@{outputs('Create_logo')}CiscoUmbrella-BlockDomain
\nThe following domains have been added to Cisco Umbrella block destination list:
\n@{body('Create_HTML_table')}
![](\"https://github.com/Azure/Azure-Sentinel/raw/master/Solutions/CiscoUmbrella/Playbooks/cisco-logo.png\"){kind=logo}
",
+ "runAfter": {
+ "Create_HTML_table": [
+ "Succeeded"
]
- }
+ },
+ "type": "Compose"
},
- "/recommendations/name/{Domain}": {
- "get": {
- "responses": {
- "default": {
- "description": "default",
- "schema": {
- "type": "object",
- "properties": {
- "pfs2": {
- "type": "array",
- "x-ms-summary": "pfs2 array",
- "description": "Array of [domain name, scores] tuples. The values range between 0 and 1 and should not exceed 1. All co-occurences of requests from client IPs are returned for the previous seven days whether the co-occurence is suspicious or not.",
- "items": {
- "x-ms-summary": "pfs2 tuple",
- "description": "[[domain name, scores] tuple. The values range between 0 and 1 and should not exceed 1. All co-occurences of requests from client IPs are returned for the previous seven days whether the co-occurence is suspicious or not.",
- "type": "array"
- }
- },
- "found": {
- "type": "boolean",
- "description": "Returns true if results available. Nothing is returned if no results available."
- }
- }
- }
+ "Entities_-_Get_URLs": {
+ "inputs": {
+ "body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
- "summary": "Get Co-Occurrences for a Domain",
- "description": "Get Co-Occurrences for a Domain",
- "operationId": "[[variables('_operationId-GetCoOccurrencesForDomain')]",
- "parameters": [
- {
- "name": "Domain",
- "in": "path",
- "required": true,
- "type": "string"
- }
+ "method": "post",
+ "path": "/entities/url"
+ },
+ "runAfter": {
+ "Initialize_variable_blocked_domains": [
+ "Succeeded"
]
- }
+ },
+ "type": "ApiConnection"
},
- "/links/name/{Domain}": {
- "get": {
- "responses": {
- "default": {
- "description": "default",
- "schema": {
- "type": "object",
- "properties": {
- "tb1": {
- "type": "array",
- "x-ms-summary": "tb1 array",
- "description": "Array of [domain name, scores] tuples where score is the number of client IP requests to the site around the same time as the site being looked up. This is a score reflecting the number of client IPs looking up related sites within 60 seconds of the original request.",
- "items": {
- "x-ms-summary": "tb1 tuple",
- "description": "[[domain name, scores] tuples where score is the number of client IP requests to the site around the same time as the site being looked up. This is a score reflecting the number of client IPs looking up related sites within 60 seconds of the original request.",
- "type": "array"
- }
- },
- "found": {
- "type": "boolean",
- "description": "Returns true if results available. Nothing is returned if no results available."
- }
+ "For_each_URL": {
+ "actions": {
+ "Append_domain_to_blocked_domains_variable": {
+ "inputs": {
+ "name": "blocked_domains",
+ "value": "@outputs('Get_Domain_from_URL')"
+ },
+ "runAfter": {
+ "Block_domain": [
+ "Succeeded"
+ ]
+ },
+ "type": "AppendToArrayVariable"
+ },
+ "Block_domain": {
+ "inputs": {
+ "body": [
+ {
+ "alertTime": "@{utcNow()}",
+ "deviceId": "azuresentinel",
+ "deviceVersion": "13.7a",
+ "dstDomain": "@{outputs('Get_Domain_from_URL')}",
+ "dstUrl": "@{outputs('Get_Domain_from_URL')}",
+ "eventTime": "@{utcNow()}",
+ "protocolVersion": "1.0a",
+ "providerName": "Security Platform"
}
- }
- }
+ ],
+ "headers": {
+ "Accept": "application/json"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['ciscoumbrellaenforcement']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/1.0/events"
+ },
+ "runAfter": {
+ "Get_Domain_from_URL": [
+ "Succeeded"
+ ]
+ },
+ "type": "ApiConnection"
},
- "summary": "Get a list of domain names requested the same time as a specified domain",
- "description": "Get a list of domain names requested the same time as a specified domain",
- "operationId": "[[variables('_operationId-GetRelatedDomains')]",
- "parameters": [
+ "Get_Domain_from_URL": {
+ "inputs": "@split(replace(replace(items('For_each_URL')?['Url'],'http://',''), 'https://', ''), '/')[0]",
+ "type": "Compose"
+ }
+ },
+ "foreach": "@body('Entities_-_Get_URLs')?['URLs']",
+ "runAfter": {
+ "Entities_-_Get_URLs": [
+ "Succeeded"
+ ]
+ },
+ "type": "Foreach"
+ },
+ "Initialize_variable_blocked_domains": {
+ "inputs": {
+ "variables": [
{
- "name": "Domain",
- "in": "path",
- "required": true,
- "type": "string"
+ "name": "blocked_domains",
+ "type": "array"
}
]
- }
+ },
+ "type": "InitializeVariable"
}
},
- "securityDefinitions": {
- "API Key": {
- "type": "apiKey",
- "in": "header",
- "name": "Authorization"
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "$connections": {
+ "type": "Object"
}
},
- "security": [
- {
- "API Key": "[variables('TemplateEmptyArray')]"
+ "triggers": {
+ "When_Azure_Sentinel_incident_creation_rule_was_triggered": {
+ "inputs": {
+ "body": {
+ "callback_url": "@{listCallbackUrl()}"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "path": "/incident-creation"
+ },
+ "type": "ApiConnectionWebhook"
}
- ],
- "tags": "[variables('TemplateEmptyArray')]"
+ }
+ },
+ "parameters": {
+ "$connections": {
+ "value": {
+ "azuresentinel": {
+ "connectionName": "[[variables('AzureSentinelConnectionName')]",
+ "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
+ "id": "[[concat('/subscriptions/',subscription().subscriptionId, '/providers/Microsoft.Web/locations/',variables('workspace-location-inline'),'/managedApis/azuresentinel')]"
+ },
+ "ciscoumbrellaenforcement": {
+ "connectionId": "[[resourceId('Microsoft.Web/connections', variables('CiscoUmbrellaEnforcementAPIConnectionName'))]",
+ "connectionName": "[[variables('CiscoUmbrellaEnforcementAPIConnectionName')]",
+ "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('customApis_ciscoumbrellaenforcement_name'))]"
+ }
+ }
+ }
}
+ },
+ "tags": {
+ "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[[concat(variables('workspace-name'),'/Microsoft.SecurityInsights/',concat('LogicAppsCustomConnector-', last(split(variables('playbookId2'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId2'),'/'))))]",
"properties": {
- "parentId": "[[variables('playbookId2')]",
+ "parentId": "[variables('playbookId2')]",
"contentId": "[variables('_playbookContentId2')]",
- "kind": "LogicAppsCustomConnector",
+ "kind": "Playbook",
"version": "[variables('playbookVersion2')]",
"source": {
"kind": "Solution",
@@ -3797,10 +3614,46 @@
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"link": "https://support.microsoft.com/"
+ },
+ "dependencies": {
+ "criteria": [
+ {
+ "kind": "LogicAppsCustomConnector",
+ "contentId": "[variables('_EnforcementAPICustomConnector')]",
+ "version": "[variables('playbookVersion1')]"
+ }
+ ]
}
}
}
- ]
+ ],
+ "metadata": {
+ "title": "CiscoUmbrella-BlockDomain",
+ "description": "This playbook showcases an example of triggering an incident within a targeted Teams channel and opening up a ticket within Service Now. Additionally The playbook will also list playbooks that can be initiated from teams using an adaptive card and callbacks that will take action upon certain entities identified in the incident.",
+ "prerequisites": [
+ "1. ServiceNow Instance URL, Username, and password.",
+ "2. Access and authorization to enable API connectors",
+ "3. Teams Group ID, Channel ID and Alert details where the messages are to be posted in."
+ ],
+ "lastUpdateTime": "2021-06-29T10:00:00Z",
+ "entities": [
+ "Account",
+ "Url",
+ "Host"
+ ],
+ "tags": [
+ "Sync",
+ "Notification",
+ "Teams Response"
+ ],
+ "releaseNotes": {
+ "version": "1.0",
+ "title": "[variables('blanks')]",
+ "notes": [
+ "Initial version"
+ ]
+ }
+ }
},
"packageKind": "Solution",
"packageVersion": "[variables('_solutionVersion')]",
@@ -3808,8 +3661,8 @@
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
"contentId": "[variables('_playbookContentId2')]",
- "contentKind": "LogicAppsCustomConnector",
- "displayName": "CiscoUmbrellaInvestigateAPIConnector",
+ "contentKind": "Playbook",
+ "displayName": "CiscoUmbrella-BlockDomain",
"contentProductId": "[variables('_playbookcontentProductId2')]",
"id": "[variables('_playbookcontentProductId2')]",
"version": "[variables('playbookVersion2')]"
@@ -3824,1331 +3677,206 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "CiscoUmbrellaManagementAPIConnector Playbook with template version 3.0.2",
+ "description": "CiscoUmbrella-AddIpToDestinationList Playbook with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion3')]",
"parameters": {
- "customApis_CiscoUmbrellaManagementAPI_name": {
- "defaultValue": "CiscoUmbrellaManagementAPI",
- "type": "String"
+ "PlaybookName": {
+ "defaultValue": "CiscoUmbrella-AddIpToDestinationList",
+ "type": "string"
+ },
+ "TeamsGroupId": {
+ "defaultValue": "TeamsGroupIds",
+ "type": "string",
+ "metadata": {
+ "description": "Id of the Teams Group where the adaptive card will be posted."
+ }
+ },
+ "TeamsChannelId": {
+ "defaultValue": "TeamsChannelId",
+ "type": "string",
+ "metadata": {
+ "description": "Id of the Teams Channel where the adaptive card will be posted."
+ }
+ },
+ "Keyvault name": {
+ "defaultValue": "",
+ "type": "string",
+ "metadata": {
+ "description": "Enter the Key vault name where CiscoUmbrella Secrets are stored"
+ }
+ },
+ "Umbrella API ClientId Key Name": {
+ "type": "string",
+ "metadata": {
+ "description": "Enter CiscoUmbrella ClientId Key Name from Key vault"
+ }
+ },
+ "Umbrella API Secret Key Name": {
+ "type": "securestring",
+ "metadata": {
+ "description": "Enter CiscoUmbrella Secret Key Name from Key vault"
+ }
+ },
+ "Host End Point": {
+ "type": "string",
+ "defaultValue": "api.umbrella.com",
+ "metadata": {
+ "description": "Enter Host End Point(hostname) without http:// or https://"
+ }
}
},
"variables": {
- "operationId-RetrieveAllDestinationLists": "RetrieveAllDestinationLists",
- "_operationId-RetrieveAllDestinationLists": "[[variables('operationId-RetrieveAllDestinationLists')]",
- "operationId-CreateDestinationList": "CreateDestinationList",
- "_operationId-CreateDestinationList": "[[variables('operationId-CreateDestinationList')]",
- "operationId-GetDestinationList": "GetDestinationList",
- "_operationId-GetDestinationList": "[[variables('operationId-GetDestinationList')]",
- "operationId-GetDestinationsList": "GetDestinationsList",
- "_operationId-GetDestinationsList": "[[variables('operationId-GetDestinationsList')]",
- "operationId-AddDestinations": "AddDestinations",
- "_operationId-AddDestinations": "[[variables('operationId-AddDestinations')]",
- "operationId-DeleteDestinations": "DeleteDestinations",
- "_operationId-DeleteDestinations": "[[variables('operationId-DeleteDestinations')]",
+ "MicrosoftSentinelConnectionName": "[[concat('azuresentinel-', parameters('PlaybookName'))]",
+ "TeamsConnectionName": "[[concat('teams-', parameters('PlaybookName'))]",
+ "KeyvaultConnectionName": "[[concat('Keyvault-', parameters('PlaybookName'))]",
+ "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
+ "_connection-2": "[[variables('connection-2')]",
+ "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/teams')]",
+ "_connection-3": "[[variables('connection-3')]",
+ "connection-4": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/keyvault')]",
+ "_connection-4": "[[variables('connection-4')]",
"workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
- "playbookContentId3": "CiscoUmbrellaManagementAPIConnector",
- "playbookId3": "[[resourceId('Microsoft.Web/customApis', parameters('customApis_CiscoUmbrellaManagementAPI_name'))]",
"workspace-name": "[parameters('workspace')]",
"workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
},
"resources": [
{
- "type": "Microsoft.Web/customApis",
- "apiVersion": "2016-06-01",
- "name": "[[parameters('customApis_CiscoUmbrellaManagementAPI_name')]",
- "location": "[[variables('workspace-location-inline')]",
"properties": {
- "connectionParameters": {
- "username": {
- "type": "securestring",
- "uiDefinition": {
- "displayName": "Key",
- "description": "The Key for this api",
- "tooltip": "Provide the Key",
- "constraints": {
- "tabIndex": 2,
- "clearText": true,
- "required": "true"
- }
+ "provisioningState": "Succeeded",
+ "state": "Enabled",
+ "definition": {
+ "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "$connections": {
+ "type": "Object"
+ },
+ "Umbrella API ClientId Key Name": {
+ "type": "string",
+ "defaultValue": "[[parameters('Umbrella API ClientId Key Name')]"
+ },
+ "Umbrella API Secret Key Name": {
+ "type": "securestring",
+ "defaultValue": "[[parameters('Umbrella API Secret Key Name')]"
+ },
+ "Host End Point": {
+ "type": "string",
+ "defaultValue": "[[parameters('Host End Point')]"
}
},
- "password": {
- "type": "securestring",
- "uiDefinition": {
- "displayName": "Secret",
- "description": "The Secret for this api",
- "tooltip": "Provide the Secret",
- "constraints": {
- "tabIndex": 3,
- "clearText": false,
- "required": "true"
+ "triggers": {
+ "When_Azure_Sentinel_incident_creation_rule_was_triggered": {
+ "type": "ApiConnectionWebhook",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
+ }
+ },
+ "body": {
+ "callback_url": "@{listCallbackUrl()}"
+ },
+ "path": "/incident-creation"
}
}
- }
- },
- "brandColor": "#FFFFFF",
- "description": "Connector for Cisco Umbrella Management API",
- "displayName": "[[parameters('customApis_CiscoUmbrellaManagementAPI_name')]",
- "iconUri": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEgAAABICAMAAABiM0N1AAABdFBMVEUAAAAA//8AgP8Aqv8AgL8AmcwAmeYAotEAldUAn98AntsAodkAnNYAn9cIotgIntoHoNsHnNwHodcHndgGotoGoNsGnNYGn9cFn9sEoNgEndkEoNoEntsEntgEoNsEn9gDn9kDoNoDn9gDoNgDn9kFn9gFntgFn9kFn9oFoNoFn9gEn9kEoNkEn9oEoNgEn9kEntkEoNoEoNkEn9kEn9kEntkEoNgEntgEn9kEn9oEntoEn9gEoNgEntkEn9kEoNkEn9oEn9oEntgDn9kDn9gDoNkDn9kFn9oFn9gFn9kFntkFn9oEn9kEntoEn9gEoNkEn9kEoNkEn9oEn9gEn9kEn9kEn9kEn9kEn9kEn9kEn9kEn9kEn9kEntkEn9kEn9kEn9kEn9oDn9kFn9kEoNkEn9kEn9kEn9kEn9kEn9oEn9kEn9kEn9kEn9kEoNkEn9kEn9gEn9kEn9kEn9kEn9kEn9kEoNkEn9kEn9kEn9kEn9n///940Z2XAAAAenRSTlMAAQIDBAUKCwwQFRsfICEiIyQmJykrLC04Ozw+P0JGSEpTVVtdaGlqbW5wcnN1dnh5e35/gIGDhIeIiYqLjI2Oj5CRkpibnKSlp6mqsLGys7q7v8DCxMfKz9DS1NXW19jZ2t7g4+To6u3u7/Dx8vP09fb3+Pn6+/z9/h6/P2sAAAABYktHRHtP0rX8AAACB0lEQVRYw+2WaVPTYBRGb9SK4oI7dd+tAiqCra1FqKIoKu4bUFQQtJY2SUna2vPr/VCSafKmpONkHMfJ86m5OXOmN3Pfm4jEiRMnTtQZKadCkfWRHkTrlMKRcg8iIALkvxRlKsM+yq10RTLVW6qohuETuZWuSA1zi7+r/uiKBLb4z4jyxt0wUd5Ih4jyRlps7DCRjRUisrG26khpoOsdIDqR5bRmUvPhTsVFan7EKdjYMq5n2zdHK/5H6lRcJF31IU4hZ2TjNfJHolL4Qi71tLMv/xyOAInzV3LgftE0vjz1zMnRZz/qa28GAgg5PrtmrTw8onqG6oBvPQzqAJxQCe1eC4C68jExBKroOWA2NkUe4rZzwVWvZ78NzGeuZJc6RWW4qCUG+xXicBMac4X3gLXXI5oCHu0QkW2dogpcCCSmYeOkiKSACY+oCN93KofyHbReJgOIJWi/e17DgkdkwJx6uk83AWa2K4QJZ9rLE99rXQ8UyblvADcUwoCzIiJyB6pKa30B+yZx/iMsK0QR8iIi2gdY9IgKwEzC/7BFRPp+saEQD8A6JSLXgYJ3rG1g/mZq4mun6NKx/j2jsKIQh5rQfJF/CzQO9jCQm6VJlRh3B3LMP9rX7G6ihd0qoeXaR6SV05TDtm9y0dQ/z3aKXi1X9U9ju4IIST5ZtVYfJ+NlFydOnKjyG0KNPhWovN8UAAAAAElFTkSuQmCC",
- "backendService": {
- "serviceUrl": "https://management.api.umbrella.com"
- },
- "apiType": "Rest",
- "swagger": {
- "swagger": "2.0",
- "info": {
- "title": "Default title",
- "description": "Connector for Cisco Umbrella Management API",
- "version": "1.0"
- },
- "host": "management.api.umbrella.com",
- "basePath": "/",
- "schemes": [
- "https"
- ],
- "consumes": "[variables('TemplateEmptyArray')]",
- "produces": "[variables('TemplateEmptyArray')]",
- "paths": {
- "/v1/organizations/{organizationId}/destinationlists": {
- "get": {
- "responses": {
- "default": {
- "description": "default",
- "schema": {
- "type": "object",
- "properties": {
- "status": {
- "type": "object",
- "x-ms-summary": "Response status",
- "x-ms-visibility": "internal",
- "description": "Response status object",
- "properties": {
- "code": {
- "type": "integer",
- "format": "int32",
- "description": "code"
- },
- "text": {
- "type": "string",
- "description": "text"
- }
- }
- },
- "meta": {
- "type": "object",
- "x-ms-visibility": "internal",
- "properties": {
- "page": {
- "type": "integer",
- "format": "int32",
- "description": "page"
- },
- "limit": {
- "type": "integer",
- "format": "int32",
- "description": "limit"
- },
- "total": {
- "type": "integer",
- "format": "int32",
- "description": "total"
- }
- },
- "description": "meta"
- },
- "data": {
- "x-ms-summary": "Array of Destionation list objects",
- "description": "Array of Destionation list objects",
- "type": "array",
- "items": {
- "type": "object",
- "x-ms-summary": "Destionation list",
- "description": "Destionation list object",
- "properties": {
- "id": {
- "type": "integer",
- "format": "int32",
- "description": "Unique id of the destination list."
