
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"PlaybookName": {
"defaultValue": "ReversingLabsFileInfo",
"type": "string"
},
"UserName": {
"defaultValue": "<username>@<domain>",
"type": "string"
}
},
"variables": {
"AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]",
"ConnectorConnectionName": "[concat('connector-', parameters('PlaybookName'))]"
},
"resources": [
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('AzureSentinelConnectionName')]",
"location": "[resourceGroup().location]",
"properties": {
"displayName": "[parameters('UserName')]",
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('ConnectorConnectionName')]",
"location": "[resourceGroup().location]",
"properties": {
"displayName": "[parameters('UserName')]",
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/reversinglabsintelligence')]"
}
}
},
{
"type": "Microsoft.Logic/workflows",
"apiVersion": "2017-07-01",
"name": "[parameters('PlaybookName')]",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
"[resourceId('Microsoft.Web/connections', variables('ConnectorConnectionName'))]"
],
"properties": {
"state": "Enabled",
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"$connections": {
"defaultValue": {},
"type": "Object"
}
},
"triggers": {
"When_a_response_to_an_Azure_Sentinel_alert_is_triggered": {
"type": "ApiConnectionWebhook",
"inputs": {
"body": {
"callback_url": "@{listCallbackUrl()}"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"path": "/subscribe"
}
}
},
"actions": {
"Alert_-_Get_incident": {
"runAfter": {},
"type": "ApiConnection",
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "get",
"path": "/Incidents/subscriptions/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/resourceGroups/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/workspaces/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/alerts/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}"
}
},
"Entities_-_Get_FileHashes": {
"runAfter": {
"Alert_-_Get_incident": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"body": "@triggerBody()?['Entities']",
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/entities/filehash"
}
},
"For_each_-_File_Reputation": {
"foreach": "@body('Entities_-_Get_FileHashes')?['Filehashes']",
"actions": {
"Add_comment_to_incident_(V3)_-_file_reputation": {
"runAfter": {
"Parse_JSON_-_file_reputation": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"body": {
"incidentArmId": "@body('Alert_-_Get_incident')?['id']",
"message": "<p><strong>ReversingLabs File Hash Reputation:</strong><br>\n<strong>Threat name:</strong> @{body('Parse_JSON_-_file_reputation')?['rl']?['malware_presence']?['threat_name']}<br>\n<strong>File status: </strong>@{body('Parse_JSON_-_file_reputation')?['rl']?['malware_presence']?['status']}<br>\n<strong>Reason: </strong>@{body('Parse_JSON_-_file_reputation')?['rl']?['malware_presence']?['reason']}<br>\n<strong>Scanner count:</strong> @{body('Parse_JSON_-_file_reputation')?['rl']?['malware_presence']?['scanner_count']}<br>\n<strong>Scanner percent:</strong> @{body('Parse_JSON_-_file_reputation')?['rl']?['malware_presence']?['scanner_percent']}<br>\n<strong>Scanner match: </strong>@{body('Parse_JSON_-_file_reputation')?['rl']?['malware_presence']?['scanner_match']}<br>\n<strong>First seen: </strong>@{body('Parse_JSON_-_file_reputation')?['rl']?['malware_presence']?['first_seen']}<br>\n<strong>Last seen: </strong>@{body('Parse_JSON_-_file_reputation')?['rl']?['malware_presence']?['last_seen']}<br>\n<strong>Threat level: </strong>@{body('Parse_JSON_-_file_reputation')?['rl']?['malware_presence']?['threat_level']}<br>\n<strong>Trust factor:</strong> @{body('Parse_JSON_-_file_reputation')?['rl']?['malware_presence']?['trust_factor']}</p>"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/Incidents/Comment"
