Azure
/
Azure-Sentinel
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность
Azure-Sentinel/Workbooks/ManualSentinelIncident.json

276 строки
12 KiB
JSON
Исходник Постоянная ссылка Ответственный История

{
"version": "Notebook/1.0",
"items": [
{
"type": 1,
"content": {
"json": "# How this workbook works\r\nMicrosoft Sentinel Incident creation. Manual incident created with ARM Action.\r\n\r\n- Choose correct Azure Subscription and Log Analytics workspace\r\n- Insert incident title\r\n- Insert incident description\r\n- Choose incident severity\r\n\t- High, Medium, Low, or Informational\r\n- Choose incident status\r\n\t- New, Active, or Closed\r\n- Insert owner for the incident in UPN format\r\n- Incident GUID will be created automatically\r\n\r\n",
"style": "upsell"
},
"name": "text - 3"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"version": "KqlParameterItem/1.0",
"name": "Subscription",
"type": 6,
"isRequired": true,
"typeSettings": {
"additionalResourceOptions": [],
"includeAll": true,
"showDefault": false
},
"value": null
},
{
"version": "KqlParameterItem/1.0",
"name": "DefaultSubscription_Internal",
"type": 1,
"query": "resources\r\n| limit 1\r\n| project subscriptionId",
"crossComponentResources": [
"{Subscription}"
],
"isHiddenWhenLocked": true,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources"
},
{
"version": "KqlParameterItem/1.0",
"name": "Workspace",
"type": 5,
"query": "where type =~ 'microsoft.operationalinsights/workspaces'\n| project id",
"crossComponentResources": [
"{Subscription}"
],
"value": null,
"typeSettings": {
"resourceTypeFilter": {
"microsoft.operationalinsights/workspaces": true
},
"additionalResourceOptions": []
},
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources"
},
{
"version": "KqlParameterItem/1.0",
"name": "resourceGroup",
"type": 1,
"query": "resources\r\n| where type =~ 'microsoft.operationalinsights/workspaces'\r\n| where id == \"{Workspace}\"\r\n| project resourceGroup",
"crossComponentResources": [
"value::selected"
],
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources"
},
{
"version": "KqlParameterItem/1.0",
"name": "WorkspaceName",
"type": 1,
"query": "resources\r\n| where type =~ 'microsoft.operationalinsights/workspaces'\r\n| where id == \"{Workspace}\"\r\n| project name",
"crossComponentResources": [
"{Subscription}"
],
"isHiddenWhenLocked": true,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources"
}
],
"style": "above",
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources"
},
"name": "parameters - 1"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"crossComponentResources": [
"{Workspace}"
],
"parameters": [
{
"version": "KqlParameterItem/1.0",
"name": "incidentTitle",
"label": "Incident title",
"type": 1,
"isRequired": true,
"timeContext": {
"durationMs": 86400000
},
"value": ""
},
{
"version": "KqlParameterItem/1.0",
"name": "description",
"label": "Description",
"type": 1,
"isRequired": true,
"value": ""
},
{
"version": "KqlParameterItem/1.0",
"name": "severity",
"label": "Severity",
"type": 2,
"isRequired": true,
"query": "{\"version\":\"1.0.0\",\"content\":\"[\\\"High\\\", \\\"Medium\\\", \\\"Low\\\", \\\"Informational\\\"]\",\"transformers\":null}",
"typeSettings": {
"additionalResourceOptions": []
},
"queryType": 8,
"value": "High"
},
{
"version": "KqlParameterItem/1.0",
"name": "status",
"label": "Status",
"type": 2,
"isRequired": true,
"query": "{\"version\":\"1.0.0\",\"content\":\"[\\\"New\\\", \\\"Active\\\", \\\"Closed\\\"]\",\"transformers\":null}",
"typeSettings": {
"additionalResourceOptions": []
},
"queryType": 8,
"value": "New"
},
{
"version": "KqlParameterItem/1.0",
"name": "UserUPN",
"label": "UserPrincipalName",
"type": 1,
"description": "Fill in your UPN",