- },
- "organizationId": {
- "type": "integer",
- "format": "int32",
- "description": "organizationId"
- },
- "access": {
- "type": "string",
- "description": "Access can be allow or block. It defines destinationlist type."
- },
- "isGlobal": {
- "type": "boolean",
- "description": "isGlobal can be true or false. There will be only one default destination list of type allow or block for an organization."
- },
- "name": {
- "type": "string",
- "description": "Name of the destination list."
- },
- "thirdpartyCategoryId": {
- "type": "string",
- "description": "Destionation list thirdpartyCategoryId"
- },
- "createdAt": {
- "type": "string",
- "description": "Creation date."
- },
- "modifiedAt": {
- "type": "string",
- "description": "Last modified date."
- },
- "isMspDefault": {
- "type": "boolean",
- "description": "Destionation list isMspDefault"
- },
- "markedForDeletion": {
- "type": "boolean",
- "description": "Destionation list markedForDeletion"
- },
- "bundleTypeId": {
- "type": "integer",
- "format": "int32",
- "description": "Destionation list bundleTypeId"
- },
- "meta": {
- "type": "object",
- "description": "Destionation list meta info object",
- "properties": {
- "destinationCount": {
- "type": "integer",
- "format": "int32",
- "description": "Total number of destinations in a destination list."
- },
- "domainCount": {
- "type": "integer",
- "format": "int32",
- "description": "Total number of domains in a destination list. Domains are part of total destinations in a destination lists."
- },
- "urlCount": {
- "type": "integer",
- "format": "int32",
- "description": "Total number of Urls in a destination list. Urls are part of total destinations in a destination lists."
- },
- "ipv4Count": {
- "type": "integer",
- "format": "int32",
- "description": "Total number of Ip's in a destination list. Ip's are part of total destinations in a destination lists."
- },
- "applicationCount": {
- "type": "integer",
- "format": "int32",
- "description": "Total number of applications in a destination list."
- }
- }
- }
- }
- }
- }
- }
- }
- }
- },
- "summary": "Retrieve all destination lists",
- "operationId": "[[variables('_operationId-RetrieveAllDestinationLists')]",
- "description": "Retrieve all destination lists of organization",
- "parameters": [
- {
- "name": "organizationId",
- "in": "path",
- "required": true,
- "type": "integer",
- "description": "[variables('blanks')]",
- "format": "int32"
- }
- ]
- },
- "post": {
- "responses": {
- "default": {
- "description": "default",
- "schema": {
- "type": "object",
- "properties": {
- "id": {
- "type": "integer",
- "format": "int32",
- "description": "Unique id of the destination list."
- },
- "organizationId": {
- "type": "integer",
- "format": "int32",
- "description": "organizationId"
- },
- "access": {
- "type": "string",
- "description": "Access can be allow or block. It defines destinationlist type."
- },
- "isGlobal": {
- "type": "boolean",
- "description": "isGlobal can be true or false. There will be only one default destination list of type allow or block for an organization."
- },
- "name": {
- "type": "string",
- "description": "Name of the destination list."
- },
- "thirdpartyCategoryId": {
- "type": "string",
- "description": "Destionation list thirdpartyCategoryId"
- },
- "createdAt": {
- "type": "string",
- "description": "Creation date."
- },
- "modifiedAt": {
- "type": "string",
- "description": "Last modified date."
- },
- "isMspDefault": {
- "type": "boolean",
- "description": "Destionation list isMspDefault"
- },
- "markedForDeletion": {
- "type": "boolean",
- "description": "Destionation list markedForDeletion"
- },
- "bundleTypeId": {
- "type": "integer",
- "format": "int32",
- "description": "Destionation list bundleTypeId"
- },
- "meta": {
- "type": "object",
- "description": "Destionation list meta info object",
- "properties": {
- "destinationCount": {
- "type": "integer",
- "format": "int32",
- "description": "Total number of destinations in a destination list."
- },
- "domainCount": {
- "type": "integer",
- "format": "int32",
- "description": "Total number of domains in a destination list. Domains are part of total destinations in a destination lists."
- },
- "urlCount": {
- "type": "integer",
- "format": "int32",
- "description": "Total number of Urls in a destination list. Urls are part of total destinations in a destination lists."
- },
- "ipv4Count": {
- "type": "integer",
- "format": "int32",
- "description": "Total number of Ip's in a destination list. Ip's are part of total destinations in a destination lists."
- },
- "applicationCount": {
- "type": "integer",
- "format": "int32",
- "description": "Total number of applications in a destination list."
- }
- }
- }
- }
- }
- }
- },
- "summary": "Create destination list",
- "operationId": "[[variables('_operationId-CreateDestinationList')]",
- "description": "Create destination list",
- "parameters": [
- {
- "name": "organizationId",
- "in": "path",
- "required": true,
- "type": "string"
- },
- {
- "name": "body",
- "in": "body",
- "required": true,
- "schema": {
- "type": "object",
- "properties": {
- "destinations": {
- "type": "array",
- "items": {
- "type": "object",
- "properties": {
- "type": {
- "type": "string",
- "description": "Type can be DOMAIN, URL, IPV4",
- "title": "type",
- "enum": [
- "DOMAIN",
- "URL",
- "IPV4"
- ]
- },
- "destination": {
- "type": "string",
- "description": "Destination can be domain, url, ip",
- "title": "destination"
- },
- "comment": {
- "type": "string",
- "description": "[variables('blanks')]",
- "title": "comment"
- }
- },
- "required": [
- "destination",
- "type"
- ]
- },
- "description": "destinations"
- },
- "access": {
- "type": "string",
- "description": "Access can be allow or block. It defines destinationlist type.",
- "title": "access",
- "enum": [
- "allow",
- "block"
- ]
- },
- "isGlobal": {
- "type": "boolean",
- "description": "isGlobal can be true or false. There will be only one default destination list of type allow or block for an organization.",
- "title": "isGlobal",
- "enum": [
- "",
- true,
- false
- ]
- },
- "name": {
- "type": "string",
- "description": "[variables('blanks')]",
- "title": "name"
- }
- },
- "required": [
- "access",
- "destinations",
- "isGlobal",
- "name"
- ]
- }
- }
- ]
- }
- },
- "/v1/organizations/{organizationId}/destinationlists/{destinationListId}": {
- "get": {
- "responses": {
- "default": {
- "description": "default",
- "schema": {
- "type": "object",
- "properties": {
- "status": {
- "type": "object",
- "x-ms-summary": "Response status",
- "x-ms-visibility": "internal",
- "description": "Response status object",
- "properties": {
- "code": {
- "type": "integer",
- "format": "int32",
- "description": "code"
- },
- "text": {
- "type": "string",
- "description": "text"
- }
- }
- },
- "data": {
- "type": "object",
- "x-ms-summary": "Destionation list",
- "description": "Destionation list object",
- "properties": {
- "id": {
- "type": "integer",
- "format": "int32",
- "description": "Unique id of the destination list."
- },
- "organizationId": {
- "type": "integer",
- "format": "int32",
- "description": "organizationId"
- },
- "access": {
- "type": "string",
- "description": "Access can be allow or block. It defines destinationlist type."
- },
- "isGlobal": {
- "type": "boolean",
- "description": "isGlobal can be true or false. There will be only one default destination list of type allow or block for an organization."
- },
- "name": {
- "type": "string",
- "description": "Name of the destination list."
- },
- "thirdpartyCategoryId": {
- "type": "string",
- "description": "Destionation list thirdpartyCategoryId"
- },
- "createdAt": {
- "type": "string",
- "description": "Creation date."
- },
- "modifiedAt": {
- "type": "string",
- "description": "Last modified date."
- },
- "isMspDefault": {
- "type": "boolean",
- "description": "Destionation list isMspDefault"
- },
- "markedForDeletion": {
- "type": "boolean",
- "description": "Destionation list markedForDeletion"
- },
- "bundleTypeId": {
- "type": "integer",
- "format": "int32",
- "description": "Destionation list bundleTypeId"
- },
- "meta": {
- "type": "object",
- "description": "Destionation list meta info object",
- "properties": {
- "destinationCount": {
- "type": "integer",
- "format": "int32",
- "description": "Total number of destinations in a destination list."
- },
- "domainCount": {
- "type": "integer",
- "format": "int32",
- "description": "Total number of domains in a destination list. Domains are part of total destinations in a destination lists."
- },
- "urlCount": {
- "type": "integer",
- "format": "int32",
- "description": "Total number of Urls in a destination list. Urls are part of total destinations in a destination lists."
- },
- "ipv4Count": {
- "type": "integer",
- "format": "int32",
- "description": "Total number of Ip's in a destination list. Ip's are part of total destinations in a destination lists."
- },
- "applicationCount": {
- "type": "integer",
- "format": "int32",
- "description": "Total number of applications in a destination list."
- }
- }
- }
- }
- }
- }
- }
- }
- },
- "summary": "Get a destination list",
- "operationId": "[[variables('_operationId-GetDestinationList')]",
- "description": "Get a destination list by id",
- "parameters": [
- {
- "name": "organizationId",
- "in": "path",
- "required": true,
- "type": "string"
- },
- {
- "name": "destinationListId",
- "in": "path",
- "required": true,
- "type": "string"
- }
- ]
- }
- },
- "/v1/organizations/{organizationId}/destinationlists/{destinationListId}/destinations": {
- "get": {
- "responses": {
- "default": {
- "description": "default",
- "schema": {
- "type": "object",
- "properties": {
- "status": {
- "x-ms-visibility": "internal",
- "type": "object",
- "properties": {
- "code": {
- "type": "integer",
- "format": "int32",
- "description": "code"
- },
- "text": {
- "type": "string",
- "description": "text"
- }
- },
- "description": "status"
- },
- "meta": {
- "type": "object",
- "x-ms-visibility": "internal",
- "properties": {
- "page": {
- "type": "integer",
- "format": "int32",
- "description": "page"
- },
- "limit": {
- "type": "integer",
- "format": "int32",
- "description": "limit"
- },
- "total": {
- "type": "integer",
- "format": "int32",
- "description": "total"
- }
- },
- "description": "meta"
- },
- "data": {
- "type": "array",
- "x-ms-summary": "Destinations",
- "description": "array of Destination objects",
- "items": {
- "type": "object",
- "x-ms-summary": "Destination",
- "description": "Destination object",
- "properties": {
- "id": {
- "type": "string",
- "description": "Unique id of the destination"
- },
- "destination": {
- "type": "string",
- "x-ms-summary": "value",
- "description": "Destination value"
- },
- "type": {
- "type": "string",
- "description": "Type can be DOMAIN, URL, IPV4"
- },
- "comment": {
- "type": "string",
- "description": "Destination comment"
- },
- "createdAt": {
- "type": "string",
- "description": "Creation date of destination"
- }
- }
- }
- }
- }
- }
- }
- },
- "summary": "Get list of destinations related to destination list",
- "operationId": "[[variables('_operationId-GetDestinationsList')]",
- "parameters": [
- {
- "name": "organizationId",
- "in": "path",
- "required": true,
- "type": "string"
- },
- {
- "name": "destinationListId",
- "in": "path",
- "required": true,
- "type": "string"
- }
- ],
- "description": "Get list of destinations related to destination list"
- },
- "post": {
- "responses": {
- "default": {
- "description": "default"
- }
- },
- "summary": "Add list of destinations to destination list",
- "description": "Add list of destinations to destination list",
- "operationId": "[[variables('_operationId-AddDestinations')]",
- "parameters": [
- {
- "name": "organizationId",
- "in": "path",
- "required": true,
- "type": "string"
- },
- {
- "name": "destinationListId",
- "in": "path",
- "required": true,
- "type": "string"
- },
- {
- "name": "body",
- "in": "body",
- "required": true,
- "schema": {
- "type": "array",
- "items": {
- "type": "object",
- "properties": {
- "destination": {
- "type": "string",
- "description": "name of the destination",
- "title": "destination"
- },
- "comment": {
- "type": "string",
- "description": "comment for destination",
- "title": "comment"
- }
- },
- "required": [
- "destination"
- ]
- },
- "required": [
- "items"
- ]
- }
- }
- ]
- }
- },
- "/v1/organizations/{organizationId}/destinationlists/{destinationListId}/destinations/remove": {
- "delete": {
- "responses": {
- "default": {
- "description": "default"
- }
- },
- "summary": "Delete list of destinations from destination list",
- "operationId": "[[variables('_operationId-DeleteDestinations')]",
- "parameters": [
- {
- "name": "organizationId",
- "in": "path",
- "required": true,
- "type": "string"
- },
- {
- "name": "destinationListId",
- "in": "path",
- "required": true,
- "type": "string"
- },
- {
- "name": "body",
- "in": "body",
- "required": true,
- "schema": {
- "type": "array",
- "items": {
- "type": "integer",
- "format": "int32",
- "description": "Destination id"
- }
- }
- }
- ],
- "description": "Delete list of destinations from destination list"
- }
- }
- },
- "securityDefinitions": {
- "basic_auth": {
- "type": "basic"
- }
- },
- "security": [
- {
- "basic_auth": "[variables('TemplateEmptyArray')]"
- }
- ],
- "tags": "[variables('TemplateEmptyArray')]"
- }
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
- "name": "[[concat(variables('workspace-name'),'/Microsoft.SecurityInsights/',concat('LogicAppsCustomConnector-', last(split(variables('playbookId3'),'/'))))]",
- "properties": {
- "parentId": "[[variables('playbookId3')]",
- "contentId": "[variables('_playbookContentId3')]",
- "kind": "LogicAppsCustomConnector",
- "version": "[variables('playbookVersion3')]",
- "source": {
- "kind": "Solution",
- "name": "CiscoUmbrella",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Microsoft",
- "email": "[variables('_email')]"
- },
- "support": {
- "tier": "Microsoft",
- "name": "Microsoft Corporation",
- "email": "support@microsoft.com",
- "link": "https://support.microsoft.com/"
- }
- }
- }
- ]
- },
- "packageKind": "Solution",
- "packageVersion": "[variables('_solutionVersion')]",
- "packageName": "[variables('_solutionName')]",
- "packageId": "[variables('_solutionId')]",
- "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_playbookContentId3')]",
- "contentKind": "LogicAppsCustomConnector",
- "displayName": "CiscoUmbrellaManagementAPIConnector",
- "contentProductId": "[variables('_playbookcontentProductId3')]",
- "id": "[variables('_playbookcontentProductId3')]",
- "version": "[variables('playbookVersion3')]"
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
- "apiVersion": "2023-04-01-preview",
- "name": "[variables('playbookTemplateSpecName4')]",
- "location": "[parameters('workspace-location')]",
- "dependsOn": [
- "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
- ],
- "properties": {
- "description": "CiscoUmbrellaNetworkDeviceManagementAPIConnector Playbook with template version 3.0.2",
- "mainTemplate": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('playbookVersion4')]",
- "parameters": {
- "customApis_CiscoUmbrellaNetworkDeviceManagementAPI_name": {
- "defaultValue": "CiscoUmbrellaNetworkDeviceManagementAPI",
- "type": "String"
- }
- },
- "variables": {
