
Commit 3576a8f

3 new playbook to the sentinel soar solution
1 parent ad01c72 commit 3576a8f


13 files changed

+1285
-0
lines changed
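--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,293 @@
+{
+"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+"contentVersion": "1.0.0.0",
+"parameters": {
+"PlaybookName": {
+"defaultValue": "Http-Trigger-Entity-Analyzer",
+"type": "string",
+"metadata": {
+"description": "Name of the Logic App playbook"
+}
+},
+"workspaceId": {
+"type": "string",
+"metadata": {
+"description": "Azure Sentinel workspace ID"
+}
+},
+"lookBackDays": {
+"defaultValue": 40,
+"type": "int",
+"metadata": {
+"description": "Number of days to look back for entity analysis"
+}
+}
+},
+"variables": {
+"SentinelMCPConnectionName": "[concat('SentinelMCP-', parameters('PlaybookName'))]"
+},
+"resources": [
+{
+"type": "Microsoft.Web/connections",
+"apiVersion": "2016-06-01",
+"name": "[variables('SentinelMCPConnectionName')]",
+"location": "[resourceGroup().location]",
+"kind": "V1",
+"properties": {
+"displayName": "[variables('SentinelMCPConnectionName')]",
+"customParameterValues": {},
+"api": {
+"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/sentinelmcp')]"
+}
+}
+},
+{
+"type": "Microsoft.Logic/workflows",
+"apiVersion": "2017-07-01",
+"name": "[parameters('PlaybookName')]",
+"location": "[resourceGroup().location]",
+"tags": {
+"Created By": "ARM Template"
+},
+"dependsOn": [
+"[resourceId('Microsoft.Web/connections', variables('SentinelMCPConnectionName'))]"
+],
+"properties": {
+"state": "Enabled",
+"definition": {
+"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+"contentVersion": "1.0.0.0",
+"parameters": {
+"$connections": {
+"defaultValue": {},
+"type": "Object"
+}
+},
+"triggers": {
+"When_an_HTTP_request_is_received": {
+"type": "Request",
+"kind": "Http",
+"inputs": {
+"schema": {
+"type": "object",
+"properties": {
+"Type": {
+"type": "string"
+},
+"Value": {
+"type": "string"
+}
+}
+}
+}
+}
+},
+"actions": {
+"Response_Accepted": {
+"runAfter": {},
+"type": "Response",
+"kind": "Http",
+"inputs": {
+"statusCode": 202,
+"headers": {
+"Retry-After": "10"
+},
+"body": {
+"status": "Accepted",
+"message": "Entity analysis started. Processing in background.",
+"runId": "@{workflow().run.name}",
+"entityType": "@{triggerBody()?['Type']}",
+"entityValue": "@{triggerBody()?['Value']}"
+}
+}
+},
+"Condition": {
+"actions": {
+"User_Analyzer": {
+"type": "ApiConnection",
+"inputs": {
+"host": {
+"connection": {
+"name": "@parameters('$connections')['sentinelmcp']['connectionId']"
+}
+},
+"method": "post",
+"body": {
+"workspaceId": "[parameters('workspaceId')]",
+"lookBackDays": "[parameters('lookBackDays')]",
+"properties": {
+"entityType": "User",
+"userId": "@{triggerBody()?['Value']}"
+}
+},
+"path": "/aiprimitives/analysis",
+"queries": {
+"api-version": "2025-08-01-preview"
+}
+}
+},
+"Parse_JSON": {
+"runAfter": {
+"User_Analyzer": [
+"Succeeded"
+]
+},
+"type": "ParseJson",
+"inputs": {
+"content": "@body('User_Analyzer')",
+"schema": {
+"type": "object",
+"properties": {
+"id": {
+"type": "string"
+},
+"status": {
+"type": "string"
+},
+"classification": {
+"type": "string"
+},
+"analysis": {
+"type": "string"
+},
+"recommendation": {
+"type": "string"
+},
+"disclaimer": {
+"type": "string"
+},
+"dataSourceList": {
+"type": "array",
+"items": {
+"type": "string"
+}
+},
+"properties": {
+"type": "object",
+"properties": {
+"entityType": {
+"type": "string"
+}
+}
+}
+}
+}
+}
+}
+},
+"runAfter": {
+"Response_Accepted": [
+"Succeeded"
+]
+},
+"else": {
+"actions": {
+"Url_Analyzer": {
+"type": "ApiConnection",
+"inputs": {
+"host": {
+"connection": {
+"name": "@parameters('$connections')['sentinelmcp']['connectionId']"
+}
+},
+"method": "post",
+"body": {
+"workspaceId": "[parameters('workspaceId')]",
+"lookBackDays": "[parameters('lookBackDays')]",
+"properties": {
+"entityType": "@{triggerBody()?['Type']}",
+"url": "@{triggerBody()?['Value']}"
+}
+},
+"path": "/aiprimitives/analysis",
+"queries": {
+"api-version": "2025-08-01-preview"
+}
+}
+},
+"Parse_JSON_1": {
+"runAfter": {
+"Url_Analyzer": [
+"Succeeded"
+]
+},
+"type": "ParseJson",
+"inputs": {
+"content": "@body('Url_Analyzer')",
+"schema": {
+"type": "object",
+"properties": {
+"id": {
+"type": "string"
+},
+"status": {
+"type": "string"
+},
+"classification": {
+"type": "string"
+},
+"analysis": {
+"type": "string"
+},
+"recommendation": {
+"type": "string"
+},
+"disclaimer": {
+"type": "string"
+},
+"dataSourceList": {
+"type": "array",
+"items": {
+"type": "string"
+}
+},
+"properties": {
+"type": "object",
+"properties": {
+"entityType": {
+"type": "string"
+}
+}
+}
+}
+}
+}
+}
+}
+},
+"expression": {
+"and": [
+{
+"equals": [
+"@triggerBody()?['Type']",
+"User"
+]
+}
+]
+},
+"type": "If"
+}
+},
+"outputs": {}
+},
+"parameters": {
+"$connections": {
+"value": {
+"sentinelmcp": {
+"connectionId": "[resourceId('Microsoft.Web/connections', variables('SentinelMCPConnectionName'))]",
+"connectionName": "[variables('SentinelMCPConnectionName')]",
+"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/sentinelmcp')]"
+}
+}
+}
+}
+}
+}
+],
+"outputs": {
+"logicAppUrl": {
+"type": "string",
+"value": "[listCallbackURL(concat(resourceId('Microsoft.Logic/workflows', parameters('PlaybookName')), '/triggers/When_an_HTTP_request_is_received'), '2017-07-01').value]"
+}
+}
+}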
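Review bot: The `logicAppUrl` output at the end of the template emits the `listCallbackURL(...)` value, which is the SAS-signed trigger URL for `When_an_HTTP_request_is_received`, so the secret that authorizes starting this playbook is stored in the deployment's output history where anyone with read access to the resource group can see it, and the workflow `properties` block sets no `accessControl`, so any holder of that URL can start runs. I would drop the output (operators can read the URL from the Logic App itself after deployment) and restrict the trigger by adding under the workflow `properties` something like `"accessControl": { "triggers": { "allowedCallerIpAddresses": [ { "addressRange": "<caller CIDR, placeholder>" } ] } }`. The trigger `schema` lists `Type` and `Value` but has no `"required": ["Type", "Value"]`, so an empty body is accepted, `Response_Accepted` still returns 202, and the `else` branch then posts an empty `url` to `/aiprimitives/analysis`; `lookBackDays` is likewise unbounded and would benefit from `"minValue": 1` and a `"maxValue"`. Note also that the `Parse_JSON` and `Parse_JSON_1` results are not consumed by any later action and the definition's `outputs` is `{}`, so a caller that honours the `Retry-After` header has nowhere to fetch the analysis result from.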
