419 строки
24 KiB
JSON
419 строки
24 KiB
JSON
{
|
|
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
|
|
"contentVersion": "1.0.0.0",
|
|
"parameters": {
|
|
"PlaybookName": {
|
|
"defaultValue": "<PlaybookName>",
|
|
"type": "string"
|
|
},
|
|
"UserName": {
|
|
"defaultValue": "<username>@<domain>",
|
|
"type": "string"
|
|
}
|
|
},
|
|
"variables": {
|
|
"AzureSentinelConnection": "[concat('azuresentinel-', parameters('PlaybookName'))]",
|
|
"Office365Connection": "[concat('office365-', parameters('PlaybookName'))]"
|
|
},
|
|
"resources": [
|
|
{
|
|
"type": "Microsoft.Web/connections",
|
|
"apiVersion": "2016-06-01",
|
|
"name": "[variables('AzureSentinelConnection')]",
|
|
"location": "[resourceGroup().location]",
|
|
"properties": {
|
|
"displayName": "[parameters('UserName')]",
|
|
"customParameterValues": {},
|
|
"api": {
|
|
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
|
|
}
|
|
}
|
|
},
|
|
{
|
|
"type": "Microsoft.Web/connections",
|
|
"apiVersion": "2016-06-01",
|
|
"name": "[variables('Office365Connection')]",
|
|
"location": "[resourceGroup().location]",
|
|
"properties": {
|
|
"displayName": "[parameters('UserName')]",
|
|
"customParameterValues": {},
|
|
"api": {
|
|
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/office365')]"
|
|
}
|
|
}
|
|
},
|
|
{
|
|
"type": "Microsoft.Logic/workflows",
|
|
"apiVersion": "2017-07-01",
|
|
"name": "[parameters('PlaybookName')]",
|
|
"location": "[resourceGroup().location]",
|
|
"dependsOn": [
|
|
"[resourceId('Microsoft.Web/connections', variables('Office365Connection'))]",
|
|
"[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnection'))]"
|
|
],
|
|
"tags": {
|
|
"LogicAppsCategory": "security"
|
|
},
|
|
"properties": {
|
|
"state": "Disabled",
|
|
"definition": {
|
|
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
|
|
"contentVersion": "1.0.0.0",
|
|
"parameters": {
|
|
"$connections": {
|
|
"defaultValue": {},
|
|
"type": "Object"
|
|
}
|
|
},
|
|
"triggers": {
|
|
"When_a_response_to_an_Azure_Sentinel_alert_is_triggered": {
|
|
"type": "ApiConnectionWebhook",
|
|
"inputs": {
|
|
"body": {
|
|
"callback_url": "@{listCallbackUrl()}"
|
|
},
|
|
"host": {
|
|
"connection": {
|
|
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
|
|
}
|
|
},
|
|
"path": "/subscribe"
|
|
}
|
|
}
|
|
},
|
|
"actions": {
|
|
"Alert_-_Get_IPs": {
|
|
"runAfter": {
|
|
"For_each_2": [
|
|
"Succeeded",
|
|
"Failed"
|
|
]
|
|
},
|
|
"type": "ApiConnection",
|
|
"inputs": {
|
|
"body": "@triggerBody()?['Entities']",
|
|
"host": {
|
|
"connection": {
|
|
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
|
|
}
|
|
},
|
|
"method": "post",
|
|
"path": "/entities/ip"
|
|
}
|
|
},
|
|
"Alert_-_Get_accounts": {
|
|
"runAfter": {
|
|
"Alert_-_Get_incident": [
|
|
"Succeeded"
|
|
]
|
|
},
|
|
"type": "ApiConnection",
|
|
"inputs": {
|
|
"body": "@triggerBody()?['Entities']",
|
|
"host": {
|
|
"connection": {
|
|
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
|
|
}
|
|
},
|
|
"method": "post",
|
|
"path": "/entities/account"
|
|
}
|
|
},
|
|
"Alert_-_Get_incident": {
|
|
"runAfter": {},
|
|
"type": "ApiConnection",
|
|
"inputs": {
|
|
"host": {
|
|
"connection": {
|
|
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
