Skip to content

Commit

Permalink
Merge pull request #8844 from Accelerynt-Security/08-16-2023--AS-Add-…
Browse files Browse the repository at this point in the history 
…Azure-AD-User-Job-Title-to-Incident

08 16 2023  as add azure ad user job title to incident
  • Loading branch information
@v-atulyadav
v-atulyadav authored Aug 29, 2023
2 parents 15f30a2 + aa2c1b6 commit 99d3cb6
Show file tree
Hide file tree
Showing 56 changed files with 1,152 additions and 0 deletions.
Binary file added ...nt/Images/AS_Add_Azure_AD_User_Job_Title_to_Incident_Add_Contributor_Role_1.png
View file
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added ...nt/Images/AS_Add_Azure_AD_User_Job_Title_to_Incident_Add_Contributor_Role_2.png
View file
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added ...nt/Images/AS_Add_Azure_AD_User_Job_Title_to_Incident_Add_Contributor_Role_3.png
View file
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added ...nt/Images/AS_Add_Azure_AD_User_Job_Title_to_Incident_Add_Contributor_Role_4.png
View file
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added ...-Title-to-Incident/Images/AS_Add_Azure_AD_User_Job_Title_to_Incident_Demo_1.png
View file
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added ...itle-to-Incident/Images/AS_Add_Azure_AD_User_Job_Title_to_Incident_Deploy_1.png
View file
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added ...itle-to-Incident/Images/AS_Add_Azure_AD_User_Job_Title_to_Incident_Deploy_2.png
View file
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added ...itle-to-Incident/Images/AS_Add_Azure_AD_User_Job_Title_to_Incident_Deploy_3.png
View file
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added ...itle-to-Incident/Images/AS_Add_Azure_AD_User_Job_Title_to_Incident_Deploy_4.png
View file
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added ...itle-to-Incident/Images/AS_Add_Azure_AD_User_Job_Title_to_Incident_Deploy_5.png
View file
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added ...itle-to-Incident/Images/AS_Add_Azure_AD_User_Job_Title_to_Incident_Deploy_6.png
View file
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
86 changes: 86 additions & 0 deletions Playbooks/AS-Add-Azure-AD-User-Job-Title-to-Incident/README.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,86 @@
# AS-Add-Azure-AD-User-Job-Title-to-Incident
Author: Accelerynt

For any technical questions, please contact info@accelerynt.com

[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FAS-Add-Azure-AD-User-Job-Title-to-Incident%2Fazuredeploy.json)
[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FAS-Add-Azure-AD-User-Job-Title-to-Incident%2Fazuredeploy.json)

This playbook is intended to be run from a Microsoft Sentinel incident. It will pull the Azure AD user accounts associated with the entities from Microsoft Sentinel incidents and add the Azure AD job titles in an Incident comment.


![AS_Add_Azure_AD_User_Job_Title_to_Incident_Demo_1](Images/AS_Add_Azure_AD_User_Job_Title_to_Incident_Demo_1.png)


#
### Deployment

To configure and deploy this playbook:

Open your browser and ensure you are logged into your Microsoft Sentinel workspace. In a separate tab, open the link to our playbook on the Accelerynt Security GitHub Repository:

https://github.com/Accelerynt-Security/AS-Add-Azure-AD-User-Job-Title-to-Incident

[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FAS-Add-Azure-AD-User-Job-Title-to-Incident%2Fazuredeploy.json)
[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FAS-Add-Azure-AD-User-Job-Title-to-Incident%2Fazuredeploy.json)

Click the “**Deploy to Azure**” button at the bottom and it will bring you to the custom deployment template.

In the **Project details** section:

* Select the **Subscription** and **Resource group** from the dropdown boxes you would like the playbook deployed to.

In the **Instance details** section:

* **Playbook Name**: This can be left as "**AS-Add-Azure-AD-User-Job-Title-to-Incident**" or you may change it.

Towards the bottom, click on "**Review + create**".

![AS_Add_Azure_AD_User_Job_Title_to_Incident_Deploy_1](Images/AS_Add_Azure_AD_User_Job_Title_to_Incident_Deploy_1.png)

Once the resources have validated, click on "**Create**".

![AS_Add_Azure_AD_User_Job_Title_to_Incident_Deploy_2](Images/AS_Add_Azure_AD_User_Job_Title_to_Incident_Deploy_2.png)

The resources should take around a minute to deploy. Once the deployment is complete, you can expand the "**Deployment details**" section to view them.
Click the one corresponding to the Logic App.

