Azure-Sentinel/Solutions/CohesitySecurity/Package/mainTemplate.json


{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"author": "Cohesity - support@cohesity.com",
"comments": "Solution template for CohesitySecurity"
},
"parameters": {
"location": {
"type": "string",
"minLength": 1,
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
}
},
"workspace-location": {
"type": "string",
"defaultValue": "",
"metadata": {
"description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
}
},
"workspace": {
"defaultValue": "",
"type": "string",
"metadata": {
"description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
}
}
},
"variables": {
"email": "support@cohesity.com",
"_email": "[variables('email')]",
"_solutionName": "CohesitySecurity",
"_solutionVersion": "3.0.0",
"solutionId": "cohesitydev1592001764720.cohesity_sentinel_data_connector",
"_solutionId": "[variables('solutionId')]",
"workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
"uiConfigId1": "CohesityDataConnector",
"_uiConfigId1": "[variables('uiConfigId1')]",
"dataConnectorContentId1": "CohesityDataConnector",
"_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
"dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
"_dataConnectorId1": "[variables('dataConnectorId1')]",
"dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))),variables('dataConnectorVersion1')))]",
"dataConnectorVersion1": "1.0.0",
"_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]",
"Cohesity_Send_Incident_Email": "Cohesity_Send_Incident_Email",
"_Cohesity_Send_Incident_Email": "[variables('Cohesity_Send_Incident_Email')]",
"playbookVersion1": "1.0",
"playbookContentId1": "Cohesity_Send_Incident_Email",
"_playbookContentId1": "[variables('playbookContentId1')]",
"playbookId1": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId1'))]",
"playbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId1'))),variables('playbookVersion1')))]",
"_playbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId1'),'-', variables('playbookVersion1'))))]",
"blanks": "[replace('b', 'b', '')]",
"Cohesity_Restore_From_Last_Snapshot": "Cohesity_Restore_From_Last_Snapshot",
"_Cohesity_Restore_From_Last_Snapshot": "[variables('Cohesity_Restore_From_Last_Snapshot')]",
"playbookVersion2": "1.0",
"playbookContentId2": "Cohesity_Restore_From_Last_Snapshot",
"_playbookContentId2": "[variables('playbookContentId2')]",
"playbookId2": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId2'))]",
"playbookTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId2'))),variables('playbookVersion2')))]",
"_playbookcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId2'),'-', variables('playbookVersion2'))))]",
"Cohesity_Close_Helios_Incident": "Cohesity_Close_Helios_Incident",
"_Cohesity_Close_Helios_Incident": "[variables('Cohesity_Close_Helios_Incident')]",
"playbookVersion3": "1.0",
"playbookContentId3": "Cohesity_Close_Helios_Incident",
"_playbookContentId3": "[variables('playbookContentId3')]",
"playbookId3": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId3'))]",
"playbookTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId3'))),variables('playbookVersion3')))]",
"_playbookcontentProductId3": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId3'),'-', variables('playbookVersion3'))))]",
"Cohesity_CreateOrUpdate_ServiceNow_Incident": "Cohesity_CreateOrUpdate_ServiceNow_Incident",
"_Cohesity_CreateOrUpdate_ServiceNow_Incident": "[variables('Cohesity_CreateOrUpdate_ServiceNow_Incident')]",
"playbookVersion4": "1.0",
"playbookContentId4": "Cohesity_CreateOrUpdate_ServiceNow_Incident",
"_playbookContentId4": "[variables('playbookContentId4')]",
"playbookId4": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId4'))]",
"playbookTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId4'))),variables('playbookVersion4')))]",
"_playbookcontentProductId4": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId4'),'-', variables('playbookVersion4'))))]",
"Cohesity_Delete_Incident_Blobs": "Cohesity_Delete_Incident_Blobs",
"_Cohesity_Delete_Incident_Blobs": "[variables('Cohesity_Delete_Incident_Blobs')]",
"playbookVersion5": "1.0",
"playbookContentId5": "Cohesity_Delete_Incident_Blobs",
"_playbookContentId5": "[variables('playbookContentId5')]",
"playbookId5": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId5'))]",
"playbookTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId5'))),variables('playbookVersion5')))]",
"_playbookcontentProductId5": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId5'),'-', variables('playbookVersion5'))))]",
"_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
},
"resources": [
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
"name": "[variables('dataConnectorTemplateSpecName1')]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "CohesitySecurity data connector with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorVersion1')]",
"parameters": {},
"variables": {},
"resources": [
{
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
"apiVersion": "2021-03-01-preview",
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
"location": "[parameters('workspace-location')]",
"kind": "GenericUI",
"properties": {
"connectorUiConfig": {
"id": "[variables('_uiConfigId1')]",
"title": "Cohesity (using Azure Functions)",
"publisher": "Cohesity",
"descriptionMarkdown": "The Cohesity function apps provide the ability to ingest Cohesity Datahawk ransomware alerts into Microsoft Sentinel.",
"additionalRequirementBanner": ">This data connector depends on two function apps - [one](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/CohesitySecurity/Data%20Connectors/Helios2Sentinel/IncidentProducer) gets the data about new incidents from Cohesity DataHawk, formats them and adds them to a queue; [another one](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/CohesitySecurity/Data%20Connectors/Helios2Sentinel/IncidentConsumer) takes them from the queue and stores them in the Microsoft Sentinel Incidents table. Each function app has its own configuration and depends on Blob Storage and Key Vault; both must be deployed and configured for data to arrive",
"graphQueries": [
{
"metricName": "Cohesity logs",
"legend": "Cohesity_CL",
"baseQuery": "Cohesity_CL"
}
],
"sampleQueries": [
{
"description": "All Cohesity logs",
"query": "Cohesity_CL\n| sort by TimeGenerated desc"
}
],
"dataTypes": [
{
"name": "Cohesity_CL",
"lastDataReceivedQuery": "Cohesity_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriterias": [
{
"type": "IsConnectedQuery",
"value": [
"Cohesity_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(1d)"
]
}
],
"availability": {
"status": 1,
"isPreview": false
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "read, write and delete permissions on the workspace are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"write": true,
"read": true,
"delete": true
}
},
{
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. The workspace shared key is a long-lived secret; store it in Azure Key Vault rather than in plain function app settings (see the optional Key Vault step below), and rotate it if it is ever exposed. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
"providerDisplayName": "Keys",
"scope": "Workspace",
"requiredPermissions": {
"action": true
}
}
],
"customs": [
{
"name": "Microsoft.Web/sites permissions",
"description": "Read and write permissions on Azure Functions are required to create a Function App. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)."
},
{
"name": "Azure Blob Storage connection string and container name",
"description": "Azure Blob Storage connection string and container name used by the function apps. The connection string is a credential for the storage account: store it in Azure Key Vault (see the optional Key Vault step below) rather than in plain app settings or source control."
}
]
},
"instructionSteps": [
{
"description": ">**NOTE:** This connector uses Azure Functions that connect to the Azure Blob Storage and KeyVault. This might result in additional costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/), [Azure Blob Storage pricing page](https://azure.microsoft.com/pricing/details/storage/blobs/) and [Azure KeyVault pricing page](https://azure.microsoft.com/pricing/details/key-vault/) for details."
},
{
"description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Functions App."
},
{
"description": "**STEP 1 - Get a Cohesity DataHawk API key (see troubleshooting [instruction 1](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/CohesitySecurity/Data%20Connectors/Helios2Sentinel/IncidentProducer))**"
},
{
"description": "**STEP 2 - Register Azure app ([link](https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/RegisteredApps)) and save the Application (client) ID, Directory (tenant) ID, and Secret Value ([instructions](https://learn.microsoft.com/en-us/azure/healthcare-apis/register-application)). Treat the client secret as a credential: store it in Azure Key Vault, not in plain app settings or source control. Grant the app the Azure Storage (user_impersonation) permission. Also, assign the 'Microsoft Sentinel Contributor' role to the application at the narrowest scope that works for your deployment (the Sentinel workspace's resource group rather than the whole subscription, where possible).**"
},
{
"description": "**STEP 3 - Deploy the connector and the associated Azure Functions**."