- "operationId-GetOrganizationId": "GetOrganizationId",
- "_operationId-GetOrganizationId": "[[variables('operationId-GetOrganizationId')]",
- "operationId-ListAllPoliciesOnDevice": "ListAllPoliciesOnDevice",
- "_operationId-ListAllPoliciesOnDevice": "[[variables('operationId-ListAllPoliciesOnDevice')]",
- "operationId-DeleteIdentityFromPolicy": "DeleteIdentityFromPolicy",
- "_operationId-DeleteIdentityFromPolicy": "[[variables('operationId-DeleteIdentityFromPolicy')]",
- "operationId-AssignPolicyToIdentity": "AssignPolicyToIdentity",
- "_operationId-AssignPolicyToIdentity": "[[variables('operationId-AssignPolicyToIdentity')]",
- "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
- "playbookContentId4": "CiscoUmbrellaNetworkDeviceManagementAPIConnector",
- "playbookId4": "[[resourceId('Microsoft.Web/customApis', parameters('customApis_CiscoUmbrellaNetworkDeviceManagementAPI_name'))]",
- "workspace-name": "[parameters('workspace')]",
- "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
- },
- "resources": [
- {
- "type": "Microsoft.Web/customApis",
- "apiVersion": "2016-06-01",
- "name": "[[parameters('customApis_CiscoUmbrellaNetworkDeviceManagementAPI_name')]",
- "location": "[[variables('workspace-location-inline')]",
- "properties": {
- "connectionParameters": {
- "username": {
- "type": "securestring",
- "uiDefinition": {
- "displayName": "Key",
- "description": "The Key for this api",
- "tooltip": "Provide the Key",
- "constraints": {
- "tabIndex": 2,
- "clearText": true,
- "required": "true"
- }
- }
- },
- "password": {
- "type": "securestring",
- "uiDefinition": {
- "displayName": "Secret",
- "description": "The Secret for this api",
- "tooltip": "Provide the Secret",
- "constraints": {
- "tabIndex": 3,
- "clearText": false,
- "required": "true"
- }
- }
- }
- },
- "brandColor": "#FFFFFF",
- "description": "Connector for Cisco Umbrella Network Device Management API",
- "displayName": "[[parameters('customApis_CiscoUmbrellaNetworkDeviceManagementAPI_name')]",
- "iconUri": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEgAAABICAMAAABiM0N1AAABdFBMVEUAAAAA//8AgP8Aqv8AgL8AmcwAmeYAotEAldUAn98AntsAodkAnNYAn9cIotgIntoHoNsHnNwHodcHndgGotoGoNsGnNYGn9cFn9sEoNgEndkEoNoEntsEntgEoNsEn9gDn9kDoNoDn9gDoNgDn9kFn9gFntgFn9kFn9oFoNoFn9gEn9kEoNkEn9oEoNgEn9kEntkEoNoEoNkEn9kEn9kEntkEoNgEntgEn9kEn9oEntoEn9gEoNgEntkEn9kEoNkEn9oEn9oEntgDn9kDn9gDoNkDn9kFn9oFn9gFn9kFntkFn9oEn9kEntoEn9gEoNkEn9kEoNkEn9oEn9gEn9kEn9kEn9kEn9kEn9kEn9kEn9kEn9kEn9kEntkEn9kEn9kEn9kEn9oDn9kFn9kEoNkEn9kEn9kEn9kEn9kEn9oEn9kEn9kEn9kEn9kEoNkEn9kEn9gEn9kEn9kEn9kEn9kEn9kEoNkEn9kEn9kEn9kEn9n///940Z2XAAAAenRSTlMAAQIDBAUKCwwQFRsfICEiIyQmJykrLC04Ozw+P0JGSEpTVVtdaGlqbW5wcnN1dnh5e35/gIGDhIeIiYqLjI2Oj5CRkpibnKSlp6mqsLGys7q7v8DCxMfKz9DS1NXW19jZ2t7g4+To6u3u7/Dx8vP09fb3+Pn6+/z9/h6/P2sAAAABYktHRHtP0rX8AAACB0lEQVRYw+2WaVPTYBRGb9SK4oI7dd+tAiqCra1FqKIoKu4bUFQQtJY2SUna2vPr/VCSafKmpONkHMfJ86m5OXOmN3Pfm4jEiRMnTtQZKadCkfWRHkTrlMKRcg8iIALkvxRlKsM+yq10RTLVW6qohuETuZWuSA1zi7+r/uiKBLb4z4jyxt0wUd5Ih4jyRlps7DCRjRUisrG26khpoOsdIDqR5bRmUvPhTsVFan7EKdjYMq5n2zdHK/5H6lRcJF31IU4hZ2TjNfJHolL4Qi71tLMv/xyOAInzV3LgftE0vjz1zMnRZz/qa28GAgg5PrtmrTw8onqG6oBvPQzqAJxQCe1eC4C68jExBKroOWA2NkUe4rZzwVWvZ78NzGeuZJc6RWW4qCUG+xXicBMac4X3gLXXI5oCHu0QkW2dogpcCCSmYeOkiKSACY+oCN93KofyHbReJgOIJWi/e17DgkdkwJx6uk83AWa2K4QJZ9rLE99rXQ8UyblvADcUwoCzIiJyB6pKa30B+yZx/iMsK0QR8iIi2gdY9IgKwEzC/7BFRPp+saEQD8A6JSLXgYJ3rG1g/mZq4mun6NKx/j2jsKIQh5rQfJF/CzQO9jCQm6VJlRh3B3LMP9rX7G6ihd0qoeXaR6SV05TDtm9y0dQ/z3aKXi1X9U9ju4IIST5ZtVYfJ+NlFydOnKjyG0KNPhWovN8UAAAAAElFTkSuQmCC",
- "backendService": {
- "serviceUrl": "https://management.api.umbrella.com"
- },
- "apiType": "Rest",
- "swagger": {
- "swagger": "2.0",
- "info": {
- "title": "CiscoUmbrellaNetworkDeviceManagementAPIConnector",
- "version": "1.0",
- "description": "Connector for Cisco Umbrella Network Device Management API"
- },
- "host": "management.api.umbrella.com",
- "basePath": "/",
- "schemes": [
- "https"
- ],
- "paths": {
- "/v1/organizations": {
- "get": {
- "responses": {
- "default": {
- "description": "default",
- "schema": {
- "type": "array",
- "items": {
- "type": "object",
- "x-ms-summary": "Organization",
- "description": "Organization object",
- "properties": {
- "organizationId": {
- "type": "integer",
- "format": "int32",
- "description": "Organization Id",
- "title": "Id"
- },
- "name": {
- "type": "string",
- "description": "Organization name",
- "title": "name"
- }
- }
- }
- }
- }
- },
- "summary": "Get organization id",
- "description": "Get organization id",
- "operationId": "[[variables('_operationId-GetOrganizationId')]",
- "parameters": "[variables('TemplateEmptyArray')]"
- }
- },
- "/v1/organizations/{organizationId}/networkdevices/{originId}/policies": {
- "get": {
- "responses": {
- "default": {
- "description": "default",
- "schema": {
- "type": "array",
- "items": {
- "type": "object",
- "x-ms-summary": "Policy",
- "description": "Policy object",
- "properties": {
- "policyId": {
- "type": "integer",
- "format": "int32",
- "description": "Policy Id",
- "title": "Id"
- },
- "name": {
- "type": "string",
- "description": "Policy name",
- "title": "name"
- },
- "priority": {
- "type": "integer",
- "format": "int32",
- "description": "Policy priority"
- },
- "isAppliedDirectly": {
- "type": "boolean",
- "description": "Policy is Applied Directly"
- },
- "isDefault": {
- "type": "boolean",
- "description": "Policy is Default"
- },
- "createdAt": {
- "type": "string",
- "description": "Policy creation date"
- }
- }
- }
- }
- }
- },
- "summary": "List all policies of a network device",
- "description": "List all policies of a network device",
- "operationId": "[[variables('_operationId-ListAllPoliciesOnDevice')]",
- "parameters": [
- {
- "name": "organizationId",
- "in": "path",
- "required": true,
- "type": "string",
- "description": "Organization Id"
- },
- {
- "name": "originId",
- "in": "path",
- "required": true,
- "type": "string",
- "description": "Device Id"
- }
- ]
- }
- },
- "/v1/organizations/{organizationId}/policies/{policyId}/identities/{originId}": {
- "delete": {
- "responses": {
- "default": {
- "description": "default"
- }
- },
- "summary": "Delete an identity from a policy",
- "description": "Delete an identity from a policy",
- "operationId": "[[variables('_operationId-DeleteIdentityFromPolicy')]",
- "parameters": [
- {
- "name": "organizationId",
- "in": "path",
- "required": true,
- "type": "string",
- "description": "Organization Id"
- },
- {
- "name": "policyId",
- "in": "path",
- "required": true,
- "type": "string",
- "description": "Policy Id"
- },
- {
- "name": "originId",
- "in": "path",
- "required": true,
- "type": "string",
- "description": "Identity Id"
- }
- ]
- },
- "put": {
- "responses": {
- "default": {
- "description": "default"
- }
- },
- "summary": "Assign a policy to an identity",
- "description": "Assign a policy to an identity",
- "operationId": "[[variables('_operationId-AssignPolicyToIdentity')]",
- "parameters": [
- {
- "name": "organizationId",
- "in": "path",
- "required": true,
- "type": "string",
- "description": "Organization Id"
- },
- {
- "name": "policyId",
- "in": "path",
- "required": true,
- "type": "string",
- "description": "Policy Id"
- },
- {
- "name": "originId",
- "in": "path",
- "required": true,
- "type": "string",
- "description": "Identity Id"
- }
- ]
- }
- }
- },
- "securityDefinitions": {
- "basic_auth": {
- "type": "basic"
- }
- },
- "security": [
- {
- "basic_auth": "[variables('TemplateEmptyArray')]"
- }
- ],
- "tags": "[variables('TemplateEmptyArray')]"
- }
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
- "name": "[[concat(variables('workspace-name'),'/Microsoft.SecurityInsights/',concat('LogicAppsCustomConnector-', last(split(variables('playbookId4'),'/'))))]",
- "properties": {
- "parentId": "[[variables('playbookId4')]",
- "contentId": "[variables('_playbookContentId4')]",
- "kind": "LogicAppsCustomConnector",
- "version": "[variables('playbookVersion4')]",
- "source": {
- "kind": "Solution",
- "name": "CiscoUmbrella",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Microsoft",
- "email": "[variables('_email')]"
- },
- "support": {
- "tier": "Microsoft",
- "name": "Microsoft Corporation",
- "email": "support@microsoft.com",
- "link": "https://support.microsoft.com/"
- }
- }
- }
- ]
- },
- "packageKind": "Solution",
- "packageVersion": "[variables('_solutionVersion')]",
- "packageName": "[variables('_solutionName')]",
- "packageId": "[variables('_solutionId')]",
- "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_playbookContentId4')]",
- "contentKind": "LogicAppsCustomConnector",
- "displayName": "CiscoUmbrellaNetworkDeviceManagementAPIConnector",
- "contentProductId": "[variables('_playbookcontentProductId4')]",
- "id": "[variables('_playbookcontentProductId4')]",
- "version": "[variables('playbookVersion4')]"
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
- "apiVersion": "2023-04-01-preview",
- "name": "[variables('playbookTemplateSpecName5')]",
- "location": "[parameters('workspace-location')]",
- "dependsOn": [
- "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
- ],
- "properties": {
- "description": "CiscoUmbrella-AddIpToDestinationList Playbook with template version 3.0.2",
- "mainTemplate": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('playbookVersion5')]",
- "parameters": {
- "PlaybookName": {
- "defaultValue": "CiscoUmbrella-AddIpToDestinationList",
- "type": "String"
- },
- "CiscoUmbrellaOrganizationId": {
- "type": "Int",
- "defaultValue": 0,
- "metadata": {
- "description": "Organization id in Cisco Umbrella."
- }
- },
- "TeamsGroupId": {
- "defaultValue": "TeamsGroupIds",
- "type": "String",
- "metadata": {
- "description": "Id of the Teams Group where the adaptive card will be posted."
- }
- },
- "TeamsChannelId": {
- "defaultValue": "TeamsChannelId",
- "type": "String",
- "metadata": {
- "description": "Id of the Teams Channel where the adaptive card will be posted."
- }
- },
- "customApis_ciscoumbrellamanagement_name": {
- "defaultValue": "CiscoUmbrellaManagementAPI",
- "type": "String"
- }
- },
- "variables": {
- "AzureSentinelConnectionName": "[[concat('azuresentinel-', parameters('PlaybookName'))]",
- "TeamsConnectionName": "[[concat('teams-', parameters('PlaybookName'))]",
- "CiscoUmbrellaManagementAPIConnectionName": "[[concat('ciscoumbrellamanagement-connection-', parameters('PlaybookName'))]",
- "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
- "_connection-1": "[[variables('connection-1')]",
- "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('customApis_ciscoumbrellamanagement_name'))]",
- "_connection-2": "[[variables('connection-2')]",
- "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/teams')]",
- "_connection-3": "[[variables('connection-3')]",
- "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
- "workspace-name": "[parameters('workspace')]",
- "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
- },
- "resources": [
- {
- "type": "Microsoft.Web/connections",
- "apiVersion": "2016-06-01",
- "name": "[[variables('AzureSentinelConnectionName')]",
- "location": "[[variables('workspace-location-inline')]",
- "properties": {
- "displayName": "[[variables('AzureSentinelConnectionName')]",
- "api": {
- "id": "[[variables('_connection-1')]"
- }
- }
- },
- {
- "type": "Microsoft.Web/connections",
- "apiVersion": "2016-06-01",
- "name": "[[variables('CiscoUmbrellaManagementAPIConnectionName')]",
- "location": "[[variables('workspace-location-inline')]",
- "kind": "V1",
- "properties": {
- "displayName": "[[variables('CiscoUmbrellaManagementAPIConnectionName')]",
- "api": {
- "id": "[[variables('_connection-2')]"
- }
- }
- },
- {
- "type": "Microsoft.Web/connections",
- "apiVersion": "2016-06-01",
- "name": "[[variables('TeamsConnectionName')]",
- "location": "[[variables('workspace-location-inline')]",
- "properties": {
- "displayName": "[[variables('TeamsConnectionName')]",
- "api": {
- "id": "[[variables('_connection-3')]"
- }
- }
- },
- {
- "type": "Microsoft.Logic/workflows",
- "apiVersion": "2017-07-01",
- "name": "[[parameters('PlaybookName')]",
- "location": "[[variables('workspace-location-inline')]",
- "dependsOn": [
- "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
- "[[resourceId('Microsoft.Web/connections', variables('CiscoUmbrellaManagementAPIConnectionName'))]"
- ],
- "properties": {
- "state": "Enabled",
- "definition": {
- "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+ },
"actions": {
"Append_to_array_variable": {
- "inputs": {
- "name": "dest_lists_array",
- "value": {
- "title": "Ignore",
- "value": 0
- }
- },
"runAfter": {
"Initialize_variable_dest_lists_array": [
"Succeeded"
]
},
- "type": "AppendToArrayVariable"
- },
- "Entities_-_Get_IPs": {
+ "type": "AppendToArrayVariable",
"inputs": {
- "body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
- "host": {
- "connection": {
- "name": "@parameters('$connections')['azuresentinel']['connectionId']"
- }
- },
- "method": "post",
- "path": "/entities/ip"
- },
- "runAfter": {
- "Append_to_array_variable": [
- "Succeeded"
- ]
- },
- "type": "ApiConnection"
+ "name": "dest_lists_array",
+ "value": {
+ "title": "Ignore",
+ "value": 0
+ }
+ }
},
"For_each_IP": {
+ "foreach": "@body('Entities_-_Get_IPs')?['IPs']",
"actions": {
"Add_IP_to_destination_list": {
"actions": {
- "Add_list_of_destinations_to_destination_list": {
- "inputs": {
- "body": [
- {
- "destination": "@{outputs('Get_IP')}"
- }
- ],
- "host": {
- "connection": {
- "name": "@parameters('$connections')['ciscoumbrellamanagement']['connectionId']"
- }
- },
- "method": "post",
- "path": "/v1/organizations/@{encodeURIComponent(variables('organization_id'))}/destinationlists/@{encodeURIComponent(body('Post_adaptive_card_and_wait_for_a_response')['data']['action_choices'])}/destinations"
- },
- "type": "ApiConnection"
- },
"Compose": {
- "inputs": "@body('Filter_array')[0]['title']",
"runAfter": {
"Filter_array": [
"Succeeded"
]
},
- "type": "Compose"
+ "type": "Compose",
+ "inputs": "@body('Filter_array')[0]['title']"
},
"Filter_array": {
- "inputs": {
- "from": "@variables('dest_lists_array')",
- "where": "@equals(string(item()['value']), body('Post_adaptive_card_and_wait_for_a_response')['data']['action_choices'])"
- },
"runAfter": {
"Set_variable_3": [
"Skipped"
]
},
- "type": "Query"
+ "type": "Query",
+ "inputs": {
+ "from": "@variables('dest_lists_array')",
+ "where": "@equals(string(item()['value']), body('Post_adaptive_card_and_wait_for_a_response')['data']['action_choices'])"
+ }
},
"Set_variable": {
- "inputs": {
- "name": "action_message",
- "value": "IP @{outputs('Get_IP')} added to \"@{outputs('Compose')}\" destination list."
- },
"runAfter": {
"Compose": [
"Succeeded"
]
},
- "type": "SetVariable"
- },
- "Set_variable_3": {
+ "type": "SetVariable",
"inputs": {
"name": "action_message",
- "value": "IP @{outputs('Get_IP')} was not added to \"\" destination lists due to Csico Umbrella API error."
- },
+ "value": "IP @{outputs('Get_IP')} added to \"@{outputs('Compose')}\" destination list."
+ }
+ },
+ "Set_variable_3": {
"runAfter": {
- "Add_list_of_destinations_to_destination_list": [
+ "HTTP_-_Add_list_of_destinations_to_destination_list": [
"TimedOut",
"Failed"
]
},
- "type": "SetVariable"
+ "type": "SetVariable",
+ "inputs": {
+ "name": "action_message",
+ "value": "IP @{outputs('Get_IP')} was not added to \"\" destination lists due to Cisco Umbrella API error."