}
},
"Get_File_Hash_Reputation": {
"runAfter": {},
"type": "ApiConnection",
"inputs": {
"headers": {
"User-Agent": "SentinelPartner-ReversingLabs-ReversingLabs Intelligence/v1.0.0"
},
"host": {
"connection": {
"name": "@parameters('$connections')['reversinglabsintelligence']['connectionId']"
}
},
"method": "get",
"path": "/api/databrowser/malware_presence/query/@{encodeURIComponent(items('For_each_-_File_Reputation')?['Algorithm'])}/@{encodeURIComponent(items('For_each_-_File_Reputation')?['Value'])}",
"queries": {
"extended": true,
"format": "json",
"show_hashes": true
}
}
},
"Parse_JSON_-_file_reputation": {
"runAfter": {
"Get_File_Hash_Reputation": [
"Succeeded"
]
},
"type": "ParseJson",
"inputs": {
"content": "@body('Get_File_Hash_Reputation')",
"schema": {
"properties": {
"rl": {
"properties": {
"malware_presence": {
"properties": {
"classification": {
"properties": {
"family_name": {
"type": "string"
},
"is_generic": {
"type": "boolean"
},
"platform": {
"type": "string"
},
"type": {
"type": "string"
}
},
"type": "object"
},
"first_seen": {
"type": "string"
},
"last_seen": {
"type": "string"
},
"query_hash": {
"properties": {
"sha1": {
"type": "string"
}
},
"type": "object"
},
"reason": {
"type": "string"
},
"scanner_count": {
"type": "integer"
},
"scanner_match": {
"type": "integer"
},
"scanner_percent": {
"type": "number"
},
"status": {
"type": "string"
},
"threat_level": {
"type": "integer"
},
"threat_name": {
"type": "string"
},
"trust_factor": {
"type": "integer"
}
},
"type": "object"
}
},
"type": "object"
}
},
"type": "object"
}
}
}
},
"runAfter": {
"Initialize_variable": [
"Succeeded"
]
},
"type": "Foreach"
},
"For_each_hash_-_Details": {
"foreach": "@body('Entities_-_Get_FileHashes')?['Filehashes']",
"actions": {
"For_each_-_entry": {
"foreach": "@body('Parse_JSON_-_details')?['rl']?['sample']?['analysis']?['entries']",
"actions": {
"Add_comment_to_incident_(V3)_-_details": {
"runAfter": {},
"type": "ApiConnection",
"inputs": {
"body": {
"incidentArmId": "@body('Alert_-_Get_incident')?['id']",
"message": "<p><strong>ReversingLabs File Hash Details:</strong><br>\n@{items('For_each_-_entry')?['tc_report']?['story']}<br>\n<strong>Sha1: </strong>@{body('Parse_JSON_-_details')?['rl']?['sample']?['sha1']}<br>\n<strong>Md5: </strong>@{body('Parse_JSON_-_details')?['rl']?['sample']?['md5']}<br>\n<strong>Sha256: </strong>@{body('Parse_JSON_-_details')?['rl']?['sample']?['sha256']}<br>\n<strong>Sha384: </strong>@{body('Parse_JSON_-_details')?['rl']?['sample']?['sha384']}<br>\n<strong>Sha512: </strong>@{body('Parse_JSON_-_details')?['rl']?['sample']?['sha512']}<br>\n<strong>Sample size: </strong>@{body('Parse_JSON_-_details')?['rl']?['sample']?['sample_size']}KB</p>"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/Incidents/Comment"
}
}
},
"runAfter": {
"Parse_JSON_-_details": [
"Succeeded"
]
},
"type": "Foreach"
},
"Get_File_Hash_Analysis_Detail": {
"runAfter": {},
"type": "ApiConnection",
"inputs": {
"headers": {
"User-Agent": "SentinelPartner-ReversingLabs-ReversingLabs Intelligence/v1.0.0"
},
"host": {
"connection": {
"name": "@parameters('$connections')['reversinglabsintelligence']['connectionId']"
}
},
"method": "get",
"path": "/api/databrowser/rldata/query/@{encodeURIComponent(items('For_each_hash_-_Details')?['Algorithm'])}/@{encodeURIComponent(items('For_each_hash_-_Details')?['Value'])}",
"queries": {
"format": "json"
}
}
},
"Parse_JSON_-_details": {
"runAfter": {
"Get_File_Hash_Analysis_Detail": [
"Succeeded"
]
},
"type": "ParseJson",
"inputs": {
"content": "@body('Get_File_Hash_Analysis_Detail')",
"schema": {
"properties": {
"rl": {
"properties": {
"sample": {
"properties": {
