Azure
/
Azure-Sentinel
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность
Azure-Sentinel/Playbooks/AS-Incident-Spiderfoot-Scan/azuredeploy.json

480 строки
24 KiB
JSON
Исходник Постоянная ссылка Ответственный История

{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"title": "AS-Incident-Spiderfoot-Scan",
"description": "This playbook will pull email addresses from the account entities in a Microsoft Sentinel incident and use them as targets in a Spiderfoot scan. By default, the scan is created using the HaveIBeenPwned module. The resulting report of that scan will be emailed to a recipient specified upon deployment.",
"prerequisites": "1. A Spiderfoot account is needed, along with an API key for this account. Support for the set up and configuration of each of these items can be found here: https://github.com/Accelerynt-Security/AS-Incident-Spiderfoot-Scan",
"lastUpdateTime": "2023-04-21T1:38:11Z",
"entities": ["Account"],
"tags": ["Microsoft Sentinel", "Incident", "Spiderfoot"],
"support": {
"tier": "Partner"
},
"author": {
"name": "Accelerynt"
}
},
"parameters": {
"PlaybookName": {
"defaultValue": "AS-Incident-Spiderfoot-Scan",
"type": "string"
},
"SpiderfootSubdomain": {
"type": "string",
"metadata" : {
"description" : "Enter the name of your unique Spiderfoot subdomain"
}
},
"KeyVaultName": {
"type": "string",
"metadata" : {
"description" : "Enter the name of the key vault that stores your Spiderfoot API key"
}
},
"KeySecretName": {
"type": "string",
"metadata": {
"description": "Enter the name of the key vault Secret that contains the value of your Spiderfoot API key"
}
},
"RecipientEmail": {
"type": "string",
"metadata" : {
"description" : "Enter the email address you would like the Spiderfoot report sent to"
}
}
},
"variables": {
"azuresentinel": "[concat('azuresentinel-', parameters('PlaybookName'))]",
"keyvault": "[concat('keyvault-', parameters('PlaybookName'))]",
"office365": "[concat('office365-', parameters('PlaybookName'))]"
},
"resources": [
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('azuresentinel')]",
"location": "[resourceGroup().location]",
"kind": "V1",
"properties": {
"displayName": "[parameters('PlaybookName')]",
"customParameterValues": {},
"parameterValueType": "Alternative",
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('keyvault')]",
"location": "[resourceGroup().location]",
"properties": {
"displayName": "[parameters('PlaybookName')]",
"parameterValueType": "Alternative",
"alternativeParameterValues": {
"vaultName": "[parameters('KeyVaultName')]"
},
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/keyvault')]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('office365')]",
"location": "[resourceGroup().location]",
"properties": {
"displayName": "[parameters('PlaybookName')]",
"customParameterValues": {
},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/office365')]"
}
}
},
{
"type": "Microsoft.Logic/workflows",
"apiVersion": "2017-07-01",
"name": "[parameters('PlaybookName')]",
"location": "[resourceGroup().location]",
"tags": {
"LogicAppsCategory": "security"
},
"identity": {
"type": "SystemAssigned"
},
"dependsOn": [
"[resourceId('Microsoft.Web/connections', variables('azuresentinel'))]",
"[resourceId('Microsoft.Web/connections', variables('keyvault'))]",
"[resourceId('Microsoft.Web/connections', variables('office365'))]"
],
"properties": {
"state": "Enabled",
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"$connections": {
"defaultValue": {},
"type": "Object"
}
},
"triggers": {
"Microsoft_Sentinel_incident": {
"type": "ApiConnectionWebhook",
"inputs": {
"body": {
"callback_url": "@{listCallbackUrl()}"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"path": "/incident-creation"
}
}
},
"actions": {
"Get_Secret_API_Key": {
"runAfter": {},
"type": "ApiConnection",
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['keyvault']['connectionId']"
}
},
"method": "get",
"path": "[concat('/secrets/@{encodeURIComponent(''', parameters('KeySecretName'), ''')}/value')]"
}
},
"Entities_-_Get_Accounts": {
"runAfter": {
"Initialize_variable-_Scan_Targets_Final": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/entities/account"
}
},
"For_each-_Account": {
"foreach": "@body('Entities_-_Get_Accounts')?['Accounts']",
"actions": {
"Condition": {
"actions": {
"Append_to_string_variable": {
"runAfter": {},
"type": "AppendToStringVariable",
"inputs": {
"name": "Scan Targets Initial",
"value": "@{concat(items('For_each-_Account')?['Name'], '@', items('For_each-_Account')?['UPNSuffix'])},"
}
}
},
"runAfter": {},
"expression": {
"and": [
{
"not": {
"equals": [
"@items('For_each-_Account')?['Name']",
""
]
}
},
{
"not": {
"equals": [
"@items('For_each-_Account')?['UPNSuffix']",
""
]
}
}
]
},
"type": "If"
}
},
"runAfter": {
"Entities_-_Get_Accounts": [
"Succeeded"
]
},
