From e16abcf3b094afdb6b0ecb715c232f1e58f9aff4 Mon Sep 17 00:00:00 2001 From: loginsoft-integrations <81212299+loginsoft-integrations@users.noreply.github.com> Date: Wed, 13 Sep 2023 20:00:58 +0530 Subject: [PATCH] Add files via upload --- .../Package/3.0.0.zip | Bin 0 -> 32663 bytes .../Package/createUiDefinition.json | 145 + .../Package/mainTemplate.json | 7392 +++++++++++++++++ 3 files changed, 7537 insertions(+) create mode 100644 Solutions/SpyCloud Enterprise Protection/Package/3.0.0.zip create mode 100644 Solutions/SpyCloud Enterprise Protection/Package/createUiDefinition.json create mode 100644 Solutions/SpyCloud Enterprise Protection/Package/mainTemplate.json diff --git a/Solutions/SpyCloud Enterprise Protection/Package/3.0.0.zip b/Solutions/SpyCloud Enterprise Protection/Package/3.0.0.zip new file mode 100644 index 0000000000000000000000000000000000000000..a3d6f7490d01356cfa2b72f3fbaf2cc0e7a22957 GIT binary patch literal 32663 zcmV)jK%u`-O9KQH00008032j3SBAOaiUMtB zX>V>WYIARH?O5Ax8#fxhU!d_^U78aqkT0E@*ML7?IM{Ey#%n)hG*g^=JI6D2IA!669}Ycq2= znG`2sN+n&flt~-Xce!R^q|)-8nH+>q!s$5E?2fbbfdE-ZhY zhW{{1ejSXwtc1!~FzsZ$r z)7-F|Gp#I(ya&zQY95d^k8J|+-+haRgz;5ktEV65axVAx|Bf4n`}^cfFlrdlY{@jS zir9par4mA|xm=M2TPn>6m&Q^d+=+W{l*pa1Lo(N7F3In|{+pb8H+No>t8-Rxcf!o| zpmIjx2yeZQWAXp^qOx}()S@!_qGZ+>{@3Y2V>%uh<0qv&FD^{uVWZwAH!z7@ z-Ac8Vgd3B$)uOk6ubEVCugox>x*#5sjA=^&SLX`nEpAAq;)rCs&P;cG7`g}?Z5F_R z<|&r|7;%W;GH31Xi3Kf3CBEx0~ z?8fqloacfWmuu4z+221xl7o?lJV8o>V3xr>M@mY-SZPoC#F3r}x>+c7>rcLST(3?U z)w1wBU8vlWx+K=(cL43HNrmbm`4`#cQfJxYm+O>>RWuAntqN%JMY{yHiX&cvfy#Bn zkg0bFsV}})Z3@yZ?XQqxJ{0C<-Ag95dwKjjMTPvR3-mWHdri%_`{=igsds zR372hVd10j2(gc&r(B|PnxIX1-8|g4T_#jSd)DSy3?= zku@VLW(l_iP+fWpwE~O_6dF>yqNCk?$Ee_r8@>>%>U$5UUIp}L{ zAzfRwI&U+oewIHf#!Y9fq0w%!5`Ej*4I58qZ)#K8TG>s;x>G_8>u{#iS;moLRx8oH zrIfhj&WhmD)q*7#Za#43rvXn<8=14o)i>wd^U?>zJAoLqo(Q$5!y8pS=G9biwer)7 z9-yeNY%=ILaWD*>g~QRo@H*(a8Wr8xK9D5J%_qUn&o8^k#FS$bFA?$qk3l;*A&AGL zy;e4SYy$m6Gd?cotEZ^&2jhe9#|KaLpm1MwYnA$6o4EQ=`q;rCcxe>ymRCuQqm2{(;xjb;rides#9>(`f&sTI^?Wcc8#X9WwD*2q_(e_wVlG;Qi(5|cMfnhQGVDYGnVLy;&y|0lyrzJ%>JfIJQy87O?AG^Kr!`_5myRP|@z3FB2ylCUN8Sl1Pd%9fnptZPT zmcz1CYv;ByKlIg$(8T5#OEGYdW9Bxku}z$}%{cO->`!kl!!)|#@zXPf-AIgUOK<#; zd(+<1x7E4t9(;!TpM1RMFN$?>=R)nkddhDWP4cW*3yzt6;PyjV=>Gb`wPQeUHhR)e z$B@7F2#yN2?acH;ahXSMRYJx@e*Yrt1Y0N$s%=O!tfbg^&?UVyiapWgW9_#!wNc`` zrXOT?rQdHKZ5>>@6aWAK2mtz!ELTia zOKp*M004cu1ppBM003=aX>L?yZE$R1bY(7Tb8l|!TiI^o%65GZkbfYY0PY4YQ=G|@ zC(Sb@YnB=ZJ{*c7B~Icbi5CszH}ZS=k`y)45;e5bIoA(yH@fAjy?3p>xmKx)EdJwP z{{=yw{@s%`V2V$FAWxd_JKi4{wrhDcMN6Ck6IlMM7zHkPm2Gq1=V3$^=QCL>C2t(`_pr2Y=1RfA;+*@I^)RV+8+*8(@0nm@krjb(>4Mh#zg%6xQJ@I$iW3E!Es&3)jfc8T-yh7Z2J_) z`MDd}5nU0E4uK`cHf&k+cR=?|u+iT*ARf{4UEP`;z{KEns|l=`ufbmY)T{ti3=DrL z8o}1@hYLJAaAi<&?ZEl={q-=)pUGGkh1kdPWLJ0gn4SdNM*nX2e2vJKt-dPR^CKy=IVfvCh$5nlty zUn|>Pc#bH8%mL^WQ;56NT@55%m9sTAjT01KOq9e+s+KX5KmNr)yCU0sw6kkrikp_T$1Fe%$B8hknTOH2;rX=;EL2ZNfjEr_#`89K!*fWX=Kwh-1)kJmQb9*?Jb!qdwciuikHNb831QC+_xS6#XY&ZK?ErVHebG2#JSxw7 zenGC_ObmF0wEv2P3Q+?2SoD3qzPJD%5=qkYh0eyAKfgR1^7HlsvMWGuSAczttL|G@ zI6LTa&T+gQFHW4?cHgVvZqyWp95{JaX2}q(g}1LPw3WfPX9-5w{gWiqVHU~cT_DO@ zrn3*6oMA5dj>Wy@oh0-%yBjhi?#hgK3}d?AO}PWf1PFEQH+Z0AW zq%ismDvW+qVf2?(7=2%1=UIMWTu1agSVQG8o!z!hSKHkYu4?Y4=MCjCca_I{Hna3d zH}%J)>yP@?r zhW^;Q`eQ$vS$d?K`eW1e$No0`u@C8w{et>qAJrfGW%bA2*WY=TN8YtWV2XAtC;*g!o?qp6-5ANPN1G_}?ZZ{vjdp zUr1_n5LhMOR2(n>yzwzZQb3eSoPonZj4WGI5=G7`^_ z861$JN@Qt;;Z9-Rug6KUHr?v^3hG0EboO2lCuacHkNpmuJY)2=!LN+|PkGKPy0@5p zHG>cAPO}+R^>s4PmK*Xe%iN$c;SJMl2x|CXn)pP>82lh|8y|IE|aznSi7 zk7d)ie4h4U^z)QIk+Jvrudv>}zfqlP2;3acZ%Gu;kKXNYs$Nqycmb>kB7bD)?}EXEeG)#)A!wVO8ojhJ4HJ+ zUjR;c#BpPf{o%ReQA6nRV;AZ25ada%X=jX%+Vn8TwL@Kj7YEz(>p00AV8+vjqbE++ z5m|!V9ox+~E(mq7N|?s?S*|T%FTQ9K6+=Fpntl3_I+bKjXC;%43UGj>cx~%ck!|}A zu!b4MuurG4zNJsPx2yDg{Up{4a%<{7XjYUL;_Q6h{-B)ir?a1bo-%`12Lki;cm#G1`q=(3esleiQJuNLTTuIs7Wz!=1#`_FsZ~yeIi6+_SrqH{s?S$Iy4nq)W_~oeu#|jd>US zh1a7gTvYmDpbula2Iq3Enb9pnw{`;FZl)Z^xb@k;==84L+8pp zgAtH0c^fO|=;zDT)OAnt_CQMV$0_T|y7z|f*_#iaef1%6{XW9_uvU(L&X!Oq`=i6p z1;**z zSVHfOVFlh7U~{cMQC2VB5P|b|(9Vnly$Dp@()Wp8i3trA-HY{bctI@JsUZyr<4RoQ zVwcp{0J3-5zR~7ux`)7IZba~H+wgTK_U`O<%E$(?3%NfwtSHPIE2?l=^d%fDUClbS)UsrkL?fM7qcD;PqS;7nQ>h0gTd(~|Woc3HHk&;F#f|M(NkX`!wgou3HJBvpA zkPH!JIEQ%g%bo|%|NhVa@~(J8KD;9FD5o%xTedqBEj8rUWEt>Y5Z#iE_?^ZX9KwbHx7&W;y0+`Rrjhhq zOP`&gU?d%;JaF|miUPk>|Ikfw1~A8({f8uafT3RWVZPm6WgC^5or6C@Z=jV1Gx(`J zf&UcELT>wiUJOkZerWIuqx3fHQdXN(n&ZAiYiyNMu^<5Qpt026D*7@zc=L^6Men#m zKHrr6f)MDla&@_=s6wS&pXue5Q}#-&O|j+{SNdvV)XEAfyF?8)2&_|&xR8)3vdydu zXk)R&vYV>Az|`W3>*VcRqt8uwu9>Ukx|6p?p^$IAb?bVr)~c2A`I1?y%~rWVrBryE z>HSjf?f-55xi+nyAY{pGxH1?UQ#Pf-B+xfy22)KU9J|DZBw1Ec(54p&j_JFSPhdVS z`eQy|l>quhc7(B(mp2w>Z{3Q}@x<(J#C}#?;-d{0wJJ7IsdlppJL*q)-4F&`u#pNK zciLZp5j{0VxY3>t%@Hx0Wr1jhfghDr8lc52MjEs!#zb z5T;0YrMO_+?3a5&*K4C{h%eu|MNbyZRexC5#s;r8$w=T~K^X?c#DJU1 za0pOtLp*Ac8W$Of!=h%5p3k+m+7^v@)C|~w8im%B0j{<&%swH7vax76#D>#$xEMObthGW)c zWx`a)Bdmf~EjbLq2pv~AhRw~(t6tt8F8z&BZgN0TX^bc?!}eyuS*3;k=2&vJpRbki zwnH{>NCu4p)h<1f%pNJbOC}IPTby*~?M@R5Q3@k@Om2=zRq3>Nwwha244Jp4HY#+@ zjw8?C#Q9`gRiseSVBt`Vn4-jb9;ylx0xQyp@&xp;4o8cDgVrNb!PF*}<%dn&RPAsM z+9FLsE7Igv6`?D3JuIrap~Cvon3Zf270Vvp4{(#rlM11Pq`O|Tp=C~oh6&llo30r$ zm_`bDXBc@>osBvjei$_^QyE7d)?w9-6>S1VjyWzsZLnC`89H1zK-G>v6xVvxbXu6x zv&Rll*aFVdJW5PMc%^X;6QY3CDX-A2_iP|BxQk%-NS?7Xma|wA=5hF(3%&QZ;VgT9VB3vlt`uz!49+FXiqbg{7PVrXgOv8M8 zGMwXt7>QHba^*LLUcxX07gG?u6WY;RMdI&)@J z916>Z5c-M=PVHC(1Wb2ySgajzGkHPmA|Ebefd z_UJ7_JI(Ic%qo>`T;FiWc7U{@mtNT1;BM76#zoStVJovPyVH84GgNLv)rX|n8u8f) zhK1VPjhARsL20Y~h{T~RB>{VjW^9{nM{rJUX8C@F!m8OK(c-EL)FS+mVidFDe9C6K zIB#v%UTM}JKz$4}HXP%;Tz3PC3JH`X2rnQDl)OTRq+eR;pr^Af+k}@+#!ZiG*yco$ zl#nnR6g|ZA*`7A4P+Z5sd3w&0uE*s!OUvj_%c8Ecb89uyP)`ZU_@>(H#Py>qwUBRj zW-A%bWL=eCVJOJy5>G@0vOXPZ3q6={W4$GgU9{SqwyF|}a+p8LIf2$R zN`(AY!P&3^_kAO_UmjQG30P^~8pVq8+=rE!YMr*KhX68&$D?AO2hy-L;H`=u`ou~k z!_`{|mdm-Bb)zUB!Eq` z+0o?oj0=Z?RWYcyd{JO&oD|v{yw5X&B$<5Zz?8-t#bmW=wXWfeS#DT8tkxlA5}UMr zfYWek1}twecQo2>Z{WPw?iaLfxoBEac_4Hk&2g_jhcg95Ro5+YRQ4)0sV`2-q(Z7h zJm(VuieWhGdQ)!|t{C_=vXo2x(X?Ng5MqO_7vOc1F+0MQ#jLsZoT$Z3bf#`Is;lr> zG0=_PBmngh7&Cy;-9oDo@lrq<^l0pZsW8m0rV2+$f;FEAEY^p#o$y$vTCGMCaV|!E zX0Wodl1IF?MopdILurEx10ujjy05PLO)O6{oxZVN(*YRhYrlb`-cX?OQ^U8a^EK*| zC>PEP#R|oi%Y%MDLZw*%zuK!Uy2UkhE_DB=y?0S=+vXNVUxlN+XPiv!ICkQs>F(DP z*G?KYH#c_L{k6?#XoNqa_0E$VEPwz(5+D|Mk(3x~G80R}bz$8A zEUY!2Bya!v=H>6dKRDidvb%Tw>$kuB7JvHv^DpW3qbJwjetvNE?e-Osj=%i&=+TqC z#o6>B(VCAQJ^%FfDw#f>zWQc9e)8ljelqqSy+4jW?)`L{K6rQ>|9de#o9-pi_Pd+K z!K3#tF24QgG>VST&$qw1d44~B5X8H0j-P$=_`#XKy}kYDF|iqb{MCQ_=BMlHpH8;V z58{uDaPRL2kIoi1q|W2Ly~F5PvvB`-@NCp6`5m=)c=}{_*;o7r!Lo&1YDK z%ioSKl4;^kZYJMEA9p@Ijt+i5|2aJSy!Ycx{Co28#6Np6dPdCp*Z$dj8qKFW)4lB% z@xR}GJf3d9`rlW_egNMF7Fl%CGg&;L6<-rGJ;AN+oGb1`}I?w2R=)PL~l@O^ML`u)|X z^zv*ziEmz>f4h77_?KUPzC7Ez`g{AY=-JM}@BX{vqbGZRQ(JN8_sPcx=YJi{A74ED z<;lDjM`FT(5O^zHsH#A>{F_444&>tBBS@p6B5boA^K7`OWu*B8G$dv@~gi|}y&M`8f~ zd~ooyE3?8f+rPZ|dCx!j_v=w|efA4%XMg~@yDMpE-wD{FXaw7x%MwEf>?hJ zB7Pt27O&-{LSb}1t2=QE(}_jcq)L5vU{ZfzLXiaS3H~UpJ*4DkzGBozWYibztXpxM zEb1+ar(pA0ocfb(aS#T66*aX3e(M}cy*-s{YYqTar)L0ztNe@`{N0tufoe)6_@tL{ zrGq>TUBe;Ku}_2F4N7Ny>I&4mM0L6^N>CgsNBlwEB%IYQSepfhlWGtx%^{dakJ!hH zQOh<69%@dD2is@#+I4&6bH@!m9bN>rbXuIX29sGqKflM@2Cp6MS+Wkn3}h57r$fQ- z^_cMB8t1;LOjSrG3o7ySY?)OP-cyG5Nzwm~gL7#5zqZHXP9)hbIkudz_Uaqcoa-BZ z)CmLtGUMsgk7+15xIriK+WTb@#5Ytb zFl)BpOIAy-CbG#FHE(m9&b4+8>sF#+rw5BTnZ?WQ^@J!}{RI?251qb`Qlb$XGQkJk zPrBPOofa)g?CpQT@qe7yc4Au#eT(g%g0zW*Ce^mz1!)`xS7qT$4BYb>*>Y23oEY0j zhj!u`C#{Qa`pSlT7T8CJYa>nIo^^Xn-CL9Gf7l;Rta!IetWe*}A8#@@=k<{;nRI~R zfjD5p^G*Uk9$i|BoZ7bRqzqQfXr0Cjt@kWyGGF)F#p>Q-It8b#CHLtJQVDwKl+JYc zdNvNvGZ6}MV>NSM{V-05^#bp+mfkOaO1Sin{YkoBRtr6-Bt{GU-`OnQ?X+3wv!}H+ zS?K7xu~_7$x;0oRDs|7t3N80+tgr`fOBQU-ZjhjdPMzK0?1qMdw;#J9oD-uVoI8ub zyPX!p(ec`v3rEME=HYdr5wo$7H`IfvQ2TDX(0tGK!qM@vrI|ApBjz!2fiHgLgX(2Oj=oZOsQhz-|s4O0D%^NYunrDKy@*86o1pELqw)V?u%+ zI(5c`GbS1e;eL#XMHY~W7!&+YXH0mv)0p7Fxz^U0-~;T&m?*W@gE3JP?X1vv&&Gs^ z(zax2=Zpyndg#;{6V8}uD1`elCa$IEiq3+#g%*SembsoL1cXIMR&%!PNGt|FJs@X2gQ#61_&l5j)%E zme?+;sM+gdw`8O9ve9{}u;GRJ3R^|hMo0DuGURxn@t)0-)rqlNrmv5p^I(()OUE-) z)41MiWSj1%=8A(pSY(W_{ZE*UZ#X3ed>92o_b8get<))W|F*U|1xD9ar$8G$=@e*s z#X5xxo8jw>nU}9!RbKx53DZil zQ$-DtDH%fVez(1SeSLke7`j+9QBBkMF&@X^l|Q=i<};$B>hiHEhnlFyN{yZ9W_!+> z-eOJnH-!T~4K8LeBA&KYW!eNJ(wJ3?${RHyg^SoKK8qhR6muJNt_esd$PCe>Osm!T<1pfs6iF+B@R11n92c7UA9 z3n<%gBEB zekQF2NeVIT+3%2vGRfos1h=PN+Fly?Q*S&QkzH1lCZ5krXRVz=)=P-BA5CsN|H=<1 zV9I*emqFxR2j0k!ym6QiahL=&6mwR4OcYBvNjAM1`7*wSApBwKU5As2cj;dRq??N% z3gU2-^@EzWAi7ifhp9%rS_c?#Nj{t}&L&}UIUIwV%CgoC5*k2<1i1vEAwe6#s93ce zo8$v1Y4TG#W2<I*+z;Dl^h&cksK>GK1ZD%jXR zS(OrI-VhchyyQ>3WHgHd!s2t_auNef&wW_`hEELQ-kbb<8@ zmCM2UVGzwgu7&5h!AGzHmsdoV17R}58?x5WbE1^&toHerd4*X7_MV@@-+`Zm#5!am zamMrur0a^KAcd77s3)Cet;ubir$k=|pGFh199MyyV9jzVjHk5#h@~L%f0$8><%+b@ zMxb*DHFH`ecJo2P~m}voE;9m_BA|$T;7{6kTcoLwD zewMrI+}r=v^edt>FY#H7*iRENa2{AhEt@j0q6*mU?xGw9-+_tw5Nb8 z@7hmtG}4@vAh$;0Y>^1`H$W)AM)XcYLl6WGwiwM_y;p+QMHK$MAQU*}Te;3?QJ^mK zfAtWX6#ygxM}(Eq_+|*k-_kL6z&iJ!^Zy|#k(ef2US{KJfH2DZG;po^C1A;BEKbc?p5!+OIEM?X`P*uc&KmPS0wK|TDuO3O2 zK$a$pIpl&3aJC+RM4KX@Y`1a}cxHGO&#n`FR^uvkgz6tzzjTMv04EUY#mn0094ADI z5X1O_5CiNHhO_Hv1qeD}sv;kUN5{bs#>}BbvLKon7#r>oDmD|k=OR|Kj^E`SzoiJk zG={`7G1AUvemovd{ODrgU#x)DL7nhnczhW7K^G{OwxWmXmzB$Y2>) zd_){|8T!Qp<*V89MODU8Z%_J{{clgYL|A5BE*)XqHf?BIWYxRG1P?j6bX4$=cn#2i zil)Z_i3hQfocrnJ(vbl=e=>usFz6mmU_s4Sx86OTd5C@HF(3d_yVe08S;SDlw0IT% zVorlRMASRxF6O;uXOnep)jb%{{iGkAVO-$94}+u6ICPGcn#Q?*Bz-7RNzYnCxagBw z^!coFlQa#iG#Te6St*XCwXC>s0>G5ET&=7M+Dk!lPZ)$pm}aX4m4xtFyfS+4Wa&E^IhOUA1kOorvik7lXodnd0B zH@&k(>Or);oAeTVIM{_Ztis0A4YF#}v)RNFzl_xpxyb?0Xtmqmbbwe9)Le<$3Q8p$ zo(1P{uHOL?(K{pr8WSE9(GG#lH7*arNc|{0exU((L`9EEJ}|f!5l%GBd4p?cKO#tl ztr6A3`^QJ*_rDiJ=unTsAW9Z-zkjiFFMJ2K9JB!2 zxVsIp=pBoho2uL3GsDkvP$}jDO;I2GSsY%35xqFzCTdc27GS$#**}@S{|iER5(wsT zz9i6IBwiy;{pcod_R>!-w}WUD-_X&}5hUK7lNb9to8Ifgy-n}I;j@!XFGxp?SLhTF zWU7f+99wVU4pwHpy@YdIa}VKnuew0Ay`xqKsJ3>{YUrGWn7_SGU?ojdr zG&>Ao@Y>X^w*&Nc?ar&XVzqGPwLupC>bfH|E&a;6>2MC;*x^0Wv2)d+Jvdhl0OzVf%i54#R>iq$I9Cnls_~t3)ev>sqtdx*pccou zYLrLoTs4F?ajqK9RijYFxoV)M;aoK;b-KZ#bJb{$Kj*4ZSH-z%n5#HfjjnL!Ts08K zcv%(as!?CJJyAMW4Lvwl4d<%iTs54lMvv|XoukINY5*Yc;!+*qv@U>)1VYx&^0&?x|CGv}NxK_teQfb#hOgSQUl3 za!;MARTOA)Po28JqI>Gp9DnYqQ(YA`vfNWAxr!P`?x|B<6*bP>QzyhRURLEcI8r(1 z1?RlroEPe=bb?stywD1L>)^cLo;vBkJ#~@+fiLH_;oLT;R&Z_`YAv|}w~cb&UAk@j z=BJ}eVjZT=Z-e&W{5Al-V!w@**w;XuUGdcVTI$cD@VF zcR^dTJ$jw*g1U3kRT;I2xw;I2w#K;X+=mAb1^YSy@`(gHrjmEtPyN-LeWx-31IO@YFPhrv}i3Xv6Lv&QZpcT9zq-#Hj`&RPV@E23H#}3lw7qZnMt-i>a@1v)=`B++73X zQR%Ls3$(h;KEi4;w(B$}-^Hyc_&V9%e=$&h@Q){uJhEDeMEdC%Sf^lXWWN_{gr z>I-zZJIb~cnW2?WDgbl^!O;f zjAx4rB9RD5hVuzHqY-riwotZrGjL;$fp*TcU++$FrOrcdR_{D?o83`w>j`Bi$ZNV~ zX^y&e+p=_m#xE>(VHZ<&X9&HVAyBaz+g^b+$LIm;uZah2R<(;+J10#JHpp^LnmRyW z@hdzaKI!a$*xfTwz+&oFxy;FKtYyEsE-?BrxH+5o@pw4#ql*RXl$VA|ka4_wk9S{u z0`>N!51hW_oxT!tHdRMp(!E_OkGAZ;)Y01|cPy?21oqbLzK8DFv&}lgUv~LZz3MrN zyrYx1-nWnL@6bl*a_~Jzc~eW#ubgbxTid>_e_WiZd=K5B-=m9D)d_X3hAtayoV%kO z=X|Y$+u?jY?hIWn2*FKvK?wFc4np7}Zgd-QBRgarf~Wt|Fv(9^q0|5I#z7ojafy(P z#}YTZ!2_6usUiX^4WC~$$H=XJeow{Ow)k7%Bj)2NH%ih0d3u1-dc>W}rfwCgnthmfEtXihI z7#XCOM74nto3Wq|=NfR#WV52$*oE2^JT&f^#42Wckab_lL%|^V292J6H0G1qy{Z@SO;-u+5o^>13zgi=!} z38&}8F6aTNbVlBlKUv7iF1KXJ?wQ>-Sz?%B$`ZY&hU3NDe20STk6e2EAa#~+=9sH$z*m-YSt=y+qT5#-4B|zfw zk3w)pP%F;KOs5#gQfK$_o8AVi4Sxx#3m?My#s`D&-4xPSW)_gMIiXvN+B}U?d!jXL zdOh=b11XYU`qoPBd1oYlV0>LDNIiRq_yv%7AI}*pv{U<{QH$@BFdE?`OF~P20oX38 zGAaO=L?H$k(Km2(4y>CH3xTe}d=^G2T^XPGuf=|J5qNYa-1EN1+015*D7NqXo50rV z*IS2&cWsyJeUu{4ycV?N*RxzfG+y#zQCzoKEV|mm*RwIP3bKSAhX#ktBDW2va@}#Q z0sX}-s1^TRUk21=*`JV&_V~ujR+dOq$-R_ei+p#7eOX0cozsMxSv`6AsQYIdil8Lb zkRm8Uf7KLW!Q!i+2fBFO(!&YDQ6v`$yzm#k;+bK8<|l!8*~VQ~go6tBuGlP&!Bs@R z0_@o~(r+PuY|jlTFrY5ezTE^{e1dY8~1ubB9o&H1HNw#Ou^vU49k?>_WKmp=7; zjW@l^kZc)(D2-?H8xIiT&A?&vI!rQm!8q6&&7$-0g1!TyCHVOXY(lJ76!2}knACLP z?kc!trB%!afNQhBSe0gFNxj zR9|a6`I2C?0M&R1GYbI;buN7%n_dR>770hZKM$d(X~i#ziB_w*I3@k>7U_Kpn(S`Y z1MMl9ettO)27g@naR}l&xwCN^Oy}?b?b&pm-t0q2r;WQGY=-(lJ=D~{NSgLl>8JEX z89S9pi^Y5$j^Y`-WW4uwP7kPNkv}<#5~6L=WE;FElDR($lI=`8#mP3|A0HkORF@V= z<5%X{4sGw=-`(B1zXSh>cDf3KYef}K1%LcOv==e3??~tn-ETpujk}v0+xd7;vZWS- z-Pp`p*myO&2uJ(#d2&FLq#n$oh_Ki!-rCsoCVrCMN#>KV&=bM>&Dm`B@o2n5yV}-!sfL`b zskTpMGwOtg7}CjXvY^sf%@CXtPUbfU^!ep8GS_$>gN1V(&(dI2Q<)7xfw?5>^k}SM zCDnxdMS7_}kFJaq+id2_h-sG|WohQhqa_Wf^CV;1~ zvUxBGqmNX8r|CTTZhISs>`(3$+HW9|I1m!0f|vpLcM^h6%!J`FLie5Kq>4Qw9L~xBh`WL~=8fN8X zepQPL!E4#?rFrq%Z@9!)ReeJRy|SK>x#c>UC}lxErSU$vcfYtiZGK0s;Z2{+gAuIHZUGYm2;ana6My8F*Rq|$ixex4gE`q%ByXc4I}iQ{K9L#0u-^q- zf!&GoKR2*gB6f{(Jj9II^fqd2CcgHJ!=N14Te7`-f9DA! zm~FCDliAHwqO*H{C9~+iiUOK5rbZB!IAgcOP+t8zs{zMJCL*fJCi9>96?_!xu&Yu- zhTU_GE~Y=1-*=E9@^>9n`oXi8ZP9^f$mn=P}wbJu9S$fuNI!n8T5}ES;6qXuh(+w1m z<6jZUyQ1259&Ozx|8`Usqo99jIyJnawmS=2?hhPAs@mbZzF$>CHEyFzR#K}e$?}%U z%*?NDun*TE5t+)B@MdL21Gz<(4QMpTvfpa+0#L&>=t^1En zG^7`meNqjJ{j9qi6|-mY^Y#RdjmS8PyBbB~llqOkCnJf~-mk&c_HHo2At*0HZ^Hlq0S|0T({l8^7 ziaE!weY0A8hW1Y@QS4-2C4Qcu&e&Cr1 zhPus$C>SrIeTe;Lps6EH*7QZ{Fl$~dbfs!1i_s_u#x-vATCd_d#0&PxPRzp3!LOP4 zZp%FK2BmgxSd#U#m7t$%NQqV|?c*9!tRABp($frUun*%1J`M$PJD{ZZ$8Uxwi}UmF z)6j%sM?Qpn*b>-Mj;Z(+KV*2iaw0pp42T*E&xh${kgLxy8B$3ajE848Lw*!8WJe*j zbZ8WgwA3@OM~Qhh+#3D_VN@8G8iOjU6?Z+lQItaqW}18OG_yT^B%klx{eS-0U=dF@ zK9E0i%aVR%VN}O_IvdK3QlS%!cBTbwG&HTyyOsv1AxZkPY5HVbmovJ{n*$rGTmGQttmut=%S!S4Wc!#h)^FKwBn3|iLfNuKn85qC!!WsI?%$xPbr3`|s4_jCO^SddnYWo9HV zG-=h6m0>EJoStW@S6>*X>IKdClR)o9BI%muQWEV>i2(F3=w!d2|L{GLQ?uye2eyyP{R9%gf0CRpCf{#o zMZVvj|A1HxGqOGWo`)8;-S+@2XYT`G5Yn^=1|@d;AX-K2h4^V;vVFirfN|s|)nYPe z1p5n?4?cxSO4(jMH^8hIUdqwZVCIP9PfX;tLhVMz2d!zt>Ht+E#2h)U2(k?#nGvGB z5p`-Cj)N4Ub__Fl0HT4TW#fa{$^ht!h+%E`NU@l*)I0!M8bB!*04oIpU{o>y7#yvd z1|f*}5Tb~;BF8u&4UK|3{C^dB^7g^i|BpWh8=D*O*PnwA^snv+(^SN~DwZTj$xq3A zSQ4}%KO^ZOCP*wa*!iG!=)jNA{Df!@09>tcoii8&e=qzAYM+tA;AvAqiRA)-!P96l znIM*qfpGyD7zr6!$k-i%Uc`;exnY*3wj@j8dOVy2(M5U*+k*>wnGg>la`cctOXRm3wQI~N&<{-{ z3wMEw7#`qFZia+?!G6CYqnv_Mcd)+q0gh!dFd`G+%VrrQp&FO1F}Ji*cPQd;{DT6= zKMYK5)$VGH%hPOAYqg=RZf4b^HTLSsTUqd+y;Hs-EZzaookHmV-ye^u2d+PXMB1oXirt*_J&?a zoWg|!_9Dm8SyRuZwUu7RcQIe$(qMcQ8$T3Kh3Uz>IEW6&{3X_AeKGg+)}rGL!ui^0|Fb1g_jXiHj(g|R%Ia0i?c80FP=^a|Wx)Q{4YVNy40)3b><;4%j(weon;W)3i- zfC&X-{vU)S?p41N!>_2<73FVsYVwKLSlvSFX|M}kG;RtlxR8l)VnJ{M@k=RZ{2eRw zv5mXc1F33CaM-SVSv|?xaF1&_t5J|T7ef;q*kBk1)3qOp5H0G zuEE;1QJM)8u_n&wcbh=gX&#JPR5WeCFY8{u-PAh(4c&Si(aacyAD%}uR?F)994RMl zYVuf8Q~v~T?AG6uI@IoW)AvR@ zp7s@-^h%gxoe2t4Tr4vZH|8aY3EMW`w~uRjq|oMATr1;VlB@cq)vzWmmT=4`8MkKN za^VF>X_bG4~O>2-~=VSkwtm%#3RqCuIItmM4Y=9&Fe2Ev2dH4RITpt$WWoYvgeV0u(%nErU%{siaotOI9zl1c2pn`3Yjc!>-c_5JQTE-PRQ7S`-SLLZ5?SsRDW=d_!H3Y0V>>dwUm><2|A* z&BsYd#t@0Sx#AYi#!2vMi#dPUkWWBK6A9h<**Kobk!Q)2E)t_$rD`|{A6`mkhasHY zF@lpfFV2+(u}*cQQuKXdZRih?S|OyV^Mco73H34?I=i7h-yFxMR~O_Dg4c;!ovvUK zgVE6kzH{MC_4~x^I#bJchGjz7Gt@?c=ndil#2`VKW&vR4dr&RhnHOM1$;L3oMkHuR z7lg~zR?vKzwae8;wEY->UJ(E^SBzjm!#NcmYkq~uOe&H1z+a$`I?zh(LYvp$J2vTUP5990k^d2vBGANC@M z9%|+&3kO4%gs9FAjqKT*&Zu|T&UriuNe6V6CP|v&ysr|79(5+-m44qZJ_-iV>6#2$ zx4V1#pX-@SBqW1byGoEFx}Srx%elB`Ta z2&_diiCT5y?#MB(rjd4JPEPf%t?kYbof~2AYw;#+58g$!f3Aw4ut9;_I|^V9+JS-9 z(oCBc33RjMi237+Ch&<;FE6IlR@U%+fY)$=e%0>7>1Cin_mJS(qjo8Fro8ed9n-K~<~{1NtO zN-N0xMAywh-RBNqFU&)U2?V8BrgjavJ#Zhlqo_(yBR zO8UMyR*t88jS@id1U3J{KFeoT8GymH)CWmvqBP4_CponXX)rtxN1@4!$%6SyerSI# z=d=~d$ zTmfG8Oa?NmkrNC(&ML3;ZDzgC^OOaAxpc@V?^QB}hm5{NcWbeV*J81eR_FWf?O%zD zjctmok=(m$0~At!&;TbRbv1FZGjC+5J0gU?kS4{WZ6&@lGF#-j2{igE&9AW+&xQ-i zK~~GNvV`WO;luQTJLVfnT{z|&ET}t#Y zBy)%?Q_(=C1P<*#bwH;2Ll~2Lg_6fW8*KDV*0nSPbg4S_=07~vjujP5HkP`eEpN(6 zb6TgljX(MBbDkE27n#n~7g6}<1Dc``6_Lze?Mg%JCVdu5LzK`=Py_8Ek~XOC6yh>faSokel@`s43Yl&IKXkb7Sd@Feb4Rt-M_$zm^T)hpg0s>AUCNLD zO0wVvAzQ^5Z(fteLBqzqht1zTJUBBmL`;Y=v6NttQDaNu2+!rkj7uRwaEJ^t{zyD) zUy!>MKMA1o)v_p&Iui@XRkomtxTl{~6jc_pilZr0z@%&>98usQWtTPcw_Q^k%`Yqt z_fYEz1b$13;!TO4R1lq2gJ|YZTQtOy@|TLg8Xj?)`pkWU1nAE1h^ z{w8S`k!O%c&q%R?Z4r?Vd!JM=b=TF(qgrH6mi&RHeH|UnVR_+lN0tg-v4RYGV|EXl)@`k# zt*eL9_laHWHdQo&EzH^JWZ@q*75*oFRqLcp$C6U6swsHg105pmSY$iB&9__(fxu zF;IL0xr5i}$Mom8u0;z;ls<^qNBS6OP381e|j#zOm2 zD}$*v6hpJCz~1DVEKvT4b4yTB>81-*spm6fXn#ui3rE!I)gVMb%PO$%KrZ z1Z~lB;S`AD2GkLiS&~WSBI$!LS+{AqfFh5Z(;0}h7T!Cyp2JE`UzaZ8#Fcz=cd_R@ zR#^4sy6*s&vT*)mLwY6Mpz!3#H%15DTUfU@<;jqgiD;8soH4GtJPB-AV9+h-di`DX6@ZJo=5 zJZ-i1L%M#-^sEKtv-1J(IjLIr_Sp z++c-lRVK2TeS5793rHtQZ+tw^nF;`ucEL@mgVw}=DD6`5D%C(0 zso*p!;7mDXvTf@+K%DEXWRh^!r{Rj%Dicn4z6i|A7&=pm6p~yzeDo~7P>b&AOdr|v zhS|PVRhDurMO@}z-09y^#8Y}3`bJp4r$i}aB7(X-S1TYg#EN$nCOh%D=GuFP9VE{tlrbggkKO0?_QfklG5PMZ zoK61$XW|bjLZjY22Rs!G4h`5!M?3`|Rtf^ktlb(Gy$JM>q&80Tce&&x>`HrXG^_a` zZUTC~!5tkCG=@Qa_FF9pcA&kRlb7cm?qyQy_!(PwF62B7y)y4gHAW3^531jJ6hYfT zIAvqzaASp>!)X*@wZn+Chnz$D{3@P%T=_5_w+yjL`lXaL@*#&f;qfdbR%2EwKezdd zfNa#Pa<}gXPi7*Fy(h-(F7i>O zGVwW?UbNupVK{==arMw_JNOZc{}-VJje`_{7}Wz9ps*0-3K0G1LQiod6^{E=0n!;? z8v+I#a3WIWZK&VBb{1+XF+KjR6!kB>GM;OQjtAn}!Soc6Yug&=fMPec88)N1P-v9C zwh|a)1a71H*n&l4>pFZ^jcE_%Hfgsz!5zR5kbx7BpNgi$J4rjYkzG zB+uxSJdGE)oQJR}K=orw$pL}pxyPMb_MLQR_Y9@?uQlP- z-!lBmxT$^QpPzG?^pv)W-b(jy$gD{MN=>ZBy5DZ++3@jGMs|c-+r}5jd=vRc@`j8p z${K7M5Hw6JgbL)$vx-VtG$L4Kz5u(^K?!&C)v7NJCd=FqJ|;P<=tTYturi8YfE8i~ z&JXf*vit&fWS($hKA7W*}16-&xY`n*c-jFK;w4^NUwv@AU+tGmx zVR8uAcOU2!%!e(Lw3bbuez@PVY!=59f~?EGUC@$p->~O<|=Lg2N3h#&pW8-@q0WSOoak zz$6&ka0X>X6}jjqE{OSB(>?Ds#AGUS-CpX$-UFp4-*Zq5l$FF4sp&U~Le;uK2F{0& zi0m^0nQ@c%5_e)U&`CJTdox?*#~W0>UVA(j|WIGE~Tw?p)-w6~gS%ERpllc8$9 z`f;+yl$k^9_ger&905(W-8h5qr-JazHIYxoTHhhX#zZk#TtbLY7CdbMU#c2Nm-XK& z71F$8qmzo^oABs!>p~Wf=;KWw>lFcsJ4e{=#b&YT-yzN|0+!gP_y9LXV!tO;f7d6B z7SB?_c2BsKO~abYZ{VjoLa~>H5XYBnoKL8rj!)=`?b&`C)*N#lj+-S07lx)Y8Yju0@p@K41COz&kpqw|h{B_iFPoF8+>vQQqCCpmk@NTYp z*Epa$5qI87l@s&65x8#lJ+;K@B)M@G-7*xUi(2qEMMtUa}ctYR0SHA^wZ$k z+oubNANGMGsc=1ElR&RCcpr^l=C#7~jG?ej&S)54G}7(l{wJbJB2V2(EW3-aa$v%Z z&vZltDc>0%l+*CFtEpKM!kx)q)z*|vkJp!xdUe2kA$+Ls3*iR(UkIvImVp_f`W2{ZPFZzR+2`rp}$}| zk#aM?gtAPqzkzB{=;zYreux?VK;K-Z0X=cG;CPPe+*Nz!Yz^eFkMqiEW&cza9L!^5 z5P1Eh^PGAjm5={TxkbrP|6rS(ev@K60%X~oZ0nD6G6>`BVAZkLDn_yEqf8-B9V(~ zq^9NKyFsG~kqjd%VEwzD0q<^I+K^Q{pD~GJJWYu|X-oExUoB>`RmM z<)y&5PaG=$6>5V=>+0iex2%OvPbFf{p8w_E3UGru>UZV*AuUfxD#~eA2ou6xXRJr7 zEy5R>h!VssrGb73Y#{tu??=wY0*hN5SZ5xOjEkc2=JV12Wb}&cF8M#yOMO7z#Q&jQ zg8b!+GMybn+VxWF+6lpRC2;F|_2HqF`XI8-)AV_XF$#)c!f^eZZ|HRBEdFFtsS@cT z_eOtNdYPT?o$wWq%S)Syr4dALl1IRMQANSCPzs{*7lhGq4y6$avIEJsB4qk&g4e3Q zP=vBP!oCN(L(Wc*z({gG%_Cn_}m{)sC1CS3Oexmxs15 zQ|GamLvv=pH7Ku80{%Np=LiC%GTa6lyhzu=hu%Q<$MYDR)C@Gn)3aU>e!|ZHLk;{0`q05x zVU)dm(a=h;u#2(uMr*@Cl98*i^kA4HKs+Ke;cFIF1_7OejF897!OT6dyI5d!#L3J( zbGz7J_c-%k>+GXIJi@KvXMTDa`dwCJZlDXAoAb=$=SWr&`T5*Ifc&S~MgP<62){JD zwTwdq(3++uPFCn9GQiC;Pom<&jujWtdC^_EqI7NiJBS5|FV zi)4kVocdIWr$G>}6c^?+)|~0KKL$&JqfIckPEwRFMO1J7)v_qaEzcn5i{E9xw9&Ce zwB5RJbbtMz``DR2o}3uxP3SnP7iH}VaWeRh!VX0%&R(5Ho6#&{%APMW4!aX;cr|y} z=wKln*(LtVx?XYcQVxa8;4E)`i*Go#2&%`5@xItmZoOTD(WgE;z&yyhfg{y!j=07i zB_*!~mrA0+LIh66(mo6=QJdlkglQCgJ{TnPI3!tx;&lgh;rBVEYGdQohJ~r}I4`+F zl_}a8A4t~77%q_1;10~eFXpn9&Lj%cMsZVSzS7+U6Bo{NFk9mcQ zLaB3rWEzTwBqvVubvsoVGI9;hMwsOpJ$NJS{bO+(CuP#MyW!P$0sx(m4UY?u7*DioMVxO%tf2jkK^GoKO~?o;>lwDF;@ZPXgKjF^!~QQi zhN)D++HU?IS;SNq1@aLuu!|UEO4J6>qw-~|R7ydwZ=m?#bQ1c)?3NBD`|*trKi6yV zI^EdhGhR`94ywx%591pvz3ZBWJ1H&8i_}NTqOVtV8?2pDD`eI~fJ?!aOXQY{4@dEh z)Lkl8uw|zO&!RhfA$@-GqifHr&p2e3XjxACil{RyGP~@5?h=gHVTqS0#yj`K30zUM z5`NnVx`dSE9sjSi-@tY5M({Ws<-eoXf9N2n{41u0*EkB=bLdMgE_K&w8B3+V?NdJ8 z1-~~`7cku)l9aKN#SL(4xbLw0gTb_O+h!@r63&pvOswSV15l#UtZ;T_oxXGYWyva2d#U*_3;e)m%+wZ({cADu78St~p=h33 z$^*h(-ikAR{ zJ=G+?5NC>*25U_0@X`KH|CQ$j|E0kePEa%LTfk|F;PA3XaFH{Uv<%#1W=gb+zrK#f zOz7tW$Q8T&yiu~s@;RWcq;fh!;OMGLQ7o3E5;~aRr&-r+W)&9(S z@6(b@1_LJ2DC?DbabWYLkvMMeI5DF2_cf551Jn?WzXQD@$MESRwDOp=&73*#XxJ}s zAA606pN>o!FLz`&h+uXn!_H+!WFLK;8+sN4vQ#Y9FOu`FTfCb4p##kkA7?i(h3<`;-l&9M7{cmRUl-_bt$`c2ht6J`z4aSTisMTt`0vH0@#R zFaQu7byqx`fqX^5;ZXoc>_ks*8E0|;mQvr!E^WSe5TX41J5t~cKR1C1d%3d7GH## zV_zoaN6^R|07*>?GP4^9lCA`xgUt`o7xY(gr39=rS?>QxFIkhU6Jx0;ytg1}jz#yQ z3D(SngoG^G0g3n^?ij5}wbj#4#ao%_8(!-WU?zstgcyHoa!;77BE`_APLl~xN9UdV zSROW10I@X5=8;2KX~&It33HNtAnE8~0tMK(^Bo}v(^B#T($9Pd!1^*RfFlQRU@%Wl zC=?+$J+-K*n~)DjvcNO{&|F^}G7)8kni*&mo9f8#4buiJM0333UOGUJ$Pd z(h;s*es5G3Zyj=OI6$>fyj@Q|e=&D+3MKa|{4OaBVOzLSnJ7&P5unJRO*sfAz!c#A z4HgzMjwogcd5qjKKu`TPl`)V@JZsK&GnN6Vhe>x{%ksIuWnuDB!zGdCQAPPawf&YA z=5YX*@P_jU;SysY@VqViOtnv_;zS34bAYXpyg0_(&wKqk&=zc=L%d{Ae0&$|)8C9_ zjr+jyVaI;=9FoD=#><*G$@Gj)vSl&%a-3ymeuEeJ_>H2Uu8!vvKf?^-=Px|i;;DPC zrZ`Bh9P_vU`DW160(>w_Vf3CMtbdumnQMTPABrCrd~7JB05L8g*BV6bf*2FYIv7-M z4Sm(nQDrb*^gDut<(iowAQvX+s5jOp;IuLaI->f3U{R5uZLiJXN(X{*bDZx)l-VqC#d$#xVeHy;u}ACc+A(=Q+G0(TG9d z#~K@}CI+bK&|zgD1taAmg~M(amP63c%~&ftz#q&Pha|1E2&n*f=V2YQcw@e$db(WgF2*(Oat-9PkUMXZg zOk(P5cr8e9YldeoXOmPfL;HDeuZy|wlt}okQ%_tpI(Xl6hWTdqfrzNX|J=jGNqbYOuk%rXZZu!~_*)ylF<06|yP6-!{^x z-={*>uCBvpe0w0&I%{|`e&Mn&0@o93JZ522J8(`wX?=8vDj$&nR% z26)%(x)}Fw$vsgv@fi5=9FE`1km(DF@iVi(an?9XDl#?{@E973C_08SN%O=&oR+MB zVcp`x3Ucn#+o2K&2>9SjGSD*rPyuDbf>+rjeH z=w=M?pwQ$ZXM6t~(YKASkmVrBRz^yhcrR2E!9O+J(vO^op)Xlfu&nx$*%l(I7wehEa!