},
{
"description": "Use this method for automated deployment of the Cohesity data connector using an ARM Template.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-Cohesity-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the parameters that you created at the previous steps\n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**.\n5. Click **Purchase** to deploy.",
"title": "Azure Resource Manager (ARM) Template"
}
]
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
"properties": {
"parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
"contentId": "[variables('_dataConnectorContentId1')]",
"kind": "DataConnector",
"version": "[variables('dataConnectorVersion1')]",
"source": {
"kind": "Solution",
"name": "CohesitySecurity",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Cohesity",
"email": "[variables('_email')]"
},
"support": {
"tier": "Partner",
"name": "Cohesity",
"email": "support@cohesity.com",
"link": "https://support.cohesity.com/"
}
}
}
]
},
"packageKind": "Solution",
"packageVersion": "[variables('_solutionVersion')]",
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
"contentId": "[variables('_dataConnectorContentId1')]",
"contentKind": "DataConnector",
"displayName": "Cohesity (using Azure Functions)",
"contentProductId": "[variables('_dataConnectorcontentProductId1')]",
"id": "[variables('_dataConnectorcontentProductId1')]",
"version": "[variables('dataConnectorVersion1')]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
"dependsOn": [
"[variables('_dataConnectorId1')]"
],
"location": "[parameters('workspace-location')]",
"properties": {
"parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
"contentId": "[variables('_dataConnectorContentId1')]",
"kind": "DataConnector",
"version": "[variables('dataConnectorVersion1')]",
"source": {
"kind": "Solution",
"name": "CohesitySecurity",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Cohesity",
"email": "[variables('_email')]"
},
"support": {
"tier": "Partner",
"name": "Cohesity",
"email": "support@cohesity.com",
"link": "https://support.cohesity.com/"
}
}
},
{
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
"apiVersion": "2021-03-01-preview",
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
"location": "[parameters('workspace-location')]",
"kind": "GenericUI",
"properties": {
"connectorUiConfig": {
"title": "Cohesity (using Azure Functions)",
"publisher": "Cohesity",
"descriptionMarkdown": "The Cohesity function apps provide the ability to ingest Cohesity Datahawk ransomware alerts into Microsoft Sentinel.",
"graphQueries": [
{
"metricName": "Cohesity logs",
"legend": "Cohesity_CL",
"baseQuery": "Cohesity_CL"
}
],
"dataTypes": [
{
"name": "Cohesity_CL",
"lastDataReceivedQuery": "Cohesity_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriterias": [
{
"type": "IsConnectedQuery",
"value": [
"Cohesity_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(1d)"
]
}
],
"sampleQueries": [
{
"description": "All Cohesity logs",
"query": "Cohesity_CL\n| sort by TimeGenerated desc"
}
],
"availability": {
"status": 1,
"isPreview": false
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "read, write and delete permissions on the workspace are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"write": true,
"read": true,
"delete": true
}
},
{
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. The workspace shared key is a long-lived secret; store it in Azure Key Vault rather than in plain function app settings (see the optional Key Vault step below), and rotate it if it is ever exposed. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
"providerDisplayName": "Keys",
"scope": "Workspace",
"requiredPermissions": {
"action": true
}
}
],
"customs": [
{
"name": "Microsoft.Web/sites permissions",
"description": "Read and write permissions on Azure Functions are required to create a Function App. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)."
},
{
"name": "Azure Blob Storage connection string and container name",
"description": "Azure Blob Storage connection string and container name used by the function apps. The connection string is a credential for the storage account: store it in Azure Key Vault (see the optional Key Vault step below) rather than in plain app settings or source control."
}
]
},
"instructionSteps": [
{
"description": ">**NOTE:** This connector uses Azure Functions that connect to the Azure Blob Storage and KeyVault. This might result in additional costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/), [Azure Blob Storage pricing page](https://azure.microsoft.com/pricing/details/storage/blobs/) and [Azure KeyVault pricing page](https://azure.microsoft.com/pricing/details/key-vault/) for details."
},
{
"description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Functions App."
},
{
"description": "**STEP 1 - Get a Cohesity DataHawk API key (see troubleshooting [instruction 1](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/CohesitySecurity/Data%20Connectors/Helios2Sentinel/IncidentProducer))**"
},
{
"description": "**STEP 2 - Register Azure app ([link](https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/RegisteredApps)) and save the Application (client) ID, Directory (tenant) ID, and Secret Value ([instructions](https://learn.microsoft.com/en-us/azure/healthcare-apis/register-application)). Treat the client secret as a credential: store it in Azure Key Vault, not in plain app settings or source control. Grant the app the Azure Storage (user_impersonation) permission. Also, assign the 'Microsoft Sentinel Contributor' role to the application at the narrowest scope that works for your deployment (the Sentinel workspace's resource group rather than the whole subscription, where possible).**"
},
{
"description": "**STEP 3 - Deploy the connector and the associated Azure Functions**."
},
{
"description": "Use this method for automated deployment of the Cohesity data connector using an ARM Template.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-Cohesity-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the parameters that you created at the previous steps\n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**.\n5. Click **Purchase** to deploy.",
"title": "Azure Resource Manager (ARM) Template"
}
],
"id": "[variables('_uiConfigId1')]",
"additionalRequirementBanner": ">This data connector depends on two function apps - [one](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/CohesitySecurity/Data%20Connectors/Helios2Sentinel/IncidentProducer) gets the data about new incidents from Cohesity DataHawk, formats them and adds them to a queue; [another one](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/CohesitySecurity/Data%20Connectors/Helios2Sentinel/IncidentConsumer) takes them from the queue and stores them in the Microsoft Sentinel Incidents table. Each function app has its own configuration and depends on Blob Storage and Key Vault; both must be deployed and configured for data to arrive"
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
"name": "[variables('playbookTemplateSpecName1')]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "My_Cohesity_Send_Incident_Email Playbook with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion1')]",
"parameters": {
"PlaybookName": {
"defaultValue": "My_Cohesity_Send_Incident_Email",
"type": "string"
},
"EmailID": {
"type": "string",
"metadata": {
"description": "Enter value for EmailID"
}
}
},
"variables": {
"MicrosoftSentinelConnectionName": "[[concat('MicrosoftSentinel-', parameters('PlaybookName'))]",
"OutlookConnectionName": "[[concat('Outlook-', parameters('PlaybookName'))]",
"connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]",
"_connection-2": "[[variables('connection-2')]",
"connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Outlook')]",
