Azure-Sentinel/Playbooks
Sreedhar Ande 3e86787361 updated graphics 2021-09-29 15:31:08 -07:00
..
.template Update playbooks 2021-06-30 19:05:33 +03:00
AD4IoT-AutoCloseIncidents Add screenshots 2021-06-20 10:44:45 +03:00
AD4IoT-MailbyProductionLine Add screenshots 2021-06-20 10:44:45 +03:00
AD4IoT-NewAssetServiceNowTicket Add screenshots 2021-06-20 10:44:45 +03:00
AD4IoT-TritonDetectionAndResponse AD4IoT Playbooks 2021-06-19 16:20:44 +03:00
ADX-Health-Playbook Update README.md 2021-08-24 10:22:14 +02:00
AS_Alert_Spiderfoot_Scan Updating Deploy buttons and links part 1 2021-06-16 00:25:40 +00:00
Add-IP-Entity-To-Named-Location NamedLocation-AdaptToGallery 2021-08-15 16:33:49 +03:00
Advanced-SNOW-Teams-Integration Merge pull request #3051 from teachjing/master 2021-09-21 10:50:06 -07:00
Aggregate-SNOW-tickets Updating Deploy buttons and links part 1 2021-06-16 00:25:40 +00:00
AutoConnect-ASCSubscriptions updates 2021-08-03 15:41:23 -04:00
AzureFirewall Fix tags 2021-08-02 11:13:44 +03:00
Block-AADUser Update azuredeploy.json 2021-09-09 16:10:01 -07:00
Block-ExchangeIP Merge branch 'master' of https://github.com/ThijsLecomte/Azure-Sentinel 2021-07-16 14:24:08 +02:00
Block-IPs-on-MDATP-Using-GraphSecurity Updating Deploy buttons and links part 1 2021-06-16 00:25:40 +00:00
Block-OnPremADUser Updating Deploy buttons and links part 1 2021-06-16 00:25:40 +00:00
CarbonBlack Fix tags 2021-08-02 11:13:44 +03:00
Change-Incident-Severity Adding metadata, adding hidden-tags, support-tier 2021-06-17 15:12:57 +03:00
CiscoASA Fix tags 2021-08-02 11:13:44 +03:00
CiscoFirepower Fix tags 2021-08-02 11:13:44 +03:00
Close-Incident-MCAS Updating Deploy buttons and links part 1 2021-06-16 00:25:40 +00:00
Close-SentinelIncident-fromSNOW Updating Deploy buttons and links part 1 2021-06-16 00:25:40 +00:00
Comment-OriginAlertURL Updating Deploy buttons and links part 1 2021-06-16 00:25:40 +00:00
Comment-RemediationSteps Updating Deploy buttons and links part 1 2021-06-16 00:25:40 +00:00
Confirm-AADRiskyUser Playbooks gallery adaptions 2021-07-29 12:02:35 +03:00
Create-AzureDevOpsTask Last update time equal to pp start time 2021-07-15 18:37:10 +03:00
Create-AzureSnapshot Add entities to identify VM 2020-10-21 20:58:46 +02:00
Create-IBMResilientIncident yes 2021-08-30 10:08:28 +03:00
Create-Jira-Issue Last update time equal to pp start time 2021-07-15 18:37:10 +03:00
Create-SNOW-record Merge branch 'master' into lior-tamir-patch-5 2021-08-02 10:11:26 +03:00
Create-Zendesk-Ticket Last update time equal to pp start time 2021-07-15 18:37:10 +03:00
CrowdStrike Update dates 2021-08-02 10:59:00 +03:00
Dismiss-AADRiskyUser Last update time equal to pp start time 2021-07-15 18:37:10 +03:00
Dismiss_Upstream_Events Updating Deploy buttons and links part 1 2021-06-16 00:25:40 +00:00
Edgescan-AzureSentinel-Integration Updating Deploy buttons and links part 1 2021-06-16 00:25:40 +00:00
Enrich-Sentinel-Incident-AlienVault-OTX Playbooks gallery adaptions 2021-07-29 12:02:35 +03:00
Enrich-SentinelIncident-GreyNoise-IP Merge pull request #2629 from swiftsolves-msft/nateswift-Enrich-SentinelIncident-GreyNoise-IP 2021-07-06 15:18:15 -07:00
Enrich-SentinelIncident-GreyNoiseCommunity-IP Updating Deploy buttons and links part 1 2021-06-16 00:25:40 +00:00