&Js&f)S@qiY*JR}J{% z)Mly)9?gs(S|4Rn<^c=cGj=oEEO=<~e|Ck$3%U;W3wEDe{Rfo((gDF}kcwGCf1_C@ z+=g$VnTLr~U7!9QKcRPZZN9wf>2}A{3hHglgH@gRJ;TZs!ofi{#|a|_=QhAF)LJ__ zns_uExUr7*L-Go_o|&#gX>au`=F9hQ0+UIlKKVO04nC9AW>`RJF&_cqWb}u zj?g;f^f7JSY&opH0WL1K!WwmIKBKWb+h?ZIRXEM^V8mv#pA6{8Zn2}oIXU^?ett^;x zZ*ex6s3Nz~6pgHY3Yk>@XGQ~zIEprcDMu#~;;TjOvbaKC3jNRCWaEn12aGX%4c<<8 zv=}&oEAHRY9rZoqcys}^t}^FBNVmo}v32tmratCZaWCpcqn=4qp-rIy-I%ezf<=8) zV4~mmNUx0T6e|%7vIh@#dLz?FJnEc%ukJtIua3L_&@TF)tCxkVLA^pj+5YL~qOZIQ zallQRs$TNN7~DBlh-)pK6Ty=P{Q}vMAPC8~aJ-nf^auCYI8Fo^X z7G(lEB`Z%I>lW0(z>sw!fAwpf*ii~vbp*Za(1YfflzP7iLJVepTWu1YN-$PaNd#Ks zpRqjld ztf!WA?iG2+cu8v>bXXm=S-EV^Gd#NHQrFt*vgCwKnxcjR|Y((QF4y_vC9Aumsbf zSbP7*QgqjePsQ99qQ{02r6(Dfu(bE=hF;y$EeF(Tv#c_q~G-a3g6%s6lRU!X?rW$C(ZcYLghtMGCgI1j`>Prut~ zU*Lqq0Xp)w+dxAC3ZPyvm zH8z|GRA?BsEM|jjPl=5$LQAlh1lIb_rhG-z3%=9JkE{qyCwR450=|?}D3tNQKRhv`2=|kEDR(w>+DV(-qvqdeCSi!zYx)RVE*hlkOP) z>=^Dwx9XLPl<_Bl@5t!CZe{&?yk04M#_o{z4VGb3X56z1BvvjS*c8a@nnD-XUKmKl z9i{{GXlo>8x*Dhk*evNGT1v=ZsF<7Ve=ME|hmcKUXK559R8u3k7%UO~V)-uJF$1_g z2{-TH^xrsV&ZMlZ8ST+g7rjt!I>&&$kjx zLUXPDMurA)Vub_cz8?`aBGbeERyXm&*o5O`>!BzREv4~exVDU=gQSO@ku<148>pb* zij>^_>TaPdl*)@eflaQH40ovEYpq-M@kA1ef)r}Dio%fzOA_QA5l0a~7AYnuc6UyP zMS=u=fU(14C^zNNyD0|^0A``B;sBt=9)E^d{n#A>RGyJ2e~nO*Y-q+DJ{JBW(!>j1n2Y{Z++KG;TUtB` z2~$aVL^GxcpI(WNbD449n40Q{F&jOjm|OUCWJeCQp}fP>72c9u!5Jew^h*K9tS`{k zgxc_dk!n=VCIf`~r)lDx{cq~E9tWzBq2FV@Z%&=?0sm?TU4wO!Z=MLXg&rgAhSl9A z?4EXhto)jd?#abkg+gz%{J{3*HnGa&XQ{X3r8Hd%AVa)U6c{lzm^C6dCq(=#6A5r} z+(E!IWoPID)`a7_3{{_BXBH9zRRgciSAND@_A!+B9IEe_Xv4=)@@uKj&2T|?xjvlmMwR!-oo+rI4WcUMWUF|FYK@nBf@ zfU7Z*o49C35?wbXi(&fsP99N@q21;CG*(nEYDEnv8p>%8uXidb!kQnQ{+QXx*X#Nn zc+OLk4xJ5F1=U{)(S|%^CYY*2Ro^qU1&&1)7#m8`(8vgK&cV;3mZ1hfu(>vh{W*T} zSQo!lTrnrY5vv1{_5cqM!~&EUV8N0&!fg`)qGUW3N>Smu1!~Rn=~r3FelHd5v9(x? zf;3J6M*K?*)Y@uW8h89UJ9qr7FnZW$@%#=D}je7cr_<$t(T_#QAj$R+nZF82B7pLYa7O^ zSOIFJ$b!oOa5!?K$H7!%>$>Y&!7V(vey@i@CfFN)NOB{~*Iru#Deenp?MghMaKo!_ zu$ihZ6wEd}KEqTzk`cY;qUX|oe`icMTyAd5w(xSc7XctO{Q|$HjnQzv2w#S8A)18z zxyo>Z$fwkk64*hl8`gBYzqJJ;vLnJM3>KDO5p%wQ_SZ1$Qxl z(lx)JsXFi1JNP7Hx0&r~>+{!kA75*}!N|DXsA`X`^Hz5)$X8@3ciS+)5@a%wWg(kA zBUKp^eQ!)}Asv8)HkaVaMB8$hvIMuBw0wr(`}y?hy>;n3>iP=oUe(?0{BW>&NO3Ff z9>9J7xVlU6%INlQe>>RPXS^ZsRd0R41_l{GgUnG zef|4>0_d;wZ&aTzLAybXJ?vASummcZ{}n4?C7aMqS#s%3TXPX*K&T~*d%8MTgML*o z$)<2&4VzvzoRxe2m9R`}epCZ(;$~%LsDQyo^;zFq1)35Johi)MtT=aeD2=z3swND3 zRBzNVo_ymJBFJxfb$9*oxwtuPxDTem-q70GQ2SV;Lf~Ka+L7t%dPmOmBQW`jpsig+ zabS>n`4-0p`hqoavy!{gpmXy~9;Y(g^5RjMfetZ5<8okxb)IGYm{MuEzAZ*J|nc}U%)vjwMe{f4)5O5T=bdgLzEN??9m zuf^9Z(1pED{T1h>jqNO^{shNe%4LtzoFrM}U<12U%?8#6;jh}WK0PT#{AKZ@Y-7`G zwH#c9w$_p2`bcpyRN(Ryc>7uqV5eN&v{qT;vuA>}EH&))ua}kK*pK&+ih*3;gbnqA ze2)4vp1{0j7xvC5Tu{wwUE8Q(T*z*JoUmM7Y~WmdSZZXUka}a<(%5XS_c zHn^5nH7~H*rZx76YDEOCjZM+J@>wAWOazt72$t&(h-0kbXm4UEQ0ny?IH;Ad5h(MW zm_{tlyhB#OE&R~EZE6-XGq@E5X^BUNE`Sx;oK_P#xb$Ib)Sys({59V6OEm^(mw1PZ zn!wQt-m^!x&J>_orb-R%Sos~QwBkky4P>jH^Be0gg%>Kx@{&=)ZWp}@YlsY_^cHYR zvZD!e`hRmSwci7*Fr#0b>z3=+d9=O<=|9c|lW4lTNg~2_lW;G~k{wv;g~~Q9g%_1Q zV*(REtv>M^I{AN*uD3z7s{cj0hK6HbAmN`AlY**l59AP-HR-JhBM-ld*pPON*wv41 z-3D!i7eB|`%@@n1vIgvit{C{j00{Y*x_4%IXK4t;dm zPRLOf3;|FgC|^{Jc(8V;XGzoQcY|5@-uqu(eb0{#v-xr-KF3;i-rq06Ura2F?>{C6 z`@d_;{$pYSp(L5;e=j*^V(wWc0=T!5i}glX#6~pWk`OC1b%Mi&gQ8vWWhn?&o#G(- zM<x=;z7S=ORS4Vc-bcOg7IH#ja?|jr3cC8vkBedweZUjm$frMj8Vcw|E zlGi55Wq(B|>hP7jF1)@i!sL9zVLJo%I=tnK?R6$cB!<=txXnSSlOeNlzDP*drLeX6 zrTkT%lov`g?M^uyw1j(AQC6-U-Fb*?6Rt{ti9t(O)W*3AaNxdY=l;Fyt)AZpwa4@; zcq>t9Zs`nLeL%f~oS~^15x9h9n{~W&W1z&*=g>PQ(2wD4e|r~3_v1Ux-aYwBVN_>& zR6@3d)Nr=4=fi(Y%#*EIu`uo0d$@g&YY;e{U{AG!2_CqSoMFV*T?xQA~7>BO!kWrzG^{@T{h$)DIr7niEjMG^$ zo9`^yNIjpiws!9@Uedg^I}h96XBGc3vxtF%Y}Eq`w}a{BI=ULD&rG>mrdTVg$4R~> z`XD>nr{gMgtJ3pkBhROgDKs&)bt5jy`ixSMn5PdZlUd(y2b`vQQ5}gVvQ0wa*67pA z;VN1?KDlqW#Uw$fy;fwjfptHK$La1ucOm;mbcNPbOr_4so3boaFq8)_gXrc{opNi& zaPKP3dRiis)K&TQCU9p>G4>TjCh}2GOyp0$8eO1xF+Wf)8@-;?(&EP~U_B)#L z#G)3-&mt?XwsR|!YAQ$0cYKY=ZDxliQR5Pzc^Far1_CvQ+lsctR8qrRwAow!BmWc3 zk^KAqjdF04KT>jL_AkaB-F9hq;a|p%Bc9Ay~qHO%D&G_pWzILes+ar@DUBE(;c? zoboPrjGd6595}H5I#kx-wTnn(C`sz}6~&Nnqm$Q_pc#gWF%nyg zSndTmfs?&_8~rc?XW&{?IIsp(ienwIz>e;oX7F#WuCMnuK^aQe>U?t9kPjg_Nxx8oB@J&pKI?!w9&!b1|@%uWytDRQ}Lp9tY5wRtlj}C5w_&Z6XxD}YB zs_Lm!_X%$7-sl1Bx?Bquu597DGXhijFLAMXHMAAwZAg51wWA%;suX9a(j0}DI_?52 zt)=o1_c#>vGW{~XFmIf=QnFsPQ-R`Z^Gs?ii-MTt-GkW=qg(hEex=n%^~w#-h3GA? z0MEypNGob%O=DA4d%%Q}7D*<|ezRS&%B+2*l^4s72 zDzpt}A&{jNO7eCPnQkJX&7Sk8p5FV@u_l#KXUVQ1}9vsP8JD zX__BKC~W%fDja6Hv?*t@Z9}EGDVL00JC8fICcNvSnwVs-sUxp)syW7>Q$I{A<&%_* zG=CUecOnz?L2_9ZeSQjF5Ai?}Dn;K7rG7X=#9zTGkK$KX=MyJe3iz)8MiOT_FM@D8 z?!fiS#hu-86>x%7e1EEc`p3=m*Hh<}_E7KN?hkZ_$(!+;XRMb;>*rlcQ5^9PDSy*zC6$F>hzrE2@l2Rlj1PH zIQl{0E*KxI*b+ee=b1V~Q~D|OT#Dv1b7fCbpe-{F8-${WNl=0M_QUgO%kYYh?Cy7O zQVLYlSGyjPGnUi|G$g9*$S!UcHw?U2d6ok)UTN| zx=Yks-(yA^V1i^!K2mqX;D3ofwNPTD%~PjLE(A-Hg>P=&yQQ5Maz}0L&T?E6@cK_@ zSB*co+^T&fXQjT%_B+l3)?OoyKu58FW`dr59Q1T_xO;?F$pXN`)2m)mQ*ocBLsIg z3hLU9XyRN4!7PYAVoel8tiE%E6zV+O@Rx;PJ>KxG4Lt~SiK`CWF%gcY8s02KW+g0O zIOeYGMm3}jUY?rVD8|~<1{m@aw@6(XsUWHF(0Wv_{4F4;a#8rIQ=c}oZT!9~ewaCZ zHfwP-cooZ&y}Y+LNy}q#Y=rZt$_{5NmCl;tu3*v#UcBoCJGWz}UhJBZu~NyR*>Scd zbN47uq2gA2vy}p2M6)f|5K8dpNOzv|WX*7#oUaC=&97H9t=#*4+b&1NMx5pXkFS^@Wao3a0iS7mh2^+p z_0!xJzjMuF57;2jW2;BIKMCc4AfV^~^sia9&;UFmdez|8op5Mq03ZyGPkw)Z>sJ8xyk?E7~KE83E$V&|DU0_azF^ke@j5W NzJXuYcb|X1{xA26IV=DG literal 0 HcmV?d00001 diff --git a/Solutions/SpyCloud Enterprise Protection/Package/createUiDefinition.json b/Solutions/SpyCloud Enterprise Protection/Package/createUiDefinition.json new file mode 100644 index 00000000000..05c5e6f4610 --- /dev/null +++ b/Solutions/SpyCloud Enterprise Protection/Package/createUiDefinition.json @@ -0,0 +1,145 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#", + "handler": "Microsoft.Azure.CreateUIDef", + "version": "0.1.2-preview", + "parameters": { + "config": { + "isWizard": false, + "basics": { + "description": "\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SpyCloud%20Enterprise%20Protection/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nCybercriminals continue to utilize stolen corporate credentials as the number one technique for account takeover (ATO). In fact, the FBI estimated that this resulted in estimated losses totaling more than $2.7 billion in 2022. SpyCloud helps prevent account takeover and ransomware attacks by identifying exposed credentials related to a company’s domains, IP addresses and emails. Through this integration, breach and malware data from SpyCloud can be loaded into Sentinel.\n\n**Analytic Rules:** 2, **Custom Azure Logic Apps Connectors:** 1, **Playbooks:** 8\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "subscription": { + "resourceProviders": [ + "Microsoft.OperationsManagement/solutions", + "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "Microsoft.Insights/workbooks", + "Microsoft.Logic/workflows" + ] + }, + "location": { + "metadata": { + "hidden": "Hiding location, we get it from the log analytics workspace" + }, + "visible": false + }, + "resourceGroup": { + "allowExisting": true + } + } + }, + "basics": [ + { + "name": "getLAWorkspace", + "type": "Microsoft.Solutions.ArmApiControl", + "toolTip": "This filters by workspaces that exist in the Resource Group selected", + "condition": "[greater(length(resourceGroup().name),0)]", + "request": { + "method": "GET", + "path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]" + } + }, + { + "name": "workspace", + "type": "Microsoft.Common.DropDown", + "label": "Workspace", + "placeholder": "Select a workspace", + "toolTip": "This dropdown will list only workspace that exists in the Resource Group selected", + "constraints": { + "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]", + "required": true + }, + "visible": true + } + ], + "steps": [ + { + "name": "analytics", + "label": "Analytics", + "subLabel": { + "preValidation": "Configure the analytics", + "postValidation": "Done" + }, + "bladeTitle": "Analytics", + "elements": [ + { + "name": "analytics-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This solution installs the following analytic rule templates. After installing the solution, create and enable analytic rules in Manage solution view." + } + }, + { + "name": "analytics-link", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef" + } + } + }, + { + "name": "analytic1", + "type": "Microsoft.Common.Section", + "label": "SpyCloud Enterprise Breach Detection", + "elements": [ + { + "name": "analytic1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This alert creates an incident when an malware record is detected in the SpyCloud watchlist data" + } + } + ] + }, + { + "name": "analytic2", + "type": "Microsoft.Common.Section", + "label": "SpyCloud Enterprise Malware Detection", + "elements": [ + { + "name": "analytic2-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This alert creates an incident when an malware record is detected in the SpyCloud watchlist data" + } + } + ] + } + ] + }, + { + "name": "playbooks", + "label": "Playbooks", + "subLabel": { + "preValidation": "Configure the playbooks", + "postValidation": "Done" + }, + "bladeTitle": "Playbooks", + "elements": [ + { + "name": "playbooks-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This solution installs the Playbook templates to help implement your Security Orchestration, Automation and Response (SOAR) operations. After installing the solution, these will be deployed under Playbook Templates in the Automation blade in Microsoft Sentinel. They can be configured and managed from the Manage solution view in Content Hub." + } + }, + { + "name": "playbooks-link", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-respond-threats-playbook?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef" + } + } + } + ] + } + ], + "outputs": { + "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]", + "location": "[location()]", + "workspace": "[basics('workspace')]" + } + } +} diff --git a/Solutions/SpyCloud Enterprise Protection/Package/mainTemplate.json b/Solutions/SpyCloud Enterprise Protection/Package/mainTemplate.json new file mode 100644 index 00000000000..13e3260d7f2 --- /dev/null +++ b/Solutions/SpyCloud Enterprise Protection/Package/mainTemplate.json @@ -0,0 +1,7392 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "author": "SpyCloud", + "comments": "Solution template for SpyCloud Enterprise Protection" + }, + "parameters": { + "location": { + "type": "string", + "minLength": 1, + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace" + } + }, + "workspace-location": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" + } + }, + "workspace": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" + } + } + }, + "variables": { + "_solutionName": "SpyCloud Enterprise Protection", + "_solutionVersion": "3.0.0", + "solutionId": "spycloudinc1680448518850.azure-sentinel-solution-spycloudenterprise", + "_solutionId": "[variables('solutionId')]", + "Custom Connector": "Custom Connector", + "_Custom Connector": "[variables('Custom Connector')]", + "TemplateEmptyArray": "[json('[]')]", + "playbookVersion1": "1.0", + "playbookContentId1": "Custom Connector", + "_playbookContentId1": "[variables('playbookContentId1')]", + "playbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-lc-',uniquestring(variables('_playbookContentId1'))))]", + "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", + "_playbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','lc','-', uniqueString(concat(variables('_solutionId'),'-','LogicAppsCustomConnector','-',variables('_playbookContentId1'),'-', variables('playbookVersion1'))))]", + "blanks": "[replace('b', 'b', '')]", + "SpyCloud-Breach-Playbook": "SpyCloud-Breach-Playbook", + "_SpyCloud-Breach-Playbook": "[variables('SpyCloud-Breach-Playbook')]", + "playbookVersion2": "1.0", + "playbookContentId2": "SpyCloud-Breach-Playbook", + "_playbookContentId2": "[variables('playbookContentId2')]", + "playbookId2": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId2'))]", + "playbookTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId2'))))]", + "_playbookcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId2'),'-', variables('playbookVersion2'))))]", + "SpyCloud-Get-Domain-Breach-Data-Playbook": "SpyCloud-Get-Domain-Breach-Data-Playbook", + "_SpyCloud-Get-Domain-Breach-Data-Playbook": "[variables('SpyCloud-Get-Domain-Breach-Data-Playbook')]", + "playbookVersion3": "1.0", + "playbookContentId3": "SpyCloud-Get-Domain-Breach-Data-Playbook", + "_playbookContentId3": "[variables('playbookContentId3')]", + "playbookId3": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId3'))]", + "playbookTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId3'))))]", + "_playbookcontentProductId3": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId3'),'-', variables('playbookVersion3'))))]", + "SpyCloud-Get-Email-Breach-Data-Playbook": "SpyCloud-Get-Email-Breach-Data-Playbook", + "_SpyCloud-Get-Email-Breach-Data-Playbook": "[variables('SpyCloud-Get-Email-Breach-Data-Playbook')]", + "playbookVersion4": "1.0", + "playbookContentId4": "SpyCloud-Get-Email-Breach-Data-Playbook", + "_playbookContentId4": "[variables('playbookContentId4')]", + "playbookId4": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId4'))]", + "playbookTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId4'))))]", + "_playbookcontentProductId4": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId4'),'-', variables('playbookVersion4'))))]", + "SpyCloud-Get-IP-Breach-Data-Playbook": "SpyCloud-Get-IP-Breach-Data-Playbook", + "_SpyCloud-Get-IP-Breach-Data-Playbook": "[variables('SpyCloud-Get-IP-Breach-Data-Playbook')]", + "playbookVersion5": "1.0", + "playbookContentId5": "SpyCloud-Get-IP-Breach-Data-Playbook", + "_playbookContentId5": "[variables('playbookContentId5')]", + "playbookId5": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId5'))]", + "playbookTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId5'))))]", + "_playbookcontentProductId5": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId5'),'-', variables('playbookVersion5'))))]", + "SpyCloud-Get-Password-Breach-Data-Playbook": "SpyCloud-Get-Password-Breach-Data-Playbook", + "_SpyCloud-Get-Password-Breach-Data-Playbook": "[variables('SpyCloud-Get-Password-Breach-Data-Playbook')]", + "playbookVersion6": "1.0", + "playbookContentId6": "SpyCloud-Get-Password-Breach-Data-Playbook", + "_playbookContentId6": "[variables('playbookContentId6')]", + "playbookId6": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId6'))]", + "playbookTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId6'))))]", + "_playbookcontentProductId6": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId6'),'-', variables('playbookVersion6'))))]", + "SpyCloud-Get-Username-Breach-Data-Playbook": "SpyCloud-Get-Username-Breach-Data-Playbook", + "_SpyCloud-Get-Username-Breach-Data-Playbook": "[variables('SpyCloud-Get-Username-Breach-Data-Playbook')]", + "playbookVersion7": "1.0", + "playbookContentId7": "SpyCloud-Get-Username-Breach-Data-Playbook", + "_playbookContentId7": "[variables('playbookContentId7')]", + "playbookId7": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId7'))]", + "playbookTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId7'))))]", + "_playbookcontentProductId7": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId7'),'-', variables('playbookVersion7'))))]", + "SpyCloud-Malware-Playbook": "SpyCloud-Malware-Playbook", + "_SpyCloud-Malware-Playbook": "[variables('SpyCloud-Malware-Playbook')]", + "playbookVersion8": "1.0", + "playbookContentId8": "SpyCloud-Malware-Playbook", + "_playbookContentId8": "[variables('playbookContentId8')]", + "playbookId8": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId8'))]", + "playbookTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId8'))))]", + "_playbookcontentProductId8": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId8'),'-', variables('playbookVersion8'))))]", + "SpyCloud-Monitor-Watchlist-Data": "SpyCloud-Monitor-Watchlist-Data", + "_SpyCloud-Monitor-Watchlist-Data": "[variables('SpyCloud-Monitor-Watchlist-Data')]", + "playbookVersion9": "1.0", + "playbookContentId9": "SpyCloud-Monitor-Watchlist-Data", + "_playbookContentId9": "[variables('playbookContentId9')]", + "playbookId9": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId9'))]", + "playbookTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId9'))))]", + "_playbookcontentProductId9": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId9'),'-', variables('playbookVersion9'))))]", + "analyticRuleVersion1": "1.0.0", + "analyticRulecontentId1": "cb410ad5-6e9d-4278-b963-1e3af205d680", + "_analyticRulecontentId1": "[variables('analyticRulecontentId1')]", + "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId1'))]", + "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId1'))))]", + "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId1'),'-', variables('analyticRuleVersion1'))))]", + "analyticRuleVersion2": "1.0.0", + "analyticRulecontentId2": "7ba50f9e-2f94-462b-a54b-8642b8c041f5", + "_analyticRulecontentId2": "[variables('analyticRulecontentId2')]", + "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId2'))]", + "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId2'))))]", + "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId2'),'-', variables('analyticRuleVersion2'))))]", + "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]", + "operationId-Breach_Catalog_ID": "Breach_Catalog_ID", + "_operationId-Breach_Catalog_ID": "[variables('operationId-Breach_Catalog_ID')]", + "source": "Source_Id_s", + "_source": "[variables('source')]", + "Document_Id": "Document_Id_g", + "_Document_ID": "[variables('Document_Id')]" + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName1')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Custom Connector Playbook with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion1')]", + "parameters": { + "SpyCloudConnectorName": { + "defaultValue": "SpyCloud-Enterprise-Protection", + "type": "String" + } + }, + "variables": { + "operationId-Breach_Catalog": "Breach_Catalog", + "_operationId-Breach_Catalog": "[[variables('operationId-Breach_Catalog')]", + "operationId-Breach_Catalog_Domain": "Breach_Catalog_Domain", + "_operationId-Breach_Catalog_Domain": "[[variables('operationId-Breach_Catalog_Domain')]", + "operationId-Breach_Data_Email": "Breach_Data_Email", + "_operationId-Breach_Data_Email": "[[variables('operationId-Breach_Data_Email')]", + "operationId-Breach_Data_IP_Address": "Breach_Data_IP_Address", + "_operationId-Breach_Data_IP_Address": "[[variables('operationId-Breach_Data_IP_Address')]", + "operationId-Breach_Data_Password": "Breach_Data_Password", + "_operationId-Breach_Data_Password": "[[variables('operationId-Breach_Data_Password')]", + "operationId-Breach_Data_Username": "Breach_Data_Username", + "_operationId-Breach_Data_Username": "[[variables('operationId-Breach_Data_Username')]", + "operationId-Breach_Data_Watchlist": "Breach_Data_Watchlist", + "_operationId-Breach_Data_Watchlist": "[[variables('operationId-Breach_Data_Watchlist')]", + "operationId-Compass_Devices_List": "Compass_Devices_List", + "_operationId-Compass_Devices_List": "[[variables('operationId-Compass_Devices_List')]", + "operationId-Compass_Devices_Data": "Compass_Devices_Data", + "_operationId-Compass_Devices_Data": "[[variables('operationId-Compass_Devices_Data')]", + "operationId-Compass_Applications_Data": "Compass_Applications_Data", + "_operationId-Compass_Applications_Data": "[[variables('operationId-Compass_Applications_Data')]", + "operationId-Compass_Data": "Compass_Data", + "_operationId-Compass_Data": "[[variables('operationId-Compass_Data')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "playbookContentId1": "Custom Connector", + "playbookId1": "[[resourceId('Microsoft.Web/customApis', parameters('SpyCloudConnectorName'))]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "type": "Microsoft.Web/customApis", + "apiVersion": "2016-06-01", + "name": "[[parameters('SpyCloudConnectorName')]", + "location": "[[variables('workspace-location-inline')]", + "properties": { + "connectionParameters": { + "api_key": { + "type": "securestring", + "uiDefinition": { + "displayName": "API Key", + "description": "The API Key for this api", + "tooltip": "Provide your API Key", + "constraints": { + "tabIndex": 2, + "clearText": false, + "required": "true" + } + } + } + }, + "backendService": { + "serviceUrl": "https://api.spycloud.io/enterprise-v2" + }, + "description": "The SpyCloud Enterprise Protection connector allows access to SpyCloud’s Enterprise Protection API. The connector is organized around the SpyCloud Enterprise Protection API endpoints. JSON is returned by all API responses, including those with