{ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "metadata":{ "comments": "This playbook will add URL entities to a new or existing watchlist.", "author": "Yaniv Shasha" }, "parameters": { "PlaybookName": { "defaultValue": "Watchlist-Add-URLToWatchList", "type": "String" }, "AzureSentinelWorkspaceName": { "defaultValue": "The Azure Sentinel workspace name", "type": "string" }, "AzureSentinelResourceGroup": { "defaultValue": "The AzureSentinel resource group", "type": "string" }, "SubscriptionID": { "defaultValue": "The Azure Sentinel subscription ID", "type": "string" }, "WatchlistName": { "defaultValue": "Name of watchlist", "type": "string" } }, "variables": { "AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]" }, "resources": [ { "type": "Microsoft.Web/connections", "apiVersion": "2016-06-01", "name": "[variables('AzureSentinelConnectionName')]", "location": "[resourceGroup().location]", "properties": { "customParameterValues": {}, "api": { "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]" } } }, { "type": "Microsoft.Logic/workflows", "apiVersion": "2017-07-01", "name": "[parameters('PlaybookName')]", "location": "[resourceGroup().location]", "tags": { "LogicAppsCategory": "security" }, "dependsOn": [ "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]" ], "properties": { "state": "Enabled", "definition": { "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", "contentVersion": "1.0.0.0", "parameters": { "$connections": { "defaultValue": {}, "type": "Object" } }, "triggers": { "When_a_response_to_an_Azure_Sentinel_alert_is_triggered": { "type": "ApiConnectionWebhook", "inputs": { "body": { "callback_url": "@{listCallbackUrl()}" }, "host": { 
"connection": { "name": "@parameters('$connections')['azuresentinel']['connectionId']" } }, "path": "/subscribe" } } }, "actions": { "Condition": { "actions": { "Update_existing_Watchlist_": { "runAfter": {}, "type": "Http", "inputs": { "authentication": { "type": "ManagedServiceIdentity" }, "body": { "properties": { "contentType": "text/csv", "createdBy": { "objectId": "c580700e-878a-4f6d-a6dd-3f2300d4ddca" }, "description": "csv1", "displayName": "@variables('WatchlistName')", "labels": [], "numberOfLinesToSkip": "0", "provider": "Microsoft", "rawContent": "@{body('Create_CSV_table')}", "source": "Local file" } }, "method": "PUT", "uri": "https://management.azure.com/subscriptions/@{variables('SubscriptionID')}/resourceGroups/@{variables('ResourceGroup')}/providers/Microsoft.OperationalInsights/workspaces/@{variables('WorkspaceName')}/providers/Microsoft.SecurityInsights/watchlists/@{variables('WatchlistName')}?api-version=2019-01-01-preview" } } }, "runAfter": { "check_if_watchlist_exist_": [ "Succeeded", "Failed" ] }, "else": { "actions": { "Until": { "actions": { "Create_a_watchlist_and_Watchlist_Items": { "runAfter": {}, "type": "Http", "inputs": { "authentication": { "type": "ManagedServiceIdentity" }, "body": { "properties": { "contentType": "text/csv", "createdBy": { "objectId": "c580700e-878a-4f6d-a6dd-3f2300d4ddca" }, "description": "csv1", "displayName": "@variables('WatchlistName')", "labels": [], "numberOfLinesToSkip": "0", "provider": "Microsoft", "rawContent": "@{body('Create_CSV_table')}", "source": "Local file" } }, "method": "PUT", "uri": "https://management.azure.com/subscriptions/@{variables('SubscriptionID')}/resourceGroups/@{variables('ResourceGroup')}/providers/Microsoft.OperationalInsights/workspaces/@{variables('WorkspaceName')}/providers/Microsoft.SecurityInsights/watchlists/@{variables('WatchlistName')}?api-version=2019-01-01-preview" } }, "Increment_variable": { "runAfter": { "Create_a_watchlist_and_Watchlist_Items": [ "Succeeded" ] }, 