"analysis": {
"properties": {
"entries": {
"items": {
"properties": {
"analysis_type": {
"type": "string"
},
"analysis_version": {
"type": "string"
},
"record_time": {
"type": "string"
},
"tc_report": {
"properties": {
"info": {
"properties": {
"file": {
"properties": {
"file_subtype": {
"type": "string"
},
"file_type": {
"type": "string"
}
},
"type": "object"
},
"identification": {
"properties": {
"name": {
"type": "string"
}
},
"type": "object"
},
"validation": {
"properties": {
"valid": {
"type": "boolean"
}
},
"type": "object"
}
},
"type": "object"
},
"interesting_strings": {
"items": {
"properties": {
"category": {
"type": "string"
},
"values": {
"items": {
"type": "string"
},
"type": "array"
}
},
"required": [
"category",
"values"
],
"type": "object"
},
"type": "array"
},
"metadata": {
"properties": {
"application": {
"properties": {
"pe": {
"properties": {
"dos_header": {
"properties": {
"e_cblp": {
"type": "integer"
},
"e_cp": {
"type": "integer"
},
"e_cparhdr": {
"type": "integer"
},
"e_crlc": {
"type": "integer"
},
"e_cs": {
"type": "integer"
},
"e_csum": {
"type": "integer"
},
"e_ip": {
"type": "integer"
},
"e_lfanew": {
"type": "integer"
},
"e_lfarlc": {
"type": "integer"
},
"e_maxalloc": {
"type": "integer"
},
"e_minalloc": {
"type": "integer"
},
"e_oemid": {
"type": "integer"
},
"e_oeminfo": {
"type": "integer"
},
"e_ovno": {
"type": "integer"
},
"e_res": {
"type": "string"
},
"e_res2": {
"type": "string"
},
"e_sp": {
"type": "integer"
},
"e_ss": {
"type": "integer"
},
"has_rich_header": {
"type": "boolean"
}
},
"type": "object"
},
"file_header": {
"properties": {
"characteristics": {
"type": "integer"
},
"machine": {
"type": "integer"
},
"number_of_sections": {
"type": "integer"
},
"number_of_symbols": {
"type": "integer"
},
"pointer_to_symbol_table": {
"type": "integer"
},
"size_of_optional_headers": {
"type": "integer"
},
"time_date_stamp": {
"type": "integer"
},
"time_date_stamp_decoded": {
"type": "string"
}
},
"type": "object"
},
"imports": {
"items": {
"properties": {
"apis": {
"items": {
"type": "string"
},
"type": "array"
},
"name": {
"type": "string"
}
},
"required": [
"name",
"apis"
],
"type": "object"
},
"type": "array"
},
"optional_header": {
"properties": {
"address_of_entry_point": {
"type": "integer"
},
"base_of_code": {
"type": "integer"
},
"base_of_data": {
"type": "integer"
},
"checksum": {
"type": "integer"
},
"data_directories": {
"items": {
"properties": {
"address": {
"type": "integer"
},
"size": {
"type": "integer"
}
},
"required": [
"address",
"size"
],
"type": "object"
},
"type": "array"
},
"dll_characteristics": {
"type": "integer"
},
"file_alignment": {
"type": "integer"
},
"image_base": {
"type": "integer"
},
"is_checksum_valid": {
"type": "boolean"
},
"loader_flags": {
"type": "integer"
},
"major_image_version": {
"type": "integer"
},
"major_linker_version": {
"type": "integer"
},
"major_os_version": {
"type": "integer"
},
"major_subsystem_version": {
"type": "integer"
},
"minor_image_version": {
"type": "integer"
},
"minor_linker_version": {
"type": "integer"
},
"minor_os_version": {
"type": "integer"
},
"minor_subsystem_version": {
"type": "integer"
},
"number_of_rva_and_sizes": {
"type": "integer"
},
"section_alignment": {
"type": "integer"
},
"size_of_code": {
"type": "integer"
},
"size_of_headers": {
"type": "integer"
},
"size_of_heap_commit": {
"type": "integer"
},
"size_of_heap_reserve": {
"type": "integer"
},
"size_of_image": {
"type": "integer"
},
"size_of_initialized_data": {
"type": "integer"
},
"size_of_stack_commit": {
"type": "integer"
},
"size_of_stack_reserve": {
"type": "integer"
},
"size_of_uninitialized_data": {
"type": "integer"
},
"subsystem": {
"type": "integer"
},
"win32_version_value": {
"type": "integer"
}
