Azure-Sentinel/Playbooks
iwafula025 4e1a3f342c Merge branch 'master' of https://github.com/Azure/Azure-Sentinel 2021-03-10 11:54:18 +03:00
..
Aggregate-SNOW-tickets Fixing Playbook Deploy URLs 2020-02-24 10:06:59 -05:00
AutoConnect-ASCSubscriptions ASC readme update fix (No local links) 2020-10-01 11:42:53 +03:00
Block-AADUser Fixing Playbook Deploy URLs 2020-02-24 10:06:59 -05:00
Block-ExchangeIP Update readme.md 2020-03-04 18:44:53 +01:00
Block-IPs-on-MDATP-Using-GraphSecurity Update approval email message to High Importance 2020-04-27 11:03:18 -07:00
Block-OnPremADUser Readme update 2021-03-10 11:54:07 +03:00
Change-Incident-Severity Fixing Playbook Deploy URLs 2020-02-24 10:06:59 -05:00
Close-Incident-ASCAlert Merge pull request #506 from swiftsolves-msft/nateswi_playbook 2020-02-27 08:56:52 -05:00
Close-Incident-MCAS Added Deploy to Azure button, change name of json to reflect it. 2021-02-15 13:52:06 +00:00
Close-SentinelIncident-fromSNOW commit 2020-09-15 11:40:39 +03:00
Comment-OriginAlertURL Added Readme file 2020-04-22 15:13:01 -07:00
Comment-RemediationSteps Create readme.md 2021-02-03 16:53:08 -08:00
Confirm-AADRiskyUser fixed schema 2020-06-12 14:47:21 +00:00
Create-AzureDevOpsTask readme for the Create-AzureDevOpsTask playbook 2020-04-15 13:55:04 +02:00
Create-AzureSnapshot Add entities to identify VM 2020-10-21 20:58:46 +02:00
Create-IBMResilientIncident initial 2020-02-28 11:48:23 -05:00
Dismiss-AADRiskyUser Fixing Typo in Dismiss-Riskyuser 2020-07-26 09:13:55 -07:00
Dismiss_Upstream_Events New playbook created to dismiss upstream events. 2020-08-25 14:25:35 +01:00
Edgescan-AzureSentinel-Integration Delete azuredeploy1.json 2020-12-03 21:09:17 -08:00
Enrich-Sentinel-Incident-HYAS-Insight-Domain-Current-WHOIS remove en-us in the links 2020-11-27 12:12:48 +05:30
Enrich-Sentinel-Incident-HYAS-Insight-Domain-Historic-WHOIS remove en-us in the links 2020-11-27 12:14:13 +05:30
Enrich-Sentinel-Incident-HYAS-Insight-Domain-Passive-DNS remove en-us in the links 2020-11-27 12:14:48 +05:30
Enrich-Sentinel-Incident-HYAS-Insight-Email-Dynamic-DNS removed typo 2020-11-27 12:31:22 +05:30
Enrich-Sentinel-Incident-HYAS-Insight-Email-Historic-WHOIS remove en-us in the links 2020-11-27 12:15:46 +05:30
Enrich-Sentinel-Incident-HYAS-Insight-IP-Dynamic-DNS remove en-us in the links 2020-11-27 12:16:16 +05:30
Enrich-Sentinel-Incident-HYAS-Insight-IP-Passive-DNS remove en-us in the links 2020-11-27 12:16:52 +05:30
Enrich-Sentinel-Incident-HYAS-Insight-IP-Passive-Hash remove en-us in the links 2020-11-27 12:17:24 +05:30
Enrich-Sentinel-Incident-HYAS-Insight-IP-SSL-Certificate remove en-us in the links 2020-11-27 12:17:51 +05:30
Enrich-Sentinel-Incident-HYAS-Insight-IP-Sinkhole remove en-us in the links 2020-11-27 12:18:28 +05:30
Enrich-Sentinel-Incident-HYAS-Insight-IPv4-Device-Geo remove en-us in the links 2020-11-27 12:18:53 +05:30
Enrich-Sentinel-Incident-HYAS-Insight-IPv6-Device-Geo remove en-us in the links 2020-11-27 12:19:16 +05:30
Enrich-Sentinel-Incident-HYAS-Insight-Phone-Number-Historic-WHOIS remove en-us in the links 2020-11-27 12:19:42 +05:30
Enrich-SentinelIncident-MDATPTVM Update azuredeploy.json 2020-04-14 22:57:47 +03:00
Enrich-SentinelIncident-ReversingLabs-File-Information Remove docs langauge specifier 2021-03-03 15:54:50 +01:00
Enrich-SentinelIncident-RiskIQ-Host-Passive-DNS Updated playbooks to account for bug in LogicApps 2020-07-17 17:35:59 -04:00
Enrich-SentinelIncident-RiskIQ-Host-SSL-Certificate Updated playbooks to account for bug in LogicApps 2020-07-17 17:35:59 -04:00