"_connection-3": "[[variables('connection-3')]",
"workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
"workspace-name": "[parameters('workspace')]",
"workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
},
"resources": [
{
"properties": {
"provisioningState": "Succeeded",
"state": "Enabled",
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"$connections": {
"type": "Object"
},
"EmailID": {
"defaultValue": "[[parameters('EmailID')]",
"type": "string"
}
},
"triggers": {
"Microsoft_Sentinel_incident": {
"type": "ApiConnectionWebhook",
"inputs": {
"body": {
"callback_url": "@{listCallbackUrl()}"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"path": "/incident-creation"
}
}
},
"actions": {
"Initialize_variable": {
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "EmailBody",
"type": "string"
}
]
}
},
"Send_email_(V2)": {
"runAfter": {
"Set_variable_2": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"body": {
"Body": "<p>@{variables('EmailBody')}</p>",
"Importance": "Normal",
"Subject": "Cohesity Alert",
"To": "@parameters('EmailID')"
},
"host": {
"connection": {
"name": "@parameters('$connections')['outlook']['connectionId']"
}
},
"method": "post",
"path": "/v2/Mail"
}
},
"Set_variable_2": {
"runAfter": {
"Initialize_variable": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "EmailBody",
"value": "<p>Hello SecurityTeam,</p>\n<p>You have a Cohesity incident from Microsoft Sentinel. Below is information:</p>\n\n<ul>\n<li><strong>Incident ARM Name:&nbsp;</strong>@{triggerBody()?['object']?['name']}</li>\n<li><strong>Description</strong>: @{triggerBody()?['object']?['properties']?['description']}</li>\n<li><strong>Severity</strong>: @{triggerBody()?['object']?['properties']?['severity']}</li>\n<li><strong>Incident ID</strong>: @{triggerBody()?['object']?['properties']?['incidentNumber']}</li>\n<li><strong>Incident Create Time Utc</strong>: @{triggerBody()?['object']?['properties']?['createdTimeUtc']}</li>\n<li><strong>Incident URL</strong>: @{triggerBody()?['object']?['properties']?['incidentUrl']}</li>\n</ul>\n\n<p>Please review and update incident accordingly.</p>\n<p>Cohesity Team</p>"
}
}
}
},
"parameters": {
"$connections": {
"value": {
"azuresentinel": {
"connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
"connectionName": "[[variables('MicrosoftSentinelConnectionName')]",
"id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]",
"connectionProperties": {
"authentication": {
"type": "ManagedServiceIdentity"
}
}
},
"outlook": {
"connectionId": "[[resourceId('Microsoft.Web/connections', variables('OutlookConnectionName'))]",
"connectionName": "[[variables('OutlookConnectionName')]",
"id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Outlook')]"
}
}
}
}
},
"name": "[[parameters('PlaybookName')]",
"type": "Microsoft.Logic/workflows",
"location": "[[variables('workspace-location-inline')]",
"tags": {
"hidden-SentinelTemplateName": "My_Cohesity_Send_Incident_Email",
"hidden-SentinelTemplateVersion": "1.0",
"hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
},
"identity": {
"type": "SystemAssigned"
},
"apiVersion": "2019-05-01",
"dependsOn": [
"[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
"[[resourceId('Microsoft.Web/connections', variables('OutlookConnectionName'))]"
]
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[[variables('MicrosoftSentinelConnectionName')]",
"location": "[[variables('workspace-location-inline')]",
"kind": "V1",
"properties": {
"displayName": "[[variables('MicrosoftSentinelConnectionName')]",
"parameterValueType": "Alternative",
"api": {
"id": "[[variables('_connection-2')]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[[variables('OutlookConnectionName')]",
"location": "[[variables('workspace-location-inline')]",
"kind": "V1",
"properties": {
"displayName": "[[variables('OutlookConnectionName')]",
"api": {
"id": "[[variables('_connection-3')]"
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId1'),'/'))))]",
"properties": {
"parentId": "[variables('playbookId1')]",
"contentId": "[variables('_playbookContentId1')]",
"kind": "Playbook",
"version": "[variables('playbookVersion1')]",
"source": {
"kind": "Solution",
"name": "CohesitySecurity",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Cohesity",
"email": "[variables('_email')]"
},
"support": {
"tier": "Partner",
"name": "Cohesity",
"email": "support@cohesity.com",
"link": "https://support.cohesity.com/"
}
}
}
],
"metadata": {
"title": "Cohesity Incident Email",
"description": "This playbook sends an email to the configured recipient with details of the triggering incident (ARM name, description, severity, incident number, creation time and incident URL). The incident fields are inserted into the HTML email body without HTML encoding, so any markup present in an incident description may be rendered as-is by the recipient's mail client.",
"prerequisites": "Create a distribution list (email) that will be used for sending out incident notifications.",
"postDeployment": [
"To enable this playbook, you need to authorize the Outlook connection. The Microsoft Sentinel connection authenticates with the playbook's system-assigned managed identity, so that identity must also be granted the appropriate Microsoft Sentinel role on the workspace before the incident trigger can run."
],
"lastUpdateTime": "2022-12-23T10:57:00Z",
"entities": [
"Malware"
],
"tags": [
"SOAR",
"Email Notification",
"Threat Response"
],
"releaseNotes": {
"version": "1.0",
"title": "[variables('blanks')]",
"notes": [
"Initial version"
]
}
}
},
"packageKind": "Solution",
"packageVersion": "[variables('_solutionVersion')]",
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
"contentId": "[variables('_playbookContentId1')]",
"contentKind": "Playbook",
"displayName": "My_Cohesity_Send_Incident_Email",
"contentProductId": "[variables('_playbookcontentProductId1')]",
"id": "[variables('_playbookcontentProductId1')]",
"version": "[variables('playbookVersion1')]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
"name": "[variables('playbookTemplateSpecName2')]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "My_Cohesity_Restore_From_Last_Snapshot Playbook with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion2')]",
"parameters": {
"PlaybookName": {
"defaultValue": "My_Cohesity_Restore_From_Last_Snapshot",
"type": "String"
}
},
"variables": {
"AzureblobConnectionName": "[[concat('Azureblob-', parameters('PlaybookName'))]",
"MicrosoftSentinelConnectionName": "[[concat('MicrosoftSentinel-', parameters('PlaybookName'))]",
"KeyvaultConnectionName": "[[concat('Keyvault-', parameters('PlaybookName'))]",
"connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azureblob')]",
"_connection-2": "[[variables('connection-2')]",
"connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]",
"_connection-3": "[[variables('connection-3')]",
"connection-4": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Keyvault')]",
"_connection-4": "[[variables('connection-4')]",
"workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
"workspace-name": "[parameters('workspace')]",
"workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
},
"resources": [
{
"type": "Microsoft.Logic/workflows",
"apiVersion": "2019-05-01",
"name": "[[parameters('PlaybookName')]",
"location": "[[variables('workspace-location-inline')]",
"dependsOn": [
"[[resourceId('Microsoft.Web/connections', variables('AzureblobConnectionName'))]",
"[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
"[[resourceId('Microsoft.Web/connections', variables('KeyvaultConnectionName'))]"
],
"tags": {
"hidden-SentinelTemplateName": "Cohesity_Restore_From_Last_Snapshot",
"hidden-SentinelTemplateVersion": "1.0",
"hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
},
"identity": {
"type": "SystemAssigned"
