diff --git a/Solutions/Microsoft Defender Threat Intelligence/Data/Solution_MicrosoftDefenderThreatIntelligence.json b/Solutions/Microsoft Defender Threat Intelligence/Data/Solution_MicrosoftDefenderThreatIntelligence.json
index b9b2c95f077..ff585df7db2 100644
--- a/Solutions/Microsoft Defender Threat Intelligence/Data/Solution_MicrosoftDefenderThreatIntelligence.json
+++ b/Solutions/Microsoft Defender Threat Intelligence/Data/Solution_MicrosoftDefenderThreatIntelligence.json
@@ -6,14 +6,18 @@
"Playbooks": [
"Playbooks/MDTI-Automated-Triage/azuredeploy.json",
"Playbooks/MDTI-Base/azuredeploy.json",
+ "Playbooks/MDTI-Data-Cookies/azuredeploy.json",
"Playbooks/MDTI-Data-WebComponents/azuredeploy.json",
- "Playbooks/MDTI-Intel-Reputation/azuredeploy.json"
+ "Playbooks/MDTI-Intel-Reputation/azuredeploy.json",
+ "Playbooks/MDTI-PassiveDns/azuredeploy.json",
+ "Playbooks/MDTI-PassiveDnsReverse/azuredeploy.json",
+ "Playbooks/MDTI-Trackers/azuredeploy.json"
],
"Workbooks": [
"Workbooks/MicrosoftThreatIntelligence.json"
],
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Microsoft Defender Threat Intelligence",
- "Version": "2.0.4",
+ "Version": "3.0.1",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true,
"Is1Pconnector": true
diff --git a/Solutions/Microsoft Defender Threat Intelligence/Package/3.0.1.zip b/Solutions/Microsoft Defender Threat Intelligence/Package/3.0.1.zip
new file mode 100644
index 00000000000..0b60f1e109d
Binary files /dev/null and b/Solutions/Microsoft Defender Threat Intelligence/Package/3.0.1.zip differ
diff --git a/Solutions/Microsoft Defender Threat Intelligence/Package/createUiDefinition.json b/Solutions/Microsoft Defender Threat Intelligence/Package/createUiDefinition.json
index d601d928b9d..635e9151cf7 100644
--- a/Solutions/Microsoft Defender Threat Intelligence/Package/createUiDefinition.json
+++ b/Solutions/Microsoft Defender Threat Intelligence/Package/createUiDefinition.json
@@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
- "description": "\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20Threat%20Intelligence/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nMicrosoft centralizes numerous data sets into a single platform, Microsoft Defender Threat Intelligence [(MDTI)](https://learn.microsoft.com/defender/threat-intelligence/what-is-microsoft-defender-threat-intelligence-defender-ti), making it easier for Microsoft’s community and customers to conduct infrastructure analysis. Microsoft’s primary focus is to provide as much data as possible about Internet infrastructure to support a variety of security use cases and enabling automation for Incident management in Microsoft Sentinel.\n\n**Workbooks:** 1, **Playbooks:** 4\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": "\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20Threat%20Intelligence/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nMicrosoft centralizes numerous data sets into a single platform, Microsoft Defender Threat Intelligence [(MDTI)](https://learn.microsoft.com/defender/threat-intelligence/what-is-microsoft-defender-threat-intelligence-defender-ti), making it easier for Microsoft’s community and customers to conduct infrastructure analysis. Microsoft’s primary focus is to provide as much data as possible about Internet infrastructure to support a variety of security use cases and enabling automation for Incident management in Microsoft Sentinel.\n\n**Workbooks:** 1, **Playbooks:** 8\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
diff --git a/Solutions/Microsoft Defender Threat Intelligence/Package/mainTemplate.json b/Solutions/Microsoft Defender Threat Intelligence/Package/mainTemplate.json
index 132d0b230b1..f59dd1038ba 100644
--- a/Solutions/Microsoft Defender Threat Intelligence/Package/mainTemplate.json
+++ b/Solutions/Microsoft Defender Threat Intelligence/Package/mainTemplate.json
@@ -41,7 +41,7 @@
"email": "support@microsoft.com",
"_email": "[variables('email')]",
"_solutionName": "Microsoft Defender Threat Intelligence",
- "_solutionVersion": "3.0.0",
+ "_solutionVersion": "3.0.1",
"solutionId": "azuresentinel.azure-sentinel-solution-microsoftdefenderthreatint",
"_solutionId": "[variables('solutionId')]",
"MDTI-Automated-Triage": "MDTI-Automated-Triage",
@@ -62,22 +62,55 @@
"playbookId2": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId2'))]",
"playbookTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId2'))))]",
"_playbookcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId2'),'-', variables('playbookVersion2'))))]",
- "MDTI-Data-WebComponents": "MDTI-Data-WebComponents",
- "_MDTI-Data-WebComponents": "[variables('MDTI-Data-WebComponents')]",
+ "MDTI-Data-Cookies": "MDTI-Data-Cookies",
+ "_MDTI-Data-Cookies": "[variables('MDTI-Data-Cookies')]",
+ "blanks": "[replace('b', 'b', '')]",
"playbookVersion3": "1.0",
- "playbookContentId3": "MDTI-Data-WebComponents",
+ "playbookContentId3": "MDTI-Data-Cookies",
"_playbookContentId3": "[variables('playbookContentId3')]",
"playbookId3": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId3'))]",
"playbookTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId3'))))]",
"_playbookcontentProductId3": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId3'),'-', variables('playbookVersion3'))))]",
- "MDTI-Intel-Reputation": "MDTI-Intel-Reputation",
- "_MDTI-Intel-Reputation": "[variables('MDTI-Intel-Reputation')]",
+ "MDTI-Data-WebComponents": "MDTI-Data-WebComponents",
+ "_MDTI-Data-WebComponents": "[variables('MDTI-Data-WebComponents')]",
"playbookVersion4": "1.0",
- "playbookContentId4": "MDTI-Intel-Reputation",
+ "playbookContentId4": "MDTI-Data-WebComponents",
"_playbookContentId4": "[variables('playbookContentId4')]",
"playbookId4": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId4'))]",
"playbookTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId4'))))]",
"_playbookcontentProductId4": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId4'),'-', variables('playbookVersion4'))))]",
+ "MDTI-Intel-Reputation": "MDTI-Intel-Reputation",
+ "_MDTI-Intel-Reputation": "[variables('MDTI-Intel-Reputation')]",
+ "playbookVersion5": "1.0",
+ "playbookContentId5": "MDTI-Intel-Reputation",
+ "_playbookContentId5": "[variables('playbookContentId5')]",
+ "playbookId5": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId5'))]",
+ "playbookTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId5'))))]",
+ "_playbookcontentProductId5": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId5'),'-', variables('playbookVersion5'))))]",
+ "MDTI-PassiveDns": "MDTI-PassiveDns",
+ "_MDTI-PassiveDns": "[variables('MDTI-PassiveDns')]",
+ "playbookVersion6": "1.0",
+ "playbookContentId6": "MDTI-PassiveDns",
+ "_playbookContentId6": "[variables('playbookContentId6')]",
+ "playbookId6": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId6'))]",
+ "playbookTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId6'))))]",
+ "_playbookcontentProductId6": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId6'),'-', variables('playbookVersion6'))))]",
+ "MDTI-PassiveDnsReverse": "MDTI-PassiveDnsReverse",
+ "_MDTI-PassiveDnsReverse": "[variables('MDTI-PassiveDnsReverse')]",
+ "playbookVersion7": "1.0",
+ "playbookContentId7": "MDTI-PassiveDnsReverse",
+ "_playbookContentId7": "[variables('playbookContentId7')]",
+ "playbookId7": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId7'))]",
+ "playbookTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId7'))))]",
+ "_playbookcontentProductId7": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId7'),'-', variables('playbookVersion7'))))]",
+ "MDTI-Trackers": "MDTI-Trackers",
+ "_MDTI-Trackers": "[variables('MDTI-Trackers')]",
+ "playbookVersion8": "1.0",
+ "playbookContentId8": "MDTI-Trackers",
+ "_playbookContentId8": "[variables('playbookContentId8')]",
+ "playbookId8": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId8'))]",
+ "playbookTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId8'))))]",
+ "_playbookcontentProductId8": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId8'),'-', variables('playbookVersion8'))))]",
"workbookVersion1": "1.0.0",
"workbookContentId1": "MicrosoftThreatIntelligenceWorkbook",
"workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]",
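Review bot: The new `blanks` variable at L64 is an opaque idiom — `[replace('b', 'b', '')]` evaluates to an empty string, presumably because an empty-string literal is not accepted as a variable value here — and nothing in the template says so. Give it a self-describing name and use it consistently; the only reference in this diff is the connection `displayName` at L159, which would become `"displayName": "[variables('emptyString')]"`. If this file is regenerated by a packaging step, the rename belongs in the generator rather than in the packaged output.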
@@ -96,7 +129,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "MDTI-Automated-Triage Playbook with template version 3.0.0",
+ "description": "MDTI-Automated-Triage Playbook with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion1')]",
@@ -648,7 +681,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "MDTI-Base Playbook with template version 3.0.0",
+ "description": "MDTI-Base Playbook with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion2')]",
@@ -882,13 +915,13 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "MDTI-Data-WebComponents Playbook with template version 3.0.0",
+ "description": "MDTI-Data-Cookies Playbook with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion3')]",
"parameters": {
"PlaybookName": {
- "defaultValue": "MDTI-Data-WebComponents",
+ "defaultValue": "MDTI-Data-Cookies",
"type": "String"
}
},
@@ -909,7 +942,9 @@
"properties": {
"api": {
"id": "[[variables('_connection-1')]"
- }
+ },
+ "parameterValueType": "Alternative",
+ "displayName": "[variables('blanks')]"
}
},
{
@@ -922,6 +957,9 @@
"Source": "MDTI",
"hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
},
+ "identity": {
+ "type": "SystemAssigned"
+ },
"dependsOn": [
"[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]"
],
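Review bot: The Logic App now carries a system-assigned identity (L167-L169) and its azuresentinel connection authenticates with `ManagedServiceIdentity` (L760-L764), but no role assignment granting that identity rights on the workspace is visible in these hunks, and the postDeployment text at L782 still says to "authorize the connections". With managed-identity authentication the connection is not authorized by a consent click; the identity needs a Sentinel role on the workspace (Microsoft Sentinel Responder is sufficient for posting incident comments). If the template does not include a roleAssignment resource, the postDeployment steps should state the grant explicitly, e.g. `"Assign the playbook's system-assigned managed identity the Microsoft Sentinel Responder role on the workspace."`. The Logic App resource continues outside this hunk.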
@@ -991,9 +1029,9 @@
"For_each_Host": {
"foreach": "@body('Entities_-_Get_Hosts')?['Hosts']",
"actions": {
- "Add_comment_to_incident_(V3)": {
+ "Add_comment_to_incident_(V3)_4": {
"runAfter": {
- "Create_Host_HTML_table": [
+ "Condition": [
"Succeeded"
]
},
@@ -1001,7 +1039,7 @@
"inputs": {
"body": {
"incidentArmId": "@triggerBody()?['object']?['id']",
- "message": "
MDTI Web Components for Indicator : @{items('For_each_Host')?['HostName']}.@{items('For_each_Host')?['DnsDomain']}
\n@{body('Create_Host_HTML_table')}
"
+ "message": "MDTI Cookies for Indicator: @{items('For_each_host')?['HostName']}.@{items('For_each_host')?['DnsDomain']}
\n@{variables('Domain_comment')}
"
},
"host": {
"connection": {
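Review bot: The comment body at L193 references the loop as `items('For_each_host')` while the loop itself is named `For_each_Host` (L174) and the HTTP action at L291 uses `items('For_each_Host')`. Even if the runtime resolves action names case-insensitively, the mismatch is fragile and misleads anyone searching the definition; change the two references to `@{items('For_each_Host')?['HostName']}.@{items('For_each_Host')?['DnsDomain']}`. The enclosing comment action starts before this hunk.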
@@ -1012,42 +1050,57 @@
"path": "/Incidents/Comment"
}
},
- "Create_Host_HTML_table": {
+ "Condition": {
+ "actions": {
+ "Create_Cookies_HtmlTable": {
+ "type": "Table",
+ "inputs": {
+ "format": "HTML",
+ "from": "@variables('result_output_host')"
+ }
+ },
+ "Set_domain_comment": {
+ "runAfter": {
+ "Create_Cookies_HtmlTable": [
+ "Succeeded"
+ ]
+ },
+ "type": "SetVariable",
+ "inputs": {
+ "name": "Domain_comment",
+ "value": "@body('Create_Cookies_HtmlTable')"
+ }
+ }
+ },
"runAfter": {
- "For_each_host_component": [
+ "For_each": [
"Succeeded"
]
},
- "type": "Table",
- "inputs": {
- "format": "HTML",
- "from": "@variables('result_output_host')"
- }
- },
- "For_each_host_component": {
- "foreach": "@body('Parse_host_components')",
- "actions": {
- "Append_to_array_variable": {
- "type": "AppendToArrayVariable",
- "inputs": {
- "name": "result_output_host",
- "value": {
- "Category": "@items('For_each_host_component')['category']",
- "LastSeenDateTime": "@items('For_each_host_component')['lastSeenDateTime']",
- "Name": "@items('For_each_host_component')['name']",
- "Version": "@items('For_each_host_component')['version']"
+ "else": {
+ "actions": {
+ "Set_domain_comment_empty": {
+ "type": "SetVariable",
+ "inputs": {
+ "name": "Domain_comment",
+ "value": "No results found."
}
}
}
},
- "runAfter": {
- "Set_Result_Host": [
- "Succeeded"
+ "expression": {
+ "and": [
+ {
+ "greater": [
+ "@length(variables('result_output_host'))",
+ 0
+ ]
+ }
]
},
- "type": "Foreach"
+ "type": "If"
},
- "Get_components_for_host": {
+ "Cookies_by_Hostname": {
"type": "Http",
"inputs": {
"authentication": {
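Review bot: The Condition at L204-L275 and the For_each at L295-L317 read and append the workflow-level variable `result_output_host` from inside `For_each_Host`, whose iterations run concurrently by default; the only loop this commit serialises is in the WebComponents playbook at L963-L968, and I cannot see a matching `runtimeConfiguration` on this playbook's `For_each_Host` (its closing lines are outside the hunk). If it is absent, concurrent iterations interleave appends and resets, so one host's comment can carry another host's cookies. Add `"runtimeConfiguration": { "concurrency": { "repetitions": 1 } }` to this loop as well; the same applies to `Condition_2`/`For_each_2` at L458-L571, which share `result_output_ip` under `For_each_IP_Address`.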
@@ -1061,70 +1114,96 @@
"Content-Type": "application/json"
},
"method": "GET",
- "queries": {
- "$count": "true",
- "$top": "25"
- },
- "uri": "https://@{body('MDTI-Base')?['MDTI-BaseUrl']}/@{body('MDTI-Base')?['Api-Version']}/security/threatIntelligence/hosts('@{items('For_each_Host')?['HostName']}.@{items('For_each_Host')?['DnsDomain']}')/components"
+ "uri": "https://@{body('MDTI-Base')?['MDTI-BaseUrl']}/@{body('MDTI-Base')?['Api-Version']}/security/threatIntelligence/hosts('@{items('For_each_Host')?['HostName']}.@{items('For_each_Host')?['DnsDomain']}')/cookies?$count=true"
}
},
- "Parse_host_components": {
+ "For_each": {
+ "foreach": "@body('Parse_results_from_Get_request_for_Cookies')?['value']",
+ "actions": {
+ "Append_to_array_variable": {
+ "type": "AppendToArrayVariable",
+ "inputs": {
+ "name": "result_output_host",
+ "value": {
+ "First": "@{items('For_each')?['firstSeenDateTime']}",
+ "Last": "@{items('For_each')?['lastSeenDateTime']}",
+ "Name": "@{items('For_each')?['name']}",
+ "domain": "@{items('For_each')?['domain']}"
+ }
+ }
+ }
+ },
"runAfter": {
- "Get_components_for_host": [
+ "Parse_results_from_Get_request_for_Cookies": [
+ "Succeeded"
+ ]
+ },
+ "type": "Foreach"
+ },
+ "Parse_results_from_Get_request_for_Cookies": {
+ "runAfter": {
+ "Cookies_by_Hostname": [
"Succeeded"
]
},
"type": "ParseJson",
"inputs": {
- "content": "@body('Get_components_for_host')?['value']",
+ "content": "@body('Cookies_by_Hostname')",
"schema": {
- "items": {
- "properties": {
- "category": {
- "type": "string"
- },
- "firstSeenDateTime": {
- "type": "string"
- },
- "host": {
+ "properties": {
+ "@@odata.context": {
+ "type": "string"
+ },
+ "@@odata.count": {
+ "type": "integer"
+ },
+ "value": {
+ "items": {
"properties": {
+ "domain": {
+ "type": "string"
+ },
+ "firstSeenDateTime": {
+ "type": "string"
+ },
+ "host": {
+ "properties": {
+ "id": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
"id": {
"type": "string"
+ },
+ "lastSeenDateTime": {
+ "type": "string"
+ },
+ "name": {
+ "type": "string"
}
},
+ "required": [
+ "id",
+ "firstSeenDateTime",
+ "lastSeenDateTime",
+ "domain",
+ "name",
+ "host"
+ ],
"type": "object"
},
- "id": {
- "type": "string"
- },
- "lastSeenDateTime": {
- "type": "string"
- },
- "name": {
- "type": "string"
- },
- "version": {
- "type": "string"
- }
- },
- "required": [
- "id",
- "firstSeenDateTime",
- "lastSeenDateTime",
- "name",
- "version",
- "category",
- "host"
- ],
- "type": "object"
+ "type": "array"
+ }
},
- "type": "array"
+ "type": "object"
}
}
},
- "Set_Result_Host": {
+ "Set_variable": {
"runAfter": {
- "Parse_host_components": [
+ "Add_comment_to_incident_(V3)_4": [
"Succeeded"
]
},
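Review bot: The request at L291 drops the `queries` object and with it `$top`, so the cookies call is no longer capped at 25 results while the WebComponents call at L884-L888 keeps the cap; the For_each at L295 then appends every returned item into an HTML table that is posted as an incident comment, so a host with many observed cookies yields an unbounded comment and a long-running loop. Restore the cap, e.g. `"queries": { "$count": "true", "$top": "25" }` next to the URI, and apply the same to the IP request at L545. Separately, the `required` list at L373-L380 makes ParseJson fail the whole run whenever the API omits any of those fields; consider requiring only what the loop reads (`firstSeenDateTime`, `lastSeenDateTime`, `name`, `domain`), here and in the twin schema at L627-L634.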
@@ -1136,7 +1215,7 @@
}
},
"runAfter": {
- "Init_Result_Host": [
+ "intialize_domain_comment": [
"Succeeded"
]
},
@@ -1152,7 +1231,7 @@
"actions": {
"Add_comment_to_incident_(V3)_2": {
"runAfter": {
- "Create_IP_HTML_table": [
+ "Condition_2": [
"Succeeded"
]
},
@@ -1160,7 +1239,7 @@
"inputs": {
"body": {
"incidentArmId": "@triggerBody()?['object']?['id']",
- "message": "MDTI Web Components for Indicator: @{items('For_each_IP_Address')?['Address']}
\n@{body('Create_IP_HTML_table')}
"
+ "message": "MDTI Cookies for Indicator: @{items('For_each_IP_Address')?['Address']}
\n@{variables('IPcomment')}
"
},
"host": {
"connection": {
@@ -1171,42 +1250,57 @@
"path": "/Incidents/Comment"
}
},
- "Create_IP_HTML_table": {
+ "Condition_2": {
+ "actions": {
+ "Cookies_for_IP_address_Results_HTML_Table": {
+ "type": "Table",
+ "inputs": {
+ "format": "HTML",
+ "from": "@variables('result_output_ip')"
+ }
+ },
+ "Set_variable_2": {
+ "runAfter": {
+ "Cookies_for_IP_address_Results_HTML_Table": [
+ "Succeeded"
+ ]
+ },
+ "type": "SetVariable",
+ "inputs": {
+ "name": "IPcomment",
+ "value": "@body('Cookies_for_IP_address_Results_HTML_Table')"
+ }
+ }
+ },
"runAfter": {
- "For_each_component": [
+ "For_each_2": [
"Succeeded"
]
},
- "type": "Table",
- "inputs": {
- "format": "HTML",
- "from": "@variables('result_output_ip')"
- }
- },
- "For_each_component": {
- "foreach": "@body('Parse_components')",
- "actions": {
- "Append_to_Result_IP": {
- "type": "AppendToArrayVariable",
- "inputs": {
- "name": "result_output_ip",
- "value": {
- "Category": "@items('For_each_component')?['category']",
- "LastSeenDateTime": "@items('For_each_component')?['lastSeenDateTime']",
- "Name": "@items('For_each_component')?['name']",
- "Version": "@items('For_each_component')?['version']"
+ "else": {
+ "actions": {
+ "Set_variable_3": {
+ "type": "SetVariable",
+ "inputs": {
+ "name": "IPcomment",
+ "value": "No results found."
}
}
}
},
- "runAfter": {
- "Set_Result_IP": [
- "Succeeded"
+ "expression": {
+ "and": [
+ {
+ "greater": [
+ "@length(variables('result_output_ip'))",
+ 0
+ ]
+ }
]
},
- "type": "Foreach"
+ "type": "If"
},
- "Get_components": {
+ "Cookies_by_IP_Address": {
"type": "Http",
"inputs": {
"authentication": {
@@ -1220,70 +1314,96 @@
"Content-Type": "application/json"
},
"method": "GET",
- "queries": {
- "$count": "true",
- "$top": "25"
- },
- "uri": "https://@{body('MDTI-Base')?['MDTI-BaseUrl']}/@{body('MDTI-Base')?['Api-Version']}/security/threatIntelligence/hosts('@{items('For_each_IP_Address')?['Address']}')/components"
+ "uri": "https://@{body('MDTI-Base')?['MDTI-BaseUrl']}/@{body('MDTI-Base')?['Api-Version']}/security/threatIntelligence/hosts('@{items('For_each_IP_Address')?['Address']}')/cookies?$count=true"
}
},
- "Parse_components": {
+ "For_each_2": {
+ "foreach": "@body('Parse_results_from_Get_request_for_Cookies_')?['value']",
+ "actions": {
+ "Append_to_array_variable_2": {
+ "type": "AppendToArrayVariable",
+ "inputs": {
+ "name": "result_output_ip",
+ "value": {
+ "First": "@{items('For_each_2')?['firstSeenDateTime']}",
+ "Last": "@{items('For_each_2')?['lastSeenDateTime']}",
+ "Name": "@{items('For_each_2')?['name']}",
+ "domain": "@{items('For_each_2')?['domain']}"
+ }
+ }
+ }
+ },
"runAfter": {
- "Get_components": [
+ "Parse_results_from_Get_request_for_Cookies_": [
+ "Succeeded"
+ ]
+ },
+ "type": "Foreach"
+ },
+ "Parse_results_from_Get_request_for_Cookies_": {
+ "runAfter": {
+ "Cookies_by_IP_Address": [
"Succeeded"
]
},
"type": "ParseJson",
"inputs": {
- "content": "@body('Get_components')?['value']",
+ "content": "@body('Cookies_by_IP_Address')",
"schema": {
- "items": {
- "properties": {
- "category": {
- "type": "string"
- },
- "firstSeenDateTime": {
- "type": "string"
- },
- "host": {
+ "properties": {
+ "@@odata.context": {
+ "type": "string"
+ },
+ "@@odata.count": {
+ "type": "integer"
+ },
+ "value": {
+ "items": {
"properties": {
+ "domain": {
+ "type": "string"
+ },
+ "firstSeenDateTime": {
+ "type": "string"
+ },
+ "host": {
+ "properties": {
+ "id": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
"id": {
"type": "string"
+ },
+ "lastSeenDateTime": {
+ "type": "string"
+ },
+ "name": {
+ "type": "string"
}
},
+ "required": [
+ "id",
+ "firstSeenDateTime",
+ "lastSeenDateTime",
+ "domain",
+ "name",
+ "host"
+ ],
"type": "object"
},
- "id": {
- "type": "string"
- },
- "lastSeenDateTime": {
- "type": "string"
- },
- "name": {
- "type": "string"
- },
- "version": {
- "type": "string"
- }
- },
- "required": [
- "id",
- "firstSeenDateTime",
- "lastSeenDateTime",
- "name",
- "version",
- "category",
- "host"
- ],
- "type": "object"
+ "type": "array"
+ }
},
- "type": "array"
+ "type": "object"
}
}
},
- "Set_Result_IP": {
+ "Reset_IP_variable": {
"runAfter": {
- "Parse_components": [
+ "Add_comment_to_incident_(V3)_2": [
"Succeeded"
]
},
@@ -1295,7 +1415,7 @@
}
},
"runAfter": {
- "Init_Result_IP": [
+ "Initializa_IP_Comment": [
"Succeeded"
]
},
@@ -1317,8 +1437,7 @@
"variables": [
{
"name": "result_output_host",
- "type": "array",
- "value": "[variables('TemplateEmptyArray')]"
+ "type": "array"
}
]
}
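Review bot: Removing `"value": "[variables('TemplateEmptyArray')]"` at L689-L691 (and L699-L701) leaves `result_output_host` initialised without a value, i.e. null, until the first append, yet the new Condition evaluates `length(variables('result_output_host'))` (L268) and the loop calls AppendToArrayVariable on it. If the runtime rejects `length()` of a null value — I believe it does — a host with no cookies, where the For_each runs zero times, fails the run instead of posting "No results found.". Initialise both variables with an explicit empty array, `"value": []`, or keep the previous `TemplateEmptyArray` reference if that variable still exists in this template.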
@@ -1334,22 +1453,53 @@
"variables": [
{
"name": "result_output_ip",
- "type": "array",
- "value": "[variables('TemplateEmptyArray')]"
+ "type": "array"
}
]
}
},
- "MDTI-Base": {
- "type": "Workflow",
+ "Initializa_IP_Comment": {
+ "runAfter": {
+ "Init_Result_IP": [
+ "Succeeded"
+ ]
+ },
+ "type": "InitializeVariable",
"inputs": {
- "host": {
+ "variables": [
+ {
+ "name": "IPcomment",
+ "type": "string"
+ }
+ ]
+ }
+ },
+ "MDTI-Base": {
+ "type": "Workflow",
+ "inputs": {
+ "host": {
"triggerName": "manual",
"workflow": {
"id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Logic/workflows/MDTI-Base')]"
}
}
}
+ },
+ "intialize_domain_comment": {
+ "runAfter": {
+ "Init_Result_Host": [
+ "Succeeded"
+ ]
+ },
+ "type": "InitializeVariable",
+ "inputs": {
+ "variables": [
+ {
+ "name": "Domain_comment",
+ "type": "string"
+ }
+ ]
+ }
}
}
},
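Review bot: The two new InitializeVariable actions are named `Initializa_IP_Comment` (L708) and `intialize_domain_comment` (L736), both misspelled, and the names are repeated as `runAfter` keys at L681 and L427. Action names are identifiers referenced across the definition, so fix them once and consistently, e.g. `Initialize_IP_Comment` and `Initialize_domain_comment`, updating the two runAfter references with them.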
@@ -1359,7 +1509,12 @@
"azuresentinel": {
"connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
"connectionName": "[[variables('AzureSentinelConnectionName')]",
- "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]"
+ "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
+ "connectionProperties": {
+ "authentication": {
+ "type": "ManagedServiceIdentity"
+ }
+ }
}
}
}
@@ -1395,12 +1550,12 @@
],
"metadata": {
"comments": "Perform automated enrichment on the Microsoft Sentinel Incidents based on MDTI Internet data.",
- "title": "MDTI-Data-WebComponents",
- "description": "This playbook uses the MDTI Components data to automatically enrich incidents generated by Microsoft Sentinel. Leverage this playbook in order to enrich your incidents with [Webcomponents](https://learn.microsoft.com/en-us/defender/threat-intelligence/data-sets#components) data hosted by the indicators found within the incident. These components allow a user to understand the makeup of a webpage or the technology and services driving a specific piece of infrastructure. Pivoting on unique components can find actors' infrastructure or other sites that are compromised. Users can also understand if a website might be vulnerable to a specific attack or compromise based on the technologies that it is running.",
+ "title": "MDTI-Data-Cookies",
+ "description": "This playbook uses the MDTI Components data to automatically enrich incidents generated by Microsoft Sentinel. Leverage this playbook in order to enrich your incidents with [Cookies](https://learn.microsoft.com/en-us/defender/threat-intelligence/data-sets#cookies) data hosted by the indicators found within the incident. These values sometimes contain a state for the application or little bits of tracking data. Defender TI highlights and indexes cookie names observed when crawling a website and allows users to dig into everywhere we have observed specific cookie names across its crawling and data collection.",
"prerequisites": [
"This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [MDTI-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Microsoft%20Defender%20Threat%20Intelligence/Playbooks/MDTI-Base/azuredeploy.json) prior to deploying this playbook. If you have trouble accessing your account or your credentials contact your account representative (mdtidiscussion[@]microsoft.com)."
],
- "lastUpdateTime": "2023-03-09T00:00:00Z",
+ "lastUpdateTime": "2023-04-24T00:00:00Z",
"postDeployment": [
"After deploying the playbook, you must authorize the connections leveraged.",
"1. Visit the playbook resource.",
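Review bot: The metadata description at L775 still opens with "This playbook uses the MDTI Components data", carried over from the WebComponents playbook, which now contradicts the title `MDTI-Data-Cookies` and the rest of the same sentence. Change the first clause to `"This playbook uses the MDTI Cookies data to automatically enrich incidents generated by Microsoft Sentinel."`. The generic comments line at L771 can stay as is.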
@@ -1410,10 +1565,10 @@
],
"releaseNotes": [
{
- "version": "1.0.0",
- "title": "MDTI Data WebComponents",
+ "version": "1.0.1",
+ "title": "MDTI Data Cookies",
"notes": [
- "Initial version"
+ "Updated version with Secure Inputs for HTTP REST and Secure Output for MDTI-Base actions"
]
}
]
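Review bot: The release notes at L790 declare the Cookies playbook as version `1.0.1`, but `playbookVersion3` at L65 stays `"1.0"`, and that value feeds `contentVersion` (L144), `version` (L806) and the `uniqueString` in `_playbookcontentProductId3` (L71). The two should agree; if the playbook is 1.0.1, set `"playbookVersion3": "1.0.1"` so the content product id and template spec version change with it. The previous WebComponents entry at L788-L789 showed the same `1.0.0` vs `1.0` drift, so this appears inherited rather than new, but the new note at L794 describes a real change that the unchanged version does not reflect.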
@@ -1426,7 +1581,7 @@
"contentSchemaVersion": "3.0.0",
"contentId": "[variables('_playbookContentId3')]",
"contentKind": "Playbook",
- "displayName": "MDTI-Data-WebComponents",
+ "displayName": "MDTI-Data-Cookies",
"contentProductId": "[variables('_playbookcontentProductId3')]",
"id": "[variables('_playbookcontentProductId3')]",
"version": "[variables('playbookVersion3')]"
@@ -1441,13 +1596,13 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "MDTI-Intel-Reputation Playbook with template version 3.0.0",
+ "description": "MDTI-Data-WebComponents Playbook with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion4')]",
"parameters": {
"PlaybookName": {
- "defaultValue": "MDTI-Intel-Reputation",
+ "defaultValue": "MDTI-Data-WebComponents",
"type": "String"
}
},
@@ -1560,7 +1715,7 @@
"inputs": {
"body": {
"incidentArmId": "@triggerBody()?['object']?['id']",
- "message": "MDTI Reputation: @{items('For_each_Host')?['HostName']}.@{items('For_each_Host')?['DnsDomain']}
\nClassification: @{body('Get_reputation_for_host')?['classification']} (@{body('Get_reputation_for_host')?['score']})
\n@{body('Create_Host_HTML_table')}
"
+ "message": "MDTI Web Components for Indicator : @{items('For_each_Host')?['HostName']}.@{items('For_each_Host')?['DnsDomain']}
\n@{body('Create_Host_HTML_table')}
"
},
"host": {
"connection": {
@@ -1573,7 +1728,7 @@
},
"Create_Host_HTML_table": {
"runAfter": {
- "Set_host_variable": [
+ "For_each_host_component": [
"Succeeded"
]
},
@@ -1583,7 +1738,30 @@
"from": "@variables('result_output_host')"
}
},
- "Get_reputation_for_host": {
+ "For_each_host_component": {
+ "foreach": "@body('Parse_host_components')",
+ "actions": {
+ "Append_to_array_variable": {
+ "type": "AppendToArrayVariable",
+ "inputs": {
+ "name": "result_output_host",
+ "value": {
+ "Category": "@items('For_each_host_component')['category']",
+ "LastSeenDateTime": "@items('For_each_host_component')['lastSeenDateTime']",
+ "Name": "@items('For_each_host_component')['name']",
+ "Version": "@items('For_each_host_component')['version']"
+ }
+ }
+ }
+ },
+ "runAfter": {
+ "Set_Result_Host": [
+ "Succeeded"
+ ]
+ },
+ "type": "Foreach"
+ },
+ "Get_components_for_host": {
"type": "Http",
"inputs": {
"authentication": {
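Review bot: The host-side append at L859-L862 indexes items with `items('For_each_host_component')['category']`, while the IP-side twin at L1008-L1011 uses the null-safe `?['category']`; both are moved rather than new lines, but the inconsistency survives the new layout. The `required` list at L935-L943 already rejects records missing those fields, so the difference is one of style, but the two loops should read the same way; use the `?[...]` form on the host side too, e.g. `"Category": "@items('For_each_host_component')?['category']",` and likewise for the three lines that follow. The enclosing `For_each_Host` begins before this hunk.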
@@ -1597,25 +1775,70 @@
"Content-Type": "application/json"
},
"method": "GET",
- "path": "/reputation",
- "uri": "https://@{body('MDTI-Base')?['MDTI-BaseUrl']}/@{body('MDTI-Base')?['Api-Version']}/security/threatIntelligence/hosts('@{items('For_each_Host')?['HostName']}.@{items('For_each_Host')?['DnsDomain']}')/reputation"
+ "queries": {
+ "$count": "true",
+ "$top": "25"
+ },
+ "uri": "https://@{body('MDTI-Base')?['MDTI-BaseUrl']}/@{body('MDTI-Base')?['Api-Version']}/security/threatIntelligence/hosts('@{items('For_each_Host')?['HostName']}.@{items('For_each_Host')?['DnsDomain']}')/components"
}
},
- "Set_host_variable": {
+ "Parse_host_components": {
"runAfter": {
- "Get_reputation_for_host": [
+ "Get_components_for_host": [
"Succeeded"
]
},
- "type": "SetVariable",
+ "type": "ParseJson",
"inputs": {
- "name": "result_output_host",
- "value": "@body('Get_reputation_for_host')?['rules']"
+ "content": "@body('Get_components_for_host')?['value']",
+ "schema": {
+ "items": {
+ "properties": {
+ "category": {
+ "type": "string"
+ },
+ "firstSeenDateTime": {
+ "type": "string"
+ },
+ "host": {
+ "properties": {
+ "id": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "id": {
+ "type": "string"
+ },
+ "lastSeenDateTime": {
+ "type": "string"
+ },
+ "name": {
+ "type": "string"
+ },
+ "version": {
+ "type": "string"
+ }
+ },
+ "required": [
+ "id",
+ "firstSeenDateTime",
+ "lastSeenDateTime",
+ "name",
+ "version",
+ "category",
+ "host"
+ ],
+ "type": "object"
+ },
+ "type": "array"
+ }
}
},
- "Reset_host_variable": {
+ "Set_Result_Host": {
"runAfter": {
- "Add_comment_to_incident_(V3)": [
+ "Parse_host_components": [
"Succeeded"
]
},
@@ -1631,7 +1854,12 @@
"Succeeded"
]
},
- "type": "Foreach"
+ "type": "Foreach",
+ "runtimeConfiguration": {
+ "concurrency": {
+ "repetitions": 1
+ }
+ }
},
"For_each_IP_Address": {
"foreach": "@body('Entities_-_Get_IPs')?['IPs']",
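Review bot: `For_each_Host` is now serialised with `concurrency.repetitions: 1` (L964-L968), which is right because its body appends to and resets the shared `result_output_host`, but `For_each_IP_Address` starting at L970 does the same with `result_output_ip` (L1006, L1017) and no matching setting is visible on it — its body runs past the hunk, so it may be set further down. If it is not, add the same `runtimeConfiguration` block to that loop; otherwise concurrent IP iterations can mix rows across incident comments.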
@@ -1646,7 +1874,7 @@
"inputs": {
"body": {
"incidentArmId": "@triggerBody()?['object']?['id']",
- "message": "MDTI Reputation: @{items('For_each_IP_Address')?['Address']}
\nClassification: @{body('Get_reputation')?['classification']} (@{body('Get_reputation')?['score']})
\n@{body('Create_IP_HTML_table')}
"
+ "message": "MDTI Web Components for Indicator: @{items('For_each_IP_Address')?['Address']}
\n@{body('Create_IP_HTML_table')}
"
},
"host": {
"connection": {
@@ -1659,7 +1887,7 @@
},
"Create_IP_HTML_table": {
"runAfter": {
- "Set_ip_variable": [
+ "For_each_component": [
"Succeeded"
]
},
@@ -1669,7 +1897,30 @@
"from": "@variables('result_output_ip')"
}
},
- "Get_reputation": {
+ "For_each_component": {
+ "foreach": "@body('Parse_components')",
+ "actions": {
+ "Append_to_Result_IP": {
+ "type": "AppendToArrayVariable",
+ "inputs": {
+ "name": "result_output_ip",
+ "value": {
+ "Category": "@items('For_each_component')?['category']",
+ "LastSeenDateTime": "@items('For_each_component')?['lastSeenDateTime']",
+ "Name": "@items('For_each_component')?['name']",
+ "Version": "@items('For_each_component')?['version']"
+ }
+ }
+ }
+ },
+ "runAfter": {
+ "Set_Result_IP": [
+ "Succeeded"
+ ]
+ },
+ "type": "Foreach"
+ },
+ "Get_components": {
"type": "Http",
"inputs": {
"authentication": {
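Review bot: The new `For_each_component` loop appends to the shared array `result_output_ip` via `Append_to_Result_IP` but has no `runtimeConfiguration`, so it runs with the default parallel Foreach concurrency, while the enclosing `For_each_IP_Address` is deliberately made sequential elsewhere in this commit (hunk at +2013). Parallel appends to one variable give a nondeterministic row order in `Create_IP_HTML_table`, and the Logic Apps guidance for variables inside loops is to run the loop sequentially. Add the same setting here: `"type": "Foreach", "runtimeConfiguration": {"concurrency": {"repetitions": 1}}`. The same applies to the host-side equivalent if one exists in the first hunk of this file, whose start is outside this view. `Get_components` continues past the end of this hunk.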
@@ -1683,25 +1934,70 @@
"Content-Type": "application/json"
},
"method": "GET",
- "path": "/reputation",
- "uri": "https://@{body('MDTI-Base')?['MDTI-BaseUrl']}/@{body('MDTI-Base')?['Api-Version']}/security/threatIntelligence/hosts('@{items('For_each_IP_Address')?['Address']}')/reputation"
+ "queries": {
+ "$count": "true",
+ "$top": "25"
+ },
+ "uri": "https://@{body('MDTI-Base')?['MDTI-BaseUrl']}/@{body('MDTI-Base')?['Api-Version']}/security/threatIntelligence/hosts('@{items('For_each_IP_Address')?['Address']}')/components"
}
},
- "Set_ip_variable": {
+ "Parse_components": {
"runAfter": {
- "Get_reputation": [
+ "Get_components": [
"Succeeded"
]
},
- "type": "SetVariable",
+ "type": "ParseJson",
"inputs": {
- "name": "result_output_ip",
- "value": "@body('Get_reputation')?['rules']"
+ "content": "@body('Get_components')?['value']",
+ "schema": {
+ "items": {
+ "properties": {
+ "category": {
+ "type": "string"
+ },
+ "firstSeenDateTime": {
+ "type": "string"
+ },
+ "host": {
+ "properties": {
+ "id": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "id": {
+ "type": "string"
+ },
+ "lastSeenDateTime": {
+ "type": "string"
+ },
+ "name": {
+ "type": "string"
+ },
+ "version": {
+ "type": "string"
+ }
+ },
+ "required": [
+ "id",
+ "firstSeenDateTime",
+ "lastSeenDateTime",
+ "name",
+ "version",
+ "category",
+ "host"
+ ],
+ "type": "object"
+ },
+ "type": "array"
+ }
}
},
- "Reset_IP_variable": {
+ "Set_Result_IP": {
"runAfter": {
- "Add_comment_to_incident_(V3)_2": [
+ "Parse_components": [
"Succeeded"
]
},
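Review bot: `Get_components` now requests `$top: "25"` with `$count: "true"`, but `Parse_components` only consumes `?['value']`, so the `@odata.count` the request asks for is discarded and the incident comment cannot tell the analyst that a host with more than 25 components was truncated. Either surface the count in the `Add_comment_to_incident_(V3)_2` message (for example by parsing the full body and appending `@{body('Get_components')?['@odata.count']} total` to the heading) or drop `$count` if it will never be read. Separately, the schema's `required` list names every property including `version` and `category`; if the API can omit or return null for any of them on a real component, `Parse_components` fails and the whole iteration produces no comment, so consider trimming `required` to the fields the loop actually indexes, or hedging with `"type": ["string", "null"]`. Whether such nulls occur is not visible from this hunk and is worth confirming against the API contract.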
@@ -1717,7 +2013,12 @@
"Succeeded"
]
},
- "type": "Foreach"
+ "type": "Foreach",
+ "runtimeConfiguration": {
+ "concurrency": {
+ "repetitions": 1
+ }
+ }
},
"Init_Result_Host": {
"runAfter": {
@@ -1807,9 +2108,9 @@
}
],
"metadata": {
- "comments": "Perform automated enrichment on the Microsoft Sentinel Incidents based on MDTI Reputation data.",
- "title": "MDTI-Intel-Reputation",
- "description": "This playbook uses the MDTI API to automatically enrich incidents generated by Microsoft Sentinel. Reputation information provides analyst with a decision as to whether an indicator is considered benign, suspicious or malicious. Analysts can leverage this playbook in order to enrich indicators found within an incident. Each reputation result is contained within a comment and will include detailed scoring information noting why a given indicator is considered suspicious or malicious with links back to the MDTI platform for more information.",
+ "comments": "Perform automated enrichment on the Microsoft Sentinel Incidents based on MDTI Internet data.",
+ "title": "MDTI-Data-WebComponents",
+ "description": "This playbook uses the MDTI Components data to automatically enrich incidents generated by Microsoft Sentinel. Leverage this playbook in order to enrich your incidents with [Webcomponents](https://learn.microsoft.com/en-us/defender/threat-intelligence/data-sets#components) data hosted by the indicators found within the incident. These components allow a user to understand the makeup of a webpage or the technology and services driving a specific piece of infrastructure. Pivoting on unique components can find actors' infrastructure or other sites that are compromised. Users can also understand if a website might be vulnerable to a specific attack or compromise based on the technologies that it is running.",
"prerequisites": [
"This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [MDTI-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Microsoft%20Defender%20Threat%20Intelligence/Playbooks/MDTI-Base/azuredeploy.json) prior to deploying this playbook. If you have trouble accessing your account or your credentials contact your account representative (mdtidiscussion[@]microsoft.com)."
],
@@ -1824,7 +2125,7 @@
"releaseNotes": [
{
"version": "1.0.0",
- "title": "MDTI Intel Reputation",
+ "title": "MDTI Data WebComponents",
"notes": [
"Initial version"
]
@@ -1839,7 +2140,7 @@
"contentSchemaVersion": "3.0.0",
"contentId": "[variables('_playbookContentId4')]",
"contentKind": "Playbook",
- "displayName": "MDTI-Intel-Reputation",
+ "displayName": "MDTI-Data-WebComponents",
"contentProductId": "[variables('_playbookcontentProductId4')]",
"id": "[variables('_playbookcontentProductId4')]",
"version": "[variables('playbookVersion4')]"
@@ -1848,27 +2149,2502 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('workbookTemplateSpecName1')]",
+ "name": "[variables('playbookTemplateSpecName5')]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "MicrosoftThreatIntelligenceWorkbook Workbook with template version 3.0.0",
+ "description": "MDTI-Intel-Reputation Playbook with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('workbookVersion1')]",
- "parameters": {},
- "variables": {},
- "resources": [
- {
- "type": "Microsoft.Insights/workbooks",
- "name": "[variables('workbookContentId1')]",
- "location": "[parameters('workspace-location')]",
- "kind": "shared",
- "apiVersion": "2021-08-01",
- "metadata": {
- "description": "Gain insights into threat indicators ingestion and search for indicators at scale across Microsoft 1st Party, 3rd Party, On-Premises, Hybrid, and Multi-Cloud Workloads. Indicators Search facilitates a simple interface for finding IP, File, Hash, Sender and more across your data. Seamless pivots to correlate indicators with Microsoft Sentinel: Incidents to make your threat intelligence actionable."
+ "contentVersion": "[variables('playbookVersion5')]",
+ "parameters": {
+ "PlaybookName": {
+ "defaultValue": "MDTI-Intel-Reputation",
+ "type": "String"
+ }
+ },
+ "variables": {
+ "AzureSentinelConnectionName": "[[concat('azuresentinel-', parameters('PlaybookName'))]",
+ "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
+ "_connection-1": "[[variables('connection-1')]",
+ "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
+ "workspace-name": "[parameters('workspace')]",
+ "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[[variables('AzureSentinelConnectionName')]",
+ "location": "[[variables('workspace-location-inline')]",
+ "properties": {
+ "api": {
+ "id": "[[variables('_connection-1')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Logic/workflows",
+ "apiVersion": "2017-07-01",
+ "name": "[[parameters('PlaybookName')]",
+ "location": "[[variables('workspace-location-inline')]",
+ "tags": {
+ "LogicAppsCategory": "security",
+ "Source": "MDTI",
+ "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
+ },
+ "dependsOn": [
+ "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]"
+ ],
+ "properties": {
+ "state": "Enabled",
+ "definition": {
+ "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "$connections": {
+ "type": "Object"
+ }
+ },
+ "triggers": {
+ "When_Azure_Sentinel_incident_creation_rule_was_triggered": {
+ "type": "ApiConnectionWebhook",
+ "inputs": {
+ "body": {
+ "callback_url": "@{listCallbackUrl()}"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "path": "/incident-creation"
+ }
+ }
+ },
+ "actions": {
+ "Entities_-_Get_Hosts": {
+ "runAfter": {
+ "MDTI-Base": [
+ "Succeeded"
+ ]
+ },
+ "type": "ApiConnection",
+ "inputs": {
+ "body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/entities/host"
+ }
+ },
+ "Entities_-_Get_IPs": {
+ "runAfter": {
+ "MDTI-Base": [
+ "Succeeded"
+ ]
+ },
+ "type": "ApiConnection",
+ "inputs": {
+ "body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/entities/ip"
+ }
+ },
+ "For_each_Host": {
+ "foreach": "@body('Entities_-_Get_Hosts')?['Hosts']",
+ "actions": {
+ "Add_comment_to_incident_(V3)": {
+ "runAfter": {
+ "Create_Host_HTML_table": [
+ "Succeeded"
+ ]
+ },
+ "type": "ApiConnection",
+ "inputs": {
+ "body": {
+ "incidentArmId": "@triggerBody()?['object']?['id']",
+ "message": "MDTI Reputation: @{items('For_each_Host')?['HostName']}.@{items('For_each_Host')?['DnsDomain']}
\nClassification: @{body('Get_reputation_for_host')?['classification']} (@{body('Get_reputation_for_host')?['score']})
\n@{body('Create_Host_HTML_table')}
"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/Incidents/Comment"
+ }
+ },
+ "Create_Host_HTML_table": {
+ "runAfter": {
+ "Set_host_variable": [
+ "Succeeded"
+ ]
+ },
+ "type": "Table",
+ "inputs": {
+ "format": "HTML",
+ "from": "@variables('result_output_host')"
+ }
+ },
+ "Get_reputation_for_host": {
+ "type": "Http",
+ "inputs": {
+ "authentication": {
+ "audience": "@body('MDTI-Base')?['resource']",
+ "clientId": "@body('MDTI-Base')?['clientId']",
+ "secret": "@body('MDTI-Base')?['clientSecret']",
+ "tenant": "@body('MDTI-Base')?['tenantId']",
+ "type": "ActiveDirectoryOAuth"
+ },
+ "headers": {
+ "Content-Type": "application/json"
+ },
+ "method": "GET",
+ "path": "/reputation",
+ "uri": "https://@{body('MDTI-Base')?['MDTI-BaseUrl']}/@{body('MDTI-Base')?['Api-Version']}/security/threatIntelligence/hosts('@{items('For_each_Host')?['HostName']}.@{items('For_each_Host')?['DnsDomain']}')/reputation"
+ }
+ },
+ "Set_host_variable": {
+ "runAfter": {
+ "Get_reputation_for_host": [
+ "Succeeded"
+ ]
+ },
+ "type": "SetVariable",
+ "inputs": {
+ "name": "result_output_host",
+ "value": "@body('Get_reputation_for_host')?['rules']"
+ }
+ },
+ "Reset_host_variable": {
+ "runAfter": {
+ "Add_comment_to_incident_(V3)": [
+ "Succeeded"
+ ]
+ },
+ "type": "SetVariable",
+ "inputs": {
+ "name": "result_output_host",
+ "value": "[variables('TemplateEmptyArray')]"
+ }
+ }
+ },
+ "runAfter": {
+ "Init_Result_Host": [
+ "Succeeded"
+ ]
+ },
+ "type": "Foreach"
+ },
+ "For_each_IP_Address": {
+ "foreach": "@body('Entities_-_Get_IPs')?['IPs']",
+ "actions": {
+ "Add_comment_to_incident_(V3)_2": {
+ "runAfter": {
+ "Create_IP_HTML_table": [
+ "Succeeded"
+ ]
+ },
+ "type": "ApiConnection",
+ "inputs": {
+ "body": {
+ "incidentArmId": "@triggerBody()?['object']?['id']",
+ "message": "MDTI Reputation: @{items('For_each_IP_Address')?['Address']}
\nClassification: @{body('Get_reputation')?['classification']} (@{body('Get_reputation')?['score']})
\n@{body('Create_IP_HTML_table')}
"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/Incidents/Comment"
+ }
+ },
+ "Create_IP_HTML_table": {
+ "runAfter": {
+ "Set_ip_variable": [
+ "Succeeded"
+ ]
+ },
+ "type": "Table",
+ "inputs": {
+ "format": "HTML",
+ "from": "@variables('result_output_ip')"
+ }
+ },
+ "Get_reputation": {
+ "type": "Http",
+ "inputs": {
+ "authentication": {
+ "audience": "@body('MDTI-Base')?['resource']",
+ "clientId": "@body('MDTI-Base')?['clientId']",
+ "secret": "@body('MDTI-Base')?['clientSecret']",
+ "tenant": "@body('MDTI-Base')?['tenantId']",
+ "type": "ActiveDirectoryOAuth"
+ },
+ "headers": {
+ "Content-Type": "application/json"
+ },
+ "method": "GET",
+ "path": "/reputation",
+ "uri": "https://@{body('MDTI-Base')?['MDTI-BaseUrl']}/@{body('MDTI-Base')?['Api-Version']}/security/threatIntelligence/hosts('@{items('For_each_IP_Address')?['Address']}')/reputation"
+ }
+ },
+ "Set_ip_variable": {
+ "runAfter": {
+ "Get_reputation": [
+ "Succeeded"
+ ]
+ },
+ "type": "SetVariable",
+ "inputs": {
+ "name": "result_output_ip",
+ "value": "@body('Get_reputation')?['rules']"
+ }
+ },
+ "Reset_IP_variable": {
+ "runAfter": {
+ "Add_comment_to_incident_(V3)_2": [
+ "Succeeded"
+ ]
+ },
+ "type": "SetVariable",
+ "inputs": {
+ "name": "result_output_ip",
+ "value": "[variables('TemplateEmptyArray')]"
+ }
+ }
+ },
+ "runAfter": {
+ "Init_Result_IP": [
+ "Succeeded"
+ ]
+ },
+ "type": "Foreach"
+ },
+ "Init_Result_Host": {
+ "runAfter": {
+ "Entities_-_Get_Hosts": [
+ "Succeeded"
+ ]
+ },
+ "type": "InitializeVariable",
+ "inputs": {
+ "variables": [
+ {
+ "name": "result_output_host",
+ "type": "array",
+ "value": "[variables('TemplateEmptyArray')]"
+ }
+ ]
+ }
+ },
+ "Init_Result_IP": {
+ "runAfter": {
+ "Entities_-_Get_IPs": [
+ "Succeeded"
+ ]
+ },
+ "type": "InitializeVariable",
+ "inputs": {
+ "variables": [
+ {
+ "name": "result_output_ip",
+ "type": "array",
+ "value": "[variables('TemplateEmptyArray')]"
+ }
+ ]
+ }
+ },
+ "MDTI-Base": {
+ "type": "Workflow",
+ "inputs": {
+ "host": {
+ "triggerName": "manual",
+ "workflow": {
+ "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Logic/workflows/MDTI-Base')]"
+ }
+ }
+ }
+ }
+ }
+ },
+ "parameters": {
+ "$connections": {
+ "value": {
+ "azuresentinel": {
+ "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
+ "connectionName": "[[variables('AzureSentinelConnectionName')]",
+ "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]"
+ }
+ }
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId5'),'/'))))]",
+ "properties": {
+ "parentId": "[variables('playbookId5')]",
+ "contentId": "[variables('_playbookContentId5')]",
+ "kind": "Playbook",
+ "version": "[variables('playbookVersion5')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Defender Threat Intelligence",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "tier": "Microsoft",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ }
+ ],
+ "metadata": {
+ "comments": "Perform automated enrichment on the Microsoft Sentinel Incidents based on MDTI Reputation data.",
+ "title": "MDTI-Intel-Reputation",
+ "description": "This playbook uses the MDTI API to automatically enrich incidents generated by Microsoft Sentinel. Reputation information provides analyst with a decision as to whether an indicator is considered benign, suspicious or malicious. Analysts can leverage this playbook in order to enrich indicators found within an incident. Each reputation result is contained within a comment and will include detailed scoring information noting why a given indicator is considered suspicious or malicious with links back to the MDTI platform for more information.",
+ "prerequisites": [
+ "This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [MDTI-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Microsoft%20Defender%20Threat%20Intelligence/Playbooks/MDTI-Base/azuredeploy.json) prior to deploying this playbook. If you have trouble accessing your account or your credentials contact your account representative (mdtidiscussion[@]microsoft.com)."
+ ],
+ "lastUpdateTime": "2023-03-09T00:00:00Z",
+ "postDeployment": [
+ "After deploying the playbook, you must authorize the connections leveraged.",
+ "1. Visit the playbook resource.",
+ "2. Under 'Development Tools' (located on the left), click 'API Connections'.",
+ "3. Ensure each connection has been authorized.",
+ "**Note: If you've deployed the [MDTI-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Microsoft%20Defender%20Threat%20Intelligence/Playbooks/MDTI-Base/azuredeploy.json) playbook, you will only need to authorize the Microsoft Sentinel connection.**"
+ ],
+ "releaseNotes": [
+ {
+ "version": "1.0.0",
+ "title": "MDTI Intel Reputation",
+ "notes": [
+ "Initial version"
+ ]
+ }
+ ]
+ }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_playbookContentId5')]",
+ "contentKind": "Playbook",
+ "displayName": "MDTI-Intel-Reputation",
+ "contentProductId": "[variables('_playbookcontentProductId5')]",
+ "id": "[variables('_playbookcontentProductId5')]",
+ "version": "[variables('playbookVersion5')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('playbookTemplateSpecName6')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "MDTI-Data-PassiveDns Playbook with template version 3.0.1",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('playbookVersion6')]",
+ "parameters": {
+ "PlaybookName": {
+ "defaultValue": "MDTI-Data-PassiveDns",
+ "type": "String"
+ }
+ },
+ "variables": {
+ "MicrosoftSentinelConnectionName": "[[concat('azuresentinel-', parameters('PlaybookName'))]",
+ "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
+ "_connection-1": "[[variables('connection-1')]",
+ "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
+ "workspace-name": "[parameters('workspace')]",
+ "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[[variables('MicrosoftSentinelConnectionName')]",
+ "location": "[[variables('workspace-location-inline')]",
+ "properties": {
+ "api": {
+ "id": "[[variables('_connection-1')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Logic/workflows",
+ "apiVersion": "2017-07-01",
+ "name": "[[parameters('PlaybookName')]",
+ "location": "[[variables('workspace-location-inline')]",
+ "tags": {
+ "LogicAppsCategory": "security",
+ "Source": "MDTI",
+ "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
+ },
+ "dependsOn": [
+ "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]"
+ ],
+ "properties": {
+ "state": "Enabled",
+ "definition": {
+ "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "$connections": {
+ "type": "Object"
+ }
+ },
+ "triggers": {
+ "When_Azure_Sentinel_incident_creation_rule_was_triggered": {
+ "type": "ApiConnectionWebhook",
+ "inputs": {
+ "body": {
+ "callback_url": "@{listCallbackUrl()}"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "path": "/incident-creation"
+ }
+ }
+ },
+ "actions": {
+ "Entities_-_Get_Hosts": {
+ "runAfter": {
+ "MDTI-Base": [
+ "Succeeded"
+ ]
+ },
+ "type": "ApiConnection",
+ "inputs": {
+ "body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/entities/host"
+ }
+ },
+ "Entities_-_Get_IPs": {
+ "runAfter": {
+ "MDTI-Base": [
+ "Succeeded"
+ ]
+ },
+ "type": "ApiConnection",
+ "inputs": {
+ "body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/entities/ip"
+ }
+ },
+ "For_each_Host": {
+ "foreach": "@body('Entities_-_Get_Hosts')?['Hosts']",
+ "actions": {
+ "Add_comment_to_incident_(V3)_4": {
+ "runAfter": {
+ "Condition": [
+ "Succeeded"
+ ]
+ },
+ "type": "ApiConnection",
+ "inputs": {
+ "body": {
+ "incidentArmId": "@triggerBody()?['object']?['id']",
+ "message": "Passive DNS for @{items('For_each_host')?['HostName']}.@{items('For_each_host')?['DnsDomain']}
\n@{variables('Domain_comment')}
"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/Incidents/Comment"
+ }
+ },
+ "Condition": {
+ "actions": {
+ "Create_passiveDns_HtmlTable": {
+ "type": "Table",
+ "inputs": {
+ "format": "HTML",
+ "from": "@variables('result_output_host')"
+ }
+ },
+ "Set_domain_comment": {
+ "runAfter": {
+ "Create_passiveDns_HtmlTable": [
+ "Succeeded"
+ ]
+ },
+ "type": "SetVariable",
+ "inputs": {
+ "name": "Domain_comment",
+ "value": "@body('Create_passiveDns_HtmlTable')"
+ }
+ }
+ },
+ "runAfter": {
+ "For_each": [
+ "Succeeded"
+ ]
+ },
+ "else": {
+ "actions": {
+ "Set_domain_comment_empty": {
+ "type": "SetVariable",
+ "inputs": {
+ "name": "Domain_comment",
+ "value": "No results found."
+ }
+ }
+ }
+ },
+ "expression": {
+ "and": [
+ {
+ "greater": [
+ "@length(variables('result_output_host'))",
+ 0
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ },
+ "For_each": {
+ "foreach": "@body('Parse_results_from_Get_request_for_PassiveDns')?['value']",
+ "actions": {
+ "Append_to_array_variable": {
+ "type": "AppendToArrayVariable",
+ "inputs": {
+ "name": "result_output_host",
+ "value": {
+ "First seen date": "@{items('For_each')?['firstSeenDateTime']}",
+ "Last seen date": "@{items('For_each')?['lastSeenDateTime']}",
+ "Type": "@{items('For_each')?['recordType']}",
+ "Value": "@{items('For_each')?['artifact']?['id']}"
+ }
+ }
+ }
+ },
+ "runAfter": {
+ "Parse_results_from_Get_request_for_PassiveDns": [
+ "Succeeded"
+ ]
+ },
+ "type": "Foreach"
+ },
+ "Parse_results_from_Get_request_for_PassiveDns": {
+ "runAfter": {
+ "PassiveDns_by_Hostname": [
+ "Succeeded"
+ ]
+ },
+ "type": "ParseJson",
+ "inputs": {
+ "content": "@body('PassiveDns_by_Hostname')",
+ "schema": {
+ "properties": {
+ "@@odata.context": {
+ "type": "string"
+ },
+ "@@odata.count": {
+ "type": "integer"
+ },
+ "value": {
+ "items": {
+ "properties": {
+ "artifact": {
+ "properties": {
+ "@@odata.type": {
+ "type": "string"
+ },
+ "id": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "collectedDateTime": {
+ "type": "string"
+ },
+ "firstSeenDateTime": {
+ "type": "string"
+ },
+ "id": {
+ "type": "string"
+ },
+ "lastSeenDateTime": {
+ "type": "string"
+ },
+ "parentHost": {
+ "properties": {
+ "id": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "recordType": {
+ "type": "string"
+ }
+ },
+ "required": [
+ "id",
+ "firstSeenDateTime",
+ "lastSeenDateTime",
+ "collectedDateTime",
+ "recordType",
+ "parentHost",
+ "artifact"
+ ],
+ "type": "object"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ }
+ }
+ },
+ "PassiveDns_by_Hostname": {
+ "type": "Http",
+ "inputs": {
+ "authentication": {
+ "audience": "@body('MDTI-Base')?['resource']",
+ "clientId": "@body('MDTI-Base')?['clientId']",
+ "secret": "@body('MDTI-Base')?['clientSecret']",
+ "tenant": "@body('MDTI-Base')?['tenantId']",
+ "type": "ActiveDirectoryOAuth"
+ },
+ "headers": {
+ "Content-Type": "application/json"
+ },
+ "method": "GET",
+ "uri": "https://@{body('MDTI-Base')?['MDTI-BaseUrl']}/@{body('MDTI-Base')?['Api-Version']}/security/threatIntelligence/hosts('@{items('For_each_Host')?['HostName']}.@{items('For_each_Host')?['DnsDomain']}')/passiveDns?$count=true"
+ }
+ },
+ "Set_variable": {
+ "runAfter": {
+ "Add_comment_to_incident_(V3)_4": [
+ "Succeeded"
+ ]
+ },
+ "type": "SetVariable",
+ "inputs": {
+ "name": "result_output_host",
+ "value": "[variables('TemplateEmptyArray')]"
+ }
+ }
+ },
+ "runAfter": {
+ "intialize_domain_comment": [
+ "Succeeded"
+ ]
+ },
+ "type": "Foreach",
+ "runtimeConfiguration": {
+ "concurrency": {
+ "repetitions": 1
+ }
+ }
+ },
+ "For_each_IP_Address": {
+ "foreach": "@body('Entities_-_Get_IPs')?['IPs']",
+ "actions": {
+ "Add_comment_to_incident_(V3)_2": {
+ "runAfter": {
+ "Condition_2": [
+ "Succeeded"
+ ]
+ },
+ "type": "ApiConnection",
+ "inputs": {
+ "body": {
+ "incidentArmId": "@triggerBody()?['object']?['id']",
+ "message": "Passive DNS for .@{items('For_each_IP_Address')?['Address']}
\n@{variables('IPcomment')}
"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/Incidents/Comment"
+ }
+ },
+ "Condition_2": {
+ "actions": {
+ "Passive_Dns_for_IP_address_Results_HTML_Table": {
+ "type": "Table",
+ "inputs": {
+ "format": "HTML",
+ "from": "@variables('result_output_ip')"
+ }
+ },
+ "Set_variable_2": {
+ "runAfter": {
+ "Passive_Dns_for_IP_address_Results_HTML_Table": [
+ "Succeeded"
+ ]
+ },
+ "type": "SetVariable",
+ "inputs": {
+ "name": "IPcomment",
+ "value": "@body('Passive_Dns_for_IP_address_Results_HTML_Table')"
+ }
+ }
+ },
+ "runAfter": {
+ "For_each_2": [
+ "Succeeded"
+ ]
+ },
+ "else": {
+ "actions": {
+ "Set_variable_3": {
+ "type": "SetVariable",
+ "inputs": {
+ "name": "IPcomment",
+ "value": "No results found."
+ }
+ }
+ }
+ },
+ "expression": {
+ "and": [
+ {
+ "greater": [
+ "@length(variables('result_output_ip'))",
+ 0
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ },
+ "For_each_2": {
+ "foreach": "@body('Parse_results_from_Get_request_for_PassiveDns2')?['value']",
+ "actions": {
+ "Append_to_array_variable_2": {
+ "type": "AppendToArrayVariable",
+ "inputs": {
+ "name": "result_output_ip",
+ "value": {
+ "First": "@{items('For_each_2')?['firstSeenDateTime']}",
+ "Last": "@{items('For_each_2')?['lastSeenDateTime']}",
+ "Type": "@{items('For_each_2')?['recordType']}",
+ "Value": "@{items('For_each_2')?['artifact']?['id']}"
+ }
+ }
+ }
+ },
+ "runAfter": {
+ "Parse_results_from_Get_request_for_PassiveDns2": [
+ "Succeeded"
+ ]
+ },
+ "type": "Foreach"
+ },
+ "Parse_results_from_Get_request_for_PassiveDns2": {
+ "runAfter": {
+ "PassiveDns_by_IP_Address": [
+ "Succeeded"
+ ]
+ },
+ "type": "ParseJson",
+ "inputs": {
+ "content": "@body('PassiveDns_by_IP_Address')",
+ "schema": {
+ "properties": {
+ "@@odata.context": {
+ "type": "string"
+ },
+ "@@odata.count": {
+ "type": "integer"
+ },
+ "@@odata.nextLink": {
+ "type": "string"
+ },
+ "value": {
+ "items": {
+ "properties": {
+ "artifact": {
+ "properties": {
+ "@@odata.type": {
+ "type": "string"
+ },
+ "id": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "collectedDateTime": {
+ "type": "string"
+ },
+ "firstSeenDateTime": {
+ "type": "string"
+ },
+ "id": {
+ "type": "string"
+ },
+ "lastSeenDateTime": {
+ "type": "string"
+ },
+ "parentHost": {
+ "properties": {
+ "id": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "recordType": {
+ "type": "string"
+ }
+ },
+ "required": [
+ "id",
+ "firstSeenDateTime",
+ "lastSeenDateTime",
+ "collectedDateTime",
+ "recordType",
+ "parentHost",
+ "artifact"
+ ],
+ "type": "object"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ }
+ }
+ },
+ "PassiveDns_by_IP_Address": {
+ "type": "Http",
+ "inputs": {
+ "authentication": {
+ "audience": "@body('MDTI-Base')?['resource']",
+ "clientId": "@body('MDTI-Base')?['clientId']",
+ "secret": "@body('MDTI-Base')?['clientSecret']",
+ "tenant": "@body('MDTI-Base')?['tenantId']",
+ "type": "ActiveDirectoryOAuth"
+ },
+ "headers": {
+ "Content-Type": "application/json"
+ },
+ "method": "GET",
+ "uri": "https://@{body('MDTI-Base')?['MDTI-BaseUrl']}/@{body('MDTI-Base')?['Api-Version']}/security/threatIntelligence/hosts('@{items('For_each_IP_Address')?['Address']}')/passiveDns?$count=true"
+ }
+ },
+ "Reset_IP_variable": {
+ "runAfter": {
+ "Add_comment_to_incident_(V3)_2": [
+ "Succeeded"
+ ]
+ },
+ "type": "SetVariable",
+ "inputs": {
+ "name": "result_output_ip",
+ "value": "[variables('TemplateEmptyArray')]"
+ }
+ }
+ },
+ "runAfter": {
+ "Initializa_IP_Comment": [
+ "Succeeded"
+ ]
+ },
+ "type": "Foreach",
+ "runtimeConfiguration": {
+ "concurrency": {
+ "repetitions": 1
+ }
+ }
+ },
+ "Init_Result_Host": {
+ "runAfter": {
+ "Entities_-_Get_Hosts": [
+ "Succeeded"
+ ]
+ },
+ "type": "InitializeVariable",
+ "inputs": {
+ "variables": [
+ {
+ "name": "result_output_host",
+ "type": "array"
+ }
+ ]
+ }
+ },
+ "Init_Result_IP": {
+ "runAfter": {
+ "Entities_-_Get_IPs": [
+ "Succeeded"
+ ]
+ },
+ "type": "InitializeVariable",
+ "inputs": {
+ "variables": [
+ {
+ "name": "result_output_ip",
+ "type": "array"
+ }
+ ]
+ }
+ },
+ "Initializa_IP_Comment": {
+ "runAfter": {
+ "Init_Result_IP": [
+ "Succeeded"
+ ]
+ },
+ "type": "InitializeVariable",
+ "inputs": {
+ "variables": [
+ {
+ "name": "IPcomment",
+ "type": "string"
+ }
+ ]
+ }
+ },
+ "MDTI-Base": {
+ "type": "Workflow",
+ "inputs": {
+ "host": {
+ "triggerName": "manual",
+ "workflow": {
+ "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Logic/workflows/MDTI-Base')]"
+ }
+ }
+ }
+ },
+ "intialize_domain_comment": {
+ "runAfter": {
+ "Init_Result_Host": [
+ "Succeeded"
+ ]
+ },
+ "type": "InitializeVariable",
+ "inputs": {
+ "variables": [
+ {
+ "name": "Domain_comment",
+ "type": "string"
+ }
+ ]
+ }
+ }
+ }
+ },
+ "parameters": {
+ "$connections": {
+ "value": {
+ "azuresentinel": {
+ "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
+ "connectionName": "[[variables('MicrosoftSentinelConnectionName')]",
+ "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]"
+ }
+ }
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId6'),'/'))))]",
+ "properties": {
+ "parentId": "[variables('playbookId6')]",
+ "contentId": "[variables('_playbookContentId6')]",
+ "kind": "Playbook",
+ "version": "[variables('playbookVersion6')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Defender Threat Intelligence",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "tier": "Microsoft",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ }
+ ],
+ "metadata": {
+ "comments": "Get Passive DNS data the Microsoft Sentinels Incident based on MDTI Passive DNS data endpoint.",
+ "title": "MDTI-Data-Passive Dns",
+ "description": "This logic app automatically retrieves and enriches incident indicators generated by Microsoft Sentinel by leveraging data from the MDTI Passive DNS endpoint.",
+ "prerequisites": "This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [MDTI-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Microsoft%20Defender%20Threat%20Intelligence/Playbooks/MDTI-Base/azuredeploy.json) prior to deploying this playbook. If you have trouble accessing your account or your credentials contact your account representative or (mdtidiscussion[@]microsoft.com).",
+ "postDeployment": [
+ "After deploying the playbook, you must authorize the connections leveraged.",
+ "1. Visit the playbook resource.",
+ "2. Under 'Development Tools' (located on the left), click 'API Connections'.",
+ "3. Ensure each connection has been authorized.",
+ "**Note: If you've deployed the [MDTI-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Microsoft%20Defender%20Threat%20Intelligence/Playbooks/MDTI-Base/azuredeploy.json) playbook, you will only need to authorize the Microsoft Sentinel connection.**"
+ ],
+ "lastUpdateTime": "2023-04-09T00:00:00Z",
+ "releaseNotes": {
+ "version": "1.0",
+ "title": "[variables('blanks')]",
+ "notes": [
+ "Initial version"
+ ]
+ }
+ }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_playbookContentId6')]",
+ "contentKind": "Playbook",
+ "displayName": "MDTI-Data-PassiveDns",
+ "contentProductId": "[variables('_playbookcontentProductId6')]",
+ "id": "[variables('_playbookcontentProductId6')]",
+ "version": "[variables('playbookVersion6')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('playbookTemplateSpecName7')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "MDTI-Data-ReverseDnS Playbook with template version 3.0.1",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('playbookVersion7')]",
+ "parameters": {
+ "PlaybookName": {
+ "defaultValue": "MDTI-Data-ReverseDnS",
+ "type": "string"
+ }
+ },
+ "variables": {
+ "MicrosoftSentinelConnectionName": "[[concat('azuresentinel-', parameters('PlaybookName'))]",
+ "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
+ "_connection-1": "[[variables('connection-1')]",
+ "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
+ "workspace-name": "[parameters('workspace')]",
+ "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[[variables('MicrosoftSentinelConnectionName')]",
+ "location": "[[variables('workspace-location-inline')]",
+ "properties": {
+ "api": {
+ "id": "[[variables('_connection-1')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Logic/workflows",
+ "apiVersion": "2017-07-01",
+ "name": "[[parameters('PlaybookName')]",
+ "location": "[[variables('workspace-location-inline')]",
+ "tags": {
+ "LogicAppsCategory": "security",
+ "Source": "MDTI",
+ "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
+ },
+ "dependsOn": [
+ "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]"
+ ],
+ "properties": {
+ "state": "Enabled",
+ "definition": {
+ "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "$connections": {
+ "type": "Object"
+ }
+ },
+ "triggers": {
+ "When_Azure_Sentinel_incident_creation_rule_was_triggered": {
+ "type": "ApiConnectionWebhook",
+ "inputs": {
+ "body": {
+ "callback_url": "@{listCallbackUrl()}"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "path": "/incident-creation"
+ }
+ }
+ },
+ "actions": {
+ "Entities_-_Get_Hosts": {
+ "runAfter": {
+ "MDTI-Base": [
+ "Succeeded"
+ ]
+ },
+ "type": "ApiConnection",
+ "inputs": {
+ "body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/entities/host"
+ }
+ },
+ "Entities_-_Get_IPs": {
+ "runAfter": {
+ "MDTI-Base": [
+ "Succeeded"
+ ]
+ },
+ "type": "ApiConnection",
+ "inputs": {
+ "body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/entities/ip"
+ }
+ },
+ "For_each_Host": {
+ "foreach": "@body('Entities_-_Get_Hosts')?['Hosts']",
+ "actions": {
+ "Add_comment_to_incident_(V3)_4": {
+ "runAfter": {
+ "Condition": [
+ "Succeeded"
+ ]
+ },
+ "type": "ApiConnection",
+ "inputs": {
+ "body": {
+ "incidentArmId": "@triggerBody()?['object']?['id']",
+ "message": "Reverse Dns for @{items('For_each_host')?['HostName']}.@{items('For_each_host')?['DnsDomain']}
\n@{variables('Domain_comment')}
"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/Incidents/Comment"
+ }
+ },
+ "Condition": {
+ "actions": {
+ "Create_PassiveDnsReverse__HtmlTable": {
+ "type": "Table",
+ "inputs": {
+ "format": "HTML",
+ "from": "@variables('result_output_host')"
+ }
+ },
+ "Set_domain_comment": {
+ "runAfter": {
+ "Create_PassiveDnsReverse__HtmlTable": [
+ "Succeeded"
+ ]
+ },
+ "type": "SetVariable",
+ "inputs": {
+ "name": "Domain_comment",
+ "value": "@body('Create_PassiveDnsReverse__HtmlTable')"
+ }
+ }
+ },
+ "runAfter": {
+ "For_each": [
+ "Succeeded"
+ ]
+ },
+ "else": {
+ "actions": {
+ "Set_domain_comment_empty": {
+ "type": "SetVariable",
+ "inputs": {
+ "name": "Domain_comment",
+ "value": "No results found."
+ }
+ }
+ }
+ },
+ "expression": {
+ "and": [
+ {
+ "greater": [
+ "@length(variables('result_output_host'))",
+ 0
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ },
+ "For_each": {
+ "foreach": "@body('Parse_results_from_Get_request_for_PassiveDnsReverse_')?['value']",
+ "actions": {
+ "Append_to_array_variable": {
+ "type": "AppendToArrayVariable",
+ "inputs": {
+ "name": "result_output_host",
+ "value": {
+ "Collected date": "@{items('For_each')?['collectedDateTime']}",
+ "First seen date": "@{items('For_each')?['firstSeenDateTime']}",
+ "Last seen date": "@{items('For_each')?['lastSeenDateTime']}",
+ "Type": "@{items('For_each')?['recordType']}",
+ "Value": "@{items('For_each')?['artifact']?['id']}"
+ }
+ }
+ }
+ },
+ "runAfter": {
+ "Parse_results_from_Get_request_for_PassiveDnsReverse_": [
+ "Succeeded"
+ ]
+ },
+ "type": "Foreach"
+ },
+ "Parse_results_from_Get_request_for_PassiveDnsReverse_": {
+ "runAfter": {
+ "PassiveDnsReverse_by_Hostname": [
+ "Succeeded"
+ ]
+ },
+ "type": "ParseJson",
+ "inputs": {
+ "content": "@body('PassiveDnsReverse_by_Hostname')",
+ "schema": {
+ "properties": {
+ "@@odata.context": {
+ "type": "string"
+ },
+ "@@odata.count": {
+ "type": "integer"
+ },
+ "value": {
+ "items": {
+ "properties": {
+ "artifact": {
+ "properties": {
+ "@@odata.type": {
+ "type": "string"
+ },
+ "id": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "collectedDateTime": {
+ "type": "string"
+ },
+ "firstSeenDateTime": {
+ "type": "string"
+ },
+ "id": {
+ "type": "string"
+ },
+ "lastSeenDateTime": {
+ "type": "string"
+ },
+ "parentHost": {
+ "properties": {
+ "id": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "recordType": {
+ "type": "string"
+ }
+ },
+ "required": [
+ "id",
+ "firstSeenDateTime",
+ "lastSeenDateTime",
+ "collectedDateTime",
+ "recordType",
+ "parentHost",
+ "artifact"
+ ],
+ "type": "object"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ }
+ }
+ },
+ "PassiveDnsReverse_by_Hostname": {
+ "type": "Http",
+ "inputs": {
+ "authentication": {
+ "audience": "@body('MDTI-Base')?['resource']",
+ "clientId": "@body('MDTI-Base')?['clientId']",
+ "secret": "@body('MDTI-Base')?['clientSecret']",
+ "tenant": "@body('MDTI-Base')?['tenantId']",
+ "type": "ActiveDirectoryOAuth"
+ },
+ "headers": {
+ "Content-Type": "application/json"
+ },
+ "method": "GET",
+ "uri": "https://@{body('MDTI-Base')?['MDTI-BaseUrl']}/@{body('MDTI-Base')?['Api-Version']}/security/threatIntelligence/hosts('@{items('For_each_Host')?['HostName']}.@{items('For_each_Host')?['DnsDomain']}')/passiveDnsReverse?$count=true"
+ }
+ },
+ "Set_variable": {
+ "runAfter": {
+ "Add_comment_to_incident_(V3)_4": [
+ "Succeeded"
+ ]
+ },
+ "type": "SetVariable",
+ "inputs": {
+ "name": "result_output_host",
+ "value": "[variables('TemplateEmptyArray')]"
+ }
+ }
+ },
+ "runAfter": {
+ "intialize_domain_comment": [
+ "Succeeded"
+ ]
+ },
+ "type": "Foreach",
+ "runtimeConfiguration": {
+ "concurrency": {
+ "repetitions": 1
+ }
+ }
+ },
+ "For_each_IP_Address": {
+ "foreach": "@body('Entities_-_Get_IPs')?['IPs']",
+ "actions": {
+ "Add_comment_to_incident_(V3)_2": {
+ "runAfter": {
+ "Condition_2": [
+ "Succeeded"
+ ]
+ },
+ "type": "ApiConnection",
+ "inputs": {
+ "body": {
+ "incidentArmId": "@triggerBody()?['object']?['id']",
+ "message": "Reverse Dns for @{items('For_each_IP_Address')?['Address']}
\n@{variables('IPcomment')}
"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/Incidents/Comment"
+ }
+ },
+ "Condition_2": {
+ "actions": {
+ "Passive_DnsReverse_HTML_Results_Table": {
+ "type": "Table",
+ "inputs": {
+ "format": "HTML",
+ "from": "@variables('result_output_ip')"
+ }
+ },
+ "Set_variable_2": {
+ "runAfter": {
+ "Passive_DnsReverse_HTML_Results_Table": [
+ "Succeeded"
+ ]
+ },
+ "type": "SetVariable",
+ "inputs": {
+ "name": "IPcomment",
+ "value": "@body('Passive_DnsReverse_HTML_Results_Table')"
+ }
+ }
+ },
+ "runAfter": {
+ "For_each_2": [
+ "Succeeded"
+ ]
+ },
+ "else": {
+ "actions": {
+ "Set_variable_3": {
+ "type": "SetVariable",
+ "inputs": {
+ "name": "IPcomment",
+ "value": "No Results found"
+ }
+ }
+ }
+ },
+ "expression": {
+ "and": [
+ {
+ "greater": [
+ "@length(variables('result_output_ip'))",
+ 0
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ },
+ "For_each_2": {
+ "foreach": "@body('Parse_results_from_Get_request_for_PassiveDnsReverse2')?['value']",
+ "actions": {
+ "Append_to_array_variable_2": {
+ "type": "AppendToArrayVariable",
+ "inputs": {
+ "name": "result_output_ip",
+ "value": {
+ "Collected date": "@{items('For_each_2')?['collectedDateTime']}",
+ "First seen date": "@{items('For_each_2')?['firstSeenDateTime']}",
+ "Last seen date": "@{items('For_each_2')?['lastSeenDateTime']}",
+ "Type": "@{items('For_each_2')?['recordType']}",
+ "Value": "@{items('For_each_2')?['artifact']?['id']}"
+ }
+ }
+ }
+ },
+ "runAfter": {
+ "Parse_results_from_Get_request_for_PassiveDnsReverse2": [
+ "Succeeded"
+ ]
+ },
+ "type": "Foreach"
+ },
+ "Parse_results_from_Get_request_for_PassiveDnsReverse2": {
+ "runAfter": {
+ "PassiveDnsReverse__by_IP_Address": [
+ "Succeeded"
+ ]
+ },
+ "type": "ParseJson",
+ "inputs": {
+ "content": "@body('PassiveDnsReverse__by_IP_Address')",
+ "schema": {
+ "properties": {
+ "@@odata.context": {
+ "type": "string"
+ },
+ "@@odata.count": {
+ "type": "integer"
+ },
+ "@@odata.nextLink": {
+ "type": "string"
+ },
+ "value": {
+ "items": {
+ "properties": {
+ "artifact": {
+ "properties": {
+ "@@odata.type": {
+ "type": "string"
+ },
+ "id": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "collectedDateTime": {
+ "type": "string"
+ },
+ "firstSeenDateTime": {
+ "type": "string"
+ },
+ "id": {
+ "type": "string"
+ },
+ "lastSeenDateTime": {
+ "type": "string"
+ },
+ "parentHost": {
+ "properties": {
+ "id": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "recordType": {
+ "type": "string"
+ }
+ },
+ "required": [
+ "id",
+ "firstSeenDateTime",
+ "lastSeenDateTime",
+ "collectedDateTime",
+ "recordType",
+ "parentHost",
+ "artifact"
+ ],
+ "type": "object"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ }
+ }
+ },
+ "PassiveDnsReverse__by_IP_Address": {
+ "type": "Http",
+ "inputs": {
+ "authentication": {
+ "audience": "@body('MDTI-Base')?['resource']",
+ "clientId": "@body('MDTI-Base')?['clientId']",
+ "secret": "@body('MDTI-Base')?['clientSecret']",
+ "tenant": "@body('MDTI-Base')?['tenantId']",
+ "type": "ActiveDirectoryOAuth"
+ },
+ "headers": {
+ "Content-Type": "application/json"
+ },
+ "method": "GET",
+ "uri": "https://@{body('MDTI-Base')?['MDTI-BaseUrl']}/@{body('MDTI-Base')?['Api-Version']}/security/threatIntelligence/hosts('@{items('For_each_IP_Address')?['Address']}')/passiveDnsReverse?$count=true"
+ }
+ },
+ "Reset_IP_variable": {
+ "runAfter": {
+ "Add_comment_to_incident_(V3)_2": [
+ "Succeeded"
+ ]
+ },
+ "type": "SetVariable",
+ "inputs": {
+ "name": "result_output_ip",
+ "value": "[variables('TemplateEmptyArray')]"
+ }
+ }
+ },
+ "runAfter": {
+ "Initializa_IP_Comment": [
+ "Succeeded"
+ ]
+ },
+ "type": "Foreach",
+ "runtimeConfiguration": {
+ "concurrency": {
+ "repetitions": 1
+ }
+ }
+ },
+ "Init_Result_Host": {
+ "runAfter": {
+ "Entities_-_Get_Hosts": [
+ "Succeeded"
+ ]
+ },
+ "type": "InitializeVariable",
+ "inputs": {
+ "variables": [
+ {
+ "name": "result_output_host",
+ "type": "array"
+ }
+ ]
+ }
+ },
+ "Init_Result_IP": {
+ "runAfter": {
+ "Entities_-_Get_IPs": [
+ "Succeeded"
+ ]
+ },
+ "type": "InitializeVariable",
+ "inputs": {
+ "variables": [
+ {
+ "name": "result_output_ip",
+ "type": "array"
+ }
+ ]
+ }
+ },
+ "Initializa_IP_Comment": {
+ "runAfter": {
+ "Init_Result_IP": [
+ "Succeeded"
+ ]
+ },
+ "type": "InitializeVariable",
+ "inputs": {
+ "variables": [
+ {
+ "name": "IPcomment",
+ "type": "string"
+ }
+ ]
+ }
+ },
+ "MDTI-Base": {
+ "type": "Workflow",
+ "inputs": {
+ "host": {
+ "triggerName": "manual",
+ "workflow": {
+ "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Logic/workflows/MDTI-Base')]"
+ }
+ }
+ }
+ },
+ "intialize_domain_comment": {
+ "runAfter": {
+ "Init_Result_Host": [
+ "Succeeded"
+ ]
+ },
+ "type": "InitializeVariable",
+ "inputs": {
+ "variables": [
+ {
+ "name": "Domain_comment",
+ "type": "string"
+ }
+ ]
+ }
+ }
+ }
+ },
+ "parameters": {
+ "$connections": {
+ "value": {
+ "azuresentinel": {
+ "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
+ "connectionName": "[[variables('MicrosoftSentinelConnectionName')]",
+ "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]"
+ }
+ }
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId7'),'/'))))]",
+ "properties": {
+ "parentId": "[variables('playbookId7')]",
+ "contentId": "[variables('_playbookContentId7')]",
+ "kind": "Playbook",
+ "version": "[variables('playbookVersion7')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Defender Threat Intelligence",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "tier": "Microsoft",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ }
+ ],
+ "metadata": {
+ "comments": "Get Reverse Dns data the Microsoft Sentinels Incident based on MDTI Passive DNS Reverse data endpoint.",
+ "title": "MDTI-Data-ReverseDnS",
+ "description": "This logic app automatically retrieves and enriches incident indicators generated by Microsoft Sentinel by leveraging data from the MDTI Passive DNS Reverse endpoint.",
+ "prerequisites": "This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [MDTI-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Microsoft%20Defender%20Threat%20Intelligence/Playbooks/MDTI-Base/azuredeploy.json) prior to deploying this playbook. If you have trouble accessing your account or your credentials contact your account representative or (mdtidiscussion[@]microsoft.com).",
+ "postDeployment": [
+ "After deploying the playbook, you must authorize the connections leveraged.",
+ "1. Visit the playbook resource.",
+ "2. Under 'Development Tools' (located on the left), click 'API Connections'.",
+ "3. Ensure each connection has been authorized.",
+ "**Note: If you've deployed the [MDTI-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Microsoft%20Defender%20Threat%20Intelligence/Playbooks/MDTI-Base/azuredeploy.json) playbook, you will only need to authorize the Microsoft Sentinel connection.**"
+ ],
+ "lastUpdateTime": "2023-04-09T00:00:00Z",
+ "releaseNotes": {
+ "version": "1.0",
+ "title": "[variables('blanks')]",
+ "notes": [
+ "Initial version"
+ ]
+ }
+ }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_playbookContentId7')]",
+ "contentKind": "Playbook",
+ "displayName": "MDTI-Data-ReverseDnS",
+ "contentProductId": "[variables('_playbookcontentProductId7')]",
+ "id": "[variables('_playbookcontentProductId7')]",
+ "version": "[variables('playbookVersion7')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('playbookTemplateSpecName8')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "MDTI-Data-Trackers Playbook with template version 3.0.1",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('playbookVersion8')]",
+ "parameters": {
+ "PlaybookName": {
+ "defaultValue": "MDTI-Data-Trackers",
+ "type": "string"
+ }
+ },
+ "variables": {
+ "MicrosoftSentinelConnectionName": "[[concat('azursentinel-', parameters('PlaybookName'))]",
+ "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
+ "_connection-1": "[[variables('connection-1')]",
+ "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
+ "workspace-name": "[parameters('workspace')]",
+ "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[[variables('MicrosoftSentinelConnectionName')]",
+ "location": "[[variables('workspace-location-inline')]",
+ "properties": {
+ "api": {
+ "id": "[[variables('_connection-1')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Logic/workflows",
+ "apiVersion": "2017-07-01",
+ "name": "[[parameters('PlaybookName')]",
+ "location": "[[variables('workspace-location-inline')]",
+ "tags": {
+ "LogicAppsCategory": "security",
+ "Source": "MDTI",
+ "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
+ },
+ "dependsOn": [
+ "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]"
+ ],
+ "properties": {
+ "state": "Enabled",
+ "definition": {
+ "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "$connections": {
+ "type": "Object"
+ }
+ },
+ "triggers": {
+ "When_Azure_Sentinel_incident_creation_rule_was_triggered": {
+ "type": "ApiConnectionWebhook",
+ "inputs": {
+ "body": {
+ "callback_url": "@{listCallbackUrl()}"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "path": "/incident-creation"
+ }
+ }
+ },
+ "actions": {
+ "Entities_-_Get_Hosts": {
+ "runAfter": {
+ "MDTI-Base": [
+ "Succeeded"
+ ]
+ },
+ "type": "ApiConnection",
+ "inputs": {
+ "body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/entities/host"
+ }
+ },
+ "Entities_-_Get_IPs": {
+ "runAfter": {
+ "MDTI-Base": [
+ "Succeeded"
+ ]
+ },
+ "type": "ApiConnection",
+ "inputs": {
+ "body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/entities/ip"
+ }
+ },
+ "For_each_Host": {
+ "foreach": "@body('Entities_-_Get_Hosts')?['Hosts']",
+ "actions": {
+ "Add_comment_to_incident_(V3)_4": {
+ "runAfter": {
+ "Condition": [
+ "Succeeded"
+ ]
+ },
+ "type": "ApiConnection",
+ "inputs": {
+ "body": {
+ "incidentArmId": "@triggerBody()?['object']?['id']",
+ "message": "Trackers for @{items('For_each_host')?['HostName']}.@{items('For_each_host')?['DnsDomain']}
\n@{variables('Domain_comment')}
"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/Incidents/Comment"
+ }
+ },
+ "Condition": {
+ "actions": {
+ "Create_Trackers_for_Host_HtmlTable": {
+ "type": "Table",
+ "inputs": {
+ "format": "HTML",
+ "from": "@variables('result_output_host')"
+ }
+ },
+ "Set_domain_comment": {
+ "runAfter": {
+ "Create_Trackers_for_Host_HtmlTable": [
+ "Succeeded"
+ ]
+ },
+ "type": "SetVariable",
+ "inputs": {
+ "name": "Domain_comment",
+ "value": "@body('Create_Trackers_for_Host_HtmlTable')"
+ }
+ }
+ },
+ "runAfter": {
+ "For_each": [
+ "Succeeded"
+ ]
+ },
+ "else": {
+ "actions": {
+ "Set_domain_comment_empty": {
+ "type": "SetVariable",
+ "inputs": {
+ "name": "Domain_comment",
+ "value": "No results found."
+ }
+ }
+ }
+ },
+ "expression": {
+ "and": [
+ {
+ "greater": [
+ "@length(variables('result_output_host'))",
+ 0
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ },
+ "For_each": {
+ "foreach": "@body('Parse_results_from_Get_request_for_Trackers_for_Host')?['value']",
+ "actions": {
+ "Append_to_array_variable": {
+ "type": "AppendToArrayVariable",
+ "inputs": {
+ "name": "result_output_host",
+ "value": {
+ "First Seen": "@{items('For_each')?['firstSeenDateTime']}",
+ "Hostname": "@{items('For_each_Host')?['HostName']}.@{items('For_each_Host')?['DnsDomain']}",
+ "Type": "@{items('For_each')?['kind']}",
+ "Value": "@{items('For_each')?['value']}",
+ "last Seen": "@{items('For_each')?['lastSeenDateTime']}"
+ }
+ }
+ }
+ },
+ "runAfter": {
+ "Parse_results_from_Get_request_for_Trackers_for_Host": [
+ "Succeeded"
+ ]
+ },
+ "type": "Foreach"
+ },
+ "Parse_results_from_Get_request_for_Trackers_for_Host": {
+ "runAfter": {
+ "Trackers_for_Hostname": [
+ "Succeeded"
+ ]
+ },
+ "type": "ParseJson",
+ "inputs": {
+ "content": "@body('Trackers_for_Hostname')",
+ "schema": {
+ "properties": {
+ "@@odata.context": {
+ "type": "string"
+ },
+ "@@odata.count": {
+ "type": "integer"
+ },
+ "@@odata.nextLink": {
+ "type": "string"
+ },
+ "value": {
+ "items": {
+ "properties": {
+ "firstSeenDateTime": {
+ "type": "string"
+ },
+ "host": {
+ "properties": {
+ "id": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "id": {
+ "type": "string"
+ },
+ "kind": {
+ "type": "string"
+ },
+ "lastSeenDateTime": {
+ "type": "string"
+ },
+ "value": {
+ "type": "string"
+ }
+ },
+ "required": [
+ "id",
+ "firstSeenDateTime",
+ "lastSeenDateTime",
+ "kind",
+ "value",
+ "host"
+ ],
+ "type": "object"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ }
+ }
+ },
+ "Set_variable": {
+ "runAfter": {
+ "Add_comment_to_incident_(V3)_4": [
+ "Succeeded"
+ ]
+ },
+ "type": "SetVariable",
+ "inputs": {
+ "name": "result_output_host",
+ "value": "[variables('TemplateEmptyArray')]"
+ }
+ },
+ "Trackers_for_Hostname": {
+ "type": "Http",
+ "inputs": {
+ "authentication": {
+ "audience": "@body('MDTI-Base')?['resource']",
+ "clientId": "@body('MDTI-Base')?['clientId']",
+ "secret": "@body('MDTI-Base')?['clientSecret']",
+ "tenant": "@body('MDTI-Base')?['tenantId']",
+ "type": "ActiveDirectoryOAuth"
+ },
+ "headers": {
+ "Content-Type": "application/json"
+ },
+ "method": "GET",
+ "uri": "https://@{body('MDTI-Base')?['MDTI-BaseUrl']}/@{body('MDTI-Base')?['Api-Version']}/security/threatIntelligence/hosts('@{items('For_each_Host')?['HostName']}.@{items('For_each_Host')?['DnsDomain']}')/trackers?$count=true"
+ }
+ }
+ },
+ "runAfter": {
+ "intialize_domain_comment": [
+ "Succeeded"
+ ]
+ },
+ "type": "Foreach",
+ "runtimeConfiguration": {
+ "concurrency": {
+ "repetitions": 1
+ }
+ }
+ },
+ "For_each_IP_Address": {
+ "foreach": "@body('Entities_-_Get_IPs')?['IPs']",
+ "actions": {
+ "Add_comment_to_incident_(V3)": {
+ "runAfter": {
+ "Condition_2": [
+ "Succeeded"
+ ]
+ },
+ "type": "ApiConnection",
+ "inputs": {
+ "body": {
+ "incidentArmId": "@triggerBody()?['object']?['id']",
+ "message": "Trackers for .@{items('For_each_IP_Address')?['Address']}
\n@{variables('IPcomment')}
"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/Incidents/Comment"
+ }
+ },
+ "Condition_2": {
+ "actions": {
+ "Create_Trackers_for_IP_address_HtmlTable": {
+ "type": "Table",
+ "inputs": {
+ "format": "HTML",
+ "from": "@variables('result_output_ip')"
+ }
+ },
+ "Set_Ip_Comment": {
+ "runAfter": {
+ "Create_Trackers_for_IP_address_HtmlTable": [
+ "Succeeded"
+ ]
+ },
+ "type": "SetVariable",
+ "inputs": {
+ "name": "IPcomment",
+ "value": "@body('Create_Trackers_for_IP_address_HtmlTable')"
+ }
+ }
+ },
+ "runAfter": {
+ "For_each_2": [
+ "Succeeded"
+ ]
+ },
+ "else": {
+ "actions": {
+ "Set_variable_2": {
+ "type": "SetVariable",
+ "inputs": {
+ "name": "IPcomment",
+ "value": "No results found"
+ }
+ }
+ }
+ },
+ "expression": {
+ "and": [
+ {
+ "greater": [
+ "@length(variables('result_output_ip'))",
+ 0
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ },
+ "For_each_2": {
+ "foreach": "@body('Parse_results_from_Get_request_for_Trackers_for_IP_Address')?['value']",
+ "actions": {
+ "Append_to_array_variable_2": {
+ "type": "AppendToArrayVariable",
+ "inputs": {
+ "name": "result_output_ip",
+ "value": {
+ "First Seen": "@{items('For_each_2')?['firstSeenDateTime']}",
+ "IP Address": "@{items('For_each_2')?['host']?['id']}",
+ "Type": "@{items('For_each_2')?['kind']}",
+ "Value": "@{items('For_each_2')?['value']}",
+ "last Seen": "@{items('For_each_2')?['lastSeenDateTime']}"
+ }
+ }
+ }
+ },
+ "runAfter": {
+ "Parse_results_from_Get_request_for_Trackers_for_IP_Address": [
+ "Succeeded"
+ ]
+ },
+ "type": "Foreach"
+ },
+ "Parse_results_from_Get_request_for_Trackers_for_IP_Address": {
+ "runAfter": {
+ "Trackers_for_IP_Address": [
+ "Succeeded"
+ ]
+ },
+ "type": "ParseJson",
+ "inputs": {
+ "content": "@body('Trackers_for_IP_Address')",
+ "schema": {
+ "properties": {
+ "@@odata.context": {
+ "type": "string"
+ },
+ "@@odata.count": {
+ "type": "integer"
+ },
+ "value": {
+ "items": {
+ "properties": {
+ "firstSeenDateTime": {
+ "type": "string"
+ },
+ "host": {
+ "properties": {
+ "id": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "id": {
+ "type": "string"
+ },
+ "kind": {
+ "type": "string"
+ },
+ "lastSeenDateTime": {
+ "type": "string"
+ },
+ "value": {
+ "type": "string"
+ }
+ },
+ "required": [
+ "id",
+ "firstSeenDateTime",
+ "lastSeenDateTime",
+ "kind",
+ "value",
+ "host"
+ ],
+ "type": "object"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ }
+ }
+ },
+ "Reset_IP_variable": {
+ "runAfter": {
+ "Add_comment_to_incident_(V3)": [
+ "Succeeded"
+ ]
+ },
+ "type": "SetVariable",
+ "inputs": {
+ "name": "result_output_ip",
+ "value": "[variables('TemplateEmptyArray')]"
+ }
+ },
+ "Trackers_for_IP_Address": {
+ "type": "Http",
+ "inputs": {
+ "authentication": {
+ "audience": "@body('MDTI-Base')?['resource']",
+ "clientId": "@body('MDTI-Base')?['clientId']",
+ "secret": "@body('MDTI-Base')?['clientSecret']",
+ "tenant": "@body('MDTI-Base')?['tenantId']",
+ "type": "ActiveDirectoryOAuth"
+ },
+ "headers": {
+ "Content-Type": "application/json"
+ },
+ "method": "GET",
+ "uri": "https://@{body('MDTI-Base')?['MDTI-BaseUrl']}/@{body('MDTI-Base')?['Api-Version']}/security/threatIntelligence/hosts('@{items('For_each_IP_Address')?['Address']}')/trackers?$count=true"
+ }
+ }
+ },
+ "runAfter": {
+ "Initializa_IP_Comment": [
+ "Succeeded"
+ ]
+ },
+ "type": "Foreach",
+ "runtimeConfiguration": {
+ "concurrency": {
+ "repetitions": 1
+ }
+ }
+ },
+ "Init_Result_Host": {
+ "runAfter": {
+ "Entities_-_Get_Hosts": [
+ "Succeeded"
+ ]
+ },
+ "type": "InitializeVariable",
+ "inputs": {
+ "variables": [
+ {
+ "name": "result_output_host",
+ "type": "array"
+ }
+ ]
+ }
+ },
+ "Init_Result_IP": {
+ "runAfter": {
+ "Entities_-_Get_IPs": [
+ "Succeeded"
+ ]
+ },
+ "type": "InitializeVariable",
+ "inputs": {
+ "variables": [
+ {
+ "name": "result_output_ip",
+ "type": "array"
+ }
+ ]
+ }
+ },
+ "Initializa_IP_Comment": {
+ "runAfter": {
+ "Init_Result_IP": [
+ "Succeeded"
+ ]
+ },
+ "type": "InitializeVariable",
+ "inputs": {
+ "variables": [
+ {
+ "name": "IPcomment",
+ "type": "string"
+ }
+ ]
+ }
+ },
+ "MDTI-Base": {
+ "type": "Workflow",
+ "inputs": {
+ "host": {
+ "triggerName": "manual",
+ "workflow": {
+ "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Logic/workflows/MDTI-Base')]"
+ }
+ }
+ }
+ },
+ "intialize_domain_comment": {
+ "runAfter": {
+ "Init_Result_Host": [
+ "Succeeded"
+ ]
+ },
+ "type": "InitializeVariable",
+ "inputs": {
+ "variables": [
+ {
+ "name": "Domain_comment",
+ "type": "string"
+ }
+ ]
+ }
+ }
+ }
+ },
+ "parameters": {
+ "$connections": {
+ "value": {
+ "azuresentinel": {
+ "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
+ "connectionName": "[[variables('MicrosoftSentinelConnectionName')]",
+ "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]"
+ }
+ }
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId8'),'/'))))]",
+ "properties": {
+ "parentId": "[variables('playbookId8')]",
+ "contentId": "[variables('_playbookContentId8')]",
+ "kind": "Playbook",
+ "version": "[variables('playbookVersion8')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Microsoft Defender Threat Intelligence",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "tier": "Microsoft",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ }
+ ],
+ "metadata": {
+ "comments": "Get Trackers data the Microsoft Sentinels Incident based on MDTI Trackers data.",
+ "title": "MDTI-Data-Trackers",
+ "description": "This logic app automatically retrieves and enriches incident indicators generated by Microsoft Sentinel by leveraging data from the MDTI tracker endpoint.",
+ "prerequisites": "This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [MDTI-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Microsoft%20Defender%20Threat%20Intelligence/Playbooks/MDTI-Base/azuredeploy.json) prior to deploying this playbook. If you have trouble accessing your account or your credentials contact your account representative or (mdtidiscussion[@]microsoft.com).",
+ "postDeployment": [
+ "After deploying the playbook, you must authorize the connections leveraged.",
+ "1. Visit the playbook resource.",
+ "2. Under 'Development Tools' (located on the left), click 'API Connections'.",
+ "3. Ensure each connection has been authorized.",
+ "**Note: If you've deployed the [MDTI-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Microsoft%20Defender%20Threat%20Intelligence/Playbooks/MDTI-Base/azuredeploy.json) playbook, you will only need to authorize the Microsoft Sentinel connection.**"
+ ],
+ "lastUpdateTime": "2023-04-09T00:00:00Z",
+ "releaseNotes": {
+ "version": "1.0",
+ "title": "[variables('blanks')]",
+ "notes": [
+ "Initial version"
+ ]
+ }
+ }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_playbookContentId8')]",
+ "contentKind": "Playbook",
+ "displayName": "MDTI-Data-Trackers",
+ "contentProductId": "[variables('_playbookcontentProductId8')]",
+ "id": "[variables('_playbookcontentProductId8')]",
+ "version": "[variables('playbookVersion8')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('workbookTemplateSpecName1')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "MicrosoftThreatIntelligence Workbook with template version 3.0.1",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('workbookVersion1')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Insights/workbooks",
+ "name": "[variables('workbookContentId1')]",
+ "location": "[parameters('workspace-location')]",
+ "kind": "shared",
+ "apiVersion": "2021-08-01",
+ "metadata": {
+ "description": "Gain insights into threat indicators ingestion and search for indicators at scale across Microsoft 1st Party, 3rd Party, On-Premises, Hybrid, and Multi-Cloud Workloads. Indicators Search facilitates a simple interface for finding IP, File, Hash, Sender and more across your data. Seamless pivots to correlate indicators with Microsoft Sentinel: Incidents to make your threat intelligence actionable."
},
"properties": {
"displayName": "[parameters('workbook1-name')]",
@@ -1946,12 +4722,12 @@
"apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
- "version": "3.0.0",
+ "version": "3.0.1",
"kind": "Solution",
"contentSchemaVersion": "3.0.0",
"displayName": "Microsoft Defender Threat Intelligence",
"publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation",
- "descriptionHtml": "Note: There may be known issues pertaining to this Solution, please refer to them before installing.
\nMicrosoft centralizes numerous data sets into a single platform, Microsoft Defender Threat Intelligence (MDTI), making it easier for Microsoft’s community and customers to conduct infrastructure analysis. Microsoft’s primary focus is to provide as much data as possible about Internet infrastructure to support a variety of security use cases and enabling automation for Incident management in Microsoft Sentinel.
\nWorkbooks: 1, Playbooks: 4
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n",
+ "descriptionHtml": "Note: There may be known issues pertaining to this Solution, please refer to them before installing.
\nMicrosoft centralizes numerous data sets into a single platform, Microsoft Defender Threat Intelligence (MDTI), making it easier for Microsoft’s community and customers to conduct infrastructure analysis. Microsoft’s primary focus is to provide as much data as possible about Internet infrastructure to support a variety of security use cases and enabling automation for Incident management in Microsoft Sentinel.
\nWorkbooks: 1, Playbooks: 8
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n",
"contentKind": "Solution",
"contentProductId": "[variables('_solutioncontentProductId')]",
"id": "[variables('_solutioncontentProductId')]",
@@ -1988,14 +4764,34 @@
},
{
"kind": "Playbook",
- "contentId": "[variables('_MDTI-Data-WebComponents')]",
+ "contentId": "[variables('_MDTI-Data-Cookies')]",
"version": "[variables('playbookVersion3')]"
},
{
"kind": "Playbook",
- "contentId": "[variables('_MDTI-Intel-Reputation')]",
+ "contentId": "[variables('_MDTI-Data-WebComponents')]",
"version": "[variables('playbookVersion4')]"
},
+ {
+ "kind": "Playbook",
+ "contentId": "[variables('_MDTI-Intel-Reputation')]",
+ "version": "[variables('playbookVersion5')]"
+ },
+ {
+ "kind": "Playbook",
+ "contentId": "[variables('_MDTI-PassiveDns')]",
+ "version": "[variables('playbookVersion6')]"
+ },
+ {
+ "kind": "Playbook",
+ "contentId": "[variables('_MDTI-PassiveDnsReverse')]",
+ "version": "[variables('playbookVersion7')]"
+ },
+ {
+ "kind": "Playbook",
+ "contentId": "[variables('_MDTI-Trackers')]",
+ "version": "[variables('playbookVersion8')]"
+ },
{
"kind": "Workbook",
"contentId": "[variables('_workbookContentId1')]",
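Review bot: The `playbookVersionN` indices are re-based in this dependency list — `_MDTI-Data-WebComponents` moves from `playbookVersion3` to `playbookVersion4` and `_MDTI-Intel-Reputation` from `playbookVersion4` to `playbookVersion5` — so two already-installed playbooks now take their version from a different variable than in the previous package. The variables block that defines `playbookVersion3`..`playbookVersion8` and the `_MDTI-*` content ids is outside this hunk; it should be checked that its order is Cookies=3, WebComponents=4, Reputation=5, PassiveDns=6, PassiveDnsReverse=7, Trackers=8, because a mismatch would report one playbook's version under another playbook's `contentId` and break update detection for customers who already have 3.0.0 installed. The Trackers entry references `[variables('_MDTI-Trackers')]` while the same playbook's metadata earlier in this diff carries `"displayName": "MDTI-Data-Trackers"`; that is presumably the folder name versus the template title, but it is worth confirming the content id resolves to the Trackers template rather than leaving the name split across two spellings.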
diff --git a/Solutions/Microsoft Defender Threat Intelligence/Package/testParameters.json b/Solutions/Microsoft Defender Threat Intelligence/Package/testParameters.json
new file mode 100644
index 00000000000..59d943ed014
--- /dev/null
+++ b/Solutions/Microsoft Defender Threat Intelligence/Package/testParameters.json
@@ -0,0 +1,32 @@
+{
+ "location": {
+ "type": "string",
+ "minLength": 1,
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
+ }
+ },
+ "workspace-location": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
+ }
+ },
+ "workspace": {
+ "defaultValue": "",
+ "type": "string",
+ "metadata": {
+ "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
+ }
+ },
+ "workbook1-name": {
+ "type": "string",
+ "defaultValue": "Threat Intelligence",
+ "minLength": 1,
+ "metadata": {
+ "description": "Name for the workbook"
+ }
+ }
+}
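Review bot: `workspace` defaults to `""` with no `minLength`, so this parameter file accepts an empty workspace name and the failure only surfaces later when the deployment tries to resolve the Log Analytics workspace resource. `location` and `workbook1-name` already carry `"minLength": 1`, so adding the same constraint to `workspace` (`"minLength": 1,` after its `"type": "string",`) makes the required string parameters consistent and fails fast — assuming the packaging tool that emits this file permits it; `workspace-location` is presumably intended to stay empty-by-default since the template derives the region from the workspace. As a point of style, `workspace` lists `defaultValue` before `type` whereas the other three parameters put `type` first; keeping `type` first keeps the file uniform.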
diff --git a/Solutions/Microsoft Defender Threat Intelligence/Playbooks/MDTI-Automated-Triage/readme.md b/Solutions/Microsoft Defender Threat Intelligence/Playbooks/MDTI-Automated-Triage/readme.md
index cc4aaaa8677..919ac331a3e 100644
--- a/Solutions/Microsoft Defender Threat Intelligence/Playbooks/MDTI-Automated-Triage/readme.md
+++ b/Solutions/Microsoft Defender Threat Intelligence/Playbooks/MDTI-Automated-Triage/readme.md
@@ -4,7 +4,7 @@
This playbook uses the [Microsoft Defender Threat Intelligence](https://learn.microsoft.com/en-us/defender/threat-intelligence/what-is-microsoft-defender-threat-intelligence-defender-ti) Reputation data to automatically enrich incidents generated by Microsoft Sentinel. Indicators from an incident will be evaluated with MDTI [Reputation](https://learn.microsoft.com/en-us/defender/threat-intelligence/reputation-scoring) data. If any indicators are labeled as "suspicious", the incident will be tagged as such and its severity will be marked as "medium". If any indicators are labeled as "malicious", the incident will be tagged as such and its severity will be marked as "high". Regardless of the reputation state, comments will be added to the incident outlining the reputation details with links to further information if applicable.
## Prerequisites
-1. This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [MDTI-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Microsoft%20Defender%20Threat%20Intellingence/Playbooks/MDTI-Base/azuredeploy.json) this playbook. If you have trouble accessing your account or your credentials contact your account representative or reach out to discussMDTI[@]microsoft.com.
+1. This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [MDTI-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Microsoft%20Defender%20Threat%20Intelligence/Playbooks/MDTI-Base/azuredeploy.json) this playbook. If you have trouble accessing your account or your credentials contact your account representative or reach out to discussMDTI[@]microsoft.com.
2. This playbook requires "Microsoft Sentinel Contributor" role to update Incidents.
@@ -24,4 +24,4 @@ After deploying the playbook, you must authorize the connections leveraged.
2. Under "Development Tools" (located on the left), click "API Connections".
3. Ensure each connection has been authorized.
-**Note: If you've deployed the [MDTI-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Microsoft%20Defender%20Threat%20Intellingence/Playbooks/MDTI-Base/azuredeploy.json) playbook, you will only need to authorize the Microsoft Sentinel connection.**
+**Note: If you've deployed the [MDTI-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Microsoft%20Defender%20Threat%20Intelligence/Playbooks/MDTI-Base/azuredeploy.json) playbook, you will only need to authorize the Microsoft Sentinel connection.**
diff --git a/Solutions/Microsoft Defender Threat Intelligence/Playbooks/MDTI-Data-Cookies/readme.md b/Solutions/Microsoft Defender Threat Intelligence/Playbooks/MDTI-Data-Cookies/readme.md
index 4d17eae255f..e61f8339e97 100644
--- a/Solutions/Microsoft Defender Threat Intelligence/Playbooks/MDTI-Data-Cookies/readme.md
+++ b/Solutions/Microsoft Defender Threat Intelligence/Playbooks/MDTI-Data-Cookies/readme.md
@@ -4,7 +4,7 @@
This playbook uses the [Microsoft Defender Threat Intelligence](https://learn.microsoft.com/en-us/defender/threat-intelligence/what-is-microsoft-defender-threat-intelligence-defender-ti) Cookies data to automatically enrich incidents generated by Microsoft Sentinel. Leverage this playbook in order to enrich your incidents with [Cookies](https://learn.microsoft.com/en-us/defender/threat-intelligence/data-sets#cookies) data hosted by the indicators found within the incident. Cookies are small pieces of data sent from a server to a client as the user browses the internet. These values sometimes contain a state for the application or little bits of tracking data. Defender TI highlights and indexes cookie names observed when crawling a website and allows users to dig into everywhere we have observed specific cookie names across its crawling and data collection. Cookies are also used by malicious actors to keep track of infected victims or store data to be used later.
## Prerequisites
-1. This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [MDTI-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Microsoft%20Defender%20Threat%20Intellingence/Playbooks/MDTI-Base/azuredeploy.json) this playbook. If you have trouble accessing your account or your credentials contact your account representative or reach to discussMDTI[@]microsoft.com.
+1. This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [MDTI-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Microsoft%20Defender%20Threat%20Intelligence/Playbooks/MDTI-Base/azuredeploy.json) this playbook. If you have trouble accessing your account or your credentials contact your account representative or reach to discussMDTI[@]microsoft.com.
2. This playbook requires "Microsoft Sentinel Contributor" role to update Incidents.
## Deployment
@@ -23,4 +23,4 @@ After deploying the playbook, you must authorize the connections leveraged.
2. Under "Development Tools" (located on the left), click "API Connections".
3. Ensure each connection has been authorized.
-**Note: If you've deployed the [MDTI-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Microsoft%20Defender%20Threat%20Intellingence/Playbooks/MDTI-Base/azuredeploy.json) playbook, you will only need to authorize the Microsoft Sentinel connection.**
\ No newline at end of file
+**Note: If you've deployed the [MDTI-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Microsoft%20Defender%20Threat%20Intelligence/Playbooks/MDTI-Base/azuredeploy.json) playbook, you will only need to authorize the Microsoft Sentinel connection.**
\ No newline at end of file
diff --git a/Solutions/Microsoft Defender Threat Intelligence/Playbooks/MDTI-Data-WebComponents/readme.md b/Solutions/Microsoft Defender Threat Intelligence/Playbooks/MDTI-Data-WebComponents/readme.md
index c002848965a..cd24e4ccdd4 100644
--- a/Solutions/Microsoft Defender Threat Intelligence/Playbooks/MDTI-Data-WebComponents/readme.md
+++ b/Solutions/Microsoft Defender Threat Intelligence/Playbooks/MDTI-Data-WebComponents/readme.md
@@ -4,7 +4,7 @@
This playbook uses the [Microsoft Defender Threat Intelligence](https://learn.microsoft.com/en-us/defender/threat-intelligence/what-is-microsoft-defender-threat-intelligence-defender-ti) components data to automatically enrich incidents generated by Microsoft Sentinel. Leverage this playbook in order to enrich your incidents with [Webcomponents](https://learn.microsoft.com/en-us/defender/threat-intelligence/data-sets#components) data hosted by the indicators found within the incident. These components allow a user to understand the makeup of a webpage or the technology and services driving a specific piece of infrastructure. Pivoting on unique components can find actors' infrastructure or other sites that are compromised. Users can also understand if a website might be vulnerable to a specific attack or compromise based on the technologies that it is running.
## Prerequisites
-1. This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [MDTI-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Microsoft%20Defender%20Threat%20Intellingence/Playbooks/MDTI-Base/azuredeploy.json) this playbook. If you have trouble accessing your account or your credentials contact your account representative or reach to discussMDTI[@]microsoft.com.
+1. This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [MDTI-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Microsoft%20Defender%20Threat%20Intelligence/Playbooks/MDTI-Base/azuredeploy.json) this playbook. If you have trouble accessing your account or your credentials contact your account representative or reach to discussMDTI[@]microsoft.com.
2. This playbook requires "Microsoft Sentinel Contributor" role to update Incidents.
## Deployment
@@ -23,4 +23,4 @@ After deploying the playbook, you must authorize the connections leveraged.
2. Under "Development Tools" (located on the left), click "API Connections".
3. Ensure each connection has been authorized.
-**Note: If you've deployed the [MDTI-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Microsoft%20Defender%20Threat%20Intellingence/Playbooks/MDTI-Base/azuredeploy.json) playbook, you will only need to authorize the Microsoft Sentinel connection.**
+**Note: If you've deployed the [MDTI-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Microsoft%20Defender%20Threat%20Intelligence/Playbooks/MDTI-Base/azuredeploy.json) playbook, you will only need to authorize the Microsoft Sentinel connection.**
diff --git a/Solutions/Microsoft Defender Threat Intelligence/Playbooks/MDTI-Intel-Reputation/readme.md b/Solutions/Microsoft Defender Threat Intelligence/Playbooks/MDTI-Intel-Reputation/readme.md
index 50774b4be22..c5d7c4bdb5a 100644
--- a/Solutions/Microsoft Defender Threat Intelligence/Playbooks/MDTI-Intel-Reputation/readme.md
+++ b/Solutions/Microsoft Defender Threat Intelligence/Playbooks/MDTI-Intel-Reputation/readme.md
@@ -4,7 +4,7 @@
This playbook uses the [Microsoft Defender Threat Intelligence](https://learn.microsoft.com/en-us/defender/threat-intelligence/what-is-microsoft-defender-threat-intelligence-defender-ti) Reputation Data to automatically enrich incidents generated by Microsoft Sentinel. [Reputation](https://learn.microsoft.com/en-us/defender/threat-intelligence/reputation-scoring) information provides analyst with a decision as to whether an indicator is considered benign, suspicious or malicious. Analysts can leverage this playbook in order to enrich indicators found within an incident. Each reputation result is contained within a comment and will include detailed scoring information noting why a given indicator is considered suspicious or malicious with links back to the MDTI platform for more information.
## Prerequisites
-1. This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [MDTI-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Microsoft%20Defender%20Threat%20Intellingence/Playbooks/MDTI-Base/azuredeploy.json) playbook. If you have trouble accessing your account or your credentials contact your account representative or reach out to discussMDTI[@]microsoft.com.
+1. This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [MDTI-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Microsoft%20Defender%20Threat%20Intelligence/Playbooks/MDTI-Base/azuredeploy.json) playbook. If you have trouble accessing your account or your credentials contact your account representative or reach out to discussMDTI[@]microsoft.com.
2. This playbook requires "Microsoft Sentinel Contributor" role to update Incidents.
## Deployment
@@ -23,4 +23,4 @@ After deploying the playbook, you must authorize the connections leveraged.
2. Under "Development Tools" (located on the left), click "API Connections".
3. Ensure each connection has been authorized.
-**Note: If you've deployed the [MDTI-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Microsoft%20Defender%20Threat%20Intellingence/Playbooks/MDTI-Base/azuredeploy.json) playbook, you will only need to authorize the Microsoft Sentinel connection.**
+**Note: If you've deployed the [MDTI-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Microsoft%20Defender%20Threat%20Intelligence/Playbooks/MDTI-Base/azuredeploy.json) playbook, you will only need to authorize the Microsoft Sentinel connection.**
diff --git a/Solutions/Microsoft Defender Threat Intelligence/Playbooks/MDTI-PassiveDns/readme.md b/Solutions/Microsoft Defender Threat Intelligence/Playbooks/MDTI-PassiveDns/readme.md
index edc57f9e369..3c8d01b3440 100644
--- a/Solutions/Microsoft Defender Threat Intelligence/Playbooks/MDTI-PassiveDns/readme.md
+++ b/Solutions/Microsoft Defender Threat Intelligence/Playbooks/MDTI-PassiveDns/readme.md
@@ -3,7 +3,7 @@
## Overview
This playbook uses the [Microsoft Defender Threat Intelligence](https://learn.microsoft.com/en-us/defender/threat-intelligence/what-is-microsoft-defender-threat-intelligence-defender-ti) Passive Dns data to automatically enrich incidents generated by Microsoft Sentinel. Leverage this playbook in order to enrich your incidents with [Passive Dns ](https://learn.microsoft.com/en-us/defender/threat-intelligence/data-sets#resolutions) data hosted by the indicators found within the incident. Passive DNS (PDNS) is a system of record that stores DNS resolution data for a given location, record, and timeframe. This historical resolution data set allows users to view which domains resolved to an IP address and vice versa. This data set allows for time-based correlation based on domain or IP overlap. PDNS may enable the identification of previously unknown or newly stood-up threat actor infrastructure. Proactive addition of indicators to blocklists can cut off communication paths before campaigns take place. Users will find A record resolution data within the Resolutions data set tab and will find more types of DNS records in the DNS data set tab.
## Prerequisites
-1. This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [MDTI-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Microsoft%20Defender%20Threat%20Intellingence/Playbooks/MDTI-Base/azuredeploy.json) this playbook. If you have trouble accessing your account or your credentials contact your account representative or reach out to discussMDTI[@]microsoft.com.
+1. This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [MDTI-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Microsoft%20Defender%20Threat%20Intelligence/Playbooks/MDTI-Base/azuredeploy.json) this playbook. If you have trouble accessing your account or your credentials contact your account representative or reach out to discussMDTI[@]microsoft.com.
2. This playbook requires "Microsoft Sentinel Contributor" role to update Incidents.
@@ -26,4 +26,4 @@ After deploying the playbook, you must authorize the connections leveraged.
2. Under "Development Tools" (located on the left), click "API Connections".
3. Ensure each connection has been authorized.
-**Note: If you've deployed the [MDTI-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Microsoft%20Defender%20Threat%20Intellingence/Playbooks/MDTI-Base/azuredeploy.json) playbook, you will only need to authorize the Microsoft Sentinel connection.**
+**Note: If you've deployed the [MDTI-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Microsoft%20Defender%20Threat%20Intelligence/Playbooks/MDTI-Base/azuredeploy.json) playbook, you will only need to authorize the Microsoft Sentinel connection.**
diff --git a/Solutions/Microsoft Defender Threat Intelligence/Playbooks/MDTI-PassiveDnsReverse/readme.md b/Solutions/Microsoft Defender Threat Intelligence/Playbooks/MDTI-PassiveDnsReverse/readme.md
index ecf451b3c9b..5312614e0e1 100644
--- a/Solutions/Microsoft Defender Threat Intelligence/Playbooks/MDTI-PassiveDnsReverse/readme.md
+++ b/Solutions/Microsoft Defender Threat Intelligence/Playbooks/MDTI-PassiveDnsReverse/readme.md
@@ -9,7 +9,7 @@ Our Reverse DNS data includes the following:
- Type: the type of infrastructure associated with the record. Potential options include Mail Servers (MX), text files (TXT), name servers (NS), CNAMES, and Start of Authority (SOA) records.
- Tags: any tags applied to this artifact in the Defender TI system.
## Prerequisites
-1. This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [MDTI-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Microsoft%20Defender%20Threat%20Intellingence/Playbooks/MDTI-Base/azuredeploy.json) this playbook. If you have trouble accessing your account or your credentials contact your account representative or reach out to discussMDTI[@]microsoft.com.
+1. This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [MDTI-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Microsoft%20Defender%20Threat%20Intelligence/Playbooks/MDTI-Base/azuredeploy.json) this playbook. If you have trouble accessing your account or your credentials contact your account representative or reach out to discussMDTI[@]microsoft.com.
2. This playbook requires "Microsoft Sentinel Contributor" role to update Incidents.
@@ -32,4 +32,4 @@ After deploying the playbook, you must authorize the connections leveraged.
2. Under "Development Tools" (located on the left), click "API Connections".
3. Ensure each connection has been authorized.
-**Note: If you've deployed the [MDTI-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Microsoft%20Defender%20Threat%20Intellingence/Playbooks/MDTI-Base/azuredeploy.json) playbook, you will only need to authorize the Microsoft Sentinel connection.**
+**Note: If you've deployed the [MDTI-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Microsoft%20Defender%20Threat%20Intelligence/Playbooks/MDTI-Base/azuredeploy.json) playbook, you will only need to authorize the Microsoft Sentinel connection.**
diff --git a/Solutions/Microsoft Defender Threat Intelligence/Playbooks/MDTI-Trackers/readme.md b/Solutions/Microsoft Defender Threat Intelligence/Playbooks/MDTI-Trackers/readme.md
index e495b7cba66..5202fe72bf0 100644
--- a/Solutions/Microsoft Defender Threat Intelligence/Playbooks/MDTI-Trackers/readme.md
+++ b/Solutions/Microsoft Defender Threat Intelligence/Playbooks/MDTI-Trackers/readme.md
@@ -3,7 +3,7 @@
## Overview
This playbook uses the [Microsoft Defender Threat Intelligence](https://learn.microsoft.com/en-us/defender/threat-intelligence/what-is-microsoft-defender-threat-intelligence-defender-ti) Trackers data to automatically enrich incidents generated by Microsoft Sentinel. Leverage this playbook in order to enrich your incidents with [Trackers](https://learn.microsoft.com/en-us/defender/threat-intelligence/data-sets#trackers) data hosted by the indicators found within the incident. Trackers are unique codes or values found within web pages and often used to track user interaction. These codes can be used to correlate a disparate group of websites to a central entity. Often, actors will copy the source code of a victim’s website they are looking to impersonate for a phishing campaign. Seldomly will actors take the time to remove these IDs that allow users to identify these fraudulent sites using Microsoft’s Trackers data set. Actors may also deploy tracker IDs to see how successful their cyber-attack campaigns are. This is similar to marketers when they leverage SEO IDs, such as a Google Analytics Tracker ID, to track the success of their marketing campaign.
## Prerequisites
-1. This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [MDTI-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Microsoft%20Defender%20Threat%20Intellingence/Playbooks/MDTI-Base/azuredeploy.json) this playbook. If you have trouble accessing your account or your credentials contact your account representative or reach out to discussMDTI[@]microsoft.com.
+1. This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [MDTI-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Microsoft%20Defender%20Threat%20Intelligence/Playbooks/MDTI-Base/azuredeploy.json) this playbook. If you have trouble accessing your account or your credentials contact your account representative or reach out to discussMDTI[@]microsoft.com.
2. This playbook requires "Microsoft Sentinel Contributor" role to update Incidents.
@@ -26,5 +26,5 @@ After deploying the playbook, you must authorize the connections leveraged.
2. Under "Development Tools" (located on the left), click "API Connections".
3. Ensure each connection has been authorized.
-**Note: If you've deployed the [MDTI-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Microsoft%20Defender%20Threat%20Intellingence/Playbooks/MDTI-Base/azuredeploy.json) playbook, you will only need to authorize the Microsoft Sentinel connection.**
+**Note: If you've deployed the [MDTI-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Microsoft%20Defender%20Threat%20Intelligence/Playbooks/MDTI-Base/azuredeploy.json) playbook, you will only need to authorize the Microsoft Sentinel connection.**
diff --git a/Solutions/Microsoft Defender Threat Intelligence/ReleaseNotes.md b/Solutions/Microsoft Defender Threat Intelligence/ReleaseNotes.md
index 94fd3a32a04..4b4a0780446 100644
--- a/Solutions/Microsoft Defender Threat Intelligence/ReleaseNotes.md
+++ b/Solutions/Microsoft Defender Threat Intelligence/ReleaseNotes.md
@@ -1,4 +1,5 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|--------------------------------------------------------------------------|
+| 3.0.1 | 01-12-2024 | Added **Playbooks** for enhanced solution workflows. |
| 3.0.0 | 11-11-2023 | Changes for rebranding from Azure Active Directory to Microsoft Entra ID |