Azure-Sentinel/Playbooks/Get-GeoFromIPandTagIncident.../azuredeploy.json


{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"PlaybookName": {
"defaultValue": "<PlaybookName>",
"type": "string"
},
"UserName": {
"defaultValue": "<username>@<domain>",
"type": "string"
}
},
"variables": {
"AzureSentinelConnection": "[concat('azuresentinel-', parameters('PlaybookName'))]",
"Office365Connection": "[concat('office365-', parameters('PlaybookName'))]"
},
"resources": [
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('AzureSentinelConnection')]",
"location": "[resourceGroup().location]",
"properties": {
"displayName": "[parameters('UserName')]",
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('Office365Connection')]",
"location": "[resourceGroup().location]",
"properties": {
"displayName": "[parameters('UserName')]",
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/office365')]"
}
}
},
{
"type": "Microsoft.Logic/workflows",
"apiVersion": "2017-07-01",
"name": "[parameters('PlaybookName')]",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Web/connections', variables('Office365Connection'))]",
"[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnection'))]"
],
"tags": {
"LogicAppsCategory": "security"
},
"properties": {
"state": "Disabled",
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"$connections": {
"defaultValue": {},
"type": "Object"
}
},
"triggers": {
"When_a_response_to_an_Azure_Sentinel_alert_is_triggered": {
"type": "ApiConnectionWebhook",
"inputs": {
"body": {
"callback_url": "@{listCallbackUrl()}"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"path": "/subscribe"
}
}
},
"actions": {
"Alert_-_Get_IPs": {
"runAfter": {
"For_each_2": [
"Succeeded",
"Failed"
]
},
"type": "ApiConnection",
"inputs": {
"body": "@triggerBody()?['Entities']",
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/entities/ip"
}
},
"Alert_-_Get_accounts": {
"runAfter": {
"Alert_-_Get_incident": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"body": "@triggerBody()?['Entities']",
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/entities/account"
}
},
"Alert_-_Get_incident": {
"runAfter": {},
"type": "ApiConnection",
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "get",
"path": "/Cases/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}",
"retryPolicy": {
"count": 10,
"interval": "PT10S",
"type": "exponential"
}
}
},
"For_each": {
"foreach": "@body('Alert_-_Get_IPs')?['IPs']",
"actions": {
"Add_labels_to_incident": {
"runAfter": {
"Parse_JSON": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"body": {
"Labels": [
{
"Label": "@body('Parse_JSON')?['city']"
},
{
"Label": "@body('Parse_JSON')?['country']"
},
{
"Label": "@items('For_each')?['Address']"
}
]
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "put",
"path": "/Case/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/@{encodeURIComponent('Incident')}/@{encodeURIComponent(body('Alert_-_Get_incident')?['properties']?['CaseNumber'])}/AddLabels"
}
},
"For_each_4": {
"foreach": "@body('Alert_-_Get_accounts')?['Accounts']",
"actions": {
"Condition": {
"actions": {
"Change_incident_status": {
"runAfter": {},
"type": "ApiConnection",
"inputs": {
"body": {
"CloseReason": "FalsePositive",
"CloseReasonText": "Auto-closed by playbook: source IP geolocated (ip-api.com, unauthenticated HTTP lookup) to the expected business city/country, or the account is the expected out-of-area user. Verify before relying on this closure."
