Azure-Sentinel/Playbooks
v-atulyadav a6594e2697
Merge pull request #10492 from Accelerynt-Security/05-15-2024--AS-Revoke-Azure-AD-User-Session-From-Entity
Update azuredeploy.json
2024-05-24 14:21:00 +05:30
..
.template Fix more issues in validations 2022-02-27 12:32:57 +02:00
2S-Sentinel2MISP Conflicats resolved 2023-08-16 12:39:15 +05:30
AD4IoT-AutoCloseIncidents Update playbook trigger names 2022-02-22 17:02:56 +02:00
AD4IoT-MailbyProductionLine Update playbook trigger names 2022-02-22 17:02:56 +02:00
AD4IoT-NewAssetServiceNowTicket Update playbook trigger names 2022-02-22 17:02:56 +02:00
AD4IoT-TritonDetectionAndResponse Update readme.md 2022-03-14 10:43:16 -07:00
ADX-Health-Playbook Update README.md 2021-08-24 10:22:14 +02:00
AS-AI-Commandline-Analysis Update readme to make instructions clearer 2023-02-09 18:14:54 +00:00
AS-Add-Azure-AD-User-Job-Title-to-Incident Update README.md 2024-02-23 17:55:11 -08:00
AS-Add-Machine-Logon-Users-to-Incident Add files via upload 2023-05-16 17:53:13 -07:00
AS-Azure-AD-Disable-User Add files via upload 2023-04-21 17:17:29 -07:00
AS-Azure-AD-Enable-User Add files via upload 2023-04-21 16:51:15 -07:00
AS-Azure-AD-Group Update README.md 2022-10-24 19:49:34 -07:00
AS-Blob-Storage-Add-Domains-to-Zscaler-URL-Category Update azuredeploy.json 2023-06-20 17:02:39 -07:00
AS-Block-GitHub-User Add files via upload 2023-07-12 17:54:48 -07:00
AS-Block-Hash-in-Defender Update README.md 2024-02-23 17:53:17 -08:00
AS-Clear-Okta-Network-Zone-List Update azuredeploy.json 2024-04-05 08:05:37 -07:00
AS-Compromised-Machine-Tagging Update azuredeploy.json 2022-09-29 12:09:01 -07:00
AS-Create-Opsgenie-Incident Update azuredeploy.json 2023-03-31 15:09:21 -07:00
AS-Delete-App-Registration Update README.md 2023-06-16 07:40:10 -07:00
AS-Disable-Microsoft-Entra-ID-User-From-Entity initial copy of Accelerynt-Security AS-Enable-Microsoft-Entra-ID-User-From-Entity and AS-Disable-Microsoft-Entra-ID-User-From-Entity repos 2023-12-05 17:53:52 -08:00
AS-Edgescan-Integration Update README.md 2023-05-02 17:17:08 -07:00
AS-Enable-Microsoft-Entra-ID-User-From-Entity Update README.md 2023-12-08 16:33:36 -08:00
AS-IAM-Entra-ID-Master-Playbook Update azuredeploy.json 2024-05-22 16:42:40 -07:00
AS-IAM-Master-Playbook Update azuredeploy.json 2024-05-22 16:42:57 -07:00
AS-IP-Blocklist Update azuredeploy.json 2022-12-13 16:42:47 -08:00
AS-IP-Blocklist-Remove-IPs AAD -> Entra ID 2023-12-04 15:59:25 -08:00
AS-Import-Azure-AD-Group-Users-to-MS-Watchlist 11102022 as import ad group users to ms watchlist (#6597) 2022-12-15 12:33:49 +05:30
AS-Incident-Host-Exposure-Level Update README.md 2023-02-13 15:19:43 -08:00
AS-Incident-IP-Matched-on-Watchlist Update azuredeploy.json 2023-06-15 20:34:15 -07:00
AS-Incident-Response-Approval-Email Update README.md 2023-02-13 15:31:17 -08:00
AS-Incident-Spiderfoot-Scan Add files via upload 2023-04-21 15:12:28 -07:00