+ }
+ },
+ "HTTP_-_Add_list_of_destinations_to_destination_list": {
+ "type": "Http",
+ "inputs": {
+ "uri": "https://@{parameters('Host End Point')}/policies/v2/destinationlists/@{encodeURIComponent(body('Post_adaptive_card_and_wait_for_a_response')['data']['action_choices'])}/destinations",
+ "method": "POST",
+ "headers": {
+ "Content-Type": "application/json",
+ "Accept": "application/json",
+ "Authorization": "Bearer @{body('Parse_JSON_-_Parse_Login_Response')?['access_token']}"
+ },
+ "body": [
+ {
+ "destination": "@{outputs('Get_IP')}"
+ }
+ ]
+ },
+ "runtimeConfiguration": {
+ "contentTransfer": {
+ "transferMode": "Chunked"
+ }
+ }
}
},
+ "runAfter": {
+ "Post_adaptive_card_and_wait_for_a_response": [
+ "Succeeded"
+ ]
+ },
"expression": {
"and": [
{
@@ -5175,35 +3903,31 @@
}
]
},
+ "type": "If"
+ },
+ "Add_comment_to_incident_(V3)": {
"runAfter": {
- "Post_adaptive_card_and_wait_for_a_response": [
+ "Get_Cisco_logo": [
"Succeeded"
]
},
- "type": "If"
- },
- "Add_comment_to_incident_(V3)": {
+ "type": "ApiConnection",
"inputs": {
- "body": {
- "incidentArmId": "@triggerBody()?['object']?['id']",
- "message": "@{outputs('Get_Cisco_logo')}CiscoUmbrella-AddIpToDestinationList
\nActions taken:
\n@{variables('action_message')}
\n@{variables('status_message')}
\n@{variables('severity_message')}
@{outputs('Get_Cisco_logo')}CiscoUmbrella-AddIpToDestinationList
\nActions taken:
\n@{variables('action_message')}
\n@{variables('status_message')}
\n@{variables('severity_message')}
![](\"https://github.com/socprime/Azure-Sentinel/raw/master/Solutions/CiscoUmbrella/Playbooks/cisco-logo.png\"){kind=logo}
",
"runAfter": {
"Update_status": [
"Succeeded"
]
},
- "type": "Compose"
+ "type": "Compose",
+ "inputs": ""
},
- "Get_IP": {
- "inputs": "@item()['address']",
+ "Post_adaptive_card_and_wait_for_a_response": {
"runAfter": {
- "Set_variable_16": [
+ "Get_IP": [
"Succeeded"
]
},
- "type": "Compose"
- },
- "Post_adaptive_card_and_wait_for_a_response": {
+ "type": "ApiConnectionWebhook",
"inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['teams']['connectionId']"
+ }
+ },
"body": {
+ "notificationUrl": "@{listCallbackUrl()}",
"body": {
"messageBody": "@{outputs('Create_body_for_adaptive_card')}",
+ "updateMessage": "Thanks for your response!",
"recipient": {
- "channelId": "@variables('TeamsChannelId')",
- "groupId": "@variables('TeamsGroupId')"
- },
- "updateMessage": "Thanks for your response!"
- },
- "notificationUrl": "@{listCallbackUrl()}"
- },
- "host": {
- "connection": {
- "name": "@parameters('$connections')['teams']['connectionId']"
+ "groupId": "@variables('TeamsGroupId')",
+ "channelId": "@variables('TeamsChannelId')"
+ }
}
},
"path": "/v1.0/teams/conversation/gatherinput/poster/Flow bot/location/@{encodeURIComponent('Channel')}/$subscriptions"
- },
- "runAfter": {
- "Get_IP": [
- "Succeeded"
- ]
- },
- "type": "ApiConnectionWebhook"
+ }
},
"Set_variable_14": {
- "inputs": {
- "name": "action_message",
- "value": "\"\""
- },
"runAfter": {
"Create_body_for_adaptive_card": [
"Succeeded"
]
},
- "type": "SetVariable"
- },
- "Set_variable_15": {
+ "type": "SetVariable",
"inputs": {
- "name": "severity_message",
+ "name": "action_message",
"value": "\"\""
- },
+ }
+ },
+ "Set_variable_15": {
"runAfter": {
"Set_variable_14": [
"Succeeded"
]
},
- "type": "SetVariable"
- },
- "Set_variable_16": {
+ "type": "SetVariable",
"inputs": {
- "name": "status_message",
+ "name": "severity_message",
"value": "\"\""
- },
+ }
+ },
+ "Set_variable_16": {
"runAfter": {
"Set_variable_15": [
"Succeeded"
]
},
- "type": "SetVariable"
+ "type": "SetVariable",
+ "inputs": {
+ "name": "status_message",
+ "value": "\"\""
+ }
},
"Update_severity": {
"actions": {
"Switch": {
"cases": {
"high_severity": {
+ "case": "high",
"actions": {
"Set_variable_2": {
- "inputs": {
- "name": "severity_message",
- "value": "Incident severity was changed to \"High\"."
- },
"runAfter": {
"Update_incident_high_severity": [
"Succeeded"
]
},
- "type": "SetVariable"
+ "type": "SetVariable",
+ "inputs": {
+ "name": "severity_message",
+ "value": "Incident severity was changed to \"High\"."
+ }
},
"Update_incident_high_severity": {
+ "type": "ApiConnection",
"inputs": {
- "body": {
- "incidentArmId": "@triggerBody()?['object']?['id']",
- "severity": "High"
- },
"host": {
"connection": {
- "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ "name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
}
},
"method": "put",
+ "body": {
+ "incidentArmId": "@triggerBody()?['object']?['id']",
+ "severity": "High"
+ },
"path": "/Incidents"
- },
- "type": "ApiConnection"
+ }
}
- },
- "case": "high"
+ }
},
"informational_severity": {
+ "case": "informational",
"actions": {
"Set_variable_4": {
- "inputs": {
- "name": "severity_message",
- "value": "Incident severity was changed to \"Informational\"."
- },
"runAfter": {
"Update_incident_informational_severity": [
"Succeeded"
]
},
- "type": "SetVariable"
+ "type": "SetVariable",
+ "inputs": {
+ "name": "severity_message",
+ "value": "Incident severity was changed to \"Informational\"."
+ }
},
"Update_incident_informational_severity": {
+ "type": "ApiConnection",
"inputs": {
- "body": {
- "incidentArmId": "@triggerBody()?['object']?['id']",
- "severity": "Informational"
- },
"host": {
"connection": {
- "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ "name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
}
},
"method": "put",
+ "body": {
+ "incidentArmId": "@triggerBody()?['object']?['id']",
+ "severity": "Informational"
+ },
"path": "/Incidents"
- },
- "type": "ApiConnection"
+ }
}
- },
- "case": "informational"
+ }
},
"low_severity": {
+ "case": "low",
"actions": {
"Set_variable_5": {
- "inputs": {
- "name": "severity_message",
- "value": "Incident severity was changed to \"Low\"."
- },
"runAfter": {
"Update_incident_low_severity": [
"Succeeded"
]
},
- "type": "SetVariable"
+ "type": "SetVariable",
+ "inputs": {
+ "name": "severity_message",
+ "value": "Incident severity was changed to \"Low\"."
+ }
},
"Update_incident_low_severity": {
+ "type": "ApiConnection",
"inputs": {
- "body": {
- "incidentArmId": "@triggerBody()?['object']?['id']",
- "severity": "Low"
- },
"host": {
"connection": {
- "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ "name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
}
},
"method": "put",
+ "body": {
+ "incidentArmId": "@triggerBody()?['object']?['id']",
+ "severity": "Low"
+ },
"path": "/Incidents"
- },
- "type": "ApiConnection"
+ }
}
- },
- "case": "low"
+ }
},
"medium_severity": {
+ "case": "medium",
"actions": {
"Set_variable_6": {
- "inputs": {
- "name": "severity_message",
- "value": "Incident severity was changed to \"Medium\"."
- },
"runAfter": {
"Update_incident_medium_severity": [
"Succeeded"
]
},
- "type": "SetVariable"
+ "type": "SetVariable",
+ "inputs": {
+ "name": "severity_message",
+ "value": "Incident severity was changed to \"Medium\"."
+ }
},
"Update_incident_medium_severity": {
+ "type": "ApiConnection",
"inputs": {
- "body": {
- "incidentArmId": "@triggerBody()?['object']?['id']",
- "severity": "Medium"
- },
"host": {
"connection": {
- "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ "name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
}
},
"method": "put",
+ "body": {
+ "incidentArmId": "@triggerBody()?['object']?['id']",
+ "severity": "Medium"
+ },
"path": "/Incidents"
- },
- "type": "ApiConnection"
+ }
}
- },
- "case": "medium"
+ }
}
},
"expression": "@body('Post_adaptive_card_and_wait_for_a_response')['data']['severity_choices']",
"type": "Switch"
}
},
+ "runAfter": {
+ "Add_IP_to_destination_list": [
+ "Succeeded"
+ ]
+ },
"expression": {
"and": [
{
@@ -5576,11 +4295,6 @@
}
]
},
- "runAfter": {
- "Add_IP_to_destination_list": [
- "Succeeded"
- ]
- },
"type": "If"
},
"Update_status": {
@@ -5588,256 +4302,261 @@
"Switch_2": {
"cases": {
"Case": {
+ "case": "new",
"actions": {
"Set_variable_7": {
- "inputs": {
- "name": "status_message",
- "value": "Incident status was changed to \"New\"."
- },
"runAfter": {
"Update_incident": [
"Succeeded"
]
},
- "type": "SetVariable"
+ "type": "SetVariable",
+ "inputs": {
+ "name": "status_message",
+ "value": "Incident status was changed to \"New\"."
+ }
},
"Update_incident": {
+ "type": "ApiConnection",
"inputs": {
- "body": {
- "incidentArmId": "@triggerBody()?['object']?['id']",
- "status": "New"
- },
"host": {
"connection": {
- "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ "name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
}
},
"method": "put",
+ "body": {
+ "incidentArmId": "@triggerBody()?['object']?['id']",
+ "status": "New"
+ },
"path": "/Incidents"
- },
- "type": "ApiConnection"
+ }
}
- },
- "case": "new"
+ }
},
"Case_2": {
+ "case": "active",
"actions": {
"Set_variable_8": {
- "inputs": {
- "name": "status_message",
- "value": "Incident status was changed to \"Active\"."
- },
"runAfter": {
"Update_incident_2": [
"Succeeded"
]
},
- "type": "SetVariable"
+ "type": "SetVariable",
+ "inputs": {
+ "name": "status_message",
+ "value": "Incident status was changed to \"Active\"."
+ }
},
"Update_incident_2": {
+ "type": "ApiConnection",
"inputs": {
- "body": {
- "incidentArmId": "@triggerBody()?['object']?['id']",
- "status": "Active"
- },
"host": {
"connection": {
- "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ "name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
}
},
"method": "put",
+ "body": {
+ "incidentArmId": "@triggerBody()?['object']?['id']",
+ "status": "Active"
+ },
"path": "/Incidents"
- },
- "type": "ApiConnection"
+ }
}
- },
- "case": "active"
+ }
},
"Case_3": {
+ "case": "close_tp",
"actions": {
"Set_variable_9": {
- "inputs": {
- "name": "status_message",
- "value": "Incident status was changed to \"Closed: True Positive - suspicious activity\"."
- },
"runAfter": {
"Update_incident_3": [
"Succeeded"
]
},
- "type": "SetVariable"
+ "type": "SetVariable",
+ "inputs": {
+ "name": "status_message",
+ "value": "Incident status was changed to \"Closed: True Positive - suspicious activity\"."
+ }
},
"Update_incident_3": {
+ "type": "ApiConnection",
"inputs": {
- "body": {
- "classification": {
- "ClassificationAndReason": "TruePositive - SuspiciousActivity"
- },
- "incidentArmId": "@triggerBody()?['object']?['id']",
- "status": "Closed"
- },
"host": {
"connection": {
- "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ "name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
}
},
"method": "put",
+ "body": {
+ "incidentArmId": "@triggerBody()?['object']?['id']",
+ "status": "Closed",
+ "classification": {
+ "ClassificationAndReason": "TruePositive - SuspiciousActivity"
+ }
+ },
"path": "/Incidents"
- },
- "type": "ApiConnection"
+ }
}
- },
- "case": "close_tp"
+ }
},
"Case_4": {
+ "case": "close_bp",
"actions": {
"Set_variable_10": {
- "inputs": {
- "name": "status_message",
- "value": "Incident status was changed to \"Closed: Benign Positive - suspicious but expected\"."
- },
"runAfter": {
"Update_incident_4": [
"Succeeded"
]
},
- "type": "SetVariable"
+ "type": "SetVariable",
+ "inputs": {
+ "name": "status_message",
+ "value": "Incident status was changed to \"Closed: Benign Positive - suspicious but expected\"."
+ }
},
"Update_incident_4": {
+ "type": "ApiConnection",
"inputs": {
- "body": {
- "classification": {
- "ClassificationAndReason": "BenignPositive - SuspiciousButExpected"
- },
- "incidentArmId": "@triggerBody()?['object']?['id']",
- "status": "Closed"
- },
"host": {
"connection": {
- "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ "name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
}
},
"method": "put",
+ "body": {
+ "incidentArmId": "@triggerBody()?['object']?['id']",
+ "status": "Closed",
+ "classification": {
+ "ClassificationAndReason": "BenignPositive - SuspiciousButExpected"
+ }
+ },
"path": "/Incidents"
- },
- "type": "ApiConnection"
+ }
}
- },
- "case": "close_bp"
+ }
},
"Case_5": {
+ "case": "close_fp_incorrect_logic",
"actions": {
"Set_variable_11": {
- "inputs": {
- "name": "status_message",
- "value": "Incident status was changed to \"Closed: False Positive - incorrect alert logic\"."
- },
"runAfter": {
"Update_incident_5": [
"Succeeded"
]
},
- "type": "SetVariable"
+ "type": "SetVariable",
+ "inputs": {
+ "name": "status_message",
+ "value": "Incident status was changed to \"Closed: False Positive - incorrect alert logic\"."
+ }
},
"Update_incident_5": {
+ "type": "ApiConnection",
"inputs": {
- "body": {
- "classification": {
- "ClassificationAndReason": "FalsePositive - IncorrectAlertLogic"
- },
- "incidentArmId": "@triggerBody()?['object']?['id']",
- "status": "Closed"
- },
"host": {
"connection": {
- "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ "name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
}
},
"method": "put",
+ "body": {
+ "incidentArmId": "@triggerBody()?['object']?['id']",
+ "status": "Closed",
+ "classification": {
+ "ClassificationAndReason": "FalsePositive - IncorrectAlertLogic"
+ }
+ },
"path": "/Incidents"
- },
- "type": "ApiConnection"
+ }
}
- },
- "case": "close_fp_incorrect_logic"
+ }
},
"Case_6": {
+ "case": "close_fp_inaccurate_data",
"actions": {
"Set_variable_12": {
- "inputs": {
- "name": "status_message",
- "value": "Incident status was changed to \"Closed: False Positive - inaccurate data\"."
- },
"runAfter": {
"Update_incident_6": [
"Succeeded"
]
},
- "type": "SetVariable"
+ "type": "SetVariable",
+ "inputs": {
+ "name": "status_message",
+ "value": "Incident status was changed to \"Closed: False Positive - inaccurate data\"."
+ }
},
"Update_incident_6": {
+ "type": "ApiConnection",
"inputs": {
- "body": {
- "classification": {
- "ClassificationAndReason": "FalsePositive - InaccurateData"
- },
- "incidentArmId": "@triggerBody()?['object']?['id']",
- "status": "Closed"
- },
"host": {
"connection": {
- "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ "name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
}
},
"method": "put",
+ "body": {
+ "incidentArmId": "@triggerBody()?['object']?['id']",
+ "status": "Closed",
+ "classification": {
+ "ClassificationAndReason": "FalsePositive - InaccurateData"
+ }
+ },
"path": "/Incidents"
- },
- "type": "ApiConnection"
+ }
}
- },
- "case": "close_fp_inaccurate_data"
+ }
},
"Case_7": {
+ "case": "close_undetermined",
"actions": {
"Set_variable_13": {
- "inputs": {
- "name": "status_message",
- "value": "Incident status was changed to \"Closed: Undetermined\"."
- },
"runAfter": {
"Update_incident_7": [
"Succeeded"
]
},
- "type": "SetVariable"
+ "type": "SetVariable",
+ "inputs": {
+ "name": "status_message",
+ "value": "Incident status was changed to \"Closed: Undetermined\"."
