From 54b6a85734284f3e8bc526cb8515fe63195f46ee Mon Sep 17 00:00:00 2001
From: sschuur <78623042+sschuur@users.noreply.github.com>
Date: Thu, 22 Jun 2023 17:02:41 -0700
Subject: [PATCH 01/47] Remove old Analytic Rules
---
...umberOfHighThreatLevelQueriesDetected.yaml | 42 ------------------
...hNumberOfNXDOMAINDNSResponsesDetected.yaml | 43 ------------------
...ighThreatLevelQueryNotBlockedDetected.yaml | 44 -------------------
3 files changed, 129 deletions(-)
delete mode 100644 Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-HighNumberOfHighThreatLevelQueriesDetected.yaml
delete mode 100644 Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-HighNumberOfNXDOMAINDNSResponsesDetected.yaml
delete mode 100644 Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-HighThreatLevelQueryNotBlockedDetected.yaml
diff --git a/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-HighNumberOfHighThreatLevelQueriesDetected.yaml b/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-HighNumberOfHighThreatLevelQueriesDetected.yaml
deleted file mode 100644
index 993f39e7ec5..00000000000
--- a/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-HighNumberOfHighThreatLevelQueriesDetected.yaml
+++ /dev/null
@@ -1,42 +0,0 @@
-id: 57113ad7-7dd6-4150-84d8-252e162aaf4a
-name: Infoblox - High Number of High Threat Level Queries Detected
-description: |
- 'This creates an incident in the event a single host generates at least 200 high threat level RPZ queries (Threat Defense security hits) in 1 hour. Query count threshold and scheduling is customizable. This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://aka.ms/sentinel-InfobloxCloudDataConnector-parser).'
-severity: Medium
-status: Available
-requiredDataConnectors:
- - connectorId: InfobloxCloudDataConnector
- dataTypes:
- - CommonSecurityLog (InfobloxCDC)
-queryFrequency: 1h
-queryPeriod: 1h
-triggerOperator: gt
-triggerThreshold: 0
-tactics:
- - Impact
-relevantTechniques:
- - T1498
- - T1565
-query: |
- let threshold = 200;
- InfobloxCDC
- | where DeviceEventClassID has_cs "RPZ"
- | where ThreatLevel_Score >=80
- | summarize count() by SourceIP
- | where count_ > threshold
- | join kind=inner (InfobloxCDC
- | where DeviceEventClassID has_cs "RPZ"
- | where ThreatLevel_Score >=80
- ) on SourceIP
- | extend timestamp = TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName
-entityMappings:
- - entityType: IP
- fieldMappings:
- - identifier: Address
- columnName: IPCustomEntity
- - entityType: Host
- fieldMappings:
- - identifier: HostName
- columnName: HostCustomEntity
-version: 1.0.1
-kind: Scheduled
diff --git a/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-HighNumberOfNXDOMAINDNSResponsesDetected.yaml b/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-HighNumberOfNXDOMAINDNSResponsesDetected.yaml
deleted file mode 100644
index 4963aa2e5e4..00000000000
--- a/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-HighNumberOfNXDOMAINDNSResponsesDetected.yaml
+++ /dev/null
@@ -1,43 +0,0 @@
-id: 818eddaa-3806-43a2-8930-3defc5a06803
-name: Infoblox - High Number of NXDOMAIN DNS Responses Detected
-description: |
- 'This creates an incident in the event a single host generates at least 200 DNS responses for non-existent domains in 1 hour. Query count threshold and scheduling is customizable. This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://aka.ms/sentinel-InfobloxCloudDataConnector-parser).'
-severity: Medium
-status: Available
-requiredDataConnectors:
- - connectorId: InfobloxCloudDataConnector
- dataTypes:
- - CommonSecurityLog (InfobloxCDC)
-queryFrequency: 1h
-queryPeriod: 1h
-triggerOperator: gt
-triggerThreshold: 0
-tactics:
- - Impact
-relevantTechniques:
- - T1498
- - T1565
-query: |
- let threshold = 200;
- InfobloxCDC
- | where DeviceEventClassID == "DNS Response"
- | where InfobloxDNSRCode == "NXDOMAIN"
- | summarize count() by SourceIP
- | where count_ > threshold
- | join kind=inner (InfobloxCDC
- | where DeviceEventClassID == "DNS Response"
- | where InfobloxDNSRCode == "NXDOMAIN"
- ) on SourceIP
- | extend timestamp = TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName
-entityMappings:
- - entityType: IP
- fieldMappings:
- - identifier: Address
- columnName: IPCustomEntity
- - entityType: Host
- fieldMappings:
- - identifier: HostName
- columnName: HostCustomEntity
-version: 1.0.1
-kind: Scheduled
-
diff --git a/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-HighThreatLevelQueryNotBlockedDetected.yaml b/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-HighThreatLevelQueryNotBlockedDetected.yaml
deleted file mode 100644
index e7780309d3b..00000000000
--- a/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-HighThreatLevelQueryNotBlockedDetected.yaml
+++ /dev/null
@@ -1,44 +0,0 @@
-id: dc7af829-d716-4774-9d6f-03d9aa7c27a4
-name: Infoblox - High Threat Level Query Not Blocked Detected
-description: |
- 'This creates an incident in the event a single host generates at least 1 high threat level query (Threat Defense security hit) that is not blocked or redirected in 1 hour. Query count threshold and scheduling is customizable. This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://aka.ms/sentinel-InfobloxCloudDataConnector-parser).'
-severity: Medium
-status: Available
-requiredDataConnectors:
- - connectorId: InfobloxCloudDataConnector
- dataTypes:
- - CommonSecurityLog (InfobloxCDC)
-queryFrequency: 1h
-queryPeriod: 1h
-triggerOperator: gt
-triggerThreshold: 0
-tactics:
- - Impact
-relevantTechniques:
- - T1498
- - T1565
-query: |
- let threshold = 1;
- InfobloxCDC
- | where DeviceEventClassID has_cs "RPZ"
- | where ThreatLevel_Score >=80
- | where InfobloxB1PolicyAction == "Log" or SimplifiedDeviceAction == "PASSTHRU"
- | summarize count() by SourceIP
- | where count_ > threshold
- | join kind=inner (InfobloxCDC
- | where DeviceEventClassID has_cs "RPZ"
- | where ThreatLevel_Score >=80
- | where InfobloxB1PolicyAction == "Log" or SimplifiedDeviceAction == "PASSTHRU"
- ) on SourceIP
- | extend timestamp = TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName
-entityMappings:
- - entityType: IP
- fieldMappings:
- - identifier: Address
- columnName: IPCustomEntity
- - entityType: Host
- fieldMappings:
- - identifier: HostName
- columnName: HostCustomEntity
-version: 1.0.1
-kind: Scheduled
From 24080c400f7f2d973001b63c95cdf1b1d85a7ad9 Mon Sep 17 00:00:00 2001
From: sschuur <78623042+sschuur@users.noreply.github.com>
Date: Thu, 22 Jun 2023 17:03:03 -0700
Subject: [PATCH 02/47] Add new Analytic Rules
---
.../Infoblox-DataExfiltrationAttack.yaml | 68 +++++++++++++++
...ighThreatLevelQueryNotBlockedDetected.yaml | 69 +++++++++++++++
...eatLevelQueriesFromSingleHostDetected.yaml | 53 ++++++++++++
...anyHighThreatLevelSingleQueryDetected.yaml | 53 ++++++++++++
...blox-ManyNXDOMAINDNSResponsesDetected.yaml | 53 ++++++++++++
...CommonSecurityLogMatchFound-MalwareC2.yaml | 71 ++++++++++++++++
...nfobloxCDCMatchFound-LookalikeDomains.yaml | 85 +++++++++++++++++++
.../Infoblox-TI-SyslogMatchFound-URL.yaml | 70 +++++++++++++++
8 files changed, 522 insertions(+)
create mode 100644 Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-DataExfiltrationAttack.yaml
create mode 100644 Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-HighThreatLevelQueryNotBlockedDetected.yaml
create mode 100644 Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-ManyHighThreatLevelQueriesFromSingleHostDetected.yaml
create mode 100644 Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-ManyHighThreatLevelSingleQueryDetected.yaml
create mode 100644 Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-ManyNXDOMAINDNSResponsesDetected.yaml
create mode 100644 Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-TI-CommonSecurityLogMatchFound-MalwareC2.yaml
create mode 100644 Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-TI-InfobloxCDCMatchFound-LookalikeDomains.yaml
create mode 100644 Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-TI-SyslogMatchFound-URL.yaml
diff --git a/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-DataExfiltrationAttack.yaml b/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-DataExfiltrationAttack.yaml
new file mode 100644
index 00000000000..5e5b244db24
--- /dev/null
+++ b/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-DataExfiltrationAttack.yaml
@@ -0,0 +1,68 @@
+id: 8db2b374-0337-49bd-94c9-cfbf8e5d83ad
+name: Infoblox - Data Exfiltration Attack
+description: |
+ 'Data exfiltration attack detected by Infoblox Threat Insight. Customize query count, scheduling, responses and more.
+
+This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Infoblox%20Cloud%20Data%20Connector/Parsers/InfobloxCDC.txt).'
+severity: Medium
+status: Available
+requiredDataConnectors:
+ - connectorId: InfobloxCloudDataConnector
+ dataTypes:
+ - CommonSecurityLog (InfobloxCDC)
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+ - Impact
+relevantTechniques:
+ - T1498
+ - T1565
+query: |
+ let threshold = 1;
+ InfobloxCDC
+ | where DeviceEventClassID has_cs "RPZ"
+ | where InfobloxB1FeedName == "Threat Insight - Data Exfiltration"
+ | summarize count() by SourceIP
+ | where count_ > threshold
+ | join kind=innerunique (InfobloxCDC
+ | where DeviceEventClassID has_cs "RPZ"
+ | where InfobloxB1FeedName == "Threat Insight - Data Exfiltration"
+ ) on SourceIP
+entityMappings:
+ - entityType: IP
+ fieldMappings:
+ - identifier: Address
+ columnName: SourceIP
+ - entityType: Host
+ fieldMappings:
+ - identifier: HostName
+ columnName: DeviceName
+ - identifier: OSVersion
+ columnName: InfobloxB1SrcOSVersion
+ - identifier: FullName
+ columnName: SourceUserName
+ - entityType: Malware
+ fieldMappings:
+ - identifier: Name
+ columnName: InfobloxB1FeedName
+ - identifier: Category
+ columnName: InfobloxB1FeedName
+customDetails:
+ SourceMACAddress: SourceMACAddress
+ InfobloxB1FeedName: InfobloxB1FeedName
+ InfobloxB1Network: InfobloxB1Network
+ InfobloxB1Action: InfobloxB1PolicyAction
+ InfobloxB1PolicyName: InfobloxB1PolicyName
+eventGroupingSettings:
+ aggregationKind: SingleAlert
+incidentConfiguration:
+ createIncident: true
+ groupingConfiguration:
+ enabled: true
+ reopenClosedIncident: true
+ lookbackDuration: 7d
+ matchingMethod: AllEntities
+version: 1.0.0
+kind: Scheduled
diff --git a/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-HighThreatLevelQueryNotBlockedDetected.yaml b/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-HighThreatLevelQueryNotBlockedDetected.yaml
new file mode 100644
index 00000000000..5897d273217
--- /dev/null
+++ b/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-HighThreatLevelQueryNotBlockedDetected.yaml
@@ -0,0 +1,69 @@
+id: dfd8b74c-735e-48e4-9b2d-7f1216cb2283
+name: Infoblox - High Threat Level Query Not Blocked Detected
+description: |
+ 'At least 1 high threat level query generated by single host in 1 hour that is not blocked or redirected. Customize query count, scheduling, responses and more.
+
+This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Infoblox%20Cloud%20Data%20Connector/Parsers/InfobloxCDC.txt).'
+severity: Medium
+status: Available
+requiredDataConnectors:
+ - connectorId: InfobloxCloudDataConnector
+ dataTypes:
+ - CommonSecurityLog (InfobloxCDC)
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+ - Impact
+relevantTechniques:
+ - T1498
+ - T1565
+query: |
+ let threshold = 1;
+ InfobloxCDC
+ | where DeviceEventClassID has_cs "RPZ"
+ | where ThreatLevel_Score >=80
+ | where InfobloxB1PolicyAction == "Log" or SimplifiedDeviceAction == "PASSTHRU"
+ | summarize count() by SourceIP
+ | where count_ > threshold
+ | join kind=inner (InfobloxCDC
+ | where DeviceEventClassID has_cs "RPZ"
+ | where ThreatLevel_Score >=80
+ | where InfobloxB1PolicyAction == "Log" or SimplifiedDeviceAction == "PASSTHRU"
+ ) on SourceIP
+entityMappings:
+ - entityType: IP
+ fieldMappings:
+ - identifier: Address
+ columnName: SourceIP
+ - entityType: Host
+ fieldMappings:
+ - identifier: HostName
+ columnName: DeviceName
+ - identifier: OSVersion
+ columnName: InfobloxB1SrcOSVersion
+ - identifier: FullName
+ columnName: SourceUserName
+ - entityType: DNS
+ fieldMappings:
+ - identifier: DomainName
+ columnName: DestinationDnsDomain
+ - entityType: Malware
+ fieldMappings:
+ - identifier: Name
+ columnName: ThreatProperty
+ - identifier: Category
+ columnName: ThreatClass
+customDetails:
+ SourceMACAddress: SourceMACAddress
+ InfobloxB1FeedName: InfobloxB1FeedName
+ InfobloxB1Network: InfobloxB1Network
+ InfobloxB1Action: InfobloxB1PolicyAction
+ InfobloxB1PolicyName: InfobloxB1PolicyName
+eventGroupingSettings:
+ aggregationKind: SingleAlert
+incidentConfiguration:
+ createIncident: true
+version: 1.0.0
+kind: Scheduled
diff --git a/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-ManyHighThreatLevelQueriesFromSingleHostDetected.yaml b/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-ManyHighThreatLevelQueriesFromSingleHostDetected.yaml
new file mode 100644
index 00000000000..015827d40f7
--- /dev/null
+++ b/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-ManyHighThreatLevelQueriesFromSingleHostDetected.yaml
@@ -0,0 +1,53 @@
+id: 3822b794-fa89-4420-aad6-0e1a2307f419
+name: Infoblox - Many High Threat Level Queries From Single Host Detected
+description: |
+ 'At least 200 high threat level queries generated by single host in 1 hour. Queries do not need to be the same. Customize query count, scheduling, responses and more.
+
+This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Infoblox%20Cloud%20Data%20Connector/Parsers/InfobloxCDC.txt).'
+severity: Medium
+status: Available
+requiredDataConnectors:
+ - connectorId: InfobloxCloudDataConnector
+ dataTypes:
+ - CommonSecurityLog (InfobloxCDC)
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+ - Impact
+relevantTechniques:
+ - T1498
+ - T1565
+query: |
+ let threshold = 200;
+ InfobloxCDC
+ | where DeviceEventClassID has_cs "RPZ"
+ | where ThreatLevel_Score >= 80
+ | summarize count() by SourceIP
+ | where count_ > threshold
+ | join kind=inner (InfobloxCDC
+ | where DeviceEventClassID has_cs "RPZ"
+ | where ThreatLevel_Score >= 80
+ ) on SourceIP
+entityMappings:
+ - entityType: IP
+ fieldMappings:
+ - identifier: Address
+ columnName: SourceIP
+ - entityType: Host
+ fieldMappings:
+ - identifier: HostName
+ columnName: DeviceName
+ - identifier: OSVersion
+ columnName: InfobloxB1SrcOSVersion
+ - identifier: FullName
+ columnName: SourceUserName
+customDetails:
+ SourceMACAddress: SourceMACAddress
+eventGroupingSettings:
+ aggregationKind: SingleAlert
+incidentConfiguration:
+ createIncident: true
+version: 1.0.0
+kind: Scheduled
diff --git a/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-ManyHighThreatLevelSingleQueryDetected.yaml b/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-ManyHighThreatLevelSingleQueryDetected.yaml
new file mode 100644
index 00000000000..7351de5dc57
--- /dev/null
+++ b/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-ManyHighThreatLevelSingleQueryDetected.yaml
@@ -0,0 +1,53 @@
+id: 99278700-79ca-4b0f-b416-bf57ec699e1a
+name: Infoblox - Many High Threat Level Single Query Detected
+description: |
+ 'Single high threat level domain queried at least 200 times in 1 hour regardless of source. Customize query count, scheduling, responses and more.
+
+This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Infoblox%20Cloud%20Data%20Connector/Parsers/InfobloxCDC.txt).'
+severity: Medium
+status: Available
+requiredDataConnectors:
+ - connectorId: InfobloxCloudDataConnector
+ dataTypes:
+ - CommonSecurityLog (InfobloxCDC)
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+ - Impact
+relevantTechniques:
+ - T1498
+ - T1565
+query: |
+ let threshold = 200;
+ InfobloxCDC
+ | where DeviceEventClassID has_cs "RPZ"
+ | where ThreatLevel_Score >= 80
+ | summarize count() by DestinationDnsDomain
+ | where count_ > threshold
+ | join kind=inner (InfobloxCDC
+ | where DeviceEventClassID has_cs "RPZ"
+ | where ThreatLevel_Score >= 80
+ ) on DestinationDnsDomain
+entityMappings:
+ - entityType: DNS
+ fieldMappings:
+ - identifier: DomainName
+ columnName: DestinationDnsDomain
+ - entityType: Malware
+ fieldMappings:
+ - identifier: Name
+ columnName: ThreatProperty
+ - identifier: Category
+ columnName: ThreatClass
+customDetails:
+ InfobloxB1FeedName: InfobloxB1FeedName
+ InfobloxB1Network: InfobloxB1Network
+ InfobloxB1PolicyName: InfobloxB1PolicyName
+eventGroupingSettings:
+ aggregationKind: SingleAlert
+incidentConfiguration:
+ createIncident: true
+version: 1.0.0
+kind: Scheduled
diff --git a/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-ManyNXDOMAINDNSResponsesDetected.yaml b/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-ManyNXDOMAINDNSResponsesDetected.yaml
new file mode 100644
index 00000000000..8c5660eb29f
--- /dev/null
+++ b/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-ManyNXDOMAINDNSResponsesDetected.yaml
@@ -0,0 +1,53 @@
+id: b2f34315-9065-488e-88d0-a171d2b0da8e
+name: Infoblox - Many NXDOMAIN DNS Responses Detected
+description: |
+ 'Detected at least 200 DNS responses for non-existent domains in 1 hour generated by single host. Queries do not need to be the same. Customize query count, scheduling, responses and more.
+
+This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Infoblox%20Cloud%20Data%20Connector/Parsers/InfobloxCDC.txt).'
+severity: Medium
+status: Available
+requiredDataConnectors:
+ - connectorId: InfobloxCloudDataConnector
+ dataTypes:
+ - CommonSecurityLog (InfobloxCDC)
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+ - Impact
+relevantTechniques:
+ - T1498
+ - T1565
+query: |
+ let threshold = 200;
+ InfobloxCDC
+ | where DeviceEventClassID == "DNS Response"
+ | where InfobloxDNSRCode == "NXDOMAIN"
+ | summarize count() by SourceIP
+ | where count_ > threshold
+ | join kind=inner (InfobloxCDC
+ | where DeviceEventClassID == "DNS Response"
+ | where InfobloxDNSRCode == "NXDOMAIN"
+ ) on SourceIP
+entityMappings:
+ - entityType: IP
+ fieldMappings:
+ - identifier: Address
+ columnName: SourceIP
+ - entityType: Host
+ fieldMappings:
+ - identifier: HostName
+ columnName: DeviceName
+ - identifier: OSVersion
+ columnName: InfobloxB1SrcOSVersion
+ - identifier: FullName
+ columnName: SourceUserName
+customDetails:
+ SourceMACAddress: SourceMACAddress
+eventGroupingSettings:
+ aggregationKind: SingleAlert
+incidentConfiguration:
+ createIncident: true
+version: 1.0.0
+kind: Scheduled
diff --git a/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-TI-CommonSecurityLogMatchFound-MalwareC2.yaml b/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-TI-CommonSecurityLogMatchFound-MalwareC2.yaml
new file mode 100644
index 00000000000..3d2f713f207
--- /dev/null
+++ b/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-TI-CommonSecurityLogMatchFound-MalwareC2.yaml
@@ -0,0 +1,71 @@
+id: 5b0864a9-4577-4087-b9fa-de3e14a8a999
+name: Infoblox - TI - CommonSecurityLog Match Found - MalwareC2
+description: |
+ 'CommonSecurityLog (CEF) MalwareC2/MalwareC2DGA match found in your Infoblox TIDE Threat Intelligence. Customize query count, scheduling, responses and more. Modify data sources, types and threat properties as desired.'
+severity: Medium
+status: Available
+requiredDataConnectors:
+ - connectorId: CEF
+ dataTypes:
+ - CommonSecurityLog
+ - connectorId: ThreatIntelligenceUploadIndicatorsAPI
+ dataTypes:
+ - ThreatIntelligenceIndicator
+ - connectorId: ThreatIntelligence
+ dataTypes:
+ - ThreatIntelligenceIndicator
+queryFrequency: 1h
+queryPeriod: 14d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+ - Impact
+relevantTechniques:
+ - T1498
+ - T1565
+query: |
+ let dt_lookBack = 1h;
+ let ioc_lookBack = 14d;
+ let TI = ThreatIntelligenceIndicator
+ | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
+ | where Description has_cs "Infoblox"
+ | where Description has_cs "MalwareC2"
+ | where Active == true
+ | where isnotempty(DomainName)
+ ;
+ let Data = CommonSecurityLog
+ | extend HitTime = TimeGenerated
+ | where TimeGenerated >= ago(dt_lookBack)
+ | where isnotempty(DestinationDnsDomain)
+ //Remove trailing period at end of domain
+ | extend DestinationDnsDomain = trim_end(@"\.$", DestinationDnsDomain)
+ ;
+ TI | join kind=innerunique Data on $left.DomainName == $right.DestinationDnsDomain
+ | where HitTime >= TimeGenerated and HitTime < ExpirationDateTime
+ //Get most recent ingested indicator in case there are copies
+ | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | project LatestIndicatorTime, HitTime, DeviceEventClassID, DestinationDnsDomain, DeviceAction, SourceIP, DeviceName, SourceMACAddress, SourceUserName, AdditionalExtensions,
+ AdditionalInformation, Description, ThreatType, TrafficLightProtocolLevel, Type, ConfidenceScore, ExpirationDateTime, SourceSystem, Action, IndicatorId, ExternalIndicatorId, Tags
+entityMappings:
+ - entityType: IP
+ fieldMappings:
+ - identifier: Address
+ columnName: SourceIP
+ - entityType: Host
+ fieldMappings:
+ - identifier: HostName
+ columnName: DeviceName
+ - identifier: FullName
+ columnName: SourceUserName
+ - entityType: DNS
+ fieldMappings:
+ - identifier: DomainName
+ columnName: DestinationDnsDomain
+customDetails:
+ SourceMACAddress: SourceMACAddress
+eventGroupingSettings:
+ aggregationKind: SingleAlert
+incidentConfiguration:
+ createIncident: true
+version: 1.0.0
+kind: Scheduled
diff --git a/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-TI-InfobloxCDCMatchFound-LookalikeDomains.yaml b/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-TI-InfobloxCDCMatchFound-LookalikeDomains.yaml
new file mode 100644
index 00000000000..3f0a8a858e1
--- /dev/null
+++ b/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-TI-InfobloxCDCMatchFound-LookalikeDomains.yaml
@@ -0,0 +1,85 @@
+id: 568730be-b39d-45e3-a392-941e00837d52
+name: Infoblox - TI - InfobloxCDC Match Found - Lookalike Domains
+description: |
+ 'InfobloxCDC Lookalike Domain match found in your Infoblox TIDE Threat Intelligence. Customize query count, scheduling, responses and more. Modify data sources, types and threat properties as desired.
+
+This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Infoblox%20Cloud%20Data%20Connector/Parsers/InfobloxCDC.txt).'
+severity: Medium
+status: Available
+requiredDataConnectors:
+ - connectorId: InfobloxCloudDataConnector
+ dataTypes:
+ - CommonSecurityLog (InfobloxCDC)
+ - connectorId: ThreatIntelligenceUploadIndicatorsAPI
+ dataTypes:
+ - ThreatIntelligenceIndicator
+ - connectorId: ThreatIntelligence
+ dataTypes:
+ - ThreatIntelligenceIndicator
+queryFrequency: 1h
+queryPeriod: 14d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+ - Impact
+relevantTechniques:
+ - T1498
+ - T1565
+query: |
+ let dt_lookBack = 1h;
+ let ioc_lookBack = 14d;
+ let TI = ThreatIntelligenceIndicator
+ | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
+ | where Description == "Infoblox - HOST - Policy"
+ | where Tags has_cs "Property: Policy_LookalikeDomains"
+ | where Active == true
+ | where isnotempty(DomainName)
+ ;
+ let Data = InfobloxCDC
+ | extend HitTime = TimeGenerated
+ | where TimeGenerated >= ago(dt_lookBack)
+ | where isnotempty(DestinationDnsDomain)
+ //Remove trailing period at end of domain
+ | extend DestinationDnsDomain = trim_end(@"\.$", DestinationDnsDomain)
+ ;
+ TI | join kind=innerunique Data on $left.DomainName == $right.DestinationDnsDomain
+ | where HitTime >= TimeGenerated and HitTime < ExpirationDateTime
+ //Get most recent ingested indicator in case there are copies
+ | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | project LatestIndicatorTime, HitTime, DeviceEventClassID, ThreatLevel, ThreatLevel_Score, ThreatConfidence, DestinationDnsDomain, InfobloxB1FeedName, ThreatClass, ThreatProperty, InfobloxB1PolicyAction, DeviceAction, InfobloxB1PolicyName, SourceIP, DeviceName, SourceMACAddress, SourceUserName, InfobloxB1SrcOSVersion, InfobloxB1ConnectionType, InfobloxB1Network, AdditionalExtensionsParsedNested,
+ AdditionalInformation, Description, ThreatType, TrafficLightProtocolLevel, Type, ConfidenceScore, ExpirationDateTime, SourceSystem, Action, IndicatorId, ExternalIndicatorId, Tags
+entityMappings:
+ - entityType: IP
+ fieldMappings:
+ - identifier: Address
+ columnName: SourceIP
+ - entityType: Host
+ fieldMappings:
+ - identifier: HostName
+ columnName: DeviceName
+ - identifier: OSVersion
+ columnName: InfobloxB1SrcOSVersion
+ - identifier: FullName
+ columnName: SourceUserName
+ - entityType: DNS
+ fieldMappings:
+ - identifier: DomainName
+ columnName: DestinationDnsDomain
+ - entityType: Malware
+ fieldMappings:
+ - identifier: Name
+ columnName: ThreatProperty
+ - identifier: Category
+ columnName: ThreatClass
+customDetails:
+ SourceMACAddress: SourceMACAddress
+ InfobloxB1FeedName: InfobloxB1FeedName
+ InfobloxB1Network: InfobloxB1Network
+ InfobloxB1Action: InfobloxB1PolicyAction
+ InfobloxB1PolicyName: InfobloxB1PolicyName
+eventGroupingSettings:
+ aggregationKind: SingleAlert
+incidentConfiguration:
+ createIncident: true
+version: 1.0.0
+kind: Scheduled
diff --git a/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-TI-SyslogMatchFound-URL.yaml b/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-TI-SyslogMatchFound-URL.yaml
new file mode 100644
index 00000000000..4b9fef235ce
--- /dev/null
+++ b/Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-TI-SyslogMatchFound-URL.yaml
@@ -0,0 +1,70 @@
+id: 28ee3c2b-eb4b-44de-a71e-e462843fea72
+name: Infoblox - TI - Syslog Match Found - URL
+description: |
+ 'Syslog URL match found in your Infoblox TIDE Threat Intelligence. Customize query count, scheduling, responses and more. Modify data sources, types and threat properties as desired.'
+severity: Medium
+status: Available
+requiredDataConnectors:
+ - connectorId: Syslog
+ dataTypes:
+ - Syslog
+ - connectorId: ThreatIntelligenceUploadIndicatorsAPI
+ dataTypes:
+ - ThreatIntelligenceIndicator
+ - connectorId: ThreatIntelligence
+ dataTypes:
+ - ThreatIntelligenceIndicator
+queryFrequency: 1h
+queryPeriod: 14d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+ - Impact
+relevantTechniques:
+ - T1498
+ - T1565
+query: |
+ let dt_lookBack = 1h;
+ let ioc_lookBack = 14d;
+ let TI = ThreatIntelligenceIndicator
+ | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
+ | where Description has_cs "Infoblox - URL"
+ | where Active == true
+ | where isnotempty(DomainName)
+ ;
+ let Data = Syslog
+ | extend HitTime = TimeGenerated
+ | where TimeGenerated >= ago(dt_lookBack)
+ //Extract URL patterns from syslog message
+ | extend Url = extract("(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\(\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)", 1,SyslogMessage)
+ | where isnotempty(Url)
+ ;
+ TI | join kind=innerunique Data on $left.DomainName == $right.Url
+ | where HitTime >= TimeGenerated and HitTime < ExpirationDateTime
+ //Get most recent ingested indicator in case there are copies
+ | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+ | project LatestIndicatorTime, HitTime, SyslogMessage, Computer, ProcessName, Url, HostIP,
+ AdditionalInformation, Description, ThreatType, TrafficLightProtocolLevel, Type, ConfidenceScore, ExpirationDateTime, SourceSystem, Action, IndicatorId, ExternalIndicatorId, Tags
+entityMappings:
+ - entityType: IP
+ fieldMappings:
+ - identifier: Address
+ columnName: HostIP
+ - entityType: Host
+ fieldMappings:
+ - identifier: HostName
+ columnName: Computer
+ - entityType: DNS
+ fieldMappings:
+ - identifier: DomainName
+ columnName: Url
+ - entityType: URL
+ fieldMappings:
+ - identifier: Url
+ columnName: Url
+eventGroupingSettings:
+ aggregationKind: SingleAlert
+incidentConfiguration:
+ createIncident: true
+version: 1.0.0
+kind: Scheduled
From 8afabc983ada17149dc5deca462a154eddd4ce5f Mon Sep 17 00:00:00 2001
From: sschuur <78623042+sschuur@users.noreply.github.com>
Date: Thu, 22 Jun 2023 17:05:33 -0700
Subject: [PATCH 03/47] Add playbooks & playbook readme
---
.../azuredeploy.json | 517 +++++++++++++++++
.../azuredeploy.json | 516 +++++++++++++++++
.../azuredeploy.json | 516 +++++++++++++++++
.../azuredeploy.json | 517 +++++++++++++++++
.../azuredeploy.json | 517 +++++++++++++++++
.../azuredeploy.json | 517 +++++++++++++++++
.../azuredeploy.json | 516 +++++++++++++++++
.../azuredeploy.json | 516 +++++++++++++++++
.../azuredeploy.json | 516 +++++++++++++++++
.../azuredeploy.json | 434 ++++++++++++++
.../azuredeploy.json | 529 ++++++++++++++++++
.../Playbooks/readme.md | 140 +++++
12 files changed, 5751 insertions(+)
create mode 100644 Solutions/Infoblox Cloud Data Connector/Playbooks/Infoblox-Import-AISCOMM-Weekly/azuredeploy.json
create mode 100644 Solutions/Infoblox Cloud Data Connector/Playbooks/Infoblox-Import-Emails-Weekly/azuredeploy.json
create mode 100644 Solutions/Infoblox Cloud Data Connector/Playbooks/Infoblox-Import-Hashes-Weekly/azuredeploy.json
create mode 100644 Solutions/Infoblox Cloud Data Connector/Playbooks/Infoblox-Import-Hosts-Daily-LookalikeDomains/azuredeploy.json
create mode 100644 Solutions/Infoblox Cloud Data Connector/Playbooks/Infoblox-Import-Hosts-Daily-MalwareC2DGA/azuredeploy.json
create mode 100644 Solutions/Infoblox Cloud Data Connector/Playbooks/Infoblox-Import-Hosts-Daily-Phishing/azuredeploy.json
create mode 100644 Solutions/Infoblox Cloud Data Connector/Playbooks/Infoblox-Import-Hosts-Hourly/azuredeploy.json
create mode 100644 Solutions/Infoblox Cloud Data Connector/Playbooks/Infoblox-Import-IPs-Hourly/azuredeploy.json
create mode 100644 Solutions/Infoblox Cloud Data Connector/Playbooks/Infoblox-Import-URLs-Hourly/azuredeploy.json
create mode 100644 Solutions/Infoblox Cloud Data Connector/Playbooks/Infoblox-Incident-Enrichment-Domains/azuredeploy.json
create mode 100644 Solutions/Infoblox Cloud Data Connector/Playbooks/Infoblox-Incident-Send-Email/azuredeploy.json
create mode 100644 Solutions/Infoblox Cloud Data Connector/Playbooks/readme.md
diff --git a/Solutions/Infoblox Cloud Data Connector/Playbooks/Infoblox-Import-AISCOMM-Weekly/azuredeploy.json b/Solutions/Infoblox Cloud Data Connector/Playbooks/Infoblox-Import-AISCOMM-Weekly/azuredeploy.json
new file mode 100644
index 00000000000..86787f8db5a
--- /dev/null
+++ b/Solutions/Infoblox Cloud Data Connector/Playbooks/Infoblox-Import-AISCOMM-Weekly/azuredeploy.json
@@ -0,0 +1,517 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "title": "Infoblox Import AISCOMM Weekly",
+ "description": "Leverages the Infoblox TIDE API to automatically import threat indicators into the ThreatIntelligenceIndicator table. This playbook imports all indicators from the AISCOMM data provider on a scheduled weekly basis.",
+ "prerequisites": [
+ "1. Infoblox TIDE API key."
