diff --git a/Solutions/Australian Cyber Security Centre/Playbooks/AusCtisExportTaggedIndicators/azuredeploy.json b/Solutions/Australian Cyber Security Centre/Playbooks/AusCtisExportTaggedIndicators/azuredeploy.json
index 3ca80a881cb..2711c50f9b8 100644
--- a/Solutions/Australian Cyber Security Centre/Playbooks/AusCtisExportTaggedIndicators/azuredeploy.json
+++ b/Solutions/Australian Cyber Security Centre/Playbooks/AusCtisExportTaggedIndicators/azuredeploy.json
@@ -158,6 +158,163 @@ } }, "actions": { + "Condition_to_check_if_at_least_one_indicator_to_send": { + "actions": { + "For_each_filtered_indicator": { + "foreach": "@body('Filter_array_of_indicators_where_tags_do_not_contain_Export_Complete')", + "actions": { + "HTTP_appendTags_request": { + "runAfter": {}, + "type": "Http", + "inputs": { + "authentication": { + "type": "ManagedServiceIdentity" + }, + "body": { + "threatIntelligenceTags": [ + "@{parameters('Tag for indicator export completion')}" + ] + }, + "method": "POST", + "uri": "[uriComponentToString(uri(variables('azure'), 'subscriptions/@{parameters(''SubscriptionID'')}/resourceGroups/@{parameters(''ResourceGroup'')}/providers/Microsoft.OperationalInsights/workspaces/@{parameters(''Workspace'')}/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/@{items(''For_each_filtered_indicator'')?[''name'']}/appendTags?api-version=2021-10-01'))]" + } + } + }, + "runAfter": { + "HTTP_POST_stix_bundle_to_TAXII_server": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Grouping_Object_Composition": { + "actions": { + "Append_GroupObj_to_Indicators_array": { + "runAfter": { + "Compose_Group_Object": [ + "Succeeded" + ] + }, + "type": "AppendToArrayVariable", + "inputs": { + "name": "Indicators", + "value": "@outputs('Compose_Group_Object')" + } + }, + "Compose_Group_Object": { + "runAfter": {}, + "type": "Compose", + "inputs": { + "confidence": 100, + "context": "suspicious-activity", + "created": "@formatDateTime(string(utcNow()), 'yyyy-MM-ddTHH:mm:ss.ffffffK')", + "created_by_ref": "@variables('CreatedByRefObjId')", + "id": "grouping--@{guid()}", + "modified": "@formatDateTime(string(utcNow()), 'yyyy-MM-ddTHH:mm:ss.ffffffK')", + "object_marking_refs": "@union(variables('AllMarkingRefObjIds'), variables('MarkingRefsObjIds'))", + "object_refs": "@variables('IndicatorIds')", + "spec_version": "2.1", + "type": "grouping" + } + } + }, + "runAfter": {}, + "type": "Scope" + }, + 
"HTTP_POST_stix_bundle_to_TAXII_server": { + "runAfter": { + "Set_variable_with_STIX_bundle_JSON": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "authentication": { + "password": "@parameters('TAXIIServerPassword')", + "type": "Basic", + "username": "@parameters('TAXIIServerUsername')" + }, + "body": "@variables('StixBuldle')", + "headers": { + "Accept": "application/taxii+json;version=2.1", + "Content-type": "application/taxii+json;version=2.1" + }, + "method": "POST", + "retryPolicy": { + "type": "none" + }, + "uri": "@{parameters('TAXIIServerRootURL')}/collections/@{parameters('CollectionID')}/objects/" + } + }, + "Identity_Object_Composition": { + "actions": { + "Append_IdentityObj_to_Indicators_array": { + "runAfter": { + "Compose_Identity_Object": [ + "Succeeded" + ] + }, + "type": "AppendToArrayVariable", + "inputs": { + "name": "Indicators", + "value": "@outputs('Compose_Identity_Object')" + } + }, + "Compose_Identity_Object": { + "runAfter": {}, + "type": "Compose", + "inputs": { + "confidence": 100, + "created": "@formatDateTime(string(utcNow()), 'yyyy-MM-ddTHH:mm:ss.ffffffK')", + "id": "@variables('CreatedByRefObjId')", + "identity_class": "organization", + "modified": "@formatDateTime(string(utcNow()), 'yyyy-MM-ddTHH:mm:ss.ffffffK')", + "name": "CTIS", + "object_marking_refs": "@union(variables('AllMarkingRefObjIds'), variables('MarkingRefsObjIds'))", + "spec_version": "2.1", + "type": "identity" + } + } + }, + "runAfter": { + "Grouping_Object_Composition": [ + "Succeeded" + ] + }, + "type": "Scope" + }, + "Set_variable_with_STIX_bundle_JSON": { + "runAfter": { + "Identity_Object_Composition": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "StixBuldle", + "value": "{\n \"type\": \"bundle\",\n \"id\": \"bundle--1736e032-a96a-41e9-8302-126677d4d781\",\n \"objects\": @{variables('Indicators')}\n}" + } + } + }, + "runAfter": { + "For_each_Indicator": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "not": { 
+ "equals": [ + "@length(variables('Indicators'))", + 0 + ] + } + } + ] + }, + "type": "If" + }, "Filter_array_of_indicators_where_tags_contain_Export": { "runAfter": { "Parse_JSON_queryIndicators_response": [ @@ -185,6 +342,18 @@ "For_each_Indicator": { "foreach": "@body('Filter_array_of_indicators_where_tags_do_not_contain_Export_Complete')", "actions": { + "Append_IndicatorId_to_array_IndicatorsIds": { + "runAfter": { + "Set_variable_IndicatorId": [ + "Succeeded" + ] + }, + "type": "AppendToArrayVariable", + "inputs": { + "name": "IndicatorIds", + "value": "@variables('IndicatorId')" + } + }, "Append_MarkingRefObj_to_array_Indicators": { "runAfter": { "Reset_variable_Indicator": [ @@ -210,12 +379,16 @@ } }, "Compose_mandatory_properties": { - "runAfter": {}, + "runAfter": { + "Append_IndicatorId_to_array_IndicatorsIds": [ + "Succeeded" + ] + }, "type": "Compose", "inputs": { "created": "@formatDateTime(string(items('For_each_Indicator')?['properties']?['created']), 'yyyy-MM-ddTHH:mm:ss.ffffffK')", - "id": "indicator--@{guid()}", - "modified": "@formatDateTime(string(items('For_each_Indicator')?['properties']?['lastUpdatedTimeUtc']), 'yyyy-MM-ddTHH:mm:ss.ffffffK')", + "id": "@variables('IndicatorId')", + "modified": "@addSeconds(formatDateTime(string(items('For_each_Indicator')?['properties']?['lastUpdatedTimeUtc'])), 5, 'yyyy-MM-ddTHH:mm:ss.ffffffK')", "pattern": "@items('For_each_Indicator')?['properties']?['pattern']", "pattern_type": "@if(contains(createArray('stix', 'pcre', 'sigma', 'snort', 'suricata', 'yara'), string(items('For_each_Indicator')?['properties']?['patternType'])), string(items('For_each_Indicator')?['properties']?['patternType']), 'stix')", "spec_version": "2.1", 
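Review bot: `Set_variable_with_STIX_bundle_JSON` still emits the fixed id `bundle--1736e032-a96a-41e9-8302-126677d4d781` on every run, so each export posts a bundle with the same identifier even though the commit now mints fresh ids for indicator and grouping objects with `guid()`; a receiving server that logs or de-duplicates by bundle id cannot tell two runs apart. Consider `\"id\": \"bundle--@{guid()}\"` in the value string. The variable name `StixBuldle` (here, in the `body` of `HTTP_POST_stix_bundle_to_TAXII_server`, and in the initializer in the later `@@ -1692` hunk) is a misspelling of `StixBundle`; it is used consistently so it works, but anyone searching for the bundle variable will miss it. Less important, `Compose_Group_Object` evaluates `utcNow()` separately for `created` and `modified`, so the two may differ by a few microseconds; capturing one timestamp and reusing it would be cleaner.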
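Review bot: The `modified` value in `Compose_mandatory_properties` now adds five seconds to the indicator's `lastUpdatedTimeUtc`, and nothing in the hunk records why, so the exported timestamp no longer matches Sentinel's record and a maintainer cannot tell whether the offset is deliberate. If the intent is to keep `modified` after `created` for indicators updated within the same second (my guess, please confirm), say so on the action, e.g. `"description": "modified is offset +5s from lastUpdatedTimeUtc so it is never earlier than created; see <reason/ticket placeholder>"`; otherwise comparing the two timestamps and bumping only when needed would avoid skewing every exported object. The enclosing `For_each_Indicator` and the remainder of this action's `inputs` continue outside the hunk.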
@@ -303,6 +476,27 @@ "Succeeded" ] }, + "else": { + "actions": { + "Compose_default_'created_by_ref'_property": { + "runAfter": {}, + "type": "Compose", + "inputs": "@addProperty(variables('Indicator'), 'created_by_ref', 'identity--02073f98-86a4-44c8-9fff-f92c2e0fceae')" + }, + "Set_variable_indicator_with_default_'created_by_ref'_property": { + "runAfter": { + "Compose_default_'created_by_ref'_property": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "Indicator", + "value": "@outputs('Compose_default_''created_by_ref''_property')" + } + } + } + }, "expression": { "and": [ { @@ -823,14 +1017,44 @@ }, "type": "Scope" }, - "Compose_'labels'_property": { + "Condition_to_check_if_any_lable_exist": { + "actions": { + "Compose_'labels'_property": { + "runAfter": {}, + "type": "Compose", + "inputs": "@addProperty(variables('Indicator'), 'labels', variables('Lables'))" + }, + "Set_variable_Indicator_with_'labels'_property": { + "runAfter": { + "Compose_'labels'_property": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "Indicator", + "value": "@outputs('Compose_''labels''_property')" + } + } + }, "runAfter": { "Add_Incidet_ID_to_Description": [ "Succeeded" ] }, - "type": "Compose", - "inputs": "@addProperty(variables('Indicator'), 'labels', variables('Lables'))" + "expression": { + "and": [ + { + "not": { + "equals": [ + "@length(variables('Lables'))", + 0 + ] + } + } + ] + }, + "type": "If" }, "Filter_Export_tag": { "actions": { @@ -858,18 +1082,6 @@ "runAfter": {}, "type": "Scope" }, - "Set_variable_Indicator_with_'labels'_property": { - "runAfter": { - "Compose_'labels'_property": [ - "Succeeded" - ] - }, - "type": "SetVariable", - "inputs": { - "name": "Indicator", - "value": "@outputs('Compose_''labels''_property')" - } - }, "TLP_tag_processing": { "actions": { "Condition_to_check_if_TLP_tag_is_present_and_valid": { 
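Review bot: The `else` branch's `Compose_default_'created_by_ref'_property` hard-codes `identity--02073f98-86a4-44c8-9fff-f92c2e0fceae`, the same literal the commit also stores in the `CreatedByRefObjId` variable (hunk `@@ -1614`) and then uses as the `id` of the identity object in the bundle; two copies of the value will drift if one is changed, and a drifted `created_by_ref` would point at an identity that is not in the bundle. Use the variable here: `"inputs": "@addProperty(variables('Indicator'), 'created_by_ref', variables('CreatedByRefObjId'))"`. This assumes the initializer runs before `For_each_Indicator`, which the initializer chain suggests but the loop's `runAfter` is not in view. The enclosing condition's `expression` and its other `actions` continue outside the hunk.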
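Review bot: The new action is named `Condition_to_check_if_any_lable_exist`, carrying the pre-existing `Lables` misspelling into a fresh action key, which is harder to rename later because `runAfter` entries of sibling actions will refer to it. Consider `Condition_to_check_if_any_label_exists` before it gains dependents. A short `description` on the condition would also make the guard's purpose visible in the designer, e.g. `"description": "Only add the labels property when at least one label was collected; indicators with no labels are exported without it."` (the reason for omitting an empty array is not stated in the hunk, so adjust the wording to the actual intent).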
@@ -1257,7 +1469,7 @@ }, "Reset_variable_Indicator": { "runAfter": { - "Append_to_array_Indicators": [ + "Reset_variable_IndicatorId": [ "Succeeded" ] }, @@ -1267,6 +1479,18 @@ "value": {} } }, + "Reset_variable_IndicatorId": { + "runAfter": { + "Append_to_array_Indicators": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "IndicatorId", + "value": "@{null}" + } + }, "Reset_variable_MarkingRefObject": { "runAfter": { "Append_MarkingRefObj_to_array_Indicators": [ @@ -1279,6 +1503,14 @@ "value": {} } }, + "Set_variable_IndicatorId": { + "runAfter": {}, + "type": "SetVariable", + "inputs": { + "name": "IndicatorId", + "value": "indicator--@{guid()}" + } + }, "Set_variable_Indicator_with_mandatory_properties": { "runAfter": { "Compose_mandatory_properties": [ @@ -1293,6 +1525,19 @@ }, "TLP_Marking_Ref_definition": { "actions": { + "Append_MarkingRefObjID_to_array_AllMarkingRefsObjectIds": { + "runAfter": { + "Append_MarkingRefObjID_to_array_MarkingRefsObjectIds": [ + "Succeeded" + ] + }, + "type": "AppendToArrayVariable", + "inputs": { + "name": "AllMarkingRefObjIds", + "value": "@variables('MarkingRefObjId')" + }, + "description": "This array is used in Identity Object creation." + }, "Append_MarkingRefObjID_to_array_MarkingRefsObjectIds": { "runAfter": { "Set_variable_MarkingRefObj_with_default_TLP_Marking_definition": [ @@ -1328,7 +1573,7 @@ }, "Reset_variable_MarkingRefObjId": { "runAfter": { - "Append_MarkingRefObjID_to_array_MarkingRefsObjectIds": [ + "Append_MarkingRefObjID_to_array_AllMarkingRefsObjectIds": [ "Succeeded" ] }, 
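Review bot: `Reset_variable_IndicatorId` sets the string variable to `"@{null}"`, which is an interpolation of null and should evaluate to an empty string rather than null; `Initialize_variable_IndicatorId` in the later `@@ -1642` hunk uses the same form. It is harmless because `Set_variable_IndicatorId` (`"runAfter": {}`) overwrites the value with a fresh `indicator--@{guid()}` at the start of every iteration, but the form reads as if the variable could hold null. Either write `"value": ""` to say what actually happens, or drop the reset step and point `Reset_variable_Indicator` back at `Append_to_array_Indicators`, since the reset buys nothing that the per-iteration assignment does not already provide.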
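Review bot: The `description` on `Append_MarkingRefObjID_to_array_AllMarkingRefsObjectIds` says the array is used in identity object creation, but `AllMarkingRefObjIds` is also consumed by `Compose_Group_Object` (`object_marking_refs` in the `@@ -158` hunk), so the note is already incomplete. Suggest `"description": "Accumulates the marking ref id of every indicator across the whole run (duplicates are collapsed by union() at use); feeds object_marking_refs of the grouping and identity objects."`. Because the append happens once per indicator with no de-duplication, the array grows with the indicator count until `union()` collapses it; fine for correctness, but worth stating so nobody later reads it as a set.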
@@ -1446,59 +1691,6 @@ } } }, - "For_each_filtered_indicator": { - "foreach": "@body('Filter_array_of_indicators_where_tags_do_not_contain_Export_Complete')", - "actions": { - "HTTP_appendTags_request": { - "runAfter": { - }, - "type": "Http", - "inputs": { - "authentication": { - "type": "ManagedServiceIdentity" - }, - "body": { - "threatIntelligenceTags": [ - "@{parameters('Tag for indicator export completion')}" - ] - }, - "method": "POST", - "uri": "https://management.azure.com/subscriptions/@{parameters('SubscriptionID')}/resourceGroups/@{parameters('ResourceGroup')}/providers/Microsoft.OperationalInsights/workspaces/@{parameters('Workspace')}/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/@{items('For_each_filtered_indicator')?['name']}/appendTags?api-version=2021-10-01" - } - } - }, - "runAfter": { - "HTTP_POST_stix_bundle_to_TAXII_server": [ - "Succeeded" - ] - }, - "type": "Foreach" - }, - "HTTP_POST_stix_bundle_to_TAXII_server": { - "runAfter": { - "Initialize_variable_for_STIX_bundle_JSON": [ - "Succeeded" - ] - }, - "type": "Http", - "inputs": { - "authentication": { - "password": "@parameters('TAXIIServerPassword')", - "type": "Basic", - "username": "@parameters('TAXIIServerUsername')" - }, - "body": "@variables('StixBundle')", - "headers": { - "Accept": "application/taxii+json;version=2.1", - "Content-type": "application/taxii+json;version=2.1" - }, - "method": "POST", - "retryPolicy": { - "type": "none" - }, - "uri": "@{parameters('TAXIIServerRootURL')}/collections/@{parameters('CollectionID')}/objects/" - } - }, "HTTP_queryIndicators_request": { "runAfter": { "Initialize_variable_IncidentTag": [ 
@@ -1527,10 +1719,43 @@ "uri": "[uriComponentToString(uri(variables('azure'),'subscriptions/@{parameters(''SubscriptionID'')}/resourceGroups/@{parameters(''ResourceGroup'')}/providers/Microsoft.OperationalInsights/workspaces/@{parameters(''Workspace'')}/providers/Microsoft.SecurityInsights/threatIntelligence/main/queryIndicators?api-version=2022-06-01-preview'))]" } }, - "Initialize_array_Indicators": { + "Initialize_array_AllMarkingRefObjIds": { + "runAfter": { + "Initialize_array_MarkingRefsObjIds": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "AllMarkingRefObjIds", + "type": "array", + "value": [] + } + ] + } + }, + "Initialize_array_IndicatorIds": { "runAfter": { + "Initialize_variable_IndicatorId": [ + "Succeeded" + ] }, "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "IndicatorIds", + "type": "array", + "value": [] + } + ] + } + }, + "Initialize_array_Indicators": { + "runAfter": {}, + "type": "InitializeVariable", "inputs": { "variables": [ { @@ -1568,8 +1793,7 @@ { "name": "MarkingRefsObjIds", "type": "array", - "value": [ - ] + "value": [] } ] } @@ -1614,9 +1838,27 @@ ] } }, + "Initialize_variable_IdentityObjId_or_CreatedByRefObjId": { + "runAfter": { + "Initialize_array_IndicatorIds": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "CreatedByRefObjId", + "type": "string", + "value": "identity--02073f98-86a4-44c8-9fff-f92c2e0fceae" + } + ] + }, + "description": "Default CreatedByRefObjId or IdenityObjId" + }, "Initialize_variable_IncidentTag": { "runAfter": { - "Initialize_array_MarkingRefsObjIds": [ + "Initialize_variable_StixBundle": [ "Succeeded" ] }, 
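Review bot: The `description` on `Initialize_variable_IdentityObjId_or_CreatedByRefObjId` reads "Default CreatedByRefObjId or IdenityObjId": "IdenityObjId" is misspelled, and "Default" suggests the value can be overridden, yet nothing in this patch assigns the variable again and the same literal is hard-coded inline in the `else` branch of the `@@ -303` hunk. Suggest `"description": "STIX id of the identity object that every exported indicator and the grouping reference via created_by_ref; must equal the id emitted by Compose_Identity_Object."`. If the identity is meant to differ per deploying organisation, it would belong in `parameters` rather than a fixed literal; that is a design question for the author rather than a defect in the hunk.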
@@ -1642,8 +1884,24 @@ { "name": "Indicator", "type": "object", - "value": { - } + "value": {} + } + ] + } + }, + "Initialize_variable_IndicatorId": { + "runAfter": { + "Initialize_array_AllMarkingRefObjIds": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "IndicatorId", + "type": "string", + "value": "@{null}" } ] } @@ -1660,8 +1918,7 @@ { "name": "MarkingRefObj", "type": "object", - "value": { - } + "value": {} } ] } @@ -1682,9 +1939,9 @@ ] } }, - "Initialize_variable_TLPLabel": { + "Initialize_variable_StixBundle": { "runAfter": { - "Initialize_array_TLPLables": [ + "Initialize_variable_IdentityObjId_or_CreatedByRefObjId": [ "Succeeded" ] }, @@ -1692,15 +1949,15 @@ "inputs": { "variables": [ { - "name": "TLPLabel", + "name": "StixBuldle", "type": "string" } ] } }, - "Initialize_variable_for_STIX_bundle_JSON": { + "Initialize_variable_TLPLabel": { "runAfter": { - "For_each_Indicator": [ + "Initialize_array_TLPLables": [ "Succeeded" ] }, @@ -1708,9 +1965,8 @@ "inputs": { "variables": [ { - "name": "StixBundle", - "type": "string", - "value": "{\n \"type\": \"bundle\",\n \"id\": \"bundle--1736e032-a96a-41e9-8302-126677d4d781\",\n \"objects\": @{string(variables('Indicators'))}\n}" + "name": "TLPLabel", + "type": "string" } ] } @@ -1759,8 +2015,7 @@ "properties": { "sentinel-ext": { "properties": { - "severity": { - } + "severity": {} }, "type": "object" },