},
"type": "object"
},
"resources": {
"items": {
"properties": {
"code_page": {
"type": "integer"
},
"language_id": {
"type": "integer"
},
"language_id_name": {
"type": "string"
},
"name": {
"type": "string"
},
"offset": {
"type": "integer"
},
"size": {
"type": "integer"
},
"type": {
"type": "string"
}
},
"required": [
"type",
"name",
"language_id_name",
"language_id",
"code_page",
"offset",
"size"
],
"type": "object"
},
"type": "array"
},
"sections": {
"items": {
"properties": {
"address": {
"type": "integer"
},
"flags": {
"type": "integer"
},
"name": {
"type": "string"
},
"offset": {
"type": "integer"
},
"size": {
"type": "integer"
}
},
"required": [
"name",
"flags",
"size",
"address",
"offset"
],
"type": "object"
},
"type": "array"
}
},
"type": "object"
}
},
"type": "object"
}
},
"type": "object"
},
"story": {
"type": "string"
}
},
"type": "object"
}
},
"required": [
"record_time",
"analysis_type",
"analysis_version",
"tc_report"
],
"type": "object"
},
"type": "array"
}
},
"type": "object"
},
"crc32": {
"type": "string"
},
"dynamic_analysis": {
"properties": {
"entries": {
"items": {
"properties": {
"dynamic_analysis_report": {
"properties": {
"analysed_on": {
"type": "string"
},
"cuckoo_version": {
"type": "string"
},
"network": {
"properties": {
"udp_destinations": {
"items": {
"properties": {
"address": {
"type": "string"
},
"port": {
"type": "integer"
}
},
"required": [
"port",
"address"
],
"type": "object"
},
"type": "array"
}
},
"type": "object"
},
"summary": {
"properties": {
"mutexes": {
"items": {
"type": "string"
},
"type": "array"
}
},
"type": "object"
}
},
"type": "object"
},
"dynamic_analysis_report_joe_sandbox": {
"properties": {
"analysed_on": {
"type": "string"
},
"joe_sandbox_version": {
"type": "string"
}
},
"type": "object"
}
},
"required": [],
"type": "object"
},
"type": "array"
}
},
"type": "object"
},
"imphash": {
"type": "string"
},
"md5": {
"type": "string"
},
"relationships": {
"properties": {
"container_sample_sha1": {
"items": {
"type": "string"
},
"type": "array"
},
"parent_sample_sha1": {
"items": {
"type": "string"
},
"type": "array"
}
},
"type": "object"
},
"ripemd160": {
"type": "string"
},
"sample_size": {
"type": "integer"
},
"sha1": {
"type": "string"
},
"sha256": {
"type": "string"
},
"sha384": {
"type": "string"
},
"sha512": {
"type": "string"
},
"sources": {
"properties": {
"entries": {
"items": {
"properties": {
"properties": {
"items": {
"properties": {
"name": {
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"name",
"value"
],
"type": "object"
},
"type": "array"
},
"record_time": {
"type": "string"
},
"tag": {
"type": "string"
}
},
"required": [
"record_time",
"tag"
],
"type": "object"
},
"type": "array"
}
},
"type": "object"
},
"ssdeep": {
"type": "string"
},
"xref": {
"properties": {
"entries": {
"items": {
"properties": {
"info": {
"properties": {
"scanners": {
"items": {
"properties": {
"name": {
"type": "string"
},
"timestamp": {
"type": "string"
},
"version": {
"type": "string"
}
},
"required": [
"name",
"version",
"timestamp"
],
"type": "object"
},
"type": "array"
}
},
"type": "object"
},
"record_time": {
"type": "string"
},
"scanners": {
"items": {
"properties": {
"name": {
"type": "string"
},
"result": {
"type": "string"
}
},
"required": [
"name",
"result"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"record_time",
"scanners",
"info"
],
"type": "object"
},
"type": "array"
},
"first_seen": {
"type": "string"
},
"last_seen": {
"type": "string"
},
"sample_type": {
"type": "string"
}
},
"type": "object"
}
},
"type": "object"
}
},
"type": "object"
}
},
"type": "object"
}
}
}
},
"runAfter": {
"Initialize_variable": [
"Succeeded"
]
},
"type": "Foreach"
},
"For_each_hash_-_Multi-AV": {