+ ],
+ "postDeployment": [
+ ],
+ "prerequisitesDeployTemplateFile": "",
+ "lastUpdateTime": "",
+ "entities": [
+ ],
+ "tags": [
+ ],
+ "support": {
+ "tier": "community",
+ "armtemplate": "Generated from https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Playbook-ARM-Template-Generator"
+ },
+ "author": {
+ "name": "Infoblox"
+ }
+ },
+ "parameters": {
+ "PlaybookName": {
+ "defaultValue": "Infoblox-Import-AISCOMM-Weekly",
+ "type": "string"
+ },
+ "AD Application Secret": {
+ "type": "string",
+ "metadata": {
+ "description": "Enter value for AD Application Secret"
+ }
+ },
+ "Client ID": {
+ "type": "string",
+ "metadata": {
+ "description": "Enter value for Client ID"
+ }
+ },
+ "TIDE API Key": {
+ "type": "string",
+ "metadata": {
+ "description": "Enter value for TIDE API Key"
+ }
+ },
+ "Tenant ID": {
+ "type": "string",
+ "metadata": {
+ "description": "Enter value for Tenant ID"
+ }
+ }
+ },
+ "variables": {
+ },
+ "resources": [
+ {
+ "properties": {
+ "provisioningState": "Succeeded",
+ "state": "Disabled",
+ "definition": {
+ "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "AD Application Secret": {
+ "defaultValue": "[parameters('AD Application Secret')]",
+ "type": "string"
+ },
+ "Client ID": {
+ "defaultValue": "[parameters('Client ID')]",
+ "type": "string"
+ },
+ "TIDE API Key": {
+ "defaultValue": "[parameters('TIDE API Key')]",
+ "type": "string"
+ },
+ "Tenant ID": {
+ "defaultValue": "[parameters('Tenant ID')]",
+ "type": "string"
+ }
+ },
+ "triggers": {
+ "Recurrence": {
+ "recurrence": {
+ "frequency": "Week",
+ "interval": 1
+ },
+ "evaluatedRecurrence": {
+ "frequency": "Week",
+ "interval": 1
+ },
+ "type": "Recurrence"
+ }
+ },
+ "actions": {
+ "For_Each_Indicator_(Threat)": {
+ "foreach": "@body('Parse_JSON')?['threat']",
+ "actions": {
+ "Switch": {
+ "runAfter": {
+ },
+ "cases": {
+ "EMAIL": {
+ "case": "EMAIL",
+ "actions": {
+ "Send_Emails_to_Sentinel": {
+ "runAfter": {
+ },
+ "type": "Http",
+ "inputs": {
+ "authentication": {
+ "audience": "https://graph.microsoft.com",
+ "clientId": "@parameters('Client ID')",
+ "secret": "@parameters('AD Application Secret')",
+ "tenant": "@parameters('Tenant ID')",
+ "type": "ActiveDirectoryOAuth"
+ },
+ "body": {
+ "action": "alert",
+ "additionalInformation": "@{items('For_Each_Indicator_(Threat)')?['extended']?['notes']}",
+ "confidence": "@items('For_Each_Indicator_(Threat)')?['confidence']",
+ "description": "Infoblox - @{items('For_Each_Indicator_(Threat)')?['type']} - @{items('For_Each_Indicator_(Threat)')?['class']}",
+ "emailSenderAddress": "@{items('For_Each_Indicator_(Threat)')?['email']}",
+ "emailSourceDomain": "@{items('For_Each_Indicator_(Threat)')?['domain']}",
+ "expirationDateTime": "@items('For_Each_Indicator_(Threat)')?['expiration']",
+ "externalId": "@{items('For_Each_Indicator_(Threat)')?['id']}",
+ "indicatorProvider": "Infoblox TIDE",
+ "lastReportedDateTime": "@items('For_Each_Indicator_(Threat)')?['imported']",
+ "tags": [
+ "@{items('For_Each_Indicator_(Threat)')?['type']}",
+ "Imported: @{items('For_Each_Indicator_(Threat)')?['imported']}",
+ "Profile: @{items('For_Each_Indicator_(Threat)')?['profile']}",
+ "Property: @{items('For_Each_Indicator_(Threat)')?['property']}",
+ "Threat Level: @{items('For_Each_Indicator_(Threat)')?['threat_level']}"
+ ],
+ "targetProduct": "Azure Sentinel",
+ "threatType": "WatchList",
+ "tlpLevel": "white"
+ },
+ "method": "POST",
+ "uri": "https://graph.microsoft.com/beta/security/tiIndicators"
+ }
+ }
+ }
+ },
+ "HASH": {
+ "case": "HASH",
+ "actions": {
+ "Send_Hashes_to_Sentinel": {
+ "runAfter": {
+ },
+ "type": "Http",
+ "inputs": {
+ "authentication": {
+ "audience": "https://graph.microsoft.com",
+ "clientId": "@parameters('Client ID')",
+ "secret": "@parameters('AD Application Secret')",
+ "tenant": "@parameters('Tenant ID')",
+ "type": "ActiveDirectoryOAuth"
+ },
+ "body": {
+ "action": "alert",
+ "additionalInformation": "@{items('For_Each_Indicator_(Threat)')?['extended']?['notes']}",
+ "confidence": "@items('For_Each_Indicator_(Threat)')?['confidence']",
+ "description": "Infoblox - @{items('For_Each_Indicator_(Threat)')?['type']} - @{items('For_Each_Indicator_(Threat)')?['class']}",
+ "expirationDateTime": "@items('For_Each_Indicator_(Threat)')?['expiration']",
+ "externalId": "@{items('For_Each_Indicator_(Threat)')?['id']}",
+ "fileHashType": "@{toLower(items('For_Each_Indicator_(Threat)')?['hash_type'])}",
+ "fileHashValue": "@{items('For_Each_Indicator_(Threat)')?['hash']}",
+ "indicatorProvider": "Infoblox TIDE",
+ "lastReportedDateTime": "@items('For_Each_Indicator_(Threat)')?['imported']",
+ "tags": [
+ "@{items('For_Each_Indicator_(Threat)')?['type']}",
+ "Imported: @{items('For_Each_Indicator_(Threat)')?['imported']}",
+ "Profile: @{items('For_Each_Indicator_(Threat)')?['profile']}",
+ "Property: @{items('For_Each_Indicator_(Threat)')?['property']}",
+ "Threat Level: @{items('For_Each_Indicator_(Threat)')?['threat_level']}",
+ "Hash Type: @{items('For_Each_Indicator_(Threat)')?['hash_type']}"
+ ],
+ "targetProduct": "Azure Sentinel",
+ "threatType": "WatchList",
+ "tlpLevel": "white"
+ },
+ "method": "POST",
+ "uri": "https://graph.microsoft.com/beta/security/tiIndicators"
+ }
+ }
+ }
+ },
+ "HOST": {
+ "case": "HOST",
+ "actions": {
+ "Send_Hosts_to_Sentinel": {
+ "runAfter": {
+ },
+ "type": "Http",
+ "inputs": {
+ "authentication": {
+ "audience": "https://graph.microsoft.com",
+ "clientId": "@parameters('Client ID')",
+ "secret": "@parameters('AD Application Secret')",
+ "tenant": "@parameters('Tenant ID')",
+ "type": "ActiveDirectoryOAuth"
+ },
+ "body": {
+ "action": "alert",
+ "additionalInformation": "@{items('For_Each_Indicator_(Threat)')?['extended']?['notes']}",
+ "confidence": "@items('For_Each_Indicator_(Threat)')?['confidence']",
+ "description": "Infoblox - @{items('For_Each_Indicator_(Threat)')?['type']} - @{items('For_Each_Indicator_(Threat)')?['class']}",
+ "domainName": "@{items('For_Each_Indicator_(Threat)')?['host']}",
+ "expirationDateTime": "@items('For_Each_Indicator_(Threat)')?['expiration']",
+ "externalId": "@{items('For_Each_Indicator_(Threat)')?['id']}",
+ "indicatorProvider": "Infoblox TIDE",
+ "lastReportedDateTime": "@items('For_Each_Indicator_(Threat)')?['imported']",
+ "tags": [
+ "@{items('For_Each_Indicator_(Threat)')?['type']}",
+ "Imported: @{items('For_Each_Indicator_(Threat)')?['imported']}",
+ "Profile: @{items('For_Each_Indicator_(Threat)')?['profile']}",
+ "Property: @{items('For_Each_Indicator_(Threat)')?['property']}",
+ "Threat Level: @{items('For_Each_Indicator_(Threat)')?['threat_level']}"
+ ],
+ "targetProduct": "Azure Sentinel",
+ "threatType": "WatchList",
+ "tlpLevel": "white"
+ },
+ "method": "POST",
+ "uri": "https://graph.microsoft.com/beta/security/tiIndicators"
+ }
+ }
+ }
+ },
+ "IP": {
+ "case": "IP",
+ "actions": {
+ "Send_IPs_to_Sentinel": {
+ "runAfter": {
+ },
+ "type": "Http",
+ "inputs": {
+ "authentication": {
+ "audience": "https://graph.microsoft.com",
+ "clientId": "@parameters('Client ID')",
+ "secret": "@parameters('AD Application Secret')",
+ "tenant": "@parameters('Tenant ID')",
+ "type": "ActiveDirectoryOAuth"
+ },
+ "body": {
+ "action": "alert",
+ "additionalInformation": "@{items('For_Each_Indicator_(Threat)')?['extended']?['notes']}",
+ "confidence": "@items('For_Each_Indicator_(Threat)')?['confidence']",
+ "description": "Infoblox - @{items('For_Each_Indicator_(Threat)')?['type']} - @{items('For_Each_Indicator_(Threat)')?['class']}",
+ "expirationDateTime": "@items('For_Each_Indicator_(Threat)')?['expiration']",
+ "externalId": "@{items('For_Each_Indicator_(Threat)')?['id']}",
+ "indicatorProvider": "Infoblox TIDE",
+ "lastReportedDateTime": "@items('For_Each_Indicator_(Threat)')?['imported']",
+ "networkIPv4": "@{items('For_Each_Indicator_(Threat)')?['ip']}",
+ "tags": [
+ "@{items('For_Each_Indicator_(Threat)')?['type']}",
+ "Imported: @{items('For_Each_Indicator_(Threat)')?['imported']}",
+ "Profile: @{items('For_Each_Indicator_(Threat)')?['profile']}",
+ "Property: @{items('For_Each_Indicator_(Threat)')?['property']}",
+ "Threat Level: @{items('For_Each_Indicator_(Threat)')?['threat_level']}"
+ ],
+ "targetProduct": "Azure Sentinel",
+ "threatType": "WatchList",
+ "tlpLevel": "white"
+ },
+ "method": "POST",
+ "uri": "https://graph.microsoft.com/beta/security/tiIndicators"
+ }
+ }
+ }
+ },
+ "URL": {
+ "case": "URL",
+ "actions": {
+ "Send_URLs_to_Sentinel": {
+ "runAfter": {
+ },
+ "type": "Http",
+ "inputs": {
+ "authentication": {
+ "audience": "https://graph.microsoft.com",
+ "clientId": "@parameters('Client ID')",
+ "secret": "@parameters('AD Application Secret')",
+ "tenant": "@parameters('Tenant ID')",
+ "type": "ActiveDirectoryOAuth"
+ },
+ "body": {
+ "action": "alert",
+ "additionalInformation": "@{items('For_Each_Indicator_(Threat)')?['extended']?['notes']}",
+ "confidence": "@items('For_Each_Indicator_(Threat)')?['confidence']",
+ "description": "Infoblox - @{items('For_Each_Indicator_(Threat)')?['type']} - @{items('For_Each_Indicator_(Threat)')?['class']}",
+ "expirationDateTime": "@items('For_Each_Indicator_(Threat)')?['expiration']",
+ "externalId": "@{items('For_Each_Indicator_(Threat)')?['id']}",
+ "indicatorProvider": "Infoblox TIDE",
+ "lastReportedDateTime": "@items('For_Each_Indicator_(Threat)')?['imported']",
+ "tags": [
+ "@{items('For_Each_Indicator_(Threat)')?['type']}",
+ "Imported: @{items('For_Each_Indicator_(Threat)')?['imported']}",
+ "Profile: @{items('For_Each_Indicator_(Threat)')?['profile']}",
+ "Property: @{items('For_Each_Indicator_(Threat)')?['property']}",
+ "Threat Level: @{items('For_Each_Indicator_(Threat)')?['threat_level']}"
+ ],
+ "targetProduct": "Azure Sentinel",
+ "threatType": "WatchList",
+ "tlpLevel": "white",
+ "url": "@{items('For_Each_Indicator_(Threat)')?['url']}"
+ },
+ "method": "POST",
+ "uri": "https://graph.microsoft.com/beta/security/tiIndicators"
+ }
+ }
+ }
+ }
+ },
+ "default": {
+ "actions": {
+ }
+ },
+ "expression": "@items('For_Each_Indicator_(Threat)')?['type']",
+ "type": "Switch"
+ }
+ },
+ "runAfter": {
+ "Parse_JSON": [
+ "Succeeded"
+ ]
+ },
+ "type": "Foreach"
+ },
+ "Get_TIDE_Data": {
+ "runAfter": {
+ },
+ "type": "Http",
+ "inputs": {
+ "headers": {
+ "Authorization": "Token @{parameters('TIDE API Key')}"
+ },
+ "method": "GET",
+ "queries": {
+ "fields": "notes,confidence,type,class,host,expiration,id,imported,type,profile,property,threat_level,extended,email,domain,hash,hash_type,ip,url",
+ "profile": "AISCOMM",
+ "rlimit": "90000"
+ },
+ "uri": "https://csp.infoblox.com/tide/api/data/threats/"
+ }
+ },
+ "Parse_JSON": {
+ "runAfter": {
+ "Get_TIDE_Data": [
+ "Succeeded"
+ ]
+ },
+ "type": "ParseJson",
+ "inputs": {
+ "content": "@body('Get_TIDE_Data')",
+ "schema": {
+ "properties": {
+ "record_count": {
+ "type": "integer"
+ },
+ "threat": {
+ "items": {
+ "properties": {
+ "batch_id": {
+ "type": "string"
+ },
+ "class": {
+ "type": "string"
+ },
+ "confidence": {
+ "type": "integer"
+ },
+ "confidence_score": {
+ "type": "number"
+ },
+ "confidence_score_rating": {
+ "type": "string"
+ },
+ "confidence_score_vector": {
+ "type": "string"
+ },
+ "detected": {
+ "type": "string"
+ },
+ "dga": {
+ },
+ "domain": {
+ "type": "string"
+ },
+ "email": {
+ "type": "string"
+ },
+ "expiration": {
+ "type": "string"
+ },
+ "extended": {
+ "properties": {
+ "ais_consent": {
+ "type": "string"
+ },
+ "cyberint_guid": {
+ "type": "string"
+ },
+ "no_whitelist": {
+ "type": "string"
+ },
+ "notes": {
+ "type": "string"
+ },
+ "protocol": {
+ "type": "string"
+ },
+ "url_hash": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "hash": {
+ "type": "string"
+ },
+ "hash_type": {
+ "type": "string"
+ },
+ "host": {
+ "type": "string"
+ },
+ "id": {
+ "type": "string"
+ },
+ "imported": {
+ "type": "string"
+ },
+ "ip": {
+ "type": "string"
+ },
+ "profile": {
+ "type": "string"
+ },
+ "property": {
+ "type": "string"
+ },
+ "received": {
+ "type": "string"
+ },
+ "risk_score": {
+ "type": "number"
+ },
+ "risk_score_rating": {
+ "type": "string"
+ },
+ "risk_score_vector": {
+ "type": "string"
+ },
+ "threat_level": {
+ "type": "integer"
+ },
+ "threat_score": {
+ "type": "number"
+ },
+ "threat_score_rating": {
+ "type": "string"
+ },
+ "threat_score_vector": {
+ "type": "string"
+ },
+ "tld": {
+ "type": "string"
+ },
+ "type": {
+ "type": "string"
+ },
+ "up": {
+ },
+ "url": {
+ "type": "string"
+ }
+ },
+ "required": [
+ "id"
+ ],
+ "type": "object"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ }
+ }
+ }
+ },
+ "outputs": {
+ }
+ },
+ "parameters": {
+ }
+ },
+ "name": "[parameters('PlaybookName')]",
+ "type": "Microsoft.Logic/workflows",
+ "location": "[resourceGroup().location]",
+ "tags": {
+ "hidden-SentinelTemplateName": "Infoblox-Import-AISCOMM-Weekly",
+ "hidden-SentinelTemplateVersion": "1.0"
+ },
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "apiVersion": "2017-07-01",
+ "dependsOn": [
+ ]
+ }
+ ]
+}
diff --git a/Solutions/Infoblox Cloud Data Connector/Playbooks/Infoblox-Import-Emails-Weekly/azuredeploy.json b/Solutions/Infoblox Cloud Data Connector/Playbooks/Infoblox-Import-Emails-Weekly/azuredeploy.json
new file mode 100644
index 00000000000..0de7c448a43
--- /dev/null
+++ b/Solutions/Infoblox Cloud Data Connector/Playbooks/Infoblox-Import-Emails-Weekly/azuredeploy.json
@@ -0,0 +1,516 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "title": "Infoblox Import Emails Weekly",
+ "description": "Leverages the Infoblox TIDE API to automatically import threat indicators into the ThreatIntelligenceIndicator table. This playbook imports newly detected emails on a scheduled weekly basis.",
+ "prerequisites": [
+ "1. Infoblox TIDE API key."
+ ],
+ "postDeployment": [
+ ],
+ "prerequisitesDeployTemplateFile": "",
+ "lastUpdateTime": "",
+ "entities": [
+ ],
+ "tags": [
+ ],
+ "support": {
+ "tier": "community",
+ "armtemplate": "Generated from https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Playbook-ARM-Template-Generator"
+ },
+ "author": {
+ "name": "Infoblox"
+ }
+ },
+ "parameters": {
+ "PlaybookName": {
+ "defaultValue": "Infoblox-Import-Emails-Weekly",
+ "type": "string"
+ },
+ "AD Application Secret": {
+ "type": "string",
+ "metadata": {
+ "description": "Enter value for AD Application Secret"
+ }
+ },
+ "Client ID": {
+ "type": "string",
+ "metadata": {
+ "description": "Enter value for Client ID"
+ }
+ },
+ "TIDE API Key": {
+ "type": "string",
+ "metadata": {
+ "description": "Enter value for TIDE API Key"
+ }
+ },
+ "Tenant ID": {
+ "type": "string",
+ "metadata": {
+ "description": "Enter value for Tenant ID"
+ }
+ }
+ },
+ "variables": {
+ },
+ "resources": [
+ {
+ "properties": {
+ "provisioningState": "Succeeded",
+ "state": "Disabled",
+ "definition": {
+ "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "AD Application Secret": {
+ "defaultValue": "[parameters('AD Application Secret')]",
+ "type": "string"
+ },
+ "Client ID": {
+ "defaultValue": "[parameters('Client ID')]",
+ "type": "string"
+ },
+ "TIDE API Key": {
+ "defaultValue": "[parameters('TIDE API Key')]",
+ "type": "string"
+ },
+ "Tenant ID": {
+ "defaultValue": "[parameters('Tenant ID')]",
+ "type": "string"
+ }
+ },
+ "triggers": {
+ "Recurrence": {
+ "recurrence": {
+ "frequency": "Week",
+ "interval": 1
+ },
+ "evaluatedRecurrence": {
+ "frequency": "Week",
+ "interval": 1
+ },
+ "type": "Recurrence"
+ }
+ },
+ "actions": {
+ "For_Each_Indicator_(Threat)": {
+ "foreach": "@body('Parse_JSON')?['threat']",
+ "actions": {
+ "Switch": {
+ "runAfter": {
+ },
+ "cases": {
+ "EMAIL": {
+ "case": "EMAIL",
+ "actions": {
+ "Send_Emails_to_Sentinel": {
+ "runAfter": {
+ },
+ "type": "Http",
+ "inputs": {
+ "authentication": {
+ "audience": "https://graph.microsoft.com",
+ "clientId": "@parameters('Client ID')",
+ "secret": "@parameters('AD Application Secret')",
+ "tenant": "@parameters('Tenant ID')",
+ "type": "ActiveDirectoryOAuth"
+ },
+ "body": {
+ "action": "alert",
+ "additionalInformation": "@{items('For_Each_Indicator_(Threat)')?['extended']?['notes']}",
+ "confidence": "@items('For_Each_Indicator_(Threat)')?['confidence']",
+ "description": "Infoblox - @{items('For_Each_Indicator_(Threat)')?['type']} - @{items('For_Each_Indicator_(Threat)')?['class']}",
+ "emailSenderAddress": "@{items('For_Each_Indicator_(Threat)')?['email']}",
+ "emailSourceDomain": "@{items('For_Each_Indicator_(Threat)')?['domain']}",
+ "expirationDateTime": "@items('For_Each_Indicator_(Threat)')?['expiration']",
+ "externalId": "@{items('For_Each_Indicator_(Threat)')?['id']}",
+ "indicatorProvider": "Infoblox TIDE",
+ "lastReportedDateTime": "@items('For_Each_Indicator_(Threat)')?['imported']",
+ "tags": [
+ "@{items('For_Each_Indicator_(Threat)')?['type']}",
+ "Imported: @{items('For_Each_Indicator_(Threat)')?['imported']}",
+ "Profile: @{items('For_Each_Indicator_(Threat)')?['profile']}",
+ "Property: @{items('For_Each_Indicator_(Threat)')?['property']}",
+ "Threat Level: @{items('For_Each_Indicator_(Threat)')?['threat_level']}"
+ ],
+ "targetProduct": "Azure Sentinel",
+ "threatType": "WatchList",
+ "tlpLevel": "white"
+ },
+ "method": "POST",
+ "uri": "https://graph.microsoft.com/beta/security/tiIndicators"
+ }
+ }
+ }
+ },
+ "HASH": {
+ "case": "HASH",
+ "actions": {
+ "Send_Hashes_to_Sentinel": {
+ "runAfter": {
+ },
+ "type": "Http",
+ "inputs": {
+ "authentication": {
+ "audience": "https://graph.microsoft.com",
+ "clientId": "@parameters('Client ID')",
+ "secret": "@parameters('AD Application Secret')",
+ "tenant": "@parameters('Tenant ID')",
+ "type": "ActiveDirectoryOAuth"
+ },
+ "body": {
+ "action": "alert",
+ "additionalInformation": "@{items('For_Each_Indicator_(Threat)')?['extended']?['notes']}",
+ "confidence": "@items('For_Each_Indicator_(Threat)')?['confidence']",
+ "description": "Infoblox - @{items('For_Each_Indicator_(Threat)')?['type']} - @{items('For_Each_Indicator_(Threat)')?['class']}",
+ "expirationDateTime": "@items('For_Each_Indicator_(Threat)')?['expiration']",
+ "externalId": "@{items('For_Each_Indicator_(Threat)')?['id']}",
+ "fileHashType": "@{items('For_Each_Indicator_(Threat)')?['hash_type']}",
+ "fileHashValue": "@{items('For_Each_Indicator_(Threat)')?['hash']}",
+ "indicatorProvider": "Infoblox TIDE",
+ "lastReportedDateTime": "@items('For_Each_Indicator_(Threat)')?['imported']",
+ "tags": [
+ "@{items('For_Each_Indicator_(Threat)')?['type']}",
+ "Imported: @{items('For_Each_Indicator_(Threat)')?['imported']}",
+ "Profile: @{items('For_Each_Indicator_(Threat)')?['profile']}",
+ "Property: @{items('For_Each_Indicator_(Threat)')?['property']}",
+ "Threat Level: @{items('For_Each_Indicator_(Threat)')?['threat_level']}",
+ "Hash Type: @{items('For_Each_Indicator_(Threat)')?['hash_type']}"
+ ],
+ "targetProduct": "Azure Sentinel",
+ "threatType": "WatchList",
+ "tlpLevel": "white"
+ },
+ "method": "POST",
+ "uri": "https://graph.microsoft.com/beta/security/tiIndicators"
+ }
+ }
+ }
+ },
+ "HOST": {
+ "case": "HOST",
+ "actions": {
+ "Send_Hosts_to_Sentinel": {
+ "runAfter": {
+ },
+ "type": "Http",
+ "inputs": {
+ "authentication": {
+ "audience": "https://graph.microsoft.com",
+ "clientId": "@parameters('Client ID')",
+ "secret": "@parameters('AD Application Secret')",
+ "tenant": "@parameters('Tenant ID')",
+ "type": "ActiveDirectoryOAuth"
+ },
+ "body": {
+ "action": "alert",
+ "additionalInformation": "@{items('For_Each_Indicator_(Threat)')?['extended']?['notes']}",
+ "confidence": "@items('For_Each_Indicator_(Threat)')?['confidence']",
+ "description": "Infoblox - @{items('For_Each_Indicator_(Threat)')?['type']} - @{items('For_Each_Indicator_(Threat)')?['class']}",
+ "domainName": "@{items('For_Each_Indicator_(Threat)')?['host']}",
+ "expirationDateTime": "@items('For_Each_Indicator_(Threat)')?['expiration']",
+ "externalId": "@{items('For_Each_Indicator_(Threat)')?['id']}",
+ "indicatorProvider": "Infoblox TIDE",
+ "lastReportedDateTime": "@items('For_Each_Indicator_(Threat)')?['imported']",
+ "tags": [
+ "@{items('For_Each_Indicator_(Threat)')?['type']}",
+ "Imported: @{items('For_Each_Indicator_(Threat)')?['imported']}",
+ "Profile: @{items('For_Each_Indicator_(Threat)')?['profile']}",
+ "Property: @{items('For_Each_Indicator_(Threat)')?['property']}",
+ "Threat Level: @{items('For_Each_Indicator_(Threat)')?['threat_level']}"
+ ],
+ "targetProduct": "Azure Sentinel",
+ "threatType": "WatchList",
+ "tlpLevel": "white"
+ },
+ "method": "POST",
+ "uri": "https://graph.microsoft.com/beta/security/tiIndicators"
+ }
+ }
+ }
+ },
+ "IP": {
+ "case": "IP",
+ "actions": {
+ "Send_IPs_to_Sentinel": {
+ "runAfter": {
+ },
+ "type": "Http",
+ "inputs": {
+ "authentication": {
+ "audience": "https://graph.microsoft.com",
+ "clientId": "@parameters('Client ID')",
+ "secret": "@parameters('AD Application Secret')",
+ "tenant": "@parameters('Tenant ID')",
+ "type": "ActiveDirectoryOAuth"
+ },
+ "body": {
+ "action": "alert",
+ "additionalInformation": "@{items('For_Each_Indicator_(Threat)')?['extended']?['notes']}",
+ "confidence": "@items('For_Each_Indicator_(Threat)')?['confidence']",
+ "description": "Infoblox - @{items('For_Each_Indicator_(Threat)')?['type']} - @{items('For_Each_Indicator_(Threat)')?['class']}",
+ "expirationDateTime": "@items('For_Each_Indicator_(Threat)')?['expiration']",
+ "externalId": "@{items('For_Each_Indicator_(Threat)')?['id']}",
+ "indicatorProvider": "Infoblox TIDE",
+ "lastReportedDateTime": "@items('For_Each_Indicator_(Threat)')?['imported']",
+ "networkIPv4": "@{items('For_Each_Indicator_(Threat)')?['ip']}",
+ "tags": [
+ "@{items('For_Each_Indicator_(Threat)')?['type']}",
+ "Imported: @{items('For_Each_Indicator_(Threat)')?['imported']}",
+ "Profile: @{items('For_Each_Indicator_(Threat)')?['profile']}",
+ "Property: @{items('For_Each_Indicator_(Threat)')?['property']}",
+ "Threat Level: @{items('For_Each_Indicator_(Threat)')?['threat_level']}"
+ ],
+ "targetProduct": "Azure Sentinel",
+ "threatType": "WatchList",
+ "tlpLevel": "white"
+ },
+ "method": "POST",
+ "uri": "https://graph.microsoft.com/beta/security/tiIndicators"
+ }
+ }
+ }
+ },
+ "URL": {
+ "case": "URL",
+ "actions": {
+ "Send_URLs_to_Sentinel": {
+ "runAfter": {
+ },
+ "type": "Http",
+ "inputs": {
+ "authentication": {
+ "audience": "https://graph.microsoft.com",
+ "clientId": "@parameters('Client ID')",
+ "secret": "@parameters('AD Application Secret')",
+ "tenant": "@parameters('Tenant ID')",
+ "type": "ActiveDirectoryOAuth"
+ },
+ "body": {
+ "action": "alert",
+ "additionalInformation": "@{items('For_Each_Indicator_(Threat)')?['extended']?['notes']}",
+ "confidence": "@items('For_Each_Indicator_(Threat)')?['confidence']",
+ "description": "Infoblox - @{items('For_Each_Indicator_(Threat)')?['type']} - @{items('For_Each_Indicator_(Threat)')?['class']}",
+ "expirationDateTime": "@items('For_Each_Indicator_(Threat)')?['expiration']",
+ "externalId": "@{items('For_Each_Indicator_(Threat)')?['id']}",
+ "indicatorProvider": "Infoblox TIDE",
+ "lastReportedDateTime": "@items('For_Each_Indicator_(Threat)')?['imported']",
+ "tags": [
+ "@{items('For_Each_Indicator_(Threat)')?['type']}",
+ "Imported: @{items('For_Each_Indicator_(Threat)')?['imported']}",
+ "Profile: @{items('For_Each_Indicator_(Threat)')?['profile']}",
+ "Property: @{items('For_Each_Indicator_(Threat)')?['property']}",
+ "Threat Level: @{items('For_Each_Indicator_(Threat)')?['threat_level']}"
+ ],
+ "targetProduct": "Azure Sentinel",
+ "threatType": "WatchList",
+ "tlpLevel": "white",
+ "url": "@{items('For_Each_Indicator_(Threat)')?['url']}"
+ },
+ "method": "POST",
+ "uri": "https://graph.microsoft.com/beta/security/tiIndicators"
+ }
+ }
+ }
+ }
+ },
+ "default": {
+ "actions": {
+ }
+ },
+ "expression": "@items('For_Each_Indicator_(Threat)')?['type']",
+ "type": "Switch"
+ }
+ },
+ "runAfter": {
+ "Parse_JSON": [
+ "Succeeded"
+ ]
+ },
+ "type": "Foreach"
+ },
+ "Get_TIDE_Data": {
+ "runAfter": {
+ },
+ "type": "Http",
+ "inputs": {
+ "headers": {
+ "Authorization": "Token @{parameters('TIDE API Key')}"
+ },
+ "method": "GET",
+ "queries": {
+ "fields": "notes,confidence,type,class,host,expiration,id,imported,type,profile,property,threat_level,extended,email,domain,hash,hash_type,ip,url",
+ "rlimit": "90000"
+ },
+ "uri": "https://csp.infoblox.com/tide/api/data/threats/email/"
+ }
+ },
+ "Parse_JSON": {
+ "runAfter": {
+ "Get_TIDE_Data": [
+ "Succeeded"
+ ]
+ },
+ "type": "ParseJson",
+ "inputs": {
+ "content": "@body('Get_TIDE_Data')",
+ "schema": {
+ "properties": {
+ "record_count": {
+ "type": "integer"
+ },
+ "threat": {
+ "items": {
+ "properties": {
+ "batch_id": {
+ "type": "string"
+ },
+ "class": {
+ "type": "string"
+ },
+ "confidence": {
+ "type": "integer"
+ },
+ "confidence_score": {
+ "type": "number"
+ },
+ "confidence_score_rating": {
+ "type": "string"
+ },
+ "confidence_score_vector": {
+ "type": "string"
+ },
+ "detected": {
+ "type": "string"
+ },
+ "dga": {
+ },
+ "domain": {
+ "type": "string"
+ },
+ "email": {
+ "type": "string"
+ },
+ "expiration": {
+ "type": "string"
+ },
+ "extended": {
+ "properties": {
+ "ais_consent": {
+ "type": "string"
+ },
+ "cyberint_guid": {
+ "type": "string"
+ },
+ "no_whitelist": {
+ "type": "string"
+ },
+ "notes": {
+ "type": "string"
+ },
+ "protocol": {
+ "type": "string"
+ },
+ "url_hash": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "hash": {
+ "type": "string"
+ },
+ "hash_type": {
+ "type": "string"
+ },
+ "host": {
+ "type": "string"
+ },
+ "id": {
+ "type": "string"
+ },
+ "imported": {
+ "type": "string"
+ },
+ "ip": {
+ "type": "string"
+ },
+ "profile": {
+ "type": "string"
+ },
+ "property": {
+ "type": "string"
+ },
+ "received": {
+ "type": "string"
+ },
+ "risk_score": {
+ "type": "number"
+ },
+ "risk_score_rating": {
+ "type": "string"
+ },
+ "risk_score_vector": {
+ "type": "string"
+ },
+ "threat_level": {
+ "type": "integer"
+ },
+ "threat_score": {
+ "type": "number"
+ },
+ "threat_score_rating": {
+ "type": "string"
+ },
+ "threat_score_vector": {
+ "type": "string"
+ },
+ "tld": {
+ "type": "string"
+ },
+ "type": {
+ "type": "string"
+ },
+ "up": {
+ },
+ "url": {
+ "type": "string"
+ }
+ },
+ "required": [
+ "id"
+ ],
+ "type": "object"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ }
+ }
+ }
+ },
+ "outputs": {
+ }
+ },
+ "parameters": {
+ }
+ },
+ "name": "[parameters('PlaybookName')]",
+ "type": "Microsoft.Logic/workflows",
+ "location": "[resourceGroup().location]",
+ "tags": {
+ "hidden-SentinelTemplateName": "Infoblox-Import-Emails-Weekly",
+ "hidden-SentinelTemplateVersion": "1.0"
+ },
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "apiVersion": "2017-07-01",
+ "dependsOn": [
+ ]
+ }
+ ]
+}
diff --git a/Solutions/Infoblox Cloud Data Connector/Playbooks/Infoblox-Import-Hashes-Weekly/azuredeploy.json b/Solutions/Infoblox Cloud Data Connector/Playbooks/Infoblox-Import-Hashes-Weekly/azuredeploy.json
new file mode 100644
index 00000000000..4b9d21e1178
--- /dev/null
+++ b/Solutions/Infoblox Cloud Data Connector/Playbooks/Infoblox-Import-Hashes-Weekly/azuredeploy.json
@@ -0,0 +1,516 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "title": "Infoblox Import Hashes Weekly",
+ "description": "Leverages the Infoblox TIDE API to automatically import threat indicators into the ThreatIntelligenceIndicator table. This playbook imports newly detected hashes on a scheduled weekly basis.",
+ "prerequisites": [
+ "1. Infoblox TIDE API key."
+ ],
+ "postDeployment": [
+ ],
+ "prerequisitesDeployTemplateFile": "",
+ "lastUpdateTime": "",
+ "entities": [
+ ],
+ "tags": [
+ ],
+ "support": {
+ "tier": "community",
+ "armtemplate": "Generated from https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Playbook-ARM-Template-Generator"
+ },
+ "author": {
+ "name": "Infoblox"
+ }
+ },
+ "parameters": {
+ "PlaybookName": {
+ "defaultValue": "Infoblox-Import-Hashes-Weekly",
+ "type": "string"
+ },
+ "AD Application Secret": {
+ "type": "string",
+ "metadata": {
+ "description": "Enter value for AD Application Secret"
+ }
+ },
+ "Client ID": {
+ "type": "string",
+ "metadata": {
+ "description": "Enter value for Client ID"
+ }
+ },
+ "TIDE API Key": {
+ "type": "string",
+ "metadata": {
+ "description": "Enter value for TIDE API Key"
+ }
+ },
+ "Tenant ID": {
+ "type": "string",
+ "metadata": {
+ "description": "Enter value for Tenant ID"
+ }
+ }
+ },
+ "variables": {
+ },
+ "resources": [
+ {
+ "properties": {
+ "provisioningState": "Succeeded",
+ "state": "Disabled",
+ "definition": {
+ "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "AD Application Secret": {
+ "defaultValue": "[parameters('AD Application Secret')]",
+ "type": "string"
+ },
+ "Client ID": {
+ "defaultValue": "[parameters('Client ID')]",
+ "type": "string"
+ },
+ "TIDE API Key": {
+ "defaultValue": "[parameters('TIDE API Key')]",
+ "type": "string"
+ },
+ "Tenant ID": {
+ "defaultValue": "[parameters('Tenant ID')]",
+ "type": "string"
+ }
+ },
+ "triggers": {
+ "Recurrence": {
+ "recurrence": {
+ "frequency": "Week",
+ "interval": 1
+ },
+ "evaluatedRecurrence": {
+ "frequency": "Week",
+ "interval": 1
+ },
+ "type": "Recurrence"
+ }
+ },
+ "actions": {
+ "For_Each_Indicator_(Threat)": {
+ "foreach": "@body('Parse_JSON')?['threat']",
+ "actions": {
+ "Switch": {
+ "runAfter": {
+ },
+ "cases": {
+ "EMAIL": {
+ "case": "EMAIL",
+ "actions": {
+ "Send_Emails_to_Sentinel": {
+ "runAfter": {
+ },
+ "type": "Http",
+ "inputs": {
+ "authentication": {
+ "audience": "https://graph.microsoft.com",
+ "clientId": "@parameters('Client ID')",
+ "secret": "@parameters('AD Application Secret')",
+ "tenant": "@parameters('Tenant ID')",
+ "type": "ActiveDirectoryOAuth"
+ },
+ "body": {
+ "action": "alert",
+ "additionalInformation": "@{items('For_Each_Indicator_(Threat)')?['extended']?['notes']}",
+ "confidence": "@items('For_Each_Indicator_(Threat)')?['confidence']",
+ "description": "Infoblox - @{items('For_Each_Indicator_(Threat)')?['type']} - @{items('For_Each_Indicator_(Threat)')?['class']}",
+ "emailSenderAddress": "@{items('For_Each_Indicator_(Threat)')?['email']}",
+ "emailSourceDomain": "@{items('For_Each_Indicator_(Threat)')?['domain']}",
+ "expirationDateTime": "@items('For_Each_Indicator_(Threat)')?['expiration']",
+ "externalId": "@{items('For_Each_Indicator_(Threat)')?['id']}",
+ "indicatorProvider": "Infoblox TIDE",
+ "lastReportedDateTime": "@items('For_Each_Indicator_(Threat)')?['imported']",
+ "tags": [
+ "@{items('For_Each_Indicator_(Threat)')?['type']}",
+ "Imported: @{items('For_Each_Indicator_(Threat)')?['imported']}",
+ "Profile: @{items('For_Each_Indicator_(Threat)')?['profile']}",
+ "Property: @{items('For_Each_Indicator_(Threat)')?['property']}",
+ "Threat Level: @{items('For_Each_Indicator_(Threat)')?['threat_level']}"
+ ],
+ "targetProduct": "Azure Sentinel",
+ "threatType": "WatchList",
+ "tlpLevel": "white"
+ },
+ "method": "POST",
+ "uri": "https://graph.microsoft.com/beta/security/tiIndicators"
+ }
+ }
+ }
+ },
+ "HASH": {
+ "case": "HASH",
+ "actions": {
+ "Send_Hashes_to_Sentinel": {
+ "runAfter": {
+ },
+ "type": "Http",
+ "inputs": {
+ "authentication": {
+ "audience": "https://graph.microsoft.com",
+ "clientId": "@parameters('Client ID')",
+ "secret": "@parameters('AD Application Secret')",
+ "tenant": "@parameters('Tenant ID')",
+ "type": "ActiveDirectoryOAuth"
+ },
+ "body": {
+ "action": "alert",
+ "additionalInformation": "@{items('For_Each_Indicator_(Threat)')?['extended']?['notes']}",
+ "confidence": "@items('For_Each_Indicator_(Threat)')?['confidence']",
+ "description": "Infoblox - @{items('For_Each_Indicator_(Threat)')?['type']} - @{items('For_Each_Indicator_(Threat)')?['class']}",
+ "expirationDateTime": "@items('For_Each_Indicator_(Threat)')?['expiration']",
+ "externalId": "@{items('For_Each_Indicator_(Threat)')?['id']}",
+ "fileHashType": "@{toLower(items('For_Each_Indicator_(Threat)')?['hash_type'])}",
+ "fileHashValue": "@{items('For_Each_Indicator_(Threat)')?['hash']}",
+ "indicatorProvider": "Infoblox TIDE",
+ "lastReportedDateTime": "@items('For_Each_Indicator_(Threat)')?['imported']",
+ "tags": [
+ "@{items('For_Each_Indicator_(Threat)')?['type']}",
+ "Imported: @{items('For_Each_Indicator_(Threat)')?['imported']}",
+ "Profile: @{items('For_Each_Indicator_(Threat)')?['profile']}",
+ "Property: @{items('For_Each_Indicator_(Threat)')?['property']}",
+ "Threat Level: @{items('For_Each_Indicator_(Threat)')?['threat_level']}",
+ "Hash Type: @{items('For_Each_Indicator_(Threat)')?['hash_type']}"
+ ],
+ "targetProduct": "Azure Sentinel",
+ "threatType": "WatchList",
+ "tlpLevel": "white"
+ },
+ "method": "POST",
+ "uri": "https://graph.microsoft.com/beta/security/tiIndicators"
+ }
+ }
+ }
+ },
+ "HOST": {
+ "case": "HOST",
+ "actions": {
+ "Send_Hosts_to_Sentinel": {
+ "runAfter": {
+ },
+ "type": "Http",
+ "inputs": {
+ "authentication": {
+ "audience": "https://graph.microsoft.com",
+ "clientId": "@parameters('Client ID')",
+ "secret": "@parameters('AD Application Secret')",
+ "tenant": "@parameters('Tenant ID')",
+ "type": "ActiveDirectoryOAuth"
+ },
+ "body": {
+ "action": "alert",
+ "additionalInformation": "@{items('For_Each_Indicator_(Threat)')?['extended']?['notes']}",
+ "confidence": "@items('For_Each_Indicator_(Threat)')?['confidence']",
+ "description": "Infoblox - @{items('For_Each_Indicator_(Threat)')?['type']} - @{items('For_Each_Indicator_(Threat)')?['class']}",
+ "domainName": "@{items('For_Each_Indicator_(Threat)')?['host']}",
+ "expirationDateTime": "@items('For_Each_Indicator_(Threat)')?['expiration']",
+ "externalId": "@{items('For_Each_Indicator_(Threat)')?['id']}",
+ "indicatorProvider": "Infoblox TIDE",
+ "lastReportedDateTime": "@items('For_Each_Indicator_(Threat)')?['imported']",
+ "tags": [
+ "@{items('For_Each_Indicator_(Threat)')?['type']}",
+ "Imported: @{items('For_Each_Indicator_(Threat)')?['imported']}",
+ "Profile: @{items('For_Each_Indicator_(Threat)')?['profile']}",
+ "Property: @{items('For_Each_Indicator_(Threat)')?['property']}",
+ "Threat Level: @{items('For_Each_Indicator_(Threat)')?['threat_level']}"
+ ],
+ "targetProduct": "Azure Sentinel",
+ "threatType": "WatchList",
+ "tlpLevel": "white"
+ },
+ "method": "POST",
+ "uri": "https://graph.microsoft.com/beta/security/tiIndicators"
+ }
+ }
+ }
+ },
+ "IP": {
+ "case": "IP",
+ "actions": {
+ "Send_IPs_to_Sentinel": {
+ "runAfter": {
+ },
+ "type": "Http",
+ "inputs": {
+ "authentication": {
+ "audience": "https://graph.microsoft.com",
+ "clientId": "@parameters('Client ID')",
+ "secret": "@parameters('AD Application Secret')",
+ "tenant": "@parameters('Tenant ID')",
+ "type": "ActiveDirectoryOAuth"
+ },
+ "body": {
+ "action": "alert",
+ "additionalInformation": "@{items('For_Each_Indicator_(Threat)')?['extended']?['notes']}",
+ "confidence": "@items('For_Each_Indicator_(Threat)')?['confidence']",
+ "description": "Infoblox - @{items('For_Each_Indicator_(Threat)')?['type']} - @{items('For_Each_Indicator_(Threat)')?['class']}",
+ "expirationDateTime": "@items('For_Each_Indicator_(Threat)')?['expiration']",
+ "externalId": "@{items('For_Each_Indicator_(Threat)')?['id']}",
+ "indicatorProvider": "Infoblox TIDE",
+ "lastReportedDateTime": "@items('For_Each_Indicator_(Threat)')?['imported']",
+ "networkIPv4": "@{items('For_Each_Indicator_(Threat)')?['ip']}",
+ "tags": [
+ "@{items('For_Each_Indicator_(Threat)')?['type']}",
+ "Imported: @{items('For_Each_Indicator_(Threat)')?['imported']}",
+ "Profile: @{items('For_Each_Indicator_(Threat)')?['profile']}",
+ "Property: @{items('For_Each_Indicator_(Threat)')?['property']}",
+ "Threat Level: @{items('For_Each_Indicator_(Threat)')?['threat_level']}"
+ ],
+ "targetProduct": "Azure Sentinel",
+ "threatType": "WatchList",
+ "tlpLevel": "white"
+ },
+ "method": "POST",
+ "uri": "https://graph.microsoft.com/beta/security/tiIndicators"
+ }
+ }
+ }
+ },
+ "URL": {
+ "case": "URL",
+ "actions": {
+ "Send_URLs_to_Sentinel": {
+ "runAfter": {
+ },
+ "type": "Http",
+ "inputs": {
+ "authentication": {
+ "audience": "https://graph.microsoft.com",
+ "clientId": "@parameters('Client ID')",
+ "secret": "@parameters('AD Application Secret')",
+ "tenant": "@parameters('Tenant ID')",
+ "type": "ActiveDirectoryOAuth"
+ },
+ "body": {
+ "action": "alert",
+ "additionalInformation": "@{items('For_Each_Indicator_(Threat)')?['extended']?['notes']}",
+ "confidence": "@items('For_Each_Indicator_(Threat)')?['confidence']",
+ "description": "Infoblox - @{items('For_Each_Indicator_(Threat)')?['type']} - @{items('For_Each_Indicator_(Threat)')?['class']}",
+ "expirationDateTime": "@items('For_Each_Indicator_(Threat)')?['expiration']",
+ "externalId": "@{items('For_Each_Indicator_(Threat)')?['id']}",
+ "indicatorProvider": "Infoblox TIDE",
+ "lastReportedDateTime": "@items('For_Each_Indicator_(Threat)')?['imported']",
+ "tags": [
+ "@{items('For_Each_Indicator_(Threat)')?['type']}",
+ "Imported: @{items('For_Each_Indicator_(Threat)')?['imported']}",
+ "Profile: @{items('For_Each_Indicator_(Threat)')?['profile']}",
+ "Property: @{items('For_Each_Indicator_(Threat)')?['property']}",
+ "Threat Level: @{items('For_Each_Indicator_(Threat)')?['threat_level']}"
+ ],
+ "targetProduct": "Azure Sentinel",
+ "threatType": "WatchList",
+ "tlpLevel": "white",
+ "url": "@{items('For_Each_Indicator_(Threat)')?['url']}"
+ },
+ "method": "POST",
+ "uri": "https://graph.microsoft.com/beta/security/tiIndicators"
+ }
+ }
+ }
+ }
+ },
+ "default": {
+ "actions": {
+ }
+ },
+ "expression": "@items('For_Each_Indicator_(Threat)')?['type']",
+ "type": "Switch"
+ }
+ },
+ "runAfter": {
+ "Parse_JSON": [
+ "Succeeded"
+ ]
+ },
+ "type": "Foreach"
+ },
+ "Get_TIDE_Data": {
+ "runAfter": {
+ },
+ "type": "Http",
+ "inputs": {
+ "headers": {
+ "Authorization": "Token @{parameters('TIDE API Key')}"
+ },
+ "method": "GET",
+ "queries": {
+ "fields": "notes,confidence,type,class,host,expiration,id,imported,type,profile,property,threat_level,extended,email,domain,hash,hash_type,ip,url",
+ "rlimit": "90000"
+ },
+ "uri": "https://csp.infoblox.com/tide/api/data/threats/hash/weekly"
+ }
+ },
+ "Parse_JSON": {
+ "runAfter": {
+ "Get_TIDE_Data": [
+ "Succeeded"
+ ]
+ },
+ "type": "ParseJson",
+ "inputs": {
+ "content": "@body('Get_TIDE_Data')",
+ "schema": {
+ "properties": {
+ "record_count": {
+ "type": "integer"
+ },
+ "threat": {
+ "items": {
+ "properties": {
+ "batch_id": {
+ "type": "string"
+ },
+ "class": {
+ "type": "string"
+ },
+ "confidence": {
+ "type": "integer"
+ },
+ "confidence_score": {
+ "type": "number"
+ },
+ "confidence_score_rating": {
+ "type": "string"
+ },
+ "confidence_score_vector": {
+ "type": "string"
+ },
+ "detected": {
+ "type": "string"
+ },
+ "dga": {
+ },
+ "domain": {
+ "type": "string"
+ },
+ "email": {
+ "type": "string"
+ },
+ "expiration": {
+ "type": "string"
+ },
+ "extended": {
+ "properties": {
+ "ais_consent": {
+ "type": "string"
+ },
+ "cyberint_guid": {
+ "type": "string"
+ },
+ "no_whitelist": {
+ "type": "string"
+ },
+ "notes": {
+ "type": "string"
+ },
+ "protocol": {
+ "type": "string"
+ },
+ "url_hash": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "hash": {
+ "type": "string"
+ },
+ "hash_type": {
+ "type": "string"
+ },
+ "host": {
+ "type": "string"
+ },
+ "id": {
+ "type": "string"
+ },
+ "imported": {
+ "type": "string"
+ },
+ "ip": {
+ "type": "string"
+ },
+ "profile": {
+ "type": "string"
+ },
+ "property": {
+ "type": "string"
+ },
+ "received": {
+ "type": "string"
+ },
+ "risk_score": {
+ "type": "number"
+ },
+ "risk_score_rating": {
+ "type": "string"
+ },
+ "risk_score_vector": {
+ "type": "string"
+ },
+ "threat_level": {
+ "type": "integer"
+ },
+ "threat_score": {
+ "type": "number"
+ },
+ "threat_score_rating": {
+ "type": "string"
+ },
+ "threat_score_vector": {
+ "type": "string"
+ },
+ "tld": {
+ "type": "string"
+ },
+ "type": {
+ "type": "string"
+ },
+ "up": {
+ },
+ "url": {
+ "type": "string"
+ }
+ },
+ "required": [
+ "id"
+ ],
+ "type": "object"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ }
+ }
+ }
+ },
+ "outputs": {
+ }
+ },
+ "parameters": {
+ }
+ },
+ "name": "[parameters('PlaybookName')]",
+ "type": "Microsoft.Logic/workflows",
+ "location": "[resourceGroup().location]",
+ "tags": {
+ "hidden-SentinelTemplateName": "Infoblox-Import-Hashes-Weekly",
+ "hidden-SentinelTemplateVersion": "1.0"
+ },
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "apiVersion": "2017-07-01",
+ "dependsOn": [
+ ]
+ }
+ ]
+}
diff --git a/Solutions/Infoblox Cloud Data Connector/Playbooks/Infoblox-Import-Hosts-Daily-LookalikeDomains/azuredeploy.json b/Solutions/Infoblox Cloud Data Connector/Playbooks/Infoblox-Import-Hosts-Daily-LookalikeDomains/azuredeploy.json
new file mode 100644
index 00000000000..c083590fc2b
--- /dev/null
+++ b/Solutions/Infoblox Cloud Data Connector/Playbooks/Infoblox-Import-Hosts-Daily-LookalikeDomains/azuredeploy.json
@@ -0,0 +1,517 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "title": "Infoblox Import Hosts Daily Lookalike Domains",
+ "description": "Leverages the Infoblox TIDE API to automatically import threat indicators into the ThreatIntelligenceIndicator table. This playbook imports newly detected Lookalike domains on a scheduled daily basis.",
+ "prerequisites": [
+ "1. Infoblox TIDE API key."
