Azure
/
Azure-Sentinel
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность
Azure-Sentinel/Solutions/CiscoMeraki/ConsolidatedTemplate.json

6046 строки
467 KiB
JSON
Исходник Ответственный История

{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"title": "Logic Apps Custom Connector and Playbook templates - Cisco Meraki",
"description": "This is a consolidated json file for deploying Cisco Meraki custom connector + 5 playbooks.",
"mainSteps": [
"Block Device Client: 1. Fetches a list of potentially hosts 2. If malicious host is not blocked by Cisco meraki network then blocks it.",
"Block IP Address: 1. Fetches a list of potentially malicious IP addresses 2. If malicious IP address is not blocked by Cisco meraki network then blocks it.",
"Block URL: 1. Fetches a list of potentially malicious URLs 2. If malicious URL is not blocked by Cisco meraki network then blocks it.",
"Enrichment IP Address: 1. Fetches a list of potentially malicious IP addresses 2. Enrich the incident with IP status information.",
"Enrichment URL: 1. Fetches a list of potentially malicious URLs 2. Enrich the incident with URL status information."
],
"prerequisites": [
"1. Cisco Meraki API Key should be known to establish a connection with Cisco Meraki Custom Connector.",
"2. Cisco Meraki Dashboard API service endpoint should be known.",
"3. Organization name should be known.",
"4. Network name should be known.",
"5. Network Group Policy name should be known."
],
"lastUpdateTime": "2021-08-03T00:00:00.000Z",
"entities": [ "IP", "URL", "Host" ],
"tags": [ "Remediation", "Enrichment" ],
"support": {
"tier": "community"
},
"author": {
"name": "Accenture"
}
},
"parameters": {
"BlockDeviceClientPlaybookName": {
"type": "string",
"defaultValue": "Block-Device-Client-Meraki",
"metadata": {
"description": "Enter name for Block Device Client playbook without spaces"
}
},
"BlockIPAddressPlaybookName": {
"type": "string",
"defaultValue": "Block-IP-Address-Meraki",
"metadata": {
"description": "Enter name for Block IP Address playbook without spaces"
}
},
"BlockURLPlaybookName": {
"type": "string",
"defaultValue": "Block-URL-Meraki",
"metadata": {
"description": "Enter name for Block URL playbook without spaces"
}
},
"EnrichmentIPAddressPlaybookName": {
"type": "string",
"defaultValue": "IP-Address-Enrichment-Meraki",
"metadata": {
"description": "Enter name for IP Address Enrichment playbook without spaces"
}
},
"EnrichmentURLPlaybookName": {
"type": "string",
"defaultValue": "URL-Enrichment-Meraki",
"metadata": {
"description": "Enter name for URL Enrichment playbook without spaces"
}
},
"OrganizationName": {
"type": "string",
"metadata": {
"description": "Enter organization name"
}
},
"NetworkName": {
"type": "string",
"metadata": {
"description": "Enter network name"
}
},
"GroupPolicy": {
"type": "string",
"metadata": {
"description": "Enter group policy name"
}
},
"CiscoMerakiConnectorName": {
"type": "string",
"defaultValue": "MerakiConnector",
"metadata": {
"description": "Enter name of Cisco Meraki custom connector without spaces"
}
},
"ServiceEndPoint": {
"type": "String",
"defaultValue": "https://{CiscoMerakiDomain}/api/{VersionNumber}",
"metadata": {
"description": "Enter the Cisco Meraki Dashboard API Service EndPoint as 'https://{CiscoMerakiDomain}/api/{VersionNumber}'"
}
}
},
"variables": {
"Meraki_Connection": "[concat('Meraki-', 'CiscoMerakiPlaybooks')]",
"AzureSentinel_Connection": "[concat('Azuresentienl-', 'CiscoMerakiPlaybooks')]"
},
"resources": [
{
"type": "Microsoft.Web/customApis",
"apiVersion": "2016-06-01",
"name": "[parameters('CiscoMerakiConnectorName')]",
"location": "[resourceGroup().location]",
"properties": {
"connectionParameters": {
"api_key": {
"type": "securestring",
"uiDefinition": {
"displayName": "API Key",
"description": "The API Key for this api",
"tooltip": "Provide your API Key",
"constraints": {
"tabIndex": 2,
"clearText": false,
"required": "true"
}
}
}
},
"brandColor": "#FFFFFF",
"description": "Cisco Meraki custom connector connects to Meraki Dashboard API service endpoint and programmatically manages and monitors Meraki networks at scale.",
"displayName": "[parameters('CiscoMerakiConnectorName')]",
"backendService": {
"serviceUrl": "[parameters('ServiceEndPoint')]"
},
"swagger": {
"swagger": "2.0",
"info": {
"version": "1.0",
"title": "Meraki Dashboard API",
"description": "Cisco Meraki custom connector connects to Meraki Dashboard API service endpoint and programmatically manages and monitors Meraki networks at scale."
},
"host": "[parameters('ServiceEndPoint')]",
"basePath": "/",
"schemes": [ "https" ],
"consumes": [ "application/json" ],
"produces": [ "application/json" ],
"paths": {
"/organizations": {
"get": {
"responses": {
"default": {
"description": "default",
"schema": {
"type": "array",
"items": {
"type": "object",
"properties": {
"id": {
"type": "string",
"description": "id",
"title": "Organization Id"
},
"name": {
"type": "string",
"description": "name",
"title": "Organization Name"
},
"url": {
"type": "string",
"description": "url",
"title": "Organization URL"
}
}
}
}
}
},
"summary": "Get Organizations",
"operationId": "GetOrganizations",
"description": "List the organizations that the user has privileges on"
}
},
"/organizations/{organizationId}/networks": {
"get": {
"responses": {
"default": {
"description": "default",
"schema": {
"type": "array",
"items": {
"type": "object",
"properties": {
"id": {
"type": "string",
"description": "id",
"title": "Network Id"
},
"organizationId": {
"type": "string",
"description": "organizationId",
"title": "Organization Id"
},
"name": {
"type": "string",
"description": "name",
"title": "Network Name"
},
"timeZone": {
"type": "string",
"description": "timeZone",
"title": "Time Zone"
},
"tags": {
"type": "array",
"items": { "type": "string" },
"description": "tags",
"title": "Tags"
},
"productTypes": {
"type": "array",
"items": { "type": "string" },
"description": "productTypes",
"title": "Product Types"
},
"enrollmentString": {
"type": "string",
"description": "enrollmentString",
"title": "Enrollment String"
}
}
}
}
}
},
"summary": "Get Networks",
"description": "List the networks that the user has privileges on in an organization",
"operationId": "GetNetworks",
"parameters": [
{
"name": "organizationId",
"in": "path",
"required": true,
"type": "string",
"description": "Organization Id",
"x-ms-summary": "Organization Id"
},
{
"name": "configTemplateId",
"in": "query",
"required": false,
"type": "string",
"x-ms-summary": "Config Template Id",
"description": "An optional parameter that is the ID of a config template. Will return all networks bound to that template."
},
{
"name": "tags",
"in": "query",
"required": false,
"type": "string",
"description": "An optional parameter to filter networks by tags. The filtering is case-sensitive. If tags are included tagsFilterType should also be included.",
"x-ms-summary": "Tags"
},
{
"name": "tagsFilterType",
"in": "query",
"required": false,
"type": "string",
"x-ms-summary": "Tag Filter Type",
"description": "An optional parameter of value withAnyTags or withAllTags to indicate whether to return networks which contain ANY or ALL of the included tags. If no type is included withAnyTags will be selected."
},
{
"name": "perPage",
"in": "query",
"required": false,
"type": "integer",
"default": 1000,
"x-ms-summary": "Per Page",
"description": "The number of entries per page returned. Acceptable range is 3 - 100000."
},
{
"name": "startingAfter",
"in": "query",
"required": false,
"type": "string",
"x-ms-summary": "Starting After",
"description": "A token used by the server to indicate the start of the page. Often this is a timestamp or an ID but it is not limited to those. This parameter should not be defined by client applications. The link for the first last prev or next page in the HTTP Link header should define it."
},
{
"name": "endingBefore",
"in": "query",
"required": false,
"type": "string",
"x-ms-summary": "Ending Before",
"description": "A token used by the server to indicate the end of the page. Often this is a timestamp or an ID but it is not limited to those. This parameter should not be defined by client applications. The link for the first last prev or next page in the HTTP Link header should define it."
}
]
}
},
"/networks/{networkId}/devices": {
"get": {
"responses": {
"default": {
"description": "default",
"schema": {
"type": "array",
"items": {
"type": "object",
"properties": {
"name": {
"type": "string",
"description": "name",
"title": "Device Name"
},
"lat": {
"type": "number",
"format": "float",
"description": "lat",
"title": "Latitude"
},
"lng": {
"type": "number",
"format": "float",
"description": "lng",
"title": "Longitude"
},
"serial": {
"type": "string",
"description": "serial",
"title": "Serial"
},
"mac": {
"type": "string",
"description": "mac",
"title": "MAC"
},
"model": {
"type": "string",
"description": "model",
"title": "Model"
},
"address": {
"type": "string",
"description": "address",
"title": "Address"
},
"notes": {
"type": "string",
"description": "notes",
"title": "Notes"
},
"lanIp": {
"type": "string",
"description": "lanIp",
"title": "LAN IP Address"
},
"tags": {
"type": "array",
"items": { "type": "string" },
"description": "tags",
"title": "Tags"
},
"networkId": {
"type": "string",
"description": "networkId",
"title": "Network Id"
},
"beaconIdParams": {
"type": "object",
"properties": {
"uuid": {
"type": "string",
"description": "uuid",
"title": "UUID"
},
"major": {
"type": "integer",
"format": "int32",
"description": "major",
"title": "Major"
},
"minor": {
"type": "integer",
"format": "int32",
"description": "minor",
"title": "Minor"
}
},
"description": "beaconIdParams",
"title": "Beacon Id Parameters"
},
"firmware": {
"type": "string",
"description": "firmware",
"title": "Firmware"
},
"floorPlanId": {
"type": "string",
"description": "floorPlanId",
"title": "Floor Plan Id"
}
}
}
}
}
},
"summary": "Get Network Devices",
"description": "List the devices in a network",
"operationId": "GetNetworkDevices",
"parameters": [
{
"name": "networkId",
"in": "path",
"required": true,
"type": "string",
"description": "Network Id",
"x-ms-summary": "Network Id"
}
]
}
},
"/networks/{networkId}/clients": {
"get": {
"responses": {
"default": {
"description": "default",
"schema": {
"type": "array",
"items": {
"type": "object",
"properties": {
"usage": {
"type": "object",
"properties": {
"sent": {
"type": "integer",
"format": "int32",
"description": "sent",
"title": "Usage Sent"
},
"recv": {
"type": "integer",
"format": "int32",
"description": "recv",
"title": "Usage Receive"
}
},
"description": "usage",
"title": "Usage"
},
"id": {
"type": "string",
"description": "id",
"title": "Client Id"
},
"description": {
"type": "string",
"description": "description",
"title": "Description"
},
"mac": {
"type": "string",
"description": "mac",
"title": "MAC"
},
"ip": {
"type": "string",
"description": "ip",
"title": "IP Address"
},
"user": {
"type": "string",
"description": "user",
"title": "User"
},
"vlan": {
"type": "integer",
"format": "int32",
"description": "vlan",
"title": "VLAN"
},
"switchport": {
"type": "string",
"description": "switchport",
"title": "Switch Port"
},
"adaptivePolicyGroup": {
"type": "string",
"description": "adaptivePolicyGroup",
"title": "Adaptive Policy Group"
},
"ip6": {
"type": "string",
"description": "ip6",
"title": "IP6"
},
"firstSeen": {
"type": "integer",
"format": "int32",
"description": "firstSeen",
"title": "First Seen"
},
"lastSeen": {
"type": "integer",
"format": "int32",
"description": "lastSeen",
"title": "Last Seen"
},
"manufacturer": {
"type": "string",
"description": "manufacturer",
"title": "Manufacturer"
},
"os": {
"type": "string",
"description": "os",
"title": "OS"
},
"recentDeviceSerial": {
"type": "string",
"description": "recentDeviceSerial",
"title": "Recent Device Serial"
},
"recentDeviceName": {
"type": "string",
"description": "recentDeviceName",
"title": "Recent Device Name"
},
"recentDeviceMac": {
"type": "string",
"description": "recentDeviceMac",
"title": "Recent Device MAC"
},
"recentDeviceConnection": {
"type": "string",
"description": "recentDeviceConnection",
"title": "Recent Device Connection"
},
"ssid": {
"type": "string",
"description": "ssid",
"title": "SSID"
},
"status": {
"type": "string",
"description": "status",
"title": "Status"
},
"notes": {
"type": "string",
"description": "notes",
"title": "Notes"
},
"ip6Local": {
"type": "string",
"description": "ip6Local",
"title": "IP6 Local"
},
"smInstalled": {
"type": "boolean",
"description": "smInstalled",
"title": "SM Installed",
"enum": [ "", "true", "false" ]
},
"groupPolicy8021x": {
"type": "string",
"description": "groupPolicy8021x",
"title": "Group Policy 8021x"
}
}
}
}
}
},
"description": "List the clients that have used this network in the timespan",
"summary": "Get Network Clients",
"operationId": "GetNetworkClients",
"parameters": [
{
"name": "networkId",
"in": "path",
"required": true,
"type": "string",
"description": "Network Id",
"x-ms-summary": "Network Id"
},
{
"name": "t0",
"in": "query",
"required": false,
"type": "string",
"description": "The beginning of the timespan for the data. The maximum lookback period is 31 days from today.",
"x-ms-summary": "Timespan Beginning"
},
{
"name": "timespan",
"in": "query",
"required": false,
"type": "number",
"x-ms-summary": "Timespan",
"description": "The timespan for which the information will be fetched. If specifying timespan do not specify parameter t0. The value must be in seconds and be less than or equal to 31 days. The default is 1 day."
},
{
"name": "perPage",
"in": "query",
"required": false,
"type": "integer",
"default": 10,
"description": "The number of entries per page returned. Acceptable range is 3 - 1000.",
"x-ms-summary": "Per Page"
},
{
"name": "startingAfter",
"in": "query",
"required": false,
"type": "string",
"x-ms-summary": "Starting After",
"description": "A token used by the server to indicate the start of the page. Often this is a timestamp or an ID but it is not limited to those. This parameter should not be defined by client applications. The link for the first last prev or next page in the HTTP Link header should define it."
},
{
"name": "endingBefore",
"in": "query",
"required": false,
"type": "string",
"x-ms-summary": "Ending Before",
"description": "A token used by the server to indicate the end of the page. Often this is a timestamp or an ID but it is not limited to those. This parameter should not be defined by client applications. The link for the first last prev or next page in the HTTP Link header should define it."
}
]
}
},
"/networks/{networkId}/appliance/contentFiltering": {
"get": {
"responses": {
"default": {
"description": "default",
"schema": {
"type": "object",
"properties": {
"allowedUrlPatterns": {
"type": "array",
"items": { "type": "string" },
"description": "allowedUrlPatterns",
"title": "Allowrd URL Patterns"
},
"blockedUrlPatterns": {
"type": "array",
"items": { "type": "string" },
"description": "blockedUrlPatterns",
"title": "Blocked URL Patterns"
},
"blockedUrlCategories": {
"type": "array",
"items": {
"type": "object",
"properties": {
"id": {
"type": "string",
"description": "id",
"title": "Category Id"
},
"name": {
"type": "string",
"description": "name",
"title": "Category Name"
}
}
},
"description": "blockedUrlCategories",
"title": "Blocked URL Categories"
},
"urlCategoryListSize": {
"type": "string",
"description": "urlCategoryListSize",
"title": "URL Category List Size"
}
}
}
}
},
"summary": "Get Network Appliance Content Filtering",
"description": "Return the content filtering settings for an MX network",
"operationId": "GetNetworkApplianceContentFiltering",
"parameters": [
{
"name": "networkId",
"in": "path",
"required": true,
"type": "string",
"description": "Network Id",
"x-ms-summary": "Network Id"
}
]
},
"put": {
"responses": {
"default": {
"description": "default",
"schema": {
"type": "object",
"properties": {
"allowedUrlPatterns": {
"type": "array",
"items": { "type": "string" },
"description": "allowedUrlPatterns",
"title": "Allowed URL Patterns"
},
"blockedUrlPatterns": {
"type": "array",
"items": { "type": "string" },
"description": "blockedUrlPatterns",
"title": "Blocked URL Patterns"
},
"blockedUrlCategories": {
"type": "array",
"items": {
"type": "object",
"properties": {
"id": {
"type": "string",
"description": "id",
"title": "Category Id"
},
"name": {
"type": "string",
"description": "name",
"title": "Category Name"
}
}
},
"description": "blockedUrlCategories",
"title": "Blocked URL Categories"
},
"urlCategoryListSize": {
"type": "string",
"description": "urlCategoryListSize",
"title": "URL Category List Size"
}
}
}
}
},
"description": "Update the content filtering settings for an MX network",
"summary": "Update Network Appliance Content Filtering",
"operationId": "UpdateNetworkApplianceContentFiltering",
"parameters": [
{
"name": "networkId",
"in": "path",
"required": true,
"type": "string",
"description": "Network Id",
"x-ms-summary": "Network Id"
},
{
"name": "Content-Type",
"in": "header",
"required": true,
"type": "string",
"default": "application/json",
"description": "The content type of the request",
"x-ms-summary": "Content Type",
"x-ms-visibility": "internal"
},
{
"name": "body",
"in": "body",
"required": true,
"schema": {
"type": "object",
"properties": {
"allowedUrlPatterns": {
"type": "array",
"items": { "type": "string" },
"description": "A list of URL patterns that are allowed",
"title": "Allowed URL Patterns"
},
"blockedUrlPatterns": {
"type": "array",