Enrich-SentinelIncident-MDATPTVM Merge branch 'master' into 1506-logicapp-fix 2021-06-20 10:07:35 +03:00
Export-Incidents-With-Comments Updating Deploy buttons and links part 1 2021-06-16 00:25:40 +00:00
Export-Report-CSV Correct typo and add content 2021-08-18 05:22:37 -07:00
F5BigIP Modified md and json files 2021-08-17 12:39:45 +05:30
ForcepointNGFW updated the logo path 2021-08-12 11:44:06 +05:30
Fortinet-FortiGate updated UTF-8 encoding instead of UTF-8-BOM encoding 2021-08-05 09:49:56 +05:30
Get-AD4IoTDeviceCVEs Get-AD4IoTDeviceCVEs 2021-08-03 20:54:39 +00:00
Get-ASCRecommendations Adding metadata, adding hidden-tags, support-tier 2021-06-17 15:12:57 +03:00
Get-AlertEntitiesEnrichment Updating Deploy buttons and links part 1 2021-06-16 00:25:40 +00:00
Get-AlienVault_OTX Fixed Deploy to Azure Gov 2021-09-07 11:45:50 -07:00
Get-CompromisedPasswords Update azuredeploy.json 2021-02-01 13:34:28 -08:00
Get-GeoFromIPandTagIncident-EmailAlertBasedonGeo Updating Deploy buttons and links part 1 2021-06-16 00:25:40 +00:00
Get-GeoFromIpAndTagIncident Update azuredeploy.json 2021-07-20 07:35:20 -07:00
Get-MDATPVulnerabilities Fixed readme title 2020-04-30 07:29:35 +08:00
Get-MDEFileActivityWithin30Mins Updating Deploy buttons and links part 1 2021-06-16 00:25:40 +00:00
Get-MDEInvestigationPackage bugfix 2021-08-13 20:20:26 +00:00
Get-MDEProcessActivityWithin30Mins Updating Deploy buttons and links part 1 2021-06-16 00:25:40 +00:00
Get-MDEStatistics Last update time equal to pp start time 2021-07-15 18:37:10 +03:00
Get-MachineData-EDR-SOAR-ActionsOnMachine Updating Deploy buttons and links part 1 2021-06-16 00:25:40 +00:00
Get-MerakiData-ConfigurationChanges Updating Deploy buttons and links part 1 2021-06-16 00:25:40 +00:00
Get-MerakiData-OrgSecurityEvents Updating Deploy buttons and links part 1 2021-06-16 00:25:40 +00:00
Get-Microsoft-Covid19-Indicators Updating Deploy buttons and links part 1 2021-06-16 00:25:40 +00:00
Get-O365Data fix docs link 2021-06-16 00:57:53 +00:00
Get-Recipients-EmailMessageID-containing-URL Updating Deploy buttons and links part 1 2021-06-16 00:25:40 +00:00
Get-SOCActions Updating Deploy buttons and links part 1 2021-06-16 00:25:40 +00:00
Get-SentinelAlertsEvidence Updating Deploy buttons and links part 1 2021-06-16 00:25:40 +00:00
Get-TenableVlun Updating Deploy buttons and links part 1 2021-06-16 00:25:40 +00:00
Get-VTURLPositivesComment Updating Deploy buttons and links part 1 2021-06-16 00:25:40 +00:00
Get-VirusTotalDomainReport VirusTotal playbooks to gallery 2021-08-02 14:46:29 +03:00
Get-VirusTotalFileInfo Update azuredeploy.json 2021-09-09 10:52:36 +01:00
Get-VirusTotalIPReport VirusTotal playbooks to gallery 2021-08-02 14:46:29 +03:00
Get-VirusTotalURLReport VirusTotal playbooks to gallery 2021-08-02 14:46:29 +03:00
Guardicore-Import-Assets Updating Deploy buttons and links part 1 2021-06-16 00:25:40 +00:00
Guardicore-Import-Incidents Updating Deploy buttons and links part 1 2021-06-16 00:25:40 +00:00
Guardicore-ThreatIntel Updating Deploy buttons and links part 1 2021-06-16 00:25:40 +00:00
HaveIBeenPwned trimmed the URL to make it as domain format in "Get site breaches enrichment" playbook and added domain as an optional parameter in custom connector action 2021-08-02 19:50:22 +05:30