"type": "Foreach"
},
"HTTP-_Start_Scan": {
"runAfter": {
"Set_variable-_Remove_Last_Comma_From_Loop": [
"Succeeded"
]
},
"type": "Http",
"inputs": {
"method": "GET",
"uri": "[concat('https://', parameters('SpiderfootSubdomain'), '.hx.spiderfoot.net/api?func=scanstart&apikey=@{body(''Get_Secret_API_Key'')?[''value'']}&name=ScanFromSentinel@{formatDateTime(utcNow(), ''MMddyyyy'')}&target=@{variables(''Scan Targets'')}&options=iterate_names=0,correlations=1&modules=sfp_haveibeenpwned')]"
}
},
"Initialize_variable-_Scan_Status": {
"runAfter": {
"Initialize_variable_-_Scan_ID": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "Scan Status",
"type": "string",
"value": "STARTED"
}
]
}
},
"Initialize_variable-_Scan_Targets_Final": {
"runAfter": {
"Initialize_variable-_Scan_Targets_Initial": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "Scan Targets",
"type": "string"
}
]
}
},
"Initialize_variable-_Scan_Targets_Initial": {
"runAfter": {
"Get_Secret_API_Key": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "Scan Targets Initial",
"type": "string"
}
]
}
},
"Initialize_variable-_Scan_Values": {
"runAfter": {
"Initialize_variable-_Scan_Status": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "Scan Values",
"type": "array",
"value": [
"STARTED",
"STARTING",
"RUNNING",
"POST",
"PROCESSING",
"ANALYSIS"
]
}
]
}
},
"Initialize_variable_-_Scan_ID": {
"runAfter": {
"Parse_JSON-_Scan_ID": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "Scan ID",
"type": "string",
"value": "@{body('Parse_JSON-_Scan_ID')?[1]}"
}
]
}
},
"Parse_JSON-_Scan_ID": {
"runAfter": {
"HTTP-_Start_Scan": [
"Succeeded"
]
},
"type": "ParseJson",
"inputs": {
"content": "@body('HTTP-_Start_Scan')",
"schema": {
"items": {
"type": "string"
},
"type": "array"
}
}
},
"Send_an_email_(V2)": {
"runAfter": {
"Until": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"body": {
"Body": "[concat('<p>Scan on the following targets is complete:<br>\n@{variables(''Scan Targets'')}<br>\n<br>\n<br>\nThese entities were run against the following modules:<br>\nHaveIBeenPwned<br>\n<br>\nSpiderfoot report:<br>\nhttps://', parameters('SpiderfootSubdomain'), '/scaninfo?id=@{variables(''Scan ID'')}<br>\n</p>')]",
"Subject": "Spiderfoot Scan Report ",
"To": "[parameters('RecipientEmail')]"
},
"host": {
"connection": {
"name": "@parameters('$connections')['office365']['connectionId']"
}
},
"method": "post",
"path": "/v2/Mail"
}
},
"Set_variable-_Remove_Last_Comma_From_Loop": {
"runAfter": {
"For_each-_Account": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "Scan Targets",
"value": "@{substring(variables('Scan Targets Initial'), 0, lastIndexOf(variables('Scan Targets Initial'), ','))}"
}
},
"Until": {
"actions": {
"HTTP-_Scan_Status": {
"runAfter": {},
"type": "Http",
"inputs": {
"method": "GET",
"uri": "[concat('https://', parameters('SpiderfootSubdomain'), '.hx.spiderfoot.net/api?func=scanstatus&apikey=@{body(''Get_Secret_API_Key'')?[''value'']}&id=@{variables(''Scan ID'')}')]"
}
},
"Parse_JSON-_Status": {
"runAfter": {
"HTTP-_Scan_Status": [
"Succeeded"
]
},
"type": "ParseJson",
"inputs": {
"content": "@body('HTTP-_Scan_Status')",
"schema": {
"properties": {
"created_time": {
"type": "string"
},
"end_time": {
"type": "string"
},
"scan_name": {
"type": "string"
},
"scan_status": {
"type": "string"
},
"scan_target": {
"type": "string"
},
"start_time": {
"type": "string"
}
},
"type": "object"
}
}
},
"Set_variable": {
"runAfter": {
"Parse_JSON-_Status": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "Scan Status",
"value": "@body('Parse_JSON-_Status')?['scan_status']"
}
}
},
"runAfter": {
"Initialize_variable-_Scan_Values": [
"Succeeded"
]
},
"expression": "@not(contains(variables('Scan Values'), variables('Scan Status')))",
"limit": {
"count": 60,
"timeout": "PT1H"
},
"type": "Until"
}
},
"outputs": {}
},
"parameters": {
"$connections": {
"value": {
"azuresentinel": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('azuresentinel'))]",
"connectionName": "[variables('azuresentinel')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]",
"connectionProperties": {
"authentication": {
"type": "ManagedServiceIdentity"
}
}
},
"keyvault": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('keyvault'))]",
"connectionName": "[variables('keyvault')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId,'/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/keyvault')]",
"connectionProperties": {
"authentication": {
"type": "ManagedServiceIdentity"
}
}
},
"office365": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('office365'))]",
"connectionName": "[variables('office365')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId,'/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/office365')]"
}
}
}
}
}
}
]
}
Ссылка в новой задаче Показать git blame Копировать постоянную ссылку