403 строки
20 KiB
JSON
403 строки
20 KiB
JSON
{
|
|
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
|
|
"contentVersion": "1.0.0.0",
|
|
"metadata":{
|
|
"comments": "This playbook will add URL entity to a new or exsisting watchlist.",
|
|
"author": "Yaniv Shasha"
|
|
},
|
|
"parameters": {
|
|
"PlaybookName": {
|
|
"defaultValue": "Watchlist-Add-URLToWatchList",
|
|
"type": "String"
|
|
},
|
|
"AzureSentinelWorkspaceName": {
|
|
"defaultValue": "The Azure Sentinel workspace name",
|
|
"type": "string"
|
|
},
|
|
"AzureSentinelResourceGroup": {
|
|
"defaultValue": "The AzureSentinel resource group",
|
|
"type": "string"
|
|
},
|
|
"SubscriptionID": {
|
|
"defaultValue": "The Azure Sentinel subscription ID",
|
|
"type": "string"
|
|
},
|
|
"WatchlistName": {
|
|
"defaultValue": "Name of watchlist",
|
|
"type": "string"
|
|
}
|
|
},
|
|
"variables": {
|
|
"AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]"
|
|
},
|
|
"resources": [
|
|
{
|
|
"type": "Microsoft.Web/connections",
|
|
"apiVersion": "2016-06-01",
|
|
"name": "[variables('AzureSentinelConnectionName')]",
|
|
"location": "[resourceGroup().location]",
|
|
"properties": {
|
|
"customParameterValues": {},
|
|
"api": {
|
|
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
|
|
}
|
|
}
|
|
},
|
|
{
|
|
"type": "Microsoft.Logic/workflows",
|
|
"apiVersion": "2017-07-01",
|
|
"name": "[parameters('PlaybookName')]",
|
|
"location": "[resourceGroup().location]",
|
|
"tags": {
|
|
"LogicAppsCategory": "security"
|
|
},
|
|
"dependsOn": [
|
|
"[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]"
|
|
],
|
|
"properties": {
|
|
"state": "Enabled",
|
|
"definition": {
|
|
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
|
|
"contentVersion": "1.0.0.0",
|
|
"parameters": {
|
|
"$connections": {
|
|
"defaultValue": {},
|
|
"type": "Object"
|
|
}
|
|
},
|
|
"triggers": {
|
|
"When_a_response_to_an_Azure_Sentinel_alert_is_triggered": {
|
|
"type": "ApiConnectionWebhook",
|
|
"inputs": {
|
|
"body": {
|
|
"callback_url": "@{listCallbackUrl()}"
|
|
},
|
|
"host": {
|
|
"connection": {
|
|
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
|
|
}
|
|
},
|
|
"path": "/subscribe"
|
|
}
|
|
}
|
|
},
|
|
"actions": {
|
|
"Condition": {
|
|
"actions": {
|
|
"Update_existing_Watchlist_": {
|
|
"runAfter": {},
|
|
"type": "Http",
|
|
"inputs": {
|
|
"authentication": {
|
|
"type": "ManagedServiceIdentity"
|
|
},
|
|
"body": {
|
|
"properties": {
|
|
"contentType": "text/csv",
|
|
"createdBy": {
|
|
"objectId": "c580700e-878a-4f6d-a6dd-3f2300d4ddca"
|
|
},
|
|
"description": "csv1",
|
|
"displayName": "@variables('WatchlistName')",
|
|
"labels": [],
|
|
"numberOfLinesToSkip": "0",
|
|
"provider": "Microsoft",
|
|
"rawContent": "@{body('Create_CSV_table')}",
|
|
"source": "Local file"
|
|
}
|
|
},
|
|
"method": "PUT",
|
|
"uri": "https://management.azure.com/subscriptions/@{variables('SubscriptionID')}/resourceGroups/@{variables('ResourceGroup')}/providers/Microsoft.OperationalInsights/workspaces/@{variables('WorkspaceName')}/providers/Microsoft.SecurityInsights/watchlists/@{variables('WatchlistName')}?api-version=2019-01-01-preview"