},
"properties": {
"provisioningState": "Succeeded",
"state": "Enabled",
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"$connections": {
"type": "Object"
}
},
"triggers": {
"Microsoft_Sentinel_incident": {
"type": "ApiConnectionWebhook",
"inputs": {
"body": {
"callback_url": "@{listCallbackUrl()}"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"path": "/incident-creation"
}
}
},
"actions": {
"Get_cid_from_blob_content": {
"runAfter": {
"Get_jobId_from_blob_content": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['azureblob']['connectionId']"
}
},
"method": "get",
"path": "/v2/datasets/@{encodeURIComponent(encodeURIComponent('AccountNameFromSettings'))}/GetFileContentByPath",
"queries": {
"inferContentType": true,
"path": "/cohesity-extra-parameters/@{variables('helioID')}/cid",
"queryParametersSingleEncoded": true
}
}
},
"Get_entityId_from_blob_content": {
"runAfter": {
"Get_jobInstanceId_from_blob_content": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['azureblob']['connectionId']"
}
},
"method": "get",
"path": "/v2/datasets/@{encodeURIComponent(encodeURIComponent('AccountNameFromSettings'))}/GetFileContentByPath",
"queries": {
"inferContentType": true,
"path": "/cohesity-extra-parameters/@{variables('helioID')}/entityId",
"queryParametersSingleEncoded": true
}
}
},
"Get_jobId_from_blob_content": {
"runAfter": {
"Initialize_HelioID": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['azureblob']['connectionId']"
}
},
"method": "get",
"path": "/v2/datasets/@{encodeURIComponent(encodeURIComponent('AccountNameFromSettings'))}/GetFileContentByPath",
"queries": {
"inferContentType": true,
"path": "/cohesity-extra-parameters/@{variables('helioID')}/jobId",
"queryParametersSingleEncoded": true
}
}
},
"Get_jobInstanceId_from_blob_content": {
"runAfter": {
"Get_jobStartTimeUsecs_from_blob_content": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['azureblob']['connectionId']"
}
},
"method": "get",
"path": "/v2/datasets/@{encodeURIComponent(encodeURIComponent('AccountNameFromSettings'))}/GetFileContentByPath",
"queries": {
"inferContentType": true,
"path": "/cohesity-extra-parameters/@{variables('helioID')}/jobInstanceId",
"queryParametersSingleEncoded": true
}
}
},
"Get_jobStartTimeUsecs_from_blob_content": {
"runAfter": {
"Get_cid_from_blob_content": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['azureblob']['connectionId']"
}
},
"method": "get",
"path": "/v2/datasets/@{encodeURIComponent(encodeURIComponent('AccountNameFromSettings'))}/GetFileContentByPath",
"queries": {
"inferContentType": true,
"path": "/cohesity-extra-parameters/@{variables('helioID')}/jobStartTimeUsecs",
"queryParametersSingleEncoded": true
}
}
},
"Get_object_from_blob_content": {
"runAfter": {
"Get_entityId_from_blob_content": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['azureblob']['connectionId']"
}
},
"method": "get",
"path": "/v2/datasets/@{encodeURIComponent(encodeURIComponent('AccountNameFromSettings'))}/GetFileContentByPath",
"queries": {
"inferContentType": true,
"path": "/cohesity-extra-parameters/@{variables('helioID')}/object",
"queryParametersSingleEncoded": true
}
}
},
"Get_secret": {
"runAfter": {
"Get_object_from_blob_content": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['keyvault']['connectionId']"
}
},
"method": "get",
"path": "/secrets/@{encodeURIComponent('ApiKey')}/value"
}
},
"HTTP": {
"runAfter": {
"Get_secret": [
"Succeeded"
]
},
"type": "Http",
"inputs": {
"body": {
"name": "Sentinel_triggered_restore_task_@{body('Get_object_from_blob_content')}",
"objects": [
{
"jobId": "@int(string(body('Get_jobId_from_blob_content')))",
"jobRunId": "@int(string(body('Get_jobInstanceId_from_blob_content')))",
"protectionSourceId": "@int(string(body('Get_entityId_from_blob_content')))",
"sourceName": "@{body('Get_object_from_blob_content')}",
"startedTimeUsecs": "@int(string(body('Get_jobStartTimeUsecs_from_blob_content')))"
}
],
"type": "kRecoverVMs",
"vmwareParameters": {
"powerOffAndRenameExistingVm": true,
"poweredOn": true,
"prefix": "Recover-",
"recoveryProcessType": "kCopyRecovery",
"suffix": "-VM"
}
},
"headers": {
"Content-Type": "application/json",
"apiKey": "@body('Get_secret')?['value']",
"clusterid": "@{body('Get_cid_from_blob_content')}"
},
"method": "POST",
"uri": "https://helios.cohesity.com/irisservices/api/v1/public/restore/recover"
}
},
"Initialize_Description": {
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "description",
"type": "string",
"value": "@triggerBody()?['object']?['properties']?['description']"
}
]
}
},
"Initialize_HelioID": {
"runAfter": {
"Initialize_Description": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "helioID",
"type": "string",
"value": "@{split(variables('description'), 'Helios ID: ')[1]}"
}
]
}
}
}
},
"parameters": {
"$connections": {
"value": {
"azureblob": {
"connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureblobConnectionName'))]",
"connectionName": "[[variables('AzureblobConnectionName')]",
"id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azureblob')]"
},
"azuresentinel": {
"connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
"connectionName": "[[variables('MicrosoftSentinelConnectionName')]",
"id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]",
"connectionProperties": {
"authentication": {
"type": "ManagedServiceIdentity"
}
}
},
"keyvault": {
"connectionId": "[[resourceId('Microsoft.Web/connections', variables('KeyvaultConnectionName'))]",
"connectionName": "[[variables('KeyvaultConnectionName')]",
"id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Keyvault')]",
"connectionProperties": {
"authentication": {
"type": "ManagedServiceIdentity"
}
}
}
}
}
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[[variables('AzureblobConnectionName')]",
"location": "[[variables('workspace-location-inline')]",
"kind": "V1",
"properties": {
"displayName": "[[variables('AzureblobConnectionName')]",
"api": {
"id": "[[variables('_connection-2')]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[[variables('MicrosoftSentinelConnectionName')]",
"location": "[[variables('workspace-location-inline')]",
"kind": "V1",
"properties": {
"displayName": "[[variables('MicrosoftSentinelConnectionName')]",
"parameterValueType": "Alternative",
"api": {
"id": "[[variables('_connection-3')]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[[variables('KeyvaultConnectionName')]",
"location": "[[variables('workspace-location-inline')]",
"kind": "V1",
"properties": {
"displayName": "[[variables('KeyvaultConnectionName')]",
"api": {
"id": "[[variables('_connection-4')]"
},
"parameterValueType": "Alternative",
"alternativeParameterValues": {
"vaultName": "[[concat('cohesitypro', uniqueString(resourceGroup().id))]"
},
"nonSecretParameterValues": {
"vaultName": "[[concat('cohesitypro', uniqueString(resourceGroup().id))]"
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId2'),'/'))))]",
"properties": {
"parentId": "[variables('playbookId2')]",
"contentId": "[variables('_playbookContentId2')]",
"kind": "Playbook",
"version": "[variables('playbookVersion2')]",
"source": {
"kind": "Solution",
"name": "CohesitySecurity",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Cohesity",
"email": "[variables('_email')]"
},
"support": {
"tier": "Partner",
"name": "Cohesity",
"email": "support@cohesity.com",
"link": "https://support.cohesity.com/"
}
}
}
],
"metadata": {
"title": "Restore From Last Cohesity Snapshot",
"description": "This playbook restores the latest known-good Cohesity DataHawk (Helios) snapshot.",
"prerequisites": "Deploy the Cohesity configuration and function apps (see details [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CohesitySecurity/Playbooks/Cohesity_Restore_From_Last_Snapshot/readme.md)).",
"postDeployment": [
"Authorize all connections."