errors.", + "displayName": "[[parameters('SpyCloudConnectorName')]", + "iconUri": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAOYAAADmCAYAAADBavm7AAAK9klEQVR4nO3dLXTb5h7H8f/uuecUKqhQGiq0UQtlVGiPrNBBLctCNuigFHqkGfNGFJgiFwpFsEMyDIrDwiwYlIFd+cr2I1l2/PJz8v2c43O6xC+Kkq/0yHrk/fDw8PBoAKT8Z98LAGARYQKCCBMQRJiAIMIEBBEmIIgwAUGECQgiTEAQYQKCCBMQRJiAIMIEBBEmIIgwAUGECQgiTEAQYQKCCBMQRJiAIMIEBBEmIIgwAUGECQgiTEAQYQKCCBMQRJiAIMIEBBEmIIgwAUGECQgiTEAQYQKCCBMQRJiAIMIEBBEmIIgwAUGECQgiTEAQYQKCCBMQRJiAIMIEBBEmIIgwAUGECQgiTEAQYQKCCBMQRJiAIMIEBBEmIIgwAUGECQgiTEAQYQKCCBMQRJiAIMIEBBEmIIgwAUGECQgiTEAQYQKCCBMQRJiAIMIEBBEmIIgwAUGECQgiTEAQYQKCCBMQRJiAIMIEBBEmIIgwAUGECQgiTEAQYQKCCBMQRJiAIMIEBBEmIIgwAUGECQgiTEAQYQKCCBMQRJiAIMIEBBEmIIgwMSNN030vwl6o/dyECYuiyF6/fm2vXr2y3377bd+LszNpmtrbt2/t1atX9u7du30vzoz/7nsBlkmSxMz+XYmTyaT0fq1Wy8zMGo2GHR0d7WTZ9ilNU8uybCPrZTweW5ZlW1lOZVmW2Wg02vdiOEmGORwO7fz8fKWV9vnz5+m/wzC0fr9vzWZzG4u3N2ma2sXFhV1eXtZ+zPx6ubq6ehEbrkMnN5T9+PGjffjw4UlbsiRJ7Pz8fINLtX9RFNm7d+9WinJekiRPejx2R2qPuck/nOc0NBuPx85jvzAMLQzDWs+RD31xGKTCjKKo9Hue5y0dmk4mE9ljhqf48uXLTFSNRsO+fv1qQRDscamwTVJhXl9fL3zN933766+/au8ZcuPxeFOLtXfD4XD6b8/zLI5jjhOfOaljzLu7u4WvnZ6erhylmT2bvclkMplZL91ulyhfAKkwXZ7bO6urmh+a56c/8LxJDWV3Yf5NkOL5vTRNLUkS53nBZrNpYRgu7K3y86xFdY6HXW/G1HncvveW+XG867AjFwSBtVqtylFL8edf5/2DqvOyk8nEkiQpnc0TBIF1Op3K19u7h4eHR5WbmS3crq6uNvoaYRjOPL/v+4/39/cLX3fdPM97HAwGlc9nZo+NRmPpcjQajYXHdbvdhfv1+/2Z+2xjvfd6venzh2FYeT/P85aup+Jz3d/fL/09VL1mfovjeOa54zh23m8wGNRaRs/zHrvd7tbX7bo3+aFs1Tu1m3B3d2dv3rxx7vnmZVlmnz59mrmv6/h3NBpVzsbJ7zPP9VzLnmdXzs/P7fPnzyudckmSxN6/f7/FpVp8vU+fPtVaxizLpM/pSoXped7C1759+2Zv37618/Nzu7i4sCRJSoeb61r1/F5xY1E2JKoKvex7ysOri4uLmf/u9XoWx7Hd39/bw8ODPTw8WBzHNhgMrNFoTO83Go22vnHNffnyZea/2+22xXFsNzc3M8t4dXVl3W53J8u0LqljzGaz6fyjHY1Glecn8z1NEATTY8FV3zTyfd+Oj49nvpZvBOYVj12azaZ5nrcQd5qmpaG5js+U5/gmSTLz8/X7ffvll18W7pdPeOh0OvbmzZvpY4bD4cK63YZv375N/91ut+3r16/OZTT7/0ZQda8pFWan06k1pJxXfEy+oleZFxqGocVx7Pzezz//PPMLN1schnY6nYVf8Kp7zHVOCe3K/IZk2d7m6OhoZp3s4pKq+deosyE4Pj6WDVNqKNvtdmeGQU+RJEntS5iqhpB1fsGuqFYN86efflr6Ogp836+1sSu+I+s6P71p8yOWQz+PLRXm0dGRxXFsvV7Peby5qsvLy1rHolXD3rI/wmJcrZJzi64Ay4JV3mMW90Y//vhjrceUrZNdOfTz31JDWbN/Qzg7O7OzszNL09TG4/H0D2M8Hk+n2tWdlD0ajZ70R19nyxsEgTUajYUh7vX19cJru44v2+322su3C4cw+V3tEwieSi7Momazac1ms3KomYdbdv2mK45V1B0ShWG48Pp195j73rs8ByqnlTZFaii7jnwWh+sduF1yHSPWDVN5GIv9OPgwc/s+2C+LqxiiK0rf9w/+eAib92zC3JZVhkiuY8XiMaXr+HLZMHb++8/tWApuhLlE2cQG17vGrsiW7TFXHcYewhsx+/DcjtOfTZhPOfivemzZ91zDT9ebVMU9nGtvt2wa3vwQveqqjm0pbjzqrud979kP/UJ5qTCf8sssm0xQ5/it+AkBq3xvXhAE5vv+zNeyLLPhcOg8vVNnGl4QBDN7513NOy1T96Nbbm9vp/+eXydm7hHHJh16mFKnS/IP3c3/YOte15imaenskjph5tOyOp3OTChRFDmnbFUNP1ut1sJjPnz44HxM3WFsGIbTaYF3d3f266+/2u+//17rsZswvw6jKKqcETWZTGY2aK5JCc1mc/oz1dkgLxspzM8Yi6Jo6frd90auilSYueJWeX6e6irCMKz9bu3l5WXteZNV0wZd82bNnjYN7/T0dGY9/PHHHzYajazT6Uwn0bs2QMWLi29vby1NU2u1WitfxTL/B56PTlxx5ueUixtK1+sVN4BZltnHjx+t3+8vjCDG47FFUTTz+bguR0dHM5M8Li8vrdlsOj+KZZ3P5925fV8QWrxZzQtw69w8z3v8/v175QW6695ubm4qf466FxOvsm7mL+pd99br9da6UPrk5GTt34PrYumbm5sn/RyuC6UHg8GTnnPff/+yF0r3er2NPE+73ba///679vnBVa7NGwwGS/fCrkui5q36buyff/755DnEnuetffnV2dnZylMHfd8v/US/IAjs5OSk1vN4nmeDwWDpz358fFz7d5l/2qCqH/63p5IxHo/t+vp6OtWuzumB/Ji07HN5it6/f78wrIzj2IIgsCiKKieZHx8f1x4aR1Fkw+HQsiyz29vbhWPgsmsalyl+nk1x7nCZfJibz5ByrZskSabHcEEQVMabpmnpm1m5/HrYOkPm/LXLPjspH3oHQTB9XbN/N35VFxiUPWd+zW4+xC0+59nZ2dLl3RW5MLetLMxtTotzXdP5/ft3ZvyglNRQ9rma3xDUebcZLxthbplryKf82T7QQJhb5vq/jnE1CZaRPI95qF6/fm1Zlk3fjCp7g4Q9JpYhzA3KI6yattZut2U/DQ86GMpuUJ1zjKenpztYEhy6Fxum7/sWhqGdnJxs7CLrfr9fGqfv+3Z1dcXxJWp5cecx0zTd+qmKqv9xEVDHiwsTOAQvdigLKCNMQBBhAoIIExBEmIAgwgQEESYgiDABQYQJCCJMQBBhAoIIExBEmIAgwgQEESYgiDABQYQJCCJMQBBhAoIIExBEmIAgwgQEESYgiDABQYQJCCJMQBBhAoIIExBEmIAgwgQEESYgiDABQYQJCCJMQBBhAoIIExBEmIAgwgQEESYgiDABQYQJCCJMQBBhAoIIExBEmIAgwgQEESYgiDABQYQJCCJMQBBhAoIIExBEmIAgwgQEESYgiDABQYQJCCJMQBBhAoIIExBEmIAgwgQEESYgiDABQYQJCCJMQBBhAoIIExBEmIAgwgQEESYgiDABQYQJCCJMQBBhAoIIExBEmIAgwgQEESYgiDABQYQJCCJMQBBhAoIIExBEmIAgwgQEESYgiDABQYQJCCJMQBBhAoIIExBEmIAgwgQE/QNJ5aSYMcswbQAAAABJRU5ErkJggg==", + "swagger": { + "swagger": "2.0", + "info": { + "title": "SpyCloud Enterprise Protection", + "description": "The SpyCloud Enterprise Protection connector allows access to SpyCloud’s Enterprise Protection API. The connector is organized around the SpyCloud Enterprise Protection API endpoints. JSON is returned by all API responses, including those with errors.", + "contact": { + "name": "SpyCloud Integrations", + "url": "https://portal/spycloud.com/", + "email": "integrations@spycloud.com" + }, + "version": "1.0" + }, + "host": "api.spycloud.io", + "basePath": "/enterprise-v2", + "schemes": [ + "https" + ], + "consumes": "[variables('TemplateEmptyArray')]", + "produces": "[variables('TemplateEmptyArray')]", + "paths": { + "/breach/catalog": { + "get": { + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "responses": { + "200": { + "description": "success", + "schema": { + "$ref": "#/definitions/Breach_Catalog_Schema" + } + } + }, + "summary": "List or Query the Breach Catalog", + "description": "List or Query the Breach Catalog.", + "operationId": "[[variables('_operationId-Breach_Catalog')]", + "parameters": [ + { + "$ref": "#/parameters/Query" + }, + { + "$ref": "#/parameters/Cursor" + }, + { + "$ref": "#/parameters/Since" + }, + { + "$ref": "#/parameters/Until" + } + ] + } + }, + "/breach/catalog/{id}": { + "get": { + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "responses": { + "200": { + "description": "success", + "schema": { + "$ref": "#/definitions/Breach_Catalog_Schema" + } + } + }, + "summary": "Get Catalog", + "description": "Get/Retrieve Breach Catalog Information by ID.", + "operationId": "[variables('_operationId-Breach_Catalog_ID')]", + "parameters": [ + { + "$ref": "#/parameters/ID" + } + ] + } + }, + "/breach/data/domains/{domain}": { + "get": { + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "responses": { + "200": { + "description": "success", + "schema": { + "$ref": "#/definitions/Breach_Data_By_Domain_Schema" + } + } + }, + "summary": "Get Breach Data by Domain Search", + "description": "Get Breach Data by Domain Search.", + "operationId": "[[variables('_operationId-Breach_Catalog_Domain')]", + "parameters": [ + { + "$ref": "#/parameters/Domain" + }, + { + "$ref": "#/parameters/Type" + }, + { + "$ref": "#/parameters/Cursor" + }, + { + "$ref": "#/parameters/Since" + }, + { + "$ref": "#/parameters/Until" + }, + { + "$ref": "#/parameters/Since_Modification_Date" + }, + { + "$ref": "#/parameters/Until_Modification_Date" + }, + { + "$ref": "#/parameters/Severity" + }, + { + "$ref": "#/parameters/Source_Id" + }, + { + "$ref": "#/parameters/Salt" + } + ] + } + }, + "/breach/data/emails/{email}": { + "get": { + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "responses": { + "200": { + "description": "success", + "schema": { + "$ref": "#/definitions/Breach_Data_By_Email_Schema" + } + } + }, + "summary": "Get Breach Data by Email Search", + "description": "Get Breach Data by Email Search.", + "operationId": "[[variables('_operationId-Breach_Data_Email')]", + "parameters": [ + { + "$ref": "#/parameters/Email" + }, + { + "$ref": "#/parameters/Cursor" + }, + { + "$ref": "#/parameters/Since" + }, + { + "$ref": "#/parameters/Until" + }, + { + "$ref": "#/parameters/Since_Modification_Date" + }, + { + "$ref": "#/parameters/Until_Modification_Date" + }, + { + "$ref": "#/parameters/Severity" + }, + { + "$ref": "#/parameters/Source_Id" + }, + { + "$ref": "#/parameters/Salt" + } + ] + } + }, + "/breach/data/ips/{ip}": { + "get": { + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "responses": { + "200": { + "description": "success", + "schema": { + "$ref": "#/definitions/Breach_Data_By_IP_Schema" + } + } + }, + "summary": "Get Breach Data by IP Address", + "description": "Get Breach Data by IP Address.", + "operationId": "[[variables('_operationId-Breach_Data_IP_Address')]", + "parameters": [ + { + "$ref": "#/parameters/IP" + }, + { + "$ref": "#/parameters/Cursor" + }, + { + "$ref": "#/parameters/Since" + }, + { + "$ref": "#/parameters/Until" + }, + { + "$ref": "#/parameters/Since_Modification_Date" + }, + { + "$ref": "#/parameters/Until_Modification_Date" + }, + { + "$ref": "#/parameters/Severity" + }, + { + "$ref": "#/parameters/Source_Id" + }, + { + "$ref": "#/parameters/Salt" + } + ] + } + }, + "/breach/data/passwords/{password}": { + "get": { + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "responses": { + "200": { + "description": "success", + "schema": { + "$ref": "#/definitions/Breach_Data_By_Password_Schema" + } + } + }, + "summary": "Get Breach Data by Password Search", + "description": "Get Breach Data by Password Search.", + "operationId": "[[variables('_operationId-Breach_Data_Password')]", + "parameters": [ + { + "$ref": "#/parameters/Password" + }, + { + "$ref": "#/parameters/Cursor" + }, + { + "$ref": "#/parameters/Since" + }, + { + "$ref": "#/parameters/Until" + }, + { + "$ref": "#/parameters/Since_Modification_Date" + }, + { + "$ref": "#/parameters/Until_Modification_Date" + }, + { + "$ref": "#/parameters/Severity" + }, + { + "$ref": "#/parameters/Source_Id" + }, + { + "$ref": "#/parameters/Salt" + } + ] + } + }, + "/breach/data/usernames/{username}": { + "get": { + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "responses": { + "200": { + "description": "success", + "schema": { + "$ref": "#/definitions/Breach_Data_By_Username_Schema" + } + } + }, + "summary": "Get Breach Data by Username Search", + "description": "Get Breach Data by Username Search.", + "operationId": "[[variables('_operationId-Breach_Data_Username')]", + "parameters": [ + { + "$ref": "#/parameters/Username" + }, + { + "$ref": "#/parameters/Cursor" + }, + { + "$ref": "#/parameters/Since" + }, + { + "$ref": "#/parameters/Until" + }, + { + "$ref": "#/parameters/Since_Modification_Date" + }, + { + "$ref": "#/parameters/Until_Modification_Date" + }, + { + "$ref": "#/parameters/Severity" + }, + { + "$ref": "#/parameters/Source_Id" + }, + { + "$ref": "#/parameters/Salt" + } + ] + } + }, + "/breach/data/watchlist": { + "get": { + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "responses": { + "200": { + "description": "success", + "schema": { + "$ref": "#/definitions/Breach_Data_By_Watchlist_Schema" + } + } + }, + "summary": "Get Breach Data for Entire Watchlist", + "description": "Get Breach Data for Entire Watchlist.", + "operationId": "[[variables('_operationId-Breach_Data_Watchlist')]", + "parameters": [ + { + "$ref": "#/parameters/Type" + }, + { + "$ref": "#/parameters/Watchlist_Type" + }, + { + "$ref": "#/parameters/Cursor" + }, + { + "$ref": "#/parameters/Since" + }, + { + "$ref": "#/parameters/Until" + }, + { + "$ref": "#/parameters/Since_Modification_Date" + }, + { + "$ref": "#/parameters/Until_Modification_Date" + }, + { + "$ref": "#/parameters/Severity" + }, + { + "$ref": "#/parameters/Source_Id" + }, + { + "$ref": "#/parameters/Salt" + } + ] + } + }, + "/compass/devices": { + "get": { + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "responses": { + "200": { + "description": "success", + "schema": { + "$ref": "#/definitions/Compass_Devices_List_Schema" + } + } + }, + "summary": "Get Compass Devices List", + "description": "Get Compass Devices List.", + "operationId": "[[variables('_operationId-Compass_Devices_List')]", + "parameters": [ + { + "$ref": "#/parameters/Source_Id" + }, + { + "$ref": "#/parameters/Since" + }, + { + "$ref": "#/parameters/Until" + }, + { + "$ref": "#/parameters/Since_Infected" + }, + { + "$ref": "#/parameters/Until_Infected" + } + ] + } + }, + "/compass/data/devices/{infected_machine_id}": { + "get": { + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "responses": { + "200": { + "description": "success", + "schema": { + "$ref": "#/definitions/Compass_Devices_Data_Schema" + } + } + }, + "summary": "Get Compass Devices Data", + "description": "Get Compass Devices Data.", + "operationId": "[[variables('_operationId-Compass_Devices_Data')]", + "parameters": [ + { + "$ref": "#/parameters/Infected_Machine_Id" + }, + { + "$ref": "#/parameters/Cursor" + }, + { + "$ref": "#/parameters/Salt" + } + ] + } + }, + "/compass/data/applications/{target_application}": { + "get": { + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "responses": { + "200": { + "description": "success", + "schema": { + "$ref": "#/definitions/Compass_Applications_Data_Schema" + } + } + }, + "summary": "Get Compass Applications Data", + "description": "Get Compass Applications Data.", + "operationId": "[[variables('_operationId-Compass_Applications_Data')]", + "parameters": [ + { + "$ref": "#/parameters/Target_Application" + }, + { + "$ref": "#/parameters/Source_Id" + }, + { + "$ref": "#/parameters/Since" + }, + { + "$ref": "#/parameters/Until" + }, + { + "$ref": "#/parameters/Salt" + } + ] + } + }, + "/compass/data": { + "get": { + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "responses": { + "200": { + "description": "success", + "schema": { + "$ref": "#/definitions/Compass_Applications_Data_Schema" + } + } + }, + "summary": "Get Compass Data", + "description": "Get Compass Data.", + "operationId": "[[variables('_operationId-Compass_Data')]", + "parameters": [ + { + "$ref": "#/parameters/Source_Id" + }, + { + "$ref": "#/parameters/Since" + }, + { + "$ref": "#/parameters/Until" + }, + { + "$ref": "#/parameters/Since_Infected" + }, + { + "$ref": "#/parameters/Until_Infected" + }, + { + "$ref": "#/parameters/Compass_Type" + }, + { + "$ref": "#/parameters/Cursor" + }, + { + "$ref": "#/parameters/Salt" + } + ] + } + } + }, + "x-ms-connector-metadata": [ + { + "propertyName": "Website", + "propertyValue": "http://www.spycloud.com/" + }, + { + "propertyName": "Privacy policy", + "propertyValue": "https://www.spycloud.com/company/privacy-policy/" + }, + { + "propertyName": "Categories", + "propertyValue": "Security;Website" + } + ], + "definitions": { + "Breach_Catalog_Schema": { + "type": "object", + "properties": { + "cursor": { + "type": "string", + "description": "cursor", + "title": "Cursor" + }, + "hits": { + "type": "number", + "description": "hits", + "title": "Hits" + }, + "results": { + "type": "array", + "items": { + "type": "object", + "properties": { + "title": { + "type": "string", + "description": "Breach title. For each ingested breach our security research team documents a breach title. This is only available when we can disclose the breach details, otherwise it will have a generic title.", + "title": "Title" + }, + "spycloud_publish_date": { + "type": "string", + "description": "The date on which we ingested the breached data into our systems. This is the same date on which the data becomes publicly available to our customers.", + "title": "Spycloud Publish Date" + }, + "description": { + "type": "string", + "description": "Breach description. For each ingested breach our security research team documents a breach description. This is only available when we can disclose the breach details, otherwise it will have a generic description.", + "title": "Description" + }, + "site_description": { + "type": "string", + "description": "Description of the breached organization, when available.", + "title": "Site Description" + }, + "site": { + "type": "string", + "description": "Website of breached organization, when available.", + "title": "Site" + }, + "confidence": { + "type": "number", + "description": "Numerical score representing the confidence in the source of the breach.", + "title": "Confidence" + }, + "id": { + "type": "number", + "description": "Numerical breach ID. This number correlates to source_id data point found in breach records.", + "title": "Id" + }, + "premium_flag": { + "type": "string", + "description": "premium flag.", + "title": "Premium Flag" + }, + "acquisition_date": { + "type": "string", + "description": "The date on which our security research team first acquired the breached data.", + "title": "Acquisition Date" + }, + "uuid": { + "type": "string", + "description": "UUID v4 encoded version of breach ID. This is relevant for users of Firehose, where each deliverable (records file) is named using the breach UUID.", + "title": "UUID" + }, + "type": { + "type": "string", + "description": "Denotes if a breach is considered public or private. A public breach is one that is easily found on the internet, while a private breach is often exclusive to SpyCloud.", + "title": "Type" + }, + "num_records": { + "type": "number", + "description": "Number of records we parsed and ingested from this particular breach. This is after parsing, normalization and deduplication take place.", + "title": "Number of Records" + }, + "assets": { + "type": "object", + "properties": { + "target_url": { + "type": "string", + "description": "URL extracted from Botnet data. This is the URL that is captured from a key logger installed on an infected user's system.", + "title": "Target Url" + }, + "av_softwares": { + "type": "number", + "description": "List of AV software found installed on the infected user's system.", + "title": "AV Softwares" + }, + "infected_time": { + "type": "number", + "description": "The time at which the user's system was infected with malicious software.", + "title": "Infected Time" + }, + "infected_machine_id": { + "type": "number", + "description": "The unique id of the infected user's system.", + "title": "Infected Machine Id" + }, + "country_code": { + "type": "number", + "description": "Country code; derived from country.", + "title": "Country Code" + }, + "ip_addresses": { + "type": "string", + "description": "List of one or more IP addresses in alphanumeric format. Both IPV4 and IPv6 addresses are supported.", + "title": "IP Addresses" + }, + "user_browser": { + "type": "string", + "description": "Browser name.", + "title": "User Browser" + }, + "user_sys_registered_owner": { + "type": "string", + "description": "System registered owner name. This usually comes from Botnet data.", + "title": "User System Registered Owner" + }, + "keyboard_languages": { + "type": "string", + "description": "The keyboard language found in the OS. This usually comes from Botnet data.", + "title": "Keyboard Languages" + }, + "user_hostname": { + "type": "string", + "description": "System hostname. This usually comes from Botnet data.", + "title": "User Hostname" + }, + "password": { + "type": "string", + "description": "Account password.", + "title": "Password" + }, + "email": { + "type": "string", + "description": "Email address.", + "title": "Password" + }, + "user_os": { + "type": "string", + "description": "System OS name. This usually comes from Botnet data.", + "title": "User OS" + }, + "country": { + "type": "string", + "description": "Country name.", + "title": "Country" + }, + "username": { + "type": "string", + "description": "Username.", + "title": "Username" + }, + "infected_path": { + "type": "string", + "description": "The local path to the malicious software installed on the infected user's system.", + "title": "Infected Path" + } + } + } + }, + "description": "Catalog Breach Results Object" + } + } + }, + "description": "Catalog Breach Data Response" + }, + "Breach_Data_By_Domain_Schema": { + "type": "object", + "properties": { + "cursor": { + "type": "string", + "description": "cursor", + "title": "Cursor" + }, + "hits": { + "type": "number", + "description": "hits", + "title": "Hits" + }, + "results": { + "type": "array", + "items": { + "type": "object", + "properties": { + "source_id": { + "type": "number", + "description": "Numerical breach ID. This correlates directly with the id field in Breach Catalog objects.", + "title": "Source ID" + }, + "email": { + "type": "string", + "description": "Email address.", + "title": "Email Address." + }, + "full_name": { + "type": "string", + "description": "Full name.", + "title": "Full Name" + }, + "spycloud_publish_date": { + "type": "string", + "description": "The date on which we ingested the breached data into our systems. This is the same date on which the data becomes publicly available to our customers.", + "title": "Spycloud Publish Date" + }, + "email_domain": { + "type": "string", + "description": "Domain extracted from 'email_address' field. This is not a SLD, but everything after the '@' symbol.", + "title": "Email Domain" + }, + "email_username": { + "type": "string", + "description": "Username extracted from 'email' field. This is everything before the '@' symbol.", + "title": "Email Username" + }, + "severity": { + "type": "number", + "description": "Severity is a numeric code representing severity of a breach record. This can be used in API requests to ensure only Breach Records with plaintext password are returned.", + "title": "Severity" + }, + "document_id": { + "type": "string", + "description": "UUID v4 string which uniquely identifies this breach record in our data set.", + "title": "Document ID" + } + } + }, + "description": "Domain Breach Results Object" + } + }, + "description": "Domain Breach Data