"isRequired": true,
"value": ""
},
{
"version": "KqlParameterItem/1.0",
"name": "GUID",
"label": "ID for Sentinel Incident",
"type": 1,
"isRequired": true,
"query": "print guid=new_guid()",
"crossComponentResources": [
"{Workspace}"
],
"typeSettings": {
"paramValidationRules": [
{
"regExp": "^{?([0-9a-fA-F]){8}(-([0-9a-fA-F]){4}){3}-([0-9a-fA-F]){12}}?$",
"match": true,
"message": ""
}
]
},
"timeContext": {
"durationMs": 86400000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
}
],
"style": "formVertical",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 4"
},
{
"type": 11,
"content": {
"version": "LinkItem/1.0",
"style": "list",
"links": [
{
"linkTarget": "ArmAction",
"linkLabel": "Create Incident",
"preText": "❗",
"postText": "at {WorkspaceName}",
"style": "primary",
"icon": "Alert",
"linkIsContextBlade": true,
"templateRunContext": {
"componentIdSource": "parameter",
"templateUriSource": "static",
"templateParameters": [
{
"name": "subscriptionid",
"source": "parameter",
"value": "Subscription",
"kind": "stringValue"
},
{
"name": "workspaces",
"source": "parameter",
"value": "Sentinel",
"kind": "stringValue"
},
{
"name": "resourcegroup",
"source": "parameter",
"value": "Sentinel",
"kind": "stringValue"
}
],
"titleSource": "static",
"descriptionSource": "static",
"runLabelSource": "static"
},
"armActionContext": {
"path": "/subscriptions/{DefaultSubscription_Internal}/resourceGroups/{resourceGroup}/providers/Microsoft.OperationalInsights/workspaces/{WorkspaceName}/providers/Microsoft.SecurityInsights/incidents/{GUID}",
"headers": [],
"params": [
{
"key": "api-version",
"value": "2022-07-01-preview"
}
],
"body": "{\r\n \"properties\": {\r\n \"title\": \"{incidentTitle}\",\r\n \"description\": \"{description}\",\r\n \"severity\": \"{severity}\",\r\n \"status\": \"{status}\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": \"{UserUPN}\",\r\n \"ownerType\": null\r\n }\r\n }\r\n}",
"httpMethod": "PUT",
"title": "Create new Microsoft Sentinel incident",
"description": "# Actions can potentially modify resources.\n## Please use caution and include a confirmation message in this description when authoring this command.\n\n<span style= \"font-size:15px;\"> You are creating a new Microsoft Sentinel incident in **{WorkspaceName}** Log Analytics workspace!</span>\n\nThe current information that will be created with the incident:\n\n- Incident Title: {incidentTitle}\n- Incident ID: {GUID}\n- Incident description: {description}\n- Incident severity: {severity}\n- Assigned to: {UserUPN}\n- Incident status: {status}",
"actionName": "CreateIncident-{GUID}",
"runLabel": "Create Incident"
}
},
{
"cellValue": "https://portal.azure.com/#view/Microsoft_Azure_Security_Insights/MainMenuBlade/~/6/id/%2Fsubscriptions%2F{DefaultSubscription_Internal}%2Fresourcegroups%2F{resourceGroup}%2Fproviders%2Fmicrosoft.securityinsightsarg%2Fsentinel%2F{WorkspaceName}",
"linkTarget": "Url",
"linkLabel": "Go to Sentinel Incident pane",
"subTarget": "Incidents",
"preText": "👆",
"postText": "at {WorkspaceName}",
"style": "link"
},
{
"cellValue": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/{DefaultSubscription_Internal}/resourceGroups/{resourceGroup}/providers/Microsoft.OperationalInsights/workspaces/{WorkspaceName}/providers/Microsoft.SecurityInsights/Incidents/{GUID}",
"linkTarget": "Url",
"linkLabel": "Go to newly created incident",
"preText": "⚠️",
"postText": "at {WorkspaceName} (only works if the incident is created)",
"style": "link"
}
]
},
"name": "links - 4"
}
]
},
"name": "group - 4"
}
],
"fromTemplateId": "sentinel-manualincident",
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}
Ссылка в новой задаче Показать git blame Копировать постоянную ссылку