],
"lastUpdateTime": "2023-01-13T10:02:00Z",
"entities": [
"Malware"
],
"tags": [
"DataHawk",
"SOAR",
"Cohesity",
"Threat Response"
],
"releaseNotes": {
"version": "1.0",
"title": "[variables('blanks')]",
"notes": [
"Initial version"
]
}
}
},
"packageKind": "Solution",
"packageVersion": "[variables('_solutionVersion')]",
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
"contentId": "[variables('_playbookContentId2')]",
"contentKind": "Playbook",
"displayName": "My_Cohesity_Restore_From_Last_Snapshot",
"contentProductId": "[variables('_playbookcontentProductId2')]",
"id": "[variables('_playbookcontentProductId2')]",
"version": "[variables('playbookVersion2')]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
"name": "[variables('playbookTemplateSpecName3')]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "My_Cohesity_Close_Helios_Incident Playbook with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion3')]",
"parameters": {
"PlaybookName": {
"defaultValue": "My_Cohesity_Close_Helios_Incident",
"type": "String"
}
},
"variables": {
"MicrosoftSentinelConnectionName": "[[concat('MicrosoftSentinel-', parameters('PlaybookName'))]",
"KeyvaultConnectionName": "[[concat('Keyvault-', parameters('PlaybookName'))]",
"connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]",
"_connection-2": "[[variables('connection-2')]",
"connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Keyvault')]",
"_connection-3": "[[variables('connection-3')]",
"workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
"workspace-name": "[parameters('workspace')]",
"workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
},
"resources": [
{
"type": "Microsoft.Logic/workflows",
"apiVersion": "2017-07-01",
"name": "[[parameters('PlaybookName')]",
"location": "[[variables('workspace-location-inline')]",
"dependsOn": [
"[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
"[[resourceId('Microsoft.Web/connections', variables('KeyvaultConnectionName'))]"
],
"tags": {
"hidden-SentinelTemplateName": "Cohesity_Close_Helios_Incident",
"hidden-SentinelTemplateVersion": "1.0",
"hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
},
"identity": {
"type": "SystemAssigned"
},
"properties": {
"provisioningState": "Succeeded",
"state": "Enabled",
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"$connections": {
"type": "Object"
}
},
"triggers": {
"Microsoft_Sentinel_incident": {
"type": "ApiConnectionWebhook",
"inputs": {
"body": {
"callback_url": "@{listCallbackUrl()}"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"path": "/incident-creation"
}
}
},
"actions": {
"Get_secret": {
"runAfter": {
"Initialize_HelioID": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['keyvault']['connectionId']"
}
},
"method": "get",
"path": "/secrets/@{encodeURIComponent('ApiKey')}/value"
}
},
"HTTP": {
"runAfter": {
"Get_secret": [
"Succeeded"
]
},
"type": "Http",
"inputs": {
"body": {
"status": "kSuppressed"
},
"headers": {
"Content-Type": "application/json",
"apiKey": "@body('Get_secret')?['value']"
},
"method": "Patch",
"uri": "https://helios.cohesity.com/mcm/alerts/@{variables('helioID')}"
}
},
"Initialize_Description": {
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "description",
"type": "string",
"value": "@triggerBody()?['object']?['properties']?['description']"
}
]
}
},
"Initialize_HelioID": {
"runAfter": {
"Initialize_Description": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "helioID",
"type": "string",
"value": "@{split(variables('description'), 'Helios ID: ')[1]}"
}
]
}
}
}
},
"parameters": {
"$connections": {
"value": {
"azuresentinel": {
"connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
"connectionName": "[[variables('MicrosoftSentinelConnectionName')]",
"id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]",
"connectionProperties": {
"authentication": {
"type": "ManagedServiceIdentity"
}
}
},
"keyvault": {
"connectionId": "[[resourceId('Microsoft.Web/connections', variables('KeyvaultConnectionName'))]",
"connectionName": "[[variables('KeyvaultConnectionName')]",
"id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Keyvault')]",
"connectionProperties": {
"authentication": {
"type": "ManagedServiceIdentity"
}
}
}
}
}
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[[variables('MicrosoftSentinelConnectionName')]",
"location": "[[variables('workspace-location-inline')]",
"kind": "V1",
"properties": {
"displayName": "[[variables('MicrosoftSentinelConnectionName')]",
"parameterValueType": "Alternative",
"api": {
"id": "[[variables('_connection-2')]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[[variables('KeyvaultConnectionName')]",
"location": "[[variables('workspace-location-inline')]",
"kind": "V1",
"properties": {
"api": {
"id": "[[variables('_connection-3')]",
"type": "Microsoft.Web/locations/managedApis"
},
"parameterValueType": "Alternative",
"alternativeParameterValues": {
"vaultName": "[[concat('cohesitypro', uniqueString(resourceGroup().id))]"
},
"nonSecretParameterValues": {
"vaultName": "[[concat('cohesitypro', uniqueString(resourceGroup().id))]"
},
"displayName": "[[variables('KeyvaultConnectionName')]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId3'),'/'))))]",
"properties": {
"parentId": "[variables('playbookId3')]",
"contentId": "[variables('_playbookContentId3')]",
"kind": "Playbook",
"version": "[variables('playbookVersion3')]",
"source": {
"kind": "Solution",
"name": "CohesitySecurity",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Cohesity",
"email": "[variables('_email')]"
},
"support": {
"tier": "Partner",
"name": "Cohesity",
"email": "support@cohesity.com",
"link": "https://support.cohesity.com/"
}
}
}
],
"metadata": {
"title": "Close Cohesity Helios Incident",
"description": "This playbook closes the corresponding Cohesity DataHawk (Helios) ticket.",
"prerequisites": "Deploy the Cohesity configuration and function apps (see details [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CohesitySecurity/Playbooks/Cohesity_Close_Helios_Incident/readme.md)).",
"postDeployment": [
"Grant Key Vault permissions to the playbook's managed identity."
],
"lastUpdateTime": "2023-01-13T10:02:00Z",
"entities": [
"Malware"
],
"tags": [
"DataHawk",
"SOAR",
"Cohesity",
"Threat Response"
],
"releaseNotes": {
"version": "1.0",
"title": "[variables('blanks')]",
"notes": [
"Initial version"
]
}
}
},
"packageKind": "Solution",
"packageVersion": "[variables('_solutionVersion')]",
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
"contentId": "[variables('_playbookContentId3')]",
"contentKind": "Playbook",
"displayName": "My_Cohesity_Close_Helios_Incident",
"contentProductId": "[variables('_playbookcontentProductId3')]",
"id": "[variables('_playbookcontentProductId3')]",
"version": "[variables('playbookVersion3')]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
"name": "[variables('playbookTemplateSpecName4')]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "My_Cohesity_CreateOrUpdate_ServiceNow_Incident Playbook with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion4')]",
"parameters": {
"PlaybookName": {
