Name | ||
---|---|---|
.template | ||
AD4IoT-AutoCloseIncidents | ||
AD4IoT-MailbyProductionLine | ||
AD4IoT-NewAssetServiceNowTicket | ||
AD4IoT-TritonDetectionAndResponse | ||
ADX-Health-Playbook | ||
AS-PagerDuty-Integration | ||
AS-Slack-Integration | ||
AS_Alert_Spiderfoot_Scan | ||
Add-IP-Entity-To-Named-Location | ||
Advanced-SNOW-Teams-Integration | ||
Affected-Key-Credentials-CVE-2021-42306 | ||
Aggregate-SNOW-tickets | ||
AutoConnect-ASCSubscriptions | ||
AzureFirewall | ||
Block-AADUser | ||
Block-AADUserOrAdmin | ||
Block-ExchangeIP | ||
Block-IPs-on-MDATP-Using-GraphSecurity | ||
Block-OnPremADUser | ||
Change-Incident-Severity | ||
CiscoASA | ||
CiscoFirepower | ||
Close-Incident-MCAS | ||
Close-SentinelIncident-fromSNOW | ||
Comment-OriginAlertURL | ||
Comment-RemediationSteps | ||
Confirm-AADRiskyUser | ||
Create-AzureDevOpsTask | ||
Create-AzureSnapshot | ||
Create-IBMResilientIncident | ||
Create-Jira-Issue | ||
Create-SNOW-record | ||
Create-Zendesk-Ticket | ||
CrowdStrike | ||
Dismiss-AADRiskyUser | ||
Dismiss_Upstream_Events | ||
Edgescan-AzureSentinel-Integration | ||
Enrich-Sentinel-Incident-AlienVault-OTX | ||
Enrich-SentinelIncident-GreyNoise-IP | ||
Enrich-SentinelIncident-GreyNoiseCommunity-IP | ||
Enrich-SentinelIncident-MDATPTVM | ||
Export-Incidents-With-Comments | ||
Export-Report-CSV | ||
F5BigIP | ||
ForcepointNGFW | ||
Fortinet-FortiGate | ||
Get-AD4IoTDeviceCVEs | ||
Get-ASCRecommendations | ||
Get-AlertEntitiesEnrichment | ||
Get-AlienVault_OTX | ||
Get-CompromisedPasswords | ||
Get-GeoFromIPandTagIncident-EmailAlertBasedonGeo | ||
Get-GeoFromIpAndTagIncident | ||
Get-MDATPVulnerabilities | ||
Get-MDEFileActivityWithin30Mins | ||
Get-MDEInvestigationPackage | ||
Get-MDEProcessActivityWithin30Mins | ||
Get-MDEStatistics | ||
Get-MachineData-EDR-SOAR-ActionsOnMachine | ||
Get-MerakiData-ConfigurationChanges | ||
Get-MerakiData-OrgSecurityEvents | ||
Get-Microsoft-Covid19-Indicators | ||
Get-O365Data | ||
Get-Recipients-EmailMessageID-containing-URL | ||
Get-SOCActions | ||
Get-SentinelAlertsEvidence | ||
Get-TenableVlun | ||
Get-VTURLPositivesComment | ||
Get-VirusTotalDomainReport | ||
Get-VirusTotalFileInfo | ||
Get-VirusTotalIPReport | ||
Get-VirusTotalURLReport | ||
Guardicore-Import-Assets | ||
Guardicore-Import-Incidents | ||
Guardicore-ThreatIntel | ||
HaveIBeenPwned | ||
HaveIBeenPwned-Email | ||
IdentityProtection-EmailResponse | ||
IdentityProtection-TeamsBotResponse | ||
Incident-Assignment-Shifts | ||
Incident-Email-Notification | ||
Incident-Status-Sync-To-WDATP | ||
IncidentUpdate -Get-SentinelAlertsEvidence | ||
Ingest-CanaryTokens | ||
Ingest-Prisma | ||
Isolate-AzureStorageAccount | ||
Isolate-AzureVMtoNSG | ||
Isolate-MDEMachine | ||
M365-Security-Posture | ||
Move-LogAnalytics-to-Storage | ||
Notify-ASCAlertAzureResource | ||
OktaRawLog | ||
Open-ServiceDeskPlusOnDemand-Ticket | ||
PaloAlto-PAN-OS | ||
PaloAlto-Wildfire | ||
Post-Message-Slack | ||
Post-Message-Teams | ||
Post-Tags-And-Comments-To-Your-IntSights-Account | ||
Prompt-User | ||
QuickStart-SentinelTriggers | ||
RecordedFuture-Block-IPs-and-Domains-on-Microsoft-Defender-for-Endpoint | ||
RecordedFuture_C2_Malware_Detect | ||
RecordedFuture_COVID19_Related_Domain_Lure_Detect | ||
RecordedFuture_Dom_C2_DNS_Name | ||
RecordedFuture_Generic_Detection | ||
RecordedFuture_IOC_Enrichment | ||
RecordedFuture_IP_ActCommC2C | ||
RecordedFuture_IP_Enrichment | ||
RecordedFuture_IP_SCF | ||
Remove-MDEAppExecution | ||
Reset-AADUserPassword | ||
Resolve-McasInfrequentCountryAlerts | ||
Restrict-MDEAppExecution | ||
Restrict-MDEDomain | ||
Restrict-MDEFileHash | ||
Restrict-MDEIPAddress | ||
Restrict-MDEUrl | ||
Revoke-AADSignInSessions | ||
Run-AzureVMPacketCapture | ||
Run-MDEAntivirus | ||
Save-NamedLocations | ||
Send-AnalyticalRulesHealthNotifications | ||
Send-AzCommunicationsSMSMessage | ||
Send-ConnectorHealthStatus | ||
Send-IngestionCostAlert | ||
Send-IngestionCostAnomalyAlert | ||
Send-Teams-adaptive-card-on-incident-creation | ||
Send-UrlReport | ||
Send-basic-email | ||
Send-email-with-formatted-incident-report | ||
Spur-Enrichment | ||
Start-MDEAutomatedInvestigation | ||
Sync-IncidentsWithJIRA | ||
Sync-Sentinel-Incident-Comments-To-M365Defender | ||
Unisolate-MDEMachine | ||
Update-BulkIncidents | ||
Update-NamedLocations-TOR | ||
Update-VIPUsers-Watchlist-from-AzureAD-Group | ||
Update-Watchlist-With-NamedLocation | ||
Watchlist-Add-HostToWatchList | ||
Watchlist-Add-IPToWatchList | ||
Watchlist-Add-URLToWatchList | ||
Watchlist-Add-UserToWatchList | ||
Watchlist-ChangeIncidentSeverityandTitleIFUserVIP | ||
Watchlist-CloseIncidentKnownIPs | ||
Watchlist-InformSubowner-IncidentTrigger | ||
Watchlist-SendSQLData-Watchlist | ||
Zscaler | ||
Zscaler-add-Domains-to-URL-Category | ||
CSV-Report-Export | ||
Download.png | ||
ReadMe.md | ||
logic_app_logo.png |
About
This repo contains sample security playbooks for security automation, orchestration and response (SOAR). Each folder contains a security playbook ARM template that uses a Microsoft Sentinel trigger.
Instructions for deploying a custom template
After selecting a playbook, in the Azure portal:
- Search for deploy a custom template
- Click build your own template in the editor
- Paste the contents from the GitHub playbook
- Click Save
- Fill in needed data and click Purchase
Once deployment is complete, you will need to authorize each connection.
- Click the Microsoft Sentinel connection resource
- Click edit API connection
- Click Authorize
- Sign in
- Click Save
- Repeat steps for other connections
- For Azure Log Analytics Data Collector, you will need to add the workspace ID and Key
You can now edit the playbook in Logic apps.
Instructions for templatizing a playbook
Option 1: Azure Logic App/Playbook ARM Template Generator
- Extract the folder and open "Playbook_ARM_Template_Generator.ps1" in Visual Studio Code, Windows PowerShell, or PowerShell Core.
  Note: The script runs from the user's machine. You must allow PowerShell script execution. To do so, run the following command (the Process scope limits the change to the current PowerShell session):
  Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
- The script prompts you to enter your Azure Tenant Id.
- You are prompted to authenticate with credentials. Once you are authenticated, you are prompted to choose:
  - Subscription
  - Playbooks
- After you select playbooks, the script prompts you to select a location on your local drive to save the ARM template.
Note: The tool converts microsoftsentinel connections to MSI during export.
Option 2: Manual
Once you have created a playbook that you want to export to share, go to the Logic App resource in Azure.
Note: These are generic instructions; there may be other steps depending on how complex the playbook is and which connectors it uses.
- Click Export Template from the resource menu in Azure Portal.
- Copy the contents of the template.
- Using VS Code, create a JSON file with the name "azuredeploy.json".
- Paste the code into the new file.
- In the parameters section, you can remove all parameters and add the following minimum fields. Users can edit the parameters when deploying your template. You can add more parameters based on your playbook requirements.
    "parameters": {
        "PlaybookName": {
            "defaultValue": "<PlaybookName>",
            "type": "string"
        },
        "UserName": {
            "defaultValue": "<username>@<domain>",
            "type": "string"
        }
    },
- Playbook name and username are minimum requirements that will be used for the connections.
- In the variables section, create a variable for each connection the playbook is using.
- To construct a string variable, use the following snippet. Make sure to replace <connectorname> with the actual name of the connector.
[concat('<connectorname>-', parameters('PlaybookName'))]
- For example, if you are using Azure Active Directory and Microsoft Sentinel connections in the playbook, then create two variables with actual connection names. The variables will be the connection names. Here we are creating a connection name using the connection (AzureAD) and "-" and the playbook name.
    "variables": {
        "AzureADConnectionName": "[concat('azuread-', parameters('PlaybookName'))]",
        "AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]"
    },
- Next, you will need to add resources to be created for each connection.
    "resources": [
        {
            "type": "Microsoft.Web/connections",
            "apiVersion": "2016-06-01",
            "name": "[variables('AzureADConnectionName')]",
            "location": "[resourceGroup().location]",
            "properties": {
                "displayName": "[parameters('UserName')]",
                "customParameterValues": {},
                "api": {
                    "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuread')]"
                }
            }
        },
- The name uses the variable we created.
- The location uses the resource group that was selected as part of the deployment.
- The displayName uses the UserName parameter.
- Lastly, you can build the string for the id using strings plus properties of the subscription and resource group.
- Repeat for each connection needed.
- In the Microsoft.Logic/workflows resource, under parameters / $connections, there will be a value for each connection. You will need to update each one like the following.
    "parameters": {
        "$connections": {
            "value": {
                "azuread": {
                    "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureADConnectionName'))]",
                    "connectionName": "[variables('AzureADConnectionName')]",
                    "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuread')]"
                },
                "azuresentinel": {
                    "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
                    "connectionName": "[variables('AzureSentinelConnectionName')]",
                    "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
                }
            }
        }
    }
- The connectionId uses a string and a variable.
- The connectionName is the variable.
- The id is the string we used earlier for the id when creating the resource.
- In the Microsoft.Logic/workflows resource, you will also need the dependsOn field, which is a list of resourceId strings. The string for each resourceId is constructed using this snippet, followed by an example which contains Azure AD and Azure Sentinel connections.
[resourceId('Microsoft.Web/connections', <ConnectionVariableName>)]
    "dependsOn": [
        "[resourceId('Microsoft.Web/connections', variables('AzureADConnectionName'))]",
        "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]"
    ]
- Save the JSON.
- Create a Readme.md file with a brief description of the playbook.
- Test deployment of your template following Instructions for deploying a custom template. Make sure the deployment succeeds.
- If you need samples of a playbook template, refer to an existing playbook's azuredeploy.json file in the repo.
- Contribute the playbook template to the repository.
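A pre-contribution check for the manual steps above, added here as an example (it is not part of this repository): it verifies that every $connections entry has a matching Microsoft.Web/connections resource, connectionId and dependsOn reference, and flags literal GUIDs such as a subscription ID left over from Export Template. The names lint_playbook_template and sample_template, the constructed sample, and the GUID rule are assumptions of this example.

```python
import json
import re

# Added example, not repository code. The GUID rule is an assumption: it flags
# any literal GUID, e.g. a subscription ID left behind by "Export Template".
GUID = re.compile(r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}")
CONN = "Microsoft.Web/connections"

def lint_playbook_template(template):
    """Return a list of problems in a templatized playbook (empty = clean)."""
    problems = [f"missing parameter {p}" for p in ("PlaybookName", "UserName")
                if p not in template.get("parameters", {})]
    resources = template.get("resources", [])
    declared = {r.get("name") for r in resources if r.get("type") == CONN}
    for wf in resources:
        if wf.get("type") != "Microsoft.Logic/workflows":
            continue
        depends = wf.get("dependsOn", [])
        conns = (wf.get("properties", {}).get("parameters", {})
                   .get("$connections", {}).get("value", {}))
        for key, conn in conns.items():
            name = conn.get("connectionName", "")
            ref = f"[resourceId('{CONN}', {name.strip('[]')})]"
            if name not in declared:
                problems.append(f"{key}: no {CONN} resource named {name}")
            if conn.get("connectionId") != ref:
                problems.append(f"{key}: connectionId is not {ref}")
            if ref not in depends:
                problems.append(f"{key}: {ref} missing from dependsOn")
    for guid in sorted(set(GUID.findall(json.dumps(template)))):
        problems.append(f"hard-coded GUID {guid}")
    return problems

def sample_template():
    """Constructed template that follows the steps above (azuread only)."""
    var = "[variables('AzureADConnectionName')]"
    api = ("[concat('/subscriptions/', subscription().subscriptionId, "
           "'/providers/Microsoft.Web/locations/', resourceGroup().location, "
           "'/managedApis/azuread')]")
    ref = f"[resourceId('{CONN}', variables('AzureADConnectionName'))]"
    return {
        "parameters": {"PlaybookName": {"type": "string"}, "UserName": {"type": "string"}},
        "resources": [
            {"type": CONN, "name": var, "properties": {"api": {"id": api}}},
            {"type": "Microsoft.Logic/workflows", "dependsOn": [ref],
             "properties": {"parameters": {"$connections": {"value": {"azuread": {
                 "connectionId": ref, "connectionName": var, "id": api}}}}}},
        ],
    }
```

To check a real file, pass `json.load(open("azuredeploy.json"))` to `lint_playbook_template` and review anything it returns before you share the template.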
Suggestions and feedback
We value your feedback. Let us know if you run into any problems or share your suggestions and feedback by sending email to AzureSentinel@microsoft.com.