Azure
/
Azure-Sentinel
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность
Azure-Sentinel/Playbooks/Watchlist-Add-URLToWatchList/azuredeploy.json

403 строки
20 KiB
JSON
Исходник Ответственный История

{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata":{
"comments": "This playbook will add URL entity to a new or exsisting watchlist.",
"author": "Yaniv Shasha"
},
"parameters": {
"PlaybookName": {
"defaultValue": "Watchlist-Add-URLToWatchList",
"type": "String"
},
"AzureSentinelWorkspaceName": {
"defaultValue": "The Azure Sentinel workspace name",
"type": "string"
},
"AzureSentinelResourceGroup": {
"defaultValue": "The AzureSentinel resource group",
"type": "string"
},
"SubscriptionID": {
"defaultValue": "The Azure Sentinel subscription ID",
"type": "string"
},
"WatchlistName": {
"defaultValue": "Name of watchlist",
"type": "string"
}
},
"variables": {
"AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]"
},
"resources": [
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('AzureSentinelConnectionName')]",
"location": "[resourceGroup().location]",
"properties": {
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
}
}
},
{
"type": "Microsoft.Logic/workflows",
"apiVersion": "2017-07-01",
"name": "[parameters('PlaybookName')]",
"location": "[resourceGroup().location]",
"tags": {
"LogicAppsCategory": "security"
},
"dependsOn": [
"[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]"
],
"properties": {
"state": "Enabled",
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"$connections": {
"defaultValue": {},
"type": "Object"
}
},
"triggers": {
"When_a_response_to_an_Azure_Sentinel_alert_is_triggered": {
"type": "ApiConnectionWebhook",
"inputs": {
"body": {
"callback_url": "@{listCallbackUrl()}"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"path": "/subscribe"
}
}
},
"actions": {
"Condition": {
"actions": {
"Update_existing_Watchlist_": {
"runAfter": {},
"type": "Http",
"inputs": {
"authentication": {
"type": "ManagedServiceIdentity"
},
"body": {
"properties": {
"contentType": "text/csv",
"createdBy": {
"objectId": "c580700e-878a-4f6d-a6dd-3f2300d4ddca"
},
"description": "csv1",
"displayName": "@variables('WatchlistName')",
"labels": [],
"numberOfLinesToSkip": "0",
"provider": "Microsoft",
"rawContent": "@{body('Create_CSV_table')}",
"source": "Local file"
}
},
"method": "PUT",
"uri": "https://management.azure.com/subscriptions/@{variables('SubscriptionID')}/resourceGroups/@{variables('ResourceGroup')}/providers/Microsoft.OperationalInsights/workspaces/@{variables('WorkspaceName')}/providers/Microsoft.SecurityInsights/watchlists/@{variables('WatchlistName')}?api-version=2019-01-01-preview"
}
}
},
"runAfter": {
"check_if_watchlist_exist_": [
"Succeeded",
"Failed"
]
},
"else": {
"actions": {
"Until": {
"actions": {
"Create_a_watchlist_and_Watchlist_Items": {
"runAfter": {},
"type": "Http",
"inputs": {
"authentication": {
"type": "ManagedServiceIdentity"
},
"body": {
"properties": {
"contentType": "text/csv",
"createdBy": {
"objectId": "c580700e-878a-4f6d-a6dd-3f2300d4ddca"
},
"description": "csv1",
"displayName": "@variables('WatchlistName')",
"labels": [],
"numberOfLinesToSkip": "0",
"provider": "Microsoft",
"rawContent": "@{body('Create_CSV_table')}",
"source": "Local file"
}
},
"method": "PUT",
"uri": "https://management.azure.com/subscriptions/@{variables('SubscriptionID')}/resourceGroups/@{variables('ResourceGroup')}/providers/Microsoft.OperationalInsights/workspaces/@{variables('WorkspaceName')}/providers/Microsoft.SecurityInsights/watchlists/@{variables('WatchlistName')}?api-version=2019-01-01-preview"