|
|
}
|
|
}
|
|
},
|
|
"runAfter": {
|
|
"check_if_watchlist_exist_": [
|
|
"Succeeded",
|
|
"Failed"
|
|
]
|
|
},
|
|
"else": {
|
|
"actions": {
|
|
"Until": {
|
|
"actions": {
|
|
"Create_a_watchlist_and_Watchlist_Items": {
|
|
"runAfter": {},
|
|
"type": "Http",
|
|
"inputs": {
|
|
"authentication": {
|
|
"type": "ManagedServiceIdentity"
|
|
},
|
|
"body": {
|
|
"properties": {
|
|
"contentType": "text/csv",
|
|
"createdBy": {
|
|
"objectId": "c580700e-878a-4f6d-a6dd-3f2300d4ddca"
|
|
},
|
|
"description": "csv1",
|
|
"displayName": "@variables('WatchlistName')",
|
|
"labels": [],
|
|
"numberOfLinesToSkip": "0",
|
|
"provider": "Microsoft",
|
|
"rawContent": "@{body('Create_CSV_table')}",
|
|
"source": "Local file"
|
|
}
|
|
},
|
|
"method": "PUT",
|
|
"uri": "https://management.azure.com/subscriptions/@{variables('SubscriptionID')}/resourceGroups/@{variables('ResourceGroup')}/providers/Microsoft.OperationalInsights/workspaces/@{variables('WorkspaceName')}/providers/Microsoft.SecurityInsights/watchlists/@{variables('WatchlistName')}?api-version=2019-01-01-preview"
|
|
}
|
|
},
|
|
"Increment_variable": {
|
|
"runAfter": {
|
|
"Create_a_watchlist_and_Watchlist_Items": [
|
|
"Succeeded"
|
|
]
|
|
},
|
|
"type": "IncrementVariable",
|
|
"inputs": {
|
|
"name": "runs",
|
|
"value": 1
|
|
}
|
|
}
|
|
},
|
|
"runAfter": {},
|
|
"expression": "@greater(variables('runs'), 1)",
|
|
"limit": {
|
|
"count": 60,
|
|
"timeout": "PT1H"
|
|
},
|
|
"type": "Until"
|
|
}
|
|
}
|
|
},
|
|
"expression": {
|
|
"and": [
|
|
{
|
|
"equals": [
|
|
"@outputs('check_if_watchlist_exist_')['statusCode']",
|
|
200
|
|
]
|
|
}
|
|
]
|
|
},
|
|
"type": "If"
|
|
},
|
|
"Create_CSV_table": {
|
|
"runAfter": {
|
|
"For_each_2": [
|
|
"Succeeded"
|
|
]
|
|
},
|
|
"type": "Table",
|
|
"inputs": {
|
|
"format": "CSV",
|
|
"from": "@variables('URL')"
|
|
}
|
|
},
|
|
"Entities_-_Get_URLs": {
|
|
"runAfter": {},
|
|
"type": "ApiConnection",
|
|
"inputs": {
|
|
"body": "@triggerBody()?['Entities']",
|
|
"host": {
|
|
"connection": {
|
|
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
|
|
}
|
|
},
|
|
"method": "post",
|
|
"path": "/entities/url"
|
|
}
|
|
},
|
|
"For_each_2": {
|
|
"foreach": "@body('Entities_-_Get_URLs')?['URLs']",
|
|
"actions": {
|
|
"Append_to_array_variable": {
|
|
"runAfter": {},
|
|
"type": "AppendToArrayVariable",
|
|
"inputs": {
|
|
"name": "URL",
|
|
"value": {
|
|
"Url": "@{items('For_each_2')['Url']}"
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"runAfter": {
|
|
"WatchListName": [
|
|
"Succeeded"
|
|
]
|
|
},
|
|
"type": "Foreach"
|
|
},
|
|
"Number_of_Runs": {
|
|
"runAfter": {
|
|
"Variable_Host": [
|
|
"Succeeded"
|
|
]
|
|
},
|
|
"type": "InitializeVariable",
|
|
"inputs": {
|
|
"variables": [
|
|
{
|
|
"name": "runs",
|
|
"type": "integer",
|
|
"value": 0