"defaultValue": "My_Cohesity_CreateOrUpdate_ServiceNow_Incident",
"type": "string"
}
},
"variables": {
"MicrosoftsentinelConnectionName": "[[concat('Microsoftsentinel-', parameters('PlaybookName'))]",
"ServiceNowConnectionName": "[[concat('Service-Now-', parameters('PlaybookName'))]",
"connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]",
"_connection-2": "[[variables('connection-2')]",
"connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Service-Now')]",
"_connection-3": "[[variables('connection-3')]",
"workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
"workspace-name": "[parameters('workspace')]",
"workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
},
"resources": [
{
"properties": {
"provisioningState": "Succeeded",
"state": "Enabled",
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"$connections": {
"type": "Object"
}
},
"triggers": {
"Microsoft_Sentinel_incident": {
"type": "ApiConnectionWebhook",
"inputs": {
"body": {
"callback_url": "@{listCallbackUrl()}"
},
"host": {
"connection": {
"name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
}
},
"path": "/incident-creation"
}
}
},
"actions": {
"Condition_-_create_or_update_incident": {
"actions": {
"Create_Record": {
"runAfter": {
"Switch": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"body": {
"comments": "Link to Microsoft Sentinel Incident: [code]<a href=\"@{triggerBody()?['object']?['properties']?['incidentUrl']}\" target=\"_blank\" rel=\"noopener noreferrer\">Incident_URL</a>[/code] ",
"description": "Incident description: @{triggerBody()?['object']?['properties']?['description']};\nSeverity: @{triggerBody()?['object']?['properties']?['severity']};\nAlerts: @{join(triggerBody()?['object']?['properties']?['additionalData']?['alertProductNames'],'; ')};",
"impact": "@variables('Creation severity')",
"number": "@triggerBody()?['object']?['name']",
"short_description": "@triggerBody()?['object']?['properties']?['title']",
"urgency": "@variables('Creation severity')"
},
"host": {
"connection": {
"name": "@parameters('$connections')['service-now_1']['connectionId']"
}
},
"method": "post",
"path": "/api/now/v2/table/@{encodeURIComponent('incident')}",
"queries": {
"sysparm_display_value": true,
"sysparm_exclude_reference_link": false
}
}
},
"Switch": {
"cases": {
"Case_Severity_High": {
"case": "High",
"actions": {
"Set_Severity_variable_to_High": {
"type": "SetVariable",
"inputs": {
"name": "Creation severity",
"value": "1"
}
}
}
},
"Case_Severity_Medium": {
"case": "Medium",
"actions": {
"Set_Severity_variable_to_Medium": {
"type": "SetVariable",
"inputs": {
"name": "Creation severity",
"value": "2"
}
}
}
}
},
"expression": "@triggerBody()?['object']?['properties']?['severity']",
"type": "Switch"
},
"Update_incident": {
"runAfter": {
"Create_Record": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"body": {
"incidentArmId": "@triggerBody()?['object']?['id']",
"tagsToAdd": {
"TagsToAdd": [
{
"Tag": "SNOW System ID: @{body('Create_Record')?['result']?['sys_id']}"
}
]
}
},
"host": {
"connection": {
"name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
}
},
"method": "put",
"path": "/Incidents"
}
}
},
"runAfter": {
"Initialize_variable_-_creation_severity": [
"Succeeded"
]
},
"else": {
"actions": {
"For_each": {
"foreach": "@triggerBody()?['object']?['properties']?['labels']",
"actions": {
"Condition": {
"actions": {
"Condition_-_is_incident_closed": {
"actions": {
"Update_Record_-_Incident_closed": {
"type": "ApiConnection",
"inputs": {
"body": {
"caller_id": "@triggerBody()?['incidentUpdates']?['updatedBy']?['name']",
"close_code": "Resolved by Caller",
"close_notes": "Classification: @{triggerBody()?['object']?['properties']?['classification']}\nClassification reason: @{triggerBody()?['object']?['properties']?['classificationReason']}\nClassification comment: @{triggerBody()?['object']?['properties']?['classificationComment']}",
"state": "7"
},
"host": {
"connection": {
"name": "@parameters('$connections')['service-now_1']['connectionId']"
}
},
"method": "put",
"path": "/api/now/v2/table/@{encodeURIComponent('incident')}/@{encodeURIComponent(variables('SNOW System ID'))}",
"queries": {
"sysparm_display_value": false,
"sysparm_exclude_reference_link": true
}
}
}
},
"runAfter": {
"Set_variable_-_SNOW_System_ID": [
"Succeeded"
]
},
"else": {
"actions": {
"Condition_-_alert_updated": {
"actions": {
"Compose_alert": {
"runAfter": {
"For_each_-_new_alert": [
"Succeeded"
]
},
"type": "Compose",
"inputs": "Alerts: @{variables('New alert')}"
},
"For_each_-_new_alert": {
"foreach": "@triggerBody()?['incidentUpdates']?['alerts']",
"actions": {
"Append_to_string_variable_-_alert": {
"type": "AppendToStringVariable",
"inputs": {
"name": "New alert",
"value": "@concat(items('For_each_-_new_alert')?['properties']?['alertDisplayName'], '; ')"
}
}
},
"type": "Foreach"
}
},
"runAfter": {
"Condition_-_comment_updated": [
"Succeeded"
]
},
"expression": {
"and": [
{
"contains": [
"@triggerBody()?['incidentUpdates']?['updatedFields']",
"Alerts"
]
}
]
},
"type": "If"
},
"Condition_-_comment_updated": {
"actions": {
"Compose_comment": {
"runAfter": {
"For_each_-_new_comment": [
"Succeeded"
]
},
"type": "Compose",
"inputs": "Comment: @{variables('New comments')}"
},
"For_each_-_new_comment": {
"foreach": "@triggerBody()?['incidentUpdates']?['comments']",
"actions": {
"Append_to_string_variable_-_comment": {
"type": "AppendToStringVariable",
"inputs": {
"name": "New comments",
"value": "@concat(items('For_each_-_new_comment')?['properties']?['message'], '; ')"
}
}
},
"type": "Foreach"
}
},
"expression": {
"and": [
{
"contains": [
"@triggerBody()?['incidentUpdates']?['updatedFields']",
"Comments"
]
}
]
},
"type": "If"
},
"Condition_-_owner_update": {
"actions": {
"Append_to_string_variable_-_owner": {
"type": "AppendToStringVariable",
"inputs": {
"name": "New owner",
"value": "@triggerBody()?['object']?['properties']?['owner']?['assignedTo']"
}
},
"Compose_owner": {
"runAfter": {
"Append_to_string_variable_-_owner": [
"Succeeded"
]
},
"type": "Compose",
"inputs": "Owner: @{variables('New owner')}"
}
},
"runAfter": {
"Condition_-_tag_updated": [
"Succeeded"
]
},
"expression": {
"and": [
{
"contains": [
"@triggerBody()?['incidentUpdates']?['updatedFields']",
"Owner"
]
}
]
},
"type": "If"
},
"Condition_-_severity_update": {
"actions": {
"Append_to_string_variable_-_severity": {
"type": "AppendToStringVariable",
"inputs": {
"name": "New severity",
"value": "@triggerBody()?['object']?['properties']?['severity']"
}
},
"Compose_severity": {
"runAfter": {
"Append_to_string_variable_-_severity": [
"Succeeded"
]
},
"type": "Compose",
"inputs": "Severity: @{variables('New severity')}"
}
},
"runAfter": {
"Condition_-_owner_update": [
"Succeeded"
]
},
"expression": {
"and": [
{
"contains": [
"@triggerBody()?['incidentUpdates']?['updatedFields']",
"Severity"
]
}
]
},
"type": "If"
},
"Condition_-_status_update": {
"actions": {
"Append_to_string_variable_-_status": {
"type": "AppendToStringVariable",
"inputs": {
"name": "New status",
"value": "@triggerBody()?['object']?['properties']?['status']"
}
},
"Compose_status": {
"runAfter": {