"items": { "type": "string" },
"description": "A list of URL patterns that are blocked",
"title": "Blocked URL Patterns"
},
"blockedUrlCategories": {
"type": "array",
"items": { "type": "string" },
"description": "A list of URL categories to block",
"title": "Blocked URL Categories"
},
"urlCategoryListSize": {
"type": "string",
"description": "URL category list size (topSites or fullList)",
"title": "URL Category List Size",
"enum": [ "topSites", "fullList" ],
"default": "topSites"
}
}
}
}
]
}
},
"/networks/{networkId}/appliance/firewall/l3FirewallRules": {
"get": {
"responses": {
"default": {
"description": "default",
"schema": {
"type": "object",
"properties": {
"rules": {
"type": "array",
"items": {
"type": "object",
"properties": {
"comment": {
"type": "string",
"description": "comment",
"title": "Comment"
},
"policy": {
"type": "string",
"description": "policy",
"title": "Policy"
},
"protocol": {
"type": "string",
"description": "protocol",
"title": "Protocol"
},
"destPort": {
"type": "string",
"description": "destPort",
"title": "Destination Port"
},
"destCidr": {
"type": "string",
"description": "destCidr",
"title": "Destination IP Address"
},
"srcPort": {
"type": "string",
"description": "srcPort",
"title": "Source Port"
},
"srcCidr": {
"type": "string",
"description": "srcCidr",
"title": "Source IP Address"
},
"syslogEnabled": {
"type": "boolean",
"description": "syslogEnabled",
"title": "Syslog Enabled"
}
}
},
"description": "rules",
"title": "Rules"
}
}
}
}
},
"summary": "Get Network Appliance Firewall L3 Firewall Rules",
"description": "Return the L3 firewall rules for an MX network",
"operationId": "GetNetworkApplianceL3FirewallRules",
"parameters": [
{
"name": "networkId",
"in": "path",
"required": true,
"type": "string",
"description": "Network Id",
"x-ms-summary": "Network Id"
}
]
},
"put": {
"responses": {
"default": {
"description": "default",
"schema": {
"type": "object",
"properties": {
"rules": {
"type": "array",
"items": {
"type": "object",
"properties": {
"comment": {
"type": "string",
"description": "comment",
"title": "Comment"
},
"policy": {
"type": "string",
"description": "policy",
"title": "Policy"
},
"protocol": {
"type": "string",
"description": "protocol",
"title": "Protocol"
},
"destPort": {
"type": "string",
"description": "destPort",
"title": "Destination Port"
},
"destCidr": {
"type": "string",
"description": "destCidr",
"title": "Destination IP Address"
},
"srcPort": {
"type": "string",
"description": "srcPort",
"title": "Source Port"
},
"srcCidr": {
"type": "string",
"description": "srcCidr",
"title": "Source IP Address"
},
"syslogEnabled": {
"type": "boolean",
"description": "syslogEnabled",
"title": "Syslog Enabled"
}
}
},
"description": "rules",
"title": "Rules"
}
}
}
}
},
"description": "Update the L3 firewall rules of an MX network",
"summary": "Update Network Appliance L3 Firewall Rules",
"operationId": "UpdateNetworkApplianceL3FirewallRules",
"parameters": [
{
"name": "networkId",
"in": "path",
"required": true,
"type": "string",
"description": "Network Id",
"x-ms-summary": "Network Id"
},
{
"name": "Content-Type",
"in": "header",
"required": true,
"type": "string",
"default": "application/json",
"description": "The Content Type of the request",
"x-ms-summary": "Content Type",
"x-ms-visibility": "internal"
},
{
"name": "body",
"in": "body",
"required": true,
"schema": {
"type": "object",
"properties": {
"rules": {
"type": "array",
"items": {
"type": "object",
"properties": {
"comment": {
"type": "string",
"description": "Description of the rule",
"title": "Comment"
},
"policy": {
"type": "string",
"description": "allow or deny traffic specified by the rule",
"title": "Policy",
"enum": [ "allow", "deny" ]
},
"protocol": {
"type": "string",
"description": "The type of protocol (tcp, udp, icmp or any)",
"title": "Protocol",
"enum": [ "tcp", "udp", "icmp", "any" ]
},
"destPort": {
"type": "string",
"description": "Comma-separated list of destination port(s) (integer in the range 1-65535) or any",
"title": "Destination Port"
},
"destCidr": {
"type": "string",
"description": "Comma-separated list of destination IP address(es) (in IP or CIDR notation) fully-qualified domain names (FQDN) or any",
"title": "Destination IP Address"
},
"srcPort": {
"type": "string",
"description": "Comma-separated list of source IP address(es) (in IP or CIDR notation) or any (FQDN not supported for source addresses)",
"title": "Source Port"
},
"srcCidr": {
"type": "string",
"description": "Comma-separated list of source port(s) (integer in the range 1-65535) or any",
"title": "Source IP Address"
},
"syslogEnabled": {
"type": "boolean",
"description": "Log this rule to syslog (true or false - boolean value) - only applicable if a syslog has been configured",
"title": "Syslog Enabled",
"enum": [ true, false ],
"default": false
}
},
"required": [ "destCidr", "destPort", "policy", "protocol", "srcCidr", "srcPort" ]
},
"description": "rules",
"title": "Rules"
}
},
"required": [ "rules" ]
}
}
]
}
},
"/networks/{networkId}/appliance/firewall/l7FirewallRules": {
"get": {
"responses": {
"default": {
"description": "default",
"schema": {
"type": "object",
"properties": {
"rules": {
"type": "array",
"items": {
"type": "object",
"properties": {
"policy": {
"type": "string",
"description": "policy",
"title": "Policy"
},
"type": {
"type": "string",
"description": "type",
"title": "Type"
},
"value": {
"type": "array",
"items": { "type": "string" },
"description": "value",
"title": "Value"
}
}
},
"description": "rules",
"title": "Rules"
}
}
}
}
},
"operationId": "GetNetworkApplianceFirewallL7FirewallRules",
"description": "List the MX L7 firewall rules for an MX network",
"summary": "Get Network Appliance Firewall L7 Firewall Rules",
"parameters": [
{
"name": "networkId",
"in": "path",
"required": true,
"type": "string",
"x-ms-summary": "Network Id",
"description": "Network Id"
}
]
},
"put": {
"responses": {
"default": {
"description": "default",
"schema": {
"type": "object",
"properties": {
"rules": {
"type": "array",
"items": {
"type": "object",
"properties": {
"policy": {
"type": "string",
"description": "policy",
"title": "Policy"
},
"type": {
"type": "string",
"description": "type",
"title": "Type"
},
"value": {
"type": "array",
"items": { "type": "string" },
"description": "value",
"title": "Value"
}
}
},
"description": "rules",
"title": "Rules"
}
}
}
}
},
"operationId": "UpdateNetworkApplianceFirewallL7FirewallRules",
"summary": "Update Network Appliance Firewall L7 Firewall Rules",
"description": "Update the MX L7 firewall rules for an MX network",
"parameters": [
{
"name": "networkId",
"in": "path",
"required": true,
"type": "string",
"description": "Network Id",
"x-ms-summary": "Network Id"
},
{
"name": "Content-Type",
"in": "header",
"required": true,
"type": "string",
"default": "application/json",
"x-ms-summary": "Content Type",
"x-ms-visibility": "internal",
"description": "The content type of the request"
},
{
"name": "body",
"in": "body",
"required": true,
"schema": {
"type": "object",
"properties": {
"rules": {
"type": "array",
"items": {
"type": "object",
"properties": {
"policy": {
"type": "string",
"description": "Deny traffic specified by rule",
"title": "Policy",
"default": "deny"
},
"type": {
"type": "string",
"description": "Type of the L7 rule (application, applicationCategory, host, port, ipRange)",
"title": "Type",
"enum": [ "application", "applicationCategory", "host", "port", "ipRange" ]
},
"value": {
"type": "array",
"items": { "type": "string" },
"description": "The value of what you want to block. Format of value varies depending on type of the rule.",
"title": "Value"
}
}
},
"description": "An ordered array of the MX L7 firewall rules",
"title": "Rules"
}
}
}
}
]
}
},
"/networks/{networkId}/clients/{clientId}/policy": {
"get": {
"responses": {
"default": {
"description": "default",
"schema": {
"type": "object",
"properties": {
"mac": {
"type": "string",
"description": "mac",
"title": "MAC"
},
"devicePolicy": {
"type": "string",
"description": "devicePolicy",
"title": "Device Policy"
},
"groupPolicyId": {
"type": "string",
"description": "groupPolicyId",
"title": "Group Policy Id"
}
}
}
}
},
"summary": "Get Network Client Policy",
"description": "Return the policy assigned to a client on the network. Clients can be identified by a client key or either the MAC or IP depending on whether the network uses Track-by-IP.",
"operationId": "GetNetworkClientPolicy",
"parameters": [
{
"name": "networkId",
"in": "path",
"required": true,
"type": "string",
"description": "Network Id",
"x-ms-summary": "Network Id"
},
{
"name": "clientId",
"in": "path",
"required": true,
"type": "string",
"description": "Client Id",
"x-ms-summary": "Client Id"
}
]
},
"put": {
"responses": {
"default": {
"description": "default",
"schema": {
"type": "object",
"properties": {
"mac": {
"type": "string",
"description": "mac",
"title": "MAC"
},
"devicePolicy": {
"type": "string",
"description": "devicePolicy",
"title": "Device Policy"
},
"groupPolicyId": {
"type": "string",
"description": "groupPolicyId",
"title": "Group Policy Id"
}
}
}
}
},
"summary": "Update Network Client Policy",
"operationId": "UpdateNetworkClientPolicy",
"description": "Update the policy assigned to a client on the network. Clients can be identified by a client key or either the MAC or IP depending on whether the network uses Track-by-IP",
"parameters": [
{
"name": "networkId",
"in": "path",
"required": true,
"type": "string",
"description": "Network Id",
"x-ms-summary": "Network Id"
},
{
"name": "clientId",
"in": "path",
"required": true,
"type": "string",
"description": "Client Id",
"x-ms-summary": "Client Id"
},
{
"name": "Content-Type",
"in": "header",
"required": true,
"type": "string",
"default": "application/json",
"x-ms-summary": "Content Type",
"x-ms-visibility": "internal",
"description": "The content type of the request"
},
{
"name": "body",
"in": "body",
"required": true,
"schema": {
"type": "object",
"properties": {
"devicePolicy": {
"type": "string",
"description": "The policy to assign (Whitelisted, Blocked, Normal, Group policy)",
"title": "Device Policy",
"enum": [ "Whitelisted", "Blocked", "Normal", "Group policy" ]
},
"groupPolicyId": {
"type": "string",
"description": "If devicePolicy is set to Group policy this param is used to specify the group policy ID",
"title": "Group Policy Id"
}
},
"required": [ "devicePolicy" ]
}
}
]
}
},
"/networks/{networkId}/groupPolicies": {
"get": {
"responses": {
"default": {
"description": "default",
"schema": {
"type": "array",
"items": {
"type": "object",
"properties": {
"name": {
"type": "string",
"description": "name",
"title": "Group Policy Name"
},
"groupPolicyId": {
"type": "string",
"description": "groupPolicyId",
"title": "Group Policy Id"
},
"scheduling": {
"type": "object",
"properties": {
"enabled": {
"type": "boolean",
"description": "enabled",
"title": "Enabled"
},
"monday": {
"type": "object",
"properties": {
"active": {
"type": "boolean",
"description": "active",
"title": "Active"
},
"from": {
"type": "string",
"description": "from",
"title": "From"
},
"to": {
"type": "string",
"description": "to",
"title": "To"
}
},
"description": "monday",
"title": "Monday"
},
"tuesday": {
"type": "object",
"properties": {
"active": {
"type": "boolean",
"description": "active",
"title": "Active"
},
"from": {
"type": "string",
"description": "from",
"title": "From"
},
"to": {
"type": "string",
"description": "to",
"title": "To"
}
},
"description": "tuesday",
"title": "Tuesday"
},
"wednesday": {
"type": "object",
"properties": {
"active": {
"type": "boolean",
"description": "active",
"title": "Active"
},
"from": {
"type": "string",
"description": "from",
"title": "From"
},
"to": {
"type": "string",
"description": "to",
"title": "To"
}
},
"description": "wednesday",
"title": "Wednesday"
},
"thursday": {
"type": "object",
"properties": {
"active": {
"type": "boolean",
"description": "active",
"title": "Active"
},
"from": {
"type": "string",
"description": "from",
"title": "From"
},
"to": {
"type": "string",
"description": "to",
"title": "To"
}
},
"description": "thursday",
"title": "Thursday"
},
"friday": {
"type": "object",
"properties": {
"active": {
"type": "boolean",
"description": "active",
"title": "Active"
},
"from": {
"type": "string",
"description": "from",
"title": "From"
},
"to": {
"type": "string",
"description": "to",
"title": "To"
}
},
"description": "friday",
"title": "Friday"
},
"saturday": {
"type": "object",
"properties": {
"active": {
"type": "boolean",
"description": "active",
"title": "Active"
},
"from": {
"type": "string",
"description": "from",
"title": "From"
},
"to": {
"type": "string",
"description": "to",
"title": "To"
}
},
"description": "saturday",
"title": "Saturday"
},
"sunday": {
"type": "object",
"properties": {
"active": {
"type": "boolean",
"description": "active",
"title": "Active"
},
"from": {
"type": "string",
"description": "from",
"title": "From"
},
"to": {
"type": "string",
"description": "to",
"title": "To"
}
},
"description": "sunday",
"title": "Sunday"
}
},
"description": "scheduling",
"title": "Scheduling"
},
"bandwidth": {
"type": "object",
"properties": {
"settings": {
"type": "string",
"description": "settings",
"title": "Settings"
},
"bandwidthLimits": {
"type": "object",
"properties": {
"limitUp": {
"type": "integer",
"format": "int32",
"description": "limitUp",
"title": "Limit Up"
},
"limitDown": {
"type": "integer",
"format": "int32",
"description": "limitDown",
"title": "Limit Down"
}
},
"description": "bandwidthLimits",
"title": "Bandwidth Limits"
}
},
"description": "bandwidth",
"title": "Bandwidth"
},
"firewallAndTrafficShaping": {
"type": "object",
"properties": {
"settings": {
"type": "string",
"description": "settings",
"title": "Settings"
},
"trafficShapingRules": {
"type": "array",
"items": {
"type": "object",
"properties": {
"definitions": {
"type": "array",
"items": {
"type": "object",
"properties": {
"type": {
"type": "string",
"description": "type",
"title": "Type"
},
"value": {
"type": "object",
"properties": {
"id": {
"type": "string",
"description": "id",
"title": "Id"
},
"name": {
"type": "string",
"description": "name",
"title": "Name"
}
},
"description": "value",
"title": "Value"
}
}
},
"description": "definitions",
"title": "Definitions"
},
"perClientBandwidthLimits": {
"type": "object",
"properties": {
"settings": {
"type": "string",
"description": "settings",
"title": "Settings"
},
"bandwidthLimits": {
"type": "object",
"properties": {
"limitUp": {
"type": "integer",
"format": "int32",
"description": "limitUp",
"title": "Limit Up"
},
"limitDown": {
"type": "integer",
"format": "int32",
"description": "limitDown",
"title": "Limit Down"
}
},
"description": "bandwidthLimits",
"title": "Bandwidth Limits"
}
},
"description": "perClientBandwidthLimits",
"title": "Per Client Bandwidth Limits"
},
"dscpTagValue": {
"type": "string",
"description": "dscpTagValue",
"title": "DSCP Tag Value"
},
"pcpTagValue": {
"type": "string",
"description": "pcpTagValue",
"title": "PCP Tag Value"
}
}
},
"description": "trafficShapingRules",
"title": "Traffic Shaping Rules"
},
"l3FirewallRules": {
"type": "array",
"items": {
"type": "object",
"properties": {
"comment": {
"type": "string",
"description": "comment",
"title": "Comment"
},
"policy": {
"type": "string",
"description": "policy",
"title": "Policy"
},
"protocol": {
"type": "string",
"description": "protocol",
"title": "Protocol"
},
"destPort": {
"type": "integer",
"format": "int32",
"description": "destPort",
"title": "Destination Port"
},
"destCidr": {
"type": "string",
"description": "destCidr",
"title": "Destination Cidr"
}
}
},
"description": "l3FirewallRules",
"title": "L3 Firewall Rules"
},
"l7FirewallRules": {
"type": "array",
"items": {
"type": "object",
"properties": {
"policy": {
"type": "string",
"description": "policy",
"title": "Policy"
},
"type": {
"type": "string",
"description": "type",
"title": "Type"
},
"value": {
"type": "array",
"items": { "type": "string" },
"description": "value",
"title": "Value"
}
}
},
"description": "l7FirewallRules",
"title": "L7 Firewall Rules"
}
},
"description": "firewallAndTrafficShaping",
"title": "Firewall And Traffic Shaping"
},
"contentFiltering": {
"type": "object",
"properties": {
"allowedUrlPatterns": {
"type": "object",
"properties": {
"settings": {
"type": "string",
"description": "settings",
"title": "Settings"
},
"patterns": {
"type": "array",
"items": { "type": "string" },
"description": "patterns",
"title": "Patterns"
}
},
"description": "allowedUrlPatterns",
"title": "Allowed URL Patterns"
},
"blockedUrlPatterns": {
"type": "object",
"properties": {
"settings": {
"type": "string",
"description": "settings",
"title": "Settings"
},
"patterns": {
"type": "array",
"items": { "type": "string" },
"description": "patterns",
"title": "Patterns"
}
},
"description": "blockedUrlPatterns",
"title": "Blocked URL Patterns"
},
"blockedUrlCategories": {
"type": "object",
"properties": {
"settings": {
"type": "string",
"description": "settings",
"title": "Settings"
},
"categories": {
"type": "array",
"items": { "type": "string" },
"description": "categories",
"title": "Categories"
}
},
"description": "blockedUrlCategories",
"title": "Blocked URL Categories"
}
},
"description": "contentFiltering",
"title": "Content Filtering"
},
"splashAuthSettings": {
"type": "string",
"description": "splashAuthSettings",
"title": "Splash Auth Settings"
},
"vlanTagging": {
"type": "object",
"properties": {
"settings": {
"type": "string",
"description": "settings",
"title": "Settings"
