Update Isolate-MDEMachine
Changed name, added screenshots and folder structure.
This commit is contained in:
Родитель
fdf8af28be
Коммит
e69784a9dc
|
@ -4,7 +4,7 @@
|
||||||
"metadata": {
|
"metadata": {
|
||||||
"title": "Get-ASCRecommendations",
|
"title": "Get-ASCRecommendations",
|
||||||
"description": "This playbook will call the collect invesitgation package in MDE. It will then loop until thats complete, once complete it will add a comment to the incident and post a message in teams with the URL to download the package.",
|
"description": "This playbook will call the collect invesitgation package in MDE. It will then loop until thats complete, once complete it will add a comment to the incident and post a message in teams with the URL to download the package.",
|
||||||
"prerequisites": "1. You will need the Team Id and Chat Id.",
|
"prerequisites": "1. You will need the Team Id and Chat Id. 2. You will need to grant Machine.CollectForensics permissions to the managed identity.",
|
||||||
"lastUpdateTime": "2021-06-03T00:00:00.000Z",
|
"lastUpdateTime": "2021-06-03T00:00:00.000Z",
|
||||||
"entities": [ "Host" ],
|
"entities": [ "Host" ],
|
||||||
"tags": [ "Repsond" ],
|
"tags": [ "Repsond" ],
|
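Review bot: The new `prerequisites` value tells the deployer to collect the "Team Id and Chat Id", while the README hunk that follows (which carries the same Machine.CollectForensics prerequisite and so appears to belong to this playbook) asks for the "Team Id and Channel Id"; one of the two should be corrected so the right identifier is collected, and if the message is posted to a Teams channel it is presumably the channel id that is needed, e.g. `"prerequisites": "1. You will need the Team Id and Channel Id. 2. You will need to grant Machine.CollectForensics permissions to the managed identity."`. Since the metadata block is being edited anyway, the unchanged `"title": "Get-ASCRecommendations"` does not match a description about collecting an MDE investigation package and looks like a copy-paste leftover, and the description and tags still carry the typos `invesitgation`/`thats` and `Repsond`. Both the title and the tag are what the content hub and the playbook gallery index on, so a wrong title is more than cosmetic.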
||||||
|
|
|
@ -32,6 +32,19 @@ After deployment, you can run this playbook manually on an alert or attach it to
|
||||||
## Prerequisites
|
## Prerequisites
|
||||||
|
|
||||||
- [This](https://www.linkedin.com/pulse/3-ways-locate-microsoft-team-id-christopher-barber-/) blog shows some simple methods to get the Team Id. You will need the Team Id and Channel Id.
|
- [This](https://www.linkedin.com/pulse/3-ways-locate-microsoft-team-id-christopher-barber-/) blog shows some simple methods to get the Team Id. You will need the Team Id and Channel Id.
|
||||||
|
- You will need to grant Machine.CollectForensics permissions to the managed identity. Run the following code replacing the managed identity object id. You find the managed identity object id on the Identity blade under Settings for the Logic App.
|
||||||
|
```powershell
|
||||||
|
$MIGuid = "<Enter your managed identity guid here>"
|
||||||
|
$MI = Get-AzureADServicePrincipal -ObjectId $MIGuid
|
||||||
|
|
||||||
|
$MDEAppId = "fc780465-2017-40d4-a0c5-307022471b92"
|
||||||
|
$PermissionName = "Machine.CollectForensics"
|
||||||
|
|
||||||
|
$MDEServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$MDEAppId'"
|
||||||
|
$AppRole = $MDEServicePrincipal.AppRoles | Where-Object {$_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains "Application"}
|
||||||
|
New-AzureAdServiceAppRoleAssignment -ObjectId $MI.ObjectId -PrincipalId $MI.ObjectId `
|
||||||
|
-ResourceId $MDEServicePrincipal.ObjectId -Id $AppRole.Id
|
||||||
|
```
|
||||||
|
|
||||||
## Screenshots
|
## Screenshots
|
||||||
**Incident Trigger**<br>
|
**Incident Trigger**<br>
|
||||||
|
|
|
@ -1,11 +0,0 @@
|
||||||
# Isolate-MDATPMachine
|
|
||||||
author: Nicholas DiCola
|
|
||||||
|
|
||||||
This playbook will isolate (full) the machine in Microsoft Defender ATP.
|
|
||||||
|
|
||||||
<a href="https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FIsolate-MDATPMachine%2Fazuredeploy.json" target="_blank">
|
|
||||||
<img src="https://aka.ms/deploytoazurebutton""/>
|
|
||||||
</a>
|
|
||||||
<a href="https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FIsolate-MDATPMachine%2Fazuredeploy.json" target="_blank">
|
|
||||||
<img src="https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/deploytoazuregov.png"/>
|
|
||||||
</a>
|
|
|
@ -2,16 +2,12 @@
|
||||||
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
|
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
|
||||||
"contentVersion": "1.0.0.0",
|
"contentVersion": "1.0.0.0",
|
||||||
"metadata": {
|
"metadata": {
|
||||||
"comments": "This playbook will isolate (full) the machine in Microsoft Defender ATP.",
|
"comments": "This playbook will isolate (full) the machine in Microsoft Defender for Endpoint.",
|
||||||
"author": "Nicholas DiCola"
|
"author": "Nicholas DiCola"
|
||||||
},
|
},
|
||||||
"parameters": {
|
"parameters": {
|
||||||
"PlaybookName": {
|
"PlaybookName": {
|
||||||
"defaultValue": "Isolate-MDATPMachine",
|
"defaultValue": "Isolate-MDEMachine",
|
||||||
"type": "string"
|
|
||||||
},
|
|
||||||
"UserName": {
|
|
||||||
"defaultValue": "<username>@<domain>",
|
|
||||||
"type": "string"
|
"type": "string"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
@ -26,9 +22,11 @@
|
||||||
"apiVersion": "2016-06-01",
|
"apiVersion": "2016-06-01",
|
||||||
"name": "[variables('AzureSentinelConnectionName')]",
|
"name": "[variables('AzureSentinelConnectionName')]",
|
||||||
"location": "[resourceGroup().location]",
|
"location": "[resourceGroup().location]",
|
||||||
|
"kind": "V1",
|
||||||
"properties": {
|
"properties": {
|
||||||
"displayName": "[parameters('UserName')]",
|
"displayName": "[parameters('PlaybookName')]",
|
||||||
"customParameterValues": {},
|
"customParameterValues": {},
|
||||||
|
"parameterValueType": "Alternative",
|
||||||
"api": {
|
"api": {
|
||||||
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
|
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
|
||||||
}
|
}
|
||||||
|
@ -39,9 +37,11 @@
|
||||||
"apiVersion": "2016-06-01",
|
"apiVersion": "2016-06-01",
|
||||||
"name": "[variables('MDATPConnectionName')]",
|
"name": "[variables('MDATPConnectionName')]",
|
||||||
"location": "[resourceGroup().location]",
|
"location": "[resourceGroup().location]",
|
||||||
|
"kind": "V1",
|
||||||
"properties": {
|
"properties": {
|
||||||
"displayName": "[parameters('UserName')]",
|
"displayName": "[parameters('PlaybookName')]",
|
||||||
"customParameterValues": {},
|
"customParameterValues": {},
|
||||||
|
"parameterValueType": "Alternative",
|
||||||
"api": {
|
"api": {
|
||||||
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/wdatp')]"
|
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/wdatp')]"
|
||||||
}
|
}
|
||||||
|
@ -55,6 +55,9 @@
|
||||||
"tags": {
|
"tags": {
|
||||||
"LogicAppsCategory": "security"
|
"LogicAppsCategory": "security"
|
||||||
},
|
},
|
||||||
|
"identity": {
|
||||||
|
"type": "SystemAssigned"
|
||||||
|
},
|
||||||
"dependsOn": [
|
"dependsOn": [
|
||||||
"[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
|
"[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
|
||||||
"[resourceId('Microsoft.Web/connections', variables('MDATPConnectionName'))]"
|
"[resourceId('Microsoft.Web/connections', variables('MDATPConnectionName'))]"
|
||||||
|
@ -64,7 +67,20 @@
|
||||||
"definition": {
|
"definition": {
|
||||||
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
|
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
|
||||||
"actions": {
|
"actions": {
|
||||||
"Alert_-_Get_hosts": {
|
"Alert_-_Get_incident": {
|
||||||
|
"inputs": {
|
||||||
|
"host": {
|
||||||
|
"connection": {
|
||||||
|
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"method": "get",
|
||||||
|
"path": "/Incidents/subscriptions/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/resourceGroups/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/workspaces/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/alerts/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}"
|
||||||
|
},
|
||||||
|
"runAfter": {},
|
||||||
|
"type": "ApiConnection"
|
||||||
|
},
|
||||||
|
"Entities_-_Get_Hosts": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"body": "@triggerBody()?['Entities']",
|
"body": "@triggerBody()?['Entities']",
|
||||||
"host": {
|
"host": {
|
||||||
|
@ -82,62 +98,89 @@
|
||||||
},
|
},
|
||||||
"type": "ApiConnection"
|
"type": "ApiConnection"
|
||||||
},
|
},
|
||||||
"Alert_-_Get_incident": {
|
|
||||||
"inputs": {
|
|
||||||
"host": {
|
|
||||||
"connection": {
|
|
||||||
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"method": "get",
|
|
||||||
"path": "/Cases/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}"
|
|
||||||
},
|
|
||||||
"runAfter": {},
|
|
||||||
"type": "ApiConnection"
|
|
||||||
},
|
|
||||||
"For_each": {
|
"For_each": {
|
||||||
"actions": {
|
"actions": {
|
||||||
"Actions_-_Isolate_machine_2": {
|
"Condition": {
|
||||||
"inputs": {
|
"actions": {
|
||||||
"body": {
|
"Actions_-_Isolate_machine": {
|
||||||
"Comment": "Isolated from playbook for Azure Sentinel Incident: @{body('Alert_-_Get_incident')?['properties']?['CaseNumber']} - @{body('Alert_-_Get_incident')?['properties']?['Title']}",
|
"inputs": {
|
||||||
"IsolationType": "Full"
|
"body": {
|
||||||
|
"Comment": "Isolated from playbook for Azure Sentinel Incident: @{body('Alert_-_Get_incident')?['properties']?['incidentNumber']} - @{body('Alert_-_Get_incident')?['properties']?['title']}",
|
||||||
|
"IsolationType": "Full"
|
||||||
|
},
|
||||||
|
"host": {
|
||||||
|
"connection": {
|
||||||
|
"name": "@parameters('$connections')['wdatp']['connectionId']"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"method": "post",
|
||||||
|
"path": "/api/machines/@{encodeURIComponent(items('For_each')?['MdatpDeviceId'])}/isolate"
|
||||||
|
},
|
||||||
|
"runAfter": {},
|
||||||
|
"type": "ApiConnection"
|
||||||
},
|
},
|
||||||
"host": {
|
"Add_comment_to_incident_(V3)": {
|
||||||
"connection": {
|
"inputs": {
|
||||||
"name": "@parameters('$connections')['wdatp']['connectionId']"
|
"body": {
|
||||||
}
|
"incidentArmId": "@body('Alert_-_Get_incident')?['id']",
|
||||||
},
|
"message": "<p>@{items('For_each')?['HostName']} was isolated in MDE and the status was @{body('Actions_-_Isolate_machine')?['status']}</p>"
|
||||||
"method": "post",
|
},
|
||||||
"path": "/api/machines/@{encodeURIComponent(items('For_each')?['MdatpDeviceId'])}/isolate"
|
"host": {
|
||||||
|
"connection": {
|
||||||
|
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"method": "post",
|
||||||
|
"path": "/Incidents/Comment"
|
||||||
|
},
|
||||||
|
"runAfter": {
|
||||||
|
"Actions_-_Isolate_machine": [
|
||||||
|
"Succeeded"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"type": "ApiConnection"
|
||||||
|
}
|
||||||
},
|
},
|
||||||
"runAfter": {},
|
"else": {
|
||||||
"type": "ApiConnection"
|
"actions": {
|
||||||
},
|
"Add_comment_to_incident_(V3)_2": {
|
||||||
"Add_comment_to_incident_(V2)_2": {
|
"inputs": {
|
||||||
"inputs": {
|
"body": {
|
||||||
"body": {
|
"incidentArmId": "@body('Alert_-_Get_incident')?['id']",
|
||||||
"Value": "@{items('For_each')?['HostName']} was isolated in MDATP and the status was @{body('Actions_-_Isolate_machine_2')?['status']}"
|
"message": "<p>@{items('For_each')?['HostName']} does not have MDEDeviceID in the Entities list. It was not isolated. </p>"
|
||||||
},
|
},
|
||||||
"host": {
|
"host": {
|
||||||
"connection": {
|
"connection": {
|
||||||
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
|
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"method": "post",
|
||||||
|
"path": "/Incidents/Comment"
|
||||||
|
},
|
||||||
|
"runAfter": {},
|
||||||
|
"type": "ApiConnection"
|
||||||
}
|
}
|
||||||
},
|
}
|
||||||
"method": "put",
|
|
||||||
"path": "/Comment/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/@{encodeURIComponent('Incident')}/@{encodeURIComponent(body('Alert_-_Get_incident')?['properties']?['CaseNumber'])}"
|
|
||||||
},
|
},
|
||||||
"runAfter": {
|
"expression": {
|
||||||
"Actions_-_Isolate_machine_2": [
|
"and": [
|
||||||
"Succeeded"
|
{
|
||||||
|
"not": {
|
||||||
|
"equals": [
|
||||||
|
"@items('For_each')?['MdatpDeviceId']",
|
||||||
|
"@null"
|
||||||
|
]
|
||||||
|
}
|
||||||
|
}
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"type": "ApiConnection"
|
"runAfter": {},
|
||||||
|
"type": "If"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"foreach": "@body('Alert_-_Get_hosts')?['Hosts']",
|
"foreach": "@body('Entities_-_Get_Hosts')?['Hosts']",
|
||||||
"runAfter": {
|
"runAfter": {
|
||||||
"Alert_-_Get_hosts": [
|
"Entities_-_Get_Hosts": [
|
||||||
"Succeeded"
|
"Succeeded"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
|
@ -175,12 +218,22 @@
|
||||||
"azuresentinel": {
|
"azuresentinel": {
|
||||||
"connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
|
"connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
|
||||||
"connectionName": "[variables('AzureSentinelConnectionName')]",
|
"connectionName": "[variables('AzureSentinelConnectionName')]",
|
||||||
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
|
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]",
|
||||||
|
"connectionProperties": {
|
||||||
|
"authentication": {
|
||||||
|
"type": "ManagedServiceIdentity"
|
||||||
|
}
|
||||||
|
}
|
||||||
},
|
},
|
||||||
"wdatp": {
|
"wdatp": {
|
||||||
"connectionId": "[resourceId('Microsoft.Web/connections', variables('MDATPConnectionName'))]",
|
"connectionId": "[resourceId('Microsoft.Web/connections', variables('MDATPConnectionName'))]",
|
||||||
"connectionName": "[variables('MDATPConnectionName')]",
|
"connectionName": "[variables('MDATPConnectionName')]",
|
||||||
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/wdatp')]"
|
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/wdatp')]",
|
||||||
|
"connectionProperties": {
|
||||||
|
"authentication": {
|
||||||
|
"type": "ManagedServiceIdentity"
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
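Review bot: In the `@ -82,62 +98,89 @@` hunk, `Add_comment_to_incident_(V3)` is gated on `"Actions_-_Isolate_machine": [ "Succeeded" ]`, so when the isolate call fails or times out no comment reaches the incident and the analyst gets no signal that the host is still unisolated; the incident-trigger template added later in this commit has the same shape in its `Add_comment_to_incident_(V3)` action. Consider running the comment on `[ "Succeeded", "Failed", "TimedOut" ]` and wording it by outcome, e.g. `"message": "<p>Isolation of @{items('For_each')?['HostName']} was requested in MDE; action status: @{actions('Actions_-_Isolate_machine')?['status']}</p>"` — on a failed call the MDE response body presumably has no `status` field, so reading the action status via `actions()` is safer than `body()`. Separately, the `$connections` hunk moves both connections to `ManagedServiceIdentity`, but the README and metadata added in this commit document only the `Machine.Isolate` app role; the identity presumably also needs a role on the Sentinel workspace to read the incident and post comments, which is worth stating in the same prerequisites list so the deployment is not left half-authorized.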
Двоичные данные
Playbooks/Isolate-MDEMachine/alert-trigger/images/Isolate-MDEMachine_alert.png
Normal file
Двоичные данные
Playbooks/Isolate-MDEMachine/alert-trigger/images/Isolate-MDEMachine_alert.png
Normal file
Двоичный файл не отображается.
После Ширина: | Высота: | Размер: 49 KiB |
|
@ -0,0 +1,237 @@
|
||||||
|
{
|
||||||
|
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
|
||||||
|
"contentVersion": "1.0.0.0",
|
||||||
|
"metadata": {
|
||||||
|
"title": "Isolate-MDEMachine",
|
||||||
|
"description": "This playbook will isolate (full) the machine in Microsoft Defender for Endpoint.",
|
||||||
|
"prerequisites": "You will need to grant Machine.Isolate permissions to the managed identity.",
|
||||||
|
"lastUpdateTime": "2021-06-08T00:00:00.000Z",
|
||||||
|
"entities": [ "Host" ],
|
||||||
|
"tags": [ "Remediation" ],
|
||||||
|
"support": {
|
||||||
|
"kind": "Community"
|
||||||
|
},
|
||||||
|
"author": {
|
||||||
|
"name": "Nicholas DiCola"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"parameters": {
|
||||||
|
"PlaybookName": {
|
||||||
|
"defaultValue": "Isolate-MDEMachine",
|
||||||
|
"type": "string"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"variables": {
|
||||||
|
"AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]",
|
||||||
|
"MDATPConnectionName": "[concat('wdatp-', parameters('PlaybookName'))]"
|
||||||
|
|
||||||
|
},
|
||||||
|
"resources": [
|
||||||
|
{
|
||||||
|
"type": "Microsoft.Web/connections",
|
||||||
|
"apiVersion": "2016-06-01",
|
||||||
|
"name": "[variables('AzureSentinelConnectionName')]",
|
||||||
|
"location": "[resourceGroup().location]",
|
||||||
|
"kind": "V1",
|
||||||
|
"properties": {
|
||||||
|
"displayName": "[parameters('PlaybookName')]",
|
||||||
|
"customParameterValues": {},
|
||||||
|
"parameterValueType": "Alternative",
|
||||||
|
"api": {
|
||||||
|
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"type": "Microsoft.Web/connections",
|
||||||
|
"apiVersion": "2016-06-01",
|
||||||
|
"name": "[variables('MDATPConnectionName')]",
|
||||||
|
"location": "[resourceGroup().location]",
|
||||||
|
"kind": "V1",
|
||||||
|
"properties": {
|
||||||
|
"displayName": "[parameters('PlaybookName')]",
|
||||||
|
"customParameterValues": {},
|
||||||
|
"parameterValueType": "Alternative",
|
||||||
|
"api": {
|
||||||
|
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/wdatp')]"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"type": "Microsoft.Logic/workflows",
|
||||||
|
"apiVersion": "2017-07-01",
|
||||||
|
"name": "[parameters('PlaybookName')]",
|
||||||
|
"location": "[resourceGroup().location]",
|
||||||
|
"tags": {
|
||||||
|
"LogicAppsCategory": "security"
|
||||||
|
},
|
||||||
|
"identity": {
|
||||||
|
"type": "SystemAssigned"
|
||||||
|
},
|
||||||
|
"dependsOn": [
|
||||||
|
"[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
|
||||||
|
"[resourceId('Microsoft.Web/connections', variables('MDATPConnectionName'))]"
|
||||||
|
],
|
||||||
|
"properties": {
|
||||||
|
"state": "Enabled",
|
||||||
|
"definition": {
|
||||||
|
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
|
||||||
|
"actions": {
|
||||||
|
"Entities_-_Get_Hosts": {
|
||||||
|
"inputs": {
|
||||||
|
"body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
|
||||||
|
"host": {
|
||||||
|
"connection": {
|
||||||
|
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"method": "post",
|
||||||
|
"path": "/entities/host"
|
||||||
|
},
|
||||||
|
"runAfter": {},
|
||||||
|
"type": "ApiConnection"
|
||||||
|
},
|
||||||
|
"For_each": {
|
||||||
|
"actions": {
|
||||||
|
"Condition": {
|
||||||
|
"actions": {
|
||||||
|
"Actions_-_Isolate_machine": {
|
||||||
|
"inputs": {
|
||||||
|
"body": {
|
||||||
|
"Comment": "Isolated from playbook for Azure Sentinel Incident: @{triggerBody()?['object']?['properties']?['incidentNumber']} - @{triggerBody()?['object']?['properties']?['title']}",
|
||||||
|
"IsolationType": "Full"
|
||||||
|
},
|
||||||
|
"host": {
|
||||||
|
"connection": {
|
||||||
|
"name": "@parameters('$connections')['wdatp']['connectionId']"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"method": "post",
|
||||||
|
"path": "/api/machines/@{encodeURIComponent(items('For_each')?['MdatpDeviceId'])}/isolate"
|
||||||
|
},
|
||||||
|
"runAfter": {},
|
||||||
|
"type": "ApiConnection"
|
||||||
|
},
|
||||||
|
"Add_comment_to_incident_(V3)": {
|
||||||
|
"inputs": {
|
||||||
|
"body": {
|
||||||
|
"incidentArmId": "@triggerBody()?['object']?['id']",
|
||||||
|
"message": "<p>@{items('For_each')?['HostName']} was isolated in MDE and the status was @{body('Actions_-_Isolate_machine')?['status']}</p>"
|
||||||
|
},
|
||||||
|
"host": {
|
||||||
|
"connection": {
|
||||||
|
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"method": "post",
|
||||||
|
"path": "/Incidents/Comment"
|
||||||
|
},
|
||||||
|
"runAfter": {
|
||||||
|
"Actions_-_Isolate_machine": [
|
||||||
|
"Succeeded"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"type": "ApiConnection"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"else": {
|
||||||
|
"actions": {
|
||||||
|
"Add_comment_to_incident_(V3)_2": {
|
||||||
|
"inputs": {
|
||||||
|
"body": {
|
||||||
|
"incidentArmId": "@triggerBody()?['object']?['id']",
|
||||||
|
"message": "<p>@{items('For_each')?['HostName']} does not have MDEDeviceID in the Entities list. It was not isolated. </p>"
|
||||||
|
},
|
||||||
|
"host": {
|
||||||
|
"connection": {
|
||||||
|
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"method": "post",
|
||||||
|
"path": "/Incidents/Comment"
|
||||||
|
},
|
||||||
|
"runAfter": {},
|
||||||
|
"type": "ApiConnection"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"expression": {
|
||||||
|
"and": [
|
||||||
|
{
|
||||||
|
"not": {
|
||||||
|
"equals": [
|
||||||
|
"@items('For_each')?['MdatpDeviceId']",
|
||||||
|
"@null"
|
||||||
|
]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"runAfter": {},
|
||||||
|
"type": "If"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"foreach": "@body('Entities_-_Get_Hosts')?['Hosts']",
|
||||||
|
"runAfter": {
|
||||||
|
"Entities_-_Get_Hosts": [
|
||||||
|
"Succeeded"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"type": "Foreach"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"contentVersion": "1.0.0.0",
|
||||||
|
"outputs": {},
|
||||||
|
"parameters": {
|
||||||
|
"$connections": {
|
||||||
|
"defaultValue": {},
|
||||||
|
"type": "Object"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"triggers": {
|
||||||
|
"When_Azure_Sentinel_incident_creation_rule_was_triggered": {
|
||||||
|
"inputs": {
|
||||||
|
"body": {
|
||||||
|
"callback_url": "@{listCallbackUrl()}"
|
||||||
|
},
|
||||||
|
"host": {
|
||||||
|
"connection": {
|
||||||
|
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"path": "/incident-creation"
|
||||||
|
},
|
||||||
|
"type": "ApiConnectionWebhook"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"parameters": {
|
||||||
|
"$connections": {
|
||||||
|
"value": {
|
||||||
|
"azuresentinel": {
|
||||||
|
"connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
|
||||||
|
"connectionName": "[variables('AzureSentinelConnectionName')]",
|
||||||
|
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]",
|
||||||
|
"connectionProperties": {
|
||||||
|
"authentication": {
|
||||||
|
"type": "ManagedServiceIdentity"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"wdatp": {
|
||||||
|
"connectionId": "[resourceId('Microsoft.Web/connections', variables('MDATPConnectionName'))]",
|
||||||
|
"connectionName": "[variables('MDATPConnectionName')]",
|
||||||
|
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/wdatp')]",
|
||||||
|
"connectionProperties": {
|
||||||
|
"authentication": {
|
||||||
|
"type": "ManagedServiceIdentity"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
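Review bot: `IsolationType` is hard-coded to `"Full"` inside `Actions_-_Isolate_machine`, and the comment written back to the incident never states which isolation type was applied; because the `For_each` runs this against every host entity returned by `Entities_-_Get_Hosts`, a full isolation of every host in the incident is the most disruptive response the playbook can take, and exposing it as a template parameter keeps that choice reviewable at deployment time. Adding `"IsolationType": { "defaultValue": "Full", "type": "string" }` under the template `parameters` and using `"IsolationType": "[parameters('IsolationType')]"` in the action body keeps the current behaviour as the default. The else-branch message says `MDEDeviceID` while the `expression` actually tests `items('For_each')?['MdatpDeviceId']`; spelling the field as the entity schema does makes the comment actionable for an analyst checking why a host was skipped. The `variables` object also carries a stray blank line before its closing brace.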
Двоичные данные
Playbooks/Isolate-MDEMachine/incident-trigger/images/Isolate-MDEMachine_incident.png
Normal file
Двоичные данные
Playbooks/Isolate-MDEMachine/incident-trigger/images/Isolate-MDEMachine_incident.png
Normal file
Двоичный файл не отображается.
После Ширина: | Высота: | Размер: 44 KiB |
Двоичный файл не отображается.
После Ширина: | Высота: | Размер: 45 KiB |
Двоичный файл не отображается.
После Ширина: | Высота: | Размер: 44 KiB |
|
@ -0,0 +1,52 @@
|
||||||
|
# Isolate-MDEMachine
|
||||||
|
author: Nicholas DiCola
|
||||||
|
|
||||||
|
This playbook will isolate (full) the machine in Microsoft Defender for Endpoint.
|
||||||
|
|
||||||
|
## Quick Deployment
|
||||||
|
**Deploy with incident trigger** (recommended)
|
||||||
|
|
||||||
|
After deployment, attach this playbook to an **automation rule** so it runs when the incident is created.
|
||||||
|
|
||||||
|
[Learn more about automation rules](https://docs.microsoft.com/azure/sentinel/automate-incident-handling-with-automation-rules#creating-and-managing-automation-rules)
|
||||||
|
|
||||||
|
<a href="https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FIsolate-MDEMachine%2Fincident-trigger%2Fazuredeploy.json" target="_blank">
|
||||||
|
<img src="https://aka.ms/deploytoazurebutton"/>
|
||||||
|
</a>
|
||||||
|
<a href="https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FIsolate-MDEMachine%2Fincident-trigger%2Fazuredeploy.json" target="_blank">
|
||||||
|
<img src="https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/deploytoazuregov.png"/>
|
||||||
|
</a>
|
||||||
|
|
||||||
|
|
||||||
|
**Deploy with alert trigger**
|
||||||
|
|
||||||
|
After deployment, you can run this playbook manually on an alert or attach it to an **analytics rule** so it will rune when an alert is created.
|
||||||
|
|
||||||
|
<a href="https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FIsolate-MDEMachine%2Falert-trigger%2Fazuredeploy.json" target="_blank">
|
||||||
|
<img src="https://aka.ms/deploytoazurebutton"/>
|
||||||
|
</a>
|
||||||
|
<a href="https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FIsolate-MDEMachine%2Falert-trigger%2Fazuredeploy.json" target="_blank">
|
||||||
|
<img src="https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/deploytoazuregov.png"/>
|
||||||
|
</a>
|
||||||
|
|
||||||
|
## Prerequisites
|
||||||
|
|
||||||
|
- You will need to grant Machine.Isolate permissions to the managed identity. Run the following code replacing the managed identity object id. You find the managed identity object id on the Identity blade under Settings for the Logic App.
|
||||||
|
```powershell
|
||||||
|
$MIGuid = "<Enter your managed identity guid here>"
|
||||||
|
$MI = Get-AzureADServicePrincipal -ObjectId $MIGuid
|
||||||
|
|
||||||
|
$MDEAppId = "fc780465-2017-40d4-a0c5-307022471b92"
|
||||||
|
$PermissionName = "Machine.Isolate"
|
||||||
|
|
||||||
|
$MDEServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$MDEAppId'"
|
||||||
|
$AppRole = $MDEServicePrincipal.AppRoles | Where-Object {$_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains "Application"}
|
||||||
|
New-AzureAdServiceAppRoleAssignment -ObjectId $MI.ObjectId -PrincipalId $MI.ObjectId `
|
||||||
|
-ResourceId $MDEServicePrincipal.ObjectId -Id $AppRole.Id
|
||||||
|
```
|
||||||
|
|
||||||
|
## Screenshots
|
||||||
|
**Incident Trigger**<br>
|
||||||
|
![Incident Trigger](./incident-trigger/images/Isolate-MDEMachine_incident.png)<br>
|
||||||
|
**Alert Trigger**<br>
|
||||||
|
![Alert Trigger](./alert-trigger/images/Isolate-MDEMachine_alert.png)<br>
|