Azure
/
Azure-Sentinel
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность
Azure-Sentinel/Playbooks/Notify-ASCAlertAzureResource/azuredeploy.json

554 строки
32 KiB
JSON
Исходник Ответственный История

{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata":{
"comments": "This playbook will notify RBAC assigned Owners and Contributors both user and mail enabled security groups on the Azure Resource via a ASC alert generated Sentinel Incident.",
"author": "Nathan Swift"
},
"parameters": {
"PlaybookName": {
"defaultValue": "Notify-ASCAlertAzureResource",
"type": "String"
},
"UserName": {
"defaultValue": "<username>@<domain>",
"type": "string"
},
"AzureSentinelLogAnalyticsWorkspaceName": {
"defaultValue": "yourAzureSentinelworkspacename",
"type": "string"
},
"AzureSentinelLogAnalyticsWorkspaceResourceGroupName": {
"defaultValue": "yourAzureSentinelworkspaceRGname",
"type": "string"
},
"AADTenantID": {
"defaultValue": "Your AAD Tenant ID",
"type": "string"
}
},
"variables": {
"AzureMonitorLogsConnectionName": "[concat('azuremonitorlogs-', parameters('PlaybookName'))]",
"AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]",
"office365ConnectionName": "[concat('office365-', parameters('PlaybookName'))]"
},
"resources": [
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('AzureSentinelConnectionName')]",
"location": "[resourceGroup().location]",
"properties": {
"displayName": "[parameters('UserName')]",
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('AzureMonitorLogsConnectionName')]",
"location": "[resourceGroup().location]",
"properties": {
"displayName": "[parameters('UserName')]",
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuremonitorlogs')]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('office365ConnectionName')]",
"location": "[resourceGroup().location]",
"properties": {
"displayName": "[parameters('UserName')]",
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/office365')]"
}
}
},
{
"type": "Microsoft.Logic/workflows",
"apiVersion": "2017-07-01",
"name": "[parameters('PlaybookName')]",
"location": "[resourceGroup().location]",
"tags": {
"LogicAppsCategory": "security"
},
"identity": {
"type": "SystemAssigned"
},
"dependsOn": [
"[resourceId('Microsoft.Web/connections', variables('office365ConnectionName'))]",
"[resourceId('Microsoft.Web/connections', variables('AzureMonitorLogsConnectionName'))]",
"[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]"
],
"properties": {
"state": "Enabled",
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"$connections": {
"defaultValue": {},
"type": "Object"
},
"TenantID": {
"defaultValue": "[parameters('AADTenantID')]",
"type": "String"
}
},
"triggers": {
"Microsoft_Sentinel_alert": {
"type": "ApiConnectionWebhook",
"inputs": {
"body": {
"callback_url": "@{listCallbackUrl()}"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"path": "/subscribe"
}
}
},
"actions": {
"Alert_-_Get_incident": {
"runAfter": {},
"type": "ApiConnection",
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "get",
"path": "/Cases/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}"
}
},
"For_each": {
"foreach": "@body('Alert_-_Get_incident')?['properties']?['RelatedAlertIds']",
"actions": {
"Filter_array": {
"runAfter": {
"HTTP_2": [
"Succeeded"
]
},
"type": "Query",
"inputs": {
"from": "@body('HTTP_2')?['value']",
"where": "@or(not(equals(item()?['mail'], null)), not(equals(item()?['otherMails'], null)))"
}
},
"Filter_array_2": {
"runAfter": {
"HTTP": [
"Succeeded"
]
},