},
"vlanId": {
"type": "string",
"description": "vlanId",
"title": "VLAN Id"
}
},
"description": "vlanTagging",
"title": "VLAN Tagging"
},
"bonjourForwarding": {
"type": "object",
"properties": {
"settings": {
"type": "string",
"description": "settings",
"title": "Settings"
},
"rules": {
"type": "array",
"items": {
"type": "object",
"properties": {
"description": {
"type": "string",
"description": "description",
"title": "Description"
},
"vlanId": {
"type": "string",
"description": "vlanId",
"title": "VLAN Id"
},
"services": {
"type": "array",
"items": { "type": "string" },
"description": "services",
"title": "Services"
}
}
},
"description": "rules",
"title": "Rules"
}
},
"description": "bonjourForwarding",
"title": "Bonjour Forwarding"
}
}
}
}
}
},
"summary": "Get Network Group Policies",
"description": "List the group policies in a network",
"operationId": "GetNetworkGroupPolicies",
"parameters": [
{
"name": "networkId",
"in": "path",
"required": true,
"type": "string",
"description": "Network Id",
"x-ms-summary": "Network Id"
}
]
}
},
"/networks/{networkId}/groupPolicies/{groupPolicyId}": {
"get": {
"responses": {
"default": {
"description": "default",
"schema": {
"type": "object",
"properties": {
"name": {
"type": "string",
"description": "name",
"title": "Group Policy Name"
},
"groupPolicyId": {
"type": "string",
"description": "groupPolicyId",
"title": "Group Policy Id"
},
"scheduling": {
"type": "object",
"properties": {
"enabled": {
"type": "boolean",
"description": "enabled",
"title": "Enabled"
},
"monday": {
"type": "object",
"properties": {
"active": {
"type": "boolean",
"description": "active",
"title": "Active"
},
"from": {
"type": "string",
"description": "from",
"title": "From"
},
"to": {
"type": "string",
"description": "to",
"title": "To"
}
},
"description": "monday",
"title": "Monday"
},
"tuesday": {
"type": "object",
"properties": {
"active": {
"type": "boolean",
"description": "active",
"title": "Active"
},
"from": {
"type": "string",
"description": "from",
"title": "From"
},
"to": {
"type": "string",
"description": "to",
"title": "To"
}
},
"description": "tuesday",
"title": "Tuesday"
},
"wednesday": {
"type": "object",
"properties": {
"active": {
"type": "boolean",
"description": "active",
"title": "Active"
},
"from": {
"type": "string",
"description": "from",
"title": "From"
},
"to": {
"type": "string",
"description": "to",
"title": "To"
}
},
"description": "wednesday",
"title": "Wednesday"
},
"thursday": {
"type": "object",
"properties": {
"active": {
"type": "boolean",
"description": "active",
"title": "Active"
},
"from": {
"type": "string",
"description": "from",
"title": "From"
},
"to": {
"type": "string",
"description": "to",
"title": "To"
}
},
"description": "thursday",
"title": "Thursday"
},
"friday": {
"type": "object",
"properties": {
"active": {
"type": "boolean",
"description": "active",
"title": "Active"
},
"from": {
"type": "string",
"description": "from",
"title": "From"
},
"to": {
"type": "string",
"description": "to",
"title": "To"
}
},
"description": "friday",
"title": "Friday"
},
"saturday": {
"type": "object",
"properties": {
"active": {
"type": "boolean",
"description": "active",
"title": "Active"
},
"from": {
"type": "string",
"description": "from",
"title": "From"
},
"to": {
"type": "string",
"description": "to",
"title": "To"
}
},
"description": "saturday",
"title": "Saturday"
},
"sunday": {
"type": "object",
"properties": {
"active": {
"type": "boolean",
"description": "active",
"title": "Active"
},
"from": {
"type": "string",
"description": "from",
"title": "From"
},
"to": {
"type": "string",
"description": "to",
"title": "To"
}
},
"description": "sunday",
"title": "Sunday"
}
},
"description": "scheduling",
"title": "Scheduling"
},
"bandwidth": {
"type": "object",
"properties": {
"settings": {
"type": "string",
"description": "settings",
"title": "Settings"
},
"bandwidthLimits": {
"type": "object",
"properties": {
"limitUp": {
"type": "integer",
"format": "int32",
"description": "limitUp",
"title": "Limit Up"
},
"limitDown": {
"type": "integer",
"format": "int32",
"description": "limitDown",
"title": "Limit Down"
}
},
"description": "bandwidthLimits",
"title": "Bandwidth Limits"
}
},
"description": "bandwidth",
"title": "Bandwidth"
},
"firewallAndTrafficShaping": {
"type": "object",
"properties": {
"settings": {
"type": "string",
"description": "settings",
"title": "Settings"
},
"trafficShapingRules": {
"type": "array",
"items": {
"type": "object",
"properties": {
"definitions": {
"type": "array",
"items": {
"type": "object",
"properties": {
"type": {
"type": "string",
"description": "type",
"title": "Type"
},
"value": {
"type": "object",
"properties": {
"id": {
"type": "string",
"description": "id",
"title": "Id"
},
"name": {
"type": "string",
"description": "name",
"title": "Name"
}
},
"description": "value",
"title": "Value"
}
}
},
"description": "definitions",
"title": "Definitions"
},
"perClientBandwidthLimits": {
"type": "object",
"properties": {
"settings": {
"type": "string",
"description": "settings",
"title": "Settings"
},
"bandwidthLimits": {
"type": "object",
"properties": {
"limitUp": {
"type": "integer",
"format": "int32",
"description": "limitUp",
"title": "Limit Up"
},
"limitDown": {
"type": "integer",
"format": "int32",
"description": "limitDown",
"title": "Limit Down"
}
},
"description": "bandwidthLimits",
"title": "Bandwidth Limits"
}
},
"description": "perClientBandwidthLimits",
"title": "Per Client Bandwidth Limits"
},
"dscpTagValue": {
"type": "string",
"description": "dscpTagValue",
"title": "DSCP ag Value"
},
"pcpTagValue": {
"type": "string",
"description": "pcpTagValue",
"title": "PCP Tag Value"
}
}
},
"description": "trafficShapingRules",
"title": "Traffic Shaping Rules"
},
"l3FirewallRules": {
"type": "array",
"items": {
"type": "object",
"properties": {
"comment": {
"type": "string",
"description": "comment",
"title": "Comment"
},
"policy": {
"type": "string",
"description": "policy",
"title": "Policy"
},
"protocol": {
"type": "string",
"description": "protocol",
"title": "Protocol"
},
"destPort": {
"type": "integer",
"format": "int32",
"description": "destPort",
"title": "Destination Port"
},
"destCidr": {
"type": "string",
"description": "destCidr",
"title": "Destination CIDR"
}
}
},
"description": "l3FirewallRules",
"title": "L3 Firewall Rules"
},
"l7FirewallRules": {
"type": "array",
"items": {
"type": "object",
"properties": {
"policy": {
"type": "string",
"description": "policy",
"title": "Policy"
},
"type": {
"type": "string",
"description": "type",
"title": "Type"
},
"value": {
"type": "array",
"items": { "type": "string" },
"description": "value",
"title": "Value"
}
}
},
"description": "l7FirewallRules",
"title": "L7 Firewall Rules"
}
},
"description": "firewallAndTrafficShaping",
"title": "Firewall And Traffic Shaping"
},
"contentFiltering": {
"type": "object",
"properties": {
"allowedUrlPatterns": {
"type": "object",
"properties": {
"settings": {
"type": "string",
"description": "settings",
"title": "Settings"
},
"patterns": {
"type": "array",
"items": { "type": "string" },
"description": "patterns",
"title": "Patterns"
}
},
"description": "allowedUrlPatterns",
"title": "Allowed URL Patterns"
},
"blockedUrlPatterns": {
"type": "object",
"properties": {
"settings": {
"type": "string",
"description": "settings",
"title": "Settings"
},
"patterns": {
"type": "array",
"items": { "type": "string" },
"description": "patterns",
"title": "Patterns"
}
},
"description": "blockedUrlPatterns",
"title": "Blocked URL Patterns"
},
"blockedUrlCategories": {
"type": "object",
"properties": {
"settings": {
"type": "string",
"description": "settings",
"title": "Settings"
},
"categories": {
"type": "array",
"items": { "type": "string" },
"description": "categories",
"title": "Categories"
}
},
"description": "blockedUrlCategories",
"title": "Blocked URL Categories"
}
},
"description": "contentFiltering",
"title": "Content Filtering"
},
"splashAuthSettings": {
"type": "string",
"description": "splashAuthSettings",
"title": "Splash Auth Settings"
},
"vlanTagging": {
"type": "object",
"properties": {
"settings": {
"type": "string",
"description": "settings",
"title": "Settings"
},
"vlanId": {
"type": "string",
"description": "vlanId",
"title": "VLAN Id"
}
},
"description": "vlanTagging",
"title": "VLAN Tagging"
},
"bonjourForwarding": {
"type": "object",
"properties": {
"settings": {
"type": "string",
"description": "settings",
"title": "Settings"
},
"rules": {
"type": "array",
"items": {
"type": "object",
"properties": {
"description": {
"type": "string",
"description": "description",
"title": "Description"
},
"vlanId": {
"type": "string",
"description": "vlanId",
"title": "VLAN Id"
},
"services": {
"type": "array",
"items": { "type": "string" },
"description": "services",
"title": "Services"
}
}
},
"description": "rules",
"title": "Rules"
}
},
"description": "bonjourForwarding",
"title": "Bonjour Forwarding"
}
}
}
}
},
"summary": "Get Network Group Policy",
"description": "Display a group policy on the network",
"operationId": "GetNetworkGroupPolicy",
"parameters": [
{
"name": "networkId",
"in": "path",
"required": true,
"type": "string",
"description": "Network Id",
"x-ms-summary": "Network Id"
},
{
"name": "groupPolicyId",
"in": "path",
"required": true,
"type": "string",
"description": "Group Policy Id",
"x-ms-summary": "Group Policy Id"
}
]
}
}
},
"parameters": {},
"responses": {},
"securityDefinitions": {
"API Key": {
"type": "apiKey",
"in": "header",
"name": "X-Cisco-Meraki-API-Key"
}
},
"security": [ { "API Key": [] } ]
},
"iconUri": "data:image/jpeg;base64,/9j/4AAQSkZJRgABAQAAAQABAAD/2wCEABAQEBAREBIUFBIZGxgbGSUiHx8iJTgoKygrKDhVNT41NT41VUtbSkVKW0uHal5eaoecg3yDnL2pqb3u4u7///8BEBAQEBEQEhQUEhkbGBsZJSIfHyIlOCgrKCsoOFU1PjU1PjVVS1tKRUpbS4dqXl5qh5yDfIOcvampve7i7v/////CABEIA4QDhAMBIgACEQEDEQH/xAAaAAEBAAMBAQAAAAAAAAAAAAAAAQQFBgMC/9oACAEBAAAAANmAAoAFRQAoAAAUAVAUACgAB4iFAURQBQAKAAACgAAUAoCKB4BQAUAAsKAKAAAFAABQAKAB4BQAFEUAKRQCgAAUAAAUAoCFeACgAUAAsKAKAFgAUALAUACgHgAFABQAAoAqKAABQAAKACgGOoAUAFAALCgAoBYABQCwCgAoeAgoKABQAAoigKAAAFAAAoChjqAAoABQAKAAUAAAKAACgFHgAABQACgAKIoFAAABQAAKAeABUoCpQAKAAqKAUAAAKAACgHgAFABQACgAKABQAAAoAAKB4ABRKBQAAoAKIoBQAAAKALAoeAABQAUAAoACgAKAAAFAACmOoACkUCpQAKAAoAFAAAAoAqB4FAABQBQACgABQBQAAAoAAeAoAAVFAqAoCgAFRQAUAAAoAHgBQAAUAKAAoAAUACgAAKAB4AFAAFRQLFABSKAFIUBQAAAoB4AAUAAUAFAAoAAUlBQAAAoB4AAKAAVFPTYzWRQAFAAKe+dj4QBQAABQxxQAoACgm92DU6kUACgAFdJ6ufxgCgFgAFMcFAAoAAdLkXA0IFABQAHp0tabXFAKAAAHgBQAFAAOlyWBoKBQABQD06X6aXXUACgAAGOoBQAUADpshgaAUFAAKgr06atLrqIUBQAAPAAKAACgnTZLA0FAAoAFB6dNWl1xUKAFAAHgIoBQAX08wOmyGBoKD08wUAL9fCj06atLrgfb4FAUAAxygAKCxehy8Tn4HTZDB58PToffX6QAoPbf+uq1RXp01aXXBl7y6fAAAoAGOKIUBQMnpU53EVOmyWBoA2O8Tl/NQKRtdu8uag9emrS62jdbBjc+EUBQAxwKAAoZPTJzuGHTZLA0AbLeJy3moAXbbV8cuHp09aXXCbzPeHOFgoBQDHACgApk9Mc5hh02SwNAGy3ict8CKBdttnny4enT1pdcRvM94c7ABQFAxwAoGbcEGX0pzmGHTZLA0AbLeJy3mqfeZ5YwNttr58uHp09aTXKbvPeHOwPXKxfMAFDHAAU2e7avShldMc5hh02SwNAGy3ict5hv81oMKjb7Z58uHp09ml1xW7z3hzgt6T08+c+CooBjlABW+2NxuYDK6Y5zDE6fJYHP0bLeJyvwL1Po1GpDbbd58vB69PWl1obzPeHOBk9DZz+KFADHBQA3+yY/LhldMc5hh02SwOfDZ7xOW+Beo9Go1FRt9u8+Xg9em+ml1obzYMfnAyeiOfxAoihjgUAb/ZMflwyumOcwlTp8lgc+Gy3qct5i9T6NRqFjb7d58vB69PWk1wbzYMfnAyeiTQYgVBQxwAoN/smNzAZXTJzmGHT5LA58NnvE5bzF6n0ajUBt9tfPl4PXp60muDeZ7H5wrJ6GufxACiLjgAUbra3A54X26izmPAOnyWBz4ZnRPPmPkOlyZpNaGy3bH5sPTp/ppNbRt9ow9AHt0lnN+NAUDHAApPTcXU+INjn4GvCdRksDn5Rs8vXYQXI2njqoF2vvq8YPXp/ppNap97W6rzBnZ2FgUACmMUAAFBZYVOoyLr+fUlAWCgAPXp/ppNZQCgAKAGOCgAFAFg6bKa/QFAAKAAenT/bRa8AoAFAAxwKAAoAC7HdufwwBQBQAG82PhzvnQFAAKAGOAFABQAWfb4oCygBQAS/fzFACgAKAY6KBQAFAAUACgAUABUUCgACopjooAoAFABQAFABQACxQAoABRjgAFAAUACgAoACgAFRQAKAKYwKABQACgCgAKAAoABQAoABjgFgoFAPb7nn8AAUeno+POFIr1+3n5lJT1+3l8FQoKAAY4AUAFR6bbZex84vNjYbw5jyFztx7/SfHPYor62uw9qnhznwLdlsvevnF1mCsKAKAGOABSFBcvoPYqeXKQ2W/TlfIbPeVYc5hhk7/ANyy/HL+Y9t/kgTX6X5FhQFAMYUAFAMjp/RA8+Thst+cp5H31Ponn5+n3zuIPXpfZAnLeZ99HkoFNbowFACgxgpFAoiulzPp563DZGXzsNl0ByfkZXTGs0cek+Kb/YnzrsOe2doPM3G2r51+Lc7Mqc/hAVBQKMYCgAqGV1SfHNYpQbLoDk/KMzpTA0PwB7dTb889hCo++o9E0GCXb7Yw+eAoAAYygUigWNtvk0+lChst+cp4r99V9nxg4GBBsd+us0QFZfRmu0QfXS5Dz5f5AFQUFxgAoALu9wnN4IKNlv15PxG23VVMLQeZtd2aLWUBsd+mi1wN5sjlvMACgDHEUCkKG73Kc3gKBdlv15PxDY7jIqNfz5td2aLWFBsd+aLWg32wTl/MABRFMYoAKAbXfGq0JQNl0JyXkJblbLZfcnK+TYdBWv5+UDK6UwOfsPvp/aefL/KgAKimMoIUFEMnqq+ef11Pr5Gy6GOT8gDdbhOZxXr1P1Zo9XSyW9R7Gk1h9bzYVr9AFAAFMYAoAoTo9hb84WGyMrlobPfnJeS+2XjeTI3mW+eV8TfbOxiYU9szm/NNtufpMTEuf7x887igUABUxwFCKAr16fIQPLk5Gz6A5LyMzpkLWDzZfvpchUJynwXos1BUajT0AoABjgAKAWPfo8oHlycjZ9Acl5Gb0oHhzuOHtvs0HzyvnT73mfQfOp1MoAUADGUAKAA+tjtMn7nlh6CGw3cc15Vk7/19E8Ndq/Oguw2OV9vjF0HyFztllejywtZjBQAoAYwoBQAA+7PkAFF+j4soA+rfgBZbUgFAAoBjAUAUABQAKACgAKAFABQAChjAUAKlABQAKAFAAoAUABQAKGMAFAFAAKACgAoAKABQAUAAuMigFhRSUACgAqKBQAFABQAKABjKABQBQACgAoAKACgAKAAoBjFABRFFJUUAsKAqKBQAFACkUAoBjAUAFAFAlAoACgFAAUAFAAKGMAoAFRQoJQCooCoUFAAUAFIoAVjABQBQAKAAoAWFAFABQAoABWMAAoAUAAUCiKAWFBQAFACiKAY4ABQAFACgAKABQBQAFACgBjooAFAen35/CgPv7+fhCgKhQFhRfXyAL6fHyUAFAMYUAAKN/ttRoQob7baTTFABQAUDK6Xk/gont1Wj1gUAFAxgFAAo6Da+fIfIUvX+uj0woACgAoyen5PzAfe51+IBQAUMYBQAA6DJydDrAWbLf+Ot04FAAoAKyen5LzoKACgBQxgCwoAOg9vDK5cB03hk4OlKWwAKlABldPyXmUAKAoAGOABQAdB76HrOVxKHt13Lb3B0qvfc5/38YWmxhn++v3me5XxbHa5V8tfpvkyun5LzPvdTSydDqMcACgBjKAFAB0HtzPU4ugBudpyfUYOmMvpcDUY/vtNpzeEbbN9fHWMP53O20uB55e6vMxldPyXnfTopz3lZ1/P4JQAUAxhQAKA6D25nZ7/kPkOs1Wo6jB0r66vB0Ibna8p8NtvNfz0PXrdBrR99Zotay+n5Lyy+iw9D82Ow57BCgAUGMBQBQHQe3M3sdDqxmdRyHl1OBpmy6DkfgT667Ra1tt9yeOX7ztf8ldNiaRl9PyOZ0Gp0xTr+ewQKAChjAFABR0HtzF32ZyqXoPTm3Va/TN/7c0UdF8aBtt1x4Av3kb3D0bK6jT7bRa0DsOdwVBQAFYwAUAUdD7cwyer5XFffX85gOq1+ldNkYVBl+fLtvteUUPfY5vv6eHtrNGyuparRAOw53BqUCgAY4AFAB0PtzMdViaFtN3yMdTgaV1F1pUPLXNvteTou52+Br8bHdH4aJl9Ro93pNUB2HO4IoAUAxhQAoA6H25mNn0HH/PU4WkjqcDSuh++cADb7TlQz+j5rBo6Tw0TL6jkM7oNLqYV2HO4IqKBQDGBQAoDofbmD67DRYXW8njnU4Glbbd8j8Bc7yxm32nKUbzN5Wh1eDo2T1PIfGf0Wn0wdjzuCFAAUMYBQAoOh9uYG9zsDN5cdTgaS/fXanSBk9Xzmvbba8oWbvZcmGf0uo0TK6nkPhn9DqNNY7DnsEAoAoYwAUAUdD7cvTI6755/WE6rA0psei1Go8rm9Dic4bfacoLl9Pp9P8fey3Hhj6JldRyPwmd0es0R2PO4IAKAoxgAKADe+vOqnS5PK/A6XB1JM/eZPn9XU6WGz2XNA2e8+/L0xdDsGnZPR8v5jN3+q1Lq9DhgAUAMcABQAKEUCg9vSeHyWKAuRfPxFAKEooAFihjgAFAAKAKlAAoAFAFAAKACgY5KAAUAFAAoACgApFCpQAKACoY4oAAUAUACgACgBQAUAAoAKYwFAAFAAKAoAAUAFRQqUACooBjgFAAFABQAoAAUAFAFAAKAGOigUAAUAKALKAAUhQURRQABSKGMCgKAAUAKAAoABQAUAKAAoGMAUFAAFACgAUAAKACwooIoFIY4AUFAAFAAoAKAAUABQCgAUYwAFBQAAoAoALBQAKAFAKEKAY4ACgUAAKACgAoABQAFACgBjgABQUAAKAKABYUAFAAoApChjKABYUBQACgCgAFAAKACgAUGMKAAFBQAAoAKAFhQAKACgCgYxYUAFhQFAAKAKAAUAAUAKAAuMAUAAUFAACgAoAVCgBQAKIopjABQABQCgAKABQAUAAoAKAGMUAUAAUCgACgAUAUAAKACiKYwoAUACxQCgAKABQAUAAoAKBjAoAFABUKCgACgBQBQAAoAKGMAoAUAAUBQACgAUAUAAKigFf//EABkBAQADAQEAAAAAAAAAAAAAAAABAwQFAv/aAAgBAhAAAADggAAAQAAIAAgsABAABAACAACLAAEAAEAABAAewAEAABAAAQAewAAgAAQAAQAewAAEAAIAABAewAACAAEAABAewAAgAAAQAAD2IAAEAAAQAAD2AgAAAgAiRAAD2AgAdCMABAE9KjGEAAWIAEBPYjjgAIe+zRygCACxAAQJ7EccAEST2qOUAEAWAgC2/HE9iORE7c1QI0WZI99mnkvezH4AQFgCA6OrkVuxHIi7rY+eB1buLHrs08lq6fOxgCCwAsrh0tXHrdiORF3Xx85Pus61vF8++zTyWvp87En3WAi1AL+nzs0dLVx6568chb18fObOhyaXWt4vn32aeU1dPnYnR18bwAsBDT0ufkdHVx6568cmLevi57du5ed1reLHvsU8pq6XPxulr4tYCwENPS52V0NXH8T145MW9bFgbd/KodW3jR77FPKaenzsjo6+NWAsAL6IeraDrxyYX1+E354WzS99mjlJvoh7tzwAsAIAOpHLACAnr0c4CAAsAAQJeUkAIHryAACLAACAQAEAAAAewAEy8w9RBMvAmZ8IT6iIAAewANG2xhx3dLLhbNsxya2jfYw4o0b7VPPpAA9gAv6SmKMlvUy8/wB9aMc5PNvVUxRit6s0zd45HgAHsAHR0YsYt6mXn++vGLN4dDXhxQdDXiwujr5+IAFgAh1LeVWLeplwNmyfPNp6l/KpQ6enk0tPTxYEACwARPQ04sSYt6mXATt2ZMG/XiwjfsxYXR1c/EACwAFvTVxnx29TLg97fNt+HHZ1JrjPis6s1rK+V5AgLAALttjDlt6WXF76kxnwwu22sWNbvtUYPEAEFgAETKBBMxAJeQlCABBYAAAgAAIACACwAgAEAABAAgAsAEAABAABACALAAIAAQAAEAITCwABAAAQAAQAFiABZdkDXRWAIB6toGirwQAWAgF+3nVlnS59IACHvViFnnyEAWAgF90YzVblp9aPVFSybsnrRNFXvVim6n34gCAsAENE3YYb6a6t+WvVVR0PGbzuxxsxtOTbno2Z6wCCwAF8vNF1kVzZlTtwdDD5e/E6q6trHW25qwAewAXzRsw7ct9fu/wMW7DDV7j3nq6ebGbM1YAPYAL2fbn04dPh7zHrzuwxddjafNerx6xtmasAHsAF857N2OjT4q3Za7/eTdhWacfrblr1YtPvHrz+EAD2AD3NbRni3z49aPdWddSX2+KvMWUr6vfjwAD2AAAEAAIAAID2AAABAACAAICwABAABAAIAAIsAAEAAQAAgAB7AAAQABAAIAB7ABAAABAACABYAgAAIABAAEAWAIAACAAQAAQFgAIAAIAAQAARYACAAAgABAAD2AAQAAEAAgAD/8QAGAEBAQEBAQAAAAAAAAAAAAAAAAIBAwT/2gAIAQMQAAAA5AAaAADQAAAEgAaAADQAAAEgABoAANAAAEgABoAANAAAEgAAGgAAaAAEgAABoAANAAEgAAAaAABoAENAAAA0AAGgAgaAAABoAAAAkGgAAAaAAAAkA0AtAAGi8kAAEgBoHRzAAG9MgAAEgAGnRzAAG9MgAAEgAVsnXOZc4Buy3pkFSAAkADpXLHbObekwBdcm9M5quYGgEAFYdK5Y6uW70mDcOm8m9M5quYbuAEAL6c5dK5Y7Zy3ekwq+eOm8jrnNVzDpvMAgBfSIdK5Y7Zyb1mFXEum88dc5quYdN5gEAL6RDpXLHVyb1nmu+eOm8jrnNVxK654AkAuWbuM7ORuG7jN3DrnMqTTAEaADWHVzANM0dMgAAEaAAGgANAAAAjQAGmaAAGgAAENAA0BjdwGmGgAAgaAXeucV1jm6WcSr1EKvWRgAEAAvqlMb2jnvbJQ3qxMb1Y3OYAEAGnWucDe0c97IhnWogXcQ6VEaAEAA7VxnSusc3S2c867ywdK5YrpPPQAgAHW45ab2jmbdzy61EC7iHSojQAgAFdk7HOu0c9tWxzrqxPOurG5zwNAgACuu5Eb1nnvXU88V01znKukxgNAgAABoAAGgAGkAAAGgAGgAAEgAAAaAAaAAEgAAAaAAaAAENAAAANAANAAgABoAAaAAaAEAGm1AdIwAAbUisw0AgAF9eOD0cZABo2oGsABDQBdOebdc8XsypXPa2Z24bm4ABA0Be1yOuTPWMuZ7ZGdeTpzXHSZucABADRbciqY2Dry7csG3k9c5lzgAIANLT05dedzvSRz68jpubGdp546TgAIAB0R159OXTGwM7clVzXmXm83SMNAIABexvbnHSc688rY6c29OW9Ym+d7z6RhoBAAN2XSFZm3uRlyy6ycVKs3MA0IAADQBoAAAAIGgANADQAAABA0AANAaAAAAIGgAAaA0AAABABoAA0BoAAAIANAABoBoAABAAGgADQA0AAIAANAADQGgABzDQAaAAGgAABAaAA0AANAAAIA0ABoAABoAB//EAD8QAAEDAQQIAwYFBAEDBQAAAAEAAgMEBREgMRASITIzQVFxEzRQIjBSU2FyFBVCQ4EjQGDRYiSRsGOQoKGx/9oACAEBAAE/AP8APx/4Am5XFX+ibFeP8JjjdKdVoTLN2bXqSziBe1yc1zSWuG0ehwUz5shs6oWds31LQyRi9vtf4TQQhkesczptGEXB49CDdYtAULAxgA0EKrjEcpu5/wCDnIqm4LOyu0V/Ad6FDxWhNyGm0uLH2/wc5Km4LO2m0PLuXIegw8RibkNNpcWPt/g/JU3BZ202h5dy5egw8RibkNNp8WPt6+e3uDkVS8BnbTaHl3LpiH93DxWJuQ0clafGj7e5Hq2a8GTPVOM5Kl4LO2m0PLuXTENuwAlGGS7a0rL+xa1zsgU6GQbSDjh4jE3IabT40fbGGPdk0p0b25g+rBpcQ0c1TUrIWrVHRVNKyVp2bU4Fhc05g4TkqXgs7abQ8u5DByUTDK9rAoadkTAA0LVHRVdK17S5o2/2FPD4z7uSjiZG0NAVzTyCrKUXGRmeKHiMTchptPjR9sVJT+MbzuprGNAAARa3mAqymEftt5+q0Y/6qNDTWtundhORVLwWdtNoeXchg6KzgDKTpIUt3jSXdff2Zk/TML439kdl4+uGHisTcho5FWnxY+2Kzx/SPfTVD+g/1Wi81GhpruPhORVLwGdtNoeXcumGzeI7SVNxZfu9/ZmT++mXccjvO74YeIxNyGjkVaXFj7YrP4J7o6KrgP8AVaLzUaGmu4+HkVS8BnbTaHl3LkMNm8R2kqbjSfd7+zMn6ZdxyO87vhh4jE3IaORVpcWPtis/gnvpquA/0y4nYFHQzvF9wCfZ87douKIINxFxGKi81GhpruOcPIql4LO2m0PLuXTDZvEdgm4sv3YT9ExjpDc0IWfMQpKSaIXkbMdl5P0y7jkd53fDDxGJuQ02nxY+2Kz+Ce+mq4D8cUMsu61fgJvopYZIt4Ll6FZ0DX6zz102hTt1PEGwjFReajQ013HwnIql4LO2gK0PLuXTDZvEdgm4sv3YfqFRwCOMG7adBaCLiq2ERSaw5rnhsvJ+mXccjvO74YeKxNyGm0+LH2xWfwT301XAfiiYZHtaOZUUbY2gBbFLGJG3EKRhZI9voVm8F3fTVgGnkvxUXmo0NNdx8JyKpeAztptDy7sVm8R2CXiy/dhbvBR7je2m0/0I4bLyf30y7jkd53fDDxWJuQ02nxY+2Kz+Ce+mp4D8VH5mPBWcc+hWbwT301XAkXXDReajQ013HOE5FUvAZ202h5d2KzeI7BLxZfuwtzCj3GdtHJWn+jFZeUnfTNuOTt53fDDxWJuQ0FWnxY+2Kz+Ce6Oiq4D8VH5mNDTW8Y+hWbwT301fAkxUXmo0NNdxzhORVLwGdtNocB2KzOI7BLxZfuwtzCj3GdtNp/oxWXlJ30zbjkc3d8MPFYm5DQVafFj7YrP4J7o6KrgPxUfmY0NNbxj6FZvAPfTV+XkRw0Xmo0NNd5g4eRVLwWdtNo8B2KzeI7SVLxpfuwt2EKPcZ202n+jFZeUnfTLuOTs3d8MPFYm5DQVafFj7YrP4J76argPxUfmY0NNbxz6FZkoLCzmr9FfKGwObzdipniOdjkCLtDnAbVUyeJM93IYTkVS8BnbTaPl3LlhoX6k46FA6Hv1WEp7taR56nD0UEgfE0hXi7RaMl72tCOGzpQ17mHnpqZAyJxKO3b1ww8VibkNBVp8aLtis6S9jm6ayQMiIPPFTv1JmOKa6/boc64XlVD/EmcR6FHI+N4e3YVFacd3t7FJacI3NqmnfM+92XLD1XRU1e+MXP2r8xp7t4qprzJ7LEOeE81S8BnbTaPAcuWEKntDUGrIjaNPyKqat0+wbAuV2KnqXQHZtCbaMBG0qa0RddGP5Tnl5LnG84mvcw3tUNotuAkTrRg/Sbyp6l85+mKHisTchptPjRdsUcjon6zSo7RZd7exOtGLbqqaZ07r3K/FBWuj9lwvC/MKf4lUVrpBqtFw6+h/Vc7/7E5FUvBj7abR8u73H0/uoeKxNyGgq0+NH2/sf49W6qkdfAz6DTaLroCOqHoMJukYSm5DQVaTgZWfQf4RRVYj9hyY9rxeDenyNYL3EBVlT477hkPQgqSqa5rWONzlepaiOIEuKlkMry48/8I+q8R43XuCL3neeT6J/9FeLJ8xyJJ3iT/7AwF+SbTzu3YyV+DqvklfhKr5JTopW7zCMd/u2wyu3WEr8JU/JK/CVPySjBM3ejIRF2YPu2wTO3WEr8JU/JK/C1PyUYZW7zCF9PdNhldusJX4Wp+SjS1PyinRvbvNI9ZZG+U6rReobMF18pvKZTxMyYFq3L+dBa05tBU9PC5jjqBEAEgYLOaHSOvaCvCj+Bq8KP4Grwo/gapuPLdkHYqegfLc5+xqipIYsmoNAyGkhOijObAqtrWTFoQxMY95uYL1DZozkKZTwsyYEGgadUHMBSwROBvYFKAHvAwhNaXm5rbyoLOc7bKf4UdNDHusQaBkBpLGnNoKlooZOVymoXxXlu0L6eqZKmpHzm+4hvVRQMibc1tyAxTcN/ZO3nd8FmcU4J+PN92GhpNf23hAY63jlAYYKZ85uu9nqoYGQi5oxuyKm4r++GGF07rgDcoKZkLbgNvX3NVRNkGs3YU5rmHVcLj6nTU5nku5KNgY0NbkMV+ibhv7J2bu+CzOKcE/Hm+7Axus9repUTAxjW4HSxtzeEauD40J4j+tqDgcnAqt45wwxGZ4aFDEImBo9w7IqXiv74GML3BozKp4BCwAe7raYSAvbvBXcvUfoqKARRDZtKGlzw0XkgBS2mxuxg1inWlOf03JtpTjMXplq/MZcEKqGaN+q7knbzu+CzOKcFRx5vuwUQvqI8FoVD4g1rc3IkuN5JV45oXJssrN2QhPc9+1xXTBQQCOPXI2nA4gbSbgpbQYw3M2p1pTE7Gr8xm6Jlpn9TEyqilBAdtuUvEf3wWfT3DxHIaS4AXkqa0I2bGbSjaUvywm2m/nGoKyKXnccBVbB4Ul43T6jSReLOwdNqGl7wxpJyCqal87jt2cvdWZxTgn4833YKI3VEYwVtN47LxvBSRvj2PBHuIGeJPG1AXN7IaHG4XlVdWZ3Frdwe4+qY0ve1nxFRs1GNb0GlxABJVXVumdqN3UNN92SoqzX9h+Cuj14T9PULlZbL3OfgtOYgCMc81d7qzOKcFRx5vuwRO8OVj+iY7Wa13UYHMY8XOAKks6F+WwqWz5Y9rTroi43EEHDZrL5XO6YLRm1Gagzcv8A89zRMDp2Houem0ZvDj1Rm7RlgDtUhwzCp5PEiY7rpe0Oa4dVILnvb0Pp4VkcKT7sFom+qd293ZnFOCo4833YaCqu/pPOOppGTDK5ykifE4tdgsrflwWmb5me6szjPwWk6+Vox2ab4iNJU3Gl+708KyOHL92C0W3VRP093ZnFOCo4833Yb/4Kpq98ZAk3VFUwy7rsVdTiWMuG8FlpsrfmwWmz+qw+6s0jxnDBaTf6rD1x2c26G/rpKm40v3eoWW+6RzMFpQa7NcDaPd2ZxTgn4833YwS3I3FR1s8XMuUNpMdcH7CmuBbeDeNJF4VQ3VmlH102c8NmLfiwV8PiREjML+Mlno2c8VG7UqGDrgr4PFi2ZhdsLGl72tGZUMYjjazoNMjtVjndAnnWe53U+oU0vhTtcgRdfpc0EXFVdC+MlzNq76e6axzt1pw2ZxTgn4833e6suRzg9p5YKzjyd9MLxHKx6a7WaD1GkhVtEWnXjX0y0901r37rb0R10tdcQ7mCoXiSNjtJGarKIj24wjs2HSxrnbGi8qjpBCNY7xQ018upEW8z6lQVPixXHeGAj6Kaghk5apRskcpSvykc5So7Nhbve0nRMjicGNA2J287vgszinBPx5vuwQQ+LKGX7CpLNmG5tTqSobmxFjx+lyEbzkxyiop5OVypqcQM+vPSTcL1UODppT9dJF+xWfUF7NRx2jBcpaKGTbq3FGyxfskX5V/6pUdmxN3nFybDHG06jQNim4r++CzqjOJx7YZKOCTbq7U6y28pCmWYwZvJUVPFFusAWzS43beQVXN40mw7B6lBM6GQPaoJ2TMDmn3E3Df2Tt53fBZfFOCfjzfdgoPMM06v0C1foMNbOIYj1OGOR8Tw4clTztnYHD3DsipeLJ3wA3EEZhUtS2dg27Rn7uvqrv6bD6pT1D6d97TsKp6uOcbCr8U3Df2Tt53fBZfFOnoqjjzfdgoPMMx3qaoZC29xVTOZ33k9lywwzPhde0qnq2TDO52C7S7J3ZTcV+GN7o3BzTtVNWsl2ONzlfjc4N2k3BVVfm2Mo7dp9T+mgOLTrAkH6KC05WbJBeFFXwSfquTZmO3XgrWHVa45kJ1RC3OQBVFfBquaNqJvJOCz5GRyEveAvxdP81q/F03zmoVVP85qnIM8habwTp5KkkEczXOyTaynI4gTZo3ZPBWsOoWsOoRewZuCfV07c5AprT5Rt2qSV8hve5DG03G8OuKhtCSPY7aFFXwvzOr3TZY3ZPBWuOoV46ozxNzeFNXwNB23p7tdxcAcWSgrpYtjtrVFXwyf8U2aN2Twtb6rXHVOqIm5vAUtpRt2NF6mqpZr9twXb1kOcMnELxJfmOWvJ8xyJJzN+O4dFcOgVw6K7D/CDnDJxC8ST5jl4knzHIvec3n3tyDnDJxC8R/xuXiSfMciScyfdgkZOKMknzHLxJPmORJOe3/4iTIpZBexhcF+GqPlFOY9huc0g+7Yx7zcxpcV+Gn+UU+N8d2u0t9DaC43NF5X4ef5RXO73IBOwLwJ/llOY9mxzSD6lZO2J6uVqQktbI0ZZq+/3Vlw3Rl55q5Wv+36HR+YZ3Tx7LuykF0j+/uYOMxNyCtPijt6lZPCeiQFMzxY3N6hPZqvLTyPuWtLntaOZuUMYijYzoNFr/t+h0fmGd0/dcpeK/v7mNwY9jihakI5FVdQ2okBb6lZPCeq+Qxw6w6qJ4kjY4cwrUhLJfE5HGNFmRF82vyCmeI4nuPJpVE8yU8bjzVsfteh0fmGd07dPZS8V/f12yeE9Wn5VysqYOj8Lm1V8PiwHqPcclZ8PhQfdtVqzasXh83KzvKRK2P2sdx6Farvgcrj0Pu7j8LlcfhdiuPwuVzvgcv4OKj8wzunbrlLxZO/rtk8J/dWn5V6o5fBmjJ/lC4juqyHwp3jkcdPGZZmN+qADW3dAq2Xxah55NVneUiVsftYYKaSc3MFyhsuJovk9opkETBsYFc3/inQxPG1gKlsyF257BVRSywZi9vXDQU8c7nB4VfSQwQ6zG81FC+Z4a1QWfDGA54vcmsY3JoTmMObQqkBszw3qvoh0uvVPZ8ktzneyFHQU7P0XlBjG5BquafhT6eF42sCnsxucRu/4p7HxuLXjBR+YZ3T913ZScR/fSExhe7Va28lQ2bGGjxNpU1NRwNJcE64uJbsCzXfmUyz6ctadXkqyJkU2q31KyOE/urT8q9dFQTeLA08wrVhDmB4x2TFeXSqsmEMDnI33FWd5SJWxnFgpKV1Q/8A4BRxsibc0XBVNosi9lntOUlbPJm9F789dyjq548nqmtMOubLsPVOayRlx2gqspDTvvG6V202VxXdlabS6luGeuqOnZBGNntHNVNeyD2W+05OtGqJ3gE20aoHaRcpH+I8vOZOiz6MXeK8dlI9kbC55uap7TkJuh2NT55pN55Qe8ZPco66oi53hUtYyoHR3RVVM2eM7Nqc0tcWuzGmj8wzun7ruyk4j++gKGF8z7mhUtKyBn1VVVsgHV3IKWV8ziXu0HkuncKPcZ9oVo+a/j1KyeE/urT8q9dFZc2pKWHmpYw+NzeoUjDG97D+k4br8s1SxCKBrforVm9tkY0Wd5SJWx+1o+qa0uIbzJVNCIYms581aNXqDwmnaVzJOAnkrNqzf4TiqiITROaU9hY9zDy02VxXdk5gcLirQqREzVB2lHbnghYXysb9U0BoAVo1BkmMfJqywRvMbmuByKik8SNj+oVpxBkwd8emj8wzunbrlKbpJO+impX1B6N6qGBkDQ1oVXXNiva3a5OeXuLnHbg/2FHuM+1Wh5k9vUrJ4T+6tPyr1yTHljmvHIqF/iRMcOYVqQ6koeMjhoYvFqG/8U8hjHO6BTSeLK9/VdVZ3lIlbH7WmzIhJUaxyAUjtVjndApJDK8vPM4muLSHDkVBIJYmP6hWnFqTa3J2myeI5E3C9VUnizvdy5I4IpXRPD2o2pVfC1PeXv1nZnPFZ7r6doVrDZGdNH5lndP3XdlJxJO6paIzEOfsamsZG25twCrK/OOL+Sibz1w/7Cj3GfaFaHmj29SsnhP7q0/KvXTRZU17DEVXQiaBw5jbhsqHUiMhG1ytKXw4dUHadB5qzvKRK2P2tF6shl0Lj9VabyylcR7iy3h0Gr8KtVl8TXdNNk8RynOrE8/8T7rZ1QBOW1CKU5RuTaCofkLlRwvhh1Xq1d1mmj8yzunbWu7KCg15XPlyv2BEsjZtuDQqyvdIdSPdx/7Cj3GfaFaPmvUrI4T1aflXrpopZTDOx1+wnatjh9CFWReDUPHInYuaCjYZHtaOajYGMa3oFaM3iVGzJuzQeas7ykStj9pHRZrbqcKop21DNVxX5VD8RX5VD8RX5VD8RX5VD8RX5VD8RX5VD8RX5XD8RVNTNpw4NOatAX0r100WTxndlWeXf7iKmnm3WqOyeb5CEyz6ZubNZNp4GZRgLXjb+poT62nZm9QzMmZewq1t1mmj8yzvoCtKKZzb2k6gzCGP/YUe4z7QrR8z/cD+6sjhPVqeVeummgmEsA6t2K1Yb2CQcl9FzVlwh8xeRkqmTwonuv5bE4l5cTmTo6qzvKRK2P2l1XJWef8Apwq2qdTMvDV+byfKX5vL8tfm8ny1+byfLX5vJ8tfm0vy1+bSfLQtaT5antF00TmammyOM5Vnl34s8lR0A2SS/wDZexG3kAprSjYbmDWUlpzv3PZTqupdsdIiS7MnRZvAVq7jNNH5lndO3XdlT1pimex5vbegWubfmCq6hLP6kY2cxj/2FHuM+0K0fNepWRwnq1PKvXTTZk3hzahOxyljEkbmnopGGN7mnMHRQQ+FTt6lWtNsbEF20dVZ3lIlbH7WmyXXwOH1VqMLqY/Qq+/H2wWTxXdlWeXfh+is+ETTXnIIkNbf0VXVvmkIDrmhdkdJVm+XCtbdZpo/MM7p+47speK/uqSudDc121qa5r23g3hVtBq3yRDuF9Dh/wBhR7jPtCtHzPqVkcJ/dWn5V66aMk12o5rhyN6gk8WJj+oVqwhkrZANjs1TReNOxnJbGt+gCqpTLO93Q3DT1VneUiVsZxabKm1ZTH1U0fiROb1Cewse5rswccdBPK1r281PTSQauvz02TxXdlWeXfisnccVXOLaZ5C5YPovoqNhjp2A53bVa26zTR+YZ3T913ZS8V/fRRVjoCGuN7Cmua9oLdoKrqDN8WH/AGFHuM+1Wj5n1KyOE/urT8q9dMFkz3tdE7Pkq6EzU7wMwrJh35HDsrQmEdO4c3bBg6qzvKRK2M4tMb/Dka8cioZRLG145hWlSbfFYO674aWB08oAGxNaGNDRkFaU4lm1OTNNk8V3ZVnl34eislwuexVcfiQPaFlfevpgoaUzPDiPYCGWxWtux6aPzLO6fuu7KXiv76L1RVhgOq43sQc14vBvvVdRZyRjuF9Ffy0dO4Ue4z7VaPmfUrI4T+6tPyr100fTRSzeDUMcgQ5vcKONsTdVqtOfxJdTk3B17KzvJxK2P2sFBV+A/UefYK2SN5FpVVZmb4k6KVmxzCF3QBOTSVBQTzHaNVqp6dkDNVqrqwQsLWm9xRJO3TZPFcqzy78VHOIZw4800hwvVZZ5LnSR/wDZGN7djmOCvQY926xxVNZr33GXY1OdHTR8gAqGcziVx6q1t1mmj8xH3T913ZS8R/fBSVj4DcdrEx7JGXjaCq2g1gXx5q4gm/PQeXcJm4z7QrR8z/HqVlysZE/WeArRmjfTuDXg4qGqY6Boc8AhPqoWtJ1wVI8vke7qdNyP6lQTRspYml4Vqva/w9VwR0gclTV0tPc0+01QV0E2Trj9UQx423ORpac5whNghbuxgJ0sbRteAqm1BtbCnOc46ztpwWY9rJXaxA2KrmiMDgHg4u6pK90NzX7WqOoilF7XhOYx+bQV+Fp/ktQbHHkA1T10UPO8qoqZJ3Xu3eisuRkbJA5wF5VpyMe1mq4HTSODZ2EnmnVEVx9tql4jz9Vy057FR1boHXHaxCpgc2/XCroIX/1GPF62roPqmTxajfbbkq54dU3ggi71m4e/ZUTs3ZCF+Nq/nFGsqiOMU57n7XEk+/BLdoJQq6obBMV+NqvnFPqJ37HSEhfzjuGE/wDhZf/EAC8RAAEDAwMDBAEEAgMBAAAAAAEAAgMEEBESMTIzQFEgISJBExRQYXEwUiNCkID/2gAIAQIBAT8A/wDBPHaH9lhp24BKmgaG5HYgZKipmBuSqiFrPcfsg3Cj4NU3TKPYMPzam7BVXSP7I3dRcGqbplHsGc2/2m7Kq6R/YIojIU+kwM5RsN1FwCm6ZR3sGlxwhSfHdSxFh/wQwGT3UlLoGQbs5tQ2VV0jdjC84Qo/bdPYWHHd0vC0vUNhuouDVN0yjvaHqNtV8R/gpukE7iU7kbM5tTdgqrpG9KPnasHzHbYX4pMcURi9L07S8zYbqLgFN0yjvaDqD+7VfEXAJX4n4zj0U/SCfxKdyNmc2puwVT0jel52rOQuGudxRikAyW9lTtDnjKwqpoD70vC0vUNhuouDVNwKO9oOoLVfEXpWhxKwFO3TJen6QT+JTuRszm1N2Cqekb0vO1ZyF6RoxlOGQQpBh57Gm52q+Tb0vC0vUNhuouDVN03I2g6g/u1XxF6Pd1qnqXp+kE7iU7kbM5tTdgqnpG9LztWchek4IqXm7saYgPtVEFwvSkaETgKQgvNhuouDVN0yjaE4kFqsjAF6QgE2nIMhvTEGMJ5AaU7kbM5tTdgqnpG9MQH2qyC69IRpwiVKcvPYgkHIX6h+MIkk3Y9zDkJ1Q9wR82G6i4BTdMo73FQ9ownuc85N2ktOQjUyEYRObxyuZsnTveMXZzam7BVPSNwSChUvAxlOcXHJux5YctT6h7hhDuvtQvBaBlTyNDCFuewYcOCje1zd1Uvboxn9lBI2KznstRGxRJP7Jn92wStDj/1K0OG7SiMX0nwiCNx6A1x+l+N/+pWh3j0gZQY//UrQ4f8AVEEejGUI3H6K0PH0iMd5FAX77JsTG/SwFgFVIAIwLQgawg1vhVQAaLwwZ93IMaNm2IapBhxvFAX/ANJsLG/SwEWhVTQMXigc/wDpMhY0bIAIgFPgY8bYUsToz3UMesoDAwsgBGojahUMKqXNdjFoeoLVfFtmDLwmjGAnu0NyjVHwhVeQnuy4m0Met38JoDRgWdOxv2hUsKqXBwGLRM1vwmtDRgWM8bTglNnY44BtIwPbgqRpa7Hc0wwy1RJ74BW/oh6gtV8W2jOHhA5wU9ocMFPpSNk5jmb3pW/HNqmU50j00rfYm1TKc6RbOFTS6/ibVbcEHuYemLS51n0w9QWq+Lbwz49ig4O2s5gcMFTRljrU/TtP1Hemm4Wnz+Q3pR87Vew7mmdluLTxHORfFoeoLVXFvoa9zT7FQzFxwbVQ+ItSuyMWqIifkF72x7WpXfEi1RET8gtigCTgKni0DJtVPycdzFJocgQRmxiYfpCFgVSAMYtDzFqri2zBl4CdTMX6QeVHC1lqp+SG2ik0OTXBws6Jh+kIIwqpoAGAsqJ5Y7Ka4PGRYxMP0mxMb9WkeGNJTnanE91HMWf0mzMcFqb5WpvlVLgT7WhOHha2f7BVTgWjBtHzC1s8rU3yi9o+1JUBuycdRzeOZzCmTsctTfKL2+VUvafa8croz/CZOxy1t8rW3ynzsbspJHPPe6itR/wZK1O8rJ9eo+VqPq1FFzj/APHMTNbsJ9OGtJHqZThzclSN0Ox2LRk4U0QjA9MMIkCe3Q4juafmiQSWqRulxHojblwCGBgKfqHsY+QVVs30skLB7IkuOT3NPzTnaZQqhmzvRTt3cmO1SFT9Q2a0uOAm0zvs4X6Xw5Phey4jJZqTInPRpsDknDBTWOdshTeSjTeHJ8TmWj5hVWzbAElGBwGTZkZfsiCDjuafqKf2em/8kScMG2PddOJU/IqbqFAEnCa0RMyd0+ZzkHuUU2fi5Tx6TnzaEaocKSTR8Wr8kmd1ycsthZ/KdK932g9w+1E8SjBUjdLiFHyCqdmprS44CYxsQy7dSyl5/i1LsVLnWe5p+aqOSp3YOFO3S60LdT1Uu2aqbcqfqFQDL1Uu98XG6f8AOLKwoTiLKccuNtk55dvYNcfpU7HB2yqOaj5hTMLy1fCEfynyF5sFS/al5nuafmqjkmnBypBrjzaEYYXKQ6nEqm5KfqFU3JSGIO+S1QLVCtUPhOlZowLR9Ao73jgyMuWYWL9QwbNUUxe7CqOaZyanSBmMqeIu+Q9FLs5S8z3NPzVRytA7LC0osw/ClOiPFqbkp+ZUBw9VDffPo0OAyRaPolHe0LcvCqHkYaL0w+RVRzUfIKq2aoZsfF2ymhz8m3pftS8z3NP1FUc7RP0vCMYLg5Tu1OtTcip+oUDhAtmjx9p8Tm/SwfCihJOSp3jiLR9Ao7m0LsPU0ZeNQWHeE2Nzjsog2P2+1UH5pnIKp2FoZsfFylhz8mrGFS7FS8z3Mb9DsqR+s5v+chuFnJtHIWFOcXkk2a4tPshUeQvzR+E+cnb2R97NmIZpuFHO5vsV+dnhOqPpoTZXB2pSP1nKBxgqSXWLsnLRjdOIcc4wopTGnu1HP/kB/8QAJxEAAQUAAgICAwACAwAAAAAAAQACEBExIEASITJBAyJQMJBRYID/2gAIAQMBAT8A/wBJgARHSoIj+IEEc6Z/ihHOiIOfwALXjIg5wpEf4AERIg5NLxRHbbkHYCGI5I2Hf4AjIgy2HdejwbkHZGI5Ldh3CuAzgIMt2HcK6Tdh0tyDsBDEcluw6WwdkZwEGW7DpGQei3YfH2m5B2AhiOL7huw6Ww7ZGQYEGW7DpbkHot2HbLcg7AQxOxfcN2HS2DsjEZEGW7DpGQel5Hha8uAxOzgHFWZBXlwBRMiDnC+Fq+4CE4+ukCif41/9t9qiqPCiq4UqKo8qVcqVHugICXQ3YdIHA7Iaql0gKpIRHaaJsBeQTobsPyBsFea8kYA9yXBeQRMAIRauSOwE3IceLdEPyPuS1EES3IceLYcZBh3ZbkO4t2H4JDuBFGG5Dt4tyHbLIdnZZkOHFuw/OAJTTDshmQ4cWwRGoCHIdhppCKCoBPhmw/IC8AvBBsOgFCKCoJ+QChFBUIKJ7QcQg4RaeYbqsJ59QNViS5GQ5XL5BQIi0Sr/APOAFosocgywnCj0QnCuIFoiuyzYIo8Boh29EJ/EFHss1OPtPHrgwfaBtxT9gC0GLwRaRNekGkrwX2gCUGFeCIIganz4wBfaZqfqHsL7jSsamaU/UFXiEXFWU130U4UYb8UXUvIrSviEXEoEhA+QRFFDU9AIABF1wxHeyzU/Uwp4ow0WU8r8f2nfJMHtPkI+2w34o7PkTLAnahqcLXoBEkyxHeyzU/VhT/YhgoWibK/HpTvkvx6jVr9F+itq8hUD48A1W0LyCabKfqGolObwYjvZZqfsMP0iP2T/AEI/HpTvkmGin8KMD4yyrTzUsT9Q1PTXJzZYnb2Wan7DT7VCwU82UV+PSn/KB+wRaRDWm0931A+MjQnC4AJTQAn6m6nwHJzfsQwI72QaKJufP1LXUrswCQg//leYReZDqHAPIXmEXoONomzBNyHELU00jv8AqA//2Q=="
}
},
{
"type": "Microsoft.Logic/workflows",
"apiVersion": "2017-07-01",
"name": "[parameters('BlockIPAddressPlaybookName')]",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Web/connections', variables('Meraki_Connection'))]",
"[resourceId('Microsoft.Web/connections', variables('AzureSentinel_Connection'))]"
],
"identity": {
"type": "SystemAssigned"
},
"properties": {
"state": "Enabled",
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"$connections": {
"defaultValue": {},
"type": "Object"
},
"NetworkName": {
"defaultValue": "[parameters('NetworkName')]",
"type": "String"
},
"OrganizationName": {
"defaultValue": "[parameters('OrganizationName')]",
"type": "String"
}
},
"triggers": {
"When_Azure_Sentinel_incident_creation_rule_was_triggered": {
"type": "ApiConnectionWebhook",
"inputs": {
"body": {
"callback_url": "@{listCallbackUrl()}"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"path": "/incident-creation"
}
}
},
"actions": {
"Check_if_body_present_in_Azure_Sentinel_incident": {
"actions": {
"Check_if_Organization_exists": {
"actions": {
"Check_if_Network_exists": {
"actions": {
"Add_comment_to_incident": {
"runAfter": {
"Create_incident_HTML_table": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"body": {
"incidentArmId": "@triggerBody()?['object']?['id']",
"message": "<p>@{outputs('Cisco_Meraki_Logo')} <strong>Cisco Meraki Block IP Address Playbook</strong><br>\n<br>\nBelow incident IP address(s) are found in Azure Sentinel have the following status in network - <strong>@{parameters('NetworkName')}</strong> for organization - <strong>@{parameters('OrganizationName')}</strong><br>\n@{body('Create_incident_HTML_table')}</p>"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/Incidents/Comment"
}
},
"Compose_Network_Id": {
"runAfter": {},
"type": "Compose",
"inputs": "@body('Filter_Network')?[0]?['id']",
"description": "To store network id from filter network result"
},
"Create_incident_HTML_table": {
"runAfter": {
"Update_Network_Appliance_L3_Firewall_Rules": [
"Succeeded"
]
},
"type": "Table",
"inputs": {
"columns": [
{
"header": "Incident IP Address",
"value": "@item()?['IP']"
},
{
"header": "Source",
"value": "@item()?['SourceCidr']"
},
{
"header": "Source Port",
"value": "@item()?['SourcePort']"
},
{
"header": "Destination",
"value": "@item()?['DestinationCidr']"
},
{
"header": "Destination Port",
"value": "@item()?['DestinationPort']"
},
{
"header": "Policy",
"value": "@toUpper(item()?['Policy'])"
},
{
"header": "Protocol",
"value": "@toUpper(item()?['Protocol'])"
},
{
"header": "Previous Status",
"value": "@item()?['PreviousStatus']"
},
{
"header": "Current Status",
"value": "@item()?['CurrentStatus']"
},
{
"header": "Action",
"value": "@item()?['Action']"
}
],
"format": "HTML",
"from": "@variables('ConsolidatedAction')"
},
"description": "To create incident HTML table from consolidated action array"
},
"Filter_L3_firewall_default_rule": {
"runAfter": {
"Get_Network_Appliance_Firewall_L3_Firewall_Rules": [
"Succeeded"
]
},
"type": "Query",
"inputs": {
"from": "@body('Get_Network_Appliance_Firewall_L3_Firewall_Rules')?['rules']",
"where": "@not(equals(item()?['comment'], string('Default rule')))"
},
"description": "To filter out L3 firewall default rule"
},
"For_each_IP_Address": {
"foreach": "@body('Entities_-_Get_IPs')?['IPs']",
"actions": {
"Check_if_IP_Address_exists_in_L3_Firewall_Rules": {
"actions": {
"Check_if_IP_address_is_blocked_by_L3_firewall_rule": {
"actions": {
"Append_to_consolidated_action_variable_for_blocked_IP_address_in_L3_firewall": {
"runAfter": {
"Set_action_variable_for_blocked_IP_address_in_L3_firewall": [
"Succeeded"
]
},
"type": "AppendToArrayVariable",
"inputs": {
"name": "ConsolidatedAction",
"value": "@variables('Action')"
},
"description": "To append action JSON object"
},
"Set_action_variable_for_blocked_IP_address_in_L3_firewall": {
"runAfter": {},
"type": "SetVariable",
"inputs": {
"name": "Action",
"value": {
"Action": "Blocked using L3 firewall rule",
"CurrentStatus": "Blocked",
"DestinationCidr": "@{outputs('Compose_L3_firewall_rule')?['destCidr']}",
"DestinationPort": "@{outputs('Compose_L3_firewall_rule')?['destPort']}",
"IP": "@{items('For_each_IP_Address')?['Address']}",
"Policy": "@{outputs('Compose_L3_firewall_rule')?['policy']}",
"PreviousStatus": "Blocked",
"Protocol": "@{outputs('Compose_L3_firewall_rule')?['protocol']}",
"SourceCidr": "@{outputs('Compose_L3_firewall_rule')?['srcCidr']}",
"SourcePort": "@{outputs('Compose_L3_firewall_rule')?['srcPort']}"
}
},
"description": "To create action JSON object"
},
"Set_classification_reason_variable_for_blocked_IP_address_in_L3_firewall": {
"runAfter": {
"Append_to_consolidated_action_variable_for_blocked_IP_address_in_L3_firewall": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "ClassificationReason",
"value": "TruePositive - SuspiciousActivity"
},
"description": " To store incident closing reason"
}
},
"runAfter": {
"Compose_L3_firewall_rule": [
"Succeeded"
]
},
"else": {
"actions": {
"Condition_if_IP_address_exists_in_L7_firewall_rules": {
"actions": {
"Append_to_consolidated_action_variable_for_IP_address_blocked_in_L7_firewall": {
"runAfter": {
"Set_action_variable_for_IP_address_blocked_in_L7_firewall": [
"Succeeded"
]
},
"type": "AppendToArrayVariable",
"inputs": {
"name": "ConsolidatedAction",
"value": "@variables('Action')"
},
"description": "To append action JSON object"
},
"Compose_L7_firewall_rule": {
"runAfter": {},
"type": "Compose",
"inputs": "@body('Filter_L7_firewall_rule')?[0]",
"description": "To create firewall rule item"
},
"Set_action_variable_for_IP_address_blocked_in_L7_firewall": {
"runAfter": {
"Compose_L7_firewall_rule": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "Action",
"value": {
"Action": "Blocked using L7 firewall rule",
"CurrentStatus": "Blocked",
"DestinationCidr": "@{outputs('Compose_L7_firewall_rule')?['value']}",
"DestinationPort": "NA",
"IP": "@{items('For_each_IP_Address')?['Address']}",
"Policy": "@{outputs('Compose_L7_firewall_rule')?['policy']}",
"PreviousStatus": "Blocked",
"Protocol": "NA",
"SourceCidr": "NA",
"SourcePort": "NA"
}
},
"description": "To create action JSON object"
},
"Set_classification_reason_variable_for_IP_address_blocked_in_L7_firewall": {