AS-MDE-Isolate-Machine Update azuredeploy.json 2024-03-06 12:37:08 -08:00
AS-MDE-Unisolate-Machine Update azuredeploy.json 2024-03-06 12:36:55 -08:00
AS-Make-GitHub-Repository-Private Deployment and document-section link updates for Azure Org 2023-08-19 22:32:56 -07:00
AS-Okta-NetworkZoneUpdate Update azuredeploy.json 2022-09-29 12:11:16 -07:00
AS-PagerDuty-Integration Update README.md 2022-04-20 19:08:04 -07:00
AS-Recurring-Host-Entity Deployment and document-section link updates for Azure Org 2023-09-15 20:00:24 -07:00
AS-Remove-Domains-from-Zscaler-URL-Category Update README.md 2023-04-04 17:49:33 -07:00
AS-Revoke-Azure-AD-User-Session-From-Entity Update azuredeploy.json 2024-05-22 16:41:52 -07:00
AS-Revoke-Azure-AD-User-Session-From-Incident Update azuredeploy.json 2024-05-22 16:41:48 -07:00
AS-Sign-Out-Google-User link fixes 2023-09-15 20:14:05 -07:00
AS-Slack-Integration Update README.md 2022-04-20 19:24:41 -07:00
AS-Terminate-Okta-User-Session-From-Entity Update azuredeploy.json 2023-09-20 18:19:34 -07:00
AS-Update-Okta-Network-Zone-From-Entity Deployment and document-section link updates for Azure Org 2023-10-03 15:43:51 -07:00
Add-IP-Entity-To-NSG Create azuredeploy.json 2022-09-30 09:24:43 -04:00
Add-IP-Entity-To-Named-Location playbooks commit 2022-10-26 18:11:24 +05:30
Affected-Key-Credentials-CVE-2021-42306 update Affected-Key-Credentials-CVE-2021-42306 ARM 2022-03-16 15:47:09 -07:00
Aggregate-SNOW-tickets Updating Deploy buttons and links part 1 2021-06-16 00:25:40 +00:00
AutoConnect-ASCSubscriptions updates 2021-08-03 15:41:23 -04:00
AzureMonitor-ManagedId feat: add Playbooks/AzureMonitor-ManagedId (#7894) 2023-05-08 18:49:06 +05:30
Block-AADUserOrAdmin Update playbook trigger names 2022-02-22 17:02:56 +02:00
Block-ExchangeIP Update playbook trigger names 2022-02-22 17:02:56 +02:00
Block-IPs-on-MDATP-Using-GraphSecurity reverted changes done by mistake 2022-10-05 15:48:23 +02:00
Block-OnPremADUser Fix issues raised by automatic validations 2022-02-27 12:00:11 +02:00
Change-Incident-Severity Update playbook trigger names 2022-02-22 17:02:56 +02:00
CiscoASA Update azuredeploy.json 2022-07-28 18:32:02 +05:30
Close-Incident-MCAS Update playbook trigger names 2022-02-22 17:02:56 +02:00
Close-SentinelIncident-fromSNOW Updating Deploy buttons and links part 1 2021-06-16 00:25:40 +00:00
Comment-OriginAlertURL Updating Deploy buttons and links part 1 2021-06-16 00:25:40 +00:00
Comment-RemediationSteps Update playbook trigger names 2022-02-22 17:02:56 +02:00
Create Incidents From Http Update Readme.md 2024-01-17 23:39:09 +05:30
Create Incidents with Email Update azuredeploy.json 2023-03-14 11:45:49 +05:30
Create-AzureDevOpsTask playbooks commit 2022-10-26 18:11:24 +05:30
Create-AzureSnapshot Update playbook trigger names 2022-02-22 17:02:56 +02:00
Create-IBMResilientIncident Update playbook trigger names 2022-02-22 17:02:56 +02:00
