diff --git a/Playbooks/AS-Sign-Out-Google-User/CreateGoogleJWT/__init__.py b/Playbooks/AS-Sign-Out-Google-User/CreateGoogleJWT/__init__.py
new file mode 100644
index 00000000000..64b9c1e403a
--- /dev/null
+++ b/Playbooks/AS-Sign-Out-Google-User/CreateGoogleJWT/__init__.py
@@ -0,0 +1,44 @@
+import logging
+import azure.functions as func
+import time
+from jwt import encode
+
+
+def create_google_jwt(iss: str, scope: str, aud: str, private_key_id: str, private_key: str) -> str:
+ iat = time.time()
+ exp = iat + 3600
+ payload = {'iss': iss,
+ 'scope': scope,
+ 'aud': aud,
+ 'iat': iat,
+ 'exp': exp}
+ additional_headers = {'kid': private_key_id}
+ signed_jwt = encode(payload, private_key, headers=additional_headers, algorithm='RS256')
+ return signed_jwt
+
+
+def main(req: func.HttpRequest) -> func.HttpResponse:
+ logging.info('Python HTTP trigger function processed a request.')
+
+ try:
+ req_body = req.get_json()
+ except ValueError:
+ return func.HttpResponse(
+ "Please pass 'iss', 'scope', 'aud', 'private_key_id', and 'private_key' in the request body.",
+ status_code=400
+ )
+
+ iss = req_body.get('iss')
+ scope = req_body.get('scope')
+ aud = req_body.get('aud')
+ private_key_id = req_body.get('private_key_id')
+ private_key = req_body.get('private_key')
+
+ if all([iss, scope, aud, private_key_id, private_key]):
+ jwt = create_google_jwt(iss, scope, aud, private_key_id, private_key)
+ return func.HttpResponse(jwt)
+ else:
+ return func.HttpResponse(
+ "Please ensure all parameters ('iss', 'scope', 'aud', 'private_key_id', and 'private_key') are in the request body.",
+ status_code=400
+ )
diff --git a/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Add_Contributor_Role_1.png b/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Add_Contributor_Role_1.png
new file mode 100644
index 00000000000..5636fb28116
Binary files /dev/null and b/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Add_Contributor_Role_1.png differ
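Review bot: In `main`, `req_body.get(...)` assumes the parsed body is a JSON object; a JSON array or string passes `get_json()` and then raises `AttributeError`, so the caller gets a 500 instead of the intended 400, and a malformed `private_key` reaching `encode` (PyJWT raises `ValueError` or its own `jwt.exceptions.PyJWTError` for unparseable or non-RSA keys) is likewise unhandled. Since the request body carries signing-key material, the handler should fail closed with a short 400 that never echoes the request, as sketched below; `PyJWTError` needs `from jwt.exceptions import PyJWTError` next to the existing `from jwt import encode`. In `create_google_jwt`, `time.time()` yields fractional `iat`/`exp` values; Google's service-account JWT examples use integer seconds, so `iat = int(time.time())` avoids depending on the token endpoint's tolerance for fractional NumericDate claims. Both functions also lack docstrings — one line each stating that the token is RS256-signed with `kid` set to the service-account key id and valid for 3600 seconds, and that `main` expects a JSON object with the five named fields and answers 400 otherwise, would do.
```python
def main(req: func.HttpRequest) -> func.HttpResponse:
    # … unchanged: logging and the get_json()/ValueError handling …
    if not isinstance(req_body, dict):
        return func.HttpResponse(
            "Request body must be a JSON object containing 'iss', 'scope', 'aud', 'private_key_id', and 'private_key'.",
            status_code=400
        )
    # … unchanged: extraction of the five fields …
    if all([iss, scope, aud, private_key_id, private_key]):
        try:
            signed_jwt = create_google_jwt(iss, scope, aud, private_key_id, private_key)
        except (ValueError, PyJWTError) as exc:
            # Log only the exception type: the request body holds the private key.
            logging.error('JWT signing failed: %s', type(exc).__name__)
            return func.HttpResponse("Unable to sign a JWT with the supplied private key.", status_code=400)
        return func.HttpResponse(signed_jwt)
    # … unchanged: missing-parameter 400 response …
```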
diff --git a/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Add_Contributor_Role_2.png b/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Add_Contributor_Role_2.png
new file mode 100644
index 00000000000..3067ba580ab
Binary files /dev/null and b/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Add_Contributor_Role_2.png differ
diff --git a/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Add_Contributor_Role_3.png b/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Add_Contributor_Role_3.png
new file mode 100644
index 00000000000..8d7476d106c
Binary files /dev/null and b/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Add_Contributor_Role_3.png differ
diff --git a/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Add_Contributor_Role_4.png b/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Add_Contributor_Role_4.png
new file mode 100644
index 00000000000..fde483d6a91
Binary files /dev/null and b/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Add_Contributor_Role_4.png differ
diff --git a/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Configure_VSCode_1.png b/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Configure_VSCode_1.png
new file mode 100644
index 00000000000..7922695e927
Binary files /dev/null and b/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Configure_VSCode_1.png differ
diff --git a/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Configure_VSCode_10.png b/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Configure_VSCode_10.png
new file mode 100644
index 00000000000..345cc8e9283
Binary files /dev/null and b/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Configure_VSCode_10.png differ
diff --git a/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Configure_VSCode_11.png b/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Configure_VSCode_11.png
new file mode 100644
index 00000000000..a2610875fbb
Binary files /dev/null and b/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Configure_VSCode_11.png differ
diff --git a/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Configure_VSCode_12.png b/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Configure_VSCode_12.png
new file mode 100644
index 00000000000..629aa237f20
Binary files /dev/null and b/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Configure_VSCode_12.png differ
diff --git a/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Configure_VSCode_2.png b/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Configure_VSCode_2.png
new file mode 100644
index 00000000000..93af028a92d
Binary files /dev/null and b/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Configure_VSCode_2.png differ
diff --git a/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Configure_VSCode_3.png b/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Configure_VSCode_3.png
new file mode 100644
index 00000000000..7c85fcc0b96
Binary files /dev/null and b/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Configure_VSCode_3.png differ
diff --git a/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Configure_VSCode_4.png b/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Configure_VSCode_4.png
new file mode 100644
index 00000000000..931ff8a6acc
Binary files /dev/null and b/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Configure_VSCode_4.png differ
diff --git a/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Configure_VSCode_5.png b/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Configure_VSCode_5.png
new file mode 100644
index 00000000000..5743a125a7b
Binary files /dev/null and b/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Configure_VSCode_5.png differ
diff --git a/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Configure_VSCode_6.png b/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Configure_VSCode_6.png
new file mode 100644
index 00000000000..189a6582fc8
Binary files /dev/null and b/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Configure_VSCode_6.png differ
diff --git a/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Configure_VSCode_7.png b/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Configure_VSCode_7.png
new file mode 100644
index 00000000000..0d1e966e2b3
Binary files /dev/null and b/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Configure_VSCode_7.png differ
diff --git a/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Configure_VSCode_8.png b/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Configure_VSCode_8.png
new file mode 100644
index 00000000000..be493bda375
Binary files /dev/null and b/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Configure_VSCode_8.png differ
diff --git a/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Configure_VSCode_9.png b/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Configure_VSCode_9.png
new file mode 100644
index 00000000000..abc0ced4e6c
Binary files /dev/null and b/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Configure_VSCode_9.png differ
diff --git a/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Create_Google_Service_Account_1.png b/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Create_Google_Service_Account_1.png
new file mode 100644
index 00000000000..bfe3bffbb91
Binary files /dev/null and b/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Create_Google_Service_Account_1.png differ
diff --git a/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Create_Google_Service_Account_2.png b/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Create_Google_Service_Account_2.png
new file mode 100644
index 00000000000..b5fa9a2a2b8
Binary files /dev/null and b/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Create_Google_Service_Account_2.png differ
diff --git a/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Create_Google_Service_Account_3.png b/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Create_Google_Service_Account_3.png
new file mode 100644
index 00000000000..1bfb92d1e58
Binary files /dev/null and b/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Create_Google_Service_Account_3.png differ
diff --git a/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Create_Google_Service_Account_4.png b/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Create_Google_Service_Account_4.png
new file mode 100644
index 00000000000..ff2d61bc3d5
Binary files /dev/null and b/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Create_Google_Service_Account_4.png differ
diff --git a/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Create_Google_Service_Account_5.png b/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Create_Google_Service_Account_5.png
new file mode 100644
index 00000000000..b32c1a3dd19
Binary files /dev/null and b/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Create_Google_Service_Account_5.png differ
diff --git a/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Create_Google_Service_Account_6.png b/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Create_Google_Service_Account_6.png
new file mode 100644
index 00000000000..16a450f0b47
Binary files /dev/null and b/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Create_Google_Service_Account_6.png differ
diff --git a/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Create_Google_Service_Account_7.png b/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Create_Google_Service_Account_7.png
new file mode 100644
index 00000000000..19c4aabf824
Binary files /dev/null and b/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Create_Google_Service_Account_7.png differ
diff --git a/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Create_a_Private_Key_1.png b/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Create_a_Private_Key_1.png
new file mode 100644
index 00000000000..5f5669eb392
Binary files /dev/null and b/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Create_a_Private_Key_1.png differ
diff --git a/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Create_a_Private_Key_2.png b/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Create_a_Private_Key_2.png
new file mode 100644
index 00000000000..160a2d9041a
Binary files /dev/null and b/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Create_a_Private_Key_2.png differ
diff --git a/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Demo_1.png b/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Demo_1.png
new file mode 100644
index 00000000000..822a584c9de
Binary files /dev/null and b/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Demo_1.png differ
diff --git a/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Deploy_1.png b/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Deploy_1.png
new file mode 100644
index 00000000000..40184a68e2c
Binary files /dev/null and b/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Deploy_1.png differ
diff --git a/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Deploy_2.png b/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Deploy_2.png
new file mode 100644
index 00000000000..ea335440f2c
Binary files /dev/null and b/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Deploy_2.png differ
diff --git a/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Deploy_3.png b/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Deploy_3.png
new file mode 100644
index 00000000000..1c3e522ed85
Binary files /dev/null and b/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Deploy_3.png differ
diff --git a/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Deploy_4.png b/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Deploy_4.png
new file mode 100644
index 00000000000..29316eba55e
Binary files /dev/null and b/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Deploy_4.png differ
diff --git a/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Deploy_Azure_Function_1.png b/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Deploy_Azure_Function_1.png
new file mode 100644
index 00000000000..37825d1252a
Binary files /dev/null and b/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Deploy_Azure_Function_1.png differ
diff --git a/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Deploy_Azure_Function_2.png b/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Deploy_Azure_Function_2.png
new file mode 100644
index 00000000000..24d9bc5828b
Binary files /dev/null and b/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Deploy_Azure_Function_2.png differ
diff --git a/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Deploy_Azure_Function_3.png b/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Deploy_Azure_Function_3.png
new file mode 100644
index 00000000000..5b9e512aa5c
Binary files /dev/null and b/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Deploy_Azure_Function_3.png differ
diff --git a/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Deploy_Azure_Function_4.png b/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Deploy_Azure_Function_4.png
new file mode 100644
index 00000000000..ef72007d41d
Binary files /dev/null and b/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Deploy_Azure_Function_4.png differ
diff --git a/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Key_Vault_Access_1.png b/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Key_Vault_Access_1.png
new file mode 100644
index 00000000000..80f357bb049
Binary files /dev/null and b/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Key_Vault_Access_1.png differ
diff --git a/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Key_Vault_Access_2.png b/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Key_Vault_Access_2.png
new file mode 100644
index 00000000000..79fe0c36770
Binary files /dev/null and b/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Key_Vault_Access_2.png differ
diff --git a/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Key_Vault_Access_3.png b/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Key_Vault_Access_3.png
new file mode 100644
index 00000000000..4811057664a
Binary files /dev/null and b/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Key_Vault_Access_3.png differ
diff --git a/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Key_Vault_Access_4.png b/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Key_Vault_Access_4.png
new file mode 100644
index 00000000000..4671148e326
Binary files /dev/null and b/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Key_Vault_Access_4.png differ
diff --git a/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Key_Vault_Create_Secret_1.png b/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Key_Vault_Create_Secret_1.png
new file mode 100644
index 00000000000..8fd40ad0371
Binary files /dev/null and b/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Key_Vault_Create_Secret_1.png differ
diff --git a/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Key_Vault_Create_Secret_2.png b/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Key_Vault_Create_Secret_2.png
new file mode 100644
index 00000000000..d1d58d6fe99
Binary files /dev/null and b/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Key_Vault_Create_Secret_2.png differ
diff --git a/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Key_Vault_Create_Secret_3.png b/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Key_Vault_Create_Secret_3.png
new file mode 100644
index 00000000000..a4bb8b72ab0
Binary files /dev/null and b/Playbooks/AS-Sign-Out-Google-User/Images/SignOutGoogleUser_Key_Vault_Create_Secret_3.png differ
diff --git a/Playbooks/AS-Sign-Out-Google-User/README.md b/Playbooks/AS-Sign-Out-Google-User/README.md
new file mode 100644
index 00000000000..8d6cab59536
--- /dev/null
+++ b/Playbooks/AS-Sign-Out-Google-User/README.md 
@@ -0,0 +1,299 @@ +# AS-Sign-Out-Google-User + +Author: Accelerynt + +For any technical questions, please contact info@accelerynt.com + +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FAS-Sign-Out-Google-Userazuredeploy.json) +[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FAS-Sign-Out-Google-Userazuredeploy.json) + +This playbook is intended to be run from a Microsoft Sentinel Incident. It will look up the Google Users associated with the Incident Account Entities and sign them out of all Google web and device sessions. This action also resets user sign-in cookies and forces them to reauthenticate. A comment noting the affected Google Users will be added to the Incident. + +![SignOutGoogleUser_Demo_1](Images/SignOutGoogleUser_Demo_1.png) + +> **Note** +> Please note that this method may not work with all user types. In some cases, actions executed by service accounts could be restricted, particularly when attempting to operate on super admin accounts or accounts with higher privileges. 
+ + +# +### Requirements + +The following items are required under the template settings during deployment: + +* A [Google Service Account](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Sign-Out-Google-User#create-a-google-service-account) with the proper scope and role configurations +* A [Private Key](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Sign-Out-Google-User#create-a-private-key) in JSON format for your Google Service Account +* An [Azure Key Vault Secret](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Sign-Out-Google-User#create-an-azure-key-vault-secret) containing your private key +* Install [Visual Studio Code](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Sign-Out-Google-User#configure-visual-studio-code) and configure it to deploy an Azure Function to your Azure tenant +* An [Azure Function App](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Sign-Out-Google-User#deploy-the-azure-function-app) that supports Python to deploy an Azure function to + + +# +### Setup + +#### Create a Google Service Account: + +A Google Service Account with User Management Admin role and user.security scope is needed in order to perform the [users.signOut](https://developers.google.com/admin-sdk/directory/reference/rest/v1/users/signOut) action. A Google Cloud project is required to use Google Workspace requirements.txts and is where the Service Account will be housed. 
If you do not have an existing project, you can create one here: https://console.cloud.google.com/projectcreate + +To create a Google Service Account, navigate to the Google Cloud console sign into an account that has administrator access, or have your administrator grant you the necessary [roles](https://cloud.google.com/iam/docs/service-accounts-create#permissions) to create Service Accounts, then navigate to the following page and select the appropriate project: + +https://console.cloud.google.com/iam-admin/serviceaccounts/create + +Enter a name for your Google Service Account, such as "**Microsoft-Sentinel**", then click "**Done**". + +![SignOutGoogleUser_Create_Google_Service_Account_1](Images/SignOutGoogleUser_Create_Google_Service_Account_1.png) + +Take note of the client ID and the email address that are generated for your Service Account upon creation, which can be found at https://console.cloud.google.com/iam-admin/serviceaccounts by selecting the project housing your Service Account. + +Next you will need to add your newly created Service Account to the User Management Admin role. Navigate to https://admin.google.com/ac/roles and click "**Assign Admin**" for the "**User Management Admin**" role. + +![SignOutGoogleUser_Create_Google_Service_Account_2](Images/SignOutGoogleUser_Create_Google_Service_Account_2.png) + +Click "**Assign Service Accounts**". + +![SignOutGoogleUser_Create_Google_Service_Account_3](Images/SignOutGoogleUser_Create_Google_Service_Account_3.png) + +Enter the email generated for your Service Account and click "**ASSIGN ROLE**". + +![SignOutGoogleUser_Create_Google_Service_Account_4](Images/SignOutGoogleUser_Create_Google_Service_Account_4.png) + +Next, you will need to add the necessary scopes to the Service Account. Go to the admin console API controls: https://admin.google.com/ac/owl, and click "**MANAGE DOMAIN WIDE DELEGATION**". 
+ +![SignOutGoogleUser_Create_Google_Service_Account_5](Images/SignOutGoogleUser_Create_Google_Service_Account_5.png) + +Click "**Add new**", then enter the client ID generated for your Service Account and paste "**https://www.googleapis.com/auth/admin.directory.user.security**" in the OAuth scopes field. Click "**AUTHORIZE**". + +![SignOutGoogleUser_Create_Google_Service_Account_6](Images/SignOutGoogleUser_Create_Google_Service_Account_6.png) + +Before this Service Account can successfully use the Google API, you will also need to enable admin SDK for your project. Navigate to https://console.cloud.google.com/apis/api/admin.googleapis.com/metrics and click "**ENABLE**". + +![SignOutGoogleUser_Create_Google_Service_Account_7](Images/SignOutGoogleUser_Create_Google_Service_Account_7.png) + + +#### Create a Private Key: + +Returning to your Google Service Account at https://console.cloud.google.com/iam-admin/serviceaccounts, select your Google Project and Service Account, then navigate to the "**Keys**" tab. Click "**ADD KEY**" and select the "**Create new key**" option. + +![SignOutGoogleUser_Create_a_Private_Key_1](Images/SignOutGoogleUser_Create_a_Private_Key_1.png) + +Select the "**JSON**" option, then click "**CREATE**". + +![SignOutGoogleUser_Create_a_Private_Key_2](Images/SignOutGoogleUser_Create_a_Private_Key_2.png) + +The JSON file containing your private key will download to your computer. Copy the JSON body in the file and save it for the next step. + + +#### Create an Azure Key Vault Secret: + +Navigate to the Azure Key Vaults page: https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults + +Navigate to an existing Key Vault or create a new one. From the Key Vault overview page, click the "**Secrets**" menu option, found under the "**Settings**" section. Click "**Generate/Import**". 
+ +![SignOutGoogleUser_Key_Vault_Create_Secret_1](Images/SignOutGoogleUser_Key_Vault_Create_Secret_1.png) + +Choose a name for the secret, such as "**Google-App-Private-Key--Sign-Out-User**", and enter the Google private key JSON copied from the [previous step](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Sign-Out-Google-User#encode-the-private-key-for-storage-compatibility-in-azure-key-vault) in the "**Value**" field. All other settings can be left as is. Click "**Create**". + +![SignOutGoogleUser_Key_Vault_Create_Secret_2](Images/SignOutGoogleUser_Key_Vault_Create_Secret_2.png) + +Once your secret has been added to the vault, navigate to the "**Access policies**" menu option on the Key Vault page menu. Leave this page open, as you will need to return to it once the playbook has been deployed. See [Granting Access to Azure Key Vault](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Sign-Out-Google-User#granting-access-to-azure-key-vault). + +![SignOutGoogleUser_Key_Vault_Create_Secret_3](Images/SignOutGoogleUser_Key_Vault_Create_Secret_3.png) + + +#### Configure Visual Studio Code: + +This playbook utilizes an Azure Function to create a JSON Web Token (JWT), which is a required step in authenticating to Google as a Service Account. The Azure Function is included in this repository and will need to be deployed to your Azure tenant before it can be used. This Azure Function relies on the Python libraries "**azure-functions**", "**PyJWT**", and "**cryptography**". These libraries are not included in Python by default, which is why they must be installed in an IDE housing the CreateGoogleJWT project and then deployed to Azure. + +> **Note** +> Simply recreating the file structure from this repository in Azure will not actually install the libraries required for the Azure Function; the function must be deployed from an IDE, so that the dependent library packages are recreated and properly installed. 
Any IDE can be used for this, but this documentation will outline the process using Visual Studio Code (VS Code). + +If you have not already, download and install VS Code from the official website: https://code.visualstudio.com/download + +Once VS Code has been installed, open it, and navigate to the Extensions view by clicking on the Extensions icon on the left menu blade. + +![SignOutGoogleUser_Configure_VSCode_1](Images/SignOutGoogleUser_Configure_VSCode_1.png) + +In the Extensions view, search for the following extensions and install them: +* **Azure Account**: This extension provides a single Azure login and subscription filtering experience for all other Azure extensions. It makes Azure's Cloud Shell service available in VS Code's integrated terminal. +* **Azure Functions**: This extension helps in creating, testing, and deploying Azure Functions directly from VS Code. This includes the creation of new Function Apps within your Azure account. + +![SignOutGoogleUser_Configure_VSCode_2](Images/SignOutGoogleUser_Configure_VSCode_2.png) + +After the extensions have been installed, sign in to your Azure Account. Click on the Azure icon that now appears in the Activity Bar. Under the "**Resources**" section, click "**Sign in to Azure...**". + +![SignOutGoogleUser_Configure_VSCode_3](Images/SignOutGoogleUser_Configure_VSCode_3.png) + +You will be prompted to sign in to your account via web browser. Follow the prompts and use your Azure credentials to log in. + +![SignOutGoogleUser_Configure_VSCode_4](Images/SignOutGoogleUser_Configure_VSCode_4.png) + +Once you have successfully authenticated, your Azure email will be displayed in the bottom left corner of the VS Code window. + +Next, you will need to create an Azure Function project using the code included in this Google repo. Create a folder on your computer for the Azure Function to be housed and label it "**CreateGoogleJWT**". 
Next, in VS Code, hover your mouse over the "**Workspace**" section in the Azure pane on the left. Click the "**Create Function**" icon. Select the "**CreateGoogleJWT**" folder you just created from the open dialogue window. + +![SignOutGoogleUser_Configure_VSCode_5](Images/SignOutGoogleUser_Configure_VSCode_5.png) + +From the command palette in the top-center area of the window, select "**Python**" as the programming language, then select "**Python 3.10.11**" or later for your Python interpreter. + +![SignOutGoogleUser_Configure_VSCode_6](Images/SignOutGoogleUser_Configure_VSCode_6.png) + +Select "**HTTP trigger**" for the project's function and enter "**CreateGoogleJWT**" for the function name. + +![SignOutGoogleUser_Configure_VSCode_7](Images/SignOutGoogleUser_Configure_VSCode_7.png) + +Select "**Function**" for the Authorization level, then after selecting the window to open your project in and granting trust, you will be able to view the "**CreateGoogleJWT**" project in the explorer pane of the left side of the window. The "**__init__.py**" file should be opened by default. + +![SignOutGoogleUser_Configure_VSCode_8](Images/SignOutGoogleUser_Configure_VSCode_8.png) + +>**Note** +> If you decide to use a different name for the function, you will need to do a -Find + Replace All- for "**CreateGoogleJWT**" in the azuredeploy.json file before deployment. + +Replace the contents of "**__init__.py**" in VS Code with the contents of "**CreateGoogleJWT.js**" located in the CreateGoogleJWT-Function folder of this repository. + +![SignOutGoogleUser_Configure_VSCode_9](Images/SignOutGoogleUser_Configure_VSCode_9.png) + +Finally, the Python packages used in __init__.py need to be installed. Download and install the latest versions of Python and pip from the official website: https://www.python.org/downloads/ + +Next, in VS Code, click "**Terminal**" from the top menu and select "**New Terminal**". 
+ +![SignOutGoogleUser_Configure_VSCode_10](Images/SignOutGoogleUser_Configure_VSCode_10.png) + +In the terminal window, run the command "**python.exe -m pip install --upgrade pip**" to verify that the latest versions were properly installed. + +Next, run the commands "**pip3 install azure-functions**", "**pip3 install cryptography**" and "**pip3 install pyjwt**". The packages will be automatically added to the dependencies in the "**requirements.txt**" file once they have been successfully installed. + +![SignOutGoogleUser_Configure_VSCode_11](Images/SignOutGoogleUser_Configure_VSCode_11.png) + +Check the "**requirements.txt**" file to ensure all three dependencies have been added. You may have to add them manually, which is fine, as long as the install commands have already been run. Be sure to save the file if you are updating it manually. + +![SignOutGoogleUser_Configure_VSCode_12](Images/SignOutGoogleUser_Configure_VSCode_12.png) + +After installing the required packages, the Azure Function can be deployed. + + +#### Deploy the Azure Function App: + +In order to deploy an Azure Function, there must be an existing Azure Function App supporting the language used in the Azure function. If there is an existing Function App that supports Python in your Azure subscription, you can skip the first part of this step. Otherwise, you need to create a new Function App in your Azure subscription before deploying your Function. + +Click on the Azure icon in the left side Activity Bar in VS Code. Select the resource you will deploy this playbook to, and then right click on "**Azure Function**" and select "**Create Function App in Azure...**". + +![SignOutGoogleUser_Deploy_Azure_Function_1](Images/SignOutGoogleUser_Deploy_Azure_Function_1.png) + +VS Code will guide you through the process. You will need to provide a globally unique name for your Function App, select a runtime stack, and choose an operating system. 
When asked for the runtime stack, select the latest available version for Python. + +![SignOutGoogleUser_Deploy_Azure_Function_2](Images/SignOutGoogleUser_Deploy_Azure_Function_2.png) + +The Azure Function can now be deployed to the Azure Function App from VS Code. + +Click the Function App icon in the workspace section of the Azure extension, then select "**Deploy to Function App...**". + +![SignOutGoogleUser_Deploy_Azure_Function_3](Images/SignOutGoogleUser_Deploy_Azure_Function_3.png) + +Follow the prompts to choose your subscription and the Function App to which you want to deploy to. Take note of the name of the Function App, as it will be needed for deployment. + +Once the deployment is complete, the Function can be accessed from your Azure tenant by the playbook. You can view your Function by navigating to https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Web%2Fsites/kind/functionapp and selecting the Function App your Function was deployed to. + +![SignOutGoogleUser_Deploy_Azure_Function_4](Images/SignOutGoogleUser_Deploy_Azure_Function_4.png) + + +# +### Deployment + +To configure and deploy this playbook: + +Open your browser and ensure you are logged into your Microsoft Sentinel workspace. 
In a separate tab, open the link to our playbook on the Accelerynt Security Google Repository: + +https://Google.com/Accelerynt-Security/AS-Sign-Out-Google-User + +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FAS-Sign-Out-Google-Userazuredeploy.json) +[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FAS-Sign-Out-Google-Userazuredeploy.json) + +Click the "**Deploy to Azure**" button at the bottom and it will bring you to the custom deployment template. + +In the **Project Details** section: + +* Select the "**Subscription**" and "**Resource Group**" from the dropdown boxes you would like the playbook deployed to. + +In the **Instance Details** section: + +* **Playbook Name**: This can be left as "**AS-Sign-Out-Google-User**" or you may change it. + +* **Function App Name**: Enter the name of your Azure Function App noted in [Deploy the Azure Function App](https://github.com/Accelerynt-Security/AS-Block-GitHub-User#deploy-the-azure-function-app) + +* **Key Vault Name**: Enter the name of the Key Vault referenced in [Create an Azure Key Vault Secret](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Sign-Out-Google-User#create-an-azure-key-vault-secret). + +* **Secret Name**: Enter the name of the Key Vault Secret created in [Create an Azure Key Vault Secret](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Sign-Out-Google-User#create-an-azure-key-vault-secret). + +Towards the bottom, click on "**Review + create**". + +![SignOutGoogleUser_Deploy_1](Images/SignOutGoogleUser_Deploy_1.png) + +Once the resources have validated, click on "**Create**". 
+ +![SignOutGoogleUser_Deploy_2](Images/SignOutGoogleUser_Deploy_2.png) + +The resources should take around a minute to deploy. Once the deployment is complete, you can expand the "**Deployment details**" section to view them. +Click the one corresponding to the Logic App. + +![SignOutGoogleUser_Deploy_3](Images/SignOutGoogleUser_Deploy_3.png) + + +# +### Granting Access to Azure Key Vault + +Before the Logic App can run successfully, the Key Vault connection created during deployment must be granted access to the Key Vault Secret storing your Google private key. + +From the Key Vault "**Access policies**" page, click "**Create**". + +![SignOutGoogleUser_Key_Vault_Access_1](Images/SignOutGoogleUser_Key_Vault_Access_1.png) + +Select the "**Get**" checkbox in the "**Secret permissions**" section. Then click "**Next**". + +![SignOutGoogleUser_Key_Vault_Access_2](Images/SignOutGoogleUser_Key_Vault_Access_2.png) + +From the "**Principal**" page, paste "**AS-Sign-Out-Google-User**", or the alternative playbook name you used, into the search box and click the option that appears. Click "**Next**". + +![SignOutGoogleUser_Key_Vault_Access_3](Images/SignOutGoogleUser_Key_Vault_Access_3.png) + +Click "**Next**" in the application section. Then from the "**Review + create**" page, click "**Create**". + +![SignOutGoogleUser_Key_Vault_Access_4](Images/SignOutGoogleUser_Key_Vault_Access_4.png) + + +# +### Microsoft Sentinel Contributor Role + +After deployment, you will need to give the system assigned managed identity the "**Microsoft Sentinel Contributor**" role. This will enable the Logic App to add comments to Incidents. Navigate to the Log Analytics Workspaces page and select the same workspace the playbook is located in: + +https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.OperationalInsights%2Fworkspaces + +Select the "**Access control (IAM)**" option from the menu blade, then click "**Add role assignment**". 
+ +![SignOutGoogleUser_Add_Contributor_Role_1](Images/SignOutGoogleUser_Add_Contributor_Role_1.png) + +Select the "**Microsoft Sentinel Contributor**" role, then click "**Next**". + +![SignOutGoogleUser_Add_Contributor_Role_2](Images/SignOutGoogleUser_Add_Contributor_Role_2.png) + +Select the "**Managed identity**" option, then click "**Select Members**". Under the subscription the Logic App is located, set the value of "**Managed identity**" to "**Logic app**". Next, enter "**AS-Sign-Out-Google-User**", or the alternative playbook name used during deployment, in the field labeled "**Select**". Select the playbook, then click "**Select**". + +![SignOutGoogleUser_Add_Contributor_Role_3](Images/SignOutGoogleUser_Add_Contributor_Role_3.png) + +Continue on to the "**Review + assign**" tab and click "**Review + assign**". + +![SignOutGoogleUser_Add_Contributor_Role_4](Images/SignOutGoogleUser_Add_Contributor_Role_4.png) + + +# +### Updating Python Packages for Azure Functions + +As part of maintaining a robust and secure application, it's essential to regularly update the Python packages that your Azure Function relies on. There are several reasons for this: + +* **Security Fixes**: Developers frequently release updates to their packages to address discovered vulnerabilities. Keeping your packages up-to-date ensures you benefit from these fixes and reduces your application's risk exposure. + +* **Bug Fixes and Improved Functionality**: Updates often contain bug fixes or enhancements to functionality, stability, and performance. Regularly updating packages can provide your application with these benefits. + +* **Compatibility**: If you're updating your Python runtime or other packages, you need to keep all packages updated to ensure compatibility and prevent breaking changes. + +As a general guideline, you should review and test for updates at least once per month. 
More frequent checks can be performed if your function has higher security requirements or is particularly sensitive to bugs in the underlying packages. Automated tools exist to help manage these updates. + +You can update the dependent libraries for your Azure Function in VS Code by executing the commands "**pip3 install --upgrade azure-functions**", "**pip3 install --upgrade cryptography**" and "**pip3 install --upgrade pyjwt**" within your "**CreateGoogleJWT**" project directory in the integrated terminal. Redeploy the Function to Azure afterwards. \ No newline at end of file diff --git a/Playbooks/AS-Sign-Out-Google-User/azuredeploy.json b/Playbooks/AS-Sign-Out-Google-User/azuredeploy.json new file mode 100644 index 00000000000..2b0fcc9e301 --- /dev/null +++ b/Playbooks/AS-Sign-Out-Google-User/azuredeploy.json 
@@ -0,0 +1,443 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "title": "AS-Sign-Out-Google-User",
+ "description": "This playbook is intended to be run from a Microsoft Sentinel Incident. It will look up the Google Users associated with the Incident Account Entities and sign them out of all Google web and device sessions. This action also resets user sign-in cookies and forces them reauthenticate. A comment noting the affected Google Users will be added to the Incident.",
+ "prerequisites": "1. A Google Service Account with proper roles and scopes. 2. A private key for the Google Service Account Must be generated. 3. An Azure Key Vault Secret. 4. Deploy the 'CreateGoogleJWT' Azure Function. Support for the set up and configuration of each of these items can be found here: https://github.com/Accelerynt-Security/AS-Sign-Out-Google-User",
+ "postDeployment": ["Access to the Azure Key Vault must be granted to the playbook","The Microsoft Sentinel Contributor role must be applied to the playbook"],
+ "lastUpdateTime": "2023-08-03T18:27:33Z",
+ "entities": ["Account"],
+ "tags": ["Microsoft Sentinel", "Incident", "Google API", "Sign Out User"],
+ "support": {
+ "tier": "partner"
+ },
+ "author": {
+ "name": "Accelerynt"
+ }
+ },
+ "parameters": {
+ "PlaybookName": {
+ "defaultValue": "AS-Sign-Out-Google-User",
+ "type": "string",
+ "metadata": {
+ "description": "Name of the Logic App resource to be created"
+ }
+ },
+ "FunctionAppName": {
+ "type": "string",
+ "metadata" : {
+ "description" : "Name of the Azure Function App housing the 'CreateGoogleJWT' Function"
+ }
+ },
+ "KeyVaultName": {
+ "type": "string",
+ "metadata" : {
+ "description" : "Name of the Key Vault that stores the GitHub App's encoded private key"
+ }
+ },
+ "SecretName": {
+ "type": "string",
+ "metadata": {
+ "description": "Name of Key Vault Secret that contains the GitHub App's encoded private key"
+ }
+ }
+ },
+ "variables": {
+ "azuresentinel": "[concat('azuresentinel-', parameters('PlaybookName'))]",
+ "keyvault": "[concat('keyvault-', parameters('PlaybookName'))]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[variables('azuresentinel')]",
+ "location": "[resourceGroup().location]",
+ "kind": "V1",
+ "properties": {
+ "displayName": "[parameters('PlaybookName')]",
+ "customParameterValues": {},
+ "parameterValueType": "Alternative",
+ "api": {
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[variables('keyvault')]",
+ "location": "[resourceGroup().location]",
+ "kind": "V1",
+ "properties": {
+ "displayName": "[parameters('PlaybookName')]",
+ "parameterValueType": "Alternative",
+ "alternativeParameterValues": {
+ "vaultName": "[parameters('KeyVaultName')]"
+ },
+ "customParameterValues": {
+ },
+ "api": {
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/keyvault')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Logic/workflows",
+ "apiVersion": "2017-07-01",
+ "name": "[parameters('PlaybookName')]",
+ "location": "[resourceGroup().location]",
+ "tags": {
+ "LogicAppsCategory": "security"
+ },
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Web/connections', variables('azuresentinel'))]",
+ "[resourceId('Microsoft.Web/connections', variables('keyvault'))]"
+ ],
+ "properties": {
+ "state": "Enabled",
+ "definition": {
+ "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "$connections": {
+ "defaultValue": {},
+ "type": "Object"
+ }
+ },
+ "triggers": {
+ "Microsoft_Sentinel_incident": {
+ "type": "ApiConnectionWebhook",
+ "inputs": {
+ "body": {
+ "callback_url": "@{listCallbackUrl()}"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "path": "/incident-creation"
+ }
+ }
+ },
+ "actions": {
+ "Condition_-_Incident_has_Accounts": {
+ "actions": {
+ "Condition_-_Google_Users_Successfully_Signed_Out": {
+ "actions": {
+ "Add_comment_to_incident_(V3)_-_Affected_Google_Users": {
+ "runAfter": {},
+ "type": "ApiConnection",
+ "inputs": {
+ "body": {
+ "incidentArmId": "@triggerBody()?['object']?['id']",
+ "message": "
Signed Out the Following Google Users:
\n@{variables('Affected Google Users')}
No Google Users were successfully signed out during this playbook run
"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/Incidents/Comment"
+ }
+ }
+ },
+ "expression": {
+ "and": [
+ {
+ "greater": [
+ "@length(variables('Affected Google Users'))",
+ 0
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ },
+ "For_each_-_Account": {
+ "foreach": "@body('Entities_-_Get_Accounts')?['Accounts']",
+ "actions": {
+ "Condition_-_Sign_Out_Successful": {
+ "actions": {
+ "Append_to_string_variable_-_Affected_Users": {
+ "runAfter": {},
+ "type": "AppendToStringVariable",
+ "inputs": {
+ "name": "Affected Google Users",
+ "value": "@{concat(items('For_each_-_Account')?['name'], '@', items('For_each_-_Account')?['UPNSuffix'])}\n"
+ }
+ }
+ },
+ "runAfter": {
+ "HTTP_-_Sign_Out_User": [
+ "Succeeded"
+ ]
+ },
+ "expression": {
+ "and": [
+ {
+ "equals": [
+ "@outputs('HTTP_-_Sign_Out_User')['statusCode']",
+ 204
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ },
+ "HTTP_-_Sign_Out_User": {
+ "runAfter": {},
+ "type": "Http",
+ "inputs": {
+ "headers": {
+ "Authorization": "Bearer @{body('Parse_JSON_-_Access_Token')?['access_token']}",
+ "Host": "https://admin.googleapis.com/"
+ },
+ "method": "POST",
+ "uri": "https://admin.googleapis.com/admin/directory/v1/users/@{concat(items('For_each_-_Account')?['name'], '@', items('For_each_-_Account')?['UPNSuffix'])}/signOut"
+ }
+ }
+ },
+ "runAfter": {},
+ "type": "Foreach"
+ }
+ },
+ "runAfter": {
+ "Initialize_variable_-_Affected_Google_Users": [
+ "Succeeded"
+ ]
+ },
+ "expression": {
+ "and": [
+ {
+ "greater": [
+ "@length(body('Entities_-_Get_Accounts')?['Accounts'])",
+ 0
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ },
+ "CreateGoogleJWT": {
+ "runAfter": {
+ "Parse_JSON-_Google_Service_Account_Private_Key": [
+ "Succeeded"
+ ]
+ },
+ "type": "Function",
+ "inputs": {
+ "body": {
+ "aud": "https://oauth2.googleapis.com/token",
+ "iss": "@body('Parse_JSON-_Google_Service_Account_Private_Key')?['client_email']",
+ "private_key": "@body('Parse_JSON-_Google_Service_Account_Private_Key')?['private_key']",
+ "private_key_id": "@body('Parse_JSON-_Google_Service_Account_Private_Key')?['private_key_id']",
+ "scope": "https://www.googleapis.com/auth/admin.directory.user.security"
+ },
+ "function": {
+ "id": "[concat('/subscriptions/', subscription().subscriptionId,'/resourceGroups/', resourceGroup().name ,'/providers/Microsoft.Web/sites/', parameters('FunctionAppName'), '/functions/CreateGoogleJWT')]"
+ }
+ }
+ },
+ "Entities_-_Get_Accounts": {
+ "runAfter": {},
+ "type": "ApiConnection",
+ "inputs": {
+ "body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/entities/account"
+ }
+ },
+ "Get_secret_-_Google_Service_Account_Private_Key": {
+ "runAfter": {
+ "Entities_-_Get_Accounts": [
+ "Succeeded"
+ ]
+ },
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['keyvault']['connectionId']"
+ }
+ },
+ "method": "get",
+ "path": "[concat('/secrets/@{encodeURIComponent(''', parameters('SecretName'), ''')}/value')]"
+ }
+ },
+ "HTTP_-_Access_Token": {
+ "runAfter": {
+ "CreateGoogleJWT": [
+ "Succeeded"
+ ]
+ },
+ "type": "Http",
+ "inputs": {
+ "body": "grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=@{body('CreateGoogleJWT')}",
+ "headers": {
+ "Content-Type": "application/x-www-form-urlencoded",
+ "Host": "oauth2.googleapis.com"
+ },
+ "method": "POST",
+ "uri": "https://oauth2.googleapis.com/token"
+ }
+ },
+ "Initialize_variable_-_Affected_Google_Users": {
+ "runAfter": {
+ "Parse_JSON_-_Access_Token": [
+ "Succeeded"
+ ]
+ },
+ "type": "InitializeVariable",
+ "inputs": {
+ "variables": [
+ {
+ "name": "Affected Google Users",
+ "type": "string"
+ }
+ ]
+ }
+ },
+ "Parse_JSON-_Google_Service_Account_Private_Key": {
+ "runAfter": {
+ "Get_secret_-_Google_Service_Account_Private_Key": [
+ "Succeeded"
+ ]
+ },
+ "type": "ParseJson",
+ "inputs": {
+ "content": "@body('Get_secret_-_Google_Service_Account_Private_Key')?['value']",
+ "schema": {
+ "properties": {
+ "auth_provider_x509_cert_url": {
+ "type": "string"
+ },
+ "auth_uri": {
+ "type": "string"
+ },
+ "client_email": {
+ "type": "string"
+ },
+ "client_id": {
+ "type": "string"
+ },
+ "client_x509_cert_url": {
+ "type": "string"
+ },
+ "private_key": {
+ "type": "string"
+ },
+ "private_key_id": {
+ "type": "string"
+ },
+ "project_id": {
+ "type": "string"
+ },
+ "token_uri": {
+ "type": "string"
+ },
+ "type": {
+ "type": "string"
+ },
+ "universe_domain": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ }
+ }
+ },
+ "Parse_JSON_-_Access_Token": {
+ "runAfter": {
+ "HTTP_-_Access_Token": [
+ "Succeeded"
+ ]
+ },
+ "type": "ParseJson",
+ "inputs": {
+ "content": "@body('HTTP_-_Access_Token')",
+ "schema": {
+ "properties": {
+ "access_token": {
+ "type": "string"
+ },
+ "expires_in": {
+ "type": "integer"
+ },
+ "token_type": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ }
+ }
+ }
+ },
+ "outputs": {}
+ },
+ "parameters": {
+ "$connections": {
+ "value": {
+ "azuresentinel": {
+ "connectionId": "[resourceId('Microsoft.Web/connections', variables('azuresentinel'))]",
+ "connectionName": "[variables('azuresentinel')]",
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]",
+ "connectionProperties": {
+ "authentication": {
+ "type": "ManagedServiceIdentity"
+ }
+ }
+ },
+ "keyvault": {
+ "connectionId": "[resourceId('Microsoft.Web/connections', variables('keyvault'))]",
+ "connectionName": "[variables('keyvault')]",
+ "id": "[concat('/subscriptions/', subscription().subscriptionId,'/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/keyvault')]",
+ "connectionProperties": {
+ "authentication": {
+ "type": "ManagedServiceIdentity"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ ]
+}
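Review bot: None of the actions that carry the service-account key or the resulting bearer token (`Get_secret_-_Google_Service_Account_Private_Key`, `Parse_JSON-_Google_Service_Account_Private_Key`, `CreateGoogleJWT`, `HTTP_-_Access_Token`, `Parse_JSON_-_Access_Token`, `HTTP_-_Sign_Out_User`) has a `runtimeConfiguration` marking its inputs and outputs as secure, so the private key, the signed assertion and the access token would presumably appear in plaintext in the Logic App run history to anyone who can read it. Each of those actions should get `"runtimeConfiguration": { "secureData": { "properties": ["inputs", "outputs"] } }`, with the Key Vault get-secret action being the minimum, so these values are redacted from run history and diagnostic logs. Separately, the `KeyVaultName` and `SecretName` parameter descriptions still say "GitHub App's encoded private key", apparently carried over from a sibling playbook, and should read "Google Service Account key" to match the `Parse_JSON-_Google_Service_Account_Private_Key` schema. Requesting only the `Get` secret permission for the playbook identity, as the README describes, is the right least-privilege scope and should be kept as is.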