"runAfter": {
"Append_to_consolidated_action_variable_for_IP_address_blocked_in_L7_firewall": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "ClassificationReason",
"value": "TruePositive - SuspiciousActivity"
},
"description": " To store incident closing reason"
}
},
"runAfter": {},
"else": {
"actions": {
"Append_to_consolidated_action_variable_for_IP_address_allowed_in_firewall": {
"runAfter": {
"Set_action_variable_for_IP_address_allowed_in_firewall": [
"Succeeded"
]
},
"type": "AppendToArrayVariable",
"inputs": {
"name": "ConsolidatedAction",
"value": "@variables('Action')"
},
"description": "To append action JSON object"
},
"Set_action_variable_for_IP_address_allowed_in_firewall": {
"runAfter": {},
"type": "SetVariable",
"inputs": {
"name": "Action",
"value": {
"Action": "Allowed using L3 & L7 firewall rules",
"CurrentStatus": "Allowed",
"DestinationCidr": "@{outputs('Compose_L3_firewall_rule')?['destCidr']}",
"DestinationPort": "@{outputs('Compose_L3_firewall_rule')?['destPort']}",
"IP": "@{items('For_each_IP_Address')?['Address']}",
"Policy": "@{outputs('Compose_L3_firewall_rule')?['policy']}",
"PreviousStatus": "Allowed",
"Protocol": "@{outputs('Compose_L3_firewall_rule')?['protocol']}",
"SourceCidr": "@{outputs('Compose_L3_firewall_rule')?['srcCidr']}",
"SourcePort": "@{outputs('Compose_L3_firewall_rule')?['srcPort']}"
}
},
"description": "To create action json object"
}
}
},
"expression": {
"and": [
{
"greater": [
"@length(body('Filter_L7_firewall_rule'))",
0
]
}
]
},
"type": "If",
"description": "Condition to check if filter L7 firewall rule"
}
}
},
"expression": {
"and": [
{
"equals": [
"@outputs('Compose_L3_firewall_rule')?['Policy']",
"deny"
]
}
]
},
"type": "If",
"description": " Condition to check if IP address is blocked by L3 firewall"
},
"Compose_L3_firewall_rule": {
"runAfter": {},
"type": "Compose",
"inputs": "@body('Filter_L3_firewall_rule')?[0]",
"description": "To store L3 firewall rule"
}
},
"runAfter": {
"Filter_L7_firewall_rule": [
"Succeeded"
]
},
"else": {
"actions": {
"Check_if_IP_address_exists_in_L7_firewall_rule": {
"actions": {
"Append_to_consolidated_action_variable_for_blocked_IP_address_in_L7_firewall": {
"runAfter": {
"Set_action_variable_for_blocked_IP_address_in_L7_firewall": [
"Succeeded"
]
},
"type": "AppendToArrayVariable",
"inputs": {
"name": "ConsolidatedAction",
"value": "@variables('Action')"
},
"description": "To append action JSON object"
},
"Compose_L7_firewall_rule_item": {
"runAfter": {},
"type": "Compose",
"inputs": "@body('Filter_L7_firewall_rule')?[0]",
"description": "To create firewall rule item"
},
"Set_action_variable_for_blocked_IP_address_in_L7_firewall": {
"runAfter": {
"Compose_L7_firewall_rule_item": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "Action",
"value": {
"Action": "Blocked using L7 firewall rule",
"CurrentStatus": "Blocked",
"DestinationCidr": "@{outputs('Compose_L7_firewall_rule_item')?['value']}",
"DestinationPort": "NA",
"IP": "@{items('For_each_IP_Address')?['Address']}",
"Policy": "@{outputs('Compose_L7_firewall_rule_item')?['policy']}",
"PreviousStatus": "Blocked",
"Protocol": "NA",
"SourceCidr": "NA",
"SourcePort": "NA"
}
},
"description": "To create action JSON object"
}
},
"runAfter": {},
"else": {
"actions": {
"Append_to_L3_firewall_rules_variable": {
"runAfter": {},
"type": "AppendToArrayVariable",
"inputs": {
"name": "L3FirewallRules",
"value": {
"comment": "Blocked by playbook",
"destCidr": "@items('For_each_IP_Address')?['Address']",
"destPort": "any",
"policy": "deny",
"protocol": "any",
"srcCidr": "any",
"srcPort": "any",
"syslogEnabled": false
}
}
},
"Append_to_consolidated_action_variable_for_new_IP_address": {
"runAfter": {
"Set_action_variable_for_new_IP_address": [
"Succeeded"
]
},
"type": "AppendToArrayVariable",
"inputs": {
"name": "ConsolidatedAction",
"value": "@variables('Action')"
},
"description": " To append action JSON object"
},
"Set_action_variable_for_new_IP_address": {
"runAfter": {
"Append_to_L3_firewall_rules_variable": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "Action",
"value": {
"Action": "Blocked using L3 firewall rule by playbook",
"CurrentStatus": "Blocked",
"DestinationCidr": "@{items('For_each_IP_Address')?['Address']}",
"DestinationPort": "Any",
"IP": "@{items('For_each_IP_Address')?['Address']}",
"Policy": "deny",
"PreviousStatus": "Not Found",
"Protocol": "any",
"SourceCidr": "Any",
"SourcePort": "Any"
}
},
"description": "To create action JSON object for IP address"
}
}
},
"expression": {
"and": [
{
"greater": [
"@length(body('Filter_L7_firewall_rule'))",
0
]
}
]
},
"type": "If",
"description": "Condition to check if IP address exists in L7 firewall rule"
},
"Set_classification_reason_variable": {
"runAfter": {
"Check_if_IP_address_exists_in_L7_firewall_rule": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "ClassificationReason",
"value": "TruePositive - SuspiciousActivity"
},
"description": "To store incident closing reason"
}
}
},
"expression": {
"and": [
{
"greater": [
"@length(body('Filter_L3_firewall_rule'))",
0
]
}
]
},
"type": "If",
"description": "Condition to check if filter IP address returns network object"
},
"Filter_L3_firewall_rule": {
"runAfter": {},
"type": "Query",
"inputs": {
"from": "@body('Get_Network_Appliance_Firewall_L3_Firewall_Rules')?['rules']",
"where": "@contains(item()?['destCidr'], items('For_each_IP_Address')?['Address'])"
},
"description": "To filter rule detail from get network appliance L3 firewall rule action based on IP address"
},
"Filter_L7_firewall_rule": {
"runAfter": {
"Filter_L3_firewall_rule": [
"Succeeded"
]
},
"type": "Query",
"inputs": {
"from": "@body('Get_Network_Appliance_Firewall_L7_Firewall_Rules')?['rules']",
"where": "@contains(item()?['value'], items('For_each_IP_Address')?['Address'])"
},
"description": "To filter rule detail from get network appliance L7 firewall rule action based on IP address"
}
},
"runAfter": {
"Get_Network_Appliance_Firewall_L7_Firewall_Rules": [
"Succeeded"
]
},
"type": "Foreach",
"description": "For each loop for IP addresses from Azure Sentinel",
"runtimeConfiguration": {
"concurrency": {
"repetitions": 1
}
}
},
"Get_Network_Appliance_Firewall_L3_Firewall_Rules": {
"runAfter": {
"Compose_Network_Id": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['MerakiConnector']['connectionId']"
}
},
"method": "get",
"path": "/networks/@{encodeURIComponent(outputs('Compose_Network_Id'))}/appliance/firewall/l3FirewallRules"
}
},
"Get_Network_Appliance_Firewall_L7_Firewall_Rules": {
"runAfter": {
"Set_L3_firewall_rules_variable": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['MerakiConnector']['connectionId']"
}
},
"method": "get",
"path": "/networks/@{encodeURIComponent(outputs('Compose_Network_Id'))}/appliance/firewall/l7FirewallRules"
}
},
"Set_L3_firewall_rules_variable": {
"runAfter": {
"Filter_L3_firewall_default_rule": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "L3FirewallRules",
"value": "@body('Filter_L3_firewall_default_rule')"
},
"description": " To create L3 firewall rules array"
},
"Update_Network_Appliance_L3_Firewall_Rules": {
"runAfter": {
"For_each_IP_Address": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"body": {
"rules": "@variables('L3FirewallRules')"
},
"headers": {
"Content-Type": "application/json"
},
"host": {
"connection": {
"name": "@parameters('$connections')['MerakiConnector']['connectionId']"
}
},
"method": "put",
"path": "/networks/@{encodeURIComponent(outputs('Compose_Network_Id'))}/appliance/firewall/l3FirewallRules"
}
},
"Update_incident": {
"runAfter": {
"Add_comment_to_incident": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"body": {
"classification": {
"ClassificationAndReason": "@variables('ClassificationReason')"
},
"incidentArmId": "@triggerBody()?['object']?['id']",
"status": "Closed"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "put",
"path": "/Incidents"
}
}
},
"runAfter": {
"Filter_Network": [
"Succeeded"
]
},
"else": {
"actions": {
"Terminate_if_network_not_found": {
"runAfter": {},
"type": "Terminate",
"inputs": {
"runError": {
"code": "404",
"message": "Network Not Found"
},
"runStatus": "Failed"
}
}
}
},
"expression": {
"and": [
{
"greater": [
"@length(body('Filter_Network'))",
0
]
}
]
},
"type": "If",
"description": "Condition to check if filter network returns network object"
},
"Filter_Network": {
"runAfter": {
"Get_Networks": [
"Succeeded"
]
},
"type": "Query",
"inputs": {
"from": "@body('Get_Networks')",
"where": "@equals(item()?['name'], parameters('NetworkName'))"
},
"description": "To filter network detail from get networks action based on network name"
},
"Get_Networks": {
"runAfter": {},
"type": "ApiConnection",
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['MerakiConnector']['connectionId']"
}
},
"method": "get",
"path": "/organizations/@{encodeURIComponent(body('Filter_Organization')?[0]?['id'])}/networks",
"queries": {
"perPage": 1000
}
}
}
},
"runAfter": {
"Filter_Organization": [
"Succeeded"
]
},
"else": {
"actions": {
"Terminate_if_organization_not_found": {
"runAfter": {},
"type": "Terminate",
"inputs": {
"runError": {
"code": "404",
"message": "Organization Not Found"
},
"runStatus": "Failed"
}
}
}
},
"expression": {
"and": [
{
"greater": [
"@length(body('Filter_Organization'))",
0
]
}
]
},
"type": "If",
"description": "Condition to check if filter organization returns organization object"
},
"Filter_Organization": {
"runAfter": {
"Get_Organizations": [
"Succeeded"
]
},
"type": "Query",
"inputs": {
"from": "@body('Get_Organizations')",
"where": "@equals(item()?['name'], parameters('OrganizationName'))"
},
"description": "To filter organization detail from get organizations action based on organization name"
},
"Get_Organizations": {
"runAfter": {},
"type": "ApiConnection",
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['MerakiConnector']['connectionId']"
}
},
"method": "get",
"path": "/organizations"
}
}
},
"runAfter": {
"Cisco_Meraki_Logo": [
"Succeeded"
]
},
"else": {
"actions": {
"Terminate_if_IP_address_not_found": {
"runAfter": {},
"type": "Terminate",
"inputs": {
"runError": {
"code": "404",
"message": "IP Address Not Found in Azure Sentinel Incident"
},
"runStatus": "Failed"
}
}
}
},
"expression": {
"and": [
{
"contains": [
"@outputs('Entities_-_Get_IPs')",
"body"
]
},
{
"greater": [
"@length(body('Entities_-_Get_IPs')?['IPs'])",
0
]
}
]
},
"type": "If",
"description": "Condition to check if body present in the sentinel incident"
},
"Cisco_Meraki_Logo": {
"runAfter": {
"Initialize_classification_reason_variable": [
"Succeeded"
]
},
"type": "Compose",
"inputs": "<img src=\"https://www.kellerschroeder.com/wp-content/uploads/2017/05/Cisco-Meraki.jpg\" alt=\"CiscoMerakiLogo\" width=\"32\" height=\"32\">",
"description": "To add logo for incident "
},
"Entities_-_Get_IPs": {
"runAfter": {},
"type": "ApiConnection",
"inputs": {
"body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/entities/ip"
}
},
"Initialize_L3_firewall_rules_variable": {
"runAfter": {
"Entities_-_Get_IPs": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "L3FirewallRules",
"type": "array"
}
]
},
"description": "To store L3 firewall rule object"
},
"Initialize_action_object_variable": {
"runAfter": {
"Initialize_L3_firewall_rules_variable": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "Action",
"type": "object"
}
]
},
"description": "To create JSON action object"
},
"Initialize_classification_reason_variable": {
"runAfter": {
"Initialize_consolidated_action_array_variable": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "ClassificationReason",
"type": "string",
"value": "BenignPositive - SuspiciousButExpected"
}
]
},
"description": "To store incident closing reason"
},
"Initialize_consolidated_action_array_variable": {
"runAfter": {
"Initialize_action_object_variable": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "ConsolidatedAction",
"type": "array"
}
]
},
"description": "To create consolidated array variable for HTML incident table"
}
},
"outputs": {}
},
"parameters": {
"$connections": {
"value": {
"MerakiConnector": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('Meraki_Connection'))]",
"connectionName": "[variables('Meraki_Connection')]",
"id": "[concat('/subscriptions/',subscription().subscriptionId,'/resourceGroups/',resourceGroup().name,'/providers/Microsoft.Web/customApis/',parameters('CiscoMerakiConnectorName'))]"
},
"azuresentinel": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinel_Connection'))]",
"connectionName": "[variables('AzureSentinel_Connection')]",
"id": "[concat('/subscriptions/',subscription().subscriptionId,'/providers/Microsoft.Web/locations/',resourceGroup().location,'/managedApis/azuresentinel')]",
"connectionProperties": {
"authentication": {
"type": "ManagedServiceIdentity"
}
}
}
}
}
}
}
},
{
"type": "Microsoft.Logic/workflows",
"apiVersion": "2017-07-01",
"name": "[parameters('BlockDeviceClientPlaybookName')]",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Web/connections', variables('Meraki_Connection'))]",
"[resourceId('Microsoft.Web/connections', variables('AzureSentinel_Connection'))]"
],
"identity": {
"type": "SystemAssigned"
},
"properties": {
"state": "Enabled",
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"$connections": {
"defaultValue": {},
"type": "Object"
},
"GroupPolicy": {
"defaultValue": "[parameters('GroupPolicy')]",
"type": "String"
},
"NetworkName": {
"defaultValue": "[parameters('NetworkName')]",
"type": "String"
},
"OrganizationName": {
"defaultValue": "[parameters('OrganizationName')]",
"type": "String"
}
},
"triggers": {
"When_Azure_Sentinel_incident_creation_rule_was_triggered": {
"type": "ApiConnectionWebhook",
"inputs": {
"body": {
"callback_url": "@{listCallbackUrl()}"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"path": "/incident-creation"
}
}
},
"actions": {
"Check_if_body_present_in_Azure_Sentinel_incident": {
"actions": {
"Check_if_Organization_exists": {
"actions": {
"Check_if_Network_exists": {
"actions": {
"Check_if_Group_Policy_exists": {
"actions": {
"Add_comment_to_incident": {
"runAfter": {
"Create_incident_HTML_table": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"body": {
"incidentArmId": "@triggerBody()?['object']?['id']",
"message": "<p>@{outputs('Cisco_Meraki_Logo')} <strong>Cisco Meraki Block Device Client Playbook</strong><br>\n<br>\nBelow Incident Device Client(s) are found in Azure Sentinel have the following status in Network - <strong></strong><strong>@{parameters('NetworkName')}</strong><strong></strong> for Organization - <strong></strong><strong>@{parameters('OrganizationName')}</strong><strong></strong><br>\n@{body('Create_incident_HTML_table')}</p>"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/Incidents/Comment"
}
},
"Compose_Group_Policy": {
"runAfter": {},
"type": "Compose",
"inputs": "@body('Filter_Group_Policy')?[0]"
},
"Create_incident_HTML_table": {
"runAfter": {
"For_each_Host": [
"Succeeded"
]
},
"type": "Table",
"inputs": {
"columns": [
{
"header": "Incident Device Client",
"value": "@item()?['Host']"
},
{
"header": "Client Id",
"value": "@item()?['ClientId']"
},
{
"header": "MAC",
"value": "@item()?['MAC']"
},
{
"header": "Manufacturer",
"value": "@item()?['Manufacturer']"
},
{
"header": "Client Status",
"value": "@item()?['ClientStatus']"
},
{
"header": "Previous Policy",
"value": "@item()?['PreviousPolicy']"
},
{
"header": "Current Policy",
"value": "@item()?['CurrentPolicy']"
},
{
"header": "Group Policy",
"value": "@item()?['GroupPolicy']"
},
{
"header": "Action",
"value": "@item()?['Action']"
}
],
"format": "HTML",
"from": "@variables('ConsolidatedAction')"
},
"description": "To create incident HTML table from consolidated action array"
},
"For_each_Host": {
"foreach": "@body('Entities_-_Get_Hosts')?['Hosts']",
"actions": {
"Check_if_host_exists_in_network_clients": {
"actions": {
"Check_if_client_policy_exists": {
"actions": {
"Condition_for_client_policy": {
"runAfter": {},
"cases": {
"Case_Blocked": {
"case": "Blocked",
"actions": {
"Append_to_consolidated_action_variable_for_blocked_client_policy": {
"runAfter": {
"Set_action_variable_for_blocked_client_policy": [
"Succeeded"
]
},
"type": "AppendToArrayVariable",
"inputs": {
"name": "ConsolidatedAction",
"value": "@variables('Action')"
},
"description": " To append action json object"
},
"Set_action_variable_for_blocked_client_policy": {
"runAfter": {},
"type": "SetVariable",
"inputs": {
"name": "Action",
"value": {
"Action": "Blocked using client policy",
"ClientId": "@{outputs('Compose_network_client')?['id']}",
"ClientStatus": "@{outputs('Compose_network_client')?['status']}",
"CurrentPolicy": "@{body('Get_Network_Client_Policy')?['devicePolicy']}",
"GroupPolicy": "NA",
"Host": "@{items('For_each_Host')?['HostName']}",
"MAC": "@{outputs('Compose_network_client')?['mac']}",
"Manufacturer": "@{outputs('Compose_network_client')?['manufacturer']}",
"PreviousPolicy": "@{body('Get_Network_Client_Policy')?['devicePolicy']}"
}
},
"description": " To create action JSON object"
},
"Set_classification_reason_variable_for_blocked_client_policy": {
"runAfter": {
"Append_to_consolidated_action_variable_for_blocked_client_policy": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "ClassificationReason",
"value": "TruePositive - SuspiciousActivity"
},
"description": "To store incident closing reason"
}
}
},
"Case_Group_Policy": {
"case": "Group policy",
"actions": {
"Append_to_consolidated_action_variable_for_group_policy": {
"runAfter": {
"Set_action_variable_for_group_policy": [
