From 698ca8e1786fff3ebb2f46d2bb215d195e1c134f Mon Sep 17 00:00:00 2001 From: MrSharpBones <127972050+MrSharpBones@users.noreply.github.com> Date: Thu, 24 Oct 2024 14:27:15 -0400 Subject: [PATCH 1/8] Update azuredeploy.json Parametrize the function URL --- Playbooks/MDTI-Actor-Lookup/azuredeploy.json | 846 ++++++++++++------- 1 file changed, 522 insertions(+), 324 deletions(-) diff --git a/Playbooks/MDTI-Actor-Lookup/azuredeploy.json b/Playbooks/MDTI-Actor-Lookup/azuredeploy.json index 837be74ed75..f41d28b3d5a 100644 --- a/Playbooks/MDTI-Actor-Lookup/azuredeploy.json +++ b/Playbooks/MDTI-Actor-Lookup/azuredeploy.json @@ -25,11 +25,17 @@ "PlaybookName": { "defaultValue": "MDTI-Actor-LookupV2", "type": "string" + }, + "Function App URL": { + "type": "String", + "metadata": { + "description": "Enter value for Function App URL" + } } }, "variables": { "MicrosoftSentinelConnectionName": "[concat('MicrosoftSentinel-', parameters('PlaybookName'))]", - "azuresentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]", + "AzuresentinelConnectionName": "[concat('Azuresentinel-', parameters('PlaybookName'))]", "SecuritycopilotConnectionName": "[concat('Securitycopilot-', parameters('PlaybookName'))]", "KeyvaultConnectionName": "[concat('Keyvault-', parameters('PlaybookName'))]" }, @@ -46,6 +52,10 @@ "defaultValue": { }, "type": "Object" + }, + "Function App URL": { + "defaultValue": "[parameters('Function App URL')]", + "type": "String" } }, "triggers": { @@ -121,7 +131,7 @@ }, "Compose_2": { "type": "Compose", - "inputs": "@concat(string(body('Parse_JSON_1')?['name']), ', ', string(body('Parse_JSON_1')?['description']))" + "inputs": "@concat(string(item()?['name']), ', ', string(item()?['description']))" }, "Condition_2": { "actions": { 
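Review bot: The `Function App URL` parameter added in this hunk carries only `Enter value for Function App URL` as its description, while the HTTP actions later in the patch build the request as `@{parameters('Function App URL')}item=…`, so the value must already end with the function route and a `?` or the query string is appended straight onto the path. Either say so in the metadata, e.g. `"description": "Full URL of the lookup function including the trailing '?' (https://<app>.azurewebsites.net/api/<function>?)"` with the placeholders filled in by the author, or keep a plain base URL here and put the `?` inside the `uri` expressions. The parameter's `"type": "String"` also differs from the `"string"` used by `PlaybookName` directly above it; ARM treats the type name case-insensitively as far as I know, but one spelling avoids the question.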
@@ -147,21 +157,9 @@ } }, "Compose_3": { - "runAfter": { - "Join_1": [ - "Succeeded" - ] - }, "type": "Compose", "inputs": "@body('Join_1')" }, - "Join_1": { - "type": "Join", - "inputs": { - "from": "@variables('entity_host')", - "joinWith": "\n" - } - }, "Submit_a_Copilot_for_Security_prompt_2": { "runAfter": { "Compose_3": [ @@ -213,7 +211,7 @@ } }, "runAfter": { - "Append_to_array_variable_1": [ + "Join_1": [ "Succeeded" ] }, @@ -232,6 +230,18 @@ ] }, "type": "If" + }, + "Join_1": { + "runAfter": { + "Append_to_array_variable_1": [ + "Succeeded" + ] + }, + "type": "Join", + "inputs": { + "from": "@variables('entity_host')", + "joinWith": "\n" + } } }, "runAfter": { @@ -355,7 +365,7 @@ }, "Compose": { "type": "Compose", - "inputs": "@concat(string(body('Parse_JSON')?['name']), ', ', string(body('Parse_JSON')?['description']))" + "inputs": "@concat(string(item()?['name']), ', ', string(item()?['description']))" }, "Condition_1": { "actions": { @@ -381,21 +391,9 @@ } }, "Compose_1": { - "runAfter": { - "Join": [ - "Succeeded" - ] - }, "type": "Compose", "inputs": "replace(replace(body('Join'), 'Cyber Threat Intelligence', ''), ',', '')" }, - "Join": { - "type": "Join", - "inputs": { - "from": "@variables('entity_ip')", - "joinWith": "\n" - } - }, "Submit_a_Copilot_for_Security_prompt_1": { "runAfter": { "Compose_1": [ @@ -447,7 +445,7 @@ } }, "runAfter": { - "Append_to_array_variable": [ + "Join": [ "Succeeded" ] }, @@ -466,6 +464,18 @@ ] }, "type": "If" + }, + "Join": { + "runAfter": { + "Append_to_array_variable": [ + "Succeeded" + ] + }, + "type": "Join", + "inputs": { + "from": "@variables('entity_ip')", + "joinWith": "\n" + } } }, "runAfter": { 
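Review bot: `Compose_1`, whose `runAfter` this hunk removes, still has an input of `replace(replace(body('Join'), 'Cyber Threat Intelligence', ''), ',', '')` with no leading `@`, so the runtime presumably stores that text literally instead of evaluating it; every other `Compose` input in the file starts with `@`. The defect predates the commit, but since the action is being edited here this is the place to fix it: `"inputs": "@replace(replace(body('Join'), 'Cyber Threat Intelligence', ''), ',', '')"`. I cannot see from the hunk whether anything downstream re-evaluates the string, so confirm against the prompt sent by `Submit_a_Copilot_for_Security_prompt_1`.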
@@ -572,111 +582,222 @@ "For_each_3": { "foreach": "@body('Entities_-_Get_IPs')?['IPs']", "actions": { - "Append_to_array_variable_3": { - "runAfter": { - "Function_App_call": [ - "Succeeded" - ] - }, - "type": "AppendToArrayVariable", + "Function_App_call": { + "type": "Http", "inputs": { - "name": "groups", - "value": "@body('Function_App_call')" - } + "uri": "@{parameters('Function App URL')}item=@{items('For_each_3')?['Address']}\u0026code=@{body('Get_secret')?['value']}", + "method": "POST" + }, + "operationOptions": "DisableAsyncPattern" }, - "For_each_7": { - "foreach": "@variables('groups')", + "Condition_3": { "actions": { - "Compose_6": { - "type": "Compose", - "inputs": "@split(items('For_each_7'), ', ')\r\n" + "Parse_JSON_3": { + "type": "ParseJson", + "inputs": { + "content": "@body('Function_App_call')", + "schema": { + "type": "array", + "items": { + "type": "string" + } + } + } }, - "Compose_7": { + "Select_1": { "runAfter": { - "Compose_6": [ + "Parse_JSON_3": [ "Succeeded" ] }, - "type": "Compose", - "inputs": "@first(outputs('Compose_6'))\r\n" + "type": "Select", + "inputs": { + "from": "@body('Parse_JSON_3')", + "select": { + "Group": "@split(item(), ',')[0]" + } + } + }, + "Select_2": { + "runAfter": { + "Compose_4": [ + "Succeeded" + ] + }, + "type": "Select", + "inputs": { + "from": "@body('Parse_JSON_3')", + "select": { + "Group": "@split(item(), ',')[0]", + "Domain": "@split(item(), ',')[1]" + } + } }, - "Condition": { + "For_each_5": { + "foreach": "@body('Select_2')", "actions": { - "Add_comment_to_incident_(V3)_1": { - "runAfter": { - "Submit_a_Copilot_for_Security_prompt": [ - "Succeeded" - ] - }, - "type": "ApiConnection", + "Append_to_array_variable_3": { + "type": "AppendToArrayVariable", "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" + "name": "groups", + "value": "@items('For_each_5')" + } + } + }, + "runAfter": { + "Select_2": [ + "Succeeded" + ] + }, + "type": 
"Foreach" + }, + "Compose_4": { + "runAfter": { + "Select_1": [ + "Succeeded" + ] + }, + "type": "Compose", + "inputs": "@union(body('Select_1'), body('Select_1'))" + } + }, + "runAfter": { + "Function_App_call": [ + "Succeeded" + ] + }, + "else": { + "actions": { + } + }, + "expression": { + "and": [ + { + "greater": [ + "@length(body('Function_App_Call'))", + 2 + ] + }, + { + "not": { + "equals": [ + "@body('Function_App_call')", + "" + ] + } + } + ] + }, + "type": "If" + }, + "Condition_9": { + "actions": { + "For_each_7": { + "foreach": "@outputs('Compose_4')", + "actions": { + "Condition": { + "actions": { + "Add_comment_to_incident_(V3)_1": { + "runAfter": { + "Submit_a_Copilot_for_Security_prompt": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "\u003cp class=\"editor-paragraph\"\u003eActor Group Name: @{items('For_each_7')}\u003c/p\u003e\u003cbr\u003e\u003cp class=\"editor-paragraph\"\u003eCopilot Summary: @{body('Submit_a_Copilot_for_Security_prompt')?['EvaluationResultContent']}\u003c/p\u003e" + }, + "path": "/Incidents/Comment" } }, - "method": "post", - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "\u003cp class=\"editor-paragraph\"\u003eActor Group Name: @{outputs('Compose_7')}\u003c/p\u003e\u003cbr\u003e\u003cp class=\"editor-paragraph\"\u003eCopilot Summary: @{body('Submit_a_Copilot_for_Security_prompt')?['EvaluationResultContent']}\u003c/p\u003e" - }, - "path": "/Incidents/Comment" - } - }, - "Add_comment_to_incident_(V3)_4": { - "runAfter": { - "Add_comment_to_incident_(V3)_1": [ - "Succeeded" - ] + "Submit_a_Copilot_for_Security_prompt": { + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['securitycopilot']['connectionId']" + } + 
}, + "method": "post", + "body": { + "PromptContent": "Provide a summary for actor group @{items('For_each_7')}" + }, + "path": "/process-prompt" + } + } }, - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" + "else": { + "actions": { + } + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@items('For_each_7')", + "" + ] + } + }, + { + "contains": [ + "@items('For_each_7')", + "Group" + ] } - }, - "method": "post", - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "\u003cp class=\"editor-paragraph\"\u003eActor Groups and associated domains:\u003c/p\u003e\u003cbr\u003e\u003cp class=\"editor-paragraph\"\u003e@{body('Create_HTML_table')}\u003c/p\u003e" - }, - "path": "/Incidents/Comment" - } - }, - "Create_HTML_table": { - "type": "Table", - "inputs": { - "from": "@variables('groups')", - "format": "HTML" - } - }, - "Submit_a_Copilot_for_Security_prompt": { - "runAfter": { - "Create_HTML_table": [ - "Succeeded" ] }, - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['securitycopilot']['connectionId']" - } - }, - "method": "post", - "body": { - "PromptContent": "Provide a summary for actor group @{outputs('Compose_7')}" - }, - "path": "/process-prompt" + "type": "If" + } + }, + "type": "Foreach" + }, + "Create_HTML_table_2": { + "runAfter": { + "For_each_7": [ + "Succeeded" + ] + }, + "type": "Table", + "inputs": { + "from": "@variables('groups')", + "format": "HTML" + } + }, + "Add_comment_to_incident_(V3)_4": { + "runAfter": { + "Create_HTML_table_2": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" } }, + "method": "post", + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "\u003cp class=\"editor-paragraph\"\u003eActor Groups 
and associated domains:\u003c/p\u003e\u003cbr\u003e\u003cp class=\"editor-paragraph\"\u003e@{body('Create_HTML_table_2')}\u003c/p\u003e\u003cbr\u003e\u003cbr\u003e" + }, + "path": "/Incidents/Comment" + } + }, + "For_each_9": { + "foreach": "@body('Select_1')", + "actions": { "Update_incident_1": { - "runAfter": { - "Add_comment_to_incident_(V3)_4": [ - "Succeeded" - ] - }, "type": "ApiConnection", "inputs": { "host": { @@ -690,7 +811,7 @@ "tagsToAdd": { "TagsToAdd": [ { - "Tag": "@outputs('Compose_7')" + "Tag": "@item()['Group']" } ] }, @@ -702,61 +823,43 @@ } }, "runAfter": { - "Compose_7": [ + "Add_comment_to_incident_(V3)_4": [ "Succeeded" ] }, - "else": { - "actions": { - } - }, - "expression": { - "and": [ - { - "not": { - "equals": [ - "@outputs('Compose_7')", - "" - ] - } - }, - { - "not": { - "equals": [ - "@length(outputs('Compose_7'))", - 0 - ] - } - } - ] - }, - "type": "If" + "type": "Foreach" } }, "runAfter": { - "Append_to_array_variable_3": [ + "Condition_3": [ "Succeeded" ] }, - "type": "Foreach" - }, - "Function_App_call": { - "type": "Http", - "inputs": { - "uri": "https://mdti-lookup.azurewebsites.net/api/mdtipdns?item=@{items('For_each_3')?['Address']}\u0026code=@{body('Get_secret')?['value']}", - "method": "POST" - }, - "runtimeConfiguration": { - "contentTransfer": { - "transferMode": "Chunked" - }, - "secureData": { - "properties": [ - "inputs", - "outputs" - ] + "else": { + "actions": { } - } + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@body('Select_1')", + "" + ] + } + }, + { + "not": { + "equals": [ + "@length(variables('groups'))", + 0 + ] + } + } + ] + }, + "type": "If" } }, "runAfter": { 
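Review bot: The rewritten `Function_App_call` action at the top of this hunk no longer carries the `runtimeConfiguration.secureData` block the removed version had (deleted further down, in the `@@ -702` hunk), yet its `uri` still embeds the function key from `@{body('Get_secret')?['value']}`; without `secureData`, the key and the lookup response are written in clear to the run history for anyone who can read it. The same regression applies to `Function_App_call_1` in the `@@ -764` hunk. Re-add `"runtimeConfiguration": { "secureData": { "properties": [ "inputs", "outputs" ] } }` to both HTTP actions, and consider the same on `Get_secret`, whose output is the secret itself. Two smaller points in the same hunk: `Condition_3` tests `@length(body('Function_App_Call'))` while the action is named `Function_App_call` (likewise `Function_App_Call_1` in `Condition_5`), which I would align rather than rely on case-insensitive action lookup, and `@{items('For_each_3')?['Address']}` goes into the query string unencoded, where `encodeUriComponent(items('For_each_3')?['Address'])` would keep reserved characters in an entity value from changing the request. `For_each_3` itself closes outside this hunk.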
@@ -764,116 +867,232 @@ "Succeeded" ] }, - "type": "Foreach" + "type": "Foreach", + "runtimeConfiguration": { + "concurrency": { + "repetitions": 1 + } + } }, "For_each_3-copy": { "foreach": "@body('Entities_-_Get_Hosts')?['Hosts']", "actions": { - "Append_to_array_variable_4": { - "runAfter": { - "Function_App_call_1": [ - "Succeeded" - ] - }, - "type": "AppendToArrayVariable", + "Function_App_call_1": { + "type": "Http", "inputs": { - "name": "hostpivot", - "value": "@body('Function_App_call_1')" - } + "uri": "@{parameters('Function App URL')}item=@{item()?['HostName']}.@{item()?['DnsDomain']}\u0026code=@{body('Get_secret')?['value']}", + "method": "POST" + }, + "operationOptions": "DisableAsyncPattern" }, - "For_each_8": { - "foreach": "@variables('hostpivot')", + "Condition_5": { "actions": { - "Compose_8": { - "type": "Compose", - "inputs": "@split(items('For_each_8'), ', ')\r\n" + "Parse_JSON_2": { + "type": "ParseJson", + "inputs": { + "content": "@body('Function_App_call_1')", + "schema": { + "type": "array", + "items": { + "type": "string" + } + } + } }, - "Compose_9": { + "Select": { "runAfter": { - "Compose_8": [ + "Parse_JSON_2": [ "Succeeded" ] }, - "type": "Compose", - "inputs": "@first(outputs('Compose_8'))\r\n" + "type": "Select", + "inputs": { + "from": "@body('Parse_JSON_2')", + "select": { + "Group": "@split(item(), ',')[0]" + } + } + }, + "Select_4": { + "runAfter": { + "Compose_5": [ + "Succeeded" + ] + }, + "type": "Select", + "inputs": { + "from": "@body('Parse_JSON_2')", + "select": { + "Group": "@split(item(), ',')[0]", + "Domain": "@split(item(), ',')[1]" + } + } }, - "Condition_4": { + "For_each_1": { + "foreach": "@body('Select_4')", "actions": { - "Add_comment_to_incident_(V3)_5": { - "runAfter": { - "Submit_a_Copilot_for_Security_prompt_4": [ - "Succeeded" - ] - }, - "type": "ApiConnection", + "Append_to_array_variable_2": { + "type": "AppendToArrayVariable", "inputs": { - "host": { - "connection": { - "name": 
"@parameters('$connections')['azuresentinel']['connectionId']" + "name": "hostpivot", + "value": "@items('For_each_1')" + } + } + }, + "runAfter": { + "Select_4": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Compose_5": { + "runAfter": { + "Select": [ + "Succeeded" + ] + }, + "type": "Compose", + "inputs": "@union(body('Select'), body('Select'))" + } + }, + "runAfter": { + "Function_App_call_1": [ + "Succeeded" + ] + }, + "else": { + "actions": { + } + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@body('Function_App_call_1')", + "" + ] + } + }, + { + "greater": [ + "@length(body('Function_App_Call_1'))", + 2 + ] + } + ] + }, + "type": "If" + }, + "Condition_8": { + "actions": { + "For_each_8": { + "foreach": "@outputs('Compose_5')", + "actions": { + "Condition_4": { + "actions": { + "Add_comment_to_incident_(V3)_5": { + "runAfter": { + "Submit_a_Copilot_for_Security_prompt_4": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "\u003cp class=\"editor-paragraph\"\u003eActor Group Name: @{items('For_each_8')}\u003c/p\u003e\u003cbr\u003e\u003cp class=\"editor-paragraph\"\u003eCopilot Summary: @{body('Submit_a_Copilot_for_Security_prompt_4')?['EvaluationResultContent']}\u003c/p\u003e" + }, + "path": "/Incidents/Comment" } }, - "method": "post", - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "\u003cp class=\"editor-paragraph\"\u003eActor Group Name: @{outputs('Compose_9')}\u003c/p\u003e\u003cbr\u003e\u003cp class=\"editor-paragraph\"\u003eCopilot Summary: @{body('Submit_a_Copilot_for_Security_prompt_4')?['EvaluationResultContent']}\u003c/p\u003e" - }, - "path": "/Incidents/Comment" - } - }, - "Add_comment_to_incident_(V3)_6": { - "runAfter": { - "Add_comment_to_incident_(V3)_5": [ - 
"Succeeded" - ] + "Submit_a_Copilot_for_Security_prompt_4": { + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['securitycopilot']['connectionId']" + } + }, + "method": "post", + "body": { + "PromptContent": "Provide a summary for actor group @{items('For_each_8')}" + }, + "path": "/process-prompt" + } + } }, - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" + "else": { + "actions": { + } + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@items('For_each_8')", + "" + ] + } + }, + { + "contains": [ + "@items('For_each_8')", + "Group" + ] } - }, - "method": "post", - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "\u003cp class=\"editor-paragraph\"\u003eActor Groups and associated domains:\u003c/p\u003e\u003cbr\u003e\u003cp class=\"editor-paragraph\"\u003e@{body('Create_HTML_table_1')}\u003c/p\u003e" - }, - "path": "/Incidents/Comment" - } - }, - "Create_HTML_table_1": { - "type": "Table", - "inputs": { - "from": "@variables('hostpivot')", - "format": "HTML" - } - }, - "Submit_a_Copilot_for_Security_prompt_4": { - "runAfter": { - "Create_HTML_table_1": [ - "Succeeded" ] }, - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['securitycopilot']['connectionId']" - } - }, - "method": "post", - "body": { - "PromptContent": "Provide a summary for actor group @{outputs('Compose_9')}" - }, - "path": "/process-prompt" + "type": "If" + } + }, + "type": "Foreach" + }, + "Create_HTML_table_1": { + "runAfter": { + "For_each_8": [ + "Succeeded" + ] + }, + "type": "Table", + "inputs": { + "from": "@variables('hostpivot')", + "format": "HTML" + } + }, + "Add_comment_to_incident_(V3)_6": { + "runAfter": { + "Create_HTML_table_1": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + 
"name": "@parameters('$connections')['azuresentinel']['connectionId']" } }, - "Update_incident_4": { - "runAfter": { - "Add_comment_to_incident_(V3)_6": [ - "Succeeded" - ] - }, + "method": "post", + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "\u003cp class=\"editor-paragraph\"\u003eActor Groups and associated domains:\u003c/p\u003e\u003cbr\u003e\u003cp class=\"editor-paragraph\"\u003e@{body('Create_HTML_table_1')}\u003c/p\u003e" + }, + "path": "/Incidents/Comment" + } + }, + "For_each_10": { + "foreach": "@body('Select')", + "actions": { + "Update_incident_3": { "type": "ApiConnection", "inputs": { "host": { @@ -887,7 +1106,7 @@ "tagsToAdd": { "TagsToAdd": [ { - "Tag": "@outputs('Compose_9')" + "Tag": "@item()['Group']" } ] }, @@ -899,61 +1118,43 @@ } }, "runAfter": { - "Compose_9": [ + "Add_comment_to_incident_(V3)_6": [ "Succeeded" ] }, - "else": { - "actions": { - } - }, - "expression": { - "and": [ - { - "not": { - "equals": [ - "@outputs('Compose_9')", - "" - ] - } - }, - { - "not": { - "equals": [ - "@length(outputs('Compose_9'))", - 0 - ] - } - } - ] - }, - "type": "If" + "type": "Foreach" } }, "runAfter": { - "Append_to_array_variable_4": [ + "Condition_5": [ "Succeeded" ] }, - "type": "Foreach" - }, - "Function_App_call_1": { - "type": "Http", - "inputs": { - "uri": "https://mdti-lookup.azurewebsites.net/api/mdtipdns?item=@{item()?['HostName']}.@{item()?['DnsDomain']}\u0026code=@{body('Get_secret')?['value']}", - "method": "POST" - }, - "runtimeConfiguration": { - "contentTransfer": { - "transferMode": "Chunked" - }, - "secureData": { - "properties": [ - "inputs", - "outputs" - ] + "else": { + "actions": { } - } + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@body('Select')", + "" + ] + } + }, + { + "not": { + "equals": [ + "@length(variables('hostpivot'))", + 0 + ] + } + } + ] + }, + "type": "If" } }, "runAfter": { 
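Review bot: The `concurrency.repetitions: 1` added to `For_each_3` at the top of this hunk is not mirrored on `For_each_3-copy`, even though that loop also appends to a variable (`hostpivot`, via `Append_to_array_variable_2` inside `For_each_1`) and closes in the next hunk with no `runtimeConfiguration` at all. If the serialisation was added so that per-IP variable writes and the `Condition_9` comment/tag stage do not interleave across iterations, the hosts loop presumably needs the same `"runtimeConfiguration": { "concurrency": { "repetitions": 1 } }`. Also, `Compose_5`'s `@union(body('Select'), body('Select'))` (and `Compose_4`'s twin) reads like a typo; if the intent is to de-duplicate the group names, state that in a `description` on the action so the next reader does not "fix" it.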
@@ -963,20 +1164,6 @@ }, "type": "Foreach" }, - "Get_secret": { - "runAfter": { - }, - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['Keyvault']['connectionId']" - } - }, - "method": "get", - "path": "/secrets/@{encodeURIComponent('MDTI-Function-App')}/value" - } - }, "Initialize_variable": { "runAfter": { "Entities_-_Get_IPs": [ @@ -1082,6 +1269,20 @@ "triggerName": "manual" } } + }, + "Get_secret": { + "runAfter": { + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['keyvault']['connectionId']" + } + }, + "method": "get", + "path": "/secrets/@{encodeURIComponent('MechanicsDemo-AzureFunction')}/value" + } } }, "outputs": { 
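Review bot: The re-added `Get_secret` action changes the Key Vault secret name from `MDTI-Function-App` to `MechanicsDemo-AzureFunction`, which reads like a value from the author's demo vault rather than something a deployer of this template will have, and it stays hard-coded now that the function URL itself has become a parameter. Make the secret name a parameter alongside `Function App URL` (an ARM parameter defaulting to `MDTI-Function-App`, surfaced into the workflow's `parameters` block the same way) and reference it as `/secrets/@{encodeURIComponent(parameters('<secret-name-parameter>'))}/value`, with the placeholder named to match. `Get_secret` also has no `runtimeConfiguration.secureData`, so the retrieved value is visible in run history.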
@@ -1093,29 +1294,24 @@ "azuresentinel": { "connectionId": "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", "connectionName": "[variables('MicrosoftSentinelConnectionName')]", - "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]", "connectionProperties": { "authentication": { "type": "ManagedServiceIdentity" } } }, - "azuresentinel1": { - "connectionId": "[resourceId('Microsoft.Web/connections', variables('azuresentinelConnectionName'))]", - "connectionName": "[variables('azuresentinelConnectionName')]", - "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]", - "connectionProperties": { - "authentication": { - "type": "ManagedServiceIdentity" - } - } + "azuresentinel": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzuresentinelConnectionName'))]", + "connectionName": "[variables('AzuresentinelConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]" }, "securitycopilot": { "connectionId": "[resourceId('Microsoft.Web/connections', variables('SecuritycopilotConnectionName'))]", "connectionName": "[variables('SecuritycopilotConnectionName')]", "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Securitycopilot')]" }, - "": { + "keyvault": { "connectionId": "[resourceId('Microsoft.Web/connections', variables('KeyvaultConnectionName'))]", "connectionName": "[variables('KeyvaultConnectionName')]", "id": 
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Keyvault')]", @@ -1133,6 +1329,9 @@ "type": "Microsoft.Logic/workflows", "location": "[resourceGroup().location]", "tags": { + "CreatedDate": "10/17/2024 5:09:07 PM", + "Created By": "u1126", + "CreatorUPN": "u1126@a.alpineskihouse.co", "hidden-SentinelTemplateName": "MDTI-Actor-LookupV2", "hidden-SentinelTemplateVersion": "1.0" }, @@ -1142,7 +1341,7 @@ "apiVersion": "2017-07-01", "dependsOn": [ "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", - "[resourceId('Microsoft.Web/connections', variables('azuresentinelConnectionName'))]", + "[resourceId('Microsoft.Web/connections', variables('AzuresentinelConnectionName'))]", "[resourceId('Microsoft.Web/connections', variables('SecuritycopilotConnectionName'))]", "[resourceId('Microsoft.Web/connections', variables('KeyvaultConnectionName'))]" ] 
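Review bot: After renaming `azuresentinel1` to `azuresentinel`, the `$connections` value object in this hunk contains two `"azuresentinel"` keys; RFC 8259 expects names to be unique, and which entry survives is parser-dependent (last-wins in most, rejected in strict ones), so which connection the workflow's `['azuresentinel']` references actually bind to is undefined. The renamed entry also lost the `connectionProperties.authentication: ManagedServiceIdentity` block, and the `@@ -1159` hunk drops `parameterValueType: Alternative` from the matching `Microsoft.Web/connections` resource, so if that entry wins the playbook may no longer authenticate with its managed identity. If a second Sentinel connection is still needed, give it a distinct key and restore the MSI settings; if not, delete the entry together with the `AzuresentinelConnectionName` variable, resource and `dependsOn` line instead of shadowing the first.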
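Review bot: The three tags added here, `CreatedDate`, `Created By: u1126` and `CreatorUPN: u1126@a.alpineskihouse.co`, are identity and timestamp values from the author's own tenant; a gallery template stamps them onto every consumer's Logic App, where they will be wrong and, for the UPN, disclose an account unrelated to the deployment. Drop these three and keep only the existing `hidden-SentinelTemplateName`/`hidden-SentinelTemplateVersion` tags; the generator named in the metadata presumably emitted them from the exporting user's session, so strip them from future exports as well.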
@@ -1159,23 +1358,22 @@ }, "parameterValueType": "Alternative", "api": { - "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]" + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]" } } }, { "type": "Microsoft.Web/connections", "apiVersion": "2016-06-01", - "name": "[variables('azuresentinelConnectionName')]", + "name": "[variables('AzuresentinelConnectionName')]", "location": "[resourceGroup().location]", "kind": "V1", "properties": { - "displayName": "[variables('azuresentinelConnectionName')]", + "displayName": "[variables('AzuresentinelConnectionName')]", "customParameterValues": { }, - "parameterValueType": "Alternative", "api": { - "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]" + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]" } } }, From a85dec4a953d42014fcd55b9a9fff3eed5826c76 Mon Sep 17 00:00:00 2001 From: MrSharpBones <127972050+MrSharpBones@users.noreply.github.com> Date: Thu, 24 Oct 2024 14:27:46 -0400 Subject: [PATCH 2/8] Update function_app.py --- Playbooks/MDTI-Actor-Lookup/function_app.py | 1 + 1 file changed, 1 insertion(+) diff --git a/Playbooks/MDTI-Actor-Lookup/function_app.py b/Playbooks/MDTI-Actor-Lookup/function_app.py index 14bb5e95689..0d8a5e04aa4 100644 --- a/Playbooks/MDTI-Actor-Lookup/function_app.py +++ b/Playbooks/MDTI-Actor-Lookup/function_app.py 
@@ -75,6 +75,7 @@ def list_grab(item):
 logging.info(f"Fetched {len(artifact_ids)} artifacts, total so far: {len(artifact_list)}")
 else:
 logging.warning(f"'value' key not found in response: {data}")
+ continue
 # Check for the presence of @odata.nextLink
 services = data.get('@odata.nextLink', None)
From 2b2f765874d253a4d6a1ca5eb751321111eb8628 Mon Sep 17 00:00:00 2001
From: MrSharpBones <127972050+MrSharpBones@users.noreply.github.com>
Date: Thu, 24 Oct 2024 14:28:26 -0400
Subject: [PATCH 3/8] Delete Playbooks/MDTI-Actor-Lookup/MDTIAFunc.zip
---
 Playbooks/MDTI-Actor-Lookup/MDTIAFunc.zip | Bin 2999 -> 0 bytes
 1 file changed, 0 insertions(+), 0 deletions(-)
 delete mode 100644 Playbooks/MDTI-Actor-Lookup/MDTIAFunc.zip
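Review bot: The added `continue` skips the `services = data.get('@odata.nextLink', None)` update that follows it, so if `services` is the cursor the enclosing loop iterates on (the loop header is outside this hunk), a page without `'value'` leaves the cursor unchanged and the function re-requests the same page until the service happens to answer differently, which is the opposite of the fault tolerance the commit describes. If a malformed page should end pagination, use `break` (or set `services = None` before the `continue`); if it should be retried, add a bounded attempt counter so an API outage cannot spin the function indefinitely. `list_grab` starts before and ends after the hunk.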
diff --git a/Playbooks/MDTI-Actor-Lookup/MDTIAFunc.zip b/Playbooks/MDTI-Actor-Lookup/MDTIAFunc.zip deleted file mode 100644 index 95b538b7762e9cbe682ee62c08cc83abec7105d1..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 2999 zcmbW3c|4T+7snqn_I({(gKL@WV~NsYD}}}~M*Qp%BgQ^6wq&bo87(MFC|kH=Le^o3 z7)8k-!=Mm~+m+&07YY4l{BGrSfB*dM?>w*P`981L_w_x`c|YfKUgsbYV0LkUn|TR_ zS-Jp!nUfd*2mwC>ei0!)_<+!mGu~lg@UR%i(*gk3Q5?rP){ULs^oxk*1K8MEhjt$| z&TgSE4v5DKWqvg!f|UiXElb4eE!Mge)Uu5<`A@T5^5(u`{=(fCrBu}#GW)d?N0fox zwQ{o-BEyP4-u`l8@rAqkaq%xLUeDjqZ!DSZ8xMptXxk>P>5C~#9hR*@E0igz8wb}x zCG$#U+R101k%S3zD1Sg98h0Lh{@BM`1Ir$t+76oxeFSuUTyNUks*la3X?7o)I`b+R zAOG?F;!4YkaU8$MD_ElboB9$r$ZX$0>=#UYM3Ge0{kk$#gN|lhafi>{{Z^CdL28oW z0+NZbl@;-!roReRG#oy#_McHHhcUlrj_daEy2XeW6;_!%eIU73Gt;84z~ zLb=XEFR1v15uSD-Pz)5_L!N~ireR5MoGb$UK=SfRSuht7g{u|S<*(4AGn5`aoq4zX z_Zo&>1l?-0iR<-4JWmBaU-si@KYfZMXKvdZNo?$$*~E-Bm$mg9SJs}bM9xnXn@PTm zE!HLFJN|;S?+2?C2q?`SZdUmTs>v`{r#|h=vEx~Kb+s+*Inv>cVU}9q_Tl`d)T?B| z)C{(J#97zF_vEE;yalCRTC`-NKkkeH5C^SzbYR>}UK1LjA8nlPOtI?C*U_~zySXmo z=YJtQE+S@s#y!uD)dCz%RQSC4$3H&I_bfnv=ND^A-T&bJq0lf}JDo9IA^(eNQZg}p z=EG_7S=Y)%0)QTMY;u1c)=1OQNH#;^9VLx?)E@OTCrc5GQ__ju8eWy_6}`Oqd1EI= zU)n9plR);?NAr4Y&3ag}K^KEMhw=}?+1Bio7E{w|MArv-`hb$nK<}l8$MJ zBhG?k`>SgV?utc^4ov9JA>y(G*FB{>ha9s5A>ep-Km4%PWx0MTZvUX$S-7!Mf?l_{ z0sl{>UPn;Zg%O~RNpGNK3&|)dYE?_QW3ImQXrIKxfQ9XD;zh>REJ*&oNQ}PBGezsp zh5|joMj=p~+gb|AR^MSAs&nL#UbbM%z_6~Wr)tQWPow>n0*%bu=nDdb!CsliAftHG z)gGz#pC6p78h-HA*Vp(9S}z|ujw-w!-{&iDy~bs;cI1g=&YVWUO{rjT*P{_y;&jTn zYTY{evkaV6pP9}1?7l%LDZMq%;9bm@x6+h}y4QlgrYB_hJXMJb61v2XAA85G8t!@^ z73z<456v7qd57zdX!|Vf)F(f;XJV7WT{ix7NT967ENKT%Pug=(e|mk-th7*ROx8u5In{O0GIIOc zjW`%zR#}Cuq?u%7W`C>RiW!;N?WgaUvD~dRk@7MKvCGq9f{?|lLha@BbsF!#Uz&D#m4Th zpkGbe`n;>1J#RMrL5WQ)-LyTPe9SHD?C4nOdvq=*u0yf0lWRc{`gpXJA}KhaUeh=k zDAlIfBoalOp05+llTCG|tVNVgjyNiGA{JC^mIa$5C+~Xtl^G=SJ9ZC2$}4IiJtwTD z-nuddDy0vjOY^ox2!;`cBoEyX%)y!PXo=^jX20p{vSZcF6!4M2=|+#d<6*CJCyhSy 
z4Hb7)_xCxR=xs_pnoG&s=1$-sHMvRtffASp0LT5fLrU*8V*>ly(8H-Fjk}~&lja%9Fv#t8tdR)+lEd?FQsRX^(n#6p>ZtO) zt@8QV>sw_HKb}q}DEF?fcSr=ePPE9@ZDhuRF1$9UWj>Ozc(w?kC!?-*?{kte%yct5C<0Blv7g;g zQyow>L<#){dMn96KEtcY7MvDPOP4*>E8O2csJGL8t3I)>n%(71XJ$*k-7;bTI>SyNZQxsXsSdY2df zmm*o~-+1X72$}|X_ovc9mo~YW9#~$G2sV&7_{Uhcw-#7q-8UmAvEKgSkhj-4tDN>~ zl~qpPjGVNl>-=H1AsB+aRB%?bl Date: Thu, 24 Oct 2024 14:29:09 -0400 Subject: [PATCH 4/8] Add files via upload Small change to python file for fault tolerance --- Playbooks/MDTI-Actor-Lookup/FunctionApp.zip | Bin 0 -> 3007 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 Playbooks/MDTI-Actor-Lookup/FunctionApp.zip 
diff --git a/Playbooks/MDTI-Actor-Lookup/FunctionApp.zip b/Playbooks/MDTI-Actor-Lookup/FunctionApp.zip new file mode 100644 index 0000000000000000000000000000000000000000..9f034c2efbc2ae43072ff2c33e66cef69f53d694 GIT binary patch literal 3007 zcmb7Gc{o)28y_=`Fw7v^k6f~jrLnZ!N!CF^F@~8-D3Zb0&5)w9CMgl4EM-d=%cW!+ zg=Al|WX3wVj3t$1yQ6#kW_o_z>*?M01JnRE! zZSMg1Ux3+H2tXEqzz6%ed3pHx2f1VI1OR(eF_Ip>wvrwsC<7lH3ITBK;k@wmG^A$P zs|Es~E%)*a0i#)a+0QvB=)dqa(0}9m>;nK`Y3t3;x?sKFU2NX~Hzm}HNE-4??U#|3d7US_FHF2K@MC|19I7WK4Nsn3emJ*J zEdaVX8Y-1N-O%{^_T+YdHusHBe1?*1CId$jR@{Ue!t|c&Sl_m5ZZcPKkQAf$PkDPE z>ZC=Ls)(Blh#Q5rk+1kSKfZ&l;GSJ8*g=ak#H3_ogle6>oJWXh^BMT`TJWug==@=L zYo=S#_7S&o>|K?i4ELBf+k$a#l=sYBFFSx-kwX;ac}r`g$D_h;p>P+BVh-a5z1q8r z$}Yx^DNBUBt;&5oY_59f z=cof)8*l>oaTX0`1U!yRymq|J>!V=+k z0Y={gQ~4C~ugjsR_nI-e_}`MUtQj`k(^Y%0K&yRK0T!ucpejl_?UD;E6df~uLlO2xHn!+k?c3C=(zjk|39Mx49vBT;#56S< z_2e{6rj^&`+ZAFCMyY%-d+KuPr={#btXhbXnb~KYO}PVb%e-}=C{s)?)q!ycabI5C zx+D9Prl~+Q3QoIjC->^6q3?#6q5ahx&)UuOTPw&XTN}?{n)MGx8AxE!88YDvXH5m` zCqjCtRV+P~xNxQ7bq&@x;8I?C{d@%7Jk6L?>wZ14X$2GbR63n}e%LAUgYLYgtd3M! 
z1o-k=1cNGsGrHQZoqKJkv*Y|~H=Rzuig=dFe;g6V2nrpTt1v!6;XgMptgs*j=ws@G zj;cL;+SY7kIz6vh9esv$r~RxFpPP1fvi*_2(_+!c%VJe4WzcD0z@$@HkL4 zDxCxsiL@^Oy#00|{PGGx_4&PiSN#HiE6vxJ7jPlZER z3+8dgLGoZJQf)xQi@m6DkYEyHraVY!f--u=dq5o>ARoVg65#bYns^WlK9>0)uyJ5a zXN;~^dMw-EtlPyM145VIBYT?+%6`^RWG>6fcnVdSe4h3!w>$vHeW)p(PKyrIs`es; zpMXM1nq{9mr94}GTrN(eY}mFDvMvJ8ua6m<9HN$B!tZtV*VBB1-}5XaB0t>)8e`X< zg1rhRYmp@}Vb6N%>8U3*97v-Eakl<(nX)NL`6&W%pur4^;yb0)inC{^VJ>&e)aqn{ zX#4B%A(#K`O7PHhX6>Q$q(cL4J5RV7yqpH2KVKCa1HWxhwr_dc*_%hlicom}ypQdl zzW|JBq)kO7+gjpho*qL+#Q)MpqJ+BMaZ2ISSbMk*p?W|^otn@fT5=7*?BbD769?rf zO=MBo`!BF5)}&xYIphOki(5jRC4q-6^E+=fy8_Y-TpP0?apeU2;o|p6?_Vn8bmul| zSlg5ORFlPD7vIEeR2|jV9bRJ|ZCt~_?|ZBpNPmibplN`e1Kv$1%n-~j0+zBQvdb)A z41(w^`MPUcy6EVd5%Bb8{iLZi&zSRc(esw3{NrzT6l19A{`p3ZLphuD9fxHh`~=r$ ziv(%DN(pr3?Ul;+T38ziU0V@K5X761lMZ?at2c3ANRS6~{eSL!SSKm(y=~PoQr|(B z40SoK1Xb#tVNO4=sAi4N8gR6Z=SGzB9c}=CqiBC?-EJ*SXR9DDTkAaii6jJp=4yEAVuk-0D`GG;ir=?iw|okDvQFM1(LbC z+#g5SZR3^1=fvj=$qUDDWU+#!IxPtVfM120s9*LL&n}Ns;=dPvhrP3pUA&LKo2w6k=uRSe`FRlkNh51^=zBv@!o;A_ ztLh=WmI#VE-2Al76U<4=9u=z*uJ|}bX6j=xP%I@rCS2}y))!d62BZo>H1A)nTQ z!Hb9@_0EodTcB#`90mN9Ugo4k-BmUL4vBxKH^<%)WYY_B4-EDSa`$!jBM}j#P|{zY z=oQ=Whg^94p7+MZLSt8kd@{L@u#WK&!MP8toLfhu%b5Wl& zv>NG(t)wtu_^e59Qmd5NYo^#xEarBz5>5h{(EgjJZ5UfB@E$l41DglF69-qH z<5TDIz2Q|pByG_q*hTHr{*#(j8PQ(4$6?_`QcV|re={6Y4F>dZ0RWS{oV))5(Lk&` literal 0 HcmV?d00001 From aebaaa7a6e392c2a0232a674493b211f50539a5f Mon Sep 17 00:00:00 2001 From: MrSharpBones <127972050+MrSharpBones@users.noreply.github.com> Date: Thu, 24 Oct 2024 22:19:56 -0400 Subject: [PATCH 5/8] Update azuredeploy.json --- Playbooks/MDTI-Actor-Lookup/azuredeploy.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Playbooks/MDTI-Actor-Lookup/azuredeploy.json b/Playbooks/MDTI-Actor-Lookup/azuredeploy.json index f41d28b3d5a..b78d4e68e39 100644 --- a/Playbooks/MDTI-Actor-Lookup/azuredeploy.json +++ b/Playbooks/MDTI-Actor-Lookup/azuredeploy.json 
@@ -2,8 +2,8 @@
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "1.0.0.0",
 "metadata": {
- "title": "",
- "description": "",
+ "title": "MTI Threat Actor Lookup",
+ "description": "To be deployed with the bundled function app to automate infrastructure chaining with the MTI API",
 "prerequisites": "",
 "postDeployment": [
 ],
From bd859b6c893f5f2537dd8cd1c4377bf876306f8a Mon Sep 17 00:00:00 2001
From: MrSharpBones <127972050+MrSharpBones@users.noreply.github.com>
Date: Thu, 24 Oct 2024 22:57:02 -0400
Subject: [PATCH 6/8] Update azuredeploy.json
---
 Playbooks/MDTI-Actor-Lookup/azuredeploy.json | 5 -----
 1 file changed, 5 deletions(-)
diff --git a/Playbooks/MDTI-Actor-Lookup/azuredeploy.json b/Playbooks/MDTI-Actor-Lookup/azuredeploy.json
index b78d4e68e39..1a3f26e60c8 100644
--- a/Playbooks/MDTI-Actor-Lookup/azuredeploy.json
+++ b/Playbooks/MDTI-Actor-Lookup/azuredeploy.json
@@ -4,11 +4,6 @@
 "metadata": {
 "title": "MTI Threat Actor Lookup",
 "description": "To be deployed with the bundled function app to automate infrastructure chaining with the MTI API",
- "prerequisites": "",
- "postDeployment": [
- ],
- "prerequisitesDeployTemplateFile": "",
- "lastUpdateTime": "",
 "entities": [
 ],
 "tags": [
From 540d5af057b5de0ce63d5053ad9e13de0b76acb5 Mon Sep 17 00:00:00 2001
From: MrSharpBones <127972050+MrSharpBones@users.noreply.github.com>
Date: Fri, 25 Oct 2024 09:46:19 -0400
Subject: [PATCH 7/8] Update azuredeploy.json
---
 Playbooks/MDTI-Actor-Lookup/azuredeploy.json | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/Playbooks/MDTI-Actor-Lookup/azuredeploy.json b/Playbooks/MDTI-Actor-Lookup/azuredeploy.json
index 1a3f26e60c8..2d94df70cde 100644
--- a/Playbooks/MDTI-Actor-Lookup/azuredeploy.json
+++ b/Playbooks/MDTI-Actor-Lookup/azuredeploy.json
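Review bot: The new `description` says the playbook is "to be deployed with the bundled function app" without naming the artifact or how it relates to the source next to it; elsewhere in this series `function_app.py` is edited in one commit and a pre-built `FunctionApp.zip` is uploaded in another, and nothing in the template ties the two together, so a consumer cannot tell whether the zip they deploy is built from the code they can read. Name the artifact and its provenance, e.g. `"description": "Deploy together with FunctionApp.zip (built from function_app.py in this folder) to automate infrastructure chaining with the MTI API"`, and use the `prerequisites` field to list the Key Vault secret and function key the workflow expects. `MTI` in the title also differs from the `MDTI` used for the playbook name and folder; if the rename is deliberate it should be applied consistently.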
@@ -4,7 +4,11 @@
 "metadata": {
 "title": "MTI Threat Actor Lookup",
 "description": "To be deployed with the bundled function app to automate infrastructure chaining with the MTI API",
- "entities": [
+ "prerequisites": "",
+ "postDeployment": [
+ ],
+ "prerequisitesDeployTemplateFile": "",
+ "lastUpdateTime": "2024-10-18T09:44:59Z",
 ],
 "tags": [
 ],
@@ -13,12 +17,12 @@
 "armtemplate": "Generated from https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Playbook-ARM-Template-Generator"
 },
 "author": {
- "name": ""
+ "name": "Geoff Roote"
 }
 },
 "parameters": {
 "PlaybookName": {
- "defaultValue": "MDTI-Actor-LookupV2",
+ "defaultValue": "MDTI-Actor-Lookup",
 "type": "string"
 },
 "Function App URL": {
From df5ed9e17d3a70d7f389f641c29d507ce3a842b4 Mon Sep 17 00:00:00 2001
From: MrSharpBones <127972050+MrSharpBones@users.noreply.github.com>
Date: Fri, 25 Oct 2024 10:35:42 -0400
Subject: [PATCH 8/8] Update azuredeploy.json
---
 Playbooks/MDTI-Actor-Lookup/azuredeploy.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/Playbooks/MDTI-Actor-Lookup/azuredeploy.json b/Playbooks/MDTI-Actor-Lookup/azuredeploy.json
index 2d94df70cde..e8ff60960c0 100644
--- a/Playbooks/MDTI-Actor-Lookup/azuredeploy.json
+++ b/Playbooks/MDTI-Actor-Lookup/azuredeploy.json
@@ -9,6 +9,7 @@
 ],
 "prerequisitesDeployTemplateFile": "",
 "lastUpdateTime": "2024-10-18T09:44:59Z",
+ "entities": [
 ],
 "tags": [
 ],
@@ -22,7 +23,7 @@
 },
 "parameters": {
 "PlaybookName": {
- "defaultValue": "MDTI-Actor-Lookup",
+ "defaultValue": "MDTI-Actor-LookupV2",
 "type": "string"
 },
 "Function App URL": {
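Review bot: This hunk replaces the `"entities": [` line with the re-added metadata keys but keeps the `],` that closed the array, so after this commit `"lastUpdateTime": "2024-10-18T09:44:59Z",` is followed by a bare `],` and the template is not valid JSON; the final patch in the series restores `"entities": [`, but the intermediate commit neither parses nor deploys and will break any bisect. The second hunk flips `PlaybookName`'s default to `MDTI-Actor-Lookup` and the last patch flips it straight back to `MDTI-Actor-LookupV2`, which is the value that matches the `hidden-SentinelTemplateName` tag. Squashing patches 6–8 into one metadata change would leave every commit in the series deployable.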