diff --git a/Playbooks/MDTI-Actor-Lookup/FunctionApp.zip b/Playbooks/MDTI-Actor-Lookup/FunctionApp.zip
new file mode 100644
index 00000000000..9f034c2efbc
Binary files /dev/null and b/Playbooks/MDTI-Actor-Lookup/FunctionApp.zip differ
diff --git a/Playbooks/MDTI-Actor-Lookup/MDTIAFunc.zip b/Playbooks/MDTI-Actor-Lookup/MDTIAFunc.zip
deleted file mode 100644
index 95b538b7762..00000000000
Binary files a/Playbooks/MDTI-Actor-Lookup/MDTIAFunc.zip and /dev/null differ
diff --git a/Playbooks/MDTI-Actor-Lookup/azuredeploy.json b/Playbooks/MDTI-Actor-Lookup/azuredeploy.json
index 837be74ed75..e8ff60960c0 100644
--- a/Playbooks/MDTI-Actor-Lookup/azuredeploy.json
+++ b/Playbooks/MDTI-Actor-Lookup/azuredeploy.json
@@ -2,13 +2,13 @@
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "metadata": {
- "title": "",
- "description": "",
+ "title": "MTI Threat Actor Lookup",
+ "description": "To be deployed with the bundled function app to automate infrastructure chaining with the MTI API",
 "prerequisites": "", "postDeployment": [ ], "prerequisitesDeployTemplateFile": "",
- "lastUpdateTime": "",
+ "lastUpdateTime": "2024-10-18T09:44:59Z",
 "entities": [ ], "tags": [ 
@@ -18,18 +18,24 @@ "armtemplate": "Generated from https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Playbook-ARM-Template-Generator" }, "author": { - "name": "" + "name": "Geoff Roote" } }, "parameters": { "PlaybookName": { "defaultValue": "MDTI-Actor-LookupV2", "type": "string" + }, + "Function App URL": { + "type": "String", + "metadata": { + "description": "Enter value for Function App URL" + } } }, "variables": { "MicrosoftSentinelConnectionName": "[concat('MicrosoftSentinel-', parameters('PlaybookName'))]", - "azuresentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]", + "AzuresentinelConnectionName": "[concat('Azuresentinel-', parameters('PlaybookName'))]", "SecuritycopilotConnectionName": "[concat('Securitycopilot-', parameters('PlaybookName'))]", "KeyvaultConnectionName": "[concat('Keyvault-', parameters('PlaybookName'))]" }, @@ -46,6 +52,10 @@ "defaultValue": { }, "type": "Object" + }, + "Function App URL": { + "defaultValue": "[parameters('Function App URL')]", + "type": "String" } }, "triggers": { @@ -121,7 +131,7 @@ }, "Compose_2": { "type": "Compose", - "inputs": "@concat(string(body('Parse_JSON_1')?['name']), ', ', string(body('Parse_JSON_1')?['description']))" + "inputs": "@concat(string(item()?['name']), ', ', string(item()?['description']))" }, "Condition_2": { "actions": { @@ -147,21 +157,9 @@ } }, "Compose_3": { - "runAfter": { - "Join_1": [ - "Succeeded" - ] - }, "type": "Compose", "inputs": "@body('Join_1')" }, - "Join_1": { - "type": "Join", - "inputs": { - "from": "@variables('entity_host')", - "joinWith": "\n" - } - }, "Submit_a_Copilot_for_Security_prompt_2": { "runAfter": { "Compose_3": [ @@ -213,7 +211,7 @@ } }, "runAfter": { - "Append_to_array_variable_1": [ + "Join_1": [ "Succeeded" ] }, 
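Review bot: The new `Function App URL` parameter is spliced into the HTTP actions as `@{parameters('Function App URL')}item=...`, so the value only works if it already ends with the function route and a `?` (the hard-coded value it replaces ended in `/api/mdtipdns?`), yet its metadata only says `Enter value for Function App URL` and `metadata.prerequisites` is still empty. A deployer who pastes the bare host name gets a malformed request with no deploy-time error. I would make the description explicit, e.g. `"description": "Full URL of the deployed function endpoint including the trailing '?', e.g. https://<function-app>.azurewebsites.net/api/<function>? (the playbook appends item=...&code=...)"` with the angle-bracket parts as placeholders. The parameter also uses `"type": "String"` while `PlaybookName` uses `"string"`; ARM appears to accept either, but the file should pick one.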
@@ -232,6 +230,18 @@ ] }, "type": "If" + }, + "Join_1": { + "runAfter": { + "Append_to_array_variable_1": [ + "Succeeded" + ] + }, + "type": "Join", + "inputs": { + "from": "@variables('entity_host')", + "joinWith": "\n" + } } }, "runAfter": { @@ -355,7 +365,7 @@ }, "Compose": { "type": "Compose", - "inputs": "@concat(string(body('Parse_JSON')?['name']), ', ', string(body('Parse_JSON')?['description']))" + "inputs": "@concat(string(item()?['name']), ', ', string(item()?['description']))" }, "Condition_1": { "actions": { @@ -381,21 +391,9 @@ } }, "Compose_1": { - "runAfter": { - "Join": [ - "Succeeded" - ] - }, "type": "Compose", "inputs": "replace(replace(body('Join'), 'Cyber Threat Intelligence', ''), ',', '')" }, - "Join": { - "type": "Join", - "inputs": { - "from": "@variables('entity_ip')", - "joinWith": "\n" - } - }, "Submit_a_Copilot_for_Security_prompt_1": { "runAfter": { "Compose_1": [ @@ -447,7 +445,7 @@ } }, "runAfter": { - "Append_to_array_variable": [ + "Join": [ "Succeeded" ] }, @@ -466,6 +464,18 @@ ] }, "type": "If" + }, + "Join": { + "runAfter": { + "Append_to_array_variable": [ + "Succeeded" + ] + }, + "type": "Join", + "inputs": { + "from": "@variables('entity_ip')", + "joinWith": "\n" + } } }, "runAfter": { 
@@ -572,111 +582,222 @@ "For_each_3": { "foreach": "@body('Entities_-_Get_IPs')?['IPs']", "actions": { - "Append_to_array_variable_3": { - "runAfter": { - "Function_App_call": [ - "Succeeded" - ] - }, - "type": "AppendToArrayVariable", + "Function_App_call": { + "type": "Http", "inputs": { - "name": "groups", - "value": "@body('Function_App_call')" - } + "uri": "@{parameters('Function App URL')}item=@{items('For_each_3')?['Address']}\u0026code=@{body('Get_secret')?['value']}", + "method": "POST" + }, + "operationOptions": "DisableAsyncPattern" }, - "For_each_7": { - "foreach": "@variables('groups')", + "Condition_3": { "actions": { - "Compose_6": { - "type": "Compose", - "inputs": "@split(items('For_each_7'), ', ')\r\n" + "Parse_JSON_3": { + "type": "ParseJson", + "inputs": { + "content": "@body('Function_App_call')", + "schema": { + "type": "array", + "items": { + "type": "string" + } + } + } }, - "Compose_7": { + "Select_1": { "runAfter": { - "Compose_6": [ + "Parse_JSON_3": [ "Succeeded" ] }, - "type": "Compose", - "inputs": "@first(outputs('Compose_6'))\r\n" + "type": "Select", + "inputs": { + "from": "@body('Parse_JSON_3')", + "select": { + "Group": "@split(item(), ',')[0]" + } + } + }, + "Select_2": { + "runAfter": { + "Compose_4": [ + "Succeeded" + ] + }, + "type": "Select", + "inputs": { + "from": "@body('Parse_JSON_3')", + "select": { + "Group": "@split(item(), ',')[0]", + "Domain": "@split(item(), ',')[1]" + } + } }, - "Condition": { + "For_each_5": { + "foreach": "@body('Select_2')", "actions": { - "Add_comment_to_incident_(V3)_1": { - "runAfter": { - "Submit_a_Copilot_for_Security_prompt": [ - "Succeeded" - ] - }, - "type": "ApiConnection", + "Append_to_array_variable_3": { + "type": "AppendToArrayVariable", "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" + "name": "groups", + "value": "@items('For_each_5')" + } + } + }, + "runAfter": { + "Select_2": [ + "Succeeded" + ] + }, + "type": 
"Foreach" + }, + "Compose_4": { + "runAfter": { + "Select_1": [ + "Succeeded" + ] + }, + "type": "Compose", + "inputs": "@union(body('Select_1'), body('Select_1'))" + } + }, + "runAfter": { + "Function_App_call": [ + "Succeeded" + ] + }, + "else": { + "actions": { + } + }, + "expression": { + "and": [ + { + "greater": [ + "@length(body('Function_App_Call'))", + 2 + ] + }, + { + "not": { + "equals": [ + "@body('Function_App_call')", + "" + ] + } + } + ] + }, + "type": "If" + }, + "Condition_9": { + "actions": { + "For_each_7": { + "foreach": "@outputs('Compose_4')", + "actions": { + "Condition": { + "actions": { + "Add_comment_to_incident_(V3)_1": { + "runAfter": { + "Submit_a_Copilot_for_Security_prompt": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "\u003cp class=\"editor-paragraph\"\u003eActor Group Name: @{items('For_each_7')}\u003c/p\u003e\u003cbr\u003e\u003cp class=\"editor-paragraph\"\u003eCopilot Summary: @{body('Submit_a_Copilot_for_Security_prompt')?['EvaluationResultContent']}\u003c/p\u003e" + }, + "path": "/Incidents/Comment" } }, - "method": "post", - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "\u003cp class=\"editor-paragraph\"\u003eActor Group Name: @{outputs('Compose_7')}\u003c/p\u003e\u003cbr\u003e\u003cp class=\"editor-paragraph\"\u003eCopilot Summary: @{body('Submit_a_Copilot_for_Security_prompt')?['EvaluationResultContent']}\u003c/p\u003e" - }, - "path": "/Incidents/Comment" - } - }, - "Add_comment_to_incident_(V3)_4": { - "runAfter": { - "Add_comment_to_incident_(V3)_1": [ - "Succeeded" - ] + "Submit_a_Copilot_for_Security_prompt": { + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['securitycopilot']['connectionId']" + } + 
}, + "method": "post", + "body": { + "PromptContent": "Provide a summary for actor group @{items('For_each_7')}" + }, + "path": "/process-prompt" + } + } }, - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" + "else": { + "actions": { + } + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@items('For_each_7')", + "" + ] + } + }, + { + "contains": [ + "@items('For_each_7')", + "Group" + ] } - }, - "method": "post", - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "\u003cp class=\"editor-paragraph\"\u003eActor Groups and associated domains:\u003c/p\u003e\u003cbr\u003e\u003cp class=\"editor-paragraph\"\u003e@{body('Create_HTML_table')}\u003c/p\u003e" - }, - "path": "/Incidents/Comment" - } - }, - "Create_HTML_table": { - "type": "Table", - "inputs": { - "from": "@variables('groups')", - "format": "HTML" - } - }, - "Submit_a_Copilot_for_Security_prompt": { - "runAfter": { - "Create_HTML_table": [ - "Succeeded" ] }, - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['securitycopilot']['connectionId']" - } - }, - "method": "post", - "body": { - "PromptContent": "Provide a summary for actor group @{outputs('Compose_7')}" - }, - "path": "/process-prompt" + "type": "If" + } + }, + "type": "Foreach" + }, + "Create_HTML_table_2": { + "runAfter": { + "For_each_7": [ + "Succeeded" + ] + }, + "type": "Table", + "inputs": { + "from": "@variables('groups')", + "format": "HTML" + } + }, + "Add_comment_to_incident_(V3)_4": { + "runAfter": { + "Create_HTML_table_2": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" } }, + "method": "post", + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "\u003cp class=\"editor-paragraph\"\u003eActor Groups 
and associated domains:\u003c/p\u003e\u003cbr\u003e\u003cp class=\"editor-paragraph\"\u003e@{body('Create_HTML_table_2')}\u003c/p\u003e\u003cbr\u003e\u003cbr\u003e" + }, + "path": "/Incidents/Comment" + } + }, + "For_each_9": { + "foreach": "@body('Select_1')", + "actions": { "Update_incident_1": { - "runAfter": { - "Add_comment_to_incident_(V3)_4": [ - "Succeeded" - ] - }, "type": "ApiConnection", "inputs": { "host": { @@ -690,7 +811,7 @@ "tagsToAdd": { "TagsToAdd": [ { - "Tag": "@outputs('Compose_7')" + "Tag": "@item()['Group']" } ] }, @@ -702,61 +823,43 @@ } }, "runAfter": { - "Compose_7": [ + "Add_comment_to_incident_(V3)_4": [ "Succeeded" ] }, - "else": { - "actions": { - } - }, - "expression": { - "and": [ - { - "not": { - "equals": [ - "@outputs('Compose_7')", - "" - ] - } - }, - { - "not": { - "equals": [ - "@length(outputs('Compose_7'))", - 0 - ] - } - } - ] - }, - "type": "If" + "type": "Foreach" } }, "runAfter": { - "Append_to_array_variable_3": [ + "Condition_3": [ "Succeeded" ] }, - "type": "Foreach" - }, - "Function_App_call": { - "type": "Http", - "inputs": { - "uri": "https://mdti-lookup.azurewebsites.net/api/mdtipdns?item=@{items('For_each_3')?['Address']}\u0026code=@{body('Get_secret')?['value']}", - "method": "POST" - }, - "runtimeConfiguration": { - "contentTransfer": { - "transferMode": "Chunked" - }, - "secureData": { - "properties": [ - "inputs", - "outputs" - ] + "else": { + "actions": { } - } + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@body('Select_1')", + "" + ] + } + }, + { + "not": { + "equals": [ + "@length(variables('groups'))", + 0 + ] + } + } + ] + }, + "type": "If" } }, "runAfter": { 
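Review bot: The relocated `Function_App_call` action drops the `runtimeConfiguration.secureData` block that the old definition carried (its removal is visible in the `@@ -702` hunk), while its `uri` still embeds `code=@{body('Get_secret')?['value']}`; without secure inputs/outputs the function key pulled from Key Vault is written in clear to the Logic App run history, readable by anyone with Reader on the workflow. The same regression applies to `Function_App_call_1` in the `@@ -764` hunk (old block removed in `@@ -899`). The `Condition_3` expression also references `body('Function_App_Call')` with a capital C while the action is named `Function_App_call`; if the engine resolves action names case-sensitively this fails at save time, so match the exact name. Re-adding the secure-data setting to the action looks like this:

```json
"Function_App_call": {
  "type": "Http",
  "inputs": {
    "uri": "@{parameters('Function App URL')}item=@{items('For_each_3')?['Address']}\u0026code=@{body('Get_secret')?['value']}",
    "method": "POST"
  },
  "operationOptions": "DisableAsyncPattern",
  "runtimeConfiguration": {
    "secureData": {
      "properties": [
        "inputs",
        "outputs"
      ]
    }
  }
},
```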
@@ -764,116 +867,232 @@ "Succeeded" ] }, - "type": "Foreach" + "type": "Foreach", + "runtimeConfiguration": { + "concurrency": { + "repetitions": 1 + } + } }, "For_each_3-copy": { "foreach": "@body('Entities_-_Get_Hosts')?['Hosts']", "actions": { - "Append_to_array_variable_4": { - "runAfter": { - "Function_App_call_1": [ - "Succeeded" - ] - }, - "type": "AppendToArrayVariable", + "Function_App_call_1": { + "type": "Http", "inputs": { - "name": "hostpivot", - "value": "@body('Function_App_call_1')" - } + "uri": "@{parameters('Function App URL')}item=@{item()?['HostName']}.@{item()?['DnsDomain']}\u0026code=@{body('Get_secret')?['value']}", + "method": "POST" + }, + "operationOptions": "DisableAsyncPattern" }, - "For_each_8": { - "foreach": "@variables('hostpivot')", + "Condition_5": { "actions": { - "Compose_8": { - "type": "Compose", - "inputs": "@split(items('For_each_8'), ', ')\r\n" + "Parse_JSON_2": { + "type": "ParseJson", + "inputs": { + "content": "@body('Function_App_call_1')", + "schema": { + "type": "array", + "items": { + "type": "string" + } + } + } }, - "Compose_9": { + "Select": { "runAfter": { - "Compose_8": [ + "Parse_JSON_2": [ "Succeeded" ] }, - "type": "Compose", - "inputs": "@first(outputs('Compose_8'))\r\n" + "type": "Select", + "inputs": { + "from": "@body('Parse_JSON_2')", + "select": { + "Group": "@split(item(), ',')[0]" + } + } + }, + "Select_4": { + "runAfter": { + "Compose_5": [ + "Succeeded" + ] + }, + "type": "Select", + "inputs": { + "from": "@body('Parse_JSON_2')", + "select": { + "Group": "@split(item(), ',')[0]", + "Domain": "@split(item(), ',')[1]" + } + } }, - "Condition_4": { + "For_each_1": { + "foreach": "@body('Select_4')", "actions": { - "Add_comment_to_incident_(V3)_5": { - "runAfter": { - "Submit_a_Copilot_for_Security_prompt_4": [ - "Succeeded" - ] - }, - "type": "ApiConnection", + "Append_to_array_variable_2": { + "type": "AppendToArrayVariable", "inputs": { - "host": { - "connection": { - "name": 
"@parameters('$connections')['azuresentinel']['connectionId']" + "name": "hostpivot", + "value": "@items('For_each_1')" + } + } + }, + "runAfter": { + "Select_4": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Compose_5": { + "runAfter": { + "Select": [ + "Succeeded" + ] + }, + "type": "Compose", + "inputs": "@union(body('Select'), body('Select'))" + } + }, + "runAfter": { + "Function_App_call_1": [ + "Succeeded" + ] + }, + "else": { + "actions": { + } + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@body('Function_App_call_1')", + "" + ] + } + }, + { + "greater": [ + "@length(body('Function_App_Call_1'))", + 2 + ] + } + ] + }, + "type": "If" + }, + "Condition_8": { + "actions": { + "For_each_8": { + "foreach": "@outputs('Compose_5')", + "actions": { + "Condition_4": { + "actions": { + "Add_comment_to_incident_(V3)_5": { + "runAfter": { + "Submit_a_Copilot_for_Security_prompt_4": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "\u003cp class=\"editor-paragraph\"\u003eActor Group Name: @{items('For_each_8')}\u003c/p\u003e\u003cbr\u003e\u003cp class=\"editor-paragraph\"\u003eCopilot Summary: @{body('Submit_a_Copilot_for_Security_prompt_4')?['EvaluationResultContent']}\u003c/p\u003e" + }, + "path": "/Incidents/Comment" } }, - "method": "post", - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "\u003cp class=\"editor-paragraph\"\u003eActor Group Name: @{outputs('Compose_9')}\u003c/p\u003e\u003cbr\u003e\u003cp class=\"editor-paragraph\"\u003eCopilot Summary: @{body('Submit_a_Copilot_for_Security_prompt_4')?['EvaluationResultContent']}\u003c/p\u003e" - }, - "path": "/Incidents/Comment" - } - }, - "Add_comment_to_incident_(V3)_6": { - "runAfter": { - "Add_comment_to_incident_(V3)_5": [ - 
"Succeeded" - ] + "Submit_a_Copilot_for_Security_prompt_4": { + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['securitycopilot']['connectionId']" + } + }, + "method": "post", + "body": { + "PromptContent": "Provide a summary for actor group @{items('For_each_8')}" + }, + "path": "/process-prompt" + } + } }, - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" + "else": { + "actions": { + } + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@items('For_each_8')", + "" + ] + } + }, + { + "contains": [ + "@items('For_each_8')", + "Group" + ] } - }, - "method": "post", - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "\u003cp class=\"editor-paragraph\"\u003eActor Groups and associated domains:\u003c/p\u003e\u003cbr\u003e\u003cp class=\"editor-paragraph\"\u003e@{body('Create_HTML_table_1')}\u003c/p\u003e" - }, - "path": "/Incidents/Comment" - } - }, - "Create_HTML_table_1": { - "type": "Table", - "inputs": { - "from": "@variables('hostpivot')", - "format": "HTML" - } - }, - "Submit_a_Copilot_for_Security_prompt_4": { - "runAfter": { - "Create_HTML_table_1": [ - "Succeeded" ] }, - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['securitycopilot']['connectionId']" - } - }, - "method": "post", - "body": { - "PromptContent": "Provide a summary for actor group @{outputs('Compose_9')}" - }, - "path": "/process-prompt" + "type": "If" + } + }, + "type": "Foreach" + }, + "Create_HTML_table_1": { + "runAfter": { + "For_each_8": [ + "Succeeded" + ] + }, + "type": "Table", + "inputs": { + "from": "@variables('hostpivot')", + "format": "HTML" + } + }, + "Add_comment_to_incident_(V3)_6": { + "runAfter": { + "Create_HTML_table_1": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + 
"name": "@parameters('$connections')['azuresentinel']['connectionId']" } }, - "Update_incident_4": { - "runAfter": { - "Add_comment_to_incident_(V3)_6": [ - "Succeeded" - ] - }, + "method": "post", + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "\u003cp class=\"editor-paragraph\"\u003eActor Groups and associated domains:\u003c/p\u003e\u003cbr\u003e\u003cp class=\"editor-paragraph\"\u003e@{body('Create_HTML_table_1')}\u003c/p\u003e" + }, + "path": "/Incidents/Comment" + } + }, + "For_each_10": { + "foreach": "@body('Select')", + "actions": { + "Update_incident_3": { "type": "ApiConnection", "inputs": { "host": { @@ -887,7 +1106,7 @@ "tagsToAdd": { "TagsToAdd": [ { - "Tag": "@outputs('Compose_9')" + "Tag": "@item()['Group']" } ] }, @@ -899,61 +1118,43 @@ } }, "runAfter": { - "Compose_9": [ + "Add_comment_to_incident_(V3)_6": [ "Succeeded" ] }, - "else": { - "actions": { - } - }, - "expression": { - "and": [ - { - "not": { - "equals": [ - "@outputs('Compose_9')", - "" - ] - } - }, - { - "not": { - "equals": [ - "@length(outputs('Compose_9'))", - 0 - ] - } - } - ] - }, - "type": "If" + "type": "Foreach" } }, "runAfter": { - "Append_to_array_variable_4": [ + "Condition_5": [ "Succeeded" ] }, - "type": "Foreach" - }, - "Function_App_call_1": { - "type": "Http", - "inputs": { - "uri": "https://mdti-lookup.azurewebsites.net/api/mdtipdns?item=@{item()?['HostName']}.@{item()?['DnsDomain']}\u0026code=@{body('Get_secret')?['value']}", - "method": "POST" - }, - "runtimeConfiguration": { - "contentTransfer": { - "transferMode": "Chunked" - }, - "secureData": { - "properties": [ - "inputs", - "outputs" - ] + "else": { + "actions": { } - } + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@body('Select')", + "" + ] + } + }, + { + "not": { + "equals": [ + "@length(variables('hostpivot'))", + 0 + ] + } + } + ] + }, + "type": "If" } }, "runAfter": { 
@@ -963,20 +1164,6 @@ }, "type": "Foreach" }, - "Get_secret": { - "runAfter": { - }, - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['Keyvault']['connectionId']" - } - }, - "method": "get", - "path": "/secrets/@{encodeURIComponent('MDTI-Function-App')}/value" - } - }, "Initialize_variable": { "runAfter": { "Entities_-_Get_IPs": [ @@ -1082,6 +1269,20 @@ "triggerName": "manual" } } + }, + "Get_secret": { + "runAfter": { + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['keyvault']['connectionId']" + } + }, + "method": "get", + "path": "/secrets/@{encodeURIComponent('MechanicsDemo-AzureFunction')}/value" + } } }, "outputs": { 
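Review bot: The re-added `Get_secret` action now hard-codes the secret name `MechanicsDemo-AzureFunction` in `"path": "/secrets/@{encodeURIComponent('MechanicsDemo-AzureFunction')}/value"`, which reads like a demo-tenant artifact rather than a name every customer will have created, and nothing in `metadata.prerequisites` documents it. I would expose the secret name as a template parameter the same way `Function App URL` is, and reference it via the workflow parameters block. Because this action's output is the function key, it should also carry `"runtimeConfiguration": { "secureData": { "properties": [ "outputs" ] } }` so the value does not land in run history.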
@@ -1093,29 +1294,24 @@ "azuresentinel": { "connectionId": "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", "connectionName": "[variables('MicrosoftSentinelConnectionName')]", - "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]", "connectionProperties": { "authentication": { "type": "ManagedServiceIdentity" } } }, - "azuresentinel1": { - "connectionId": "[resourceId('Microsoft.Web/connections', variables('azuresentinelConnectionName'))]", - "connectionName": "[variables('azuresentinelConnectionName')]", - "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]", - "connectionProperties": { - "authentication": { - "type": "ManagedServiceIdentity" - } - } + "azuresentinel": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzuresentinelConnectionName'))]", + "connectionName": "[variables('AzuresentinelConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]" }, "securitycopilot": { "connectionId": "[resourceId('Microsoft.Web/connections', variables('SecuritycopilotConnectionName'))]", "connectionName": "[variables('SecuritycopilotConnectionName')]", "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Securitycopilot')]" }, - "": { + "keyvault": { "connectionId": "[resourceId('Microsoft.Web/connections', variables('KeyvaultConnectionName'))]", "connectionName": "[variables('KeyvaultConnectionName')]", "id": 
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Keyvault')]", @@ -1133,6 +1329,9 @@ "type": "Microsoft.Logic/workflows", "location": "[resourceGroup().location]", "tags": { + "CreatedDate": "10/17/2024 5:09:07 PM", + "Created By": "u1126", + "CreatorUPN": "u1126@a.alpineskihouse.co", "hidden-SentinelTemplateName": "MDTI-Actor-LookupV2", "hidden-SentinelTemplateVersion": "1.0" }, @@ -1142,7 +1341,7 @@ "apiVersion": "2017-07-01", "dependsOn": [ "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", - "[resourceId('Microsoft.Web/connections', variables('azuresentinelConnectionName'))]", + "[resourceId('Microsoft.Web/connections', variables('AzuresentinelConnectionName'))]", "[resourceId('Microsoft.Web/connections', variables('SecuritycopilotConnectionName'))]", "[resourceId('Microsoft.Web/connections', variables('KeyvaultConnectionName'))]" ] 
@@ -1159,23 +1358,22 @@
 }, "parameterValueType": "Alternative", "api": {
- "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]"
 } } }, { "type": "Microsoft.Web/connections", "apiVersion": "2016-06-01",
- "name": "[variables('azuresentinelConnectionName')]",
+ "name": "[variables('AzuresentinelConnectionName')]",
 "location": "[resourceGroup().location]", "kind": "V1", "properties": {
- "displayName": "[variables('azuresentinelConnectionName')]",
+ "displayName": "[variables('AzuresentinelConnectionName')]",
 "customParameterValues": { },
- "parameterValueType": "Alternative",
 "api": {
- "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]"
 } } },
diff --git a/Playbooks/MDTI-Actor-Lookup/function_app.py b/Playbooks/MDTI-Actor-Lookup/function_app.py
index 14bb5e95689..0d8a5e04aa4 100644
--- a/Playbooks/MDTI-Actor-Lookup/function_app.py
+++ b/Playbooks/MDTI-Actor-Lookup/function_app.py
@@ -75,6 +75,7 @@ def list_grab(item):
 logging.info(f"Fetched {len(artifact_ids)} artifacts, total so far: {len(artifact_list)}") else: logging.warning(f"'value' key not found in response: {data}")
+ continue
 # Check for the presence of @odata.nextLink services = data.get('@odata.nextLink', None)
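Review bot: The added `continue` in the `else` branch of `list_grab` skips the `services = data.get('@odata.nextLink', None)` update that follows it, and the enclosing loop's header is outside the hunk; if that loop is driven by `services` and re-requests the same URL each iteration, a persistent response without a `'value'` key (an error body, a throttling reply) now becomes an unbounded retry of the same request rather than a logged warning and a stop. If the intent is to abandon pagination on a malformed page, `break` expresses that; if the intent is to retry, the retry needs a counter or back-off so a bad upstream cannot keep the function alive indefinitely.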