"type": "Query",
"inputs": {
"from": "@body('HTTP')?['value']",
"where": "@or(contains(item()?['properties']?['roleDefinitionId'], '8e3af657-a8ff-443c-a75c-2fe8c4bcb635'), contains(item()?['properties']?['roleDefinitionId'], 'b24988ac-6180-42a0-ab88-20f7382dd24c'))"
}
},
"For_each_2": {
"foreach": "@body('Filter_array_2')",
"actions": {
"Append_to_array_variable": {
"runAfter": {},
"type": "AppendToArrayVariable",
"inputs": {
"name": "simpleassignarray",
"value": "@items('For_each_2')?['properties']?['principalId']"
}
}
},
"runAfter": {
"Filter_array_2": [
"Succeeded"
]
},
"type": "Foreach"
},
"For_each_3": {
"foreach": "@body('Filter_array')",
"actions": {
"Condition": {
"actions": {
"Append_to_string_variable": {
"runAfter": {},
"type": "AppendToStringVariable",
"inputs": {
"name": "emailstring",
"value": "@{items('For_each_3')?['mail']}; "
}
}
},
"runAfter": {},
"else": {
"actions": {
"For_each_4": {
"foreach": "@items('For_each_3')?['otherMails']",
"actions": {
"Condition_2": {
"actions": {
"Append_to_string_variable_2": {
"runAfter": {},
"type": "AppendToStringVariable",
"inputs": {
"name": "emailstring",
"value": "@{items('For_each_4')}; "
}
}
},
"runAfter": {},
"expression": {
"and": [
{
"not": {
"equals": [
"@items('For_each_4')",
"@null"
]
}
}
]
},
"type": "If"
}
},
"runAfter": {},
"type": "Foreach"
}
}
},
"expression": {
"and": [
{
"not": {
"equals": [
"@items('For_each_3')?['mail']",
"@null"
]
}
}
]
},
"type": "If"
}
},
"runAfter": {
"Filter_array": [
"Succeeded"
]
},
"type": "Foreach"
},
"HTTP": {
"runAfter": {
"Parse_JSON": [
"Succeeded"
]
},
"type": "Http",
"inputs": {
"authentication": {
"audience": "https://management.azure.com",
"type": "ManagedServiceIdentity"
},
"method": "GET",
"uri": "https://management.azure.com/@{body('Run_query_and_list_results')['value'][0]['resourceId']}/providers/Microsoft.Authorization/roleAssignments?api-version=2018-09-01-preview"
}
},
"HTTP_2": {
"runAfter": {
"For_each_2": [
"Succeeded"
]
},
"type": "Http",
"inputs": {
"authentication": {
"audience": "https://graph.windows.net/",
"type": "ManagedServiceIdentity"
},
"body": {
"includeDirectoryObjectReferences": true,
"objectIds": "@variables('simpleassignarray')",
"types": [
"user",
"group"
]
},
"method": "POST",
"uri": "https://graph.windows.net/@{parameters('TenantID')}/getObjectsByObjectIds?api-version=1.6"
}
},
"Parse_JSON": {
"runAfter": {
"Run_query_and_list_results": [
"Succeeded"
]
},
"type": "ParseJson",
"inputs": {
"content": "@body('Run_query_and_list_results')?['value']",
"schema": {
"items": {
"properties": {
"AlertLink": {
"type": "string"
},
"AlertName": {
"type": "string"
},
"AlertSeverity": {
"type": "string"
},
"AlertType": {
"type": "string"
},
"ConfidenceLevel": {
"type": "string"
},
"ConfidenceScore": {},
"Description": {
"type": "string"
},
"DisplayName": {
"type": "string"
},
"EndTime": {
"type": "string"
},
"Entities": {
"type": "string"
},
"ExtendedLinks": {
"type": "string"
},
"ExtendedProperties": {
"type": "string"
},
"IsIncident": {
"type": "boolean"
},
"ProcessingEndTime": {
"type": "string"
},
"ProductComponentName": {
"type": "string"
},
"ProductName": {
"type": "string"
},
"ProviderName": {
"type": "string"
},
"RemediationSteps": {
"type": "string"
},
"ResourceId": {
"type": "string"
},
"SourceComputerId": {
"type": "string"
},
"SourceSystem": {
"type": "string"
},
"StartTime": {
"type": "string"
},
"SystemAlertId": {
"type": "string"
},
"TenantId": {
"type": "string"
},
"TimeGenerated": {
"type": "string"
},
"Type": {