Create-Zendesk-Ticket playbooks commit 2022-10-26 18:11:24 +05:30
CrowdStrike Prepare Playbooks for Crowdstrike solution and package (#5712) 2022-07-29 21:18:17 +05:30
CybleLogicApp added changes from beta 2024-03-05 11:33:37 +05:30
Dismiss_Upstream_Events Updating Deploy buttons and links part 1 2021-06-16 00:25:40 +00:00
Dynamic-Summaries-API-Upsert [Playbooks] Dynamic summaries PDF document update 2023-01-12 17:14:24 -08:00
Enrich-AzureResourceGraph use subscription().tenantId 2023-08-05 13:17:23 +00:00
Enrich-AzureResourceGraph-Incident docs: add IAM Sentinel Responder to readme 2023-04-30 13:51:23 +00:00
Enrich-CIRCL-hashlookup change custom connector variable name 2023-01-28 19:30:05 +00:00
Enrich-Intezer-Analyze docs: keyvault extra information 2023-01-21 15:48:23 +00:00
Enrich-MalwareBazaar docs: prerequisites update 2023-01-21 15:52:00 +00:00
Enrich-Sentinel-Incident-AlienVault-OTX updated release notes 2023-06-14 14:06:30 +02:00
Enrich-SentinelIncident-GreyNoise-IP Add array 2022-07-21 13:03:32 +02:00
Enrich-SentinelIncident-GreyNoiseCommunity-IP Add array 2022-07-21 13:03:32 +02:00
Enrich-SentinelIncident-MDATPTVM Update playbook trigger names 2022-02-22 17:02:56 +02:00
Export-Incidents-With-Comments Updating Deploy buttons and links part 1 2021-06-16 00:25:40 +00:00
Export-Report-CSV Correct typo and add content 2021-08-18 05:22:37 -07:00
F5BigIP Revert change for F5, HaveIBeenPwned 2022-02-27 12:04:52 +02:00
ForcepointNGFW Update playbook trigger names 2022-02-22 17:02:56 +02:00
Fortinet-FortiGate migrate app insights to log analytic workspace code change in azure deploy files 2024-01-10 15:30:29 +05:30
Get-AD4IoTDeviceCVEs Update playbook trigger names 2022-02-22 17:02:56 +02:00
Get-ASCRecommendations Update playbook trigger names 2022-02-22 17:02:56 +02:00
Get-AlertEntitiesEnrichment Update playbook trigger names 2022-02-22 17:02:56 +02:00
Get-AlienVault_OTX Added step to enable the "Threat Intelligence Platforms (Preview)" connector in the Sentinel workspace (#6565) 2022-11-09 10:50:53 +05:30
Get-CompromisedPasswords Update playbook trigger names 2022-02-22 17:02:56 +02:00
Get-GeoFromIPandTagIncident-EmailAlertBasedonGeo Update playbook trigger names 2022-02-22 17:02:56 +02:00
Get-GeoFromIpAndTagIncident Get-GeoFromIpAndTagIncident Playbook Issue fix (#7513) 2023-03-09 11:02:51 +05:30
Get-MDATPVulnerabilities Update playbook trigger names 2022-02-22 17:02:56 +02:00
Get-MDEFileActivityWithin30Mins Update playbook trigger names 2022-02-22 17:02:56 +02:00
Get-MDEInvestigationPackage Removed private preview in screenshots and workflow for entity trigger 2022-12-06 14:13:06 +05:30
Get-MDEProcessActivityWithin30Mins Fix issues raised by automatic validations 2022-02-27 12:00:11 +02:00
Get-MDEStatistics Fix more issues in validations 2022-02-27 12:32:57 +02:00
Get-MachineData-EDR-SOAR-ActionsOnMachine Update playbook trigger names 2022-02-22 17:02:56 +02:00
