Microsoft-Defender-for-Cloud/Workflow automation
Latest commit: Update ReadMe.md (Fernanda Vela, 785c03d72d, 2024-11-06 14:22:30 -08:00)
Activity log Alerts for DDoS
Add-HostNameTagEC2Arc
Add-PathAACPolicy
Ask-Remove-MalwareBlob
Assign-MDCRecommendationsbyAzureActivity
AttackPath-Sentinel-Incident-Enrich
Audit Workflow Automation via policy
AzureSiteRecovery-RansomwareProtection
Block-Suspicious-DNS-Activity
BlockBruteforceAttack
BlockSqlBruteforceAttack
Configure Workflow Automation in scale via policy
Configure-MDE
ContainerImageScanning_Notification
Create-ExemptionsByResourceTag
Create-MDEDeviceTagArc
Create-MDEDeviceTagAzure
Create-SNOWCRfromASCRec
Create-SNOWIncfromASCAlert
Create-SNOWVulnIncident
Defender for API
Delete Blob LogicApp Defender for Storage
Disable-AAD-Account-Revoke-Tokens
Enable-ASCJITVM
Enable-MDETVM
Enable-NSG-OnSubnet
Export-ASCDataToEventHub
Export-ASCRecommendationsToCSV
Export-ComplianceData
Extend-AlertSuppressionRulesAboutToExpire
Install-VulnAssesmentAgent
Isolate-ASCAlertAzureVM
Isolate-MDATPMachineAlert
Move Malicious Blob FunctionApp Defender for Storage
Notify-ASCAlertsAzureResource
Notify-ASCAlertsbyAzureActivity
Notify-ASCRecommendationsAzureResource
Notify-ASCRecommendationsResourceTag
Notify-ASCRecommendationsbyAzureActivity
Notify-AverageTimeGraph-TimeIndicators
Notify-AzDefenderAlertIPEntity-GreyNoiseCommunity
Notify-MDCRecommendationChangeActivity
Notify-NewAttackPath
Notify-ResourceExemption
Notify-SQLVulnerabilityReport
Notify-StaleResources
Open-DevOpsTaskAlert
Open-DevOpsTaskRecommendation
Open-JIRA-Ticket
Open-JIRAIssueAlert
Post-SlackMessage
Post-SlackMessageAlert
Post-TeamsMessage
Post-TeamsMessageAlert
Protect Azure VM Backup from Ransomware
Regulatory Compliance
Remove-KeyVault-AccessPolicies-RBACPermissions
Remove-MalwareBlob
Request-ResourceExemption
Run-MDATPAntivirus
Secure Storage Remediation
Send-O365EmailRecommendation
Send-WeeklyComplianceReport
SubscriptionManagement
Sync-AzureVMTags-MDEDeviceTags
Upgrade Pricing Tier
images
CODEOWNERS
README.md

Workflow automation in Microsoft Defender for Cloud

This folder contains sample security playbooks for security automation, orchestration and response (SOAR).

These playbooks can be easily integrated with Azure Security Center using the Workflow Automation feature.

Each folder contains a security playbook ARM template that uses Microsoft Security Center triggers.

After selecting a playbook, in the Azure portal:

  1. Search for deploy a custom template
  2. Click build your own template in the editor
  3. Paste the contents from the GitHub playbook
  4. Click Save
  5. Fill in needed data and click purchase

Once deployment is complete, you will need to authorize each connection.

  1. Click the Azure Security Center connection resource
  2. Click edit API connection
  3. Click Authorize
  4. Sign in
  5. Click Save
  6. Repeat steps for other connections
  • For Azure Log Analytics Data Collector, you will need to add the workspace ID and key.

You can now edit the playbook in Logic Apps.

Contribute Logic App Playbooks

Instructions for templatizing a playbook

Option 1: Azure Logic App/Playbook ARM Template Generator

  1. Download the tool and run the PowerShell script

  2. Extract the folder and open "Playbook_ARM_Template_Generator.ps1" in Visual Studio Code, Windows PowerShell, or PowerShell Core

    Note: the script runs from the user's machine, so you must allow PowerShell script execution. To do so, run the following command:

    Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass

  3. The script prompts you to enter your Azure tenant ID

  4. You are prompted to authenticate with your credentials. Once authenticated, you are prompted to choose:

    • Subscription
    • Playbooks
  5. After selecting playbooks, the script prompts you to select a location on your local drive to save the ARM template. The ARM template is generated under a <<PlaybookName>> folder.

Option 2: Manual

Once you have created a playbook that you want to export to share, go to the Logic App resource in Azure.

Note: these are generic instructions; there may be additional steps depending on how complex the playbook is and which connectors it uses.

  1. Click Export Template from the resource menu
  2. Copy the contents of the template
  3. Using VS code, create a new JSON file
  4. Paste the code into the new file
  5. In the parameters section, you can remove all parameters and add the following. You might need to add additional parameters if your logic app has items in the workflow that need to be changed, such as an API key.
    "parameters": {
        "PlaybookName": {
            "defaultValue": "PlaybookName",
            "type": "string"
        },
        "UserName": {
            "defaultValue": "<username>@<domain>",
            "type": "string"
        }
    },
  • You need a playbook name and a username that will be used for the connections.
  6. In the variables section, create a variable for each connection the playbook uses, like:
    "variables": {
        "AzureADConnectionName": "[concat('azuread-', parameters('PlaybookName'))]",
        "AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]"
    },
  • The variables will be the connection names. Here we are creating a connection name from the connection type (azuread), a "-", and the playbook name.
  7. Next, add a resource to be created for each connection.
    "resources": [
        {
            "type": "Microsoft.Web/connections",
            "apiVersion": "2016-06-01",
            "name": "[variables('AzureADConnectionName')]",
            "location": "[resourceGroup().location]",
            "properties": {
                "displayName": "[parameters('UserName')]",
                "customParameterValues": {},
                "api": {
                    "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuread')]"
                }
            }
        },
  • The name uses the variable we created. The location uses the resource group that was selected as part of the deployment. The displayName uses the UserName parameter. Lastly, you can build the string for the id from literal strings plus properties of the subscription and resource group. Repeat for each connection needed.
  8. Add a dependsOn section to the Microsoft.Logic/workflows resource. This ensures the connection resources are created before the workflow.
    "dependsOn": [
        "[resourceId('Microsoft.Web/connections', variables('AzureADConnectionName'))]",
        "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]"
    ],

  9. In the Microsoft.Logic/workflows resource, under parameters / $connections, there will be a value for each connection. Update each like the following.
    "parameters": {
        "$connections": {
            "value": {
                "azuread": {
                    "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureADConnectionName'))]",
                    "connectionName": "[variables('AzureADConnectionName')]",
                    "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuread')]"
                },
                "azuresentinel": {
                    "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
                    "connectionName": "[variables('AzureSentinelConnectionName')]",
                    "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
                }
            }
        }
    }

  • The connectionId uses a string plus the variable. The connectionName is the variable. The id is the same string we used earlier for the id when creating the connection resource.
  10. Save the JSON and contribute it to the repository.
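The manual steps above leave room for two mistakes that only show up at deployment time or, worse, when the template is shared: a `$connections` entry whose variable, connection resource and dependsOn entry do not all line up, and a subscription or tenant ID copied verbatim from the exported template instead of being replaced by `subscription().subscriptionId` or a parameter. The following is an added example (not code from the Microsoft Defender for Cloud repository) that checks a templatized playbook for both before it is contributed. It assumes the template has the shape described in steps 5 to 9 (variables referenced through `variables('...')`, connections as `Microsoft.Web/connections` resources, the workflow as `Microsoft.Logic/workflows`); the sample template it runs against is constructed inline, with switches that reproduce each mistake.

```python
"""Pre-contribution check for a templatized Logic App playbook ARM template.

Added example, not code from the Microsoft Defender for Cloud repository. It checks
the wiring from the manual templatizing steps: each $connections entry must reference
a declared variable that names a Microsoft.Web/connections resource listed in the
workflow's dependsOn, and no literal GUID (a subscription or tenant ID copied from
the exported template) may remain. The sample template below is constructed.
"""
import json
import re
from typing import List, Optional

VARIABLE_REF = re.compile(r"variables\('([^']+)'\)")
GUID = re.compile(r"\b[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\b")


def variable_ref(expr: Optional[str]) -> Optional[str]:
    """Variable name inside "[variables('X')]" or "[resourceId(..., variables('X'))]"."""
    match = VARIABLE_REF.search(expr or "")
    return match.group(1) if match else None


def find_issues(template_json: str) -> List[str]:
    """Return human-readable problems; an empty list means the template is wired correctly."""
    template = json.loads(template_json)
    issues: List[str] = []
    declared = set(template.get("variables", {}))
    resources = template.get("resources", [])
    # Variables that name an actual Microsoft.Web/connections resource in this template.
    connection_vars = {variable_ref(r.get("name")) for r in resources
                       if r.get("type") == "Microsoft.Web/connections"}
    for wf in (r for r in resources if r.get("type") == "Microsoft.Logic/workflows"):
        depends_on = {variable_ref(d) for d in wf.get("dependsOn", [])}
        connections = (wf.get("properties", {}).get("parameters", {})
                       .get("$connections", {}).get("value", {}))
        for api, conn in connections.items():
            var = variable_ref(conn.get("connectionName"))
            if var is None:
                issues.append(f"$connections.{api}: connectionName is not a variables() reference")
                continue
            if var not in declared:
                issues.append(f"$connections.{api}: variable '{var}' is not declared")
            if var not in connection_vars:
                issues.append(f"$connections.{api}: no Microsoft.Web/connections resource named by variables('{var}')")
            if variable_ref(conn.get("connectionId")) != var:
                issues.append(f"$connections.{api}: connectionId does not reference variables('{var}')")
            if var not in depends_on:
                issues.append(f"$connections.{api}: workflow dependsOn does not list variables('{var}')")
    # A literal GUID usually means a subscription or tenant ID survived the export
    # instead of being replaced by subscription().subscriptionId or a parameter.
    for guid in sorted(set(GUID.findall(template_json))):
        issues.append(f"literal GUID {guid} left in template; use subscription() or a parameter")
    return issues


def sample_template(wire_depends_on: bool = True, literal_subscription: Optional[str] = None) -> str:
    """Constructed sample with one Azure AD connection; the switches reproduce two common
    mistakes: a missing dependsOn entry and a subscription ID left in from the export."""
    if literal_subscription is None:
        api_id = ("[concat('/subscriptions/', subscription().subscriptionId, "
                  "'/providers/Microsoft.Web/locations/', resourceGroup().location, "
                  "'/managedApis/azuread')]")
    else:
        api_id = f"/subscriptions/{literal_subscription}/providers/Microsoft.Web/locations/eastus/managedApis/azuread"
    connection_ref = "[resourceId('Microsoft.Web/connections', variables('AzureADConnectionName'))]"
    template = {
        "parameters": {
            "PlaybookName": {"defaultValue": "PlaybookName", "type": "string"},
            "UserName": {"defaultValue": "<username>@<domain>", "type": "string"},
        },
        "variables": {"AzureADConnectionName": "[concat('azuread-', parameters('PlaybookName'))]"},
        "resources": [
            {
                "type": "Microsoft.Web/connections",
                "apiVersion": "2016-06-01",
                "name": "[variables('AzureADConnectionName')]",
                "location": "[resourceGroup().location]",
                "properties": {"displayName": "[parameters('UserName')]", "api": {"id": api_id}},
            },
            {
                "type": "Microsoft.Logic/workflows",
                "apiVersion": "2017-07-01",
                "name": "[parameters('PlaybookName')]",
                "location": "[resourceGroup().location]",
                "dependsOn": [connection_ref] if wire_depends_on else [],
                "properties": {
                    "definition": {},  # workflow body omitted from the sample
                    "parameters": {"$connections": {"value": {"azuread": {
                        "connectionId": connection_ref,
                        "connectionName": "[variables('AzureADConnectionName')]",
                        "id": api_id}}}},
                },
            },
        ],
    }
    return json.dumps(template, indent=2)


if __name__ == "__main__":
    print(find_issues(sample_template(wire_depends_on=False)) or ["template OK"])
```

To check a real exported template, read the file and pass its text to `find_issues`; a correctly templatized playbook returns an empty list, while the missing dependsOn entry and the leaked subscription ID each produce a single, specific message. The GUID check is deliberately blunt: any literal GUID in a shared template deserves a look, since the only IDs a templatized playbook should carry are the ones ARM resolves at deployment time.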

Questions

You can submit any questions or requests here. Please also refer to our Wiki, as it will provide you with further information.

Contributing

This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.microsoft.com.

When you submit a pull request, a CLA-bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., label, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.