"type": "string"
},
"VendorName": {
"type": "string"
},
"VendorOriginalId": {
"type": "string"
},
"WorkspaceResourceGroup": {
"type": "string"
},
"WorkspaceSubscriptionId": {
"type": "string"
},
"resourceprovider": {
"type": "string"
},
"resourcergname": {
"type": "string"
}
},
"required": [
"SystemAlertId",
"TimeGenerated",
"TenantId",
"DisplayName",
"AlertName",
"AlertSeverity",
"Description",
"ProviderName",
"VendorName",
"VendorOriginalId",
"ResourceId",
"SourceComputerId",
"AlertType",
"ConfidenceLevel",
"ConfidenceScore",
"IsIncident",
"StartTime",
"EndTime",
"ProcessingEndTime",
"RemediationSteps",
"ExtendedProperties",
"Entities",
"SourceSystem",
"WorkspaceSubscriptionId",
"WorkspaceResourceGroup",
"ExtendedLinks",
"ProductName",
"ProductComponentName",
"AlertLink",
"Type"
],
"type": "object"
},
"type": "array"
}
}
},
"Run_query_and_list_results": {
"runAfter": {},
"type": "ApiConnection",
"inputs": {
"body": "SecurityAlert\n| summarize arg_max(TimeGenerated, *) by SystemAlertId\n| where SystemAlertId in (\"@{items('For_each')}\")\n| where TimeGenerated >= ago (90d)",
"host": {
"connection": {
"name": "@parameters('$connections')['azuremonitorlogs']['connectionId']"
}
},
"method": "post",
"path": "/queryData",
"queries": {
"resourcegroups": "[parameters('AzureSentinelLogAnalyticsWorkspaceResourceGroupName')]",
"resourcename": "[parameters('AzureSentinelLogAnalyticsWorkspaceName')]",
"resourcetype": "Log Analytics Workspace",
"subscriptions": "[subscription().subscriptionId]",
"timerange": "Set in query"
}
}
},
"Send_an_email_(V2)": {
"runAfter": {
"For_each_3": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"body": {
"Body": "<p>SOC Analyst has found an issue that needs further investigation within the Azure resource.<br>\n<br>\nPlease read the following discovery report to take action: @{body('Parse_JSON')[0]?['AlertLink']}<br>\n<br>\nPlease contact your security team with Case: @{body('Alert_-_Get_incident')?['properties']?['CaseNumber']}</p>",
"Importance": "High",
"Subject": "Severity - @{body('Alert_-_Get_incident')?['properties']?['Severity']} - @{triggerBody()?['AlertDisplayName']}",
"To": "@variables('emailstring')"
},
"host": {
"connection": {
"name": "@parameters('$connections')['office365']['connectionId']"
}
},
"method": "post",
"path": "/v2/Mail"
}
}
},
"runAfter": {
"Initialize_variable_2": [
"Succeeded"
]
},
"type": "Foreach"
},
"Initialize_variable": {
"runAfter": {
"Alert_-_Get_incident": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "simpleassignarray",
"type": "array",
"value": []
}
]
}
},
"Initialize_variable_2": {
"runAfter": {
"Initialize_variable": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "emailstring",
"type": "string",
"value": "@{null}"
}
]
}
}
},
"outputs": {}
},
"parameters": {
"$connections": {
"value": {
"azuresentinel": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
"connectionName": "[variables('AzureSentinelConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
},
"azuremonitorlogs": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureMonitorLogsConnectionName'))]",
"connectionName": "[variables('AzureMonitorLogsConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuremonitorlogs')]"
},
"office365": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('office365ConnectionName'))]",
"connectionName": "office365",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/office365')]"
}
}
}
}
}
}
]
}
Ссылка в новой задаче Показать git blame Копировать постоянную ссылку