Get-MerakiData-ConfigurationChanges Updating Deploy buttons and links part 1 2021-06-16 00:25:40 +00:00
Get-MerakiData-OrgSecurityEvents Updating Deploy buttons and links part 1 2021-06-16 00:25:40 +00:00
Get-Microsoft-Covid19-Indicators reverted changes done by mistake 2022-10-05 15:48:23 +02:00
Get-O365Data fix docs link 2021-06-16 00:57:53 +00:00
Get-Recipients-EmailMessageID-containing-URL Fix issues raised by automatic validations 2022-02-27 12:00:11 +02:00
Get-SOCActions Merge pull request #4182 from rinure-msft/patch-2 2022-04-04 11:11:56 +05:30
Get-SOCTasks Get-SOCTasks 2023-06-15 19:31:43 -04:00
Get-SentinelAlertsEvidence update to SOCProcess soltuon and playbook Get-Sent 2023-04-21 15:57:58 +01:00
Get-TenableVlun Updating Deploy buttons and links part 1 2021-06-16 00:25:40 +00:00
Get-VTURLPositivesComment Fix issues raised by automatic validations 2022-02-27 12:00:11 +02:00
Guardicore-Import-Assets Update azuredeploy.json 2022-04-28 17:59:29 -07:00
Guardicore-Import-Incidents Update azuredeploy.json 2022-04-28 17:58:08 -07:00
Guardicore-ThreatIntel reverted changes done by mistake 2022-10-05 15:48:23 +02:00
HaveIBeenPwned Revert change for F5, HaveIBeenPwned 2022-02-27 12:04:52 +02:00
HaveIBeenPwned-Email Update playbook trigger names 2022-02-22 17:02:56 +02:00
IdentityProtection-EmailResponse Update playbook trigger names 2022-02-22 17:02:56 +02:00
IdentityProtection-TeamsBotResponse solution updated teams (#6029) 2022-08-30 17:28:24 +05:30
Incident-Email-Notification Update playbook trigger names 2022-02-22 17:02:56 +02:00
Incident-Status-Sync-To-WDATP Update playbook trigger names 2022-02-22 17:02:56 +02:00
IncidentUpdate -Get-SentinelAlertsEvidence Update readme.md 2021-06-24 15:29:00 +12:00
Ingest-CanaryTokens Update azuredeploy.json 2023-12-05 17:17:16 +05:30
Ingest-Prisma Fix typo in README 2024-02-19 11:55:00 +11:00
Isolate-AzureStorageAccount Update playbook trigger names 2022-02-22 17:02:56 +02:00
Isolate-AzureVMtoNSG Update playbook trigger names 2022-02-22 17:02:56 +02:00
M365-Security-Posture Fixed error in sending Secure Score (#4399) 2022-03-15 11:22:36 +05:30
Move-LogAnalytics-to-Storage Updating Deploy buttons and links part 1 2021-06-16 00:25:40 +00:00
Netskope/Add-Url-to-netskope-url-list Update readme.md 2022-12-02 17:42:51 +05:30
Notify-ASCAlertAzureResource Update playbook trigger names 2022-02-22 17:02:56 +02:00
OktaRawLog Updating Deploy buttons and links part 1 2021-06-16 00:25:40 +00:00
Open-ServiceDeskPlusOnDemand-Ticket Update playbook trigger names 2022-02-22 17:02:56 +02:00
PaloAlto-PAN-OS Update readme.md 2022-10-18 15:58:35 +01:00
PaloAlto-Wildfire Update playbook trigger names 2022-02-22 17:02:56 +02:00
Post-Tags-And-Comments-To-Your-IntSights-Account Fix issues raised by automatic validations 2022-02-27 12:00:11 +02:00
Put-MDEAlert-Hunting-GitHub Update readme.md 2023-01-17 07:45:46 -08:00