+ }
},
"Update_incident_7": {
+ "type": "ApiConnection",
"inputs": {
- "body": {
- "classification": {
- "ClassificationAndReason": "Undetermined"
- },
- "incidentArmId": "@triggerBody()?['object']?['id']",
- "status": "Closed"
- },
"host": {
"connection": {
- "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ "name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
}
},
"method": "put",
+ "body": {
+ "incidentArmId": "@triggerBody()?['object']?['id']",
+ "status": "Closed",
+ "classification": {
+ "ClassificationAndReason": "Undetermined"
+ }
+ },
"path": "/Incidents"
- },
- "type": "ApiConnection"
+ }
}
- },
- "case": "close_undetermined"
+ }
}
},
"expression": "@body('Post_adaptive_card_and_wait_for_a_response')['data']['status_choices']",
"type": "Switch"
}
},
+ "runAfter": {
+ "Update_severity": [
+ "Succeeded"
+ ]
+ },
"expression": {
"and": [
{
@@ -5856,15 +4575,18 @@
}
]
},
+ "type": "If"
+ },
+ "Get_IP": {
"runAfter": {
- "Update_severity": [
+ "Set_variable_16": [
"Succeeded"
]
},
- "type": "If"
+ "type": "Compose",
+ "inputs": "@item()['address']"
}
},
- "foreach": "@body('Entities_-_Get_IPs')?['IPs']",
"runAfter": {
"Entities_-_Get_IPs": [
"Succeeded"
@@ -5873,21 +4595,27 @@
"type": "Foreach"
},
"Get_list_of_destinations_lists_for_Teams_adaptive_card": {
+ "runAfter": {
+ "Parse_JSON_-_Parse_destination_lists": [
+ "Succeeded"
+ ]
+ },
+ "type": "Select",
"inputs": {
- "from": "@body('Retrieve_all_destination_lists')?['data']",
+ "from": "@body('Parse_JSON_-_Parse_destination_lists')?['data']",
"select": {
"title": "@item()['name']",
"value": "@item()['id']"
}
- },
+ }
+ },
+ "Initialize_variable_TeamsChannelId": {
"runAfter": {
- "Retrieve_all_destination_lists": [
+ "Initialize_variable_TeamsGroupId": [
"Succeeded"
]
},
- "type": "Select"
- },
- "Initialize_variable_TeamsChannelId": {
+ "type": "InitializeVariable",
"inputs": {
"variables": [
{
@@ -5896,15 +4624,10 @@
"value": "[[parameters('TeamsChannelId')]"
}
]
- },
- "runAfter": {
- "Initialize_variable_TeamsGroupId": [
- "Succeeded"
- ]
- },
- "type": "InitializeVariable"
+ }
},
"Initialize_variable_TeamsGroupId": {
+ "type": "InitializeVariable",
"inputs": {
"variables": [
{
@@ -5913,15 +4636,15 @@
"value": "[[parameters('TeamsGroupId')]"
}
]
- },
+ }
+ },
+ "Initialize_variable_action_message": {
"runAfter": {
- "Initialize_variable_organization_id": [
+ "Initialize_variable_TeamsChannelId": [
"Succeeded"
]
},
- "type": "InitializeVariable"
- },
- "Initialize_variable_action_message": {
+ "type": "InitializeVariable",
"inputs": {
"variables": [
{
@@ -5929,15 +4652,15 @@
"type": "string"
}
]
- },
+ }
+ },
+ "Initialize_variable_dest_lists_array": {
"runAfter": {
- "Initialize_variable_TeamsChannelId": [
+ "Get_list_of_destinations_lists_for_Teams_adaptive_card": [
"Succeeded"
]
},
- "type": "InitializeVariable"
- },
- "Initialize_variable_dest_lists_array": {
+ "type": "InitializeVariable",
"inputs": {
"variables": [
{
@@ -5946,27 +4669,15 @@
"value": "@body('Get_list_of_destinations_lists_for_Teams_adaptive_card')"
}
]
- },
+ }
+ },
+ "Initialize_variable_severity_message": {
"runAfter": {
- "Get_list_of_destinations_lists_for_Teams_adaptive_card": [
+ "Initialize_variable_action_message": [
"Succeeded"
]
},
- "type": "InitializeVariable"
- },
- "Initialize_variable_organization_id": {
- "inputs": {
- "variables": [
- {
- "name": "organization_id",
- "type": "integer",
- "value": "[[parameters('CiscoUmbrellaOrganizationId')]"
- }
- ]
- },
- "type": "InitializeVariable"
- },
- "Initialize_variable_severity_message": {
+ "type": "InitializeVariable",
"inputs": {
"variables": [
{
@@ -5974,15 +4685,15 @@
"type": "string"
}
]
- },
+ }
+ },
+ "Initialize_variable_status_message": {
"runAfter": {
- "Initialize_variable_action_message": [
+ "Initialize_variable_severity_message": [
"Succeeded"
]
},
- "type": "InitializeVariable"
- },
- "Initialize_variable_status_message": {
+ "type": "InitializeVariable",
"inputs": {
"variables": [
{
@@ -5990,90 +4701,374 @@
"type": "string"
}
]
- },
+ }
+ },
+ "Get_Client_Id": {
"runAfter": {
- "Initialize_variable_severity_message": [
+ "Initialize_variable_status_message": [
"Succeeded"
]
},
- "type": "InitializeVariable"
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['keyvault']['connectionId']"
+ }
+ },
+ "method": "get",
+ "path": "/secrets/@{encodeURIComponent(parameters('Umbrella API ClientId Key Name'))}/value"
+ },
+ "runtimeConfiguration": {
+ "secureData": {
+ "properties": [
+ "inputs",
+ "outputs"
+ ]
+ }
+ }
},
- "Retrieve_all_destination_lists": {
+ "Get_Secret": {
+ "runAfter": {
+ "Get_Client_Id": [
+ "Succeeded"
+ ]
+ },
+ "type": "ApiConnection",
"inputs": {
"host": {
"connection": {
- "name": "@parameters('$connections')['ciscoumbrellamanagement']['connectionId']"
+ "name": "@parameters('$connections')['keyvault']['connectionId']"
}
},
"method": "get",
- "path": "/v1/organizations/@{encodeURIComponent(variables('organization_id'))}/destinationlists"
+ "path": "/secrets/@{encodeURIComponent(parameters('Umbrella API Secret Key Name'))}/value"
},
+ "runtimeConfiguration": {
+ "secureData": {
+ "properties": [
+ "inputs",
+ "outputs"
+ ]
+ }
+ }
+ },
+ "HTTP_-_Generate_Login_Token": {
"runAfter": {
- "Initialize_variable_status_message": [
+ "Get_Secret": [
"Succeeded"
]
},
- "type": "ApiConnection"
- }
- },
- "contentVersion": "1.0.0.0",
- "parameters": {
- "$connections": {
- "type": "Object"
- }
- },
- "triggers": {
- "When_Azure_Sentinel_incident_creation_rule_was_triggered": {
+ "type": "Http",
"inputs": {
- "body": {
- "callback_url": "@{listCallbackUrl()}"
+ "uri": "https://@{parameters('Host End Point')}/auth/v2/token",
+ "method": "POST",
+ "headers": {
+ "Content-Type": "application/x-www-form-urlencoded"
+ },
+ "authentication": {
+ "type": "Basic",
+ "username": "@{body('Get_Client_Id')?['value']}",
+ "password": "@{body('Get_Secret')?['value']}"
+ }
+ },
+ "runtimeConfiguration": {
+ "contentTransfer": {
+ "transferMode": "Chunked"
},
+ "secureData": {
+ "properties": [
+ "inputs",
+ "outputs"
+ ]
+ }
+ }
+ },
+ "Parse_JSON_-_Parse_Login_Response": {
+ "runAfter": {
+ "HTTP_-_Generate_Login_Token": [
+ "Succeeded"
+ ]
+ },
+ "type": "ParseJson",
+ "inputs": {
+ "content": "@body('HTTP_-_Generate_Login_Token')",
+ "schema": {
+ "type": "object",
+ "properties": {
+ "token_type": {
+ "type": "string"
+ },
+ "access_token": {
+ "type": "string"
+ },
+ "expires_in": {
+ "type": "integer"
+ }
+ }
+ }
+ }
+ },
+ "HTTP_-_Retrieve_all_destination_lists": {
+ "runAfter": {
+ "Parse_JSON_-_Parse_Login_Response": [
+ "Succeeded"
+ ]
+ },
+ "type": "Http",
+ "inputs": {
+ "uri": "https://@{parameters('Host End Point')}/policies/v2/destinationlists",
+ "method": "GET",
+ "headers": {
+ "Content-Type": "application-json",
+ "Authorization": "Bearer @{body('Parse_JSON_-_Parse_Login_Response')?['access_token']}"
+ }
+ },
+ "runtimeConfiguration": {
+ "contentTransfer": {
+ "transferMode": "Chunked"
+ }
+ }
+ },
+ "Parse_JSON_-_Parse_destination_lists": {
+ "runAfter": {
+ "HTTP_-_Retrieve_all_destination_lists": [
+ "Succeeded"
+ ]
+ },
+ "type": "ParseJson",
+ "inputs": {
+ "content": "@body('HTTP_-_Retrieve_all_destination_lists')",
+ "schema": {
+ "type": "object",
+ "properties": {
+ "status": {
+ "type": "object",
+ "properties": {
+ "code": {
+ "type": "integer"
+ },
+ "text": {
+ "type": "string"
+ }
+ }
+ },
+ "meta": {
+ "type": "object",
+ "properties": {
+ "page": {
+ "type": "integer"
+ },
+ "limit": {
+ "type": "integer"
+ },
+ "total": {
+ "type": "integer"
+ }
+ }
+ },
+ "data": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "id": {
+ "type": "integer"
+ },
+ "organizationId": {
+ "type": "integer"
+ },
+ "access": {
+ "type": "string"
+ },
+ "isGlobal": {
+ "type": "boolean"
+ },
+ "name": {
+ "type": "string"
+ },
+ "createdAt": {
+ "type": "integer"
+ },
+ "modifiedAt": {
+ "type": "integer"
+ },
+ "isMspDefault": {
+ "type": "boolean"
+ },
+ "markedForDeletion": {
+ "type": "boolean"
+ },
+ "bundleTypeId": {
+ "type": "integer"
+ },
+ "meta": {
+ "type": "object",
+ "properties": {
+ "domainCount": {
+ "type": "integer"
+ },
+ "urlCount": {
+ "type": "integer"
+ },
+ "ipv4Count": {
+ "type": "integer"
+ },
+ "applicationCount": {
+ "type": "integer"
+ },
+ "destinationCount": {
+ "type": "integer"
+ }
+ }
+ }
+ },
+ "required": [
+ "id",
+ "organizationId",
+ "access",
+ "isGlobal",
+ "name",
+ "thirdpartyCategoryId",
+ "createdAt",
+ "modifiedAt",
+ "isMspDefault",
+ "markedForDeletion",
+ "bundleTypeId",
+ "meta"
+ ]
+ }
+ }
+ }
+ }
+ }
+ },
+ "Entities_-_Get_IPs": {
+ "runAfter": {
+ "Append_to_array_variable": [
+ "Succeeded"
+ ]
+ },
+ "type": "ApiConnection",
+ "inputs": {
"host": {
"connection": {
- "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ "name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
}
},
- "path": "/incident-creation"
+ "method": "post",
+ "body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
+ "path": "/entities/ip"
+ }
+ }
+ }
+ },
+ "parameters": {
+ "$connections": {
+ "value": {
+ "microsoftsentinel": {
+ "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
+ "connectionName": "[[variables('MicrosoftSentinelConnectionName')]",
+ "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
+ "connectionProperties": {
+ "authentication": {
+ "type": "ManagedServiceIdentity"
+ }
+ }
},
- "type": "ApiConnectionWebhook"
+ "teams": {
+ "connectionId": "[[resourceId('Microsoft.Web/connections', variables('TeamsConnectionName'))]",
+ "connectionName": "[[variables('TeamsConnectionName')]",
+ "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/teams')]"
+ },
+ "keyvault": {
+ "connectionId": "[[resourceId('Microsoft.Web/connections', variables('KeyvaultConnectionName'))]",
+ "connectionName": "[[variables('KeyvaultConnectionName')]",
+ "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/keyvault')]",
+ "connectionProperties": {
+ "authentication": {
+ "type": "ManagedServiceIdentity"
+ }
+ }
+ }
}
}
+ }
+ },
+ "name": "[[parameters('PlaybookName')]",
+ "type": "Microsoft.Logic/workflows",
+ "location": "[[variables('workspace-location-inline')]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "tags": {
+ "hidden-SentinelTemplateName": "CiscoUmbrella-AddIpToDestinationList",
+ "hidden-SentinelTemplateVersion": "1.0",
+ "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
+ },
+ "apiVersion": "2017-07-01",
+ "dependsOn": [
+ "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
+ "[[resourceId('Microsoft.Web/connections', variables('TeamsConnectionName'))]",
+ "[[resourceId('Microsoft.Web/connections', variables('KeyvaultConnectionName'))]"
+ ]
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[[variables('MicrosoftSentinelConnectionName')]",
+ "location": "[[variables('workspace-location-inline')]",
+ "kind": "V1",
+ "properties": {
+ "displayName": "[[variables('MicrosoftSentinelConnectionName')]",
+ "parameterValueType": "Alternative",
+ "api": {
+ "id": "[[variables('_connection-2')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[[variables('TeamsConnectionName')]",
+ "location": "[[variables('workspace-location-inline')]",
+ "kind": "V1",
+ "properties": {
+ "displayName": "[[variables('TeamsConnectionName')]",
+ "api": {
+ "id": "[[variables('_connection-3')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[[variables('KeyvaultConnectionName')]",
+ "location": "[[variables('workspace-location-inline')]",
+ "kind": "V1",
+ "properties": {
+ "displayName": "[[variables('KeyvaultConnectionName')]",
+ "parameterValueType": "Alternative",
+ "alternativeParameterValues": {
+ "vaultName": "[[parameters('keyvault name')]"
},
- "parameters": {
- "$connections": {
- "value": {
- "azuresentinel": {
- "connectionName": "[[variables('AzureSentinelConnectionName')]",
- "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
- "id": "[[concat('/subscriptions/',subscription().subscriptionId, '/providers/Microsoft.Web/locations/',variables('workspace-location-inline'),'/managedApis/azuresentinel')]"
- },
- "teams": {
- "connectionName": "[[variables('TeamsConnectionName')]",
- "connectionId": "[[resourceId('Microsoft.Web/connections', variables('TeamsConnectionName'))]",
- "id": "[[concat('/subscriptions/',subscription().subscriptionId, '/providers/Microsoft.Web/locations/',variables('workspace-location-inline'),'/managedApis/teams')]"
- },
- "ciscoumbrellamanagement": {
- "connectionId": "[[resourceId('Microsoft.Web/connections', variables('CiscoUmbrellaManagementAPIConnectionName'))]",
- "connectionName": "[[variables('CiscoUmbrellaManagementAPIConnectionName')]",
- "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('customApis_ciscoumbrellamanagement_name'))]"
- }
- }
- }
+ "nonSecretParameterValues": {
+ "vaultName": "[[parameters('keyvault name')]"
+ },
+ "api": {
+ "id": "[[variables('_connection-4')]"
}
- },
- "tags": {
- "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId5'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId3'),'/'))))]",
"properties": {
- "parentId": "[variables('playbookId5')]",
- "contentId": "[variables('_playbookContentId5')]",
+ "parentId": "[variables('playbookId3')]",
+ "contentId": "[variables('_playbookContentId3')]",
"kind": "Playbook",
- "version": "[variables('playbookVersion5')]",
+ "version": "[variables('playbookVersion3')]",
"source": {
"kind": "Solution",
"name": "CiscoUmbrella",
@@ -6088,35 +5083,26 @@
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"link": "https://support.microsoft.com/"
- },
- "dependencies": {
- "criteria": [
- {
- "kind": "LogicAppsCustomConnector",
- "contentId": "[variables('_CiscoUmbrellaManagementAPIConnector')]",
- "version": "[variables('playbookVersion3')]"
- }
- ]
}
}
}
],
"metadata": {
"title": "CiscoUmbrella-AddIpToDestinationList",
- "description": "This playbook showcases an example of triggering an incident within a targeted Teams channel and opening up a ticket within Service Now. Additionally The playbook will also list playbooks that can be initiated from teams using an adaptive card and callbacks that will take action upon certain entities identified in the incident.",
+ "description": "This playbook creates a team notification and once acted on team notification it adds the IP to Cisco Umbrella's destination list and also add's comment to incident. For more details, click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaPlaybooks/CiscoUmbrella-AddIpToDestinationList/readme.md#summary).",
"prerequisites": [
- "1. ServiceNow Instance URL, Username, and password.",
- "2. Access and authorization to enable API connectors",
- "3. Teams Group ID, Channel ID and Alert details where the messages are to be posted in."
+ "1. Login to Cisco Umbrella dashboard and navigating to Admin-->API Keys. Create New API Key if not already created and select the appropriate 'Key Scope' with Read/Write permission. Store 'Api Key' and 'Key Secret' to a safe place. This 'Api Key' is a 'Client Id' and 'Key Secret' is a 'Secret' used for this Playbook.",
+ "2. Store the 'Api Key' and 'Key Secret' from previous step to Key vault Secrets.",
+ "3. To send notification to Microsoft Teams, Teams group id and channel id is needed at the time of playbook creation."
],
- "lastUpdateTime": "2021-06-29T10:00:00Z",
+ "postDeployment": [
+ "For more details on Post Deployment Instructions, click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaPlaybooks/CiscoUmbrella-AddIpToDestinationList/readme.md#post-deployment-instructions)."
+ ],
+ "lastUpdateTime": "2024-12-16T10:00:00Z",
"entities": [
- "Account",
- "Url",
- "Host"
+ "IP"
],
"tags": [
- "Sync",
"Notification",
"Teams Response"
],
@@ -6134,142 +5120,166 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_playbookContentId5')]",
+ "contentId": "[variables('_playbookContentId3')]",
"contentKind": "Playbook",
"displayName": "CiscoUmbrella-AddIpToDestinationList",
- "contentProductId": "[variables('_playbookcontentProductId5')]",
- "id": "[variables('_playbookcontentProductId5')]",
- "version": "[variables('playbookVersion5')]"
+ "contentProductId": "[variables('_playbookcontentProductId3')]",
+ "id": "[variables('_playbookcontentProductId3')]",
+ "version": "[variables('playbookVersion3')]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('playbookTemplateSpecName6')]",
+ "name": "[variables('playbookTemplateSpecName4')]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "CiscoUmbrella-AssignPolicyToIdentity Playbook with template version 3.0.2",
+ "description": "CiscoUmbrella-AssignPolicyToIdentity Playbook with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('playbookVersion6')]",
+ "contentVersion": "[variables('playbookVersion4')]",
"parameters": {
"PlaybookName": {
"defaultValue": "CiscoUmbrella-AssignPolicyToIdentity",
- "type": "String"
+ "type": "string"
},
- "PolicyId": {
+ "CiscoUmbrellaOrganizationId": {
+ "type": "string",
"defaultValue": "",
- "type": "String"
+ "metadata": {
+ "description": "Organization Id from Cisco Umbrella."
+ }
},
- "customApis_ciscoumbrellanetworkdevicemanagement_name": {
- "defaultValue": "CiscoUmbrellaNetworkDeviceManagementAPI",
- "type": "String"
+ "CiscoUmbrellaPolicyId": {
+ "defaultValue": "",
+ "type": "string",
+ "metadata": {
+ "description": "Policy Id from Cisco Umbrella."