"Succeeded"
]
},
"type": "AppendToArrayVariable",
"inputs": {
"name": "ConsolidatedAction",
"value": "@variables('Action')"
},
"description": "To append action json object"
},
"Get_Network_Group_Policy": {
"runAfter": {},
"type": "ApiConnection",
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['MerakiConnector']['connectionId']"
}
},
"method": "get",
"path": "/networks/@{encodeURIComponent(outputs('Compose_Network_Id'))}/groupPolicies/@{encodeURIComponent(body('Get_Network_Client_Policy')?['groupPolicyId'])}"
}
},
"Set_action_variable_for_group_policy": {
"runAfter": {
"Get_Network_Group_Policy": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "Action",
"value": {
"Action": "Blocked using group policy ",
"ClientId": "@{outputs('Compose_network_client')?['id']}",
"ClientStatus": "@{outputs('Compose_network_client')?['status']}",
"CurrentPolicy": "@{body('Get_Network_Client_Policy')?['devicePolicy']}",
"GroupPolicy": "@{body('Get_Network_Group_Policy')?['name']}",
"Host": "@{items('For_each_Host')?['HostName']}",
"MAC": "@{outputs('Compose_network_client')?['mac']}",
"Manufacturer": "@{outputs('Compose_network_client')?['manufacturer']}",
"PreviousPolicy": "@{body('Get_Network_Client_Policy')?['devicePolicy']}"
}
},
"description": "To store action json object"
}
}
},
"Case_Whitelisted": {
"case": "Whitelisted",
"actions": {
"Append_to_consolidated_action_variable_for_allowed_client_policy": {
"runAfter": {
"Set_action_variable_for_allowed_client_policy": [
"Succeeded"
]
},
"type": "AppendToArrayVariable",
"inputs": {
"name": "ConsolidatedAction",
"value": "@variables('Action')"
},
"description": " To append action json object"
},
"Set_action_variable_for_allowed_client_policy": {
"runAfter": {},
"type": "SetVariable",
"inputs": {
"name": "Action",
"value": {
"Action": "Allowed using client policy",
"ClientId": "@{outputs('Compose_network_client')?['id']}",
"ClientStatus": "@{outputs('Compose_network_client')?['status']}",
"CurrentPolicy": "@{body('Get_Network_Client_Policy')?['devicePolicy']}",
"GroupPolicy": "NA",
"Host": "@{items('For_each_Host')?['HostName']}",
"MAC": "@{outputs('Compose_network_client')?['mac']}",
"Manufacturer": "@{outputs('Compose_network_client')?['manufacturer']}",
"PreviousPolicy": "@{body('Get_Network_Client_Policy')?['devicePolicy']}"
}
},
"description": "To create action JSON object"
}
}
}
},
"default": {
"actions": {
"Append_to_consolidated_action_variable_for_normal_client_policy": {
"runAfter": {
"Set_action_variable_for_normal_client_policy": [
"Succeeded"
]
},
"type": "AppendToArrayVariable",
"inputs": {
"name": "ConsolidatedAction",
"value": "@variables('Action')"
},
"description": " To append action json object"
},
"Set_action_variable_for_normal_client_policy": {
"runAfter": {
"Update_Network_Client_Policy": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "Action",
"value": {
"Action": "Blocked using group policy by playbook",
"ClientId": "@{outputs('Compose_network_client')?['id']}",
"ClientStatus": "@{outputs('Compose_network_client')?['status']}",
"CurrentPolicy": "@{body('Update_Network_Client_Policy')?['devicePolicy']}",
"GroupPolicy": "@{parameters('GroupPolicy')}",
"Host": "@{items('For_each_Host')?['HostName']}",
"MAC": "@{outputs('Compose_network_client')?['mac']}",
"Manufacturer": "@{outputs('Compose_network_client')?['manufacturer']}",
"PreviousPolicy": "@{body('Get_Network_Client_Policy')?['devicePolicy']}"
}
},
"description": " To create action JSON object"
},
"Set_classification_reason_variable_for_normal_policy": {
"runAfter": {
"Append_to_consolidated_action_variable_for_normal_client_policy": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "ClassificationReason",
"value": "TruePositive - SuspiciousActivity"
},
"description": "To store incident closing reason"
},
"Update_Network_Client_Policy": {
"runAfter": {},
"type": "ApiConnection",
"inputs": {
"body": {
"devicePolicy": "Group policy",
"groupPolicyId": "@{outputs('Compose_Group_Policy')?['groupPolicyId']}"
},
"headers": {
"Content-Type": "application/json"
},
"host": {
"connection": {
"name": "@parameters('$connections')['MerakiConnector']['connectionId']"
}
},
"method": "put",
"path": "/networks/@{encodeURIComponent(outputs('Compose_Network_Id'))}/clients/@{encodeURIComponent(outputs('Compose_network_client')?['id'])}/policy"
}
}
}
},
"expression": "@body('Get_Network_Client_Policy')?['devicePolicy']",
"type": "Switch"
}
},
"runAfter": {
"Get_Network_Client_Policy": [
"Succeeded"
]
},
"else": {
"actions": {
"Append_to_consolidated_action_variable_for_unknown_client_policy": {
"runAfter": {
"Set_action_variable_for_unknown_client_policy": [
"Succeeded"
]
},
"type": "AppendToArrayVariable",
"inputs": {
"name": "ConsolidatedAction",
"value": "@variables('Action')"
},
"description": "To append action json object"
},
"Set_action_variable_for_unknown_client_policy": {
"runAfter": {},
"type": "SetVariable",
"inputs": {
"name": "Action",
"value": {
"Action": "@{outputs('Get_Network_Client_Policy')?['errors']}",
"ClientId": "@{outputs('Compose_network_client')?['id']}",
"ClientStatus": "@{outputs('Compose_network_client')?['status']}",
"CurrentPolicy": "NA",
"GroupPolicy": "NA",
"Host": "@{items('For_each_Host')?['HostName']}",
"MAC": "@{outputs('Compose_network_client')?['mac']}",
"Manufacturer": "@{outputs('Compose_network_client')?['manufacturer']}",
"PreviousPolicy": "NA"
}
},
"description": "To create action JSON object for host"
}
}
},
"expression": {
"and": [
{
"equals": [
"@outputs('Get_Network_Client_Policy')?['statusCode']",
200
]
}
]
},
"type": "If",
"description": "Condition to check if network client returns policy details"
},
"Compose_network_client": {
"runAfter": {},
"type": "Compose",
"inputs": "@body('Filter_network_client')?[0]",
"description": "To create network client item"
},
"Get_Network_Client_Policy": {
"runAfter": {
"Compose_network_client": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['MerakiConnector']['connectionId']"
}
},
"method": "get",
"path": "/networks/@{encodeURIComponent(outputs('Compose_Network_Id'))}/clients/@{encodeURIComponent(outputs('Compose_network_client')?['id'])}/policy"
}
}
},
"runAfter": {
"Filter_network_client": [
"Succeeded"
]
},
"else": {
"actions": {
"Append_to_consolidated_action_variable_for_unknow_client": {
"runAfter": {
"Set_action_variable_for_unknow_client": [
"Succeeded"
]
},
"type": "AppendToArrayVariable",
"inputs": {
"name": "ConsolidatedAction",
"value": "@variables('Action')"
},
"description": "To append action object"
},
"Set_action_variable_for_unknow_client": {
"runAfter": {},
"type": "SetVariable",
"inputs": {
"name": "Action",
"value": {
"Action": "Client Not Found",
"ClientId": "NA",
"ClientStatus": "NA",
"CurrentPolicy": "NA",
"GroupPolicy": "NA",
"Host": "@{items('For_each_Host')?['HostName']}",
"MAC": "NA",
"Manufacturer": "NA",
"PreviousPolicy": "NA"
}
},
"description": "To create action JSON object"
}
}
},
"expression": {
"and": [
{
"greater": [
"@length(body('Filter_network_client'))",
0
]
}
]
},
"type": "If",
"description": "Condition to check if filter network client returns client object"
},
"Filter_network_client": {
"runAfter": {},
"type": "Query",
"inputs": {
"from": "@body('Get_Network_Clients')",
"where": "@contains(item()?['mac'], items('For_each_Host')?['HostName'])"
},
"description": "To filter client detail from get network clients action based on host"
}
},
"runAfter": {
"Get_Network_Clients": [
"Succeeded"
]
},
"type": "Foreach",
"description": "For each loop for host from Azure Sentinel",
"runtimeConfiguration": {
"concurrency": {
"repetitions": 1
}
}
},
"Get_Network_Clients": {
"runAfter": {
"Compose_Group_Policy": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['MerakiConnector']['connectionId']"
}
},
"method": "get",
"path": "/networks/@{encodeURIComponent(outputs('Compose_Network_Id'))}/clients",
"queries": {
"perPage": 100
}
}
},
"Update_incident": {
"runAfter": {
"Add_comment_to_incident": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"body": {
"classification": {
"ClassificationAndReason": "@variables('ClassificationReason')"
},
"incidentArmId": "@triggerBody()?['object']?['id']",
"status": "Closed"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "put",
"path": "/Incidents"
}
}
},
"runAfter": {
"Filter_Group_Policy": [
"Succeeded"
]
},
"else": {
"actions": {
"Terminate_if_group_policy_not_found": {
"runAfter": {},
"type": "Terminate",
"inputs": {
"runError": {
"code": "404",
"message": "Group Policy Not Found in Network"
},
"runStatus": "Failed"
}
}
}
},
"expression": {
"and": [
{
"greater": [
"@length(body('Filter_Group_Policy'))",
0
]
}
]
},
"type": "If",
"description": "Condition to check if filter group policy returns policy object"
},
"Compose_Network_Id": {
"runAfter": {},
"type": "Compose",
"inputs": "@body('Filter_Network')?[0]?['id']",
"description": "To store network id from filter network result"
},
"Filter_Group_Policy": {
"runAfter": {
"Get_Network_Group_Policies": [
"Succeeded"
]
},
"type": "Query",
"inputs": {
"from": "@body('Get_Network_Group_Policies')",
"where": "@equals(item()?['name'], parameters('GroupPolicy'))"
}
},
"Get_Network_Group_Policies": {
"runAfter": {
"Compose_Network_Id": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['MerakiConnector']['connectionId']"
}
},
"method": "get",
"path": "/networks/@{encodeURIComponent(outputs('Compose_Network_Id'))}/groupPolicies"
}
}
},
"runAfter": {
"Filter_Network": [
"Succeeded"
]
},
"else": {
"actions": {
"Terminate_if_network_not_found": {
"runAfter": {},
"type": "Terminate",
"inputs": {
"runError": {
"code": "404",
"message": "Network Not Found"
},
"runStatus": "Failed"
}
}
}
},
"expression": {
"and": [
{
"greater": [
"@length(body('Filter_Network'))",
0
]
}
]
},
"type": "If",
"description": "Condition to check if filter network returns network object"
},
"Filter_Network": {
"runAfter": {
"Get_Networks": [
"Succeeded"
]
},
"type": "Query",
"inputs": {
"from": "@body('Get_Networks')",
"where": "@equals(item()?['name'], parameters('NetworkName'))"
},
"description": "To filter network detail from get networks action based on network name"
},
"Get_Networks": {
"runAfter": {},
"type": "ApiConnection",
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['MerakiConnector']['connectionId']"
}
},
"method": "get",
"path": "/organizations/@{encodeURIComponent(body('Filter_Organization')?[0]?['id'])}/networks",
"queries": {
"perPage": 1000
}
}
}
},
"runAfter": {
"Filter_Organization": [
"Succeeded"
]
},
"else": {
"actions": {
"Terminate_if_organization_not_found": {
"runAfter": {},
"type": "Terminate",
"inputs": {
"runError": {
"code": "404",
"message": "Organization Not Found"
},
"runStatus": "Failed"
}
}
}
},
"expression": {
"and": [
{
"greater": [
"@length(body('Filter_Organization'))",
0
]
}
]
},
"type": "If",
"description": "Condition to check if filter organization returns organization object"
},
"Filter_Organization": {
"runAfter": {
"Get_Organizations": [
"Succeeded"
]
},
"type": "Query",
"inputs": {
"from": "@body('Get_Organizations')",
"where": "@equals(item()?['name'], parameters('OrganizationName'))"
},
"description": "To filter organization detail from get organizations action based on organization name"
},
"Get_Organizations": {
"runAfter": {},
"type": "ApiConnection",
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['MerakiConnector']['connectionId']"
}
},
"method": "get",
"path": "/organizations"
}
}
},
"runAfter": {
"Cisco_Meraki_Logo": [
"Succeeded"
]
},
"else": {
"actions": {
"Terminate_if_host_not_found": {
"runAfter": {},
"type": "Terminate",
"inputs": {
"runError": {
"code": "404",
"message": "Host Not Found in Azure Sentinel Incident"
},
"runStatus": "Failed"
}
}
}
},
"expression": {
"and": [
{
"contains": [
"@outputs('Entities_-_Get_Hosts')",
"body"
]
},
{
"greater": [
"@length(body('Entities_-_Get_Hosts')?['Hosts'])",
0
]
}
]
},
"type": "If",
"description": "Condition to check if body present in the sentinel incident"
},
"Cisco_Meraki_Logo": {
"runAfter": {
"Initialize_classification_reason_variable": [
"Succeeded"
]
},
"type": "Compose",
"inputs": "<img src=\"https://www.kellerschroeder.com/wp-content/uploads/2017/05/Cisco-Meraki.jpg\" alt=\"CiscoMerakiLogo\" width=\"32\" height=\"32\">",
"description": "To add logo for incident "
},
"Entities_-_Get_Hosts": {
"runAfter": {},
"type": "ApiConnection",
"inputs": {
"body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/entities/host"
}
},
"Initialize_action_object_variable": {
"runAfter": {
"Entities_-_Get_Hosts": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "Action",
"type": "object"
}
]
},
"description": "To create JSON action object"
},
"Initialize_classification_reason_variable": {
"runAfter": {
"Initialize_consolidated_action_array_variable": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "ClassificationReason",
"type": "string",
"value": "BenignPositive - SuspiciousButExpected"
}
]
},
"description": "To store incident closing reason"
},
"Initialize_consolidated_action_array_variable": {
"runAfter": {
"Initialize_action_object_variable": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "ConsolidatedAction",
"type": "array"
}
]
},
"description": "To create consolidated array variable for HTML incident table"
}
},
"outputs": {}
},
"parameters": {
"$connections": {
"value": {
"MerakiConnector": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('Meraki_Connection'))]",
"connectionName": "[variables('Meraki_Connection')]",
"id": "[concat('/subscriptions/',subscription().subscriptionId,'/resourceGroups/',resourceGroup().name,'/providers/Microsoft.Web/customApis/',parameters('CiscoMerakiConnectorName'))]"
},
"azuresentinel": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinel_Connection'))]",
"connectionName": "[variables('AzureSentinel_Connection')]",
"id": "[concat('/subscriptions/',subscription().subscriptionId,'/providers/Microsoft.Web/locations/',resourceGroup().location,'/managedApis/azuresentinel')]",
"connectionProperties": {
"authentication": {
"type": "ManagedServiceIdentity"
}
}
}
}
}
}
}
},
{
"type": "Microsoft.Logic/workflows",
"apiVersion": "2017-07-01",
"name": "[parameters('BlockURLPlaybookName')]",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Web/connections', variables('Meraki_Connection'))]",
"[resourceId('Microsoft.Web/connections', variables('AzureSentinel_Connection'))]"
],
"identity": {
"type": "SystemAssigned"
},
"properties": {
"state": "Enabled",
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"$connections": {
"defaultValue": {},
"type": "Object"
},
"NetworkName": {
"defaultValue": "[parameters('NetworkName')]",
"type": "String"
},
"OrganizationName": {
"defaultValue": "[parameters('OrganizationName')]",
"type": "String"
}
},
"triggers": {
"When_Azure_Sentinel_incident_creation_rule_was_triggered": {
"type": "ApiConnectionWebhook",
"inputs": {
"body": {
"callback_url": "@{listCallbackUrl()}"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"path": "/incident-creation"
}
}
},
"actions": {
"Check_if_body_present_in_Azure_Sentinel_incident": {
"actions": {
"Check_if_Organization_exists": {
"actions": {
"Check_if_Network_exists": {
"actions": {
"Add_comment_to_incident": {
"runAfter": {
"Create_Incident_HTML_table": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"body": {
"incidentArmId": "@triggerBody()?['object']?['id']",
"message": "<p>@{outputs('Cisco_Meraki_Logo')} <strong>Cisco Meraki Block URL Playbook</strong><br>\n<br>\nBelow incident URL(s) are found in Azure Sentinel have the following status in network - <strong></strong><strong>@{parameters('NetworkName')}</strong><strong></strong> for organization - <strong></strong><strong>@{parameters('OrganizationName')}</strong><strong></strong><br>\n@{body('Create_Incident_HTML_table')}</p>"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/Incidents/Comment"
}
},
"Compose_Network_Id": {
"runAfter": {},
"type": "Compose",
"inputs": "@body('Filter_Network')?[0]?['id']",
"description": "To store network id from filter network result"
},
"Create_Incident_HTML_table": {
"runAfter": {
"Update_Network_Appliance_Content_Filtering": [
"Succeeded"
]
},
"type": "Table",
"inputs": {
"columns": [
{
"header": "Incident URL",
"value": "@item()?['URL']"
},
{
"header": "Previous Status",
"value": "@item()?['PreviousStatus']"
},
{
"header": "Current Status",
"value": "@item()?['CurrentStatus']"
},
{
"header": "Action",
"value": "@item()?['Action']"
}
],
"format": "HTML",
"from": "@variables('ConsolidatedAction')"
},
"description": "To create incident HTML table from consolidated action array"
},
"For_each_URL": {
"foreach": "@body('Entities_-_Get_URLs')?['URLs']",
"actions": {
"Check_if_URL_is_allowed": {
"actions": {
"Append_to_consolidated_action_variable_for_allowed_URL": {
"runAfter": {
"Set_action_variable_for_allowed_URL": [
"Succeeded"
]
},
"type": "AppendToArrayVariable",
"inputs": {
"name": "ConsolidatedAction",
"value": "@variables('Action')"
},
"description": "To append action JSON object"
},
"Set_action_variable_for_allowed_URL": {
"runAfter": {},
"type": "SetVariable",
"inputs": {
"name": "Action",
"value": {
"Action": "Allowed using content filtering",
"CurrentStatus": "Allowed",
"PreviousStatus": "Allowed",
"URL": "@{items('For_each_URL')?['Url']}"
}
},
"description": " To create action JSON object"
}
},
"runAfter": {
"Filter_Allowed_URL_Pattern": [
"Succeeded"
]
},
"else": {
"actions": {
"Check_if_URL_is_blocked": {
"actions": {
"Append_to_consolidated_action_variable_for_blocked_URL": {
"runAfter": {
"Set_action_variable_for_blocked_URL": [