QuickStart-SentinelTriggers Standalone metadata updates (#7914) 2023-04-28 10:10:42 +05:30
RecordedFuture-Block-IPs-and-Domains-on-Microsoft-Defender-for-Endpoint Change default risk lists, updated defaults and update documentation. 2024-03-19 12:24:19 +01:00
RecordedFuture_IP_SCF Change default risk lists, updated defaults and update documentation. 2024-03-19 12:24:19 +01:00
Remove-MDEAppExecution Playbook bug fixes (#5813) 2022-08-04 13:08:35 +05:30
Resolve-McasInfrequentCountryAlerts Update azuredeploy.json 2022-02-27 13:46:29 +02:00
Run-AzureVMPacketCapture Fix issues raised by automatic validations 2022-02-27 12:00:11 +02:00
Run-Notebook-After-Incident-Creation Update metadata 2022-11-17 13:28:51 -08:00
Save-NamedLocations Updating Deploy buttons and links part 2 2021-06-16 01:40:49 +00:00
Send-AnalyticalRulesHealthNotifications Updated Send-AnalyticalRulesHealthNotifications 2021-12-01 15:21:16 -08:00
Send-AzCommunicationsSMSMessage Fix issues raised by automatic validations 2022-02-27 12:00:11 +02:00
Send-ConnectorHealthStatus Updated deploy buttons 2021-10-20 14:02:18 -04:00
Send-IngestionCostAlert image and readme updates 2022-06-06 18:00:06 -04:00
Send-IngestionCostAnomalyAlert Updating sentinel cost anomaly alert 2023-07-18 15:55:13 +05:30
Send-Slack-Message-Webhook Updated with Managed identity 2022-09-01 12:33:44 +05:30
Send-UnhealthyAzureArcResourceAlert Screenshot update 2023-07-26 10:10:09 +02:00
Send-UrlReport correction 2023-07-09 20:02:45 +02:00
Spur-Enrichment Merge pull request #2903 from tokesr/tokesr-patch-1 2022-03-11 10:36:43 +05:30
Start-MDEAutomatedInvestigation Update playbook trigger names 2022-02-22 17:02:56 +02:00
Sync-IncidentCommentToM365DOnUpdate Update azuredeploy.json 2022-05-25 09:42:39 +03:00
Sync-Sentinel-Incident-Comments-To-M365Defender Updated readme for Trigger frequency change 2021-06-24 17:57:14 +05:30
ThinkstCanary-Alert-Ingestion Update readme.md 2023-02-21 08:31:21 +00:00
Update-BulkIncidents updated with a fix and more notes 2024-03-06 16:33:49 -05:00
Update-CVE-IPs-WatchListwithGreyNoise Update NetworkSearchingForGreyNoiseIPbyCVEActivity.yaml 2023-10-12 18:50:55 +05:30
Update-NamedLocations-TOR Update azuredeploy.json 2021-01-05 08:27:23 -08:00
Update-VIPUsers-Watchlist-from-AzureAD-Group Update-VIPUsers-Watchlist-from-AzureAD-Group 2022-03-20 22:49:23 +00:00
Update-Watchlist-With-NamedLocation Update azuredeploy.json 2021-08-25 14:40:21 +02:00
Watchlist-SendSQLData-Watchlist Updating Deploy buttons and links part 2 2021-06-16 01:40:49 +00:00
Zscaler Moving playbook files 2023-04-03 18:18:00 +05:30
Zscaler-add-Domains-to-URL-Category Update azuredeploy.json 2023-04-04 17:36:01 -07:00
CSV-Report-Export Create CSV-Report-Export 2021-08-10 11:48:33 -07:00
Download.png Added Download Icon 2022-03-29 21:50:07 -07:00
ReadMe.md Updated Note 2022-03-29 21:53:19 -07:00
logic_app_logo.png Add files via upload 2020-10-21 16:37:03 +13:00