"type": "IncrementVariable", "inputs": { "name": "runs", "value": 1 } } }, "runAfter": {}, "expression": "@greater(variables('runs'), 1)", "limit": { "count": 60, "timeout": "PT1H" }, "type": "Until" } } }, "expression": { "and": [ { "equals": [ "@outputs('check_if_watchlist_exist_')['statusCode']", 200 ] } ] }, "type": "If" }, "Create_CSV_table": { "runAfter": { "For_each_2": [ "Succeeded" ] }, "type": "Table", "inputs": { "format": "CSV", "from": "@variables('URL')" } }, "Entities_-_Get_URLs": { "runAfter": {}, "type": "ApiConnection", "inputs": { "body": "@triggerBody()?['Entities']", "host": { "connection": { "name": "@parameters('$connections')['azuresentinel']['connectionId']" } }, "method": "post", "path": "/entities/url" } }, "For_each_2": { "foreach": "@body('Entities_-_Get_URLs')?['URLs']", "actions": { "Append_to_array_variable": { "runAfter": {}, "type": "AppendToArrayVariable", "inputs": { "name": "URL", "value": { "Url": "@{items('For_each_2')['Url']}" } } } }, "runAfter": { "WatchListName": [ "Succeeded" ] }, "type": "Foreach" }, "Number_of_Runs": { "runAfter": { "Variable_Host": [ "Succeeded" ] }, "type": "InitializeVariable", "inputs": { "variables": [ { "name": "runs", "type": "integer", "value": 0 } ] } }, "Parse_JSON": { "runAfter": { "Entities_-_Get_URLs": [ "Succeeded" ] }, "type": "ParseJson", "inputs": { "content": "@body('Entities_-_Get_URLs')?['URLs']", "schema": { "properties": { "Urls": { "items": { "properties": { "$id": { "type": "string" }, "Type": { "type": "string" }, "Url": { "type": "string" } }, "required": [ "$id", "Type", "Url" ], "type": "array" }, "type": "array" } }, "type": "array" } } }, "ResourceGroup": { "runAfter": { "SubscriptionID": [ "Succeeded" ] }, "type": "InitializeVariable", "inputs": { "variables": [ { "name": "ResourceGroup", "type": "string", "value": "[parameters('AzureSentinelResourceGroup')]" } ] } }, "SubscriptionID": { "runAfter": { "Number_of_Runs": [ "Succeeded" ] }, "type": "InitializeVariable", 
"inputs": { "variables": [ { "name": "SubscriptionID", "type": "string", "value": "[parameters('SubscriptionID')]" } ] } }, "Variable_Host": { "runAfter": { "Parse_JSON": [ "Succeeded" ] }, "type": "InitializeVariable", "inputs": { "variables": [ { "name": "URL", "type": "array" } ] } }, "WatchListName": { "runAfter": { "WorkspaceName": [ "Succeeded" ] }, "type": "InitializeVariable", "inputs": { "variables": [ { "name": "WatchlistName", "type": "string", "value": "[parameters('WatchlistName')]" } ] } }, "WorkspaceName": { "runAfter": { "ResourceGroup": [ "Succeeded" ] }, "type": "InitializeVariable", "inputs": { "variables": [ { "name": "WorkspaceName", "type": "string", "value": "[parameters('AzureSentinelWorkspaceName')]" } ] } }, "check_if_watchlist_exist_": { "runAfter": { "Create_CSV_table": [ "Succeeded" ] }, "type": "Http", "inputs": { "authentication": { "type": "ManagedServiceIdentity" }, "method": "GET", "uri": "https://management.azure.com/subscriptions/@{variables('SubscriptionID')}/resourceGroups/@{variables('ResourceGroup')}/providers/Microsoft.OperationalInsights/workspaces/@{variables('WorkspaceName')}/providers/Microsoft.SecurityInsights/watchlists/@{variables('WatchlistName')}?api-version=2019-01-01-preview" } } }, "outputs": {} }, "parameters": { "$connections": { "value": { "azuresentinel": { "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", "connectionName": "[variables('AzureSentinelConnectionName')]", "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]" } } } } } } ] }