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "put",
"path": "/Case/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/@{encodeURIComponent('Incident')}/@{encodeURIComponent(body('Alert_-_Get_incident')?['properties']?['CaseNumber'])}/Status/@{encodeURIComponent('Closed')}"
}
}
},
"runAfter": {},
"else": {
"actions": {
"Change_incident_status_2": {
"runAfter": {
"For_each_3": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "put",
"path": "/Case/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/@{encodeURIComponent('Incident')}/@{encodeURIComponent(body('Alert_-_Get_incident')?['properties']?['CaseNumber'])}/Status/@{encodeURIComponent('InProgress')}"
}
},
"For_each_3": {
"foreach": "@body('Alert_-_Get_accounts')?['Accounts']",
"actions": {
"Send_an_email_(V2)": {
"runAfter": {},
"type": "ApiConnection",
"inputs": {
"body": {
"Body": "<p>Login from: @{body('Parse_JSON')?['city']}, @{body('Parse_JSON')?['country']} (ISP: @{body('Parse_JSON')?['isp']}) &nbsp;User: &nbsp;@{items('For_each_3')?['Name']} &nbsp;IP: @{items('For_each')?['Address']}<br>\nTime (UTC): &nbsp;@{body('Alert_-_Get_incident')?['properties']?['StartTimeUtc']}<br>\nGeolocation source: ip-api.com (unauthenticated HTTP lookup) - verify before acting.</p>",
"Importance": "High",
"Subject": "Sentinel Alert: Unexpected Login Outside Business Area",
"To": "alerts@yourdomain.com"
},
"host": {
"connection": {
"name": "@parameters('$connections')['office365']['connectionId']"
}
},
"method": "post",
"path": "/v2/Mail"
}
}
},
"runAfter": {},
"type": "Foreach"
}
}
},
"expression": {
"or": [
{
"equals": [
"@body('Parse_JSON')?['country']",
"[[COUNTRY OF BUSINESS]"
]
},
{
"equals": [
"@body('Parse_JSON')?['city']",
"[[CITY OF BUSINESS]"
]
},
{
"equals": [
"@items('For_each_4')?['Name']",
"[[EXPECTED USER OUTSIDE BUSINESS AREA]"
]
}
]
},
"type": "If"
}
},
"runAfter": {
"Add_labels_to_incident": [
"Succeeded"
]
},
"type": "Foreach"
},
"HTTP": {
"runAfter": {},
"type": "Http",
"inputs": {
"method": "GET",
"uri": "http://ip-api.com/json/@{items('For_each')?['Address']}"
}
},
"Parse_JSON": {
"runAfter": {
"HTTP": [
"Succeeded"
]
},
"type": "ParseJson",
"inputs": {
"content": "@body('HTTP')",
"schema": {
"properties": {
"as": {
"type": "string"
},
"city": {
"type": "string"
},
"country": {
"type": "string"
},
"countryCode": {
"type": "string"
},
"isp": {
"type": "string"
},
"lat": {
"type": "number"
},
"lon": {
"type": "number"
},
"org": {
"type": "string"
},
"query": {
"type": "string"
},
"region": {
"type": "string"
},
"regionName": {
"type": "string"
},
"status": {
"type": "string"
},
"timezone": {
"type": "string"
},
"zip": {
"type": "string"
}
},
"type": "object"
}
}
}
},
"runAfter": {
"Alert_-_Get_IPs": [
"Succeeded"
]
},
"type": "Foreach",
"runtimeConfiguration": {
"concurrency": {
"repetitions": 1
}
}
},
"For_each_2": {
"foreach": "@body('Alert_-_Get_accounts')?['Accounts']",
"actions": {
"Add_labels_to_incident_2": {
"runAfter": {},
"type": "ApiConnection",
"inputs": {
"body": {
"Labels": [
{
"Label": "@items('For_each_2')?['Name']"
}
]
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "put",
"path": "/Case/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/@{encodeURIComponent('Incident')}/@{encodeURIComponent(body('Alert_-_Get_incident')?['properties']?['CaseNumber'])}/AddLabels",
"retryPolicy": {
"count": 10,
"interval": "PT10S",
"type": "fixed"
}
}
}
},
"runAfter": {
"Alert_-_Get_accounts": [
"Succeeded"
]
},
"type": "Foreach",
"runtimeConfiguration": {
"concurrency": {
"repetitions": 1
}
}
}
},
"outputs": {}
},
"parameters": {
"$connections": {
"value": {
"azuresentinel": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnection'))]",
"connectionName": "[variables('AzureSentinelConnection')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
},
"office365": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('Office365Connection'))]",
"connectionName": "[variables('Office365Connection')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/office365')]"
}
}
}
}
}
}
]
}