+ ],
+ "postDeployment": [
+ ],
+ "prerequisitesDeployTemplateFile": "",
+ "lastUpdateTime": "",
+ "entities": [
+ ],
+ "tags": [
+ ],
+ "support": {
+ "tier": "community",
+ "armtemplate": "Generated from https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Playbook-ARM-Template-Generator"
+ },
+ "author": {
+ "name": "Infoblox"
+ }
+ },
+ "parameters": {
+ "PlaybookName": {
+ "defaultValue": "Infoblox-Import-Hosts-Daily-LookalikeDomains",
+ "type": "string"
+ },
+ "AD Application Secret": {
+ "type": "string",
+ "metadata": {
+ "description": "Enter value for AD Application Secret"
+ }
+ },
+ "Client ID": {
+ "type": "string",
+ "metadata": {
+ "description": "Enter value for Client ID"
+ }
+ },
+ "TIDE API Key": {
+ "type": "string",
+ "metadata": {
+ "description": "Enter value for TIDE API Key"
+ }
+ },
+ "Tenant ID": {
+ "type": "string",
+ "metadata": {
+ "description": "Enter value for Tenant ID"
+ }
+ }
+ },
+ "variables": {
+ },
+ "resources": [
+ {
+ "properties": {
+ "provisioningState": "Succeeded",
+ "state": "Disabled",
+ "definition": {
+ "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "AD Application Secret": {
+ "defaultValue": "[parameters('AD Application Secret')]",
+ "type": "string"
+ },
+ "Client ID": {
+ "defaultValue": "[parameters('Client ID')]",
+ "type": "string"
+ },
+ "TIDE API Key": {
+ "defaultValue": "[parameters('TIDE API Key')]",
+ "type": "string"
+ },
+ "Tenant ID": {
+ "defaultValue": "[parameters('Tenant ID')]",
+ "type": "string"
+ }
+ },
+ "triggers": {
+ "Recurrence": {
+ "recurrence": {
+ "frequency": "Day",
+ "interval": 1
+ },
+ "evaluatedRecurrence": {
+ "frequency": "Day",
+ "interval": 1
+ },
+ "type": "Recurrence"
+ }
+ },
+ "actions": {
+ "For_Each_Indicator_(Threat)": {
+ "foreach": "@body('Parse_JSON')?['threat']",
+ "actions": {
+ "Switch": {
+ "runAfter": {
+ },
+ "cases": {
+ "EMAIL": {
+ "case": "EMAIL",
+ "actions": {
+ "Send_Emails_to_Sentinel": {
+ "runAfter": {
+ },
+ "type": "Http",
+ "inputs": {
+ "authentication": {
+ "audience": "https://graph.microsoft.com",
+ "clientId": "@parameters('Client ID')",
+ "secret": "@parameters('AD Application Secret')",
+ "tenant": "@parameters('Tenant ID')",
+ "type": "ActiveDirectoryOAuth"
+ },
+ "body": {
+ "action": "alert",
+ "additionalInformation": "@{items('For_Each_Indicator_(Threat)')?['extended']?['notes']}",
+ "confidence": "@items('For_Each_Indicator_(Threat)')?['confidence']",
+ "description": "Infoblox - @{items('For_Each_Indicator_(Threat)')?['type']} - @{items('For_Each_Indicator_(Threat)')?['class']}",
+ "emailSenderAddress": "@{items('For_Each_Indicator_(Threat)')?['email']}",
+ "emailSourceDomain": "@{items('For_Each_Indicator_(Threat)')?['domain']}",
+ "expirationDateTime": "@items('For_Each_Indicator_(Threat)')?['expiration']",
+ "externalId": "@{items('For_Each_Indicator_(Threat)')?['id']}",
+ "indicatorProvider": "Infoblox TIDE",
+ "lastReportedDateTime": "@items('For_Each_Indicator_(Threat)')?['imported']",
+ "tags": [
+ "@{items('For_Each_Indicator_(Threat)')?['type']}",
+ "Imported: @{items('For_Each_Indicator_(Threat)')?['imported']}",
+ "Profile: @{items('For_Each_Indicator_(Threat)')?['profile']}",
+ "Property: @{items('For_Each_Indicator_(Threat)')?['property']}",
+ "Threat Level: @{items('For_Each_Indicator_(Threat)')?['threat_level']}"
+ ],
+ "targetProduct": "Azure Sentinel",
+ "threatType": "WatchList",
+ "tlpLevel": "white"
+ },
+ "method": "POST",
+ "uri": "https://graph.microsoft.com/beta/security/tiIndicators"
+ }
+ }
+ }
+ },
+ "HASH": {
+ "case": "HASH",
+ "actions": {
+ "Send_Hashes_to_Sentinel": {
+ "runAfter": {
+ },
+ "type": "Http",
+ "inputs": {
+ "authentication": {
+ "audience": "https://graph.microsoft.com",
+ "clientId": "@parameters('Client ID')",
+ "secret": "@parameters('AD Application Secret')",
+ "tenant": "@parameters('Tenant ID')",
+ "type": "ActiveDirectoryOAuth"
+ },
+ "body": {
+ "action": "alert",
+ "additionalInformation": "@{items('For_Each_Indicator_(Threat)')?['extended']?['notes']}",
+ "confidence": "@items('For_Each_Indicator_(Threat)')?['confidence']",
+ "description": "Infoblox - @{items('For_Each_Indicator_(Threat)')?['type']} - @{items('For_Each_Indicator_(Threat)')?['class']}",
+ "expirationDateTime": "@items('For_Each_Indicator_(Threat)')?['expiration']",
+ "externalId": "@{items('For_Each_Indicator_(Threat)')?['id']}",
+ "fileHashType": "@{items('For_Each_Indicator_(Threat)')?['hash_type']}",
+ "fileHashValue": "@{items('For_Each_Indicator_(Threat)')?['hash']}",
+ "indicatorProvider": "Infoblox TIDE",
+ "lastReportedDateTime": "@items('For_Each_Indicator_(Threat)')?['imported']",
+ "tags": [
+ "@{items('For_Each_Indicator_(Threat)')?['type']}",
+ "Imported: @{items('For_Each_Indicator_(Threat)')?['imported']}",
+ "Profile: @{items('For_Each_Indicator_(Threat)')?['profile']}",
+ "Property: @{items('For_Each_Indicator_(Threat)')?['property']}",
+ "Threat Level: @{items('For_Each_Indicator_(Threat)')?['threat_level']}",
+ "Hash Type: @{items('For_Each_Indicator_(Threat)')?['hash_type']}"
+ ],
+ "targetProduct": "Azure Sentinel",
+ "threatType": "WatchList",
+ "tlpLevel": "white"
+ },
+ "method": "POST",
+ "uri": "https://graph.microsoft.com/beta/security/tiIndicators"
+ }
+ }
+ }
+ },
+ "HOST": {
+ "case": "HOST",
+ "actions": {
+ "Send_Hosts_to_Sentinel": {
+ "runAfter": {
+ },
+ "type": "Http",
+ "inputs": {
+ "authentication": {
+ "audience": "https://graph.microsoft.com",
+ "clientId": "@parameters('Client ID')",
+ "secret": "@parameters('AD Application Secret')",
+ "tenant": "@parameters('Tenant ID')",
+ "type": "ActiveDirectoryOAuth"
+ },
+ "body": {
+ "action": "alert",
+ "additionalInformation": "@{items('For_Each_Indicator_(Threat)')?['extended']?['notes']}",
+ "confidence": "@items('For_Each_Indicator_(Threat)')?['confidence']",
+ "description": "Infoblox - @{items('For_Each_Indicator_(Threat)')?['type']} - @{items('For_Each_Indicator_(Threat)')?['class']}",
+ "domainName": "@{items('For_Each_Indicator_(Threat)')?['host']}",
+ "expirationDateTime": "@items('For_Each_Indicator_(Threat)')?['expiration']",
+ "externalId": "@{items('For_Each_Indicator_(Threat)')?['id']}",
+ "indicatorProvider": "Infoblox TIDE",
+ "lastReportedDateTime": "@items('For_Each_Indicator_(Threat)')?['imported']",
+ "tags": [
+ "@{items('For_Each_Indicator_(Threat)')?['type']}",
+ "Imported: @{items('For_Each_Indicator_(Threat)')?['imported']}",
+ "Profile: @{items('For_Each_Indicator_(Threat)')?['profile']}",
+ "Property: @{items('For_Each_Indicator_(Threat)')?['property']}",
+ "Threat Level: @{items('For_Each_Indicator_(Threat)')?['threat_level']}"
+ ],
+ "targetProduct": "Azure Sentinel",
+ "threatType": "WatchList",
+ "tlpLevel": "white"
+ },
+ "method": "POST",
+ "uri": "https://graph.microsoft.com/beta/security/tiIndicators"
+ }
+ }
+ }
+ },
+ "IP": {
+ "case": "IP",
+ "actions": {
+ "Send_IPs_to_Sentinel": {
+ "runAfter": {
+ },
+ "type": "Http",
+ "inputs": {
+ "authentication": {
+ "audience": "https://graph.microsoft.com",
+ "clientId": "@parameters('Client ID')",
+ "secret": "@parameters('AD Application Secret')",
+ "tenant": "@parameters('Tenant ID')",
+ "type": "ActiveDirectoryOAuth"
+ },
+ "body": {
+ "action": "alert",
+ "additionalInformation": "@{items('For_Each_Indicator_(Threat)')?['extended']?['notes']}",
+ "confidence": "@items('For_Each_Indicator_(Threat)')?['confidence']",
+ "description": "Infoblox - @{items('For_Each_Indicator_(Threat)')?['type']} - @{items('For_Each_Indicator_(Threat)')?['class']}",
+ "expirationDateTime": "@items('For_Each_Indicator_(Threat)')?['expiration']",
+ "externalId": "@{items('For_Each_Indicator_(Threat)')?['id']}",
+ "indicatorProvider": "Infoblox TIDE",
+ "lastReportedDateTime": "@items('For_Each_Indicator_(Threat)')?['imported']",
+ "networkIPv4": "@{items('For_Each_Indicator_(Threat)')?['ip']}",
+ "tags": [
+ "@{items('For_Each_Indicator_(Threat)')?['type']}",
+ "Imported: @{items('For_Each_Indicator_(Threat)')?['imported']}",
+ "Profile: @{items('For_Each_Indicator_(Threat)')?['profile']}",
+ "Property: @{items('For_Each_Indicator_(Threat)')?['property']}",
+ "Threat Level: @{items('For_Each_Indicator_(Threat)')?['threat_level']}"
+ ],
+ "targetProduct": "Azure Sentinel",
+ "threatType": "WatchList",
+ "tlpLevel": "white"
+ },
+ "method": "POST",
+ "uri": "https://graph.microsoft.com/beta/security/tiIndicators"
+ }
+ }
+ }
+ },
+ "URL": {
+ "case": "URL",
+ "actions": {
+ "Send_URLs_to_Sentinel": {
+ "runAfter": {
+ },
+ "type": "Http",
+ "inputs": {
+ "authentication": {
+ "audience": "https://graph.microsoft.com",
+ "clientId": "@parameters('Client ID')",
+ "secret": "@parameters('AD Application Secret')",
+ "tenant": "@parameters('Tenant ID')",
+ "type": "ActiveDirectoryOAuth"
+ },
+ "body": {
+ "action": "alert",
+ "additionalInformation": "@{items('For_Each_Indicator_(Threat)')?['extended']?['notes']}",
+ "confidence": "@items('For_Each_Indicator_(Threat)')?['confidence']",
+ "description": "Infoblox - @{items('For_Each_Indicator_(Threat)')?['type']} - @{items('For_Each_Indicator_(Threat)')?['class']}",
+ "expirationDateTime": "@items('For_Each_Indicator_(Threat)')?['expiration']",
+ "externalId": "@{items('For_Each_Indicator_(Threat)')?['id']}",
+ "indicatorProvider": "Infoblox TIDE",
+ "lastReportedDateTime": "@items('For_Each_Indicator_(Threat)')?['imported']",
+ "tags": [
+ "@{items('For_Each_Indicator_(Threat)')?['type']}",
+ "Imported: @{items('For_Each_Indicator_(Threat)')?['imported']}",
+ "Profile: @{items('For_Each_Indicator_(Threat)')?['profile']}",
+ "Property: @{items('For_Each_Indicator_(Threat)')?['property']}",
+ "Threat Level: @{items('For_Each_Indicator_(Threat)')?['threat_level']}"
+ ],
+ "targetProduct": "Azure Sentinel",
+ "threatType": "WatchList",
+ "tlpLevel": "white",
+ "url": "@{items('For_Each_Indicator_(Threat)')?['url']}"
+ },
+ "method": "POST",
+ "uri": "https://graph.microsoft.com/beta/security/tiIndicators"
+ }
+ }
+ }
+ }
+ },
+ "default": {
+ "actions": {
+ }
+ },
+ "expression": "@items('For_Each_Indicator_(Threat)')?['type']",
+ "type": "Switch"
+ }
+ },
+ "runAfter": {
+ "Parse_JSON": [
+ "Succeeded"
+ ]
+ },
+ "type": "Foreach"
+ },
+ "Get_TIDE_Data": {
+ "runAfter": {
+ },
+ "type": "Http",
+ "inputs": {
+ "headers": {
+ "Authorization": "Token @{parameters('TIDE API Key')}"
+ },
+ "method": "GET",
+ "queries": {
+ "fields": "notes,confidence,type,class,host,expiration,id,imported,type,profile,property,threat_level,extended,email,domain,hash,hash_type,ip,url",
+ "property": "Policy_LookalikeDomains",
+ "rlimit": "90000"
+ },
+ "uri": "https://csp.infoblox.com/tide/api/data/threats/host/daily"
+ }
+ },
+ "Parse_JSON": {
+ "runAfter": {
+ "Get_TIDE_Data": [
+ "Succeeded"
+ ]
+ },
+ "type": "ParseJson",
+ "inputs": {
+ "content": "@body('Get_TIDE_Data')",
+ "schema": {
+ "properties": {
+ "record_count": {
+ "type": "integer"
+ },
+ "threat": {
+ "items": {
+ "properties": {
+ "batch_id": {
+ "type": "string"
+ },
+ "class": {
+ "type": "string"
+ },
+ "confidence": {
+ "type": "integer"
+ },
+ "confidence_score": {
+ "type": "number"
+ },
+ "confidence_score_rating": {
+ "type": "string"
+ },
+ "confidence_score_vector": {
+ "type": "string"
+ },
+ "detected": {
+ "type": "string"
+ },
+ "dga": {
+ },
+ "domain": {
+ "type": "string"
+ },
+ "email": {
+ "type": "string"
+ },
+ "expiration": {
+ "type": "string"
+ },
+ "extended": {
+ "properties": {
+ "ais_consent": {
+ "type": "string"
+ },
+ "cyberint_guid": {
+ "type": "string"
+ },
+ "no_whitelist": {
+ "type": "string"
+ },
+ "notes": {
+ "type": "string"
+ },
+ "protocol": {
+ "type": "string"
+ },
+ "url_hash": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "hash": {
+ "type": "string"
+ },
+ "hash_type": {
+ "type": "string"
+ },
+ "host": {
+ "type": "string"
+ },
+ "id": {
+ "type": "string"
+ },
+ "imported": {
+ "type": "string"
+ },
+ "ip": {
+ "type": "string"
+ },
+ "profile": {
+ "type": "string"
+ },
+ "property": {
+ "type": "string"
+ },
+ "received": {
+ "type": "string"
+ },
+ "risk_score": {
+ "type": "number"
+ },
+ "risk_score_rating": {
+ "type": "string"
+ },
+ "risk_score_vector": {
+ "type": "string"
+ },
+ "threat_level": {
+ "type": "integer"
+ },
+ "threat_score": {
+ "type": "number"
+ },
+ "threat_score_rating": {
+ "type": "string"
+ },
+ "threat_score_vector": {
+ "type": "string"
+ },
+ "tld": {
+ "type": "string"
+ },
+ "type": {
+ "type": "string"
+ },
+ "up": {
+ },
+ "url": {
+ "type": "string"
+ }
+ },
+ "required": [
+ "id"
+ ],
+ "type": "object"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ }
+ }
+ }
+ },
+ "outputs": {
+ }
+ },
+ "parameters": {
+ }
+ },
+ "name": "[parameters('PlaybookName')]",
+ "type": "Microsoft.Logic/workflows",
+ "location": "[resourceGroup().location]",
+ "tags": {
+ "hidden-SentinelTemplateName": "Infoblox-Import-Hosts-Daily-LookalikeDomains",
+ "hidden-SentinelTemplateVersion": "1.0"
+ },
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "apiVersion": "2017-07-01",
+ "dependsOn": [
+ ]
+ }
+ ]
+}
diff --git a/Solutions/Infoblox Cloud Data Connector/Playbooks/Infoblox-Import-Hosts-Daily-MalwareC2DGA/azuredeploy.json b/Solutions/Infoblox Cloud Data Connector/Playbooks/Infoblox-Import-Hosts-Daily-MalwareC2DGA/azuredeploy.json
new file mode 100644
index 00000000000..806b017e6f5
--- /dev/null
+++ b/Solutions/Infoblox Cloud Data Connector/Playbooks/Infoblox-Import-Hosts-Daily-MalwareC2DGA/azuredeploy.json
@@ -0,0 +1,517 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "title": "Infoblox Import Hosts Daily MalwareC2DGA",
+ "description": "Leverages the Infoblox TIDE API to automatically import threat indicators into the ThreatIntelligenceIndicator table. This playbook imports newly detected MalwareC2DGA domains on a scheduled daily basis.",
+ "prerequisites": [
+ "1. Infoblox TIDE API key."
+ ],
+ "postDeployment": [
+ ],
+ "prerequisitesDeployTemplateFile": "",
+ "lastUpdateTime": "",
+ "entities": [
+ ],
+ "tags": [
+ ],
+ "support": {
+ "tier": "community",
+ "armtemplate": "Generated from https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Playbook-ARM-Template-Generator"
+ },
+ "author": {
+ "name": "Infoblox"
+ }
+ },
+ "parameters": {
+ "PlaybookName": {
+ "defaultValue": "Infoblox-Import-Hosts-Daily-MalwareC2DGA",
+ "type": "string"
+ },
+ "AD Application Secret": {
+ "type": "string",
+ "metadata": {
+ "description": "Enter value for AD Application Secret"
+ }
+ },
+ "Client ID": {
+ "type": "string",
+ "metadata": {
+ "description": "Enter value for Client ID"
+ }
+ },
+ "TIDE API Key": {
+ "type": "string",
+ "metadata": {
+ "description": "Enter value for TIDE API Key"
+ }
+ },
+ "Tenant ID": {
+ "type": "string",
+ "metadata": {
+ "description": "Enter value for Tenant ID"
+ }
+ }
+ },
+ "variables": {
+ },
+ "resources": [
+ {
+ "properties": {
+ "provisioningState": "Succeeded",
+ "state": "Disabled",
+ "definition": {
+ "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "AD Application Secret": {
+ "defaultValue": "[parameters('AD Application Secret')]",
+ "type": "string"
+ },
+ "Client ID": {
+ "defaultValue": "[parameters('Client ID')]",
+ "type": "string"
+ },
+ "TIDE API Key": {
+ "defaultValue": "[parameters('TIDE API Key')]",
+ "type": "string"
+ },
+ "Tenant ID": {
+ "defaultValue": "[parameters('Tenant ID')]",
+ "type": "string"
+ }
+ },
+ "triggers": {
+ "Recurrence": {
+ "recurrence": {
+ "frequency": "Day",
+ "interval": 1
+ },
+ "evaluatedRecurrence": {
+ "frequency": "Day",
+ "interval": 1
+ },
+ "type": "Recurrence"
+ }
+ },
+ "actions": {
+ "For_Each_Indicator_(Threat)": {
+ "foreach": "@body('Parse_JSON')?['threat']",
+ "actions": {
+ "Switch": {
+ "runAfter": {
+ },
+ "cases": {
+ "EMAIL": {
+ "case": "EMAIL",
+ "actions": {
+ "Send_Emails_to_Sentinel": {
+ "runAfter": {
+ },
+ "type": "Http",
+ "inputs": {
+ "authentication": {
+ "audience": "https://graph.microsoft.com",
+ "clientId": "@parameters('Client ID')",
+ "secret": "@parameters('AD Application Secret')",
+ "tenant": "@parameters('Tenant ID')",
+ "type": "ActiveDirectoryOAuth"
+ },
+ "body": {
+ "action": "alert",
+ "additionalInformation": "@{items('For_Each_Indicator_(Threat)')?['extended']?['notes']}",
+ "confidence": "@items('For_Each_Indicator_(Threat)')?['confidence']",
+ "description": "Infoblox - @{items('For_Each_Indicator_(Threat)')?['type']} - @{items('For_Each_Indicator_(Threat)')?['class']}",
+ "emailSenderAddress": "@{items('For_Each_Indicator_(Threat)')?['email']}",
+ "emailSourceDomain": "@{items('For_Each_Indicator_(Threat)')?['domain']}",
+ "expirationDateTime": "@items('For_Each_Indicator_(Threat)')?['expiration']",
+ "externalId": "@{items('For_Each_Indicator_(Threat)')?['id']}",
+ "indicatorProvider": "Infoblox TIDE",
+ "lastReportedDateTime": "@items('For_Each_Indicator_(Threat)')?['imported']",
+ "tags": [
+ "@{items('For_Each_Indicator_(Threat)')?['type']}",
+ "Imported: @{items('For_Each_Indicator_(Threat)')?['imported']}",
+ "Profile: @{items('For_Each_Indicator_(Threat)')?['profile']}",
+ "Property: @{items('For_Each_Indicator_(Threat)')?['property']}",
+ "Threat Level: @{items('For_Each_Indicator_(Threat)')?['threat_level']}"
+ ],
+ "targetProduct": "Azure Sentinel",
+ "threatType": "WatchList",
+ "tlpLevel": "white"
+ },
+ "method": "POST",
+ "uri": "https://graph.microsoft.com/beta/security/tiIndicators"
+ }
+ }
+ }
+ },
+ "HASH": {
+ "case": "HASH",
+ "actions": {
+ "Send_Hashes_to_Sentinel": {
+ "runAfter": {
+ },
+ "type": "Http",
+ "inputs": {
+ "authentication": {
+ "audience": "https://graph.microsoft.com",
+ "clientId": "@parameters('Client ID')",
+ "secret": "@parameters('AD Application Secret')",
+ "tenant": "@parameters('Tenant ID')",
+ "type": "ActiveDirectoryOAuth"
+ },
+ "body": {
+ "action": "alert",
+ "additionalInformation": "@{items('For_Each_Indicator_(Threat)')?['extended']?['notes']}",
+ "confidence": "@items('For_Each_Indicator_(Threat)')?['confidence']",
+ "description": "Infoblox - @{items('For_Each_Indicator_(Threat)')?['type']} - @{items('For_Each_Indicator_(Threat)')?['class']}",
+ "expirationDateTime": "@items('For_Each_Indicator_(Threat)')?['expiration']",
+ "externalId": "@{items('For_Each_Indicator_(Threat)')?['id']}",
+ "fileHashType": "@{items('For_Each_Indicator_(Threat)')?['hash_type']}",
+ "fileHashValue": "@{items('For_Each_Indicator_(Threat)')?['hash']}",
+ "indicatorProvider": "Infoblox TIDE",
+ "lastReportedDateTime": "@items('For_Each_Indicator_(Threat)')?['imported']",
+ "tags": [
+ "@{items('For_Each_Indicator_(Threat)')?['type']}",
+ "Imported: @{items('For_Each_Indicator_(Threat)')?['imported']}",
+ "Profile: @{items('For_Each_Indicator_(Threat)')?['profile']}",
+ "Property: @{items('For_Each_Indicator_(Threat)')?['property']}",
+ "Threat Level: @{items('For_Each_Indicator_(Threat)')?['threat_level']}",
+ "Hash Type: @{items('For_Each_Indicator_(Threat)')?['hash_type']}"
+ ],
+ "targetProduct": "Azure Sentinel",
+ "threatType": "WatchList",
+ "tlpLevel": "white"
+ },
+ "method": "POST",
+ "uri": "https://graph.microsoft.com/beta/security/tiIndicators"
+ }
+ }
+ }
+ },
+ "HOST": {
+ "case": "HOST",
+ "actions": {
+ "Send_Hosts_to_Sentinel": {
+ "runAfter": {
+ },
+ "type": "Http",
+ "inputs": {
+ "authentication": {
+ "audience": "https://graph.microsoft.com",
+ "clientId": "@parameters('Client ID')",
+ "secret": "@parameters('AD Application Secret')",
+ "tenant": "@parameters('Tenant ID')",
+ "type": "ActiveDirectoryOAuth"
+ },
+ "body": {
+ "action": "alert",
+ "additionalInformation": "@{items('For_Each_Indicator_(Threat)')?['extended']?['notes']}",
+ "confidence": "@items('For_Each_Indicator_(Threat)')?['confidence']",
+ "description": "Infoblox - @{items('For_Each_Indicator_(Threat)')?['type']} - @{items('For_Each_Indicator_(Threat)')?['class']}",
+ "domainName": "@{items('For_Each_Indicator_(Threat)')?['host']}",
+ "expirationDateTime": "@items('For_Each_Indicator_(Threat)')?['expiration']",
+ "externalId": "@{items('For_Each_Indicator_(Threat)')?['id']}",
+ "indicatorProvider": "Infoblox TIDE",
+ "lastReportedDateTime": "@items('For_Each_Indicator_(Threat)')?['imported']",
+ "tags": [
+ "@{items('For_Each_Indicator_(Threat)')?['type']}",
+ "Imported: @{items('For_Each_Indicator_(Threat)')?['imported']}",
+ "Profile: @{items('For_Each_Indicator_(Threat)')?['profile']}",
+ "Property: @{items('For_Each_Indicator_(Threat)')?['property']}",
+ "Threat Level: @{items('For_Each_Indicator_(Threat)')?['threat_level']}"
+ ],
+ "targetProduct": "Azure Sentinel",
+ "threatType": "WatchList",
+ "tlpLevel": "white"
+ },
+ "method": "POST",
+ "uri": "https://graph.microsoft.com/beta/security/tiIndicators"
+ }
+ }
+ }
+ },
+ "IP": {
+ "case": "IP",
+ "actions": {
+ "Send_IPs_to_Sentinel": {
+ "runAfter": {
+ },
+ "type": "Http",
+ "inputs": {
+ "authentication": {
+ "audience": "https://graph.microsoft.com",
+ "clientId": "@parameters('Client ID')",
+ "secret": "@parameters('AD Application Secret')",
+ "tenant": "@parameters('Tenant ID')",
+ "type": "ActiveDirectoryOAuth"
+ },
+ "body": {
+ "action": "alert",
+ "additionalInformation": "@{items('For_Each_Indicator_(Threat)')?['extended']?['notes']}",
+ "confidence": "@items('For_Each_Indicator_(Threat)')?['confidence']",
+ "description": "Infoblox - @{items('For_Each_Indicator_(Threat)')?['type']} - @{items('For_Each_Indicator_(Threat)')?['class']}",
+ "expirationDateTime": "@items('For_Each_Indicator_(Threat)')?['expiration']",
+ "externalId": "@{items('For_Each_Indicator_(Threat)')?['id']}",
+ "indicatorProvider": "Infoblox TIDE",
+ "lastReportedDateTime": "@items('For_Each_Indicator_(Threat)')?['imported']",
+ "networkIPv4": "@{items('For_Each_Indicator_(Threat)')?['ip']}",
+ "tags": [
+ "@{items('For_Each_Indicator_(Threat)')?['type']}",
+ "Imported: @{items('For_Each_Indicator_(Threat)')?['imported']}",
+ "Profile: @{items('For_Each_Indicator_(Threat)')?['profile']}",
+ "Property: @{items('For_Each_Indicator_(Threat)')?['property']}",
+ "Threat Level: @{items('For_Each_Indicator_(Threat)')?['threat_level']}"
+ ],
+ "targetProduct": "Azure Sentinel",
+ "threatType": "WatchList",
+ "tlpLevel": "white"
+ },
+ "method": "POST",
+ "uri": "https://graph.microsoft.com/beta/security/tiIndicators"
+ }
+ }
+ }
+ },
+ "URL": {
+ "case": "URL",
+ "actions": {
+ "Send_URLs_to_Sentinel": {
+ "runAfter": {
+ },
+ "type": "Http",
+ "inputs": {
+ "authentication": {
+ "audience": "https://graph.microsoft.com",
+ "clientId": "@parameters('Client ID')",
+ "secret": "@parameters('AD Application Secret')",
+ "tenant": "@parameters('Tenant ID')",
+ "type": "ActiveDirectoryOAuth"
+ },
+ "body": {
+ "action": "alert",
+ "additionalInformation": "@{items('For_Each_Indicator_(Threat)')?['extended']?['notes']}",
+ "confidence": "@items('For_Each_Indicator_(Threat)')?['confidence']",
+ "description": "Infoblox - @{items('For_Each_Indicator_(Threat)')?['type']} - @{items('For_Each_Indicator_(Threat)')?['class']}",
+ "expirationDateTime": "@items('For_Each_Indicator_(Threat)')?['expiration']",
+ "externalId": "@{items('For_Each_Indicator_(Threat)')?['id']}",
+ "indicatorProvider": "Infoblox TIDE",
+ "lastReportedDateTime": "@items('For_Each_Indicator_(Threat)')?['imported']",
+ "tags": [
+ "@{items('For_Each_Indicator_(Threat)')?['type']}",
+ "Imported: @{items('For_Each_Indicator_(Threat)')?['imported']}",
+ "Profile: @{items('For_Each_Indicator_(Threat)')?['profile']}",
+ "Property: @{items('For_Each_Indicator_(Threat)')?['property']}",
+ "Threat Level: @{items('For_Each_Indicator_(Threat)')?['threat_level']}"
+ ],
+ "targetProduct": "Azure Sentinel",
+ "threatType": "WatchList",
+ "tlpLevel": "white",
+ "url": "@{items('For_Each_Indicator_(Threat)')?['url']}"
+ },
+ "method": "POST",
+ "uri": "https://graph.microsoft.com/beta/security/tiIndicators"
+ }
+ }
+ }
+ }
+ },
+ "default": {
+ "actions": {
+ }
+ },
+ "expression": "@items('For_Each_Indicator_(Threat)')?['type']",
+ "type": "Switch"
+ }
+ },
+ "runAfter": {
+ "Parse_JSON": [
+ "Succeeded"
+ ]
+ },
+ "type": "Foreach"
+ },
+ "Get_TIDE_Data": {
+ "runAfter": {
+ },
+ "type": "Http",
+ "inputs": {
+ "headers": {
+ "Authorization": "Token @{parameters('TIDE API Key')}"
+ },
+ "method": "GET",
+ "queries": {
+ "class": "MalwareC2DGA",
+ "fields": "notes,confidence,type,class,host,expiration,id,imported,type,profile,property,threat_level,extended,email,domain,hash,hash_type,ip,url",
+ "rlimit": "90000"
+ },
+ "uri": "https://csp.infoblox.com/tide/api/data/threats/host/daily"
+ }
+ },
+ "Parse_JSON": {
+ "runAfter": {
+ "Get_TIDE_Data": [
+ "Succeeded"
+ ]
+ },
+ "type": "ParseJson",
+ "inputs": {
+ "content": "@body('Get_TIDE_Data')",
+ "schema": {
+ "properties": {
+ "record_count": {
+ "type": "integer"
+ },
+ "threat": {
+ "items": {
+ "properties": {
+ "batch_id": {
+ "type": "string"
+ },
+ "class": {
+ "type": "string"
+ },
+ "confidence": {
+ "type": "integer"
+ },
+ "confidence_score": {
+ "type": "number"
+ },
+ "confidence_score_rating": {
+ "type": "string"
+ },
+ "confidence_score_vector": {
+ "type": "string"
+ },
+ "detected": {
+ "type": "string"
+ },
+ "dga": {
+ },
+ "domain": {
+ "type": "string"
+ },
+ "email": {
+ "type": "string"
+ },
+ "expiration": {
+ "type": "string"
+ },
+ "extended": {
+ "properties": {
+ "ais_consent": {
+ "type": "string"
+ },
+ "cyberint_guid": {
+ "type": "string"
+ },
+ "no_whitelist": {
+ "type": "string"
+ },
+ "notes": {
+ "type": "string"
+ },
+ "protocol": {
+ "type": "string"
+ },
+ "url_hash": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "hash": {
+ "type": "string"
+ },
+ "hash_type": {
+ "type": "string"
+ },
+ "host": {
+ "type": "string"
+ },
+ "id": {
+ "type": "string"
+ },
+ "imported": {
+ "type": "string"
+ },
+ "ip": {
+ "type": "string"
+ },
+ "profile": {
+ "type": "string"
+ },
+ "property": {
+ "type": "string"
+ },
+ "received": {
+ "type": "string"
+ },
+ "risk_score": {
+ "type": "number"
+ },
+ "risk_score_rating": {
+ "type": "string"
+ },
+ "risk_score_vector": {
+ "type": "string"
+ },
+ "threat_level": {
+ "type": "integer"
+ },
+ "threat_score": {
+ "type": "number"
+ },
+ "threat_score_rating": {
+ "type": "string"
+ },
+ "threat_score_vector": {
+ "type": "string"
+ },
+ "tld": {
+ "type": "string"
+ },
+ "type": {
+ "type": "string"
+ },
+ "up": {
+ },
+ "url": {
+ "type": "string"
+ }
+ },
+ "required": [
+ "id"
+ ],
+ "type": "object"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ }
+ }
+ }
+ },
+ "outputs": {
+ }
+ },
+ "parameters": {
+ }
+ },
+ "name": "[parameters('PlaybookName')]",
+ "type": "Microsoft.Logic/workflows",
+ "location": "[resourceGroup().location]",
+ "tags": {
+ "hidden-SentinelTemplateName": "Infoblox-Import-Hosts-Daily-MalwareC2DGA",
+ "hidden-SentinelTemplateVersion": "1.0"
+ },
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "apiVersion": "2017-07-01",
+ "dependsOn": [
+ ]
+ }
+ ]
+}
diff --git a/Solutions/Infoblox Cloud Data Connector/Playbooks/Infoblox-Import-Hosts-Daily-Phishing/azuredeploy.json b/Solutions/Infoblox Cloud Data Connector/Playbooks/Infoblox-Import-Hosts-Daily-Phishing/azuredeploy.json
new file mode 100644
index 00000000000..ab9df4794cf
--- /dev/null
+++ b/Solutions/Infoblox Cloud Data Connector/Playbooks/Infoblox-Import-Hosts-Daily-Phishing/azuredeploy.json
@@ -0,0 +1,517 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "title": "Infoblox Import Hosts Daily Phishing",
+ "description": "Leverages the Infoblox TIDE API to automatically import threat indicators into the ThreatIntelligenceIndicator table. This playbook imports newly detected Phishing domains on a scheduled daily basis.",
+ "prerequisites": [
+ "1. Infoblox TIDE API key."