|
|
}
|
|
},
|
|
"method": "get",
|
|
"path": "/Cases/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}",
|
|
"retryPolicy": {
|
|
"count": 10,
|
|
"interval": "PT10S",
|
|
"type": "exponential"
|
|
}
|
|
}
|
|
},
|
|
"For_each": {
|
|
"foreach": "@body('Alert_-_Get_IPs')?['IPs']",
|
|
"actions": {
|
|
"Add_labels_to_incident": {
|
|
"runAfter": {
|
|
"Parse_JSON": [
|
|
"Succeeded"
|
|
]
|
|
},
|
|
"type": "ApiConnection",
|
|
"inputs": {
|
|
"body": {
|
|
"Labels": [
|
|
{
|
|
"Label": "@body('Parse_JSON')?['city']"
|
|
},
|
|
{
|
|
"Label": "@body('Parse_JSON')?['country']"
|
|
},
|
|
{
|
|
"Label": "@items('For_each')?['Address']"
|
|
}
|
|
]
|
|
},
|
|
"host": {
|
|
"connection": {
|
|
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
|
|
}
|
|
},
|
|
"method": "put",
|
|
"path": "/Case/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/@{encodeURIComponent('Incident')}/@{encodeURIComponent(body('Alert_-_Get_incident')?['properties']?['CaseNumber'])}/AddLabels"
|
|
}
|
|
},
|
|
"For_each_4": {
|
|
"foreach": "@body('Alert_-_Get_accounts')?['Accounts']",
|
|
"actions": {
|
|
"Condition": {
|
|
"actions": {
|
|
"Change_incident_status": {
|
|
"runAfter": {},
|
|
"type": "ApiConnection",
|
|
"inputs": {
|
|
"body": {
|
|
"CloseReason": "FalsePositive",
|
|
"CloseReasonText": "Expected geo location."
|
|
},
|
|
"host": {
|
|
"connection": {
|
|
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
|
|
}
|
|
},
|
|
"method": "put",
|
|
"path": "/Case/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/@{encodeURIComponent('Incident')}/@{encodeURIComponent(body('Alert_-_Get_incident')?['properties']?['CaseNumber'])}/Status/@{encodeURIComponent('Closed')}"
|
|
}
|
|
}
|
|
},
|
|
"runAfter": {},
|
|
"else": {
|
|
"actions": {
|
|
"Change_incident_status_2": {
|
|
"runAfter": {
|
|
"For_each_3": [
|
|
"Succeeded"
|
|
]
|
|
},
|
|
"type": "ApiConnection",
|
|
"inputs": {
|
|
"host": {
|
|
"connection": {
|
|
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
|
|
}
|
|
},
|
|
"method": "put",
|
|
"path": "/Case/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/@{encodeURIComponent('Incident')}/@{encodeURIComponent(body('Alert_-_Get_incident')?['properties']?['CaseNumber'])}/Status/@{encodeURIComponent('InProgress')}"
|
|
}
|
|
},
|
|
"For_each_3": {
|
|
"foreach": "@body('Alert_-_Get_accounts')?['Accounts']",
|
|
"actions": {
|
|
"Send_an_email_(V2)": {
|
|
"runAfter": {},
|
|
"type": "ApiConnection",
|
|
"inputs": {
|
|
"body": {
|
|
"Body": "<p>Login from: @{body('Parse_JSON')?['city']}, @{body('Parse_JSON')?['country']} User: @{items('For_each_3')?['Name']} IP: @{items('For_each')?['Address']}<br>\nTime (UTC): @{body('Alert_-_Get_incident')?['properties']?['StartTimeUtc']}</p>",
|
|
"Importance": "High",
|
|
"Subject": "Sentinel Alert: Unexpected Login Outside Business Area",
|
|
"To": "alerts@yourdomain.com"
|
|
},
|
|
"host": {
|
|
"connection": {
|
|
"name": "@parameters('$connections')['office365']['connectionId']"
|
|
}
|
|
},
|
|
"method": "post",
|
|
"path": "/v2/Mail"
|
|
}
|
|
}
|
|
},
|
|
"runAfter": {},
|
|
"type": "Foreach"
|
|
}
|
|
}
|
|
},
|
|
"expression": {
|
|
"or": [
|
|
{
|
|
"equals": [
|
|
"@body('Parse_JSON')?['country']",
|