+ }
+ },
+ "Keyvault name": {
+ "defaultValue": "",
+ "type": "string",
+ "metadata": {
+ "description": "Enter the Key vault name where CiscoUmbrella Secrets are stored"
+ }
+ },
+ "Umbrella API ClientId Key Name": {
+ "type": "string",
+ "metadata": {
+ "description": "Enter CiscoUmbrella ClientId Key Name from Key vault"
+ }
+ },
+ "Umbrella API Secret Key Name": {
+ "type": "securestring",
+ "metadata": {
+ "description": "Enter CiscoUmbrella Secret Key Name from Key vault"
+ }
+ },
+ "Host End Point": {
+ "type": "string",
+ "defaultValue": "api.umbrella.com",
+ "metadata": {
+ "description": "Enter Host End Point(hostname) without http:// or https://"
+ }
}
},
"variables": {
- "AzureSentinelConnectionName": "[[concat('azuresentinel-', parameters('PlaybookName'))]",
- "CiscoUmbrellaNetworkDeviceManagementAPIConnectionName": "[[concat('ciscoumbrellanetworkdevice-connection-', parameters('PlaybookName'))]",
- "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
- "_connection-1": "[[variables('connection-1')]",
- "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('customApis_ciscoumbrellanetworkdevicemanagement_name'))]",
+ "MicrosoftSentinelConnectionName": "[[concat('azuresentinel-', parameters('PlaybookName'))]",
+ "KeyvaultConnectionName": "[[concat('Keyvault-', parameters('PlaybookName'))]",
+ "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
"_connection-2": "[[variables('connection-2')]",
+ "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/keyvault')]",
+ "_connection-3": "[[variables('connection-3')]",
"workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
"workspace-name": "[parameters('workspace')]",
"workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
},
"resources": [
{
- "type": "Microsoft.Web/connections",
- "apiVersion": "2016-06-01",
- "name": "[[variables('AzureSentinelConnectionName')]",
- "location": "[[variables('workspace-location-inline')]",
- "properties": {
- "displayName": "[[variables('AzureSentinelConnectionName')]",
- "api": {
- "id": "[[variables('_connection-1')]"
- }
- }
- },
- {
- "type": "Microsoft.Web/connections",
- "apiVersion": "2016-06-01",
- "name": "[[variables('CiscoUmbrellaNetworkDeviceManagementAPIConnectionName')]",
- "location": "[[variables('workspace-location-inline')]",
- "kind": "V1",
- "properties": {
- "displayName": "[[variables('CiscoUmbrellaNetworkDeviceManagementAPIConnectionName')]",
- "api": {
- "id": "[[variables('_connection-2')]"
- }
- }
- },
- {
- "type": "Microsoft.Logic/workflows",
- "apiVersion": "2017-07-01",
- "name": "[[parameters('PlaybookName')]",
- "location": "[[variables('workspace-location-inline')]",
- "dependsOn": [
- "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
- "[[resourceId('Microsoft.Web/connections', variables('CiscoUmbrellaNetworkDeviceManagementAPIConnectionName'))]"
- ],
"properties": {
+ "provisioningState": "Succeeded",
"state": "Enabled",
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
- "actions": {
- "Add_comment_to_incident_(V3)": {
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "$connections": {
+ "type": "Object"
+ },
+ "Umbrella API ClientId Key Name": {
+ "type": "string",
+ "defaultValue": "[[parameters('Umbrella API ClientId Key Name')]"
+ },
+ "Umbrella API Secret Key Name": {
+ "type": "securestring",
+ "defaultValue": "[[parameters('Umbrella API Secret Key Name')]"
+ },
+ "Host End Point": {
+ "type": "string",
+ "defaultValue": "[[parameters('Host End Point')]"
+ }
+ },
+ "triggers": {
+ "When_Azure_Sentinel_incident_creation_rule_was_triggered": {
+ "type": "ApiConnectionWebhook",
"inputs": {
- "body": {
- "incidentArmId": "@triggerBody()?['object']?['id']",
- "message": "@{outputs('Create_logo')} CiscoUmbrella-AssignPolicyToIdentity
\nThe following origin ids were assigned to policy @{variables('policyId')} for organization @{variables('organizationId')}:
\n@{body('Create_HTML_table_with_updated_origin_IDs')}
\nThe following origin ids were not assigned because of errors:
\n@{body('Create_HTML_table_with_not_updated_origin_IDs')}
@{outputs('Create_logo')} CiscoUmbrella-AssignPolicyToIdentity
\nThe following origin ids were assigned to policy @{variables('policyId')} for organization @{variables('organizationId')}:
\n@{body('Create_HTML_table_with_updated_origin_IDs')}
\nThe following origin ids were not assigned because of errors:
\n@{body('Create_HTML_table_with_not_updated_origin_IDs')}
",
"runAfter": {
"Create_HTML_table_with_not_updated_origin_IDs": [
"Succeeded"
]
},
- "type": "Compose"
+ "type": "Compose",
+ "inputs": ""
},
"For_each_alert_in_incident": {
+ "foreach": "@triggerBody()?['object']?['properties']?['Alerts']",
"actions": {
"For_each_originId": {
+ "foreach": "@body('Parse_alert_custom_details')?['originId']",
"actions": {
"Add_unique_originId_to_OriginId_array": {
"actions": {
"Append_to_array_variable": {
+ "type": "AppendToArrayVariable",
"inputs": {
"name": "originId_array",
"value": "@items('For_each_originId')"
- },
- "type": "AppendToArrayVariable"
+ }
}
},
"expression": {
@@ -6318,7 +5340,6 @@
"type": "If"
}
},
- "foreach": "@body('Parse_alert_custom_details')?['originId']",
"runAfter": {
"Parse_alert_custom_details": [
"Succeeded"
@@ -6327,6 +5348,7 @@
"type": "Foreach"
},
"Parse_alert_custom_details": {
+ "type": "ParseJson",
"inputs": {
"content": "@items('For_each_alert_in_incident')?['properties']?['additionalData']?['Custom Details']",
"schema": {
@@ -6340,59 +5362,61 @@
},
"type": "object"
}
- },
- "type": "ParseJson"
+ }
}
},
- "foreach": "@triggerBody()?['object']?['properties']?['Alerts']",
"runAfter": {
- "Set_value_for_organizationId_variable": [
+ "Parse_JSON_-_Parse_Login_Response": [
"Succeeded"
]
},
"type": "Foreach"
},
"For_each_originId_assign_policy_to_originId": {
+ "foreach": "@variables('originId_array')",
"actions": {
"Append_originId_to_not_updated_originIds_array_variable_in_case_of_error": {
- "inputs": {
- "name": "not_updated_oridinIds_array",
- "value": "@items('For_each_originId_assign_policy_to_originId')"
- },
"runAfter": {
- "Assign_a_policy_to_an_identity": [
+ "HTTP_-_Assign_a_policy_to_an_identity": [
"Failed",
"TimedOut"
]
},
- "type": "AppendToArrayVariable"
- },
- "Append_originId_to_updated_originIds_array_variable": {
+ "type": "AppendToArrayVariable",
"inputs": {
- "name": "updated_oridinIds_array",
+ "name": "not_updated_oridinIds_array",
"value": "@items('For_each_originId_assign_policy_to_originId')"
- },
+ }
+ },
+ "Append_originId_to_updated_originIds_array_variable": {
"runAfter": {
"Append_originId_to_not_updated_originIds_array_variable_in_case_of_error": [
"Skipped"
]
},
- "type": "AppendToArrayVariable"
+ "type": "AppendToArrayVariable",
+ "inputs": {
+ "name": "updated_oridinIds_array",
+ "value": "@items('For_each_originId_assign_policy_to_originId')"
+ }
},
- "Assign_a_policy_to_an_identity": {
+ "HTTP_-_Assign_a_policy_to_an_identity": {
+ "type": "Http",
"inputs": {
- "host": {
- "connection": {
- "name": "@parameters('$connections')['ciscoumbrellanetworkdevicemanagement']['connectionId']"
- }
- },
- "method": "put",
- "path": "/v1/organizations/@{encodeURIComponent(variables('organizationId'))}/policies/@{encodeURIComponent(variables('policyId'))}/identities/@{encodeURIComponent(items('For_each_originId_assign_policy_to_originId'))}"
+ "uri": "https://@{parameters('Host End Point')}/deployments/v2/policies/@{encodeURIComponent(variables('policyId'))}/identities/@{encodeURIComponent(items('For_each_originId_assign_policy_to_originId'))}",
+ "method": "PUT",
+ "headers": {
+ "Content-Type": "application-json",
+ "Authorization": "Bearer @{body('Parse_JSON_-_Parse_Login_Response')?['access_token']}"
+ }
},
- "type": "ApiConnection"
+ "runtimeConfiguration": {
+ "contentTransfer": {
+ "transferMode": "Chunked"
+ }
+ }
}
},
- "foreach": "@variables('originId_array')",
"runAfter": {
"For_each_alert_in_incident": [
"Succeeded"
@@ -6400,497 +5424,278 @@
},
"type": "Foreach"
},
- "Get_organization_id": {
- "inputs": {
- "host": {
- "connection": {
- "name": "@parameters('$connections')['ciscoumbrellanetworkdevicemanagement']['connectionId']"
- }
- },
- "method": "get",
- "path": "/v1/organizations"
- },
- "runAfter": {
- "Initialize_variable_not_updated_oridinIds_array": [
- "Succeeded"
- ]
- },
- "type": "ApiConnection"
- },
"Initialize_variable_not_updated_oridinIds_array": {
- "inputs": {
- "variables": [
- {
- "name": "not_updated_oridinIds_array",
- "type": "array"
- }
- ]
- },
"runAfter": {
- "Initialize_variable_updated_oridinIds_array": [
- "Succeeded"
- ]
- },
- "type": "InitializeVariable"
- },
- "Initialize_variable_organizationId": {
- "inputs": {
- "variables": [
- {
- "name": "organizationId",
- "type": "string"
- }
+ "Initialize_variable_updated_oridinIds_array": [
+ "Succeeded"
]
},
- "type": "InitializeVariable"
- },
- "Initialize_variable_originId_array": {
+ "type": "InitializeVariable",
"inputs": {
"variables": [
{
- "name": "originId_array",
+ "name": "not_updated_oridinIds_array",
"type": "array"
}
]
- },
- "runAfter": {
- "Initialize_variable_policyId": [
- "Succeeded"
- ]
- },
- "type": "InitializeVariable"
+ }
},
- "Initialize_variable_policyId": {
+ "Initialize_variable_organizationId": {
+ "type": "InitializeVariable",
"inputs": {
"variables": [
{
- "name": "policyId",
+ "name": "organizationId",
"type": "string",
- "value": "[[parameters('PolicyId')]"
+ "value": "[[parameters('CiscoUmbrellaOrganizationId')]"
}
]
- },
+ }
+ },
+ "Initialize_variable_originId_array": {
"runAfter": {
- "Initialize_variable_organizationId": [
+ "Initialize_variable_policyId": [
"Succeeded"
]
},
- "type": "InitializeVariable"
- },
- "Initialize_variable_updated_oridinIds_array": {
+ "type": "InitializeVariable",
"inputs": {
"variables": [
{
- "name": "updated_oridinIds_array",
+ "name": "originId_array",
"type": "array"
}
]
- },
- "runAfter": {
- "Initialize_variable_originId_array": [
- "Succeeded"
- ]
- },
- "type": "InitializeVariable"
+ }
},
- "Set_value_for_organizationId_variable": {
- "inputs": {
- "name": "organizationId",
- "value": "@{body('Get_organization_id')[0]['organizationId']}"
- },
+ "Initialize_variable_policyId": {
"runAfter": {
- "Get_organization_id": [
+ "Initialize_variable_organizationId": [
"Succeeded"
]
},
- "type": "SetVariable"
- }
- },
- "contentVersion": "1.0.0.0",
- "parameters": {
- "$connections": {
- "type": "Object"
- }
- },
- "triggers": {
- "When_Azure_Sentinel_incident_creation_rule_was_triggered": {
+ "type": "InitializeVariable",
"inputs": {
- "body": {
- "callback_url": "@{listCallbackUrl()}"
- },
- "host": {
- "connection": {
- "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ "variables": [
+ {
+ "name": "policyId",
+ "type": "string",
+ "value": "[[parameters('CiscoUmbrellaPolicyId')]"
}
- },
- "path": "/incident-creation"
- },
- "type": "ApiConnectionWebhook"
- }
- }
- },
- "parameters": {
- "$connections": {
- "value": {
- "azuresentinel": {
- "connectionName": "[[variables('AzureSentinelConnectionName')]",
- "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
- "id": "[[concat('/subscriptions/',subscription().subscriptionId, '/providers/Microsoft.Web/locations/',variables('workspace-location-inline'),'/managedApis/azuresentinel')]"
- },
- "ciscoumbrellanetworkdevicemanagement": {
- "connectionId": "[[resourceId('Microsoft.Web/connections', variables('CiscoUmbrellaNetworkDeviceManagementAPIConnectionName'))]",
- "connectionName": "[[variables('CiscoUmbrellaNetworkDeviceManagementAPIConnectionName')]",
- "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('customApis_ciscoumbrellanetworkdevicemanagement_name'))]"
+ ]
}
- }
- }
- }
- },
- "tags": {
- "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId6'),'/'))))]",
- "properties": {
- "parentId": "[variables('playbookId6')]",
- "contentId": "[variables('_playbookContentId6')]",
- "kind": "Playbook",
- "version": "[variables('playbookVersion6')]",
- "source": {
- "kind": "Solution",
- "name": "CiscoUmbrella",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Microsoft",
- "email": "[variables('_email')]"
- },
- "support": {
- "tier": "Microsoft",
- "name": "Microsoft Corporation",
- "email": "support@microsoft.com",
- "link": "https://support.microsoft.com/"
- },
- "dependencies": {
- "criteria": [
- {
- "kind": "LogicAppsCustomConnector",
- "contentId": "[variables('_CiscoUmbrellaNetworkDeviceManagementAPIConnector')]",
- "version": "[variables('playbookVersion4')]"
- }
- ]
- }
- }
- }
- ],
- "metadata": {
- "title": "CiscoUmbrella-AssignPolicyToIdentity",
- "description": "This playbook showcases an example of triggering an incident within a targeted Teams channel and opening up a ticket within Service Now. Additionally The playbook will also list playbooks that can be initiated from teams using an adaptive card and callbacks that will take action upon certain entities identified in the incident.",
- "prerequisites": [
- "1. ServiceNow Instance URL, Username, and password.",
- "2. Access and authorization to enable API connectors",
- "3. Teams Group ID, Channel ID and Alert details where the messages are to be posted in."