"Append_to_string_variable_-_status": [
"Succeeded"
]
},
"type": "Compose",
"inputs": "Status: @{variables('New status')}"
}
},
"runAfter": {
"Condition_-_tactics_update": [
"Succeeded"
]
},
"expression": {
"and": [
{
"contains": [
"@triggerBody()?['incidentUpdates']?['updatedFields']",
"Status"
]
}
]
},
"type": "If"
},
"Condition_-_tactics_update": {
"actions": {
"Compose_tactics": {
"type": "Compose",
"inputs": "Tactics: @{join(triggerBody()?['incidentUpdates']?['tactics'], '; ')}"
}
},
"runAfter": {
"Condition_-_severity_update": [
"Succeeded"
]
},
"expression": {
"and": [
{
"contains": [
"@triggerBody()?['incidentUpdates']?['updatedFields']",
"Tactics"
]
}
]
},
"type": "If"
},
"Condition_-_tag_updated": {
"actions": {
"Compose_tag": {
"runAfter": {
"For_each_-_new_tag": [
"Succeeded"
]
},
"type": "Compose",
"inputs": "Tags: @{variables('New tag')}"
},
"For_each_-_new_tag": {
"foreach": "@triggerBody()?['incidentUpdates']?['labels']",
"actions": {
"Append_to_string_variable_-_tag": {
"type": "AppendToStringVariable",
"inputs": {
"name": "New tag",
"value": "@concat(items('For_each_-_new_tag')?['labelName'], '; ')"
}
}
},
"type": "Foreach"
}
},
"runAfter": {
"Condition_-_alert_updated": [
"Succeeded"
]
},
"expression": {
"and": [
{
"contains": [
"@triggerBody()?['incidentUpdates']?['updatedFields']",
"Labels"
]
}
]
},
"type": "If"
},
"Update_Record_-_incident_not_closed": {
"runAfter": {
"Condition_-_status_update": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"body": {
"comments": "Microsoft Sentinel incident is updated:\n\nUpdate fields: @{join(triggerBody()?['incidentUpdates']?['updatedFields'], '; ')}\nUpdate by: @{triggerBody()?['incidentUpdates']?['updatedBy']?['name']}\n\nNew values:\n@{outputs('Compose_alert')}\n@{outputs('Compose_severity')}\n@{outputs('Compose_owner')}\n@{outputs('Compose_status')}\n@{outputs('Compose_tag')}\n@{outputs('Compose_comment')}\n@{outputs('Compose_tactics')}"
},
"host": {
"connection": {
"name": "@parameters('$connections')['service-now_1']['connectionId']"
}
},
"method": "put",
"path": "/api/now/v2/table/@{encodeURIComponent('incident')}/@{encodeURIComponent(variables('SNOW System ID'))}",
"queries": {
"sysparm_display_value": false,
"sysparm_exclude_reference_link": true
}
}
}
}
},
"expression": {
"and": [
{
"equals": [
"@triggerBody()?['object']?['properties']?['status']",
"Closed"
]
}
]
},
"type": "If"
},
"Set_variable_-_SNOW_System_ID": {
"type": "SetVariable",
"inputs": {
"name": "SNOW System ID",
"value": "@{split(items('For_each')?['labelName'],': ')[1]}"
}
}
},
"expression": {
"and": [
{
"contains": [
"@items('For_each')?['labelName']",
"SNOW"
]
}
]
},
"type": "If"
}
},
"type": "Foreach"
}
}
},
"expression": {
"and": [
{
"equals": [
"@triggerBody()?['incidentUpdates']?['updatedFields']",
"@null"
]
}
]
},
"type": "If"
},
"Initialize_variable_-_SNOW_System_ID": {
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "SNOW System ID",
"type": "string"
}
]
}
},
"Initialize_variable_-_alert": {
"runAfter": {
"Initialize_variable_-_comment": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "New alert",
"type": "string"
}
]
}
},
"Initialize_variable_-_comment": {
"runAfter": {
"Initialize_variable_-_SNOW_System_ID": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "New comments",
"type": "string"
}
]
}
},
"Initialize_variable_-_creation_severity": {
"runAfter": {
"Initialize_variable_-_status": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "Creation severity",
"type": "string",
"value": "3"
}
]
}
},
"Initialize_variable_-_owner": {
"runAfter": {
"Initialize_variable_-_tag": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "New owner",
"type": "string"
}
]
}
},
"Initialize_variable_-_severity": {
"runAfter": {
"Initialize_variable_-_owner": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "New severity",
"type": "string"
}
]
}
},
"Initialize_variable_-_status": {
"runAfter": {
"Initialize_variable_-_severity": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "New status",
"type": "string"
}
]
}
},
"Initialize_variable_-_tag": {
"runAfter": {
"Initialize_variable_-_alert": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "New tag",
"type": "string"
}
]
}
}
}
},
"parameters": {
"$connections": {
"value": {
"microsoftsentinel": {
"connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftsentinelConnectionName'))]",
"connectionName": "[[variables('MicrosoftsentinelConnectionName')]",
"id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]",
"connectionProperties": {
"authentication": {
"type": "ManagedServiceIdentity"
}
}
},
"service-now_1": {
"connectionId": "[[resourceId('Microsoft.Web/connections', variables('ServiceNowConnectionName'))]",
"connectionName": "[[variables('ServiceNowConnectionName')]",
"id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Service-Now')]"
}
}
}
}
},
"name": "[[parameters('PlaybookName')]",
"type": "Microsoft.Logic/workflows",
"location": "[[variables('workspace-location-inline')]",
"tags": {
"hidden-SentinelTemplateName": "Cohesity_CreateOrUpdate_ServiceNow_Incident",
"hidden-SentinelTemplateVersion": "1.0",
"hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
},
"identity": {
"type": "SystemAssigned"
},
"apiVersion": "2019-05-01",
"dependsOn": [
"[[resourceId('Microsoft.Web/connections', variables('MicrosoftsentinelConnectionName'))]",
"[[resourceId('Microsoft.Web/connections', variables('ServiceNowConnectionName'))]"
]
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[[variables('MicrosoftsentinelConnectionName')]",
"location": "[[variables('workspace-location-inline')]",
"kind": "V1",
"properties": {
"displayName": "[[variables('MicrosoftsentinelConnectionName')]",
"parameterValueType": "Alternative",
"api": {
"id": "[[variables('_connection-2')]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[[variables('ServiceNowConnectionName')]",
"location": "[[variables('workspace-location-inline')]",
"kind": "V1",
"properties": {
"displayName": "[[variables('ServiceNowConnectionName')]",
"api": {
"id": "[[variables('_connection-3')]"
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId4'),'/'))))]",
"properties": {
"parentId": "[variables('playbookId4')]",
"contentId": "[variables('_playbookContentId4')]",
"kind": "Playbook",
"version": "[variables('playbookVersion4')]",
"source": {
"kind": "Solution",
"name": "CohesitySecurity",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Cohesity",
"email": "[variables('_email')]"
},
"support": {
"tier": "Partner",
"name": "Cohesity",
"email": "support@cohesity.com",
"link": "https://support.cohesity.com/"
}
}
}
],
"metadata": {
"title": "Cohesity Create or Update ServiceNow incident",
"description": "This playbook creates or updates an incident in the ServiceNow platform.",
"prerequisites": "Create an account for ServiceNow.",
"postDeployment": [
"1. Update ServiceNow credentials in the playbook.",
"2. For the playbook to run, assign the Microsoft Sentinel Responder role to the playbook's managed identity.",
"3. (Recommendation) Create an automation rule that closes the corresponding ServiceNow ticket when the Sentinel incident is closed."