HaveIBeenPwned-Email Updating Deploy buttons and links part 1 2021-06-16 00:25:40 +00:00
IdentityProtection-EmailResponse Updating Deploy buttons and links part 1 2021-06-16 00:25:40 +00:00
IdentityProtection-TeamsBotResponse Fix tags 2021-08-02 11:13:44 +03:00
Incident-Assignment-Shifts Last update time equal to pp start time 2021-07-15 18:37:10 +03:00
Incident-Email-Notification Updating Deploy buttons and links part 1 2021-06-16 00:25:40 +00:00
Incident-Status-Sync-To-WDATP Modified explicitly defined location field to location variable 2021-06-22 16:11:10 -07:00
IncidentUpdate -Get-SentinelAlertsEvidence Update readme.md 2021-06-24 15:29:00 +12:00
Ingest-CanaryTokens Updating Deploy buttons and links part 1 2021-06-16 00:25:40 +00:00
Ingest-Prisma Updating Deploy buttons and links part 1 2021-06-16 00:25:40 +00:00
Isolate-AzureStorageAccount Updating Deploy buttons and links part 1 2021-06-16 00:25:40 +00:00
Isolate-AzureVMtoNSG Updating Deploy buttons and links part 1 2021-06-16 00:25:40 +00:00
Isolate-MDEMachine Last update time equal to pp start time 2021-07-15 18:37:10 +03:00
M365-Security-Posture Update Readme 2021-08-05 15:09:14 +01:00
Move-LogAnalytics-to-Storage Updating Deploy buttons and links part 1 2021-06-16 00:25:40 +00:00
Notify-ASCAlertAzureResource Updating Deploy buttons and links part 1 2021-06-16 00:25:40 +00:00
Okta Update dates 2021-08-02 10:59:00 +03:00
OktaRawLog Updating Deploy buttons and links part 1 2021-06-16 00:25:40 +00:00
Open-ServiceDeskPlusOnDemand-Ticket Updating Deploy buttons and links part 1 2021-06-16 00:25:40 +00:00
PaloAlto-PAN-OS Fix tags 2021-08-02 11:13:44 +03:00
PaloAlto-Wildfire updated block url playbook 2021-08-11 18:33:44 +05:30
Post-Message-Slack Fix tags 2021-08-02 11:13:44 +03:00
Post-Message-Teams Fix tags 2021-08-02 11:13:44 +03:00
Post-Tags-And-Comments-To-Your-IntSights-Account Updating Deploy buttons and links part 1 2021-06-16 00:25:40 +00:00
Prompt-User Last update time equal to pp start time 2021-07-15 18:37:10 +03:00
QuickStart-SentinelTriggers Fix tags 2021-08-02 11:13:44 +03:00
RecordedFuture-Block-IPs-and-Domains-on-Microsoft-Defender-for-Endpoint Updating Deploy buttons and links part 1 2021-06-16 00:25:40 +00:00
RecordedFuture_C2_Malware_Detect Updating Deploy buttons and links part 1 2021-06-16 00:25:40 +00:00
RecordedFuture_COVID19_Related_Domain_Lure_Detect Updating Deploy buttons and links part 1 2021-06-16 00:25:40 +00:00
RecordedFuture_Dom_C2_DNS_Name Updating Deploy buttons and links part 1 2021-06-16 00:25:40 +00:00
RecordedFuture_Generic_Detection Updating Deploy buttons and links part 1 2021-06-16 00:25:40 +00:00
RecordedFuture_IOC_Enrichment Updating Deploy buttons and links part 1 2021-06-16 00:25:40 +00:00
RecordedFuture_IP_ActCommC2C Updating Deploy buttons and links part 1 2021-06-16 00:25:40 +00:00
RecordedFuture_IP_Enrichment Updating Deploy buttons and links part 1 2021-06-16 00:25:40 +00:00
RecordedFuture_IP_SCF Updating Deploy buttons and links part 1 2021-06-16 00:25:40 +00:00
Remove-MDEAppExecution Last update time equal to pp start time 2021-07-15 18:37:10 +03:00
Reset-AADUserPassword Update readme.md 2021-08-14 22:11:08 +03:00
Resolve-McasInfrequentCountryAlerts Updating Deploy buttons and links part 1 2021-06-16 00:25:40 +00:00