+ ],
+ "postDeployment": [
+ ],
+ "prerequisitesDeployTemplateFile": "",
+ "lastUpdateTime": "",
+ "entities": [
+ ],
+ "tags": [
+ ],
+ "support": {
+ "tier": "community",
+ "armtemplate": "Generated from https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Playbook-ARM-Template-Generator"
+ },
+ "author": {
+ "name": "Infoblox"
+ }
+ },
+ "parameters": {
+ "PlaybookName": {
+ "defaultValue": "Infoblox-Import-Hosts-Daily-Phishing",
+ "type": "string"
+ },
+ "AD Application Secret": {
+ "type": "string",
+ "metadata": {
+ "description": "Enter value for AD Application Secret"
+ }
+ },
+ "Client ID": {
+ "type": "string",
+ "metadata": {
+ "description": "Enter value for Client ID"
+ }
+ },
+ "TIDE API Key": {
+ "type": "string",
+ "metadata": {
+ "description": "Enter value for TIDE API Key"
+ }
+ },
+ "Tenant ID": {
+ "type": "string",
+ "metadata": {
+ "description": "Enter value for Tenant ID"
+ }
+ }
+ },
+ "variables": {
+ },
+ "resources": [
+ {
+ "properties": {
+ "provisioningState": "Succeeded",
+ "state": "Disabled",
+ "definition": {
+ "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "AD Application Secret": {
+ "defaultValue": "[parameters('AD Application Secret')]",
+ "type": "string"
+ },
+ "Client ID": {
+ "defaultValue": "[parameters('Client ID')]",
+ "type": "string"
+ },
+ "TIDE API Key": {
+ "defaultValue": "[parameters('TIDE API Key')]",
+ "type": "string"
+ },
+ "Tenant ID": {
+ "defaultValue": "[parameters('Tenant ID')]",
+ "type": "string"
+ }
+ },
+ "triggers": {
+ "Recurrence": {
+ "recurrence": {
+ "frequency": "Day",
+ "interval": 1
+ },
+ "evaluatedRecurrence": {
+ "frequency": "Day",
+ "interval": 1
+ },
+ "type": "Recurrence"
+ }
+ },
+ "actions": {
+ "For_Each_Indicator_(Threat)": {
+ "foreach": "@body('Parse_JSON')?['threat']",
+ "actions": {
+ "Switch": {
+ "runAfter": {
+ },
+ "cases": {
+ "EMAIL": {
+ "case": "EMAIL",
+ "actions": {
+ "Send_Emails_to_Sentinel": {
+ "runAfter": {
+ },
+ "type": "Http",
+ "inputs": {
+ "authentication": {
+ "audience": "https://graph.microsoft.com",
+ "clientId": "@parameters('Client ID')",
+ "secret": "@parameters('AD Application Secret')",
+ "tenant": "@parameters('Tenant ID')",
+ "type": "ActiveDirectoryOAuth"
+ },
+ "body": {
+ "action": "alert",
+ "additionalInformation": "@{items('For_Each_Indicator_(Threat)')?['extended']?['notes']}",
+ "confidence": "@items('For_Each_Indicator_(Threat)')?['confidence']",
+ "description": "Infoblox - @{items('For_Each_Indicator_(Threat)')?['type']} - @{items('For_Each_Indicator_(Threat)')?['class']}",
+ "emailSenderAddress": "@{items('For_Each_Indicator_(Threat)')?['email']}",
+ "emailSourceDomain": "@{items('For_Each_Indicator_(Threat)')?['domain']}",
+ "expirationDateTime": "@items('For_Each_Indicator_(Threat)')?['expiration']",
+ "externalId": "@{items('For_Each_Indicator_(Threat)')?['id']}",
+ "indicatorProvider": "Infoblox TIDE",
+ "lastReportedDateTime": "@items('For_Each_Indicator_(Threat)')?['imported']",
+ "tags": [
+ "@{items('For_Each_Indicator_(Threat)')?['type']}",
+ "Imported: @{items('For_Each_Indicator_(Threat)')?['imported']}",
+ "Profile: @{items('For_Each_Indicator_(Threat)')?['profile']}",
+ "Property: @{items('For_Each_Indicator_(Threat)')?['property']}",
+ "Threat Level: @{items('For_Each_Indicator_(Threat)')?['threat_level']}"
+ ],
+ "targetProduct": "Azure Sentinel",
+ "threatType": "WatchList",
+ "tlpLevel": "white"
+ },
+ "method": "POST",
+ "uri": "https://graph.microsoft.com/beta/security/tiIndicators"
+ }
+ }
+ }
+ },
+ "HASH": {
+ "case": "HASH",
+ "actions": {
+ "Send_Hashes_to_Sentinel": {
+ "runAfter": {
+ },
+ "type": "Http",
+ "inputs": {
+ "authentication": {
+ "audience": "https://graph.microsoft.com",
+ "clientId": "@parameters('Client ID')",
+ "secret": "@parameters('AD Application Secret')",
+ "tenant": "@parameters('Tenant ID')",
+ "type": "ActiveDirectoryOAuth"
+ },
+ "body": {
+ "action": "alert",
+ "additionalInformation": "@{items('For_Each_Indicator_(Threat)')?['extended']?['notes']}",
+ "confidence": "@items('For_Each_Indicator_(Threat)')?['confidence']",
+ "description": "Infoblox - @{items('For_Each_Indicator_(Threat)')?['type']} - @{items('For_Each_Indicator_(Threat)')?['class']}",
+ "expirationDateTime": "@items('For_Each_Indicator_(Threat)')?['expiration']",
+ "externalId": "@{items('For_Each_Indicator_(Threat)')?['id']}",
+ "fileHashType": "@{items('For_Each_Indicator_(Threat)')?['hash_type']}",
+ "fileHashValue": "@{items('For_Each_Indicator_(Threat)')?['hash']}",
+ "indicatorProvider": "Infoblox TIDE",
+ "lastReportedDateTime": "@items('For_Each_Indicator_(Threat)')?['imported']",
+ "tags": [
+ "@{items('For_Each_Indicator_(Threat)')?['type']}",
+ "Imported: @{items('For_Each_Indicator_(Threat)')?['imported']}",
+ "Profile: @{items('For_Each_Indicator_(Threat)')?['profile']}",
+ "Property: @{items('For_Each_Indicator_(Threat)')?['property']}",
+ "Threat Level: @{items('For_Each_Indicator_(Threat)')?['threat_level']}",
+ "Hash Type: @{items('For_Each_Indicator_(Threat)')?['hash_type']}"
+ ],
+ "targetProduct": "Azure Sentinel",
+ "threatType": "WatchList",
+ "tlpLevel": "white"
+ },
+ "method": "POST",
+ "uri": "https://graph.microsoft.com/beta/security/tiIndicators"
+ }
+ }
+ }
+ },
+ "HOST": {
+ "case": "HOST",
+ "actions": {
+ "Send_Hosts_to_Sentinel": {
+ "runAfter": {
+ },
+ "type": "Http",
+ "inputs": {
+ "authentication": {
+ "audience": "https://graph.microsoft.com",
+ "clientId": "@parameters('Client ID')",
+ "secret": "@parameters('AD Application Secret')",
+ "tenant": "@parameters('Tenant ID')",
+ "type": "ActiveDirectoryOAuth"
+ },
+ "body": {
+ "action": "alert",
+ "additionalInformation": "@{items('For_Each_Indicator_(Threat)')?['extended']?['notes']}",
+ "confidence": "@items('For_Each_Indicator_(Threat)')?['confidence']",
+ "description": "Infoblox - @{items('For_Each_Indicator_(Threat)')?['type']} - @{items('For_Each_Indicator_(Threat)')?['class']}",
+ "domainName": "@{items('For_Each_Indicator_(Threat)')?['host']}",
+ "expirationDateTime": "@items('For_Each_Indicator_(Threat)')?['expiration']",
+ "externalId": "@{items('For_Each_Indicator_(Threat)')?['id']}",
+ "indicatorProvider": "Infoblox TIDE",
+ "lastReportedDateTime": "@items('For_Each_Indicator_(Threat)')?['imported']",
+ "tags": [
+ "@{items('For_Each_Indicator_(Threat)')?['type']}",
+ "Imported: @{items('For_Each_Indicator_(Threat)')?['imported']}",
+ "Profile: @{items('For_Each_Indicator_(Threat)')?['profile']}",
+ "Property: @{items('For_Each_Indicator_(Threat)')?['property']}",
+ "Threat Level: @{items('For_Each_Indicator_(Threat)')?['threat_level']}"
+ ],
+ "targetProduct": "Azure Sentinel",
+ "threatType": "WatchList",
+ "tlpLevel": "white"
+ },
+ "method": "POST",
+ "uri": "https://graph.microsoft.com/beta/security/tiIndicators"
+ }
+ }
+ }
+ },
+ "IP": {
+ "case": "IP",
+ "actions": {
+ "Send_IPs_to_Sentinel": {
+ "runAfter": {
+ },
+ "type": "Http",
+ "inputs": {
+ "authentication": {
+ "audience": "https://graph.microsoft.com",
+ "clientId": "@parameters('Client ID')",
+ "secret": "@parameters('AD Application Secret')",
+ "tenant": "@parameters('Tenant ID')",
+ "type": "ActiveDirectoryOAuth"
+ },
+ "body": {
+ "action": "alert",
+ "additionalInformation": "@{items('For_Each_Indicator_(Threat)')?['extended']?['notes']}",
+ "confidence": "@items('For_Each_Indicator_(Threat)')?['confidence']",
+ "description": "Infoblox - @{items('For_Each_Indicator_(Threat)')?['type']} - @{items('For_Each_Indicator_(Threat)')?['class']}",
+ "expirationDateTime": "@items('For_Each_Indicator_(Threat)')?['expiration']",
+ "externalId": "@{items('For_Each_Indicator_(Threat)')?['id']}",
+ "indicatorProvider": "Infoblox TIDE",
+ "lastReportedDateTime": "@items('For_Each_Indicator_(Threat)')?['imported']",
+ "networkIPv4": "@{items('For_Each_Indicator_(Threat)')?['ip']}",
+ "tags": [
+ "@{items('For_Each_Indicator_(Threat)')?['type']}",
+ "Imported: @{items('For_Each_Indicator_(Threat)')?['imported']}",
+ "Profile: @{items('For_Each_Indicator_(Threat)')?['profile']}",
+ "Property: @{items('For_Each_Indicator_(Threat)')?['property']}",
+ "Threat Level: @{items('For_Each_Indicator_(Threat)')?['threat_level']}"
+ ],
+ "targetProduct": "Azure Sentinel",
+ "threatType": "WatchList",
+ "tlpLevel": "white"
+ },
+ "method": "POST",
+ "uri": "https://graph.microsoft.com/beta/security/tiIndicators"
+ }
+ }
+ }
+ },
+ "URL": {
+ "case": "URL",
+ "actions": {
+ "Send_URLs_to_Sentinel": {
+ "runAfter": {
+ },
+ "type": "Http",
+ "inputs": {
+ "authentication": {
+ "audience": "https://graph.microsoft.com",
+ "clientId": "@parameters('Client ID')",
+ "secret": "@parameters('AD Application Secret')",
+ "tenant": "@parameters('Tenant ID')",
+ "type": "ActiveDirectoryOAuth"
+ },
+ "body": {
+ "action": "alert",
+ "additionalInformation": "@{items('For_Each_Indicator_(Threat)')?['extended']?['notes']}",
+ "confidence": "@items('For_Each_Indicator_(Threat)')?['confidence']",
+ "description": "Infoblox - @{items('For_Each_Indicator_(Threat)')?['type']} - @{items('For_Each_Indicator_(Threat)')?['class']}",
+ "expirationDateTime": "@items('For_Each_Indicator_(Threat)')?['expiration']",
+ "externalId": "@{items('For_Each_Indicator_(Threat)')?['id']}",
+ "indicatorProvider": "Infoblox TIDE",
+ "lastReportedDateTime": "@items('For_Each_Indicator_(Threat)')?['imported']",
+ "tags": [
+ "@{items('For_Each_Indicator_(Threat)')?['type']}",
+ "Imported: @{items('For_Each_Indicator_(Threat)')?['imported']}",
+ "Profile: @{items('For_Each_Indicator_(Threat)')?['profile']}",
+ "Property: @{items('For_Each_Indicator_(Threat)')?['property']}",
+ "Threat Level: @{items('For_Each_Indicator_(Threat)')?['threat_level']}"
+ ],
+ "targetProduct": "Azure Sentinel",
+ "threatType": "WatchList",
+ "tlpLevel": "white",
+ "url": "@{items('For_Each_Indicator_(Threat)')?['url']}"
+ },
+ "method": "POST",
+ "uri": "https://graph.microsoft.com/beta/security/tiIndicators"
+ }
+ }
+ }
+ }
+ },
+ "default": {
+ "actions": {
+ }
+ },
+ "expression": "@items('For_Each_Indicator_(Threat)')?['type']",
+ "type": "Switch"
+ }
+ },
+ "runAfter": {
+ "Parse_JSON": [
+ "Succeeded"
+ ]
+ },
+ "type": "Foreach"
+ },
+ "Get_TIDE_Data": {
+ "runAfter": {
+ },
+ "type": "Http",
+ "inputs": {
+ "headers": {
+ "Authorization": "Token @{parameters('TIDE API Key')}"
+ },
+ "method": "GET",
+ "queries": {
+ "class": "Phishing",
+ "fields": "notes,confidence,type,class,host,expiration,id,imported,type,profile,property,threat_level,extended,email,domain,hash,hash_type,ip,url",
+ "rlimit": "90000"
+ },
+ "uri": "https://csp.infoblox.com/tide/api/data/threats/host/daily"
+ }
+ },
+ "Parse_JSON": {
+ "runAfter": {
+ "Get_TIDE_Data": [
+ "Succeeded"
+ ]
+ },
+ "type": "ParseJson",
+ "inputs": {
+ "content": "@body('Get_TIDE_Data')",
+ "schema": {
+ "properties": {
+ "record_count": {
+ "type": "integer"
+ },
+ "threat": {
+ "items": {
+ "properties": {
+ "batch_id": {
+ "type": "string"
+ },
+ "class": {
+ "type": "string"
+ },
+ "confidence": {
+ "type": "integer"
+ },
+ "confidence_score": {
+ "type": "number"
+ },
+ "confidence_score_rating": {
+ "type": "string"
+ },
+ "confidence_score_vector": {
+ "type": "string"
+ },
+ "detected": {
+ "type": "string"
+ },
+ "dga": {
+ },
+ "domain": {
+ "type": "string"
+ },
+ "email": {
+ "type": "string"
+ },
+ "expiration": {
+ "type": "string"
+ },
+ "extended": {
+ "properties": {
+ "ais_consent": {
+ "type": "string"
+ },
+ "cyberint_guid": {
+ "type": "string"
+ },
+ "no_whitelist": {
+ "type": "string"
+ },
+ "notes": {
+ "type": "string"
+ },
+ "protocol": {
+ "type": "string"
+ },
+ "url_hash": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "hash": {
+ "type": "string"
+ },
+ "hash_type": {
+ "type": "string"
+ },
+ "host": {
+ "type": "string"
+ },
+ "id": {
+ "type": "string"
+ },
+ "imported": {
+ "type": "string"
+ },
+ "ip": {
+ "type": "string"
+ },
+ "profile": {
+ "type": "string"
+ },
+ "property": {
+ "type": "string"
+ },
+ "received": {
+ "type": "string"
+ },
+ "risk_score": {
+ "type": "number"
+ },
+ "risk_score_rating": {
+ "type": "string"
+ },
+ "risk_score_vector": {
+ "type": "string"
+ },
+ "threat_level": {
+ "type": "integer"
+ },
+ "threat_score": {
+ "type": "number"
+ },
+ "threat_score_rating": {
+ "type": "string"
+ },
+ "threat_score_vector": {
+ "type": "string"
+ },
+ "tld": {
+ "type": "string"
+ },
+ "type": {
+ "type": "string"
+ },
+ "up": {
+ },
+ "url": {
+ "type": "string"
+ }
+ },
+ "required": [
+ "id"
+ ],
+ "type": "object"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ }
+ }
+ }
+ },
+ "outputs": {
+ }
+ },
+ "parameters": {
+ }
+ },
+ "name": "[parameters('PlaybookName')]",
+ "type": "Microsoft.Logic/workflows",
+ "location": "[resourceGroup().location]",
+ "tags": {
+ "hidden-SentinelTemplateName": "Infoblox-Import-Hosts-Daily-Phishing",
+ "hidden-SentinelTemplateVersion": "1.0"
+ },
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "apiVersion": "2017-07-01",
+ "dependsOn": [
+ ]
+ }
+ ]
+}
diff --git a/Solutions/Infoblox Cloud Data Connector/Playbooks/Infoblox-Import-Hosts-Hourly/azuredeploy.json b/Solutions/Infoblox Cloud Data Connector/Playbooks/Infoblox-Import-Hosts-Hourly/azuredeploy.json
new file mode 100644
index 00000000000..5ec011b3a7d
--- /dev/null
+++ b/Solutions/Infoblox Cloud Data Connector/Playbooks/Infoblox-Import-Hosts-Hourly/azuredeploy.json
@@ -0,0 +1,516 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "title": "Infoblox Import Hosts Hourly",
+ "description": "Leverages the Infoblox TIDE API to automatically import threat indicators into the ThreatIntelligenceIndicator table. This playbook imports all newly detected hosts on a scheduled hourly basis.",
+ "prerequisites": [
+ "1. Infoblox TIDE API key."
+ ],
+ "postDeployment": [
+ ],
+ "prerequisitesDeployTemplateFile": "",
+ "lastUpdateTime": "",
+ "entities": [
+ ],
+ "tags": [
+ ],
+ "support": {
+ "tier": "community",
+ "armtemplate": "Generated from https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Playbook-ARM-Template-Generator"
+ },
+ "author": {
+ "name": "Infoblox"
+ }
+ },
+ "parameters": {
+ "PlaybookName": {
+ "defaultValue": "Infoblox-Import-Hosts-Hourly",
+ "type": "string"
+ },
+ "AD Application Secret": {
+ "type": "string",
+ "metadata": {
+ "description": "Enter value for AD Application Secret"
+ }
+ },
+ "Client ID": {
+ "type": "string",
+ "metadata": {
+ "description": "Enter value for Client ID"
+ }
+ },
+ "TIDE API Key": {
+ "type": "string",
+ "metadata": {
+ "description": "Enter value for TIDE API Key"
+ }
+ },
+ "Tenant ID": {
+ "type": "string",
+ "metadata": {
+ "description": "Enter value for Tenant ID"
+ }
+ }
+ },
+ "variables": {
+ },
+ "resources": [
+ {
+ "properties": {
+ "provisioningState": "Succeeded",
+ "state": "Disabled",
+ "definition": {
+ "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "AD Application Secret": {
+ "defaultValue": "[parameters('AD Application Secret')]",
+ "type": "string"
+ },
+ "Client ID": {
+ "defaultValue": "[parameters('Client ID')]",
+ "type": "string"
+ },
+ "TIDE API Key": {
+ "defaultValue": "[parameters('TIDE API Key')]",
+ "type": "string"
+ },
+ "Tenant ID": {
+ "defaultValue": "[parameters('Tenant ID')]",
+ "type": "string"
+ }
+ },
+ "triggers": {
+ "Recurrence": {
+ "recurrence": {
+ "frequency": "Hour",
+ "interval": 1
+ },
+ "evaluatedRecurrence": {
+ "frequency": "Hour",
+ "interval": 1
+ },
+ "type": "Recurrence"
+ }
+ },
+ "actions": {
+ "For_Each_Indicator_(Threat)": {
+ "foreach": "@body('Parse_JSON')?['threat']",
+ "actions": {
+ "Switch": {
+ "runAfter": {
+ },
+ "cases": {
+ "EMAIL": {
+ "case": "EMAIL",
+ "actions": {
+ "Send_Emails_to_Sentinel": {
+ "runAfter": {
+ },
+ "type": "Http",
+ "inputs": {
+ "authentication": {
+ "audience": "https://graph.microsoft.com",
+ "clientId": "@parameters('Client ID')",
+ "secret": "@parameters('AD Application Secret')",
+ "tenant": "@parameters('Tenant ID')",
+ "type": "ActiveDirectoryOAuth"
+ },
+ "body": {
+ "action": "alert",
+ "additionalInformation": "@{items('For_Each_Indicator_(Threat)')?['extended']?['notes']}",
+ "confidence": "@items('For_Each_Indicator_(Threat)')?['confidence']",
+ "description": "Infoblox - @{items('For_Each_Indicator_(Threat)')?['type']} - @{items('For_Each_Indicator_(Threat)')?['class']}",
+ "emailSenderAddress": "@{items('For_Each_Indicator_(Threat)')?['email']}",
+ "emailSourceDomain": "@{items('For_Each_Indicator_(Threat)')?['domain']}",
+ "expirationDateTime": "@items('For_Each_Indicator_(Threat)')?['expiration']",
+ "externalId": "@{items('For_Each_Indicator_(Threat)')?['id']}",
+ "indicatorProvider": "Infoblox TIDE",
+ "lastReportedDateTime": "@items('For_Each_Indicator_(Threat)')?['imported']",
+ "tags": [
+ "@{items('For_Each_Indicator_(Threat)')?['type']}",
+ "Imported: @{items('For_Each_Indicator_(Threat)')?['imported']}",
+ "Profile: @{items('For_Each_Indicator_(Threat)')?['profile']}",
+ "Property: @{items('For_Each_Indicator_(Threat)')?['property']}",
+ "Threat Level: @{items('For_Each_Indicator_(Threat)')?['threat_level']}"
+ ],
+ "targetProduct": "Azure Sentinel",
+ "threatType": "WatchList",
+ "tlpLevel": "white"
+ },
+ "method": "POST",
+ "uri": "https://graph.microsoft.com/beta/security/tiIndicators"
+ }
+ }
+ }
+ },
+ "HASH": {
+ "case": "HASH",
+ "actions": {
+ "Send_Hashes_to_Sentinel": {
+ "runAfter": {
+ },
+ "type": "Http",
+ "inputs": {
+ "authentication": {
+ "audience": "https://graph.microsoft.com",
+ "clientId": "@parameters('Client ID')",
+ "secret": "@parameters('AD Application Secret')",
+ "tenant": "@parameters('Tenant ID')",
+ "type": "ActiveDirectoryOAuth"
+ },
+ "body": {
+ "action": "alert",
+ "additionalInformation": "@{items('For_Each_Indicator_(Threat)')?['extended']?['notes']}",
+ "confidence": "@items('For_Each_Indicator_(Threat)')?['confidence']",
+ "description": "Infoblox - @{items('For_Each_Indicator_(Threat)')?['type']} - @{items('For_Each_Indicator_(Threat)')?['class']}",
+ "expirationDateTime": "@items('For_Each_Indicator_(Threat)')?['expiration']",
+ "externalId": "@{items('For_Each_Indicator_(Threat)')?['id']}",
+ "fileHashType": "@{items('For_Each_Indicator_(Threat)')?['hash_type']}",
+ "fileHashValue": "@{items('For_Each_Indicator_(Threat)')?['hash']}",
+ "indicatorProvider": "Infoblox TIDE",
+ "lastReportedDateTime": "@items('For_Each_Indicator_(Threat)')?['imported']",
+ "tags": [
+ "@{items('For_Each_Indicator_(Threat)')?['type']}",
+ "Imported: @{items('For_Each_Indicator_(Threat)')?['imported']}",
+ "Profile: @{items('For_Each_Indicator_(Threat)')?['profile']}",
+ "Property: @{items('For_Each_Indicator_(Threat)')?['property']}",
+ "Threat Level: @{items('For_Each_Indicator_(Threat)')?['threat_level']}",
+ "Hash Type: @{items('For_Each_Indicator_(Threat)')?['hash_type']}"
+ ],
+ "targetProduct": "Azure Sentinel",
+ "threatType": "WatchList",
+ "tlpLevel": "white"
+ },
+ "method": "POST",
+ "uri": "https://graph.microsoft.com/beta/security/tiIndicators"
+ }
+ }
+ }
+ },
+ "HOST": {
+ "case": "HOST",
+ "actions": {
+ "Send_Hosts_to_Sentinel": {
+ "runAfter": {
+ },
+ "type": "Http",
+ "inputs": {
+ "authentication": {
+ "audience": "https://graph.microsoft.com",
+ "clientId": "@parameters('Client ID')",
+ "secret": "@parameters('AD Application Secret')",
+ "tenant": "@parameters('Tenant ID')",
+ "type": "ActiveDirectoryOAuth"
+ },
+ "body": {
+ "action": "alert",
+ "additionalInformation": "@{items('For_Each_Indicator_(Threat)')?['extended']?['notes']}",
+ "confidence": "@items('For_Each_Indicator_(Threat)')?['confidence']",
+ "description": "Infoblox - @{items('For_Each_Indicator_(Threat)')?['type']} - @{items('For_Each_Indicator_(Threat)')?['class']}",
+ "domainName": "@{items('For_Each_Indicator_(Threat)')?['host']}",
+ "expirationDateTime": "@items('For_Each_Indicator_(Threat)')?['expiration']",
+ "externalId": "@{items('For_Each_Indicator_(Threat)')?['id']}",
+ "indicatorProvider": "Infoblox TIDE",
+ "lastReportedDateTime": "@items('For_Each_Indicator_(Threat)')?['imported']",
+ "tags": [
+ "@{items('For_Each_Indicator_(Threat)')?['type']}",
+ "Imported: @{items('For_Each_Indicator_(Threat)')?['imported']}",
+ "Profile: @{items('For_Each_Indicator_(Threat)')?['profile']}",
+ "Property: @{items('For_Each_Indicator_(Threat)')?['property']}",
+ "Threat Level: @{items('For_Each_Indicator_(Threat)')?['threat_level']}"
+ ],
+ "targetProduct": "Azure Sentinel",
+ "threatType": "WatchList",
+ "tlpLevel": "white"
+ },
+ "method": "POST",
+ "uri": "https://graph.microsoft.com/beta/security/tiIndicators"
+ }
+ }
+ }
+ },
+ "IP": {
+ "case": "IP",
+ "actions": {
+ "Send_IPs_to_Sentinel": {
+ "runAfter": {
+ },
+ "type": "Http",
+ "inputs": {
+ "authentication": {
+ "audience": "https://graph.microsoft.com",
+ "clientId": "@parameters('Client ID')",
+ "secret": "@parameters('AD Application Secret')",
+ "tenant": "@parameters('Tenant ID')",
+ "type": "ActiveDirectoryOAuth"
+ },
+ "body": {
+ "action": "alert",
+ "additionalInformation": "@{items('For_Each_Indicator_(Threat)')?['extended']?['notes']}",
+ "confidence": "@items('For_Each_Indicator_(Threat)')?['confidence']",
+ "description": "Infoblox - @{items('For_Each_Indicator_(Threat)')?['type']} - @{items('For_Each_Indicator_(Threat)')?['class']}",
+ "expirationDateTime": "@items('For_Each_Indicator_(Threat)')?['expiration']",
+ "externalId": "@{items('For_Each_Indicator_(Threat)')?['id']}",
+ "indicatorProvider": "Infoblox TIDE",
+ "lastReportedDateTime": "@items('For_Each_Indicator_(Threat)')?['imported']",
+ "networkIPv4": "@{items('For_Each_Indicator_(Threat)')?['ip']}",
+ "tags": [
+ "@{items('For_Each_Indicator_(Threat)')?['type']}",
+ "Imported: @{items('For_Each_Indicator_(Threat)')?['imported']}",
+ "Profile: @{items('For_Each_Indicator_(Threat)')?['profile']}",
+ "Property: @{items('For_Each_Indicator_(Threat)')?['property']}",
+ "Threat Level: @{items('For_Each_Indicator_(Threat)')?['threat_level']}"
+ ],
+ "targetProduct": "Azure Sentinel",
+ "threatType": "WatchList",
+ "tlpLevel": "white"
+ },
+ "method": "POST",
+ "uri": "https://graph.microsoft.com/beta/security/tiIndicators"
+ }
+ }
+ }
+ },
+ "URL": {
+ "case": "URL",
+ "actions": {
+ "Send_URLs_to_Sentinel": {
+ "runAfter": {
+ },
+ "type": "Http",
+ "inputs": {
+ "authentication": {
+ "audience": "https://graph.microsoft.com",
+ "clientId": "@parameters('Client ID')",
+ "secret": "@parameters('AD Application Secret')",
+ "tenant": "@parameters('Tenant ID')",
+ "type": "ActiveDirectoryOAuth"
+ },
+ "body": {
+ "action": "alert",
+ "additionalInformation": "@{items('For_Each_Indicator_(Threat)')?['extended']?['notes']}",
+ "confidence": "@items('For_Each_Indicator_(Threat)')?['confidence']",
+ "description": "Infoblox - @{items('For_Each_Indicator_(Threat)')?['type']} - @{items('For_Each_Indicator_(Threat)')?['class']}",
+ "expirationDateTime": "@items('For_Each_Indicator_(Threat)')?['expiration']",
+ "externalId": "@{items('For_Each_Indicator_(Threat)')?['id']}",
+ "indicatorProvider": "Infoblox TIDE",
+ "lastReportedDateTime": "@items('For_Each_Indicator_(Threat)')?['imported']",
+ "tags": [
+ "@{items('For_Each_Indicator_(Threat)')?['type']}",
+ "Imported: @{items('For_Each_Indicator_(Threat)')?['imported']}",
+ "Profile: @{items('For_Each_Indicator_(Threat)')?['profile']}",
+ "Property: @{items('For_Each_Indicator_(Threat)')?['property']}",
+ "Threat Level: @{items('For_Each_Indicator_(Threat)')?['threat_level']}"
+ ],
+ "targetProduct": "Azure Sentinel",
+ "threatType": "WatchList",
+ "tlpLevel": "white",
+ "url": "@{items('For_Each_Indicator_(Threat)')?['url']}"
+ },
+ "method": "POST",
+ "uri": "https://graph.microsoft.com/beta/security/tiIndicators"
+ }
+ }
+ }
+ }
+ },
+ "default": {
+ "actions": {
+ }
+ },
+ "expression": "@items('For_Each_Indicator_(Threat)')?['type']",
+ "type": "Switch"
+ }
+ },
+ "runAfter": {
+ "Parse_JSON": [
+ "Succeeded"
+ ]
+ },
+ "type": "Foreach"
+ },
+ "Get_TIDE_Data": {
+ "runAfter": {
+ },
+ "type": "Http",
+ "inputs": {
+ "headers": {
+ "Authorization": "Token @{parameters('TIDE API Key')}"
+ },
+ "method": "GET",
+ "queries": {
+ "fields": "notes,confidence,type,class,host,expiration,id,imported,type,profile,property,threat_level,extended,email,domain,hash,hash_type,ip,url",
+ "rlimit": "90000"
+ },
+ "uri": "https://csp.infoblox.com/tide/api/data/threats/host/hourly"
+ }
+ },
+ "Parse_JSON": {
+ "runAfter": {
+ "Get_TIDE_Data": [
+ "Succeeded"
+ ]
+ },
+ "type": "ParseJson",
+ "inputs": {
+ "content": "@body('Get_TIDE_Data')",
+ "schema": {
+ "properties": {
+ "record_count": {
+ "type": "integer"
+ },
+ "threat": {
+ "items": {
+ "properties": {
+ "batch_id": {
+ "type": "string"
+ },
+ "class": {
+ "type": "string"
+ },
+ "confidence": {
+ "type": "integer"
+ },
+ "confidence_score": {
+ "type": "number"
+ },
+ "confidence_score_rating": {
+ "type": "string"
+ },
+ "confidence_score_vector": {
+ "type": "string"
+ },
+ "detected": {
+ "type": "string"
+ },
+ "dga": {
+ },
+ "domain": {
+ "type": "string"
+ },
+ "email": {
+ "type": "string"
+ },
+ "expiration": {
+ "type": "string"
+ },
+ "extended": {
+ "properties": {
+ "ais_consent": {
+ "type": "string"
+ },
+ "cyberint_guid": {
+ "type": "string"
+ },
+ "no_whitelist": {
+ "type": "string"
+ },
+ "notes": {
+ "type": "string"
+ },
+ "protocol": {
+ "type": "string"
+ },
+ "url_hash": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "hash": {
+ "type": "string"
+ },
+ "hash_type": {
+ "type": "string"
+ },
+ "host": {
+ "type": "string"
+ },
+ "id": {
+ "type": "string"
+ },
+ "imported": {
+ "type": "string"
+ },
+ "ip": {
+ "type": "string"
+ },
+ "profile": {
+ "type": "string"
+ },
+ "property": {
+ "type": "string"
+ },
+ "received": {
+ "type": "string"
+ },
+ "risk_score": {
+ "type": "number"
+ },
+ "risk_score_rating": {
+ "type": "string"
+ },
+ "risk_score_vector": {
+ "type": "string"
+ },
+ "threat_level": {
+ "type": "integer"
+ },
+ "threat_score": {
+ "type": "number"
+ },
+ "threat_score_rating": {
+ "type": "string"
+ },
+ "threat_score_vector": {
+ "type": "string"
+ },
+ "tld": {
+ "type": "string"
+ },
+ "type": {
+ "type": "string"
+ },
+ "up": {
+ },
+ "url": {
+ "type": "string"
+ }
+ },
+ "required": [
+ "id"
+ ],
+ "type": "object"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ }
+ }
+ }
+ },
+ "outputs": {
+ }
+ },
+ "parameters": {
+ }
+ },
+ "name": "[parameters('PlaybookName')]",
+ "type": "Microsoft.Logic/workflows",
+ "location": "[resourceGroup().location]",
+ "tags": {
+ "hidden-SentinelTemplateName": "Infoblox-Import-Hosts-Hourly",
+ "hidden-SentinelTemplateVersion": "1.0"
+ },
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "apiVersion": "2017-07-01",
+ "dependsOn": [
+ ]
+ }
+ ]
+}
diff --git a/Solutions/Infoblox Cloud Data Connector/Playbooks/Infoblox-Import-IPs-Hourly/azuredeploy.json b/Solutions/Infoblox Cloud Data Connector/Playbooks/Infoblox-Import-IPs-Hourly/azuredeploy.json
new file mode 100644
index 00000000000..3dc68efcd40
--- /dev/null
+++ b/Solutions/Infoblox Cloud Data Connector/Playbooks/Infoblox-Import-IPs-Hourly/azuredeploy.json
@@ -0,0 +1,516 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "title": "Infoblox Import IPs Hourly",
+ "description": "Leverages the Infoblox TIDE API to automatically import threat indicators into the ThreatIntelligenceIndicator table. This playbook imports all newly detected IPs on a scheduled hourly basis.",
+ "prerequisites": [
+ "1. Infoblox TIDE API key."