ReadMe.md

LogicApps Logo

About

This repo contains sample security playbooks for security automation, orchestration and response (SOAR). Each folder contains a security playbook ARM template that uses Microsoft Sentinel trigger.

Instructions for deploying a custom template

After selecting a playbook, in the Azure portal:

  1. Search for deploy a custom template
  2. Click build your own template in the editor
  3. Paste the contents from the GitHub playbook
  4. Click Save
  5. Fill in needed data and click Purchase

Once deployment is complete, you will need to authorize each connection.

  1. Click the Microsoft Sentinel connection resource
  2. Click edit API connection
  3. Click Authorize
  4. Sign in
  5. Click Save
  6. Repeat steps for other connections
  • For Azure Log Analytics Data Collector, you will need to add the workspace ID and Key You can now edit the playbook in Logic apps.

Instructions for templatizing a playbook

Option 1: Azure Logic App/Playbook ARM Template Generator

  1. Download tool and run the PowerShell script
    Download

  2. Extract the folder and open "Playbook_ARM_Template_Generator.ps1" either in Visual Studio Code/Windows PowerShell/PowerShell Core

    Note
    The script runs from the user's machine. You must allow PowerShell script execution. To do so, run the following command:

    Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass  
    
  3. Script prompts you to enter your Azure Tenant Id

  4. You are prompted to authenticate with credentials, once the user is authenticated, you will be prompted to choose

    • Subscription
    • Playbooks
  5. After selecting playbooks, script prompts to select location on your local drive to save ARM Template

Note: Tool converts microsoftsentinel connections to MSI during export

Option 2: Manual

Once you have created a playbook that you want to export to share, go to the Logic App resource in Azure.

Note: this is the generic instructions there may be other steps depending how complex or what connectors are used for the playbook.

  1. Click Export Template from the resource menu in Azure Portal.
  2. Copy the contents of the template.
  3. Using VS code, create a JSON file with the name "azuredeploy.json".
  4. Paste the code into the new file.
  5. In the parameters section, you can remove all parameters and add the following minimum fields. Users can edit the parameters when deploying your template. You can add more parameters based on your playbook requirements.
    "parameters": {
        "PlaybookName": {
            "defaultValue": "<PlaybookName>",
            "type": "string"
        },
        "UserName": {
            "defaultValue": "<username>@<domain>",
            "type": "string"
        }
    },
  • Playbook name and username are minimum requirements that will be used for the connections.
  1. In the variables section, create a variable for each connection the playbook is using.
  • To construct a string variable, use this following snippet. Make sure to replace the connectorname with actual name of the connector.
    [concat('<connectorname>-', parameters('PlaybookName'))]
  • For example, if you are using Azure Active Directory and Microsoft Sentinel connections in the playbook, then create two variables with actual connection names. The variables will be the connection names. Here we are creating a connection name using the connection (AzureAD) and "-" and the playbook name.
    "variables": {
        "AzureADConnectionName": "[concat('azuread-', parameters('PlaybookName'))]",
        "AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]"
    },
  1. Next, you will need to add resources to be created for each connection.
   "resources": [
        {
            "type": "Microsoft.Web/connections",
            "apiVersion": "2016-06-01",
            "name": "[variables('AzureADConnectionName')]",
            "location": "[resourceGroup().location]",
            "properties": {
                "displayName": "[parameters('UserName')]",
                "customParameterValues": {},
                "api": {
                    "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuread')]"
                }
            }
        },
  • The name is using the variable we created.
  • The location is using the resource group that was selected as part of the deployment.
  • The displayname is using the Username parameter.
  • Lastly, you can build the string for the id using strings plus properties of the subscription and resource group.
  • Repeat for each connection needed.
  1. In the Microsoft.Logic/workflows resource under parameters / $connections, there will be a value for each connection. You will need to update each like the following.
"parameters": {
                    "$connections": {
                        "value": {
                            "azuread": {
                                "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureADConnectionName'))]",
                                "connectionName": "[variables('AzureADConnectionName')]",
                                "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuread')]"
                            },
                            "azuresentinel": {
                                "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
                                "connectionName": "[variables('AzureSentinelConnectionName')]",
                                "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
                            }
                        }
                    }
                }

  • The connectionId will use a string and variable.
  • The connectionName is the variable.
  • The id is the string we used early for the id when creating the resource.
  1. In the Microsoft.Logic/workflows resource, you will also need the dependsOn field, which is a list of resourceId. The string for each resourceId is constructed using this snippet, followed by an example which contains Azure AD and Azure Sentinel connections.
    [resourceId('Microsoft.Web/connections', <ConnectionVariableName>)]
    "dependsOn": [
        "[resourceId('Microsoft.Web/connections', variables('AzureADConnectionName'))]",
        "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]"
    ]
  1. Save the JSON.
  2. Create a Readme.md file with a brief description of the playbook.
  3. Test deployment of your template following Instructions for deploying a custom template. Make sure the deployment succeeds.
  4. If you need samples of a playbook template, refer to an existing playbooks' azuredeploy.json sample file in the repo.
  5. Contribute the playbook template to the repository.

Suggestions and feedback

We value your feedback. Let us know if you run into any problems or share your suggestions and feedback by sending email to AzureSentinel@microsoft.com