Restrict-MDEAppExecution Last update time equal to pp start time 2021-07-15 18:37:10 +03:00
Restrict-MDEDomain BugFix: Restrict-MDEDomain 2021-09-13 15:17:04 +00:00
Restrict-MDEFileHash Last update time equal to pp start time 2021-07-15 18:37:10 +03:00
Restrict-MDEIPAddress Last update time equal to pp start time 2021-07-15 18:37:10 +03:00
Restrict-MDEUrl Last update time equal to pp start time 2021-07-15 18:37:10 +03:00
Revoke-AADSignInSessions Update readme.md 2021-09-01 15:25:18 +12:00
Run-AzureVMPacketCapture Updating Deploy buttons and links part 2 2021-06-16 01:40:49 +00:00
Run-MDEAntivirus Bug fix for Run-MDEAntivirus 2021-08-04 16:10:22 +00:00
Save-NamedLocations Updating Deploy buttons and links part 2 2021-06-16 01:40:49 +00:00
Send-AnalyticalRulesHealthNotifications updated graphics 2021-09-29 15:31:08 -07:00
Send-AzCommunicationsSMSMessage Fixed new line issue in README 2021-06-22 21:52:59 -07:00
Send-ConnectorHealthStatus Updating Deploy buttons and links part 2 2021-06-16 01:40:49 +00:00
Send-IngestionCostAlert Merge pull request #2848 from iwafula025/master 2021-08-16 10:44:02 -07:00
Send-IngestionCostAnomalyAlert Update readme.md 2021-08-17 03:47:03 +03:00
Send-UrlReport fix deploy to Azure buttons, typos 2021-07-21 04:09:11 +00:00
Send-basic-email Fix tags 2021-08-02 11:13:44 +03:00
Send-email-with-formatted-incident-report Fix tags 2021-08-02 11:13:44 +03:00
Spur-Enrichment Sput ReadMe correction 2021-08-01 23:52:36 +02:00
Start-MDEAutomatedInvestigation Fixed Incident Trigger AzureDeploy 2021-09-01 20:28:15 -07:00
Sync-IncidentsWithJIRA Remove quotes which broke deploy buttons 2021-08-31 09:34:13 +02:00
Sync-Sentinel-Incident-Comments-To-M365Defender Updated readme for Trigger frequency change 2021-06-24 17:57:14 +05:30
Unisolate-MDEMachine Last update time equal to pp start time 2021-07-15 18:37:10 +03:00
Update-BulkIncidents Updating Deploy buttons and links part 2 2021-06-16 01:40:49 +00:00
Update-NamedLocations-TOR Update azuredeploy.json 2021-01-05 08:27:23 -08:00
Update-Watchlist-With-NamedLocation Update azuredeploy.json 2021-08-25 14:40:21 +02:00
Watchlist-Add-HostToWatchList Updating Deploy buttons and links part 2 2021-06-16 01:40:49 +00:00
Watchlist-Add-IPToWatchList Updating Deploy buttons and links part 2 2021-06-16 01:40:49 +00:00
Watchlist-Add-URLToWatchList Updating Deploy buttons and links part 2 2021-06-16 01:40:49 +00:00
Watchlist-Add-UserToWatchList Updating Deploy buttons and links part 2 2021-06-16 01:40:49 +00:00
Watchlist-ChangeIncidentSeverityandTitleIFUserVIP Updating Deploy buttons and links part 2 2021-06-16 01:40:49 +00:00
Watchlist-CloseIncidentKnownIPs Playbooks gallery adaptions 2021-07-29 12:02:35 +03:00
Watchlist-InformSubowner-IncidentTrigger Updating Deploy buttons and links part 2 2021-06-16 01:40:49 +00:00
Watchlist-SendSQLData-Watchlist Updating Deploy buttons and links part 2 2021-06-16 01:40:49 +00:00
Zscaler Update dates 2021-08-02 10:59:00 +03:00
Zscaler-add-Domains-to-URL-Category Updating Deploy buttons and links part 2 2021-06-16 01:40:49 +00:00
CSV-Report-Export Create CSV-Report-Export 2021-08-10 11:48:33 -07:00
ReadMe.md Update ReadMe.md 2020-10-22 13:47:02 +13:00
logic_app_logo.png Add files via upload 2020-10-21 16:37:03 +13:00

