diff --git a/Solutions/CiscoUmbrella/Data/Solution_CiscoUmbrella.json b/Solutions/CiscoUmbrella/Data/Solution_CiscoUmbrella.json
index 3ab071d1eb2..9abde05b6f9 100644
--- a/Solutions/CiscoUmbrella/Data/Solution_CiscoUmbrella.json
+++ b/Solutions/CiscoUmbrella/Data/Solution_CiscoUmbrella.json
@@ -2,7 +2,7 @@
 "Name": "CiscoUmbrella",
 "Author": "Microsoft - support@microsoft.com",
 "Logo": "",
- "Description": "The [Cisco Umbrella](https://umbrella.cisco.com/) solution for Microsoft Sentinel enables you to ingest [Cisco Umbrella events](https://docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning) stored in Amazon S3 into Microsoft Sentinel using the Amazon S3 REST API. \n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\n\nb. [Azure Functions](https://azure.microsoft.com/services/functions/#overview)",
+ "Description": "The [Cisco Umbrella](https://umbrella.cisco.com/) solution for Microsoft Sentinel enables you to ingest [Cisco Umbrella events](https://docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning) stored in Amazon S3 into Microsoft Sentinel using the Amazon S3 REST API.",
 "Data Connectors": [
 "Data Connectors/CiscoUmbrella_API_FunctionApp.json"
 ],
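Review bot: The new `Description` drops the "Underlying Microsoft Technologies used" disclosure, yet the hunk's own context still lists `Data Connectors/CiscoUmbrella_API_FunctionApp.json`, so the Azure Functions dependency that the removed text warned about (preview status, extra ingestion/operational cost) appears to remain. If the Function App connector still posts through the HTTP Data Collector API, keep the dependency list or replace it with the current set of dependencies rather than deleting it; if those dependencies were genuinely removed, say so in ReleaseNotes so operators understand why the note disappeared. The same deletion is made in the createUiDefinition.json `description` hunk below.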
@@ -37,18 +37,14 @@
 "Parsers/Cisco_Umbrella.yaml"
 ],
 "Playbooks": [
- "Playbooks/CiscoUmbrellaEnforcementAPIConnector/azuredeploy.json",
- "Playbooks/CiscoUmbrellaInvestigateAPIConnector/azuredeploy.json",
- "Playbooks/CiscoUmbrellaManagementAPIConnector/azuredeploy.json",
- "Playbooks/CiscoUmbrellaNetworkDeviceManagementAPIConnector/azuredeploy.json",
- "Playbooks/Playbooks/CiscoUmbrella-AddIpToDestinationList/azuredeploy.json",
- "Playbooks/Playbooks/CiscoUmbrella-AssignPolicyToIdentity/azuredeploy.json",
- "Playbooks/Playbooks/CiscoUmbrella-BlockDomain/azuredeploy.json",
- "Playbooks/Playbooks/CiscoUmbrella-GetDomainInfo/azuredeploy.json"
+ "Playbooks/CustomConnector/EnforcementAPICustomConnector/azuredeploy.json",
+ "Playbooks/CiscoUmbrellaPlaybooks/CiscoUmbrella-BlockDomain/azuredeploy.json",
+ "Playbooks/CiscoUmbrellaPlaybooks/CiscoUmbrella-AddIpToDestinationList/azuredeploy.json",
+ "Playbooks/CiscoUmbrellaPlaybooks/CiscoUmbrella-AssignPolicyToIdentity/azuredeploy.json",
+ "Playbooks/CiscoUmbrellaPlaybooks/CiscoUmbrella-GetDomainInfo/azuredeploy.json"
 ],
 "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\CiscoUmbrella",
- "Version": "3.0.1",
+ "Version": "3.0.3",
 "Metadata": "SolutionMetadata.json",
- "TemplateSpec": true,
- "Is1Pconnector": false
-}
+ "TemplateSpec": true
+}
\ No newline at end of file
diff --git a/Solutions/CiscoUmbrella/Package/3.0.3.zip b/Solutions/CiscoUmbrella/Package/3.0.3.zip
new file mode 100644
index 00000000000..cb4d4c433e4
Binary files /dev/null and b/Solutions/CiscoUmbrella/Package/3.0.3.zip differ
diff --git a/Solutions/CiscoUmbrella/Package/createUiDefinition.json b/Solutions/CiscoUmbrella/Package/createUiDefinition.json
index 879fa666de3..c5708e72051 100644
--- a/Solutions/CiscoUmbrella/Package/createUiDefinition.json
+++ b/Solutions/CiscoUmbrella/Package/createUiDefinition.json
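Review bot: The rewritten file now ends without a trailing newline (`\ No newline at end of file` follows the new `+}`, while the old `-}` had one), so every future edit to the last line will churn the closing brace; restore the newline. Dropping `"Is1Pconnector": false` is only a cleanup if the packaging tool treats a missing key as false — if it distinguishes absent from false, keep the key. The `Version` line also jumps from `3.0.1` to `3.0.3` while mainTemplate.json moves from `3.0.2`, which suggests this file was not bumped for the previous release; worth a one-line mention in ReleaseNotes so the gap is not mistaken for a missing package.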
@@ -6,7 +6,7 @@
 "config": {
 "isWizard": false,
 "basics": {
- "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/CiscoUmbrella/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Cisco Umbrella](https://umbrella.cisco.com/) solution for Microsoft Sentinel enables you to ingest [Cisco Umbrella events](https://docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning) stored in Amazon S3 into Microsoft Sentinel using the Amazon S3 REST API. \n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\n\nb. 
[Azure Functions](https://azure.microsoft.com/services/functions/#overview)\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 10, **Custom Azure Logic Apps Connectors:** 4, **Playbooks:** 4\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/CiscoUmbrella/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Cisco Umbrella](https://umbrella.cisco.com/) solution for Microsoft Sentinel enables you to ingest [Cisco Umbrella events](https://docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning) stored in Amazon S3 into Microsoft Sentinel using the Amazon S3 REST API.\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 10, **Custom Azure Logic Apps Connectors:** 1, **Playbooks:** 4\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
 "subscription": {
 "resourceProviders": [
 "Microsoft.OperationsManagement/solutions",
diff --git a/Solutions/CiscoUmbrella/Package/mainTemplate.json b/Solutions/CiscoUmbrella/Package/mainTemplate.json
index b25cb36997f..5c0fd4f1934 100644
--- a/Solutions/CiscoUmbrella/Package/mainTemplate.json
+++ b/Solutions/CiscoUmbrella/Package/mainTemplate.json
@@ -41,7 +41,7 @@
 "email": "support@microsoft.com",
 "_email": "[variables('email')]",
 "_solutionName": "CiscoUmbrella",
- "_solutionVersion": "3.0.2",
+ "_solutionVersion": "3.0.3",
 "solutionId": "azuresentinel.azure-sentinel-solution-ciscoumbrella",
 "_solutionId": "[variables('solutionId')]",
 "uiConfigId1": "CiscoUmbrellaDataConnector",
@@ -187,68 +187,47 @@
 "parserVersion1": "1.0.0",
 "parserContentId1": "Cisco_Umbrella-Parser"
 },
- "CiscoUmbrellaEnforcementAPIConnector": "CiscoUmbrellaEnforcementAPIConnector",
- "_CiscoUmbrellaEnforcementAPIConnector": "[variables('CiscoUmbrellaEnforcementAPIConnector')]",
+ "EnforcementAPICustomConnector": "EnforcementAPICustomConnector",
+ "_EnforcementAPICustomConnector": "[variables('EnforcementAPICustomConnector')]",
 "TemplateEmptyArray": "[json('[]')]",
 "blanks": "[replace('b', 'b', '')]",
 "playbookVersion1": "1.0",
- "playbookContentId1": "CiscoUmbrellaEnforcementAPIConnector",
+ "playbookContentId1": "EnforcementAPICustomConnector",
 "_playbookContentId1": "[variables('playbookContentId1')]",
 "playbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-lc-',uniquestring(variables('_playbookContentId1'))))]",
 "_playbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','lc','-', uniqueString(concat(variables('_solutionId'),'-','LogicAppsCustomConnector','-',variables('_playbookContentId1'),'-', variables('playbookVersion1'))))]",
- "CiscoUmbrellaInvestigateAPIConnector": "CiscoUmbrellaInvestigateAPIConnector",
- "_CiscoUmbrellaInvestigateAPIConnector": "[variables('CiscoUmbrellaInvestigateAPIConnector')]",
+ "CiscoUmbrella-BlockDomain": "CiscoUmbrella-BlockDomain",
+ "_CiscoUmbrella-BlockDomain": "[variables('CiscoUmbrella-BlockDomain')]",
 "playbookVersion2": "1.0",
- "playbookContentId2": "CiscoUmbrellaInvestigateAPIConnector",
+ "playbookContentId2": "CiscoUmbrella-BlockDomain",
 "_playbookContentId2": "[variables('playbookContentId2')]",
- "playbookTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-lc-',uniquestring(variables('_playbookContentId2'))))]",
- "_playbookcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','lc','-', 
uniqueString(concat(variables('_solutionId'),'-','LogicAppsCustomConnector','-',variables('_playbookContentId2'),'-', variables('playbookVersion2'))))]",
- "CiscoUmbrellaManagementAPIConnector": "CiscoUmbrellaManagementAPIConnector",
- "_CiscoUmbrellaManagementAPIConnector": "[variables('CiscoUmbrellaManagementAPIConnector')]",
+ "playbookId2": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId2'))]",
+ "playbookTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId2'))))]",
+ "_playbookcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId2'),'-', variables('playbookVersion2'))))]",
+ "CiscoUmbrella-AddIpToDestinationList": "CiscoUmbrella-AddIpToDestinationList",
+ "_CiscoUmbrella-AddIpToDestinationList": "[variables('CiscoUmbrella-AddIpToDestinationList')]",
 "playbookVersion3": "1.0",
- "playbookContentId3": "CiscoUmbrellaManagementAPIConnector",
+ "playbookContentId3": "CiscoUmbrella-AddIpToDestinationList",
 "_playbookContentId3": "[variables('playbookContentId3')]",
- "playbookTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-lc-',uniquestring(variables('_playbookContentId3'))))]",
- "_playbookcontentProductId3": "[concat(take(variables('_solutionId'),50),'-','lc','-', uniqueString(concat(variables('_solutionId'),'-','LogicAppsCustomConnector','-',variables('_playbookContentId3'),'-', variables('playbookVersion3'))))]",
- "CiscoUmbrellaNetworkDeviceManagementAPIConnector": "CiscoUmbrellaNetworkDeviceManagementAPIConnector",
- "_CiscoUmbrellaNetworkDeviceManagementAPIConnector": "[variables('CiscoUmbrellaNetworkDeviceManagementAPIConnector')]",
+ "playbookId3": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId3'))]",
+ 
"playbookTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId3'))))]",
+ "_playbookcontentProductId3": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId3'),'-', variables('playbookVersion3'))))]",
+ "CiscoUmbrella-AssignPolicyToIdentity": "CiscoUmbrella-AssignPolicyToIdentity",
+ "_CiscoUmbrella-AssignPolicyToIdentity": "[variables('CiscoUmbrella-AssignPolicyToIdentity')]",
 "playbookVersion4": "1.0",
- "playbookContentId4": "CiscoUmbrellaNetworkDeviceManagementAPIConnector",
+ "playbookContentId4": "CiscoUmbrella-AssignPolicyToIdentity",
 "_playbookContentId4": "[variables('playbookContentId4')]",
- "playbookTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-lc-',uniquestring(variables('_playbookContentId4'))))]",
- "_playbookcontentProductId4": "[concat(take(variables('_solutionId'),50),'-','lc','-', uniqueString(concat(variables('_solutionId'),'-','LogicAppsCustomConnector','-',variables('_playbookContentId4'),'-', variables('playbookVersion4'))))]",
- "CiscoUmbrella-AddIpToDestinationList": "CiscoUmbrella-AddIpToDestinationList",
- "_CiscoUmbrella-AddIpToDestinationList": "[variables('CiscoUmbrella-AddIpToDestinationList')]",
+ "playbookId4": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId4'))]",
+ "playbookTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId4'))))]",
+ "_playbookcontentProductId4": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId4'),'-', variables('playbookVersion4'))))]",
+ "CiscoUmbrella-GetDomainInfo": "CiscoUmbrella-GetDomainInfo",
+ 
"_CiscoUmbrella-GetDomainInfo": "[variables('CiscoUmbrella-GetDomainInfo')]",
 "playbookVersion5": "1.0",
- "playbookContentId5": "CiscoUmbrella-AddIpToDestinationList",
+ "playbookContentId5": "CiscoUmbrella-GetDomainInfo",
 "_playbookContentId5": "[variables('playbookContentId5')]",
 "playbookId5": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId5'))]",
 "playbookTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId5'))))]",
 "_playbookcontentProductId5": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId5'),'-', variables('playbookVersion5'))))]",
- "CiscoUmbrella-AssignPolicyToIdentity": "CiscoUmbrella-AssignPolicyToIdentity",
- "_CiscoUmbrella-AssignPolicyToIdentity": "[variables('CiscoUmbrella-AssignPolicyToIdentity')]",
- "playbookVersion6": "1.0",
- "playbookContentId6": "CiscoUmbrella-AssignPolicyToIdentity",
- "_playbookContentId6": "[variables('playbookContentId6')]",
- "playbookId6": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId6'))]",
- "playbookTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId6'))))]",
- "_playbookcontentProductId6": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId6'),'-', variables('playbookVersion6'))))]",
- "CiscoUmbrella-BlockDomain": "CiscoUmbrella-BlockDomain",
- "_CiscoUmbrella-BlockDomain": "[variables('CiscoUmbrella-BlockDomain')]",
- "playbookVersion7": "1.0",
- "playbookContentId7": "CiscoUmbrella-BlockDomain",
- "_playbookContentId7": "[variables('playbookContentId7')]",
- "playbookId7": "[resourceId('Microsoft.Logic/workflows', 
variables('playbookContentId7'))]",
- "playbookTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId7'))))]",
- "_playbookcontentProductId7": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId7'),'-', variables('playbookVersion7'))))]",
- "CiscoUmbrella-GetDomainInfo": "CiscoUmbrella-GetDomainInfo",
- "_CiscoUmbrella-GetDomainInfo": "[variables('CiscoUmbrella-GetDomainInfo')]",
- "playbookVersion8": "1.0",
- "playbookContentId8": "CiscoUmbrella-GetDomainInfo",
- "_playbookContentId8": "[variables('playbookContentId8')]",
- "playbookId8": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId8'))]",
- "playbookTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId8'))))]",
- "_playbookcontentProductId8": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId8'),'-', variables('playbookVersion8'))))]",
 "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
 },
 "resources": [
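Review bot: Renaming `playbookContentId1` from `CiscoUmbrellaEnforcementAPIConnector` to `EnforcementAPICustomConnector` changes the published contentId, and with it `_playbookcontentProductId1` and `playbookTemplateSpecName1` (both are built from `uniquestring` of that contentId in the context lines), so a workspace upgrading from 3.0.2 will likely receive a second custom-connector content item instead of an in-place update, and the old item, together with the three removed connectors (Investigate, Management, NetworkDeviceManagement), is left behind unmanaged. If the rename is intentional, document the orphaned items and any manual cleanup in ReleaseNotes; if not, keep the old contentId and change only `displayName`. The same rename is applied in the `@@ -3005`, `@@ -3025` and `@@ -3351` hunks further down, and `playbookId1` in the `@@ -3025` hunk still resolves `parameters('customApis_CiscoUmbrellaEnforcementAPI_name')`, so the Azure resource name and the content id now diverge. The `variables` object this hunk edits begins before the hunk.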
@@ -261,7 +240,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CiscoUmbrella data connector with template version 3.0.2",
+ "description": "CiscoUmbrella data connector with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('dataConnectorVersion1')]",
@@ -754,7 +733,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CiscoUmbrella Workbook with template version 3.0.2",
+ "description": "CiscoUmbrella Workbook with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion1')]",
@@ -854,7 +833,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CiscoUmbrellaConnectionNon-CorporatePrivateNetwork_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "CiscoUmbrellaConnectionNon-CorporatePrivateNetwork_AnalyticalRules Analytics Rule with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
@@ -901,8 +880,8 @@
 "entityType": "IP",
 "fieldMappings": [
 {
- "columnName": "SrcIpAddr",
- "identifier": "Address"
+ "identifier": "Address",
+ "columnName": "SrcIpAddr"
 }
 ]
 }
@@ -960,7 +939,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CiscoUmbrellaConnectionToUnpopularWebsiteDetected_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "CiscoUmbrellaConnectionToUnpopularWebsiteDetected_AnalyticalRules Analytics Rule with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
@@ -1010,8 +989,8 @@
 "entityType": "URL",
 "fieldMappings": [
 {
- "columnName": "UrlOriginal",
- "identifier": "Url"
+ "identifier": "Url",
+ "columnName": "UrlOriginal"
 }
 ]
 },
@@ -1019,8 +998,8 @@
 "entityType": "IP",
 "fieldMappings": [
 {
- "columnName": "SrcIpAddr",
- "identifier": "Address"
+ "identifier": "Address",
+ "columnName": "SrcIpAddr"
 }
 ]
 }
@@ -1078,7 +1057,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CiscoUmbrellaCryptoMinerUserAgentDetected_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "CiscoUmbrellaCryptoMinerUserAgentDetected_AnalyticalRules Analytics Rule with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]",
@@ -1130,8 +1109,8 @@
 "entityType": "URL",
 "fieldMappings": [
 {
- "columnName": "UrlOriginal",
- "identifier": "Url"
+ "identifier": "Url",
+ "columnName": "UrlOriginal"
 }
 ]
 },
@@ -1139,8 +1118,8 @@
 "entityType": "IP",
 "fieldMappings": [
 {
- "columnName": "SrcIpAddr",
- "identifier": "Address"
+ "identifier": "Address",
+ "columnName": "SrcIpAddr"
 }
 ]
 }
@@ -1198,7 +1177,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CiscoUmbrellaEmptyUserAgentDetected_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "CiscoUmbrellaEmptyUserAgentDetected_AnalyticalRules Analytics Rule with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]",
@@ -1246,8 +1225,8 @@
 "entityType": "URL",
 "fieldMappings": [
 {
- "columnName": "UrlOriginal",
- "identifier": "Url"
+ "identifier": "Url",
+ "columnName": "UrlOriginal"
 }
 ]
 },
@@ -1255,8 +1234,8 @@
 "entityType": "IP",
 "fieldMappings": [
 {
- "columnName": "SrcIpAddr",
- "identifier": "Address"
+ "identifier": "Address",
+ "columnName": "SrcIpAddr"
 }
 ]
 }
@@ -1314,7 +1293,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CiscoUmbrellaHackToolUserAgentDetected_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "CiscoUmbrellaHackToolUserAgentDetected_AnalyticalRules Analytics Rule with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]",
@@ -1369,8 +1348,8 @@
 "entityType": "URL",
 "fieldMappings": [
 {
- "columnName": "UrlOriginal",
- "identifier": "Url"
+ "identifier": "Url",
+ "columnName": "UrlOriginal"
 }
 ]
 },
@@ -1378,8 +1357,8 @@
 "entityType": "IP",
 "fieldMappings": [
 {
- "columnName": "SrcIpAddr",
- "identifier": "Address"
+ "identifier": "Address",
+ "columnName": "SrcIpAddr"
 }
 ]
 }
@@ -1437,7 +1416,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CiscoUmbrellaPowershellUserAgentDetected_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "CiscoUmbrellaPowershellUserAgentDetected_AnalyticalRules Analytics Rule with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]",
@@ -1489,8 +1468,8 @@
 "entityType": "URL",
 "fieldMappings": [
 {
- "columnName": "UrlOriginal",
- "identifier": "Url"
+ "identifier": "Url",
+ "columnName": "UrlOriginal"
 }
 ]
 },
@@ -1498,8 +1477,8 @@
 "entityType": "IP",
 "fieldMappings": [
 {
- "columnName": "SrcIpAddr",
- "identifier": "Address"
+ "identifier": "Address",
+ "columnName": "SrcIpAddr"
 }
 ]
 }
@@ -1557,7 +1536,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CiscoUmbrellaRareUserAgentDetected_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "CiscoUmbrellaRareUserAgentDetected_AnalyticalRules Analytics Rule with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]",
@@ -1607,8 +1586,8 @@
 "entityType": "URL",
 "fieldMappings": [
 {
- "columnName": "UrlOriginal",
- "identifier": "Url"
+ "identifier": "Url",
+ "columnName": "UrlOriginal"
 }
 ]
 },
@@ -1616,8 +1595,8 @@
 "entityType": "IP",
 "fieldMappings": [
 {
- "columnName": "SrcIpAddr",
- "identifier": "Address"
+ "identifier": "Address",
+ "columnName": "SrcIpAddr"
 }
 ]
 }
@@ -1675,7 +1654,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CiscoUmbrellaRequestAllowedHarmfulMaliciousURICategory_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "CiscoUmbrellaRequestAllowedHarmfulMaliciousURICategory_AnalyticalRules Analytics Rule with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]",
@@ -1725,8 +1704,8 @@
 "entityType": "URL",
 "fieldMappings": [
 {
- "columnName": "UrlOriginal",
- "identifier": "Url"
+ "identifier": "Url",
+ "columnName": "UrlOriginal"
 }
 ]
 },
@@ -1734,8 +1713,8 @@
 "entityType": "IP",
 "fieldMappings": [
 {
- "columnName": "SrcIpAddr",
- "identifier": "Address"
+ "identifier": "Address",
+ "columnName": "SrcIpAddr"
 }
 ]
 }
@@ -1793,7 +1772,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CiscoUmbrellaRequestBlocklistedFileType_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "CiscoUmbrellaRequestBlocklistedFileType_AnalyticalRules Analytics Rule with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]",
@@ -1840,8 +1819,8 @@
 "entityType": "URL",
 "fieldMappings": [
 {
- "columnName": "UrlOriginal",
- "identifier": "Url"
+ "identifier": "Url",
+ "columnName": "UrlOriginal"
 }
 ]
 },
@@ -1849,8 +1828,8 @@
 "entityType": "IP",
 "fieldMappings": [
 {
- "columnName": "SrcIpAddr",
- "identifier": "Address"
+ "identifier": "Address",
+ "columnName": "SrcIpAddr"
 }
 ]
 }
@@ -1908,7 +1887,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CiscoUmbrellaURIContainsIPAddress_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "CiscoUmbrellaURIContainsIPAddress_AnalyticalRules Analytics Rule with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject10').analyticRuleVersion10]",
@@ -1955,8 +1934,8 @@
 "entityType": "URL",
 "fieldMappings": [
 {
- "columnName": "UrlOriginal",
- "identifier": "Url"
+ "identifier": "Url",
+ "columnName": "UrlOriginal"
 }
 ]
 },
@@ -1964,8 +1943,8 @@
 "entityType": "IP",
 "fieldMappings": [
 {
- "columnName": "SrcIpAddr",
- "identifier": "Address"
+ "identifier": "Address",
+ "columnName": "SrcIpAddr"
 }
 ]
 }
@@ -2023,7 +2002,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CiscoUmbrellaAnomalousFQDNsforDomain_HuntingQueries Hunting Query with template version 3.0.2",
+ "description": "CiscoUmbrellaAnomalousFQDNsforDomain_HuntingQueries Hunting Query with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]",
@@ -2108,7 +2087,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CiscoUmbrellaBlockedUserAgents_HuntingQueries Hunting Query with template version 3.0.2",
+ "description": "CiscoUmbrellaBlockedUserAgents_HuntingQueries Hunting Query with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]",
@@ -2193,7 +2172,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CiscoUmbrellaDNSErrors_HuntingQueries Hunting Query with template version 3.0.2",
+ "description": "CiscoUmbrellaDNSErrors_HuntingQueries Hunting Query with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]",
@@ -2278,7 +2257,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CiscoUmbrellaDNSRequestsUunreliableCategory_HuntingQueries Hunting Query with template version 3.0.2",
+ "description": "CiscoUmbrellaDNSRequestsUunreliableCategory_HuntingQueries Hunting Query with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]",
@@ -2363,7 +2342,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CiscoUmbrellaHighCountsOfTheSameBytesInSize_HuntingQueries Hunting Query with template version 3.0.2",
+ "description": "CiscoUmbrellaHighCountsOfTheSameBytesInSize_HuntingQueries Hunting Query with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]",
@@ -2448,7 +2427,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CiscoUmbrellaHighValuesOfUploadedData_HuntingQueries Hunting Query with template version 3.0.2",
+ "description": "CiscoUmbrellaHighValuesOfUploadedData_HuntingQueries Hunting Query with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject6').huntingQueryVersion6]",
@@ -2533,7 +2512,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CiscoUmbrellaPossibleConnectionC2_HuntingQueries Hunting Query with template version 3.0.2",
+ "description": "CiscoUmbrellaPossibleConnectionC2_HuntingQueries Hunting Query with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject7').huntingQueryVersion7]",
@@ -2618,7 +2597,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CiscoUmbrellaPossibleDataExfiltration_HuntingQueries Hunting Query with template version 3.0.2",
+ "description": "CiscoUmbrellaPossibleDataExfiltration_HuntingQueries Hunting Query with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject8').huntingQueryVersion8]",
@@ -2703,7 +2682,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CiscoUmbrellaProxyAllowedUnreliableCategory_HuntingQueries Hunting Query with template version 3.0.2",
+ "description": "CiscoUmbrellaProxyAllowedUnreliableCategory_HuntingQueries Hunting Query with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject9').huntingQueryVersion9]",
@@ -2788,7 +2767,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CiscoUmbrellaRequestsUncategorizedURI_HuntingQueries Hunting Query with template version 3.0.2",
+ "description": "CiscoUmbrellaRequestsUncategorizedURI_HuntingQueries Hunting Query with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject10').huntingQueryVersion10]",
@@ -2873,7 +2852,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Cisco_Umbrella Data Parser with template version 3.0.2",
+ "description": "Cisco_Umbrella Data Parser with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('parserObject1').parserVersion1]",
@@ -3005,7 +2984,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CiscoUmbrellaEnforcementAPIConnector Playbook with template version 3.0.2",
+ "description": "EnforcementAPICustomConnector Playbook with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion1')]",
@@ -3025,7 +3004,7 @@
 "operationId-DeleteDomainById": "DeleteDomainById",
 "_operationId-DeleteDomainById": "[[variables('operationId-DeleteDomainById')]",
 "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
- "playbookContentId1": "CiscoUmbrellaEnforcementAPIConnector",
+ "playbookContentId1": "EnforcementAPICustomConnector",
 "playbookId1": "[[resourceId('Microsoft.Web/customApis', parameters('customApis_CiscoUmbrellaEnforcementAPI_name'))]",
 "workspace-name": "[parameters('workspace')]",
 "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
@@ -3351,7 +3330,7 @@
 "contentSchemaVersion": "3.0.0",
 "contentId": "[variables('_playbookContentId1')]",
 "contentKind": "LogicAppsCustomConnector",
- "displayName": "CiscoUmbrellaEnforcementAPIConnector",
+ "displayName": "EnforcementAPICustomConnector",
 "contentProductId": "[variables('_playbookcontentProductId1')]",
 "id": "[variables('_playbookcontentProductId1')]",
 "version": "[variables('playbookVersion1')]"
@@ -3366,422 +3345,260 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CiscoUmbrellaInvestigateAPIConnector Playbook with template version 3.0.2",
+ "description": "CiscoUmbrella-BlockDomain Playbook with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion2')]",
 "parameters": {
- "customApis_CiscoUmbrellaInvestigateAPIConnector_name": {
- "defaultValue": "CiscoUmbrellaInvestigateAPI",
+ "PlaybookName": {
+ "defaultValue": "CiscoUmbrella-BlockDomain",
+ "type": "String"
+ },
+ "customApis_ciscoumbrellaenforcement_name": {
+ "defaultValue": "CiscoUmbrellaEnforcementAPI",
 "type": "String"
 }
 },
 "variables": {
- "operationId-GetDomainSecurityData": "GetDomainSecurityData",
- "_operationId-GetDomainSecurityData": "[[variables('operationId-GetDomainSecurityData')]",
- "operationId-GetDomainRiskScore": "GetDomainRiskScore",
- "_operationId-GetDomainRiskScore": "[[variables('operationId-GetDomainRiskScore')]",
- "operationId-GetDomainStatusAndCategorization": "GetDomainStatusAndCategorization",
- "_operationId-GetDomainStatusAndCategorization": "[[variables('operationId-GetDomainStatusAndCategorization')]",
- "operationId-GetCoOccurrencesForDomain": "GetCoOccurrencesForDomain",
- "_operationId-GetCoOccurrencesForDomain": "[[variables('operationId-GetCoOccurrencesForDomain')]",
- "operationId-GetRelatedDomains": "GetRelatedDomains",
- "_operationId-GetRelatedDomains": "[[variables('operationId-GetRelatedDomains')]",
+ "AzureSentinelConnectionName": "[[concat('azuresentinel-', parameters('PlaybookName'))]",
+ "CiscoUmbrellaEnforcementAPIConnectionName": "[[concat('ciscoumbrellaenforcement-connection-', parameters('PlaybookName'))]",
+ "connection-1": "[[concat('/subscriptions/', 
subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
+ "_connection-1": "[[variables('connection-1')]",
+ "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('customApis_ciscoumbrellaenforcement_name'))]",
+ "_connection-2": "[[variables('connection-2')]",
 "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
- "playbookContentId2": "CiscoUmbrellaInvestigateAPIConnector",
- "playbookId2": "[[resourceId('Microsoft.Web/customApis', parameters('customApis_CiscoUmbrellaInvestigateAPIConnector_name'))]",
 "workspace-name": "[parameters('workspace')]",
 "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
 },
 "resources": [
 {
- "type": "Microsoft.Web/customApis",
+ "type": "Microsoft.Web/connections",
 "apiVersion": "2016-06-01",
- "name": "[[parameters('customApis_CiscoUmbrellaInvestigateAPIConnector_name')]",
+ "name": "[[variables('AzureSentinelConnectionName')]",
 "location": "[[variables('workspace-location-inline')]",
 "properties": {
- "connectionParameters": {
- "api_key": {
- "type": "securestring",
- "uiDefinition": {
- "displayName": "API Key",
- "description": "The API Key for this api",
- "tooltip": "Provide your API Key in format: Bearer YOUR_API_KEY",
- "constraints": {
- "tabIndex": 2,
- "clearText": false,
- "required": "true"
- }
- }
- }
- },
- "brandColor": "#FFFFFF",
- "description": "Connector for Cisco Umbrella Investigate API",
- "displayName": "[[parameters('customApis_CiscoUmbrellaInvestigateAPIConnector_name')]",
- "iconUri": "",
- "backendService": {
- "serviceUrl": "https://investigate.api.umbrella.com"
- },
- "apiType": "Rest",
- "swagger": {
- "swagger": "2.0",
- "info": {
- "title": "Default title",
- "description": "Connector for Cisco Umbrella Investigate API",
- 
"version": "1.0" - }, - "host": "investigate.api.umbrella.com", - "basePath": "/", - "schemes": [ - "https" - ], - "consumes": "[variables('TemplateEmptyArray')]", - "produces": "[variables('TemplateEmptyArray')]", - "paths": { - "/security/name/{Domain}": { - "get": { - "responses": { - "default": { - "description": "default", - "schema": { - "type": "object", - "properties": { - "dga_score": { - "type": "integer", - "format": "int32", - "description": "Domain Generation Algorithm. This score is generated based on the likeliness of the domain name being generated by an algorithm rather than a human. This algorithm is designed to identify domains which have been created using an automated randomization strategy, which is a common evasion technique in malware kits or botnets. This score ranges from -100 (suspicious) to 0 (benign)." - }, - "perplexity": { - "type": "number", - "format": "float", - "description": "A second score on the likeliness of the name to be algorithmically generated, on a scale from 0 to 100. This score is to be used in conjunction with DGA." - }, - "entropy": { - "type": "number", - "format": "float", - "description": "The number of bits required to encode the domain name, as a score. This score is to be used in conjunction with DGA and Perplexity." - }, - "securerank2": { - "type": "number", - "format": "float", - "description": "Suspicious rank for a domain that reviews based on the lookup behavior of client IP for the domain. Securerank is designed to identify hostnames requested by known infected clients but never requested by clean clients, assuming these domains are more likely to be bad. Scores returned range from -100 (suspicious) to 100 (benign)." - }, - "pagerank": { - "type": "number", - "format": "float", - "description": "Popularity according to Google's pagerank algorithm" - }, - "asn_score": { - "type": "number", - "format": "float", - "description": "ASN reputation score, ranges from -100 to 0 with -100 being very suspicious." 
- }, - "prefix_score": { - "type": "number", - "format": "float", - "description": "Prefix ranks domains given their IP prefixes (an IP prefix is the first three octets in an IP address) and the reputation score of these prefixes. Ranges from -100 to 0, -100 being very suspicious." - }, - "rip_score": { - "type": "number", - "format": "float", - "description": "RIP ranks domains given their IP addresses and the reputation score of these IP addresses. Ranges from -100 to 0, -100 being very suspicious." - }, - "popularity": { - "type": "integer", - "format": "int32", - "description": "The number of unique client IPs visiting this site, relative to the all requests to all sites. A score of how many different client/unique IPs go to this domain compared to others." - }, - "fastflux": { - "type": "boolean", - "description": "fastflux", - "x-ms-visibility": "internal" - }, - "geodiversity": { - "type": "array", - "description": "array of geodiversity tuples", - "x-ms-summary": "geodiversity array", - "items": { - "x-ms-summary": "geodiversity tuple", - "description": "Tuple [\"country code\", \"score\"]. A score representing the number of queries from clients visiting the domain, broken down by country. Score is a non-normalized ratio between 0 and 1.", - "type": "array" - } - }, - "geodiversity_normalized": { - "type": "array", - "description": "array of geodiversity_normalized tuples", - "x-ms-summary": "geodiversity_normalized array", - "items": { - "x-ms-summary": "geodiversity_normalized tuple", - "description": "Tuple [\"country code\", \"score\"]. A score representing the amount of queries for clients visiting the domain, broken down by country. 
Score is a normalized ratio between 0 and 1.", - "type": "array" - } - }, - "tld_geodiversity": { - "type": "array", - "description": "array of tld_geodiversity tuples", - "x-ms-summary": "tld_geodiversity array", - "items": { - "x-ms-summary": "tld_geodiversity tuple", - "description": "Tuple [\"country code\", \"score\"]. A score that represents the TLD country code geodiversity as a percentage of clients visiting the domain. Occurs most often with domains that have a ccTLD. Score is normalized ratio between 0 and 1.", - "type": "array" - } - }, - "geoscore": { - "type": "integer", - "format": "int32", - "description": "A score that represents how far the different physical locations serving this name are from each other." - }, - "ks_test": { - "type": "integer", - "format": "int32", - "description": "Kolmogorov–Smirnov test on geodiversity. 0 means that the client traffic matches what is expected for this TLD." - }, - "attack": { - "type": "string", - "description": "The name of any known attacks associated with this domain. Returns blank if no known threat associated with domain." - }, - "threat_type": { - "type": "string", - "description": "The type of the known attack, such as botnet or APT. Returns blank if no known threat associated with domain." - }, - "found": { - "type": "boolean", - "description": "Returns true if results available. Returns blank if no known threat associated with domain." 
- } - } - } - } + "displayName": "[[variables('AzureSentinelConnectionName')]", + "api": { + "id": "[[variables('_connection-1')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('CiscoUmbrellaEnforcementAPIConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('CiscoUmbrellaEnforcementAPIConnectionName')]", + "api": { + "id": "[[variables('_connection-2')]" + } + } + }, + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2017-07-01", + "name": "[[parameters('PlaybookName')]", + "location": "[[variables('workspace-location-inline')]", + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('CiscoUmbrellaEnforcementAPIConnectionName'))]" + ], + "properties": { + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "actions": { + "Add_comment_to_incident_(V3)": { + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

@{outputs('Create_logo')}CiscoUmbrella-BlockDomain
\nThe following domains have been added to Cisco Umbrella block destination list:
\n@{body('Create_HTML_table')}

" }, - "summary": "Get domain security data", - "description": "Security Information for a Domain", - "operationId": "[[variables('_operationId-GetDomainSecurityData')]", - "parameters": [ - { - "name": "Domain", - "in": "path", - "required": true, - "type": "string" + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" } + }, + "method": "post", + "path": "/Incidents/Comment" + }, + "runAfter": { + "Create_logo": [ + "Succeeded" ] - } + }, + "type": "ApiConnection" }, - "/domains/risk-score/{DomainName}": { - "get": { - "responses": { - "default": { - "description": "default", - "schema": { - "type": "object", - "properties": { - "indicators": { - "type": "array", - "x-ms-summary": "indicators", - "description": "array of indicator objects", - "items": { - "x-ms-summary": "indicator", - "description": "indicator object", - "type": "object", - "properties": { - "indicator": { - "type": "string", - "description": "indicator name", - "title": "name" - }, - "normalized_score": { - "type": "integer", - "format": "int32", - "description": "indicator normalized score" - }, - "score": { - "type": "boolean", - "description": "indicator score" - } - } - } - }, - "risk_score": { - "type": "integer", - "format": "int32", - "description": "risk score" - } - } - } - } - }, - "summary": "Get Risk score for a domain", - "description": "Get Risk score for a domain", - "operationId": "[[variables('_operationId-GetDomainRiskScore')]", - "parameters": [ + "Create_HTML_table": { + "inputs": { + "columns": [ { - "name": "DomainName", - "in": "path", - "required": true, - "type": "string" + "header": "Domain", + "value": "@item()" } + ], + "format": "HTML", + "from": "@variables('blocked_domains')" + }, + "runAfter": { + "For_each_URL": [ + "Succeeded" ] - } + }, + "type": "Table" }, - "/domains/categorization/{Domain}": { - "get": { - "responses": { - "default": { - "description": "default", - "schema": { - "type": "object", - 
"additionalProperties": { - "type": "object", - "description": "Domain object", - "title": "Domain object", - "x-ms-summary": "Domain object", - "properties": { - "status": { - "type": "integer", - "format": "int32", - "description": "The status will be \"-1\" if the domain is believed to be malicious, \"1\" if the domain is believed to be benign, \"0\" if it hasn't been classified yet." - }, - "security_categories": { - "type": "array", - "items": { - "type": "string" - }, - "description": "The Umbrella security category, or categories, that match this domain or that this domain is associated with. If none match, the return will be blank." - }, - "content_categories": { - "type": "array", - "items": { - "type": "string" - }, - "description": "The Umbrella content category or categories that match this domain. If none match, the return will be blank." - } - } - } - } - } - }, - "summary": "Get Domain Status and Categorization", - "description": "Get Domain Status and Categorization", - "operationId": "[[variables('_operationId-GetDomainStatusAndCategorization')]", - "parameters": [ - { - "name": "Domain", - "in": "path", - "required": true, - "type": "string" - }, - { - "name": "showLabels", - "in": "query", - "required": true, - "type": "string", - "default": 1, - "x-ms-visibility": "internal" - } + "Create_logo": { + "inputs": "", + "runAfter": { + "Create_HTML_table": [ + "Succeeded" ] - } + }, + "type": "Compose" }, - "/recommendations/name/{Domain}": { - "get": { - "responses": { - "default": { - "description": "default", - "schema": { - "type": "object", - "properties": { - "pfs2": { - "type": "array", - "x-ms-summary": "pfs2 array", - "description": "Array of [domain name, scores] tuples. The values range between 0 and 1 and should not exceed 1. 
All co-occurences of requests from client IPs are returned for the previous seven days whether the co-occurence is suspicious or not.", - "items": { - "x-ms-summary": "pfs2 tuple", - "description": "[[domain name, scores] tuple. The values range between 0 and 1 and should not exceed 1. All co-occurences of requests from client IPs are returned for the previous seven days whether the co-occurence is suspicious or not.", - "type": "array" - } - }, - "found": { - "type": "boolean", - "description": "Returns true if results available. Nothing is returned if no results available." - } - } - } + "Entities_-_Get_URLs": { + "inputs": { + "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" } }, - "summary": "Get Co-Occurrences for a Domain", - "description": "Get Co-Occurrences for a Domain", - "operationId": "[[variables('_operationId-GetCoOccurrencesForDomain')]", - "parameters": [ - { - "name": "Domain", - "in": "path", - "required": true, - "type": "string" - } + "method": "post", + "path": "/entities/url" + }, + "runAfter": { + "Initialize_variable_blocked_domains": [ + "Succeeded" ] - } + }, + "type": "ApiConnection" }, - "/links/name/{Domain}": { - "get": { - "responses": { - "default": { - "description": "default", - "schema": { - "type": "object", - "properties": { - "tb1": { - "type": "array", - "x-ms-summary": "tb1 array", - "description": "Array of [domain name, scores] tuples where score is the number of client IP requests to the site around the same time as the site being looked up. This is a score reflecting the number of client IPs looking up related sites within 60 seconds of the original request.", - "items": { - "x-ms-summary": "tb1 tuple", - "description": "[[domain name, scores] tuples where score is the number of client IP requests to the site around the same time as the site being looked up. 
This is a score reflecting the number of client IPs looking up related sites within 60 seconds of the original request.", - "type": "array" - } - }, - "found": { - "type": "boolean", - "description": "Returns true if results available. Nothing is returned if no results available." - } + "For_each_URL": { + "actions": { + "Append_domain_to_blocked_domains_variable": { + "inputs": { + "name": "blocked_domains", + "value": "@outputs('Get_Domain_from_URL')" + }, + "runAfter": { + "Block_domain": [ + "Succeeded" + ] + }, + "type": "AppendToArrayVariable" + }, + "Block_domain": { + "inputs": { + "body": [ + { + "alertTime": "@{utcNow()}", + "deviceId": "azuresentinel", + "deviceVersion": "13.7a", + "dstDomain": "@{outputs('Get_Domain_from_URL')}", + "dstUrl": "@{outputs('Get_Domain_from_URL')}", + "eventTime": "@{utcNow()}", + "protocolVersion": "1.0a", + "providerName": "Security Platform" } - } - } + ], + "headers": { + "Accept": "application/json" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['ciscoumbrellaenforcement']['connectionId']" + } + }, + "method": "post", + "path": "/1.0/events" + }, + "runAfter": { + "Get_Domain_from_URL": [ + "Succeeded" + ] + }, + "type": "ApiConnection" }, - "summary": "Get a list of domain names requested the same time as a specified domain", - "description": "Get a list of domain names requested the same time as a specified domain", - "operationId": "[[variables('_operationId-GetRelatedDomains')]", - "parameters": [ + "Get_Domain_from_URL": { + "inputs": "@split(replace(replace(items('For_each_URL')?['Url'],'http://',''), 'https://', ''), '/')[0]", + "type": "Compose" + } + }, + "foreach": "@body('Entities_-_Get_URLs')?['URLs']", + "runAfter": { + "Entities_-_Get_URLs": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Initialize_variable_blocked_domains": { + "inputs": { + "variables": [ { - "name": "Domain", - "in": "path", - "required": true, - "type": "string" + "name": "blocked_domains", + "type": 
"array" } ] - } + }, + "type": "InitializeVariable" } }, - "securityDefinitions": { - "API Key": { - "type": "apiKey", - "in": "header", - "name": "Authorization" + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" } }, - "security": [ - { - "API Key": "[variables('TemplateEmptyArray')]" + "triggers": { + "When_Azure_Sentinel_incident_creation_rule_was_triggered": { + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "path": "/incident-creation" + }, + "type": "ApiConnectionWebhook" } - ], - "tags": "[variables('TemplateEmptyArray')]" + } + }, + "parameters": { + "$connections": { + "value": { + "azuresentinel": { + "connectionName": "[[variables('AzureSentinelConnectionName')]", + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", + "id": "[[concat('/subscriptions/',subscription().subscriptionId, '/providers/Microsoft.Web/locations/',variables('workspace-location-inline'),'/managedApis/azuresentinel')]" + }, + "ciscoumbrellaenforcement": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('CiscoUmbrellaEnforcementAPIConnectionName'))]", + "connectionName": "[[variables('CiscoUmbrellaEnforcementAPIConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('customApis_ciscoumbrellaenforcement_name'))]" + } + } + } } + }, + "tags": { + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[[concat(variables('workspace-name'),'/Microsoft.SecurityInsights/',concat('LogicAppsCustomConnector-', last(split(variables('playbookId2'),'/'))))]", + "name": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId2'),'/'))))]",
 "properties": {
- "parentId": "[[variables('playbookId2')]",
+ "parentId": "[variables('playbookId2')]",
 "contentId": "[variables('_playbookContentId2')]",
- "kind": "LogicAppsCustomConnector",
+ "kind": "Playbook",
 "version": "[variables('playbookVersion2')]",
 "source": {
 "kind": "Solution",
@@ -3797,10 +3614,46 @@
 "name": "Microsoft Corporation",
 "email": "support@microsoft.com",
 "link": "https://support.microsoft.com/"
+ },
+ "dependencies": {
+ "criteria": [
+ {
+ "kind": "LogicAppsCustomConnector",
+ "contentId": "[variables('_EnforcementAPICustomConnector')]",
+ "version": "[variables('playbookVersion1')]"
+ }
+ ]
 }
 }
 }
- ]
+ ],
+ "metadata": {
+ "title": "CiscoUmbrella-BlockDomain",
+ "description": "This playbook showcases an example of triggering an incident within a targeted Teams channel and opening up a ticket within Service Now. Additionally The playbook will also list playbooks that can be initiated from teams using an adaptive card and callbacks that will take action upon certain entities identified in the incident.",
+ "prerequisites": [
+ "1. ServiceNow Instance URL, Username, and password.",
+ "2. Access and authorization to enable API connectors",
+ "3. Teams Group ID, Channel ID and Alert details where the messages are to be posted in."
+ ],
+ "lastUpdateTime": "2021-06-29T10:00:00Z",
+ "entities": [
+ "Account",
+ "Url",
+ "Host"
+ ],
+ "tags": [
+ "Sync",
+ "Notification",
+ "Teams Response"
+ ],
+ "releaseNotes": {
+ "version": "1.0",
+ "title": "[variables('blanks')]",
+ "notes": [
+ "Initial version"
+ ]
+ }
+ }
 },
 "packageKind": "Solution",
 "packageVersion": "[variables('_solutionVersion')]",
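Review bot: In the `Block_domain` action of the new CiscoUmbrella-BlockDomain workflow, `dstUrl` is populated with `@{outputs('Get_Domain_from_URL')}`, the same bare host as `dstDomain`, so the original URL entity is never sent to the Enforcement API; `"dstUrl": "@{items('For_each_URL')?['Url']}"` would preserve it. `Get_Domain_from_URL` strips only lowercase `http://`/`https://` and cuts at the first `/`, so a URL with a port, user-info, or a `?query` directly after the host produces a value that is not a plain domain; if URL entities always carry a scheme, `@uriHost(items('For_each_URL')?['Url'])` is the more robust expression, otherwise wrap the current input in `toLower()` before the `replace` calls. `Append_domain_to_blocked_domains_variable` runs only on `Succeeded` of `Block_domain` and there is no `Failed`/`TimedOut` branch, so domains the Enforcement API rejected are neither listed in the incident comment nor surfaced anywhere else. `Create_logo` has empty `inputs`, so `@{outputs('Create_logo')}` in the comment body renders nothing and should either be filled or dropped. The content-template resource this hunk rewrites begins before the hunk (its `dependsOn` array is cut at the top).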
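Review bot: The `metadata` block added for CiscoUmbrella-BlockDomain describes a different playbook: its `description` talks about posting to a Teams channel and opening a ServiceNow ticket, `prerequisites` ask for ServiceNow credentials and Teams IDs, and `tags` are `Sync`/`Notification`/`Teams Response`, none of which this workflow does, since it only calls the Umbrella Enforcement API and comments on the incident. A description such as `"Blocks the domains of an incident's URL entities in Cisco Umbrella through the Enforcement API and comments the list of blocked domains back on the incident."`, prerequisites naming the EnforcementAPICustomConnector deployment and an Enforcement API key, and `entities` reduced to `"Url"` (the workflow reads only `/entities/url`) would match the code. `lastUpdateTime` `2021-06-29T10:00:00Z` and `releaseNotes.version` `1.0` look stale for content shipped as template version 3.0.3. `releaseNotes.title` reads `[variables('blanks')]` and `dependencies.criteria` reads `[variables('_EnforcementAPICustomConnector')]`; neither is defined in this hunk, so confirm the outer template declares both or deployment fails on an unresolved variable.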
@@ -3808,8 +3661,8 @@
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
 "contentId": "[variables('_playbookContentId2')]",
- "contentKind": "LogicAppsCustomConnector",
- "displayName": "CiscoUmbrellaInvestigateAPIConnector",
+ "contentKind": "Playbook",
+ "displayName": "CiscoUmbrella-BlockDomain",
 "contentProductId": "[variables('_playbookcontentProductId2')]",
 "id": "[variables('_playbookcontentProductId2')]",
 "version": "[variables('playbookVersion2')]"
@@ -3824,1331 +3677,206 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CiscoUmbrellaManagementAPIConnector Playbook with template version 3.0.2", + "description": "CiscoUmbrella-AddIpToDestinationList Playbook with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion3')]", "parameters": { - "customApis_CiscoUmbrellaManagementAPI_name": { - "defaultValue": "CiscoUmbrellaManagementAPI", - "type": "String" + "PlaybookName": { + "defaultValue": "CiscoUmbrella-AddIpToDestinationList", + "type": "string" + }, + "TeamsGroupId": { + "defaultValue": "TeamsGroupIds", + "type": "string", + "metadata": { + "description": "Id of the Teams Group where the adaptive card will be posted." + } + }, + "TeamsChannelId": { + "defaultValue": "TeamsChannelId", + "type": "string", + "metadata": { + "description": "Id of the Teams Channel where the adaptive card will be posted." 
+ } + }, + "Keyvault name": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Enter the Key vault name where CiscoUmbrella Secrets are stored" + } + }, + "Umbrella API ClientId Key Name": { + "type": "string", + "metadata": { + "description": "Enter CiscoUmbrella ClientId Key Name from Key vault" + } + }, + "Umbrella API Secret Key Name": { + "type": "securestring", + "metadata": { + "description": "Enter CiscoUmbrella Secret Key Name from Key vault" + } + }, + "Host End Point": { + "type": "string", + "defaultValue": "api.umbrella.com", + "metadata": { + "description": "Enter Host End Point(hostname) without http:// or https://" + } } }, "variables": { - "operationId-RetrieveAllDestinationLists": "RetrieveAllDestinationLists", - "_operationId-RetrieveAllDestinationLists": "[[variables('operationId-RetrieveAllDestinationLists')]", - "operationId-CreateDestinationList": "CreateDestinationList", - "_operationId-CreateDestinationList": "[[variables('operationId-CreateDestinationList')]", - "operationId-GetDestinationList": "GetDestinationList", - "_operationId-GetDestinationList": "[[variables('operationId-GetDestinationList')]", - "operationId-GetDestinationsList": "GetDestinationsList", - "_operationId-GetDestinationsList": "[[variables('operationId-GetDestinationsList')]", - "operationId-AddDestinations": "AddDestinations", - "_operationId-AddDestinations": "[[variables('operationId-AddDestinations')]", - "operationId-DeleteDestinations": "DeleteDestinations", - "_operationId-DeleteDestinations": "[[variables('operationId-DeleteDestinations')]", + "MicrosoftSentinelConnectionName": "[[concat('azuresentinel-', parameters('PlaybookName'))]", + "TeamsConnectionName": "[[concat('teams-', parameters('PlaybookName'))]", + "KeyvaultConnectionName": "[[concat('Keyvault-', parameters('PlaybookName'))]", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', 
variables('workspace-location-inline'), '/managedApis/azuresentinel')]", + "_connection-2": "[[variables('connection-2')]", + "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/teams')]", + "_connection-3": "[[variables('connection-3')]", + "connection-4": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/keyvault')]", + "_connection-4": "[[variables('connection-4')]", "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", - "playbookContentId3": "CiscoUmbrellaManagementAPIConnector", - "playbookId3": "[[resourceId('Microsoft.Web/customApis', parameters('customApis_CiscoUmbrellaManagementAPI_name'))]", "workspace-name": "[parameters('workspace')]", "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" }, "resources": [ { - "type": "Microsoft.Web/customApis", - "apiVersion": "2016-06-01", - "name": "[[parameters('customApis_CiscoUmbrellaManagementAPI_name')]", - "location": "[[variables('workspace-location-inline')]", "properties": { - "connectionParameters": { - "username": { - "type": "securestring", - "uiDefinition": { - "displayName": "Key", - "description": "The Key for this api", - "tooltip": "Provide the Key", - "constraints": { - "tabIndex": 2, - "clearText": true, - "required": "true" - } + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + }, + "Umbrella API ClientId Key Name": { + "type": "string", + "defaultValue": "[[parameters('Umbrella API ClientId Key Name')]" + }, + "Umbrella API Secret Key Name": { + "type": "securestring", 
+ "defaultValue": "[[parameters('Umbrella API Secret Key Name')]" + }, + "Host End Point": { + "type": "string", + "defaultValue": "[[parameters('Host End Point')]" } }, - "password": { - "type": "securestring", - "uiDefinition": { - "displayName": "Secret", - "description": "The Secret for this api", - "tooltip": "Provide the Secret", - "constraints": { - "tabIndex": 3, - "clearText": false, - "required": "true" + "triggers": { + "When_Azure_Sentinel_incident_creation_rule_was_triggered": { + "type": "ApiConnectionWebhook", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" + } + }, + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "path": "/incident-creation" } } - } - }, - "brandColor": "#FFFFFF", - "description": "Connector for Cisco Umbrella Management API", - "displayName": "[[parameters('customApis_CiscoUmbrellaManagementAPI_name')]", - "iconUri": "", - "backendService": { - "serviceUrl": "https://management.api.umbrella.com" - }, - "apiType": "Rest", - "swagger": { - "swagger": "2.0", - "info": { - "title": "Default title", - "description": "Connector for Cisco Umbrella Management API", - "version": "1.0" - }, - "host": "management.api.umbrella.com", - "basePath": "/", - "schemes": [ - "https" - ], - "consumes": "[variables('TemplateEmptyArray')]", - "produces": "[variables('TemplateEmptyArray')]", - "paths": { - "/v1/organizations/{organizationId}/destinationlists": { - "get": { - "responses": { - "default": { - "description": "default", - "schema": { - "type": "object", - "properties": { - "status": { - "type": "object", - "x-ms-summary": "Response status", - "x-ms-visibility": "internal", - "description": "Response status object", - "properties": { - "code": { - "type": "integer", - "format": "int32", - "description": "code" - }, - "text": { - "type": "string", - "description": "text" - } - } - }, - "meta": { - "type": "object", - "x-ms-visibility": "internal", - 
"properties": { - "page": { - "type": "integer", - "format": "int32", - "description": "page" - }, - "limit": { - "type": "integer", - "format": "int32", - "description": "limit" - }, - "total": { - "type": "integer", - "format": "int32", - "description": "total" - } - }, - "description": "meta" - }, - "data": { - "x-ms-summary": "Array of Destionation list objects", - "description": "Array of Destionation list objects", - "type": "array", - "items": { - "type": "object", - "x-ms-summary": "Destionation list", - "description": "Destionation list object", - "properties": { - "id": { - "type": "integer", - "format": "int32", - "description": "Unique id of the destination list." - }, - "organizationId": { - "type": "integer", - "format": "int32", - "description": "organizationId" - }, - "access": { - "type": "string", - "description": "Access can be allow or block. It defines destinationlist type." - }, - "isGlobal": { - "type": "boolean", - "description": "isGlobal can be true or false. There will be only one default destination list of type allow or block for an organization." - }, - "name": { - "type": "string", - "description": "Name of the destination list." - }, - "thirdpartyCategoryId": { - "type": "string", - "description": "Destionation list thirdpartyCategoryId" - }, - "createdAt": { - "type": "string", - "description": "Creation date." - }, - "modifiedAt": { - "type": "string", - "description": "Last modified date." 
- }, - "isMspDefault": { - "type": "boolean", - "description": "Destionation list isMspDefault" - }, - "markedForDeletion": { - "type": "boolean", - "description": "Destionation list markedForDeletion" - }, - "bundleTypeId": { - "type": "integer", - "format": "int32", - "description": "Destionation list bundleTypeId" - }, - "meta": { - "type": "object", - "description": "Destionation list meta info object", - "properties": { - "destinationCount": { - "type": "integer", - "format": "int32", - "description": "Total number of destinations in a destination list." - }, - "domainCount": { - "type": "integer", - "format": "int32", - "description": "Total number of domains in a destination list. Domains are part of total destinations in a destination lists." - }, - "urlCount": { - "type": "integer", - "format": "int32", - "description": "Total number of Urls in a destination list. Urls are part of total destinations in a destination lists." - }, - "ipv4Count": { - "type": "integer", - "format": "int32", - "description": "Total number of Ip's in a destination list. Ip's are part of total destinations in a destination lists." - }, - "applicationCount": { - "type": "integer", - "format": "int32", - "description": "Total number of applications in a destination list." - } - } - } - } - } - } - } - } - } - }, - "summary": "Retrieve all destination lists", - "operationId": "[[variables('_operationId-RetrieveAllDestinationLists')]", - "description": "Retrieve all destination lists of organization", - "parameters": [ - { - "name": "organizationId", - "in": "path", - "required": true, - "type": "integer", - "description": "[variables('blanks')]", - "format": "int32" - } - ] - }, - "post": { - "responses": { - "default": { - "description": "default", - "schema": { - "type": "object", - "properties": { - "id": { - "type": "integer", - "format": "int32", - "description": "Unique id of the destination list." 
- }, - "organizationId": { - "type": "integer", - "format": "int32", - "description": "organizationId" - }, - "access": { - "type": "string", - "description": "Access can be allow or block. It defines destinationlist type." - }, - "isGlobal": { - "type": "boolean", - "description": "isGlobal can be true or false. There will be only one default destination list of type allow or block for an organization." - }, - "name": { - "type": "string", - "description": "Name of the destination list." - }, - "thirdpartyCategoryId": { - "type": "string", - "description": "Destionation list thirdpartyCategoryId" - }, - "createdAt": { - "type": "string", - "description": "Creation date." - }, - "modifiedAt": { - "type": "string", - "description": "Last modified date." - }, - "isMspDefault": { - "type": "boolean", - "description": "Destionation list isMspDefault" - }, - "markedForDeletion": { - "type": "boolean", - "description": "Destionation list markedForDeletion" - }, - "bundleTypeId": { - "type": "integer", - "format": "int32", - "description": "Destionation list bundleTypeId" - }, - "meta": { - "type": "object", - "description": "Destionation list meta info object", - "properties": { - "destinationCount": { - "type": "integer", - "format": "int32", - "description": "Total number of destinations in a destination list." - }, - "domainCount": { - "type": "integer", - "format": "int32", - "description": "Total number of domains in a destination list. Domains are part of total destinations in a destination lists." - }, - "urlCount": { - "type": "integer", - "format": "int32", - "description": "Total number of Urls in a destination list. Urls are part of total destinations in a destination lists." - }, - "ipv4Count": { - "type": "integer", - "format": "int32", - "description": "Total number of Ip's in a destination list. Ip's are part of total destinations in a destination lists." 
- }, - "applicationCount": { - "type": "integer", - "format": "int32", - "description": "Total number of applications in a destination list." - } - } - } - } - } - } - }, - "summary": "Create destination list", - "operationId": "[[variables('_operationId-CreateDestinationList')]", - "description": "Create destination list", - "parameters": [ - { - "name": "organizationId", - "in": "path", - "required": true, - "type": "string" - }, - { - "name": "body", - "in": "body", - "required": true, - "schema": { - "type": "object", - "properties": { - "destinations": { - "type": "array", - "items": { - "type": "object", - "properties": { - "type": { - "type": "string", - "description": "Type can be DOMAIN, URL, IPV4", - "title": "type", - "enum": [ - "DOMAIN", - "URL", - "IPV4" - ] - }, - "destination": { - "type": "string", - "description": "Destination can be domain, url, ip", - "title": "destination" - }, - "comment": { - "type": "string", - "description": "[variables('blanks')]", - "title": "comment" - } - }, - "required": [ - "destination", - "type" - ] - }, - "description": "destinations" - }, - "access": { - "type": "string", - "description": "Access can be allow or block. It defines destinationlist type.", - "title": "access", - "enum": [ - "allow", - "block" - ] - }, - "isGlobal": { - "type": "boolean", - "description": "isGlobal can be true or false. 
There will be only one default destination list of type allow or block for an organization.", - "title": "isGlobal", - "enum": [ - "", - true, - false - ] - }, - "name": { - "type": "string", - "description": "[variables('blanks')]", - "title": "name" - } - }, - "required": [ - "access", - "destinations", - "isGlobal", - "name" - ] - } - } - ] - } - }, - "/v1/organizations/{organizationId}/destinationlists/{destinationListId}": { - "get": { - "responses": { - "default": { - "description": "default", - "schema": { - "type": "object", - "properties": { - "status": { - "type": "object", - "x-ms-summary": "Response status", - "x-ms-visibility": "internal", - "description": "Response status object", - "properties": { - "code": { - "type": "integer", - "format": "int32", - "description": "code" - }, - "text": { - "type": "string", - "description": "text" - } - } - }, - "data": { - "type": "object", - "x-ms-summary": "Destionation list", - "description": "Destionation list object", - "properties": { - "id": { - "type": "integer", - "format": "int32", - "description": "Unique id of the destination list." - }, - "organizationId": { - "type": "integer", - "format": "int32", - "description": "organizationId" - }, - "access": { - "type": "string", - "description": "Access can be allow or block. It defines destinationlist type." - }, - "isGlobal": { - "type": "boolean", - "description": "isGlobal can be true or false. There will be only one default destination list of type allow or block for an organization." - }, - "name": { - "type": "string", - "description": "Name of the destination list." - }, - "thirdpartyCategoryId": { - "type": "string", - "description": "Destionation list thirdpartyCategoryId" - }, - "createdAt": { - "type": "string", - "description": "Creation date." - }, - "modifiedAt": { - "type": "string", - "description": "Last modified date." 
- }, - "isMspDefault": { - "type": "boolean", - "description": "Destionation list isMspDefault" - }, - "markedForDeletion": { - "type": "boolean", - "description": "Destionation list markedForDeletion" - }, - "bundleTypeId": { - "type": "integer", - "format": "int32", - "description": "Destionation list bundleTypeId" - }, - "meta": { - "type": "object", - "description": "Destionation list meta info object", - "properties": { - "destinationCount": { - "type": "integer", - "format": "int32", - "description": "Total number of destinations in a destination list." - }, - "domainCount": { - "type": "integer", - "format": "int32", - "description": "Total number of domains in a destination list. Domains are part of total destinations in a destination lists." - }, - "urlCount": { - "type": "integer", - "format": "int32", - "description": "Total number of Urls in a destination list. Urls are part of total destinations in a destination lists." - }, - "ipv4Count": { - "type": "integer", - "format": "int32", - "description": "Total number of Ip's in a destination list. Ip's are part of total destinations in a destination lists." - }, - "applicationCount": { - "type": "integer", - "format": "int32", - "description": "Total number of applications in a destination list." 
- } - } - } - } - } - } - } - } - }, - "summary": "Get a destination list", - "operationId": "[[variables('_operationId-GetDestinationList')]", - "description": "Get a destination list by id", - "parameters": [ - { - "name": "organizationId", - "in": "path", - "required": true, - "type": "string" - }, - { - "name": "destinationListId", - "in": "path", - "required": true, - "type": "string" - } - ] - } - }, - "/v1/organizations/{organizationId}/destinationlists/{destinationListId}/destinations": { - "get": { - "responses": { - "default": { - "description": "default", - "schema": { - "type": "object", - "properties": { - "status": { - "x-ms-visibility": "internal", - "type": "object", - "properties": { - "code": { - "type": "integer", - "format": "int32", - "description": "code" - }, - "text": { - "type": "string", - "description": "text" - } - }, - "description": "status" - }, - "meta": { - "type": "object", - "x-ms-visibility": "internal", - "properties": { - "page": { - "type": "integer", - "format": "int32", - "description": "page" - }, - "limit": { - "type": "integer", - "format": "int32", - "description": "limit" - }, - "total": { - "type": "integer", - "format": "int32", - "description": "total" - } - }, - "description": "meta" - }, - "data": { - "type": "array", - "x-ms-summary": "Destinations", - "description": "array of Destination objects", - "items": { - "type": "object", - "x-ms-summary": "Destination", - "description": "Destination object", - "properties": { - "id": { - "type": "string", - "description": "Unique id of the destination" - }, - "destination": { - "type": "string", - "x-ms-summary": "value", - "description": "Destination value" - }, - "type": { - "type": "string", - "description": "Type can be DOMAIN, URL, IPV4" - }, - "comment": { - "type": "string", - "description": "Destination comment" - }, - "createdAt": { - "type": "string", - "description": "Creation date of destination" - } - } - } - } - } - } - } - }, - "summary": "Get list of 
destinations related to destination list", - "operationId": "[[variables('_operationId-GetDestinationsList')]", - "parameters": [ - { - "name": "organizationId", - "in": "path", - "required": true, - "type": "string" - }, - { - "name": "destinationListId", - "in": "path", - "required": true, - "type": "string" - } - ], - "description": "Get list of destinations related to destination list" - }, - "post": { - "responses": { - "default": { - "description": "default" - } - }, - "summary": "Add list of destinations to destination list", - "description": "Add list of destinations to destination list", - "operationId": "[[variables('_operationId-AddDestinations')]", - "parameters": [ - { - "name": "organizationId", - "in": "path", - "required": true, - "type": "string" - }, - { - "name": "destinationListId", - "in": "path", - "required": true, - "type": "string" - }, - { - "name": "body", - "in": "body", - "required": true, - "schema": { - "type": "array", - "items": { - "type": "object", - "properties": { - "destination": { - "type": "string", - "description": "name of the destination", - "title": "destination" - }, - "comment": { - "type": "string", - "description": "comment for destination", - "title": "comment" - } - }, - "required": [ - "destination" - ] - }, - "required": [ - "items" - ] - } - } - ] - } - }, - "/v1/organizations/{organizationId}/destinationlists/{destinationListId}/destinations/remove": { - "delete": { - "responses": { - "default": { - "description": "default" - } - }, - "summary": "Delete list of destinations from destination list", - "operationId": "[[variables('_operationId-DeleteDestinations')]", - "parameters": [ - { - "name": "organizationId", - "in": "path", - "required": true, - "type": "string" - }, - { - "name": "destinationListId", - "in": "path", - "required": true, - "type": "string" - }, - { - "name": "body", - "in": "body", - "required": true, - "schema": { - "type": "array", - "items": { - "type": "integer", - "format": "int32", - 
"description": "Destination id" - } - } - } - ], - "description": "Delete list of destinations from destination list" - } - } - }, - "securityDefinitions": { - "basic_auth": { - "type": "basic" - } - }, - "security": [ - { - "basic_auth": "[variables('TemplateEmptyArray')]" - } - ], - "tags": "[variables('TemplateEmptyArray')]" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[[concat(variables('workspace-name'),'/Microsoft.SecurityInsights/',concat('LogicAppsCustomConnector-', last(split(variables('playbookId3'),'/'))))]", - "properties": { - "parentId": "[[variables('playbookId3')]", - "contentId": "[variables('_playbookContentId3')]", - "kind": "LogicAppsCustomConnector", - "version": "[variables('playbookVersion3')]", - "source": { - "kind": "Solution", - "name": "CiscoUmbrella", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com/" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_playbookContentId3')]", - "contentKind": "LogicAppsCustomConnector", - "displayName": "CiscoUmbrellaManagementAPIConnector", - "contentProductId": "[variables('_playbookcontentProductId3')]", - "id": "[variables('_playbookcontentProductId3')]", - "version": "[variables('playbookVersion3')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('playbookTemplateSpecName4')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - 
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "CiscoUmbrellaNetworkDeviceManagementAPIConnector Playbook with template version 3.0.2", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion4')]", - "parameters": { - "customApis_CiscoUmbrellaNetworkDeviceManagementAPI_name": { - "defaultValue": "CiscoUmbrellaNetworkDeviceManagementAPI", - "type": "String" - } - }, - "variables": { - "operationId-GetOrganizationId": "GetOrganizationId", - "_operationId-GetOrganizationId": "[[variables('operationId-GetOrganizationId')]", - "operationId-ListAllPoliciesOnDevice": "ListAllPoliciesOnDevice", - "_operationId-ListAllPoliciesOnDevice": "[[variables('operationId-ListAllPoliciesOnDevice')]", - "operationId-DeleteIdentityFromPolicy": "DeleteIdentityFromPolicy", - "_operationId-DeleteIdentityFromPolicy": "[[variables('operationId-DeleteIdentityFromPolicy')]", - "operationId-AssignPolicyToIdentity": "AssignPolicyToIdentity", - "_operationId-AssignPolicyToIdentity": "[[variables('operationId-AssignPolicyToIdentity')]", - "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", - "playbookContentId4": "CiscoUmbrellaNetworkDeviceManagementAPIConnector", - "playbookId4": "[[resourceId('Microsoft.Web/customApis', parameters('customApis_CiscoUmbrellaNetworkDeviceManagementAPI_name'))]", - "workspace-name": "[parameters('workspace')]", - "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" - }, - "resources": [ - { - "type": "Microsoft.Web/customApis", - "apiVersion": "2016-06-01", - "name": "[[parameters('customApis_CiscoUmbrellaNetworkDeviceManagementAPI_name')]", - "location": "[[variables('workspace-location-inline')]", - 
"properties": { - "connectionParameters": { - "username": { - "type": "securestring", - "uiDefinition": { - "displayName": "Key", - "description": "The Key for this api", - "tooltip": "Provide the Key", - "constraints": { - "tabIndex": 2, - "clearText": true, - "required": "true" - } - } - }, - "password": { - "type": "securestring", - "uiDefinition": { - "displayName": "Secret", - "description": "The Secret for this api", - "tooltip": "Provide the Secret", - "constraints": { - "tabIndex": 3, - "clearText": false, - "required": "true" - } - } - } - }, - "brandColor": "#FFFFFF", - "description": "Connector for Cisco Umbrella Network Device Management API", - "displayName": "[[parameters('customApis_CiscoUmbrellaNetworkDeviceManagementAPI_name')]", - "iconUri": "", - "backendService": { - "serviceUrl": "https://management.api.umbrella.com" - }, - "apiType": "Rest", - "swagger": { - "swagger": "2.0", - "info": { - "title": "CiscoUmbrellaNetworkDeviceManagementAPIConnector", - "version": "1.0", - "description": "Connector for Cisco Umbrella Network Device Management API" - }, - "host": "management.api.umbrella.com", - "basePath": "/", - "schemes": [ - "https" - ], - "paths": { - "/v1/organizations": { - "get": { - "responses": { - "default": { - "description": "default", - "schema": { - "type": "array", - "items": { - "type": "object", - "x-ms-summary": "Organization", - "description": "Organization object", - "properties": { - "organizationId": { - "type": "integer", - "format": "int32", - "description": "Organization Id", - "title": "Id" - }, - "name": { - "type": "string", - "description": "Organization name", - "title": "name" - } - } - } - } - } - }, - "summary": "Get organization id", - "description": "Get organization id", - "operationId": "[[variables('_operationId-GetOrganizationId')]", - "parameters": "[variables('TemplateEmptyArray')]" - } - }, - "/v1/organizations/{organizationId}/networkdevices/{originId}/policies": { - "get": { - "responses": { - 
"default": { - "description": "default", - "schema": { - "type": "array", - "items": { - "type": "object", - "x-ms-summary": "Policy", - "description": "Policy object", - "properties": { - "policyId": { - "type": "integer", - "format": "int32", - "description": "Policy Id", - "title": "Id" - }, - "name": { - "type": "string", - "description": "Policy name", - "title": "name" - }, - "priority": { - "type": "integer", - "format": "int32", - "description": "Policy priority" - }, - "isAppliedDirectly": { - "type": "boolean", - "description": "Policy is Applied Directly" - }, - "isDefault": { - "type": "boolean", - "description": "Policy is Default" - }, - "createdAt": { - "type": "string", - "description": "Policy creation date" - } - } - } - } - } - }, - "summary": "List all policies of a network device", - "description": "List all policies of a network device", - "operationId": "[[variables('_operationId-ListAllPoliciesOnDevice')]", - "parameters": [ - { - "name": "organizationId", - "in": "path", - "required": true, - "type": "string", - "description": "Organization Id" - }, - { - "name": "originId", - "in": "path", - "required": true, - "type": "string", - "description": "Device Id" - } - ] - } - }, - "/v1/organizations/{organizationId}/policies/{policyId}/identities/{originId}": { - "delete": { - "responses": { - "default": { - "description": "default" - } - }, - "summary": "Delete an identity from a policy", - "description": "Delete an identity from a policy", - "operationId": "[[variables('_operationId-DeleteIdentityFromPolicy')]", - "parameters": [ - { - "name": "organizationId", - "in": "path", - "required": true, - "type": "string", - "description": "Organization Id" - }, - { - "name": "policyId", - "in": "path", - "required": true, - "type": "string", - "description": "Policy Id" - }, - { - "name": "originId", - "in": "path", - "required": true, - "type": "string", - "description": "Identity Id" - } - ] - }, - "put": { - "responses": { - "default": { - 
"description": "default" - } - }, - "summary": "Assign a policy to an identity", - "description": "Assign a policy to an identity", - "operationId": "[[variables('_operationId-AssignPolicyToIdentity')]", - "parameters": [ - { - "name": "organizationId", - "in": "path", - "required": true, - "type": "string", - "description": "Organization Id" - }, - { - "name": "policyId", - "in": "path", - "required": true, - "type": "string", - "description": "Policy Id" - }, - { - "name": "originId", - "in": "path", - "required": true, - "type": "string", - "description": "Identity Id" - } - ] - } - } - }, - "securityDefinitions": { - "basic_auth": { - "type": "basic" - } - }, - "security": [ - { - "basic_auth": "[variables('TemplateEmptyArray')]" - } - ], - "tags": "[variables('TemplateEmptyArray')]" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[[concat(variables('workspace-name'),'/Microsoft.SecurityInsights/',concat('LogicAppsCustomConnector-', last(split(variables('playbookId4'),'/'))))]", - "properties": { - "parentId": "[[variables('playbookId4')]", - "contentId": "[variables('_playbookContentId4')]", - "kind": "LogicAppsCustomConnector", - "version": "[variables('playbookVersion4')]", - "source": { - "kind": "Solution", - "name": "CiscoUmbrella", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com/" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_playbookContentId4')]", - "contentKind": "LogicAppsCustomConnector", - "displayName": 
"CiscoUmbrellaNetworkDeviceManagementAPIConnector", - "contentProductId": "[variables('_playbookcontentProductId4')]", - "id": "[variables('_playbookcontentProductId4')]", - "version": "[variables('playbookVersion4')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('playbookTemplateSpecName5')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "CiscoUmbrella-AddIpToDestinationList Playbook with template version 3.0.2", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion5')]", - "parameters": { - "PlaybookName": { - "defaultValue": "CiscoUmbrella-AddIpToDestinationList", - "type": "String" - }, - "CiscoUmbrellaOrganizationId": { - "type": "Int", - "defaultValue": 0, - "metadata": { - "description": "Organization id in Cisco Umbrella." - } - }, - "TeamsGroupId": { - "defaultValue": "TeamsGroupIds", - "type": "String", - "metadata": { - "description": "Id of the Teams Group where the adaptive card will be posted." - } - }, - "TeamsChannelId": { - "defaultValue": "TeamsChannelId", - "type": "String", - "metadata": { - "description": "Id of the Teams Channel where the adaptive card will be posted." 
- } - }, - "customApis_ciscoumbrellamanagement_name": { - "defaultValue": "CiscoUmbrellaManagementAPI", - "type": "String" - } - }, - "variables": { - "AzureSentinelConnectionName": "[[concat('azuresentinel-', parameters('PlaybookName'))]", - "TeamsConnectionName": "[[concat('teams-', parameters('PlaybookName'))]", - "CiscoUmbrellaManagementAPIConnectionName": "[[concat('ciscoumbrellamanagement-connection-', parameters('PlaybookName'))]", - "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", - "_connection-1": "[[variables('connection-1')]", - "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('customApis_ciscoumbrellamanagement_name'))]", - "_connection-2": "[[variables('connection-2')]", - "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/teams')]", - "_connection-3": "[[variables('connection-3')]", - "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", - "workspace-name": "[parameters('workspace')]", - "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" - }, - "resources": [ - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('AzureSentinelConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "properties": { - "displayName": "[[variables('AzureSentinelConnectionName')]", - "api": { - "id": "[[variables('_connection-1')]" - } - } - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('CiscoUmbrellaManagementAPIConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": 
"V1", - "properties": { - "displayName": "[[variables('CiscoUmbrellaManagementAPIConnectionName')]", - "api": { - "id": "[[variables('_connection-2')]" - } - } - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('TeamsConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "properties": { - "displayName": "[[variables('TeamsConnectionName')]", - "api": { - "id": "[[variables('_connection-3')]" - } - } - }, - { - "type": "Microsoft.Logic/workflows", - "apiVersion": "2017-07-01", - "name": "[[parameters('PlaybookName')]", - "location": "[[variables('workspace-location-inline')]", - "dependsOn": [ - "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", - "[[resourceId('Microsoft.Web/connections', variables('CiscoUmbrellaManagementAPIConnectionName'))]" - ], - "properties": { - "state": "Enabled", - "definition": { - "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + }, "actions": { "Append_to_array_variable": { - "inputs": { - "name": "dest_lists_array", - "value": { - "title": "Ignore", - "value": 0 - } - }, "runAfter": { "Initialize_variable_dest_lists_array": [ "Succeeded" ] }, - "type": "AppendToArrayVariable" - }, - "Entities_-_Get_IPs": { + "type": "AppendToArrayVariable", "inputs": { - "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "post", - "path": "/entities/ip" - }, - "runAfter": { - "Append_to_array_variable": [ - "Succeeded" - ] - }, - "type": "ApiConnection" + "name": "dest_lists_array", + "value": { + "title": "Ignore", + "value": 0 + } + } }, "For_each_IP": { + "foreach": "@body('Entities_-_Get_IPs')?['IPs']", "actions": { "Add_IP_to_destination_list": { "actions": { - "Add_list_of_destinations_to_destination_list": { - "inputs": { 
- "body": [ - { - "destination": "@{outputs('Get_IP')}" - } - ], - "host": { - "connection": { - "name": "@parameters('$connections')['ciscoumbrellamanagement']['connectionId']" - } - }, - "method": "post", - "path": "/v1/organizations/@{encodeURIComponent(variables('organization_id'))}/destinationlists/@{encodeURIComponent(body('Post_adaptive_card_and_wait_for_a_response')['data']['action_choices'])}/destinations" - }, - "type": "ApiConnection" - }, "Compose": { - "inputs": "@body('Filter_array')[0]['title']", "runAfter": { "Filter_array": [ "Succeeded" ] }, - "type": "Compose" + "type": "Compose", + "inputs": "@body('Filter_array')[0]['title']" }, "Filter_array": { - "inputs": { - "from": "@variables('dest_lists_array')", - "where": "@equals(string(item()['value']), body('Post_adaptive_card_and_wait_for_a_response')['data']['action_choices'])" - }, "runAfter": { "Set_variable_3": [ "Skipped" ] }, - "type": "Query" + "type": "Query", + "inputs": { + "from": "@variables('dest_lists_array')", + "where": "@equals(string(item()['value']), body('Post_adaptive_card_and_wait_for_a_response')['data']['action_choices'])" + } }, "Set_variable": { - "inputs": { - "name": "action_message", - "value": "IP @{outputs('Get_IP')} added to \"@{outputs('Compose')}\" destination list." - }, "runAfter": { "Compose": [ "Succeeded" ] }, - "type": "SetVariable" - }, - "Set_variable_3": { + "type": "SetVariable", "inputs": { "name": "action_message", - "value": "IP @{outputs('Get_IP')} was not added to \"\" destination lists due to Csico Umbrella API error." - }, + "value": "IP @{outputs('Get_IP')} added to \"@{outputs('Compose')}\" destination list." 
+ } + }, + "Set_variable_3": { "runAfter": { - "Add_list_of_destinations_to_destination_list": [ + "HTTP_-_Add_list_of_destinations_to_destination_list": [ "TimedOut", "Failed" ] }, - "type": "SetVariable" + "type": "SetVariable", + "inputs": { + "name": "action_message", + "value": "IP @{outputs('Get_IP')} was not added to \"\" destination lists due to Cisco Umbrella API error." + } + }, + "HTTP_-_Add_list_of_destinations_to_destination_list": { + "type": "Http", + "inputs": { + "uri": "https://@{parameters('Host End Point')}/policies/v2/destinationlists/@{encodeURIComponent(body('Post_adaptive_card_and_wait_for_a_response')['data']['action_choices'])}/destinations", + "method": "POST", + "headers": { + "Content-Type": "application/json", + "Accept": "application/json", + "Authorization": "Bearer @{body('Parse_JSON_-_Parse_Login_Response')?['access_token']}" + }, + "body": [ + { + "destination": "@{outputs('Get_IP')}" + } + ] + }, + "runtimeConfiguration": { + "contentTransfer": { + "transferMode": "Chunked" + } + } } }, + "runAfter": { + "Post_adaptive_card_and_wait_for_a_response": [ + "Succeeded" + ] + }, "expression": { "and": [ { @@ -5175,35 +3903,31 @@ } ] }, + "type": "If" + }, + "Add_comment_to_incident_(V3)": { "runAfter": { - "Post_adaptive_card_and_wait_for_a_response": [ + "Get_Cisco_logo": [ "Succeeded" ] }, - "type": "If" - }, - "Add_comment_to_incident_(V3)": { + "type": "ApiConnection", "inputs": { - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "

@{outputs('Get_Cisco_logo')}CiscoUmbrella-AddIpToDestinationList
\nActions taken:
\n@{variables('action_message')}
\n@{variables('status_message')}
\n@{variables('severity_message')}

" - }, "host": { "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" } }, "method": "post", + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

@{outputs('Get_Cisco_logo')}CiscoUmbrella-AddIpToDestinationList
\nActions taken:
\n@{variables('action_message')}
\n@{variables('status_message')}
\n@{variables('severity_message')}

" + }, "path": "/Incidents/Comment" - }, - "runAfter": { - "Get_Cisco_logo": [ - "Succeeded" - ] - }, - "type": "ApiConnection" + } }, "Create_body_for_adaptive_card": { + "type": "Compose", "inputs": { "$schema": "http://adaptivecards.io/schemas/adaptive-card.json", "actions": [ @@ -5250,7 +3974,7 @@ }, { "id": "PollQuestionAction", - "text": "Select the Cisco Umbrella destination list to add IP @{item()['address']} to.", + "text": "Select the Cisco Umbrella destination list to add IP to.", "type": "TextBlock" }, { 
@@ -5333,231 +4057,226 @@ ], "type": "AdaptiveCard", "version": "1.0" - }, - "type": "Compose" + } }, "Get_Cisco_logo": { - "inputs": "", "runAfter": { "Update_status": [ "Succeeded" ] }, - "type": "Compose" + "type": "Compose", + "inputs": "" }, - "Get_IP": { - "inputs": "@item()['address']", + "Post_adaptive_card_and_wait_for_a_response": { "runAfter": { - "Set_variable_16": [ + "Get_IP": [ "Succeeded" ] }, - "type": "Compose" - }, - "Post_adaptive_card_and_wait_for_a_response": { + "type": "ApiConnectionWebhook", "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['teams']['connectionId']" + } + }, "body": { + "notificationUrl": "@{listCallbackUrl()}", "body": { "messageBody": "@{outputs('Create_body_for_adaptive_card')}", + "updateMessage": "Thanks for your response!", "recipient": { - "channelId": "@variables('TeamsChannelId')", - "groupId": "@variables('TeamsGroupId')" - }, - "updateMessage": "Thanks for your response!" - }, - "notificationUrl": "@{listCallbackUrl()}" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['teams']['connectionId']" + "groupId": "@variables('TeamsGroupId')", + "channelId": "@variables('TeamsChannelId')" + } } }, "path": "/v1.0/teams/conversation/gatherinput/poster/Flow bot/location/@{encodeURIComponent('Channel')}/$subscriptions" - }, - "runAfter": { - "Get_IP": [ - "Succeeded" - ] - }, - "type": "ApiConnectionWebhook" + } }, "Set_variable_14": { - "inputs": { - "name": "action_message", - "value": "\"\"" - }, "runAfter": { "Create_body_for_adaptive_card": [ "Succeeded" ] }, - "type": "SetVariable" - }, - "Set_variable_15": { + "type": "SetVariable", "inputs": { - "name": "severity_message", + "name": "action_message", "value": "\"\"" - }, + } + }, + "Set_variable_15": { "runAfter": { "Set_variable_14": [ "Succeeded" ] }, - "type": "SetVariable" - }, - "Set_variable_16": { + "type": "SetVariable", "inputs": { - "name": "status_message", + "name": "severity_message", "value": 
"\"\"" - }, + } + }, + "Set_variable_16": { "runAfter": { "Set_variable_15": [ "Succeeded" ] }, - "type": "SetVariable" + "type": "SetVariable", + "inputs": { + "name": "status_message", + "value": "\"\"" + } }, "Update_severity": { "actions": { "Switch": { "cases": { "high_severity": { + "case": "high", "actions": { "Set_variable_2": { - "inputs": { - "name": "severity_message", - "value": "Incident severity was changed to \"High\"." - }, "runAfter": { "Update_incident_high_severity": [ "Succeeded" ] }, - "type": "SetVariable" + "type": "SetVariable", + "inputs": { + "name": "severity_message", + "value": "Incident severity was changed to \"High\"." + } }, "Update_incident_high_severity": { + "type": "ApiConnection", "inputs": { - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "severity": "High" - }, "host": { "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" } }, "method": "put", + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "severity": "High" + }, "path": "/Incidents" - }, - "type": "ApiConnection" + } } - }, - "case": "high" + } }, "informational_severity": { + "case": "informational", "actions": { "Set_variable_4": { - "inputs": { - "name": "severity_message", - "value": "Incident severity was changed to \"Informational\"." - }, "runAfter": { "Update_incident_informational_severity": [ "Succeeded" ] }, - "type": "SetVariable" + "type": "SetVariable", + "inputs": { + "name": "severity_message", + "value": "Incident severity was changed to \"Informational\"." 
+ } }, "Update_incident_informational_severity": { + "type": "ApiConnection", "inputs": { - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "severity": "Informational" - }, "host": { "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" } }, "method": "put", + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "severity": "Informational" + }, "path": "/Incidents" - }, - "type": "ApiConnection" + } } - }, - "case": "informational" + } }, "low_severity": { + "case": "low", "actions": { "Set_variable_5": { - "inputs": { - "name": "severity_message", - "value": "Incident severity was changed to \"Low\"." - }, "runAfter": { "Update_incident_low_severity": [ "Succeeded" ] }, - "type": "SetVariable" + "type": "SetVariable", + "inputs": { + "name": "severity_message", + "value": "Incident severity was changed to \"Low\"." + } }, "Update_incident_low_severity": { + "type": "ApiConnection", "inputs": { - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "severity": "Low" - }, "host": { "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" } }, "method": "put", + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "severity": "Low" + }, "path": "/Incidents" - }, - "type": "ApiConnection" + } } - }, - "case": "low" + } }, "medium_severity": { + "case": "medium", "actions": { "Set_variable_6": { - "inputs": { - "name": "severity_message", - "value": "Incident severity was changed to \"Medium\"." - }, "runAfter": { "Update_incident_medium_severity": [ "Succeeded" ] }, - "type": "SetVariable" + "type": "SetVariable", + "inputs": { + "name": "severity_message", + "value": "Incident severity was changed to \"Medium\"." 
+ } }, "Update_incident_medium_severity": { + "type": "ApiConnection", "inputs": { - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "severity": "Medium" - }, "host": { "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" } }, "method": "put", + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "severity": "Medium" + }, "path": "/Incidents" - }, - "type": "ApiConnection" + } } - }, - "case": "medium" + } } }, "expression": "@body('Post_adaptive_card_and_wait_for_a_response')['data']['severity_choices']", "type": "Switch" } }, + "runAfter": { + "Add_IP_to_destination_list": [ + "Succeeded" + ] + }, "expression": { "and": [ { @@ -5576,11 +4295,6 @@ } ] }, - "runAfter": { - "Add_IP_to_destination_list": [ - "Succeeded" - ] - }, "type": "If" }, "Update_status": { 
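Review bot: `Set_variable_14`, `Set_variable_15` and `Set_variable_16` reset `action_message`, `severity_message` and `status_message` to `"\"\""`, which is a two-character literal of quote marks rather than an empty string; when the analyst leaves severity or status unchanged, the incident comment built in `Add_comment_to_incident_(V3)` renders those lines as `""`. Unless the visible quotes are intended, `"value": ""` (or whatever empty-string form the SetVariable action accepts) gives a cleaner comment. `Get_Cisco_logo` is a Compose whose input is `""` and whose output is prepended to that same comment, so it is a no-op placeholder; either give it content or drop it together with the `@{outputs('Get_Cisco_logo')}` reference. The enclosing `For_each_IP` actions block starts and ends outside this hunk.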
@@ -5588,256 +4302,261 @@ "Switch_2": { "cases": { "Case": { + "case": "new", "actions": { "Set_variable_7": { - "inputs": { - "name": "status_message", - "value": "Incident status was changed to \"New\"." - }, "runAfter": { "Update_incident": [ "Succeeded" ] }, - "type": "SetVariable" + "type": "SetVariable", + "inputs": { + "name": "status_message", + "value": "Incident status was changed to \"New\"." + } }, "Update_incident": { + "type": "ApiConnection", "inputs": { - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "status": "New" - }, "host": { "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" } }, "method": "put", + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "status": "New" + }, "path": "/Incidents" - }, - "type": "ApiConnection" + } } - }, - "case": "new" + } }, "Case_2": { + "case": "active", "actions": { "Set_variable_8": { - "inputs": { - "name": "status_message", - "value": "Incident status was changed to \"Active\"." - }, "runAfter": { "Update_incident_2": [ "Succeeded" ] }, - "type": "SetVariable" + "type": "SetVariable", + "inputs": { + "name": "status_message", + "value": "Incident status was changed to \"Active\"." 
+ } }, "Update_incident_2": { + "type": "ApiConnection", "inputs": { - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "status": "Active" - }, "host": { "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" } }, "method": "put", + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "status": "Active" + }, "path": "/Incidents" - }, - "type": "ApiConnection" + } } - }, - "case": "active" + } }, "Case_3": { + "case": "close_tp", "actions": { "Set_variable_9": { - "inputs": { - "name": "status_message", - "value": "Incident status was changed to \"Closed: True Positive - suspicious activity\"." - }, "runAfter": { "Update_incident_3": [ "Succeeded" ] }, - "type": "SetVariable" + "type": "SetVariable", + "inputs": { + "name": "status_message", + "value": "Incident status was changed to \"Closed: True Positive - suspicious activity\"." + } }, "Update_incident_3": { + "type": "ApiConnection", "inputs": { - "body": { - "classification": { - "ClassificationAndReason": "TruePositive - SuspiciousActivity" - }, - "incidentArmId": "@triggerBody()?['object']?['id']", - "status": "Closed" - }, "host": { "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" } }, "method": "put", + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "status": "Closed", + "classification": { + "ClassificationAndReason": "TruePositive - SuspiciousActivity" + } + }, "path": "/Incidents" - }, - "type": "ApiConnection" + } } - }, - "case": "close_tp" + } }, "Case_4": { + "case": "close_bp", "actions": { "Set_variable_10": { - "inputs": { - "name": "status_message", - "value": "Incident status was changed to \"Closed: Benign Positive - suspicious but expected\"." 
- }, "runAfter": { "Update_incident_4": [ "Succeeded" ] }, - "type": "SetVariable" + "type": "SetVariable", + "inputs": { + "name": "status_message", + "value": "Incident status was changed to \"Closed: Benign Positive - suspicious but expected\"." + } }, "Update_incident_4": { + "type": "ApiConnection", "inputs": { - "body": { - "classification": { - "ClassificationAndReason": "BenignPositive - SuspiciousButExpected" - }, - "incidentArmId": "@triggerBody()?['object']?['id']", - "status": "Closed" - }, "host": { "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" } }, "method": "put", + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "status": "Closed", + "classification": { + "ClassificationAndReason": "BenignPositive - SuspiciousButExpected" + } + }, "path": "/Incidents" - }, - "type": "ApiConnection" + } } - }, - "case": "close_bp" + } }, "Case_5": { + "case": "close_fp_incorrect_logic", "actions": { "Set_variable_11": { - "inputs": { - "name": "status_message", - "value": "Incident status was changed to \"Closed: False Positive - incorrect alert logic\"." - }, "runAfter": { "Update_incident_5": [ "Succeeded" ] }, - "type": "SetVariable" + "type": "SetVariable", + "inputs": { + "name": "status_message", + "value": "Incident status was changed to \"Closed: False Positive - incorrect alert logic\"." 
+ } }, "Update_incident_5": { + "type": "ApiConnection", "inputs": { - "body": { - "classification": { - "ClassificationAndReason": "FalsePositive - IncorrectAlertLogic" - }, - "incidentArmId": "@triggerBody()?['object']?['id']", - "status": "Closed" - }, "host": { "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" } }, "method": "put", + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "status": "Closed", + "classification": { + "ClassificationAndReason": "FalsePositive - IncorrectAlertLogic" + } + }, "path": "/Incidents" - }, - "type": "ApiConnection" + } } - }, - "case": "close_fp_incorrect_logic" + } }, "Case_6": { + "case": "close_fp_inaccurate_data", "actions": { "Set_variable_12": { - "inputs": { - "name": "status_message", - "value": "Incident status was changed to \"Closed: False Positive - inaccurate data\"." - }, "runAfter": { "Update_incident_6": [ "Succeeded" ] }, - "type": "SetVariable" + "type": "SetVariable", + "inputs": { + "name": "status_message", + "value": "Incident status was changed to \"Closed: False Positive - inaccurate data\"." 
+ } }, "Update_incident_6": { + "type": "ApiConnection", "inputs": { - "body": { - "classification": { - "ClassificationAndReason": "FalsePositive - InaccurateData" - }, - "incidentArmId": "@triggerBody()?['object']?['id']", - "status": "Closed" - }, "host": { "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" } }, "method": "put", + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "status": "Closed", + "classification": { + "ClassificationAndReason": "FalsePositive - InaccurateData" + } + }, "path": "/Incidents" - }, - "type": "ApiConnection" + } } - }, - "case": "close_fp_inaccurate_data" + } }, "Case_7": { + "case": "close_undetermined", "actions": { "Set_variable_13": { - "inputs": { - "name": "status_message", - "value": "Incident status was changed to \"Closed: Undetermined\"." - }, "runAfter": { "Update_incident_7": [ "Succeeded" ] }, - "type": "SetVariable" + "type": "SetVariable", + "inputs": { + "name": "status_message", + "value": "Incident status was changed to \"Closed: Undetermined\"." 
+ } }, "Update_incident_7": { + "type": "ApiConnection", "inputs": { - "body": { - "classification": { - "ClassificationAndReason": "Undetermined" - }, - "incidentArmId": "@triggerBody()?['object']?['id']", - "status": "Closed" - }, "host": { "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" } }, "method": "put", + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "status": "Closed", + "classification": { + "ClassificationAndReason": "Undetermined" + } + }, "path": "/Incidents" - }, - "type": "ApiConnection" + } } - }, - "case": "close_undetermined" + } } }, "expression": "@body('Post_adaptive_card_and_wait_for_a_response')['data']['status_choices']", "type": "Switch" } }, + "runAfter": { + "Update_severity": [ + "Succeeded" + ] + }, "expression": { "and": [ { @@ -5856,15 +4575,18 @@ } ] }, + "type": "If" + }, + "Get_IP": { "runAfter": { - "Update_severity": [ + "Set_variable_16": [ "Succeeded" ] }, - "type": "If" + "type": "Compose", + "inputs": "@item()['address']" } }, - "foreach": "@body('Entities_-_Get_IPs')?['IPs']", "runAfter": { "Entities_-_Get_IPs": [ "Succeeded" @@ -5873,21 +4595,27 @@ "type": "Foreach" }, "Get_list_of_destinations_lists_for_Teams_adaptive_card": { + "runAfter": { + "Parse_JSON_-_Parse_destination_lists": [ + "Succeeded" + ] + }, + "type": "Select", "inputs": { - "from": "@body('Retrieve_all_destination_lists')?['data']", + "from": "@body('Parse_JSON_-_Parse_destination_lists')?['data']", "select": { "title": "@item()['name']", "value": "@item()['id']" } - }, + } + }, + "Initialize_variable_TeamsChannelId": { "runAfter": { - "Retrieve_all_destination_lists": [ + "Initialize_variable_TeamsGroupId": [ "Succeeded" ] }, - "type": "Select" - }, - "Initialize_variable_TeamsChannelId": { + "type": "InitializeVariable", "inputs": { "variables": [ { 
@@ -5896,15 +4624,10 @@ "value": "[[parameters('TeamsChannelId')]" } ] - }, - "runAfter": { - "Initialize_variable_TeamsGroupId": [ - "Succeeded" - ] - }, - "type": "InitializeVariable" + } }, "Initialize_variable_TeamsGroupId": { + "type": "InitializeVariable", "inputs": { "variables": [ { @@ -5913,15 +4636,15 @@ "value": "[[parameters('TeamsGroupId')]" } ] - }, + } + }, + "Initialize_variable_action_message": { "runAfter": { - "Initialize_variable_organization_id": [ + "Initialize_variable_TeamsChannelId": [ "Succeeded" ] }, - "type": "InitializeVariable" - }, - "Initialize_variable_action_message": { + "type": "InitializeVariable", "inputs": { "variables": [ { @@ -5929,15 +4652,15 @@ "type": "string" } ] - }, + } + }, + "Initialize_variable_dest_lists_array": { "runAfter": { - "Initialize_variable_TeamsChannelId": [ + "Get_list_of_destinations_lists_for_Teams_adaptive_card": [ "Succeeded" ] }, - "type": "InitializeVariable" - }, - "Initialize_variable_dest_lists_array": { + "type": "InitializeVariable", "inputs": { "variables": [ { @@ -5946,27 +4669,15 @@ "value": "@body('Get_list_of_destinations_lists_for_Teams_adaptive_card')" } ] - }, + } + }, + "Initialize_variable_severity_message": { "runAfter": { - "Get_list_of_destinations_lists_for_Teams_adaptive_card": [ + "Initialize_variable_action_message": [ "Succeeded" ] }, - "type": "InitializeVariable" - }, - "Initialize_variable_organization_id": { - "inputs": { - "variables": [ - { - "name": "organization_id", - "type": "integer", - "value": "[[parameters('CiscoUmbrellaOrganizationId')]" - } - ] - }, - "type": "InitializeVariable" - }, - "Initialize_variable_severity_message": { + "type": "InitializeVariable", "inputs": { "variables": [ { 
@@ -5974,15 +4685,15 @@ "type": "string" } ] - }, + } + }, + "Initialize_variable_status_message": { "runAfter": { - "Initialize_variable_action_message": [ + "Initialize_variable_severity_message": [ "Succeeded" ] }, - "type": "InitializeVariable" - }, - "Initialize_variable_status_message": { + "type": "InitializeVariable", "inputs": { "variables": [ { 
@@ -5990,90 +4701,374 @@ "type": "string" } ] - }, + } + }, + "Get_Client_Id": { "runAfter": { - "Initialize_variable_severity_message": [ + "Initialize_variable_status_message": [ "Succeeded" ] }, - "type": "InitializeVariable" + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['keyvault']['connectionId']" + } + }, + "method": "get", + "path": "/secrets/@{encodeURIComponent(parameters('Umbrella API ClientId Key Name'))}/value" + }, + "runtimeConfiguration": { + "secureData": { + "properties": [ + "inputs", + "outputs" + ] + } + } }, - "Retrieve_all_destination_lists": { + "Get_Secret": { + "runAfter": { + "Get_Client_Id": [ + "Succeeded" + ] + }, + "type": "ApiConnection", "inputs": { "host": { "connection": { - "name": "@parameters('$connections')['ciscoumbrellamanagement']['connectionId']" + "name": "@parameters('$connections')['keyvault']['connectionId']" } }, "method": "get", - "path": "/v1/organizations/@{encodeURIComponent(variables('organization_id'))}/destinationlists" + "path": "/secrets/@{encodeURIComponent(parameters('Umbrella API Secret Key Name'))}/value" }, + "runtimeConfiguration": { + "secureData": { + "properties": [ + "inputs", + "outputs" + ] + } + } + }, + "HTTP_-_Generate_Login_Token": { "runAfter": { - "Initialize_variable_status_message": [ + "Get_Secret": [ "Succeeded" ] }, - "type": "ApiConnection" - } - }, - "contentVersion": "1.0.0.0", - "parameters": { - "$connections": { - "type": "Object" - } - }, - "triggers": { - "When_Azure_Sentinel_incident_creation_rule_was_triggered": { + "type": "Http", "inputs": { - "body": { - "callback_url": "@{listCallbackUrl()}" + "uri": "https://@{parameters('Host End Point')}/auth/v2/token", + "method": "POST", + "headers": { + "Content-Type": "application/x-www-form-urlencoded" + }, + "authentication": { + "type": "Basic", + "username": "@{body('Get_Client_Id')?['value']}", + "password": "@{body('Get_Secret')?['value']}" + } + }, + 
"runtimeConfiguration": { + "contentTransfer": { + "transferMode": "Chunked" }, + "secureData": { + "properties": [ + "inputs", + "outputs" + ] + } + } + }, + "Parse_JSON_-_Parse_Login_Response": { + "runAfter": { + "HTTP_-_Generate_Login_Token": [ + "Succeeded" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@body('HTTP_-_Generate_Login_Token')", + "schema": { + "type": "object", + "properties": { + "token_type": { + "type": "string" + }, + "access_token": { + "type": "string" + }, + "expires_in": { + "type": "integer" + } + } + } + } + }, + "HTTP_-_Retrieve_all_destination_lists": { + "runAfter": { + "Parse_JSON_-_Parse_Login_Response": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "uri": "https://@{parameters('Host End Point')}/policies/v2/destinationlists", + "method": "GET", + "headers": { + "Content-Type": "application-json", + "Authorization": "Bearer @{body('Parse_JSON_-_Parse_Login_Response')?['access_token']}" + } + }, + "runtimeConfiguration": { + "contentTransfer": { + "transferMode": "Chunked" + } + } + }, + "Parse_JSON_-_Parse_destination_lists": { + "runAfter": { + "HTTP_-_Retrieve_all_destination_lists": [ + "Succeeded" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@body('HTTP_-_Retrieve_all_destination_lists')", + "schema": { + "type": "object", + "properties": { + "status": { + "type": "object", + "properties": { + "code": { + "type": "integer" + }, + "text": { + "type": "string" + } + } + }, + "meta": { + "type": "object", + "properties": { + "page": { + "type": "integer" + }, + "limit": { + "type": "integer" + }, + "total": { + "type": "integer" + } + } + }, + "data": { + "type": "array", + "items": { + "type": "object", + "properties": { + "id": { + "type": "integer" + }, + "organizationId": { + "type": "integer" + }, + "access": { + "type": "string" + }, + "isGlobal": { + "type": "boolean" + }, + "name": { + "type": "string" + }, + "createdAt": { + "type": "integer" + }, + "modifiedAt": { + "type": 
"integer" + }, + "isMspDefault": { + "type": "boolean" + }, + "markedForDeletion": { + "type": "boolean" + }, + "bundleTypeId": { + "type": "integer" + }, + "meta": { + "type": "object", + "properties": { + "domainCount": { + "type": "integer" + }, + "urlCount": { + "type": "integer" + }, + "ipv4Count": { + "type": "integer" + }, + "applicationCount": { + "type": "integer" + }, + "destinationCount": { + "type": "integer" + } + } + } + }, + "required": [ + "id", + "organizationId", + "access", + "isGlobal", + "name", + "thirdpartyCategoryId", + "createdAt", + "modifiedAt", + "isMspDefault", + "markedForDeletion", + "bundleTypeId", + "meta" + ] + } + } + } + } + } + }, + "Entities_-_Get_IPs": { + "runAfter": { + "Append_to_array_variable": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { "host": { "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" } }, - "path": "/incident-creation" + "method": "post", + "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", + "path": "/entities/ip" + } + } + } + }, + "parameters": { + "$connections": { + "value": { + "microsoftsentinel": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "connectionName": "[[variables('MicrosoftSentinelConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } }, - "type": "ApiConnectionWebhook" + "teams": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('TeamsConnectionName'))]", + "connectionName": "[[variables('TeamsConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/teams')]" + }, + "keyvault": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('KeyvaultConnectionName'))]", + "connectionName": "[[variables('KeyvaultConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/keyvault')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + } } } + } + }, + "name": "[[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[[variables('workspace-location-inline')]", + "identity": { + "type": "SystemAssigned" + }, + "tags": { + "hidden-SentinelTemplateName": "CiscoUmbrella-AddIpToDestinationList", + "hidden-SentinelTemplateVersion": "1.0", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "apiVersion": "2017-07-01", + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('TeamsConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('KeyvaultConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('MicrosoftSentinelConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('MicrosoftSentinelConnectionName')]", + "parameterValueType": "Alternative", + "api": { + "id": "[[variables('_connection-2')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('TeamsConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('TeamsConnectionName')]", + "api": { + "id": "[[variables('_connection-3')]" 
+ } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('KeyvaultConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('KeyvaultConnectionName')]", + "parameterValueType": "Alternative", + "alternativeParameterValues": { + "vaultName": "[[parameters('keyvault name')]" }, - "parameters": { - "$connections": { - "value": { - "azuresentinel": { - "connectionName": "[[variables('AzureSentinelConnectionName')]", - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", - "id": "[[concat('/subscriptions/',subscription().subscriptionId, '/providers/Microsoft.Web/locations/',variables('workspace-location-inline'),'/managedApis/azuresentinel')]" - }, - "teams": { - "connectionName": "[[variables('TeamsConnectionName')]", - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('TeamsConnectionName'))]", - "id": "[[concat('/subscriptions/',subscription().subscriptionId, '/providers/Microsoft.Web/locations/',variables('workspace-location-inline'),'/managedApis/teams')]" - }, - "ciscoumbrellamanagement": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('CiscoUmbrellaManagementAPIConnectionName'))]", - "connectionName": "[[variables('CiscoUmbrellaManagementAPIConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('customApis_ciscoumbrellamanagement_name'))]" - } - } - } + "nonSecretParameterValues": { + "vaultName": "[[parameters('keyvault name')]" + }, + "api": { + "id": "[[variables('_connection-4')]" } - }, - "tags": { - "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId5'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId3'),'/'))))]", "properties": { - "parentId": "[variables('playbookId5')]", - "contentId": "[variables('_playbookContentId5')]", + "parentId": "[variables('playbookId3')]", + "contentId": "[variables('_playbookContentId3')]", "kind": "Playbook", - "version": "[variables('playbookVersion5')]", + "version": "[variables('playbookVersion3')]", "source": { "kind": "Solution", "name": "CiscoUmbrella", 
@@ -6088,35 +5083,26 @@ "name": "Microsoft Corporation", "email": "support@microsoft.com", "link": "https://support.microsoft.com/" - }, - "dependencies": { - "criteria": [ - { - "kind": "LogicAppsCustomConnector", - "contentId": "[variables('_CiscoUmbrellaManagementAPIConnector')]", - "version": "[variables('playbookVersion3')]" - } - ] } } } ], "metadata": { "title": "CiscoUmbrella-AddIpToDestinationList", - "description": "This playbook showcases an example of triggering an incident within a targeted Teams channel and opening up a ticket within Service Now. Additionally The playbook will also list playbooks that can be initiated from teams using an adaptive card and callbacks that will take action upon certain entities identified in the incident.", + "description": "This playbook creates a team notification and once acted on team notification it adds the IP to Cisco Umbrella's destination list and also add's comment to incident. For more details, click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaPlaybooks/CiscoUmbrella-AddIpToDestinationList/readme.md#summary).", "prerequisites": [ - "1. ServiceNow Instance URL, Username, and password.", - "2. Access and authorization to enable API connectors", - "3. Teams Group ID, Channel ID and Alert details where the messages are to be posted in." + "1. Login to Cisco Umbrella dashboard and navigating to Admin-->API Keys. Create New API Key if not already created and select the appropriate 'Key Scope' with Read/Write permission. Store 'Api Key' and 'Key Secret' to a safe place. This 'Api Key' is a 'Client Id' and 'Key Secret' is a 'Secret' used for this Playbook.", + "2. Store the 'Api Key' and 'Key Secret' from previous step to Key vault Secrets.", + "3. To send notification to Microsoft Teams, Teams group id and channel id is needed at the time of playbook creation." 
], - "lastUpdateTime": "2021-06-29T10:00:00Z", + "postDeployment": [ + "For more details on Post Deployment Instructions, click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaPlaybooks/CiscoUmbrella-AddIpToDestinationList/readme.md#post-deployment-instructions)." + ], + "lastUpdateTime": "2024-12-16T10:00:00Z", "entities": [ - "Account", - "Url", - "Host" + "IP" ], "tags": [ - "Sync", "Notification", "Teams Response" ], 
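Review bot: Prerequisite 1 tells the reader to pick "the appropriate 'Key Scope' with Read/Write permission" without naming it, which invites over-scoped Umbrella API keys; since this playbook only needs to add an IP to a destination list, name that single scope and ask for Write only where the playbook actually writes, e.g. `"1. … select only the 'Key Scope' that covers destination lists (Read/Write) rather than a broader scope. …"`. The wording also needs cleanup: `Login to Cisco Umbrella dashboard and navigating to` should read `Log in to the Cisco Umbrella dashboard and navigate to`, and in the description `add's comment to incident` should read `adds a comment to the incident`. Prerequisite 2 could add that the Logic App's managed identity must be granted secret read on that vault, since the `keyvault` connection elsewhere in this template authenticates with `ManagedServiceIdentity`.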
@@ -6134,142 +5120,166 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_playbookContentId5')]", + "contentId": "[variables('_playbookContentId3')]", "contentKind": "Playbook", "displayName": "CiscoUmbrella-AddIpToDestinationList", - "contentProductId": "[variables('_playbookcontentProductId5')]", - "id": "[variables('_playbookcontentProductId5')]", - "version": "[variables('playbookVersion5')]" + "contentProductId": "[variables('_playbookcontentProductId3')]", + "id": "[variables('_playbookcontentProductId3')]", + "version": "[variables('playbookVersion3')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('playbookTemplateSpecName6')]", + "name": "[variables('playbookTemplateSpecName4')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CiscoUmbrella-AssignPolicyToIdentity Playbook with template version 3.0.2", + "description": "CiscoUmbrella-AssignPolicyToIdentity Playbook with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion6')]", + "contentVersion": "[variables('playbookVersion4')]", "parameters": { "PlaybookName": { "defaultValue": "CiscoUmbrella-AssignPolicyToIdentity", - "type": "String" + "type": "string" }, - "PolicyId": { + "CiscoUmbrellaOrganizationId": { + "type": "string", "defaultValue": "", - "type": "String" + "metadata": { + "description": "Organization Id from Cisco Umbrella." 
+ } }, - "customApis_ciscoumbrellanetworkdevicemanagement_name": { - "defaultValue": "CiscoUmbrellaNetworkDeviceManagementAPI", - "type": "String" + "CiscoUmbrellaPolicyId": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Policy Id from Cisco Umbrella." + } + }, + "Keyvault name": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Enter the Key vault name where CiscoUmbrella Secrets are stored" + } + }, + "Umbrella API ClientId Key Name": { + "type": "string", + "metadata": { + "description": "Enter CiscoUmbrella ClientId Key Name from Key vault" + } + }, + "Umbrella API Secret Key Name": { + "type": "securestring", + "metadata": { + "description": "Enter CiscoUmbrella Secret Key Name from Key vault" + } + }, + "Host End Point": { + "type": "string", + "defaultValue": "api.umbrella.com", + "metadata": { + "description": "Enter Host End Point(hostname) without http:// or https://" + } } }, "variables": { - "AzureSentinelConnectionName": "[[concat('azuresentinel-', parameters('PlaybookName'))]", - "CiscoUmbrellaNetworkDeviceManagementAPIConnectionName": "[[concat('ciscoumbrellanetworkdevice-connection-', parameters('PlaybookName'))]", - "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", - "_connection-1": "[[variables('connection-1')]", - "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('customApis_ciscoumbrellanetworkdevicemanagement_name'))]", + "MicrosoftSentinelConnectionName": "[[concat('azuresentinel-', parameters('PlaybookName'))]", + "KeyvaultConnectionName": "[[concat('Keyvault-', parameters('PlaybookName'))]", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', 
variables('workspace-location-inline'), '/managedApis/azuresentinel')]", "_connection-2": "[[variables('connection-2')]", + "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/keyvault')]", + "_connection-3": "[[variables('connection-3')]", "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", "workspace-name": "[parameters('workspace')]", "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" }, "resources": [ { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('AzureSentinelConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "properties": { - "displayName": "[[variables('AzureSentinelConnectionName')]", - "api": { - "id": "[[variables('_connection-1')]" - } - } - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('CiscoUmbrellaNetworkDeviceManagementAPIConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[variables('CiscoUmbrellaNetworkDeviceManagementAPIConnectionName')]", - "api": { - "id": "[[variables('_connection-2')]" - } - } - }, - { - "type": "Microsoft.Logic/workflows", - "apiVersion": "2017-07-01", - "name": "[[parameters('PlaybookName')]", - "location": "[[variables('workspace-location-inline')]", - "dependsOn": [ - "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", - "[[resourceId('Microsoft.Web/connections', variables('CiscoUmbrellaNetworkDeviceManagementAPIConnectionName'))]" - ], "properties": { + "provisioningState": "Succeeded", "state": "Enabled", "definition": { "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "actions": { - 
"Add_comment_to_incident_(V3)": { + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + }, + "Umbrella API ClientId Key Name": { + "type": "string", + "defaultValue": "[[parameters('Umbrella API ClientId Key Name')]" + }, + "Umbrella API Secret Key Name": { + "type": "securestring", + "defaultValue": "[[parameters('Umbrella API Secret Key Name')]" + }, + "Host End Point": { + "type": "string", + "defaultValue": "[[parameters('Host End Point')]" + } + }, + "triggers": { + "When_Azure_Sentinel_incident_creation_rule_was_triggered": { + "type": "ApiConnectionWebhook", "inputs": { - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "

@{outputs('Create_logo')} CiscoUmbrella-AssignPolicyToIdentity
\nThe following origin ids were assigned to policy @{variables('policyId')} for organization @{variables('organizationId')}:
\n@{body('Create_HTML_table_with_updated_origin_IDs')}
\nThe following origin ids were not assigned because of errors:
\n@{body('Create_HTML_table_with_not_updated_origin_IDs')}

" - }, "host": { "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" } }, - "method": "post", - "path": "/Incidents/Comment" - }, + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "path": "/incident-creation" + } + } + }, + "actions": { + "Add_comment_to_incident_(V3)": { "runAfter": { "Create_logo": [ "Succeeded" ] }, - "type": "ApiConnection" - }, - "Create_HTML_table_with_not_updated_origin_IDs": { + "type": "ApiConnection", "inputs": { - "columns": [ - { - "header": "originId", - "value": "@item()" + "host": { + "connection": { + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" } - ], - "format": "HTML", - "from": "@variables('not_updated_oridinIds_array')" - }, + }, + "method": "post", + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

@{outputs('Create_logo')} CiscoUmbrella-AssignPolicyToIdentity
\nThe following origin ids were assigned to policy @{variables('policyId')} for organization @{variables('organizationId')}:
\n@{body('Create_HTML_table_with_updated_origin_IDs')}
\nThe following origin ids were not assigned because of errors:
\n@{body('Create_HTML_table_with_not_updated_origin_IDs')}

" + }, + "path": "/Incidents/Comment" + } + }, + "Create_HTML_table_with_not_updated_origin_IDs": { "runAfter": { "Create_HTML_table_with_updated_origin_IDs": [ "Succeeded" ] }, - "type": "Table" - }, - "Create_HTML_table_with_updated_origin_IDs": { + "type": "Table", "inputs": { + "from": "@variables('not_updated_oridinIds_array')", + "format": "HTML", "columns": [ { "header": "originId", "value": "@item()" } - ], - "format": "HTML", - "from": "@variables('updated_oridinIds_array')" - }, + ] + } + }, + "Create_HTML_table_with_updated_origin_IDs": { "runAfter": { "For_each_originId_assign_policy_to_originId": [ "Succeeded", @@ -6278,29 +5288,41 @@ "TimedOut" ] }, - "type": "Table" + "type": "Table", + "inputs": { + "from": "@variables('updated_oridinIds_array')", + "format": "HTML", + "columns": [ + { + "header": "originId", + "value": "@item()" + } + ] + } }, "Create_logo": { - "inputs": "", "runAfter": { "Create_HTML_table_with_not_updated_origin_IDs": [ "Succeeded" ] }, - "type": "Compose" + "type": "Compose", + "inputs": "" }, "For_each_alert_in_incident": { + "foreach": "@triggerBody()?['object']?['properties']?['Alerts']", "actions": { "For_each_originId": { + "foreach": "@body('Parse_alert_custom_details')?['originId']", "actions": { "Add_unique_originId_to_OriginId_array": { "actions": { "Append_to_array_variable": { + "type": "AppendToArrayVariable", "inputs": { "name": "originId_array", "value": "@items('For_each_originId')" - }, - "type": "AppendToArrayVariable" + } } }, "expression": { @@ -6318,7 +5340,6 @@ "type": "If" } }, - "foreach": "@body('Parse_alert_custom_details')?['originId']", "runAfter": { "Parse_alert_custom_details": [ "Succeeded" @@ -6327,6 +5348,7 @@ "type": "Foreach" }, "Parse_alert_custom_details": { + "type": "ParseJson", "inputs": { "content": "@items('For_each_alert_in_incident')?['properties']?['additionalData']?['Custom Details']", "schema": { 
@@ -6340,59 +5362,61 @@ }, "type": "object" } - }, - "type": "ParseJson" + } } }, - "foreach": "@triggerBody()?['object']?['properties']?['Alerts']", "runAfter": { - "Set_value_for_organizationId_variable": [ + "Parse_JSON_-_Parse_Login_Response": [ "Succeeded" ] }, "type": "Foreach" }, "For_each_originId_assign_policy_to_originId": { + "foreach": "@variables('originId_array')", "actions": { "Append_originId_to_not_updated_originIds_array_variable_in_case_of_error": { - "inputs": { - "name": "not_updated_oridinIds_array", - "value": "@items('For_each_originId_assign_policy_to_originId')" - }, "runAfter": { - "Assign_a_policy_to_an_identity": [ + "HTTP_-_Assign_a_policy_to_an_identity": [ "Failed", "TimedOut" ] }, - "type": "AppendToArrayVariable" - }, - "Append_originId_to_updated_originIds_array_variable": { + "type": "AppendToArrayVariable", "inputs": { - "name": "updated_oridinIds_array", + "name": "not_updated_oridinIds_array", "value": "@items('For_each_originId_assign_policy_to_originId')" - }, + } + }, + "Append_originId_to_updated_originIds_array_variable": { "runAfter": { "Append_originId_to_not_updated_originIds_array_variable_in_case_of_error": [ "Skipped" ] }, - "type": "AppendToArrayVariable" + "type": "AppendToArrayVariable", + "inputs": { + "name": "updated_oridinIds_array", + "value": "@items('For_each_originId_assign_policy_to_originId')" + } }, - "Assign_a_policy_to_an_identity": { + "HTTP_-_Assign_a_policy_to_an_identity": { + "type": "Http", "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['ciscoumbrellanetworkdevicemanagement']['connectionId']" - } - }, - "method": "put", - "path": "/v1/organizations/@{encodeURIComponent(variables('organizationId'))}/policies/@{encodeURIComponent(variables('policyId'))}/identities/@{encodeURIComponent(items('For_each_originId_assign_policy_to_originId'))}" + "uri": "https://@{parameters('Host End 
Point')}/deployments/v2/policies/@{encodeURIComponent(variables('policyId'))}/identities/@{encodeURIComponent(items('For_each_originId_assign_policy_to_originId'))}", + "method": "PUT", + "headers": { + "Content-Type": "application-json", + "Authorization": "Bearer @{body('Parse_JSON_-_Parse_Login_Response')?['access_token']}" + } }, - "type": "ApiConnection" + "runtimeConfiguration": { + "contentTransfer": { + "transferMode": "Chunked" + } + } } }, - "foreach": "@variables('originId_array')", "runAfter": { "For_each_alert_in_incident": [ "Succeeded" 
@@ -6400,497 +5424,278 @@ }, "type": "Foreach" }, - "Get_organization_id": { - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['ciscoumbrellanetworkdevicemanagement']['connectionId']" - } - }, - "method": "get", - "path": "/v1/organizations" - }, - "runAfter": { - "Initialize_variable_not_updated_oridinIds_array": [ - "Succeeded" - ] - }, - "type": "ApiConnection" - }, "Initialize_variable_not_updated_oridinIds_array": { - "inputs": { - "variables": [ - { - "name": "not_updated_oridinIds_array", - "type": "array" - } - ] - }, "runAfter": { - "Initialize_variable_updated_oridinIds_array": [ - "Succeeded" - ] - }, - "type": "InitializeVariable" - }, - "Initialize_variable_organizationId": { - "inputs": { - "variables": [ - { - "name": "organizationId", - "type": "string" - } + "Initialize_variable_updated_oridinIds_array": [ + "Succeeded" ] }, - "type": "InitializeVariable" - }, - "Initialize_variable_originId_array": { + "type": "InitializeVariable", "inputs": { "variables": [ { - "name": "originId_array", + "name": "not_updated_oridinIds_array", "type": "array" } ] - }, - "runAfter": { - "Initialize_variable_policyId": [ - "Succeeded" - ] - }, - "type": "InitializeVariable" + } }, - "Initialize_variable_policyId": { + "Initialize_variable_organizationId": { + "type": "InitializeVariable", "inputs": { "variables": [ { - "name": "policyId", + "name": "organizationId", "type": "string", - "value": "[[parameters('PolicyId')]" + "value": "[[parameters('CiscoUmbrellaOrganizationId')]" } ] - }, + } + }, + "Initialize_variable_originId_array": { "runAfter": { - "Initialize_variable_organizationId": [ + "Initialize_variable_policyId": [ "Succeeded" ] }, - "type": "InitializeVariable" - }, - "Initialize_variable_updated_oridinIds_array": { + "type": "InitializeVariable", "inputs": { "variables": [ { - "name": "updated_oridinIds_array", + "name": "originId_array", "type": "array" } ] - }, - "runAfter": { - "Initialize_variable_originId_array": 
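Review bot: `HTTP_-_Assign_a_policy_to_an_identity` sends `"Authorization": "Bearer @{body('Parse_JSON_-_Parse_Login_Response')?['access_token']}"` but, unlike the token request, its `runtimeConfiguration` has no `secureData`, so the Umbrella bearer token is written in clear to the run history of every loop iteration for anyone with read access to the Logic App. Add `"secureData": { "properties": [ "inputs" ] }` next to `contentTransfer` on this action; the `Parse_JSON_-_Parse_Login_Response` action defined later in the template appears to expose the same token through its outputs and wants the equivalent `"outputs"` entry. Also, `"Content-Type": "application-json"` is not a valid media type and should read `"Content-Type": "application/json"`; it is harmless for this body-less PUT today but wrong the moment a body is added. The enclosing `For_each_originId_assign_policy_to_originId` loop starts before this hunk.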
[ - "Succeeded" - ] - }, - "type": "InitializeVariable" + } }, - "Set_value_for_organizationId_variable": { - "inputs": { - "name": "organizationId", - "value": "@{body('Get_organization_id')[0]['organizationId']}" - }, + "Initialize_variable_policyId": { "runAfter": { - "Get_organization_id": [ + "Initialize_variable_organizationId": [ "Succeeded" ] }, - "type": "SetVariable" - } - }, - "contentVersion": "1.0.0.0", - "parameters": { - "$connections": { - "type": "Object" - } - }, - "triggers": { - "When_Azure_Sentinel_incident_creation_rule_was_triggered": { + "type": "InitializeVariable", "inputs": { - "body": { - "callback_url": "@{listCallbackUrl()}" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" + "variables": [ + { + "name": "policyId", + "type": "string", + "value": "[[parameters('CiscoUmbrellaPolicyId')]" } - }, - "path": "/incident-creation" - }, - "type": "ApiConnectionWebhook" - } - } - }, - "parameters": { - "$connections": { - "value": { - "azuresentinel": { - "connectionName": "[[variables('AzureSentinelConnectionName')]", - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", - "id": "[[concat('/subscriptions/',subscription().subscriptionId, '/providers/Microsoft.Web/locations/',variables('workspace-location-inline'),'/managedApis/azuresentinel')]" - }, - "ciscoumbrellanetworkdevicemanagement": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('CiscoUmbrellaNetworkDeviceManagementAPIConnectionName'))]", - "connectionName": "[[variables('CiscoUmbrellaNetworkDeviceManagementAPIConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('customApis_ciscoumbrellanetworkdevicemanagement_name'))]" + ] } - } - } - } - }, - "tags": { - "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" - } 
- }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId6'),'/'))))]", - "properties": { - "parentId": "[variables('playbookId6')]", - "contentId": "[variables('_playbookContentId6')]", - "kind": "Playbook", - "version": "[variables('playbookVersion6')]", - "source": { - "kind": "Solution", - "name": "CiscoUmbrella", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com/" - }, - "dependencies": { - "criteria": [ - { - "kind": "LogicAppsCustomConnector", - "contentId": "[variables('_CiscoUmbrellaNetworkDeviceManagementAPIConnector')]", - "version": "[variables('playbookVersion4')]" - } - ] - } - } - } - ], - "metadata": { - "title": "CiscoUmbrella-AssignPolicyToIdentity", - "description": "This playbook showcases an example of triggering an incident within a targeted Teams channel and opening up a ticket within Service Now. Additionally The playbook will also list playbooks that can be initiated from teams using an adaptive card and callbacks that will take action upon certain entities identified in the incident.", - "prerequisites": [ - "1. ServiceNow Instance URL, Username, and password.", - "2. Access and authorization to enable API connectors", - "3. Teams Group ID, Channel ID and Alert details where the messages are to be posted in." 
- ], - "lastUpdateTime": "2021-06-29T10:00:00Z", - "entities": [ - "Account", - "Url", - "Host" - ], - "tags": [ - "Sync", - "Notification", - "Teams Response" - ], - "releaseNotes": { - "version": "1.0", - "title": "[variables('blanks')]", - "notes": [ - "Initial version" - ] - } - } - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_playbookContentId6')]", - "contentKind": "Playbook", - "displayName": "CiscoUmbrella-AssignPolicyToIdentity", - "contentProductId": "[variables('_playbookcontentProductId6')]", - "id": "[variables('_playbookcontentProductId6')]", - "version": "[variables('playbookVersion6')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('playbookTemplateSpecName7')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "CiscoUmbrella-BlockDomain Playbook with template version 3.0.2", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion7')]", - "parameters": { - "PlaybookName": { - "defaultValue": "CiscoUmbrella-BlockDomain", - "type": "String" - }, - "customApis_ciscoumbrellaenforcement_name": { - "defaultValue": "CiscoUmbrellaEnforcementAPI", - "type": "String" - } - }, - "variables": { - "AzureSentinelConnectionName": "[[concat('azuresentinel-', parameters('PlaybookName'))]", - "CiscoUmbrellaEnforcementAPIConnectionName": "[[concat('ciscoumbrellaenforcement-connection-', parameters('PlaybookName'))]", - 
"connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", - "_connection-1": "[[variables('connection-1')]", - "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('customApis_ciscoumbrellaenforcement_name'))]", - "_connection-2": "[[variables('connection-2')]", - "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", - "workspace-name": "[parameters('workspace')]", - "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" - }, - "resources": [ - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('AzureSentinelConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "properties": { - "displayName": "[[variables('AzureSentinelConnectionName')]", - "api": { - "id": "[[variables('_connection-1')]" - } - } - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('CiscoUmbrellaEnforcementAPIConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[variables('CiscoUmbrellaEnforcementAPIConnectionName')]", - "api": { - "id": "[[variables('_connection-2')]" - } - } - }, - { - "type": "Microsoft.Logic/workflows", - "apiVersion": "2017-07-01", - "name": "[[parameters('PlaybookName')]", - "location": "[[variables('workspace-location-inline')]", - "dependsOn": [ - "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", - "[[resourceId('Microsoft.Web/connections', variables('CiscoUmbrellaEnforcementAPIConnectionName'))]" - ], - "properties": { - "state": "Enabled", - "definition": { - "$schema": 
"https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "actions": { - "Add_comment_to_incident_(V3)": { - "inputs": { - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "

@{outputs('Create_logo')}CiscoUmbrella-BlockDomain
\nThe following domains have been added to Cisco Umbrella block destination list:
\n@{body('Create_HTML_table')}

" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "post", - "path": "/Incidents/Comment" - }, + }, + "Initialize_variable_updated_oridinIds_array": { "runAfter": { - "Create_logo": [ + "Initialize_variable_originId_array": [ "Succeeded" ] }, - "type": "ApiConnection" - }, - "Create_HTML_table": { + "type": "InitializeVariable", "inputs": { - "columns": [ + "variables": [ { - "header": "Domain", - "value": "@item()" + "name": "updated_oridinIds_array", + "type": "array" } - ], - "format": "HTML", - "from": "@variables('blocked_domains')" - }, + ] + } + }, + "Get_Client_Id": { "runAfter": { - "For_each_URL": [ + "Initialize_variable_not_updated_oridinIds_array": [ "Succeeded" ] }, - "type": "Table" + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['keyvault']['connectionId']" + } + }, + "method": "get", + "path": "/secrets/@{encodeURIComponent(parameters('Umbrella API ClientId Key Name'))}/value" + }, + "runtimeConfiguration": { + "secureData": { + "properties": [ + "inputs", + "outputs" + ] + } + } }, - "Create_logo": { - "inputs": "", + "Get_Secret": { "runAfter": { - "Create_HTML_table": [ + "Get_Client_Id": [ "Succeeded" ] }, - "type": "Compose" - }, - "Entities_-_Get_URLs": { + "type": "ApiConnection", "inputs": { - "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", "host": { "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" + "name": "@parameters('$connections')['keyvault']['connectionId']" } }, - "method": "post", - "path": "/entities/url" + "method": "get", + "path": "/secrets/@{encodeURIComponent(parameters('Umbrella API Secret Key Name'))}/value" }, + "runtimeConfiguration": { + "secureData": { + "properties": [ + "inputs", + "outputs" + ] + } + } + }, + "HTTP_-_Generate_Login_Token": { "runAfter": { - "Initialize_variable_blocked_domains": [ + "Get_Secret": [ 
"Succeeded" ] }, - "type": "ApiConnection" - }, - "For_each_URL": { - "actions": { - "Append_domain_to_blocked_domains_variable": { - "inputs": { - "name": "blocked_domains", - "value": "@outputs('Get_Domain_from_URL')" - }, - "runAfter": { - "Block_domain": [ - "Succeeded" - ] - }, - "type": "AppendToArrayVariable" - }, - "Block_domain": { - "inputs": { - "body": [ - { - "alertTime": "@{utcNow()}", - "deviceId": "azuresentinel", - "deviceVersion": "13.7a", - "dstDomain": "@{outputs('Get_Domain_from_URL')}", - "dstUrl": "@{outputs('Get_Domain_from_URL')}", - "eventTime": "@{utcNow()}", - "protocolVersion": "1.0a", - "providerName": "Security Platform" - } - ], - "headers": { - "Accept": "application/json" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['ciscoumbrellaenforcement']['connectionId']" - } - }, - "method": "post", - "path": "/1.0/events" - }, - "runAfter": { - "Get_Domain_from_URL": [ - "Succeeded" - ] - }, - "type": "ApiConnection" + "type": "Http", + "inputs": { + "uri": "https://@{parameters('Host End Point')}/auth/v2/token", + "method": "POST", + "headers": { + "Content-Type": "application/x-www-form-urlencoded" }, - "Get_Domain_from_URL": { - "inputs": "@split(replace(replace(items('For_each_URL')?['Url'],'http://',''), 'https://', ''), '/')[0]", - "type": "Compose" + "authentication": { + "type": "Basic", + "username": "@{body('Get_Client_Id')?['value']}", + "password": "@{body('Get_Secret')?['value']}" } }, - "foreach": "@body('Entities_-_Get_URLs')?['URLs']", + "runtimeConfiguration": { + "contentTransfer": { + "transferMode": "Chunked" + }, + "secureData": { + "properties": [ + "inputs", + "outputs" + ] + } + } + }, + "Parse_JSON_-_Parse_Login_Response": { "runAfter": { - "Entities_-_Get_URLs": [ + "HTTP_-_Generate_Login_Token": [ "Succeeded" ] }, - "type": "Foreach" - }, - "Initialize_variable_blocked_domains": { - "inputs": { - "variables": [ - { - "name": "blocked_domains", - "type": "array" - } - ] - }, - "type": 
"InitializeVariable" - } - }, - "contentVersion": "1.0.0.0", - "parameters": { - "$connections": { - "type": "Object" - } - }, - "triggers": { - "When_Azure_Sentinel_incident_creation_rule_was_triggered": { + "type": "ParseJson", "inputs": { - "body": { - "callback_url": "@{listCallbackUrl()}" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" + "content": "@body('HTTP_-_Generate_Login_Token')", + "schema": { + "type": "object", + "properties": { + "token_type": { + "type": "string" + }, + "access_token": { + "type": "string" + }, + "expires_in": { + "type": "integer" + } } - }, - "path": "/incident-creation" - }, - "type": "ApiConnectionWebhook" + } + } } } }, "parameters": { "$connections": { "value": { - "azuresentinel": { - "connectionName": "[[variables('AzureSentinelConnectionName')]", - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", - "id": "[[concat('/subscriptions/',subscription().subscriptionId, '/providers/Microsoft.Web/locations/',variables('workspace-location-inline'),'/managedApis/azuresentinel')]" + "microsoftsentinel": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "connectionName": "[[variables('MicrosoftSentinelConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } }, - "ciscoumbrellaenforcement": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('CiscoUmbrellaEnforcementAPIConnectionName'))]", - "connectionName": "[[variables('CiscoUmbrellaEnforcementAPIConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, 
'/providers/Microsoft.Web/customApis/', parameters('customApis_ciscoumbrellaenforcement_name'))]" + "keyvault": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('KeyvaultConnectionName'))]", + "connectionName": "[[variables('KeyvaultConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/keyvault')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } } } } } }, + "name": "[[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[[variables('workspace-location-inline')]", + "identity": { + "type": "SystemAssigned" + }, "tags": { + "hidden-SentinelTemplateName": "CiscoUmbrella-AssignPolicyToIdentity", + "hidden-SentinelTemplateVersion": "1.0", "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "apiVersion": "2017-07-01", + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('KeyvaultConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('MicrosoftSentinelConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('MicrosoftSentinelConnectionName')]", + "parameterValueType": "Alternative", + "api": { + "id": "[[variables('_connection-2')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('KeyvaultConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('KeyvaultConnectionName')]", + "parameterValueType": "Alternative", + "alternativeParameterValues": { + "vaultName": "[[parameters('keyvault name')]" + }, + 
"nonSecretParameterValues": { + "vaultName": "[[parameters('keyvault name')]" + }, + "api": { + "id": "[[variables('_connection-3')]" + } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId7'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId4'),'/'))))]", "properties": { - "parentId": "[variables('playbookId7')]", - "contentId": "[variables('_playbookContentId7')]", + "parentId": "[variables('playbookId4')]", + "contentId": "[variables('_playbookContentId4')]", "kind": "Playbook", - "version": "[variables('playbookVersion7')]", + "version": "[variables('playbookVersion4')]", "source": { "kind": "Solution", "name": "CiscoUmbrella", 
@@ -6905,37 +5710,24 @@ "name": "Microsoft Corporation", "email": "support@microsoft.com", "link": "https://support.microsoft.com/" - }, - "dependencies": { - "criteria": [ - { - "kind": "LogicAppsCustomConnector", - "contentId": "[variables('_CiscoUmbrellaEnforcementAPIConnector')]", - "version": "[variables('playbookVersion1')]" - } - ] } } } ], "metadata": { - "title": "CiscoUmbrella-BlockDomain", - "description": "This playbook showcases an example of triggering an incident within a targeted Teams channel and opening up a ticket within Service Now. Additionally The playbook will also list playbooks that can be initiated from teams using an adaptive card and callbacks that will take action upon certain entities identified in the incident.", + "title": "CiscoUmbrella-AssignPolicyToIdentity", + "description": "This playbook provides an automated way to associate an identity to an existing policy in Cisco Umbrella. For more details, click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaPlaybooks/CiscoUmbrella-AssignPolicyToIdentity/readme.md#summary).", "prerequisites": [ - "1. ServiceNow Instance URL, Username, and password.", - "2. Access and authorization to enable API connectors", - "3. Teams Group ID, Channel ID and Alert details where the messages are to be posted in." + "1. Login to Cisco Umbrella dashboard and navigating to Admin-->API Keys. Create New API Key if not already created and select the appropriate 'Key Scope' with Read/Write permission. Store 'Api Key' and 'Key Secret' to a safe place. This 'Api Key' is a 'Client Id' and 'Key Secret' is a 'Secret' used for this Playbook.", + "2. Store the 'Api Key' and 'Key Secret' from previous step to Key vault Secrets.", + "3. To obtain the Organization ID and Policy ID, press F12 or right-click on the page and select 'Inspect' in your browser on the Cisco Umbrella dashboard page. 
Then, navigate to the 'Policies' section and click on the 'All Policies' tab. Now open the 'Network' tab and search with 'policy'. Open the 'Response' tab of the request to get the Policy ID and Organization ID. For more details click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaPlaybooks/CiscoUmbrella-AssignPolicyToIdentity/readme.md#Prerequisites)" ], - "lastUpdateTime": "2021-06-29T10:00:00Z", - "entities": [ - "Account", - "Url", - "Host" + "postDeployment": [ + "For more details on Post Deployment Instructions, click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaPlaybooks/CiscoUmbrella-AssignPolicyToIdentity/readme.md#post-deployment-instructions)." ], + "lastUpdateTime": "2024-12-18T10:00:00Z", "tags": [ - "Sync", - "Notification", - "Teams Response" + "Notification" ], "releaseNotes": { "version": "1.0", 
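Review bot: Prerequisite 1 in the new `metadata.prerequisites` mixes verb forms (`Login to Cisco Umbrella dashboard and navigating to Admin-->API Keys`); this text is shown to users in the content hub, so it should read `1. Log in to the Cisco Umbrella dashboard and navigate to Admin --> API Keys.` The same sentence is reused in the `CiscoUmbrella-GetDomainInfo` metadata hunk (`@@ -7247,37 +6210,26 @@`). Step 3 instructs the user to read the Organization ID and Policy ID out of the browser's developer tools on the dashboard page; if the Umbrella API exposes a policy listing, pointing at that would be a more stable instruction than inspecting dashboard network traffic, which can change without notice.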
@@ -6951,288 +5743,459 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_playbookContentId7')]", + "contentId": "[variables('_playbookContentId4')]", "contentKind": "Playbook", - "displayName": "CiscoUmbrella-BlockDomain", - "contentProductId": "[variables('_playbookcontentProductId7')]", - "id": "[variables('_playbookcontentProductId7')]", - "version": "[variables('playbookVersion7')]" + "displayName": "CiscoUmbrella-AssignPolicyToIdentity", + "contentProductId": "[variables('_playbookcontentProductId4')]", + "id": "[variables('_playbookcontentProductId4')]", + "version": "[variables('playbookVersion4')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('playbookTemplateSpecName8')]", + "name": "[variables('playbookTemplateSpecName5')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CiscoUmbrella-GetDomainInfo Playbook with template version 3.0.2", + "description": "CiscoUmbrella-GetDomainInfo Playbook with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion8')]", + "contentVersion": "[variables('playbookVersion5')]", "parameters": { "PlaybookName": { "defaultValue": "CiscoUmbrella-GetDomainInfo", - "type": "String" + "type": "string" }, - "customApis_ciscoumbrellainvestigate_name": { - "defaultValue": "CiscoUmbrellaInvestigateAPI", - "type": "String" + "Keyvault name": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Enter the Key vault name where CiscoUmbrella Secrets are 
stored" + } + }, + "Umbrella API ClientId Key Name": { + "type": "string", + "metadata": { + "description": "Enter CiscoUmbrella ClientId Key Name from Key vault" + } + }, + "Umbrella API Secret Key Name": { + "type": "securestring", + "metadata": { + "description": "Enter CiscoUmbrella Secret Key Name from Key vault" + } + }, + "Host End Point": { + "type": "string", + "defaultValue": "api.umbrella.com", + "metadata": { + "description": "Enter Host End Point(hostname) without http:// or https://" + } } }, "variables": { - "AzureSentinelConnectionName": "[[concat('azuresentinel-', parameters('PlaybookName'))]", - "CiscoUmbrellaInvestigateAPIConnectionName": "[[concat('ciscoumbrellainvestigate-connection-', parameters('PlaybookName'))]", - "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", - "_connection-1": "[[variables('connection-1')]", - "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('customApis_ciscoumbrellainvestigate_name'))]", + "MicrosoftSentinelConnectionName": "[[concat('azuresentinel-', parameters('PlaybookName'))]", + "KeyvaultConnectionName": "[[concat('Keyvault-', parameters('PlaybookName'))]", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", "_connection-2": "[[variables('connection-2')]", + "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/keyvault')]", + "_connection-3": "[[variables('connection-3')]", "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", "workspace-name": "[parameters('workspace')]", 
"workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" }, "resources": [ { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('AzureSentinelConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "properties": { - "displayName": "[[variables('AzureSentinelConnectionName')]", - "api": { - "id": "[[variables('_connection-1')]" - } - } - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('CiscoUmbrellaInvestigateAPIConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[variables('CiscoUmbrellaInvestigateAPIConnectionName')]", - "api": { - "id": "[[variables('_connection-2')]" - } - } - }, - { - "type": "Microsoft.Logic/workflows", - "apiVersion": "2017-07-01", - "name": "[[parameters('PlaybookName')]", - "location": "[[variables('workspace-location-inline')]", - "dependsOn": [ - "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", - "[[resourceId('Microsoft.Web/connections', variables('CiscoUmbrellaInvestigateAPIConnectionName'))]" - ], "properties": { + "provisioningState": "Succeeded", "state": "Enabled", "definition": { "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + }, + "Umbrella API ClientId Key Name": { + "type": "string", + "defaultValue": "[[parameters('Umbrella API ClientId Key Name')]" + }, + "Umbrella API Secret Key Name": { + "type": "securestring", + "defaultValue": "[[parameters('Umbrella API Secret Key Name')]" + }, + "Host End Point": { + "type": "string", + "defaultValue": "[[parameters('Host End Point')]" + } + }, + "triggers": { + "When_Azure_Sentinel_incident_creation_rule_was_triggered": { + "type": 
"ApiConnectionWebhook", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" + } + }, + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "path": "/incident-creation" + } + } + }, "actions": { "Entities_-_Get_URLs": { + "type": "ApiConnection", "inputs": { - "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", "host": { "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" } }, "method": "post", + "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", "path": "/entities/url" - }, - "type": "ApiConnection" + } }, "For_each_URL": { + "foreach": "@body('Entities_-_Get_URLs')?['URLs']", "actions": { "Add_comment_to_incident_(V3)": { - "inputs": { - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "

@{outputs('Get_logo')} CiscoUmbrella-GetDomainInfo
\nRisk score for domain @{outputs('Get_domain_from_URL')} is  @{body('Get_Risk_score_for_a_domain')?['risk_score']}.
\nRisk score indicators:
\n@{body('Create_HTML_table_with_security_indicators')}
\n
\n

" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "post", - "path": "/Incidents/Comment" - }, "runAfter": { "Create_HTML_table_with_security_indicators": [ "Succeeded" ] }, - "type": "ApiConnection" - }, - "Add_comment_to_incident_(V3)_2": { + "type": "ApiConnection", "inputs": { - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "

@{outputs('Get_logo')} CiscoUmbrella-GetDomainInfo
\n
Security data for @{outputs('Get_domain_from_URL')} (part 1) :
\n
dga_score: @{body('Get_domain_security_data')?['dga_score']}
\nDomain Generation Algorithm. This score is generated based on the likeliness of the domain name being generated by an algorithm rather than a human. This algorithm is designed to identify domains which have been created using an automated randomization strategy, which is a common evasion technique in malware kits or botnets. This score ranges from -100 (suspicious) to 0 (benign).
\n
perplexity: @{body('Get_domain_security_data')?['perplexity']}
\nA second score on the likeliness of the name to be algorithmically generated, on a scale from 0 to 100. This score is to be used in conjunction with DGA.
\n
entropy: @{body('Get_domain_security_data')?['entropy']}
\nThe number of bits required to encode the domain name, as a score. This score is to be used in conjunction with DGA and Perplexity.
\n
securerank2: @{body('Get_domain_security_data')?['securerank2']}
\nSuspicious rank for a domain that reviews based on the lookup behavior of client IP for the domain. Securerank is designed to identify hostnames requested by known infected clients but never requested by clean clients, assuming these domains are more likely to be bad. Scores returned range from -100 (suspicious) to 100 (benign).
\n

" - }, "host": { "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" } }, "method": "post", + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

@{outputs('Get_logo')} CiscoUmbrella-GetDomainInfo
Risk score for domain @{outputs('Get_domain_from_URL')} is @{body('HTTP_-_Get_Risk_score_for_a_domain')?['risk_score']}.
Risk score indicators:
@{body('Create_HTML_table_with_security_indicators')}


" + }, "path": "/Incidents/Comment" - }, + } + }, + "Add_comment_to_incident_(V3)_2": { "runAfter": { "Add_comment_to_incident_(V3)": [ "Succeeded" ] }, - "type": "ApiConnection" - }, - "Add_comment_to_incident_(V3)_3": { + "type": "ApiConnection", "inputs": { - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "

@{outputs('Get_logo')} CiscoUmbrella-GetDomainInfo
\nSecurity data for @{outputs('Get_domain_from_URL')} (part 2):
\npagerank: @{body('Get_domain_security_data')?['pagerank']}
\nPopularity according to Google's pagerank algorithm.
\nasn_score: @{body('Get_domain_security_data')?['asn_score']}
\nASN reputation score, ranges from -100 to 0 with -100 being very suspicious.
\nprefix_score: @{body('Get_domain_security_data')?['prefix_score']}
\nPrefix ranks domains given their IP prefixes (first three octets in IP) and the reputation score of these prefixes. Ranges from -100 to 0, -100 being very suspicious.
\nrip_score: @{body('Get_domain_security_data')?['rip_score']}
\nRIP ranks domains given their IP addresses and the reputation score of these IP addresses. Ranges from -100 to 0, -100 being very suspicious.
\npopularity: @{body('Get_domain_security_data')?['popularity']}
\nThe number of unique client IPs visiting this site, relative to the all requests to all sites.
\ngeoscore: @{body('Get_domain_security_data')?['geoscore']}
\nA score that represents how far the different physical locations serving this name are from each other.
\nks_test: @{body('Get_domain_security_data')?['ks_test']}
\nKolmogorov–Smirnov test on geodiversity. 0 means that the client traffic matches what is expected for this TLD.
\nattack: @{body('Get_domain_security_data')?['attack']}
\nThe name of any known attacks associated with this domain.
\nthreat_type: @{body('Get_domain_security_data')?['threat_type']}
\nThe type of the known attack.

" - }, "host": { "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" } }, "method": "post", + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

@{outputs('Get_logo')} CiscoUmbrella-GetDomainInfo
Security data for @{outputs('Get_domain_from_URL')} (part 1) :
dga_score: @{body('HTTP_-_Get_domain_security_data')?['dga_score']}
Domain Generation Algorithm. This score is generated based on the likeliness of the domain name being generated by an algorithm rather than a human. This algorithm is designed to identify domains which have been created using an automated randomization strategy, which is a common evasion technique in malware kits or botnets. This score ranges from -100 (suspicious) to 0 (benign).
perplexity: @{body('HTTP_-_Get_domain_security_data')?['perplexity']}
A second score on the likeliness of the name to be algorithmically generated, on a scale from 0 to 100. This score is to be used in conjunction with DGA.
entropy: @{body('HTTP_-_Get_domain_security_data')?['entropy']}
The number of bits required to encode the domain name, as a score. This score is to be used in conjunction with DGA and Perplexity.
securerank2: @{body('HTTP_-_Get_domain_security_data')?['securerank2']}
Suspicious rank for a domain that reviews based on the lookup behavior of client IP for the domain. Securerank is designed to identify hostnames requested by known infected clients but never requested by clean clients, assuming these domains are more likely to be bad. Scores returned range from -100 (suspicious) to 100 (benign).

" + }, "path": "/Incidents/Comment" - }, - "runAfter": { - "Add_comment_to_incident_(V3)_2": [ - "Succeeded" - ] - }, - "type": "ApiConnection" + } }, - "Create_HTML_table_with_security_indicators": { - "inputs": { - "format": "HTML", - "from": "@body('Get_Risk_score_for_a_domain')?['indicators']" - }, + "Add_comment_to_incident_(V3)_3": { "runAfter": { - "Get_logo": [ + "Add_comment_to_incident_(V3)_2": [ "Succeeded" ] }, - "type": "Table" - }, - "Get_Risk_score_for_a_domain": { + "type": "ApiConnection", "inputs": { "host": { "connection": { - "name": "@parameters('$connections')['ciscoumbrellainvestigate']['connectionId']" + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" } }, - "method": "get", - "path": "/domains/risk-score/@{encodeURIComponent(outputs('Get_domain_from_URL'))}" - }, + "method": "post", + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

@{outputs('Get_logo')} CiscoUmbrella-GetDomainInfo
Security data for @{outputs('Get_domain_from_URL')} (part 2):
pagerank: @{body('HTTP_-_Get_domain_security_data')?['pagerank']}
Popularity according to Google's pagerank algorithm.
asn_score: @{body('HTTP_-_Get_domain_security_data')?['asn_score']}
ASN reputation score, ranges from -100 to 0 with -100 being very suspicious.
prefix_score: @{body('HTTP_-_Get_domain_security_data')?['prefix_score']}
Prefix ranks domains given their IP prefixes (first three octets in IP) and the reputation score of these prefixes. Ranges from -100 to 0, -100 being very suspicious.
rip_score: @{body('HTTP_-_Get_domain_security_data')?['rip_score']}
RIP ranks domains given their IP addresses and the reputation score of these IP addresses. Ranges from -100 to 0, -100 being very suspicious.
popularity: @{body('HTTP_-_Get_domain_security_data')?['popularity']}
The number of unique client IPs visiting this site, relative to the all requests to all sites.
geoscore: @{body('HTTP_-_Get_domain_security_data')?['geoscore']}
A score that represents how far the different physical locations serving this name are from each other.
ks_test: @{body('HTTP_-_Get_domain_security_data')?['ks_test']}
Kolmogorov–Smirnov test on geodiversity. 0 means that the client traffic matches what is expected for this TLD.
attack: @{body('HTTP_-_Get_domain_security_data')?['attack']}
The name of any known attacks associated with this domain.
threat_type: @{body('HTTP_-_Get_domain_security_data')?['threat_type']}
The type of the known attack.

" + }, + "path": "/Incidents/Comment" + } + }, + "Create_HTML_table_with_security_indicators": { "runAfter": { - "Get_domain_security_data": [ + "Get_logo": [ "Succeeded" ] }, - "type": "ApiConnection" + "type": "Table", + "inputs": { + "from": "@body('HTTP_-_Get_Risk_score_for_a_domain')?['indicators']", + "format": "HTML" + } }, "Get_domain_from_URL": { - "inputs": "@split(replace(replace(item()?['Url'],'http://',''), 'https://', ''), '/')[0]", - "type": "Compose" + "type": "Compose", + "inputs": "@split(replace(replace(item()?['Url'],'http://',''), 'https://', ''), '/')[0]" }, - "Get_domain_security_data": { - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['ciscoumbrellainvestigate']['connectionId']" - } - }, - "method": "get", - "path": "/security/name/@{encodeURIComponent(outputs('Get_domain_from_URL'))}" + "Get_logo": { + "runAfter": { + "HTTP_-_Get_Risk_score_for_a_domain": [ + "Succeeded" + ] }, + "type": "Compose", + "inputs": "" + }, + "HTTP_-_Get_domain_security_data": { "runAfter": { "Get_domain_from_URL": [ "Succeeded" ] }, - "type": "ApiConnection" + "type": "Http", + "inputs": { + "uri": "https://@{parameters('Host End Point')}/investigate/v2/security/name/@{encodeURIComponent(outputs('Get_domain_from_URL'))}", + "method": "GET", + "headers": { + "Authorization": "Bearer @{body('Parse_JSON')?['access_token']}" + } + }, + "runtimeConfiguration": { + "contentTransfer": { + "transferMode": "Chunked" + } + } }, - "Get_logo": { - "inputs": "", + "HTTP_-_Get_Risk_score_for_a_domain": { "runAfter": { - "Get_Risk_score_for_a_domain": [ + "HTTP_-_Get_domain_security_data": [ "Succeeded" ] }, - "type": "Compose" + "type": "Http", + "inputs": { + "uri": "https://@{parameters('Host End Point')}/investigate/v2/domains/risk-score/@{encodeURIComponent(outputs('Get_domain_from_URL'))}", + "method": "GET", + "headers": { + "Authorization": "Bearer @{body('Parse_JSON')?['access_token']}" + } + }, + "runtimeConfiguration": { + 
"contentTransfer": { + "transferMode": "Chunked" + } + } } }, - "foreach": "@body('Entities_-_Get_URLs')?['URLs']", "runAfter": { - "Entities_-_Get_URLs": [ + "Parse_JSON": [ "Succeeded" ] }, "type": "Foreach" - } - }, - "contentVersion": "1.0.0.0", - "parameters": { - "$connections": { - "type": "Object" - } - }, - "triggers": { - "When_Azure_Sentinel_incident_creation_rule_was_triggered": { + }, + "Get_Client_Id": { + "runAfter": { + "Entities_-_Get_URLs": [ + "Succeeded" + ] + }, + "type": "ApiConnection", "inputs": { - "body": { - "callback_url": "@{listCallbackUrl()}" + "host": { + "connection": { + "name": "@parameters('$connections')['keyvault']['connectionId']" + } }, + "method": "get", + "path": "/secrets/@{encodeURIComponent(parameters('Umbrella API ClientId Key Name'))}/value" + }, + "runtimeConfiguration": { + "secureData": { + "properties": [ + "inputs", + "outputs" + ] + } + } + }, + "Get_Secret": { + "runAfter": { + "Get_Client_Id": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { "host": { "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" + "name": "@parameters('$connections')['keyvault']['connectionId']" } }, - "path": "/incident-creation" + "method": "get", + "path": "/secrets/@{encodeURIComponent(parameters('Umbrella API Secret Key Name'))}/value" }, - "type": "ApiConnectionWebhook" + "runtimeConfiguration": { + "secureData": { + "properties": [ + "inputs", + "outputs" + ] + } + } + }, + "HTTP_-_Generate_Login_Token": { + "runAfter": { + "Get_Secret": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "uri": "https://@{parameters('Host End Point')}/auth/v2/token", + "method": "POST", + "headers": { + "Content-Type": "application/x-www-form-urlencoded" + }, + "authentication": { + "type": "Basic", + "username": "@{body('Get_Client_Id')?['value']}", + "password": "@{body('Get_Secret')?['value']}" + } + }, + "runtimeConfiguration": { + "contentTransfer": { + "transferMode": "Chunked" + 
}, + "secureData": { + "properties": [ + "inputs", + "outputs" + ] + } + } + }, + "Parse_JSON": { + "runAfter": { + "HTTP_-_Generate_Login_Token": [ + "Succeeded" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@body('HTTP_-_Generate_Login_Token')", + "schema": { + "type": "object", + "properties": { + "token_type": { + "type": "string" + }, + "access_token": { + "type": "string" + }, + "expires_in": { + "type": "integer" + } + } + } + } } } }, "parameters": { "$connections": { "value": { - "azuresentinel": { - "connectionName": "[[variables('AzureSentinelConnectionName')]", - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", - "id": "[[concat('/subscriptions/',subscription().subscriptionId, '/providers/Microsoft.Web/locations/',variables('workspace-location-inline'),'/managedApis/azuresentinel')]" + "microsoftsentinel": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "connectionName": "[[variables('MicrosoftSentinelConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } }, - "ciscoumbrellainvestigate": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('CiscoUmbrellaInvestigateAPIConnectionName'))]", - "connectionName": "[[variables('CiscoUmbrellaInvestigateAPIConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('customApis_ciscoumbrellainvestigate_name'))]" + "keyvault": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('KeyvaultConnectionName'))]", + "connectionName": "[[variables('KeyvaultConnectionName')]", + "id": 
"[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/keyvault')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } } } } } }, + "name": "[[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[[variables('workspace-location-inline')]", + "identity": { + "type": "SystemAssigned" + }, "tags": { + "hidden-SentinelTemplateName": "CiscoUmbrella-GetDomainInfo", + "hidden-SentinelTemplateVersion": "1.0", "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "apiVersion": "2017-07-01", + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('KeyvaultConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('MicrosoftSentinelConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('MicrosoftSentinelConnectionName')]", + "parameterValueType": "Alternative", + "api": { + "id": "[[variables('_connection-2')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('KeyvaultConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('KeyvaultConnectionName')]", + "parameterValueType": "Alternative", + "alternativeParameterValues": { + "vaultName": "[[parameters('keyvault name')]" + }, + "nonSecretParameterValues": { + "vaultName": "[[parameters('keyvault name')]" + }, + "api": { + "id": "[[variables('_connection-3')]" + } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId8'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId5'),'/'))))]", "properties": { - "parentId": "[variables('playbookId8')]", - "contentId": "[variables('_playbookContentId8')]", + "parentId": "[variables('playbookId5')]", + "contentId": "[variables('_playbookContentId5')]", "kind": "Playbook", - "version": "[variables('playbookVersion8')]", + "version": "[variables('playbookVersion5')]", "source": { "kind": "Solution", "name": "CiscoUmbrella", 
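Review bot: The bearer token returned by `HTTP_-_Generate_Login_Token` is written to run history in clear text, because `Parse_JSON` carries no `runtimeConfiguration.secureData` and the two `Http` actions `HTTP_-_Get_domain_security_data` and `HTTP_-_Get_Risk_score_for_a_domain` configure only `contentTransfer`, so their `Authorization: Bearer …` header is recorded in the action inputs. The Key Vault reads and the token request itself are correctly marked secure, which makes the omission inconsistent: a live Investigate API token is visible to anyone with run-history read access on the Logic App for as long as `expires_in` allows. Add `"secureData": { "properties": [ "inputs", "outputs" ] }` to the `runtimeConfiguration` of `Parse_JSON` and to the two GET actions (for the GET actions `"inputs"` alone is enough to cover the header). The `CiscoUmbrella-AssignPolicyToIdentity` definition earlier in this file has the same gap in `Parse_JSON_-_Parse_Login_Response`, though that hunk starts outside this view.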
@@ -7247,37 +6210,26 @@
 "name": "Microsoft Corporation",
 "email": "support@microsoft.com",
 "link": "https://support.microsoft.com/"
- },
- "dependencies": {
- "criteria": [
- {
- "kind": "LogicAppsCustomConnector",
- "contentId": "[variables('_CiscoUmbrellaInvestigateAPIConnector')]",
- "version": "[variables('playbookVersion2')]"
- }
- ]
 }
 }
 }
 ],
 "metadata": {
 "title": "CiscoUmbrella-GetDomainInfo",
- "description": "This playbook showcases an example of triggering an incident within a targeted Teams channel and opening up a ticket within Service Now. Additionally The playbook will also list playbooks that can be initiated from teams using an adaptive card and callbacks that will take action upon certain entities identified in the incident.",
+ "description": "This playbook is used to get Security Information about a particular domain. It provides details such as security scores, reputation and other security-related metadata that can help assess if the domain is associated with malicious activity, phishing attempts, or other threats. This playbook also helps to assess the risk associated with a domain name and return a risk score that helps determine if the domain is considered suspicious or potentially malicious. This details are added to incident as a comment. For more details, click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaPlaybooks/CiscoUmbrella-GetDomainInfo/readme.md#summary).",
 "prerequisites": [
- "1. ServiceNow Instance URL, Username, and password.",
- "2. Access and authorization to enable API connectors",
- "3. Teams Group ID, Channel ID and Alert details where the messages are to be posted in."
+ "1. Login to Cisco Umbrella dashboard and navigating to Admin-->API Keys. Create New API Key if not already created and select the appropriate 'Key Scope' with Read/Write permission. Store 'Api Key' and 'Key Secret' to a safe place. 
This 'Api Key' is a 'Client Id' and 'Key Secret' is a 'Secret' used for this Playbook.",
+ "2. Store the 'Api Key' and 'Key Secret' from previous step to Key vault Secrets."
 ],
- "lastUpdateTime": "2021-06-29T10:00:00Z",
+ "postDeployment": [
+ "For more details on Post Deployment Instructions, click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaPlaybooks/CiscoUmbrella-GetDomainInfo/readme.md#post-deployment-instructions)."
+ ],
+ "lastUpdateTime": "2024-12-20T10:00:00Z",
 "entities": [
- "Account",
- "Url",
- "Host"
+ "URL"
 ],
 "tags": [
- "Sync",
- "Notification",
- "Teams Response"
+ "Notification"
 ],
 "releaseNotes": {
 "version": "1.0",
@@ -7293,12 +6245,12 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_playbookContentId8')]",
+ "contentId": "[variables('_playbookContentId5')]",
 "contentKind": "Playbook",
 "displayName": "CiscoUmbrella-GetDomainInfo",
- "contentProductId": "[variables('_playbookcontentProductId8')]",
- "id": "[variables('_playbookcontentProductId8')]",
- "version": "[variables('playbookVersion8')]"
+ "contentProductId": "[variables('_playbookcontentProductId5')]",
+ "id": "[variables('_playbookcontentProductId5')]",
+ "version": "[variables('playbookVersion5')]"
 }
 },
 {
@@ -7306,12 +6258,12 @@
 "apiVersion": "2023-04-01-preview",
 "location": "[parameters('workspace-location')]",
 "properties": {
- "version": "3.0.2",
+ "version": "3.0.3",
 "kind": "Solution",
 "contentSchemaVersion": "3.0.0",
 "displayName": "CiscoUmbrella",
 "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation",
- "descriptionHtml": "
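Review bot: The new `prerequisites` step 1 tells the operator to create an Umbrella API key with a 'Key Scope' of Read/Write, while the `description` in the same hunk says the playbook only retrieves domain security and risk-score data and writes it back to the incident as a comment, so a write-capable key stored in Key Vault is more privilege than this workflow needs. Suggest rewording the step to request only the read scope covering the Investigate endpoints the playbook calls, e.g. `... select the 'Key Scope' that grants read access for the Investigate endpoints used by this playbook; no write permission is required ...`, and keeping the Read/Write wording for the playbooks that actually modify destination lists or policies. The description also has a grammar slip: `This details are added to incident as a comment.` → `These details are added to the incident as a comment.`. The `entities` value changed from `Url` (the removed line) to `URL`; worth confirming which spelling the solution packaging tooling and the portal's entity filter expect, since the other removed values (`Account`, `Host`) use mixed case. The enclosing playbook resource starts before this hunk.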

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Cisco Umbrella solution for Microsoft Sentinel enables you to ingest Cisco Umbrella events stored in Amazon S3 into Microsoft Sentinel using the Amazon S3 REST API.

\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n
    \n
  1. Azure Monitor HTTP Data Collector API

    \n
  2. \n
  3. Azure Functions

    \n
  4. \n
\n

Data Connectors: 1, Parsers: 1, Workbooks: 1, Analytic Rules: 10, Hunting Queries: 10, Custom Azure Logic Apps Connectors: 4, Playbooks: 4

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Cisco Umbrella solution for Microsoft Sentinel enables you to ingest Cisco Umbrella events stored in Amazon S3 into Microsoft Sentinel using the Amazon S3 REST API.

\n

Data Connectors: 1, Parsers: 1, Workbooks: 1, Analytic Rules: 10, Hunting Queries: 10, Custom Azure Logic Apps Connectors: 1, Playbooks: 4

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", @@ -7453,43 +6405,28 @@ }, { "kind": "LogicAppsCustomConnector", - "contentId": "[variables('_CiscoUmbrellaEnforcementAPIConnector')]", + "contentId": "[variables('_EnforcementAPICustomConnector')]", "version": "[variables('playbookVersion1')]" }, { - "kind": "LogicAppsCustomConnector", - "contentId": "[variables('_CiscoUmbrellaInvestigateAPIConnector')]", + "kind": "Playbook", + "contentId": "[variables('_CiscoUmbrella-BlockDomain')]", "version": "[variables('playbookVersion2')]" }, - { - "kind": "LogicAppsCustomConnector", - "contentId": "[variables('_CiscoUmbrellaManagementAPIConnector')]", - "version": "[variables('playbookVersion3')]" - }, - { - "kind": "LogicAppsCustomConnector", - "contentId": "[variables('_CiscoUmbrellaNetworkDeviceManagementAPIConnector')]", - "version": "[variables('playbookVersion4')]" - }, { "kind": "Playbook", "contentId": "[variables('_CiscoUmbrella-AddIpToDestinationList')]", - "version": "[variables('playbookVersion5')]" + "version": "[variables('playbookVersion3')]" }, { "kind": "Playbook", "contentId": "[variables('_CiscoUmbrella-AssignPolicyToIdentity')]", - "version": "[variables('playbookVersion6')]" - }, - { - "kind": "Playbook", - "contentId": "[variables('_CiscoUmbrella-BlockDomain')]", - "version": "[variables('playbookVersion7')]" + "version": "[variables('playbookVersion4')]" }, { "kind": "Playbook", "contentId": "[variables('_CiscoUmbrella-GetDomainInfo')]", - "version": "[variables('playbookVersion8')]" + "version": "[variables('playbookVersion5')]" } ] }, diff --git a/Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaInvestigateAPIConnector/azuredeploy.json b/Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaInvestigateAPIConnector/azuredeploy.json deleted file mode 100644 index 00e68ab3449..00000000000 
--- a/Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaInvestigateAPIConnector/azuredeploy.json +++ /dev/null 
@@ -1,401 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "customApis_CiscoUmbrellaInvestigateAPIConnector_name": { - "defaultValue": "CiscoUmbrellaInvestigateAPI", - "type": "String" - } - }, - "variables": {}, - "resources": [ - { - "type": "Microsoft.Web/customApis", - "apiVersion": "2016-06-01", - "name": "[parameters('customApis_CiscoUmbrellaInvestigateAPIConnector_name')]", - "location": "[resourceGroup().location]", - "properties": { - "connectionParameters": { - "api_key": { - "type": "securestring", - "uiDefinition": { - "displayName": "API Key", - "description": "The API Key for this api", - "tooltip": "Provide your API Key in format: Bearer YOUR_API_KEY", - "constraints": { - "tabIndex": 2, - "clearText": false, - "required": "true" - } - } - } - }, - "brandColor": "#FFFFFF", - "description": "Connector for Cisco Umbrella Investigate API", - "displayName": "[parameters('customApis_CiscoUmbrellaInvestigateAPIConnector_name')]", - "iconUri": "", - "backendService": { - "serviceUrl": "https://investigate.api.umbrella.com" - }, - "apiType": "Rest", - "swagger": { - "swagger": "2.0", - "info": { - "title": "Default title", - "description": "Connector for Cisco Umbrella Investigate API", - "version": "1.0" - }, - "host": "investigate.api.umbrella.com", - "basePath": "/", - "schemes": [ - "https" - ], - "consumes": [], - "produces": [], - "paths": { - "/security/name/{Domain}": { - "get": { - "responses": { - "default": { - "description": "default", - "schema": { - "type": "object", - "properties": { - "dga_score": { - "type": "integer", - "format": "int32", - "description": "Domain Generation Algorithm. This score is generated based on the likeliness of the domain name being generated by an algorithm rather than a human. 
This algorithm is designed to identify domains which have been created using an automated randomization strategy, which is a common evasion technique in malware kits or botnets. This score ranges from -100 (suspicious) to 0 (benign)." - }, - "perplexity": { - "type": "number", - "format": "float", - "description": "A second score on the likeliness of the name to be algorithmically generated, on a scale from 0 to 100. This score is to be used in conjunction with DGA." - }, - "entropy": { - "type": "number", - "format": "float", - "description": "The number of bits required to encode the domain name, as a score. This score is to be used in conjunction with DGA and Perplexity." - }, - "securerank2": { - "type": "number", - "format": "float", - "description": "Suspicious rank for a domain that reviews based on the lookup behavior of client IP for the domain. Securerank is designed to identify hostnames requested by known infected clients but never requested by clean clients, assuming these domains are more likely to be bad. Scores returned range from -100 (suspicious) to 100 (benign)." - }, - "pagerank": { - "type": "number", - "format": "float", - "description": "Popularity according to Google's pagerank algorithm" - }, - "asn_score": { - "type": "number", - "format": "float", - "description": "ASN reputation score, ranges from -100 to 0 with -100 being very suspicious." - }, - "prefix_score": { - "type": "number", - "format": "float", - "description": "Prefix ranks domains given their IP prefixes (an IP prefix is the first three octets in an IP address) and the reputation score of these prefixes. Ranges from -100 to 0, -100 being very suspicious." - }, - "rip_score": { - "type": "number", - "format": "float", - "description": "RIP ranks domains given their IP addresses and the reputation score of these IP addresses. Ranges from -100 to 0, -100 being very suspicious." 
- }, - "popularity": { - "type": "integer", - "format": "int32", - "description": "The number of unique client IPs visiting this site, relative to the all requests to all sites. A score of how many different client/unique IPs go to this domain compared to others." - }, - "fastflux": { - "type": "boolean", - "description": "fastflux", - "x-ms-visibility": "internal" - }, - "geodiversity": { - "type": "array", - "description": "array of geodiversity tuples", - "x-ms-summary": "geodiversity array", - "items": { - "x-ms-summary": "geodiversity tuple", - "description": "Tuple [\"country code\", \"score\"]. A score representing the number of queries from clients visiting the domain, broken down by country. Score is a non-normalized ratio between 0 and 1.", - "type": "array", - "items": {} - } - }, - "geodiversity_normalized": { - "type": "array", - "description": "array of geodiversity_normalized tuples", - "x-ms-summary": "geodiversity_normalized array", - "items": { - "x-ms-summary": "geodiversity_normalized tuple", - "description": "Tuple [\"country code\", \"score\"]. A score representing the amount of queries for clients visiting the domain, broken down by country. Score is a normalized ratio between 0 and 1.", - "type": "array", - "items": {} - } - }, - "tld_geodiversity": { - "type": "array", - "description": "array of tld_geodiversity tuples", - "x-ms-summary": "tld_geodiversity array", - "items": { - "x-ms-summary": "tld_geodiversity tuple", - "description": "Tuple [\"country code\", \"score\"]. A score that represents the TLD country code geodiversity as a percentage of clients visiting the domain. Occurs most often with domains that have a ccTLD. Score is normalized ratio between 0 and 1.", - "type": "array", - "items": {} - } - }, - "geoscore": { - "type": "integer", - "format": "int32", - "description": "A score that represents how far the different physical locations serving this name are from each other." 
- }, - "ks_test": { - "type": "integer", - "format": "int32", - "description": "Kolmogorov–Smirnov test on geodiversity. 0 means that the client traffic matches what is expected for this TLD." - }, - "attack": { - "type": "string", - "description": "The name of any known attacks associated with this domain. Returns blank if no known threat associated with domain." - }, - "threat_type": { - "type": "string", - "description": "The type of the known attack, such as botnet or APT. Returns blank if no known threat associated with domain." - }, - "found": { - "type": "boolean", - "description": "Returns true if results available. Returns blank if no known threat associated with domain." - } - } - } - } - }, - "summary": "Get domain security data", - "description": "Security Information for a Domain", - "operationId": "GetDomainSecurityData", - "parameters": [ - { - "name": "Domain", - "in": "path", - "required": true, - "type": "string" - } - ] - } - }, - "/domains/risk-score/{DomainName}": { - "get": { - "responses": { - "default": { - "description": "default", - "schema": { - "type": "object", - "properties": { - "indicators": { - "type": "array", - "x-ms-summary": "indicators", - "description": "array of indicator objects", - "items": { - "x-ms-summary": "indicator", - "description": "indicator object", - "type": "object", - "properties": { - "indicator": { - "type": "string", - "description": "indicator name", - "title": "name" - }, - "normalized_score": { - "type": "integer", - "format": "int32", - "description": "indicator normalized score" - }, - "score": { - "type": "boolean", - "description": "indicator score" - } - } - } - }, - "risk_score": { - "type": "integer", - "format": "int32", - "description": "risk score" - } - } - } - } - }, - "summary": "Get Risk score for a domain", - "description": "Get Risk score for a domain", - "operationId": "GetDomainRiskScore", - "parameters": [ - { - "name": "DomainName", - "in": "path", - "required": true, - "type": 
"string" - } - ] - } - }, - "/domains/categorization/{Domain}": { - "get": { - "responses": { - "default": { - "description": "default", - "schema": { - "type": "object", - "additionalProperties": { - "type": "object", - "description": "Domain object", - "title": "Domain object", - "x-ms-summary": "Domain object", - "properties": { - "status": { - "type": "integer", - "format": "int32", - "description": "The status will be \"-1\" if the domain is believed to be malicious, \"1\" if the domain is believed to be benign, \"0\" if it hasn't been classified yet." - }, - "security_categories": { - "type": "array", - "items": { - "type": "string" - }, - "description": "The Umbrella security category, or categories, that match this domain or that this domain is associated with. If none match, the return will be blank." - }, - "content_categories": { - "type": "array", - "items": { - "type": "string" - }, - "description": "The Umbrella content category or categories that match this domain. If none match, the return will be blank." - } - } - } - } - } - }, - "summary": "Get Domain Status and Categorization", - "description": "Get Domain Status and Categorization", - "operationId": "GetDomainStatusAndCategorization", - "parameters": [ - { - "name": "Domain", - "in": "path", - "required": true, - "type": "string" - }, - { - "name": "showLabels", - "in": "query", - "required": true, - "type": "string", - "default": 1, - "x-ms-visibility": "internal" - } - ] - } - }, - "/recommendations/name/{Domain}": { - "get": { - "responses": { - "default": { - "description": "default", - "schema": { - "type": "object", - "properties": { - "pfs2": { - "type": "array", - "x-ms-summary": "pfs2 array", - "description": "Array of [domain name, scores] tuples. The values range between 0 and 1 and should not exceed 1. 
All co-occurences of requests from client IPs are returned for the previous seven days whether the co-occurence is suspicious or not.", - "items": { - "x-ms-summary": "pfs2 tuple", - "description": "[domain name, scores] tuple. The values range between 0 and 1 and should not exceed 1. All co-occurences of requests from client IPs are returned for the previous seven days whether the co-occurence is suspicious or not.", - "type": "array", - "items": {} - } - }, - "found": { - "type": "boolean", - "description": "Returns true if results available. Nothing is returned if no results available." - } - } - } - } - }, - "summary": "Get Co-Occurrences for a Domain", - "description": "Get Co-Occurrences for a Domain", - "operationId": "GetCoOccurrencesForDomain", - "parameters": [ - { - "name": "Domain", - "in": "path", - "required": true, - "type": "string" - } - ] - } - }, - "/links/name/{Domain}": { - "get": { - "responses": { - "default": { - "description": "default", - "schema": { - "type": "object", - "properties": { - "tb1": { - "type": "array", - "x-ms-summary": "tb1 array", - "description": "Array of [domain name, scores] tuples where score is the number of client IP requests to the site around the same time as the site being looked up. This is a score reflecting the number of client IPs looking up related sites within 60 seconds of the original request.", - "items": { - "x-ms-summary": "tb1 tuple", - "description": "[domain name, scores] tuples where score is the number of client IP requests to the site around the same time as the site being looked up. This is a score reflecting the number of client IPs looking up related sites within 60 seconds of the original request.", - "type": "array", - "items": {} - } - }, - "found": { - "type": "boolean", - "description": "Returns true if results available. Nothing is returned if no results available." 
- } - } - } - } - }, - "summary": "Get a list of domain names requested the same time as a specified domain", - "description": "Get a list of domain names requested the same time as a specified domain", - "operationId": "GetRelatedDomains", - "parameters": [ - { - "name": "Domain", - "in": "path", - "required": true, - "type": "string" - } - ] - } - } - }, - "definitions": {}, - "parameters": {}, - "responses": {}, - "securityDefinitions": { - "API Key": { - "type": "apiKey", - "in": "header", - "name": "Authorization" - } - }, - "security": [ - { - "API Key": [] - } - ], - "tags": [] - } - } - } - ] -} \ No newline at end of file diff --git a/Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaInvestigateAPIConnector/readme.md b/Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaInvestigateAPIConnector/readme.md deleted file mode 100644 index eb485b10235..00000000000 --- a/Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaInvestigateAPIConnector/readme.md +++ /dev/null 
@@ -1,32 +0,0 @@ -# Cisco Umbrella Investigate API Logic Apps Custom connector - -This Custom Connector is used for connection to Cisco Umbrella Investigate API. - -### Authentication methods supported by this connector - -* API Key authentication - -### Prerequisites in Cisco Umbrella - -To get Cisco Umbrella Investigate API credentials follow the instructions: - -1. Login to your Cisco Umbrella dashboard. -2. Navigate to Investigate > API Keys. -3. To create your first API access token, click Create New Token. -4. Give the token a name, then click Create. - -## Actions supported by Cisco Umbrella Investigate API custom connector - -| **Component** | **Description** | -| --------- | -------------- | -| **Get domain security data** | The security information API method contains multiple scores or security features, each of which can be used to determine relevant datapoints to build insight on the reputation or security risk posed by the site. | -| **Get risk score for a domain** | The Umbrella Investigate Risk Score is based on an analysis of the lexical characteristics of the domain name and patterns in queries and requests to the domain. The score is scaled from 0 to 100, with 100 being the highest risk and 0 being no risk at all. Periodically Umbrella updates this score based on additional inputs. A domain blocked by Umbrella receives the score of 100. | -| **Get domain status and categorization** | Returns the domain status which is the quickest and easiest way to know whether a domain has been flagged as malicious by the Cisco Security Labs team (score of -1 for status). If the domain is believed to be safe (score of 1), or if it has yet to be given a status (score of 0). This method also returns the security categories and content categories of a domain. | -| **Get co-occurrences for a domain** | This API method returns a list of co-occurences for the specified domain. 
A co-occurrence is when two or more domains are accessed by the same users within a small period of time. | -| **Get Related Domains** | This API method returns a list of domain names that have been frequently requested during a defined period of time (up to 60 seconds before or after) as the given domain name, but are not frequently associated with other domain names. | - -### Deployment instructions - -1. To deploy Custom Connector, click the Deploy to Azure button. This will launch the ARM Template deployment wizard. - -[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FCiscoUmbrella%2FPlaybooks%2FCiscoUmbrellaInvestigateAPIConnector%2Fazuredeploy.json) [![Deploy to Azure](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FCiscoUmbrella%2FPlaybooks%2FCiscoUmbrellaInvestigateAPIConnector%2Fazuredeploy.json) \ No newline at end of file diff --git a/Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaManagementAPIConnector/azuredeploy.json b/Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaManagementAPIConnector/azuredeploy.json deleted file mode 100644 index a5ebb0e766f..00000000000 --- a/Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaManagementAPIConnector/azuredeploy.json +++ /dev/null 
@@ -1,747 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "customApis_CiscoUmbrellaManagementAPI_name": { - "defaultValue": "CiscoUmbrellaManagementAPI", - "type": "String" - } - }, - "variables": {}, - "resources": [ - { - "type": "Microsoft.Web/customApis", - "apiVersion": "2016-06-01", - "name": "[parameters('customApis_CiscoUmbrellaManagementAPI_name')]", - "location": "[resourceGroup().location]", - "properties": { - "connectionParameters": { - "username": { - "type": "securestring", - "uiDefinition": { - "displayName": "Key", - "description": "The Key for this api", - "tooltip": "Provide the Key", - "constraints": { - "tabIndex": 2, - "clearText": true, - "required": "true" - } - } - }, - "password": { - "type": "securestring", - "uiDefinition": { - "displayName": "Secret", - "description": "The Secret for this api", - "tooltip": "Provide the Secret", - "constraints": { - "tabIndex": 3, - "clearText": false, - "required": "true" - } - } - } - }, - "brandColor": "#FFFFFF", - "description": "Connector for Cisco Umbrella Management API", - "displayName": "[parameters('customApis_CiscoUmbrellaManagementAPI_name')]", - "iconUri": "", - "backendService": { - "serviceUrl": "https://management.api.umbrella.com" - }, - "apiType": "Rest", - "swagger": { - "swagger": "2.0", - "info": { - "title": "Default title", - "description": "Connector for Cisco Umbrella Management API", - "version": "1.0" - }, - "host": "management.api.umbrella.com", - "basePath": "/", - "schemes": [ - "https" - ], - "consumes": [], - "produces": [], - "paths": { - "/v1/organizations/{organizationId}/destinationlists": { - "get": { - "responses": { - "default": { - "description": "default", - "schema": { - "type": "object", - "properties": { - "status": { - "type": "object", - "x-ms-summary": "Response status", - "x-ms-visibility": "internal", - "description": "Response status object", - 
"properties": { - "code": { - "type": "integer", - "format": "int32", - "description": "code" - }, - "text": { - "type": "string", - "description": "text" - } - } - }, - "meta": { - "type": "object", - "x-ms-visibility": "internal", - "properties": { - "page": { - "type": "integer", - "format": "int32", - "description": "page" - }, - "limit": { - "type": "integer", - "format": "int32", - "description": "limit" - }, - "total": { - "type": "integer", - "format": "int32", - "description": "total" - } - }, - "description": "meta" - }, - "data": { - "x-ms-summary": "Array of Destionation list objects", - "description": "Array of Destionation list objects", - "type": "array", - "items": { - "type": "object", - "x-ms-summary": "Destionation list", - "description": "Destionation list object", - "properties": { - "id": { - "type": "integer", - "format": "int32", - "description": "Unique id of the destination list." - }, - "organizationId": { - "type": "integer", - "format": "int32", - "description": "organizationId" - }, - "access": { - "type": "string", - "description": "Access can be allow or block. It defines destinationlist type." - }, - "isGlobal": { - "type": "boolean", - "description": "isGlobal can be true or false. There will be only one default destination list of type allow or block for an organization." - }, - "name": { - "type": "string", - "description": "Name of the destination list." - }, - "thirdpartyCategoryId": { - "type": "string", - "description": "Destionation list thirdpartyCategoryId" - }, - "createdAt": { - "type": "string", - "description": "Creation date." - }, - "modifiedAt": { - "type": "string", - "description": "Last modified date." 
- }, - "isMspDefault": { - "type": "boolean", - "description": "Destionation list isMspDefault" - }, - "markedForDeletion": { - "type": "boolean", - "description": "Destionation list markedForDeletion" - }, - "bundleTypeId": { - "type": "integer", - "format": "int32", - "description": "Destionation list bundleTypeId" - }, - "meta": { - "type": "object", - "description": "Destionation list meta info object", - "properties": { - "destinationCount": { - "type": "integer", - "format": "int32", - "description": "Total number of destinations in a destination list." - }, - "domainCount": { - "type": "integer", - "format": "int32", - "description": "Total number of domains in a destination list. Domains are part of total destinations in a destination lists." - }, - "urlCount": { - "type": "integer", - "format": "int32", - "description": "Total number of Urls in a destination list. Urls are part of total destinations in a destination lists." - }, - "ipv4Count": { - "type": "integer", - "format": "int32", - "description": "Total number of Ip's in a destination list. Ip's are part of total destinations in a destination lists." - }, - "applicationCount": { - "type": "integer", - "format": "int32", - "description": "Total number of applications in a destination list." - } - } - } - } - } - } - } - } - } - }, - "summary": "Retrieve all destination lists", - "operationId": "RetrieveAllDestinationLists", - "description": "Retrieve all destination lists of organization", - "parameters": [ - { - "name": "organizationId", - "in": "path", - "required": true, - "type": "integer", - "description": "", - "format": "int32" - } - ] - }, - "post": { - "responses": { - "default": { - "description": "default", - "schema": { - "type": "object", - "properties": { - "id": { - "type": "integer", - "format": "int32", - "description": "Unique id of the destination list." 
- }, - "organizationId": { - "type": "integer", - "format": "int32", - "description": "organizationId" - }, - "access": { - "type": "string", - "description": "Access can be allow or block. It defines destinationlist type." - }, - "isGlobal": { - "type": "boolean", - "description": "isGlobal can be true or false. There will be only one default destination list of type allow or block for an organization." - }, - "name": { - "type": "string", - "description": "Name of the destination list." - }, - "thirdpartyCategoryId": { - "type": "string", - "description": "Destionation list thirdpartyCategoryId" - }, - "createdAt": { - "type": "string", - "description": "Creation date." - }, - "modifiedAt": { - "type": "string", - "description": "Last modified date." - }, - "isMspDefault": { - "type": "boolean", - "description": "Destionation list isMspDefault" - }, - "markedForDeletion": { - "type": "boolean", - "description": "Destionation list markedForDeletion" - }, - "bundleTypeId": { - "type": "integer", - "format": "int32", - "description": "Destionation list bundleTypeId" - }, - "meta": { - "type": "object", - "description": "Destionation list meta info object", - "properties": { - "destinationCount": { - "type": "integer", - "format": "int32", - "description": "Total number of destinations in a destination list." - }, - "domainCount": { - "type": "integer", - "format": "int32", - "description": "Total number of domains in a destination list. Domains are part of total destinations in a destination lists." - }, - "urlCount": { - "type": "integer", - "format": "int32", - "description": "Total number of Urls in a destination list. Urls are part of total destinations in a destination lists." - }, - "ipv4Count": { - "type": "integer", - "format": "int32", - "description": "Total number of Ip's in a destination list. Ip's are part of total destinations in a destination lists." 
- }, - "applicationCount": { - "type": "integer", - "format": "int32", - "description": "Total number of applications in a destination list." - } - } - } - } - } - } - }, - "summary": "Create destination list", - "operationId": "CreateDestinationList", - "description": "Create destination list", - "parameters": [ - { - "name": "organizationId", - "in": "path", - "required": true, - "type": "string" - }, - { - "name": "body", - "in": "body", - "required": true, - "schema": { - "type": "object", - "properties": { - "destinations": { - "type": "array", - "items": { - "type": "object", - "properties": { - "type": { - "type": "string", - "description": "Type can be DOMAIN, URL, IPV4", - "title": "type", - "enum": [ - "DOMAIN", - "URL", - "IPV4" - ] - }, - "destination": { - "type": "string", - "description": "Destination can be domain, url, ip", - "title": "destination" - }, - "comment": { - "type": "string", - "description": "", - "title": "comment" - } - }, - "required": [ - "destination", - "type" - ] - }, - "description": "destinations" - }, - "access": { - "type": "string", - "description": "Access can be allow or block. It defines destinationlist type.", - "title": "access", - "enum": [ - "allow", - "block" - ] - }, - "isGlobal": { - "type": "boolean", - "description": "isGlobal can be true or false. 
There will be only one default destination list of type allow or block for an organization.", - "title": "isGlobal", - "enum": [ - "", - true, - false - ] - }, - "name": { - "type": "string", - "description": "", - "title": "name" - } - }, - "required": [ - "access", - "destinations", - "isGlobal", - "name" - ] - } - } - ] - } - }, - "/v1/organizations/{organizationId}/destinationlists/{destinationListId}": { - "get": { - "responses": { - "default": { - "description": "default", - "schema": { - "type": "object", - "properties": { - "status": { - "type": "object", - "x-ms-summary": "Response status", - "x-ms-visibility": "internal", - "description": "Response status object", - "properties": { - "code": { - "type": "integer", - "format": "int32", - "description": "code" - }, - "text": { - "type": "string", - "description": "text" - } - } - }, - "data": { - "type": "object", - "x-ms-summary": "Destionation list", - "description": "Destionation list object", - "properties": { - "id": { - "type": "integer", - "format": "int32", - "description": "Unique id of the destination list." - }, - "organizationId": { - "type": "integer", - "format": "int32", - "description": "organizationId" - }, - "access": { - "type": "string", - "description": "Access can be allow or block. It defines destinationlist type." - }, - "isGlobal": { - "type": "boolean", - "description": "isGlobal can be true or false. There will be only one default destination list of type allow or block for an organization." - }, - "name": { - "type": "string", - "description": "Name of the destination list." - }, - "thirdpartyCategoryId": { - "type": "string", - "description": "Destionation list thirdpartyCategoryId" - }, - "createdAt": { - "type": "string", - "description": "Creation date." - }, - "modifiedAt": { - "type": "string", - "description": "Last modified date." 
- }, - "isMspDefault": { - "type": "boolean", - "description": "Destionation list isMspDefault" - }, - "markedForDeletion": { - "type": "boolean", - "description": "Destionation list markedForDeletion" - }, - "bundleTypeId": { - "type": "integer", - "format": "int32", - "description": "Destionation list bundleTypeId" - }, - "meta": { - "type": "object", - "description": "Destionation list meta info object", - "properties": { - "destinationCount": { - "type": "integer", - "format": "int32", - "description": "Total number of destinations in a destination list." - }, - "domainCount": { - "type": "integer", - "format": "int32", - "description": "Total number of domains in a destination list. Domains are part of total destinations in a destination lists." - }, - "urlCount": { - "type": "integer", - "format": "int32", - "description": "Total number of Urls in a destination list. Urls are part of total destinations in a destination lists." - }, - "ipv4Count": { - "type": "integer", - "format": "int32", - "description": "Total number of Ip's in a destination list. Ip's are part of total destinations in a destination lists." - }, - "applicationCount": { - "type": "integer", - "format": "int32", - "description": "Total number of applications in a destination list." 
- } - } - } - } - } - } - } - } - }, - "summary": "Get a destination list", - "operationId": "GetDestinationList", - "description": "Get a destination list by id", - "parameters": [ - { - "name": "organizationId", - "in": "path", - "required": true, - "type": "string" - }, - { - "name": "destinationListId", - "in": "path", - "required": true, - "type": "string" - } - ] - } - }, - "/v1/organizations/{organizationId}/destinationlists/{destinationListId}/destinations": { - "get": { - "responses": { - "default": { - "description": "default", - "schema": { - "type": "object", - "properties": { - "status": { - "x-ms-visibility": "internal", - "type": "object", - "properties": { - "code": { - "type": "integer", - "format": "int32", - "description": "code" - }, - "text": { - "type": "string", - "description": "text" - } - }, - "description": "status" - }, - "meta": { - "type": "object", - "x-ms-visibility": "internal", - "properties": { - "page": { - "type": "integer", - "format": "int32", - "description": "page" - }, - "limit": { - "type": "integer", - "format": "int32", - "description": "limit" - }, - "total": { - "type": "integer", - "format": "int32", - "description": "total" - } - }, - "description": "meta" - }, - "data": { - "type": "array", - "x-ms-summary": "Destinations", - "description": "array of Destination objects", - "items": { - "type": "object", - "x-ms-summary": "Destination", - "description": "Destination object", - "properties": { - "id": { - "type": "string", - "description": "Unique id of the destination" - }, - "destination": { - "type": "string", - "x-ms-summary": "value", - "description": "Destination value" - }, - "type": { - "type": "string", - "description": "Type can be DOMAIN, URL, IPV4" - }, - "comment": { - "type": "string", - "description": "Destination comment" - }, - "createdAt": { - "type": "string", - "description": "Creation date of destination" - } - } - } - } - } - } - } - }, - "summary": "Get list of destinations related to 
destination list", - "operationId": "GetDestinationsList", - "parameters": [ - { - "name": "organizationId", - "in": "path", - "required": true, - "type": "string" - }, - { - "name": "destinationListId", - "in": "path", - "required": true, - "type": "string" - } - ], - "description": "Get list of destinations related to destination list" - }, - "post": { - "responses": { - "default": { - "description": "default", - "schema": {} - } - }, - "summary": "Add list of destinations to destination list", - "description": "Add list of destinations to destination list", - "operationId": "AddDestinations", - "parameters": [ - { - "name": "organizationId", - "in": "path", - "required": true, - "type": "string" - }, - { - "name": "destinationListId", - "in": "path", - "required": true, - "type": "string" - }, - { - "name": "body", - "in": "body", - "required": true, - "schema": { - "type": "array", - "items": { - "type": "object", - "properties": { - "destination": { - "type": "string", - "description": "name of the destination", - "title": "destination" - }, - "comment": { - "type": "string", - "description": "comment for destination", - "title": "comment" - } - }, - "required": [ - "destination" - ] - }, - "required": [ - "items" - ] - } - } - ] - } - }, - "/v1/organizations/{organizationId}/destinationlists/{destinationListId}/destinations/remove": { - "delete": { - "responses": { - "default": { - "description": "default", - "schema": {} - } - }, - "summary": "Delete list of destinations from destination list", - "operationId": "DeleteDestinations", - "parameters": [ - { - "name": "organizationId", - "in": "path", - "required": true, - "type": "string" - }, - { - "name": "destinationListId", - "in": "path", - "required": true, - "type": "string" - }, - { - "name": "body", - "in": "body", - "required": true, - "schema": { - "type": "array", - "items": { - "type": "integer", - "format": "int32", - "description": "Destination id" - } - } - } - ], - "description": "Delete list 
of destinations from destination list"
- }
- }
- },
- "definitions": {},
- "parameters": {},
- "responses": {},
- "securityDefinitions": {
- "basic_auth": {
- "type": "basic"
- }
- },
- "security": [
- {
- "basic_auth": []
- }
- ],
- "tags": []
- }
- }
- }
- ]
-}
\ No newline at end of file
diff --git a/Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaManagementAPIConnector/readme.md b/Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaManagementAPIConnector/readme.md
deleted file mode 100644
index 87a8d55f946..00000000000
--- a/Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaManagementAPIConnector/readme.md
+++ /dev/null
@@ -1,34 +0,0 @@
-# Cisco Umbrella Management API Logic Apps Custom connector
-
-This Custom Connector is used for connection to Cisco Umbrella Management API.
-
-### Authentication methods supported by this connector
-
-* Basic authentication
-
-### Prerequisites in Cisco Umbrella
-
-To get Cisco Umbrella Management API credentials, follow the instructions:
-
-1. Log in to your Cisco Umbrella dashboard.
-2. Navigate to Admin > API Keys, and click Create; or in a management console (Multi-org, MSP, or MSSP), navigate to Settings > API Keys, and click Add.
-3. Select Umbrella Management and click Create.
-4. Expand Umbrella Management, copy Your Key and Your Secret.
-5. Click *To keep it secure, ...* checkbox, and then click Close.
-
-## Actions supported by Cisco Umbrella Management API custom connector
-
-| **Component** | **Description** |
-| --------- | -------------- |
-| **Retrieve all destination lists** | Retrieve all destination lists of organization |
-| **Create a destination list** | Create a destination list |
-| **Get a destination list** | Return destination list |
-| **Get list of destinations related to destination list** | Get list of destinations related to destination list |
-| **Add list of destinations to destination list** | Add list of destinations to destination list |
-| **Delete list of destinations from destination list** | Delete list of destinations from destination list |
-
-### Deployment instructions
-
-1. To deploy Custom Connector, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
-
-[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FCiscoUmbrella%2FPlaybooks%2FCiscoUmbrellaManagementAPIConnector%2Fazuredeploy.json) [![Deploy to Azure](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FCiscoUmbrella%2FPlaybooks%2FCiscoUmbrellaManagementAPIConnector%2Fazuredeploy.json)
\ No newline at end of file
diff --git a/Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaNetworkDeviceManagementAPIConnector/azuredeploy.json b/Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaNetworkDeviceManagementAPIConnector/azuredeploy.json
deleted file mode 100644
index c8a9af33570..00000000000
--- a/Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaNetworkDeviceManagementAPIConnector/azuredeploy.json
+++ /dev/null
@@ -1,256 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "customApis_CiscoUmbrellaNetworkDeviceManagementAPI_name": { - "defaultValue": "CiscoUmbrellaNetworkDeviceManagementAPI", - "type": "String" - } - }, - "variables": {}, - "resources": [ - { - "type": "Microsoft.Web/customApis", - "apiVersion": "2016-06-01", - "name": "[parameters('customApis_CiscoUmbrellaNetworkDeviceManagementAPI_name')]", - "location": "[resourceGroup().location]", - "properties": { - "connectionParameters": { - "username": { - "type": "securestring", - "uiDefinition": { - "displayName": "Key", - "description": "The Key for this api", - "tooltip": "Provide the Key", - "constraints": { - "tabIndex": 2, - "clearText": true, - "required": "true" - } - } - }, - "password": { - "type": "securestring", - "uiDefinition": { - "displayName": "Secret", - "description": "The Secret for this api", - "tooltip": "Provide the Secret", - "constraints": { - "tabIndex": 3, - "clearText": false, - "required": "true" - } - } - } - }, - "brandColor": "#FFFFFF", - "description": "Connector for Cisco Umbrella Network Device Management API", - "displayName": "[parameters('customApis_CiscoUmbrellaNetworkDeviceManagementAPI_name')]", - "iconUri": "", - "backendService": { - "serviceUrl": "https://management.api.umbrella.com" - }, - "apiType": "Rest", - "swagger": { - "swagger": "2.0", - "info": { - "title": "CiscoUmbrellaNetworkDeviceManagementAPIConnector", - "version": "1.0", - "description": "Connector for Cisco Umbrella Network Device Management API" - }, - "host": "management.api.umbrella.com", - "basePath": "/", - "schemes": [ - "https" - ], - "paths": { - "/v1/organizations": { - "get": { - "responses": { - "default": { - "description": "default", - "schema": { - "type": "array", - "items": { - "type": "object", - "x-ms-summary": "Organization", - "description": "Organization object", - "properties": 
{ - "organizationId": { - "type": "integer", - "format": "int32", - "description": "Organization Id", - "title": "Id" - }, - "name": { - "type": "string", - "description": "Organization name", - "title": "name" - } - } - } - } - } - }, - "summary": "Get organization id", - "description": "Get organization id", - "operationId": "GetOrganizationId", - "parameters": [] - } - }, - "/v1/organizations/{organizationId}/networkdevices/{originId}/policies": { - "get": { - "responses": { - "default": { - "description": "default", - "schema": { - "type": "array", - "items": { - "type": "object", - "x-ms-summary": "Policy", - "description": "Policy object", - "properties": { - "policyId": { - "type": "integer", - "format": "int32", - "description": "Policy Id", - "title": "Id" - }, - "name": { - "type": "string", - "description": "Policy name", - "title": "name" - }, - "priority": { - "type": "integer", - "format": "int32", - "description": "Policy priority" - }, - "isAppliedDirectly": { - "type": "boolean", - "description": "Policy is Applied Directly" - }, - "isDefault": { - "type": "boolean", - "description": "Policy is Default" - }, - "createdAt": { - "type": "string", - "description": "Policy creation date" - } - } - } - } - } - }, - "summary": "List all policies of a network device", - "description": "List all policies of a network device", - "operationId": "ListAllPoliciesOnDevice", - "parameters": [ - { - "name": "organizationId", - "in": "path", - "required": true, - "type": "string", - "description": "Organization Id" - }, - { - "name": "originId", - "in": "path", - "required": true, - "type": "string", - "description": "Device Id" - } - ] - } - }, - "/v1/organizations/{organizationId}/policies/{policyId}/identities/{originId}": { - "delete": { - "responses": { - "default": { - "description": "default", - "schema": {} - } - }, - "summary": "Delete an identity from a policy", - "description": "Delete an identity from a policy", - "operationId": 
"DeleteIdentityFromPolicy",
- "parameters": [
- {
- "name": "organizationId",
- "in": "path",
- "required": true,
- "type": "string",
- "description": "Organization Id"
- },
- {
- "name": "policyId",
- "in": "path",
- "required": true,
- "type": "string",
- "description": "Policy Id"
- },
- {
- "name": "originId",
- "in": "path",
- "required": true,
- "type": "string",
- "description": "Identity Id"
- }
- ]
- },
- "put": {
- "responses": {
- "default": {
- "description": "default",
- "schema": {}
- }
- },
- "summary": "Assign a policy to an identity",
- "description": "Assign a policy to an identity",
- "operationId": "AssignPolicyToIdentity",
- "parameters": [
- {
- "name": "organizationId",
- "in": "path",
- "required": true,
- "type": "string",
- "description": "Organization Id"
- },
- {
- "name": "policyId",
- "in": "path",
- "required": true,
- "type": "string",
- "description": "Policy Id"
- },
- {
- "name": "originId",
- "in": "path",
- "required": true,
- "type": "string",
- "description": "Identity Id"
- }
- ]
- }
- }
- },
- "definitions": {},
- "parameters": {},
- "responses": {},
- "securityDefinitions": {
- "basic_auth": {
- "type": "basic"
- }
- },
- "security": [
- {
- "basic_auth": []
- }
- ],
- "tags": []
- }
- }
- }
- ]
-}
\ No newline at end of file
diff --git a/Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaNetworkDeviceManagementAPIConnector/readme.md b/Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaNetworkDeviceManagementAPIConnector/readme.md
deleted file mode 100644
index 77e9ed4f5c5..00000000000
--- a/Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaNetworkDeviceManagementAPIConnector/readme.md
+++ /dev/null
@@ -1,33 +0,0 @@
-# Cisco Umbrella Network Device Management API Logic Apps Custom connector
-
-This Custom Connector is used for connection to Cisco Umbrella Network Device Management API.
-
-### Authentication methods supported by this connector
-
-* Basic authentication
-
-### Prerequisites in Cisco Umbrella
-
-To get Cisco Umbrella Network Device Management API credentials, follow the instructions:
-
-1. Log in to your Cisco Umbrella dashboard.
-2. Navigate to Admin > API Keys and click Create.
-3. Select Umbrella Network Devices and click Create.
-4. Expand Umbrella Network Devices, copy Your Key and Your Secret.
-5. Click *To keep it secure, ...* checkbox, and then click Close.
-
-## Actions supported by Cisco Umbrella Network Device Management API custom connector
-
-| **Component** | **Description** |
-| --------- | -------------- |
-| **Get organization id** | Get your organization id and name. |
-| **List all policies of a network device** | List DNS and web policies associated with a network device. |
-| **Assign a policy to an identity** | Add an Identity to a directly applied DNS or web policy. |
-| **Delete an identity from a policy** | Remove an Identity from a directly applied DNS or web policy. |
-
-
-### Deployment instructions
-
-1. To deploy Custom Connector, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
-
-[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FCiscoUmbrella%2FPlaybooks%2FCiscoUmbrellaNetworkDeviceManagementAPIConnector%2Fazuredeploy.json) [![Deploy to Azure](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FCiscoUmbrella%2FPlaybooks%2FCiscoUmbrellaNetworkDeviceManagementAPIConnector%2Fazuredeploy.json)
\ No newline at end of file
diff --git a/Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaPlaybooks/CiscoUmbrella-AddIpToDestinationList/Images/commentOnIncident.png b/Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaPlaybooks/CiscoUmbrella-AddIpToDestinationList/Images/commentOnIncident.png
new file mode 100644
index 00000000000..b4eb1a2b51f
Binary files /dev/null and b/Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaPlaybooks/CiscoUmbrella-AddIpToDestinationList/Images/commentOnIncident.png differ
diff --git a/Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaPlaybooks/CiscoUmbrella-AddIpToDestinationList/Images/playbook_screenshot.png b/Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaPlaybooks/CiscoUmbrella-AddIpToDestinationList/Images/playbook_screenshot.png
new file mode 100644
index 00000000000..8acc329e59a
Binary files /dev/null and b/Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaPlaybooks/CiscoUmbrella-AddIpToDestinationList/Images/playbook_screenshot.png differ
diff --git a/Solutions/CiscoUmbrella/Playbooks/Playbooks/CiscoUmbrella-AddIpToDestinationList/teams_screenshot.png b/Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaPlaybooks/CiscoUmbrella-AddIpToDestinationList/Images/teams_screenshot.png
similarity index 100%
rename from Solutions/CiscoUmbrella/Playbooks/Playbooks/CiscoUmbrella-AddIpToDestinationList/teams_screenshot.png
rename to Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaPlaybooks/CiscoUmbrella-AddIpToDestinationList/Images/teams_screenshot.png
diff --git a/Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaPlaybooks/CiscoUmbrella-AddIpToDestinationList/azuredeploy.json b/Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaPlaybooks/CiscoUmbrella-AddIpToDestinationList/azuredeploy.json
new file mode 100644
index 00000000000..0b74c79b89e
--- /dev/null
+++ b/Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaPlaybooks/CiscoUmbrella-AddIpToDestinationList/azuredeploy.json
@@ -0,0 +1,1339 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "title": "CiscoUmbrella-AddIpToDestinationList", + "description": "This playbook creates a team notification and once acted on team notification it adds the IP to Cisco Umbrella's destination list and also add's comment to incident. For more details, click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaPlaybooks/CiscoUmbrella-AddIpToDestinationList/readme.md#summary).", + "prerequisites": [ + "1. Login to Cisco Umbrella dashboard and navigating to Admin-->API Keys. Create New API Key if not already created and select the appropriate 'Key Scope' with Read/Write permission. Store 'Api Key' and 'Key Secret' to a safe place. This 'Api Key' is a 'Client Id' and 'Key Secret' is a 'Secret' used for this Playbook.", + "2. Store the 'Api Key' and 'Key Secret' from previous step to Key vault Secrets.", + "3. To send notification to Microsoft Teams, Teams group id and channel id is needed at the time of playbook creation." + ], + "postDeployment": [ + "For more details on Post Deployment Instructions, click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaPlaybooks/CiscoUmbrella-AddIpToDestinationList/readme.md#post-deployment-instructions)." + ], + "lastUpdateTime": "2024-12-16T10:00:00.000Z", + "entities": [ + "IP" + ], + "tags": [ + "Notification", + "Teams Response" + ], + "support": { + "tier": "Microsoft" + }, + "author": { + "name": "Microsoft" + } + }, + "parameters": { + "PlaybookName": { + "defaultValue": "CiscoUmbrella-AddIpToDestinationList", + "type": "string" + }, + "TeamsGroupId": { + "defaultValue": "TeamsGroupIds", + "type": "string", + "metadata": { + "description": "Id of the Teams Group where the adaptive card will be posted." 
+ } + }, + "TeamsChannelId": { + "defaultValue": "TeamsChannelId", + "type": "string", + "metadata": { + "description": "Id of the Teams Channel where the adaptive card will be posted." + } + }, + "Keyvault name": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Enter the Key vault name where CiscoUmbrella Secrets are stored" + } + }, + "Umbrella API ClientId Key Name": { + "type": "string", + "metadata": { + "description": "Enter CiscoUmbrella ClientId Key Name from Key vault" + } + }, + "Umbrella API Secret Key Name": { + "type": "securestring", + "metadata": { + "description": "Enter CiscoUmbrella Secret Key Name from Key vault" + } + }, + "Host End Point": { + "type": "string", + "defaultValue": "api.umbrella.com", + "metadata": { + "description": "Enter Host End Point(hostname) without http:// or https://" + } + } + }, + "variables": { + "MicrosoftSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]", + "TeamsConnectionName": "[concat('teams-', parameters('PlaybookName'))]", + "KeyvaultConnectionName": "[concat('Keyvault-', parameters('PlaybookName'))]" + }, + "resources": [ + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "defaultValue": {}, + "type": "Object" + }, + "Umbrella API ClientId Key Name": { + "type": "string", + "defaultValue": "[parameters('Umbrella API ClientId Key Name')]" + }, + "Umbrella API Secret Key Name": { + "type": "securestring", + "defaultValue": "[parameters('Umbrella API Secret Key Name')]" + }, + "Host End Point": { + "type": "string", + "defaultValue": "[parameters('Host End Point')]" + } + }, + "triggers": { + "When_Azure_Sentinel_incident_creation_rule_was_triggered": { + "type": "ApiConnectionWebhook", + "inputs": { + "host": { + 
"connection": { + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" + } + }, + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "path": "/incident-creation" + } + } + }, + "actions": { + "Append_to_array_variable": { + "runAfter": { + "Initialize_variable_dest_lists_array": ["Succeeded"] + }, + "type": "AppendToArrayVariable", + "inputs": { + "name": "dest_lists_array", + "value": { + "title": "Ignore", + "value": 0 + } + } + }, + "For_each_IP": { + "foreach": "@body('Entities_-_Get_IPs')?['IPs']", + "actions": { + "Add_IP_to_destination_list": { + "actions": { + "Compose": { + "runAfter": { + "Filter_array": ["Succeeded"] + }, + "type": "Compose", + "inputs": "@body('Filter_array')[0]['title']" + }, + "Filter_array": { + "runAfter": { + "Set_variable_3": ["Skipped"] + }, + "type": "Query", + "inputs": { + "from": "@variables('dest_lists_array')", + "where": "@equals(string(item()['value']), body('Post_adaptive_card_and_wait_for_a_response')['data']['action_choices'])" + } + }, + "Set_variable": { + "runAfter": { + "Compose": ["Succeeded"] + }, + "type": "SetVariable", + "inputs": { + "name": "action_message", + "value": "IP @{outputs('Get_IP')} added to \"@{outputs('Compose')}\" destination list." + } + }, + "Set_variable_3": { + "runAfter": { + "HTTP_-_Add_list_of_destinations_to_destination_list": [ + "TimedOut", + "Failed" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "action_message", + "value": "IP @{outputs('Get_IP')} was not added to \"\" destination lists due to Cisco Umbrella API error." 
+ } + }, + "HTTP_-_Add_list_of_destinations_to_destination_list": { + "type": "Http", + "inputs": { + "uri": "https://@{parameters('Host End Point')}/policies/v2/destinationlists/@{encodeURIComponent(body('Post_adaptive_card_and_wait_for_a_response')['data']['action_choices'])}/destinations", + "method": "POST", + "headers": { + "Content-Type": "application/json", + "Accept": "application/json", + "Authorization": "Bearer @{body('Parse_JSON_-_Parse_Login_Response')?['access_token']}" + }, + "body": [ + { + "destination": "@{outputs('Get_IP')}" + } + ] + }, + "runtimeConfiguration": { + "contentTransfer": { + "transferMode": "Chunked" + } + } + } + }, + "runAfter": { + "Post_adaptive_card_and_wait_for_a_response": ["Succeeded"] + }, + "else": { + "actions": {} + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@body('Post_adaptive_card_and_wait_for_a_response')?['data']", + "@null" + ] + } + }, + { + "not": { + "equals": [ + "@body('Post_adaptive_card_and_wait_for_a_response')?['data']?['action_choices']", + "@'0'" + ] + } + }, + { + "contains": [ + "@body('Post_adaptive_card_and_wait_for_a_response')?['data']", + "action_choices" + ] + } + ] + }, + "type": "If" + }, + "Add_comment_to_incident_(V3)": { + "runAfter": { + "Get_Cisco_logo": ["Succeeded"] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" + } + }, + "method": "post", + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

@{outputs('Get_Cisco_logo')}CiscoUmbrella-AddIpToDestinationList
\nActions taken:
\n@{variables('action_message')}
\n@{variables('status_message')}
\n@{variables('severity_message')}

" + }, + "path": "/Incidents/Comment" + } + }, + "Create_body_for_adaptive_card": { + "type": "Compose", + "inputs": { + "$schema": "http://adaptivecards.io/schemas/adaptive-card.json", + "actions": [ + { + "id": "btnSubmit", + "title": "Submit", + "type": "Action.Submit" + }, + { + "id": "btnIgnore", + "title": "Ignore", + "type": "Action.Submit" + } + ], + "body": [ + { + "size": "large", + "text": "Suspicious IP - Microsoft Sentinel", + "type": "TextBlock", + "weight": "bolder", + "wrap": true + }, + { + "text": " Incident No : @{triggerBody()?['object']?['properties']?['incidentNumber']} ", + "type": "TextBlock", + "weight": "Bolder", + "wrap": true + }, + { + "text": "@{triggerBody()?['object']?['properties']?['description']}", + "type": "TextBlock", + "wrap": true + }, + { + "text": "For more details check the incident:", + "type": "TextBlock", + "weight": "Bolder", + "wrap": true + }, + { + "text": "[Click here to view the Incident](@{triggerBody()?['object']?['properties']?['incidentUrl']})", + "type": "TextBlock", + "wrap": true + }, + { + "id": "PollQuestionAction", + "text": "Select the Cisco Umbrella destination list to add IP to.", + "type": "TextBlock" + }, + { + "choices": "@variables('dest_lists_array')", + "id": "action_choices", + "placeholder": "Select from these choices", + "style": "compact", + "type": "Input.ChoiceSet" + }, + { + "id": "PollQuestionSeverity", + "text": "Select incident severity", + "type": "TextBlock" + }, + { + "choices": [ + { + "title": "High", + "value": "high" + }, + { + "title": "Medium", + "value": "medium" + }, + { + "title": "Low", + "value": "low" + }, + { + "title": "Informational", + "value": "informational" + } + ], + "id": "severity_choices", + "placeholder": "Select from these choices", + "style": "compact", + "type": "Input.ChoiceSet" + }, + { + "id": "PollQuestionStatus", + "text": "Select incident status", + "type": "TextBlock" + }, + { + "choices": [ + { + "title": "New", + "value": "new" + }, + { + "title": 
"Active", + "value": "active" + }, + { + "title": "Closed: True Positive - suspicious activity", + "value": "close_tp" + }, + { + "title": "Closed: Benign Positive - suspicious but expected", + "value": "close_bp" + }, + { + "title": "Closed: False Positive - incorrect alert logic", + "value": "close_fp_incorrect_logic" + }, + { + "title": "Closed: False Positive - inaccurate data", + "value": "close_fp_inaccurate_data" + }, + { + "title": "Closed: Undetermined", + "value": "close_undetermined" + } + ], + "id": "status_choices", + "placeholder": "Select from these choices", + "style": "compact", + "type": "Input.ChoiceSet" + } + ], + "type": "AdaptiveCard", + "version": "1.0" + } + }, + "Get_Cisco_logo": { + "runAfter": { + "Update_status": ["Succeeded"] + }, + "type": "Compose", + "inputs": "" + }, + "Post_adaptive_card_and_wait_for_a_response": { + "runAfter": { + "Get_IP": ["Succeeded"] + }, + "type": "ApiConnectionWebhook", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['teams']['connectionId']" + } + }, + "body": { + "notificationUrl": "@{listCallbackUrl()}", + "body": { + "messageBody": "@{outputs('Create_body_for_adaptive_card')}", + "updateMessage": "Thanks for your response!", + "recipient": { + "groupId": "@variables('TeamsGroupId')", + "channelId": "@variables('TeamsChannelId')" + } + } + }, + "path": "/v1.0/teams/conversation/gatherinput/poster/Flow bot/location/@{encodeURIComponent('Channel')}/$subscriptions" + } + }, + "Set_variable_14": { + "runAfter": { + "Create_body_for_adaptive_card": ["Succeeded"] + }, + "type": "SetVariable", + "inputs": { + "name": "action_message", + "value": "\"\"" + } + }, + "Set_variable_15": { + "runAfter": { + "Set_variable_14": ["Succeeded"] + }, + "type": "SetVariable", + "inputs": { + "name": "severity_message", + "value": "\"\"" + } + }, + "Set_variable_16": { + "runAfter": { + "Set_variable_15": ["Succeeded"] + }, + "type": "SetVariable", + "inputs": { + "name": "status_message", 
+ "value": "\"\"" + } + }, + "Update_severity": { + "actions": { + "Switch": { + "cases": { + "high_severity": { + "case": "high", + "actions": { + "Set_variable_2": { + "runAfter": { + "Update_incident_high_severity": ["Succeeded"] + }, + "type": "SetVariable", + "inputs": { + "name": "severity_message", + "value": "Incident severity was changed to \"High\"." + } + }, + "Update_incident_high_severity": { + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" + } + }, + "method": "put", + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "severity": "High" + }, + "path": "/Incidents" + } + } + } + }, + "informational_severity": { + "case": "informational", + "actions": { + "Set_variable_4": { + "runAfter": { + "Update_incident_informational_severity": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "severity_message", + "value": "Incident severity was changed to \"Informational\"." + } + }, + "Update_incident_informational_severity": { + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" + } + }, + "method": "put", + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "severity": "Informational" + }, + "path": "/Incidents" + } + } + } + }, + "low_severity": { + "case": "low", + "actions": { + "Set_variable_5": { + "runAfter": { + "Update_incident_low_severity": ["Succeeded"] + }, + "type": "SetVariable", + "inputs": { + "name": "severity_message", + "value": "Incident severity was changed to \"Low\"." 
+ } + }, + "Update_incident_low_severity": { + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" + } + }, + "method": "put", + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "severity": "Low" + }, + "path": "/Incidents" + } + } + } + }, + "medium_severity": { + "case": "medium", + "actions": { + "Set_variable_6": { + "runAfter": { + "Update_incident_medium_severity": ["Succeeded"] + }, + "type": "SetVariable", + "inputs": { + "name": "severity_message", + "value": "Incident severity was changed to \"Medium\"." + } + }, + "Update_incident_medium_severity": { + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" + } + }, + "method": "put", + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "severity": "Medium" + }, + "path": "/Incidents" + } + } + } + } + }, + "default": { + "actions": {} + }, + "expression": "@body('Post_adaptive_card_and_wait_for_a_response')['data']['severity_choices']", + "type": "Switch" + } + }, + "runAfter": { + "Add_IP_to_destination_list": ["Succeeded"] + }, + "else": { + "actions": {} + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@body('Post_adaptive_card_and_wait_for_a_response')?['data']", + "@null" + ] + } + }, + { + "contains": [ + "@body('Post_adaptive_card_and_wait_for_a_response')?['data']", + "severity_choices" + ] + } + ] + }, + "type": "If" + }, + "Update_status": { + "actions": { + "Switch_2": { + "cases": { + "Case": { + "case": "new", + "actions": { + "Set_variable_7": { + "runAfter": { + "Update_incident": ["Succeeded"] + }, + "type": "SetVariable", + "inputs": { + "name": "status_message", + "value": "Incident status was changed to \"New\"." 
+ } + }, + "Update_incident": { + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" + } + }, + "method": "put", + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "status": "New" + }, + "path": "/Incidents" + } + } + } + }, + "Case_2": { + "case": "active", + "actions": { + "Set_variable_8": { + "runAfter": { + "Update_incident_2": ["Succeeded"] + }, + "type": "SetVariable", + "inputs": { + "name": "status_message", + "value": "Incident status was changed to \"Active\"." + } + }, + "Update_incident_2": { + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" + } + }, + "method": "put", + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "status": "Active" + }, + "path": "/Incidents" + } + } + } + }, + "Case_3": { + "case": "close_tp", + "actions": { + "Set_variable_9": { + "runAfter": { + "Update_incident_3": ["Succeeded"] + }, + "type": "SetVariable", + "inputs": { + "name": "status_message", + "value": "Incident status was changed to \"Closed: True Positive - suspicious activity\"." + } + }, + "Update_incident_3": { + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" + } + }, + "method": "put", + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "status": "Closed", + "classification": { + "ClassificationAndReason": "TruePositive - SuspiciousActivity" + } + }, + "path": "/Incidents" + } + } + } + }, + "Case_4": { + "case": "close_bp", + "actions": { + "Set_variable_10": { + "runAfter": { + "Update_incident_4": ["Succeeded"] + }, + "type": "SetVariable", + "inputs": { + "name": "status_message", + "value": "Incident status was changed to \"Closed: Benign Positive - suspicious but expected\"." 
+ } + }, + "Update_incident_4": { + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" + } + }, + "method": "put", + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "status": "Closed", + "classification": { + "ClassificationAndReason": "BenignPositive - SuspiciousButExpected" + } + }, + "path": "/Incidents" + } + } + } + }, + "Case_5": { + "case": "close_fp_incorrect_logic", + "actions": { + "Set_variable_11": { + "runAfter": { + "Update_incident_5": ["Succeeded"] + }, + "type": "SetVariable", + "inputs": { + "name": "status_message", + "value": "Incident status was changed to \"Closed: False Positive - incorrect alert logic\"." + } + }, + "Update_incident_5": { + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" + } + }, + "method": "put", + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "status": "Closed", + "classification": { + "ClassificationAndReason": "FalsePositive - IncorrectAlertLogic" + } + }, + "path": "/Incidents" + } + } + } + }, + "Case_6": { + "case": "close_fp_inaccurate_data", + "actions": { + "Set_variable_12": { + "runAfter": { + "Update_incident_6": ["Succeeded"] + }, + "type": "SetVariable", + "inputs": { + "name": "status_message", + "value": "Incident status was changed to \"Closed: False Positive - inaccurate data\"." 
+ } + }, + "Update_incident_6": { + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" + } + }, + "method": "put", + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "status": "Closed", + "classification": { + "ClassificationAndReason": "FalsePositive - InaccurateData" + } + }, + "path": "/Incidents" + } + } + } + }, + "Case_7": { + "case": "close_undetermined", + "actions": { + "Set_variable_13": { + "runAfter": { + "Update_incident_7": ["Succeeded"] + }, + "type": "SetVariable", + "inputs": { + "name": "status_message", + "value": "Incident status was changed to \"Closed: Undetermined\"." + } + }, + "Update_incident_7": { + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" + } + }, + "method": "put", + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "status": "Closed", + "classification": { + "ClassificationAndReason": "Undetermined" + } + }, + "path": "/Incidents" + } + } + } + } + }, + "default": { + "actions": {} + }, + "expression": "@body('Post_adaptive_card_and_wait_for_a_response')['data']['status_choices']", + "type": "Switch" + } + }, + "runAfter": { + "Update_severity": ["Succeeded"] + }, + "else": { + "actions": {} + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@body('Post_adaptive_card_and_wait_for_a_response')?['data']", + "@null" + ] + } + }, + { + "contains": [ + "@body('Post_adaptive_card_and_wait_for_a_response')?['data']", + "status_choices" + ] + } + ] + }, + "type": "If" + }, + "Get_IP": { + "runAfter": { + "Set_variable_16": ["Succeeded"] + }, + "type": "Compose", + "inputs": "@item()['address']" + } + }, + "runAfter": { + "Entities_-_Get_IPs": ["Succeeded"] + }, + "type": "Foreach" + }, + "Get_list_of_destinations_lists_for_Teams_adaptive_card": { + "runAfter": { + 
"Parse_JSON_-_Parse_destination_lists": ["Succeeded"] + }, + "type": "Select", + "inputs": { + "from": "@body('Parse_JSON_-_Parse_destination_lists')?['data']", + "select": { + "title": "@item()['name']", + "value": "@item()['id']" + } + } + }, + "Initialize_variable_TeamsChannelId": { + "runAfter": { + "Initialize_variable_TeamsGroupId": ["Succeeded"] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "TeamsChannelId", + "type": "string", + "value": "[parameters('TeamsChannelId')]" + } + ] + } + }, + "Initialize_variable_TeamsGroupId": { + "runAfter": {}, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "TeamsGroupId", + "type": "string", + "value": "[parameters('TeamsGroupId')]" + } + ] + } + }, + "Initialize_variable_action_message": { + "runAfter": { + "Initialize_variable_TeamsChannelId": ["Succeeded"] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "action_message", + "type": "string" + } + ] + } + }, + "Initialize_variable_dest_lists_array": { + "runAfter": { + "Get_list_of_destinations_lists_for_Teams_adaptive_card": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "dest_lists_array", + "type": "array", + "value": "@body('Get_list_of_destinations_lists_for_Teams_adaptive_card')" + } + ] + } + }, + "Initialize_variable_severity_message": { + "runAfter": { + "Initialize_variable_action_message": ["Succeeded"] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "severity_message", + "type": "string" + } + ] + } + }, + "Initialize_variable_status_message": { + "runAfter": { + "Initialize_variable_severity_message": ["Succeeded"] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "status_message", + "type": "string" + } + ] + } + }, + "Get_Client_Id": { + "runAfter": { + "Initialize_variable_status_message": ["Succeeded"] + }, + "type": "ApiConnection", + 
"inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['keyvault']['connectionId']" + } + }, + "method": "get", + "path": "/secrets/@{encodeURIComponent(parameters('Umbrella API ClientId Key Name'))}/value" + }, + "runtimeConfiguration": { + "secureData": { + "properties": ["inputs", "outputs"] + } + } + }, + "Get_Secret": { + "runAfter": { + "Get_Client_Id": ["Succeeded"] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['keyvault']['connectionId']" + } + }, + "method": "get", + "path": "/secrets/@{encodeURIComponent(parameters('Umbrella API Secret Key Name'))}/value" + }, + "runtimeConfiguration": { + "secureData": { + "properties": ["inputs", "outputs"] + } + } + }, + "HTTP_-_Generate_Login_Token": { + "runAfter": { + "Get_Secret": ["Succeeded"] + }, + "type": "Http", + "inputs": { + "uri": "https://@{parameters('Host End Point')}/auth/v2/token", + "method": "POST", + "headers": { + "Content-Type": "application/x-www-form-urlencoded" + }, + "authentication": { + "type": "Basic", + "username": "@{body('Get_Client_Id')?['value']}", + "password": "@{body('Get_Secret')?['value']}" + } + }, + "runtimeConfiguration": { + "contentTransfer": { + "transferMode": "Chunked" + }, + "secureData": { + "properties": ["inputs", "outputs"] + } + } + }, + "Parse_JSON_-_Parse_Login_Response": { + "runAfter": { + "HTTP_-_Generate_Login_Token": ["Succeeded"] + }, + "type": "ParseJson", + "inputs": { + "content": "@body('HTTP_-_Generate_Login_Token')", + "schema": { + "type": "object", + "properties": { + "token_type": { + "type": "string" + }, + "access_token": { + "type": "string" + }, + "expires_in": { + "type": "integer" + } + } + } + } + }, + "HTTP_-_Retrieve_all_destination_lists": { + "runAfter": { + "Parse_JSON_-_Parse_Login_Response": ["Succeeded"] + }, + "type": "Http", + "inputs": { + "uri": "https://@{parameters('Host End Point')}/policies/v2/destinationlists", + "method": "GET", + 
"headers": { + "Content-Type": "application-json", + "Authorization": "Bearer @{body('Parse_JSON_-_Parse_Login_Response')?['access_token']}" + } + }, + "runtimeConfiguration": { + "contentTransfer": { + "transferMode": "Chunked" + } + } + }, + "Parse_JSON_-_Parse_destination_lists": { + "runAfter": { + "HTTP_-_Retrieve_all_destination_lists": ["Succeeded"] + }, + "type": "ParseJson", + "inputs": { + "content": "@body('HTTP_-_Retrieve_all_destination_lists')", + "schema": { + "type": "object", + "properties": { + "status": { + "type": "object", + "properties": { + "code": { + "type": "integer" + }, + "text": { + "type": "string" + } + } + }, + "meta": { + "type": "object", + "properties": { + "page": { + "type": "integer" + }, + "limit": { + "type": "integer" + }, + "total": { + "type": "integer" + } + } + }, + "data": { + "type": "array", + "items": { + "type": "object", + "properties": { + "id": { + "type": "integer" + }, + "organizationId": { + "type": "integer" + }, + "access": { + "type": "string" + }, + "isGlobal": { + "type": "boolean" + }, + "name": { + "type": "string" + }, + "thirdpartyCategoryId": {}, + "createdAt": { + "type": "integer" + }, + "modifiedAt": { + "type": "integer" + }, + "isMspDefault": { + "type": "boolean" + }, + "markedForDeletion": { + "type": "boolean" + }, + "bundleTypeId": { + "type": "integer" + }, + "meta": { + "type": "object", + "properties": { + "domainCount": { + "type": "integer" + }, + "urlCount": { + "type": "integer" + }, + "ipv4Count": { + "type": "integer" + }, + "applicationCount": { + "type": "integer" + }, + "destinationCount": { + "type": "integer" + } + } + } + }, + "required": [ + "id", + "organizationId", + "access", + "isGlobal", + "name", + "thirdpartyCategoryId", + "createdAt", + "modifiedAt", + "isMspDefault", + "markedForDeletion", + "bundleTypeId", + "meta" + ] + } + } + } + } + } + }, + "Entities_-_Get_IPs": { + "runAfter": { + "Append_to_array_variable": ["Succeeded"] + }, + "type": "ApiConnection", + 
"inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" + } + }, + "method": "post", + "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", + "path": "/entities/ip" + } + } + }, + "outputs": {} + }, + "parameters": { + "$connections": { + "value": { + "microsoftsentinel": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "connectionName": "[variables('MicrosoftSentinelConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + }, + "teams": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('TeamsConnectionName'))]", + "connectionName": "[variables('TeamsConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/teams')]" + }, + "keyvault": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('KeyvaultConnectionName'))]", + "connectionName": "[variables('KeyvaultConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/keyvault')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + } + } + } + } + }, + "name": "[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[resourceGroup().location]", + "identity": { + "type": "SystemAssigned" + }, + "tags": { + "hidden-SentinelTemplateName": "CiscoUmbrella-AddIpToDestinationList", + "hidden-SentinelTemplateVersion": "1.0" + }, + "apiVersion": "2017-07-01", + "dependsOn": [ + "[resourceId('Microsoft.Web/connections', 
variables('MicrosoftSentinelConnectionName'))]", + "[resourceId('Microsoft.Web/connections', variables('TeamsConnectionName'))]", + "[resourceId('Microsoft.Web/connections', variables('KeyvaultConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('MicrosoftSentinelConnectionName')]", + "location": "[resourceGroup().location]", + "kind": "V1", + "properties": { + "displayName": "[variables('MicrosoftSentinelConnectionName')]", + "customParameterValues": {}, + "parameterValueType": "Alternative", + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('TeamsConnectionName')]", + "location": "[resourceGroup().location]", + "kind": "V1", + "properties": { + "displayName": "[variables('TeamsConnectionName')]", + "customParameterValues": {}, + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/teams')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('KeyvaultConnectionName')]", + "location": "[resourceGroup().location]", + "kind": "V1", + "properties": { + "displayName": "[variables('KeyvaultConnectionName')]", + "customParameterValues": {}, + "parameterValueType": "Alternative", + "alternativeParameterValues": { + "vaultName": "[parameters('keyvault name')]" + }, + "nonSecretParameterValues": { + "vaultName": "[parameters('keyvault name')]" + }, + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/keyvault')]" + } + } + } + ] +} \ No newline at end of file 
diff --git a/Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaPlaybooks/CiscoUmbrella-AddIpToDestinationList/readme.md b/Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaPlaybooks/CiscoUmbrella-AddIpToDestinationList/readme.md new file mode 100644 index 00000000000..7e8aec9b12b --- /dev/null +++ b/Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaPlaybooks/CiscoUmbrella-AddIpToDestinationList/readme.md @@ -0,0 +1,81 @@ +# CiscoUmbrella-AddIpToDestinationList + +## Summary + +When a new sentinel incident is created, this playbook gets triggered and performs the following actions: + +
+ +1. Sends an adaptive card to the Teams channel where the analyst can choose an action to be taken. + +
+ +2. Adds an IP to the destination list chosen in the adaptive card. +3. Changes incident status and severity depending on the action chosen in the adaptive card. +4. Adds comment to the incident with information about the actions taken. + +
+ +### Prerequisites + +1. Login to Cisco Umbrella dashboard and navigating to Admin-->API Keys. Create New API Key if not already created and select the appropriate "Key Scope" with Read/Write permission. Store "Api Key" and "Key Secret" to a safe place. This "Api Key" is a "Client Id" and "Key Secret" is a "Secret" used for this Playbook. +2. Store the "Api Key" and "Key Secret" from previous step to Key vault Secrets. +3. To send notification to Microsoft Teams, Teams group id and channel id is needed at the time of playbook creation. + +### Deployment instructions + +1. To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard. +2. Fill in the required parameters: + * Playbook Name: Enter the playbook name here + * Teams Group Id: Id of the Teams Group where the adaptive card will be posted + * Teams Channel Id: Id of the Teams Channel where the adaptive card will be posted + * Keyvault name: Name of the key vault where secrets are stored. + * Umbrella API Client Id Key Name: Name of the Secrets field from Keyvault where Cisco Umbrella "API Key" value is stored. + * Umbrella API Secret Key Name: Name of the Secrets field from Keyvault where Cisco Umbrella "Key Secret" value is stored. + * Host End Point: Default is "api.umbrella.com" and is used for any API call to Cisco Umbrella REST API's. 
+ +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FCiscoUmbrella%2FPlaybooksk%2FCiscoUmbrellaPlaybooks%2FCiscoUmbrella-AddIpToDestinationList%2Fazuredeploy.json) [![Deploy to Azure](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FCiscoUmbrella%2FPlaybooks%2FCiscoUmbrellaPlaybooks%2FCiscoUmbrella-AddIpToDestinationList%2Fazuredeploy.json) + +### Post-Deployment instructions + +#### a. Authorize connections + +Once deployment is complete, authorize each connection. + +1. Click the Microsoft Sentinel connection resource +2. Click edit API connection +3. Click Authorize +4. Sign in +5. Click Save +6. Repeat steps for other connections + +#### b. Configurations in Sentinel + +1. In Microsoft sentinel, analytical rules should be configured to trigger an incident with a malicious IP. In the *Entity mapping* section of the analytics rule creation workflow, malicious IP should be mapped to **Address** identifier of the **IP** entity type. Check the [documentation](https://docs.microsoft.com/azure/sentinel/map-data-fields-to-entities) to learn more about mapping entities. +2. Configure the automation rules to trigger the playbook. + +#### c. Assign Playbook Microsoft Sentinel Responder Role +1. Select the Playbook (Logic App) resource +2. Click on Identity Blade +3. Choose System assigned tab +4. Click on Azure role assignments +5. Click on Add role assignments +6. Select Scope - Resource group +7. Select Subscription - where Playbook has been created +8. Select Resource group - where Playbook has been created +9. Select Role - Microsoft Sentinel Responder +10. Click Save (It takes 3-5 minutes to show the added role.) + +#### d. 
Assign access policy on key vault for Playbook to fetch the secret key +1. Select the Key vault resource where you have stored the secret +2. Click on Access policies Blade +3. Click on Create +4. Under Secret permissions column , Select Get , List from "Secret Management Operations" +5. Click next to go to Principal tab and choose your deployed playbook name +6. Click Next leave application tab as it is . +7. Click Review and create +8. Click Create + +# References + - [Cisco Umbrella API Documentation](https://developer.cisco.com/docs/cloud-security/authentication/#authentication) + - [Rest API Request And Response Sample](https://developer.cisco.com/docs/cloud-security/destination-lists/#destination-lists) \ No newline at end of file diff --git a/Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaPlaybooks/CiscoUmbrella-AssignPolicyToIdentity/Images/commentOnIncident.png b/Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaPlaybooks/CiscoUmbrella-AssignPolicyToIdentity/Images/commentOnIncident.png new file mode 100644 index 00000000000..7701658e8a9 Binary files /dev/null and b/Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaPlaybooks/CiscoUmbrella-AssignPolicyToIdentity/Images/commentOnIncident.png differ diff --git a/Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaPlaybooks/CiscoUmbrella-AssignPolicyToIdentity/Images/orgIdAndPolicyId.png b/Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaPlaybooks/CiscoUmbrella-AssignPolicyToIdentity/Images/orgIdAndPolicyId.png new file mode 100644 index 00000000000..65f44ff77a4 Binary files /dev/null and b/Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaPlaybooks/CiscoUmbrella-AssignPolicyToIdentity/Images/orgIdAndPolicyId.png differ 
diff --git a/Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaPlaybooks/CiscoUmbrella-AssignPolicyToIdentity/Images/playbook_screenshot_new.png b/Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaPlaybooks/CiscoUmbrella-AssignPolicyToIdentity/Images/playbook_screenshot_new.png
new file mode 100644
index 00000000000..314e7999a90
Binary files /dev/null and b/Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaPlaybooks/CiscoUmbrella-AssignPolicyToIdentity/Images/playbook_screenshot_new.png differ
diff --git a/Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaPlaybooks/CiscoUmbrella-AssignPolicyToIdentity/azuredeploy.json b/Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaPlaybooks/CiscoUmbrella-AssignPolicyToIdentity/azuredeploy.json
new file mode 100644
index 00000000000..9652bb2f7ba
--- /dev/null
+++ b/Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaPlaybooks/CiscoUmbrella-AssignPolicyToIdentity/azuredeploy.json
@@ -0,0 +1,537 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "title": "CiscoUmbrella-AssignPolicyToIdentity",
+ "description": "This playbook provides an automated way to associate an identity to an existing policy in Cisco Umbrella. For more details, click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaPlaybooks/CiscoUmbrella-AssignPolicyToIdentity/readme.md#summary).",
+ "prerequisites": [
+ "1. Login to Cisco Umbrella dashboard and navigating to Admin-->API Keys. Create New API Key if not already created and select the appropriate 'Key Scope' with Read/Write permission. Store 'Api Key' and 'Key Secret' to a safe place. This 'Api Key' is a 'Client Id' and 'Key Secret' is a 'Secret' used for this Playbook.",
+ "2. Store the 'Api Key' and 'Key Secret' from previous step to Key vault Secrets.",
+ "3. To obtain the Organization ID and Policy ID, press F12 or right-click on the page and select 'Inspect' in your browser on the Cisco Umbrella dashboard page. Then, navigate to the 'Policies' section and click on the 'All Policies' tab. Now open the 'Network' tab and search with 'policy'. Open the 'Response' tab of the request to get the Policy ID and Organization ID. For more details click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaPlaybooks/CiscoUmbrella-AssignPolicyToIdentity/readme.md#Prerequisites)"
+ ],
+ "postDeployment": [
+ "For more details on Post Deployment Instructions, click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaPlaybooks/CiscoUmbrella-AssignPolicyToIdentity/readme.md#post-deployment-instructions)."
+ ], + "lastUpdateTime": "2024-12-18T10:00:00.000Z", + "entities": [], + "tags": [ + "Notification" + ], + "support": { + "tier": "Microsoft" + }, + "author": { + "name": "Microsoft" + } + }, + "parameters": { + "PlaybookName": { + "defaultValue": "CiscoUmbrella-AssignPolicyToIdentity", + "type": "string" + }, + "CiscoUmbrellaOrganizationId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Organization Id from Cisco Umbrella." + } + }, + "CiscoUmbrellaPolicyId": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Policy Id from Cisco Umbrella." + } + }, + "Keyvault name": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Enter the Key vault name where CiscoUmbrella Secrets are stored" + } + }, + "Umbrella API ClientId Key Name": { + "type": "string", + "metadata": { + "description": "Enter CiscoUmbrella ClientId Key Name from Key vault" + } + }, + "Umbrella API Secret Key Name": { + "type": "securestring", + "metadata": { + "description": "Enter CiscoUmbrella Secret Key Name from Key vault" + } + }, + "Host End Point": { + "type": "string", + "defaultValue": "api.umbrella.com", + "metadata": { + "description": "Enter Host End Point(hostname) without http:// or https://" + } + } + }, + "variables": { + "MicrosoftSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]", + "KeyvaultConnectionName": "[concat('Keyvault-', parameters('PlaybookName'))]" + }, + "resources": [ + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "defaultValue": {}, + "type": "Object" + }, + "Umbrella API ClientId Key Name": { + "type": "string", + "defaultValue": "[parameters('Umbrella API ClientId Key Name')]" + }, + "Umbrella API Secret Key Name": 
{ + "type": "securestring", + "defaultValue": "[parameters('Umbrella API Secret Key Name')]" + }, + "Host End Point": { + "type": "string", + "defaultValue": "[parameters('Host End Point')]" + } + }, + "triggers": { + "When_Azure_Sentinel_incident_creation_rule_was_triggered": { + "type": "ApiConnectionWebhook", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" + } + }, + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "path": "/incident-creation" + } + } + }, + "actions": { + "Add_comment_to_incident_(V3)": { + "runAfter": { + "Create_logo": ["Succeeded"] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" + } + }, + "method": "post", + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

@{outputs('Create_logo')} CiscoUmbrella-AssignPolicyToIdentity
\nThe following origin ids were assigned to policy @{variables('policyId')} for organization @{variables('organizationId')}:
\n@{body('Create_HTML_table_with_updated_origin_IDs')}
\nThe following origin ids were not assigned because of errors:
\n@{body('Create_HTML_table_with_not_updated_origin_IDs')}

" + }, + "path": "/Incidents/Comment" + } + }, + "Create_HTML_table_with_not_updated_origin_IDs": { + "runAfter": { + "Create_HTML_table_with_updated_origin_IDs": ["Succeeded"] + }, + "type": "Table", + "inputs": { + "from": "@variables('not_updated_oridinIds_array')", + "format": "HTML", + "columns": [ + { + "header": "originId", + "value": "@item()" + } + ] + } + }, + "Create_HTML_table_with_updated_origin_IDs": { + "runAfter": { + "For_each_originId_assign_policy_to_originId": [ + "Succeeded", + "Failed", + "Skipped", + "TimedOut" + ] + }, + "type": "Table", + "inputs": { + "from": "@variables('updated_oridinIds_array')", + "format": "HTML", + "columns": [ + { + "header": "originId", + "value": "@item()" + } + ] + } + }, + "Create_logo": { + "runAfter": { + "Create_HTML_table_with_not_updated_origin_IDs": ["Succeeded"] + }, + "type": "Compose", + "inputs": "" + }, + "For_each_alert_in_incident": { + "foreach": "@triggerBody()?['object']?['properties']?['Alerts']", + "actions": { + "For_each_originId": { + "foreach": "@body('Parse_alert_custom_details')?['originId']", + "actions": { + "Add_unique_originId_to_OriginId_array": { + "actions": { + "Append_to_array_variable": { + "type": "AppendToArrayVariable", + "inputs": { + "name": "originId_array", + "value": "@items('For_each_originId')" + } + } + }, + "else": { + "actions": {} + }, + "expression": { + "and": [ + { + "not": { + "contains": [ + "@variables('originId_array')", + "@items('For_each_originId')" + ] + } + } + ] + }, + "type": "If" + } + }, + "runAfter": { + "Parse_alert_custom_details": ["Succeeded"] + }, + "type": "Foreach" + }, + "Parse_alert_custom_details": { + "type": "ParseJson", + "inputs": { + "content": "@items('For_each_alert_in_incident')?['properties']?['additionalData']?['Custom Details']", + "schema": { + "properties": { + "originId": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + } + } + } + }, + "runAfter": { + 
"Parse_JSON_-_Parse_Login_Response": ["Succeeded"] + }, + "type": "Foreach" + }, + "For_each_originId_assign_policy_to_originId": { + "foreach": "@variables('originId_array')", + "actions": { + "Append_originId_to_not_updated_originIds_array_variable_in_case_of_error": { + "runAfter": { + "HTTP_-_Assign_a_policy_to_an_identity": [ + "Failed", + "TimedOut" + ] + }, + "type": "AppendToArrayVariable", + "inputs": { + "name": "not_updated_oridinIds_array", + "value": "@items('For_each_originId_assign_policy_to_originId')" + } + }, + "Append_originId_to_updated_originIds_array_variable": { + "runAfter": { + "Append_originId_to_not_updated_originIds_array_variable_in_case_of_error": [ + "Skipped" + ] + }, + "type": "AppendToArrayVariable", + "inputs": { + "name": "updated_oridinIds_array", + "value": "@items('For_each_originId_assign_policy_to_originId')" + } + }, + "HTTP_-_Assign_a_policy_to_an_identity": { + "type": "Http", + "inputs": { + "uri": "https://@{parameters('Host End Point')}/deployments/v2/policies/@{encodeURIComponent(variables('policyId'))}/identities/@{encodeURIComponent(items('For_each_originId_assign_policy_to_originId'))}", + "method": "PUT", + "headers": { + "Content-Type": "application-json", + "Authorization": "Bearer @{body('Parse_JSON_-_Parse_Login_Response')?['access_token']}" + } + }, + "runtimeConfiguration": { + "contentTransfer": { + "transferMode": "Chunked" + } + } + } + }, + "runAfter": { + "For_each_alert_in_incident": ["Succeeded"] + }, + "type": "Foreach" + }, + "Initialize_variable_not_updated_oridinIds_array": { + "runAfter": { + "Initialize_variable_updated_oridinIds_array": ["Succeeded"] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "not_updated_oridinIds_array", + "type": "array" + } + ] + } + }, + "Initialize_variable_organizationId": { + "runAfter": {}, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "organizationId", + "type": "string", + "value": 
"[parameters('CiscoUmbrellaOrganizationId')]" + } + ] + } + }, + "Initialize_variable_originId_array": { + "runAfter": { + "Initialize_variable_policyId": ["Succeeded"] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "originId_array", + "type": "array" + } + ] + } + }, + "Initialize_variable_policyId": { + "runAfter": { + "Initialize_variable_organizationId": ["Succeeded"] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "policyId", + "type": "string", + "value": "[parameters('CiscoUmbrellaPolicyId')]" + } + ] + } + }, + "Initialize_variable_updated_oridinIds_array": { + "runAfter": { + "Initialize_variable_originId_array": ["Succeeded"] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "updated_oridinIds_array", + "type": "array" + } + ] + } + }, + "Get_Client_Id": { + "runAfter": { + "Initialize_variable_not_updated_oridinIds_array": ["Succeeded"] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['keyvault']['connectionId']" + } + }, + "method": "get", + "path": "/secrets/@{encodeURIComponent(parameters('Umbrella API ClientId Key Name'))}/value" + }, + "runtimeConfiguration": { + "secureData": { + "properties": ["inputs", "outputs"] + } + } + }, + "Get_Secret": { + "runAfter": { + "Get_Client_Id": ["Succeeded"] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['keyvault']['connectionId']" + } + }, + "method": "get", + "path": "/secrets/@{encodeURIComponent(parameters('Umbrella API Secret Key Name'))}/value" + }, + "runtimeConfiguration": { + "secureData": { + "properties": ["inputs", "outputs"] + } + } + }, + "HTTP_-_Generate_Login_Token": { + "runAfter": { + "Get_Secret": ["Succeeded"] + }, + "type": "Http", + "inputs": { + "uri": "https://@{parameters('Host End Point')}/auth/v2/token", + "method": "POST", + "headers": { + 
"Content-Type": "application/x-www-form-urlencoded" + }, + "authentication": { + "type": "Basic", + "username": "@{body('Get_Client_Id')?['value']}", + "password": "@{body('Get_Secret')?['value']}" + } + }, + "runtimeConfiguration": { + "contentTransfer": { + "transferMode": "Chunked" + }, + "secureData": { + "properties": ["inputs", "outputs"] + } + } + }, + "Parse_JSON_-_Parse_Login_Response": { + "runAfter": { + "HTTP_-_Generate_Login_Token": ["Succeeded"] + }, + "type": "ParseJson", + "inputs": { + "content": "@body('HTTP_-_Generate_Login_Token')", + "schema": { + "type": "object", + "properties": { + "token_type": { + "type": "string" + }, + "access_token": { + "type": "string" + }, + "expires_in": { + "type": "integer" + } + } + } + } + } + }, + "outputs": {} + }, + "parameters": { + "$connections": { + "value": { + "microsoftsentinel": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "connectionName": "[variables('MicrosoftSentinelConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + }, + "keyvault": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('KeyvaultConnectionName'))]", + "connectionName": "[variables('KeyvaultConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/keyvault')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + } + } + } + } + }, + "name": "[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[resourceGroup().location]", + "identity": { + "type": "SystemAssigned" + }, + "tags": { + "hidden-SentinelTemplateName": 
"CiscoUmbrella-AssignPolicyToIdentity", + "hidden-SentinelTemplateVersion": "1.0" + }, + "apiVersion": "2017-07-01", + "dependsOn": [ + "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "[resourceId('Microsoft.Web/connections', variables('KeyvaultConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('MicrosoftSentinelConnectionName')]", + "location": "[resourceGroup().location]", + "kind": "V1", + "properties": { + "displayName": "[variables('MicrosoftSentinelConnectionName')]", + "customParameterValues": {}, + "parameterValueType": "Alternative", + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('KeyvaultConnectionName')]", + "location": "[resourceGroup().location]", + "kind": "V1", + "properties": { + "displayName": "[variables('KeyvaultConnectionName')]", + "customParameterValues": {}, + "parameterValueType": "Alternative", + "alternativeParameterValues": { + "vaultName": "[parameters('keyvault name')]" + }, + "nonSecretParameterValues": { + "vaultName": "[parameters('keyvault name')]" + }, + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/keyvault')]" + } + } + } + ] +} \ No newline at end of file diff --git a/Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaPlaybooks/CiscoUmbrella-AssignPolicyToIdentity/readme.md b/Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaPlaybooks/CiscoUmbrella-AssignPolicyToIdentity/readme.md new file mode 100644 index 00000000000..d8bd2b9fe22 --- /dev/null +++ b/Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaPlaybooks/CiscoUmbrella-AssignPolicyToIdentity/readme.md 
@@ -0,0 +1,80 @@ +# CiscoUmbrella-AssignPolicyToIdentity + +## Summary + +When a new sentinel incident is created, this playbook gets triggered and performs the following actions + +
+ +1. Assigns a new DNS or web policy (*PolicyId* is provided on the playbook deployment step) to an identity (*originId* of the identity provided in the alert custom entities). +2. Adds comment to the incident with information about the assigned policies. + +
+ +### Prerequisites + +1. Login to Cisco Umbrella dashboard and navigating to Admin-->API Keys. Create New API Key if not already created and select the appropriate "Key Scope" with Read/Write permission. Store "Api Key" and "Key Secret" to a safe place. This "Api Key" is a "Client Id" and "Key Secret" is a "Secret" used for this Playbook. +2. Store the "Api Key" and "Key Secret" from previous step to Key vault Secrets. +3. To obtain the Organization ID and Policy ID, press F12 or right-click on the page and select 'Inspect' in your browser on the Cisco Umbrella dashboard page. Then, navigate to the 'Policies' section and click on the 'All Policies' tab. Now open the 'Network' tab and search with 'policy'. Open the 'Response' tab of the request to get the Policy ID and Organization ID as shown in the screenshot below. + + > **NOTE:** The **ID** and **OrganizationID** values in the screenshot below are for illustration purposes only and are not intended for actual use. + +
+ +### Deployment instructions + +1. To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard. +2. Fill in the required parameters: + * Playbook Name: Enter the playbook name here. + * Cisco Umbrella Organization Id: Organization id in Cisco Umbrella. + * Cisco Umbrella Policy Id: ID of the DNS or web policy to act upon. + * Keyvault name: Name of the key vault where secrets are stored. + * Umbrella API Client Id Key Name: Name of the Secrets field from Keyvault where Cisco Umbrella "API Key" value is stored. + * Umbrella API Secret Key Name: Name of the Secrets field from Keyvault where Cisco Umbrella "Key Secret" value is stored. + * Host End Point: Default is "api.umbrella.com" and is used for any API call to Cisco Umbrella REST API's. + +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FCiscoUmbrella%2FPlaybooksk%2FCiscoUmbrellaPlaybooks%2FCiscoUmbrella-AssignPolicyToIdentity%2Fazuredeploy.json) [![Deploy to Azure](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FCiscoUmbrella%2FPlaybooks%2FCiscoUmbrellaPlaybooks%2FCiscoUmbrella-AssignPolicyToIdentity%2Fazuredeploy.json) + +### Post-Deployment instructions + +#### a. Authorize connections + +Once deployment is complete, authorize each connection. + +1. Click the Microsoft Sentinel connection resource +2. Click edit API connection +3. Click Authorize +4. Sign in +5. Click Save +6. Repeat steps for Cisco Umbrella Network Device Management connector API Connection. Provide your key and the secret for authorizing. + +#### b. Configurations in Sentinel + +1. In Microsoft sentinel, analytical rules should be configured to trigger an incident. 
An incident should have the *originId* custom entity. OriginId is an Umbrella-wide unique identifier for this traffic source (origin). It can be obtained from the corresponding field in Cisco Umbrella logs. Check the [documentation](https://docs.microsoft.com/azure/sentinel/surface-custom-details-in-alerts) to learn more about adding custom entities to incidents. +2. Configure the automation rules to trigger the playbook. + +#### c. Assign Playbook Microsoft Sentinel Responder Role +1. Select the Playbook (Logic App) resource +2. Click on Identity Blade +3. Choose System assigned tab +4. Click on Azure role assignments +5. Click on Add role assignments +6. Select Scope - Resource group +7. Select Subscription - where Playbook has been created +8. Select Resource group - where Playbook has been created +9. Select Role - Microsoft Sentinel Responder +10. Click Save (It takes 3-5 minutes to show the added role.) + +#### d. Assign access policy on key vault for Playbook to fetch the secret key +1. Select the Key vault resource where you have stored the secret +2. Click on Access policies Blade +3. Click on Create +4. Under Secret permissions column , Select Get , List from "Secret Management Operations" +5. Click next to go to Principal tab and choose your deployed playbook name +6. Click Next leave application tab as it is . +7. Click Review and create +8. Click Create + +# References + - [Cisco Umbrella API Documentation](https://developer.cisco.com/docs/cloud-security/authentication/#authentication) + - [Rest API Request And Response Sample](https://developer.cisco.com/docs/cloud-security/policies/#add-identity-to-policy) \ No newline at end of file 
diff --git a/Solutions/CiscoUmbrella/Playbooks/Playbooks/CiscoUmbrella-BlockDomain/playbook_screenshot.png b/Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaPlaybooks/CiscoUmbrella-BlockDomain/Images/playbook_screenshot.png similarity index 100% rename from Solutions/CiscoUmbrella/Playbooks/Playbooks/CiscoUmbrella-BlockDomain/playbook_screenshot.png rename to Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaPlaybooks/CiscoUmbrella-BlockDomain/Images/playbook_screenshot.png diff --git a/Solutions/CiscoUmbrella/Playbooks/Playbooks/CiscoUmbrella-BlockDomain/azuredeploy.json b/Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaPlaybooks/CiscoUmbrella-BlockDomain/azuredeploy.json similarity index 100% rename from Solutions/CiscoUmbrella/Playbooks/Playbooks/CiscoUmbrella-BlockDomain/azuredeploy.json rename to Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaPlaybooks/CiscoUmbrella-BlockDomain/azuredeploy.json diff --git a/Solutions/CiscoUmbrella/Playbooks/Playbooks/CiscoUmbrella-BlockDomain/readme.md b/Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaPlaybooks/CiscoUmbrella-BlockDomain/readme.md similarity index 90% rename from Solutions/CiscoUmbrella/Playbooks/Playbooks/CiscoUmbrella-BlockDomain/readme.md rename to Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaPlaybooks/CiscoUmbrella-BlockDomain/readme.md index fd24ee321bd..0fe96e72746 100644 --- a/Solutions/CiscoUmbrella/Playbooks/Playbooks/CiscoUmbrella-BlockDomain/readme.md +++ b/Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaPlaybooks/CiscoUmbrella-BlockDomain/readme.md 
@@ -18,7 +18,7 @@ When a new sentinel incident is created, this playbook gets triggered and perfor ### Deployment instructions 1. To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard. -2. Fill in the required paramteres: +2. Fill in the required parameters: * Playbook Name: Enter the playbook name here [![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FCiscoUmbrella%2FPlaybooksk%2FPlaybooks%2FCiscoUmbrella-BlockDomain%2Fazuredeploy.json) [![Deploy to Azure](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FCiscoUmbrella%2FPlaybooks%2FPlaybooks%2FCiscoUmbrella-BlockDomain%2Fazuredeploy.json) @@ -38,5 +38,5 @@ Once deployment is complete, authorize each connection. #### b. Configurations in Sentinel -1. In Microsoft sentinel, analytical rules should be configured to trigger an incident with a malicious URL. In the *Entity maping* section of the analytics rule creation workflow, malicious URL should be mapped to **Url** identitfier of the **URL** entity type. Check the [documentation](https://docs.microsoft.com/azure/sentinel/map-data-fields-to-entities) to learn more about mapping entities. +1. In Microsoft sentinel, analytical rules should be configured to trigger an incident with a malicious URL. In the *Entity mapping* section of the analytics rule creation workflow, malicious URL should be mapped to **Url** identifier of the **URL** entity type. Check the [documentation](https://docs.microsoft.com/azure/sentinel/map-data-fields-to-entities) to learn more about mapping entities. 2. Configure the automation rules to trigger the playbook. 
diff --git a/Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaPlaybooks/CiscoUmbrella-GetDomainInfo/Images/playbook_screenshot1.png b/Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaPlaybooks/CiscoUmbrella-GetDomainInfo/Images/playbook_screenshot1.png new file mode 100644 index 00000000000..c27a4e7b660 Binary files /dev/null and b/Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaPlaybooks/CiscoUmbrella-GetDomainInfo/Images/playbook_screenshot1.png differ diff --git a/Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaPlaybooks/CiscoUmbrella-GetDomainInfo/Images/playbook_screenshot2.png b/Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaPlaybooks/CiscoUmbrella-GetDomainInfo/Images/playbook_screenshot2.png new file mode 100644 index 00000000000..ab937b29067 Binary files /dev/null and b/Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaPlaybooks/CiscoUmbrella-GetDomainInfo/Images/playbook_screenshot2.png differ diff --git a/Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaPlaybooks/CiscoUmbrella-GetDomainInfo/Images/playbook_screenshot3.png b/Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaPlaybooks/CiscoUmbrella-GetDomainInfo/Images/playbook_screenshot3.png new file mode 100644 index 00000000000..faf33cc67e7 Binary files /dev/null and b/Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaPlaybooks/CiscoUmbrella-GetDomainInfo/Images/playbook_screenshot3.png differ diff --git a/Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaPlaybooks/CiscoUmbrella-GetDomainInfo/Images/playbook_screenshot_new.png b/Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaPlaybooks/CiscoUmbrella-GetDomainInfo/Images/playbook_screenshot_new.png new file mode 100644 index 00000000000..bc3fad751bf Binary files /dev/null and b/Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaPlaybooks/CiscoUmbrella-GetDomainInfo/Images/playbook_screenshot_new.png differ 
diff --git a/Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaPlaybooks/CiscoUmbrella-GetDomainInfo/azuredeploy.json b/Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaPlaybooks/CiscoUmbrella-GetDomainInfo/azuredeploy.json new file mode 100644 index 00000000000..b10b63550af --- /dev/null +++ b/Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaPlaybooks/CiscoUmbrella-GetDomainInfo/azuredeploy.json 
@@ -0,0 +1,449 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "title": "CiscoUmbrella-GetDomainInfo", + "description": "This playbook is used to get Security Information about a particular domain. It provides details such as security scores, reputation and other security-related metadata that can help assess if the domain is associated with malicious activity, phishing attempts, or other threats. This playbook also helps to assess the risk associated with a domain name and return a risk score that helps determine if the domain is considered suspicious or potentially malicious. This details are added to incident as a comment. For more details, click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaPlaybooks/CiscoUmbrella-GetDomainInfo/readme.md#summary).", + "prerequisites": [ + "1. Login to Cisco Umbrella dashboard and navigating to Admin-->API Keys. Create New API Key if not already created and select the appropriate 'Key Scope' with Read/Write permission. Store 'Api Key' and 'Key Secret' to a safe place. This 'Api Key' is a 'Client Id' and 'Key Secret' is a 'Secret' used for this Playbook.", + "2. Store the 'Api Key' and 'Key Secret' from previous step to Key vault Secrets." + ], + "postDeployment": [ + "For more details on Post Deployment Instructions, click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaPlaybooks/CiscoUmbrella-GetDomainInfo/readme.md#post-deployment-instructions)." 
+ ], + "lastUpdateTime": "2024-12-20T10:00:00.000Z", + "entities": [ + "URL" + ], + "tags": [ + "Notification" + ], + "support": { + "tier": "Microsoft" + }, + "author": { + "name": "Microsoft" + } + }, + "parameters": { + "PlaybookName": { + "defaultValue": "CiscoUmbrella-GetDomainInfo", + "type": "string" + }, + "Keyvault name": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Enter the Key vault name where CiscoUmbrella Secrets are stored" + } + }, + "Umbrella API ClientId Key Name": { + "type": "string", + "metadata": { + "description": "Enter CiscoUmbrella ClientId Key Name from Key vault" + } + }, + "Umbrella API Secret Key Name": { + "type": "securestring", + "metadata": { + "description": "Enter CiscoUmbrella Secret Key Name from Key vault" + } + }, + "Host End Point": { + "type": "string", + "defaultValue": "api.umbrella.com", + "metadata": { + "description": "Enter Host End Point(hostname) without http:// or https://" + } + } + }, + "variables": { + "MicrosoftSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]", + "KeyvaultConnectionName": "[concat('Keyvault-', parameters('PlaybookName'))]" + }, + "resources": [ + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "defaultValue": {}, + "type": "Object" + }, + "Umbrella API ClientId Key Name": { + "type": "string", + "defaultValue": "[parameters('Umbrella API ClientId Key Name')]" + }, + "Umbrella API Secret Key Name": { + "type": "securestring", + "defaultValue": "[parameters('Umbrella API Secret Key Name')]" + }, + "Host End Point": { + "type": "string", + "defaultValue": "[parameters('Host End Point')]" + } + }, + "triggers": { + "When_Azure_Sentinel_incident_creation_rule_was_triggered": { + "type": 
"ApiConnectionWebhook", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" + } + }, + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "path": "/incident-creation" + } + } + }, + "actions": { + "Entities_-_Get_URLs": { + "runAfter": {}, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" + } + }, + "method": "post", + "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", + "path": "/entities/url" + } + }, + "For_each_URL": { + "foreach": "@body('Entities_-_Get_URLs')?['URLs']", + "actions": { + "Add_comment_to_incident_(V3)": { + "runAfter": { + "Create_HTML_table_with_security_indicators": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" + } + }, + "method": "post", + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

@{outputs('Get_logo')} CiscoUmbrella-GetDomainInfo
Risk score for domain @{outputs('Get_domain_from_URL')} is @{body('HTTP_-_Get_Risk_score_for_a_domain')?['risk_score']}.
Risk score indicators:
@{body('Create_HTML_table_with_security_indicators')}


" + }, + "path": "/Incidents/Comment" + } + }, + "Add_comment_to_incident_(V3)_2": { + "runAfter": { + "Add_comment_to_incident_(V3)": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" + } + }, + "method": "post", + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

@{outputs('Get_logo')} CiscoUmbrella-GetDomainInfo
Security data for @{outputs('Get_domain_from_URL')} (part 1) :
dga_score: @{body('HTTP_-_Get_domain_security_data')?['dga_score']}
Domain Generation Algorithm. This score is generated based on the likeliness of the domain name being generated by an algorithm rather than a human. This algorithm is designed to identify domains which have been created using an automated randomization strategy, which is a common evasion technique in malware kits or botnets. This score ranges from -100 (suspicious) to 0 (benign).
perplexity: @{body('HTTP_-_Get_domain_security_data')?['perplexity']}
A second score on the likeliness of the name to be algorithmically generated, on a scale from 0 to 100. This score is to be used in conjunction with DGA.
entropy: @{body('HTTP_-_Get_domain_security_data')?['entropy']}
The number of bits required to encode the domain name, as a score. This score is to be used in conjunction with DGA and Perplexity.
securerank2: @{body('HTTP_-_Get_domain_security_data')?['securerank2']}
Suspicious rank for a domain that reviews based on the lookup behavior of client IP for the domain. Securerank is designed to identify hostnames requested by known infected clients but never requested by clean clients, assuming these domains are more likely to be bad. Scores returned range from -100 (suspicious) to 100 (benign).

" + }, + "path": "/Incidents/Comment" + } + }, + "Add_comment_to_incident_(V3)_3": { + "runAfter": { + "Add_comment_to_incident_(V3)_2": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['microsoftsentinel']['connectionId']" + } + }, + "method": "post", + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

@{outputs('Get_logo')} CiscoUmbrella-GetDomainInfo
Security data for @{outputs('Get_domain_from_URL')} (part 2):
pagerank: @{body('HTTP_-_Get_domain_security_data')?['pagerank']}
Popularity according to Google's pagerank algorithm.
asn_score: @{body('HTTP_-_Get_domain_security_data')?['asn_score']}
ASN reputation score, ranges from -100 to 0 with -100 being very suspicious.
prefix_score: @{body('HTTP_-_Get_domain_security_data')?['prefix_score']}
Prefix ranks domains given their IP prefixes (first three octets in IP) and the reputation score of these prefixes. Ranges from -100 to 0, -100 being very suspicious.
rip_score: @{body('HTTP_-_Get_domain_security_data')?['rip_score']}
RIP ranks domains given their IP addresses and the reputation score of these IP addresses. Ranges from -100 to 0, -100 being very suspicious.
popularity: @{body('HTTP_-_Get_domain_security_data')?['popularity']}
The number of unique client IPs visiting this site, relative to the all requests to all sites.
geoscore: @{body('HTTP_-_Get_domain_security_data')?['geoscore']}
A score that represents how far the different physical locations serving this name are from each other.
ks_test: @{body('HTTP_-_Get_domain_security_data')?['ks_test']}
Kolmogorov–Smirnov test on geodiversity. 0 means that the client traffic matches what is expected for this TLD.
attack: @{body('HTTP_-_Get_domain_security_data')?['attack']}
The name of any known attacks associated with this domain.
threat_type: @{body('HTTP_-_Get_domain_security_data')?['threat_type']}
The type of the known attack.

" + }, + "path": "/Incidents/Comment" + } + }, + "Create_HTML_table_with_security_indicators": { + "runAfter": { + "Get_logo": [ + "Succeeded" + ] + }, + "type": "Table", + "inputs": { + "from": "@body('HTTP_-_Get_Risk_score_for_a_domain')?['indicators']", + "format": "HTML" + } + }, + "Get_domain_from_URL": { + "type": "Compose", + "inputs": "@split(replace(replace(item()?['Url'],'http://',''), 'https://', ''), '/')[0]" + }, + "Get_logo": { + "runAfter": { + "HTTP_-_Get_Risk_score_for_a_domain": [ + "Succeeded" + ] + }, + "type": "Compose", + "inputs": "" + }, + "HTTP_-_Get_domain_security_data": { + "runAfter": { + "Get_domain_from_URL": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "uri": "https://@{parameters('Host End Point')}/investigate/v2/security/name/@{encodeURIComponent(outputs('Get_domain_from_URL'))}", + "method": "GET", + "headers": { + "Authorization": "Bearer @{body('Parse_JSON')?['access_token']}" + } + }, + "runtimeConfiguration": { + "contentTransfer": { + "transferMode": "Chunked" + } + } + }, + "HTTP_-_Get_Risk_score_for_a_domain": { + "runAfter": { + "HTTP_-_Get_domain_security_data": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "uri": "https://@{parameters('Host End Point')}/investigate/v2/domains/risk-score/@{encodeURIComponent(outputs('Get_domain_from_URL'))}", + "method": "GET", + "headers": { + "Authorization": "Bearer @{body('Parse_JSON')?['access_token']}" + } + }, + "runtimeConfiguration": { + "contentTransfer": { + "transferMode": "Chunked" + } + } + } + }, + "runAfter": { + "Parse_JSON": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Get_Client_Id": { + "runAfter": { + "Entities_-_Get_URLs": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['keyvault']['connectionId']" + } + }, + "method": "get", + "path": "/secrets/@{encodeURIComponent(parameters('Umbrella API ClientId Key Name'))}/value" + }, + 
"runtimeConfiguration": { + "secureData": { + "properties": [ + "inputs", + "outputs" + ] + } + } + }, + "Get_Secret": { + "runAfter": { + "Get_Client_Id": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['keyvault']['connectionId']" + } + }, + "method": "get", + "path": "/secrets/@{encodeURIComponent(parameters('Umbrella API Secret Key Name'))}/value" + }, + "runtimeConfiguration": { + "secureData": { + "properties": [ + "inputs", + "outputs" + ] + } + } + }, + "HTTP_-_Generate_Login_Token": { + "runAfter": { + "Get_Secret": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "uri": "https://@{parameters('Host End Point')}/auth/v2/token", + "method": "POST", + "headers": { + "Content-Type": "application/x-www-form-urlencoded" + }, + "authentication": { + "type": "Basic", + "username": "@{body('Get_Client_Id')?['value']}", + "password": "@{body('Get_Secret')?['value']}" + } + }, + "runtimeConfiguration": { + "contentTransfer": { + "transferMode": "Chunked" + }, + "secureData": { + "properties": [ + "inputs", + "outputs" + ] + } + } + }, + "Parse_JSON": { + "runAfter": { + "HTTP_-_Generate_Login_Token": [ + "Succeeded" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@body('HTTP_-_Generate_Login_Token')", + "schema": { + "type": "object", + "properties": { + "token_type": { + "type": "string" + }, + "access_token": { + "type": "string" + }, + "expires_in": { + "type": "integer" + } + } + } + } + } + }, + "outputs": {} + }, + "parameters": { + "$connections": { + "value": { + "microsoftsentinel": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "connectionName": "[variables('MicrosoftSentinelConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]", + "connectionProperties": { + 
"authentication": { + "type": "ManagedServiceIdentity" + } + } + }, + "keyvault": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('KeyvaultConnectionName'))]", + "connectionName": "[variables('KeyvaultConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/keyvault')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + } + } + } + } + }, + "name": "[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[resourceGroup().location]", + "identity": { + "type": "SystemAssigned" + }, + "tags": { + "hidden-SentinelTemplateName": "CiscoUmbrella-GetDomainInfo", + "hidden-SentinelTemplateVersion": "1.0" + }, + "apiVersion": "2017-07-01", + "dependsOn": [ + "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "[resourceId('Microsoft.Web/connections', variables('KeyvaultConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('MicrosoftSentinelConnectionName')]", + "location": "[resourceGroup().location]", + "kind": "V1", + "properties": { + "displayName": "[variables('MicrosoftSentinelConnectionName')]", + "customParameterValues": {}, + "parameterValueType": "Alternative", + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('KeyvaultConnectionName')]", + "location": "[resourceGroup().location]", + "kind": "V1", + "properties": { + "displayName": "[variables('KeyvaultConnectionName')]", + "customParameterValues": {}, + "parameterValueType": "Alternative", + "alternativeParameterValues": { + "vaultName": "[parameters('keyvault name')]" + }, 
+ "nonSecretParameterValues": { + "vaultName": "[parameters('keyvault name')]" + }, + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/keyvault')]" + } + } + } + ] +} \ No newline at end of file diff --git a/Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaPlaybooks/CiscoUmbrella-GetDomainInfo/readme.md b/Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaPlaybooks/CiscoUmbrella-GetDomainInfo/readme.md new file mode 100644 index 00000000000..85cdeabc997 --- /dev/null +++ b/Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaPlaybooks/CiscoUmbrella-GetDomainInfo/readme.md @@ -0,0 +1,78 @@ +# CiscoUmbrella-GetDomainInfo + +## Summary + +When a new sentinel incident is created, this playbook gets triggered and performs the following actions + +
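Review bot: The Umbrella bearer token ends up in clear text in the Logic App run history, because `HTTP_-_Get_domain_security_data` and `HTTP_-_Get_Risk_score_for_a_domain` send it in the `Authorization` header but their `runtimeConfiguration` only sets `contentTransfer`, and `Parse_JSON`, whose output is the `access_token`, has no `runtimeConfiguration` at all — whereas `Get_Client_Id`, `Get_Secret` and `HTTP_-_Generate_Login_Token` do secure inputs and outputs. Add `"secureData": { "properties": ["inputs", "outputs"] }` to `Parse_JSON` and `"secureData": { "properties": ["inputs"] }` alongside `contentTransfer` in the two Investigate HTTP actions so the token is redacted the same way the Basic credentials are. Separately, the `prerequisites` metadata tells operators to create an API key with Read/Write scope, but this playbook only issues GETs against `/investigate/v2/...`, so a read-only Investigate-scoped key is sufficient and limits the blast radius if the Key Vault secret or run history is exposed. The `Get_domain_from_URL` compose keeps any userinfo or port (`user@host:8443`) because it only strips the scheme and splits on `/`, so such URL entities will be looked up under the wrong name; consider stripping everything up to `@` and after `:` before the Investigate call.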
+ +1. Get domains from URL entities in the incident. +2. Enriches incident with security information about domains using [Cisco Umbrella Investigate API](https://developer.cisco.com/docs/cloud-security/investigate-investigate/#investigate). + +
+ +
+ +
+ +### Prerequisites + +1. Login to Cisco Umbrella dashboard and navigating to Admin-->API Keys. Create New API Key if not already created and select the appropriate "Key Scope" with Read/Write permission. Store "Api Key" and "Key Secret" to a safe place. This "Api Key" is a "Client Id" and "Key Secret" is a "Secret" used for this Playbook. +2. Store the "Api Key" and "Key Secret" from previous step to Key vault Secrets. + +### Deployment instructions + +1. To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard. +2. Fill in the required parameters: + * Playbook Name: Enter the playbook name here + * Keyvault name: Name of the key vault where secrets are stored. + * Umbrella API Client Id Key Name: Name of the Secrets field from Keyvault where Cisco Umbrella "API Key" value is stored. + * Umbrella API Secret Key Name: Name of the Secrets field from Keyvault where Cisco Umbrella "Key Secret" value is stored. + * Host End Point: Default is "api.umbrella.com" and is used for any API call to Cisco Umbrella REST API's. + +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FCiscoUmbrella%2FPlaybooksk%2FCiscoUmbrellaPlaybooks%2FCiscoUmbrella-GetDomainInfo%2Fazuredeploy.json) [![Deploy to Azure](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FCiscoUmbrella%2FPlaybooks%2FCiscoUmbrellaPlaybooks%2FCiscoUmbrella-GetDomainInfo%2Fazuredeploy.json) + +### Post-Deployment instructions + +#### a. Authorize connections + +Once deployment is complete, authorize each connection. + +1. Click the Microsoft Sentinel connection resource +2. Click edit API connection +3. Click Authorize +4. Sign in +5. Click Save +6. 
Repeat steps for Cisco Umbrella Investigate connector API Connection. For authorizing, provide your API key in the following format: "Bearer YOUR_API_KEY". + +#### b. Configurations in Sentinel + +1. In Microsoft sentinel, analytical rules should be configured to trigger an incident. In the *Entity mapping* section of the analytics rule creation workflow, malicious URL should be mapped to **Url** identifier of the **URL** entity type. Check the [documentation](https://docs.microsoft.com/azure/sentinel/map-data-fields-to-entities) to learn more about mapping entities. +2. Configure the automation rules to trigger the playbook. + +#### c. Assign Playbook Microsoft Sentinel Responder Role +1. Select the Playbook (Logic App) resource +2. Click on Identity Blade +3. Choose System assigned tab +4. Click on Azure role assignments +5. Click on Add role assignments +6. Select Scope - Resource group +7. Select Subscription - where Playbook has been created +8. Select Resource group - where Playbook has been created +9. Select Role - Microsoft Sentinel Responder +10. Click Save (It takes 3-5 minutes to show the added role.) + +#### d. Assign access policy on key vault for Playbook to fetch the secret key +1. Select the Key vault resource where you have stored the secret +2. Click on Access policies Blade +3. Click on Create +4. Under Secret permissions column , Select Get , List from "Secret Management Operations" +5. Click next to go to Principal tab and choose your deployed playbook name +6. Click Next leave application tab as it is . +7. Click Review and create +8. 
Click Create + +# References + - [Cisco Umbrella API Documentation](https://developer.cisco.com/docs/cloud-security/authentication/#authentication) + - [Rest API Request And Response Sample to Get Security Score Information for Domain](https://developer.cisco.com/docs/cloud-security/secure-access-api-guides-request-and-response-samples-investigate-investigate/#get-security-score-information-for-domain) + - [Rest API Request And Response Sample to Get Risk Score for Domain](https://developer.cisco.com/docs/cloud-security/secure-access-api-guides-request-and-response-samples-investigate-investigate/#get-risk-score-for-domain) \ No newline at end of file diff --git a/Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaEnforcementAPIConnector/azuredeploy.json b/Solutions/CiscoUmbrella/Playbooks/CustomConnector/EnforcementAPICustomConnector/azuredeploy.json similarity index 100% rename from Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaEnforcementAPIConnector/azuredeploy.json rename to Solutions/CiscoUmbrella/Playbooks/CustomConnector/EnforcementAPICustomConnector/azuredeploy.json diff --git a/Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaEnforcementAPIConnector/readme.md b/Solutions/CiscoUmbrella/Playbooks/CustomConnector/EnforcementAPICustomConnector/readme.md similarity index 78% rename from Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaEnforcementAPIConnector/readme.md rename to Solutions/CiscoUmbrella/Playbooks/CustomConnector/EnforcementAPICustomConnector/readme.md index 48a46518613..8db5b9290a1 100644 --- a/Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaEnforcementAPIConnector/readme.md +++ b/Solutions/CiscoUmbrella/Playbooks/CustomConnector/EnforcementAPICustomConnector/readme.md 
@@ -28,4 +28,4 @@ To get Cisco Umbrella Enforcement API credentials, follow the instructions:
 1. To deploy Custom Connector, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
-[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FCiscoUmbrella%2FPlaybooks%2FCiscoUmbrellaEnforcementAPIConnector%2Fazuredeploy.json) [![Deploy to Azure](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FCiscoUmbrella%2FPlaybooks%2FCiscoUmbrellaEnforcementAPIConnector%2Fazuredeploy.json)
\ No newline at end of file
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FCiscoUmbrella%2FPlaybooks%2FCustomConnector%2FEnforcementAPICustomConnector%2Fazuredeploy.json) [![Deploy to Azure](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FCiscoUmbrella%2FPlaybooks%2FCustomConnector%2FEnforcementAPICustomConnector%2Fazuredeploy.json)
\ No newline at end of file
diff --git a/Solutions/CiscoUmbrella/Playbooks/Playbooks/CiscoUmbrella-AddIpToDestinationList/azuredeploy.json b/Solutions/CiscoUmbrella/Playbooks/Playbooks/CiscoUmbrella-AddIpToDestinationList/azuredeploy.json
deleted file mode 100644
index 6950c94c9ca..00000000000
--- a/Solutions/CiscoUmbrella/Playbooks/Playbooks/CiscoUmbrella-AddIpToDestinationList/azuredeploy.json
+++ /dev/null
@@ -1,1160 +0,0 @@
-{
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "metadata": {
- "title": "CiscoUmbrella-AddIpToDestinationList",
- "description": "This playbook showcases an example of triggering an incident within a targeted Teams channel and opening up a ticket within Service Now. Additionally The playbook will also list playbooks that can be initiated from teams using an adaptive card and callbacks that will take action upon certain entities identified in the incident.",
- "prerequisites": [
- "1. ServiceNow Instance URL, Username, and password.",
- "2. Access and authorization to enable API connectors",
- "3. Teams Group ID, Channel ID and Alert details where the messages are to be posted in."
- ],
- "lastUpdateTime": "2021-06-29T10:00:00.000Z",
- "entities": [
- "Account",
- "Url",
- "Host"
- ],
- "tags": [
- "Sync",
- "Notification",
- "Teams Response"
- ],
- "support": {
- "tier": "community"
- },
- "author": {
- "name": "Jing Nghik"
- }
- },
- "parameters": {
- "PlaybookName": {
- "defaultValue": "CiscoUmbrella-AddIpToDestinationList",
- "type": "String"
- },
- "CiscoUmbrellaOrganizationId": {
- "type": "Int",
- "defaultValue": 0,
- "metadata": {
- "description": "Organization id in Cisco Umbrella."
- }
- },
- "TeamsGroupId": {
- "defaultValue": "TeamsGroupIds",
- "type": "String",
- "metadata": {
- "description": "Id of the Teams Group where the adaptive card will be posted."
- }
- },
- "TeamsChannelId": {
- "defaultValue": "TeamsChannelId",
- "type": "String",
- "metadata": {
- "description": "Id of the Teams Channel where the adaptive card will be posted."
- } - }, - "customApis_ciscoumbrellamanagement_name": { - "defaultValue": "CiscoUmbrellaManagementAPI", - "type": "String" - } - }, - "variables": { - "AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]", - "TeamsConnectionName": "[concat('teams-', parameters('PlaybookName'))]", - "CiscoUmbrellaManagementAPIConnectionName": "[concat('ciscoumbrellamanagement-connection-', parameters('PlaybookName'))]" - }, - "resources": [ - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[variables('AzureSentinelConnectionName')]", - "location": "[resourceGroup().location]", - "properties": { - "displayName": "[variables('AzureSentinelConnectionName')]", - "customParameterValues": {}, - "api": { - "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]" - } - } - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[variables('CiscoUmbrellaManagementAPIConnectionName')]", - "location": "[resourceGroup().location]", - "kind": "V1", - "properties": { - "displayName": "[variables('CiscoUmbrellaManagementAPIConnectionName')]", - "customParameterValues": {}, - "api": { - "id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('customApis_ciscoumbrellamanagement_name'))]" - } - } - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[variables('TeamsConnectionName')]", - "location": "[resourceGroup().location]", - "properties": { - "displayName": "[variables('TeamsConnectionName')]", - "customParameterValues": {}, - "api": { - "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/teams')]" - } - } - }, - { - "type": "Microsoft.Logic/workflows", - "apiVersion": 
"2017-07-01", - "name": "[parameters('PlaybookName')]", - "location": "[resourceGroup().location]", - "dependsOn": [ - "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", - "[resourceId('Microsoft.Web/connections', variables('CiscoUmbrellaManagementAPIConnectionName'))]" - ], - "properties": { - "state": "Enabled", - "definition": { - "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "actions": { - "Append_to_array_variable": { - "inputs": { - "name": "dest_lists_array", - "value": { - "title": "Ignore", - "value": 0 - } - }, - "runAfter": { - "Initialize_variable_dest_lists_array": [ - "Succeeded" - ] - }, - "type": "AppendToArrayVariable" - }, - "Entities_-_Get_IPs": { - "inputs": { - "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "post", - "path": "/entities/ip" - }, - "runAfter": { - "Append_to_array_variable": [ - "Succeeded" - ] - }, - "type": "ApiConnection" - }, - "For_each_IP": { - "actions": { - "Add_IP_to_destination_list": { - "actions": { - "Add_list_of_destinations_to_destination_list": { - "inputs": { - "body": [ - { - "destination": "@{outputs('Get_IP')}" - } - ], - "host": { - "connection": { - "name": "@parameters('$connections')['ciscoumbrellamanagement']['connectionId']" - } - }, - "method": "post", - "path": "/v1/organizations/@{encodeURIComponent(variables('organization_id'))}/destinationlists/@{encodeURIComponent(body('Post_adaptive_card_and_wait_for_a_response')['data']['action_choices'])}/destinations" - }, - "runAfter": {}, - "type": "ApiConnection" - }, - "Compose": { - "inputs": "@body('Filter_array')[0]['title']", - "runAfter": { - "Filter_array": [ - "Succeeded" - ] - }, - "type": "Compose" - }, - "Filter_array": { - "inputs": { - "from": "@variables('dest_lists_array')", - "where": 
"@equals(string(item()['value']), body('Post_adaptive_card_and_wait_for_a_response')['data']['action_choices'])" - }, - "runAfter": { - "Set_variable_3": [ - "Skipped" - ] - }, - "type": "Query" - }, - "Set_variable": { - "inputs": { - "name": "action_message", - "value": "IP @{outputs('Get_IP')} added to \"@{outputs('Compose')}\" destination list." - }, - "runAfter": { - "Compose": [ - "Succeeded" - ] - }, - "type": "SetVariable" - }, - "Set_variable_3": { - "inputs": { - "name": "action_message", - "value": "IP @{outputs('Get_IP')} was not added to \"\" destination lists due to Csico Umbrella API error." - }, - "runAfter": { - "Add_list_of_destinations_to_destination_list": [ - "TimedOut", - "Failed" - ] - }, - "type": "SetVariable" - } - }, - "expression": { - "and": [ - { - "not": { - "equals": [ - "@body('Post_adaptive_card_and_wait_for_a_response')?['data']", - "@null" - ] - } - }, - { - "not": { - "equals": [ - "@body('Post_adaptive_card_and_wait_for_a_response')?['data']?['action_choices']", - "@'0'" - ] - } - }, - { - "contains": [ - "@body('Post_adaptive_card_and_wait_for_a_response')?['data']", - "action_choices" - ] - } - ] - }, - "runAfter": { - "Post_adaptive_card_and_wait_for_a_response": [ - "Succeeded" - ] - }, - "type": "If" - }, - "Add_comment_to_incident_(V3)": { - "inputs": { - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "

@{outputs('Get_Cisco_logo')}CiscoUmbrella-AddIpToDestinationList
\nActions taken:
\n@{variables('action_message')}
\n@{variables('status_message')}
\n@{variables('severity_message')}

" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "post", - "path": "/Incidents/Comment" - }, - "runAfter": { - "Get_Cisco_logo": [ - "Succeeded" - ] - }, - "type": "ApiConnection" - }, - "Create_body_for_adaptive_card": { - "inputs": { - "$schema": "http://adaptivecards.io/schemas/adaptive-card.json", - "actions": [ - { - "id": "btnSubmit", - "title": "Submit", - "type": "Action.Submit" - }, - { - "id": "btnIgnore", - "title": "Ignore", - "type": "Action.Submit" - } - ], - "body": [ - { - "size": "large", - "text": "Suspicious IP - Microsoft Sentinel", - "type": "TextBlock", - "weight": "bolder", - "wrap": true - }, - { - "text": " Incident No : @{triggerBody()?['object']?['properties']?['incidentNumber']} ", - "type": "TextBlock", - "weight": "Bolder", - "wrap": true - }, - { - "text": "@{triggerBody()?['object']?['properties']?['description']}", - "type": "TextBlock", - "wrap": true - }, - { - "text": "For more details check the incident:", - "type": "TextBlock", - "weight": "Bolder", - "wrap": true - }, - { - "text": "[Click here to view the Incident](@{triggerBody()?['object']?['properties']?['incidentUrl']})", - "type": "TextBlock", - "wrap": true - }, - { - "id": "PollQuestionAction", - "text": "Select the Cisco Umbrella destination list to add IP @{item()['address']} to.", - "type": "TextBlock" - }, - { - "choices": "@variables('dest_lists_array')", - "id": "action_choices", - "placeholder": "Select from these choices", - "style": "compact", - "type": "Input.ChoiceSet" - }, - { - "id": "PollQuestionSeverity", - "text": "Select incident severity", - "type": "TextBlock" - }, - { - "choices": [ - { - "title": "High", - "value": "high" - }, - { - "title": "Medium", - "value": "medium" - }, - { - "title": "Low", - "value": "low" - }, - { - "title": "Informational", - "value": "informational" - } - ], - "id": "severity_choices", - "placeholder": "Select from these choices", - 
"style": "compact", - "type": "Input.ChoiceSet" - }, - { - "id": "PollQuestionStatus", - "text": "Select incident status", - "type": "TextBlock" - }, - { - "choices": [ - { - "title": "New", - "value": "new" - }, - { - "title": "Active", - "value": "active" - }, - { - "title": "Closed: True Positive - suspicious activity", - "value": "close_tp" - }, - { - "title": "Closed: Benign Positive - suspicious but expected", - "value": "close_bp" - }, - { - "title": "Closed: False Positive - incorrect alert logic", - "value": "close_fp_incorrect_logic" - }, - { - "title": "Closed: False Positive - inaccurate data", - "value": "close_fp_inaccurate_data" - }, - { - "title": "Closed: Undetermined", - "value": "close_undetermined" - } - ], - "id": "status_choices", - "placeholder": "Select from these choices", - "style": "compact", - "type": "Input.ChoiceSet" - } - ], - "type": "AdaptiveCard", - "version": "1.0" - }, - "runAfter": {}, - "type": "Compose" - }, - "Get_Cisco_logo": { - "inputs": "", - "runAfter": { - "Update_status": [ - "Succeeded" - ] - }, - "type": "Compose" - }, - "Get_IP": { - "inputs": "@item()['address']", - "runAfter": { - "Set_variable_16": [ - "Succeeded" - ] - }, - "type": "Compose" - }, - "Post_adaptive_card_and_wait_for_a_response": { - "inputs": { - "body": { - "body": { - "messageBody": "@{outputs('Create_body_for_adaptive_card')}", - "recipient": { - "channelId": "@variables('TeamsChannelId')", - "groupId": "@variables('TeamsGroupId')" - }, - "updateMessage": "Thanks for your response!" 
- }, - "notificationUrl": "@{listCallbackUrl()}" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['teams']['connectionId']" - } - }, - "path": "/v1.0/teams/conversation/gatherinput/poster/Flow bot/location/@{encodeURIComponent('Channel')}/$subscriptions" - }, - "runAfter": { - "Get_IP": [ - "Succeeded" - ] - }, - "type": "ApiConnectionWebhook" - }, - "Set_variable_14": { - "inputs": { - "name": "action_message", - "value": "\"\"" - }, - "runAfter": { - "Create_body_for_adaptive_card": [ - "Succeeded" - ] - }, - "type": "SetVariable" - }, - "Set_variable_15": { - "inputs": { - "name": "severity_message", - "value": "\"\"" - }, - "runAfter": { - "Set_variable_14": [ - "Succeeded" - ] - }, - "type": "SetVariable" - }, - "Set_variable_16": { - "inputs": { - "name": "status_message", - "value": "\"\"" - }, - "runAfter": { - "Set_variable_15": [ - "Succeeded" - ] - }, - "type": "SetVariable" - }, - "Update_severity": { - "actions": { - "Switch": { - "cases": { - "high_severity": { - "actions": { - "Set_variable_2": { - "inputs": { - "name": "severity_message", - "value": "Incident severity was changed to \"High\"." - }, - "runAfter": { - "Update_incident_high_severity": [ - "Succeeded" - ] - }, - "type": "SetVariable" - }, - "Update_incident_high_severity": { - "inputs": { - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "severity": "High" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "put", - "path": "/Incidents" - }, - "runAfter": {}, - "type": "ApiConnection" - } - }, - "case": "high" - }, - "informational_severity": { - "actions": { - "Set_variable_4": { - "inputs": { - "name": "severity_message", - "value": "Incident severity was changed to \"Informational\"." 
- }, - "runAfter": { - "Update_incident_informational_severity": [ - "Succeeded" - ] - }, - "type": "SetVariable" - }, - "Update_incident_informational_severity": { - "inputs": { - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "severity": "Informational" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "put", - "path": "/Incidents" - }, - "runAfter": {}, - "type": "ApiConnection" - } - }, - "case": "informational" - }, - "low_severity": { - "actions": { - "Set_variable_5": { - "inputs": { - "name": "severity_message", - "value": "Incident severity was changed to \"Low\"." - }, - "runAfter": { - "Update_incident_low_severity": [ - "Succeeded" - ] - }, - "type": "SetVariable" - }, - "Update_incident_low_severity": { - "inputs": { - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "severity": "Low" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "put", - "path": "/Incidents" - }, - "runAfter": {}, - "type": "ApiConnection" - } - }, - "case": "low" - }, - "medium_severity": { - "actions": { - "Set_variable_6": { - "inputs": { - "name": "severity_message", - "value": "Incident severity was changed to \"Medium\"." 
- }, - "runAfter": { - "Update_incident_medium_severity": [ - "Succeeded" - ] - }, - "type": "SetVariable" - }, - "Update_incident_medium_severity": { - "inputs": { - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "severity": "Medium" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "put", - "path": "/Incidents" - }, - "runAfter": {}, - "type": "ApiConnection" - } - }, - "case": "medium" - } - }, - "default": { - "actions": {} - }, - "expression": "@body('Post_adaptive_card_and_wait_for_a_response')['data']['severity_choices']", - "runAfter": {}, - "type": "Switch" - } - }, - "expression": { - "and": [ - { - "not": { - "equals": [ - "@body('Post_adaptive_card_and_wait_for_a_response')?['data']", - "@null" - ] - } - }, - { - "contains": [ - "@body('Post_adaptive_card_and_wait_for_a_response')?['data']", - "severity_choices" - ] - } - ] - }, - "runAfter": { - "Add_IP_to_destination_list": [ - "Succeeded" - ] - }, - "type": "If" - }, - "Update_status": { - "actions": { - "Switch_2": { - "cases": { - "Case": { - "actions": { - "Set_variable_7": { - "inputs": { - "name": "status_message", - "value": "Incident status was changed to \"New\"." - }, - "runAfter": { - "Update_incident": [ - "Succeeded" - ] - }, - "type": "SetVariable" - }, - "Update_incident": { - "inputs": { - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "status": "New" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "put", - "path": "/Incidents" - }, - "runAfter": {}, - "type": "ApiConnection" - } - }, - "case": "new" - }, - "Case_2": { - "actions": { - "Set_variable_8": { - "inputs": { - "name": "status_message", - "value": "Incident status was changed to \"Active\"." 
- }, - "runAfter": { - "Update_incident_2": [ - "Succeeded" - ] - }, - "type": "SetVariable" - }, - "Update_incident_2": { - "inputs": { - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "status": "Active" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "put", - "path": "/Incidents" - }, - "runAfter": {}, - "type": "ApiConnection" - } - }, - "case": "active" - }, - "Case_3": { - "actions": { - "Set_variable_9": { - "inputs": { - "name": "status_message", - "value": "Incident status was changed to \"Closed: True Positive - suspicious activity\"." - }, - "runAfter": { - "Update_incident_3": [ - "Succeeded" - ] - }, - "type": "SetVariable" - }, - "Update_incident_3": { - "inputs": { - "body": { - "classification": { - "ClassificationAndReason": "TruePositive - SuspiciousActivity" - }, - "incidentArmId": "@triggerBody()?['object']?['id']", - "status": "Closed" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "put", - "path": "/Incidents" - }, - "runAfter": {}, - "type": "ApiConnection" - } - }, - "case": "close_tp" - }, - "Case_4": { - "actions": { - "Set_variable_10": { - "inputs": { - "name": "status_message", - "value": "Incident status was changed to \"Closed: Benign Positive - suspicious but expected\"." 
- }, - "runAfter": { - "Update_incident_4": [ - "Succeeded" - ] - }, - "type": "SetVariable" - }, - "Update_incident_4": { - "inputs": { - "body": { - "classification": { - "ClassificationAndReason": "BenignPositive - SuspiciousButExpected" - }, - "incidentArmId": "@triggerBody()?['object']?['id']", - "status": "Closed" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "put", - "path": "/Incidents" - }, - "runAfter": {}, - "type": "ApiConnection" - } - }, - "case": "close_bp" - }, - "Case_5": { - "actions": { - "Set_variable_11": { - "inputs": { - "name": "status_message", - "value": "Incident status was changed to \"Closed: False Positive - incorrect alert logic\"." - }, - "runAfter": { - "Update_incident_5": [ - "Succeeded" - ] - }, - "type": "SetVariable" - }, - "Update_incident_5": { - "inputs": { - "body": { - "classification": { - "ClassificationAndReason": "FalsePositive - IncorrectAlertLogic" - }, - "incidentArmId": "@triggerBody()?['object']?['id']", - "status": "Closed" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "put", - "path": "/Incidents" - }, - "runAfter": {}, - "type": "ApiConnection" - } - }, - "case": "close_fp_incorrect_logic" - }, - "Case_6": { - "actions": { - "Set_variable_12": { - "inputs": { - "name": "status_message", - "value": "Incident status was changed to \"Closed: False Positive - inaccurate data\"." 
- }, - "runAfter": { - "Update_incident_6": [ - "Succeeded" - ] - }, - "type": "SetVariable" - }, - "Update_incident_6": { - "inputs": { - "body": { - "classification": { - "ClassificationAndReason": "FalsePositive - InaccurateData" - }, - "incidentArmId": "@triggerBody()?['object']?['id']", - "status": "Closed" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "put", - "path": "/Incidents" - }, - "runAfter": {}, - "type": "ApiConnection" - } - }, - "case": "close_fp_inaccurate_data" - }, - "Case_7": { - "actions": { - "Set_variable_13": { - "inputs": { - "name": "status_message", - "value": "Incident status was changed to \"Closed: Undetermined\"." - }, - "runAfter": { - "Update_incident_7": [ - "Succeeded" - ] - }, - "type": "SetVariable" - }, - "Update_incident_7": { - "inputs": { - "body": { - "classification": { - "ClassificationAndReason": "Undetermined" - }, - "incidentArmId": "@triggerBody()?['object']?['id']", - "status": "Closed" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "put", - "path": "/Incidents" - }, - "runAfter": {}, - "type": "ApiConnection" - } - }, - "case": "close_undetermined" - } - }, - "default": { - "actions": {} - }, - "expression": "@body('Post_adaptive_card_and_wait_for_a_response')['data']['status_choices']", - "runAfter": {}, - "type": "Switch" - } - }, - "expression": { - "and": [ - { - "not": { - "equals": [ - "@body('Post_adaptive_card_and_wait_for_a_response')?['data']", - "@null" - ] - } - }, - { - "contains": [ - "@body('Post_adaptive_card_and_wait_for_a_response')?['data']", - "status_choices" - ] - } - ] - }, - "runAfter": { - "Update_severity": [ - "Succeeded" - ] - }, - "type": "If" - } - }, - "foreach": "@body('Entities_-_Get_IPs')?['IPs']", - "runAfter": { - "Entities_-_Get_IPs": [ - "Succeeded" - ] - }, - "type": "Foreach" - }, - 
"Get_list_of_destinations_lists_for_Teams_adaptive_card": { - "inputs": { - "from": "@body('Retrieve_all_destination_lists')?['data']", - "select": { - "title": "@item()['name']", - "value": "@item()['id']" - } - }, - "runAfter": { - "Retrieve_all_destination_lists": [ - "Succeeded" - ] - }, - "type": "Select" - }, - "Initialize_variable_TeamsChannelId": { - "inputs": { - "variables": [ - { - "name": "TeamsChannelId", - "type": "string", - "value": "[parameters('TeamsChannelId')]" - } - ] - }, - "runAfter": { - "Initialize_variable_TeamsGroupId": [ - "Succeeded" - ] - }, - "type": "InitializeVariable" - }, - "Initialize_variable_TeamsGroupId": { - "inputs": { - "variables": [ - { - "name": "TeamsGroupId", - "type": "string", - "value": "[parameters('TeamsGroupId')]" - } - ] - }, - "runAfter": { - "Initialize_variable_organization_id": [ - "Succeeded" - ] - }, - "type": "InitializeVariable" - }, - "Initialize_variable_action_message": { - "inputs": { - "variables": [ - { - "name": "action_message", - "type": "string" - } - ] - }, - "runAfter": { - "Initialize_variable_TeamsChannelId": [ - "Succeeded" - ] - }, - "type": "InitializeVariable" - }, - "Initialize_variable_dest_lists_array": { - "inputs": { - "variables": [ - { - "name": "dest_lists_array", - "type": "array", - "value": "@body('Get_list_of_destinations_lists_for_Teams_adaptive_card')" - } - ] - }, - "runAfter": { - "Get_list_of_destinations_lists_for_Teams_adaptive_card": [ - "Succeeded" - ] - }, - "type": "InitializeVariable" - }, - "Initialize_variable_organization_id": { - "inputs": { - "variables": [ - { - "name": "organization_id", - "type": "integer", - "value": "[parameters('CiscoUmbrellaOrganizationId')]" - } - ] - }, - "runAfter": {}, - "type": "InitializeVariable" - }, - "Initialize_variable_severity_message": { - "inputs": { - "variables": [ - { - "name": "severity_message", - "type": "string" - } - ] - }, - "runAfter": { - "Initialize_variable_action_message": [ - "Succeeded" - ] - }, - 
"type": "InitializeVariable" - }, - "Initialize_variable_status_message": { - "inputs": { - "variables": [ - { - "name": "status_message", - "type": "string" - } - ] - }, - "runAfter": { - "Initialize_variable_severity_message": [ - "Succeeded" - ] - }, - "type": "InitializeVariable" - }, - "Retrieve_all_destination_lists": { - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['ciscoumbrellamanagement']['connectionId']" - } - }, - "method": "get", - "path": "/v1/organizations/@{encodeURIComponent(variables('organization_id'))}/destinationlists" - }, - "runAfter": { - "Initialize_variable_status_message": [ - "Succeeded" - ] - }, - "type": "ApiConnection" - } - }, - "contentVersion": "1.0.0.0", - "outputs": {}, - "parameters": { - "$connections": { - "defaultValue": {}, - "type": "Object" - } - }, - "triggers": { - "When_Azure_Sentinel_incident_creation_rule_was_triggered": { - "inputs": { - "body": { - "callback_url": "@{listCallbackUrl()}" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "path": "/incident-creation" - }, - "type": "ApiConnectionWebhook" - } - } - }, - "parameters": { - "$connections": { - "value": { - "azuresentinel": { - "connectionName": "[variables('AzureSentinelConnectionName')]", - "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", - "id": "[concat('/subscriptions/',subscription().subscriptionId, '/providers/Microsoft.Web/locations/',resourceGroup().location,'/managedApis/azuresentinel')]" - }, - "teams": { - "connectionName": "[variables('TeamsConnectionName')]", - "connectionId": "[resourceId('Microsoft.Web/connections', variables('TeamsConnectionName'))]", - "id": "[concat('/subscriptions/',subscription().subscriptionId, '/providers/Microsoft.Web/locations/',resourceGroup().location,'/managedApis/teams')]" - }, - "ciscoumbrellamanagement": { - "connectionId": 
"[resourceId('Microsoft.Web/connections', variables('CiscoUmbrellaManagementAPIConnectionName'))]",
- "connectionName": "[variables('CiscoUmbrellaManagementAPIConnectionName')]",
- "id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('customApis_ciscoumbrellamanagement_name'))]"
- }
- }
- }
- }
- }
- }
- ]
-}
\ No newline at end of file
diff --git a/Solutions/CiscoUmbrella/Playbooks/Playbooks/CiscoUmbrella-AddIpToDestinationList/playbook_screenshot.png b/Solutions/CiscoUmbrella/Playbooks/Playbooks/CiscoUmbrella-AddIpToDestinationList/playbook_screenshot.png
deleted file mode 100644
index 0764b6763d4..00000000000
Binary files a/Solutions/CiscoUmbrella/Playbooks/Playbooks/CiscoUmbrella-AddIpToDestinationList/playbook_screenshot.png and /dev/null differ
diff --git a/Solutions/CiscoUmbrella/Playbooks/Playbooks/CiscoUmbrella-AddIpToDestinationList/readme.md b/Solutions/CiscoUmbrella/Playbooks/Playbooks/CiscoUmbrella-AddIpToDestinationList/readme.md
deleted file mode 100644
index 1ff4ec9ed67..00000000000
--- a/Solutions/CiscoUmbrella/Playbooks/Playbooks/CiscoUmbrella-AddIpToDestinationList/readme.md
+++ /dev/null
@@ -1,51 +0,0 @@
-# CiscoUmbrella-AddIpToDestinationList
-
-## Summary
-
-When a new sentinel incident is created, this playbook gets triggered and performs the following actions:
-
-1. Sends an adaptive card to the Teams channel where the analyst can choose an action to be taken.
-
-
-
-2. Adds an IP to the destination list chosen in the adaptive card.
-3. Changes incident status and severity depending on the action chosen in the adaptive card.
-4. Adds comment to the incident with information about the actions taken.
-
-
-
-### Prerequisites
-
-1. Prior to the deployment of this playbook, Cisco Umbrella Management API Connector needs to be deployed under the same subscription.
-2. Obtain Cisco Umbrella Management API credentials. Refer to Cisco Umbrella Management API Custom Connector documentation.
-3. Obtain Teams group id and channel id.
-4. Obtain Cisco Umbrella Organiztion Id.
-
-### Deployment instructions
-
-1. To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
-2. Fill in the required paramteres:
- * Playbook Name: Enter the playbook name here
- * Teams Group Id: Id of the Teams Group where the adaptive card will be posted
- * Teams Channel Id: Id of the Teams Channel where the adaptive card will be posted
- * Cisco Umbrella Organization Id: Organization id in Cisco Umbrella
-
-[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FCiscoUmbrella%2FPlaybooksk%2FPlaybooks%2FCiscoUmbrella-AddIpToDestinationList%2Fazuredeploy.json) [![Deploy to Azure](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FCiscoUmbrella%2FPlaybooks%2FPlaybooks%2FCiscoUmbrella-AddIpToDestinationList%2Fazuredeploy.json)
-
-### Post-Deployment instructions
-
-#### a. Authorize connections
-
-Once deployment is complete, authorize each connection.
-
-1. Click the Microsoft Sentinel connection resource
-2. Click edit API connection
-3. Click Authorize
-4. Sign in
-5. Click Save
-6. Repeat steps for other connections
-
-#### b. Configurations in Sentinel
-
-1. In Microsoft sentinel, analytical rules should be configured to trigger an incident with a malicious IP. 
In the *Entity maping* section of the analytics rule creation workflow, malicious IP should be mapped to **Address** identitfier of the **IP** entity type. Check the [documentation](https://docs.microsoft.com/azure/sentinel/map-data-fields-to-entities) to learn more about mapping entities.
-2. Configure the automation rules to trigger the playbook.
diff --git a/Solutions/CiscoUmbrella/Playbooks/Playbooks/CiscoUmbrella-AssignPolicyToIdentity/azuredeploy.json b/Solutions/CiscoUmbrella/Playbooks/Playbooks/CiscoUmbrella-AssignPolicyToIdentity/azuredeploy.json
deleted file mode 100644
index 47e998f4ffa..00000000000
--- a/Solutions/CiscoUmbrella/Playbooks/Playbooks/CiscoUmbrella-AssignPolicyToIdentity/azuredeploy.json
+++ /dev/null
@@ -1,425 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "title": "CiscoUmbrella-AssignPolicyToIdentity", - "description": "This playbook showcases an example of triggering an incident within a targeted Teams channel and opening up a ticket within Service Now. Additionally The playbook will also list playbooks that can be initiated from teams using an adaptive card and callbacks that will take action upon certain entities identified in the incident.", - "prerequisites": [ - "1. ServiceNow Instance URL, Username, and password.", - "2. Access and authorization to enable API connectors", - "3. Teams Group ID, Channel ID and Alert details where the messages are to be posted in." - ], - "lastUpdateTime": "2021-06-29T10:00:00.000Z", - "entities": [ - "Account", - "Url", - "Host" - ], - "tags": [ - "Sync", - "Notification", - "Teams Response" - ], - "support": { - "tier": "community" - }, - "author": { - "name": "Jing Nghik" - } - }, - "parameters": { - "PlaybookName": { - "defaultValue": "CiscoUmbrella-AssignPolicyToIdentity", - "type": "String" - }, - "PolicyId": { - "defaultValue": "", - "type": "String" - }, - "customApis_ciscoumbrellanetworkdevicemanagement_name": { - "defaultValue": "CiscoUmbrellaNetworkDeviceManagementAPI", - "type": "String" - } - }, - "variables": { - "AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]", - "CiscoUmbrellaNetworkDeviceManagementAPIConnectionName": "[concat('ciscoumbrellanetworkdevice-connection-', parameters('PlaybookName'))]" - }, - "resources": [ - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[variables('AzureSentinelConnectionName')]", - "location": "[resourceGroup().location]", - "properties": { - "displayName": "[variables('AzureSentinelConnectionName')]", - "customParameterValues": {}, - "api": { - "id": "[concat('/subscriptions/', 
subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]" - } - } - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[variables('CiscoUmbrellaNetworkDeviceManagementAPIConnectionName')]", - "location": "[resourceGroup().location]", - "kind": "V1", - "properties": { - "displayName": "[variables('CiscoUmbrellaNetworkDeviceManagementAPIConnectionName')]", - "customParameterValues": {}, - "api": { - "id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('customApis_ciscoumbrellanetworkdevicemanagement_name'))]" - } - } - }, - { - "type": "Microsoft.Logic/workflows", - "apiVersion": "2017-07-01", - "name": "[parameters('PlaybookName')]", - "location": "[resourceGroup().location]", - "dependsOn": [ - "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", - "[resourceId('Microsoft.Web/connections', variables('CiscoUmbrellaNetworkDeviceManagementAPIConnectionName'))]" - ], - "properties": { - "state": "Enabled", - "definition": { - "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "actions": { - "Add_comment_to_incident_(V3)": { - "inputs": { - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "

@{outputs('Create_logo')} CiscoUmbrella-AssignPolicyToIdentity
\nThe following origin ids were assigned to policy @{variables('policyId')} for organization @{variables('organizationId')}:
\n@{body('Create_HTML_table_with_updated_origin_IDs')}
\nThe following origin ids were not assigned because of errors:
\n@{body('Create_HTML_table_with_not_updated_origin_IDs')}

" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "post", - "path": "/Incidents/Comment" - }, - "runAfter": { - "Create_logo": [ - "Succeeded" - ] - }, - "type": "ApiConnection" - }, - "Create_HTML_table_with_not_updated_origin_IDs": { - "inputs": { - "columns": [ - { - "header": "originId", - "value": "@item()" - } - ], - "format": "HTML", - "from": "@variables('not_updated_oridinIds_array')" - }, - "runAfter": { - "Create_HTML_table_with_updated_origin_IDs": [ - "Succeeded" - ] - }, - "type": "Table" - }, - "Create_HTML_table_with_updated_origin_IDs": { - "inputs": { - "columns": [ - { - "header": "originId", - "value": "@item()" - } - ], - "format": "HTML", - "from": "@variables('updated_oridinIds_array')" - }, - "runAfter": { - "For_each_originId_assign_policy_to_originId": [ - "Succeeded", - "Failed", - "Skipped", - "TimedOut" - ] - }, - "type": "Table" - }, - "Create_logo": { - "inputs": "", - "runAfter": { - "Create_HTML_table_with_not_updated_origin_IDs": [ - "Succeeded" - ] - }, - "type": "Compose" - }, - "For_each_alert_in_incident": { - "actions": { - "For_each_originId": { - "actions": { - "Add_unique_originId_to_OriginId_array": { - "actions": { - "Append_to_array_variable": { - "inputs": { - "name": "originId_array", - "value": "@items('For_each_originId')" - }, - "runAfter": {}, - "type": "AppendToArrayVariable" - } - }, - "expression": { - "and": [ - { - "not": { - "contains": [ - "@variables('originId_array')", - "@items('For_each_originId')" - ] - } - } - ] - }, - "runAfter": {}, - "type": "If" - } - }, - "foreach": "@body('Parse_alert_custom_details')?['originId']", - "runAfter": { - "Parse_alert_custom_details": [ - "Succeeded" - ] - }, - "type": "Foreach" - }, - "Parse_alert_custom_details": { - "inputs": { - "content": "@items('For_each_alert_in_incident')?['properties']?['additionalData']?['Custom Details']", - "schema": { - "properties": { - "originId": { - 
"items": { - "type": "string" - }, - "type": "array" - } - }, - "type": "object" - } - }, - "runAfter": {}, - "type": "ParseJson" - } - }, - "foreach": "@triggerBody()?['object']?['properties']?['Alerts']", - "runAfter": { - "Set_value_for_organizationId_variable": [ - "Succeeded" - ] - }, - "type": "Foreach" - }, - "For_each_originId_assign_policy_to_originId": { - "actions": { - "Append_originId_to_not_updated_originIds_array_variable_in_case_of_error": { - "inputs": { - "name": "not_updated_oridinIds_array", - "value": "@items('For_each_originId_assign_policy_to_originId')" - }, - "runAfter": { - "Assign_a_policy_to_an_identity": [ - "Failed", - "TimedOut" - ] - }, - "type": "AppendToArrayVariable" - }, - "Append_originId_to_updated_originIds_array_variable": { - "inputs": { - "name": "updated_oridinIds_array", - "value": "@items('For_each_originId_assign_policy_to_originId')" - }, - "runAfter": { - "Append_originId_to_not_updated_originIds_array_variable_in_case_of_error": [ - "Skipped" - ] - }, - "type": "AppendToArrayVariable" - }, - "Assign_a_policy_to_an_identity": { - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['ciscoumbrellanetworkdevicemanagement']['connectionId']" - } - }, - "method": "put", - "path": "/v1/organizations/@{encodeURIComponent(variables('organizationId'))}/policies/@{encodeURIComponent(variables('policyId'))}/identities/@{encodeURIComponent(items('For_each_originId_assign_policy_to_originId'))}" - }, - "runAfter": {}, - "type": "ApiConnection" - } - }, - "foreach": "@variables('originId_array')", - "runAfter": { - "For_each_alert_in_incident": [ - "Succeeded" - ] - }, - "type": "Foreach" - }, - "Get_organization_id": { - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['ciscoumbrellanetworkdevicemanagement']['connectionId']" - } - }, - "method": "get", - "path": "/v1/organizations" - }, - "runAfter": { - "Initialize_variable_not_updated_oridinIds_array": [ - "Succeeded" - 
] - }, - "type": "ApiConnection" - }, - "Initialize_variable_not_updated_oridinIds_array": { - "inputs": { - "variables": [ - { - "name": "not_updated_oridinIds_array", - "type": "array" - } - ] - }, - "runAfter": { - "Initialize_variable_updated_oridinIds_array": [ - "Succeeded" - ] - }, - "type": "InitializeVariable" - }, - "Initialize_variable_organizationId": { - "inputs": { - "variables": [ - { - "name": "organizationId", - "type": "string" - } - ] - }, - "runAfter": {}, - "type": "InitializeVariable" - }, - "Initialize_variable_originId_array": { - "inputs": { - "variables": [ - { - "name": "originId_array", - "type": "array" - } - ] - }, - "runAfter": { - "Initialize_variable_policyId": [ - "Succeeded" - ] - }, - "type": "InitializeVariable" - }, - "Initialize_variable_policyId": { - "inputs": { - "variables": [ - { - "name": "policyId", - "type": "string", - "value": "[parameters('PolicyId')]" - } - ] - }, - "runAfter": { - "Initialize_variable_organizationId": [ - "Succeeded" - ] - }, - "type": "InitializeVariable" - }, - "Initialize_variable_updated_oridinIds_array": { - "inputs": { - "variables": [ - { - "name": "updated_oridinIds_array", - "type": "array" - } - ] - }, - "runAfter": { - "Initialize_variable_originId_array": [ - "Succeeded" - ] - }, - "type": "InitializeVariable" - }, - "Set_value_for_organizationId_variable": { - "inputs": { - "name": "organizationId", - "value": "@{body('Get_organization_id')[0]['organizationId']}" - }, - "runAfter": { - "Get_organization_id": [ - "Succeeded" - ] - }, - "type": "SetVariable" - } - }, - "contentVersion": "1.0.0.0", - "outputs": {}, - "parameters": { - "$connections": { - "defaultValue": {}, - "type": "Object" - } - }, - "triggers": { - "When_Azure_Sentinel_incident_creation_rule_was_triggered": { - "inputs": { - "body": { - "callback_url": "@{listCallbackUrl()}" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "path": 
"/incident-creation"
- },
- "type": "ApiConnectionWebhook"
- }
- }
- },
- "parameters": {
- "$connections": {
- "value": {
- "azuresentinel": {
- "connectionName": "[variables('AzureSentinelConnectionName')]",
- "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
- "id": "[concat('/subscriptions/',subscription().subscriptionId, '/providers/Microsoft.Web/locations/',resourceGroup().location,'/managedApis/azuresentinel')]"
- },
- "ciscoumbrellanetworkdevicemanagement": {
- "connectionId": "[resourceId('Microsoft.Web/connections', variables('CiscoUmbrellaNetworkDeviceManagementAPIConnectionName'))]",
- "connectionName": "[variables('CiscoUmbrellaNetworkDeviceManagementAPIConnectionName')]",
- "id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('customApis_ciscoumbrellanetworkdevicemanagement_name'))]"
- }
- }
- }
- }
- }
- ]
-}
\ No newline at end of file
diff --git a/Solutions/CiscoUmbrella/Playbooks/Playbooks/CiscoUmbrella-AssignPolicyToIdentity/playbook_screenshot.png b/Solutions/CiscoUmbrella/Playbooks/Playbooks/CiscoUmbrella-AssignPolicyToIdentity/playbook_screenshot.png
deleted file mode 100644
index 6389c3c7971..00000000000
Binary files a/Solutions/CiscoUmbrella/Playbooks/Playbooks/CiscoUmbrella-AssignPolicyToIdentity/playbook_screenshot.png and /dev/null differ
diff --git a/Solutions/CiscoUmbrella/Playbooks/Playbooks/CiscoUmbrella-AssignPolicyToIdentity/readme.md b/Solutions/CiscoUmbrella/Playbooks/Playbooks/CiscoUmbrella-AssignPolicyToIdentity/readme.md
deleted file mode 100644
index 40d535f0d9d..00000000000
--- a/Solutions/CiscoUmbrella/Playbooks/Playbooks/CiscoUmbrella-AssignPolicyToIdentity/readme.md
+++ /dev/null
@@ -1,42 +0,0 @@
-# CiscoUmbrella-AssignPolicyToIdentity
-
-## Summary
-
-When a new sentinel incident is created, this playbook gets triggered and performs the following actions
-
-1. Assigns a new DNS or web policy (*PolicyId* is provided on the playbook deplyment step) to an identity (*originId* of the identity provided in the alert custom entities).
-2. Adds comment to the incident with information about the assigned policies.
-
-
-
-### Prerequisites
-
-1. Prior to the deployment of this playbook, Cisco Umbrella Network Device Management Connector needs to be deployed under the same subscription.
-2. Obtain Cisco Umbrella API credentials. Refer to Cisco Umbrella Network Device Management Custom Connector documentation.
-
-### Deployment instructions
-
-1. To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
-2. Fill in the required paramteres:
- * Playbook Name: Enter the playbook name here
- * PolicyId: ID of the DNS or web policy to act upon
-
-[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FCiscoUmbrella%2FPlaybooksk%2FPlaybooks%2FCiscoUmbrella-AssignPolicyToIdentity%2Fazuredeploy.json) [![Deploy to Azure](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FCiscoUmbrella%2FPlaybooks%2FPlaybooks%2FCiscoUmbrella-AssignPolicyToIdentity%2Fazuredeploy.json)
-
-### Post-Deployment instructions
-
-#### a. Authorize connections
-
-Once deployment is complete, authorize each connection.
-
-1. Click the Microsoft Sentinel connection resource
-2. Click edit API connection
-3. Click Authorize
-4. Sign in
-5. Click Save
-6. Repeat steps for Cisco Umbrella Network Device Management connector API Connection. Provide your key and the secret for authorizing.
-
-#### b. Configurations in Sentinel
-
-1. In Microsoft sentinel, analytical rules should be configured to trigger an incident. An incident should have the *originId* custom entity. OriginId is an Umbrella-wide unique identifier for this traffic source (origin). It can be obtained from the corresponding field in Cisco Umbrella logs.
Check the [documentation](https://docs.microsoft.com/azure/sentinel/surface-custom-details-in-alerts) to learn more about adding custom entities to incidents.
-2. Configure the automation rules to trigger the playbook.
diff --git a/Solutions/CiscoUmbrella/Playbooks/Playbooks/CiscoUmbrella-GetDomainInfo/azuredeploy.json b/Solutions/CiscoUmbrella/Playbooks/Playbooks/CiscoUmbrella-GetDomainInfo/azuredeploy.json
deleted file mode 100644
index 41c740b85ad..00000000000
--- a/Solutions/CiscoUmbrella/Playbooks/Playbooks/CiscoUmbrella-GetDomainInfo/azuredeploy.json
+++ /dev/null
@@ -1,279 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "title": "CiscoUmbrella-GetDomainInfo", - "description": "This playbook showcases an example of triggering an incident within a targeted Teams channel and opening up a ticket within Service Now. Additionally The playbook will also list playbooks that can be initiated from teams using an adaptive card and callbacks that will take action upon certain entities identified in the incident.", - "prerequisites": [ - "1. ServiceNow Instance URL, Username, and password.", - "2. Access and authorization to enable API connectors", - "3. Teams Group ID, Channel ID and Alert details where the messages are to be posted in." - ], - "lastUpdateTime": "2021-06-29T10:00:00.000Z", - "entities": [ - "Account", - "Url", - "Host" - ], - "tags": [ - "Sync", - "Notification", - "Teams Response" - ], - "support": { - "tier": "community" - }, - "author": { - "name": "Jing Nghik" - } - }, - "parameters": { - "PlaybookName": { - "defaultValue": "CiscoUmbrella-GetDomainInfo", - "type": "String" - }, - "customApis_ciscoumbrellainvestigate_name": { - "defaultValue": "CiscoUmbrellaInvestigateAPI", - "type": "String" - } - }, - "variables": { - "AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]", - "CiscoUmbrellaInvestigateAPIConnectionName": "[concat('ciscoumbrellainvestigate-connection-', parameters('PlaybookName'))]" - }, - "resources": [ - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[variables('AzureSentinelConnectionName')]", - "location": "[resourceGroup().location]", - "properties": { - "displayName": "[variables('AzureSentinelConnectionName')]", - "customParameterValues": {}, - "api": { - "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]" - } - 
} - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[variables('CiscoUmbrellaInvestigateAPIConnectionName')]", - "location": "[resourceGroup().location]", - "kind": "V1", - "properties": { - "displayName": "[variables('CiscoUmbrellaInvestigateAPIConnectionName')]", - "customParameterValues": {}, - "api": { - "id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('customApis_ciscoumbrellainvestigate_name'))]" - } - } - }, - { - "type": "Microsoft.Logic/workflows", - "apiVersion": "2017-07-01", - "name": "[parameters('PlaybookName')]", - "location": "[resourceGroup().location]", - "dependsOn": [ - "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", - "[resourceId('Microsoft.Web/connections', variables('CiscoUmbrellaInvestigateAPIConnectionName'))]" - ], - "properties": { - "state": "Enabled", - "definition": { - "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "actions": { - "Entities_-_Get_URLs": { - "inputs": { - "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "post", - "path": "/entities/url" - }, - "runAfter": {}, - "type": "ApiConnection" - }, - "For_each_URL": { - "actions": { - "Add_comment_to_incident_(V3)": { - "inputs": { - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "

@{outputs('Get_logo')} CiscoUmbrella-GetDomainInfo
\nRisk score for domain @{outputs('Get_domain_from_URL')} is  @{body('Get_Risk_score_for_a_domain')?['risk_score']}.
\nRisk score indicators:
\n@{body('Create_HTML_table_with_security_indicators')}
\n
\n

" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "post", - "path": "/Incidents/Comment" - }, - "runAfter": { - "Create_HTML_table_with_security_indicators": [ - "Succeeded" - ] - }, - "type": "ApiConnection" - }, - "Add_comment_to_incident_(V3)_2": { - "inputs": { - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "

@{outputs('Get_logo')} CiscoUmbrella-GetDomainInfo
\n
Security data for @{outputs('Get_domain_from_URL')} (part 1) :
\n
dga_score: @{body('Get_domain_security_data')?['dga_score']}
\nDomain Generation Algorithm. This score is generated based on the likeliness of the domain name being generated by an algorithm rather than a human. This algorithm is designed to identify domains which have been created using an automated randomization strategy, which is a common evasion technique in malware kits or botnets. This score ranges from -100 (suspicious) to 0 (benign).
\n
perplexity: @{body('Get_domain_security_data')?['perplexity']}
\nA second score on the likeliness of the name to be algorithmically generated, on a scale from 0 to 100. This score is to be used in conjunction with DGA.
\n
entropy: @{body('Get_domain_security_data')?['entropy']}
\nThe number of bits required to encode the domain name, as a score. This score is to be used in conjunction with DGA and Perplexity.
\n
securerank2: @{body('Get_domain_security_data')?['securerank2']}
\nSuspicious rank for a domain that reviews based on the lookup behavior of client IP for the domain. Securerank is designed to identify hostnames requested by known infected clients but never requested by clean clients, assuming these domains are more likely to be bad. Scores returned range from -100 (suspicious) to 100 (benign).
\n

" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "post", - "path": "/Incidents/Comment" - }, - "runAfter": { - "Add_comment_to_incident_(V3)": [ - "Succeeded" - ] - }, - "type": "ApiConnection" - }, - "Add_comment_to_incident_(V3)_3": { - "inputs": { - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "

@{outputs('Get_logo')} CiscoUmbrella-GetDomainInfo
\nSecurity data for @{outputs('Get_domain_from_URL')} (part 2):
\npagerank: @{body('Get_domain_security_data')?['pagerank']}
\nPopularity according to Google's pagerank algorithm.
\nasn_score: @{body('Get_domain_security_data')?['asn_score']}
\nASN reputation score, ranges from -100 to 0 with -100 being very suspicious.
\nprefix_score: @{body('Get_domain_security_data')?['prefix_score']}
\nPrefix ranks domains given their IP prefixes (first three octets in IP) and the reputation score of these prefixes. Ranges from -100 to 0, -100 being very suspicious.
\nrip_score: @{body('Get_domain_security_data')?['rip_score']}
\nRIP ranks domains given their IP addresses and the reputation score of these IP addresses. Ranges from -100 to 0, -100 being very suspicious.
\npopularity: @{body('Get_domain_security_data')?['popularity']}
\nThe number of unique client IPs visiting this site, relative to the all requests to all sites.
\ngeoscore: @{body('Get_domain_security_data')?['geoscore']}
\nA score that represents how far the different physical locations serving this name are from each other.
\nks_test: @{body('Get_domain_security_data')?['ks_test']}
\nKolmogorov–Smirnov test on geodiversity. 0 means that the client traffic matches what is expected for this TLD.
\nattack: @{body('Get_domain_security_data')?['attack']}
\nThe name of any known attacks associated with this domain.
\nthreat_type: @{body('Get_domain_security_data')?['threat_type']}
\nThe type of the known attack.

" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "post", - "path": "/Incidents/Comment" - }, - "runAfter": { - "Add_comment_to_incident_(V3)_2": [ - "Succeeded" - ] - }, - "type": "ApiConnection" - }, - "Create_HTML_table_with_security_indicators": { - "inputs": { - "format": "HTML", - "from": "@body('Get_Risk_score_for_a_domain')?['indicators']" - }, - "runAfter": { - "Get_logo": [ - "Succeeded" - ] - }, - "type": "Table" - }, - "Get_Risk_score_for_a_domain": { - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['ciscoumbrellainvestigate']['connectionId']" - } - }, - "method": "get", - "path": "/domains/risk-score/@{encodeURIComponent(outputs('Get_domain_from_URL'))}" - }, - "runAfter": { - "Get_domain_security_data": [ - "Succeeded" - ] - }, - "type": "ApiConnection" - }, - "Get_domain_from_URL": { - "inputs": "@split(replace(replace(item()?['Url'],'http://',''), 'https://', ''), '/')[0]", - "runAfter": {}, - "type": "Compose" - }, - "Get_domain_security_data": { - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['ciscoumbrellainvestigate']['connectionId']" - } - }, - "method": "get", - "path": "/security/name/@{encodeURIComponent(outputs('Get_domain_from_URL'))}" - }, - "runAfter": { - "Get_domain_from_URL": [ - "Succeeded" - ] - }, - "type": "ApiConnection" - }, - "Get_logo": { - "inputs": "", - "runAfter": { - "Get_Risk_score_for_a_domain": [ - "Succeeded" - ] - }, - "type": "Compose" - } - }, - "foreach": "@body('Entities_-_Get_URLs')?['URLs']", - "runAfter": { - "Entities_-_Get_URLs": [ - "Succeeded" - ] - }, - "type": "Foreach" - } - }, - "contentVersion": "1.0.0.0", - "outputs": {}, - "parameters": { - "$connections": { - "defaultValue": {}, - "type": "Object" - } - }, - "triggers": { - "When_Azure_Sentinel_incident_creation_rule_was_triggered": { - "inputs": { - "body": { - "callback_url": "@{listCallbackUrl()}" 
- },
- "host": {
- "connection": {
- "name": "@parameters('$connections')['azuresentinel']['connectionId']"
- }
- },
- "path": "/incident-creation"
- },
- "type": "ApiConnectionWebhook"
- }
- }
- },
- "parameters": {
- "$connections": {
- "value": {
- "azuresentinel": {
- "connectionName": "[variables('AzureSentinelConnectionName')]",
- "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
- "id": "[concat('/subscriptions/',subscription().subscriptionId, '/providers/Microsoft.Web/locations/',resourceGroup().location,'/managedApis/azuresentinel')]"
- },
- "ciscoumbrellainvestigate": {
- "connectionId": "[resourceId('Microsoft.Web/connections', variables('CiscoUmbrellaInvestigateAPIConnectionName'))]",
- "connectionName": "[variables('CiscoUmbrellaInvestigateAPIConnectionName')]",
- "id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('customApis_ciscoumbrellainvestigate_name'))]"
- }
- }
- }
- }
- }
- ]
-}
\ No newline at end of file
diff --git a/Solutions/CiscoUmbrella/Playbooks/Playbooks/CiscoUmbrella-GetDomainInfo/playbook_screenshot.png b/Solutions/CiscoUmbrella/Playbooks/Playbooks/CiscoUmbrella-GetDomainInfo/playbook_screenshot.png
deleted file mode 100644
index 9d319359c53..00000000000
Binary files a/Solutions/CiscoUmbrella/Playbooks/Playbooks/CiscoUmbrella-GetDomainInfo/playbook_screenshot.png and /dev/null differ
diff --git a/Solutions/CiscoUmbrella/Playbooks/Playbooks/CiscoUmbrella-GetDomainInfo/readme.md b/Solutions/CiscoUmbrella/Playbooks/Playbooks/CiscoUmbrella-GetDomainInfo/readme.md
deleted file mode 100644
index e45a5269b2d..00000000000
--- a/Solutions/CiscoUmbrella/Playbooks/Playbooks/CiscoUmbrella-GetDomainInfo/readme.md
+++ /dev/null
@@ -1,41 +0,0 @@
-# CiscoUmbrella-GetDomainInfo
-
-## Summary
-
-When a new sentinel incident is created, this playbook gets triggered and performs the following actions
-
-1. Obtains domains from URL entities in the incident.
-2. Enriches incident with security information about domains using [Cisco Umbrella Investigate API](https://developer.cisco.com/docs/cloud-security/#!investigate-overview).
-
-
-
-### Prerequisites
-
-1. Prior to the deployment of this playbook, Cisco Umbrella Investigate API Connector needs to be deployed under the same subscription.
-2. Obtain Cisco Umbrella API credentials. Refer to Cisco Umbrella Investigate API Custom Connector documentation.
-
-### Deployment instructions
-
-1. To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
-2. Fill in the required paramteres:
- * Playbook Name: Enter the playbook name here
-
-[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FCiscoUmbrella%2FPlaybooksk%2FPlaybooks%2FCiscoUmbrella-GetDomainInfo%2Fazuredeploy.json) [![Deploy to Azure](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FCiscoUmbrella%2FPlaybooks%2FPlaybooks%2FCiscoUmbrella-GetDomainInfo%2Fazuredeploy.json)
-
-### Post-Deployment instructions
-
-#### a. Authorize connections
-
-Once deployment is complete, authorize each connection.
-
-1. Click the Microsoft Sentinel connection resource
-2. Click edit API connection
-3. Click Authorize
-4. Sign in
-5. Click Save
-6. Repeat steps for Cisco Umbrella Investigate connector API Connection. For authorizing, provide your API key in the following format: "Bearer YOUR_API_KEY".
-
-#### b. Configurations in Sentinel
-
-1. In Microsoft sentinel, analytical rules should be configured to trigger an incident. In the *Entity maping* section of the analytics rule creation workflow, malicious URL should be mapped to **Url** identitfier of the **URL** entity type. Check the [documentation](https://docs.microsoft.com/azure/sentinel/map-data-fields-to-entities) to learn more about mapping entities.
-2. Configure the automation rules to trigger the playbook.
diff --git a/Solutions/CiscoUmbrella/Playbooks/readme.md b/Solutions/CiscoUmbrella/Playbooks/readme.md deleted file mode 100644 index 965fac166bc..00000000000 --- a/Solutions/CiscoUmbrella/Playbooks/readme.md +++ /dev/null @@ -1,98 +0,0 @@ -# Cisco Umbrella Logic Apps connector and playbook templates - -drawing
- -## Table of Contents - -1. [Overview](#overview) -1. [Custom Connectors + 4 Playbook templates deployment](#deployall) -1. [Authentication](#importantnotes) -1. [Prerequisites](#prerequisites) -1. [Deployment](#deployment) -1. [Post-Deployment Steps](#postdeployment) -1. [References](#references) -1. [Known issues and limitations](#limitations) - - - -# Overview - -Cisco Umbrella is a Cloud driven Secure Internet Gateway that provides protection from Internet based threats, for users wherever they go. - - - -## Custom Connectors + 4 Playbook templates deployment - -This package includes: - -* [Logic Apps custom connector for Cisco Umbrella Enforcement API](./CiscoUmbrellaEnforcementAPIConnector) -* [Logic Apps custom connector for Cisco Umbrella Investigate API](./CiscoUmbrellaInvestigateAPIConnector) -* [Logic Apps custom connector for Cisco Umbrella Management API](./CiscoUmbrellaManagementAPIConnector) -* [Logic Apps custom connector for Cisco Umbrella Network Device Management API](./CiscoUmbrellaNetworkDeviceManagementAPIConnector) - -* These three playbook templates leverage Cisco Umbrella custom connectors: - * [Response – assign policy to identity](./Playbooks/CiscoUmbrella-AssignPolicyToIdentity) - assigns a new DNS or a web policy (provided on the playbook deplyment step) to an identity. - * [Response - block domain](./Playbooks/CiscoUmbrella-BlockDomain) - add domains to a customer's domain lists. - * [Enrichment - add security info about domain to incident](./Playbooks/CiscoUmbrella-GetDomainInfo) - collects security information about domains and post it as an incident comment. - * [Response - add IP to destination list](./Playbooks/CiscoUmbrella-AddIpToDestinationList) - sends an adaptive card to the Teams channel where the analyst can select the destionation list to add IP to. - -You can choose to deploy the whole package: connectors + all three playbook templates, or each one seperately from its specific folder. 
- -[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FCiscoUmbrella%2FPlaybooks%2Fazuredeploy.json) [![Deploy to Azure](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FCiscoUmbrella%2FPlaybooks%2Fazuredeploy.json) - -# Cisco Umbrella connectors documentation - - - -## Authentication - -Each Logic Apps Custom Connector uses different type of authentication. Check documentation for each connector. - - - -### Prerequisites in Cisco Umbrella - -Each Logic Apps Custom Connector requires different type of credentials. Check documentation for each connector. - - - -### Deployment instructions - -1. To deploy Custom Connectors and Playbooks, click the Deploy to Azure button. This will launch the ARM Template deployment wizard. -2. Fill in the required parameters for deploying Custom Connectors and Playbooks - -| Parameters | Description | -|----------------|--------------| -|**For Playbooks**| -|**CiscoUmbrella-AssignPolicyToIdentity Playbook Name** | Enter the playbook name here (e.g. CiscoUmbrella-AssignPolicyToIdentity)| -|**CiscoUmbrella-BlockDomain Playbook Name** | Enter the playbook name here (e.g. CiscoUmbrella-BlockDomain)| -|**CiscoUmbrella-GetDomainInfo Playbook Name** | Enter the playbook name here (e.g. CiscoUmbrella-GetDomainInfo)| -|**CiscoUmbrella-AddIpToDestinationList_Playbook_Name** | Enter the playbook name here (e.g. 
CiscoUmbrella-AddIpToDestinationList)| -|**PolicyId** | ID of the DNS or web policy to use in CiscoUmbrella-AssignPolicyToIdentity playbook| -|**CiscoUmbrellaOrganizationId** | Organization id in Cisco Umbrella for CiscoUmbrella-AddIpToDestinationList playbook| -|**TeamsGroupId** | Id of the Teams Group where the adaptive card will be posted for CiscoUmbrella-AddIpToDestinationList playbook| -|**TeamsChannelId** | Id of the Teams Channel where the adaptive card will be posted for CiscoUmbrella-AddIpToDestinationList playbook| - -
-
-
-### Post-Deployment instructions
-
-#### a. Authorize connections
-
-Once deployment is complete, authorize each connection.
-
-1. Click the Microsoft Sentinel connection resource
-2. Click edit API connection
-3. Click Authorize
-4. Sign in
-5. Click Save
-6. Repeat steps for CiscoUmbrella connector API Connection
-
-#### b. Configurations in Sentinel
-
-Each Playbook requires a different type of configuration. Check documentation for each Playbook.
-
-
-
-## Known Issues and Limitations
diff --git a/Solutions/CiscoUmbrella/ReleaseNotes.md b/Solutions/CiscoUmbrella/ReleaseNotes.md
index 0ef7a4b39e4..e73a5aacfa4 100644
--- a/Solutions/CiscoUmbrella/ReleaseNotes.md
+++ b/Solutions/CiscoUmbrella/ReleaseNotes.md
@@ -1,5 +1,6 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
 |-------------|--------------------------------|-------------------------------------------------------------|
+| 3.0.3 | 30-12-2024 | Update Playbooks **AddIpToDestination**, **AssignPolicyToIdentity**, **GetDomainInfo** as v1 version of CiscoUmbrella APIs are deprecated and Urls are also changed for this. **Cisco Umbrella Enforcement API has not been deprecated**. Repackage of solution. |
 | 3.0.2 | 20-09-2024 | Update **Analytic rules** for Entity mapping and missing TTP and Updated the python runtime version to 3.11 |
 | 3.0.1 | 03-05-2024 | Added Deploy to Azure Government button in **Data connector**
Fixed **Parser** issue for Parser name and ParentID mismatch|
 | 3.0.0 | 28-09-2023 | Updated **Data Connector** with step by step guidelines |