"foreach": "@body('Entities_-_Get_FileHashes')?['Filehashes']",
"actions": {
"Add_comment_to_incident_(V3)": {
"runAfter": {
"For_each_-_xref": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"body": {
"incidentArmId": "@body('Alert_-_Get_incident')?['id']",
"message": "<p><strong>ReversingLabs Multi-AV Scan Records:<br>\n</strong>@{variables('Scanner results')}</p>"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/Incidents/Comment"
}
},
"For_each_-_xref": {
"foreach": "@body('Parse_JSON_-_multi-AV_scan')?['rl']?['sample']?['xref']",
"actions": {
"For_each_-_result": {
"foreach": "@items('For_each_-_xref')?['results']",
"actions": {
"Append_to_string_variable": {
"runAfter": {},
"type": "AppendToStringVariable",
"inputs": {
"name": "Scanner results",
"value": "@{items('For_each_-_result')?['scanner']} : @{items('For_each_-_result')?['result']}"
}
}
},
"runAfter": {},
"type": "Foreach"
}
},
"runAfter": {
"Parse_JSON_-_multi-AV_scan": [
"Succeeded"
]
},
"type": "Foreach"
},
"Get_Historic_Multi-AV_Scan_Records": {
"runAfter": {},
"type": "ApiConnection",
"inputs": {
"headers": {
"User-Agent": "SentinelPartner-ReversingLabs-ReversingLabs Intelligence/v1.0.0"
},
"host": {
"connection": {
"name": "@parameters('$connections')['reversinglabsintelligence']['connectionId']"
}
},
"method": "get",
"path": "/api/xref/v2/query/@{encodeURIComponent(items('For_each_hash_-_Multi-AV')?['Algorithm'])}/@{encodeURIComponent(items('For_each_hash_-_Multi-AV')?['Value'])}",
"queries": {
"format": "json",
"history": false
}
}
},
"Parse_JSON_-_multi-AV_scan": {
"runAfter": {
"Get_Historic_Multi-AV_Scan_Records": [
"Succeeded"
]
},
"type": "ParseJson",
"inputs": {
"content": "@body('Get_Historic_Multi-AV_Scan_Records')",
"schema": {
"properties": {
"rl": {
"properties": {
"sample": {
"properties": {
"first_scanned_on": {
"type": "string"
},
"first_seen_on": {
"type": "string"
},
"last_scanned_on": {
"type": "string"
},
"last_seen_on": {
"type": "string"
},
"md5": {
"type": "string"
},
"ripemd160": {
"type": "string"
},
"sample_size": {
"type": "integer"
},
"sample_type": {
"type": "string"
},
"sha1": {
"type": "string"
},
"sha256": {
"type": "string"
},
"sha384": {
"type": "string"
},
"sha512": {
"type": "string"
},
"single_scan": {
"type": "boolean"
},
"xref": {
"items": {
"properties": {
"results": {
"items": {
"properties": {
"result": {
"type": "string"
},
"scanner": {
"type": "string"
}
},
"required": [
"scanner",
"result"
],
"type": "object"
},
"type": "array"
},
"scanned_on": {
"type": "string"
},
"scanner_count": {
"type": "integer"
},
"scanner_match": {
"type": "integer"
},
"scanners": {
"items": {
"properties": {
"name": {
"type": "string"
},
"timestamp": {
"type": "string"
},
"version": {
"type": "string"
}
},
"required": [
"timestamp",
"version",
"name"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"scanner_match",
"scanner_count",
"scanners",
"scanned_on",
"results"
],
"type": "object"
},
"type": "array"
}
},
"type": "object"
}
},
"type": "object"
}
},
"type": "object"
}
}
}
},
"runAfter": {
"Initialize_variable": [
"Succeeded"
]
},
"type": "Foreach"
},
"Initialize_variable": {
"runAfter": {
"Entities_-_Get_FileHashes": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "Scanner results",
"type": "string"
}
]
}
}
},
"outputs": {}
},
"parameters": {
"$connections": {
"value": {
"azuresentinel": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
"connectionName": "[variables('AzureSentinelConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
},
"reversinglabsintelligence": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('ConnectorConnectionName'))]",
"connectionName": "[variables('ConnectorConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/reversinglabsintelligence')]"
}
}
}
}
}
}
]
}