- ],
- "lastUpdateTime": "2021-06-29T10:00:00Z",
- "entities": [
- "Account",
- "Url",
- "Host"
- ],
- "tags": [
- "Sync",
- "Notification",
- "Teams Response"
- ],
- "releaseNotes": {
- "version": "1.0",
- "title": "[variables('blanks')]",
- "notes": [
- "Initial version"
- ]
- }
- }
- },
- "packageKind": "Solution",
- "packageVersion": "[variables('_solutionVersion')]",
- "packageName": "[variables('_solutionName')]",
- "packageId": "[variables('_solutionId')]",
- "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_playbookContentId6')]",
- "contentKind": "Playbook",
- "displayName": "CiscoUmbrella-AssignPolicyToIdentity",
- "contentProductId": "[variables('_playbookcontentProductId6')]",
- "id": "[variables('_playbookcontentProductId6')]",
- "version": "[variables('playbookVersion6')]"
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
- "apiVersion": "2023-04-01-preview",
- "name": "[variables('playbookTemplateSpecName7')]",
- "location": "[parameters('workspace-location')]",
- "dependsOn": [
- "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
- ],
- "properties": {
- "description": "CiscoUmbrella-BlockDomain Playbook with template version 3.0.2",
- "mainTemplate": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('playbookVersion7')]",
- "parameters": {
- "PlaybookName": {
- "defaultValue": "CiscoUmbrella-BlockDomain",
- "type": "String"
- },
- "customApis_ciscoumbrellaenforcement_name": {
- "defaultValue": "CiscoUmbrellaEnforcementAPI",
- "type": "String"
- }
- },
- "variables": {
- "AzureSentinelConnectionName": "[[concat('azuresentinel-', parameters('PlaybookName'))]",
- "CiscoUmbrellaEnforcementAPIConnectionName": "[[concat('ciscoumbrellaenforcement-connection-', parameters('PlaybookName'))]",
- "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
- "_connection-1": "[[variables('connection-1')]",
- "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('customApis_ciscoumbrellaenforcement_name'))]",
- "_connection-2": "[[variables('connection-2')]",
- "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
- "workspace-name": "[parameters('workspace')]",
- "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
- },
- "resources": [
- {
- "type": "Microsoft.Web/connections",
- "apiVersion": "2016-06-01",
- "name": "[[variables('AzureSentinelConnectionName')]",
- "location": "[[variables('workspace-location-inline')]",
- "properties": {
- "displayName": "[[variables('AzureSentinelConnectionName')]",
- "api": {
- "id": "[[variables('_connection-1')]"
- }
- }
- },
- {
- "type": "Microsoft.Web/connections",
- "apiVersion": "2016-06-01",
- "name": "[[variables('CiscoUmbrellaEnforcementAPIConnectionName')]",
- "location": "[[variables('workspace-location-inline')]",
- "kind": "V1",
- "properties": {
- "displayName": "[[variables('CiscoUmbrellaEnforcementAPIConnectionName')]",
- "api": {
- "id": "[[variables('_connection-2')]"
- }
- }
- },
- {
- "type": "Microsoft.Logic/workflows",
- "apiVersion": "2017-07-01",
- "name": "[[parameters('PlaybookName')]",
- "location": "[[variables('workspace-location-inline')]",
- "dependsOn": [
- "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
- "[[resourceId('Microsoft.Web/connections', variables('CiscoUmbrellaEnforcementAPIConnectionName'))]"
- ],
- "properties": {
- "state": "Enabled",
- "definition": {
- "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
- "actions": {
- "Add_comment_to_incident_(V3)": {
- "inputs": {
- "body": {
- "incidentArmId": "@triggerBody()?['object']?['id']",
- "message": "@{outputs('Create_logo')}CiscoUmbrella-BlockDomain
\nThe following domains have been added to Cisco Umbrella block destination list:
\n@{body('Create_HTML_table')}
",
+ "Get_Secret": {
"runAfter": {
- "Create_HTML_table": [
+ "Get_Client_Id": [
"Succeeded"
]
},
- "type": "Compose"
- },
- "Entities_-_Get_URLs": {
+ "type": "ApiConnection",
"inputs": {
- "body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
"host": {
"connection": {
- "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ "name": "@parameters('$connections')['keyvault']['connectionId']"
}
},
- "method": "post",
- "path": "/entities/url"
+ "method": "get",
+ "path": "/secrets/@{encodeURIComponent(parameters('Umbrella API Secret Key Name'))}/value"
},
+ "runtimeConfiguration": {
+ "secureData": {
+ "properties": [
+ "inputs",
+ "outputs"
+ ]
+ }
+ }
+ },
+ "HTTP_-_Generate_Login_Token": {
"runAfter": {
- "Initialize_variable_blocked_domains": [
+ "Get_Secret": [
"Succeeded"
]
},
- "type": "ApiConnection"
- },
- "For_each_URL": {
- "actions": {
- "Append_domain_to_blocked_domains_variable": {
- "inputs": {
- "name": "blocked_domains",
- "value": "@outputs('Get_Domain_from_URL')"
- },
- "runAfter": {
- "Block_domain": [
- "Succeeded"
- ]
- },
- "type": "AppendToArrayVariable"
- },
- "Block_domain": {
- "inputs": {
- "body": [
- {
- "alertTime": "@{utcNow()}",
- "deviceId": "azuresentinel",
- "deviceVersion": "13.7a",
- "dstDomain": "@{outputs('Get_Domain_from_URL')}",
- "dstUrl": "@{outputs('Get_Domain_from_URL')}",
- "eventTime": "@{utcNow()}",
- "protocolVersion": "1.0a",
- "providerName": "Security Platform"
- }
- ],
- "headers": {
- "Accept": "application/json"
- },
- "host": {
- "connection": {
- "name": "@parameters('$connections')['ciscoumbrellaenforcement']['connectionId']"
- }
- },
- "method": "post",
- "path": "/1.0/events"
- },
- "runAfter": {
- "Get_Domain_from_URL": [
- "Succeeded"
- ]
- },
- "type": "ApiConnection"
+ "type": "Http",
+ "inputs": {
+ "uri": "https://@{parameters('Host End Point')}/auth/v2/token",
+ "method": "POST",
+ "headers": {
+ "Content-Type": "application/x-www-form-urlencoded"
},
- "Get_Domain_from_URL": {
- "inputs": "@split(replace(replace(items('For_each_URL')?['Url'],'http://',''), 'https://', ''), '/')[0]",
- "type": "Compose"
+ "authentication": {
+ "type": "Basic",
+ "username": "@{body('Get_Client_Id')?['value']}",
+ "password": "@{body('Get_Secret')?['value']}"
}
},
- "foreach": "@body('Entities_-_Get_URLs')?['URLs']",
+ "runtimeConfiguration": {
+ "contentTransfer": {
+ "transferMode": "Chunked"
+ },
+ "secureData": {
+ "properties": [
+ "inputs",
+ "outputs"
+ ]
+ }
+ }
+ },
+ "Parse_JSON_-_Parse_Login_Response": {
"runAfter": {
- "Entities_-_Get_URLs": [
+ "HTTP_-_Generate_Login_Token": [
"Succeeded"
]
},
- "type": "Foreach"
- },
- "Initialize_variable_blocked_domains": {
- "inputs": {
- "variables": [
- {
- "name": "blocked_domains",
- "type": "array"
- }
- ]
- },
- "type": "InitializeVariable"
- }
- },
- "contentVersion": "1.0.0.0",
- "parameters": {
- "$connections": {
- "type": "Object"
- }
- },
- "triggers": {
- "When_Azure_Sentinel_incident_creation_rule_was_triggered": {
+ "type": "ParseJson",
"inputs": {
- "body": {
- "callback_url": "@{listCallbackUrl()}"
- },
- "host": {
- "connection": {
- "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ "content": "@body('HTTP_-_Generate_Login_Token')",
+ "schema": {
+ "type": "object",
+ "properties": {
+ "token_type": {
+ "type": "string"
+ },
+ "access_token": {
+ "type": "string"
+ },
+ "expires_in": {
+ "type": "integer"
+ }
}
- },
- "path": "/incident-creation"
- },
- "type": "ApiConnectionWebhook"
+ }
+ }
}
}
},
"parameters": {
"$connections": {
"value": {
- "azuresentinel": {
- "connectionName": "[[variables('AzureSentinelConnectionName')]",
- "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
- "id": "[[concat('/subscriptions/',subscription().subscriptionId, '/providers/Microsoft.Web/locations/',variables('workspace-location-inline'),'/managedApis/azuresentinel')]"
+ "microsoftsentinel": {
+ "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
+ "connectionName": "[[variables('MicrosoftSentinelConnectionName')]",
+ "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
+ "connectionProperties": {
+ "authentication": {
+ "type": "ManagedServiceIdentity"
+ }
+ }
},
- "ciscoumbrellaenforcement": {
- "connectionId": "[[resourceId('Microsoft.Web/connections', variables('CiscoUmbrellaEnforcementAPIConnectionName'))]",
- "connectionName": "[[variables('CiscoUmbrellaEnforcementAPIConnectionName')]",
- "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('customApis_ciscoumbrellaenforcement_name'))]"
+ "keyvault": {
+ "connectionId": "[[resourceId('Microsoft.Web/connections', variables('KeyvaultConnectionName'))]",
+ "connectionName": "[[variables('KeyvaultConnectionName')]",
+ "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/keyvault')]",
+ "connectionProperties": {
+ "authentication": {
+ "type": "ManagedServiceIdentity"
+ }
+ }
}
}
}
}
},
+ "name": "[[parameters('PlaybookName')]",
+ "type": "Microsoft.Logic/workflows",
+ "location": "[[variables('workspace-location-inline')]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
"tags": {
+ "hidden-SentinelTemplateName": "CiscoUmbrella-AssignPolicyToIdentity",
+ "hidden-SentinelTemplateVersion": "1.0",
"hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
+ },
+ "apiVersion": "2017-07-01",
+ "dependsOn": [
+ "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
+ "[[resourceId('Microsoft.Web/connections', variables('KeyvaultConnectionName'))]"
+ ]
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[[variables('MicrosoftSentinelConnectionName')]",
+ "location": "[[variables('workspace-location-inline')]",
+ "kind": "V1",
+ "properties": {
+ "displayName": "[[variables('MicrosoftSentinelConnectionName')]",
+ "parameterValueType": "Alternative",
+ "api": {
+ "id": "[[variables('_connection-2')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[[variables('KeyvaultConnectionName')]",
+ "location": "[[variables('workspace-location-inline')]",
+ "kind": "V1",
+ "properties": {
+ "displayName": "[[variables('KeyvaultConnectionName')]",
+ "parameterValueType": "Alternative",
+ "alternativeParameterValues": {
+ "vaultName": "[[parameters('keyvault name')]"
+ },
+ "nonSecretParameterValues": {
+ "vaultName": "[[parameters('keyvault name')]"
+ },
+ "api": {
+ "id": "[[variables('_connection-3')]"
+ }
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId7'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId4'),'/'))))]",
"properties": {
- "parentId": "[variables('playbookId7')]",
- "contentId": "[variables('_playbookContentId7')]",
+ "parentId": "[variables('playbookId4')]",
+ "contentId": "[variables('_playbookContentId4')]",
"kind": "Playbook",
- "version": "[variables('playbookVersion7')]",
+ "version": "[variables('playbookVersion4')]",
"source": {
"kind": "Solution",
"name": "CiscoUmbrella",
@@ -6905,37 +5710,24 @@
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"link": "https://support.microsoft.com/"
- },
- "dependencies": {
- "criteria": [
- {
- "kind": "LogicAppsCustomConnector",
- "contentId": "[variables('_CiscoUmbrellaEnforcementAPIConnector')]",
- "version": "[variables('playbookVersion1')]"
- }
- ]
}
}
}
],
"metadata": {
- "title": "CiscoUmbrella-BlockDomain",
- "description": "This playbook showcases an example of triggering an incident within a targeted Teams channel and opening up a ticket within Service Now. Additionally The playbook will also list playbooks that can be initiated from teams using an adaptive card and callbacks that will take action upon certain entities identified in the incident.",
+ "title": "CiscoUmbrella-AssignPolicyToIdentity",
+ "description": "This playbook provides an automated way to associate an identity to an existing policy in Cisco Umbrella. For more details, click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaPlaybooks/CiscoUmbrella-AssignPolicyToIdentity/readme.md#summary).",
"prerequisites": [
- "1. ServiceNow Instance URL, Username, and password.",
- "2. Access and authorization to enable API connectors",
- "3. Teams Group ID, Channel ID and Alert details where the messages are to be posted in."
+ "1. Login to Cisco Umbrella dashboard and navigating to Admin-->API Keys. Create New API Key if not already created and select the appropriate 'Key Scope' with Read/Write permission. Store 'Api Key' and 'Key Secret' to a safe place. This 'Api Key' is a 'Client Id' and 'Key Secret' is a 'Secret' used for this Playbook.",
+ "2. Store the 'Api Key' and 'Key Secret' from previous step to Key vault Secrets.",
+ "3. To obtain the Organization ID and Policy ID, press F12 or right-click on the page and select 'Inspect' in your browser on the Cisco Umbrella dashboard page. Then, navigate to the 'Policies' section and click on the 'All Policies' tab. Now open the 'Network' tab and search with 'policy'. Open the 'Response' tab of the request to get the Policy ID and Organization ID. For more details click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaPlaybooks/CiscoUmbrella-AssignPolicyToIdentity/readme.md#Prerequisites)"
],
- "lastUpdateTime": "2021-06-29T10:00:00Z",
- "entities": [
- "Account",
- "Url",
- "Host"
+ "postDeployment": [
+ "For more details on Post Deployment Instructions, click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaPlaybooks/CiscoUmbrella-AssignPolicyToIdentity/readme.md#post-deployment-instructions)."
],
+ "lastUpdateTime": "2024-12-18T10:00:00Z",
"tags": [
- "Sync",
- "Notification",
- "Teams Response"
+ "Notification"
],
"releaseNotes": {
"version": "1.0",
@@ -6951,288 +5743,459 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_playbookContentId7')]",
+ "contentId": "[variables('_playbookContentId4')]",
"contentKind": "Playbook",
- "displayName": "CiscoUmbrella-BlockDomain",
- "contentProductId": "[variables('_playbookcontentProductId7')]",
- "id": "[variables('_playbookcontentProductId7')]",
- "version": "[variables('playbookVersion7')]"
+ "displayName": "CiscoUmbrella-AssignPolicyToIdentity",
+ "contentProductId": "[variables('_playbookcontentProductId4')]",
+ "id": "[variables('_playbookcontentProductId4')]",
+ "version": "[variables('playbookVersion4')]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('playbookTemplateSpecName8')]",
+ "name": "[variables('playbookTemplateSpecName5')]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "CiscoUmbrella-GetDomainInfo Playbook with template version 3.0.2",
+ "description": "CiscoUmbrella-GetDomainInfo Playbook with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('playbookVersion8')]",
+ "contentVersion": "[variables('playbookVersion5')]",
"parameters": {
"PlaybookName": {
"defaultValue": "CiscoUmbrella-GetDomainInfo",
- "type": "String"
+ "type": "string"
},
- "customApis_ciscoumbrellainvestigate_name": {
- "defaultValue": "CiscoUmbrellaInvestigateAPI",
- "type": "String"
+ "Keyvault name": {
+ "defaultValue": "",
+ "type": "string",
+ "metadata": {
+ "description": "Enter the Key vault name where CiscoUmbrella Secrets are stored"
+ }
+ },
+ "Umbrella API ClientId Key Name": {
+ "type": "string",
+ "metadata": {
+ "description": "Enter CiscoUmbrella ClientId Key Name from Key vault"
+ }
+ },
+ "Umbrella API Secret Key Name": {
+ "type": "securestring",
+ "metadata": {
+ "description": "Enter CiscoUmbrella Secret Key Name from Key vault"
+ }
+ },
+ "Host End Point": {
+ "type": "string",
+ "defaultValue": "api.umbrella.com",
+ "metadata": {
+ "description": "Enter Host End Point(hostname) without http:// or https://"
+ }
}
},
"variables": {
- "AzureSentinelConnectionName": "[[concat('azuresentinel-', parameters('PlaybookName'))]",
- "CiscoUmbrellaInvestigateAPIConnectionName": "[[concat('ciscoumbrellainvestigate-connection-', parameters('PlaybookName'))]",
- "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
- "_connection-1": "[[variables('connection-1')]",
- "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('customApis_ciscoumbrellainvestigate_name'))]",
+ "MicrosoftSentinelConnectionName": "[[concat('azuresentinel-', parameters('PlaybookName'))]",
+ "KeyvaultConnectionName": "[[concat('Keyvault-', parameters('PlaybookName'))]",
+ "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
"_connection-2": "[[variables('connection-2')]",
+ "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/keyvault')]",
+ "_connection-3": "[[variables('connection-3')]",
"workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
"workspace-name": "[parameters('workspace')]",
"workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
},
"resources": [
{
- "type": "Microsoft.Web/connections",
- "apiVersion": "2016-06-01",
- "name": "[[variables('AzureSentinelConnectionName')]",
- "location": "[[variables('workspace-location-inline')]",
- "properties": {
- "displayName": "[[variables('AzureSentinelConnectionName')]",
- "api": {
- "id": "[[variables('_connection-1')]"
- }
- }
- },
- {
- "type": "Microsoft.Web/connections",
- "apiVersion": "2016-06-01",
- "name": "[[variables('CiscoUmbrellaInvestigateAPIConnectionName')]",
- "location": "[[variables('workspace-location-inline')]",
- "kind": "V1",
- "properties": {
- "displayName": "[[variables('CiscoUmbrellaInvestigateAPIConnectionName')]",
- "api": {
- "id": "[[variables('_connection-2')]"
- }
- }
- },
- {
- "type": "Microsoft.Logic/workflows",
- "apiVersion": "2017-07-01",
- "name": "[[parameters('PlaybookName')]",
- "location": "[[variables('workspace-location-inline')]",
- "dependsOn": [
- "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
- "[[resourceId('Microsoft.Web/connections', variables('CiscoUmbrellaInvestigateAPIConnectionName'))]"
- ],
"properties": {
+ "provisioningState": "Succeeded",
"state": "Enabled",
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "$connections": {
+ "type": "Object"
+ },
+ "Umbrella API ClientId Key Name": {
+ "type": "string",
+ "defaultValue": "[[parameters('Umbrella API ClientId Key Name')]"
+ },
+ "Umbrella API Secret Key Name": {
+ "type": "securestring",
+ "defaultValue": "[[parameters('Umbrella API Secret Key Name')]"
+ },
+ "Host End Point": {
+ "type": "string",
+ "defaultValue": "[[parameters('Host End Point')]"
+ }
+ },
+ "triggers": {
+ "When_Azure_Sentinel_incident_creation_rule_was_triggered": {
+ "type": "ApiConnectionWebhook",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
+ }
+ },
+ "body": {
+ "callback_url": "@{listCallbackUrl()}"
+ },
+ "path": "/incident-creation"
+ }
+ }
+ },
"actions": {
"Entities_-_Get_URLs": {
+ "type": "ApiConnection",
"inputs": {
- "body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
"host": {
"connection": {
- "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ "name": "@parameters('$connections')['microsoftsentinel']['connectionId']"
}
},
"method": "post",
+ "body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
"path": "/entities/url"
- },
- "type": "ApiConnection"
+ }
},
"For_each_URL": {
+ "foreach": "@body('Entities_-_Get_URLs')?['URLs']",
"actions": {
"Add_comment_to_incident_(V3)": {
- "inputs": {
- "body": {
- "incidentArmId": "@triggerBody()?['object']?['id']",
- "message": "@{outputs('Get_logo')} CiscoUmbrella-GetDomainInfo
\nRisk score for domain @{outputs('Get_domain_from_URL')} is @{body('Get_Risk_score_for_a_domain')?['risk_score']}.
\nRisk score indicators:
\n@{body('Create_HTML_table_with_security_indicators')}
\n
\n
@{outputs('Get_logo')} CiscoUmbrella-GetDomainInfo
\nSecurity data for @{outputs('Get_domain_from_URL')} (part 1) :
\ndga_score: @{body('Get_domain_security_data')?['dga_score']}
\nDomain Generation Algorithm. This score is generated based on the likeliness of the domain name being generated by an algorithm rather than a human. This algorithm is designed to identify domains which have been created using an automated randomization strategy, which is a common evasion technique in malware kits or botnets. This score ranges from -100 (suspicious) to 0 (benign).
\nperplexity: @{body('Get_domain_security_data')?['perplexity']}
\nA second score on the likeliness of the name to be algorithmically generated, on a scale from 0 to 100. This score is to be used in conjunction with DGA.
\nentropy: @{body('Get_domain_security_data')?['entropy']}
\nThe number of bits required to encode the domain name, as a score. This score is to be used in conjunction with DGA and Perplexity.
\nsecurerank2: @{body('Get_domain_security_data')?['securerank2']}
\nSuspicious rank for a domain that reviews based on the lookup behavior of client IP for the domain. Securerank is designed to identify hostnames requested by known infected clients but never requested by clean clients, assuming these domains are more likely to be bad. Scores returned range from -100 (suspicious) to 100 (benign).
\n
@{outputs('Get_logo')} CiscoUmbrella-GetDomainInfo
Risk score for domain @{outputs('Get_domain_from_URL')} is @{body('HTTP_-_Get_Risk_score_for_a_domain')?['risk_score']}.
Risk score indicators:
@{body('Create_HTML_table_with_security_indicators')}
@{outputs('Get_logo')} CiscoUmbrella-GetDomainInfo
\nSecurity data for @{outputs('Get_domain_from_URL')} (part 2):
\npagerank: @{body('Get_domain_security_data')?['pagerank']}
\nPopularity according to Google's pagerank algorithm.
