Merge pull request #6341 from syed-loginsoft/cybersixgill
Cybersixgill Actionable alerts
|
@ -0,0 +1,58 @@
|
|||
[{
|
||||
"alert_name": "Actors are seeking to transact {matched_products} ",
|
||||
"alert_type_id": "5fd0d27be87dd430a82bab1a",
|
||||
"category": "regular",
|
||||
"content": "He denied the money didbt arrive but when i asked fior transaction history, he sent @sixgill-start-highlight@nothing@sixgill-end-highlight@! \nNow here is a twist!",
|
||||
"date": "2022-05-02 05:09:19",
|
||||
"id": "626f677f3a380599da0a7c75",
|
||||
"lang": "English",
|
||||
"langcode": "en",
|
||||
"read": false,
|
||||
"severity": 1,
|
||||
"status": {
|
||||
"name": "treatment_required"
|
||||
},
|
||||
"sub_alerts": [
|
||||
{
|
||||
"aggregate_alert_id": 0,
|
||||
"content": "He denied the money didbt arrive but when i asked fior transaction history, he sent @sixgill-start-highlight@nothing@sixgill-end-highlight@! \nNow here is a twist!",
|
||||
"date": "2022-05-02 05:09:17",
|
||||
"matched_assets": {
|
||||
"organization_aliases": [],
|
||||
"products": []
|
||||
},
|
||||
"read": false,
|
||||
"site": "forum_club2crd",
|
||||
"status": {
|
||||
"name": "treatment_required"
|
||||
}
|
||||
},
|
||||
{
|
||||
"aggregate_alert_id": 1,
|
||||
"content": "Format your computer (I would recommend using a burner laptop, that means a new one with @sixgill-start-highlight@nothing@sixgill-end-highlight@ but a preinstalled OS or not even that), install a new OS.",
|
||||
"date": "2022-05-02 05:09:19",
|
||||
"matched_assets": {
|
||||
"organization_aliases": [],
|
||||
"products": []
|
||||
},
|
||||
"read": false,
|
||||
"site": "forum_envoy",
|
||||
"status": {
|
||||
"name": "treatment_required"
|
||||
}
|
||||
}
|
||||
],
|
||||
"sub_alerts_size": 2,
|
||||
"threat_level": "emerging",
|
||||
"threats": [
|
||||
"Fraud",
|
||||
"Compromised Accounts",
|
||||
"Brand Protection"
|
||||
],
|
||||
"title": "Actors are seeking to transact your products",
|
||||
"user_id": "5eb974f91387700013df9a34",
|
||||
"assets": "Loginsoft",
|
||||
"threat_actor": "",
|
||||
"threat_source": "Telegram",
|
||||
"portal_url": "https://portal.cybersixgill.com/#/?actionable_alert=626f677f3a380599da0a7c75"
|
||||
}]
|
Двоичные данные
Solutions/Cybersixgill-Actionable-Alerts/Data Connectors/CybersixgillAlerts.zip
Normal file
|
@ -0,0 +1,160 @@
|
|||
# import datetime
|
||||
from datetime import datetime, timedelta, timezone
|
||||
from copy import deepcopy
|
||||
from json import dumps
|
||||
from re import match
|
||||
import logging
|
||||
|
||||
from os import environ
|
||||
import azure.functions as func
|
||||
from .state_manager import StateManager
|
||||
from .utils import remove_patterns, save_to_sentinel
|
||||
|
||||
from sixgill.sixgill_actionable_alert_client import SixgillActionableAlertClient
|
||||
|
||||
customer_id = environ['WorkspaceID']
|
||||
shared_key = environ['WorkspaceKey']
|
||||
connection_string = environ['AzureWebJobsStorage']
|
||||
client_id = environ['ClientID']
|
||||
client_secret = environ['ClientSecret']
|
||||
logAnalyticsUri = environ.get('logAnalyticsUri')
|
||||
CHANNEL_ID = "cea9a52effad4bc5e905a5a653f5cf9b"
|
||||
LAST_X_DAYS = 90
|
||||
PAGE_SIZE = 5
|
||||
|
||||
|
||||
# https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api#python-sample
|
||||
if ((logAnalyticsUri in (None, '') or str(logAnalyticsUri).isspace())):
|
||||
logAnalyticsUri = 'https://' + customer_id + '.ods.opinsights.azure.com'
|
||||
|
||||
pattern = r"https:\/\/([\w\-]+)\.ods\.opinsights\.azure.([a-zA-Z\.]+)$"
|
||||
match = match(pattern,str(logAnalyticsUri))
|
||||
if(not match):
|
||||
raise Exception("Invalid Log Analytics Uri.")
|
||||
|
||||
state = StateManager(connection_string)
|
||||
|
||||
def get_from_and_to_date(date_format="%Y-%m-%d %H:%M:%S"):
|
||||
current_date_time = datetime.utcnow().replace(second=0, microsecond=0)
|
||||
last_run_date_time = state.get()
|
||||
logging.debug(last_run_date_time)
|
||||
if last_run_date_time is not None:
|
||||
from_date_time = datetime.strptime(last_run_date_time, date_format)
|
||||
else:
|
||||
from_date_time = current_date_time - timedelta(days=LAST_X_DAYS)
|
||||
|
||||
return format(from_date_time, date_format), format(current_date_time, date_format)
|
||||
|
||||
|
||||
|
||||
def main(mytimer: func.TimerRequest) -> None:
|
||||
logging.info(str(environ))
|
||||
utc_timestamp = datetime.utcnow().replace(
|
||||
tzinfo=timezone.utc).isoformat()
|
||||
|
||||
if mytimer.past_due:
|
||||
logging.info('The timer is past due!')
|
||||
return
|
||||
|
||||
from_date_time, to_date_time = get_from_and_to_date()
|
||||
logging.info(from_date_time)
|
||||
logging.info(to_date_time)
|
||||
|
||||
actionable_alerts_client = SixgillActionableAlertClient(
|
||||
client_id, client_secret, CHANNEL_ID)
|
||||
start = 0
|
||||
logging.info("Going in")
|
||||
while True:
|
||||
actionable_alerts = actionable_alerts_client.get_actionable_alerts_bulk(
|
||||
from_date=from_date_time, limit=PAGE_SIZE, offset=start, sort_order="asc"
|
||||
)
|
||||
logging.info(f"start={start}, offset={PAGE_SIZE}")
|
||||
logging.info(actionable_alerts)
|
||||
start = start + PAGE_SIZE
|
||||
if not actionable_alerts:
|
||||
logging.info("Empty response from API")
|
||||
break
|
||||
else:
|
||||
logging.info(f"# of actionable alerts received : {len(actionable_alerts)}")
|
||||
for actionable_alert in actionable_alerts:
|
||||
alert_id = actionable_alert.get("id")
|
||||
portal_url = f"https://portal.cybersixgill.com/#/?actionable_alert={alert_id}"
|
||||
if "status" not in actionable_alert:
|
||||
actionable_alert["status"] = {
|
||||
"status": "treatment_required",
|
||||
"name": "Treatment Required",
|
||||
"user": "",
|
||||
}
|
||||
# Sub alerts logic
|
||||
alert_info = actionable_alerts_client.get_actionable_alert(alert_id)
|
||||
# Merging assets to a single list
|
||||
if "matched_assets" in alert_info and isinstance(alert_info["matched_assets"], dict):
|
||||
assets = []
|
||||
for _, v in alert_info["matched_assets"].items():
|
||||
assets.extend(v)
|
||||
logging.info(assets)
|
||||
actionable_alert["assets"] = assets # list(set(assets))
|
||||
threat_actor = alert_info.get("es_item", {}).get(
|
||||
"creator_plain_text"
|
||||
) or alert_info.get("es_item", {}).get("creator")
|
||||
threat_actor = threat_actor or ""
|
||||
actionable_alert["threat_actor"] = threat_actor
|
||||
if threat_actor:
|
||||
actor_source = alert_info.get("es_item", {}).get("site")
|
||||
actionable_alert["threat_source"] = actor_source
|
||||
else:
|
||||
actionable_alert["threat_source"] = ""
|
||||
|
||||
sub_alerts = actionable_alert.pop("sub_alerts", [])
|
||||
for sub_alert in filter(None, sub_alerts):
|
||||
unique_id = f'{alert_id}__{int(sub_alert.get("aggregate_alert_id"))}'
|
||||
# Merging assets to a single list
|
||||
sub_alert_assets = []
|
||||
if "matched_assets" in sub_alert and isinstance(sub_alert["matched_assets"], dict):
|
||||
for _, v in sub_alert["matched_assets"].items():
|
||||
sub_alert_assets.extend(v)
|
||||
|
||||
sub_item = deepcopy(actionable_alert)
|
||||
sub_item.update(sub_alert)
|
||||
sub_item["assets"] = sub_alert_assets
|
||||
sub_item["unique_id"] = unique_id
|
||||
sub_item["parent_id"] = alert_id
|
||||
sub_item["portal_url"] = portal_url
|
||||
sub_item = remove_patterns(sub_item)
|
||||
logging.info(sub_item)
|
||||
save_to_sentinel(logAnalyticsUri, customer_id, shared_key ,dumps(sub_item))
|
||||
|
||||
# Sub alerts logic ends
|
||||
actionable_alert["parent_id"] = None
|
||||
actionable_alert["organization_name"] = alert_info.get(
|
||||
"additional_info", {}
|
||||
).get("organization_name")
|
||||
content = alert_info.get("es_item", {}).get("highlight", {}).get("content")
|
||||
content = content[0] if isinstance(content, list) else content
|
||||
existing_content = str(actionable_alert["content"])
|
||||
logging.info(f"creating alert with id={alert_id}")
|
||||
actionable_alert["_time"] = actionable_alert["date"]
|
||||
actionable_alert["alert_creation_date"] = datetime.now().strftime(
|
||||
"%Y-%m-%d %H:%M:%S"
|
||||
)
|
||||
actionable_alert["portal_url"] = portal_url
|
||||
actionable_alert["content"] = str(content) if content else existing_content
|
||||
actionable_alert["matched_assets"] = alert_info.get("matched_assets")
|
||||
actionable_alert["sub_alerts_count"] = len(sub_alerts)
|
||||
if threat_actor:
|
||||
actor_source = alert_info.get("es_item", {}).get("site")
|
||||
actionable_alert["threat_source"] = actor_source
|
||||
actionable_alert[
|
||||
"actor_url_with_context"
|
||||
] = f"https://portal.cybersixgill.com/#/actor/{threat_actor}/{actor_source}"
|
||||
actionable_alert[
|
||||
"actor_url_without_context"
|
||||
] = f"https://portal.cybersixgill.com/#/actor/{threat_actor}/"
|
||||
actionable_alert = remove_patterns(actionable_alert)
|
||||
logging.debug(actionable_alert)
|
||||
save_to_sentinel(logAnalyticsUri, customer_id, shared_key,dumps(actionable_alert))
|
||||
|
||||
|
||||
logging.info('Python timer trigger function ran at %s', utc_timestamp)
|
||||
|
||||
state.post(to_date_time)
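Review bot: `logging.info(str(environ))` at the top of `main` writes the entire process environment — the same one this module reads `WorkspaceKey`, `ClientSecret` and the `AzureWebJobsStorage` connection string from — into the Application Insights log at INFO level; delete the line, or log only the non-secret settings you need, e.g. `logging.info("client_id=%s logAnalyticsUri=%s", client_id, logAnalyticsUri)`. The `if mytimer.past_due:` branch returns before polling, so a late timer fire does no work at all; the common shape is to log the condition and continue. The return value of `save_to_sentinel` is ignored on both calls and `state.post(to_date_time)` then advances the checkpoint even when every POST failed, so those alerts are never fetched again; track the results (e.g. `ok = save_to_sentinel(...)`) and skip `state.post` when any call returned `None`. At module level `match = match(pattern, str(logAnalyticsUri))` rebinds the imported `re.match` to its own result; rename the result, e.g. `uri_match = match(pattern, str(logAnalyticsUri))`. The full alert payloads are also logged at INFO (`logging.info(actionable_alerts)`, `logging.info(sub_item)`), which copies the collected dark-web content into the function log; `logging.debug` is the better level for those.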
|
|
@ -0,0 +1,11 @@
|
|||
{
|
||||
"scriptFile": "__init__.py",
|
||||
"bindings": [
|
||||
{
|
||||
"name": "mytimer",
|
||||
"type": "timerTrigger",
|
||||
"direction": "in",
|
||||
"schedule": "%Polling%"
|
||||
}
|
||||
]
|
||||
}
|
|
@ -0,0 +1,22 @@
|
|||
from azure.storage.fileshare import ShareClient
|
||||
from azure.storage.fileshare import ShareFileClient
|
||||
from azure.core.exceptions import ResourceNotFoundError
|
||||
|
||||
|
||||
class StateManager:
|
||||
def __init__(self, connection_string, share_name='funcstatemarkershare', file_path='funcstatemarkerfile'):
|
||||
self.share_cli = ShareClient.from_connection_string(conn_str=connection_string, share_name=share_name, is_emulated=True)
|
||||
self.file_cli = ShareFileClient.from_connection_string(conn_str=connection_string, share_name=share_name, file_path=file_path, is_emulated=True)
|
||||
|
||||
def post(self, marker_text: str):
|
||||
try:
|
||||
self.file_cli.upload_file(marker_text)
|
||||
except ResourceNotFoundError:
|
||||
self.share_cli.create_share()
|
||||
self.file_cli.upload_file(marker_text)
|
||||
|
||||
def get(self):
|
||||
try:
|
||||
return self.file_cli.download_file().readall().decode()
|
||||
except ResourceNotFoundError:
|
||||
return None
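Review bot: `is_emulated=True` is passed to both `from_connection_string` factories, but it is not a parameter of the v12 `azure-storage-file-share` clients pinned in requirements (12.3.0); as far as I can tell it is accepted as an unknown keyword and ignored, so it should be dropped rather than left looking like it selects an emulator endpoint — confirm against the SDK. The defaults `funcstatemarkershare` / `funcstatemarkerfile` appear to be the generic names used by other Function-based connectors; if two such connectors ever share a storage account they overwrite each other's marker, so a connector-specific default such as `share_name='cybersixgillstatemarkershare'` is safer. `get()` returns whatever text the file holds and the caller parses it with `strptime`, so a corrupted or hand-edited marker makes every subsequent run fail with `ValueError`; that handling belongs in the caller, but a docstring here would make the contract explicit: `"""Return the stored marker text, or None when the file does not exist yet."""`.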
|
|
@ -0,0 +1,56 @@
|
|||
from re import escape, sub
|
||||
import hmac
|
||||
import hashlib
|
||||
import requests
|
||||
import logging
|
||||
from base64 import b64decode, b64encode
|
||||
|
||||
|
||||
BLACKLIST_PATTERNS = ["@sixgill-start-highlight@", "@sixgill-end-highlight@"]
|
||||
|
||||
def remove_patterns(alert):
|
||||
new_dict = {}
|
||||
for k, v in alert.items():
|
||||
if isinstance(v, str):
|
||||
new_dict[k] = sub(r"|".join(map(escape, BLACKLIST_PATTERNS)), "", v)
|
||||
elif isinstance(v, list):
|
||||
new_dict[k] = [
|
||||
sub(r"|".join(map(escape, BLACKLIST_PATTERNS)), "", i) for i in v
|
||||
]
|
||||
elif isinstance(v, dict):
|
||||
new_dict[k] = remove_patterns(v)
|
||||
else:
|
||||
new_dict[k] = v
|
||||
return new_dict
|
||||
|
||||
|
||||
def build_signature(customer_id, shared_key, date, content_length, method, content_type, resource):
|
||||
x_headers = 'x-ms-date:' + date
|
||||
string_to_hash = method + "\n" + str(content_length) + "\n" + content_type + "\n" + x_headers + "\n" + resource
|
||||
bytes_to_hash = bytes(string_to_hash, encoding="utf-8")
|
||||
decoded_key = b64decode(shared_key)
|
||||
encoded_hash = b64encode(hmac.new(decoded_key, bytes_to_hash, digestmod=hashlib.sha256).digest()).decode()
|
||||
authorization = "SharedKey {}:{}".format(customer_id,encoded_hash)
|
||||
return authorization
|
||||
|
||||
|
||||
def save_to_sentinel(logAnalyticsUri, customer_id, shared_key, alert_obj):
|
||||
from email.utils import formatdate
|
||||
rfc1123date = formatdate(timeval=None, localtime=False, usegmt=True)
|
||||
signature = build_signature(customer_id, shared_key, rfc1123date, len(alert_obj), "POST", "application/json", "/api/logs")
|
||||
uri = logAnalyticsUri + '/api/logs?api-version=2016-04-01'
|
||||
|
||||
headers = {
|
||||
'content-type': "application/json",
|
||||
'Authorization': signature,
|
||||
'Log-Type': "CyberSixgill_Alerts",
|
||||
'x-ms-date': rfc1123date,
|
||||
'time-generated-field': 'date'
|
||||
}
|
||||
response = requests.post(uri,data=alert_obj, headers=headers)
|
||||
if (response.status_code >= 200 and response.status_code <= 299):
|
||||
return response.status_code
|
||||
else:
|
||||
logging.info(response.content)
|
||||
logging.info("Events are not processed into Azure. Response code: {}".format(response.status_code))
|
||||
return None
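Review bot: `requests.post(uri, data=alert_obj, headers=headers)` has no `timeout`, so a stalled Log Analytics endpoint holds the connection until the host kills the invocation at `functionTimeout` (10 minutes in host.json), and because the caller posts one alert per call a single hang stalls the whole batch; use `response = requests.post(uri, data=alert_obj, headers=headers, timeout=30)`. The failure branch logs at INFO and returns `None`, which is easy to miss in a log dominated by the per-alert INFO dumps; `logging.error` (or raising) would make ingestion failures visible. In `remove_patterns` the list branch assumes every element is a `str` and would raise `TypeError` inside `sub` on a nested dict or number; `sub(...) if isinstance(i, str) else i` keeps it safe for lists that carry anything other than plain strings. The signature uses `len(alert_obj)` as the content length, which equals the wire length only because `dumps` keeps `ensure_ascii=True`; computing it from the encoded bytes (`len(alert_obj.encode("utf-8"))`) removes that coupling.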
|
|
@ -0,0 +1,119 @@
|
|||
{
|
||||
"id": "CybersixgillActionableAlerts",
|
||||
"title": "Cybersixgill Actionable Alerts",
|
||||
"publisher": "Cybersixgill",
|
||||
"descriptionMarkdown": "Actionable alerts provide customized alerts based on configured assets",
|
||||
"graphQueries": [
|
||||
{
|
||||
"metricName": "Total data received",
|
||||
"legend": "CyberSixgill_Alerts_CL",
|
||||
"baseQuery": "CyberSixgill_Alerts_CL"
|
||||
}
|
||||
],
|
||||
"sampleQueries": [
|
||||
{
|
||||
"description": "All Alerts",
|
||||
"query": "CyberSixgill_Alerts"
|
||||
}
|
||||
],
|
||||
"dataTypes": [
|
||||
{
|
||||
"name": "CyberSixgill_Alerts_CL",
|
||||
"lastDataReceivedQuery": "CyberSixgill_Alerts_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
|
||||
}
|
||||
],
|
||||
"connectivityCriterias": [
|
||||
{
|
||||
"type": "IsConnectedQuery",
|
||||
"value": [
|
||||
"CyberSixgill_Alerts_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
|
||||
]
|
||||
}
|
||||
],
|
||||
"availability": {
|
||||
"status": 1,
|
||||
"isPreview": false
|
||||
},
|
||||
"permissions": {
|
||||
"resourceProvider": [
|
||||
{
|
||||
"provider": "Microsoft.OperationalInsights/workspaces",
|
||||
"permissionsDisplayText": "read and write permissions on the workspace are required.",
|
||||
"providerDisplayName": "Workspace",
|
||||
"scope": "Workspace",
|
||||
"requiredPermissions": {
|
||||
"write": true,
|
||||
"read": true,
|
||||
"delete": true
|
||||
}
|
||||
},
|
||||
{
|
||||
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
|
||||
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
|
||||
"providerDisplayName": "Keys",
|
||||
"scope": "Workspace",
|
||||
"requiredPermissions": {
|
||||
"action": true
|
||||
}
|
||||
}
|
||||
],
|
||||
"customs": [
|
||||
{
|
||||
"name": "Microsoft.Web/sites permissions",
|
||||
"description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)."
|
||||
},
|
||||
{
|
||||
"name": "REST API Credentials/permissions",
|
||||
"description": "**Client_ID** and **Client_Secret** are required for making API calls."
|
||||
}
|
||||
]
|
||||
},
|
||||
"instructionSteps": [
|
||||
{
|
||||
"title": "",
|
||||
"description": ">**NOTE:** This connector uses Azure Functions to connect to the Cybersixgill API to pull Alerts into Microsoft Sentinel. This might result in additional costs for data ingestion and for storing data in Azure Blob Storage costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) and [Azure Blob Storage pricing page](https://azure.microsoft.com/pricing/details/storage/blobs/) for details."
|
||||
},
|
||||
{
|
||||
"title": "",
|
||||
"description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App."
|
||||
},
|
||||
{
|
||||
"instructions": [
|
||||
{
|
||||
"parameters": {
|
||||
"fillWith": [
|
||||
"WorkspaceId"
|
||||
],
|
||||
"label": "Workspace ID"
|
||||
},
|
||||
"type": "CopyableLabel"
|
||||
},
|
||||
{
|
||||
"parameters": {
|
||||
"fillWith": [
|
||||
"PrimaryKey"
|
||||
],
|
||||
"label": "Primary Key"
|
||||
},
|
||||
"type": "CopyableLabel"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"title": "Option 1 - Azure Resource Manager (ARM) Template",
|
||||
"description": "Use this method for automated deployment of the Cybersixgill Actionable Alerts data connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fgithub.com%2Fsyed-loginsoft%2FAzure-Sentinel%2Fraw%2Fcybersixgill%2FSolutions%2FCybersixgill-Actionable-Alerts%2FData%20Connectors%2Fazuredeploy_Connector_Cybersixgill_AzureFunction.json)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace ID**, **Workspace Key**, **Client ID**, **Client Secret**, **TimeInterval** and deploy. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy."
|
||||
},
|
||||
{
|
||||
"title": "Option 2 - Manual Deployment of Azure Functions",
|
||||
"description": "Use the following step-by-step instructions to deploy the Cybersixgill Actionable Alerts data connector manually with Azure Functions (Deployment via Visual Studio Code)."
|
||||
},
|
||||
{
|
||||
"title": "",
|
||||
"description": "**1. Deploy a Function App**\n\n> NOTE:You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://github.com/syed-loginsoft/Azure-Sentinel/blob/cybersixgill/Solutions/Cybersixgill-Actionable-Alerts/Data%20Connectors/CybersixgillAlerts.zip?raw=true) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. CybersixgillAlertsXXX).\n\n\te. **Select a runtime:** Choose Python 3.8.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration."
|
||||
},
|
||||
{
|
||||
"title": "",
|
||||
"description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tClientID\n\t\tClientSecret\n\t\tPolling\n\t\tWorkspaceID\n\t\tWorkspaceKey\n\t\tlogAnalyticsUri (optional)\n - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://<CustomerId>.ods.opinsights.azure.us`\n3. Once all application settings have been entered, click **Save**."
|
||||
}
|
||||
]
|
||||
}
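Review bot: `sampleQueries[0].query` is `CyberSixgill_Alerts`, but the custom table the connector writes (`Log-Type: CyberSixgill_Alerts` in utils.py) is `CyberSixgill_Alerts_CL`, which `graphQueries`, `dataTypes` and `connectivityCriterias` already use; change it to `"query": "CyberSixgill_Alerts_CL"`. The hunting query (`Hunting Queries/ActionableAlerts.yaml`, `dataTypes: - CyberSixgill_Alerts`) has the same mismatch and should also name `CyberSixgill_Alerts_CL`. Both deployment links in `instructionSteps` (the Deploy-to-Azure URI and the zip download) point at the `syed-loginsoft/Azure-Sentinel` fork on branch `cybersixgill`, as does `WEBSITE_RUN_FROM_PACKAGE` in azuredeploy_Connector_Cybersixgill_AzureFunction.json; once merged these should reference the upstream `Azure/Azure-Sentinel` master path, otherwise the code that runs in customer tenants is whatever that personal branch serves at deploy time. `ARM Tempate` in the Option 1 description is a typo for `ARM Template`.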
|
|
@ -0,0 +1,231 @@
|
|||
{
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"parameters": {
|
||||
"FunctionName": {
|
||||
"defaultValue": "CybersixgillAlerts",
|
||||
"minLength": 1,
|
||||
"maxLength": 20,
|
||||
"type": "string"
|
||||
},
|
||||
"WorkspaceID": {
|
||||
"type": "string",
|
||||
"defaultValue": "<workspaceID>",
|
||||
"minLength": 1
|
||||
},
|
||||
"WorkspaceKey": {
|
||||
"type": "securestring",
|
||||
"defaultValue": "<workspaceKey>",
|
||||
"minLength": 1
|
||||
},
|
||||
"ClientID": {
|
||||
"type": "string",
|
||||
"defaultValue": "<Cybersixgill Client ID>",
|
||||
"minLength": 1
|
||||
},
|
||||
"ClientSecret": {
|
||||
"type": "securestring",
|
||||
"defaultValue": "<changeme>",
|
||||
"minLength": 1
|
||||
},
|
||||
"TimeInterval": {
|
||||
"type": "string",
|
||||
"allowedValues": [
|
||||
"Every 5 min",
|
||||
"Every 10 min",
|
||||
"Every 60 min",
|
||||
"Every 6 hours",
|
||||
"Every 12 hours",
|
||||
"Every 24 hours"
|
||||
],
|
||||
"defaultValue": "Every 6 hours",
|
||||
"metadata": {
|
||||
"description": "Select the Interval."
|
||||
}
|
||||
}
|
||||
},
|
||||
"variables": {
|
||||
"PollingMap": {
|
||||
"Every 5 min": "*/5 * * * *",
|
||||
"Every 10 min": "*/10 * * * *",
|
||||
"Every 60 min": "0 * * * *",
|
||||
"Every 6 hours": "0 */6 * * *",
|
||||
"Every 12 hours": "0 */12 * * *",
|
||||
"Every 24 hours" : "0 0 * * *"
|
||||
},
|
||||
"FunctionName": "[concat(toLower(parameters('FunctionName')), take(uniqueString(resourceGroup().id), 3))]",
|
||||
"StorageSuffix": "[environment().suffixes.storage]",
|
||||
"LogAnaltyicsUri": "[replace(environment().portal, 'https://portal', concat('https://', toLower(parameters('WorkspaceID')), '.ods.opinsights'))]",
|
||||
"Polling": "[variables('PollingMap')[parameters('TimeInterval')]]"
|
||||
|
||||
},
|
||||
"resources": [
|
||||
{
|
||||
"type": "Microsoft.Insights/components",
|
||||
"apiVersion": "2015-05-01",
|
||||
"name": "[variables('FunctionName')]",
|
||||
"location": "[resourceGroup().location]",
|
||||
"kind": "web",
|
||||
"properties": {
|
||||
"Application_Type": "web",
|
||||
"ApplicationId": "[variables('FunctionName')]"
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Storage/storageAccounts",
|
||||
"apiVersion": "2019-06-01",
|
||||
"name": "[tolower(variables('FunctionName'))]",
|
||||
"location": "[resourceGroup().location]",
|
||||
"sku": {
|
||||
"name": "Standard_LRS",
|
||||
"tier": "Standard"
|
||||
},
|
||||
"kind": "StorageV2",
|
||||
"properties": {
|
||||
"networkAcls": {
|
||||
"bypass": "AzureServices",
|
||||
"virtualNetworkRules": [],
|
||||
"ipRules": [],
|
||||
"defaultAction": "Allow"
|
||||
},
|
||||
"supportsHttpsTrafficOnly": true,
|
||||
"encryption": {
|
||||
"services": {
|
||||
"file": {
|
||||
"keyType": "Account",
|
||||
"enabled": true
|
||||
},
|
||||
"blob": {
|
||||
"keyType": "Account",
|
||||
"enabled": true
|
||||
}
|
||||
},
|
||||
"keySource": "Microsoft.Storage"
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Storage/storageAccounts/blobServices",
|
||||
"apiVersion": "2019-06-01",
|
||||
"name": "[concat(variables('FunctionName'), '/default')]",
|
||||
"dependsOn": [
|
||||
"[resourceId('Microsoft.Storage/storageAccounts', tolower(variables('FunctionName')))]"
|
||||
],
|
||||
"sku": {
|
||||
"name": "Standard_LRS",
|
||||
"tier": "Standard"
|
||||
},
|
||||
"properties": {
|
||||
"cors": {
|
||||
"corsRules": []
|
||||
},
|
||||
"deleteRetentionPolicy": {
|
||||
"enabled": false
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Storage/storageAccounts/fileServices",
|
||||
"apiVersion": "2019-06-01",
|
||||
"name": "[concat(variables('FunctionName'), '/default')]",
|
||||
"dependsOn": [
|
||||
"[resourceId('Microsoft.Storage/storageAccounts', tolower(variables('FunctionName')))]"
|
||||
],
|
||||
"sku": {
|
||||
"name": "Standard_LRS",
|
||||
"tier": "Standard"
|
||||
},
|
||||
"properties": {
|
||||
"cors": {
|
||||
"corsRules": []
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Web/sites",
|
||||
"apiVersion": "2018-11-01",
|
||||
"name": "[variables('FunctionName')]",
|
||||
"location": "[resourceGroup().location]",
|
||||
"dependsOn": [
|
||||
"[resourceId('Microsoft.Storage/storageAccounts', tolower(variables('FunctionName')))]",
|
||||
"[resourceId('Microsoft.Insights/components', variables('FunctionName'))]"
|
||||
],
|
||||
"kind": "functionapp,linux",
|
||||
"identity": {
|
||||
"type": "SystemAssigned"
|
||||
},
|
||||
"properties": {
|
||||
"name": "[variables('FunctionName')]",
|
||||
"httpsOnly": true,
|
||||
"clientAffinityEnabled": true,
|
||||
"alwaysOn": true,
|
||||
"reserved": true,
|
||||
"siteConfig": {
|
||||
"linuxFxVersion": "python|3.8"
|
||||
}
|
||||
},
|
||||
"resources": [
|
||||
{
|
||||
"apiVersion": "2018-11-01",
|
||||
"type": "config",
|
||||
"name": "appsettings",
|
||||
"dependsOn": [
|
||||
"[concat('Microsoft.Web/sites/', variables('FunctionName'))]"
|
||||
],
|
||||
"properties": {
|
||||
"FUNCTIONS_EXTENSION_VERSION": "~3",
|
||||
"FUNCTIONS_WORKER_RUNTIME": "python",
|
||||
"APPINSIGHTS_INSTRUMENTATIONKEY": "[reference(resourceId('Microsoft.insights/components', variables('FunctionName')), '2015-05-01').InstrumentationKey]",
|
||||
"APPLICATIONINSIGHTS_CONNECTION_STRING": "[reference(resourceId('microsoft.insights/components', variables('FunctionName')), '2015-05-01').ConnectionString]",
|
||||
"AzureWebJobsStorage": "[concat('DefaultEndpointsProtocol=https;AccountName=', toLower(variables('FunctionName')),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', toLower(variables('FunctionName'))), '2019-06-01').keys[0].value, ';EndpointSuffix=',toLower(variables('StorageSuffix')))]",
|
||||
"WorkspaceID": "[parameters('WorkspaceID')]",
|
||||
"WorkspaceKey": "[parameters('WorkspaceKey')]",
|
||||
"ClientID": "[parameters('ClientID')]",
|
||||
"ClientSecret": "[parameters('ClientSecret')]",
|
||||
"logAnalyticsUri": "[variables('LogAnaltyicsUri')]",
|
||||
"timeInterval": "[parameters('TimeInterval')]",
|
||||
"Polling": "[variables('Polling')]",
|
||||
"WEBSITE_RUN_FROM_PACKAGE": "https://github.com/syed-loginsoft/Azure-Sentinel/blob/cybersixgill/Solutions/Cybersixgill-Actionable-Alerts/Data%20Connectors/CybersixgillAlerts.zip?raw=true"
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Storage/storageAccounts/blobServices/containers",
|
||||
"apiVersion": "2019-06-01",
|
||||
"name": "[concat(variables('FunctionName'), '/default/azure-webjobs-hosts')]",
|
||||
"dependsOn": [
|
||||
"[resourceId('Microsoft.Storage/storageAccounts/blobServices', variables('FunctionName'), 'default')]",
|
||||
"[resourceId('Microsoft.Storage/storageAccounts', variables('FunctionName'))]"
|
||||
],
|
||||
"properties": {
|
||||
"publicAccess": "None"
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Storage/storageAccounts/blobServices/containers",
|
||||
"apiVersion": "2019-06-01",
|
||||
"name": "[concat(variables('FunctionName'), '/default/azure-webjobs-secrets')]",
|
||||
"dependsOn": [
|
||||
"[resourceId('Microsoft.Storage/storageAccounts/blobServices', variables('FunctionName'), 'default')]",
|
||||
"[resourceId('Microsoft.Storage/storageAccounts', variables('FunctionName'))]"
|
||||
],
|
||||
"properties": {
|
||||
"publicAccess": "None"
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Storage/storageAccounts/fileServices/shares",
|
||||
"apiVersion": "2019-06-01",
|
||||
"name": "[concat(variables('FunctionName'), '/default/', tolower(variables('FunctionName')))]",
|
||||
"dependsOn": [
|
||||
"[resourceId('Microsoft.Storage/storageAccounts/fileServices', variables('FunctionName'), 'default')]",
|
||||
"[resourceId('Microsoft.Storage/storageAccounts', variables('FunctionName'))]"
|
||||
],
|
||||
"properties": {
|
||||
"shareQuota": 5120
|
||||
}
|
||||
}
|
||||
|
||||
]
|
||||
}
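Review bot: The storage account resource sets `networkAcls.defaultAction` to `Allow` and omits both `minimumTlsVersion` and `allowBlobPublicAccess`, so the account that holds the function package, host secrets and the poll marker still accepts TLS 1.0/1.1 and relies solely on the per-container `publicAccess: None` to block anonymous reads; with apiVersion 2019-06-01 add `"minimumTlsVersion": "TLS1_2",` and `"allowBlobPublicAccess": false,` next to `supportsHttpsTrafficOnly`. The `timeInterval` app setting is written but nothing in the function reads it — the schedule comes from `Polling` via function.json — so it can be dropped. `WorkspaceKey` and `ClientSecret` are correctly typed `securestring`, but the values are then stored as plain app settings; the Key Vault reference step already mentioned in the connector instructions could be offered as an option here as well.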
|
|
@ -0,0 +1,16 @@
|
|||
{
|
||||
"version": "2.0",
|
||||
"logging": {
|
||||
"applicationInsights": {
|
||||
"samplingSettings": {
|
||||
"isEnabled": true,
|
||||
"excludedTypes": "Request"
|
||||
}
|
||||
}
|
||||
},
|
||||
"extensionBundle": {
|
||||
"id": "Microsoft.Azure.Functions.ExtensionBundle",
|
||||
"version": "[2.*, 3.0.0)"
|
||||
},
|
||||
"functionTimeout": "00:10:00"
|
||||
}
|
|
@ -0,0 +1,4 @@
|
|||
{
|
||||
"$schema": "http://json.schemastore.org/proxies",
|
||||
"proxies": {}
|
||||
}
|
|
@ -0,0 +1,5 @@
|
|||
# Do not include azure-functions-worker as it may conflict with the Azure Functions platform
|
||||
|
||||
azure-functions
|
||||
azure-storage-file-share==12.3.0
|
||||
sixgill-clients
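Review bot: `azure-functions` and `sixgill-clients` are unpinned while `azure-storage-file-share` is pinned to 12.3.0, so each deployment resolves whatever the index serves that day and the function's behaviour (and its transitive dependency tree) can change without a commit; pin them, e.g. `sixgill-clients==<tested version>`. `requests` is imported directly in utils.py but is not declared here, so the connector works only because a transitive dependency happens to pull it in; add `requests==<tested version>` explicitly.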
|
|
@ -0,0 +1,25 @@
|
|||
{
|
||||
"Name": "Cybersixgill-Actionable-Alerts",
|
||||
"Author": "Cybersixgill",
|
||||
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Cybersixgill.svg\" width=\"75\" height=\"75\" >",
|
||||
"Description": "Cybersixgill Actionable Alerts provides a premium automated customized threat intelligence feed from the deep and dark web. Monitor activity in the underground regarding your key assets (Names, IP Address, Domains, CVEs, Third party suppliers ) relevant to their brand, industry, and geolocation and receive real time alert notifications on incoming threats on your organization including: Contextual data, assessments and recommendations",
|
||||
"Workbooks": [
|
||||
"Workbooks/ActionableAlertsList.json",
|
||||
"Workbooks/ActionableAlertsDashboard.json"
|
||||
],
|
||||
"Playbooks": [
|
||||
"Playbooks/CybersixgillAlertStatusUpdate/azuredeploy.json",
|
||||
"Playbooks/DeleteCybersixgillAlert/azuredeploy.json"
|
||||
],
|
||||
"Data Connectors": [
|
||||
"Data Connectors/Cybersixgill_FunctionApp.json"
|
||||
],
|
||||
"Hunting Queries": [
|
||||
"Hunting Queries/ActionableAlerts.yaml"
|
||||
],
|
||||
"BasePath": "D:/Sentinel-Forked/Solutions/Cybersixgill-Actionable-Alerts/",
|
||||
"Version": "2.0.0",
|
||||
"Metadata": "SolutionMetadata.json",
|
||||
"TemplateSpec": true,
|
||||
"Is1PConnector": false
|
||||
}
|
|
@ -0,0 +1,11 @@
|
|||
id: 532133dd-a8ed-4062-bf0d-f04dc97bb71a
|
||||
name: Cybersixgill Actionable alerts
|
||||
description: |
|
||||
'View Cybersixgill Actionable alerts for last 30 days'
|
||||
requiredDataConnectors:
|
||||
- connectorId: CybersixgillActionableAlerts
|
||||
dataTypes:
|
||||
- CyberSixgill_Alerts
|
||||
query: |
|
||||
CyberSixgill_Alerts_CL
|
||||
| where TimeGenerated > ago(30d)
|
|
@ -0,0 +1,179 @@
|
|||
{
|
||||
"$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
|
||||
"handler": "Microsoft.Azure.CreateUIDef",
|
||||
"version": "0.1.2-preview",
|
||||
"parameters": {
|
||||
"config": {
|
||||
"isWizard": false,
|
||||
"basics": {
|
||||
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Cybersixgill.svg\" width=\"75\" height=\"75\" >\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nCybersixgill Actionable Alerts provides a premium automated customized threat intelligence feed from the deep and dark web. Monitor activity in the underground regarding your key assets (Names, IP Address, Domains, CVEs, Third party suppliers ) relevant to their brand, industry, and geolocation and receive real time alert notifications on incoming threats on your organization including: Contextual data, assessments and recommendations\n\n**Data Connectors:** 1, **Workbooks:** 2, **Hunting Queries:** 1, **Playbooks:** 2\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
|
||||
"subscription": {
|
||||
"resourceProviders": [
|
||||
"Microsoft.OperationsManagement/solutions",
|
||||
"Microsoft.OperationalInsights/workspaces/providers/alertRules",
|
||||
"Microsoft.Insights/workbooks",
|
||||
"Microsoft.Logic/workflows"
|
||||
]
|
||||
},
|
||||
"location": {
|
||||
"metadata": {
|
||||
"hidden": "Hiding location, we get it from the log analytics workspace"
|
||||
},
|
||||
"visible": false
|
||||
},
|
||||
"resourceGroup": {
|
||||
"allowExisting": true
|
||||
}
|
||||
}
|
||||
},
|
||||
"basics": [
|
||||
{
|
||||
"name": "getLAWorkspace",
|
||||
"type": "Microsoft.Solutions.ArmApiControl",
|
||||
"toolTip": "This filters by workspaces that exist in the Resource Group selected",
|
||||
"condition": "[greater(length(resourceGroup().name),0)]",
|
||||
"request": {
|
||||
"method": "GET",
|
||||
"path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "workspace",
|
||||
"type": "Microsoft.Common.DropDown",
|
||||
"label": "Workspace",
|
||||
"placeholder": "Select a workspace",
|
||||
"toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
|
||||
"constraints": {
|
||||
"allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
|
||||
"required": true
|
||||
},
|
||||
"visible": true
|
||||
}
|
||||
],
|
||||
"steps": [
|
||||
{
|
||||
"name": "dataconnectors",
|
||||
"label": "Data Connectors",
|
||||
"bladeTitle": "Data Connectors",
|
||||
"elements": [
|
||||
{
|
||||
"name": "dataconnectors1-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "This Solution installs the data connector for Cybersixgill-Actionable-Alerts. You can get Cybersixgill-Actionable-Alerts custom log data in your Microsoft Sentinel workspace. Configure and enable this data connector in the Data Connector gallery after this Solution deploys. This data connector creates custom log table(s) CyberSixgill_Alerts_CL in your Microsoft Sentinel / Azure Log Analytics workspace."
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "dataconnectors-link2",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"link": {
|
||||
"label": "Learn more about connecting data sources",
|
||||
"uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
|
||||
}
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"name": "workbooks",
|
||||
"label": "Workbooks",
|
||||
"subLabel": {
|
||||
"preValidation": "Configure the workbooks",
|
||||
"postValidation": "Done"
|
||||
},
|
||||
"bladeTitle": "Workbooks",
|
||||
"elements": [
|
||||
{
|
||||
"name": "workbooks-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "This Microsoft Sentinel Solution installs workbooks. Workbooks provide a flexible canvas for data monitoring, analysis, and the creation of rich visual reports within the Azure portal. They allow you to tap into one or many data sources from Microsoft Sentinel and combine them into unified interactive experiences."
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "workbooks-link",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"link": {
|
||||
"label": "Learn more",
|
||||
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data"
|
||||
}
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"name": "huntingqueries",
|
||||
"label": "Hunting Queries",
|
||||
"bladeTitle": "Hunting Queries",
|
||||
"elements": [
|
||||
{
|
||||
"name": "huntingqueries-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "This solution installs the following hunting queries. After installing the solution, run these hunting queries to hunt for threats in Manage solution view. "
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "huntingqueries-link",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"link": {
|
||||
"label": "Learn more",
|
||||
"uri": "https://docs.microsoft.com/azure/sentinel/hunting"
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "huntingquery1",
|
||||
"type": "Microsoft.Common.Section",
|
||||
"label": "Cybersixgill Actionable alerts",
|
||||
"elements": [
|
||||
{
|
||||
"name": "huntingquery1-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "View Cybersixgill Actionable alerts for last 30 days It depends on the CybersixgillActionableAlerts data connector and CyberSixgill_Alerts data type and CybersixgillActionableAlerts parser."
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"name": "playbooks",
|
||||
"label": "Playbooks",
|
||||
"subLabel": {
|
||||
"preValidation": "Configure the playbooks",
|
||||
"postValidation": "Done"
|
||||
},
|
||||
"bladeTitle": "Playbooks",
|
||||
"elements": [
|
||||
{
|
||||
"name": "playbooks-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "This solution installs the Playbook templates to help implement your Security Orchestration, Automation and Response (SOAR) operations. After installing the solution, these will be deployed under Playbook Templates in the Automation blade in Microsoft Sentinel. They can be configured and managed from the Manage solution view in Content Hub."
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "playbooks-link",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"link": {
|
||||
"label": "Learn more",
|
||||
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-respond-threats-playbook?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
|
||||
}
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"outputs": {
|
||||
"workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
|
||||
"location": "[location()]",
|
||||
"workspace": "[basics('workspace')]"
|
||||
}
|
||||
}
|
||||
}
|
|
@ -0,0 +1,513 @@
|
|||
{
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"metadata": {
|
||||
"title": "Cybersixgill-Alert-Status-Update",
|
||||
"description": "This playbook will update status of Cybersixgill Alerts when respective incident status is updated in Microsoft Sentinel",
|
||||
"prerequisites": "Cybersixgill Client ID and Client Secret should be stored in Azure KeyVault before deploying this playbook.",
|
||||
"prerequisitesDeployTemplateFile": "",
|
||||
"lastUpdateTime": "2022-12-23T18:18:05Z",
|
||||
"entities": [],
|
||||
"tags": [ "Incident", "Sync" ],
|
||||
"support": {
|
||||
"tier": "community",
|
||||
"armtemplate": "Generated from https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Playbook-ARM-Template-Generator"
|
||||
},
|
||||
"author": {
|
||||
"name": "Loginsoft"
|
||||
}
|
||||
},
|
||||
"parameters": {
|
||||
"PlaybookName": {
|
||||
"defaultValue": "CybersixgillAlertStatusUpdate",
|
||||
"type": "string"
|
||||
},
|
||||
"Client ID key name": {
|
||||
"type": "string",
|
||||
"metadata": {
|
||||
"description": "Enter value for Client ID key name"
|
||||
}
|
||||
},
|
||||
"Client Secret key name": {
|
||||
"type": "string",
|
||||
"metadata": {
|
||||
"description": "Enter value for Client Secret key name"
|
||||
}
|
||||
},
|
||||
"Keyvault Name": {
|
||||
"defaultValue": "",
|
||||
"type": "string",
|
||||
"metadata": {
|
||||
"description": "Enter value for Keyvault Name"
|
||||
}
|
||||
}
|
||||
},
|
||||
"variables": {
|
||||
"MicrosoftSentinelConnectionName": "[concat('MicrosoftSentinel-', parameters('PlaybookName'))]",
|
||||
"KeyvaultConnectionName": "[concat('Keyvault-', parameters('PlaybookName'))]"
|
||||
},
|
||||
"resources": [
|
||||
{
|
||||
"properties": {
|
||||
"provisioningState": "Succeeded",
|
||||
"state": "Enabled",
|
||||
"definition": {
|
||||
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"parameters": {
|
||||
"$connections": {
|
||||
"defaultValue": {},
|
||||
"type": "Object"
|
||||
},
|
||||
"Keyvault Name": {
|
||||
"type": "string",
|
||||
"defaultValue": "[parameters('Keyvault Name')]"
|
||||
},
|
||||
"Client ID key name": {
|
||||
"type": "string",
|
||||
"defaultValue": "[parameters('Client ID key name')]"
|
||||
},
|
||||
"Client Secret key name": {
|
||||
"type": "string",
|
||||
"defaultValue": "[parameters('Client Secret key name')]"
|
||||
}
|
||||
},
|
||||
"triggers": {
|
||||
"Microsoft_Sentinel_incident": {
|
||||
"type": "ApiConnectionWebhook",
|
||||
"inputs": {
|
||||
"body": {
|
||||
"callback_url": "@{listCallbackUrl()}"
|
||||
},
|
||||
"host": {
|
||||
"connection": {
|
||||
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
|
||||
}
|
||||
},
|
||||
"path": "/incident-creation"
|
||||
}
|
||||
}
|
||||
},
|
||||
"actions": {
|
||||
"Authenticate_Cybersixgill_API": {
|
||||
"runAfter": {
|
||||
"Get_Cybersixgill_Client_Secret": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "Http",
|
||||
"inputs": {
|
||||
"body": "client_id=@{body('Get_Cybersixgill_Client_ID')?['value']}&client_secret=@{body('Get_Cybersixgill_Client_Secret')?['value']}&grant_type=client_credentials",
|
||||
"headers": {
|
||||
"Cache-Control": "no-cache",
|
||||
"Content-Type": "application/x-www-form-urlencoded"
|
||||
},
|
||||
"method": "POST",
|
||||
"uri": "https://api.cybersixgill.com/auth/token"
|
||||
}
|
||||
},
|
||||
"Build_Patch_body": {
|
||||
"runAfter": {
|
||||
"Switch": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "InitializeVariable",
|
||||
"inputs": {
|
||||
"variables": [
|
||||
{
|
||||
"name": "alert_status_patch",
|
||||
"type": "object",
|
||||
"value": {
|
||||
"status": {
|
||||
"status": "@{variables('alert_status')}"
|
||||
}
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
},
|
||||
"Extract_Access_Token": {
|
||||
"runAfter": {
|
||||
"Authenticate_Cybersixgill_API": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "ParseJson",
|
||||
"inputs": {
|
||||
"content": "@body('Authenticate_Cybersixgill_API')",
|
||||
"schema": {
|
||||
"properties": {
|
||||
"access_token": {
|
||||
"type": "string"
|
||||
},
|
||||
"expires_in": {
|
||||
"type": "integer"
|
||||
},
|
||||
"ext_expires_in": {
|
||||
"type": "integer"
|
||||
},
|
||||
"token_type": {
|
||||
"type": "string"
|
||||
}
|
||||
},
|
||||
"type": "object"
|
||||
}
|
||||
}
|
||||
},
|
||||
"Extract_Alert_ID": {
|
||||
"runAfter": {
|
||||
"Initialize_status": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "InitializeVariable",
|
||||
"inputs": {
|
||||
"variables": [
|
||||
{
|
||||
"name": "alert_object",
|
||||
"type": "string",
|
||||
"value": "@{triggerBody()?['object']?['properties']?['Bookmarks']?[0]?['properties']?['queryResult']}"
|
||||
}
|
||||
]
|
||||
}
|
||||
},
|
||||
"Get_Cybersixgill_Client_ID": {
|
||||
"runAfter": {},
|
||||
"type": "ApiConnection",
|
||||
"inputs": {
|
||||
"host": {
|
||||
"connection": {
|
||||
"name": "@parameters('$connections')['keyvault']['connectionId']"
|
||||
}
|
||||
},
|
||||
"method": "get",
|
||||
"path": "/secrets/@{encodeURIComponent(parameters('Client ID key name'))}/value"
|
||||
}
|
||||
},
|
||||
"Get_Cybersixgill_Client_Secret": {
|
||||
"runAfter": {
|
||||
"Get_Cybersixgill_Client_ID": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "ApiConnection",
|
||||
"inputs": {
|
||||
"host": {
|
||||
"connection": {
|
||||
"name": "@parameters('$connections')['keyvault']['connectionId']"
|
||||
}
|
||||
},
|
||||
"method": "get",
|
||||
"path": "/secrets/@{encodeURIComponent(parameters('Client Secret key name'))}/value"
|
||||
}
|
||||
},
|
||||
"Initialize_status": {
|
||||
"runAfter": {
|
||||
"Extract_Access_Token": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "InitializeVariable",
|
||||
"inputs": {
|
||||
"variables": [
|
||||
{
|
||||
"name": "alert_status",
|
||||
"type": "string"
|
||||
}
|
||||
]
|
||||
}
|
||||
},
|
||||
"Parse_JSON": {
|
||||
"runAfter": {
|
||||
"Extract_Alert_ID": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "ParseJson",
|
||||
"inputs": {
|
||||
"content": "@variables('alert_object')",
|
||||
"schema": {
|
||||
"properties": {
|
||||
"Category": {
|
||||
"type": "string"
|
||||
},
|
||||
"Computer": {
|
||||
"type": "string"
|
||||
},
|
||||
"MG": {
|
||||
"type": "string"
|
||||
},
|
||||
"ManagementGroupName": {
|
||||
"type": "string"
|
||||
},
|
||||
"RawData": {
|
||||
"type": "string"
|
||||
},
|
||||
"Severity": {
|
||||
"type": "integer"
|
||||
},
|
||||
"SourceSystem": {
|
||||
"type": "string"
|
||||
},
|
||||
"TenantId": {
|
||||
"type": "string"
|
||||
},
|
||||
"TimeGenerated": {
|
||||
"type": "string"
|
||||
},
|
||||
"Type": {
|
||||
"type": "string"
|
||||
},
|
||||
"_ResourceId": {
|
||||
"type": "string"
|
||||
},
|
||||
"_time_s": {
|
||||
"type": "string"
|
||||
},
|
||||
"actor_url_with_context_s": {
|
||||
"type": "string"
|
||||
},
|
||||
"actor_url_without_context_s": {
|
||||
"type": "string"
|
||||
},
|
||||
"aggregate_alert_id_d": {
|
||||
"type": "integer"
|
||||
},
|
||||
"alert_creation_date_s": {
|
||||
"type": "string"
|
||||
},
|
||||
"alert_name_s": {
|
||||
"type": "string"
|
||||
},
|
||||
"alert_type_id_s": {
|
||||
"type": "string"
|
||||
},
|
||||
"assets_s": {
|
||||
"type": "string"
|
||||
},
|
||||
"content_s": {
|
||||
"type": "string"
|
||||
},
|
||||
"date_s": {
|
||||
"type": "string"
|
||||
},
|
||||
"id_s": {
|
||||
"type": "string"
|
||||
},
|
||||
"lang_s": {
|
||||
"type": "string"
|
||||
},
|
||||
"langcode_s": {
|
||||
"type": "string"
|
||||
},
|
||||
"matched_assets_organization_aliases_s": {
|
||||
"type": "string"
|
||||
},
|
||||
"matched_assets_organization_name_s": {
|
||||
"type": "string"
|
||||
},
|
||||
"matched_assets_products_s": {
|
||||
"type": "string"
|
||||
},
|
||||
"organization_name_s": {
|
||||
"type": "string"
|
||||
},
|
||||
"parent_id_s": {
|
||||
"type": "string"
|
||||
},
|
||||
"portal_url_s": {
|
||||
"type": "string"
|
||||
},
|
||||
"read_b": {
|
||||
"type": "boolean"
|
||||
},
|
||||
"site_s": {
|
||||
"type": "string"
|
||||
},
|
||||
"status_name_s": {
|
||||
"type": "string"
|
||||
},
|
||||
"sub_alerts_count_d": {
|
||||
"type": "string"
|
||||
},
|
||||
"threat_actor_s": {
|
||||
"type": "string"
|
||||
},
|
||||
"threat_level_s": {
|
||||
"type": "string"
|
||||
},
|
||||
"threat_source_s": {
|
||||
"type": "string"
|
||||
},
|
||||
"threats_s": {
|
||||
"type": "string"
|
||||
},
|
||||
"title_s": {
|
||||
"type": "string"
|
||||
},
|
||||
"unique_id_s": {
|
||||
"type": "string"
|
||||
},
|
||||
"user_id_s": {
|
||||
"type": "string"
|
||||
}
|
||||
},
|
||||
"type": "object"
|
||||
}
|
||||
}
|
||||
},
|
||||
"Switch": {
|
||||
"runAfter": {
|
||||
"Parse_JSON": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"cases": {
|
||||
"Status_Active": {
|
||||
"case": "Active",
|
||||
"actions": {
|
||||
"Status_-_in_treatment": {
|
||||
"runAfter": {},
|
||||
"type": "SetVariable",
|
||||
"inputs": {
|
||||
"name": "alert_status",
|
||||
"value": "in_treatment"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"Status_Closed": {
|
||||
"case": "Closed",
|
||||
"actions": {
|
||||
"Status_resolved": {
|
||||
"runAfter": {},
|
||||
"type": "SetVariable",
|
||||
"inputs": {
|
||||
"name": "alert_status",
|
||||
"value": "resolved"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"Status_New": {
|
||||
"case": "New",
|
||||
"actions": {
|
||||
"Status_treatment_required": {
|
||||
"runAfter": {},
|
||||
"type": "SetVariable",
|
||||
"inputs": {
|
||||
"name": "alert_status",
|
||||
"value": "treatment_required"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"default": {
|
||||
"actions": {}
|
||||
},
|
||||
"expression": "@triggerBody()?['object']?['properties']?['status']",
|
||||
"type": "Switch"
|
||||
},
|
||||
"Update_Alert_Status_": {
|
||||
"runAfter": {
|
||||
"Build_Patch_body": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "Http",
|
||||
"inputs": {
|
||||
"body": "@variables('alert_status_patch')",
|
||||
"headers": {
|
||||
"Authorization": "Bearer @{body('Extract_Access_Token')?['access_token']}",
|
||||
"Content-Type": "application/json"
|
||||
},
|
||||
"method": "PATCH",
|
||||
"uri": "https://api.cybersixgill.com/alerts/actionable_alert/@{body('Parse_JSON')?['id_s']}"
|
||||
}
|
||||
}
|
||||
},
|
||||
"outputs": {}
|
||||
},
|
||||
"parameters": {
|
||||
"$connections": {
|
||||
"value": {
|
||||
"azuresentinel": {
|
||||
"connectionId": "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
|
||||
"connectionName": "[variables('MicrosoftSentinelConnectionName')]",
|
||||
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]",
|
||||
"connectionProperties": {
|
||||
"authentication": {
|
||||
"type": "ManagedServiceIdentity"
|
||||
}
|
||||
}
|
||||
},
|
||||
"keyvault": {
|
||||
"connectionId": "[resourceId('Microsoft.Web/connections', variables('KeyvaultConnectionName'))]",
|
||||
"connectionName": "[variables('KeyvaultConnectionName')]",
|
||||
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Keyvault')]",
|
||||
"connectionProperties": {
|
||||
"authentication": {
|
||||
"type": "ManagedServiceIdentity"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"name": "[parameters('PlaybookName')]",
|
||||
"type": "Microsoft.Logic/workflows",
|
||||
"location": "[resourceGroup().location]",
|
||||
"identity": {
|
||||
"type": "SystemAssigned"
|
||||
},
|
||||
"tags": {
|
||||
"hidden-SentinelTemplateName": "CybersixgillAlertStatusUpdate",
|
||||
"hidden-SentinelTemplateVersion": "1.0"
|
||||
},
|
||||
"apiVersion": "2017-07-01",
|
||||
"dependsOn": [
|
||||
"[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
|
||||
"[resourceId('Microsoft.Web/connections', variables('KeyvaultConnectionName'))]"
|
||||
]
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Web/connections",
|
||||
"apiVersion": "2016-06-01",
|
||||
"name": "[variables('MicrosoftSentinelConnectionName')]",
|
||||
"location": "[resourceGroup().location]",
|
||||
"kind": "V1",
|
||||
"properties": {
|
||||
"displayName": "[variables('MicrosoftSentinelConnectionName')]",
|
||||
"customParameterValues": {},
|
||||
"parameterValueType": "Alternative",
|
||||
"api": {
|
||||
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]"
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Web/connections",
|
||||
"apiVersion": "2016-06-01",
|
||||
"name": "[variables('KeyvaultConnectionName')]",
|
||||
"location": "[resourceGroup().location]",
|
||||
"kind": "V1",
|
||||
"properties": {
|
||||
"displayName": "[variables('KeyvaultConnectionName')]",
|
||||
"customParameterValues": {},
|
||||
"parameterValueType": "Alternative",
|
||||
"alternativeParameterValues": {
|
||||
"vaultName": "[parameters('Keyvault Name')]"
|
||||
},
|
||||
"nonSecretParameterValues": {
|
||||
"vaultName": "[parameters('Keyvault Name')]"
|
||||
},
|
||||
"api": {
|
||||
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Keyvault')]"
|
||||
}
|
||||
}
|
||||
}
|
||||
]
|
||||
}
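Review bot: The Key Vault secret values returned by the actions at L3258 and L3309, the client secret interpolated into the token request body at L3003, the access token parsed at L3117 and the bearer token put in the Authorization header at L3972 are all stored in clear text in the Logic App run history, because none of these actions marks its inputs or outputs as secure; any principal that can read the workflow's run history can recover the Cybersixgill credential from past runs. Each of those five actions should carry `"runtimeConfiguration": { "secureData": { "properties": [ "inputs", "outputs" ] } }`; the Delete-Cybersixgill-Alert template starting at L4460 has the same gap, and its `Authenticate_Sixgill_API` action already has a runtimeConfiguration object at L4811 that the setting can be added to. Separately, the Switch's default branch at L3924 sets no status, yet `Build_Patch_body` and `Update_Alert_Status_` still run, so an incident status other than New, Active or Closed produces a PATCH whose body is `{"status": {"status": ""}}`; wrapping the PATCH in a Condition action on `@not(empty(variables('alert_status')))` would avoid writing an empty status to the alert. Finally, both Key Vault actions are plain `get` calls on a named secret, so the access policy the README asks operators to create needs only the Get secret permission, not List.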
|
|
@ -0,0 +1,72 @@
|
|||
# CybersixgillAlertStatusUpdate
|
||||
Author: Loginsoft
|
||||
|
||||
This playbook will update status of Actionable alerts in Cybersixgill Portal. When incident is updated in Microsoft Sentinel, playbook will run and update status Actionable alerts from Cybersixgill Portal
|
||||
|
||||
# Prerequisites
|
||||
|
||||
We will need the following data to do one time setup.
|
||||
1. Cybersixgill Client ID (client_id)
|
||||
2. Cybersixgill Client Secret (client_secret)
|
||||
|
||||
Client ID and Client Secret can be obtained from [Cybersixgill Developer Portal](https://developer.cybersixgill.com/dashboard)
|
||||
* You can skip below step if you already have Client ID and Client Secret.
|
||||
* Visit [Cybersixgill Developer Portal](https://developer.cybersixgill.com/dashboard)
|
||||
* Click on Create an application.
|
||||
* Enter Application name and brief description and optional Application image
|
||||
* All other fields can be left to default.
|
||||
* Once done click on Create the app.
|
||||
* Copy Client ID and Client Secret.
|
||||
|
||||
# Deployment instructions
|
||||
1. Deploy the playbook by clicking on "Deploy to Azure" button. This will take you to deploying an ARM Template wizard.
|
||||
|
||||
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https%3A%2F%2Fportal.azure.com%2F%23create%2FMicrosoft.Template%2Furi%2Fhttps%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FCybersixgill-Actionable-Alerts%2FPlaybooks%2FCybersixgillAlertStatusUpdate%2Fazuredeploy.json)
|
||||
[![Deploy to Azure Gov](https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/deploytoazuregov.png)](https%3A%2F%2Fportal.azure.us%2F%23create%2FMicrosoft.Template%2Furi%2Fhttps%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FCybersixgill-Actionable-Alerts%2FPlaybooks%2FCybersixgillAlertStatusUpdate%2Fazuredeploy.json)
|
||||
|
||||
2. Fill in the required parameters:
|
||||
* Playbook Name: Enter the playbook name here (Ex: CybersixgillAlertStatusUpdate)
|
||||
* Keyvault name : Enter the key vault name where secret key is stored.
|
||||
* Client ID key name: Key name for Cybersixgill Client ID stored api secret.
|
||||
* Client Secret key name: Key name for Cybersixgill Client Secret the stored api secret.
|
||||
|
||||
### Post-Deployment
|
||||
#### a. Authorize connections (Perform this action if needed)
|
||||
Once deployment is complete, you will need to authorize each connection.
|
||||
1. Click the Microsoft Sentinel connection resource
|
||||
2. Click edit API connection
|
||||
3. Click Authorize
|
||||
4. Sign in
|
||||
5. Click Save
|
||||
|
||||
#### b. Configurations in Sentinel
|
||||
Create new automation rule, ex: CybersixgillStatusUpdateAutomationRule
|
||||
* Trigger = When Incident is updated
|
||||
* Condition = Status Changed
|
||||
|
||||
*Automation rule example*
|
||||
![](./images/AutomationRuleExampleDark.PNG)
|
||||
|
||||
|
||||
![](./images/AutomationRuleExampleLight.PNG)
|
||||
|
||||
#### c. Assign Playbook Microsoft Sentinel Responder Role
|
||||
1. Select the Playbook (Logic App) resource
|
||||
2. Click on Identity Blade
|
||||
3. Choose System assigned tab
|
||||
4. Click on Azure role assignments
|
||||
5. Click on Add role assignments
|
||||
6. Select Scope - Resource group
|
||||
7. Select Subscription - where Playbook has been created
|
||||
8. Select Resource group - where Playbook has been created
|
||||
9. Select Role - Microsoft Sentinel Responder
|
||||
10. Click Save (It takes 3-5 minutes to show the added role.)
|
||||
#### d. Assign access policy on key vault for Playbook to fetch the secret key
|
||||
1. Select the Keyvault resource where you have stored the secret
|
||||
2. Click on Access policies Blade
|
||||
3. Click on Create
|
||||
4. Under Secret permissions column , Select Get , List from "Secret Management Operations"
|
||||
5. Click next to go to Principal tab and choose your deployed playbook name
|
||||
6. Click Next leave application tab as it is .
|
||||
7. Click Review and create
|
||||
8. Click Create
|
|
@ -0,0 +1,437 @@
|
|||
{
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"metadata": {
|
||||
"title": "Delete-Cybersixgill-Alert",
|
||||
"description": "This playbook will delete Alert on Cybersixgill portal when resective Incident is deleted in Microsoft Sentinel",
|
||||
"prerequisites": "Cybersixgill Client ID and Client Secret should be stored in Azure KeyVault before deploying this playbook.",
|
||||
"prerequisitesDeployTemplateFile": "",
|
||||
"lastUpdateTime": "2022-12-23T18:18:05Z",
|
||||
"entities": [],
|
||||
"tags": ["Incident", "Sync"],
|
||||
"support": {
|
||||
"tier": "community",
|
||||
"armtemplate": "Generated from https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Playbook-ARM-Template-Generator"
|
||||
},
|
||||
"author": {
|
||||
"name": "Loginsoft"
|
||||
}
|
||||
},
|
||||
"parameters": {
|
||||
"PlaybookName": {
|
||||
"defaultValue": "DeleteCybersixgillAlert",
|
||||
"type": "string"
|
||||
},
|
||||
"Keyvault Name": {
|
||||
"type": "string",
|
||||
"defaultValue":"",
|
||||
"metadata": {
|
||||
"description": "Enter value for Keyvault Name"
|
||||
}
|
||||
},
|
||||
"Client ID key name": {
|
||||
"type": "string",
|
||||
"metadata": {
|
||||
"description": "Enter value for Client ID key name"
|
||||
}
|
||||
},
|
||||
"Client Secret key name": {
|
||||
"type": "string",
|
||||
"metadata": {
|
||||
"description": "Enter value for Client Secret key name"
|
||||
}
|
||||
}
|
||||
},
|
||||
"variables": {
|
||||
"MicrosoftSentinelConnectionName": "[concat('MicrosoftSentinel-', parameters('PlaybookName'))]",
|
||||
"KeyvaultConnectionName": "[concat('Keyvault-', parameters('PlaybookName'))]"
|
||||
},
|
||||
"resources": [
|
||||
{
|
||||
"properties": {
|
||||
"provisioningState": "Succeeded",
|
||||
"state": "Enabled",
|
||||
"definition": {
|
||||
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"parameters": {
|
||||
"$connections": {
|
||||
"defaultValue": {},
|
||||
"type": "Object"
|
||||
},
|
||||
"Client ID key name": {
|
||||
"type": "string",
|
||||
"defaultValue": "[parameters('Client ID key name')]"
|
||||
},
|
||||
"Client Secret key name": {
|
||||
"type": "string",
|
||||
"defaultValue": "[parameters('Client Secret key name')]"
|
||||
},
|
||||
"Keyvault Name": {
|
||||
"type": "string",
|
||||
"defaultValue": "[parameters('Keyvault Name')]"
|
||||
}
|
||||
},
|
||||
"staticResults": {
|
||||
"HTTP0": {
|
||||
"status": "Succeeded",
|
||||
"outputs": {
|
||||
"headers": {},
|
||||
"statusCode": "OK"
|
||||
}
|
||||
}
|
||||
},
|
||||
"triggers": {
|
||||
"Microsoft_Sentinel_incident": {
|
||||
"type": "ApiConnectionWebhook",
|
||||
"inputs": {
|
||||
"body": {
|
||||
"callback_url": "@{listCallbackUrl()}"
|
||||
},
|
||||
"host": {
|
||||
"connection": {
|
||||
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
|
||||
}
|
||||
},
|
||||
"path": "/incident-creation"
|
||||
}
|
||||
}
|
||||
},
|
||||
"actions": {
|
||||
"Authenticate_Sixgill_API": {
|
||||
"runAfter": {
|
||||
"Get_Cybersixgill_Client_Secret": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "Http",
|
||||
"inputs": {
|
||||
"body": "client_id=@{body('Get_Cybersixgill_Client_ID')?['value']}&client_secret=@{body('Get_Cybersixgill_Client_Secret')?['value']}&grant_type=client_credentials",
|
||||
"headers": {
|
||||
"Cache-Control": "no-cache",
|
||||
"Content-Type": "application/x-www-form-urlencoded"
|
||||
},
|
||||
"method": "POST",
|
||||
"uri": "https://api.cybersixgill.com/auth/token"
|
||||
},
|
||||
"runtimeConfiguration": {
|
||||
"staticResult": {
|
||||
"staticResultOptions": "Disabled",
|
||||
"name": "HTTP0"
|
||||
}
|
||||
}
|
||||
},
|
||||
"Delete_Incident_from_Cybersixgill": {
|
||||
"runAfter": {
|
||||
"Parse_JSON": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "Http",
|
||||
"inputs": {
|
||||
"headers": {
|
||||
"Authorization": "Bearer @{body('Extract_Access_Token')?['access_token']}",
|
||||
"Content-Type": "application/json"
|
||||
},
|
||||
"method": "DELETE",
|
||||
"uri": "https://api.cybersixgill.com/alerts/actionable_alert/@{body('Parse_JSON')?['id_s']}"
|
||||
}
|
||||
},
|
||||
"Extract_Access_Token": {
|
||||
"runAfter": {
|
||||
"Authenticate_Sixgill_API": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "ParseJson",
|
||||
"inputs": {
|
||||
"content": "@body('Authenticate_Sixgill_API')",
|
||||
"schema": {
|
||||
"properties": {
|
||||
"access_token": {
|
||||
"type": "string"
|
||||
},
|
||||
"expires_in": {
|
||||
"type": "integer"
|
||||
},
|
||||
"ext_expires_in": {
|
||||
"type": "integer"
|
||||
},
|
||||
"token_type": {
|
||||
"type": "string"
|
||||
}
|
||||
},
|
||||
"type": "object"
|
||||
}
|
||||
}
|
||||
},
|
||||
"Get_Cybersixgill_Client_ID": {
|
||||
"runAfter": {},
|
||||
"type": "ApiConnection",
|
||||
"inputs": {
|
||||
"host": {
|
||||
"connection": {
|
||||
"name": "@parameters('$connections')['keyvault']['connectionId']"
|
||||
}
|
||||
},
|
||||
"method": "get",
|
||||
"path": "/secrets/@{encodeURIComponent(parameters('Client ID key name'))}/value"
|
||||
}
|
||||
},
|
||||
"Get_Cybersixgill_Client_Secret": {
|
||||
"runAfter": {
|
||||
"Get_Cybersixgill_Client_ID": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "ApiConnection",
|
||||
"inputs": {
|
||||
"host": {
|
||||
"connection": {
|
||||
"name": "@parameters('$connections')['keyvault']['connectionId']"
|
||||
}
|
||||
},
|
||||
"method": "get",
|
||||
"path": "/secrets/@{encodeURIComponent(parameters('Client Secret key name'))}/value"
|
||||
}
|
||||
},
|
||||
"Initialize_variable": {
|
||||
"runAfter": {
|
||||
"Extract_Access_Token": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "InitializeVariable",
|
||||
"inputs": {
|
||||
"variables": [
|
||||
{
|
||||
"name": "alert_object",
|
||||
"type": "string",
|
||||
"value": "@{triggerBody()?['object']?['properties']?['Bookmarks']?[0]?['properties']?['queryResult']}"
|
||||
}
|
||||
]
|
||||
}
|
||||
},
|
||||
"Parse_JSON": {
|
||||
"runAfter": {
|
||||
"Initialize_variable": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "ParseJson",
|
||||
"inputs": {
|
||||
"content": "@variables('alert_object')",
|
||||
"schema": {
|
||||
"properties": {
|
||||
"Category": {
|
||||
"type": "string"
|
||||
},
|
||||
"Computer": {
|
||||
"type": "string"
|
||||
},
|
||||
"MG": {
|
||||
"type": "string"
|
||||
},
|
||||
"ManagementGroupName": {
|
||||
"type": "string"
|
||||
},
|
||||
"RawData": {
|
||||
"type": "string"
|
||||
},
|
||||
"Severity": {
|
||||
"type": "integer"
|
||||
},
|
||||
"SourceSystem": {
|
||||
"type": "string"
|
||||
},
|
||||
"TenantId": {
|
||||
"type": "string"
|
||||
},
|
||||
"TimeGenerated": {
|
||||
"type": "string"
|
||||
},
|
||||
"Type": {
|
||||
"type": "string"
|
||||
},
|
||||
"_ResourceId": {
|
||||
"type": "string"
|
||||
},
|
||||
"_time_s": {
|
||||
"type": "string"
|
||||
},
|
||||
"actor_url_with_context_s": {
|
||||
"type": "string"
|
||||
},
|
||||
"actor_url_without_context_s": {
|
||||
"type": "string"
|
||||
},
|
||||
"aggregate_alert_id_d": {
|
||||
"type": "integer"
|
||||
},
|
||||
"alert_creation_date_s": {
|
||||
"type": "string"
|
||||
},
|
||||
"alert_name_s": {
|
||||
"type": "string"
|
||||
},
|
||||
"alert_type_id_s": {
|
||||
"type": "string"
|
||||
},
|
||||
"assets_s": {
|
||||
"type": "string"
|
||||
},
|
||||
"content_s": {
|
||||
"type": "string"
|
||||
},
|
||||
"date_s": {
|
||||
"type": "string"
|
||||
},
|
||||
"id_s": {
|
||||
"type": "string"
|
||||
},
|
||||
"lang_s": {
|
||||
"type": "string"
|
||||
},
|
||||
"langcode_s": {
|
||||
"type": "string"
|
||||
},
|
||||
"matched_assets_organization_aliases_s": {
|
||||
"type": "string"
|
||||
},
|
||||
"matched_assets_organization_name_s": {
|
||||
"type": "string"
|
||||
},
|
||||
"matched_assets_products_s": {
|
||||
"type": "string"
|
||||
},
|
||||
"organization_name_s": {
|
||||
"type": "string"
|
||||
},
|
||||
"parent_id_s": {
|
||||
"type": "string"
|
||||
},
|
||||
"portal_url_s": {
|
||||
"type": "string"
|
||||
},
|
||||
"read_b": {
|
||||
"type": "boolean"
|
||||
},
|
||||
"site_s": {
|
||||
"type": "string"
|
||||
},
|
||||
"status_name_s": {
|
||||
"type": "string"
|
||||
},
|
||||
"sub_alerts_count_d": {
|
||||
"type": "string"
|
||||
},
|
||||
"threat_actor_s": {
|
||||
"type": "string"
|
||||
},
|
||||
"threat_level_s": {
|
||||
"type": "string"
|
||||
},
|
||||
"threat_source_s": {
|
||||
"type": "string"
|
||||
},
|
||||
"threats_s": {
|
||||
"type": "string"
|
||||
},
|
||||
"title_s": {
|
||||
"type": "string"
|
||||
},
|
||||
"unique_id_s": {
|
||||
"type": "string"
|
||||
},
|
||||
"user_id_s": {
|
||||
"type": "string"
|
||||
}
|
||||
},
|
||||
"type": "object"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"outputs": {}
|
||||
},
|
||||
"parameters": {
|
||||
"$connections": {
|
||||
"value": {
|
||||
"azuresentinel": {
|
||||
"connectionId": "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
|
||||
"connectionName": "[variables('MicrosoftSentinelConnectionName')]",
|
||||
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]",
|
||||
"connectionProperties": {
|
||||
"authentication": {
|
||||
"type": "ManagedServiceIdentity"
|
||||
}
|
||||
}
|
||||
},
|
||||
"keyvault": {
|
||||
"connectionId": "[resourceId('Microsoft.Web/connections', variables('KeyvaultConnectionName'))]",
|
||||
"connectionName": "[variables('KeyvaultConnectionName')]",
|
||||
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Keyvault')]",
|
||||
"connectionProperties": {
|
||||
"authentication": {
|
||||
"type": "ManagedServiceIdentity"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"name": "[parameters('PlaybookName')]",
|
||||
"type": "Microsoft.Logic/workflows",
|
||||
"location": "[resourceGroup().location]",
|
||||
"identity": {
|
||||
"type": "SystemAssigned"
|
||||
},
|
||||
"tags": {
|
||||
"hidden-SentinelTemplateName": "DeleteCybersixgillAlert",
|
||||
"hidden-SentinelTemplateVersion": "1.0"
|
||||
},
|
||||
"apiVersion": "2017-07-01",
|
||||
"dependsOn": [
|
||||
"[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
|
||||
"[resourceId('Microsoft.Web/connections', variables('KeyvaultConnectionName'))]"
|
||||
]
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Web/connections",
|
||||
"apiVersion": "2016-06-01",
|
||||
"name": "[variables('MicrosoftSentinelConnectionName')]",
|
||||
"location": "[resourceGroup().location]",
|
||||
"kind": "V1",
|
||||
"properties": {
|
||||
"displayName": "[variables('MicrosoftSentinelConnectionName')]",
|
||||
"customParameterValues": {},
|
||||
"parameterValueType": "Alternative",
|
||||
"api": {
|
||||
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]"
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Web/connections",
|
||||
"apiVersion": "2016-06-01",
|
||||
"name": "[variables('KeyvaultConnectionName')]",
|
||||
"location": "[resourceGroup().location]",
|
||||
"kind": "V1",
|
||||
"properties": {
|
||||
"displayName": "[variables('KeyvaultConnectionName')]",
|
||||
"customParameterValues": {},
|
||||
"parameterValueType": "Alternative",
|
||||
"alternativeParameterValues": {
|
||||
"vaultName": "[parameters('Keyvault Name')]"
|
||||
},
|
||||
"nonSecretParameterValues": {
|
||||
"vaultName": "[parameters('Keyvault Name')]"
|
||||
},
|
||||
"api": {
|
||||
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Keyvault')]"
|
||||
}
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
Solutions/Cybersixgill-Actionable-Alerts/Playbooks/DeleteCybersixgillAlert/images/AutomationRuleExampleDark.PNG
Solutions/Cybersixgill-Actionable-Alerts/Playbooks/DeleteCybersixgillAlert/images/AutomationRuleExampleLight.PNG
|
@ -0,0 +1,70 @@
|
|||
# DeleteCybersixgillAlert
|
||||
author: Loginsoft
|
||||
|
||||
This playbook will delete Actionable alerts in Cybersixgill Portal. When incident is deleted in Microsoft Sentinel, playbook will run and delete Actionable alerts from Portal
|
||||
|
||||
# Prerequisites
|
||||
We will need the following data to do one time setup
|
||||
|
||||
1. Cybersixgill Client ID (client_id)
|
||||
2. Cybersixgill Client Secret (client_secret)
|
||||
|
||||
Client ID and Client Secret can be obtained from [Cybersixgill Developer Portal](https://developer.cybersixgill.com/dashboard)
|
||||
* You can skip below step if you already have Client ID and Client Secret.
|
||||
* Visit [Cybersixgill Developer Portal](https://developer.cybersixgill.com/dashboard)
|
||||
* Click on Create an application.
|
||||
* Enter Application name and brief description and optional Application image
|
||||
* All other fields can be left to default.
|
||||
* Once done click on Create the app.
|
||||
* Copy Client ID and Client Secret.
|
||||
|
||||
|
||||
# Deployment instructions
|
||||
1. Deploy the playbook by clicking on "Deploy to Azure" button. This will take you to deploying an ARM Template wizard.
|
||||
|
||||
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https%3A%2F%2Fportal.azure.com%2F%23create%2FMicrosoft.Template%2Furi%2Fhttps%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FCybersixgill-Actionable-Alerts%2FPlaybooks%2FDeleteCybersixgillAlert%2Fazuredeploy.json)
|
||||
[![Deploy to Azure Gov](https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/deploytoazuregov.png)](https%3A%2F%2Fportal.azure.us%2F%23create%2FMicrosoft.Template%2Furi%2Fhttps%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FCybersixgill-Actionable-Alerts%2FPlaybooks%2FDeleteCybersixgillAlert%2Fazuredeploy.json)
|
||||
|
||||
2. Fill in the required parameters:
|
||||
* Playbook Name: Enter the playbook name here (Ex: DeleteCybersixgillAlert)
|
||||
* Keyvault name : Enter the key vault name where secret key is stored.
|
||||
* Client ID key name: Key name for Cybersixgill Client ID stored api secret.
|
||||
* Client Secret key name: Key name for Cybersixgill Client Secret the stored api secret.
|
||||
|
||||
# Post-deployment
|
||||
#### a. Authorize connections (Perform this action if needed)
|
||||
Once deployment is complete, you will need to authorize each connection.
|
||||
1. Click the Microsoft Sentinel connection resource
|
||||
2. Click edit API connection
|
||||
3. Click Authorize
|
||||
4. Sign in
|
||||
5. Click Save
|
||||
|
||||
#### b. Configurations in Sentinel
|
||||
1. Create new automation rule, ex: CybersixgillAlertDeleteAutomationRule
|
||||
* Trigger = Incident is Updated
|
||||
* Condition = -
|
||||
*Automation rule example*
|
||||
![](./images/AutomationRuleExampleDark.PNG)
|
||||
![](./images/AutomationRuleExampleLight.PNG)
|
||||
|
||||
#### c. Assign Playbook Microsoft Sentinel Responder Role
|
||||
1. Select the Playbook (Logic App) resource
|
||||
2. Click on Identity Blade
|
||||
3. Choose System assigned tab
|
||||
4. Click on Azure role assignments
|
||||
5. Click on Add role assignments
|
||||
6. Select Scope - Resource group
|
||||
7. Select Subscription - where Playbook has been created
|
||||
8. Select Resource group - where Playbook has been created
|
||||
9. Select Role - Microsoft Sentinel Responder
|
||||
10. Click Save (It takes 3-5 minutes to show the added role.)
|
||||
#### d. Assign access policy on key vault for Playbook to fetch the secret key
|
||||
1. Select the Keyvault resource where you have stored the secret
|
||||
2. Click on Access policies Blade
|
||||
3. Click on Create
|
||||
4. Under Secret permissions column , Select Get , List from "Secret Management Operations"
|
||||
5. Click next to go to Principal tab and choose your deployed playbook name
|
||||
6. Click Next leave application tab as it is .
|
||||
7. Click Review and create
|
||||
8. Click Create
|
|
@ -0,0 +1,17 @@
|
|||
{
|
||||
"publisherId": "cybersixgill1657701397011",
|
||||
"offerId": "azure-sentinel-solution-cybersixgill-actionable-alerts",
|
||||
"firstPublishDate": "2022-08-30",
|
||||
"lastPublishDate": "2022-08-30",
|
||||
"providers": ["Cybersixgill"],
|
||||
"categories": {
|
||||
"domains" : ["Security - Threat Intelligence"],
|
||||
"verticals": []
|
||||
},
|
||||
"support": {
|
||||
"name": "Cybersixgill",
|
||||
"email": "info@cybersixgill.com",
|
||||
"tier": "Partner",
|
||||
"link": "https://www.cybersixgill.com/"
|
||||
}
|
||||
}
|
|
@ -0,0 +1,193 @@
|
|||
{
|
||||
"version": "Notebook/1.0",
|
||||
"items": [
|
||||
{
|
||||
"type": 9,
|
||||
"content": {
|
||||
"version": "KqlParameterItem/1.0",
|
||||
"parameters": [
|
||||
{
|
||||
"id": "228d6050-af03-4f13-8075-8a19c58ce548",
|
||||
"version": "KqlParameterItem/1.0",
|
||||
"name": "Date",
|
||||
"type": 4,
|
||||
"isGlobal": true,
|
||||
"value": {
|
||||
"durationMs": 2592000000
|
||||
},
|
||||
"typeSettings": {
|
||||
"selectableValues": [
|
||||
{
|
||||
"durationMs": 86400000
|
||||
},
|
||||
{
|
||||
"durationMs": 604800000
|
||||
},
|
||||
{
|
||||
"durationMs": 2592000000
|
||||
},
|
||||
{
|
||||
"durationMs": 5184000000
|
||||
},
|
||||
{
|
||||
"durationMs": 7776000000
|
||||
}
|
||||
],
|
||||
"allowCustom": true
|
||||
},
|
||||
"timeContext": {
|
||||
"durationMs": 86400000
|
||||
}
|
||||
}
|
||||
],
|
||||
"style": "above",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces"
|
||||
},
|
||||
"name": "parameters - 4"
|
||||
},
|
||||
{
|
||||
"type": 12,
|
||||
"content": {
|
||||
"version": "NotebookGroup/1.0",
|
||||
"groupType": "editable",
|
||||
"items": [
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "CyberSixgill_Alerts_CL\r\n| summarize count() by threat_level_s\r\n| order by count_",
|
||||
"size": 2,
|
||||
"timeContextFromParameter": "Date",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "tiles",
|
||||
"tileSettings": {
|
||||
"showBorder": false,
|
||||
"titleContent": {
|
||||
"columnMatch": "threat_level_s",
|
||||
"formatter": 1
|
||||
},
|
||||
"leftContent": {
|
||||
"columnMatch": "count_",
|
||||
"formatter": 12,
|
||||
"formatOptions": {
|
||||
"palette": "auto"
|
||||
},
|
||||
"numberFormat": {
|
||||
"unit": 17,
|
||||
"options": {
|
||||
"maximumSignificantDigits": 3,
|
||||
"maximumFractionDigits": 2
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"customWidth": "50",
|
||||
"name": "query - 6"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "CyberSixgill_Alerts_CL\r\n| project MyJson = parse_json(assets_s)\r\n| mvexpand MyJson\r\n| summarize count() by tostring(MyJson)\r\n| top 10 by count_",
|
||||
"size": 2,
|
||||
"title": "Top 10 Matched Assets",
|
||||
"timeContextFromParameter": "Date",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "piechart"
|
||||
},
|
||||
"customWidth": "50",
|
||||
"name": "query - 2"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "CyberSixgill_Alerts_CL",
|
||||
"size": 0,
|
||||
"timeContextFromParameter": "Date",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "timechart",
|
||||
"chartSettings": {
|
||||
"showMetrics": false,
|
||||
"showDataPoints": true
|
||||
}
|
||||
},
|
||||
"name": "item-1-timeline"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "CyberSixgill_Alerts_CL\r\n| where threat_actor_s != \"\"\r\n| summarize count() by threat_actor_s \r\n| top 10 by count_",
|
||||
"size": 2,
|
||||
"title": "Top 10 threat actors",
|
||||
"timeContextFromParameter": "Date",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "piechart"
|
||||
},
|
||||
"customWidth": "50",
|
||||
"name": "item-2-threat-actors"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "CyberSixgill_Alerts_CL\r\n| summarize count() by threat_level_s \r\n| top 10 by count_",
|
||||
"size": 2,
|
||||
"title": "Threat Level",
|
||||
"timeContextFromParameter": "Date",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "piechart"
|
||||
},
|
||||
"customWidth": "50",
|
||||
"name": "item-3-theat-level"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "CyberSixgill_Alerts_CL\r\n| summarize count() by threat_source_s \r\n| top 10 by count_",
|
||||
"size": 2,
|
||||
"title": "Top 10 Sources",
|
||||
"timeContextFromParameter": "Date",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "piechart"
|
||||
},
|
||||
"customWidth": "50",
|
||||
"name": "item-4-threat-source"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "CyberSixgill_Alerts_CL\r\n| project MyJson = parse_json(threats_s)\r\n| mvexpand MyJson\r\n| summarize count() by tostring(MyJson)",
|
||||
"size": 2,
|
||||
"title": "Alerts by Type",
|
||||
"timeContextFromParameter": "Date",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "piechart"
|
||||
},
|
||||
"customWidth": "50",
|
||||
"name": "query - 2"
|
||||
}
|
||||
]
|
||||
},
|
||||
"name": "group - 5"
|
||||
}
|
||||
],
|
||||
"fallbackResourceIds": [
|
||||
""
|
||||
],
|
||||
"styleSettings": {},
|
||||
"fromTemplateId": "sentinel-ActionableAlertsDashboard",
|
||||
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
|
||||
}
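Review bot: The `item-1-timeline` step sends the bare `CyberSixgill_Alerts_CL` table to a timechart without any aggregation, so there is no per-interval series for the chart to draw — it can only plot whatever numeric columns happen to exist row by row; a timeline wants a binned count, e.g. `"query": "CyberSixgill_Alerts_CL\r\n| summarize Alerts = count() by bin(TimeGenerated, 1d)"`. Two steps in the same group carry the name `query - 2` (the matched-assets pie and the alerts-by-type pie); workbook step names are what other steps reference, so the second one should get a distinct name such as `alerts-by-type`. The tiles step (`query - 6`) and the `Threat Level` pie run the same `summarize count() by threat_level_s`; that looks intentional, but a short comment or a shared query would make it clear it is not an accidental duplicate.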
|
|
@ -0,0 +1,148 @@
|
|||
{
|
||||
"version": "Notebook/1.0",
|
||||
"items": [
|
||||
{
|
||||
"type": 9,
|
||||
"content": {
|
||||
"version": "KqlParameterItem/1.0",
|
||||
"parameters": [
|
||||
{
|
||||
"id": "f7f8867d-6fcd-41c3-a908-12de727e6f35",
|
||||
"version": "KqlParameterItem/1.0",
|
||||
"name": "date",
|
||||
"label": "Date",
|
||||
"type": 4,
|
||||
"isGlobal": true,
|
||||
"value": {
|
||||
"durationMs": 2592000000
|
||||
},
|
||||
"typeSettings": {
|
||||
"selectableValues": [
|
||||
{
|
||||
"durationMs": 86400000
|
||||
},
|
||||
{
|
||||
"durationMs": 604800000
|
||||
},
|
||||
{
|
||||
"durationMs": 2592000000
|
||||
},
|
||||
{
|
||||
"durationMs": 5184000000
|
||||
},
|
||||
{
|
||||
"durationMs": 7776000000
|
||||
}
|
||||
],
|
||||
"allowCustom": true
|
||||
},
|
||||
"timeContext": {
|
||||
"durationMs": 86400000
|
||||
}
|
||||
},
|
||||
{
|
||||
"id": "e5d5d76d-a748-4f16-94f0-ffed5fecfa00",
|
||||
"version": "KqlParameterItem/1.0",
|
||||
"name": "threat_type",
|
||||
"label": "Threat Type",
|
||||
"type": 2,
|
||||
"isGlobal": true,
|
||||
"multiSelect": true,
|
||||
"quote": "'",
|
||||
"delimiter": ",",
|
||||
"query": "CyberSixgill_Alerts_CL\r\n| where TimeGenerated > ago(720d)\r\n| project MyJson = parse_json(threats_s)\r\n| mvexpand MyJson\r\n| summarize by tostring(MyJson)\r\n| sort by MyJson asc",
|
||||
"typeSettings": {
|
||||
"additionalResourceOptions": [
|
||||
"value::all"
|
||||
],
|
||||
"showDefault": false
|
||||
},
|
||||
"defaultValue": "value::all",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces"
|
||||
},
|
||||
{
|
||||
"id": "361f855c-e983-44c9-86b4-4f57286d77e1",
|
||||
"version": "KqlParameterItem/1.0",
|
||||
"name": "threat_level",
|
||||
"label": "Threat Level",
|
||||
"type": 2,
|
||||
"isGlobal": true,
|
||||
"multiSelect": true,
|
||||
"quote": "'",
|
||||
"delimiter": ",",
|
||||
"typeSettings": {
|
||||
"additionalResourceOptions": [
|
||||
"value::all"
|
||||
],
|
||||
"showDefault": false
|
||||
},
|
||||
"jsonData": "[{\"label\": \"Emerging\", \"value\": \"emerging\"},\r\n{\"label\": \"Imminent\", \"value\": \"imminent\"}]",
|
||||
"defaultValue": "value::all"
|
||||
},
|
||||
{
|
||||
"id": "a89b3f31-ac61-419b-94a0-553ccd3ac7ac",
|
||||
"version": "KqlParameterItem/1.0",
|
||||
"name": "status",
|
||||
"label": "Status",
|
||||
"type": 2,
|
||||
"isGlobal": true,
|
||||
"multiSelect": true,
|
||||
"quote": "'",
|
||||
"delimiter": ",",
|
||||
"typeSettings": {
|
||||
"additionalResourceOptions": [
|
||||
"value::all"
|
||||
],
|
||||
"showDefault": false
|
||||
},
|
||||
"jsonData": "[{\"label\": \"Treatment Required\", \"value\": \"treatment_required\"},\r\n{\"label\": \"In Treatment\", \"value\": \"in_treatment\"},\r\n{\"label\": \"Resolved\", \"value\": \"resolved\"}]",
|
||||
"defaultValue": "value::all"
|
||||
}
|
||||
],
|
||||
"style": "above",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces"
|
||||
},
|
||||
"name": "parameters - 1"
|
||||
},
|
||||
{
|
||||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "CyberSixgill_Alerts_CL\n| extend threats = parse_json(threats_s)\n| where threats has_any ({threat_type})\n| where threat_level_s has_any ({threat_level})\n| where status_name_s has_any ({status})\n| project [\"Alert ID\"]=id_s,Title=title_s,[\"Threat Type\"]=strcat_array(threats, \",\"), Status=status_name_s, [\"Threat Actor\"]=threat_actor_s, [\"Threat Source\"]=threat_source_s, [\"Matched Assets\"]=assets_s, [\"Portal URL\"]=portal_url_s, Content=content_s\n//| where TimeGenerated {date}",
|
||||
"size": 2,
|
||||
"timeContextFromParameter": "date",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"gridSettings": {
|
||||
"formatters": [
|
||||
{
|
||||
"columnMatch": "Portal URL",
|
||||
"formatter": 7,
|
||||
"formatOptions": {
|
||||
"linkTarget": "Url",
|
||||
"linkLabel": "View in Cybersixgill portal"
|
||||
}
|
||||
},
|
||||
{
|
||||
"columnMatch": "content_s",
|
||||
"formatter": 0,
|
||||
"tooltipFormat": {
|
||||
"tooltip": "{0}"
|
||||
}
|
||||
}
|
||||
],
|
||||
"rowLimit": 50,
|
||||
"filter": true
|
||||
}
|
||||
},
|
||||
"name": "cybersixgill-alerts-list"
|
||||
}
|
||||
],
|
||||
"fallbackResourceIds": [
|
||||
""
|
||||
],
|
||||
"fromTemplateId": "sentinel-ActionableAlertsList",
|
||||
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
|
||||
}
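Review bot: The grid formatter in `cybersixgill-alerts-list` matches the column `content_s`, but the step's query projects that column as `Content`, so the tooltip formatter never applies; change it to `"columnMatch": "Content"`. The `threat_type` dropdown's query uses a fixed `ago(720d)` window instead of the workbook's `date` parameter, so its options can drift from the range the grid is showing — bind it to the `date` parameter (dropdown parameters accept a time context, if I recall correctly) or drop the hard-coded window. The trailing `//| where TimeGenerated {date}` in the grid query is dead text, since the range already comes from `timeContextFromParameter`, and should be removed rather than left commented out. One caveat for whoever deploys this: the `Portal URL` column renders the ingested `portal_url_s` value as a clickable link under a fixed label, so an analyst cannot see the destination before clicking; consider showing the URL itself, or restricting the column to the expected portal host.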
|
Solutions/Cybersixgill-Actionable-Alerts/Workbooks/Images/Perview/ActionableAlertsDashboardBlack.PNG
Solutions/Cybersixgill-Actionable-Alerts/Workbooks/Images/Perview/ActionableAlertsDashboardWhite.PNG
Solutions/Cybersixgill-Actionable-Alerts/Workbooks/Images/Perview/ActionableAlertsListBlack.PNG
Solutions/Cybersixgill-Actionable-Alerts/Workbooks/Images/Perview/ActionableAlertsListWhite.PNG