}
},
"Increment_variable": {
"runAfter": {
"Create_a_watchlist_and_Watchlist_Items": [
"Succeeded"
]
},
"type": "IncrementVariable",
"inputs": {
"name": "runs",
"value": 1
}
}
},
"runAfter": {},
"expression": "@greater(variables('runs'), 1)",
"limit": {
"count": 60,
"timeout": "PT1H"
},
"type": "Until"
}
}
},
"expression": {
"and": [
{
"equals": [
"@outputs('check_if_watchlist_exist_')['statusCode']",
200
]
}
]
},
"type": "If"
},
"Create_CSV_table": {
"runAfter": {
"For_each_2": [
"Succeeded"
]
},
"type": "Table",
"inputs": {
"format": "CSV",
"from": "@variables('URL')"
}
},
"Entities_-_Get_URLs": {
"runAfter": {},
"type": "ApiConnection",
"inputs": {
"body": "@triggerBody()?['Entities']",
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/entities/url"
}
},
"For_each_2": {
"foreach": "@body('Entities_-_Get_URLs')?['URLs']",
"actions": {
"Append_to_array_variable": {
"runAfter": {},
"type": "AppendToArrayVariable",
"inputs": {
"name": "URL",
"value": {
"Url": "@{items('For_each_2')['Url']}"
}
}
}
},
"runAfter": {
"WatchListName": [
"Succeeded"
]
},
"type": "Foreach"
},
"Number_of_Runs": {
"runAfter": {
"Variable_Host": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "runs",
"type": "integer",
"value": 0
}
]
}
},
"Parse_JSON": {
"runAfter": {
"Entities_-_Get_URLs": [
"Succeeded"
]
},
"type": "ParseJson",
"inputs": {
"content": "@body('Entities_-_Get_URLs')?['URLs']",
"schema": {
"properties": {
"Urls": {
"items": {
"properties": {
"$id": {
"type": "string"
},
"Type": {
"type": "string"
},
"Url": {
"type": "string"
}
},
"required": [
"$id",
"Type",
"Url"
],
"type": "array"
},
"type": "array"
}
},
"type": "array"
}
}
},
"ResourceGroup": {
"runAfter": {
"SubscriptionID": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "ResourceGroup",
"type": "string",
"value": "[parameters('AzureSentinelResourceGroup')]"
}
]
}
},
"SubscriptionID": {
"runAfter": {
"Number_of_Runs": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "SubscriptionID",
"type": "string",
"value": "[parameters('SubscriptionID')]"
}
]
}
},
"Variable_Host": {
"runAfter": {
"Parse_JSON": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "URL",
"type": "array"
}
]
}
},
"WatchListName": {
"runAfter": {
"WorkspaceName": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "WatchlistName",
"type": "string",
"value": "[parameters('WatchlistName')]"
}
]
}
},
"WorkspaceName": {
"runAfter": {
"ResourceGroup": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "WorkspaceName",
"type": "string",
"value": "[parameters('AzureSentinelWorkspaceName')]"
}
]
}
},
"check_if_watchlist_exist_": {
"runAfter": {
"Create_CSV_table": [
"Succeeded"
]
},
"type": "Http",
"inputs": {
"authentication": {
"type": "ManagedServiceIdentity"
},
"method": "GET",
"uri": "https://management.azure.com/subscriptions/@{variables('SubscriptionID')}/resourceGroups/@{variables('ResourceGroup')}/providers/Microsoft.OperationalInsights/workspaces/@{variables('WorkspaceName')}/providers/Microsoft.SecurityInsights/watchlists/@{variables('WatchlistName')}?api-version=2019-01-01-preview"
}
}
},
"outputs": {}
},
"parameters": {
"$connections": {
"value": {
"azuresentinel": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
"connectionName": "[variables('AzureSentinelConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
}
}
}
}
}
}
]
}
Ссылка в новой задаче Показать git blame Копировать постоянную ссылку