![AS_Add_Azure_AD_User_Job_Title_to_Incident_Deploy_3](Images/AS_Add_Azure_AD_User_Job_Title_to_Incident_Deploy_3.png)

Click on the "**Edit**" button. This will bring us into the Logic Apps Designer.

![AS_Add_Azure_AD_User_Job_Title_to_Incident_Deploy_4](Images/AS_Add_Azure_AD_User_Job_Title_to_Incident_Deploy_4.png)

Before the playbook can be run, the Azure AD connection will either need to be authorized in the indicated step, or an existing authorized connection may be alternatively selected. This connection can be found under the third step labeled "**For each**".

![AS_Add_Azure_AD_User_Job_Title_to_Incident_Deploy_5](Images/AS_Add_Azure_AD_User_Job_Title_to_Incident_Deploy_5.png)

Expand the "**Connections**" step and click the exclamation point icon next to the name matching the playbook.

![AS_Add_Azure_AD_User_Job_Title_to_Incident_Deploy_6](Images/AS_Add_Azure_AD_User_Job_Title_to_Incident_Deploy_6.png)

When prompted, sign in to validate the connection.
![AS_Add_Azure_AD_User_Job_Title_to_Incident_Deploy_7](Images/AS_Add_Azure_AD_User_Job_Title_to_Incident_Deploy_7.png)

#
### Microsoft Sentinel Contributor Role

After deployment, you will need to give the system assigned managed identity the "**Microsoft Sentinel Contributor**" role. This will enable the Logic App to add comments to Incidents. Navigate to the Log Analytics Workspaces page and select the same workspace the playbook is located in:

https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.OperationalInsights%2Fworkspaces

Select the "**Access control (IAM)**" option from the menu blade, then click "**Add role assignment**".

![AS_Add_Azure_AD_User_Job_Title_to_Incident_Add_Contributor_Role_1](Images/AS_Add_Azure_AD_User_Job_Title_to_Incident_Add_Contributor_Role_1.png)

Select the "**Microsoft Sentinel Contributor**" role, then click "**Next**".

![AS_Add_Azure_AD_User_Job_Title_to_Incident_Add_Contributor_Role_2](Images/AS_Add_Azure_AD_User_Job_Title_to_Incident_Add_Contributor_Role_2.png)

Select the "**Managed identity**" option, then click "**Select Members**". Under the subscription the Logic App is located, set the value of "**Managed identity**" to "**Logic app**". Next, enter "**AS-Sign-Out-Google-User**", or the alternative playbook name used during deployment, in the field labeled "**Select**". Select the playbook, then click "**Select**".

![AS_Add_Azure_AD_User_Job_Title_to_Incident_Add_Contributor_Role_3](Images/AS_Add_Azure_AD_User_Job_Title_to_Incident_Add_Contributor_Role_3.png)

Continue on to the "**Review + assign**" tab and click "**Review + assign**".

![AS_Add_Azure_AD_User_Job_Title_to_Incident_Add_Contributor_Role_4](Images/AS_Add_Azure_AD_User_Job_Title_to_Incident_Add_Contributor_Role_4.png)
252 changes: 252 additions & 0 deletions Playbooks/AS-Add-Azure-AD-User-Job-Title-to-Incident/azuredeploy.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,252 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"title": "AS-Add-Azure-AD-User-Job-Title-to-Incident",
"description": "This playbook is intended to be run from a Microsoft Sentinel incident. It will pull the Azure AD user accounts associated with the entities from Microsoft Sentinel incidents and add the Azure AD job titles in an Incident comment.",
"lastUpdateTime": "2023-08-08T18:44:57Z",
"entities": ["Account"],
"tags": ["Microsoft Sentinel", "Incident", "Azure Active Directory", "User Job Title"],
"support": {
"tier": "partner"
},
"author": {
"name": "Accelerynt"
}
},
"parameters": {
"PlaybookName": {
"defaultValue": "AS-Add-Azure-AD-User-Job-Title-to-Incident",
"type": "string"
}
},
"variables": {
"azuread": "[concat('azuread-', parameters('PlaybookName'))]",
"azuresentinel": "[concat('azuresentinel-', parameters('PlaybookName'))]"