+ ],
+ "postDeployment": [
+ ],
+ "prerequisitesDeployTemplateFile": "",
+ "lastUpdateTime": "",
+ "entities": [
+ ],
+ "tags": [
+ ],
+ "support": {
+ "tier": "community",
+ "armtemplate": "Generated from https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Playbook-ARM-Template-Generator"
+ },
+ "author": {
+ "name": "Infoblox"
+ }
+ },
+ "parameters": {
+ "PlaybookName": {
+ "defaultValue": "Infoblox-Import-IPs-Hourly",
+ "type": "string"
+ },
+ "AD Application Secret": {
+ "type": "string",
+ "metadata": {
+ "description": "Enter value for AD Application Secret"
+ }
+ },
+ "Client ID": {
+ "type": "string",
+ "metadata": {
+ "description": "Enter value for Client ID"
+ }
+ },
+ "TIDE API Key": {
+ "type": "string",
+ "metadata": {
+ "description": "Enter value for TIDE API Key"
+ }
+ },
+ "Tenant ID": {
+ "type": "string",
+ "metadata": {
+ "description": "Enter value for Tenant ID"
+ }
+ }
+ },
+ "variables": {
+ },
+ "resources": [
+ {
+ "properties": {
+ "provisioningState": "Succeeded",
+ "state": "Disabled",
+ "definition": {
+ "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "AD Application Secret": {
+ "defaultValue": "[parameters('AD Application Secret')]",
+ "type": "string"
+ },
+ "Client ID": {
+ "defaultValue": "[parameters('Client ID')]",
+ "type": "string"
+ },
+ "TIDE API Key": {
+ "defaultValue": "[parameters('TIDE API Key')]",
+ "type": "string"
+ },
+ "Tenant ID": {
+ "defaultValue": "[parameters('Tenant ID')]",
+ "type": "string"
+ }
+ },
+ "triggers": {
+ "Recurrence": {
+ "recurrence": {
+ "frequency": "Hour",
+ "interval": 1
+ },
+ "evaluatedRecurrence": {
+ "frequency": "Hour",
+ "interval": 1
+ },
+ "type": "Recurrence"
+ }
+ },
+ "actions": {
+ "For_Each_Indicator_(Threat)": {
+ "foreach": "@body('Parse_JSON')?['threat']",
+ "actions": {
+ "Switch": {
+ "runAfter": {
+ },
+ "cases": {
+ "EMAIL": {
+ "case": "EMAIL",
+ "actions": {
+ "Send_Emails_to_Sentinel": {
+ "runAfter": {
+ },
+ "type": "Http",
+ "inputs": {
+ "authentication": {
+ "audience": "https://graph.microsoft.com",
+ "clientId": "@parameters('Client ID')",
+ "secret": "@parameters('AD Application Secret')",
+ "tenant": "@parameters('Tenant ID')",
+ "type": "ActiveDirectoryOAuth"
+ },
+ "body": {
+ "action": "alert",
+ "additionalInformation": "@{items('For_Each_Indicator_(Threat)')?['extended']?['notes']}",
+ "confidence": "@items('For_Each_Indicator_(Threat)')?['confidence']",
+ "description": "Infoblox - @{items('For_Each_Indicator_(Threat)')?['type']} - @{items('For_Each_Indicator_(Threat)')?['class']}",
+ "emailSenderAddress": "@{items('For_Each_Indicator_(Threat)')?['email']}",
+ "emailSourceDomain": "@{items('For_Each_Indicator_(Threat)')?['domain']}",
+ "expirationDateTime": "@items('For_Each_Indicator_(Threat)')?['expiration']",
+ "externalId": "@{items('For_Each_Indicator_(Threat)')?['id']}",
+ "indicatorProvider": "Infoblox TIDE",
+ "lastReportedDateTime": "@items('For_Each_Indicator_(Threat)')?['imported']",
+ "tags": [
+ "@{items('For_Each_Indicator_(Threat)')?['type']}",
+ "Imported: @{items('For_Each_Indicator_(Threat)')?['imported']}",
+ "Profile: @{items('For_Each_Indicator_(Threat)')?['profile']}",
+ "Property: @{items('For_Each_Indicator_(Threat)')?['property']}",
+ "Threat Level: @{items('For_Each_Indicator_(Threat)')?['threat_level']}"
+ ],
+ "targetProduct": "Azure Sentinel",
+ "threatType": "WatchList",
+ "tlpLevel": "white"
+ },
+ "method": "POST",
+ "uri": "https://graph.microsoft.com/beta/security/tiIndicators"
+ }
+ }
+ }
+ },
+ "HASH": {
+ "case": "HASH",
+ "actions": {
+ "Send_Hashes_to_Sentinel": {
+ "runAfter": {
+ },
+ "type": "Http",
+ "inputs": {
+ "authentication": {
+ "audience": "https://graph.microsoft.com",
+ "clientId": "@parameters('Client ID')",
+ "secret": "@parameters('AD Application Secret')",
+ "tenant": "@parameters('Tenant ID')",
+ "type": "ActiveDirectoryOAuth"
+ },
+ "body": {
+ "action": "alert",
+ "additionalInformation": "@{items('For_Each_Indicator_(Threat)')?['extended']?['notes']}",
+ "confidence": "@items('For_Each_Indicator_(Threat)')?['confidence']",
+ "description": "Infoblox - @{items('For_Each_Indicator_(Threat)')?['type']} - @{items('For_Each_Indicator_(Threat)')?['class']}",
+ "expirationDateTime": "@items('For_Each_Indicator_(Threat)')?['expiration']",
+ "externalId": "@{items('For_Each_Indicator_(Threat)')?['id']}",
+ "fileHashType": "@{items('For_Each_Indicator_(Threat)')?['hash_type']}",
+ "fileHashValue": "@{items('For_Each_Indicator_(Threat)')?['hash']}",
+ "indicatorProvider": "Infoblox TIDE",
+ "lastReportedDateTime": "@items('For_Each_Indicator_(Threat)')?['imported']",
+ "tags": [
+ "@{items('For_Each_Indicator_(Threat)')?['type']}",
+ "Imported: @{items('For_Each_Indicator_(Threat)')?['imported']}",
+ "Profile: @{items('For_Each_Indicator_(Threat)')?['profile']}",
+ "Property: @{items('For_Each_Indicator_(Threat)')?['property']}",
+ "Threat Level: @{items('For_Each_Indicator_(Threat)')?['threat_level']}",
+ "Hash Type: @{items('For_Each_Indicator_(Threat)')?['hash_type']}"
+ ],
+ "targetProduct": "Azure Sentinel",
+ "threatType": "WatchList",
+ "tlpLevel": "white"
+ },
+ "method": "POST",
+ "uri": "https://graph.microsoft.com/beta/security/tiIndicators"
+ }
+ }
+ }
+ },
+ "HOST": {
+ "case": "HOST",
+ "actions": {
+ "Send_Hosts_to_Sentinel": {
+ "runAfter": {
+ },
+ "type": "Http",
+ "inputs": {
+ "authentication": {
+ "audience": "https://graph.microsoft.com",
+ "clientId": "@parameters('Client ID')",
+ "secret": "@parameters('AD Application Secret')",
+ "tenant": "@parameters('Tenant ID')",
+ "type": "ActiveDirectoryOAuth"
+ },
+ "body": {
+ "action": "alert",
+ "additionalInformation": "@{items('For_Each_Indicator_(Threat)')?['extended']?['notes']}",
+ "confidence": "@items('For_Each_Indicator_(Threat)')?['confidence']",
+ "description": "Infoblox - @{items('For_Each_Indicator_(Threat)')?['type']} - @{items('For_Each_Indicator_(Threat)')?['class']}",
+ "domainName": "@{items('For_Each_Indicator_(Threat)')?['host']}",
+ "expirationDateTime": "@items('For_Each_Indicator_(Threat)')?['expiration']",
+ "externalId": "@{items('For_Each_Indicator_(Threat)')?['id']}",
+ "indicatorProvider": "Infoblox TIDE",
+ "lastReportedDateTime": "@items('For_Each_Indicator_(Threat)')?['imported']",
+ "tags": [
+ "@{items('For_Each_Indicator_(Threat)')?['type']}",
+ "Imported: @{items('For_Each_Indicator_(Threat)')?['imported']}",
+ "Profile: @{items('For_Each_Indicator_(Threat)')?['profile']}",
+ "Property: @{items('For_Each_Indicator_(Threat)')?['property']}",
+ "Threat Level: @{items('For_Each_Indicator_(Threat)')?['threat_level']}"
+ ],
+ "targetProduct": "Azure Sentinel",
+ "threatType": "WatchList",
+ "tlpLevel": "white"
+ },
+ "method": "POST",
+ "uri": "https://graph.microsoft.com/beta/security/tiIndicators"
+ }
+ }
+ }
+ },
+ "IP": {
+ "case": "IP",
+ "actions": {
+ "Send_IPs_to_Sentinel": {
+ "runAfter": {
+ },
+ "type": "Http",
+ "inputs": {
+ "authentication": {
+ "audience": "https://graph.microsoft.com",
+ "clientId": "@parameters('Client ID')",
+ "secret": "@parameters('AD Application Secret')",
+ "tenant": "@parameters('Tenant ID')",
+ "type": "ActiveDirectoryOAuth"
+ },
+ "body": {
+ "action": "alert",
+ "additionalInformation": "@{items('For_Each_Indicator_(Threat)')?['extended']?['notes']}",
+ "confidence": "@items('For_Each_Indicator_(Threat)')?['confidence']",
+ "description": "Infoblox - @{items('For_Each_Indicator_(Threat)')?['type']} - @{items('For_Each_Indicator_(Threat)')?['class']}",
+ "expirationDateTime": "@items('For_Each_Indicator_(Threat)')?['expiration']",
+ "externalId": "@{items('For_Each_Indicator_(Threat)')?['id']}",
+ "indicatorProvider": "Infoblox TIDE",
+ "lastReportedDateTime": "@items('For_Each_Indicator_(Threat)')?['imported']",
+ "networkIPv4": "@{items('For_Each_Indicator_(Threat)')?['ip']}",
+ "tags": [
+ "@{items('For_Each_Indicator_(Threat)')?['type']}",
+ "Imported: @{items('For_Each_Indicator_(Threat)')?['imported']}",
+ "Profile: @{items('For_Each_Indicator_(Threat)')?['profile']}",
+ "Property: @{items('For_Each_Indicator_(Threat)')?['property']}",
+ "Threat Level: @{items('For_Each_Indicator_(Threat)')?['threat_level']}"
+ ],
+ "targetProduct": "Azure Sentinel",
+ "threatType": "WatchList",
+ "tlpLevel": "white"
+ },
+ "method": "POST",
+ "uri": "https://graph.microsoft.com/beta/security/tiIndicators"
+ }
+ }
+ }
+ },
+ "URL": {
+ "case": "URL",
+ "actions": {
+ "Send_URLs_to_Sentinel": {
+ "runAfter": {
+ },
+ "type": "Http",
+ "inputs": {
+ "authentication": {
+ "audience": "https://graph.microsoft.com",
+ "clientId": "@parameters('Client ID')",
+ "secret": "@parameters('AD Application Secret')",
+ "tenant": "@parameters('Tenant ID')",
+ "type": "ActiveDirectoryOAuth"
+ },
+ "body": {
+ "action": "alert",
+ "additionalInformation": "@{items('For_Each_Indicator_(Threat)')?['extended']?['notes']}",
+ "confidence": "@items('For_Each_Indicator_(Threat)')?['confidence']",
+ "description": "Infoblox - @{items('For_Each_Indicator_(Threat)')?['type']} - @{items('For_Each_Indicator_(Threat)')?['class']}",
+ "expirationDateTime": "@items('For_Each_Indicator_(Threat)')?['expiration']",
+ "externalId": "@{items('For_Each_Indicator_(Threat)')?['id']}",
+ "indicatorProvider": "Infoblox TIDE",
+ "lastReportedDateTime": "@items('For_Each_Indicator_(Threat)')?['imported']",
+ "tags": [
+ "@{items('For_Each_Indicator_(Threat)')?['type']}",
+ "Imported: @{items('For_Each_Indicator_(Threat)')?['imported']}",
+ "Profile: @{items('For_Each_Indicator_(Threat)')?['profile']}",
+ "Property: @{items('For_Each_Indicator_(Threat)')?['property']}",
+ "Threat Level: @{items('For_Each_Indicator_(Threat)')?['threat_level']}"
+ ],
+ "targetProduct": "Azure Sentinel",
+ "threatType": "WatchList",
+ "tlpLevel": "white",
+ "url": "@{items('For_Each_Indicator_(Threat)')?['url']}"
+ },
+ "method": "POST",
+ "uri": "https://graph.microsoft.com/beta/security/tiIndicators"
+ }
+ }
+ }
+ }
+ },
+ "default": {
+ "actions": {
+ }
+ },
+ "expression": "@items('For_Each_Indicator_(Threat)')?['type']",
+ "type": "Switch"
+ }
+ },
+ "runAfter": {
+ "Parse_JSON": [
+ "Succeeded"
+ ]
+ },
+ "type": "Foreach"
+ },
+ "Get_TIDE_Data": {
+ "runAfter": {
+ },
+ "type": "Http",
+ "inputs": {
+ "headers": {
+ "Authorization": "Token @{parameters('TIDE API Key')}"
+ },
+ "method": "GET",
+ "queries": {
+ "fields": "notes,confidence,type,class,host,expiration,id,imported,type,profile,property,threat_level,extended,email,domain,hash,hash_type,ip,url",
+ "rlimit": "90000"
+ },
+ "uri": "https://csp.infoblox.com/tide/api/data/threats/ip/hourly"
+ }
+ },
+ "Parse_JSON": {
+ "runAfter": {
+ "Get_TIDE_Data": [
+ "Succeeded"
+ ]
+ },
+ "type": "ParseJson",
+ "inputs": {
+ "content": "@body('Get_TIDE_Data')",
+ "schema": {
+ "properties": {
+ "record_count": {
+ "type": "integer"
+ },
+ "threat": {
+ "items": {
+ "properties": {
+ "batch_id": {
+ "type": "string"
+ },
+ "class": {
+ "type": "string"
+ },
+ "confidence": {
+ "type": "integer"
+ },
+ "confidence_score": {
+ "type": "number"
+ },
+ "confidence_score_rating": {
+ "type": "string"
+ },
+ "confidence_score_vector": {
+ "type": "string"
+ },
+ "detected": {
+ "type": "string"
+ },
+ "dga": {
+ },
+ "domain": {
+ "type": "string"
+ },
+ "email": {
+ "type": "string"
+ },
+ "expiration": {
+ "type": "string"
+ },
+ "extended": {
+ "properties": {
+ "ais_consent": {
+ "type": "string"
+ },
+ "cyberint_guid": {
+ "type": "string"
+ },
+ "no_whitelist": {
+ "type": "string"
+ },
+ "notes": {
+ "type": "string"
+ },
+ "protocol": {
+ "type": "string"
+ },
+ "url_hash": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "hash": {
+ "type": "string"
+ },
+ "hash_type": {
+ "type": "string"
+ },
+ "host": {
+ "type": "string"
+ },
+ "id": {
+ "type": "string"
+ },
+ "imported": {
+ "type": "string"
+ },
+ "ip": {
+ "type": "string"
+ },
+ "profile": {
+ "type": "string"
+ },
+ "property": {
+ "type": "string"
+ },
+ "received": {
+ "type": "string"
+ },
+ "risk_score": {
+ "type": "number"
+ },
+ "risk_score_rating": {
+ "type": "string"
+ },
+ "risk_score_vector": {
+ "type": "string"
+ },
+ "threat_level": {
+ "type": "integer"
+ },
+ "threat_score": {
+ "type": "number"
+ },
+ "threat_score_rating": {
+ "type": "string"
+ },
+ "threat_score_vector": {
+ "type": "string"
+ },
+ "tld": {
+ "type": "string"
+ },
+ "type": {
+ "type": "string"
+ },
+ "up": {
+ },
+ "url": {
+ "type": "string"
+ }
+ },
+ "required": [
+ "id"
+ ],
+ "type": "object"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ }
+ }
+ }
+ },
+ "outputs": {
+ }
+ },
+ "parameters": {
+ }
+ },
+ "name": "[parameters('PlaybookName')]",
+ "type": "Microsoft.Logic/workflows",
+ "location": "[resourceGroup().location]",
+ "tags": {
+ "hidden-SentinelTemplateName": "Infoblox-Import-IPs-Hourly",
+ "hidden-SentinelTemplateVersion": "1.0"
+ },
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "apiVersion": "2017-07-01",
+ "dependsOn": [
+ ]
+ }
+ ]
+}
diff --git a/Solutions/Infoblox Cloud Data Connector/Playbooks/Infoblox-Import-URLs-Hourly/azuredeploy.json b/Solutions/Infoblox Cloud Data Connector/Playbooks/Infoblox-Import-URLs-Hourly/azuredeploy.json
new file mode 100644
index 00000000000..b9e24b82752
--- /dev/null
+++ b/Solutions/Infoblox Cloud Data Connector/Playbooks/Infoblox-Import-URLs-Hourly/azuredeploy.json
@@ -0,0 +1,516 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "title": "Infoblox Import URLs Hourly",
+ "description": "Leverages the Infoblox TIDE API to automatically import threat indicators into the ThreatIntelligenceIndicator table. This playbook imports all newly detected URLs on a scheduled hourly basis.",
+ "prerequisites": [
+ "1. Infoblox TIDE API key."
+ ],
+ "postDeployment": [
+ ],
+ "prerequisitesDeployTemplateFile": "",
+ "lastUpdateTime": "",
+ "entities": [
+ ],
+ "tags": [
+ ],
+ "support": {
+ "tier": "community",
+ "armtemplate": "Generated from https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Playbook-ARM-Template-Generator"
+ },
+ "author": {
+ "name": "Infoblox"
+ }
+ },
+ "parameters": {
+ "PlaybookName": {
+ "defaultValue": "Infoblox-Import-URLs-Hourly",
+ "type": "string"
+ },
+ "AD Application Secret": {
+ "type": "string",
+ "metadata": {
+ "description": "Enter value for AD Application Secret"
+ }
+ },
+ "Client ID": {
+ "type": "string",
+ "metadata": {
+ "description": "Enter value for Client ID"
+ }
+ },
+ "TIDE API Key": {
+ "type": "string",
+ "metadata": {
+ "description": "Enter value for TIDE API Key"
+ }
+ },
+ "Tenant ID": {
+ "type": "string",
+ "metadata": {
+ "description": "Enter value for Tenant ID"
+ }
+ }
+ },
+ "variables": {
+ },
+ "resources": [
+ {
+ "properties": {
+ "provisioningState": "Succeeded",
+ "state": "Disabled",
+ "definition": {
+ "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "AD Application Secret": {
+ "defaultValue": "[parameters('AD Application Secret')]",
+ "type": "string"
+ },
+ "Client ID": {
+ "defaultValue": "[parameters('Client ID')]",
+ "type": "string"
+ },
+ "TIDE API Key": {
+ "defaultValue": "[parameters('TIDE API Key')]",
+ "type": "string"
+ },
+ "Tenant ID": {
+ "defaultValue": "[parameters('Tenant ID')]",
+ "type": "string"
+ }
+ },
+ "triggers": {
+ "Recurrence": {
+ "recurrence": {
+ "frequency": "Hour",
+ "interval": 1
+ },
+ "evaluatedRecurrence": {
+ "frequency": "Hour",
+ "interval": 1
+ },
+ "type": "Recurrence"
+ }
+ },
+ "actions": {
+ "For_Each_Indicator_(Threat)": {
+ "foreach": "@body('Parse_JSON')?['threat']",
+ "actions": {
+ "Switch": {
+ "runAfter": {
+ },
+ "cases": {
+ "EMAIL": {
+ "case": "EMAIL",
+ "actions": {
+ "Send_Emails_to_Sentinel": {
+ "runAfter": {
+ },
+ "type": "Http",
+ "inputs": {
+ "authentication": {
+ "audience": "https://graph.microsoft.com",
+ "clientId": "@parameters('Client ID')",
+ "secret": "@parameters('AD Application Secret')",
+ "tenant": "@parameters('Tenant ID')",
+ "type": "ActiveDirectoryOAuth"
+ },
+ "body": {
+ "action": "alert",
+ "additionalInformation": "@{items('For_Each_Indicator_(Threat)')?['extended']?['notes']}",
+ "confidence": "@items('For_Each_Indicator_(Threat)')?['confidence']",
+ "description": "Infoblox - @{items('For_Each_Indicator_(Threat)')?['type']} - @{items('For_Each_Indicator_(Threat)')?['class']}",
+ "emailSenderAddress": "@{items('For_Each_Indicator_(Threat)')?['email']}",
+ "emailSourceDomain": "@{items('For_Each_Indicator_(Threat)')?['domain']}",
+ "expirationDateTime": "@items('For_Each_Indicator_(Threat)')?['expiration']",
+ "externalId": "@{items('For_Each_Indicator_(Threat)')?['id']}",
+ "indicatorProvider": "Infoblox TIDE",
+ "lastReportedDateTime": "@items('For_Each_Indicator_(Threat)')?['imported']",
+ "tags": [
+ "@{items('For_Each_Indicator_(Threat)')?['type']}",
+ "Imported: @{items('For_Each_Indicator_(Threat)')?['imported']}",
+ "Profile: @{items('For_Each_Indicator_(Threat)')?['profile']}",
+ "Property: @{items('For_Each_Indicator_(Threat)')?['property']}",
+ "Threat Level: @{items('For_Each_Indicator_(Threat)')?['threat_level']}"
+ ],
+ "targetProduct": "Azure Sentinel",
+ "threatType": "WatchList",
+ "tlpLevel": "white"
+ },
+ "method": "POST",
+ "uri": "https://graph.microsoft.com/beta/security/tiIndicators"
+ }
+ }
+ }
+ },
+ "HASH": {
+ "case": "HASH",
+ "actions": {
+ "Send_Hashes_to_Sentinel": {
+ "runAfter": {
+ },
+ "type": "Http",
+ "inputs": {
+ "authentication": {
+ "audience": "https://graph.microsoft.com",
+ "clientId": "@parameters('Client ID')",
+ "secret": "@parameters('AD Application Secret')",
+ "tenant": "@parameters('Tenant ID')",
+ "type": "ActiveDirectoryOAuth"
+ },
+ "body": {
+ "action": "alert",
+ "additionalInformation": "@{items('For_Each_Indicator_(Threat)')?['extended']?['notes']}",
+ "confidence": "@items('For_Each_Indicator_(Threat)')?['confidence']",
+ "description": "Infoblox - @{items('For_Each_Indicator_(Threat)')?['type']} - @{items('For_Each_Indicator_(Threat)')?['class']}",
+ "expirationDateTime": "@items('For_Each_Indicator_(Threat)')?['expiration']",
+ "externalId": "@{items('For_Each_Indicator_(Threat)')?['id']}",
+ "fileHashType": "@{items('For_Each_Indicator_(Threat)')?['hash_type']}",
+ "fileHashValue": "@{items('For_Each_Indicator_(Threat)')?['hash']}",
+ "indicatorProvider": "Infoblox TIDE",
+ "lastReportedDateTime": "@items('For_Each_Indicator_(Threat)')?['imported']",
+ "tags": [
+ "@{items('For_Each_Indicator_(Threat)')?['type']}",
+ "Imported: @{items('For_Each_Indicator_(Threat)')?['imported']}",
+ "Profile: @{items('For_Each_Indicator_(Threat)')?['profile']}",
+ "Property: @{items('For_Each_Indicator_(Threat)')?['property']}",
+ "Threat Level: @{items('For_Each_Indicator_(Threat)')?['threat_level']}",
+ "Hash Type: @{items('For_Each_Indicator_(Threat)')?['hash_type']}"
+ ],
+ "targetProduct": "Azure Sentinel",
+ "threatType": "WatchList",
+ "tlpLevel": "white"
+ },
+ "method": "POST",
+ "uri": "https://graph.microsoft.com/beta/security/tiIndicators"
+ }
+ }
+ }
+ },
+ "HOST": {
+ "case": "HOST",
+ "actions": {
+ "Send_Hosts_to_Sentinel": {
+ "runAfter": {
+ },
+ "type": "Http",
+ "inputs": {
+ "authentication": {
+ "audience": "https://graph.microsoft.com",
+ "clientId": "@parameters('Client ID')",
+ "secret": "@parameters('AD Application Secret')",
+ "tenant": "@parameters('Tenant ID')",
+ "type": "ActiveDirectoryOAuth"
+ },
+ "body": {
+ "action": "alert",
+ "additionalInformation": "@{items('For_Each_Indicator_(Threat)')?['extended']?['notes']}",
+ "confidence": "@items('For_Each_Indicator_(Threat)')?['confidence']",
+ "description": "Infoblox - @{items('For_Each_Indicator_(Threat)')?['type']} - @{items('For_Each_Indicator_(Threat)')?['class']}",
+ "domainName": "@{items('For_Each_Indicator_(Threat)')?['host']}",
+ "expirationDateTime": "@items('For_Each_Indicator_(Threat)')?['expiration']",
+ "externalId": "@{items('For_Each_Indicator_(Threat)')?['id']}",
+ "indicatorProvider": "Infoblox TIDE",
+ "lastReportedDateTime": "@items('For_Each_Indicator_(Threat)')?['imported']",
+ "tags": [
+ "@{items('For_Each_Indicator_(Threat)')?['type']}",
+ "Imported: @{items('For_Each_Indicator_(Threat)')?['imported']}",
+ "Profile: @{items('For_Each_Indicator_(Threat)')?['profile']}",
+ "Property: @{items('For_Each_Indicator_(Threat)')?['property']}",
+ "Threat Level: @{items('For_Each_Indicator_(Threat)')?['threat_level']}"
+ ],
+ "targetProduct": "Azure Sentinel",
+ "threatType": "WatchList",
+ "tlpLevel": "white"
+ },
+ "method": "POST",
+ "uri": "https://graph.microsoft.com/beta/security/tiIndicators"
+ }
+ }
+ }
+ },
+ "IP": {
+ "case": "IP",
+ "actions": {
+ "Send_IPs_to_Sentinel": {
+ "runAfter": {
+ },
+ "type": "Http",
+ "inputs": {
+ "authentication": {
+ "audience": "https://graph.microsoft.com",
+ "clientId": "@parameters('Client ID')",
+ "secret": "@parameters('AD Application Secret')",
+ "tenant": "@parameters('Tenant ID')",
+ "type": "ActiveDirectoryOAuth"
+ },
+ "body": {
+ "action": "alert",
+ "additionalInformation": "@{items('For_Each_Indicator_(Threat)')?['extended']?['notes']}",
+ "confidence": "@items('For_Each_Indicator_(Threat)')?['confidence']",
+ "description": "Infoblox - @{items('For_Each_Indicator_(Threat)')?['type']} - @{items('For_Each_Indicator_(Threat)')?['class']}",
+ "expirationDateTime": "@items('For_Each_Indicator_(Threat)')?['expiration']",
+ "externalId": "@{items('For_Each_Indicator_(Threat)')?['id']}",
+ "indicatorProvider": "Infoblox TIDE",
+ "lastReportedDateTime": "@items('For_Each_Indicator_(Threat)')?['imported']",
+ "networkIPv4": "@{items('For_Each_Indicator_(Threat)')?['ip']}",
+ "tags": [
+ "@{items('For_Each_Indicator_(Threat)')?['type']}",
+ "Imported: @{items('For_Each_Indicator_(Threat)')?['imported']}",
+ "Profile: @{items('For_Each_Indicator_(Threat)')?['profile']}",
+ "Property: @{items('For_Each_Indicator_(Threat)')?['property']}",
+ "Threat Level: @{items('For_Each_Indicator_(Threat)')?['threat_level']}"
+ ],
+ "targetProduct": "Azure Sentinel",
+ "threatType": "WatchList",
+ "tlpLevel": "white"
+ },
+ "method": "POST",
+ "uri": "https://graph.microsoft.com/beta/security/tiIndicators"
+ }
+ }
+ }
+ },
+ "URL": {
+ "case": "URL",
+ "actions": {
+ "Send_URLs_to_Sentinel": {
+ "runAfter": {
+ },
+ "type": "Http",
+ "inputs": {
+ "authentication": {
+ "audience": "https://graph.microsoft.com",
+ "clientId": "@parameters('Client ID')",
+ "secret": "@parameters('AD Application Secret')",
+ "tenant": "@parameters('Tenant ID')",
+ "type": "ActiveDirectoryOAuth"
+ },
+ "body": {
+ "action": "alert",
+ "additionalInformation": "@{items('For_Each_Indicator_(Threat)')?['extended']?['notes']}",
+ "confidence": "@items('For_Each_Indicator_(Threat)')?['confidence']",
+ "description": "Infoblox - @{items('For_Each_Indicator_(Threat)')?['type']} - @{items('For_Each_Indicator_(Threat)')?['class']}",
+ "expirationDateTime": "@items('For_Each_Indicator_(Threat)')?['expiration']",
+ "externalId": "@{items('For_Each_Indicator_(Threat)')?['id']}",
+ "indicatorProvider": "Infoblox TIDE",
+ "lastReportedDateTime": "@items('For_Each_Indicator_(Threat)')?['imported']",
+ "tags": [
+ "@{items('For_Each_Indicator_(Threat)')?['type']}",
+ "Imported: @{items('For_Each_Indicator_(Threat)')?['imported']}",
+ "Profile: @{items('For_Each_Indicator_(Threat)')?['profile']}",
+ "Property: @{items('For_Each_Indicator_(Threat)')?['property']}",
+ "Threat Level: @{items('For_Each_Indicator_(Threat)')?['threat_level']}"
+ ],
+ "targetProduct": "Azure Sentinel",
+ "threatType": "WatchList",
+ "tlpLevel": "white",
+ "url": "@{items('For_Each_Indicator_(Threat)')?['url']}"
+ },
+ "method": "POST",
+ "uri": "https://graph.microsoft.com/beta/security/tiIndicators"
+ }
+ }
+ }
+ }
+ },
+ "default": {
+ "actions": {
+ }
+ },
+ "expression": "@items('For_Each_Indicator_(Threat)')?['type']",
+ "type": "Switch"
+ }
+ },
+ "runAfter": {
+ "Parse_JSON": [
+ "Succeeded"
+ ]
+ },
+ "type": "Foreach"
+ },
+ "Get_TIDE_Data": {
+ "runAfter": {
+ },
+ "type": "Http",
+ "inputs": {
+ "headers": {
+ "Authorization": "Token @{parameters('TIDE API Key')}"
+ },
+ "method": "GET",
+ "queries": {
+ "fields": "notes,confidence,type,class,host,expiration,id,imported,type,profile,property,threat_level,extended,email,domain,hash,hash_type,ip,url",
+ "rlimit": "90000"
+ },
+ "uri": "https://csp.infoblox.com/tide/api/data/threats/url/hourly"
+ }
+ },
+ "Parse_JSON": {
+ "runAfter": {
+ "Get_TIDE_Data": [
+ "Succeeded"
+ ]
+ },
+ "type": "ParseJson",
+ "inputs": {
+ "content": "@body('Get_TIDE_Data')",
+ "schema": {
+ "properties": {
+ "record_count": {
+ "type": "integer"
+ },
+ "threat": {
+ "items": {
+ "properties": {
+ "batch_id": {
+ "type": "string"
+ },
+ "class": {
+ "type": "string"
+ },
+ "confidence": {
+ "type": "integer"
+ },
+ "confidence_score": {
+ "type": "number"
+ },
+ "confidence_score_rating": {
+ "type": "string"
+ },
+ "confidence_score_vector": {
+ "type": "string"
+ },
+ "detected": {
+ "type": "string"
+ },
+ "dga": {
+ },
+ "domain": {
+ "type": "string"
+ },
+ "email": {
+ "type": "string"
+ },
+ "expiration": {
+ "type": "string"
+ },
+ "extended": {
+ "properties": {
+ "ais_consent": {
+ "type": "string"
+ },
+ "cyberint_guid": {
+ "type": "string"
+ },
+ "no_whitelist": {
+ "type": "string"
+ },
+ "notes": {
+ "type": "string"
+ },
+ "protocol": {
+ "type": "string"
+ },
+ "url_hash": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "hash": {
+ "type": "string"
+ },
+ "hash_type": {
+ "type": "string"
+ },
+ "host": {
+ "type": "string"
+ },
+ "id": {
+ "type": "string"
+ },
+ "imported": {
+ "type": "string"
+ },
+ "ip": {
+ "type": "string"
+ },
+ "profile": {
+ "type": "string"
+ },
+ "property": {
+ "type": "string"
+ },
+ "received": {
+ "type": "string"
+ },
+ "risk_score": {
+ "type": "number"
+ },
+ "risk_score_rating": {
+ "type": "string"
+ },
+ "risk_score_vector": {
+ "type": "string"
+ },
+ "threat_level": {
+ "type": "integer"
+ },
+ "threat_score": {
+ "type": "number"
+ },
+ "threat_score_rating": {
+ "type": "string"
+ },
+ "threat_score_vector": {
+ "type": "string"
+ },
+ "tld": {
+ "type": "string"
+ },
+ "type": {
+ "type": "string"
+ },
+ "up": {
+ },
+ "url": {
+ "type": "string"
+ }
+ },
+ "required": [
+ "id"
+ ],
+ "type": "object"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ }
+ }
+ }
+ },
+ "outputs": {
+ }
+ },
+ "parameters": {
+ }
+ },
+ "name": "[parameters('PlaybookName')]",
+ "type": "Microsoft.Logic/workflows",
+ "location": "[resourceGroup().location]",
+ "tags": {
+ "hidden-SentinelTemplateName": "Infoblox-Import-URLs-Hourly",
+ "hidden-SentinelTemplateVersion": "1.0"
+ },
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "apiVersion": "2017-07-01",
+ "dependsOn": [
+ ]
+ }
+ ]
+}
diff --git a/Solutions/Infoblox Cloud Data Connector/Playbooks/Infoblox-Incident-Enrichment-Domains/azuredeploy.json b/Solutions/Infoblox Cloud Data Connector/Playbooks/Infoblox-Incident-Enrichment-Domains/azuredeploy.json
new file mode 100644
index 00000000000..3e4ff79c39e
--- /dev/null
+++ b/Solutions/Infoblox Cloud Data Connector/Playbooks/Infoblox-Incident-Enrichment-Domains/azuredeploy.json
@@ -0,0 +1,434 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "title": "Infoblox Incident Enrichment Domains",
+ "description": "Leverages the Infoblox TIDE API to enrich Sentinel incidents with detailed TIDE data. This playbook can be configured to run automatically when an incident occurs (recommended) or run on demand.",
+ "prerequisites": [
+ "1. Infoblox TIDE API key."
+ ],
+ "postDeployment": [
+ "1. Grant playbook's Managed Identity **Microsoft Sentinel Responder** or greater to Resource Group."
+ ],
+ "prerequisitesDeployTemplateFile": "",
+ "lastUpdateTime": "",
+ "entities": [ "DnsResolution"
+ ],
+ "tags": [ "Enrichment"
+ ],
+ "support": {
+ "tier": "community",
+ "armtemplate": "Generated from https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Playbook-ARM-Template-Generator"
+ },
+ "author": {
+ "name": "Infoblox"
+ }
+ },
+ "parameters": {
+ "PlaybookName": {
+ "defaultValue": "Infoblox-Incident-Enrichment-Domains",
+ "type": "string"
+ },
+ "TIDE API Key": {
+ "type": "string",
+ "metadata": {
+ "description": "Enter value for TIDE API Key"
+ }
+ }
+ },
+ "variables": {
+ "MicrosoftSentinelConnectionName": "[concat('MicrosoftSentinel-', parameters('PlaybookName'))]"
+ },
+ "resources": [
+ {
+ "properties": {
+ "provisioningState": "Succeeded",
+ "state": "Disabled",
+ "definition": {
+ "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "$connections": {
+ "defaultValue": {
+ },
+ "type": "Object"
+ },
+ "TIDE API Key": {
+ "defaultValue": "[parameters('TIDE API Key')]",
+ "type": "string"
+ }
+ },
+ "triggers": {
+ "Microsoft_Sentinel_incident": {
+ "type": "ApiConnectionWebhook",
+ "inputs": {
+ "body": {
+ "callback_url": "@{listCallbackUrl()}"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "path": "/incident-creation"
+ }
+ }
+ },
+ "actions": {
+ "Entities_-_Get_DNS": {
+ "runAfter": {
+ "Initialize_HTML": [
+ "Succeeded"
+ ]
+ },
+ "type": "ApiConnection",
+ "inputs": {
+ "body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/entities/dnsresolution"
+ }
+ },
+ "For_each_DNS_Domain_Entity": {
+ "foreach": "@body('Entities_-_Get_DNS')?['Dnsresolutions']",
+ "actions": {
+ "For_each_Threat_IoC": {
+ "foreach": "@body('Parse_JSON')?['threat']",
+ "actions": {
+ "Enrich_Incident_with_TIDE_Data_if_it_exists": {
+ "actions": {
+ },
+ "runAfter": {
+ },
+ "else": {
+ "actions": {
+ "Add_comment_to_incident": {
+ "runAfter": {
+ "Set_HTML_Table_with_TIDE_Data": [
+ "Succeeded"
+ ]
+ },
+ "type": "ApiConnection",
+ "inputs": {
+ "body": {
+ "incidentArmId": "@triggerBody()?['object']?['id']",
+ "message": "\u003cp\u003eIoC - @{items('For_each_DNS_Domain_Entity')?['DomainName']} - @{items('For_each_Threat_IoC')?['type']} - @{items('For_each_Threat_IoC')?['class']}\u003cbr\u003e\n@{variables('html')}\u003c/p\u003e"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/Incidents/Comment"
+ }
+ },
+ "Set_HTML_Table_with_TIDE_Data": {
+ "runAfter": {
+ },
+ "type": "SetVariable",
+ "inputs": {
+ "name": "html",
+ "value": "\u003cp style=\"height:0px\"\u003e\u003ctable\u003e\u003ctbody\u003e \n\u003ctr\u003e\u003ctd\u003eID\u003c/td\u003e\u003ctd style=\"text-align:left\"\u003e@{items('For_each_Threat_IoC')?['id']}\u003c/td\u003e\u003c/tr\u003e\n\u003ctr\u003e\u003ctd\u003eType\u003c/td\u003e\u003ctd style=\"text-align:left\"\u003e@{items('For_each_Threat_IoC')?['type']}\u003c/td\u003e\u003c/tr\u003e\n\u003ctr\u003e\u003ctd\u003eHost\u003c/td\u003e\u003ctd style=\"text-align:left\"\u003e@{items('For_each_Threat_IoC')?['host']}\u003c/td\u003e\u003c/tr\u003e\n\u003ctr\u003e\u003ctd\u003eDomain\u003c/td\u003e\u003ctd style=\"text-align:left\"\u003e@{items('For_each_Threat_IoC')?['domain']}\u003c/td\u003e\u003c/tr\u003e\n\u003ctr\u003e\u003ctd\u003eURL\u003c/td\u003e\u003ctd style=\"text-align:left\"\u003e@{items('For_each_Threat_IoC')?['url']}\u003c/td\u003e\u003c/tr\u003e\n\u003ctr\u003e\u003ctd\u003eIP\u003c/td\u003e\u003ctd style=\"text-align:left\"\u003e@{items('For_each_Threat_IoC')?['ip']}\u003c/td\u003e\u003c/tr\u003e\n\u003ctd\u003eEmail\u003c/td\u003e\u003ctd style=\"text-align:left\"\u003e@{items('For_each_Threat_IoC')?['email']}\u003c/td\u003e\u003c/tr\u003e\n\u003ctr\u003e\u003ctd\u003eHash\u003c/td\u003e\u003ctd style=\"text-align:left\"\u003e@{items('For_each_Threat_IoC')?['hash']} @{items('For_each_Threat_IoC')?['hash_type']}\u003c/td\u003e\u003c/tr\u003e\n\u003ctr\u003e\u003ctd\u003eProfile\u003c/td\u003e\u003ctd style=\"text-align:left\"\u003e@{items('For_each_Threat_IoC')?['profile']}\u003c/td\u003e\u003c/tr\u003e\n\u003ctr\u003e\u003ctd\u003eProperty\u003c/td\u003e\u003ctd style=\"text-align:left\"\u003e@{items('For_each_Threat_IoC')?['property']}\u003c/td\u003e\u003c/tr\u003e\n\u003ctr\u003e\u003ctd\u003eThreat Level\u003c/td\u003e\u003ctd style=\"text-align:left\"\u003e@{items('For_each_Threat_IoC')?['threat_level']}\u003c/td\u003e\u003c/tr\u003e\n\u003ctr\u003e\u003ctd\u003eConfidence\u003c/td\u003e\u003ctd style=\"text-align:left\"\u003e@{items('For_each_Threat_IoC')?['confidence']}\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\u003ctd\u003eDetected\u003c/td\u003e\u003ctd style=\"text-align:left\"\u003e@{items('For_each_Threat_IoC')?['detected']}\u003c/td\u003e\u003c/tr\u003e\n\u003ctr\u003e\u003ctd\u003eReceived\u003c/td\u003e\u003ctd style=\"text-align:left\"\u003e@{items('For_each_Threat_IoC')?['received']}\u003c/td\u003e\u003c/tr\u003e\n\u003ctr\u003e\u003ctd\u003eImported\u003c/td\u003e\u003ctd style=\"text-align:left\"\u003e@{items('For_each_Threat_IoC')?['imported']}\u003c/td\u003e\u003c/tr\u003e\n\u003ctr\u003e\u003ctd\u003eExpiration\u003c/td\u003e\u003ctd style=\"text-align:left\"\u003e@{items('For_each_Threat_IoC')?['expiration']}\u003c/td\u003e\u003c/tr\u003e\n\u003ctr\u003e\u003ctd \u003eDescription\u003c/td\u003e\u003ctd style=\"text-align:left\"\u003e@{items('For_each_Threat_IoC')?['extended']?['notes']}\u003c/td\u003e\u003c/tr\u003e\n\u003ctr\u003e\u003ctd \u003eOpen in CSP\u003c/td\u003e\u003ctd style=\"text-align:left\"\u003ehttps://csp.infoblox.com/#/security_research/search/auto/@{items('For_each_Threat_IoC')?['host']}/summary\u003c/td\u003e\u003c/tr\u003e\n\u003c/tbody\u003e\u003c/table\u003e\u003c/p\u003e"
+ }
+ },
+ "Update_incident_Tags": {
+ "runAfter": {
+ "Add_comment_to_incident": [
+ "Succeeded"
+ ]
+ },
+ "type": "ApiConnection",
+ "inputs": {
+ "body": {
+ "incidentArmId": "@triggerBody()?['object']?['id']",
+ "tagsToAdd": {
+ "TagsToAdd": [
+ {
+ "Tag": "@items('For_each_Threat_IoC')?['type']"
+ },
+ {
+ "Tag": "Imported: @{items('For_each_Threat_IoC')?['imported']}"
+ },
+ {
+ "Tag": "Profile: @{items('For_each_Threat_IoC')?['profile']}"
+ },
+ {
+ "Tag": "Property: @{items('For_each_Threat_IoC')?['property']}"
+ },
+ {
+ "Tag": "Threat Level: @{items('For_each_Threat_IoC')?['threat_level']}"
+ }
+ ]
+ }
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "put",
+ "path": "/Incidents"
+ }
+ }
+ }
+ },
+ "expression": {
+ "and": [
+ {
+ "equals": [
+ "@body('Parse_JSON')?['record_count']",
+ 0
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ }
+ },
+ "runAfter": {
+ "Parse_JSON": [
+ "Succeeded"
+ ]
+ },
+ "type": "Foreach"
+ },
+ "HTTP_-_Get_TIDE_Data_(Hosts)": {
+ "runAfter": {
+ },
+ "type": "Http",
+ "inputs": {
+ "headers": {
+ "Authorization": "Token @{parameters('TIDE API Key')}"
+ },
+ "method": "GET",
+ "queries": {
+ "host": "@items('For_each_DNS_Domain_Entity')?['DomainName']",
+ "rlimit": "1"
+ },
+ "uri": "https://csp.infoblox.com/tide/api/data/threats"
+ }
+ },
+ "Parse_JSON": {
+ "runAfter": {
+ "HTTP_-_Get_TIDE_Data_(Hosts)": [
+ "Succeeded"
+ ]
+ },
+ "type": "ParseJson",
+ "inputs": {
+ "content": "@body('HTTP_-_Get_TIDE_Data_(Hosts)')",
+ "schema": {
+ "properties": {
+ "record_count": {
+ "type": "integer"
+ },
+ "threat": {
+ "items": {
+ "properties": {
+ "batch_id": {
+ "type": "string"
+ },
+ "class": {
+ "type": "string"
+ },
+ "confidence": {
+ "type": "integer"
+ },
+ "confidence_score": {
+ "type": "number"
+ },
+ "confidence_score_rating": {
+ "type": "string"
+ },
+ "confidence_score_vector": {
+ "type": "string"
+ },
+ "detected": {
+ "type": "string"
+ },
+ "dga": {
+ },
+ "domain": {
+ "type": "string"
+ },
+ "email": {
+ "type": "string"
+ },
+ "expiration": {
+ "type": "string"
+ },
+ "extended": {
+ "properties": {
+ "ais_consent": {
+ "type": "string"
+ },
+ "cyberint_guid": {
+ "type": "string"
+ },
+ "no_whitelist": {
+ "type": "string"
+ },
+ "notes": {
+ "type": "string"
+ },
+ "protocol": {
+ "type": "string"
+ },
+ "url_hash": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "hash": {
+ "type": "string"
+ },
+ "hash_type": {
+ "type": "string"
+ },
+ "host": {
+ "type": "string"
+ },
+ "id": {
+ "type": "string"
+ },
+ "imported": {
+ "type": "string"
+ },
+ "ip": {
+ "type": "string"
+ },
+ "profile": {
+ "type": "string"
+ },
+ "property": {
+ "type": "string"
+ },
+ "received": {
+ "type": "string"
+ },
+ "risk_score": {
+ "type": "number"
+ },
+ "risk_score_rating": {
+ "type": "string"
+ },
+ "risk_score_vector": {
+ "type": "string"
+ },
+ "threat_level": {
+ "type": "integer"
+ },
+ "threat_score": {
+ "type": "number"
+ },
+ "threat_score_rating": {
+ "type": "string"
+ },
+ "threat_score_vector": {
+ "type": "string"
+ },
+ "tld": {
+ "type": "string"
+ },
+ "type": {
+ "type": "string"
+ },
+ "up": {
+ },
+ "url": {
+ "type": "string"
+ }
+ },
+ "required": [
+ "id"
+ ],
+ "type": "object"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ }
+ }
+ }
+ },
+ "runAfter": {
+ "Entities_-_Get_DNS": [
+ "Succeeded"
+ ]
+ },
+ "type": "Foreach"
+ },
+ "Initialize_HTML": {
+ "runAfter": {
+ },
+ "type": "InitializeVariable",
+ "inputs": {
+ "variables": [
+ {
+ "name": "html",
+ "type": "string"
+ }
+ ]
+ }
+ }
+ },
+ "outputs": {
+ }
+ },
+ "parameters": {
+ "$connections": {
+ "value": {
+ "azuresentinel": {
+ "connectionId": "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
+ "connectionName": "[variables('MicrosoftSentinelConnectionName')]",
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]",
+ "connectionProperties": {
+ "authentication": {
+ "type": "ManagedServiceIdentity"
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "name": "[parameters('PlaybookName')]",
+ "type": "Microsoft.Logic/workflows",
+ "location": "[resourceGroup().location]",
+ "tags": {
+ "hidden-SentinelTemplateName": "Infoblox-Incident-Enrichment-Domains",
+ "hidden-SentinelTemplateVersion": "1.0"
+ },
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "apiVersion": "2017-07-01",
+ "dependsOn": [
+ "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]"
+ ]
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[variables('MicrosoftSentinelConnectionName')]",
+ "location": "[resourceGroup().location]",
+ "kind": "V1",
+ "properties": {
+ "displayName": "[variables('MicrosoftSentinelConnectionName')]",
+ "customParameterValues": {
+ },
+ "parameterValueType": "Alternative",
+ "api": {
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]"
+ }
+ }
+ }
+ ]
+}
diff --git a/Solutions/Infoblox Cloud Data Connector/Playbooks/Infoblox-Incident-Send-Email/azuredeploy.json b/Solutions/Infoblox Cloud Data Connector/Playbooks/Infoblox-Incident-Send-Email/azuredeploy.json
new file mode 100644
index 00000000000..1f09316d43e
--- /dev/null
+++ b/Solutions/Infoblox Cloud Data Connector/Playbooks/Infoblox-Incident-Send-Email/azuredeploy.json
@@ -0,0 +1,529 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "title": "Infoblox Incident Send Email",
+ "description": "Sends a detailed email. Optionally enriches an applicable entity within the email with Infoblox TIDE data. This playbook can be configured to run automatically when an incident occurs (recommended) or run on demand.",
+ "prerequisites": [
+ "1. Infoblox TIDE API key (optional)."