Response" + }, + "Breach_Data_By_Email_Schema": { + "type": "object", + "properties": { + "cursor": { + "type": "string", + "description": "cursor", + "title": "Cursor" + }, + "hits": { + "type": "number", + "description": "hits", + "title": "Hits" + }, + "results": { + "type": "array", + "items": { + "type": "object", + "properties": { + "email": { + "type": "string", + "description": "Email address.", + "title": "Email Address." + }, + "username": { + "type": "string", + "description": "User name.", + "title": "Username" + }, + "password": { + "type": "string", + "description": "Account password.", + "title": "Password" + }, + "password_plaintext": { + "type": "string", + "description": "The cracked, plaintext version of the password (where the password is crackable).", + "title": "Password Plaintext" + }, + "password_type": { + "type": "string", + "description": "Password type for original password as found in the data breach. This will either be plaintext or one of the many password hash/encryption types (SHA1, MD5, 3DES, etc).", + "title": "Password Type" + }, + "target_url": { + "type": "string", + "description": "URL extracted from Botnet data. This is the URL that is captured from a key logger installed on an infected user's system.", + "title": "Target URL" + }, + "user_browser": { + "type": "string", + "description": "Browser name.", + "title": "User Browser" + }, + "ip_addresses": { + "type": "string", + "description": "List of one or more IP addresses in alphanumeric format. Both IPV4 and IPv6 addresses are supported.", + "title": "IP Addressess" + }, + "infected_machine_id": { + "type": "string", + "description": "The unique id of the infected user's system.", + "title": "Infected Machine Id" + }, + "infected_path": { + "type": "string", + "description": "The local path to the malicious software installed on the infected user's system.", + "title": "Infected Path" + }, + "infected_time": { + "type": "string", + "description": "The time at which the user's system was infected with malicious software.", + "title": "Infected Time" + }, + "user_sys_domain": { + "type": "string", + "description": "System domain. This usually comes from Botnet data.", + "title": "User System Domain" + }, + "user_hostname": { + "type": "string", + "description": "System hostname. This usually comes from Botnet data.", + "title": "User Hostname" + }, + "user_os": { + "type": "string", + "description": "System OS name. This usually comes from Botnet data.", + "title": "User OS Name" + }, + "user_sys_registered_owner": { + "type": "string", + "description": "System registered owner name. This usually comes from Botnet data.", + "title": "System Registered Owner Name" + }, + "source_id": { + "type": "number", + "description": "Numerical breach ID. This correlates directly with the id field in Breach Catalog objects.", + "title": "Source ID" + }, + "spycloud_publish_date": { + "type": "string", + "description": "The date on which we ingested the breached data into our systems. This is the same date on which the data becomes publicly available to our customers.", + "title": "Spycloud Publish Date" + }, + "email_domain": { + "type": "string", + "description": "Domain extracted from 'email_address' field. This is not a SLD, but everything after the '@' symbol.", + "title": "Email Domain" + }, + "email_username": { + "type": "string", + "description": "Username extracted from 'email' field. This is everything before the '@' symbol.", + "title": "Email Username" + }, + "domain": { + "type": "string", + "description": "Domain name.", + "title": "Domain" + }, + "target_domain": { + "type": "string", + "description": "SLD extracted from 'target_url' field.", + "title": "Target Domain" + }, + "target_subdomain": { + "type": "string", + "description": "Subdomain and SLD extracted from 'target_url' field.", + "title": "Target Sub Domain" + }, + "severity": { + "type": "number", + "description": "Severity is a numeric code representing severity of a breach record. This can be used in API requests to ensure only Breach Records with plaintext password are returned.", + "title": "Severity" + }, + "document_id": { + "type": "string", + "description": "UUID v4 string which uniquely identifies this breach record in our data set.", + "title": "Document ID" + } + } + }, + "description": "Email Breach Results Object" + } + }, + "description": "Email Breach Data Response" + }, + "Breach_Data_By_IP_Schema": { + "type": "object", + "properties": { + "cursor": { + "type": "string", + "description": "cursor", + "title": "Cursor" + }, + "hits": { + "type": "number", + "description": "hits", + "title": "Hits" + }, + "results": { + "type": "array", + "items": { + "type": "object", + "properties": { + "email": { + "type": "string", + "description": "Email address.", + "title": "Email Address." + }, + "username": { + "type": "string", + "description": "User name.", + "title": "Username" + }, + "password": { + "type": "string", + "description": "Account password.", + "title": "Password" + }, + "password_plaintext": { + "type": "string", + "description": "The cracked, plaintext version of the password (where the password is crackable).", + "title": "Password Plaintext" + }, + "password_type": { + "type": "string", + "description": "Password type for original password as found in the data breach. This will either be plaintext or one of the many password hash/encryption types (SHA1, MD5, 3DES, etc).", + "title": "Password Type" + }, + "target_url": { + "type": "string", + "description": "URL extracted from Botnet data. This is the URL that is captured from a key logger installed on an infected user's system.", + "title": "Target URL" + }, + "user_browser": { + "type": "string", + "description": "Browser name.", + "title": "User Browser" + }, + "ip_addresses": { + "type": "string", + "description": "List of one or more IP addresses in alphanumeric format. Both IPV4 and IPv6 addresses are supported.", + "title": "IP Addressess" + }, + "infected_machine_id": { + "type": "string", + "description": "The unique id of the infected user's system.", + "title": "Infected Machine Id" + }, + "infected_path": { + "type": "string", + "description": "The local path to the malicious software installed on the infected user's system.", + "title": "Infected Path" + }, + "infected_time": { + "type": "string", + "description": "The time at which the user's system was infected with malicious software.", + "title": "Infected Time" + }, + "user_sys_domain": { + "type": "string", + "description": "System domain. This usually comes from Botnet data.", + "title": "User System Domain" + }, + "user_hostname": { + "type": "string", + "description": "System hostname. This usually comes from Botnet data.", + "title": "User Hostname" + }, + "user_os": { + "type": "string", + "description": "System OS name. This usually comes from Botnet data.", + "title": "User OS Name" + }, + "user_sys_registered_owner": { + "type": "string", + "description": "System registered owner name. This usually comes from Botnet data.", + "title": "System Registered Owner Name" + }, + "source_id": { + "type": "number", + "description": "Numerical breach ID. This correlates directly with the id field in Breach Catalog objects.", + "title": "Source ID" + }, + "spycloud_publish_date": { + "type": "string", + "description": "The date on which we ingested the breached data into our systems. This is the same date on which the data becomes publicly available to our customers.", + "title": "Spycloud Publish Date" + }, + "email_domain": { + "type": "string", + "description": "Domain extracted from 'email_address' field. This is not a SLD, but everything after the '@' symbol.", + "title": "Email Domain" + }, + "email_username": { + "type": "string", + "description": "Username extracted from 'email' field. This is everything before the '@' symbol.", + "title": "Email Username" + }, + "domain": { + "type": "string", + "description": "Domain name.", + "title": "Domain" + }, + "target_domain": { + "type": "string", + "description": "SLD extracted from 'target_url' field.", + "title": "Target Domain" + }, + "target_subdomain": { + "type": "string", + "description": "Subdomain and SLD extracted from 'target_url' field.", + "title": "Target Sub Domain" + }, + "severity": { + "type": "number", + "description": "Severity is a numeric code representing severity of a breach record. This can be used in API requests to ensure only Breach Records with plaintext password are returned.", + "title": "Severity" + }, + "document_id": { + "type": "string", + "description": "UUID v4 string which uniquely identifies this breach record in our data set.", + "title": "Document ID" + } + } + }, + "description": "IP Address Breach Results Object" + } + }, + "description": "IP Address Breach Data Response" + }, + "Breach_Data_By_Password_Schema": { + "type": "object", + "properties": { + "cursor": { + "type": "string", + "description": "cursor", + "title": "Cursor" + }, + "hits": { + "type": "number", + "description": "hits", + "title": "Hits" + }, + "results": { + "type": "array", + "items": { + "type": "object", + "properties": { + "source_id": { + "type": "number", + "description": "Numerical breach ID. This correlates directly with the id field in Breach Catalog objects.", + "title": "Source ID" + }, + "email": { + "type": "string", + "description": "Email address.", + "title": "Email Address." + }, + "password": { + "type": "string", + "description": "Account password.", + "title": "Password" + }, + "password_type": { + "type": "string", + "description": "Password type for original password as found in the data breach. This will either be plaintext or one of the many password hash/encryption types (SHA1, MD5, 3DES, etc).", + "title": "Password Type" + }, + "full_name": { + "type": "string", + "description": "Full name.", + "title": "Full Name" + }, + "spycloud_publish_date": { + "type": "string", + "description": "The date on which we ingested the breached data into our systems. This is the same date on which the data becomes publicly available to our customers.", + "title": "Spycloud Publish Date" + }, + "email_domain": { + "type": "string", + "description": "Domain extracted from 'email_address' field. This is not a SLD, but everything after the '@' symbol.", + "title": "Email Domain" + }, + "email_username": { + "type": "string", + "description": "Username extracted from 'email' field. This is everything before the '@' symbol.", + "title": "Email Username" + }, + "domain": { + "type": "string", + "description": "Domain name.", + "title": "Domain" + }, + "password_plaintext": { + "type": "string", + "description": "The cracked, plaintext version of the password (where the password is crackable).", + "title": "Password Plain Text" + }, + "severity": { + "type": "number", + "description": "Severity is a numeric code representing severity of a breach record. This can be used in API requests to ensure only Breach Records with plaintext password are returned.", + "title": "Severity" + }, + "document_id": { + "type": "string", + "description": "UUID v4 string which uniquely identifies this breach record in our data set.", + "title": "Document ID" + } + } + }, + "description": "Password Breach Results Object" + } + }, + "description": "Password Breach Data Response" + }, + "Breach_Data_By_Username_Schema": { + "type": "object", + "properties": { + "cursor": { + "type": "string", + "description": "cursor", + "title": "Cursor" + }, + "hits": { + "type": "number", + "description": "hits", + "title": "Hits" + }, + "results": { + "type": "array", + "items": { + "type": "object", + "properties": { + "email": { + "type": "string", + "description": "Email address.", + "title": "Email Address." + }, + "username": { + "type": "string", + "description": "User name.", + "title": "Username" + }, + "password": { + "type": "string", + "description": "Account password.", + "title": "Password" + }, + "password_plaintext": { + "type": "string", + "description": "The cracked, plaintext version of the password (where the password is crackable).", + "title": "Password Plaintext" + }, + "password_type": { + "type": "string", + "description": "Password type for original password as found in the data breach. This will either be plaintext or one of the many password hash/encryption types (SHA1, MD5, 3DES, etc).", + "title": "Password Type" + }, + "target_url": { + "type": "string", + "description": "URL extracted from Botnet data. This is the URL that is captured from a key logger installed on an infected user's system.", + "title": "Target URL" + }, + "user_browser": { + "type": "string", + "description": "Browser name.", + "title": "User Browser" + }, + "ip_addresses": { + "type": "string", + "description": "List of one or more IP addresses in alphanumeric format. Both IPV4 and IPv6 addresses are supported.", + "title": "IP Addressess" + }, + "infected_machine_id": { + "type": "string", + "description": "The unique id of the infected user's system.", + "title": "Infected Machine Id" + }, + "infected_path": { + "type": "string", + "description": "The local path to the malicious software installed on the infected user's system.", + "title": "Infected Path" + }, + "infected_time": { + "type": "string", + "description": "The time at which the user's system was infected with malicious software.", + "title": "Infected Time" + }, + "user_sys_domain": { + "type": "string", + "description": "System domain. This usually comes from Botnet data.", + "title": "User System Domain" + }, + "user_hostname": { + "type": "string", + "description": "System hostname. This usually comes from Botnet data.", + "title": "User Hostname" + }, + "user_os": { + "type": "string", + "description": "System OS name. This usually comes from Botnet data.", + "title": "User OS Name" + }, + "user_sys_registered_owner": { + "type": "string", + "description": "System registered owner name. This usually comes from Botnet data.", + "title": "System Registered Owner Name" + }, + "source_id": { + "type": "number", + "description": "Numerical breach ID. This correlates directly with the id field in Breach Catalog objects.", + "title": "Source ID" + }, + "spycloud_publish_date": { + "type": "string", + "description": "The date on which we ingested the breached data into our systems. This is the same date on which the data becomes publicly available to our customers.", + "title": "Spycloud Publish Date" + }, + "email_domain": { + "type": "string", + "description": "Domain extracted from 'email_address' field. This is not a SLD, but everything after the '@' symbol.", + "title": "Email Domain" + }, + "email_username": { + "type": "string", + "description": "Username extracted from 'email' field. This is everything before the '@' symbol.", + "title": "Email Username" + }, + "domain": { + "type": "string", + "description": "Domain name.", + "title": "Domain" + }, + "target_domain": { + "type": "string", + "description": "SLD extracted from 'target_url' field.", + "title": "Target Domain" + }, + "target_subdomain": { + "type": "string", + "description": "Subdomain and SLD extracted from 'target_url' field.", + "title": "Target Sub Domain" + }, + "severity": { + "type": "number", + "description": "Severity is a numeric code representing severity of a breach record. This can be used in API requests to ensure only Breach Records with plaintext password are returned.", + "title": "Severity" + }, + "document_id": { + "type": "string", + "description": "UUID v4 string which uniquely identifies this breach record in our data set.", + "title": "Document ID" + } + } + }, + "description": "Username Breach Results Object" + } + }, + "description": "Username Breach Data Response" + }, + "Breach_Data_By_Watchlist_Schema": { + "type": "object", + "properties": { + "cursor": { + "type": "string", + "description": "cursor", + "title": "Cursor" + }, + "hits": { + "type": "number", + "description": "hits", + "title": "Hits" + }, + "results": { + "type": "array", + "items": { + "type": "object", + "properties": { + "username": { + "type": "string", + "description": "User name.", + "title": "Username" + }, + "password": { + "type": "string", + "description": "Account password.", + "title": "Password" + }, + "password_plaintext": { + "type": "string", + "description": "The cracked, plaintext version of the password (where the password is crackable).", + "title": "Password Plaintext" + }, + "password_type": { + "type": "string", + "description": "Password type for original password as found in the data breach. This will either be plaintext or one of the many password hash/encryption types (SHA1, MD5, 3DES, etc).", + "title": "Password Type" + }, + "target_url": { + "type": "string", + "description": "URL extracted from Botnet data. This is the URL that is captured from a key logger installed on an infected user's system.", + "title": "Target URL" + }, + "user_browser": { + "type": "string", + "description": "Browser name.", + "title": "User Browser" + }, + "ip_addresses": { + "type": "string", + "description": "List of one or more IP addresses in alphanumeric format. Both IPV4 and IPv6 addresses are supported.", + "title": "IP Addressess" + }, + "infected_machine_id": { + "type": "string", + "description": "The unique id of the infected user's system.", + "title": "Infected Machine Id" + }, + "infected_path": { + "type": "string", + "description": "The local path to the malicious software installed on the infected user's system.", + "title": "Infected Path" + }, + "infected_time": { + "type": "string", + "description": "The time at which the user's system was infected with malicious software.", + "title": "Infected Time" + }, + "user_sys_domain": { + "type": "string", + "description": "System domain. This usually comes from Botnet data.", + "title": "User System Domain" + }, + "user_hostname": { + "type": "string", + "description": "System hostname. This usually comes from Botnet data.", + "title": "User Hostname" + }, + "user_os": { + "type": "string", + "description": "System OS name. This usually comes from Botnet data.", + "title": "User OS Name" + }, + "user_sys_registered_owner": { + "type": "string", + "description": "System registered owner name. This usually comes from Botnet data.", + "title": "System Registered Owner Name" + }, + "source_id": { + "type": "number", + "description": "Numerical breach ID. This correlates directly with the id field in Breach Catalog objects.", + "title": "Source ID" + }, + "spycloud_publish_date": { + "type": "string", + "description": "The date on which we ingested the breached data into our systems. This is the same date on which the data becomes publicly available to our customers.", + "title": "Spycloud Publish Date" + }, + "target_domain": { + "type": "string", + "description": "SLD extracted from 'target_url' field.", + "title": "Target Domain" + }, + "target_subdomain": { + "type": "string", + "description": "Subdomain and SLD extracted from 'target_url' field.", + "title": "Target Sub Domain" + }, + "severity": { + "type": "number", + "description": "Severity is a numeric code representing severity of a breach record. This can be used in API requests to ensure only Breach Records with plaintext password are returned.", + "title": "Severity" + }, + "document_id": { + "type": "string", + "description": "UUID v4 string which uniquely identifies this breach record in our data set.", + "title": "Document ID" + } + } + }, + "description": "Watchlist Breach Results Object" + } + }, + "description": "Watchlist Breach Data Response" + }, + "Compass_Devices_List_Schema": { + "type": "object", + "properties": { + "hits": { + "type": "number", + "description": "hits", + "title": "Hits" + }, + "results": { + "type": "array", + "items": { + "type": "object", + "properties": { + "infected_device_id": { + "type": "string", + "description": "Infected Device Id.", + "title": "Infected Device Id" + }, + "user_hostname": { + "type": "string", + "description": "System hostname. This usually comes from Botnet data.", + "title": "User Hostname" + }, + "user_os": { + "type": "string", + "description": "System OS name. This usually comes from Botnet data.", + "title": "User OS" + }, + "ip_addresses": { + "type": "string", + "description": "List of one or more IP addresses in alphanumeric format. Both IPV4 and IPv6 addresses are supported.", + "title": "IP Addresses" + }, + "source_id": { + "type": "number", + "description": "Numerical breach ID. This correlates directly with the id field in Breach Catalog objects.", + "title": "Source ID" + }, + "spycloud_publish_date": { + "type": "string", + "description": "The