"Succeeded"
]
},
"type": "AppendToArrayVariable",
"inputs": {
"name": "ConsolidatedAction",
"value": "@variables('Action')"
},
"description": "To append action JSON object"
},
"Set_action_variable_for_blocked_URL": {
"runAfter": {},
"type": "SetVariable",
"inputs": {
"name": "Action",
"value": {
"Action": "Blocked using content filtering",
"CurrentStatus": "Blocked",
"PreviousStatus": "Blocked",
"URL": "@{items('For_each_URL')?['Url']}"
}
},
"description": " To create action JSON object"
}
},
"runAfter": {},
"else": {
"actions": {
"Append_to_blocked_URL_pattern_variable": {
"runAfter": {},
"type": "AppendToArrayVariable",
"inputs": {
"name": "BlockedURLPatterns",
"value": "@items('For_each_URL')?['Url']"
},
"description": " To append blocked URL"
},
"Append_to_consolidated_action_variable_for_new_URL": {
"runAfter": {
"Set_action_variable_for_new_URL": [
"Succeeded"
]
},
"type": "AppendToArrayVariable",
"inputs": {
"name": "ConsolidatedAction",
"value": "@variables('Action')"
},
"description": "To append action JSON object"
},
"Set_action_variable_for_new_URL": {
"runAfter": {
"Append_to_blocked_URL_pattern_variable": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "Action",
"value": {
"Action": "Blocked using content filtering by playbook",
"CurrentStatus": "Blocked",
"PreviousStatus": "Not Found",
"URL": "@{items('For_each_URL')?['Url']}"
}
},
"description": "To create action JSON object"
}
}
},
"expression": {
"and": [
{
"greater": [
"@length(body('Filter_Blocked_URL_Pattern'))",
0
]
}
]
},
"type": "If",
"description": " Condition to check if URL is belongs to blocked URL patterns"
},
"Set_classification_reason_variable": {
"runAfter": {
"Check_if_URL_is_blocked": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "ClassificationReason",
"value": "TruePositive - SuspiciousActivity"
},
"description": "To store incident closing reason"
}
}
},
"expression": {
"and": [
{
"greater": [
"@length(body('Filter_Allowed_URL_Pattern'))",
0
]
}
]
},
"type": "If",
"description": "Condition to check if URL belongs to allowed URL patterns"
},
"Filter_Allowed_URL_Pattern": {
"runAfter": {
"Filter_Blocked_URL_Pattern": [
"Succeeded"
]
},
"type": "Query",
"inputs": {
"from": "@body('Get_Network_Appliance_Content_Filtering')?['allowedUrlPatterns']",
"where": "@contains(item(), items('For_each_URL')?['Url'])"
},
"description": "To filter allowed URL pattern from get network appliance content filtering action based on URL"
},
"Filter_Blocked_URL_Pattern": {
"runAfter": {},
"type": "Query",
"inputs": {
"from": "@body('Get_Network_Appliance_Content_Filtering')?['blockedUrlPatterns']",
"where": "@contains(item(), items('For_each_URL')?['Url'])"
},
"description": " To filter blocked URL pattern from get network appliance content filtering action based on URL"
}
},
"runAfter": {
"Set_blocked_URL_patterns_variable": [
"Succeeded"
]
},
"type": "Foreach",
"description": "For each loop for URLs from Azure Sentinel",
"runtimeConfiguration": {
"concurrency": {
"repetitions": 1
}
}
},
"Get_Network_Appliance_Content_Filtering": {
"runAfter": {
"Compose_Network_Id": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['MerakiConnector']['connectionId']"
}
},
"method": "get",
"path": "/networks/@{encodeURIComponent(outputs('Compose_Network_Id'))}/appliance/contentFiltering"
}
},
"Set_blocked_URL_patterns_variable": {
"runAfter": {
"Get_Network_Appliance_Content_Filtering": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "BlockedURLPatterns",
"value": "@body('Get_Network_Appliance_Content_Filtering')?['blockedUrlPatterns']"
},
"description": " To create blocked URL pattern array"
},
"Update_Network_Appliance_Content_Filtering": {
"runAfter": {
"For_each_URL": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"body": {
"blockedUrlPatterns": "@variables('BlockedURLPatterns')"
},
"headers": {
"Content-Type": "application/json"
},
"host": {
"connection": {
"name": "@parameters('$connections')['MerakiConnector']['connectionId']"
}
},
"method": "put",
"path": "/networks/@{encodeURIComponent(outputs('Compose_Network_Id'))}/appliance/contentFiltering"
}
},
"Update_incident": {
"runAfter": {
"Add_comment_to_incident": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"body": {
"classification": {
"ClassificationAndReason": "@variables('ClassificationReason')"
},
"incidentArmId": "@triggerBody()?['object']?['id']",
"status": "Closed"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "put",
"path": "/Incidents"
}
}
},
"runAfter": {
"Filter_Network": [
"Succeeded"
]
},
"else": {
"actions": {
"Terminate_if_network_not_found": {
"runAfter": {},
"type": "Terminate",
"inputs": {
"runError": {
"code": "404",
"message": "Network Not Found"
},
"runStatus": "Failed"
}
}
}
},
"expression": {
"and": [
{
"greater": [
"@length(body('Filter_Network'))",
0
]
}
]
},
"type": "If",
"description": "Condition to check if filter network returns network object"
},
"Filter_Network": {
"runAfter": {
"Get_Networks": [
"Succeeded"
]
},
"type": "Query",
"inputs": {
"from": "@body('Get_Networks')",
"where": "@equals(item()?['name'], parameters('NetworkName'))"
},
"description": " To filter network detail from get networks action based on network name"
},
"Get_Networks": {
"runAfter": {},
"type": "ApiConnection",
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['MerakiConnector']['connectionId']"
}
},
"method": "get",
"path": "/organizations/@{encodeURIComponent(body('Filter_Organization')?[0]?['id'])}/networks",
"queries": {
"perPage": 1000
}
}
}
},
"runAfter": {
"Filter_Organization": [
"Succeeded"
]
},
"else": {
"actions": {
"Terminate_if_organization_not_found": {
"runAfter": {},
"type": "Terminate",
"inputs": {
"runError": {
"code": "404",
"message": "Organization Not Found"
},
"runStatus": "Failed"
}
}
}
},
"expression": {
"and": [
{
"greater": [
"@length(body('Filter_Organization'))",
0
]
}
]
},
"type": "If",
"description": " Condition to check if filter organization returns organization object"
},
"Filter_Organization": {
"runAfter": {
"Get_Organizations": [
"Succeeded"
]
},
"type": "Query",
"inputs": {
"from": "@body('Get_Organizations')",
"where": "@equals(item()?['name'], parameters('OrganizationName'))"
},
"description": " To filter organization detail from get organizations action based on organization name"
},
"Get_Organizations": {
"runAfter": {},
"type": "ApiConnection",
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['MerakiConnector']['connectionId']"
}
},
"method": "get",
"path": "/organizations"
}
}
},
"runAfter": {
"Cisco_Meraki_Logo": [
"Succeeded"
]
},
"else": {
"actions": {
"Terminate_if_URL_not_found": {
"runAfter": {},
"type": "Terminate",
"inputs": {
"runError": {
"code": "404",
"message": "URL Not Found in Azure Sentinel Incident"
},
"runStatus": "Failed"
}
}
}
},
"expression": {
"and": [
{
"contains": [
"@outputs('Entities_-_Get_URLs')",
"body"
]
},
{
"greater": [
"@length(body('Entities_-_Get_URLs')?['URLs'])",
0
]
}
]
},
"type": "If",
"description": " Condition to check if body present in the sentinel incident"
},
"Cisco_Meraki_Logo": {
"runAfter": {
"Initialize_classification_reason_variable": [
"Succeeded"
]
},
"type": "Compose",
"inputs": "<img src=\"https://www.kellerschroeder.com/wp-content/uploads/2017/05/Cisco-Meraki.jpg\" alt=\"CiscoMerakiLogo\" width=\"32\" height=\"32\">",
"description": "To add cisco meraki logo"
},
"Entities_-_Get_URLs": {
"runAfter": {},
"type": "ApiConnection",
"inputs": {
"body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/entities/url"
}
},
"Initialize_action_object_variable": {
"runAfter": {
"Initialize_blocked_URL_patterns_variable": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "Action",
"type": "object"
}
]
},
"description": "To create JSON action object"
},
"Initialize_blocked_URL_patterns_variable": {
"runAfter": {
"Entities_-_Get_URLs": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "BlockedURLPatterns",
"type": "array"
}
]
},
"description": "To store blocked URL pattern"
},
"Initialize_classification_reason_variable": {
"runAfter": {
"Initialize_consolidated_action_array_variable": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "ClassificationReason",
"type": "string",
"value": "BenignPositive - SuspiciousButExpected"
}
]
},
"description": "To store incident closing reason"
},
"Initialize_consolidated_action_array_variable": {
"runAfter": {
"Initialize_action_object_variable": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "ConsolidatedAction",
"type": "array"
}
]
},
"description": "To create consolidated array variable for HTML incident table"
}
},
"outputs": {}
},
"parameters": {
"$connections": {
"value": {
"MerakiConnector": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('Meraki_Connection'))]",
"connectionName": "[variables('Meraki_Connection')]",
"id": "[concat('/subscriptions/',subscription().subscriptionId,'/resourceGroups/',resourceGroup().name,'/providers/Microsoft.Web/customApis/',parameters('CiscoMerakiConnectorName'))]"
},
"azuresentinel": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinel_Connection'))]",
"connectionName": "[variables('AzureSentinel_Connection')]",
"id": "[concat('/subscriptions/',subscription().subscriptionId,'/providers/Microsoft.Web/locations/',resourceGroup().location,'/managedApis/azuresentinel')]",
"connectionProperties": {
"authentication": {
"type": "ManagedServiceIdentity"
}
}
}
}
}
}
}
},
{
"type": "Microsoft.Logic/workflows",
"apiVersion": "2017-07-01",
"name": "[parameters('EnrichmentIPAddressPlaybookName')]",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Web/connections', variables('Meraki_Connection'))]",
"[resourceId('Microsoft.Web/connections', variables('AzureSentinel_Connection'))]"
],
"identity": {
"type": "SystemAssigned"
},
"properties": {
"state": "Enabled",
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"$connections": {
"defaultValue": {},
"type": "Object"
},
"OrganizationName": {
"defaultValue": "[parameters('OrganizationName')]",
"type": "String"
}
},
"triggers": {
"When_Azure_Sentinel_incident_creation_rule_was_triggered": {
"type": "ApiConnectionWebhook",
"inputs": {
"body": {
"callback_url": "@{listCallbackUrl()}"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"path": "/incident-creation"
}
}
},
"actions": {
"Check_if_body_present_in_Azure_Sentinel_incident": {
"actions": {
"Check_if_Organization_exists": {
"actions": {
"Add_comment_to_incident": {
"runAfter": {
"Create_incident_HTML_table": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"body": {
"incidentArmId": "@triggerBody()?['object']?['id']",
"message": "<p>@{outputs('Cisco_Meraki_Logo')} <strong>Cisco Meraki IP Address Enrichment Playbook</strong><br>\n<br>\nBelow incident IP address(s) are found in Azure Sentinel have the following status in networks for organization - <strong></strong><strong>@{parameters('OrganizationName')}</strong><strong></strong><br>\n@{body('Create_Incident_HTML_table')}</p>"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/Incidents/Comment"
}
},
"Create_incident_HTML_table": {
"runAfter": {
"For_each_Network": [
"Succeeded"
]
},
"type": "Table",
"inputs": {
"columns": [
{
"header": "Incident IP Address",
"value": "@item()?['IP']"
},
{
"header": "Network Name",
"value": "@item()?['NetworkName']"
},
{
"header": "Source",
"value": "@item()?['SourceCidr']"
},
{
"header": "Source Port",
"value": "@item()?['SourcePort']"
},
{
"header": "Destination",
"value": "@item()?['DestinationCidr']"
},
{
"header": "Destination Port",
"value": "@item()?['DestinationPort']"
},
{
"header": "Policy",
"value": "@item()?['Policy']"
},
{
"header": "Protocol",
"value": "@item()?['Protocol']"
},
{
"header": "Status",
"value": "@item()?['Status']"
},
{
"header": "Comment",
"value": "@item()?['Comment']"
}
],
"format": "HTML",
"from": "@variables('ConsolidatedAction')"
},
"description": "To create incident HTML table from consolidated action array"
},
"For_each_Network": {
"foreach": "@body('Get_Networks')",
"actions": {
"For_each_IP_Address": {
"foreach": "@body('Entities_-_Get_IPs')?['IPs']",
"actions": {
"Check_if_IP_Address_exists_in_L3_firewall_rules": {
"actions": {
"Check_if_IP_Address_is_blocked_by_L3_firewall_rule": {
"actions": {
"Append_to_consolidated_action_variable_for_blocked_IP_address_in_L3_firewall": {
"runAfter": {
"Set_action_variable_for_IP_address_blocked_in_L3_firewall": [
"Succeeded"
]
},
"type": "AppendToArrayVariable",
"inputs": {
"name": "ConsolidatedAction",
"value": "@variables('Action')"
},
"description": " To append action JSON object"
},
"Set_action_variable_for_IP_address_blocked_in_L3_firewall": {
"runAfter": {},
"type": "SetVariable",
"inputs": {
"name": "Action",
"value": {
"Comment": "Blocked using L3 firewall rule",
"DestinationCidr": "@{outputs('Compose_L3_firewall_rule')?['destCidr']}",
"DestinationPort": "@{outputs('Compose_L3_firewall_rule')?['destPort']}",
"IP": "@{items('For_each_IP_Address')?['Address']}",
"NetworkName": "@{items('For_each_Network')?['name']}",
"Policy": "@{outputs('Compose_L3_firewall_rule')?['policy']}",
"Protocol": "@{outputs('Compose_L3_firewall_rule')?['protocol']}",
"SourceCidr": "@{outputs('Compose_L3_firewall_rule')?['srcCidr']}",
"SourcePort": "@{outputs('Compose_L3_firewall_rule')?['srcPort']}",
"Status": "Blocked"
}
},
"description": "To create action JSON object"
}
},
"runAfter": {
"Compose_L3_firewall_rule": [
"Succeeded"
]
},
"else": {
"actions": {
"Check_if_IP_Address_exists_in_L7_firewall_rules": {
"actions": {
"Append_to_consolidated_action_variable_for_IP_address_blocked_in_L7_firewall": {
"runAfter": {
"Set_action_variable_for_IP_address_blocked_in_L7_firewall": [
"Succeeded"
]
},
"type": "AppendToArrayVariable",
"inputs": {
"name": "ConsolidatedAction",
"value": "@variables('Action')"
},
"description": " To append action JSON object"
},
"Compose_L7_firewall_rule": {
"runAfter": {},
"type": "Compose",
"inputs": "@body('Filter_L7_firewall_rule')?[0]",
"description": "To create firewall rule item"
},
"Set_action_variable_for_IP_address_blocked_in_L7_firewall": {
"runAfter": {
"Compose_L7_firewall_rule": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "Action",
"value": {
"Comment": "Blocked using L7 firewall rule",
"DestinationCidr": "@{outputs('Compose_L7_firewall_rule')?['value']}",
"DestinationPort": "NA",
"IP": "@{items('For_each_IP_Address')?['Address']}",
"NetworkName": "@{items('For_each_Network')?['name']}",
"Policy": "@{outputs('Compose_L7_firewall_rule')?['policy']}",
"Protocol": "NA",
"SourceCidr": "NA",
"SourcePort": "NA",
"Status": "Blocked"
}
},
"description": "To create action JSON object"
}
},
"runAfter": {},
"else": {
"actions": {
"Append_to_consolidated_action_variable_for_IP_address_allowed_in_firewall": {
"runAfter": {
"Set_action_variable_for_IP_address_allowed_in_firewall": [
"Succeeded"
]
},
"type": "AppendToArrayVariable",
"inputs": {
"name": "ConsolidatedAction",
"value": "@variables('Action')"
},
"description": " To append action JSON object"
},
"Set_action_variable_for_IP_address_allowed_in_firewall": {
"runAfter": {},
"type": "SetVariable",
"inputs": {
"name": "Action",
"value": {
"Comment": "Allowed using L3 & L7 firewall rules",
"DestinationCidr": "@{outputs('Compose_L3_firewall_rule')?['destCidr']}",
"DestinationPort": "@{outputs('Compose_L3_firewall_rule')?['destPort']}",
"IP": "@{items('For_each_IP_Address')?['Address']}",
"NetworkName": "@{items('For_each_Network')?['name']}",
"Policy": "@{outputs('Compose_L3_firewall_rule')?['policy']}",
"Protocol": "@{outputs('Compose_L3_firewall_rule')?['protocol']}",
"SourceCidr": "@{outputs('Compose_L3_firewall_rule')?['srcCidr']}",
"SourcePort": "@{outputs('Compose_L3_firewall_rule')?['srcPort']}",
"Status": "Allowed"
}
},
"description": "To create action json object"
}
}
},
"expression": {
"and": [
{
"greater": [
"@length(body('Filter_L7_firewall_rule'))",
0
]
}
]
},
"type": "If",
"description": " Condition to check if IP address exists in L7 firewall rule"
}
}
},
"expression": {
"and": [
{
"equals": [
"@outputs('Compose_L3_firewall_rule')?['Policy']",
"deny"
]
}
]
},
"type": "If",
"description": "Condition to check if IP address is blocked by L3 firewall"
},
"Compose_L3_firewall_rule": {
"runAfter": {},
"type": "Compose",
"inputs": "@body('Filter_L3_firewall_rule')?[0]",
"description": "To create firewall rule item"
}
},
"runAfter": {
"Filter_L7_firewall_rule": [
"Succeeded"
]
},
"else": {
"actions": {
"Check_if_IP_Address_exists_in_L7_firewall_rule": {
"actions": {
"Append_to_consolidated_action_variable_for_blocked_IP_address_in_L7_firewall": {
"runAfter": {
"Set_action_variable_for_blocked_IP_address_in_L7_firewall": [
"Succeeded"
]
},
"type": "AppendToArrayVariable",
"inputs": {
"name": "ConsolidatedAction",
"value": "@variables('Action')"
},
"description": "To append action JSON object"
},
"Compose_L7_Firewall_rule_item": {
"runAfter": {},
"type": "Compose",
"inputs": "@body('Filter_L7_firewall_rule')?[0]",
"description": "To create firewall rule item"
},
"Set_action_variable_for_blocked_IP_address_in_L7_firewall": {
"runAfter": {
"Compose_L7_Firewall_rule_item": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "Action",
"value": {
"Comment": "Blocked using L7 firewall rule",
"DestinationCidr": "@{outputs('Compose_L7_firewall_rule_item')?['value']}",
"DestinationPort": "NA",
"IP": "@{items('For_each_IP_Address')?['Address']}",
"NetworkName": "@{items('For_each_Network')?['name']}",
"Policy": "@{outputs('Compose_L7_firewall_rule_item')?['policy']}",
"Protocol": "NA",
"SourceCidr": "NA",
"SourcePort": "NA",
"Status": "Blocked"
}
},
