11ffe48f82
Hat Tip Josh Kolka for finding issues after deployment. Updated ReadMe to include some additional notes and a PowerShell example, also updated the Deployment template to capture user input SentinelWorkspaceName, and also added Benign Positive as a close classification reason, as this field is now required.
readme.md
Update-BulkIncidents
authors: Priscila Viana, Nathan Swift
This Logic App acts as a listener: you POST a JSON object to its HTTP endpoint, and it runs a KQL query against the SecurityIncident table to discover the Azure Sentinel security incidents you wish to bulk update. It also supports selective updates by passing an array [] of incident IDs.
Additional Post Install Notes:
The Logic App requires the SecurityIncident table (preview). Check the Global Parameters in the editor view of the Logic App: sometimes the parameter SentinelResourceGroup has a leading space that causes errors; remove the leading space from the string.
Usage Notes
To obtain the Logic App URI to make POST calls to, open the Logic App in designer mode, select the first action, and copy the URI.
You can use Postman, PowerShell, or your favorite shell to send a JSON body to the Logic App endpoint. Below are some PowerShell examples of usage.
At this time the Logic App can only bulk update the Status of Azure Sentinel incidents.
When finished, disable or delete the Logic App until next use.
```powershell
<#
Object parameters accepted are:
operationtype - acceptable values are 'kql' or 'ids' | 'kql' = pass the parameter 'operationquery' containing a KQL query; its results are the incidents that get bulk updated | 'ids' = pass an array list in the parameter 'operationids'
operationstatus - Closed, New, InProgress
operationquery - a KQL query whose results (Azure Sentinel incidents) are bulk updated
operationids - an array list of Azure Sentinel incident IDs/case numbers to bulk update
See below for examples
#>
# Your URI from the deployed Logic App
$uri = "https://prod-38.eastus.logic.azure.com:443/workflows/r794bb6/triggers/request/paths/invoke?api-version=2016-10-01&sp=%2Ftriggers%2Frequest%2Frun&sv=1.0&sig=b_7K3GTyGxvJ2V"
# The request body is JSON
$header = @{'Content-Type' = 'application/json'}
# Assign $json to one of the example bodies below (Example 1 or Example 2) before sending the request
# Execute: POST the JSON body to the Logic App
Invoke-WebRequest -Uri $uri -Method POST -Body $json -Headers $header
```
## Example 1 using a KQL query to bulk update incidents
```powershell
$json = @"
{ "bulkoperation": {
"operationtype": "kql",
"operationquery": "SecurityIncident | where TimeGenerated >= ago(7d) | where Status == 'New'",
"operationstatus": "Closed"
}
}
"@
```
## Example 2 using an array of incidents you want to update
```powershell
$json = @"
{ "bulkoperation": {
"operationtype": "ids",
"operationids": [933, 934, 935, 935, 936],
"operationstatus": "Closed"
}
}
"@
```
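As an added example that is not part of the Update-BulkIncidents project, here is a PowerShell wrapper around the request contract documented above. It rejects unknown operationtype and operationstatus values before anything is posted, deduplicates incident IDs, and supports -WhatIf so a bulk close driven by a broad KQL query can be previewed first. The function name, its parameter names and the 500-ID cap are assumptions; $uri is the trigger URI from the examples above.

```powershell
function Invoke-SentinelBulkIncidentUpdate {
    [CmdletBinding(SupportsShouldProcess = $true, DefaultParameterSetName = 'Kql')]
    param(
        # Trigger URI copied from the deployed Logic App (supplied by the caller)
        [Parameter(Mandatory)] [uri]$Uri,

        # 'kql' operation: the query whose SecurityIncident rows get updated
        [Parameter(Mandatory, ParameterSetName = 'Kql')]
        [ValidateNotNullOrEmpty()] [string]$Query,

        # 'ids' operation: explicit incident numbers (cap of 500 is an assumption)
        [Parameter(Mandatory, ParameterSetName = 'Ids')]
        [ValidateCount(1, 500)] [int[]]$IncidentId,

        # Only the statuses the README lists are accepted
        [Parameter(Mandatory)]
        [ValidateSet('Closed', 'New', 'InProgress')] [string]$Status
    )

    # Build the object in the shape the Logic App expects; ConvertTo-Json escapes
    # quotes inside the KQL text so the body stays valid JSON.
    $operation = [ordered]@{ operationtype = $PSCmdlet.ParameterSetName.ToLower() }
    if ($PSCmdlet.ParameterSetName -eq 'Kql') {
        # Refuse queries that do not start at the SecurityIncident table
        if ($Query -notmatch '^\s*SecurityIncident\b') {
            throw "Query must start with the SecurityIncident table."
        }
        $operation.operationquery = $Query
        $target = "incidents matching: $Query"
    } else {
        # Drop duplicates (Example 2 above lists 935 twice) so no incident is updated twice
        $operation.operationids = @($IncidentId | Sort-Object -Unique)
        $target = "$($operation.operationids.Count) incident(s)"
    }
    $operation.operationstatus = $Status
    $body = @{ bulkoperation = $operation } | ConvertTo-Json -Depth 5

    # -WhatIf prints the intended change and returns the payload without posting it
    if (-not $PSCmdlet.ShouldProcess($target, "Set Status to $Status via Logic App")) {
        return $body
    }
    Invoke-RestMethod -Uri $Uri -Method Post -Body $body -ContentType 'application/json'
}

# Usage: preview first, then run again without -WhatIf to send the request
# Invoke-SentinelBulkIncidentUpdate -Uri $uri -IncidentId 933,934,935,935,936 -Status Closed -WhatIf
```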