date on which we ingested the breached data into our systems. This is the same date on which the data becomes publicly available to our customers.", + "title": "Spycloud Publish Date" + }, + "infected_time": { + "type": "string", + "description": "The time at which the user's system was infected with malicious software.", + "title": "Infected Time" + }, + "application_count": { + "type": "string", + "description": "Application Count.", + "title": "Application Count" + } + } + }, + "description": "Compass Devices List Results Object" + } + }, + "description": "Compass Devices List Data Response" + }, + "Compass_Devices_Data_Schema": { + "type": "object", + "properties": { + "hits": { + "type": "number", + "description": "hits", + "title": "Hits" + }, + "cursor": { + "type": "string", + "description": "Token used for iterating through multiple pages of results.", + "title": "Cursor" + }, + "results": { + "type": "array", + "items": { + "type": "object", + "properties": { + "user_browser": { + "type": "string", + "description": "Browser Name.", + "title": "User Browser" + }, + "password": { + "type": "string", + "description": "Account password.", + "title": "Password" + }, + "document_id": { + "type": "string", + "description": "UUID v4 string which uniquely identifies this breach record in our data set.", + "title": "Document Id" + }, + "source_id": { + "type": "string", + "description": "Numerical breach ID. This correlates directly with the id field in Breach Catalog objects.", + "title": "Source Id" + }, + "email": { + "type": "string", + "description": "Email address.", + "title": "Email" + }, + "ip_addresses": { + "type": "string", + "description": "List of one or more IP addresses in alphanumeric format. Both IPV4 and IPv6 addresses are supported.", + "title": "IP Addresses" + }, + "country": { + "type": "string", + "description": "Country name.", + "title": "Country" + }, + "infected_machine_id": { + "type": "string", + "description": "The unique id of the infected user's system.", + "title": "Infected Machine Id" + }, + "infected_path": { + "type": "string", + "description": "The local path to the malicious software installed on the infected user's system.", + "title": "Infected Path" + }, + "user_os": { + "type": "string", + "description": "System OS name. This usually comes from Botnet data.", + "title": "USer OS" + }, + "user_hostname": { + "type": "string", + "description": "System hostname. This usually comes from Botnet data.", + "title": "User Hostname" + }, + "user_sys_registered_owner": { + "type": "string", + "description": "System registered owner name. This usually comes from Botnet data.", + "title": "User System Registered Owner" + }, + "keyboard_languages": { + "type": "string", + "description": "The keyboard language found in the OS. This usually comes from Botnet data.", + "title": "Keyboard Languages" + }, + "target_url": { + "type": "string", + "description": "URL extracted from Botnet data. This is the URL that is captured from a key logger installed on an infected user's system.", + "title": "Target URL" + }, + "infected_time": { + "type": "string", + "description": "The time at which the user's system was infected with malicious software.", + "title": "Infected Time" + }, + "spycloud_publish_date": { + "type": "string", + "description": "The date on which this record was ingested into our systems. In ISO 8601 datetime format. This correlates with spycloud_publish_date field in Breach Catalog objects.", + "title": "Spycloud Publish Date" + }, + "email_domain": { + "type": "string", + "description": "Domain extracted from 'email_address' field. This is not a SLD, but everything after the '@' symbol.", + "title": "Email Domain" + }, + "email_username": { + "type": "string", + "description": "Username extracted from 'email' field. This is everything before the '@' symbol.", + "title": "Email Username" + }, + "domain": { + "type": "string", + "description": "Domain name.", + "title": "Domain" + }, + "target_domain": { + "type": "string", + "description": "SLD extracted from 'target_url' field.", + "title": "Target Domain" + }, + "target_subdomain": { + "type": "string", + "description": "Subdomain and SLD extracted from 'target_url' field.", + "title": "Target Subdomain" + }, + "password_type": { + "type": "string", + "description": "Password type for original password as found in the data breach. This will either be plaintext or one of the many password hash/encryption types (SHA1, MD5, 3DES, etc).", + "title": "PAssword Type" + }, + "password_plaintext": { + "type": "string", + "description": "The cracked, plaintext version of the password (where the password is crackable).", + "title": "Password Plaintext" + }, + "country_code": { + "type": "string", + "description": "Country code; derived from country.", + "title": "Country Code" + }, + "severity": { + "type": "string", + "description": "Severity is a numeric code representing severity of a breach record. This can be used in API requests to ensure only Breach Records with plaintext password are returned.", + "title": "Severity" + } + } + }, + "description": "Compass Devices Data Results Object" + } + }, + "description": "Compass Devices Data Response" + }, + "Compass_Applications_Data_Schema": { + "type": "object", + "properties": { + "hits": { + "type": "number", + "description": "hits", + "title": "Hits" + }, + "cursor": { + "type": "string", + "description": "Token used for iterating through multiple pages of results.", + "title": "Cursor" + }, + "results": { + "type": "array", + "items": { + "type": "object", + "properties": { + "user_browser": { + "type": "string", + "description": "Browser Name.", + "title": "User Browser" + }, + "password": { + "type": "string", + "description": "Account password.", + "title": "Password" + }, + "document_id": { + "type": "string", + "description": "UUID v4 string which uniquely identifies this breach record in our data set.", + "title": "Document Id" + }, + "source_id": { + "type": "string", + "description": "Numerical breach ID. This correlates directly with the id field in Breach Catalog objects.", + "title": "Source Id" + }, + "email": { + "type": "string", + "description": "Email address.", + "title": "Email" + }, + "ip_addresses": { + "type": "string", + "description": "List of one or more IP addresses in alphanumeric format. Both IPV4 and IPv6 addresses are supported.", + "title": "IP Addresses" + }, + "country": { + "type": "string", + "description": "Country name.", + "title": "Country" + }, + "infected_machine_id": { + "type": "string", + "description": "The unique id of the infected user's system.", + "title": "Infected Machine Id" + }, + "infected_path": { + "type": "string", + "description": "The local path to the malicious software installed on the infected user's system.", + "title": "Infected Path" + }, + "user_os": { + "type": "string", + "description": "System OS name. This usually comes from Botnet data.", + "title": "USer OS" + }, + "user_hostname": { + "type": "string", + "description": "System hostname. This usually comes from Botnet data.", + "title": "User Hostname" + }, + "user_sys_registered_owner": { + "type": "string", + "description": "System registered owner name. This usually comes from Botnet data.", + "title": "User System Registered Owner" + }, + "keyboard_languages": { + "type": "string", + "description": "The keyboard language found in the OS. This usually comes from Botnet data.", + "title": "Keyboard Languages" + }, + "target_url": { + "type": "string", + "description": "URL extracted from Botnet data. This is the URL that is captured from a key logger installed on an infected user's system.", + "title": "Target URL" + }, + "infected_time": { + "type": "string", + "description": "The time at which the user's system was infected with malicious software.", + "title": "Infected Time" + }, + "spycloud_publish_date": { + "type": "string", + "description": "The date on which this record was ingested into our systems. In ISO 8601 datetime format. This correlates with spycloud_publish_date field in Breach Catalog objects.", + "title": "Spycloud Publish Date" + }, + "email_domain": { + "type": "string", + "description": "Domain extracted from 'email_address' field. This is not a SLD, but everything after the '@' symbol.", + "title": "Email Domain" + }, + "email_username": { + "type": "string", + "description": "Username extracted from 'email' field. This is everything before the '@' symbol.", + "title": "Email Username" + }, + "domain": { + "type": "string", + "description": "Domain name.", + "title": "Domain" + }, + "target_domain": { + "type": "string", + "description": "SLD extracted from 'target_url' field.", + "title": "Target Domain" + }, + "target_subdomain": { + "type": "string", + "description": "Subdomain and SLD extracted from 'target_url' field.", + "title": "Target Subdomain" + }, + "password_type": { + "type": "string", + "description": "Password type for original password as found in the data breach. This will either be plaintext or one of the many password hash/encryption types (SHA1, MD5, 3DES, etc).", + "title": "PAssword Type" + }, + "password_plaintext": { + "type": "string", + "description": "The cracked, plaintext version of the password (where the password is crackable).", + "title": "Password Plaintext" + }, + "country_code": { + "type": "string", + "description": "Country code; derived from country.", + "title": "Country Code" + }, + "severity": { + "type": "string", + "description": "Severity is a numeric code representing severity of a breach record. This can be used in API requests to ensure only Breach Records with plaintext password are returned.", + "title": "Severity" + } + } + }, + "description": "Compass Application Data Results Object" + } + }, + "description": "Compass Application Data Response" + } + }, + "parameters": { + "Infected_Machine_Id": { + "name": "infected_machine_id", + "in": "path", + "required": true, + "type": "string", + "description": "One or more comma delimited Infected Machine ID to search for compass breach records.", + "x-ms-summary": "Infected Machine Id" + }, + "Target_Application": { + "name": "target_application", + "in": "path", + "required": true, + "type": "string", + "description": "One or more comma delimited Compass target application (subdomain or domain) to search for.", + "x-ms-summary": "Target Application" + }, + "ID": { + "name": "id", + "in": "path", + "required": true, + "type": "string", + "description": "Numerical ID of the breach. Both integer and UUIDv4 ID formats are supported. You may also use a comma delimiter to request more than one breach at a time.", + "x-ms-summary": "ID" + }, + "Domain": { + "name": "domain", + "in": "path", + "required": true, + "type": "string", + "description": "Domain or Subdomain name to search for.", + "x-ms-summary": "Domain" + }, + "Email": { + "name": "email", + "in": "path", + "required": true, + "type": "string", + "description": "Email address to search for.", + "x-ms-summary": "Email Address" + }, + "IP": { + "name": "ip", + "in": "path", + "required": true, + "type": "string", + "description": "IP address or network CIDR notation to search for. For CIDR notation, use an underscore instead of a slash.", + "x-ms-summary": "IP Address" + }, + "Password": { + "name": "password", + "in": "path", + "required": true, + "type": "string", + "description": "Password you wish to search for.", + "x-ms-summary": "Password" + }, + "Username": { + "name": "username", + "in": "path", + "required": true, + "type": "string", + "description": "Username you wish to search for.", + "x-ms-summary": "Username" + }, + "Query": { + "name": "query", + "in": "query", + "required": false, + "type": "string", + "description": "Query value to search the breach catalog for.", + "x-ms-summary": "Query" + }, + "Type": { + "name": "type", + "in": "query", + "required": false, + "type": "string", + "description": "This parameter lets you filter results by several types. The allowed values are 'corporate' for corporate records, and 'infected' for infected user records, email_domain to just match against email domains, and target_domain to just match against target domains or subdomains. If no value has been provided the API function will, by default, return all record types.", + "x-ms-summary": "Type", + "enum": [ + "corporate", + "infected", + "email_domain", + "target_domain" + ] + }, + "Compass_Type": { + "name": "type", + "in": "query", + "required": false, + "type": "string", + "description": "This parameter will return records that are verified or unverified, meaning those that matched the watchlist or not. By default if type is not used, both types will be returned.", + "x-ms-summary": "Type", + "enum": [ + "verified", + "unverified" + ] + }, + "Watchlist_Type": { + "name": "watchlist_type", + "in": "query", + "required": false, + "type": "string", + "description": "This parameters lets you filter results for only emails or only domains on your watchlist. The allowed values are: ['email', 'domain', 'subdomain', 'ip']. If no value has been provided, the API will return all watchlist types.", + "x-ms-summary": "Watchlist Type", + "enum": [ + "email", + "domain", + "subdomain", + "ip" + ] + }, + "Cursor": { + "name": "cursor", + "in": "query", + "required": false, + "type": "string", + "description": "Token used for iterating through multiple pages of results.", + "x-ms-summary": "Cursor" + }, + "Since": { + "name": "since", + "in": "query", + "required": false, + "type": "string", + "description": "This parameter allows you to define the starting point for a date range query on the spycloud_publish_date field.", + "x-ms-summary": "Since(YYYY-MM-DD)" + }, + "Until": { + "name": "until", + "in": "query", + "required": false, + "type": "string", + "description": "This parameter allows you to define the ending point for a date range query on the spycloud_publish_date field.", + "x-ms-summary": "Until(YYYY-MM-DD)" + }, + "Since_Modification_Date": { + "name": "since_modification_date", + "in": "query", + "required": false, + "type": "string", + "description": "This parameter allows you to define the starting point for a date range query on the when an already published record was modified (record_modification_date).", + "x-ms-summary": "Since Modification Date(YYYY-MM-DD)" + }, + "Until_Modification_Date": { + "name": "until_modification_date", + "in": "query", + "required": false, + "type": "string", + "description": "This parameter allows you to define the ending point for a date range query on the when an already published record was modified (record_modification_date).", + "x-ms-summary": "Until Modification Date(YYYY-MM-DD)" + }, + "Severity": { + "name": "severity", + "in": "query", + "required": false, + "type": "string", + "description": "This parameter allows you to filter based on the numeric severity code.", + "x-ms-summary": "Severity" + }, + "Source_Id": { + "name": "source_id", + "in": "query", + "required": false, + "type": "number", + "description": "This parameter allows you to filter based on a particular breach source.", + "x-ms-summary": "Source Id" + }, + "Salt": { + "name": "salt", + "in": "query", + "required": false, + "type": "string", + "description": "If hashing is enabled for your API key, you have the option to provide a 10 to 24 character, high entropy salt otherwise the pre-configured salt will be used.", + "x-ms-summary": "Salt" + }, + "Since_Infected": { + "name": "since_infected", + "in": "query", + "required": false, + "type": "string", + "description": "This parameter allows you to define the starting point for a date range query on the infected_time..", + "x-ms-summary": "Since Infected(YYYY-MM-DD)" + }, + "Until_Infected": { + "name": "until_infected", + "in": "query", + "required": false, + "type": "string", + "description": "This parameter allows you to define the ending point for a date range query on the infected_time field.", + "x-ms-summary": "Until Infected(YYYY-MM-DD)" + } + }, + "securityDefinitions": { + "API Key": { + "type": "apiKey", + "in": "header", + "name": "X-API-Key" + } + }, + "security": [ + { + "API Key": "[variables('TemplateEmptyArray')]" + } + ], + "tags": "[variables('TemplateEmptyArray')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[[concat(variables('workspace-name'),'/Microsoft.SecurityInsights/',concat('LogicAppsCustomConnector-', last(split(variables('playbookId1'),'/'))))]", + "properties": { + "parentId": "[[variables('playbookId1')]", + "contentId": "[variables('_playbookContentId1')]", + "kind": "LogicAppsCustomConnector", + "version": "[variables('playbookVersion1')]", + "source": { + "kind": "Solution", + "name": "SpyCloud Enterprise Protection", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "SpyCloud" + }, + "support": { + "name": "Spycloud", + "email": "integrations@spycloud.com", + "tier": "Partner", + "link": "https://portal.spycloud.com" + } + } + } + ], + "metadata": { + "comments": "SpyCloud Enterprise Protection Custom Connector", + "lastUpdateTime": "2023-09-12T17:32:15.907Z", + "releaseNotes": { + "version": "1.0", + "title": "[variables('blanks')]", + "notes": [ + "Initial version" + ] + } + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId1')]", + "contentKind": "LogicAppsCustomConnector", + "displayName": "Custom Connector", + "contentProductId": "[variables('_playbookcontentProductId1')]", + "id": "[variables('_playbookcontentProductId1')]", + "version": "[variables('playbookVersion1')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName2')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "SpyCloud-Breach-Playbook Playbook with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion2')]", + "parameters": { + "PlaybookName": { + "defaultValue": "SpyCloud-Breach-Playbook", + "type": "string", + "metadata": { + "description": "Name of the Logic App/Playbook" + } + } + }, + "variables": { + "AzureSentinelConnectionName": "[[concat('azuresentinel-', parameters('PlaybookName'))]", + "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", + "_connection-1": "[[variables('connection-1')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('AzureSentinelConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('AzureSentinelConnectionName')]", + "parameterValueType": "Alternative", + "api": { + "id": "[[variables('_connection-1')]" + } + } + }, + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2017-07-01", + "name": "[[parameters('PlaybookName')]", + "location": "[[variables('workspace-location-inline')]", + "identity": { + "type": "SystemAssigned" + }, + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]" + ], + "properties": { + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + } + }, + "triggers": { + "Microsoft_Sentinel_incident_2": { + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "path": "/incident-creation" + } + } + }, + "actions": { + "Account_Name": { + "runAfter": { + "Incident_Email_Account": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "account_name", + "type": "string" + } + ] + } + }, + "Astriek_Variable": { + "runAfter": { + "UPN_Suffix_": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "astriek", + "type": "string", + "value": "@" + } + ] + } + }, + "Check_if_the_incident_is_created_by_SpyCloud_Breach": { + "actions": { + "Entities_-_Get_Accounts": { + "type": "ApiConnection", + "inputs": { + "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/entities/account" + } + }, + "For_each_account": { + "foreach": "@body('Entities_-_Get_Accounts')?['Accounts']", + "actions": { + "Set__upn_suffix": { + "runAfter": { + "Set_account_name": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "upn_suffix", + "value": "@items('For_each_account')?['UPNSuffix']" + } + }, + "Set_account_name": { + "type": "SetVariable", + "inputs": { + "name": "account_name", + "value": "@items('For_each_account')?['Name']" + } + }, + "set_email_address": { + "runAfter": { + "Set__upn_suffix": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "incident_email_address", + "value": "@{concat(variables('account_name'),concat(variables('astriek'),variables('upn_suffix')))}" + } + } + }, + "runAfter": { + "Entities_-_Get_Accounts": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "For_each_incident_alert": { + "foreach": "@triggerBody()?['object']?['properties']?['Alerts']", + "actions": { + "Add_comment_to_incident_(V3)": { + "runAfter": { + "Check_if_the_exposed_password_is_in_use_on_the_network": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

