diff --git a/Solutions/Microsoft Defender for Office 365/Data/Solution_MicrosoftDefenderforOffice365.json b/Solutions/Microsoft Defender for Office 365/Data/Solution_MicrosoftDefenderforOffice365.json
index 59a1e2fdcf5..402c63a289b 100644
--- a/Solutions/Microsoft Defender for Office 365/Data/Solution_MicrosoftDefenderforOffice365.json
+++ b/Solutions/Microsoft Defender for Office 365/Data/Solution_MicrosoftDefenderforOffice365.json
@@ -14,11 +14,12 @@
 "Solutions/Microsoft Defender for Office 365/Playbooks/O365DefenderPlaybooks/o365-BlockMalwareFileExtension/azuredeploy.json",
 "Solutions/Microsoft Defender for Office 365/Playbooks/O365DefenderPlaybooks/o365-BlockSender/azuredeploy.json",
 "Solutions/Microsoft Defender for Office 365/Playbooks/O365DefenderPlaybooks/o365-BlockSender-EntityTrigger/azuredeploy.json",
- "Solutions/Microsoft Defender for Office 365/Playbooks/O365DefenderPlaybooks/o365-BlockSpamDomain/azuredeploy.json"
+ "Solutions/Microsoft Defender for Office 365/Playbooks/O365DefenderPlaybooks/o365-BlockSpamDomain/azuredeploy.json",
+ "Solutions/Microsoft Defender for Office 365/Playbooks/O365DefenderPlaybooks/o365-DeleteMaliciousInboxRule/azuredeploy.json"
 ],
- "BasePath": "C:\\GitHub\\Azure-Sentinel",
- "Version": "3.0.0",
+ "BasePath": "C:\\GitHub\\Azure-Sentinel\\",
+ "Version": "3.0.1",
 "Metadata": "SolutionMetadata.json",
 "TemplateSpec": true,
- "Is1PConnector": true
+ "Is1PConnector": true
 }
\ No newline at end of file
diff --git a/Solutions/Microsoft Defender for Office 365/Data/system_generated_metadata.json b/Solutions/Microsoft Defender for Office 365/Data/system_generated_metadata.json
new file mode 100644
index 00000000000..7c07cd51878
--- /dev/null
+++ b/Solutions/Microsoft Defender for Office 365/Data/system_generated_metadata.json
@@ -0,0 +1,38 @@ +{ + "Name": "Microsoft Defender for Office 365", + "Author": "Microsoft - support@microsoft.com", + "Logo": "", + "Description": "The [Microsoft Defender for Office 365](https://www.microsoft.com/security/business/threat-protection/office-365-defender) solution for Microsoft Sentinel enables you to ingest security alerts from the Defender for Office 365 platform, providing visibility into threats within email messages, links (URLs) and collaboration tools.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution is dependent on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Codeless Connector Platform/Native Sentinel Polling](https://docs.microsoft.com/azure/sentinel/create-codeless-connector?tabs=deploy-via-arm-template%2Cconnect-via-the-azure-portal)", + "BasePath": "C:\\GitHub\\Azure-Sentinel\\", + "Version": "3.0.1", + "Metadata": "SolutionMetadata.json", + "TemplateSpec": true, + "Is1PConnector": true, + "publisherId": "azuresentinel", + "offerId": "azure-sentinel-solution-microsoftdefenderforo365", + "providers": [ + "Microsoft" + ], + "categories": { + "domains": [ + "Security - Threat Protection" + ] + }, + "firstPublishDate": "2022-05-17", + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com/" + }, + "Data Connectors": "[\n \"template_OfficeATP.json\"\n]", + "Playbooks": [ + "Playbooks/CustomConnector/O365_Defender_FunctionAppConnector/azuredeploy.json", + "Playbooks/O365DefenderPlaybooks/o365-BlockMalwareFileExtension/azuredeploy.json", + "Playbooks/O365DefenderPlaybooks/o365-BlockSender-EntityTrigger/azuredeploy.json", + "Playbooks/O365DefenderPlaybooks/o365-BlockSender/azuredeploy.json", + 
"Playbooks/O365DefenderPlaybooks/o365-BlockSpamDomain/azuredeploy.json", + "Playbooks/O365DefenderPlaybooks/o365-DeleteMaliciousInboxRule/azuredeploy.json" + ], + "Workbooks": "[\n \"MicrosoftDefenderForOffice365.json\"\n]" +} diff --git a/Solutions/Microsoft Defender for Office 365/Package/3.0.1.zip b/Solutions/Microsoft Defender for Office 365/Package/3.0.1.zip new file mode 100644 index 00000000000..409668288b3 Binary files /dev/null and b/Solutions/Microsoft Defender for Office 365/Package/3.0.1.zip differ diff --git a/Solutions/Microsoft Defender for Office 365/Package/createUiDefinition.json b/Solutions/Microsoft Defender for Office 365/Package/createUiDefinition.json index 4cdaa49696d..dff5156b48f 100644 --- a/Solutions/Microsoft Defender for Office 365/Package/createUiDefinition.json +++ b/Solutions/Microsoft Defender for Office 365/Package/createUiDefinition.json 
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20for%20Office%20365/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution.\n\nThe [Microsoft Defender for Office 365](https://www.microsoft.com/security/business/threat-protection/office-365-defender) solution for Microsoft Sentinel enables you to ingest security alerts from the Defender for Office 365 platform, providing visibility into threats within email messages, links (URLs) and collaboration tools.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution is dependent on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. 
[Codeless Connector Platform/Native Microsoft Sentinel Polling](https://docs.microsoft.com/azure/sentinel/create-codeless-connector?tabs=deploy-via-arm-template%2Cconnect-via-the-azure-portal)\n\n**Data Connectors:** 1, **Workbooks:** 1, **Function Apps:** 1, **Playbooks:** 4\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20for%20Office%20365/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution.\n\nThe [Microsoft Defender for Office 365](https://www.microsoft.com/security/business/threat-protection/office-365-defender) solution for Microsoft Sentinel enables you to ingest security alerts from the Defender for Office 365 platform, providing visibility into threats within email messages, links (URLs) and collaboration tools.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution is dependent on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Codeless Connector Platform/Native Microsoft Sentinel Polling](https://docs.microsoft.com/azure/sentinel/create-codeless-connector?tabs=deploy-via-arm-template%2Cconnect-via-the-azure-portal)\n\n**Data Connectors:** 1, **Workbooks:** 1, **Function Apps:** 1, **Playbooks:** 5\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", 
diff --git a/Solutions/Microsoft Defender for Office 365/Package/mainTemplate.json b/Solutions/Microsoft Defender for Office 365/Package/mainTemplate.json index 4f5e3f1f80b..1254b2e2e3f 100644 --- a/Solutions/Microsoft Defender for Office 365/Package/mainTemplate.json +++ b/Solutions/Microsoft Defender for Office 365/Package/mainTemplate.json @@ -41,7 +41,7 @@ "email": "support@microsoft.com", "_email": "[variables('email')]", "_solutionName": "Microsoft Defender for Office 365", - "_solutionVersion": "3.0.0", + "_solutionVersion": "3.0.1", "solutionId": "azuresentinel.azure-sentinel-solution-microsoftdefenderforo365", "_solutionId": "[variables('solutionId')]", "uiConfigId1": "OfficeATP", 
@@ -101,6 +101,14 @@ "playbookId5": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId5'))]", "playbookTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId5'))))]", "_playbookcontentProductId5": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId5'),'-', variables('playbookVersion5'))))]", + "o365-DeleteMaliciousInboxRule": "o365-DeleteMaliciousInboxRule", + "_o365-DeleteMaliciousInboxRule": "[variables('o365-DeleteMaliciousInboxRule')]", + "playbookVersion6": "1.0", + "playbookContentId6": "o365-DeleteMaliciousInboxRule", + "_playbookContentId6": "[variables('playbookContentId6')]", + "playbookId6": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId6'))]", + "playbookTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId6'))))]", + "_playbookcontentProductId6": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId6'),'-', variables('playbookVersion6'))))]", "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" }, "resources": [ 
@@ -113,7 +121,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Microsoft Defender for Office 365 data connector with template version 3.0.0", + "description": "Microsoft Defender for Office 365 data connector with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion1')]", @@ -191,7 +199,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('_dataConnectorContentId1')]", "contentKind": "DataConnector", - "displayName": "Microsoft Defender for Office 365", + "displayName": "Microsoft Defender for Office 365 (Preview)", "contentProductId": "[variables('_dataConnectorcontentProductId1')]", "id": "[variables('_dataConnectorcontentProductId1')]", "version": "[variables('dataConnectorVersion1')]" @@ -272,7 +280,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MicrosoftDefenderForOffice365Workbook Workbook with template version 3.0.0", + "description": "MicrosoftDefenderForOffice365Workbook Workbook with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", 
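Review bot: The data connector's `displayName` gains a ` (Preview)` suffix in the `@@ -191,7 +199,7 @@` hunk, but the 3.0.1 row added to ReleaseNotes.md records only the new playbook, so operators upgrading the solution get no explanation for the relabel. If the change is intentional, record it in the release notes, for example `| 3.0.1 | 29-09-2023 | 1 new **Playbook** added to the solution; data connector display name marked as Preview |`. If it is a side effect of the packaging run, keep `"displayName": "Microsoft Defender for Office 365",`. The metadata resource that holds this property starts and ends outside the hunk.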
@@ -364,7 +372,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "O365_Defender_FunctionAppConnector Playbook with template version 3.0.0", + "description": "O365_Defender_FunctionAppConnector Playbook with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion1')]", @@ -539,7 +547,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "o365-BlockMalwareFileExtension Playbook with template version 3.0.0", + "description": "o365-BlockMalwareFileExtension Playbook with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion2')]", @@ -1244,7 +1252,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "o365-BlockSender Playbook with template version 3.0.0", + "description": "o365-BlockSender Playbook with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion3')]", 
@@ -1875,7 +1883,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "o365-BlockSender-EntityTrigger Playbook with template version 3.0.0", + "description": "o365-BlockSender-EntityTrigger Playbook with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion4')]", @@ -2382,7 +2390,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "o365-BlockSpamDomain Playbook with template version 3.0.0", + "description": "o365-BlockSpamDomain Playbook with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion5')]", @@ -3280,74 +3288,828 @@ } }, { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName6')]", "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], "properties": { - "version": "3.0.0", - "kind": "Solution", - "contentSchemaVersion": "3.0.0", - "displayName": "Microsoft Defender for Office 365", - "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", - "descriptionHtml": "
Note: There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe Microsoft Defender for Office 365 solution for Microsoft Sentinel enables you to ingest security alerts from the Defender for Office 365 platform, providing visibility into threats within email messages, links (URLs) and collaboration tools.
\nUnderlying Microsoft Technologies used:
\nThis solution is dependent on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:
\n\nData Connectors: 1, Workbooks: 1, Function Apps: 1, Playbooks: 4
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n", - "contentKind": "Solution", - "contentProductId": "[variables('_solutioncontentProductId')]", - "id": "[variables('_solutioncontentProductId')]", - "icon": "", - "contentId": "[variables('_solutionId')]", - "parentId": "[variables('_solutionId')]", - "source": { - "kind": "Solution", - "name": "Microsoft Defender for Office 365", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com/" - }, - "dependencies": { - "operator": "AND", - "criteria": [ - { - "kind": "DataConnector", - "contentId": "[variables('_dataConnectorContentId1')]", - "version": "[variables('dataConnectorVersion1')]" - }, - { - "kind": "Workbook", - "contentId": "[variables('_workbookContentId1')]", - "version": "[variables('workbookVersion1')]" + "description": "o365-DeleteMaliciousInboxRule Playbook with template version 3.0.1", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion6')]", + "parameters": { + "PlaybookName": { + "defaultValue": "o365-DeleteMaliciousInboxRule", + "type": "string" }, - { - "kind": "AzureFunction", - "contentId": "[variables('_O365_Defender_FunctionAppConnector')]", - "version": "[variables('playbookVersion1')]" + "Applicationid": { + "type": "string", + "metadata": { + "description": "Enter value for Applicationid" + } }, - { - "kind": "Playbook", - "contentId": "[variables('_o365-BlockMalwareFileExtension')]", - "version": "[variables('playbookVersion2')]" + "Keyvault name": { + "type": "String", + "metadata": { + "description": "Enter the key vault name where certificate thumbprint is stored" + } }, - { - "kind": "Playbook", - "contentId": "[variables('_o365-BlockSender')]", - "version": "[variables('playbookVersion3')]" + 
"Certificate_key_name": { + "type": "string", + "metadata": { + "description": "Your Key name for the thumbprint secret stored in keyvault under secrets" + } }, - { - "kind": "Playbook", - "contentId": "[variables('_o365-BlockSender-EntityTrigger')]", - "version": "[variables('playbookVersion4')]" + "OrganizationName": { + "type": "string", + "metadata": { + "description": "Enter value for OrganizationName" + } }, + "FunctionsAppName": { + "defaultValue": "o365def", + "type": "string", + "metadata": { + "description": "Name of the FunctionsApp custom connector, if you want to change the default name, make sure to use the same in all o365 automation playbooks as well" + } + } + }, + "variables": { + "MicrosoftSentinelConnectionName": "[[concat('MicrosoftSentinel-', parameters('PlaybookName'))]", + "FunctionsAppName": "[[concat(parameters('FunctionsAppName'), uniqueString(resourceGroup().id))]", + "o365FuntionsAppId": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/sites/', variables('FunctionsAppName'))]", + "KeyvaultConnectionName": "[[concat('Keyvault-', parameters('PlaybookName'))]", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", + "_connection-2": "[[variables('connection-2')]", + "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/', 'keyvault')]", + "_connection-3": "[[variables('connection-3')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ { - "kind": "Playbook", - "contentId": 
"[variables('_o365-BlockSpamDomain')]", - "version": "[variables('playbookVersion5')]" + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + }, + "Applicationid": { + "defaultValue": "[[parameters('Applicationid')]", + "type": "string" + }, + "Certificate_key_name": { + "defaultValue": "[[parameters('Certificate_key_name')]", + "type": "string" + }, + "OrganizationName": { + "defaultValue": "[[parameters('OrganizationName')]", + "type": "string" + } + }, + "triggers": { + "Microsoft_Sentinel_incident": { + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "path": "/incident-creation" + } + } + }, + "actions": { + "Add_comment_to_incident_(V3)": { + "runAfter": { + "Create_HTML_table": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "Rules provided below are deleted from their respective mailboxes:
\n
\n@{variables('Finalarray')}
\n
\n
Note: There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe Microsoft Defender for Office 365 solution for Microsoft Sentinel enables you to ingest security alerts from the Defender for Office 365 platform, providing visibility into threats within email messages, links (URLs) and collaboration tools.
\nUnderlying Microsoft Technologies used:
\nThis solution is dependent on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:
\n\nData Connectors: 1, Workbooks: 1, Function Apps: 1, Playbooks: 5
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n", + "contentKind": "Solution", + "contentProductId": "[variables('_solutioncontentProductId')]", + "id": "[variables('_solutioncontentProductId')]", + "icon": "", + "contentId": "[variables('_solutionId')]", + "parentId": "[variables('_solutionId')]", + "source": { + "kind": "Solution", + "name": "Microsoft Defender for Office 365", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com/" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "kind": "DataConnector", + "contentId": "[variables('_dataConnectorContentId1')]", + "version": "[variables('dataConnectorVersion1')]" + }, + { + "kind": "Workbook", + "contentId": "[variables('_workbookContentId1')]", + "version": "[variables('workbookVersion1')]" + }, + { + "kind": "AzureFunction", + "contentId": "[variables('_O365_Defender_FunctionAppConnector')]", + "version": "[variables('playbookVersion1')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_o365-BlockMalwareFileExtension')]", + "version": "[variables('playbookVersion2')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_o365-BlockSender')]", + "version": "[variables('playbookVersion3')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_o365-BlockSender-EntityTrigger')]", + "version": "[variables('playbookVersion4')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_o365-BlockSpamDomain')]", + "version": "[variables('playbookVersion5')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_o365-DeleteMaliciousInboxRule')]", + "version": "[variables('playbookVersion6')]" } ] }, @@ -3365,4 +4127,4 @@ } ], "outputs": {} -} \ No newline at end of file +} 
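Review bot: The incident comment written by `Add_comment_to_incident_(V3)` states that the listed rules "are deleted", yet the only dependency visible here is `runAfter` on `Create_HTML_table` with `Succeeded`; the delete calls themselves are not visible in this view, so it could not be confirmed that `Finalarray` is filled only after a delete call has succeeded. Because the playbook fires on `/incident-creation` and no approval step appears in the visible part, this comment is the audit record of a destructive action: each `Finalarray` entry should carry the mailbox, the rule name and the result of the delete call, with the text worded to match, e.g. `"message": "Inbox rules processed by this playbook (mailbox, rule, delete result): ..."`. Capturing the rule's conditions and actions before it is removed would also keep the evidence available to the investigation. If mainTemplate.json is produced by the packaging step, the change belongs in the `o365-DeleteMaliciousInboxRule/azuredeploy.json` listed in the solution data file.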
diff --git a/Solutions/Microsoft Defender for Office 365/ReleaseNotes.md b/Solutions/Microsoft Defender for Office 365/ReleaseNotes.md
index ff55036f63b..6b4958a8744 100644
--- a/Solutions/Microsoft Defender for Office 365/ReleaseNotes.md
+++ b/Solutions/Microsoft Defender for Office 365/ReleaseNotes.md
@@ -1,4 +1,5 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
 |-------------|--------------------------------|--------------------------------------------------------------------------|
+| 3.0.1 | 29-09-2023 | 1 new **Playbook** added to the solution |
 | 3.0.0 | 11-07-2023 | 4 new **Playbooks** added to the solution |
 | | | 1 **Custom Connector** added as a pre-requisite for playbooks deployment |
diff --git a/Workbooks/WorkbooksMetadata.json b/Workbooks/WorkbooksMetadata.json
index cc835fc9481..5f7306b2807 100644
--- a/Workbooks/WorkbooksMetadata.json
+++ b/Workbooks/WorkbooksMetadata.json
@@ -2880,19 +2880,7 @@
 "title": "Microsoft Defender For Office 365",
 "templateRelativePath": "MicrosoftDefenderForOffice365.json",
 "subtitle": "",
- "provider": "Microsoft Sentinel Community",
- "support": {
- "tier": "Community"
- },
- "author": {
- "name": "Brian Delaney"
- },
- "source": {
- "kind": "Community"
- },
- "categories": {
- "domains": [ "Security - Others" ]
- }
+ "provider": "Microsoft Sentinel Community"
 },
 {
 "workbookKey": "ProofPointThreatDashboard",