Enrich-SentinelIncident-RiskIQ-Host-WHOIS Officially tested the deployment process end-to-end. 2020-06-18 09:59:44 -04:00
Enrich-SentinelIncident-RiskIQ-IP-Passive-DNS Updated playbooks to account for bug in LogicApps 2020-07-17 17:35:59 -04:00
Enrich-SentinelIncident-RiskIQ-IP-SSL-Certificate Updated playbooks to account for bug in LogicApps 2020-07-17 17:35:59 -04:00
Enrich-SentinelIncident-RiskIQ-Summary Officially tested the deployment process end-to-end. 2020-06-18 09:59:44 -04:00
Enrich-SentinelIncident-RiskIQ-Summary-Host Officially tested the deployment process end-to-end. 2020-06-18 09:59:44 -04:00
Enrich-SentinelIncident-RiskIQ-Summary-IP Officially tested the deployment process end-to-end. 2020-06-18 09:59:44 -04:00
Export-Incidents-With-Comments Updated readme. Added link to guide. 2020-08-25 14:25:12 +01:00
Get-ASCRecommendations Initial Playbook (#537) 2020-03-26 17:55:13 -07:00
Get-AlertEntitiesEnrichment Corrected readme and html code preventing PR 2021-01-21 10:57:02 +01:00
Get-AlienVault_OTX Update to correct template input button and major revision to the logic app 2020-11-19 17:34:49 -06:00
Get-CompromisedPasswords Update azuredeploy.json 2021-02-01 13:34:28 -08:00
Get-GeoFromIPandTagIncident-EmailAlertBasedonGeo Update azuredeploy.json 2020-12-24 00:59:14 -05:00
Get-GeoFromIpAndTagIncident fixes #909 2020-07-31 11:05:29 +02:00
Get-IPReputation Fixed a VT Schema change. 2020-11-11 12:07:41 -05:00
Get-MDATPInvestigationPackage Fixed ARMTemplate 2020-12-03 21:46:44 -08:00
Get-MDATPVulnerabilities Fixed readme title 2020-04-30 07:29:35 +08:00
Get-MDEFileActivityWithin30Mins add deploy to azure and deploy to azure gov buttons 2021-02-28 13:19:23 -05:00
Get-MDEProcessActivityWithin30Mins new playbook - initial work 2021-03-05 21:42:09 -05:00
Get-MachineData-EDR-SOAR-ActionsOnMachine Update README.md 2021-01-06 14:26:47 +08:00
Get-Microsoft-Covid19-Indicators add deployment links to playbooks 2020-05-25 15:21:29 -07:00
Get-O365Data fixes to addonguid 2020-05-16 00:14:21 +00:00
Get-ProofPointTapEvents Fixing Playbook Deploy URLs 2020-02-24 10:06:59 -05:00
Get-Recipients-EmailMessageID-containing-URL included fixes for arm template where connector name was wrong 2021-03-09 14:43:46 -05:00
Get-SentinelAlertsEvidence Update readme.md 2020-06-11 19:36:52 +03:00
Get-TenableVlun remove locale 2020-07-09 09:59:27 +03:00
Get-VTURLPositivesComment further apikey fixes 2021-03-09 17:10:27 -05:00
Guardicore-Import-Assets updated deploy links 2020-09-28 14:33:26 -07:00
Guardicore-Import-Incidents updated deploy links 2020-09-28 14:36:56 -07:00
Guardicore-ThreatIntel Minor fixes for nullable fields from Guardicore ThreatIntel feed 2021-02-02 09:46:42 +11:00
HaveIBeenPwned-Email Update readme.md 2021-01-26 10:40:02 -05:00
IdentityProtection-EmailResponse Update readme.md 2020-10-07 17:46:51 -07:00
IdentityProtection-TeamsBotResponse Update readme.md 2020-10-07 17:48:16 -07:00
Incident-Assignment-Shifts Merge pull request #1124 from Azure/Incident-Assignment-Shifts_Update_ReadMe 2020-09-29 17:35:53 +13:00
Incident-Email-Notification Add Incident-Email-Notification playbook 2020-10-16 15:40:18 +02:00
Incident-Status-Sync-To-WDATP Just adding Author name 2021-01-27 07:59:41 +01:00
Ingest-CanaryTokens txt to yaml 2020-12-07 16:01:14 -05:00
Ingest-Prisma Update readme.md 2020-10-01 12:27:42 -03:00
Isolate-AzureStorageAccount Changed concurrency to 1 for the foreach loop setting storageid variable 2020-06-18 09:09:45 -04:00