Breach Playbook successful

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Check_if_password_exists_in_the_incident": { + "actions": { + "Set_Incident_Password": { + "type": "SetVariable", + "inputs": { + "name": "incident_password", + "value": "@{variables('incident_custom_details_object')?['Password']}" + } + }, + "Set_variable": { + "runAfter": { + "Set_Incident_Password": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "incident_plain_text_password", + "value": "@{replace(replace(variables('incident_password'),'[\"',''),'\"]','')}" + } + } + }, + "runAfter": { + "Set_custom_details_object": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@variables('incident_custom_details_object')?['Password']", + "@null" + ] + } + } + ] + }, + "type": "If" + }, + "Check_if_pwd_length_is_greater_than_required_length_by_organization": { + "runAfter": { + "Check_if_password_exists_in_the_incident": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "equals": [ + "", + "" + ] + } + ] + }, + "type": "If" + }, + "Check_if_the_exposed_password_is_in_use_on_the_network": { + "runAfter": { + "Check_if_the_user_is_currently_an_active_employee": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "equals": [ + "", + "" + ] + } + ] + }, + "type": "If" + }, + "Check_if_the_user_is_currently_an_active_employee": { + "runAfter": { + "Check_if_pwd_length_is_greater_than_required_length_by_organization": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "equals": [ + "", + "" + ] + } + ] + }, + "type": "If" + }, + "Set_custom_details_object": { + "type": "SetVariable", + "inputs": { + "name": "incident_custom_details_object", + "value": "@json(items('For_each_incident_alert')?['properties']?['additionalData']?['Custom Details'])" + } + } + }, + "runAfter": { + "For_each_account": [ + "Succeeded" + ] + }, + "type": "Foreach" + } + }, + "runAfter": { + "Incident_Custom_Details_Object": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "equals": [ + "@triggerBody()?['object']?['properties']?['title']", + "@variables('incident_name')" + ] + } + ] + }, + "type": "If" + }, + "IP_address": { + "runAfter": { + "Outputs_Variable": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "ip_address", + "type": "string" + } + ] + } + }, + "Incident_Custom_Details_Object": { + "runAfter": { + "IP_address": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "incident_custom_details_object", + "type": "object" + } + ] + } + }, + "Incident_Email_Account": { + "runAfter": { + "Incident_Plain_Text_Password": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "incident_email_address", + "type": "string" + } + ] + } + }, + "Incident_Name": { + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "incident_name", + "type": "string", + "value": "SpyCloud Enterprise Breach Detection" + } + ] + } + }, + "Incident_Password": { + "runAfter": { + "Incident_Name": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "incident_password", + "type": "string" + } + ] + } + }, + "Incident_Plain_Text_Password": { + "runAfter": { + "Incident_Password": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "incident_plain_text_password", + "type": "string" + } + ] + } + }, + "Outputs_Variable": { + "runAfter": { + "Astriek_Variable": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "password_enrich_data", + "type": "array" + } + ] + } + }, + "UPN_Suffix_": { + "runAfter": { + "Account_Name": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "upn_suffix", + "type": "string" + } + ] + } + } + } + }, + "parameters": { + "$connections": { + "value": { + "azuresentinel": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", + "connectionName": "[[variables('AzureSentinelConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + } + } + } + } + }, + "tags": { + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId2'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId2')]", + "contentId": "[variables('_playbookContentId2')]", + "kind": "Playbook", + "version": "[variables('playbookVersion2')]", + "source": { + "kind": "Solution", + "name": "SpyCloud Enterprise Protection", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "SpyCloud" + }, + "support": { + "name": "Spycloud", + "email": "integrations@spycloud.com", + "tier": "Partner", + "link": "https://portal.spycloud.com" + } + } + } + ], + "metadata": { + "title": "SpyCloud BReach Information - SpyCloud Enterprise", + "description": "This Playbook will be triggered when an spycloud breach incident is created.", + "prerequisites": "SpyCloud Enterprise API Key.", + "lastUpdateTime": "2022-09-05T00:00:00Z", + "entities": [ + "ACCOUNT" + ], + "tags": [ + "Enrichment" + ], + "releaseNotes": { + "version": "1.0", + "title": "[variables('blanks')]", + "notes": [ + "Initial version" + ] + } + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId2')]", + "contentKind": "Playbook", + "displayName": "SpyCloud-Breach-Playbook", + "contentProductId": "[variables('_playbookcontentProductId2')]", + "id": "[variables('_playbookcontentProductId2')]", + "version": "[variables('playbookVersion2')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName3')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "SpyCloud-Get-Domain-Breach-Data-Playbook Playbook with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion3')]", + "parameters": { + "PlaybookName": { + "defaultValue": "SpyCloud-Get-Domain-Breach-Data-Playbook", + "type": "string", + "metadata": { + "description": "Name of the Logic App/Playbook" + } + }, + "SpyCloud_Enterprise_Connector_Name": { + "defaultValue": "SpyCloud-Enterprise-Protection", + "type": "String", + "metadata": { + "description": "SpyCloud Enterprise custom connector name" + } + } + }, + "variables": { + "SpyCloudEnterpriseConnectionName": "[[concat('spycloudconnector-', parameters('PlaybookName'))]", + "AzureSentinelConnectionName": "[[concat('azuresentinel-', parameters('PlaybookName'))]", + "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", + "_connection-1": "[[variables('connection-1')]", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('SpyCloud_Enterprise_Connector_Name'))]", + "_connection-2": "[[variables('connection-2')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('AzureSentinelConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('AzureSentinelConnectionName')]", + "parameterValueType": "Alternative", + "api": { + "id": "[[variables('_connection-1')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('SpyCloudEnterpriseConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "properties": { + "displayName": "[[variables('SpyCloudEnterpriseConnectionName')]", + "api": { + "id": "[[variables('_connection-2')]" + } + } + }, + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2017-07-01", + "name": "[[parameters('PlaybookName')]", + "location": "[[variables('workspace-location-inline')]", + "identity": { + "type": "SystemAssigned" + }, + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('SpyCloudEnterpriseConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]" + ], + "properties": { + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + } + }, + "triggers": { + "Microsoft_Sentinel_incident_2": { + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "path": "/incident-creation" + } + } + }, + "actions": { + "Entities_-_Get_DNS": { + "runAfter": { + "IP_address": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/entities/dnsresolution" + } + }, + "For_Each_Incident_DNS_Domain": { + "foreach": "@body('Entities_-_Get_DNS')?['Dnsresolutions']", + "actions": { + "Check_if_records_exists": { + "actions": { + "Add_comment_to_incident_(V3)": { + "runAfter": { + "Check_number_of_Records": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

SpyCloud Breach Data for Domain @{items('For_Each_Incident_DNS_Domain')?['DomainName']}@{body('Create_HTML_table')}@{variables('more_records_display_text')}

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Check_number_of_Records": { + "actions": { + "set_more_records_display_text": { + "type": "SetVariable", + "inputs": { + "name": "more_records_display_text", + "value": "Showing @{variables('min_records')} records out of @{variables('total_records')} records, for more information visit https://portal.spycloud.com/" + } + } + }, + "runAfter": { + "Create_HTML_table": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "greater": [ + "@variables('total_records')", + "@variables('min_records')" + ] + } + ] + }, + "type": "If" + }, + "Create_HTML_table": { + "runAfter": { + "For_each_response": [ + "Succeeded" + ] + }, + "type": "Table", + "inputs": { + "format": "HTML", + "from": "@variables('domain_breach_data_array')" + } + }, + "For_each_response": { + "foreach": "@take(body('Get_Breach_Data_by_Domain_Search')?['results'],variables('min_records'))", + "actions": { + "Append_to_array_variable": { + "runAfter": { + "Compose": [ + "Succeeded" + ] + }, + "type": "AppendToArrayVariable", + "inputs": { + "name": "Domain_Breach_Data_Array", + "value": "@outputs('Compose')" + } + }, + "Compose": { + "runAfter": { + "Condition": [ + "Succeeded" + ] + }, + "type": "Compose", + "inputs": { + "Document Id": "@items('For_each_response')?['document_id']", + "Domain": "@items('For_each_response')?['domain']", + "Email": "@items('For_each_response')?['email']", + "IP Addresses": "@substring(variables('ip_address'),0,sub(length(variables('ip_address')),1))", + "Infected Machine Id": "@items('For_each_response')?['infected_machine_id']", + "Infected Path": "@items('For_each_response')?['infected_path']", + "Infected Time": "@items('For_each_response')?['infected_time']", + "Password": "@items('For_each_response')?['password']", + "Password Plaintext": "@items('For_each_response')?['password_plaintext']", + "Severity": "@items('For_each_response')?['severity']", + "Source Id": "@items('For_each_response')?['source_id']", + "Spycloud Publish Date": "@items('For_each_response')?['spycloud_publish_date']", + "Target Domain": "@items('For_each_response')?['target_domain']", + "Target Subdomain": "@items('For_each_response')?['target_subdomain']", + "Target Url": "@items('For_each_response')?['target_url']", + "User Hostname": "@items('For_each_response')?['user_hostname']", + "User OS": "@items('For_each_response')?['user_os']", + "Username": "@items('For_each_response')?['username']" + } + }, + "Condition": { + "actions": { + "For_each_ip": { + "foreach": "@items('For_each_response')?['ip_addresses']", + "actions": { + "Append_to_string_variable": { + "type": "AppendToStringVariable", + "inputs": { + "name": "ip_address", + "value": "@{items('For_each_ip')}," + } + } + }, + "type": "Foreach" + } + }, + "runAfter": { + "Set_variable": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@items('For_each_response')?['ip_addresses']", + "@null" + ] + } + } + ] + }, + "type": "If" + }, + "Set_variable": { + "type": "SetVariable", + "inputs": { + "name": "ip_address", + "value": " " + } + } + }, + "runAfter": { + "Set_more_records_to_empty": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Set_array_to_Empty": { + "type": "SetVariable", + "inputs": { + "name": "Domain_Breach_Data_Array", + "value": "[variables('TemplateEmptyArray')]" + } + }, + "Set_more_records_to_empty": { + "runAfter": { + "Set_array_to_Empty": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "more_records_display_text", + "value": " " + } + } + }, + "runAfter": { + "set_total_records": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Add_comment_to_incident_(V3)_2": { + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

SpyCloud Breach Data for Domain @{items('For_Each_Incident_DNS_Domain')?['DomainName']}
\nNo Records Found.

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + } + } + }, + "expression": { + "and": [ + { + "greater": [ + "@variables('total_records')", + 0 + ] + } + ] + }, + "type": "If" + }, + "Get_Breach_Data_by_Domain_Search": { + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['SpyCloud-Enterprise-Connector']['connectionId']" + } + }, + "method": "get", + "path": "/breach/data/domains/@{encodeURIComponent(items('For_Each_Incident_DNS_Domain')?['DomainName'])}" + } + }, + "set_total_records": { + "runAfter": { + "Get_Breach_Data_by_Domain_Search": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "total_records", + "value": "@body('Get_Breach_Data_by_Domain_Search')?['hits']" + } + } + }, + "runAfter": { + "Entities_-_Get_DNS": [ + "Succeeded" + ] + }, + "type": "Foreach", + "runtimeConfiguration": { + "concurrency": { + "repetitions": 1 + } + } + }, + "IP_address": { + "runAfter": { + "Outputs_Variable": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "ip_address", + "type": "string" + } + ] + } + }, + "Outputs_Variable": { + "runAfter": { + "more_records_desplay_text": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "domain_breach_data_array", + "type": "array" + } + ] + } + }, + "minimum_records": { + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "min_records", + "type": "integer", + "value": 15 + } + ] + } + }, + "more_records_desplay_text": { + "runAfter": { + "total_records": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "more_records_display_text", + "type": "string" + } + ] + } + }, + "total_records": { + "runAfter": { + "minimum_records": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "total_records", + "type": "integer" + } + ] + } + } + } + }, + "parameters": { + "$connections": { + "value": { + "azuresentinel": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", + "connectionName": "[[variables('AzureSentinelConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + }, + "SpyCloud-Enterprise-Connector": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('SpyCloudEnterpriseConnectionName'))]", + "connectionName": "[[variables('SpyCloudEnterpriseConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('SpyCloud_Enterprise_Connector_Name'))]" + } + } + } + } + }, + "tags": { + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId3'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId3')]", + "contentId": "[variables('_playbookContentId3')]", + "kind": "Playbook", + "version": "[variables('playbookVersion3')]", + "source": { + "kind": "Solution", + "name": "SpyCloud Enterprise Protection", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "SpyCloud" + }, + "support": { + "name": "Spycloud", + "email": "integrations@spycloud.com", + "tier": "Partner", + "link": "https://portal.spycloud.com" + }, + "dependencies": { + "criteria": [ + { + "kind": "LogicAppsCustomConnector", + "contentId": "[variables('_Custom Connector')]", + "version": "[variables('playbookVersion1')]" + } + ] + } + } + } + ], + "metadata": { + "title": "Domain Breach Data - SpyCloud Enterprise", + "description": "The SpyCloud Enterprise API is able to provide breach data for a domain or set of domains associated with an incident.", + "prerequisites": "https://www.spycloud.com/integrations to request a trial key.", + "lastUpdateTime": "2022-09-05T00:00:00Z", + "entities": [ + "DNS" + ], + "tags": [ + "Enrichment" + ], + "releaseNotes": { + "version": "1.0", + "title": "[variables('blanks')]", + "notes": [ + "Initial version" + ] + } + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId3')]", + "contentKind": "Playbook", + "displayName": "SpyCloud-Get-Domain-Breach-Data-Playbook", + "contentProductId": "[variables('_playbookcontentProductId3')]", + "id": "[variables('_playbookcontentProductId3')]", + "version": "[variables('playbookVersion3')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName4')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "SpyCloud-Get-Email-Breach-Data-Playbook Playbook with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion4')]", + "parameters": { + "PlaybookName": { + "defaultValue": "SpyCloud-Get-Email-Breach-Data-Playbook", + "type": "string", + "metadata": { + "description": "Name of the Logic App/Playbook" + } + }, + "SpyCloud_Enterprise_Connector_Name": { + "defaultValue": "SpyCloud-Enterprise-Protection", + "type": "String", + "metadata": { + "description": "SpyCloud Enterprise custom connector name" + } + } + }, + "variables": { + "SpyCloudEnterpriseConnectionName": "[[concat('spycloudconnector-', parameters('PlaybookName'))]", + "AzureSentinelConnectionName": "[[concat('azuresentinel-', parameters('PlaybookName'))]", + "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", + "_connection-1": "[[variables('connection-1')]", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('SpyCloud_Enterprise_Connector_Name'))]", + "_connection-2": "[[variables('connection-2')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('AzureSentinelConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('AzureSentinelConnectionName')]", + "parameterValueType": "Alternative", + "api": { + "id": "[[variables('_connection-1')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('SpyCloudEnterpriseConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "properties": { + "displayName": "[[variables('SpyCloudEnterpriseConnectionName')]", + "api": { + "id": "[[variables('_connection-2')]" + } + } + }, + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2017-07-01", + "name": "[[parameters('PlaybookName')]", + "location": "[[variables('workspace-location-inline')]", + "identity": { + "type": "SystemAssigned" + }, + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('SpyCloudEnterpriseConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]" + ], + "properties": { + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + } + }, + "triggers": { + "Microsoft_Sentinel_incident_2": { + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "path": "/incident-creation" + } + } + }, + "actions": { + "Asterisk_Variable": { + "runAfter": { + "Email_Address_Variable": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "asterisk", + "type": "string", + "value": "@" + } + ] + } + }, + "Email_Address_Variable": { + "runAfter": { + "more_records_desplay_text": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "email_address", + "type": "string" + } + ] + } + }, + "Entities_-_Get_Accounts": { + "runAfter": { + "ip_address": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/entities/account" + } + }, + "For_Each_Incident_Emails": { + "foreach": "@body('Entities_-_Get_Accounts')?['Accounts']", + "actions": { + "Check_if_records_exists": { + "actions": { + "Add_comment_to_incident_(V3)": { + "runAfter": { + "Check_number_of_Records": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

SpyCloud Breach Data for Email @{variables('email_address')}@{body('Create_HTML_table')}@{variables('more_records_display_text')}

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Check_number_of_Records": { + "actions": { + "set_more_records_display_text": { + "type": "SetVariable", + "inputs": { + "name": "more_records_display_text", + "value": "Showing @{variables('min_records')} records out of @{variables('total_records')} records, for more information visit: https://portal.spycloud.com/" + } + } + }, + "runAfter": { + "Create_HTML_table": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "greater": [ + "@variables('total_records')", + "@variables('min_records')" + ] + } + ] + }, + "type": "If" + }, + "Create_HTML_table": { + "runAfter": { + "For_each_response": [ + "Succeeded" + ] + }, + "type": "Table", + "inputs": { + "format": "HTML", + "from": "@variables('email_breach_data_array')" + } + }, + "For_each_response": { + "foreach": "@take(body('Get_Breach_Data_by_Email_Search')?['results'],variables('min_records'))", + "actions": { + "Append_to_array_variable": { + "runAfter": { + "Compose": [ + "Succeeded" + ] + }, + "type": "AppendToArrayVariable", + "inputs": { + "name": "email_breach_data_array", + "value": "@outputs('Compose')" + } + }, + "Compose": { + "runAfter": { + "Condition": [ + "Succeeded" + ] + }, + "type": "Compose", + "inputs": { + "Document Id": "@items('For_each_response')?['document_id']", + "Domain": "@items('For_each_response')?['domain']", + "Email": "@items('For_each_response')?['email']", + "IP Addresses": "@substring(variables('ip_address'),0,sub(length(variables('ip_address')),1))", + "Infected Machine Id": "@items('For_each_response')?['infected_machine_id']", + "Infected Path": "@items('For_each_response')?['infected_path']", + "Infected Time": "@items('For_each_response')?['infected_time']", + "Password": "@items('For_each_response')?['password']", + "Password Plaintext": "@items('For_each_response')?['password_plaintext']", + "Severity": "@items('For_each_response')?['severity']", + "Source Id": "@items('For_each_response')?['source_id']", + "Spycloud Publish Date": "@items('For_each_response')?['spycloud_publish_date']", + "Target Domain": "@items('For_each_response')?['target_domain']", + "Target Subdomain": "@items('For_each_response')?['target_subdomain']", + "Target Url": "@items('For_each_response')?['target_url']", + "User Hostname": "@items('For_each_response')?['user_hostname']", + "User OS": "@items('For_each_response')?['user_os']", + "Username": "@items('For_each_response')?['username']" + } + }, + "Condition": { + "actions": { + "For_each_ip": { + "foreach": "@items('For_each_response')?['ip_addresses']", + "actions": { + "Append_to_string_variable": { + "type": "AppendToStringVariable", + "inputs": { + "name": "ip_address", + "value": "@{items('For_each_ip')}," + } + } + }, + "type": "Foreach" + } + }, + "runAfter": { + "Set_variable": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@items('For_each_response')?['ip_addresses']", + "@null" + ] + } + } + ] + }, + "type": "If" + }, + "Set_variable": { + "type": "SetVariable", + "inputs": { + "name": "ip_address", + "value": " " + } + } + }, + "runAfter": { + "Set_more_records_to_empty": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Set_array_to_empty": { + "type": "SetVariable", + "inputs": { + "name": "email_breach_data_array", + "value": "[variables('TemplateEmptyArray')]" + } + }, + "Set_more_records_to_empty": { + "runAfter": { + "Set_array_to_empty": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "more_records_display_text", + "value": " " + } + } + }, + "runAfter": { + "set_total_records": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Add_comment_to_incident_(V3)_2": { + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

SpyCloud Breach Data for Email @{variables('email_address')}
\nNo Records Found.