\nasn_score: @{body('Get_domain_security_data')?['asn_score']}
\nASN reputation score, ranges from -100 to 0 with -100 being very suspicious.
\nprefix_score: @{body('Get_domain_security_data')?['prefix_score']}
\nPrefix ranks domains given their IP prefixes (first three octets in IP) and the reputation score of these prefixes. Ranges from -100 to 0, -100 being very suspicious.
\nrip_score: @{body('Get_domain_security_data')?['rip_score']}
\nRIP ranks domains given their IP addresses and the reputation score of these IP addresses. Ranges from -100 to 0, -100 being very suspicious.
\npopularity: @{body('Get_domain_security_data')?['popularity']}
\nThe number of unique client IPs visiting this site, relative to the all requests to all sites.
\ngeoscore: @{body('Get_domain_security_data')?['geoscore']}
\nA score that represents how far the different physical locations serving this name are from each other.
\nks_test: @{body('Get_domain_security_data')?['ks_test']}
\nKolmogorov–Smirnov test on geodiversity. 0 means that the client traffic matches what is expected for this TLD.
\nattack: @{body('Get_domain_security_data')?['attack']}
\nThe name of any known attacks associated with this domain.
\nthreat_type: @{body('Get_domain_security_data')?['threat_type']}
\nThe type of the known attack.
@{outputs('Get_logo')} CiscoUmbrella-GetDomainInfo
Security data for @{outputs('Get_domain_from_URL')} (part 1) :
dga_score: @{body('HTTP_-_Get_domain_security_data')?['dga_score']}
Domain Generation Algorithm. This score is generated based on the likeliness of the domain name being generated by an algorithm rather than a human. This algorithm is designed to identify domains which have been created using an automated randomization strategy, which is a common evasion technique in malware kits or botnets. This score ranges from -100 (suspicious) to 0 (benign).
perplexity: @{body('HTTP_-_Get_domain_security_data')?['perplexity']}
A second score on the likeliness of the name to be algorithmically generated, on a scale from 0 to 100. This score is to be used in conjunction with DGA.
entropy: @{body('HTTP_-_Get_domain_security_data')?['entropy']}
The number of bits required to encode the domain name, as a score. This score is to be used in conjunction with DGA and Perplexity.
securerank2: @{body('HTTP_-_Get_domain_security_data')?['securerank2']}
Suspicious rank for a domain that reviews based on the lookup behavior of client IP for the domain. Securerank is designed to identify hostnames requested by known infected clients but never requested by clean clients, assuming these domains are more likely to be bad. Scores returned range from -100 (suspicious) to 100 (benign).
@{outputs('Get_logo')} CiscoUmbrella-GetDomainInfo
Security data for @{outputs('Get_domain_from_URL')} (part 2):
pagerank: @{body('HTTP_-_Get_domain_security_data')?['pagerank']}
Popularity according to Google's pagerank algorithm.
asn_score: @{body('HTTP_-_Get_domain_security_data')?['asn_score']}
ASN reputation score, ranges from -100 to 0 with -100 being very suspicious.
prefix_score: @{body('HTTP_-_Get_domain_security_data')?['prefix_score']}
Prefix ranks domains given their IP prefixes (first three octets in IP) and the reputation score of these prefixes. Ranges from -100 to 0, -100 being very suspicious.
rip_score: @{body('HTTP_-_Get_domain_security_data')?['rip_score']}
RIP ranks domains given their IP addresses and the reputation score of these IP addresses. Ranges from -100 to 0, -100 being very suspicious.
popularity: @{body('HTTP_-_Get_domain_security_data')?['popularity']}
The number of unique client IPs visiting this site, relative to the all requests to all sites.
geoscore: @{body('HTTP_-_Get_domain_security_data')?['geoscore']}
A score that represents how far the different physical locations serving this name are from each other.
ks_test: @{body('HTTP_-_Get_domain_security_data')?['ks_test']}
Kolmogorov–Smirnov test on geodiversity. 0 means that the client traffic matches what is expected for this TLD.
attack: @{body('HTTP_-_Get_domain_security_data')?['attack']}
The name of any known attacks associated with this domain.
threat_type: @{body('HTTP_-_Get_domain_security_data')?['threat_type']}
The type of the known attack.
"
+ },
+ "HTTP_-_Get_domain_security_data": {
"runAfter": {
"Get_domain_from_URL": [
"Succeeded"
]
},
- "type": "ApiConnection"
+ "type": "Http",
+ "inputs": {
+ "uri": "https://@{parameters('Host End Point')}/investigate/v2/security/name/@{encodeURIComponent(outputs('Get_domain_from_URL'))}",
+ "method": "GET",
+ "headers": {
+ "Authorization": "Bearer @{body('Parse_JSON')?['access_token']}"
+ }
+ },
+ "runtimeConfiguration": {
+ "contentTransfer": {
+ "transferMode": "Chunked"
+ }
+ }
},
- "Get_logo": {
- "inputs": "",
+ "HTTP_-_Get_Risk_score_for_a_domain": {
"runAfter": {
- "Get_Risk_score_for_a_domain": [
+ "HTTP_-_Get_domain_security_data": [
"Succeeded"
]
},
- "type": "Compose"
+ "type": "Http",
+ "inputs": {
+ "uri": "https://@{parameters('Host End Point')}/investigate/v2/domains/risk-score/@{encodeURIComponent(outputs('Get_domain_from_URL'))}",
+ "method": "GET",
+ "headers": {
+ "Authorization": "Bearer @{body('Parse_JSON')?['access_token']}"
+ }
+ },
+ "runtimeConfiguration": {
+ "contentTransfer": {
+ "transferMode": "Chunked"
+ }
+ }
}
},
- "foreach": "@body('Entities_-_Get_URLs')?['URLs']",
"runAfter": {
- "Entities_-_Get_URLs": [
+ "Parse_JSON": [
"Succeeded"
]
},
"type": "Foreach"
- }
- },
- "contentVersion": "1.0.0.0",
- "parameters": {
- "$connections": {
- "type": "Object"
- }
- },
- "triggers": {
- "When_Azure_Sentinel_incident_creation_rule_was_triggered": {
+ },
+ "Get_Client_Id": {
+ "runAfter": {
+ "Entities_-_Get_URLs": [
+ "Succeeded"
+ ]
+ },
+ "type": "ApiConnection",
"inputs": {
- "body": {
- "callback_url": "@{listCallbackUrl()}"
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['keyvault']['connectionId']"
+ }
},
+ "method": "get",
+ "path": "/secrets/@{encodeURIComponent(parameters('Umbrella API ClientId Key Name'))}/value"
+ },
+ "runtimeConfiguration": {
+ "secureData": {
+ "properties": [
+ "inputs",
+ "outputs"
+ ]
+ }
+ }
+ },
+ "Get_Secret": {
+ "runAfter": {
+ "Get_Client_Id": [
+ "Succeeded"
+ ]
+ },
+ "type": "ApiConnection",
+ "inputs": {
"host": {
"connection": {
- "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ "name": "@parameters('$connections')['keyvault']['connectionId']"
}
},
- "path": "/incident-creation"
+ "method": "get",
+ "path": "/secrets/@{encodeURIComponent(parameters('Umbrella API Secret Key Name'))}/value"
},
- "type": "ApiConnectionWebhook"
+ "runtimeConfiguration": {
+ "secureData": {
+ "properties": [
+ "inputs",
+ "outputs"
+ ]
+ }
+ }
+ },
+ "HTTP_-_Generate_Login_Token": {
+ "runAfter": {
+ "Get_Secret": [
+ "Succeeded"
+ ]
+ },
+ "type": "Http",
+ "inputs": {
+ "uri": "https://@{parameters('Host End Point')}/auth/v2/token",
+ "method": "POST",
+ "headers": {
+ "Content-Type": "application/x-www-form-urlencoded"
+ },
+ "authentication": {
+ "type": "Basic",
+ "username": "@{body('Get_Client_Id')?['value']}",
+ "password": "@{body('Get_Secret')?['value']}"
+ }
+ },
+ "runtimeConfiguration": {
+ "contentTransfer": {
+ "transferMode": "Chunked"
+ },
+ "secureData": {
+ "properties": [
+ "inputs",
+ "outputs"
+ ]
+ }
+ }
+ },
+ "Parse_JSON": {
+ "runAfter": {
+ "HTTP_-_Generate_Login_Token": [
+ "Succeeded"
+ ]
+ },
+ "type": "ParseJson",
+ "inputs": {
+ "content": "@body('HTTP_-_Generate_Login_Token')",
+ "schema": {
+ "type": "object",
+ "properties": {
+ "token_type": {
+ "type": "string"
+ },
+ "access_token": {
+ "type": "string"
+ },
+ "expires_in": {
+ "type": "integer"
+ }
+ }
+ }
+ }
}
}
},
"parameters": {
"$connections": {
"value": {
- "azuresentinel": {
- "connectionName": "[[variables('AzureSentinelConnectionName')]",
- "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
- "id": "[[concat('/subscriptions/',subscription().subscriptionId, '/providers/Microsoft.Web/locations/',variables('workspace-location-inline'),'/managedApis/azuresentinel')]"
+ "microsoftsentinel": {
+ "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
+ "connectionName": "[[variables('MicrosoftSentinelConnectionName')]",
+ "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
+ "connectionProperties": {
+ "authentication": {
+ "type": "ManagedServiceIdentity"
+ }
+ }
},
- "ciscoumbrellainvestigate": {
- "connectionId": "[[resourceId('Microsoft.Web/connections', variables('CiscoUmbrellaInvestigateAPIConnectionName'))]",
- "connectionName": "[[variables('CiscoUmbrellaInvestigateAPIConnectionName')]",
- "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('customApis_ciscoumbrellainvestigate_name'))]"
+ "keyvault": {
+ "connectionId": "[[resourceId('Microsoft.Web/connections', variables('KeyvaultConnectionName'))]",
+ "connectionName": "[[variables('KeyvaultConnectionName')]",
+ "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/keyvault')]",
+ "connectionProperties": {
+ "authentication": {
+ "type": "ManagedServiceIdentity"
+ }
+ }
}
}
}
}
},
+ "name": "[[parameters('PlaybookName')]",
+ "type": "Microsoft.Logic/workflows",
+ "location": "[[variables('workspace-location-inline')]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
"tags": {
+ "hidden-SentinelTemplateName": "CiscoUmbrella-GetDomainInfo",
+ "hidden-SentinelTemplateVersion": "1.0",
"hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
+ },
+ "apiVersion": "2017-07-01",
+ "dependsOn": [
+ "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
+ "[[resourceId('Microsoft.Web/connections', variables('KeyvaultConnectionName'))]"
+ ]
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[[variables('MicrosoftSentinelConnectionName')]",
+ "location": "[[variables('workspace-location-inline')]",
+ "kind": "V1",
+ "properties": {
+ "displayName": "[[variables('MicrosoftSentinelConnectionName')]",
+ "parameterValueType": "Alternative",
+ "api": {
+ "id": "[[variables('_connection-2')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[[variables('KeyvaultConnectionName')]",
+ "location": "[[variables('workspace-location-inline')]",
+ "kind": "V1",
+ "properties": {
+ "displayName": "[[variables('KeyvaultConnectionName')]",
+ "parameterValueType": "Alternative",
+ "alternativeParameterValues": {
+ "vaultName": "[[parameters('keyvault name')]"
+ },
+ "nonSecretParameterValues": {
+ "vaultName": "[[parameters('keyvault name')]"
+ },
+ "api": {
+ "id": "[[variables('_connection-3')]"
+ }
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId8'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId5'),'/'))))]",
"properties": {
- "parentId": "[variables('playbookId8')]",
- "contentId": "[variables('_playbookContentId8')]",
+ "parentId": "[variables('playbookId5')]",
+ "contentId": "[variables('_playbookContentId5')]",
"kind": "Playbook",
- "version": "[variables('playbookVersion8')]",
+ "version": "[variables('playbookVersion5')]",
"source": {
"kind": "Solution",
"name": "CiscoUmbrella",
@@ -7247,37 +6210,26 @@
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"link": "https://support.microsoft.com/"
- },
- "dependencies": {
- "criteria": [
- {
- "kind": "LogicAppsCustomConnector",
- "contentId": "[variables('_CiscoUmbrellaInvestigateAPIConnector')]",
- "version": "[variables('playbookVersion2')]"
- }
- ]
}
}
}
],
"metadata": {
"title": "CiscoUmbrella-GetDomainInfo",
- "description": "This playbook showcases an example of triggering an incident within a targeted Teams channel and opening up a ticket within Service Now. Additionally The playbook will also list playbooks that can be initiated from teams using an adaptive card and callbacks that will take action upon certain entities identified in the incident.",
+ "description": "This playbook is used to get Security Information about a particular domain. It provides details such as security scores, reputation and other security-related metadata that can help assess if the domain is associated with malicious activity, phishing attempts, or other threats. This playbook also helps to assess the risk associated with a domain name and return a risk score that helps determine if the domain is considered suspicious or potentially malicious. This details are added to incident as a comment. For more details, click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaPlaybooks/CiscoUmbrella-GetDomainInfo/readme.md#summary).",
"prerequisites": [
- "1. ServiceNow Instance URL, Username, and password.",
- "2. Access and authorization to enable API connectors",
- "3. Teams Group ID, Channel ID and Alert details where the messages are to be posted in."
+ "1. Login to Cisco Umbrella dashboard and navigating to Admin-->API Keys. Create New API Key if not already created and select the appropriate 'Key Scope' with Read/Write permission. Store 'Api Key' and 'Key Secret' to a safe place. This 'Api Key' is a 'Client Id' and 'Key Secret' is a 'Secret' used for this Playbook.",
+ "2. Store the 'Api Key' and 'Key Secret' from previous step to Key vault Secrets."
],
- "lastUpdateTime": "2021-06-29T10:00:00Z",
+ "postDeployment": [
+ "For more details on Post Deployment Instructions, click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoUmbrella/Playbooks/CiscoUmbrellaPlaybooks/CiscoUmbrella-GetDomainInfo/readme.md#post-deployment-instructions)."
+ ],
+ "lastUpdateTime": "2024-12-20T10:00:00Z",
"entities": [
- "Account",
- "Url",
- "Host"
+ "URL"
],
"tags": [
- "Sync",
- "Notification",
- "Teams Response"
+ "Notification"
],
"releaseNotes": {
"version": "1.0",
@@ -7293,12 +6245,12 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_playbookContentId8')]",
+ "contentId": "[variables('_playbookContentId5')]",
"contentKind": "Playbook",
"displayName": "CiscoUmbrella-GetDomainInfo",
- "contentProductId": "[variables('_playbookcontentProductId8')]",
- "id": "[variables('_playbookcontentProductId8')]",
- "version": "[variables('playbookVersion8')]"
+ "contentProductId": "[variables('_playbookcontentProductId5')]",
+ "id": "[variables('_playbookcontentProductId5')]",
+ "version": "[variables('playbookVersion5')]"
}
},
{
@@ -7306,12 +6258,12 @@
"apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
- "version": "3.0.2",
+ "version": "3.0.3",
"kind": "Solution",
"contentSchemaVersion": "3.0.0",
"displayName": "CiscoUmbrella",
"publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation",
- "descriptionHtml": "Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe Cisco Umbrella solution for Microsoft Sentinel enables you to ingest Cisco Umbrella events stored in Amazon S3 into Microsoft Sentinel using the Amazon S3 REST API.
\nUnderlying Microsoft Technologies used:
\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:
\n\nData Connectors: 1, Parsers: 1, Workbooks: 1, Analytic Rules: 10, Hunting Queries: 10, Custom Azure Logic Apps Connectors: 4, Playbooks: 4
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n", + "descriptionHtml": "Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe Cisco Umbrella solution for Microsoft Sentinel enables you to ingest Cisco Umbrella events stored in Amazon S3 into Microsoft Sentinel using the Amazon S3 REST API.
\nData Connectors: 1, Parsers: 1, Workbooks: 1, Analytic Rules: 10, Hunting Queries: 10, Custom Azure Logic Apps Connectors: 1, Playbooks: 4
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", @@ -7453,43 +6405,28 @@ }, { "kind": "LogicAppsCustomConnector", - "contentId": "[variables('_CiscoUmbrellaEnforcementAPIConnector')]", + "contentId": "[variables('_EnforcementAPICustomConnector')]", "version": "[variables('playbookVersion1')]" }, { - "kind": "LogicAppsCustomConnector", - "contentId": "[variables('_CiscoUmbrellaInvestigateAPIConnector')]", + "kind": "Playbook", + "contentId": "[variables('_CiscoUmbrella-BlockDomain')]", "version": "[variables('playbookVersion2')]" }, - { - "kind": "LogicAppsCustomConnector", - "contentId": "[variables('_CiscoUmbrellaManagementAPIConnector')]", - "version": "[variables('playbookVersion3')]" - }, - { - "kind": "LogicAppsCustomConnector", - "contentId": "[variables('_CiscoUmbrellaNetworkDeviceManagementAPIConnector')]", - "version": "[variables('playbookVersion4')]" - }, { "kind": "Playbook", "contentId": "[variables('_CiscoUmbrella-AddIpToDestinationList')]", - "version": "[variables('playbookVersion5')]" + "version": "[variables('playbookVersion3')]" }, { "kind": "Playbook", "contentId": "[variables('_CiscoUmbrella-AssignPolicyToIdentity')]", - "version": "[variables('playbookVersion6')]" - }, - { - "kind": "Playbook", - "contentId": "[variables('_CiscoUmbrella-BlockDomain')]", - "version": "[variables('playbookVersion7')]" + "version": "[variables('playbookVersion4')]" }, { "kind": "Playbook", "contentId": "[variables('_CiscoUmbrella-GetDomainInfo')]", - "version": "[variables('playbookVersion8')]" + "version": "[variables('playbookVersion5')]" } ] }, @@ -7508,4 +6445,4 @@ } ], "outputs": {} -} +} \ No newline at end of file