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"Parse_JSON": {
|
|
"runAfter": {
|
|
"Entities_-_Get_URLs": [
|
|
"Succeeded"
|
|
]
|
|
},
|
|
"type": "ParseJson",
|
|
"inputs": {
|
|
"content": "@body('Entities_-_Get_URLs')?['URLs']",
|
|
"schema": {
|
|
"properties": {
|
|
"Urls": {
|
|
"items": {
|
|
"properties": {
|
|
"$id": {
|
|
"type": "string"
|
|
},
|
|
"Type": {
|
|
"type": "string"
|
|
},
|
|
"Url": {
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"$id",
|
|
"Type",
|
|
"Url"
|
|
],
|
|
"type": "array"
|
|
},
|
|
"type": "array"
|
|
}
|
|
},
|
|
"type": "array"
|
|
}
|
|
}
|
|
},
|
|
"ResourceGroup": {
|
|
"runAfter": {
|
|
"SubscriptionID": [
|
|
"Succeeded"
|
|
]
|
|
},
|
|
"type": "InitializeVariable",
|
|
"inputs": {
|
|
"variables": [
|
|
{
|
|
"name": "ResourceGroup",
|
|
"type": "string",
|
|
"value": "[parameters('AzureSentinelResourceGroup')]"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"SubscriptionID": {
|
|
"runAfter": {
|
|
"Number_of_Runs": [
|
|
"Succeeded"
|
|
]
|
|
},
|
|
"type": "InitializeVariable",
|
|
"inputs": {
|
|
"variables": [
|
|
{
|
|
"name": "SubscriptionID",
|
|
"type": "string",
|
|
"value": "[parameters('SubscriptionID')]"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"Variable_Host": {
|
|
"runAfter": {
|
|
"Parse_JSON": [
|
|
"Succeeded"
|
|
]
|
|
},
|
|
"type": "InitializeVariable",
|
|
"inputs": {
|
|
"variables": [
|
|
{
|
|
"name": "URL",
|
|
"type": "array"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"WatchListName": {
|
|
"runAfter": {
|
|
"WorkspaceName": [
|
|
"Succeeded"
|
|
]
|
|
},
|
|
"type": "InitializeVariable",
|
|
"inputs": {
|
|
"variables": [
|
|
{
|
|
"name": "WatchlistName",
|
|
"type": "string",
|
|
"value": "[parameters('WatchlistName')]"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"WorkspaceName": {
|
|
"runAfter": {
|
|
"ResourceGroup": [
|
|
"Succeeded"
|
|
]
|
|
},
|
|
"type": "InitializeVariable",
|
|
"inputs": {
|
|
"variables": [
|
|
{
|
|
"name": "WorkspaceName",
|
|
"type": "string",
|
|
"value": "[parameters('AzureSentinelWorkspaceName')]"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"check_if_watchlist_exist_": {
|
|
"runAfter": {
|
|
"Create_CSV_table": [
|
|
"Succeeded"
|
|
]
|
|
},
|
|
"type": "Http",
|
|
"inputs": {
|
|
"authentication": {
|
|
"type": "ManagedServiceIdentity"
|
|
},
|
|
"method": "GET",
|
|
"uri": "https://management.azure.com/subscriptions/@{variables('SubscriptionID')}/resourceGroups/@{variables('ResourceGroup')}/providers/Microsoft.OperationalInsights/workspaces/@{variables('WorkspaceName')}/providers/Microsoft.SecurityInsights/watchlists/@{variables('WatchlistName')}?api-version=2019-01-01-preview"
|
|
}
|
|
}
|
|
},
|
|
"outputs": {}
|
|
},
|
|
"parameters": {
|
|
"$connections": {
|
|
"value": {
|
|
"azuresentinel": {
|
|
"connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
|
|
"connectionName": "[variables('AzureSentinelConnectionName')]",
|
|
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
]
|
|
} |