},
"resources": [
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('azuread')]",
"location": "[resourceGroup().location]",
"kind": "V1",
"properties": {
"displayName": "[parameters('PlaybookName')]",
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuread')]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('azuresentinel')]",
"location": "[resourceGroup().location]",
"kind": "V1",
"properties": {
"displayName": "[parameters('PlaybookName')]",
"customParameterValues": {},
"parameterValueType": "Alternative",
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
}
}
},
{
"type": "Microsoft.Logic/workflows",
"apiVersion": "2017-07-01",
"name": "[parameters('PlaybookName')]",
"location": "[resourceGroup().location]",
"tags": {
"LogicAppsCategory": "security"
},
"identity": {
"type": "SystemAssigned"
},
"dependsOn": [
"[resourceId('Microsoft.Web/connections', variables('azuread'))]",
"[resourceId('Microsoft.Web/connections', variables('azuresentinel'))]"
],
"properties": {
"state": "Enabled",
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"$connections": {
"defaultValue": {},
"type": "Object"
}
},
"triggers": {
"Microsoft_Sentinel_incident": {
"type": "ApiConnectionWebhook",
"inputs": {
"body": {
"callback_url": "@{listCallbackUrl()}"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"path": "/incident-creation"
}
}
},
"actions": {
"Condition_-_Azure_AD_User_Info_Found": {
"actions": {
"Add_comment_to_incident_(V3)": {
"runAfter": {},
"type": "ApiConnection",
"inputs": {
"body": {
"incidentArmId": "@triggerBody()?['object']?['id']",
"message": "<p><strong>Azure AD User Job Titles:</strong><br>\n@{variables('Azure AD Users')}</p>"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/Incidents/Comment"
}
}
},
"runAfter": {
"For_each_-_Account": [
"Succeeded"
]
},
"expression": {
"and": [
{
"not": {
"equals": [
"@variables('Azure AD Users')",
""
]
}
}
]
},
"type": "If"
},
"Entities_-_Get_Accounts": {
"runAfter": {},
"type": "ApiConnection",
"inputs": {
"body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/entities/account"
}
},
"For_each_-_Account": {
"foreach": "@body('Entities_-_Get_Accounts')?['Accounts']",
"actions": {
"Condition_-_Azure_AD_User_Job_Title_Exists": {
"actions": {
"Append_to_string_variable": {
"runAfter": {},
"type": "AppendToStringVariable",
"inputs": {
"name": "Azure AD Users",
"value": "User: @{body('Get_user')?['userPrincipalName']}\nJob Title: @{body('Get_user')?['jobTitle']}\n"
}
}
},
"runAfter": {
"Get_user": [
"Succeeded",
"Failed"
]
},
"expression": {
"and": [
{
"not": {
"equals": [
"@body('Get_user')?['jobTitle']",
"@null"
]
}
}
]
},
"type": "If"
},
"Get_user": {
"runAfter": {},
"type": "ApiConnection",
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['azuread']['connectionId']"
}
},
"method": "get",
"path": "/v1.0/users/@{encodeURIComponent(items('For_each_-_Account')?['AadUserId'])}"
}
}
},
"runAfter": {
"Initialize_variable_-_Azure_AD_Users": [
"Succeeded"
]
},
"type": "Foreach"
},
"Initialize_variable_-_Azure_AD_Users": {
"runAfter": {
"Entities_-_Get_Accounts": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "Azure AD Users",
"type": "string"
}
]
}
}
},
"outputs": {}
},
"parameters": {
"$connections": {
"value": {
"azuread": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('azuread'))]",
"connectionName": "[variables('azuread')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuread')]"
},
"azuresentinel": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('azuresentinel'))]",
"connectionName": "[variables('azuresentinel')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]",
"connectionProperties": {
"authentication": {
"type": "ManagedServiceIdentity"
}
}
}
}
}
}
}
}
]
}
39 changes: 39 additions & 0 deletions Playbooks/AS-Make-GitHub-Repository-Private/CreateJWT-Function/CreateJWT.js
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,39 @@
const { sign } = require('jsonwebtoken');
const { add, getUnixTime } = require('date-fns');

module.exports = async function (context, req) {
context.log(`Http function processed request for url "${req.url}"`);

// Get private key from request body
const privateKey = req.body.private_key;
// Get GitHub App ID from request body
const appId = req.body.app_id;

if (privateKey && appId) {
// Create payload
const now = new Date();
const payload = {
// Issued at time
iat: getUnixTime(now),
// JWT expiration time (5 minutes from now)
exp: getUnixTime(add(now, { minutes: 5 })),
// GitHub App ID
iss: appId
};

// Sign the JWT
const token = sign(payload, privateKey, { algorithm: 'RS256' });
// Success response body
context.res = {
// Status defaults to 200
body: token
};
}
else {
// Failure response body
context.res = {
status: 400,
body: "Missing private key and/or GitHub App ID."
};
}
};
Loading

0 comments on commit 99d3cb6

Please sign in to comment.