Isolate-AzureVMtoNSG added depends on 2020-03-19 10:04:20 -04:00
Isolate-MDATPMachine Update to use MDATPDeviceID 2020-08-24 08:53:27 -07:00
Move-LogAnalytics-to-Storage Change date, using old testing date 2020-06-18 14:27:50 -04:00
Notify-ASCAlertAzureResource Updates to Notify playbook 2020-03-08 15:05:20 -04:00
OktaRawLog fix connection issue 2020-05-15 16:24:21 +00:00
Open-JIRA-Ticket Fixes due to connector bug (#647) 2020-05-07 10:53:15 -07:00
Open-SNOW-Ticket open-SNOW 2020-08-14 16:18:39 +03:00
Open-ServiceDeskPlusOnDemand-Ticket Bug fix. Added dependsOn node. 2020-08-25 14:23:56 +01:00
Open-Zendesk-Ticket Fixing Playbook Deploy URLs 2020-02-24 10:06:59 -05:00
Post-Message-Slack fix bug 2020-04-07 08:08:58 -04:00
Post-Message-Teams Fixing ARM Template 2020-07-21 16:35:30 -04:00
Post-Tags-And-Comments-To-Your-IntSights-Account Update parameters and api routes 2021-01-20 13:07:16 +02:00
Prompt-User Fixing Playbook Deploy URLs 2020-02-24 10:06:59 -05:00
RecordedFuture_Dom_C2_DNS_Name Add files via upload 2020-11-26 12:38:37 +00:00
RecordedFuture_IP_ActCommC2C Add files via upload 2020-11-26 12:39:25 +00:00
RecordedFuture_IP_Enrichment Add files via upload 2020-11-26 12:39:55 +00:00
RecordedFuture_IP_SCF Add files via upload 2020-11-26 12:40:23 +00:00
Reset-AADUserPassword Fixing Playbook Deploy URLs 2020-02-24 10:06:59 -05:00
Resolve-McasInfrequentCountryAlerts Update readme.md 2020-09-10 11:40:01 +02:00
Restrict-MDATPAppExectution Update to use MDATPDeviceID 2020-08-24 08:53:27 -07:00
Restrict-MDATPDomain Restrict-MDATPDomain (#652) 2020-05-07 13:10:06 -07:00
Restrict-MDATPFileHash Restrict-MDATPFileHash (#653) 2020-05-07 13:48:49 -07:00
Restrict-MDATPIPAddress Update azuredeploy.json 2020-05-13 13:28:43 -04:00
Restrict-MDATPUrl Update readme.md 2020-09-23 15:05:00 -04:00
Revoke-AADSignInSessions Fixing Playbook Deploy URLs 2020-02-24 10:06:59 -05:00
Run-AzureVMPacketCapture New Playbook - Run-AzureVMPacketCapture 2020-03-18 21:23:03 -04:00
Run-MDATPAntivirus Bug fix for Run-MDATPAntivirus 2020-08-13 14:28:15 -07:00
Save-NamedLocations Update Azure Deploy URL 2020-11-21 14:50:42 +01:00
Send-ConnectorHealthStatus Updated readme 2020-12-14 22:21:31 +03:00
Send-IngestionCostAlert Fixed deploy button 2020-12-23 06:19:33 +03:00
Send-UrlReport Fixing Playbook Deploy URLs 2020-02-24 10:06:59 -05:00
TritonDetectionAndResponse Triton Playbook Fixes 2020-12-14 16:04:26 +02:00
Update-BulkIncidents changes 2020-08-21 12:01:14 -04:00
Update-NamedLocations-TOR Update azuredeploy.json 2021-01-05 08:27:23 -08:00
Watchlist-Add-HostToWatchList 4 new watchlist playbooks 2021-01-27 08:44:01 +02:00
Watchlist-Add-IPToWatchList 4 new watchlist playbooks 2021-01-27 08:44:01 +02:00
Watchlist-Add-URLToWatchList 4 new watchlist playbooks 2021-01-27 08:44:01 +02:00
Watchlist-Add-UserToWatchList 4 new watchlist playbooks 2021-01-27 08:44:01 +02:00
Watchlist-ChangeIncidentSeverityandTitleIFUserVIP logicapp watchlist update incident 2020-10-27 18:32:13 +02:00
Watchlist-CloseIncidentKnownIPs Merge pull request #1196 from Azure/lior 2020-10-26 21:47:00 +02:00
Watchlist-InformSubowner-IncidentTrigger Fix Watchlists-InformSubOwner 2020-11-08 18:43:20 +02:00
Watchlist-SendSQLData-Watchlist commit 2020-11-19 21:39:35 +02:00
Zscaler-add-Domains-to-URL-Category Update README.md 2020-09-28 14:29:28 -07:00
ReadMe.md Update ReadMe.md 2020-10-22 13:47:02 +13:00
logic_app_logo.png Add files via upload 2020-10-21 16:37:03 +13:00