+ ],
+ "postDeployment": [
+ "1. Grant playbook's Managed Identity **Microsoft Sentinel Responder** or greater to Resource Group."
+ ],
+ "prerequisitesDeployTemplateFile": "",
+ "lastUpdateTime": "",
+ "entities": [ "DnsResolution"
+ ],
+ "tags": [ "Enrichment", "Notification"
+ ],
+ "support": {
+ "tier": "community",
+ "armtemplate": "Generated from https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Playbook-ARM-Template-Generator"
+ },
+ "author": {
+ "name": "Infoblox"
+ }
+ },
+ "parameters": {
+ "PlaybookName": {
+ "defaultValue": "Infoblox-Incident-Send-Email",
+ "type": "string"
+ },
+ "Email Recipient": {
+ "type": "string",
+ "metadata": {
+ "description": "Enter value for Email Recipient"
+ }
+ },
+ "TIDE API Key": {
+ "type": "string",
+ "metadata": {
+ "description": "Enter value for TIDE API Key"
+ }
+ }
+ },
+ "variables": {
+ "MicrosoftSentinelConnectionName": "[concat('MicrosoftSentinel-', parameters('PlaybookName'))]",
+ "Office365ConnectionName": "[concat('Office365-', parameters('PlaybookName'))]"
+ },
+ "resources": [
+ {
+ "properties": {
+ "provisioningState": "Succeeded",
+ "state": "Disabled",
+ "definition": {
+ "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "$connections": {
+ "defaultValue": {
+ },
+ "type": "Object"
+ },
+ "Email Recipient": {
+ "defaultValue": "[parameters('Email Recipient')]",
+ "type": "string"
+ },
+ "TIDE API Key": {
+ "defaultValue": "[parameters('TIDE API Key')]",
+ "type": "string"
+ }
+ },
+ "triggers": {
+ "Microsoft_Sentinel_incident": {
+ "type": "ApiConnectionWebhook",
+ "inputs": {
+ "body": {
+ "callback_url": "@{listCallbackUrl()}"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "path": "/incident-creation"
+ }
+ }
+ },
+ "actions": {
+ "Create_HTML_table_with_Entities": {
+ "runAfter": {
+ "Select_Entities": [
+ "Succeeded"
+ ]
+ },
+ "type": "Table",
+ "inputs": {
+ "format": "HTML",
+ "from": "@body('Select_Entities')"
+ }
+ },
+ "Entities_-_Get_DNS": {
+ "runAfter": {
+ "Set_Entities_HTML": [
+ "Succeeded"
+ ]
+ },
+ "type": "ApiConnection",
+ "inputs": {
+ "body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/entities/dnsresolution"
+ }
+ },
+ "For_each_DNS_Domain_Entity": {
+ "foreach": "@body('Entities_-_Get_DNS')?['Dnsresolutions']",
+ "actions": {
+ "For_each_Threat_IoC": {
+ "foreach": "@body('Parse_JSON')?['threat']",
+ "actions": {
+ "Enrich_Email_with_TIDE_Data_if_it_exists": {
+ "actions": {
+ },
+ "runAfter": {
+ },
+ "else": {
+ "actions": {
+ "Append_HTML_Table_with_TIDE_Data": {
+ "runAfter": {
+ },
+ "type": "AppendToStringVariable",
+ "inputs": {
+ "name": "html_tide",
+ "value": "\u003cstyle\u003e\n@{variables('css')}\n\u003c/style\u003e\n\u003cdiv class=\"title\"\u003eIoC - @{items('For_each_DNS_Domain_Entity')?['DomainName']} - @{items('For_each_Threat_IoC')?['type']} - @{items('For_each_Threat_IoC')?['class']}\u003c/div\u003e\n\u003ctable class=\"table\"\u003e\u003ctbody\u003e \n\u003ctr\u003e\n\u003ctd class=\"tkey\"\u003eID\u003c/td\u003e\n\u003ctd class=\"tvalue\"\u003e@{items('For_each_Threat_IoC')?['id']}\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd class=\"tkey\"\u003eType\u003c/td\u003e\n\u003ctd class=\"tvalue\" \u003e@{items('For_each_Threat_IoC')?['type']}\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd class=\"tkey\"\u003eHost\u003c/td\u003e\n\u003ctd class=\"tvalue\"\u003e@{items('For_each_Threat_IoC')?['host']}\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd class=\"tkey\"\u003eDomain\u003c/td\u003e\n\u003ctd class=\"tvalue\"\u003e@{items('For_each_Threat_IoC')?['domain']}\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd class=\"tkey\"\u003eURL\u003c/td\u003e\n\u003ctd class=\"tvalue\"\u003e@{items('For_each_Threat_IoC')?['url']}\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd class=\"tkey\"\u003eIP\u003c/td\u003e\n\u003ctd class=\"tvalue\"\u003e@{items('For_each_Threat_IoC')?['ip']}\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctd class=\"tkey\"\u003eEmail\u003c/td\u003e\n\u003ctd class=\"tvalue\"\u003e@{items('For_each_Threat_IoC')?['email']}\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd class=\"tkey\"\u003eHash\u003c/td\u003e\n\u003ctd class=\"tvalue\"\u003e@{items('For_each_Threat_IoC')?['hash']} @{items('For_each_Threat_IoC')?['hash_type']}\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd class=\"tkey\"\u003eProfile\u003c/td\u003e\n\u003ctd class=\"tvalue\"\u003e@{items('For_each_Threat_IoC')?['profile']}\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd class=\"tkey\"\u003eProperty\u003c/td\u003e\n\u003ctd class=\"tvalue\"\u003e@{items('For_each_Threat_IoC')?['property']}\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd class=\"tkey\"\u003eThreat Level\u003c/td\u003e\n\u003ctd class=\"tvalue\"\u003e@{items('For_each_Threat_IoC')?['threat_level']}\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd class=\"tkey\"\u003eConfidence\u003c/td\u003e\n\u003ctd class=\"tvalue\"\u003e@{items('For_each_Threat_IoC')?['confidence']}\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd class=\"tkey\"\u003eDetected\u003c/td\u003e\n\u003ctd class=\"tvalue\"\u003e@{items('For_each_Threat_IoC')?['detected']}\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd class=\"tkey\"\u003eReceived\u003c/td\u003e\n\u003ctd class=\"tvalue\"\u003e@{items('For_each_Threat_IoC')?['received']}\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd class=\"tkey\"\u003eImported\u003c/td\u003e\n\u003ctd class=\"tvalue\"\u003e@{items('For_each_Threat_IoC')?['imported']}\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd class=\"tkey\"\u003eExpiration\u003c/td\u003e\n\u003ctd class=\"tvalue\"\u003e@{items('For_each_Threat_IoC')?['expiration']}\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd class=\"tkey\"\u003eDescription\u003c/td\u003e\n\u003ctd class=\"tvalue\"\u003e@{items('For_each_Threat_IoC')?['extended']?['notes']}\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd class=\"tkey\"\u003eOpen in CSP\u003c/td\u003e\n\u003ctd class=\"tvalue\"\u003ehttps://csp.infoblox.com/#/security_research/search/auto/@{items('For_each_Threat_IoC')?['host']}/summary\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e"
+ }
+ }
+ }
+ },
+ "expression": {
+ "and": [
+ {
+ "equals": [
+ "@body('Parse_JSON')?['record_count']",
+ 0
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ }
+ },
+ "runAfter": {
+ "Parse_JSON": [
+ "Succeeded"
+ ]
+ },
+ "type": "Foreach"
+ },
+ "HTTP_-_Get_TIDE_Data_(Hosts)": {
+ "runAfter": {
+ },
+ "type": "Http",
+ "inputs": {
+ "headers": {
+ "Authorization": "Token @{parameters('TIDE API Key')}"
+ },
+ "method": "GET",
+ "queries": {
+ "host": "@items('For_each_DNS_Domain_Entity')?['DomainName']",
+ "rlimit": "1"
+ },
+ "uri": "https://csp.infoblox.com/tide/api/data/threats"
+ }
+ },
+ "Parse_JSON": {
+ "runAfter": {
+ "HTTP_-_Get_TIDE_Data_(Hosts)": [
+ "Succeeded"
+ ]
+ },
+ "type": "ParseJson",
+ "inputs": {
+ "content": "@body('HTTP_-_Get_TIDE_Data_(Hosts)')",
+ "schema": {
+ "properties": {
+ "record_count": {
+ "type": "integer"
+ },
+ "threat": {
+ "items": {
+ "properties": {
+ "batch_id": {
+ "type": "string"
+ },
+ "class": {
+ "type": "string"
+ },
+ "confidence": {
+ "type": "integer"
+ },
+ "confidence_score": {
+ "type": "number"
+ },
+ "confidence_score_rating": {
+ "type": "string"
+ },
+ "confidence_score_vector": {
+ "type": "string"
+ },
+ "detected": {
+ "type": "string"
+ },
+ "dga": {
+ },
+ "domain": {
+ "type": "string"
+ },
+ "email": {
+ "type": "string"
+ },
+ "expiration": {
+ "type": "string"
+ },
+ "extended": {
+ "properties": {
+ "ais_consent": {
+ "type": "string"
+ },
+ "cyberint_guid": {
+ "type": "string"
+ },
+ "no_whitelist": {
+ "type": "string"
+ },
+ "notes": {
+ "type": "string"
+ },
+ "protocol": {
+ "type": "string"
+ },
+ "url_hash": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "hash": {
+ "type": "string"
+ },
+ "hash_type": {
+ "type": "string"
+ },
+ "host": {
+ "type": "string"
+ },
+ "id": {
+ "type": "string"
+ },
+ "imported": {
+ "type": "string"
+ },
+ "ip": {
+ "type": "string"
+ },
+ "profile": {
+ "type": "string"
+ },
+ "property": {
+ "type": "string"
+ },
+ "received": {
+ "type": "string"
+ },
+ "risk_score": {
+ "type": "number"
+ },
+ "risk_score_rating": {
+ "type": "string"
+ },
+ "risk_score_vector": {
+ "type": "string"
+ },
+ "threat_level": {
+ "type": "integer"
+ },
+ "threat_score": {
+ "type": "number"
+ },
+ "threat_score_rating": {
+ "type": "string"
+ },
+ "threat_score_vector": {
+ "type": "string"
+ },
+ "tld": {
+ "type": "string"
+ },
+ "type": {
+ "type": "string"
+ },
+ "up": {
+ },
+ "url": {
+ "type": "string"
+ }
+ },
+ "required": [
+ "id"
+ ],
+ "type": "object"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ }
+ }
+ }
+ },
+ "runAfter": {
+ "Entities_-_Get_DNS": [
+ "Succeeded"
+ ]
+ },
+ "type": "Foreach"
+ },
+ "Initialize_CSS": {
+ "runAfter": {
+ "Initialize_Incident_HTML": [
+ "Succeeded"
+ ]
+ },
+ "type": "InitializeVariable",
+ "inputs": {
+ "variables": [
+ {
+ "name": "css",
+ "type": "string",
+ "value": ".title {\n color: #1F2A47;\n font-size: 2rem;\n letter-spacing: .04em;\n padding: 8px;\n border-bottom: 1px solid #7B7B7B;\n font-weight: bold;\n}\n\ntable {\n border-collapse: collapse;\n border-spacing: 0;\n padding: 0;\n margin: 0 0 20px;\n}\n\n.tkey {\n text-align: right;\n border-right: 1px solid #7B7B7B;\n}\n.tvalue {\n text-align: left;\n border-top: 1px solid #eee !important;\n padding-left: 10px;\n}\n.value {\n font-size: 1.4rem;\n font-weight: bold;\n}\n\n.tkey, .key{\n color: #263137;\n letter-spacing: .04em;\n font-style: italic;\n padding-right: 10px;\n}\n.tvalue, .value {\n color: #1f4728 !important;\n letter-spacing: .02rem;\n}\n\n"
+ }
+ ]
+ }
+ },
+ "Initialize_Entities_HTML": {
+ "runAfter": {
+ "Initialize_CSS": [
+ "Succeeded"
+ ]
+ },
+ "type": "InitializeVariable",
+ "inputs": {
+ "variables": [
+ {
+ "name": "html_entities",
+ "type": "string"
+ }
+ ]
+ }
+ },
+ "Initialize_Incident_HTML": {
+ "runAfter": {
+ "Initialize_TIDE_HTML": [
+ "Succeeded"
+ ]
+ },
+ "type": "InitializeVariable",
+ "inputs": {
+ "variables": [
+ {
+ "name": "html_incident",
+ "type": "string"
+ }
+ ]
+ }
+ },
+ "Initialize_TIDE_HTML": {
+ "runAfter": {
+ },
+ "type": "InitializeVariable",
+ "inputs": {
+ "variables": [
+ {
+ "name": "html_tide",
+ "type": "string"
+ }
+ ]
+ }
+ },
+ "Select_Entities": {
+ "runAfter": {
+ "Initialize_Entities_HTML": [
+ "Succeeded"
+ ]
+ },
+ "type": "Select",
+ "inputs": {
+ "from": "@triggerBody()?['object']?['properties']?['relatedEntities']",
+ "select": {
+ "Entity": "@item()?['properties']?['friendlyName']",
+ "Type": "@item()?['kind']"
+ }
+ }
+ },
+ "Send_an_email_with_Incident_details": {
+ "runAfter": {
+ "Set_Incident_HTML": [
+ "Succeeded"
+ ]
+ },
+ "type": "ApiConnection",
+ "inputs": {
+ "body": {
+ "Body": "\u003cp\u003e\u003cspan style=\"font-size: 14px\"\u003e\u003c/span\u003e\u003cspan style=\"font-size: 14px\"\u003e@{variables('html_incident')}\u003c/span\u003e\u003cspan style=\"font-size: 14px\"\u003e\u003cbr\u003e\n\u003c/span\u003e\u003cspan style=\"font-size: 14px\"\u003e@{variables('html_tide')}\u003c/span\u003e\u003cspan style=\"font-size: 14px\"\u003e\u003c/span\u003e\u003c/p\u003e",
+ "Importance": "Normal",
+ "Subject": "New Sentinel Incident - @{triggerBody()?['object']?['properties']?['title']}",
+ "To": "@parameters('Email Recipient')"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['office365_1']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/v2/Mail"
+ }
+ },
+ "Set_Entities_HTML": {
+ "runAfter": {
+ "Create_HTML_table_with_Entities": [
+ "Succeeded"
+ ]
+ },
+ "type": "SetVariable",
+ "inputs": {
+ "name": "html_entities",
+ "value": "\u003cstyle\u003e\n@{variables('css')}\ntable, table td, table th {\n text-align: left;\n color: #1f4728 !important;\n border-top: 1px solid #eee !important;\n letter-spacing: .02rem;\n padding-left: 10px;\n}\n\u003c/style\u003e\n@{body('Create_HTML_table_with_Entities')}\n"
+ }
+ },
+ "Set_Incident_HTML": {
+ "runAfter": {
+ "For_each_DNS_Domain_Entity": [
+ "Succeeded"
+ ]
+ },
+ "type": "SetVariable",
+ "inputs": {
+ "name": "html_incident",
+ "value": "\u003cstyle\u003e\n@{variables('css')}\np {\n margin-bottom: 15px !important;\n}\n\u003c/style\u003e\n\u003cdiv class=\"title\"\u003e New incident created in Microsoft Sentinel \u003c/div\u003e\n\n\u003cp\u003e\u003cspan class=\"key\"\u003e Triggered - \u003c/span \u003e\u003cspan class=\"value\"\u003e@{triggerBody()?['object']?['properties']?['title']} \u003c/span \u003e\u003c/p\u003e\n\n\u003cp\u003e\u003cspan class=\"key\"\u003e Incident ID - \u003c/span\u003e\u003cspan class=\"value\"\u003e @{triggerBody()?['object']?['properties']?['incidentNumber']}\u003c/span\u003e\u003c/p\u003e\n\n\u003cp\u003e\u003cspan class=\"key\"\u003e Triggered on - \u003c/span \u003e\u003cspan class=\"value\"\u003e @{triggerBody()?['object']?['properties']?['createdTimeUtc']}\u003c/span\u003e\u003c/p\u003e\n\n\u003cp\u003e\u003cspan class=\"key\"\u003e Severity - \u003c/span \u003e\u003cspan class=\"value\"\u003e@{triggerBody()?['object']?['properties']?['severity']}\u003c/span\u003e\u003c/p\u003e\n\n\u003cp\u003e\u003cspan class=\"key\"\u003e Alert providers - \u003c/span \u003e\u003cspan class=\"value\"\u003e@{join(triggerBody()?['object']?['properties']?['additionalData']?['alertProductNames'], '\u003cbr /\u003e')}\u003c/span\u003e\u003c/p\u003e\n\n\u003cp\u003e\u003cspan class=\"key\"\u003e Tactics - \u003c/span \u003e\u003cspan class=\"value\"\u003e\n@{join(triggerBody()?['object']?['properties']?['additionalData']?['tactics'], '\u003cbr /\u003e')}\u003c/span\u003e\u003c/p\u003e\n\n\u003cp\u003e\u003cspan class=\"key\"\u003e Description - \u003c/span \u003e\u003cspan class=\"value\"\u003e\n@{triggerBody()?['object']?['properties']?['description']}\u003c/span\u003e\u003c/p\u003e\n\n\u003cp\u003e\u003cspan class=\"key\"\u003e Entities - \u003c/span \u003e\u003cspan class=\"value\"\u003e\n@{variables('html_entities')}\u003c/span\u003e\u003c/p\u003e\n\n\u003cp\u003e\u003cspan class=\"key\"\u003e Incident link - \u003c/span \u003e\u003cspan class=\"value\"\u003e\n\u003ca href=\"@{triggerBody()?['object']?['properties']?['incidentUrl']}\"\u003e@{triggerBody()?['object']?['properties']?['incidentUrl']}\u003c/a\u003e\u003c/span\u003e\u003c/p\u003e\n\n\u003cdiv class=\"title\"\u003e TIDE Data \u003c/div \u003e"
+ }
+ }
+ },
+ "outputs": {
+ }
+ },
+ "parameters": {
+ "$connections": {
+ "value": {
+ "azuresentinel": {
+ "connectionId": "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
+ "connectionName": "[variables('MicrosoftSentinelConnectionName')]",
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]",
+ "connectionProperties": {
+ "authentication": {
+ "type": "ManagedServiceIdentity"
+ }
+ }
+ },
+ "office365_1": {
+ "connectionId": "[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]",
+ "connectionName": "[variables('Office365ConnectionName')]",
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Office365')]"
+ }
+ }
+ }
+ }
+ },
+ "name": "[parameters('PlaybookName')]",
+ "type": "Microsoft.Logic/workflows",
+ "location": "[resourceGroup().location]",
+ "tags": {
+ "hidden-SentinelTemplateName": "Infoblox-Incident-Send-Email",
+ "hidden-SentinelTemplateVersion": "1.0"
+ },
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "apiVersion": "2017-07-01",
+ "dependsOn": [
+ "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
+ "[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]"
+ ]
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[variables('MicrosoftSentinelConnectionName')]",
+ "location": "[resourceGroup().location]",
+ "kind": "V1",
+ "properties": {
+ "displayName": "[variables('MicrosoftSentinelConnectionName')]",
+ "customParameterValues": {
+ },
+ "parameterValueType": "Alternative",
+ "api": {
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[variables('Office365ConnectionName')]",
+ "location": "[resourceGroup().location]",
+ "kind": "V1",
+ "properties": {
+ "displayName": "[variables('Office365ConnectionName')]",
+ "customParameterValues": {
+ },
+ "api": {
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Office365')]"
+ }
+ }
+ }
+ ]
+}
diff --git a/Solutions/Infoblox Cloud Data Connector/Playbooks/readme.md b/Solutions/Infoblox Cloud Data Connector/Playbooks/readme.md
new file mode 100644
index 00000000000..a4a13e26797
--- /dev/null
+++ b/Solutions/Infoblox Cloud Data Connector/Playbooks/readme.md
@@ -0,0 +1,140 @@
+# Infoblox Threat Intelligence Playbooks for Microsoft Sentinel
+[
](https://www.infoblox.com/)
+
+These playbooks integrate Infoblox [Threat Intelligence Data Exchange (TIDE)](https://docs.infoblox.com/space/BloxOneThreatDefense/35898533)
+data into Microsoft Sentinel.
+
+Use these playbooks to import data from TIDE and enrich incidents and emails.
+
+# Prerequisites
+1. Register an app with Azure Active Directory and apply appropriate permissions, and enable the Threat Intelligence data connector.
+Find instructions [here](https://learn.microsoft.com/en-us/azure/sentinel/connect-threat-intelligence-tip).
+
+2. Apply the **Microsoft Sentinel Contributor** or **Microsoft Sentinel Responder** role to the playbooks.
+It is recommended to assign the role to the resource group that contains your Microsoft Sentinel workspace.
+Find instructions [here](https://learn.microsoft.com/en-us/azure/sentinel/roles).
+
+3. Create and copy a TIDE API key into the playbook parameters.
+Find instructions [here](https://docs.infoblox.com/space/BloxOneThreatDefense/230394187).
+
+# Installation
+There are multiple ways to install the playbooks.
+- Install the solution from the [Content Hub](https://portal.azure.com/#view/Microsoft_Azure_Marketplace/GalleryItemDetailsBladeNopdl/dontDiscardJourney~/true/id/infoblox.infoblox-cdc-solution/resourceGroupId/%2Fsubscriptions%2Fbe1e61b7-8dbe-4986-a9c2-d85f65524d6e%2FresourceGroups%2Ftme-rg)
+(Recommended). This will not only install the playbook templates, but the other Sentinel templates as part of this solution as well.
+- Copy and paste the ```azuredeploy.json``` files to a blank playbook.
+- Click the **Deploy to Azure** buttons below for each desired playbook.
+
+# The Playbooks
+This solution installs several playbooks that fit different needs.
+You may wish to mix and match, omit some or modify others.
+
+## Intelligence Import
+These playbooks import TIDE intelligence using the Infoblox TIDE API and send the indicators to Microsoft Sentinel via the Microsoft Security Graph API.
+The indicators are stored in the ```ThreatIntelligenceIndicator``` table and can be viewed from the **Threat intelligence** blade.
+
+Because there are millions of indicators provided by TIDE, and thousands of new ones detected per day,
+these playbooks are intended to give you a starting point for importing the indicators you want.
+
+
+You may wish to import everything, or you may only need a handful of threat classes from a single profile or provider.
+
+
+You can modify or create copies of these playbooks and tweak the action **Get TIDE Data** API call within the playbook to suit your needs.
+Keep in mind due to [current limitations](https://learn.microsoft.com/en-us/azure/logic-apps/logic-apps-limits-and-config?tabs=consumption%2Cazure-portal), there is a 105MB download limit per API call and a 120 second HTTP timeout.
+This is why you may only need to import new emails on a weekly basis, whereas hosts should be imported more frequently with an ```rlimit``` parameter because there are so many more.
+
+
+Use the following TIDE endpoints to see what is available for you to import. You can also view indicators in the [CSP](https://csp.infoblox.com/#/threat_intelligence/active-threat-indicators).
+
+***GET** available threat properties* - ```/tide/api/data/properties```
+
+***GET** available threat classes* - ```/tide/api/data/threat_classes```
+
+***GET** available profiles (data providers)* - ```/tide/api/entitlements/profiles```
+
+View the list of APIs [here](https://csp.infoblox.com/apidoc?url=https%3A%2F%2Fcsp.infoblox.com%2Fapidoc%2Fdocs%2FTIDEData).
+
+Find a quick technical intro and examples for how to query TIDE data [here](https://docs.infoblox.com/space/BloxOneThreatDefense/117014574/Query+Active+Threats).
+
+---
+### Import-AISCOMM-Weekly
+This playbook imports all indicators from the AISCOMM data provider on a scheduled weekly basis.
+
+[](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FInfoblox%2520Cloud%2520Data%2520Connector%2FPlaybooks%2FInfoblox-Import-AISCOMM-Weekly%2Fazuredeploy.json)
+[](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FInfoblox%2520Cloud%2520Data%2520Connector%2FPlaybooks%2FInfoblox-Import-AISCOMM-Weekly%2Fazuredeploy.json)
+---
+### Import-Emails-Weekly
+This playbook imports newly detected emails on a scheduled weekly basis.
+
+[](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FInfoblox%2520Cloud%2520Data%2520Connector%2FPlaybooks%2FInfoblox-Import-Emails-Weekly%2Fazuredeploy.json)
+[](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FInfoblox%2520Cloud%2520Data%2520Connector%2FPlaybooks%2FInfoblox-Import-Emails-Weekly%2Fazuredeploy.json)
+---
+### Import-Hashes-Weekly
+This playbook imports newly detected hashes on a scheduled weekly basis.
+
+[](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FInfoblox%2520Cloud%2520Data%2520Connector%2FPlaybooks%2FInfoblox-Import-Hashes-Weekly%2Fazuredeploy.json)
+[](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FInfoblox%2520Cloud%2520Data%2520Connector%2FPlaybooks%2FInfoblox-Import-Hashes-Weekly%2Fazuredeploy.json)
+---
+### Import-Hosts-Daily-LookalikeDomains
+This playbook imports newly detected Lookalike domains on a scheduled daily basis.
+
+[](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FInfoblox%2520Cloud%2520Data%2520Connector%2FPlaybooks%2FInfoblox-Import-Hosts-Daily-LookalikeDomains%2Fazuredeploy.json)
+[](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FInfoblox%2520Cloud%2520Data%2520Connector%2FPlaybooks%2FInfoblox-Import-Hosts-Daily-LookalikeDomains%2Fazuredeploy.json)
+---
+### Import-Hosts-Daily-MalwareC2DGA
+This playbook imports newly detected MalwareC2DGA domains on a scheduled daily basis.
+
+[](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FInfoblox%2520Cloud%2520Data%2520Connector%2FPlaybooks%2FInfoblox-Import-Hosts-Daily-MalwareC2DGA%2Fazuredeploy.json)
+[](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FInfoblox%2520Cloud%2520Data%2520Connector%2FPlaybooks%2FInfoblox-Import-Hosts-Daily-MalwareC2DGA%2Fazuredeploy.json)
+---
+### Import-Hosts-Daily-Phishing
+This playbook imports newly detected Phishing domains on a scheduled daily basis.
+
+[](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FInfoblox%2520Cloud%2520Data%2520Connector%2FPlaybooks%2FInfoblox-Import-Hosts-Daily-Phishing%2Fazuredeploy.json)
+[](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FInfoblox%2520Cloud%2520Data%2520Connector%2FPlaybooks%2FInfoblox-Import-Hosts-Daily-Phishing%2Fazuredeploy.json)
+---
+### Import-Hosts-Hourly
+This playbook imports all newly detected hosts on a scheduled hourly basis.
+
+This playbook will import thousands of IoCs per run, which can become costly for your organization.
+It will also create duplicates if concurrently enabled with the Import-Hosts-Daily playbooks, so use one or the other.
+
+[](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FInfoblox%2520Cloud%2520Data%2520Connector%2FPlaybooks%2FInfoblox-Import-Hosts-Hourly%2Fazuredeploy.json)
+[](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FInfoblox%2520Cloud%2520Data%2520Connector%2FPlaybooks%2FInfoblox-Import-Hosts-Hourly%2Fazuredeploy.json)
+---
+### Import-IPs-Hourly
+This playbook imports all newly detected IPs on a scheduled hourly basis.
+
+[](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FInfoblox%2520Cloud%2520Data%2520Connector%2FPlaybooks%2FInfoblox-Import-IPs-Hourly%2Fazuredeploy.json)
+[](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FInfoblox%2520Cloud%2520Data%2520Connector%2FPlaybooks%2FInfoblox-Import-IPs-Hourly%2Fazuredeploy.json)
+---
+### Import-URLs-Daily
+This playbook imports all newly detected URLs on a scheduled hourly basis.
+
+[](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FInfoblox%2520Cloud%2520Data%2520Connector%2FPlaybooks%2FInfoblox-Import-URLs-Daily%2Fazuredeploy.json)
+[](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FInfoblox%2520Cloud%2520Data%2520Connector%2FPlaybooks%2FInfoblox-Import-URLs-Daily%2Fazuredeploy.json)
+
+## Enrichment & Emails
+Enrich your incidents and emails with TIDE data.
+
+These playbooks can be configured to run automatically on Analytic Rules. Find instructions [here](https://learn.microsoft.com/en-us/azure/sentinel/detect-threats-custom#set-automated-responses-and-create-the-rule).
+
+You can also run them on demand when viewing incidents.
+
+---
+### Incident-Enrichment-Domains
+Enrich incidents containing a **DNS entity** with rich TIDE data. Will add a comment and tags to the incident.
+
+
+[](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FInfoblox%2520Cloud%2520Data%2520Connector%2FPlaybooks%2FInfoblox-Incident-Enrichment-Domains%2Fazuredeploy.json)
+[](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FInfoblox%2520Cloud%2520Data%2520Connector%2FPlaybooks%2FInfoblox-Incident-Enrichment-Domains%2Fazuredeploy.json)
+---
+
+### Incident-Send-Email
+Sends a detailed email about an incident. Enriches a **DNS entity** within the email with Infoblox TIDE data.
+
+
+
+[](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FInfoblox%2520Cloud%2520Data%2520Connector%2FPlaybooks%2FInfoblox-Incident-Send-Email%2Fazuredeploy.json)
+[](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FInfoblox%2520Cloud%2520Data%2520Connector%2FPlaybooks%2FInfoblox-Incident-Send-Email%2Fazuredeploy.json)
+
From 247c6061306bcd709a8745fd5d556a8f8b4eea9e Mon Sep 17 00:00:00 2001
From: sschuur <78623042+sschuur@users.noreply.github.com>
Date: Thu, 22 Jun 2023 17:07:36 -0700
Subject: [PATCH 04/47] add playbook images
---
.../Playbooks/images/email.jpg | Bin 0 -> 93122 bytes
.../Playbooks/images/incident.jpg | Bin 0 -> 123035 bytes
.../Playbooks/images/infoblox.png | Bin 0 -> 15597 bytes
.../Playbooks/images/tide.jpg | Bin 0 -> 46346 bytes
4 files changed, 0 insertions(+), 0 deletions(-)
create mode 100644 Solutions/Infoblox Cloud Data Connector/Playbooks/images/email.jpg
create mode 100644 Solutions/Infoblox Cloud Data Connector/Playbooks/images/incident.jpg
create mode 100644 Solutions/Infoblox Cloud Data Connector/Playbooks/images/infoblox.png
create mode 100644 Solutions/Infoblox Cloud Data Connector/Playbooks/images/tide.jpg
diff --git a/Solutions/Infoblox Cloud Data Connector/Playbooks/images/email.jpg b/Solutions/Infoblox Cloud Data Connector/Playbooks/images/email.jpg
new file mode 100644
index 0000000000000000000000000000000000000000..c856805881ec8189ffa98778c48474f816bc00fb
GIT binary patch
literal 93122
zcmeFZd0bNK+b>L`sVP|wr762it(7#Eh+_rlyqU
zlp;=u147P~nmH$?2&U$Mf*LLb@zC#_=REKHp6C61-apQB_6^sE^X5j%~ln&h6W`?U2|hA@NIgNlHuZ+9kD1LPAPLN=kaSxJXFKf@OBg
z{yP5kBfl>Hb(Q$NdzZwnUp4+?W%E5qZr9eK9TMBN90qNb+p=ZXiN?Kfjyhq&pZQHhr8@prsc5&@!@p;g8xgC2Coj9{|pW}6j!=dsg
zA0)lmrGB=&QQ=At_lUub+YcqB6qWWLP}b1YI(qE5p^>r4AE!($&ska9oVUH;bk*6#
z)y>_*=cccpe?VZ+ox5S-5va&}j~>Uw#yyG0B|m?WlA881JtHUgZC-vsVbQya$|`a-
zrKYy7skx=Kt^LEtPrZHp1A{|fhZ!vP#P`Xm=^rz*yrt!ppZrx|ZT**CTR_|Xt6KkE
zv;Tu$a$>!!JG&pM0=O{%q2l@p7h}QJo?joS&QLZ=*c7VVCTNE;
zH-#V1PUx0*9|JI6TI`*~aaFx$hwAzvvMwfSr&%7Qs)`aga-#Udha`IHJKJcwQ6Q#w
z6I50mFK`qFaTnv!wo$6>aVrGrxokz+myC{1ZX-f6Hse}o8pGLLc`_WGR5ffkuO>*9B(%1-*T1^=Q-=zm2-aXTFcYKV4
zgv`!*w>HA=9J|A`{P6=j{uZ{wkJ|@70Sq7M9co-vI}MNNU3A}xM~3pF;w!&zf`~Zm
zXajwHB}7@Hw1Z{Cu^fjz^FChFgVrv^1_vqL)68NYdu*I0Egx=*GaJ6(dsA*9<#4#$
zYGkIXh7}6d3IR0oNG;Lo<3i(mLyv@Dt>&mA*Q;c1+9TJCy+21yqeh}SGIt>?df7c1
zsl(DIB1Qfw)sw&+eVhO*J58TI#KJ4Mo5bT2^vx}!kl($GU+H){^yzSJkju;3UkV0y
z_0Z6zQzevaIrK5-?Vyye?^Qeh@p?CK)H$N3q5G7O_1bt)&`yzcMTx%
zvGZQE2!6(S!e66&eA*|bs2i*sC6+HN3(>~NC5OIbQFXUUTjai!zf(Q57EYiL59AQC_9Dv~0+5ncxF
zOpxSJy{MH9i*`1qU>qyu5on<{pfwPdi8_pPJJUCyL5*s_t6xaiJ1>{@A=BdxZ&kQA
zXRc+;kT--gWIn+Tk7@G2E%soxaa$MXNN5RIbAG{5wi>
zr|dg1Q;Z5MD#}GX{&rXckemQ-)&9)Zp`p|zj>e+v)hlC(wq2qbp2Y3WdYM;6NxF<{{Fk7p#jGi$#spq#<
zo>5(|IGW>&C0FHW-1%NTY~k@9259cqoxn@ZrLI#RnV&Q_8PAGp($7OVG$!N*p0p^^
zoT`gua&AYem{vs*I{o~{>dRfQ{v<$C^hWT9&<${6Cu+63m?Vzt$5wBGc9Wx`h+9Sk
zw|ga1@7BZ&&R{<3XV6)zN3Q
zJ?-@tHi)|FsYkPyCW-8@Dzdw#m5I{MKVFotiCo&DV4=J^OQu8kr!VhZ2a;QDmw=S_
zwn)UJ-t%hN7pV{D$Hsk1o$h>Zhf1G(-g)-Pr&$j|D}7j{#p1|DNfkZ8TZT74di?V`
z%a!X_iHv%^2?`<(JZP|cn>s)RXx(8dk&WKYHSyGe(QUzNHTvS2u2I`?6SQB{frVJ?
zpY_&DcEcE<7@MFro_BsSfu~-Z5#^bQ%2rAmoH?A)s~Oz}HImlbXZG%Jk-JwM{mV~P
zCH^9ChmDk+U8iM+vIUEP%}>LgpY|u2jUL}JrUWh8ydT}xY#LHK0hSd8dpUD{j>u?Vc`h)SztB-RKNGNcB>SHE9rgW;e$BPB
z#5-z6;_EJ9o33+l&CN-6Txhd_8>)1u<+(c$!E)tC#0t;;eMaZT(A7R@l_#gT?h1>#
z!uUkjS1Dp{$Bw^Hj(e{!A?h|>*Kd*0^Ma4-6|kjW)YWop1#0E+k}k7vf9mGcJ5<&k
zX>=U4alYA|+Ogyk@3^?(DQxY!%+CUg7f%N^IAIgSearyz=+#}LQv~_vfe~ea5w0!)