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + } + } + }, + "expression": { + "and": [ + { + "greater": [ + "@variables('total_records')", + 0 + ] + } + ] + }, + "type": "If" + }, + "Get_Breach_Data_by_Email_Search": { + "runAfter": { + "Set_Email_Address": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['SpyCloud-Enterprise-Connector']['connectionId']" + } + }, + "method": "get", + "path": "/breach/data/emails/@{encodeURIComponent(variables('email_address'))}" + } + }, + "Set_Email_Address": { + "type": "SetVariable", + "inputs": { + "name": "email_address", + "value": "@{items('For_Each_Incident_Emails')?['Name']}@{variables('asterisk')}@{items('For_Each_Incident_Emails')?['UPNSuffix']}" + } + }, + "set_total_records": { + "runAfter": { + "Get_Breach_Data_by_Email_Search": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "total_records", + "value": "@body('Get_Breach_Data_by_Email_Search')?['hits']" + } + } + }, + "runAfter": { + "Entities_-_Get_Accounts": [ + "Succeeded" + ] + }, + "type": "Foreach", + "runtimeConfiguration": { + "concurrency": { + "repetitions": 1 + } + } + }, + "Outputs_Variable": { + "runAfter": { + "Asterisk_Variable": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "email_breach_data_array", + "type": "array" + } + ] + } + }, + "ip_address": { + "runAfter": { + "Outputs_Variable": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "ip_address", + "type": "string" + } + ] + } + }, + "minimum_records": { + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "min_records", + "type": "integer", + "value": 15 + } + ] + } + }, + "more_records_desplay_text": { + "runAfter": { + "total_records": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "more_records_display_text", + "type": "string" + } + ] + } + }, + "total_records": { + "runAfter": { + "minimum_records": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "total_records", + "type": "integer" + } + ] + } + } + } + }, + "parameters": { + "$connections": { + "value": { + "azuresentinel": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", + "connectionName": "[[variables('AzureSentinelConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + }, + "SpyCloud-Enterprise-Connector": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('SpyCloudEnterpriseConnectionName'))]", + "connectionName": "[[variables('SpyCloudEnterpriseConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('SpyCloud_Enterprise_Connector_Name'))]" + } + } + } + } + }, + "tags": { + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId4'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId4')]", + "contentId": "[variables('_playbookContentId4')]", + "kind": "Playbook", + "version": "[variables('playbookVersion4')]", + "source": { + "kind": "Solution", + "name": "SpyCloud Enterprise Protection", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "SpyCloud" + }, + "support": { + "name": "Spycloud", + "email": "integrations@spycloud.com", + "tier": "Partner", + "link": "https://portal.spycloud.com" + }, + "dependencies": { + "criteria": [ + { + "kind": "LogicAppsCustomConnector", + "contentId": "[variables('_Custom Connector')]", + "version": "[variables('playbookVersion1')]" + } + ] + } + } + } + ], + "metadata": { + "title": "Email Address Breach Data - SpyCloud Enterprise", + "description": "The SpyCloud Enterprise API is able to provide breach data for a Email address or set of Email addresses associated with an incident.", + "prerequisites": "SpyCloud Enterprise API Key.", + "lastUpdateTime": "2022-09-05T00:00:00Z", + "entities": [ + "ACCOUNT" + ], + "tags": [ + "Enrichment" + ], + "releaseNotes": { + "version": "1.0", + "title": "[variables('blanks')]", + "notes": [ + "Initial version" + ] + } + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId4')]", + "contentKind": "Playbook", + "displayName": "SpyCloud-Get-Email-Breach-Data-Playbook", + "contentProductId": "[variables('_playbookcontentProductId4')]", + "id": "[variables('_playbookcontentProductId4')]", + "version": "[variables('playbookVersion4')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName5')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "SpyCloud-Get-IP-Breach-Data-Playbook Playbook with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion5')]", + "parameters": { + "PlaybookName": { + "defaultValue": "SpyCloud-Get-IP-Breach-Data-Playbook", + "type": "string", + "metadata": { + "description": "Name of the Logic App/Playbook" + } + }, + "SpyCloud_Enterprise_Connector_Name": { + "defaultValue": "SpyCloud-Enterprise-Protection", + "type": "String", + "metadata": { + "description": "SpyCloud Enterprise custom connector name" + } + } + }, + "variables": { + "SpyCloudEnterpriseConnectionName": "[[concat('spycloudconnector-', parameters('PlaybookName'))]", + "AzureSentinelConnectionName": "[[concat('azuresentinel-', parameters('PlaybookName'))]", + "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", + "_connection-1": "[[variables('connection-1')]", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('SpyCloud_Enterprise_Connector_Name'))]", + "_connection-2": "[[variables('connection-2')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('AzureSentinelConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('AzureSentinelConnectionName')]", + "parameterValueType": "Alternative", + "api": { + "id": "[[variables('_connection-1')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('SpyCloudEnterpriseConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "properties": { + "displayName": "[[variables('SpyCloudEnterpriseConnectionName')]", + "api": { + "id": "[[variables('_connection-2')]" + } + } + }, + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2017-07-01", + "name": "[[parameters('PlaybookName')]", + "location": "[[variables('workspace-location-inline')]", + "identity": { + "type": "SystemAssigned" + }, + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('SpyCloudEnterpriseConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]" + ], + "properties": { + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + } + }, + "triggers": { + "Microsoft_Sentinel_incident_2": { + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "path": "/incident-creation" + } + } + }, + "actions": { + "Entities_-_Get_IPs": { + "runAfter": { + "ip_address": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/entities/ip" + } + }, + "For_Each_Incident_IPS": { + "foreach": "@body('Entities_-_Get_IPs')?['IPs']", + "actions": { + "Check_if_records_exists": { + "actions": { + "Add_comment_to_incident_(V3)": { + "runAfter": { + "Check_number_of_Records": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

SpyCloud Breach Data for IP @{items('For_Each_Incident_IPS')?['Address']}@{body('Create_HTML_table')}@{variables('more_records_display_text')}

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Check_number_of_Records": { + "actions": { + "set_more_records_display_text": { + "type": "SetVariable", + "inputs": { + "name": "more_records_display_text", + "value": "Showing @{variables('min_records')} records out of @{variables('total_records')} records, for more information visit https://portal.spycloud.com/" + } + } + }, + "runAfter": { + "Create_HTML_table": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "greater": [ + "@variables('total_records')", + "@variables('min_records')" + ] + } + ] + }, + "type": "If" + }, + "Create_HTML_table": { + "runAfter": { + "For_each_response": [ + "Succeeded" + ] + }, + "type": "Table", + "inputs": { + "format": "HTML", + "from": "@variables('ip_breach_data_array')" + } + }, + "For_each_response": { + "foreach": "@take(body('Get_Breach_Data_by_IP_Address')?['results'],variables('min_records'))", + "actions": { + "Append_to_array_variable": { + "runAfter": { + "Compose": [ + "Succeeded" + ] + }, + "type": "AppendToArrayVariable", + "inputs": { + "name": "IP_Breach_Data_Array", + "value": "@outputs('Compose')" + } + }, + "Compose": { + "runAfter": { + "Condition": [ + "Succeeded" + ] + }, + "type": "Compose", + "inputs": { + "Document Id": "@items('For_each_response')?['document_id']", + "Domain": "@items('For_each_response')?['domain']", + "Email": "@items('For_each_response')?['email']", + "IP Addresses": "@substring(variables('ip_address'),0,sub(length(variables('ip_address')),1))", + "Infected Machine Id": "@items('For_each_response')?['infected_machine_id']", + "Infected Path": "@items('For_each_response')?['infected_path']", + "Infected Time": "@items('For_each_response')?['infected_time']", + "Password": "@items('For_each_response')?['password']", + "Password Plaintext": "@items('For_each_response')?['password_plaintext']", + "Severity": "@items('For_each_response')?['severity']", + "Source Id": "@items('For_each_response')?['source_id']", + "Spycloud Publish Date": "@items('For_each_response')?['spycloud_publish_date']", + "Target Domain": "@items('For_each_response')?['target_domain']", + "Target Subdomain": "@items('For_each_response')?['target_subdomain']", + "Target Url": "@items('For_each_response')?['target_url']", + "User Hostname": "@items('For_each_response')?['user_hostname']", + "User OS": "@items('For_each_response')?['user_os']", + "Username": "@items('For_each_response')?['username']" + } + }, + "Condition": { + "actions": { + "For_each_ip": { + "foreach": "@items('For_each_response')?['ip_addresses']", + "actions": { + "Append_to_string_variable": { + "type": "AppendToStringVariable", + "inputs": { + "name": "ip_address", + "value": "@{items('For_each_ip')}," + } + } + }, + "type": "Foreach" + } + }, + "runAfter": { + "Set_variable": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@items('For_each_response')?['ip_addresses']", + "@null" + ] + } + } + ] + }, + "type": "If" + }, + "Set_variable": { + "type": "SetVariable", + "inputs": { + "name": "ip_address", + "value": " " + } + } + }, + "runAfter": { + "Set_more_records_to_empty": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Set_array_to_Empty": { + "type": "SetVariable", + "inputs": { + "name": "ip_breach_data_array", + "value": "[variables('TemplateEmptyArray')]" + } + }, + "Set_more_records_to_empty": { + "runAfter": { + "Set_array_to_Empty": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "more_records_display_text", + "value": " " + } + } + }, + "runAfter": { + "set_total_records": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Add_comment_to_incident_(V3)_2": { + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

SpyCloud Breach Data for IP @{items('For_Each_Incident_IPS')?['Address']}
\nNo Records Found.

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + } + } + }, + "expression": { + "and": [ + { + "greater": [ + "@variables('total_records')", + 0 + ] + } + ] + }, + "type": "If" + }, + "Get_Breach_Data_by_IP_Address": { + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['SpyCloud-Enterprise-Connector']['connectionId']" + } + }, + "method": "get", + "path": "/breach/data/ips/@{encodeURIComponent(items('For_Each_Incident_IPS')?['Address'])}" + } + }, + "set_total_records": { + "runAfter": { + "Get_Breach_Data_by_IP_Address": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "total_records", + "value": "@body('Get_Breach_Data_by_IP_Address')?['hits']" + } + } + }, + "runAfter": { + "Entities_-_Get_IPs": [ + "Succeeded" + ] + }, + "type": "Foreach", + "runtimeConfiguration": { + "concurrency": { + "repetitions": 1 + } + } + }, + "Outputs_Variable": { + "runAfter": { + "more_records_desplay_text": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "ip_breach_data_array", + "type": "array" + } + ] + } + }, + "ip_address": { + "runAfter": { + "Outputs_Variable": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "ip_address", + "type": "string" + } + ] + } + }, + "minimum_records": { + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "min_records", + "type": "integer", + "value": 15 + } + ] + } + }, + "more_records_desplay_text": { + "runAfter": { + "total_records": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "more_records_display_text", + "type": "string" + } + ] + } + }, + "total_records": { + "runAfter": { + "minimum_records": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "total_records", + "type": "integer" + } + ] + } + } + } + }, + "parameters": { + "$connections": { + "value": { + "azuresentinel": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", + "connectionName": "[[variables('AzureSentinelConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + }, + "SpyCloud-Enterprise-Connector": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('SpyCloudEnterpriseConnectionName'))]", + "connectionName": "[[variables('SpyCloudEnterpriseConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('SpyCloud_Enterprise_Connector_Name'))]" + } + } + } + } + }, + "tags": { + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId5'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId5')]", + "contentId": "[variables('_playbookContentId5')]", + "kind": "Playbook", + "version": "[variables('playbookVersion5')]", + "source": { + "kind": "Solution", + "name": "SpyCloud Enterprise Protection", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "SpyCloud" + }, + "support": { + "name": "Spycloud", + "email": "integrations@spycloud.com", + "tier": "Partner", + "link": "https://portal.spycloud.com" + }, + "dependencies": { + "criteria": [ + { + "kind": "LogicAppsCustomConnector", + "contentId": "[variables('_Custom Connector')]", + "version": "[variables('playbookVersion1')]" + } + ] + } + } + } + ], + "metadata": { + "title": "IP Address Breach Data - SpyCloud Enterprise", + "description": "The SpyCloud Enterprise API is able to provide breach data for a IP address or set of IP addresses associated with an incident.", + "prerequisites": "SpyCloud Enterprise API Key.", + "lastUpdateTime": "2022-09-05T00:00:00Z", + "entities": [ + "IP" + ], + "tags": [ + "Enrichment" + ], + "releaseNotes": { + "version": "1.0", + "title": "[variables('blanks')]", + "notes": [ + "Initial version" + ] + } + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId5')]", + "contentKind": "Playbook", + "displayName": "SpyCloud-Get-IP-Breach-Data-Playbook", + "contentProductId": "[variables('_playbookcontentProductId5')]", + "id": "[variables('_playbookcontentProductId5')]", + "version": "[variables('playbookVersion5')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName6')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "SpyCloud-Get-Password-Breach-Data-Playbook Playbook with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion6')]", + "parameters": { + "PlaybookName": { + "defaultValue": "SpyCloud-Get-Password-Breach-Data-Playbook", + "type": "string", + "metadata": { + "description": "Name of the Logic App/Playbook" + } + }, + "SpyCloud_Enterprise_Connector_Name": { + "defaultValue": "SpyCloud-Enterprise-Protection", + "type": "String", + "metadata": { + "description": "SpyCloud Enterprise custom connector name" + } + } + }, + "variables": { + "SpyCloudEnterpriseConnectionName": "[[concat('spycloudconnector-', parameters('PlaybookName'))]", + "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('SpyCloud_Enterprise_Connector_Name'))]", + "_connection-1": "[[variables('connection-1')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('SpyCloudEnterpriseConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "properties": { + "displayName": "[[variables('SpyCloudEnterpriseConnectionName')]", + "api": { + "id": "[[variables('_connection-1')]" + } + } + }, + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2017-07-01", + "name": "[[parameters('PlaybookName')]", + "location": "[[variables('workspace-location-inline')]", + "identity": { + "type": "SystemAssigned" + }, + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('SpyCloudEnterpriseConnectionName'))]" + ], + "properties": { + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + } + }, + "triggers": { + "manual": { + "type": "Request", + "kind": "Http", + "inputs": { + "method": "GET" + } + } + }, + "actions": { + "Check_if_records_exists": { + "actions": { + "Create_HTML_table": { + "runAfter": { + "For_each_response": [ + "Succeeded" + ] + }, + "type": "Table", + "inputs": { + "format": "HTML", + "from": "@variables('password_breach_data_array')" + } + }, + "For_each_response": { + "foreach": "@body('Get_Breach_Data_by_Password_Search')?['results']", + "actions": { + "Append_to_array_variable": { + "runAfter": { + "Compose": [ + "Succeeded" + ] + }, + "type": "AppendToArrayVariable", + "inputs": { + "name": "password_breach_data_array", + "value": "@outputs('Compose')" + } + }, + "Check_if_ip_address_exists": { + "actions": { + "For_each_ip": { + "foreach": "@items('For_each_response')?['ip_addresses']", + "actions": { + "Append_to_ip_address_variable": { + "type": "AppendToStringVariable", + "inputs": { + "name": "ip_address", + "value": "@{items('For_each_ip')}," + } + } + }, + "type": "Foreach" + } + }, + "runAfter": { + "Set_ip_address_to_empty": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@items('For_each_response')?['ip_addresses']", + "@null" + ] + } + } + ] + }, + "type": "If" + }, + "Compose": { + "runAfter": { + "Check_if_ip_address_exists": [ + "Succeeded" + ] + }, + "type": "Compose", + "inputs": { + "Document Id": "@items('For_each_response')?['document_id']", + "Domain": "@items('For_each_response')?['domain']", + "Email": "@items('For_each_response')?['email']", + "IP Addresses": "@substring(variables('ip_address'), 0, sub(length(variables('ip_address')), 1))", + "Infected Machine Id": "@items('For_each_response')?['infected_machine_id']", + "Infected Path": "@items('For_each_response')?['infected_path']", + "Infected Time": "@items('For_each_response')?['infected_time']", + "Password": "@items('For_each_response')?['password']", + "Password Plaintext": "@items('For_each_response')?['password_plaintext']", + "Severity": "@items('For_each_response')?['severity']", + "Source Id": "@items('For_each_response')?['source_id']", + "Spycloud Publish Date": "@items('For_each_response')?['spycloud_publish_date']", + "Target Domain": "@items('For_each_response')?['target_domain']", + "Target Subdomain": "@items('For_each_response')?['target_subdomain']", + "Target Url": "@items('For_each_response')?['target_url']", + "User Hostname": "@items('For_each_response')?['user_hostname']", + "User OS": "@items('For_each_response')?['user_os']", + "Username": "@items('For_each_response')?['username']" + } + }, + "Set_ip_address_to_empty": { + "type": "SetVariable", + "inputs": { + "name": "ip_address", + "value": " " + } + } + }, + "runAfter": { + "Set_array_to_Empty": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Set_array_to_Empty": { + "type": "SetVariable", + "inputs": { + "name": "password_breach_data_array", + "value": "[variables('TemplateEmptyArray')]" + } + } + }, + "runAfter": { + "set_total_records": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "greater": [ + "@variables('total_records')", + 0 + ] + } + ] + }, + "type": "If" + }, + "Get_Breach_Data_by_Password_Search": { + "runAfter": { + "Provide_Password_to_search": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['SpyCloud-Enterprise-Connector']['connectionId']" + } + }, + "method": "get", + "path": "/breach/data/passwords/@{encodeURIComponent(variables('password_to_search'))}" + } + }, + "Outputs_Variable": { + "runAfter": { + "more_records_desplay_text": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "password_breach_data_array", + "type": "array" + } + ] + } + }, + "Provide_Password_to_search": { + "runAfter": { + "ip_address": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "password_to_search", + "type": "string", + "value": "welcome@123" + } + ] + } + }, + "ip_address": { + "runAfter": { + "Outputs_Variable": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "ip_address", + "type": "string" + } + ] + } + }, + "minimum_records": { + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "min_records", + "type": "integer", + "value": 15 + } + ] + } + }, + "more_records_desplay_text": { + "runAfter": { + "total_records": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "more_records_display_text", + "type": "string" + } + ] + } + }, + "set_total_records": { + "runAfter": { + "Get_Breach_Data_by_Password_Search": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "total_records", + "value": "@body('Get_Breach_Data_by_Password_Search')?['hits']" + } + }, + "total_records": { + "runAfter": { + "minimum_records": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "total_records", + "type": "integer" + } + ] + } + } + } + }, + "parameters": { + "$connections": { + "value": { + "SpyCloud-Enterprise-Connector": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('SpyCloudEnterpriseConnectionName'))]", + "connectionName": "[[variables('SpyCloudEnterpriseConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('SpyCloud_Enterprise_Connector_Name'))]" + } + } + } + } + }, + "tags": { + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId6'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId6')]", + "contentId": "[variables('_playbookContentId6')]", + "kind": "Playbook", + "version": "[variables('playbookVersion6')]", + "source": { + "kind": "Solution", + "name": "SpyCloud Enterprise Protection", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "SpyCloud" + }, + "support": { + "name": "Spycloud", + "email": "integrations@spycloud.com", + "tier": "Partner", + "link": "https://portal.spycloud.com" + }, + "dependencies": { + "criteria": [ + { + "kind": "LogicAppsCustomConnector", + "contentId": "[variables('_Custom Connector')]", + "version": "[variables('playbookVersion1')]" + } + ] + } + } + } + ], + "metadata": { + "title": "Password Breach Data - SpyCloud Enterprise", + "description": "The SpyCloud Enterprise API is able to provide breach data for a provided password.", + "prerequisites": "SpyCloud Enterprise API Key.", + "lastUpdateTime": "2022-09-05T00:00:00Z", + "tags": [ + "Enrichment" + ], + "releaseNotes": { + "version": "1.0", + "title": "[variables('blanks')]", + "notes": [ + "Initial version" + ] + } + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId6')]", + "contentKind": "Playbook", + "displayName": "SpyCloud-Get-Password-Breach-Data-Playbook", + "contentProductId": "[variables('_playbookcontentProductId6')]", + "id": "[variables('_playbookcontentProductId6')]", + "version": "[variables('playbookVersion6')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName7')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "SpyCloud-Get-Username-Breach-Data-Playbook Playbook with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion7')]", + "parameters": { + "PlaybookName": { + "defaultValue": "SpyCloud-Get-Username-Breach-Data-Playbook", + "type": "string", + "metadata": { + "description": "Name of the Logic App/Playbook" + } + }, + "SpyCloud_Enterprise_Connector_Name": { + "defaultValue": "SpyCloud-Enterprise-Protection", + "type": "String", + "metadata": { + "description": "SpyCloud Enterprise custom connector name" + } + } + }, + "variables": { + "SpyCloudEnterpriseConnectionName": "[[concat('spycloudconnector-', parameters('PlaybookName'))]", + "AzureSentinelConnectionName": "[[concat('azuresentinel-', parameters('PlaybookName'))]", + "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", + "_connection-1": "[[variables('connection-1')]", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('SpyCloud_Enterprise_Connector_Name'))]", + "_connection-2": "[[variables('connection-2')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('AzureSentinelConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('AzureSentinelConnectionName')]", + "parameterValueType": "Alternative", + "api": { + "id": "[[variables('_connection-1')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('SpyCloudEnterpriseConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "properties": { + "displayName": "[[variables('SpyCloudEnterpriseConnectionName')]", + "api": { + "id": "[[variables('_connection-2')]" + } + } + }, + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2017-07-01", + "name": "[[parameters('PlaybookName')]", + "location": "[[variables('workspace-location-inline')]", + "identity": { + "type": "SystemAssigned" + }, + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('SpyCloudEnterpriseConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]" + ], + "properties": { + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + } + }, + "triggers": { + "Microsoft_Sentinel_incident_2": { + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "path": "/incident-creation" + } + } + }, + "actions": { + "Entities_-_Get_Accounts": { + "runAfter": { + "ip_address": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/entities/account" + } + }, + "For_Each_Incident_Emails": { + "foreach": "@body('Entities_-_Get_Accounts')?['Accounts']", + "actions": { + "Check_if_records_exists": { + "actions": { + "Add_comment_to_incident_(V3)": { + "runAfter": { + "Check_number_of_Records": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

SpyCloud Breach Data for username @{variables('username')}@{body('Create_HTML_table')}@{variables('more_records_display_text')}

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Check_number_of_Records": { + "actions": { + "set_more_records_display_text": { + "type": "SetVariable", + "inputs": { + "name": "more_records_display_text", + "value": "Showing @{variables('min_records')} records out of @{variables('total_records')} records, for more information visit https://portal.spycloud.com/" + } + } + }, + "runAfter": { + "Create_HTML_table": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "greater": [ + "@variables('total_records')", + "@variables('min_records')" + ] + } + ] + }, + "type": "If" + }, + "Create_HTML_table": { + "runAfter": { + "For_each_response": [ + "Succeeded" + ] + }, + "type": "Table", + "inputs": { + "format": "HTML", + "from": "@variables('username_breach_data_array')" + } + }, + "For_each_response": { + "foreach": "@take(body('Get_Breach_Data_by_Username_Search')?['results'],variables('min_records'))", + "actions": { + "Append_to_array_variable": { + "runAfter": { + "Compose": [ + "Succeeded" + ] + }, + "type": "AppendToArrayVariable", + "inputs": { + "name": "username_breach_data_array", + "value": "@outputs('Compose')" + } + }, + "Compose": { + "runAfter": { + "Condition": [ + "Succeeded" + ] + }, + "type": "Compose", + "inputs": { + "Document Id": "@items('For_each_response')?['document_id']", + "Domain": "@items('For_each_response')?['domain']", + "Email": "@items('For_each_response')?['email']", + "IP Addresses": "@substring(variables('ip_address'),0,sub(length(variables('ip_address')),1))", + "Infected Machine Id": "@items('For_each_response')?['infected_machine_id']", + "Infected Path": "@items('For_each_response')?['infected_path']", + "Infected Time": "@items('For_each_response')?['infected_time']", + "Password": "@items('For_each_response')?['password']", + "Password Plaintext": "@items('For_each_response')?['password_plaintext']", + "Severity": "@items('For_each_response')?['severity']", + "Source Id": "@items('For_each_response')?['source_id']", + "Spycloud Publish Date": "@items('For_each_response')?['spycloud_publish_date']", + "Target Domain": "@items('For_each_response')?['target_domain']", + "Target Subdomain": "@items('For_each_response')?['target_subdomain']", + "Target Url": "@items('For_each_response')?['target_url']", + "User Hostname": "@items('For_each_response')?['user_hostname']", + "User OS": "@items('For_each_response')?['user_os']", + "Username": "@items('For_each_response')?['username']" + } + }, + "Condition": { + "actions": { + "For_each_ip": { + "foreach": "@items('For_each_response')?['ip_addresses']", + "actions": { + "Append_to_string_variable": { + "type": "AppendToStringVariable", + "inputs": { + "name": "ip_address", + "value": "@{items('For_each_ip')}," + } + } + }, + "type": "Foreach" + } + }, + "runAfter": { + "Set_variable": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@items('For_each_response')?['ip_addresses']", + "@null" + ] + } + } + ] + }, + "type": "If" + }, + "Set_variable": { + "type": "SetVariable", + "inputs": { + "name": "ip_address", + "value": " " + } + } + }, + "runAfter": { + "Set_more_records_to_empty": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Set_array_to_Empty": { + "type": "SetVariable", + "inputs": { + "name": "username_breach_data_array", + "value": "[variables('TemplateEmptyArray')]" + } + }, + "Set_more_records_to_empty": { + "runAfter": { + "Set_array_to_Empty": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "more_records_display_text", + "value": " " + } + } + }, + "runAfter": { + "set_total_records": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Add_comment_to_incident_(V3)_2": { + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

SpyCloud Breach Data for username @{variables('username')}
\nNo Records Found.