ReadMe.md

LogicApps Logo

About

This repo contains sample security playbooks for security automation, orchestration and response (SOAR). Each folder contains a security playbook ARM template that uses Microsoft Azure Sentinel trigger.

Instructions for deploying a custom template

After selecting a playbook, in the Azure portal:

  1. Search for deploy a custom template
  2. Click build your own template in the editor
  3. Paste the contents from the GitHub playbook
  4. Click Save
  5. Fill in needed data and click Purchase

Once deployment is complete, you will need to authorize each connection.

  1. Click the Azure Sentinel connection resource
  2. Click edit API connection
  3. Click Authorize
  4. Sign in
  5. Click Save
  6. Repeat steps for other connections
  • For Azure Log Analytics Data Collector, you will need to add the workspace ID and Key You can now edit the playbook in Logic apps.

Instructions for templatizing a playbook

Once you have created a playbook that you want to export to share, go to the Logic App resource in Azure.

Note: this is the generic instructions there may be other steps depending how complex or what connectors are used for the playbook.

  1. Click Export Template from the resource menu in Azure Portal.
  2. Copy the contents of the template.
  3. Using VS code, create a JSON file with the name "azuredeploy.json".
  4. Paste the code into the new file.
  5. In the parameters section, you can remove all parameters and add the following minimum fields. Users can edit the parameters when deploying your template. You can add more parameters based on your playbook requirements.
    "parameters": {
        "PlaybookName": {
            "defaultValue": "<PlaybookName>",
            "type": "string"
        },
        "UserName": {
            "defaultValue": "<username>@<domain>",
            "type": "string"
        }
    },
  • Playbook name and username are minimum requirements that will be used for the connections.
  1. In the variables section, create a variable for each connection the playbook is using.
  • To construct a string variable, use this following snippet. Make sure to replace the connectorname with actual name of the connector.
    [concat('<connectorname>-', parameters('PlaybookName'))]
  • For example, if you are using Azure Active Directory and Azure Sentinel connections in the playbook, then create two variables with actual connection names. The variables will be the connection names. Here we are creating a connection name using the connection (AzureAD) and "-" and the playbook name.
    "variables": {
        "AzureADConnectionName": "[concat('azuread-', parameters('PlaybookName'))]",
        "AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]"
    },
  1. Next, you will need to add resources to be created for each connection.
   "resources": [
        {
            "type": "Microsoft.Web/connections",
            "apiVersion": "2016-06-01",
            "name": "[variables('AzureADConnectionName')]",
            "location": "[resourceGroup().location]",
            "properties": {
                "displayName": "[parameters('UserName')]",
                "customParameterValues": {},
                "api": {
                    "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuread')]"
                }
            }
        },
  • The name is using the variable we created.
  • The location is using the resource group that was selected as part of the deployment.
  • The displayname is using the Username parameter.
  • Lastly, you can build the string for the id using strings plus properties of the subscription and resource group.
  • Repeat for each connection needed.
  1. In the Microsoft.Logic/workflows resource under parameters / $connections, there will be a value for each connection. You will need to update each like the following.
"parameters": {
                    "$connections": {
                        "value": {
                            "azuread": {
                                "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureADConnectionName'))]",
                                "connectionName": "[variables('AzureADConnectionName')]",
                                "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuread')]"
                            },
                            "azuresentinel": {
                                "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
                                "connectionName": "[variables('AzureSentinelConnectionName')]",
                                "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
                            }
                        }
                    }
                }

  • The connectionId will use a string and variable.
  • The connectionName is the variable.
  • The id is the string we used early for the id when creating the resource.
  1. In the Microsoft.Logic/workflows resource, you will also need the dependsOn field, which is a list of resourceId. The string for each resourceId is constructed using this snippet, followed by an example which contains Azure AD and Azure Sentinel connections.
    [resourceId('Microsoft.Web/connections', <ConnectionVariableName>)]
    "dependsOn": [
        "[resourceId('Microsoft.Web/connections', variables('AzureADConnectionName'))]",
        "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]"
    ]
  1. Save the JSON.
  2. Create a Readme.md file with a brief description of the playbook.
  3. Test deployment of your template following Instructions for deploying a custom template. Make sure the deployment succeeds.
  4. If you need samples of a playbook template, refer to an existing playbooks' azuredeploy.json sample file in the repo.
  5. Contribute the playbook template to the repository.

Suggestions and feedback

We value your feedback. Let us know if you run into any problems or share your suggestions and feedback by sending email to AzureSentinel@microsoft.com