"description": "To create action JSON object"
}
},
"runAfter": {},
"else": {
"actions": {
"Append_to_consolidated_action_variable_for_new_IP_address": {
"runAfter": {
"Set_action_variable_for_new_IP_address": [
"Succeeded"
]
},
"type": "AppendToArrayVariable",
"inputs": {
"name": "ConsolidatedAction",
"value": "@variables('Action')"
},
"description": " To append action JSON object"
},
"Set_action_variable_for_new_IP_address": {
"runAfter": {},
"type": "SetVariable",
"inputs": {
"name": "Action",
"value": {
"Comment": "Not Found using L3 & L7 firewall rules",
"DestinationCidr": "@{items('For_each_IP_Address')?['Address']}",
"DestinationPort": "NA",
"IP": "@{items('For_each_IP_Address')?['Address']}",
"NetworkName": "@{items('For_each_Network')?['name']}",
"Policy": "NA",
"Protocol": "NA",
"SourceCidr": "NA",
"SourcePort": "NA",
"Status": "Not Found"
}
},
"description": "To create JSON action object"
}
}
},
"expression": {
"and": [
{
"greater": [
"@length(body('Filter_L7_firewall_rule'))",
0
]
}
]
},
"type": "If",
"description": "Condition to check if IP address exists in L7 firewall rule"
}
}
},
"expression": {
"and": [
{
"greater": [
"@length(body('Filter_L3_firewall_rule'))",
0
]
}
]
},
"type": "If",
"description": "Condition to check if IP address exists in L3 firewall rule"
},
"Filter_L3_firewall_rule": {
"runAfter": {},
"type": "Query",
"inputs": {
"from": "@body('Get_Network_Appliance_Firewall_L3_Firewall_Rules')?['rules']",
"where": "@contains(item()?['destCidr'], items('For_each_IP_Address')?['Address'])"
},
"description": "To filter rule detail from get network appliance L3 firewall rule action based on IP address"
},
"Filter_L7_firewall_rule": {
"runAfter": {
"Filter_L3_firewall_rule": [
"Succeeded"
]
},
"type": "Query",
"inputs": {
"from": "@body('Get_Network_Appliance_Firewall_L7_Firewall_Rules')?['rules']",
"where": "@contains(item()?['value'], items('For_each_IP_Address')?['Address'])"
},
"description": " To filter rule detail from get network appliance L7 firewall rule action based on IP address"
}
},
"runAfter": {
"Get_Network_Appliance_Firewall_L7_Firewall_Rules": [
"Succeeded"
]
},
"type": "Foreach",
"description": "For each loop for IP address from Azure Sentinel",
"runtimeConfiguration": {
"concurrency": {
"repetitions": 1
}
}
},
"Get_Network_Appliance_Firewall_L3_Firewall_Rules": {
"runAfter": {},
"type": "ApiConnection",
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['MerakiConnector']['connectionId']"
}
},
"method": "get",
"path": "/networks/@{encodeURIComponent(items('For_each_Network')?['id'])}/appliance/firewall/l3FirewallRules"
}
},
"Get_Network_Appliance_Firewall_L7_Firewall_Rules": {
"runAfter": {
"Get_Network_Appliance_Firewall_L3_Firewall_Rules": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['MerakiConnector']['connectionId']"
}
},
"method": "get",
"path": "/networks/@{encodeURIComponent(items('For_each_Network')?['id'])}/appliance/firewall/l7FirewallRules"
}
}
},
"runAfter": {
"Get_Networks": [
"Succeeded"
]
},
"type": "Foreach",
"description": "For each loop for network",
"runtimeConfiguration": {
"concurrency": {
"repetitions": 1
}
}
},
"Get_Networks": {
"runAfter": {},
"type": "ApiConnection",
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['MerakiConnector']['connectionId']"
}
},
"method": "get",
"path": "/organizations/@{encodeURIComponent(body('Filter_Organization')?[0]?['id'])}/networks",
"queries": {
"perPage": 1000
}
}
}
},
"runAfter": {
"Filter_Organization": [
"Succeeded"
]
},
"else": {
"actions": {
"Terminate_if_organization_not_found": {
"runAfter": {},
"type": "Terminate",
"inputs": {
"runError": {
"code": "404",
"message": "Organization Not Found"
},
"runStatus": "Failed"
}
}
}
},
"expression": {
"and": [
{
"greater": [
"@length(body('Filter_Organization'))",
0
]
}
]
},
"type": "If",
"description": "Condition to check if filtered organization is same as organization"
},
"Filter_Organization": {
"runAfter": {
"Get_Organizations": [
"Succeeded"
]
},
"type": "Query",
"inputs": {
"from": "@body('Get_Organizations')",
"where": "@equals(item()?['name'], parameters('OrganizationName'))"
},
"description": "To filter organization detail from get organizations action based on organization name"
},
"Get_Organizations": {
"runAfter": {},
"type": "ApiConnection",
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['MerakiConnector']['connectionId']"
}
},
"method": "get",
"path": "/organizations"
}
}
},
"runAfter": {
"Cisco_Meraki_Logo": [
"Succeeded"
]
},
"else": {
"actions": {
"Terminate_if_IP_Address_not_found": {
"runAfter": {},
"type": "Terminate",
"inputs": {
"runError": {
"code": "404",
"message": "IP Address Not Found in Azure Sentinel Incident"
},
"runStatus": "Failed"
}
}
}
},
"expression": {
"and": [
{
"contains": [
"@outputs('Entities_-_Get_IPs')",
"body"
]
},
{
"greater": [
"@length(body('Entities_-_Get_IPs')?['IPs'])",
0
]
}
]
},
"type": "If",
"description": "Condition to check if body present in the sentinel incident"
},
"Cisco_Meraki_Logo": {
"runAfter": {
"Initialize_consolidated_action_array_variable": [
"Succeeded"
]
},
"type": "Compose",
"inputs": "<img src=\"https://www.kellerschroeder.com/wp-content/uploads/2017/05/Cisco-Meraki.jpg\" alt=\"CiscoMerakiLogo\" width=\"32\" height=\"32\">",
"description": "To store meraki logo"
},
"Entities_-_Get_IPs": {
"runAfter": {},
"type": "ApiConnection",
"inputs": {
"body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/entities/ip"
}
},
"Initialize_action_object_variable": {
"runAfter": {
"Entities_-_Get_IPs": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "Action",
"type": "object"
}
]
},
"description": "To create JSON action object"
},
"Initialize_consolidated_action_array_variable": {
"runAfter": {
"Initialize_action_object_variable": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "ConsolidatedAction",
"type": "array"
}
]
},
"description": "To create consolidated action array variable for incident comment"
}
},
"outputs": {}
},
"parameters": {
"$connections": {
"value": {
"MerakiConnector": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('Meraki_Connection'))]",
"connectionName": "[variables('Meraki_Connection')]",
"id": "[concat('/subscriptions/',subscription().subscriptionId,'/resourceGroups/',resourceGroup().name,'/providers/Microsoft.Web/customApis/',parameters('CiscoMerakiConnectorName'))]"
},
"azuresentinel": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinel_Connection'))]",
"connectionName": "[variables('AzureSentinel_Connection')]",
"id": "[concat('/subscriptions/',subscription().subscriptionId,'/providers/Microsoft.Web/locations/',resourceGroup().location,'/managedApis/azuresentinel')]",
"connectionProperties": {
"authentication": {
"type": "ManagedServiceIdentity"
}
}
}
}
}
}
}
},
{
"type": "Microsoft.Logic/workflows",
"apiVersion": "2017-07-01",
"name": "[parameters('EnrichmentURLPlaybookName')]",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Web/connections', variables('Meraki_Connection'))]",
"[resourceId('Microsoft.Web/connections', variables('AzureSentinel_Connection'))]"
],
"identity": {
"type": "SystemAssigned"
},
"properties": {
"state": "Enabled",
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"$connections": {
"defaultValue": {},
"type": "Object"
},
"OrganizationName": {
"defaultValue": "[parameters('OrganizationName')]",
"type": "String"
}
},
"triggers": {
"When_Azure_Sentinel_incident_creation_rule_was_triggered": {
"type": "ApiConnectionWebhook",
"inputs": {
"body": {
"callback_url": "@{listCallbackUrl()}"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"path": "/incident-creation"
}
}
},
"actions": {
"Check_if_body_present_in_Azure_Sentinel_incident": {
"actions": {
"Check_if_Organization_exists": {
"actions": {
"Add_comment_to_incident": {
"runAfter": {
"Create_Incident_HTML_table": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"body": {
"incidentArmId": "@triggerBody()?['object']?['id']",
"message": "<p>@{outputs('Cisco_Meraki_Logo')} <strong>Cisco Meraki URL Enrichment Playbook<br>\n<br>\n</strong>Below incident URL(s) are found in Azure Sentinel have the following status in networks for organization - <strong></strong><strong>@{parameters('OrganizationName')}</strong><strong></strong><br>\n@{body('Create_Incident_HTML_table')}</p>"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/Incidents/Comment"
}
},
"Create_Incident_HTML_table": {
"runAfter": {
"For_each_Network": [
"Succeeded"
]
},
"type": "Table",
"inputs": {
"columns": [
{
"header": "Incident URL",
"value": "@item()?['URL']"
},
{
"header": "Network Name",
"value": "@item()?['NetworkName']"
},
{
"header": "Status",
"value": "@item()?['Status']"
},
{
"header": "Comment",
"value": "@item()?['Comment']"
}
],
"format": "HTML",
"from": "@variables('ConsolidatedAction')"
},
"description": "To create incident HTML table from consolidated action array"
},
"For_each_Network": {
"foreach": "@body('Get_Networks')",
"actions": {
"For_each_URL": {
"foreach": "@body('Entities_-_Get_URLs')?['URLs']",
"actions": {
"Check_if_URL_is_allowed": {
"actions": {
"Append_to_consolidated_action_variable_for_allowed_URL": {
"runAfter": {
"Set_action_variable_for_allowed_URL": [
"Succeeded"
]
},
"type": "AppendToArrayVariable",
"inputs": {
"name": "ConsolidatedAction",
"value": "@variables('Action')"
},
"description": "To append action JSON object"
},
"Set_action_variable_for_allowed_URL": {
"runAfter": {},
"type": "SetVariable",
"inputs": {
"name": "Action",
"value": {
"Comment": "Allowed using content filtering",
"NetworkName": "@{items('For_each_Network')?['name']}",
"Status": "Allowed",
"URL": "@{items('For_each_URL')?['Url']}"
}
},
"description": "To create action JSON object for allowed URL"
}
},
"runAfter": {
"Filter_Blocked_URL_Pattern": [
"Succeeded"
]
},
"else": {
"actions": {
"Check_if_URL_is_blocked": {
"actions": {
"Append_to_consolidated_action_variable_for_blocked_URL": {
"runAfter": {
"Set_action_variable_for_blocked_URL": [
"Succeeded"
]
},
"type": "AppendToArrayVariable",
"inputs": {
"name": "ConsolidatedAction",
"value": "@variables('Action')"
},
"description": "To append action JSON object"
},
"Set_action_variable_for_blocked_URL": {
"runAfter": {},
"type": "SetVariable",
"inputs": {
"name": "Action",
"value": {
"Comment": "Blocked using content filtering",
"NetworkName": "@{items('For_each_Network')?['name']}",
"Status": "Blocked",
"URL": "@{items('For_each_URL')?['Url']}"
}
},
"description": "To create action JSON object for blocked URL"
}
},
"runAfter": {},
"else": {
"actions": {
"Append_to_consolidated_action_variable": {
"runAfter": {
"Set_action_variable": [
"Succeeded"
]
},
"type": "AppendToArrayVariable",
"inputs": {
"name": "ConsolidatedAction",
"value": "@variables('Action')"
},
"description": "To append action JSON object"
},
"Set_action_variable": {
"runAfter": {},
"type": "SetVariable",
"inputs": {
"name": "Action",
"value": {
"Comment": "Not Found using content filtering",
"NetworkName": "@{items('For_each_Network')?['name']}",
"Status": "Not Found",
"URL": "@{items('For_each_URL')?['Url']}"
}
},
"description": "To create action JSON object"
}
}
},
"expression": {
"and": [
{
"greater": [
"@length(body('Filter_Blocked_URL_Pattern'))",
0
]
}
]
},
"type": "If",
"description": "Condition to check if URL belongs to blocked URL patterns"
}
}
},
"expression": {
"and": [
{
"greater": [
"@length(body('Filter_Allowed_URL_Pattern'))",
0
]
}
]
},
"type": "If",
"description": "Condition to check if URL belongs to allowed URL patterns"
},
"Filter_Allowed_URL_Pattern": {
"runAfter": {},
"type": "Query",
"inputs": {
"from": "@body('Get_Network_Appliance_Content_Filtering')?['allowedUrlPatterns']",
"where": "@contains(item(), items('For_each_URL')?['Url'])"
},
"description": "To filter allowed URL pattern from get network appliance content filtering action based on URL"
},
"Filter_Blocked_URL_Pattern": {
"runAfter": {
"Filter_Allowed_URL_Pattern": [
"Succeeded"
]
},
"type": "Query",
"inputs": {
"from": "@body('Get_Network_Appliance_Content_Filtering')?['blockedUrlPatterns']",
"where": "@contains(item(), items('For_each_URL')?['Url'])"
},
"description": "To filter blocked URL pattern from get network appliance content filtering action based on URL"
}
},
"runAfter": {
"Get_Network_Appliance_Content_Filtering": [
"Succeeded"
]
},
"type": "Foreach",
"description": "For each loop for URLs from Azure Sentinel",
"runtimeConfiguration": {
"concurrency": {
"repetitions": 1
}
}
},
"Get_Network_Appliance_Content_Filtering": {
"runAfter": {},
"type": "ApiConnection",
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['MerakiConnector']['connectionId']"
}
},
"method": "get",
"path": "/networks/@{encodeURIComponent(items('For_each_Network')?['id'])}/appliance/contentFiltering"
}
}
},
"runAfter": {
"Get_Networks": [
"Succeeded"
]
},
"type": "Foreach",
"description": " For each loop for network",
"runtimeConfiguration": {
"concurrency": {
"repetitions": 1
}
}
},
"Get_Networks": {
"runAfter": {},
"type": "ApiConnection",
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['MerakiConnector']['connectionId']"
}
},
"method": "get",
"path": "/organizations/@{encodeURIComponent(body('Filter_Organization')?[0]?['id'])}/networks",
"queries": {
"perPage": 1000
}
}
}
},
"runAfter": {
"Filter_Organization": [
"Succeeded"
]
},
"else": {
"actions": {
"Terminate_if_organization_not_found": {
"runAfter": {},
"type": "Terminate",
"inputs": {
"runError": {
"code": "404",
"message": "Organization Not Found"
},
"runStatus": "Failed"
}
}
}
},
"expression": {
"and": [
{
"greater": [
"@length(body('Filter_Organization'))",
0
]
}
]
},
"type": "If",
"description": "Condition to check if filtered organization is same as organization"
},
"Filter_Organization": {
"runAfter": {
"Get_Organizations": [
"Succeeded"
]
},
"type": "Query",
"inputs": {
"from": "@body('Get_Organizations')",
"where": "@equals(item()?['name'], parameters('OrganizationName'))"
},
"description": "To filter organization detail from get organizations action based on organization name"
},
"Get_Organizations": {
"runAfter": {},
"type": "ApiConnection",
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['MerakiConnector']['connectionId']"
}
},
"method": "get",
"path": "/organizations"
}
}
},
"runAfter": {
"Cisco_Meraki_Logo": [
"Succeeded"
]
},
"else": {
"actions": {
"Terminate_if_URL_not_found": {
"runAfter": {},
"type": "Terminate",
"inputs": {
"runError": {
"code": "404",
"message": "URL Not Found in Azure Sentinel Incident"
},
"runStatus": "Failed"
}
}
}
},
"expression": {
"and": [
{
"contains": [
"@outputs('Entities_-_Get_URLs')",
"body"
]
},
{
"greater": [
"@length(body('Entities_-_Get_URLs')?['URLs'])",
0
]
}
]
},
"type": "If",
"description": "Condition to check if body present in the sentinel incident"
},
"Cisco_Meraki_Logo": {
"runAfter": {
"Initialize_consolidated_action_array_variable": [
"Succeeded"
]
},
"type": "Compose",
"inputs": "<img src=\"https://www.kellerschroeder.com/wp-content/uploads/2017/05/Cisco-Meraki.jpg\" alt=\"CiscoMerakiLogo\" width=\"32\" height=\"32\">",
"description": "To store meraki logo"
},
"Entities_-_Get_URLs": {
"runAfter": {},
"type": "ApiConnection",
"inputs": {
"body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/entities/url"
}
},
"Initialize_action_object_variable": {
"runAfter": {
"Entities_-_Get_URLs": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "Action",
"type": "object"
}
]
},
"description": "To create JSON action object"
},
"Initialize_consolidated_action_array_variable": {
"runAfter": {
"Initialize_action_object_variable": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "ConsolidatedAction",
"type": "array"
}
]
},
"description": "To create consolidated action array variable for incident comment"
}
},
"outputs": {}
},
"parameters": {
"$connections": {
"value": {
"MerakiConnector": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('Meraki_Connection'))]",
"connectionName": "[variables('Meraki_Connection')]",
"id": "[concat('/subscriptions/',subscription().subscriptionId,'/resourceGroups/',resourceGroup().name,'/providers/Microsoft.Web/customApis/',parameters('CiscoMerakiConnectorName'))]"
},
"azuresentinel": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinel_Connection'))]",
"connectionName": "[variables('AzureSentinel_Connection')]",
"id": "[concat('/subscriptions/',subscription().subscriptionId,'/providers/Microsoft.Web/locations/',resourceGroup().location,'/managedApis/azuresentinel')]",
"connectionProperties": {
"authentication": {
"type": "ManagedServiceIdentity"
}
}
}
}
}
}
}
},
{
"type": "MICROSOFT.WEB/CONNECTIONS",
"apiVersion": "2016-06-01",
"name": "[variables('Meraki_Connection')]",
"location": "[resourceGroup().location]",
"properties": {
"api": {
"id": "[concat('/subscriptions/',subscription().subscriptionId,'/resourceGroups/',resourceGroup().name,'/providers/Microsoft.Web/customApis/',parameters('CiscoMerakiConnectorName'))]"
}
},
"dependsOn": [
"[resourceId('Microsoft.Web/customApis', parameters('CiscoMerakiConnectorName'))]"
]
},
{
"type": "MICROSOFT.WEB/CONNECTIONS",
"apiVersion": "2016-06-01",
"name": "[variables('AzureSentinel_Connection')]",
"kind": "V1",
"location": "[resourceGroup().location]",
"properties": {
"displayName": "[variables('AzureSentinel_Connection')]",
"customParameterValues": {},
"parameterValueType": "Alternative",
"api": {
"id": "[concat('/subscriptions/',subscription().subscriptionId,'/providers/Microsoft.Web/locations/',resourceGroup().location,'/managedApis/azuresentinel')]"
}
}
}
]
}
Ссылка в новой задаче Показать git blame Копировать постоянную ссылку