ReadMe.md

LogicApps Logo

About

This repo contains sample security playbooks for security automation, orchestration and response (SOAR). Each folder contains a security playbook ARM template that uses Microsoft Azure Sentinel trigger.

Instructions for deploying a custom template

After selecting a playbook, in the Azure portal:

  1. Search for deploy a custom template
  2. Click build your own template in the editor
  3. Paste the contents from the GitHub playbook
  4. Click Save
  5. Fill in needed data and click Purchase

Once deployment is complete, you will need to authorize each connection.

  1. Click the Azure Sentinel connection resource
  2. Click edit API connection
  3. Click Authorize
  4. Sign in
  5. Click Save
  6. Repeat steps for other connections
  • For Azure Log Analytics Data Collector, you will need to add the workspace ID and Key You can now edit the playbook in Logic apps.

Instructions for templatizing a playbook

Once you have created a playbook that you want to export to share, go to the Logic App resource in Azure.

Note: this is the generic instructions there may be other steps depending how complex or what connectors are used for the playbook.

  1. Click Export Template from the resource menu in Azure Portal.
  2. Copy the contents of the template.
  3. Using VS code, create a JSON file with the name "azuredeploy.json".
  4. Paste the code into the new file.
  5. In the parameters section, you can remove all parameters and add the following minimum fields. Users can edit the parameters when deploying your template. You can add more parameters based on your playbook requirements.
    "parameters": {
        "PlaybookName": {
            "defaultValue": "<PlaybookName>",
            "type": "string"
        },
        "UserName": {
            "defaultValue": "<username>@<domain>",
            "type": "string"
        }
    },
  • Playbook name and username are minimum requirements that will be used for the connections.
  1. In the variables section, create a variable for each connection the playbook is using.
  • To construct a string variable, use this following snippet. Make sure to replace the connectorname with actual name of the connector.
    [concat('<connectorname>-', parameters('PlaybookName'))]
  • For example, if you are using Azure Active Directory and Azure Sentinel connections in the playbook, then create two variables with actual connection names. The variables will be the connection names. Here we are creating a connection name using the connection (AzureAD) and "-" and the playbook name.
    "variables": {
        "AzureADConnectionName": "[concat('azuread-', parameters('PlaybookName'))]",
        "AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]"
    },
  1. Next, you will need to add resources to be created for each connection.
   "resources": [
        {
            "type": "Microsoft.Web/connections",
            "apiVersion": "2016-06-01",
            "name": "[variables('AzureADConnectionName')]",
            "location": "[resourceGroup().location]",
            "properties": {
                "displayName": "[parameters('UserName')]",
                "customParameterValues": {},
                "api": {
                    "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuread')]"
                }
            }
        },
  • The name is using the variable we created.
  • The location is using the resource group that was selected as part of the deployment.
  • The displayname is using the Username parameter.
  • Lastly, you can build the string for the id using strings plus properties of the subscription and resource group.
  • Repeat for each connection needed.
  1. In the Microsoft.Logic/workflows resource under parameters / $connections, there will be a value for each connection. You will need to update each like the following.
"parameters": {
                    "$connections": {
                        "value": {
                            "azuread": {
                                "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureADConnectionName'))]",
                                "connectionName": "[variables('AzureADConnectionName')]",
                                "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuread')]"
                            },
                            "azuresentinel": {
                                "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
                                "connectionName": "[variables('AzureSentinelConnectionName')]",
                                "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
                            }
                        }
                    }
                }

  • The connectionId will use a string and variable.
  • The connectionName is the variable.
  • The id is the string we used early for the id when creating the resource.
  1. In the Microsoft.Logic/workflows resource, you will also need the dependsOn field, which is a list of resourceId. The string for each resourceId is constructed using this snippet, followed by an example which contains Azure AD and Azure Sentinel connections.
    [resourceId('Microsoft.Web/connections', <ConnectionVariableName>)]
    "dependsOn": [
        "[resourceId('Microsoft.Web/connections', variables('AzureADConnectionName'))]",
        "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]"
    ]
  1. Save the JSON.
  2. Create a Readme.md file with a brief description of the playbook.
  3. Test deployment of your template following Instructions for deploying a custom template. Make sure the deployment succeeds.
  4. If you need samples of a playbook template, refer to an existing playbooks' azuredeploy.json sample file in the repo.
  5. Contribute the playbook template to the repository.

Suggestions and feedback

We value your feedback. Let us know if you run into any problems or share your suggestions and feedback by sending email to AzureSentinel@microsoft.com