|
"[[COUNTRY OF BUSINESS]"
|
|
]
|
|
},
|
|
{
|
|
"equals": [
|
|
"@body('Parse_JSON')?['city']",
|
|
"[[CITY OF BUSINESS]"
|
|
]
|
|
},
|
|
{
|
|
"equals": [
|
|
"@items('For_each_4')?['Name']",
|
|
"[[EXPECTED USER OUTSIDE BUSINESS AREA]"
|
|
]
|
|
}
|
|
]
|
|
},
|
|
"type": "If"
|
|
}
|
|
},
|
|
"runAfter": {
|
|
"Add_labels_to_incident": [
|
|
"Succeeded"
|
|
]
|
|
},
|
|
"type": "Foreach"
|
|
},
|
|
"HTTP": {
|
|
"runAfter": {},
|
|
"type": "Http",
|
|
"inputs": {
|
|
"method": "GET",
|
|
"uri": "http://ip-api.com/json/@{items('For_each')?['Address']}"
|
|
}
|
|
},
|
|
"Parse_JSON": {
|
|
"runAfter": {
|
|
"HTTP": [
|
|
"Succeeded"
|
|
]
|
|
},
|
|
"type": "ParseJson",
|
|
"inputs": {
|
|
"content": "@body('HTTP')",
|
|
"schema": {
|
|
"properties": {
|
|
"as": {
|
|
"type": "string"
|
|
},
|
|
"city": {
|
|
"type": "string"
|
|
},
|
|
"country": {
|
|
"type": "string"
|
|
},
|
|
"countryCode": {
|
|
"type": "string"
|
|
},
|
|
"isp": {
|
|
"type": "string"
|
|
},
|
|
"lat": {
|
|
"type": "number"
|
|
},
|
|
"lon": {
|
|
"type": "number"
|
|
},
|
|
"org": {
|
|
"type": "string"
|
|
},
|
|
"query": {
|
|
"type": "string"
|
|
},
|
|
"region": {
|
|
"type": "string"
|
|
},
|
|
"regionName": {
|
|
"type": "string"
|
|
},
|
|
"status": {
|
|
"type": "string"
|
|
},
|
|
"timezone": {
|
|
"type": "string"
|
|
},
|
|
"zip": {
|
|
"type": "string"
|
|
}
|
|
},
|
|
"type": "object"
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"runAfter": {
|
|
"Alert_-_Get_IPs": [
|
|
"Succeeded"
|
|
]
|
|
},
|
|
"type": "Foreach",
|
|
"runtimeConfiguration": {
|
|
"concurrency": {
|
|
"repetitions": 1
|
|
}
|
|
}
|
|
},
|
|
"For_each_2": {
|
|
"foreach": "@body('Alert_-_Get_accounts')?['Accounts']",
|
|
"actions": {
|
|
"Add_labels_to_incident_2": {
|
|
"runAfter": {},
|
|
"type": "ApiConnection",
|
|
"inputs": {
|
|
"body": {
|
|
"Labels": [
|
|
{
|
|
"Label": "@items('For_each_2')?['Name']"
|
|
}
|
|
]
|
|
},
|
|
"host": {
|
|
"connection": {
|
|
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
|
|
}
|
|
},
|
|
"method": "put",
|
|
"path": "/Case/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/@{encodeURIComponent('Incident')}/@{encodeURIComponent(body('Alert_-_Get_incident')?['properties']?['CaseNumber'])}/AddLabels",
|
|
"retryPolicy": {
|
|
"count": 10,
|
|
"interval": "PT10S",
|
|
"type": "fixed"
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"runAfter": {
|
|
"Alert_-_Get_accounts": [
|
|
"Succeeded"
|
|
]
|
|
},
|
|
"type": "Foreach",
|
|
"runtimeConfiguration": {
|
|
"concurrency": {
|
|
"repetitions": 1
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"outputs": {}
|
|
},
|
|
"parameters": {
|
|
"$connections": {
|
|
"value": {
|
|
"azuresentinel": {
|
|
"connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnection'))]",
|
|
"connectionName": "[variables('AzureSentinelConnection')]",
|
|
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
|
|
},
|
|
"office365": {
|
|
"connectionId": "[resourceId('Microsoft.Web/connections', variables('Office365Connection'))]",
|
|
"connectionName": "[variables('Office365Connection')]",
|
|
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/office365')]"
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
]
|
|
}
|