"name": "[parameters('CustomConnectorName')]",
"location": "[parameters('location')]",
"tags": "[parameters('resourceTags')]",
"properties": {
"backendService": {
"serviceUrl": "[parameters('Service EndPoint')]"
},
"capabilities": [],
"description": "MalwareBazaar-API",
"displayName": "[parameters('CustomConnectorName')]",
"iconUri": "/Content/retail/assets/default-connection-icon.e6bb72160664a5e37b9923c3d9f50ca5.2.svg",
"swagger": {
"swagger": "2.0",
"info": {
"version": "1.0.0",
"title": "MalwareBazaar-API",
"description": "MalwareBazaar-API"
},
"host": "mb-api.abuse.ch",
"basePath": "/",
"schemes": [
"https"
],
"consumes": [],
"produces": [
"application/json"
],
"paths": {
"/api/v1/": {
"post": {
"summary": "MalwareBazaar query",
"description": "MalwareBazaar API query - https://bazaar.abuse.ch/api/",
"operationId": "malwarebazaar_query",
"consumes": [
"application/x-www-form-urlencoded"
],
"x-ms-visibility": "important",
"parameters": [
{
"in": "formData",
"name": "query",
"type": "string",
"required": true,
"enum": [
"get_info",
"get_taginfo",
"get_siginfo",
"get_imphash",
"get_tlsh",
"get_issuerinfo",
"get_subjectinfo"
]
},
{
"in": "formData",
"name": "hash",
"type": "string"
},
{
"in": "formData",
"name": "tag",
"type": "string"
},
{
"in": "formData",
"name": "limit",
"type": "integer",
"default": 100,
"minimum": 1,
"maximum": 1000
},
{
"in": "formData",
"name": "imphash",
"type": "string"
},
{
"in": "formData",
"name": "tlsh",
"type": "string"
},
{
"in": "formData",
"name": "issuer_cn",
"type": "string"
},
{
"in": "formData",
"name": "subject_cn",
"type": "string"
}
],
"responses": {
"default": {
"description": "default",
"schema": {}
}
}
}
}
},
"definitions": {},
"parameters": {},
"responses": {},
"securityDefinitions": {},
"security": [],
"tags": []
},
"apiType": "Rest"
}
}
]
}
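Review bot: The `Service EndPoint` parameter at L29-L35 ships with an empty `description`, and its value only reaches `backendService.serviceUrl` while the swagger `host` at L67 stays hard-coded to `mb-api.abuse.ch`, so overriding the parameter at deploy time leaves the two pointing at different hosts. Fill the description, e.g. `"description": "Base URL of the MalwareBazaar API; keep consistent with the swagger host"`, and either derive `host` from the same parameter or drop the parameter. The parameter name contains a space and `type` is spelled `String` at L24 but `string` at L31; ARM accepts both, but a consistent spelling and a space-free name would match the other parameters. The operation at L82-L84 declares `application/x-www-form-urlencoded` while the playbook in this commit posts `multipart/form-data`; whichever the service actually accepts, the two files should agree. With `responses.default.schema` empty at L144 callers receive an untyped body, which is why the playbook has to string-match the response instead of reading a status field.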


@ -0,0 +1,417 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"resourceTags": {
"type": "object",
"defaultValue": {
"LogicAppsCategory": "security"
}
},
"PlaybookName": {
"defaultValue": "Enrich-MalwareBazaar",
"type": "string"
},
"workflows_Enrich_MalwareBazaar_name": {
"defaultValue": "Enrich-MalwareBazaar",
"type": "String"
},
"customApis_MalwareBazaar_name": {
"defaultValue": "MalwareBazaar",
"type": "String"
},
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Location for all resources."
}
}
},
"variables": {
"AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]",
"customApisConnectionName": "[concat('customApis-', parameters('PlaybookName'))]"
},
"resources": [
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('AzureSentinelConnectionName')]",
"location": "[parameters('location')]",
"tags": "[parameters('resourceTags')]",
"properties": {
"customParameterValues": {},
"parameterValueType": "Alternative",
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('location'), '/managedApis/azuresentinel')]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('customApisConnectionName')]",
"location": "[parameters('location')]",
"tags": "[parameters('resourceTags')]",
"properties": {
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('customApis_MalwareBazaar_name'))]"
}
}
},
{
"type": "Microsoft.Logic/workflows",
"apiVersion": "2019-05-01",
"name": "[parameters('workflows_Enrich_MalwareBazaar_name')]",
"location": "[parameters('location')]",
"tags": "[parameters('resourceTags')]",
"identity": {
"type": "SystemAssigned"
},
"dependsOn": [
"[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
"[resourceId('Microsoft.Web/connections', variables('customApisConnectionName'))]"
],
"properties": {
"state": "Enabled",
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"$connections": {
"defaultValue": {},
"type": "Object"
}
},
"triggers": {
"When_Azure_Sentinel_incident_creation_rule_was_triggered": {
"type": "ApiConnectionWebhook",
"inputs": {
"body": {
"callback_url": "@{listCallbackUrl()}"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"path": "/incident-creation"
}
}
},
"actions": {
"Condition_-_No_entities": {
"actions": {
"Terminate": {
"runAfter": {},
"type": "Terminate",
"inputs": {
"runStatus": "Cancelled"
}
}
},
"runAfter": {
"Entities_-_Get_FileHashes": [
"Succeeded"
]
},
"expression": {
"and": [
{
"equals": [
"@length(body('Entities_-_Get_FileHashes')?['Filehashes'])",
0
]
}
]
},
"type": "If"
},
"Condition_if_hash_match": {
"actions": {
"Add_comment_to_incident_(V3)": {
"runAfter": {},
"type": "ApiConnection",
"inputs": {
"body": {
"incidentArmId": "@triggerBody()?['object']?['id']",
"message": "<p><span style=\"font-size: 14px\"><strong>MalwareBazaar enrichment playbook run results:</strong></span><br>\n<span style=\"font-size: 14px\"><strong>@{if(greater(length(variables('comment')), 3000), concat(take(variables('comment'), 2800), '... TRUNCATED'), variables('comment'))}</strong></span></p>"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/Incidents/Comment"
}
},
"Update_incident_2": {
"runAfter": {
"Add_comment_to_incident_(V3)": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"body": {
"incidentArmId": "@triggerBody()?['object']?['id']",
"tagsToAdd": {
"TagsToAdd": [
{
"Tag": "ThreatIntelFound-MalwareBazaar"
}
]
}
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "put",
"path": "/Incidents"
}
}
},
"runAfter": {
"For_each_Filehashes": [
"Succeeded"
]
},
"else": {
"actions": {
"Update_incident": {
"runAfter": {},
"type": "ApiConnection",
"inputs": {
"body": {
"incidentArmId": "@triggerBody()?['object']?['id']",
"tagsToAdd": {
"TagsToAdd": [
{
"Tag": "NoThreatIntelFound-MalwareBazaar"
}
]
}
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "put",
"path": "/Incidents"
}
}
}
},
"expression": {
"and": [
{
"equals": [
"@variables('hash_match')",
"@bool(true)"
]
}
]
},
"type": "If"
},
"Entities_-_Get_FileHashes": {
"runAfter": {
"Initialize_variable_hash_match": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/entities/filehash"
}
},
"For_each_Filehashes": {
"foreach": "@body('Entities_-_Get_FileHashes')?['Filehashes']",
"actions": {
"Condition_if_query_output_and_not_hash_not_found": {
"actions": {},
"runAfter": {
"MalwareBazaar_query": [
"Succeeded"
]
},
"else": {
"actions": {
"Append_to_string_variable_comment": {
"runAfter": {},
"type": "AppendToStringVariable",
"inputs": {
"name": "comment",
"value": "@{body('Parse_JSON_FileHash')?['hashValue']}: @{body('MalwareBazaar_query')}\n"
}
},
"Set_variable_hash_match": {
"runAfter": {
"Append_to_string_variable_comment": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "hash_match",
"value": "@bool(true)"
}
}
}
},
"expression": {
"and": [
{
"contains": [
"@string(body('MalwareBazaar_query'))",
"hash_not_found"
]
}
]
},
"type": "If"
},
"MalwareBazaar_query": {
"runAfter": {
"Parse_JSON_FileHash": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"body": {
"$content-type": "multipart/form-data",
"$multipart": [
{
"body": "get_info",
"headers": {
"Content-Disposition": "form-data; name=\"query\""
}
},
{
"body": "@body('Parse_JSON_FileHash')?['hashValue']",
"headers": {
"Content-Disposition": "form-data; name=\"hash\""
}
},
{
"body": "100",
"headers": {
"Content-Disposition": "form-data; name=\"limit\""
}
}
]
},
"host": {
"connection": {
"name": "@parameters('$connections')['MalwareBazaar']['connectionId']"
}
},
"method": "post",
"path": "/api/v1/"
}
},
"Parse_JSON_FileHash": {
"runAfter": {},
"type": "ParseJson",
"inputs": {
"content": "@items('For_each_Filehashes')",
"schema": {
"properties": {
"Type": {
"type": "string"
},
"Value": {
"type": "string"
},
"algorithm": {
"type": "string"
},
"friendlyName": {
"type": "string"
},
"hashValue": {
"type": "string"
}
},
"type": "object"
}
}
}
},
"runAfter": {
"Condition_-_No_entities": [
"Succeeded"
]
},
"type": "Foreach"
},
"Initialize_variable_comment": {
"runAfter": {},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "comment",
"type": "string"
}
]
}
},
"Initialize_variable_hash_match": {
"runAfter": {
"Initialize_variable_comment": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "hash_match",
"type": "boolean",
"value": "@bool(false)"
}
]
}
}
},
"outputs": {}
},
"parameters": {
"$connections": {
"value": {
"MalwareBazaar": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('customApisConnectionName'))]",
"connectionName": "[variables('customApisConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('customApis_MalwareBazaar_name'))]"
},
"azuresentinel": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
"connectionName": "[variables('AzureSentinelConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('location'), '/managedApis/azuresentinel')]",
"connectionProperties": {
"authentication": {
"type": "ManagedServiceIdentity"
}
}
}
}
}
}
}
}
]
}
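Review bot: `Condition_if_query_output_and_not_hash_not_found` at L408-L450 leaves its true branch empty and does the work in `else`, so any response that does not literally contain `hash_not_found` — a transport error, an error status for an unsupported hash, or a non-JSON error page — sets `hash_match` and tags the incident `ThreatIntelFound-MalwareBazaar`. Testing for the API's positive status instead (MalwareBazaar responses carry a `query_status` field whose success value is `ok`; confirm against the current API documentation) would avoid false-positive tags and comments. `For_each_Filehashes` at L405-L525 has no `runtimeConfiguration`, so iterations run concurrently by default and the `AppendToStringVariable`/`SetVariable` actions inside it can interleave; adding `"runtimeConfiguration": { "concurrency": { "repetitions": 1 } }` to the Foreach makes it sequential. The comment built at L422 and rendered at L304 embeds the raw MalwareBazaar response body — third-party data that may contain strings chosen by whoever submitted the sample — inside HTML markup, so selecting only the fields the analyst needs from a parsed response would keep the comment readable, bounded and free of stray markup. At L288, `length(body(...)?['Filehashes'])` presumably fails the condition action rather than terminating cleanly when the property is absent, so guarding with `coalesce(..., createArray())` or an `empty()` check is worth considering.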

Двоичные данные
Playbooks/Enrich-MalwareBazaar/images/Enrich-MalwareBazaar.png Normal file



@ -0,0 +1,32 @@
# Enrich-MalwareBazaar
Add information from [MalwareBazaar](https://bazaar.abuse.ch/api/) aka abuse.ch to a Sentinel Incident
## Quick Deployment
**Deploy with incident trigger** (recommended)
After deployment, attach this playbook to an **automation rule** so it runs when the incident is created.
[Learn more about automation rules](https://docs.microsoft.com/azure/sentinel/automate-incident-handling-with-automation-rules#creating-and-managing-automation-rules)
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FEnrich-MalwareBazaar%2FPlaybook%2Fazuredeploy.json)
[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FEnrich-MalwareBazaar%2FPlaybook%2Fazuredeploy.json)
## Prerequisites
* No API key for malwarebazaar
* Logic Apps Custom Connector for MalwareBazaar
* Logic App managed identity should be given Sentinel Responder role to read incident trigger and write comment/tag to incident
## Screenshots
![Enrich-MalwareBazaar](./images/Enrich-MalwareBazaar.png)
## Workflow explained
(step by step pseudo-code)
1. Sentinel incident trigger
2. Get FileHashes entities
3. Validate that entities list is not empty or terminate
4. For each FileHashes, do a malwarebazaar query and append output to comment
5. Update sentinel incident with comment and appropriate tag Found/NotFound