z-V0-@XIP%63LaQSCRrJn20y=@m`M33QouGk-X$;~{1q;~nGUjt7o))5T$eX&+n;6)
z;LByTH5t-{F^~8a6*;a;s~rUXp`Naosb>pi)PPr^>a
z96b}5aq;5GDdm3u6)$dcsWiPN(J<4_BXw!SZ;@RLt%wlrQ}N!&#uy0Ac-CZ|=}>Dp
zR$8bKI(}NkA+8xRoVT)?suVMo#<{YXrKtP#)4OMHP8X5Ol*P_0H_Vup}7lkwtv6n^&;cqd?VrFPC@%pVr9$H%X1h@1Fg@#j2fdEC`jDj
zpgTl;#u@Y3;Qlb_c&ZUP15@lICB}7sjBA
zBpo+FGN;+dL`IrWi|`f8t*LSV|7etr=M(1f^Tmx}Q_~#D>ByQ9%J<=+JJAe2_7S#n
z3t%NUFT4rFY}9VN*#t?4tlClq5?_Ucc~aR-j~iz>f|5z^V6HlaaOfsuMQN3jJ#*r}
z*#vDbT>i$@kA-mEI7%%TvyInPSOwHshh4)$IlOyAWrJu)3C>QiKhBRbD>%30v*hJ#
z7djb|mRY4z7lP;C68FN~IYQM%@m%0b`-0Zzw#~I^?GQW)MKkRe5
zq3&#QNez>qa_(!1LVERJL?V4WURl2dx^E^UyI=yIScY~OL`M~!k$o;+py4x&ta+v6
zA9oZ8Qwd$wad)W;jIW6iu9o9?;7AK*FK;L&ES?&{|A98(8MI*K)P@8~p9FsmVlqoE6jj{;})%O1x72vQ4z6j+y5gvvLPw}*#`te?+()Myo{?1zE#Lfg{7fpVKf#`l>)V(K=&QLZ(#SllDOglyc
z>w-Sq5FmcmG17zoI;nm9Ummtn2&6NV7J!t?`6etu;Z#e
z6DokxrGcL^p5BzIhy2NvQN{ID`?6S+H%g5yI_mM6*%g1FuPY^Dx6h&;su&C$V>UtL
z1MjtDLxzkHL30;-^wDSh5s)~e^Re{6pb?F}lNK-_83>cuE%qYIy=BKn-&qi=h;pZZ0g(6gSH$S?ZM~V3_2QLm&T3}>wbGlGB55PCBdnXjTe{-8%
zkBFxp%+}~zw5)R2(bUS%yq%`FWJS}|<1O6w(DY6GJFQ~MZ4jgT7
zTm%bmP`O4-9O)2GF|(8bgz&IsVTu*y{UIsJj4?QwA~3W!{wYawc13)8Tk$(gauXDH
z9EfVRFyQiwbH~u;Jge&GEE%oFRb#?l;TENYmZZSJ-ZpGI*d9;d3JY3B)~qBC_&dX+Z1qIl{F}*M
z6Mi!`FNd8ww6{z`#B2U|igMgD(Oxu)t4nXumN99DDpTReiI=OWz-d|!(q+z}Cd2qS
z2bZ>o&cF8#e_YeSFu6N1pP3+bj+xvP6rt_cG>!G&1U+tNXUFr7S{r&XeMFy^pkFGd
zg(75%h%z}+zhHDFQE6zsPqYie{dp9Nq{pmxw`3A_&R{f>Ct9+@He&KO)Yc5U&hkGS
zXmk-91ZS($_BE3!t@5376@OkmX*`H+JOvHdxWlJ!#M2qDIDW$@BEq=|Oyzic3M|Cl%+b5};l&9>3egQ8bFVtRXwEdh5)oC1HnrhlQde_a
zmU0GTzIKM%Y9mGw^&Nip%obXoKo--f#Xq_6f~v%&3y`9{4uIu+Mz_Fj9_u6U^Nlo#
z^kn)o+e|1IK4ZG{Zxt>xod$p8;99;M&B1~GSC;SQp}f9En2b@tyt(ZJSQ@~rpKqB#
z7R{Dsb&AaQ%j7}Y{)bJ=T_@K>D~GtQ0rpPpK1|e?;6Q15aA-4nZl#8k
z!W|Tkc!3(L0yTk*%ypF(S`C!2Q{?W{fu%E5`HaL%KP5@#4iJiBD|u(wUA
zCi{x4`Z<-Cn;_=la*I9a3uK_1OKP^ztt{`a8iC3OhS!lB^4}=iL?GpPI)%ya%-(%?
zH*v_lEb5EIrRlAYPbstsuLB$w?7s3&!aG#Gv*=^lK$xAEVlS+s3z{BrTW}~rPF>;K
zw-D&j1*K+I&++a&n%Q3k$W`#y%Q=TELM-nOL|L)TJz|1Pv`)J`*tCZN@OklX40SLS~wn=k?
z#gKD?2XNyqlVe+|o`~=lgw`nT;DZi&`i~b1z>Y^_7gHmjfloo
zfp#1=-T0QOk7C%r`??_wL9Hd=MT5T3-u;zLXlt?DTTzD6fNScSPGYH%mcdm_xjBE``tIs@9c394LS
z98}Zj*U#-Ycf8Bbu+Gd6biGH*D>8R9>|HZXO|mm934P-qW?y)srquP&$z+epFGowd
zrBJyJVz6{&6n>%Z+3Ljs&W(o38vMdF%j4R)B!NzeOyI)n*ZFCAGOdwXar9uY^elAG
zUApA#pxRMx+7qEITgK72h!|V?ShWA!djzkX_HN2f2Tpvq8
zMg@s{8@|I09Uj&v#g5;KE|f(Cd*?4sC2oRrBatnH5io10$>G_UJP^nR@72qkK&ohE
z=FD{a-|9fsXm+;c?}Cd5oWp&Wcm6r8!j!Wx2V7YuIH5)k@aU>Q
zwrC>Dswzu%3&M~dQtQTWvH$S2=&=jpvoprKYVGf+^NV+?WHJtvdm{u_F})s;`6MpX
z1$e-=^YU1>>G7|8h`Rfs*E8S5^%f(4Aj0Z5TT{igxKAoY?D{TO7fMf6app*od41F$
z8G*1J)j5fsw@%0WKIK}D>@3*#Kn&-ZVFt$}H;SvU9O!lj_Gug2WQE#Cm#JJ@QQok(
zb<6$h*$ZPwr@ljeUi?bB?37J5o0m&Yu2WsLGUYv*ev3%i@B9+txt9EE6sET@M
zhXK1hAo&#S5Xyzg$;eI~jF2;wyRq|I1@*=;jOUZva>HqzMN^Wty4_b9M;Y23n;?JW
zhy<&fgG90=F={}Pxg{iqB<{LK#&&iI*O3+`e?|5byv)028saqk&I`&<`w|9aWL^QR
zQ|su$BOb8Wao$CW{Xy(?cwmUys3Q!s2{O57Y~58Kx*T56`G{dXR6Fy+u`aRyld`;W
z#08%{P#iU+kG}*sMY5xv>|p!OE7{c4Ro3)po^P;M;wY9;R~2UpUt-#IdaUG2dX98X
zd`z2MQwbi`{dfmAn*B*7%#=Dkj^vyk?`E8wYf%&_^phpYV98M%-;$a2RD9IiAmzIi
z))j3U)%CH*QoIdnJ^cpP$}aVJCpyV+BFu>cGNC=i63G!IkFSP%tNmxacUc85VCxyx8I*MyPpBO*#+_Bh5dZ&9m?sKX)@6_>w%$
za#jL;+YhW{h!DXNAY<#WF&2=qp!NJzzG!PhM4fWt%152XoPI^)ssN3O_=(ZrByG?3
zR8qC@I``R}D-e;7ifG3C&eLjM={dOzl1pl*>Jdr_H!^UauW$XYbC6GWB!>>f^`0?O`(edDIS
zPDdR#o+9-L*=YyV9+ssXVH%v8y?*`Fa^+INpW=Y1KdR$BY?~1Lb`G{Jm>Ly8kTg==
zij{RA{V}rW=<#L(3TT?N1yX(4z=BW}l7L1K
zM*zj4X6(Mt<$iQ-;@HgZUrXNYyXD
zH_}Sj_DzoFdnNZ^#`-zEV{lvR>5E1AXz}E{oxhQeMsm~mN{`-;9ik0dr~-LpqQ@d9
z<7!>>~rqXlezKtrNU*NKIHmOCgkL$ViD+Q;>G1=0=-ekKO%?Qf$k}^D82F!2ASP@E$%+09%d|_P6^?Y-o85
z{x*QPo*`{lbv?(ET7Ld>4?0QbhAz|Zn`e+Q{O5Ct!KV-p@3yV$DF#cqYzg5$BwOj3
z;auZ5^AVj}Le;;O4X$e7;`#Y$N_^tvv)6shpc-;5N-21Ed5Hh=B*Qagb{>63077Lp
ztwURM^&J4u2|K$em?~U(u^C~NayVAoE-@|iQ{u7~_x%_$
z9Wo=P2?m)6ocJfeh3|#!c#-5956f2KfZ<{i$}M2EwXS7QO)=cr^DS^b&`Kcqh;#49}6*oh4Nx{qzNI{$IPey2l>^#r>LbLhEy0}sz1#fc&B
z_lambWTE9=0<_c5^L%x&cZv6zct;EOypeT8RZmsV{0)c`{?78wc9G;VPkTa(lLASg
z`f|w#D!2rFxrV3rreL-%KQoeYFK=^RMz5vxy)vMwdiOMX2*Xa0$O3YXrjN$)!_{SfGOW%an;%M^8zV~!8-33pV-VoF4n}3bVgRXPDfUQjcU-BwFLCR~HIIt5nqBWWY2Mlk_wTE{Pzy*@=(z6G
zn5U$;3O&969nXfT8QO7tT9W|ixgoUA1U}Y;&P~>xuS1Mh!t3zy#4wf29kDFN0cB~q
zBcX=x`1Qmb7e9xTN}-rMu>C!+Ei07O<#Y`&Gj4c;@@I1f$w*eiWmF(3vw2AQhE0p{
zl2v{i9scw@pC|9N2|8Kq6Nahq8G9PlGrxzHD?2^8*n$PL=q;puqEAdks+Lw$Jc)J;
zh4)OJnrQn-`r0Zceud=%8EyO{PW+e`Yc98FOtOwOSpB9Mby{JieZF3Bd=9n+Z7(<<
zsEmx6M;na86obmfP-gahV`D0c;5PpOZn?Hf;0
z$C=$9VZUgPyvwuwj`&tvvIzoVS_z64a%dYa{+S^*HsVopoqqz=Ke7O|wZpmZPz^Uf
ztJvKN8C(lbsXEU8sKMshTY-t)LV_$(B5(^ta#huAA2-1I`Uch0$X^v4N|*fDf6Sw)2?#QpW51uct{C#7(=l5FYQDtF$
zgf<3?>Bp8uw3{vBu?iv$v_TK6l9#fWfEa3yxXonfL}XYkJW|Un{B-B&&49e~zRu_q
zaNk3aNm8HkuCA-E-y&Qd2WcBDk*Q2s2n=LJ9Z
zc9(cuy43J?&I#r*9Jibqw03Ow1x~ewZTP}9W2nao(ZK%IBL1%F^`~Zpml&muhayvN
zp;b-IfVsN=2A=301Xc7W_Zua^Gxwumr}H+dOru)@^`_2uRwHQoqlkpX1%+t~6>-CF
zq67L@Mz6Fv#3?^}o&z^6c!(se%#@lNPF8dbTRj|4QQ$`OKypnIYM7D-J%cAk1B7lzVu<@%s*47N9CL|2_?
z=SyM+iwj3Q&vj@5!44@pw<#aIG9&UaEfy+3y+B^nSxuLk0xaL5Xv^>0U5qn0+4Ovm
znK6y{$=bT=6Oj~1z_TfLU)-_nyu@CkP5?YpzZF3K$2I3*r34$_G*UW)kziT}XOKToG)qq}3%MO4wU9BAck`dYIKT
zNdL=`u0M8PF}P8BqN2QK*U{ob0XevwhyOzAexY^$8Rg?3)ioaoU$vw38|gwF2yS%(
zS%OT<%s%F~$SZc=TlNc=A{{RXl%_`ZQLK!Jf9_DgvmI0dL^7U=17v#>J5hf<{!*pD
zxAzRcqv+1$8MP&oPk`BFbl1#Pp)(I^#YHBd4c^R}F#QLp*TalbpNEuD6T@^|mcD)b
zRCLuDr-bMx-yz?rO*t=NYo+j<4UwP8mLtbbxb#Kw{gVEtxWs+DphRzc@h
zudQ~@VQ_l-fVJ&wnILVg7TWP%p-P@EpIGD;Xsn4sV0t2N|9#Fc`)cg|)l=Kh$#vGn
z1KC#29Y(j20%x>-0-G-U4Z(xF*Pg(ei38r;XM{Z-*r2r-lX-#I!!QYFW`;29yFm98
zmW
z5a|*!Np^+;*^AyL`(|SQ>zXgRH+c#$5?=Q^&#e`;>>DdwYzJ
zfz6YyF|SK>lQE9VuJ_&07QhI18!NjZB5w|&Ahc(XU>_@^8RWq?*ys|Sx}O7mM=ECc
z&kY*+nSbam>_4*=`8=AQQ9*szy}rZB^@MrB2MqWN+UhNwDeJ`gMo=LM^*8cLfY@26
z^4P4M?)328{7MQr{U>;(=8ZV7K+{bx-NZIzDQ8y-yb&!4=h6oC8vLQP=v-BPUKvTi5mL8AA4+*UIp|)fKrTL;oey!1fz%jnX_=SHMx=V#V1p$Z?38CyF9&$legDd+DslbPQQl
z`x2M@)O4v^rX?bxtW~x3)7NH%ylv2Djykfbu8_z%T#Bz
z)O>FQS*E)QeSth~EYFe+39Z?`eWA)I*0Q2tlHbN=2=aPFWQJ>0))i*3
zvbyJjb&5$-W>RK=3yEYQ6*#5|xC%l8>mW@dBwPlinWPA(Y4NmL%p4Se(<=??RyA3J
zZg2Y*^UJDJ{i15a-v;XTR-GA{bY9lxaOm@2P<)~GAAJ-jDU`Qs)H78v()V>v>S)gW
zf8;-EgA#%iiekr`jtdSWg0GYf8fIPDURO>lueD2ne>fOo>ysp{ovVNR)2*iaMuq=k
zmL~Rt9IXSoK=O{S9P7ju?@}oQsipz+*7$>zfSgKh>yem{iKPb_>2F=
zxv9VOUrP{4A-GXZ5M|-EaWEKo-h@%%?aX8A9}HMG&b(7JGq~zB!#(}o)g$ij-dy=W
zo#4_voVm97!jf~e8o+>ehwV&%j9g*HiE~=E12_7d(wf!OzTBPj^s;lhOQYBCJ@t6)
za&$WJK(g+$&n#if+GDzB<&Bu&z8WI2y9CoE_b~P#4Eg7kF7-~GpIbBq-$Q0;C;=Ax?M`s{$ZqIYNS9HfU+Z6
zRA6#q6fN^gZAAuSN?Q``_zrucs(PWKQG4d$#QaI~+d1b;xCWByHiAz?G5)i=c6`l3
zw|OG!rO>trJ{aK;bu%LkXJp4QbErXO@62Gd!Q-kZ&p#!f1Iu4<_D!-jsYa&Db*N7|
zJb+fa;%P_G7+zdF*&$wSTd(lYxD#8Y3&xtH(S7ceGG^BAI0PQ3=^MFZSAUG!kMqx3
zoJ^R$x~DM3{Uqk7sE4p$v{Sef&_}YnaqEhBHVK!i<-(JAg0{tqllAPlbB+Gn6Z40!
z+2(t-JnuNdqW8Yedg}>K%(k9fqMt3dayU6};T{3~Lkw(ef*6(U-aEPCwA}{ygi)y&
z6alkhQuFe%l$#x*@HmgDoFT`nu}wo1dvJ;RH6@xRqP
z10Ty>(ik~j?jGI2{}V`@z&~M@YsCni@0=zjn7fzER0J9Co9)d{Q6%n8{=mOtuTdhK
z6q!1;wOf9-1)>oe+t7q_RmGd|@CoX@bU#jn8&H)2eLPPztS=H;*IlX&3k&oKezW>=
zp~bk5vQT!rTzvsiTtDe2Eay(HJ}|c#pW>w^6r)dn5lIWJfmT+QXA1#bHEP{v4{fqg
z#YrMK`GdNg(brX;9fcf?>;o3(!eUe@kxvK}ndgJ-bG2}vZcY78w8eNuTV#!cCV-$ULq24~QgufhWiaDvSjKBT@Mzv~lQg4N
zCy6dSI6=HKZnVT0iyd=Wx{+%X5Eagd%`qfx`{CcJkM$ujKPTJlV@lV1+Q9>I
zKBP>(`1JSj%Hqg`J=j!?Q6K?~*(uz=fxFRfaT@~-MIn_&Xis!*)YK}O
z%%}+sUFIJSgg~B5B=~>mY@&Ns_mnx;MHps7(#NK!^;-zT-R~((uCvU&=|
zrmBiavYjj4Op^l|askg4*a#y#nW0NdSFF^d+&QxT^h;o+Nf%#ruEIBkKY0}^?V2HK
z<*+=Nd(mbB=+h(IBdZV@BRt@ht=<>r_;%JbBv11V
zhV=Cs!muhzm8>*y_ksZH)!m5&GzslqTFp@ICHw<#RW81@OQq>v3&x~>C8CE@)jy;;
zI2N_x0Y~WhEF0moanE&IGBIxJthsiqAAJw1&nA=Awfeq64I+mQLv90-Fq$LHI&w^G
zutSk`xqXRIbBw^crYlvR$7dsTMbQu;$2|dbeCt@`{+Ju(y0^A||yT
zalSf4stZ<$+Ij!Pi2TO0R}}5px}(f@+~KP@5YPr|AK4O=AbR
z_$Ohj_GeG~MSHtc51MNu6y6f=CV%|i8d7vnr&!*0dfp{yqn+_~CD&hYxZvwr(odD2
zP<;z+0Mlo^QAqcX`bgH_J%?2~#4}E~PWr(&zN7Vw=pU`YuA|k|XSnBO+QwLR@-(Qw
zpIq4BPu=)NnD^qQS&HZ7Krgck1Ca5>7X9rg*Z0b;-L3ixD6A85&&=2{<~=>#QX?Y2
zX>jSA~2NsZf*|+((F9%yx`iuG51Y~t>G>yd_NF#A;0Vse?YnK(^}umkh9>Mp`c`A581b;u
zPZ;|hU_lcN=S8N?kZMmOhDHkeOGH7VG%e$
zAI}rVVB@L?3fC+iy$xDM>pIAFPnbnH9+4s<-(C9}P<`ve(#ck%=@*riA8W5131`%&
zSbfC?!Wd>v5Gl=C9`X_TP##dlloB_sPa?doMocMZ>&
z@SD+Jj=x)@Ulhmk2;AgAZ_P586c91*Z5Vlzw}Z~VYvEF})N=U6X#TfL-WpetzZ*~P
zH+P9>-UJPIvlg2g6g%v>^!q{;R)a;eBf@*I??MlvWSra(@KkeVuc5R1(~CW8kEX=l
zKkn4uw<{+d7<6`8OFH@#4{p;dbj%O**69^fL8JgFrdQwV0o~VWPJ@dc+Hutt$`786
z1x!%;#*U?AqeRi4=gOTLcxjyL6WuWcr4g2SFUsH=k6+}&8b+I#dqfWq8^lg=DYDNg
z+cUg2)e1Mrbcm$6dv4q~7Vb}q;`uj1cLJNBKZgvXqna!Z3>gySuh~Qp-Gh{`DY-CO
zcsj@ADZ74j7(S^UoGn>9US_q?+U6e%_0N)MqAMFg)U5T8MjeUAA>gk%#Zry0X9}Ge
zpL^u?-Mn%k$92qWIA!Oe-q9r4n~HvM&oIBuj>+>Z9{CgikXCQas)6aH(x18~qm9kH
zKhbYc29B}`=llg2L(UB|lQD*(*+W7rCybt9aitW4UG^B@MoOm6M1y||I!|S|>V&=-FH^l)(rh%&z
zWO-K5?N_IqpvQ%_Vg}9;UN}i`H2^9OA$hhA
z5v0R(rQ0B1X<+5Y{B;a*XH4$M=a8Fm3nB2iguIjUepe~5hU$juZjsa$flZ)=EH`-U
zFc)EVt!dp?&EQd$@QI
zaGQB1?h+UJ_%1-zmg%D5QrAycY3H_wwSMy4;qa}bX07QjD9^9V5dW1lJ{>1KMnqwn
zSu&H=+Yr1Y>&VA1~lRLy`?-Q>04&W}{px365xlNau^%eY5ZF7>e_IFdy4
zF5YJnJEn)K#Ks?(5$OVbrJh0WD0JW0h2Ex5Gci@6-`Jdk%KMDB{5rL?ag}y_leg?3FBExqHtk*)+tSp`CUmK-{6k4XVn?le0x`PbwWyOW
zBQzeY2o!tOXt{#w>=65+>Mxuda2WYq(zSU8K|fR8@ogq%z3ttwl(vEO##0M0>UJaX
zt~ewtPAMxve3z4m9cfm)+$Oq8L%TaCK#tI2VAV&k}Tu0Xf(gr#}sBc<$a-A$n?;G3X%XKL4%;~|XC#2LaqtPdm(
ztA^3ikEi_xL|g0bsJWH`6xGRIQ?mFy@7#l)dk}ivl;;m
z(8M->!0fkYN$Q!~8skJVG_Da98yI`aaKm)=`?o)0k~KySm&IItl~~;q;)3WLSa`m;
z-(stHny(U`0%EwN*0JBqdd=PMf+{;%u4z9F$1
zDK45LfQKrJdwx{k)69G8H(WLHwlXS>k~a1D+mR#i4`82pFc%g6pYCf^a;-iuNNPCkhGSS@kFNP})TV|m;!wbsRFNJ+wP>j+D^Ru7LzUf;_R~5Y(s8EG%3T^#CgZAQjt@2A!bT6FL{uVgw8EL^#3
zR~X_gjgn*e+80l15NTbro1ob=3@^#1PL017^Jj*
zzJ^Sz>Jc-V95N)6C(R2dYQy3_-%MNm`$D#BXGJj?{8ihMrzG~V)B;UcpPEOqWun-I
zE~)DzT;&rLV{C)FjX(b;^VAonI&Q((sP5OpE{mz80{~1tC`2DbO;2s3fq{M|#
z_1VR$KJ8FBq0Ku~v3*Zf+aOt`7)%KaoiVxM-jA{+26%?Dg8)5QkHxA@W#$Q
zez4LKpoiRt>S)b2rg1fEO`hoJ{Y0&N^=7l?7j%03?Cj2~-^7{Kx*O+IZoh}}M(F)43kZ1{)Ey~iGCmuyHZCnqqM0*^XhkmP2mya{^SVJzmDMNN^M
z&HGb|mTZLbclay3h%T6{Q|HT6TwQk%q9m#y<8-3A3K~9g4PclFHVHIq+O_qowK6E
zPuM|B=C$w0pR2Er+}qa4dBuJ0v-oW)jWUf0b_O1ZJQwXyOSUuO1McV`!LC2&wUN6%}7Wv_-#GmA;aq1IGZmk!5iqVB
z?6ENnG7d!X>pO^N?Gfh2VbW%!7M?JUB4yd-(3V=I?tR8ztv)d}2whmhhKz-)3GoeTW>kE}{qQc{cuN50y4j)H9cx&{q*ZhSKyWn>ni{PmZ>ju&pJ`^TZFisi{hxF?oC5)3<5idWJ?<
zw8YWD={}!kj0Uzb_-;LEnBvUye@K;>(2l+#XiTH&af^Z2&mV)s0ua9E^$w(}EE?*_
z3bH(XOx5>OyFS(hV#kZ%TuKWg4Tt&7W`byDR{?~+LE%;#tJimCntb(d7)ZQdAG@I4
z9(j>?#GW6nb@Kv|V3cu)>5gqYEZRSUHsZF&X!Z-QN4`ZlH8LmYET8?+-@}XxQ`RJO&HlRZ!CE(7nXld_k*opgE#mR}riR?dwC+@JiJSJ?(
z^`2>!cCCMZYgpyqJM-Owvv`-9NJqV^hRzp@JNM4#eA-6MJc4?x*vpnncLT0ut3SF}
zL#DVB$>)YbN;LgbOsXf{%o~ce&y7Una~kn?CJ2Bg@)6aC=i|wnB*miNkcA3v_$ofrn4nA(uWpKT=P@%7kOVo1mLn&_*caFpw3^#w((7+q79n
zxOa!{rB^&Nt3TI}%Duqz7&-eedg;Zdz=iyUEi!diEWg(*h{8tW6+o$lKVCw(N
zgN||y{r;U1aN-xU?diW~#{4D2)newrQl#x*Y
z*`|P3uls9ki_L;~Px3G4EY2+d(+ZN;vUjdd(2Qr+5TF?G1B?cu;e_Yh#EqvFf=GGD<*-l15&
z$71t?09IPZv(oWaLx+bNJ2N$ok^#d+PvIXoYasWHyS!bI1`ID&_tEis4$YS_wrR7I
zXC^r%hxW?9C7W%mF}kwFVl>3
zBb(tL9NrY-jDb)NO$OV=+J?l!_6<_xQJM*Puyl3T_h|HqMthKh?e)QBtidx_+YDs;
zo#dR_ygX@w))pU-;-$LqX7fv&fmGYN%7L$>YZGShBEzf>R-vCR@dl!LbucgewzriI
zGvxlCBNa}(@B}n2h!d%MuigB*viqeIhPM`!Lfdmf{`#?tVIBF@>K;bmWq}FUTD9AG
zjz7LgtXfWPMSFH24{nSs-KiaTlM1q$46~xj%1Y0quSzv6B&a)<9Cya|%~h40j0n2Y
zUEh>0{U}Sdk_WfpNhhEOxQ7z_3t01;G+t^;RyNAxQh{cp^X<~A>h>yw^E=?vE>n`W
z%iXB~JHH6P3o;tn4w0o*5;$NQ^z=qgAg!7@EI^V1)6~Xhm!gOScu<3*N;#M!A@BzQ
zYdX~BY9%*vQN`MN(6g^14eFMVD%)q2MR?J8)(+WiS?z@&
z39T1S!k_Yk%i?HD$PL1%zwAyzIFXS(LnsqVv4cvEuCpgD6ko4^*ONsTSpPQgtN~^D
zwC6-#`huNJ5qND83O50yW5&&i!fQoQ$}HW=+zZDi>ihbfZyHSBtCm`}76<{yd<#xv
z9OYsW!3(IrpKZ;|;|cOL|%qI=%yEqyb#K2x>g-erJ1y-46$6XGWK?NsZC
zE>01T`19vgkJI?&^+l*nmX4#sw!z|q-#fj~u+byrgT)oKUf%9q`NM&?$^($ROQwc(
zyd@J1UCR7BTY3x|Ch2cfaR5~PI1#+M)*759cJg7JQUjk>b*$xZ%Z=fab{REABi*cf
z@QiIC!)2$CFjYp7#_tyW3X(1;rl4TA>~c#u#7lTYDew)-8#f;*pTkHa2rM7ell>d1yIbY5Q<8>jW45wZ6*=q1(hEve4NBaZ_G8ziQR#(>Rpov`#%52zskb#I
z|Nmq}|9^w;{NLXzgR6f3JAL(e-+#cwe<@=BwMqZmZ~K3}8z23jpqs&edUOBzf&cBm
zZ=e6qe%;akwXyfVe(wG6yYMfY?LPCIJ7_{f$VnH=5x|%!wLOsUvk?`i~ew^
zcDL3xTJE7}%Ub^8l^Grwa#6PJi$+#sLjw!
zet$*iGU@E%@F+7at?zBx^hox<~Ow
z%}_>1gLEuR`P(*{Vtd}nxwE)?r!XkE5^AyUWeD`w(b^7FV_-l<9N``ABbKQ(WAsz_cH?`6ZKhX&&UA
zVV;r_5-*|9p4YNlO^~s#`4)`0d(8U~tH)hPvv=i-L9_3Ce$&Y4^`jq*AM?IfUYyP*
z!CO@>bGm>oHrMj66|)m_<}|?){&)=<`Z-a_5>c~nZS#y;wbb~T%4Lsp{6>KhKZEY>
z+M#+9G~s+|X*)<_9K{B^k-m^jM>zwbHU?Jlqv>5Mp|#<0U>1-aO_wYG`c!7!n9d_C
zUEtbyf*!D-*4c{VT-d}H{n#ZFx}(?StVybEO1N%gVEuR^_lVGPblM`bFeEw)J0zkt
ze%QRUv~BrOZ1zR0g|%h4@g_<6*e90ei@Yn9{Pb$lAGC;xbXdg@+3qu@1
zsVecqTPyZ<<`>j^bM+N;)6z4ed_KRnna%%9^X;PiAv=HPW!hTt7}7^XtA)3iV)i*>
zQxNgULwUTFck7nE#n5L<(K!RH;(A+*foDy`RxL532`8M!j6$a~+LA}dnpLHTX&eU@
z8+Udv#N4CBI?7?2%WfN(&p6vq#>&1TJcu}gsFw+>S}Q+Lilj92EJbqG9SK4QtRuIe
zDRe5^^d*0v13#Vgc7AghYFv8`@vg%&FrA@M6|ugW=$-C(Z7uzO`vc_Px*Vb|G^ponCS8;a4zi*om
zmJ4~ow`n9&El|m0&MvI|*d^4QJVilxtsx@Pkku#S9t?PAe1$;O;sGS6*M6)mx>~pM
zk4S@+Dz-K
z0H|pVYDVZ(B>Hm4L(4~o6Nk9YzE?k(sLyN63S7gyoaGN&R);N@(0on_(oE%+!M20`
z24)^|7ruOsH$y$)0bImIO{MdFvXYG^<96y%J9z=ma#7V|tLrij@PAS$`sUgR09g9$
zISd#~fv(JY{O9n)X8PPjXtPN`KtmcW)(CtC{F5(=n`=+~Gu;!Oc8H}P0uXK1)BDp13nZH7w?$$qCw$V9E(xS%mEPM?iK5JZ?O>DY-&St5^GiDAi
zTP%^r|Ak|m#v3uJXd%k!KM^b1OhtKG4&`!f4BT?vZCNX~G2cCfvGJ!Zv%Y;!X}Az`
z^FSr|z$#F#l^bRR5++6j<%uzeahDwdIC^j1PC6f8-~2EzRB$ftraFJz8ht9nG&ap(
zr^7DB(tdal?yn#F(Dzx0jplSmt`vF5%*xA1_hgrQz^I-P%JyhmTZ7_+j_a-Lhk?@@GR!Pn
zK_Y9M0(InDj93?<%69o2@PeH3xz#{HP7_7)z8~SczVaO^-@9Q69z1xgp*7l83ehUo
z9ndGKILuma=}h)2OJ9I&qUGeYVa(HKq_fUz&!WS{``7s;Z6Nu=kSOU9fRrrrthFO$25se*XTFGNX&=9
zv;agtR@o+TCJSE8c19+Y^_EEPuJ!&2sy7Q6FA}8bzSXoxk>0{8`v?IQF)%e=?wbm5
z@t2`UM!lZ59cztz@46^RVU0F*UJOj>s;E?Qc=_{QIQ;L%;5rAbX8keKW{47XPXI(#
zVF4itINA*A-`CfpSm-F64q#?Tq176<%9PrBiP{F=)qaEP;u`tgf-C%tHUx0mw^hX!
ztt^DJ;?=9F`TF$is0&(yhR#M(GBe`Oh}!PmR)$HN`?C*NYIfVB|6XA41B*UW@p(UX
zbw07RJAn}Mz>5f6Wx>5d
z`Q>8wZ&8>?;a!o&03PBDG)!|dS{n%x3yMB1!>+0HFzZ6M@m=(mjJ*imfA(Nr7;|cv
zTFa8cd*6r>)IEN=#yqwFlbqU?HJSMuc&KZ78&S2W2ptX@v#gp?uxCL{XY6T1FOk29
zhmcjVZO9nfuP69M?Fq$E)m-ChuDhoT;unjkA}7Bu6aE5Y2`{ol9@2W2am<#ILj5Ox
z>1yXaFHfy6>>9KE);*@)4&7#&rf?02XDt=a_g2
zaN+s438j=q%~TnFUX$pvxSSA}+eSt+YBj<{2g$1u4#yG6Z|mPh`(c+1HYw(%!Y
z7Np2@qTy)x=&%)Ug*Y9_K7>_@BD9&5SC<4R#Z;>_nrDn~$k5@c>tmBvn>wzHPPxOy
z7s?$4AYl0TJ|LVfY^OcTHRBPUQA}S0F>8!gM~?%Py1GoS{tdL=EN9X>+Q}W45ziTz
zVK+twx`meee?M025Fa*-`~t3mpvu!8^As*CJ|VjDWp*f^mqTo|&IkJ=B1`jv>^x+(
z+qlaLsm`B%$?zMOXE`f8rTQWWmKSEVmFy5BD
z((sO%t5%(BZrH7#b~rN~F|qn;$$ey;eQK6!288~Lk^vuRzlzkj3`J~VbCp|wQVmRv
zKQ?L;Y?hIgn*;K8%xXCti|j6;d$}OPSM>1xfpJF(?kb>G*nx=4J;HZWJ;~R45-NrA
z;Hi+GPKrUNIHmTooj2jCjsEYO`m7VswKomVn&^`1P9-T~4z=mC5S4jlF2gtBzk});
z;3komv;q)$>*6!(pfV5wya!iqZm5v0y`#KIr0uMB3Y*x_Ze~4F3P0YUpF};r=z;{J
zng0u2RfRWM35_Me75uY86kY7g-^d20|0MedCVvEodlx^%bqquXRO>$%_tAKN>{xRP
zm*HH7Ty5+d?C?jiXA
zv_lXGR14L{fr=KY0y4H??$JiFEE`DuV~}KXeNE~{n;s3%Jnv$8zmK-Mc~x&u*RmCK
zOV6(B;cQN~AWh$=#+32+$FADmXnrIY)R9O>a6lg?E&8PNKp82a1TJHVg5-GqiS%wU
zZ=!b<8{@i9TPgn8m7J{#=e3F@)uw*zItny$dgIE#VJAvb!)-;g8Lb(&3>_UbTZI>w
zbXEd$o+BjPKAjv>YUljHms)P1u)*!}Czv@-7m(m<3te0B$N2l&R+H>pv0B%!6t}<_}c$+q<-F03^ydj$V)R^LOv*6J?+w4Hrm
zxyIeIg?fgUL3dqt>0fU%#;cP}!k(x^r%u{ve|j_>YHw4Pk=zY2Fv3lPt>xYS0L`3V
zGn{yg^*I0bq)h6ita0
zke4?Cn&Jd$f=a;#d-*6&&>~qs%b$C~iAD6k9WKwc37BvgLuBmOFM?Z$F34IqShfcB
zbY?j&2lEQ)O0_i4LJh4hG5o(ztwEYqkxi
z%Si^*2yGV&fCmh^sus_EJE9hhHs!Y9&{-rF)@!3=jq=jn*Av=kT{o_LKfp-h&-NNK
z6nH}_05)H%y|q`>a`X5x2csT;yJ7gD#ol#j&S%Jy8rk6qpaYLDS3RCJ+%
z2M~-(g%U6>kxpfzLY5M7Ihz-Iu}?SDnjH@sUl?{Tc9!av&+&C%{pse`mTa;+EERPv
zd*Fd|X86I4Qg>IuaNoeRanlq-8bGv98W5Y;MlW-t5SMC5xs29+ckh=P&RSM;q0b|d
z(kpL#Dy?_#K;zc=ieiaSt~=O6;52}5H#N;iLA
zquWLO)t6Jb8V>ex4LnoEU+k)Vbi}A4H{*E*XM*-9kRr+ddCq1~RoB<4Nr-v6a)NB_
z`YO(00xaC$uDy-RTlXd5O0=P--)3JH)|5ous-I>6r{|vH<*^xb7i6611YfRo{Tp6>
z(9GKl6C!l_v5WkD%$Ux&PxM>&Os$Kb*JZ2N2Vf2onr%dqIu9U6=V7M-mokn6pY#OC
z)xMhS(0?;9Ju*V4T<_MqL}y9YY8@c$0KN4$J}5H5w}3_pxWDB7>T5#&kw
zl7QWHa0r-?xEH|dA4HC$WNo5C(&shvgVY6r##;)#Y;;vgpw3nfei32Va8!7GN9H@R
z8O~}zJcmBS4d9G`w5er?%K+PMAT;V>Z>P=*=jL;0LS#`sDa`UvN$4^4=)0S*%5Lu@
z(E^Ek#beuuI6aC6NK{(pWRH~jJaMeOrU{bOWg}4|k4;xd4{FW%g8S%28$hE;(OQu`vsaOSNmr&$Q7#Lkr!!zuTkdyfLSt
z%Ui=NxDRdQ7v#<>T0kUH7SvURduZ@9HXkpGP8YEjAG0Kdc6YiASF7{W{yA)7DQB%5
zLHliDGyC=XF2|AggJqvA<1EZ(sp_vFP9sWuGUPy?@;AVJ)#}>~dkU!ov0qV!`nm&~{J%SHtVbZ1wL8h;P@Q)F!zAYd6I0S4PE=(RkDmr1Ab8W^S=E+Hz
z$BxiF4YGdUBgmok~P`@Fa6pVE}`#&E1z^B#DT5C_k5o2h)L{V>)ht
zll7E!UADI)pZ?Ru{KQbzu+tGLTulv*xb5-!Oqx)&Qy4CuaDgse=CJpX=0s{x6LwN4
zP-9~}?8;a23ky>FdBB75XJ1z*=I5uAi*n2U_dKBSD@*VIM64oAe~@C#K5QllmONKu
z50aG%US#c*O!{}qu4K+65dMCa&}~q>tPcMOqbL8tmXQVf`TK=ns@THP+qO}MAcE^{k0v9Tslw-PwsZzO$3gUf23>tr?iSzi{{V@tsP%?1acPyRA=T
z3j}LDEn6j2dou^<={ALy;UD0mtm)5dO!s%jJ!2m}ZdN=o^9NtEI8f(m$GM-SNqUdd
z9w-N+?r9dZRdRRDP{qpIdNE_@zCLW&peg14x~;_Uy*xBVfA&sW>d?RBnBS-;2(3Pg
z5JfZnpefgHWg?KXoqUZaC?W*=qCyWUNejF?{^5^Vf9VTF$oiPHZ6P0R+67#A)2@wQebb$v@%WCQR?us<}@M;0N|HY;9Jgisu6*y|+3q#gH9~U6*|SwS2q`SDi;_HWURF
z5Sleb7#>7u*IdG7$V@EAIgkH7e0cusyX|Dw3&@1wv)u%}p{p$HIQwB9NZp^xR5czj
z5_U5ODUdlgT<8E^vos+nXjbYBYd;q&83E_>TbB_V*x>c@X-mWJU({@?YI9^ZX36}H
zX1qKR8EeOnjS1PJXkp}M>s6Q~yKV9=p7K0GK0(|(#c@T!hR}ubAYP8Z84Zb#BRHnW
zXLyM^zD12q5G?snW56c=YGp(|YnS-m`{%Lajw_;x3l*-y&f$1JAkV=D5^*=
zcKRz?l56&2o}v2>%Qz<-Rs4JPjiRcfN=~`EC&%77kJ>xi&r?;wY|0zplU5G_zPD+-
z`yLWJ8r|KKyBl`0mQqKM2|(VrE=zwfMrxoZG%U(~(t~_pZhI`
z$ONzxZ4SL&J*WvJPC4BVmHKT#K$b-@6QqWog+8B9%V2$34Mm>AyVDOcrP~=}h>tXo
zH0oOmyl#jUX-vwYgi$8i6;eHz_d5NIhqXwxt&*b>rt$>h%*gbr6p2>|jwDNhD4PZI
z2v)qZ_99+YkC{HNe~}{~8k&@S?|HaNKtISxneD;ldp#?;LiJ(Vo3aTj;?|vdn%6Q)
zkhqiN$YI22efhq8NwP=D&t{CG5Y*-!fiZo*HXR00*SL*dB(L<(Wg{+L&39DHuQ44Z
zpemjU#Ci>1-T^s0fq5_@X~nwf0>#3I9M*}N-O10@H+b;OER)jGx{0@2X=hfP-pPPZ
zy{AcwFW?S<#Mo1y1e6e)btn(4lp5|Kf&PivyK=@u4YKdFF%S6B8J`?7WEzZDPz;I|
z7-39)VT_q~VE~ckA&0ES5r)KP{@^j-S=;Vk4X(TZb+5CFa~57db~%#p!h0X6a)f3h
z{2AOn9=xS7QA4Z@6w-4gd3YK}%K8sxsC8r1sq(ysfwl`r(|es&(*8_JJQ6wdH|9vB
zl|U=ENg%E#Lc|p9NB|2#Cn#Xkhp!KT<;^Kf
z$Z|mct!z4@wU`ukIE$PkP!G-u@%to_?{IHU)9+6yC%ck*cz05zjpK
zSUc(HhDLasY!tt9aQveL9nv!!wEOcnwbYgR&;zbU?f4-`Z4I&tU(acbvgWYq(z4D#
zwL{ex!wJi)saD1V3yw*hd)~MveDikj@o>*u%XlE#30jjPi)4sghs1p?t_kKC4katL
zx%*e2s+zPw1qMAlcoE48PY);5`&dijqDkN|!f)l>s$mtw?Ap1dp>lkG1EJ+xh-ulG
z9*P`a?J_^=$F8yb6u5DJdsu|6?lWP&H~bX3WTD$7*s3fs?RwRd{?A;IH`s5m<5fHo
zS(ScM6#oo7r=I>IvIJX02W;{zRsSA7A7C<6R96$HAq;;RjZCrhx3^F3a>fT_(}}#>
z75f0Yt69nw`$fOUwmanN4T$8zrv&6mcOS;h!ONt$FjS@AogBLde`H9hO5Y;YZY3{+
zVY_<*NSns6;O&zz-tyezz*Gk?=c_p8{}7*FG~p8Q;aixdb?aH-d+!`~e@C7acFe6lA@FW6e#J_`y^MzRDcT{lUH3Qqa2ID71_?!aHM6zR
zWxxCmU49j#i8%Gw`SW;}`r!F4e>;|c=T1O!zMLQn2-2*4J)#e4oJpJUugUd&=$Lxc
z>;m5{g6Nwv0bR-TUdtcptb@K12G=m7VwdB1sm{EDrgCR+FAooWi*@HDI}e`ZYrINt
zu)Z#KyTrYvH{#6xdh=^w;69@@_!13#dN24Ht+MH2tznApk@L7;seqThVMZ3JL^3-d&pL+mz?)<^FzYu<4x;#AGmCQAekxfz!xl+J10|xj!d$
z+U6HqWPHLy7Oe7a$*4_!yY7R`bj)v_J!u~MYqeLipf`@9-tigBnN!3VWX*2&A<@MM
z&DaPuN5TvhR2m?65tYXp$zO2(kiz-8M}6JPZe4GJ)|RV1L;MTEvjMI9_TZ0$o!k(z
zs>GlXLISiG_Bb(UILFt^H&NDou>Wlf(#CIn-0k9re|n3(7y65Q0u~8ir4MLf5@`Xe
z391Ie6w_j?M=yg8mk2c56PT4q@6-uj3t(=(wUm&2v@cCk>SJ}F_tv@fTRqwy&C6%j
zplAdF04uLOrhqQbvgM&qbR*W%f4YP^y^Y34xSGDi
zqe5V+yry(SsFZ1Aa
zfH)yN3|Rw-BdyB#<*M*KlDQCNLQ8}vn7zw{j!BqZz<;?y)5}n)uWIyjKPv0%H^DvO
zwrA_79#}KO1GHKE6+{I50;#9Ixu7R1THW>9(U)5uI>vt*q+rm6V;?iJy60mQa=E`w
zPblSGr_4Hx$(GMbAsyR51HE%~K&IB?X)rms%76aAO!|!;&3~t$Ldh_xfKAA*ziA*t
zj@~V(U?ggb_h;~JTR9dnG25H1f<_Y0;R&bXZd63|vI0yEZR_hGG!8SABDn@mYjxe$
z?{QAdfef9zCIr58Qq>W53IXGFg>epy;c@13@NLKoP&
zw4S>fB-f=rQhrP2aca(cgr`Fw9EFKC#_s{eyHGkKmXGyyYcO^RD;J-vaaFl==bGP}
zzdL6>O_kt^KjZC?D)Thnb%Y#B$@i}neF}7HLYY2!l<)g=!^ZbE;aS6G+%R$=BqOsR
z`X06RXSVW>U7-ik5t9wouW!*@FM$hKAQ&}4{O!dKmK`V=hO*3@r*$tH>Y{EoK5h%y
z2`$Ui(5bBw@8Ek|oWkzEL}IdF8~zMfyO>G#T>1@UMM(eL&G!@^J~xe#fG8Jl#kSH|
zOi(6VOm)mAR%6zKW<*b1pV
z#yt9k6lX7Q3#7x>=x*sW{I6jCY-Yi0o$jTTx%-I~_|eaEp;SI2W&`wNMKuI`gN7ge
zIc_KV2;!djc8|_=@xyA@swZ7(82g<9xHlVuXA&xNGhSn#IPj8U`JUGrKJa%dy0|&Y
z`bm~J_i7~?cY{@MwW(e^JSse})e{Btcm9SnzhPNWm?tvZ$Hu}Sh|mGS3gZ?!V)Ts!6w;TZKaSR5nyO6K|;2O^gcz1<@c
zv0FUa|CI*_y61Q_iF$X&;E2dkUU(m(4BVJ1^XRBeQ&gl0XlE}oHsJDP35*LwQB
z$@gRHlIn@!kR6XL0;wjiggx0)*jd;a$aA+;4=1Q)kkcm}9;mvV*k{%#$r@}*5rc)+
z<0wU*viN`_FL;^(Qc)rFzj3J7Sl`x?NIhZ*&Z1=0sk`t-b+@cW$7-gUzk{64MWVi(
zwrAE7&PwQoQ|EbP76vGRUKz0_Hc1se83L#xUZd)<_F}k(tzXX9pRbL+eB2-^tJ!w!