],
"lastUpdateTime": "2022-12-23T10:02:00Z",
"entities": [
"Malware"
],
"tags": [
"ServiceNow",
"SOAR",
"Notification",
"Threat Response"
],
"releaseNotes": {
"version": "1.0",
"title": "[variables('blanks')]",
"notes": [
"Initial version"
]
}
}
},
"packageKind": "Solution",
"packageVersion": "[variables('_solutionVersion')]",
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
"contentId": "[variables('_playbookContentId4')]",
"contentKind": "Playbook",
"displayName": "My_Cohesity_CreateOrUpdate_ServiceNow_Incident",
"contentProductId": "[variables('_playbookcontentProductId4')]",
"id": "[variables('_playbookcontentProductId4')]",
"version": "[variables('playbookVersion4')]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
"name": "[variables('playbookTemplateSpecName5')]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "My_Cohesity_Delete_Incident_Blobs Playbook with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion5')]",
"parameters": {
"PlaybookName": {
"type": "string",
"defaultValue": "My_Cohesity_Delete_Incident_Blobs",
"metadata": {
"description": "Enter value for PlaybookName"
}
}
},
"variables": {
"AzureblobConnectionName": "[[concat('Azureblob-', parameters('PlaybookName'))]",
"MicrosoftSentinelConnectionName": "[[concat('MicrosoftSentinel-', parameters('PlaybookName'))]",
"connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azureblob')]",
"_connection-2": "[[variables('connection-2')]",
"connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]",
"_connection-3": "[[variables('connection-3')]",
"workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
"workspace-name": "[parameters('workspace')]",
"workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
},
"resources": [
{
"properties": {
"provisioningState": "Succeeded",
"state": "Enabled",
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"$connections": {
"type": "Object"
},
"PlaybookName": {
"type": "string",
"defaultValue": "[[parameters('PlaybookName')]"
}
},
"staticResults": {
"Delete_blob_(V2)0": {
"status": "Succeeded",
"outputs": {
"statusCode": "OK"
}
}
},
"triggers": {
"Microsoft_Sentinel_incident": {
"type": "ApiConnectionWebhook",
"inputs": {
"body": {
"callback_url": "@{listCallbackUrl()}"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"path": "/incident-creation"
}
}
},
"actions": {
"For_each": {
"foreach": "@body('Lists_blobs_(V2)')?['value']",
"actions": {
"Delete_blob_(V2)": {
"type": "ApiConnection",
"inputs": {
"headers": {
"SkipDeleteIfFileNotFoundOnServer": false
},
"host": {
"connection": {
"name": "@parameters('$connections')['azureblob']['connectionId']"
}
},
"method": "delete",
"path": "/v2/datasets/@{encodeURIComponent(encodeURIComponent('AccountNameFromSettings'))}/files/@{encodeURIComponent(encodeURIComponent(items('For_each')?['Path']))}"
},
"runtimeConfiguration": {
"staticResult": {
"staticResultOptions": "Disabled",
"name": "Delete_blob_(V2)0"
}
}
}
},
"runAfter": {
"Lists_blobs_(V2)": [
"Succeeded"
]
},
"type": "Foreach"
},
"Initialize_Description": {
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "description",
"type": "string",
"value": "@triggerBody()?['object']?['properties']?['description']"
}
]
}
},
"Initialize_variable": {
"runAfter": {
"Initialize_Description": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "heliosID",
"type": "string",
"value": "@{split(variables('description'), 'Helios ID: ')[1]}"
}
]
}
},
"Lists_blobs_(V2)": {
"runAfter": {
"Initialize_variable": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['azureblob']['connectionId']"
}
},
"method": "get",
"path": "/v2/datasets/@{encodeURIComponent(encodeURIComponent('AccountNameFromSettings'))}/foldersV2/@{encodeURIComponent(encodeURIComponent('/cohesity-extra-parameters/',variables('heliosID'),'/'))}",
"queries": {
"useFlatListing": true
}
}
}
}
},
"parameters": {
"$connections": {
"value": {
"azureblob": {
"connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureblobConnectionName'))]",
"connectionName": "[[variables('AzureblobConnectionName')]",
"id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azureblob')]"
},
"azuresentinel": {
"connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
"connectionName": "[[variables('MicrosoftSentinelConnectionName')]",
"id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]",
"connectionProperties": {
"authentication": {
"type": "ManagedServiceIdentity"
}
}
}
}
}
}
},
"name": "[[parameters('PlaybookName')]",
"type": "Microsoft.Logic/workflows",
"location": "[[variables('workspace-location-inline')]",
"identity": {
"type": "SystemAssigned"
},
"tags": {
"hidden-SentinelTemplateName": "Cohesity_Delete_Incident_Blobs",
"hidden-SentinelTemplateVersion": "1.0",
"hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
},
"apiVersion": "2017-07-01",
"dependsOn": [
"[[resourceId('Microsoft.Web/connections', variables('AzureblobConnectionName'))]",
"[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]"
]
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[[variables('AzureblobConnectionName')]",
"location": "[[variables('workspace-location-inline')]",
"kind": "V1",
"properties": {
"displayName": "[[variables('AzureblobConnectionName')]",
"api": {
"id": "[[variables('_connection-2')]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[[variables('MicrosoftSentinelConnectionName')]",
"location": "[[variables('workspace-location-inline')]",
"kind": "V1",
"properties": {
"displayName": "[[variables('MicrosoftSentinelConnectionName')]",
"parameterValueType": "Alternative",
"api": {
"id": "[[variables('_connection-3')]"
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId5'),'/'))))]",
"properties": {
"parentId": "[variables('playbookId5')]",
"contentId": "[variables('_playbookContentId5')]",
"kind": "Playbook",
"version": "[variables('playbookVersion5')]",
"source": {
"kind": "Solution",
"name": "CohesitySecurity",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Cohesity",
"email": "[variables('_email')]"
},
"support": {
"tier": "Partner",
"name": "Cohesity",
"email": "support@cohesity.com",
"link": "https://support.cohesity.com/"
}
}
}
],
"metadata": {
"title": "Delete Cohesity incident blobs",
"description": "This playbook deletes the Azure Storage blobs that the Cohesity function apps created for an incident.",
"prerequisites": "Deploy the Cohesity configuration and function apps (see details [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CohesitySecurity/Playbooks/Cohesity_Delete_Incident_Blobs/readme.md)).",
"postDeployment": [
"Authorize all connections."
],
"lastUpdateTime": "2023-01-27T10:57:00Z",
"entities": [
"Malware"
],
"tags": [
"Cleanup"
],
"releaseNotes": {
"version": "1.0",
"title": "[variables('blanks')]",
"notes": [
"Initial version"
]
}
}
},
"packageKind": "Solution",
"packageVersion": "[variables('_solutionVersion')]",
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
"contentId": "[variables('_playbookContentId5')]",
"contentKind": "Playbook",
"displayName": "My_Cohesity_Delete_Incident_Blobs",
"contentProductId": "[variables('_playbookcontentProductId5')]",
"id": "[variables('_playbookcontentProductId5')]",
"version": "[variables('playbookVersion5')]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages",
"apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
"version": "3.0.0",
"kind": "Solution",
"contentSchemaVersion": "3.0.0",
"displayName": "CohesitySecurity",
"publisherDisplayName": "Cohesity",
"descriptionHtml": "<p><strong>Note:</strong> <em>There may be <a href=\"https://aka.ms/sentinelsolutionsknownissues\">known issues</a> pertaining to this Solution; please refer to them before installing.</em></p>\n<p>This product integrates Cohesity Helios with Microsoft Sentinel to stay updated with the security events from your Cohesity environment and immediately respond to a ransomware attack or an anomaly.</p>\n<p><strong>Data Connectors:</strong> 1, <strong>Playbooks:</strong> 5</p>\n<p><a href=\"https://aka.ms/azuresentinel\">Learn more about Microsoft Sentinel</a> | <a href=\"https://aka.ms/azuresentinelsolutionsdoc\">Learn more about Solutions</a></p>\n",
"contentKind": "Solution",
"contentProductId": "[variables('_solutioncontentProductId')]",
"id": "[variables('_solutioncontentProductId')]",
"icon": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Cohesity-Logo.svg\" width=\"75px\" height=\"75px\">",
"contentId": "[variables('_solutionId')]",
"parentId": "[variables('_solutionId')]",
"source": {
"kind": "Solution",
"name": "CohesitySecurity",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Cohesity",
"email": "[variables('_email')]"
},
"support": {
"name": "Cohesity",
"email": "support@cohesity.com",
"tier": "Partner",
"link": "https://support.cohesity.com/"
},
"dependencies": {
"operator": "AND",
"criteria": [
{
"kind": "DataConnector",
"contentId": "[variables('_dataConnectorContentId1')]",
"version": "[variables('dataConnectorVersion1')]"
},
{
"kind": "Playbook",
"contentId": "[variables('_Cohesity_Send_Incident_Email')]",
"version": "[variables('playbookVersion1')]"
},
{
"kind": "Playbook",
"contentId": "[variables('_Cohesity_Restore_From_Last_Snapshot')]",
"version": "[variables('playbookVersion2')]"
},
{
"kind": "Playbook",
"contentId": "[variables('_Cohesity_Close_Helios_Incident')]",
"version": "[variables('playbookVersion3')]"
},
{
"kind": "Playbook",
"contentId": "[variables('_Cohesity_CreateOrUpdate_ServiceNow_Incident')]",
"version": "[variables('playbookVersion4')]"
},
{
"kind": "Playbook",
"contentId": "[variables('_Cohesity_Delete_Incident_Blobs')]",
"version": "[variables('playbookVersion5')]"
}
]
},
"firstPublishDate": "2022-10-10",
"providers": [
"Cohesity"
],
"categories": {
"domains": [
"Security - Cloud Security",
"Security - Automation (SOAR)"
]
}
},
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]"
}
],
"outputs": {}
}