zChUVx<*?q(N$J4m&bu
zy`W>v@0?ElQM+0B`aJO{VL#5Y02R(6v>{@lOuW)Fo04%?Agjx%=9T^j^JZsbI@Py3
zqobz{7Yy3vs}tx_uH25N8&Obuo>6WpM@aaoRhPyJyhY<)R5R+OyGAuSJLw?L|JX&U
zD#sGV5{>+1(8rT?rhTCW!GO{VfS(rWTG
z5XM?RecgxZST7Q5e08Kh3>V4TabNN|{DSJxsU47P!Y9NVO<14!0#8_ZTfF=NW;RixcRp9V?e~FgF;ACjq1K3!W8!yn41K%ciEpWYMi%qw
z3s`<(Yglr4VJRm|AS&eschtNV7I5^5BUlCTtZAdkpdhD}s@({@3@Y|#%i{IbJBvL$Mw+N^yfN}A
z{$VgL{mP+q$b`7!6w
z306%;IQ%XfqqS{qeFU|8@mS)Y;pCh(SU75ghJqgHAKxCZ-gzrlU91g*D!@#6Q8U!S
zf}T?6?n7kENq47@K}Lh#$hpVHoEgZO&68EJ%P)D)Q6?U_YM>z{8`EUN&ED%tl@5P%29dvjQ@nGi-(@G=GIPgwktf>5ABf
zf|ne3)J36D8sizEHn40ZZ-6@JA?QL$pG3J|mw4;#Wr^~Q!QP^m9vTV{TQ^R$T3aqE
z6gq&3mxV}9Xd;3!jnIm>c^yec6;h~&VF_h^wfK`Ura8wZCdz7se;{W_R0S2$XEzejctmTARwR?unCAsB+0BVh`p
z6C4JI8^Lb_aRmzxRhE1^8j_za8(zb?mjK@7Iu#)$D5wvu@)-m3AZ4rsZShj|f{HU0
zT?5tzzY4E!HYL9X`{cl>*uUUj$$vG(K8JIT^O9&K#z{s!`!2!M$t1AF-YCx!6wdjp
zd83=BE!_@$mp&-&&z0cseN@P{;<68nH3{+$J^oT#9q3~2;FNAZfZr5FEr;$fwp-q*
zfbE7h44|%+2m#CDM2Z2}RkQ@|f}f>DS9qF4PV4{)c{so&S#%Pr5FYG)hK10`vkKi^
zaePJ;lgQ&B@3l`H`LCjag`um!+J|of1g*#S#pnEq3f{Ern-q83t1-Qxt=NgcTB>dI
zT7lQA-Z8#XRlzJP(h7M;K-#JWxk5L=Wr_GN%@g+M&0_BHK9K=$v$cU1J;y&b+z^|1
zKNodWjj1`XTlfCr5vtvn)jE5A`i7zppeJ(VA}H~
zm|_o5V6V^SmsT^^(;2hq%#=$qj{{lbssZd6P=G><5gYM~0Z&UH
zb}G@8{#o;MzB8(}8hJKuLW6#0Mr@g6fytQh8&SPI{0WRcIYfucp?nVEFb>);(&y3I
zYgs+LZ;BRg;w*-ZgwLWs3wpx5pta8%-i6<4t6!eAj!J2kD_w39Y$2Dx40-nqkjY=a
z);JK_tqdxfj`rg-=L~A*Mmq$-G8EVf4uX5!LIL{*1F`Z2h3)akN61@{%bcTmEAYO(~>vp(2
z$B!cS6F&~Cg6|~pkaBC-aI1B;gQ`ZA@F3J1nh-|(JW{p1MQIwVU5^JMxkQodW$ti$
z@}noMtmxrZ{X+|rN`SLJZ_Fafz^*Ba?Q%NGH%NDA+9=CVqPFk)r3Cn@w-0+wG_koX
z2VNY5znX+UC%VBWMEmf{a^{|eMuCf98XbRv`lUhy4f1|xb!YgJYovePM7qRRGusZs
zLtQ;`XZjeh=H*4g>5X^n8b)gfpZby$1EQsmhv~V;$w{l${Ymu!`lMeqc6aEUU1gs%
zDLT`2;DcR!J#T%w<1zkhz{4KmQ`}t+Qr-g_X8**V+;8L>IUh25G{;`kDd+hgE*JJf
zAPZx{0xF!BA(E49ONZB}f~K>|mTyEiEBOkfx7d_T+wAu3;aJUq4P{g8$t+Gt<28@2
z<#Z>r5wrG$0CHNI{e(xRa6i72APe_V)>rb|POs0K$4gR^WH?d3*bJ_OmPGBHyZ?BW
zdsL4T?{_>+M0V9o;oL(Dy-l-&lv1hh>u$fFe7{j9DQE?(xJ^)3O27CN&SY>IXZm4b
zfQ3!z^84PjI-`}_t$A`n>l1W37}w;l`(xLA{ikHuPZa)b0!ZTNO`gU=uWSmbLpi;c*9>3B1>hze{hrypw`s?1hgR3eY9
z##E#5!_j)WwId(+o$GyKj1*5`*9%d_a=}vmK;B+K>WCQa}1#U&R0!-
z9S}}d2qOoL`t{Ebs54Y*XufIAeQ!dnuFCDPQ0M`FTh+q!p=vJ3jE0S2meC)g%p?^?py(>}YWbOn%Qs
zvi)aG!(2xK1NAO#^{MCDeq1R2{3xNgR)Knvmn@R0XlI2#6aU&B!NnXJo6o|R6+s}*
ztO+->hvJMK3JU~I5Bptp1_k==Z7^r$gKYZTY5#jAw@V67!g7F%;KgeK)_mv`A{KuV
zrK&lASN=AsRo7HqUCS@X_syF$WM;@-JdgIzJermYSF4pD{tbSrOn9Hre1)PYJO-RD
z5cl&K&nWI1?YXsL1rRokku<-)B3bf&N_fdK_Ql(h>aUihT1e)@PFAf@)J?k|3VUf#qc#0zIG`E(oC*;IfqtT-lGS}|ziq8#9EOV$`pxA!YgIFsMJ0Y|s=LZg
z{@B%R?{i?^g#Q@`piW*&o_>?@ZgdLIP0~QNe-UKEB^E*
zODlcpByGaG#+IgcwD_Mw0=C#l+hf2r7aZ3mK41j)l!-Ntf8mwq8_3Z(s}d~HxuKsl
zSj(4h7zb`%L}_%U%Tf^ZG~QRwUF0d^F_%tq`RuSJ}5giv`E`{Ux&F
z<`Ay&)w+XVmEk*;QjAyYt|aoSs%D)RE2^l{5~Ur+DV@JTlo|ASI1BP6A+nBc!)AJu
z$N4_VoJiDZjG1pKHmK={&GQnl^CVwyKpraB#6T{WE!sy>i*Ei9Mm(kpk=WY$XQt4hlq>XGN
zs!*h-AjkYwj}Du8a-tyMhIz-ZNmJ-RCQ}Ei#`dL3)}^?SyVstqJAQ&I5bjhYL5|V_
zAmB}L9yUA6I+Qt0l*TsQXFMl4#9pnfdVCJVP39N<(lZVXY(39NSxS3#CJnqbTJP|E
zgv!li3P=+N9Jz{*Hp<{FXIrImGr3YOV=fIb!dv~G>ET(;-`5Y;lJ`(%&$+EWc2c?u
zr;MZ(nl&m%UeEd#xrexn=2h4Y;w(@YK9nOGRy`c=yfKo;m(PPG96?k$*5A^+bDNNs
zWz*>TB)*ahXGL;oPXc`t9DwMl96f6
zcMTJ#dJZt+B>#kBW&9Q54(HGwnO)|n$l3R;l>654cW1?y23bc+j$N(oJNZ8B+Ds0m
z{a%?3A1;zD;r`gwhK!HnVq|)F)GpAZ$GW@F1>EyqX1mK;;Ro}-R@*F}IeV&69v^lU
zu9bNbTta;};@MqMJ+DDJsWi@xy9{mJ_D!NFzh7iAbF*rR1ulyY{gX)NPq_hZZL-wO
z=+rsqBl6n4LCz0-mveXoXP!qM7X=3ibt@ETUblRcxI{6o^j&3Ty2nW?ALlSNIIjef
zO~UR=gijGwf8)aw#HRDwp;PrZHGY+UMJlo}CBkS`+D0>J8yl~T(dzbg2-FZ>ucEIN
zFo+MfHb9zkA$^#=FOSs3BShb)o^TrV5Bn2{8J<>*ThYs0n#ws@SCbogRos&zF`*f!
zp#4lx^YVQ8l~-GHBmMSg1TcWN`8A9-aB&HdfgNRGP{SE|2a)#;$N!pnh{ShlnFj^40
z=J+Wyt*cuHo$h<8sPlBwmm4)ph4OC%WnhK^%AzbrFfbjF5lQy?iObNqrPSa|?`Ow9
z6C*#9bI$F2^HRB0Nz-5cY08=q-v=B*C}Sztvz;B
zPHo_1lDjdQ;0#!St4}r)rX;#aOLnU16Q98PAdj?i%k&)wDWT=_!%Frn7mJ@eH4_dP
zC647?xov8rY-UrL?I(HbD5LV9AbH{_>@(Q-W;a8W^9Gecw$y=PZozJ3
z@i2RQ!gOMckk@g(v=RLVd0P1xZe_^!pQV~J_QmhA;x;)uAE=$&7fD_2~
zCyx=T31m1&y;|HObeLfK3N15dw(915mPeL7%sKkN8A7x=`0Ip8{1;W7exENjrq*NK
zG6f^-*2p027o?TngqTJ$EKOtukHu;00WWpJJ9imVlOlwUl7YD
zw<%RE5ImczoTvNK3I@F>~_aKY0kQlfO_Zek{-uZPCnvN3Okt&bkTes9g@#E=(MHrfW9--_Hcr|Y{%=k
zF-Yn*B|e+n6SLTQwllc&vL?;1%Kx0jnKrfYpSR*{9rk|~UaH0FDC7}}%o`y1M!dPh%8D**r7KvybloTm`s&YUXU~cH2>bR0+B62x=t!X0
z@QB=|=O*Ns>0yd9KL@Yre^U4AT9;|}Z&^ccD;pc56=p$>ZRk1n-gUY2RmS-F9$0JQ
z^_^SaS4xCFI0!f(=N*u;&Ly{I!~X|+-yPQE((Q}7m92;<2nZ=Nr}`*jdZ1m^b%TvfRsQ25&{X~POxltJKwkObDsO0
z`yKxh=Y2Ep%v!%yW@gP=8^#)x%$!o7fobvCEmjhF2J7pk-ihunUoDOFs$?LUo*+0i
zfob583W{fDm~*y`%!ro9MJGB+ljq*Pe}~9BvlGLQn><#U?KR(ChZf|-dG!gn5&}Z)
zwRrHrbl$$gI$FRg+0h6kIeLVS${#sHz~|lK1(u&E-_zT-b1vNQWvSE}z5U^E*h1hU
z*G1S?b}f7>)~qc9^
z$hq_=w@dJd?a3j!B{xM|;YUX0(eyHgUOz>=`gEI?3`)Hz&DH$CjF@aHf&biLUP^Z6
z*%)biE{~_Tce&2#o-v!pQ3U%T8&EpUMG`3<1Eq8=xi*8H&7aLfF89hGn}fJj1@&O-
zt`fyon?xry5ma&}86b?QvcbPkG?wZV@SJf5jpXNnYX
z{9t!z#B2h4RSA1=Cpx!hA{v!?b_(Re&MCO+ZajR8fB-wQ=(6qP5btWU;Tx#cai4q@
zi>T=#3+*8;%qUB}8Zok4n1y7~RN^dC0;{47i!AX0D;$CS)dW8DMes%T#^xca{BTIg
zX4VNU%>tbk1$mdA3);QU#{?|WQ){w3g`E}XH}i7LJ-L*x7l3IZ$^5J{1vCs%<6xRn
z-^QYI4AKm+|#rxq0%9p?uJ7t9hwO~<33qnXAxcA
z!2%UZZHhemTWOHH>HM=Nn(pUbQOrHCb+7LE+vulqSCR+MZBFUxeO%B^fq?B!tUx+S
zFxg|ev`uSYkqq5u<$zgU@R`@W`=aEZvf8@UE_mXevNxeip&B++C_R9xcvoW;l0@(?
z5o}JQjBCKG6B*fttpjaxJ94@ruXptjuRQI~Ume>bWbP>>GkEM~K^~G~&*VZ`F~Egn
zgK9DloZk*_#gj`z`WGEZGV5iep3Sxt?>p7e?lzWqgy&qho<>kpdPRD%$0=b)+2OD}
zC3@IFBm$PE!9yE(15U?^bkgm>IemnmhIT5$>5NeNg#>UrE<)6N@=~XUbG}{FH8s+k
zxyScg2Yt5#4&3#SM>}G0t=On9?f0Vj!u>OX6?+4AHwn3x
z=Xj$MN%^ZF^eqdIihP(#jL9kk2eU*>5=*@$TqXz2GtyPrmX5Gb-v1V<(C?URXud^S
zeJ4{m$|X=P`=P?m4fP+;rCWWa#(dXO6>rVxJCfKDu?+5VtG(3pyu!rp9^IFYdmUvC
z_>;*(_~QdMwlI}Vvi|!l1Ro6(kG?!r8zx|w;3%s&I^3;>s9#fYe52de|-Bkr&9%eznzMXW)Cm9xO6Q8Fm}DHD(jFB!VW|s+5DL@e-=|
z1bQu%!o%?fI@giT&UWB5{HJV*O3_MZv7Mn6rCKJ*D2@x0#>l0us`kn&2JvDH;R>^G
z0uBWZLiCc(0h!5xzKVUVuje9z%siQ{I`PogSfpprr%Uq%lc%e#`N;SfU)Lj2OcJ?X
zteoDrNrUG)&LgNvc0u-JuvM;iy5(ExD!YTd
zj-f+xoLtW+L-LzDG>t}dncUs}`cZkd=}rXQ^LYq-_}ciM_xDQ7ueJ^XKcaMhuI)k^
z>l``V{A9Dn1rlsU^gwY{qd4%(E6ma<1n+K{-6pZL4?X(MdbXP0!G
zf7)@UD^=`L&?k+x1A5TARsvaVa@$*kXJTjzVg3$K%2(|z?`QFKhPaB!HiXtaR=!YORpss74+9toO$@WPR
zF;X0g-X>5#=jNH7>i`3{Win%MWI`Z1haQ{A+TDDCrdkoqBQH?yyEjDXb+4XSh*sBo
z=9QAGg+VU%$ZfMb-A
ze80$u%p-58-&UX%i%d+2c~BTgbZVn#o+^hZP7a2>Dj_Jl&Pe_!EAy?a%s=>7(8}jm
z9^;BfN5ovqUz;K6#W>c2Iap7(KIb`W1gChz=jQQ?T!d7eA5Z?r(crAx?4};6Pdz)W
zo*MTU{)-f2f6lf4pHzQfwdeUzlwhRY!ehmm%?(+)?G$%ND4M2x<=HwaoUwZahyqR>
za9;>C!?8o(8GbgAG8_!HeeDwpn`6CZJzC@nj2{n0Hw;#P#Ip2#&$E;mQAnya-GHHL
zP4%wsTjN6UuI^O_W(1|5j5~%Pesuj$!h}W6!lY$pQB`TQBT8HBidrl
zz+Bl0k(N!mg@YAIK0e!+LcYyd5npL`X9V_V4Wo2Rm~^R9YgAQa)QHL}j3Cd`W+w0b
zw~vn$H1;C9?{t5d4m)sBIb*j+g1o5KFmpY2dd_(c+~yI`=>SVWY%S&;lo6S=L0d4h
z!}xEWW@~f(|Mlo_<^w*)SFEHeonC#!{+F#i-M+w2uV|#}Zb4V~l(N8?eIQP9p^z=a
za3o{Lu>+}S0fzfwnqbMJSoo-$fkPz9B+%Y{+cUEI-8(_0l9rU*_8~EhMmxBL#3)Vy
zp0p|mMFn2eWF>61U6&>P4(l-KI0a>$VDBZFRiEb2u6Eo<^>p~zdnYF8$>G9s!`HfT
zv)9kPPm*mJPPHr@&4C(dRqtBliYQ!SfmXH5_rF<5i~*)I>l%Xx$7m>!%l3QJc6!+~_i}0T;
za;5gY$(!f9f93>wg~x5HTzpBJ(iwX(&+u?;=g{a7iPaXVes{8MN8|V&#Og?&to^2M
z`@*X~L6(6-s~m)IS}ako^U-zv-ZJ<_{W41A}E4s8I>GQMqoz54vD@qnbdMd{JdedKecl|!qlLc$iaKa7+iZ@X*FC8QCopL$F;%$0FqJOX~a{cj3?gvEX&hCBATZGP@
zZ^Y2iX0#|YaX-nX`j#@n6{jp_?jvA`Z*=<1B&>H(DX4IdSRu;e+H8Y2uMRZ|6A|2w
z7A>VgX2SZiA&5xbpz9Gfg2f-T_;peJeZzysl3PG;FAee1QoLgVBbNZrw
z%tc$V_WkwZAH9#eYgV6+KabO-DON*QdK~F@LGvpjDSf4nOo^ig4#viYy*_a~Au)QD
zTX#+A66*A0H$Qr9ER@PLW@$E}#1h9M^4PmFF{T8c{jlZ?4T03kGza0e0w=~cJZr;V
z2{Yd5uJCZ5Ur3bO=H{Uz!Wu@tJf%l!)`Cu7|A|PZ0=8
z|7ld!lUn>cncQ&g2*+b@Ye?sgZ&88gLdqAcNgJXD>i2;fepX_wIH^~7AL-J0aCK%_
zduQVb@g^RV{6J$pPlIT(QTJx2xd`XF+cBCAW<9##B>f!|%@V_u8_ySvinhG6P{w#bK<+1#2p57y366`~#9yXl==<_iZ(PTuHekcJ2KD;0CQ1fol>*E48BuvA`E
zUM;vGvs2(jf-z)Q2C6D7Mmgln_2ch@VuN={?^|uiciEM>T5PqaP!iLKrP9pa>|s(>
zdp+5~3POu6ayOH;x7tc*nN*DRI7vQik6hLL^5?3d%YjDwR1rH(Jo`hgA7%vh*GpH3
z%7v@l55b)~lH6f=^hUKSa<^>t4%+OwEvf@L`+lxbyzBz}{qbP<+ziLx*VCbE<5=@V
zuo6f}G;jz?U3loY$fcFH$Td4+$9@YADY52g=I5Lh|8F0CWbgE7E{FbHBrBCqmXZIw
zAg_>qr3;;v(-BT4%i0}lF-At($6E|IOmw?tm=!3FN5ST1z@Q0^hlG+}5;}zl(_=`G
z0y-S?+f4u4pCnT#@i~|)&MzF>*A+UP_+MSBUKYy;!8!D9p>D`bvGd}s4pIhQ=;h3&
z9R)#6`X^k^WNlJ*WbmyHm~;pBT1KFC
z0wW$yQz&+}?S~1Bc$ow%nH2lCy>B|0aVbBj=eeDHT~j%4MNo4!sN-|g2Kix%S4uRS
zetgj5Y-6UZ|OduRuW<`5^e(YBM-i7ot_)&C%zs=&Bv*LG1W
z)cVBHN;a}jzp%M$*930HJeBq$zV_PFeC>ixLNM|n!Kdlhgv14nM<~A;b
zca5X2(+G5EYl$F(ugnWtR;)^X5hK~il5{7T<`(mu{veTEpnLKfx}uqR_AS%uqe!H=
z>CQ0s`VitR)f|*;P8-1%azhPzo5F&SkwW_59K`Eb7(yjVAxfCF^VEYhexD~6mX(=t
zQ{YmbM#Ao~%mhS@rjH3imbc}aME3w?ZvbEPq#k>2C
zw2rfs2fVk5ow;xBt#sEyN4_Lw{q@ebRyG~8>xd86;w2mv8?jmV+br;1`W5P_z=1VQ
zARCfYlZ&Ib-sk36f3f42j`C#f^gj@1q`mI-eI;1Lppk`1ykF%{mmgbSC=0!7pe=a$
z=3i9ll)`JM@BVAi#<_RG6Cm%HY+%&&EL`p8eJZLpd8BI<
z>*fObbxL{lsv$Z19lNB<+nQ%!e5?!YGd!Rq4b0t^*&}I72(sLZ_NF()ocnbFTf7}0;yI{u%{#U#@6mjkAkAN7DtS7&tT
zBhcaZ1Jf|}?i+HAMkPJcthsJqdvGLb@Z-t^C92sQ;3FUP(n5!~PI1+f&af~G+0cYAfApOXCvgZq9>yHg
zyO#ka63RO`^F=$JYqQ2yH_KVEvuZ~TZbNXGu^@8O~F4_T32qL
z1MQC$wY{bEHnt75e*j^rv`zgOw$kdC?3`>%Rc+Bb&RZrV`>uu-IJw)JdnDL}tH=eV
z`OPnKVfr#N9)XJomDe5W$(St+!-2CO5~x*qN+OgvOLu*DTcK$s>WO!mF+Q9$$hfYZ
zbL@#;{#o`~a7Ae?tO6rgo9aQRa4X?%m(Nj`aoMId!6$2pZzl5$!ac+5XsLTXcIgQm
zzhCq5Wn6~g(5LGJM<2fAn{VT8zKP3KyY+7zi}6V=WS6MJee2QL^!Nc@l{T^35U61j
zB2q@)wxEZ%Ey>YQ;*Ta9B?*72)*uK%)+!r@jInU~ro|)coggiTrAT``8+1s8w)}vRU=9Hc>
z5_v3oTdQA%fo_6UgwJ)ftvjMXrD9C8cDSxjZ1>B@T^3r`hD-bfB@AaVGx_gE(NqI{
zK5aWCB5sw(RC`ss_%E>aAm&T9_WeOCgF41C>;-yGE1
zwQ%DK%aS@)!4@xKgwR%!VOvj5F|cQ2`i>S9&{l5Y@7WGc_=ofE?}|J6a~`#F+9vAy
z{{8MyKIr9WRT8q&@=QgSIG!x4u4%2G3zBUKdwaUHJDP_7te~nP_3^~3xFmtOD+hO(
z4<$_oX*JEqL}_m}ivDNz;y-&2{2$Tc*sl7&-|JcVZwSwS;ydf6CCec_y6e%C72pi)
z^5(wXlWcF!X&5*msBHCD*Y+Hyz-W>1&SAP6Eg%FzK_EfQ%TxJ}r+f52nrA1^X|z|r
z+qhF0NjlxK&M>P`ov^%v4;Kp;xnkPD68hsJ7tM8wK+$0yVx3=zVr`2bp^nAy(%do1
z7g9zag2beoC=@8jv`X^46hZO*<<eI)lZ*&cpH^J9WP@N{Fs(RhTAq3kP2qQq;ii*d9ABZ
zz_yS&_i$0o_wjOj>bhP$>QO7s48+h~_S!HWQ$TgI9CTNFr8DX%2pX(}ZSe?rvp0RV
zlowuUW@hIl-#ScJv#_$8(q2!EDsF#`NY0Ay3N$^gQi*pJZ{(+K(qc}5ySl@ZkVI&8Ep6TVDOwSq4@nOb*o7&-9^YZwjYh=Yu+kN5
z?-Ko3J>=;|%O=i2l)Mx8GX_Ioc0u${^X2afmNCr5(;YtD)yHOG*$Uw5n=K`bcDsTt
zOue6e;R1EIQW!3*A(86wsLX3k%%iTJPt)c{*3;?js{6WgOb9gUgBp@tm{gaRkv<-9_K?x+=TT@ipXnK-q;kcJ7BN8F6vQle>hNcao
zMU3vdC|)Um*m$~Iv(3MOvT?B2cER-v#ZWj}Jeg3bD2BSk5RcT1Nul1?)T?x-3rE@p
zA>>`9T3cPr$8MZ+sW+{n?XF(a{;!~{R#8n^Dcv31W#l<)$G+0Pjbth{fmdamt`
zo%s#qiXeFhNQQrEAt}8`IDX{1hj1xds-!U&0Y8`D@;T7ePKvqV)jT``fj}ld*RS)}
zLFb;zoD306;2koNr4s2k+jA5Hv0K6ATJflO(+;>te8pwNAq&a&z@VdngCkAm^^h>S
zy++<^pI(Q+{*J(*v{CP)ifKBq{S&a|!q+%x2`bMyqM1`@MggPSw*w-egb*JyXl^fc
zBtd`bVCYU#6w{HD%9Q4MMmKODmn3FO@B3c^+gV=p1B
zcfTUnJ940_m^RfZF;uhUzD8oS{YS;QB{
zW`oUHcRa8ZUbz#W-p3q&PwHU(x{#x_6Q#P4=mJ@r#FAi3eMom*;41?aN$}JL`Xv>7
z*ByhB4kyVr@rz7J-3nbBwU-BuVXxYr>H1~9Y~06l&`sEte<)v0&ydiip?!ssX_H;>{Z
zQ4P(DsNm!BZ54&wv9=Vhh!MrpgdUP0{8rke%p`5cWJ1U!)NUKN33qb_#?3&VE}||B2P))lLm$T)
zpWAV3sH^)hZ;q;4(xiox=gAjR5|$xD6Q@?r(hF$aRvJDR1^Tg!UlHt`mDExF6=@St
zyhYK7BfZg`j*&Tc>4Ak0c04`Gre`R_UFLnj?o6GQ->IPZn%`+}T2gsmR{;G6BPpFB
z)CbFFs3+>sL>nxMvi5)S3M;ouO>Fq-_$8tT)JAd)u|opttmAO{86Pp50)CIN~xS`u;tSO2L%kcYY6Npm(CRTIMN_5U-6>L2NTKOTzcT+(L
z!+k&?juBN+fcDFnOdJ249dG7f?@@55#c;4@A#c}d
zM|_uWF>U4h_b_1(m1bSqQD2GIc2Z$BQh`F-0VBJ4dZyEdsNUorWH@~Ca@=cw#C{gAXgOj6Vnev?9Wvu9^w
z0bYA*!&BjiZEce(+JR=M$rZlseVb7x?j-EW-chTyjo=PmS4EfG%L44}$tx6;!iSMW
z29f7N%JG87SuexyJ9<|H*YqxO?Y&!7ttLy97;D`20W$W@xPIDXiJ3!uGraJX9z=Qt
z?O5~-e$(aUtlqnYP@
z8-11AlyQO#+fv_M)V=_n+bkG$TJ5%3gR6u>N_zF?5Bh_a<;*O?<;y2AD!saK(6KgC
zj9uV-g{xN4-;?Rl45UlC+KjtOaU(OSiRTLLdHd|E}rlj8)y+)_DT|mNaH*$Kd0JkpBSc-_2JeNHTsi~c!E_cAinfUEi(oDu%MF5v%?|G)G~eCn8H
zKP%)OPVG6@Q}v<#r)2Si5B=MIS4L+cH
zS3X*W6dPRUbJy3Xmw4!1MpjVN4xeYK(JV5%>lcPhyChSd`C6GdrPIAU%VQYc@qjrDcI!
zKd3#l<}F%Y)z%L8Yh3Uzbm#GFXdbYiuihUMA{Et7Sj(_26TQ;p335>tSg4`)L1%-G
z1|<}aJz>C^zc5yjbnef<1Wg&&bqi>|DamjLe#drWp(%%lK3VQD<}UfBZQ3`K?g{Rn
z^_m#7O41fO{7$_3**SI%gePa3d<@S(_U|&UIvfF?VnOW)#GB6wd5UzHtU@8J%aczY
zoiS(E_VFT$B;r7#_yFHEm~ysQ3A?#TsqzEDxIwS5yPke`M`xCd`|)8fuFlKDk)K6(
zW%1dHSF3{BS8#t{g-`T(bWo9MEF-e2ZBX$-UTfNpB7c!)b;+}j_XSu)r?Bi;lRip6xRbIYtjs
z35uPHuP-{xltRhTV0V<$5}NO6wIx#XVRoim-E${t
zsk|A!TfH0FJ{lKMBm9w~>iM}Fn@6tZn?EJnU4CW*ZF?tBpuR9ZwrlX@wgZ}t
zLnT5B57;33{aE|wdOi}Sya%FBJGrCpTy7SXl29a?bHt6G#J?w75nKV3{fMe=i*{s!
ztYEJ|mW8x(YWth3W1>H8G_!YqM;g=4Z;rij`=`@yC3^Uep1or9i$ZIaY}2l|w+AIU
zhI}Pi+o{+pEVw&%kx^YP4gq(LhvYyVxHhFvNXp6JXxv~;TA@GeKtsK$F^Dm5D3?VF
zjYP7b0L0>jaYSP0$b9H0p<5GGTewVj1X)H69KV%OX}Gc%E?nL;{!#x`CX%9B{Hid5a-jU6?;!RN|&LzKzVD(Pw2A!u^tj-Ac>7uM+8V~
zVXUTETzofQm;Y?kyQ6D|7S~4M^
zmz$>3rHIbC%x?RDKpu_II%&-I_Dt@Kc4xqc6Coi#QAu;l)(*WJ!clV#*3-#MvOpD@)$P2
zm-{u%hGls8db-~8u6M~j66GJ&G)rN7!(yd&q;)6N&U(D01Mc&cc|-lDJyf9nP(Ev_
zUu7TtUV*5`wGZ}L7X6Ab2o^!E*3Y0QV`8c&fIc7x%18E#|
zKrtr@&DW)E?JcVQHc)PNj73n!M5*c3_thyl?Rv4~tPRKM2Q01W&LHoMBDa-?_h~BM
zt;r&2vT~uNeT1lFPM*6yaforT({@wk%(!ptz43*%Qo>S+;4;@%15>u4YXJN)B6|yE8gdXYyB45B=Y>X
zD;dijnlE=iF8@1MG&psNzn2pJUIF;8_WAZl?*CRfdD*|5kHjnegFs@D?;lw{ljVPN
zKK_SV#eY`}S)_9L5C6sA7Ly>v_EX8)c9v@5XhaAvShl)yH+_C$xK`3J)h{<@B;upt
zrlUg5TC-gQ1yv^-<4?(4aakHVpf32j^uU7Pvk&@ub*zOuK92?0XF+@HH6EjPD^BW3
zbu=@cIto-Ra&2*$TnRR^;C>T`8J-ZmYE={CHUv^s$+#BjC|{RVcP_%=f}qyv`jWGA
zZWA_KRP1PJOxqn408UDa!FxP#P^tF9^9dWXNR*|O(UIDI5nFls2Q#Rt}A0k>f%
zS;z7ixm=ndT+GzRzbacRfOJkn2{vbpYVQa3d418_<{6;5}g
z8I}0a#K@B%2~NO#PwUIR(j>;CN@F#nmbSWy;C+=E$rKTfkEi?3Kk2aD?Ocsv$O?~V
z!C235Z}?aTymS`1cAE5av&5eCKTAnuRkzb_5aWG9C+281J6C6=pSO`ad0<^?1lfQ6;#-sfU6c0`qS6^IuM6g}t
z`pT^{Xwo<|t7eg_{tJb_(k92?JQSY??so#ZN&k*+-0XGbOgZdaKKurRarHBXeH=&T
z53&HH(P6Ixd|Cb^;WzgAHh@gyS989;F2_xu1GxzQG#Z1yYBZs7YoA^s&TTr#tQ8;5
zSONOwJHE*EG3dyb>3aJ%_5H>v$<1lp^x5xSeFxPewm29%W-k9LuZ1|g7G(X}sC|Ro
z2PKWevl-MYg_ej9r_%X4Z6QsL8kj9-$fFM|11Za}@wxcjG}cpSrJ8HR|BNVMzyo@cBPOii4g#OLG8lH&igKrHUAWJVA?S=OCbF&n1(>LbUP00r^i#4$Oa98;-moh>P7D!CpsT$^rAq@hZMq&Sh$D
znSgRkh8_@KDqzjOZ{NX?K7Hq<>@xf;frR5F{AN&vf{edAKY#XRfCl<~qb%cg+>?Lo
zJ^&pG+=nkZ6gnQu@p3pe126yx${%#D!jc&PihVpA^9Nsvz;S;rLFNuFvq}6x2M@7(
zF-tD2dq(?YLlQ@82oBshL8up33<
zSVfK|!_5B%lovqn1Fr@6+23sk@UuC6|3h|taXrJqFvEWHoKJDw5U_Z_Fy1Y9?m52p
z31En@e|Fm;e{KSv{273@F9Tij@xd-o@RChldYj`#EyD=VoJ;6jGH933%O8Q)fzvg>
z-Un7b%S;x>#{C1oU+@t6I+h3B9}DFwIl!2xF6&*(AW_j(;!>>|4VfdN()V&Gzp^K5
zLlPd<-V%w_A&RO;KPMRk_6t~*!ruzBLfj9z?=B>y}MzoO?H+Ld1a-mRKhSsOIh07!ky
zl~LZWQ*P1wh+uM_5UIjp3vDWhXm;T$fnNRNac*Qdcw
zP}wPDuuY~A1uCL}ST${Sh!nv!&HkEW%s!gsz?)gGJ9y)1y#iQ|KHYO-n_KS3sL<7?
zW#_=5A6Rp?^Z~~!hr@0-aA{jGdxsKDU2wNrK*jU
zd#T>`{l&u#y3M2EFkI*`Syw|fsYf?{-bV~>W_`K3%8p;TBH
zz8NL_q8GK9I(b(^06}|XO5+{&N65S2By<{ko2K5sKOP%%>E?M){+dzKi6m#2tSsW0jU%nFA$1#1_?5fJ+jS<%_p(2J1nxay$En2b6
z)gA+<8GTgx82rNk4O>oF`$>EYRUwr$R@kvRFCT&6ZOI-D4e)7}FaDTUnQk*DZOSu;
z+<97*2_Zwud(5l45`$Hu2C#x2$F?b;)rN?=_-316)044N8N59&CQ_!d*rYgQbP2K$
z&j70kpjVby3*oHNK}`_WL%pT7M+)K7Ajn$+*4CWiohEwUGS*^&Bx)_E(ETaC0GwGS
zNsC+~eWtj#YU5hUAd8CDLV|`7GJ|!DR((&yC%vmn{*GwC-I=Ip<54kJcUM1~=$^Jc
zQ^!kJyxF(6%5)g>{KAi00Drql$=wI|;fP@+!TW6&su#ItAT49_3%HLwY+j)49*?os
zFLJ#Gk{3T8jfUqe+kf4>f^`Gvibm*EH0(Zn7BH#>t&h9mID=$wPywn5g+ehv->V}S
z@5tEIEIvjtNOZb>6x~6vZv6~fGpgq2*MT|GOhzks#9s2rl88rG`ybS{J$I#P8qmSS|ROo2BMW2QeY>_6yIU)LssXFuH&B`VEbhL0~t70j@<+
z^cT5~HPbjd6ud*YMXtA>3Dl9vt|!0<<*+|M7)WI_Tjx0+_7e^bKnmmN9|RNvi1MX-
z0MZRHOQS&pkg7%!7P%xoa5sE5Az&FhLGLG_L(9h*!QQ6HJcDlhtFAft|M$8E3le~N
z2jsj876WFnG{kuJHt15%EHKV;&(uY(DNQawlu0nu5pcNm1YMuA>=9(CF^V0M#L=5#
z_3%Zmho4rx+4WCn`A>%OxBU4+Kws#0cK&Pra7IoC0Q)vmu&t@>4fy>H01OU8{iiv0
z%L__s?gOe%3