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + } + } + }, + "expression": { + "and": [ + { + "greater": [ + "@variables('total_records')", + 0 + ] + } + ] + }, + "type": "If" + }, + "Get_Breach_Data_by_Username_Search": { + "runAfter": { + "Set_Username": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['SpyCloud-Enterprise-Connector']['connectionId']" + } + }, + "method": "get", + "path": "/breach/data/usernames/@{encodeURIComponent(variables('username'))}" + } + }, + "Set_Username": { + "type": "SetVariable", + "inputs": { + "name": "username", + "value": "@items('For_Each_Incident_Emails')?['Name']" + } + }, + "set_total_records": { + "runAfter": { + "Get_Breach_Data_by_Username_Search": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "total_records", + "value": "@body('Get_Breach_Data_by_Username_Search')?['hits']" + } + } + }, + "runAfter": { + "Entities_-_Get_Accounts": [ + "Succeeded" + ] + }, + "type": "Foreach", + "runtimeConfiguration": { + "concurrency": { + "repetitions": 1 + } + } + }, + "Outputs_Variable": { + "runAfter": { + "Usernames_Variable": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "username_breach_data_array", + "type": "array" + } + ] + } + }, + "Usernames_Variable": { + "runAfter": { + "more_records_desplay_text": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "username", + "type": "string" + } + ] + } + }, + "ip_address": { + "runAfter": { + "Outputs_Variable": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "ip_address", + "type": "string" + } + ] + } + }, + "minimum_records": { + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "min_records", + "type": "integer", + "value": 15 + } + ] + } + }, + "more_records_desplay_text": { + "runAfter": { + "total_records": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "more_records_display_text", + "type": "string" + } + ] + } + }, + "total_records": { + "runAfter": { + "minimum_records": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "total_records", + "type": "integer" + } + ] + } + } + } + }, + "parameters": { + "$connections": { + "value": { + "azuresentinel": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", + "connectionName": "[[variables('AzureSentinelConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + }, + "SpyCloud-Enterprise-Connector": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('SpyCloudEnterpriseConnectionName'))]", + "connectionName": "[[variables('SpyCloudEnterpriseConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('SpyCloud_Enterprise_Connector_Name'))]" + } + } + } + } + }, + "tags": { + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId7'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId7')]", + "contentId": "[variables('_playbookContentId7')]", + "kind": "Playbook", + "version": "[variables('playbookVersion7')]", + "source": { + "kind": "Solution", + "name": "SpyCloud Enterprise Protection", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "SpyCloud" + }, + "support": { + "name": "Spycloud", + "email": "integrations@spycloud.com", + "tier": "Partner", + "link": "https://portal.spycloud.com" + }, + "dependencies": { + "criteria": [ + { + "kind": "LogicAppsCustomConnector", + "contentId": "[variables('_Custom Connector')]", + "version": "[variables('playbookVersion1')]" + } + ] + } + } + } + ], + "metadata": { + "title": "Username Breach Data - SpyCloud Enterprise", + "description": "The SpyCloud Enterprise API is able to provide breach data for a username or set of usernames associated with an incident.", + "prerequisites": "SpyCloud Enterprise API Key.", + "lastUpdateTime": "2022-09-05T00:00:00Z", + "entities": [ + "ACCOUNT" + ], + "tags": [ + "Enrichment" + ], + "releaseNotes": { + "version": "1.0", + "title": "[variables('blanks')]", + "notes": [ + "Initial version" + ] + } + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId7')]", + "contentKind": "Playbook", + "displayName": "SpyCloud-Get-Username-Breach-Data-Playbook", + "contentProductId": "[variables('_playbookcontentProductId7')]", + "id": "[variables('_playbookcontentProductId7')]", + "version": "[variables('playbookVersion7')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName8')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "SpyCloud-Malware-Playbook Playbook with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion8')]", + "parameters": { + "PlaybookName": { + "defaultValue": "SpyCloud-Malware-Playbook", + "type": "string", + "metadata": { + "description": "Name of the Logic App/Playbook" + } + }, + "SpyCloud_Enterprise_Connector_Name": { + "defaultValue": "SpyCloud-Enterprise-Protection", + "type": "String", + "metadata": { + "description": "SpyCloud Enterprise custom connector name" + } + } + }, + "variables": { + "SpyCloudEnterpriseConnectionName": "[[concat('spycloudconnector-', parameters('PlaybookName'))]", + "AzureSentinelConnectionName": "[[concat('azuresentinel-', parameters('PlaybookName'))]", + "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", + "_connection-1": "[[variables('connection-1')]", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('SpyCloud_Enterprise_Connector_Name'))]", + "_connection-2": "[[variables('connection-2')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('AzureSentinelConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('AzureSentinelConnectionName')]", + "parameterValueType": "Alternative", + "api": { + "id": "[[variables('_connection-1')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('SpyCloudEnterpriseConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "properties": { + "displayName": "[[variables('SpyCloudEnterpriseConnectionName')]", + "api": { + "id": "[[variables('_connection-2')]" + } + } + }, + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2017-07-01", + "name": "[[parameters('PlaybookName')]", + "location": "[[variables('workspace-location-inline')]", + "identity": { + "type": "SystemAssigned" + }, + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('SpyCloudEnterpriseConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]" + ], + "properties": { + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + } + }, + "triggers": { + "Microsoft_Sentinel_incident_2": { + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "path": "/incident-creation" + } + } + }, + "actions": { + "Check_if_the_incident_is_created_by_SpyCloud_Malware_": { + "actions": { + "Entities_-_Get_Hosts": { + "runAfter": { + "For_each_incident_alert": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/entities/host" + } + }, + "For_each_host": { + "foreach": "@body('Entities_-_Get_Hosts')?['Hosts']", + "actions": { + "Check_if_the_records_are_returned": { + "actions": { + "Add_comment_to_incident_(V3)": { + "runAfter": { + "Check_number_of_Records": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

SpyCloud Comapss Devices Data for @{variables('infected_machine_id')}@{body('Create_HTML_table')}@{variables('more_records_display_text')}

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Check_number_of_Records": { + "actions": { + "set_more_records_display_text": { + "type": "SetVariable", + "inputs": { + "name": "more_records_display_text", + "value": "Showing @{variables('min_records')} records out of @{variables('total_records')} records, for more information visit https://portal.spycloud.com/" + } + } + }, + "runAfter": { + "Create_HTML_table": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "greater": [ + "@variables('total_records')", + "@variables('min_records')" + ] + } + ] + }, + "type": "If" + }, + "Create_HTML_table": { + "runAfter": { + "For_each_response": [ + "Succeeded" + ] + }, + "type": "Table", + "inputs": { + "format": "HTML", + "from": "@variables('compass_device_data')" + } + }, + "For_each_response": { + "foreach": "@take(body('Get_Compass_Devices_Data')?['results'],variables('min_records'))", + "actions": { + "Append_to_array_variable": { + "runAfter": { + "Compose": [ + "Succeeded" + ] + }, + "type": "AppendToArrayVariable", + "inputs": { + "name": "compass_device_data", + "value": "@outputs('Compose')" + } + }, + "Compose": { + "runAfter": { + "Condition": [ + "Succeeded" + ] + }, + "type": "Compose", + "inputs": { + "Document Id": "@items('For_each_response')?['document_id']", + "Domain": "@items('For_each_response')?['domain']", + "Email": "@items('For_each_response')?['email']", + "IP Addresses": "@substring(variables('ip_address'),0,sub(length(variables('ip_address')),1))", + "Infected Machine Id": "@items('For_each_response')?['infected_machine_id']", + "Infected Path": "@items('For_each_response')?['infected_path']", + "Infected Time": "@items('For_each_response')?['infected_time']", + "Password": "@items('For_each_response')?['password']", + "Password Plaintext": "@items('For_each_response')?['password_plaintext']", + "Severity": "@items('For_each_response')?['severity']", + "Source Id": "@items('For_each_response')?['source_id']", + "Spycloud Publish Date": "@items('For_each_response')?['spycloud_publish_date']", + "Target Domain": "@items('For_each_response')?['target_domain']", + "Target Subdomain": "@items('For_each_response')?['target_subdomain']", + "Target Url": "@items('For_each_response')?['target_url']", + "User Hostname": "@items('For_each_response')?['user_hostname']", + "User OS": "@items('For_each_response')?['user_os']", + "Username": "@items('For_each_response')?['username']" + } + }, + "Condition": { + "actions": { + "For_each_ip": { + "foreach": "@items('For_each_response')?['ip_addresses']", + "actions": { + "Append_to_string_variable": { + "type": "AppendToStringVariable", + "inputs": { + "name": "ip_address", + "value": "@{items('For_each_ip')}," + } + } + }, + "type": "Foreach" + } + }, + "runAfter": { + "Set_IP_Address_to_Empty": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Set_variable": { + "type": "SetVariable", + "inputs": { + "name": "ip_address", + "value": " " + } + } + } + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@items('For_each_response')?['ip_addresses']", + "@null" + ] + } + } + ] + }, + "type": "If" + }, + "Set_IP_Address_to_Empty": { + "type": "SetVariable", + "inputs": { + "name": "ip_address", + "value": " " + } + } + }, + "type": "Foreach" + }, + "Update_incident": { + "runAfter": { + "Add_comment_to_incident_(V3)": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "owner": "someone@someone.com", + "ownerAction": "Assign", + "severity": "High" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "put", + "path": "/Incidents" + } + } + }, + "runAfter": { + "Get_Compass_Devices_Data": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "greater": [ + "@body('Get_Compass_Devices_Data')?['hits']", + 0 + ] + } + ] + }, + "type": "If" + }, + "Get_Compass_Devices_Data": { + "runAfter": { + "Set_Infected_Machine_ID": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['SpyCloud-Enterprise-Connector']['connectionId']" + } + }, + "method": "get", + "path": "/compass/data/devices/@{encodeURIComponent(variables('infected_machine_id'))}" + } + }, + "Set_Infected_Machine_ID": { + "type": "SetVariable", + "inputs": { + "name": "infected_machine_id", + "value": "@items('For_each_host')?['HostName']" + } + } + }, + "runAfter": { + "Entities_-_Get_Hosts": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "For_each_incident_alert": { + "foreach": "@triggerBody()?['object']?['properties']?['Alerts']", + "actions": { + "Check_User_Host_Name_exists": { + "actions": { + "Check_if_Host_is_Managed_host": { + "runAfter": { + "Set_variable_2": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "equals": [ + "", + "" + ] + } + ] + }, + "type": "If" + }, + "Set_User_Host_Name": { + "type": "SetVariable", + "inputs": { + "name": "user_host_name", + "value": "@{variables('incident_custom_details_object')?['User_Host_Name']}" + } + }, + "Set_variable_2": { + "runAfter": { + "Set_User_Host_Name": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "user_host_name_trim", + "value": "@{replace(replace(variables('user_host_name'),'[\"',''),'\"]','')}" + } + } + }, + "runAfter": { + "Set_custom_details_object": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@variables('incident_custom_details_object')?['User_Host_Name']", + "@null" + ] + } + } + ] + }, + "type": "If" + }, + "Set_custom_details_object": { + "type": "SetVariable", + "inputs": { + "name": "incident_custom_details_object", + "value": "@json(items('For_each_incident_alert')?['properties']?['additionalData']?['Custom Details'])" + } + } + }, + "type": "Foreach" + } + }, + "runAfter": { + "Incident_Custom_Details_Object": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "equals": [ + "@triggerBody()?['object']?['properties']?['title']", + "@variables('incident_name')" + ] + } + ] + }, + "type": "If" + }, + "IP_address": { + "runAfter": { + "Outputs_Variable": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "ip_address", + "type": "string" + } + ] + } + }, + "Incident_Custom_Details_Array": { + "runAfter": { + "Is_Managed_Host": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "incident_custom_details_array", + "type": "array" + } + ] + } + }, + "Incident_Custom_Details_Object": { + "runAfter": { + "Incident_Custom_Details_Array": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "incident_custom_details_object", + "type": "object" + } + ] + } + }, + "Incident_Name": { + "runAfter": { + "more_records_display_text": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "incident_name", + "type": "string", + "value": "SpyCloud Enterprise Malware Detection" + } + ] + } + }, + "Initialize_variable": { + "runAfter": { + "User_Host_Name": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "user_host_name_trim", + "type": "string" + } + ] + } + }, + "Is_Managed_Host": { + "runAfter": { + "IP_address": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "is_managed_host", + "type": "boolean", + "value": "@true" + } + ] + } + }, + "Machine_ID": { + "runAfter": { + "Initialize_variable": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "infected_machine_id", + "type": "string" + } + ] + } + }, + "Outputs_Variable": { + "runAfter": { + "Machine_ID": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "compass_device_data", + "type": "array" + } + ] + } + }, + "User_Host_Name": { + "runAfter": { + "Incident_Name": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "user_host_name", + "type": "string" + } + ] + } + }, + "minimum_records": { + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "min_records", + "type": "integer", + "value": 15 + } + ] + } + }, + "more_records_display_text": { + "runAfter": { + "total_records": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "more_records_display_text", + "type": "string" + } + ] + } + }, + "total_records": { + "runAfter": { + "minimum_records": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "total_records", + "type": "integer" + } + ] + } + } + } + }, + "parameters": { + "$connections": { + "value": { + "azuresentinel": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", + "connectionName": "[[variables('AzureSentinelConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + }, + "SpyCloud-Enterprise-Connector": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('SpyCloudEnterpriseConnectionName'))]", + "connectionName": "[[variables('SpyCloudEnterpriseConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('SpyCloud_Enterprise_Connector_Name'))]" + } + } + } + } + }, + "tags": { + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId8'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId8')]", + "contentId": "[variables('_playbookContentId8')]", + "kind": "Playbook", + "version": "[variables('playbookVersion8')]", + "source": { + "kind": "Solution", + "name": "SpyCloud Enterprise Protection", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "SpyCloud" + }, + "support": { + "name": "Spycloud", + "email": "integrations@spycloud.com", + "tier": "Partner", + "link": "https://portal.spycloud.com" + }, + "dependencies": { + "criteria": [ + { + "kind": "LogicAppsCustomConnector", + "contentId": "[variables('_Custom Connector')]", + "version": "[variables('playbookVersion1')]" + } + ] + } + } + } + ], + "metadata": { + "title": "SpyCloud Malware Information - SpyCloud Enterprise", + "description": "This Playbook will be triggered when an spycloud malware incident is created.", + "prerequisites": "SpyCloud Enterprise API Key.", + "lastUpdateTime": "2022-09-05T00:00:00Z", + "entities": [ + "ACCOUNT" + ], + "tags": [ + "Enrichment" + ], + "releaseNotes": { + "version": "1.0", + "title": "[variables('blanks')]", + "notes": [ + "Initial version" + ] + } + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId8')]", + "contentKind": "Playbook", + "displayName": "SpyCloud-Malware-Playbook", + "contentProductId": "[variables('_playbookcontentProductId8')]", + "id": "[variables('_playbookcontentProductId8')]", + "version": "[variables('playbookVersion8')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName9')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "SpyCloud-Monitor-Watchlist-Data Playbook with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion9')]", + "parameters": { + "PlaybookName": { + "defaultValue": "SpyCloud-Monitor-Watchlist-Data", + "type": "string", + "metadata": { + "description": "Name of the Logic App/Playbook" + } + }, + "SpyCloud_Enterprise_Connector_Name": { + "defaultValue": "SpyCloud-Enterprise-Protection", + "type": "String", + "metadata": { + "description": "SpyCloud Enterprise custom connector name" + } + }, + "SpyCloud_Custom_Log_Table_Name": { + "defaultValue": "SpyCloudBreachDataWatchlist", + "type": "String", + "metadata": { + "description": "SpyCloud Enterprise custom log name" + } + } + }, + "variables": { + "SpyCloudEnterpriseConnectionName": "[[concat('spycloudconnector-', parameters('PlaybookName'))]", + "AzureLogAnalyticsDataConnector": "[[concat('azuredataconnector-', parameters('PlaybookName'))]", + "SpyCloudCustomTableName": "[[parameters('SpyCloud_Custom_Log_Table_Name')]", + "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azureloganalyticsdatacollector')]", + "_connection-1": "[[variables('connection-1')]", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('SpyCloud_Enterprise_Connector_Name'))]", + "_connection-2": "[[variables('connection-2')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('AzureLogAnalyticsDataConnector')]", + "location": "[[variables('workspace-location-inline')]", + "properties": { + "displayName": "[[variables('AzureLogAnalyticsDataConnector')]", + "api": { + "id": "[[variables('_connection-1')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('SpyCloudEnterpriseConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "properties": { + "displayName": "[[variables('SpyCloudEnterpriseConnectionName')]", + "api": { + "id": "[[variables('_connection-2')]" + } + } + }, + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2017-07-01", + "name": "[[parameters('PlaybookName')]", + "location": "[[variables('workspace-location-inline')]", + "identity": { + "type": "SystemAssigned" + }, + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('SpyCloudEnterpriseConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('AzureLogAnalyticsDataConnector'))]" + ], + "properties": { + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + } + }, + "triggers": { + "Recurrence": { + "recurrence": { + "frequency": "Day", + "interval": 1, + "startTime": "[variables('blanks')]" + }, + "evaluatedRecurrence": { + "frequency": "Day", + "interval": 1, + "startTime": "2023-05-06T00:00:00Z" + }, + "type": "Recurrence" + } + }, + "actions": { + "Cursor": { + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "cursor", + "type": "string", + "value": "start" + } + ] + } + }, + "Custom_Log_Name": { + "runAfter": { + "date_": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "custom_log_name", + "type": "string", + "value": "[[variables('SpyCloudCustomTableName')]" + } + ] + } + }, + "IP_address": { + "runAfter": { + "Is_First_Fetch": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "ip_address", + "type": "string" + } + ] + } + }, + "Is_First_Fetch": { + "runAfter": { + "Cursor": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "first_fetch", + "type": "boolean", + "value": "@true" + } + ] + } + }, + "Until_Modified_Records_Exist": { + "actions": { + "Check_if_this_is_first_fetch_for_modified_records": { + "actions": { + "Set_Cursor_to_null_2": { + "type": "SetVariable", + "inputs": { + "name": "cursor", + "value": "@{null}" + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@variables('first_fetch')", + "@true" + ] + } + ] + }, + "type": "If" + }, + "Get_Breach_Data_for_Entire_Watchlist_2": { + "runAfter": { + "Set_modified_records_array_to_empty": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['SpyCloud-Enterprise-Connector']['connectionId']" + } + }, + "method": "get", + "path": "/breach/data/watchlist", + "queries": { + "cursor": "@variables('cursor')", + "since_modification_date": "@variables('date')" + } + } + }, + "Set_false_to_first_fetch": { + "runAfter": { + "check_if_data_exist_for_date": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "first_fetch", + "value": "@false" + } + }, + "Set_modified_records_array_to_empty": { + "runAfter": { + "Check_if_this_is_first_fetch_for_modified_records": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "modified_records", + "value": "[variables('TemplateEmptyArray')]" + } + }, + "check_if_data_exist_for_date": { + "actions": { + "For_each_response_2": { + "foreach": "@body('Get_Breach_Data_for_Entire_Watchlist_2')?['results']", + "actions": { + "Append_to_modified_records_variable": { + "runAfter": { + "Check_IP_Address_is_Not_empty_2": [ + "Succeeded" + ] + }, + "type": "AppendToArrayVariable", + "inputs": { + "name": "modified_records", + "value": { + "Document Id": "@{items('For_each_response_2')?['document_id']}", + "Domain": "@{items('For_each_response_2')?['domain']}", + "Email": "@{items('For_each_response_2')?['email']}", + "IP_Address": "@{variables('ip_address')}", + "Infected_Machine_Id": "@{items('For_each_response_2')?['infected_machine_id']}", + "Infected_Path": "@{items('For_each_response_2')?['infected_path']}", + "Infected_Time": "@{items('For_each_response_2')?['infected_time']}", + "Password": "@{items('For_each_response_2')?['password']}", + "Password_Plaintext": "@{items('For_each_response_2')?['password_plaintext']}", + "Severity": "@{items('For_each_response_2')?['severity']}", + "Source Id": "@{items('For_each_response_2')?['source_id']}", + "SpyCloud_Publish_Date": "@{items('For_each_response_2')?['spycloud_publish_date']}", + "Target_Domain": "@{items('For_each_response_2')?['target_domain']}", + "Target_SubDomain": "@{items('For_each_response_2')?['target_subdomain']}", + "Target_URL": "@{items('For_each_response_2')?['target_url']}", + "User_Hostname": "@{items('For_each_response_2')?['user_hostname']}", + "User_OS": "@{items('For_each_response_2')?['user_os']}", + "Username": "@{items('For_each_response_2')?['username']}" + } + } + }, + "Check_IP_Address_is_Not_empty_2": { + "actions": { + "set_ip_variable": { + "type": "SetVariable", + "inputs": { + "name": "ip_address", + "value": "@{first(items('For_each_response_2')?['ip_addresses'])}" + } + } + }, + "else": { + "actions": { + "set_ip_variable_to_null": { + "type": "SetVariable", + "inputs": { + "name": "ip_address", + "value": "@{null}" + } + } + } + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@items('For_each_response_2')?['ip_addresses']", + "@null" + ] + } + } + ] + }, + "type": "If" + } + }, + "type": "Foreach" + }, + "Modified_Records_Compose": { + "runAfter": { + "For_each_response_2": [ + "Succeeded" + ] + }, + "type": "Compose", + "inputs": "@variables('modified_records')" + }, + "Save_Modified_Records_to_Custom_Logs_Table": { + "runAfter": { + "Modified_Records_Compose": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": "@{outputs('Modified_Records_Compose')}", + "headers": { + "Log-Type": "@variables('custom_log_name')" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']" + } + }, + "method": "post", + "path": "/api/logs" + } + } + }, + "runAfter": { + "Get_Breach_Data_for_Entire_Watchlist_2": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "greater": [ + "@body('Get_Breach_Data_for_Entire_Watchlist_2')?['hits']", + 0 + ] + } + ] + }, + "type": "If" + }, + "set_cursor_value": { + "runAfter": { + "Set_false_to_first_fetch": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "cursor", + "value": "@body('Get_Breach_Data_for_Entire_Watchlist_2')?['cursor']" + } + } + }, + "runAfter": { + "reset_first_fetch": [ + "Succeeded" + ] + }, + "expression": "@equals(empty(variables('cursor')), true)", + "limit": { + "count": 60, + "timeout": "PT1H" + }, + "type": "Until" + }, + "Until_New_Records_Exist": { + "actions": { + "Check_if_data_exists": { + "actions": { + "For_each_response": { + "foreach": "@body('Get_Breach_Data_for_Entire_Watchlist')?['results']", + "actions": { + "Append_to_new_records_array": { + "runAfter": { + "Check_IP_Address_is_Not_empty": [ + "Succeeded" + ] + }, + "type": "AppendToArrayVariable", + "inputs": { + "name": "new_records", + "value": { + "Document Id": "@{items('For_each_response')?['document_id']}", + "Domain": "@{items('For_each_response')?['domain']}", + "Email": "@{items('For_each_response')?['email']}", + "IP_Address": "@{variables('ip_address')}", + "Infected_Machine_Id": "@{items('For_each_response')?['infected_machine_id']}", + "Infected_Path": "@{items('For_each_response')?['infected_path']}", + "Infected_Time": "@{items('For_each_response')?['infected_time']}", + "Password": "@{items('For_each_response')?['password']}", + "Password_Plaintext": "@{items('For_each_response')?['password_plaintext']}", + "Severity": "@{items('For_each_response')?['severity']}", + "Source Id": "@{items('For_each_response')?['source_id']}", + "SpyCloud_Publish_Date": "@{items('For_each_response')?['spycloud_publish_date']}", + "Target_Domain": "@{items('For_each_response')?['target_domain']}", + "Target_SubDomain": "@{items('For_each_response')?['target_subdomain']}", + "Target_URL": "@{items('For_each_response')?['target_url']}", + "User_Hostname": "@{items('For_each_response')?['user_hostname']}", + "User_OS": "@{items('For_each_response')?['user_os']}", + "Username": "@{items('For_each_response')?['username']}" + } + } + }, + "Check_IP_Address_is_Not_empty": { + "actions": { + "Set_Address_to_value": { + "type": "SetVariable", + "inputs": { + "name": "ip_address", + "value": "@{first(items('For_each_response')?['ip_addresses'])}" + } + } + }, + "else": { + "actions": { + "Set_Address_to_null": { + "type": "SetVariable", + "inputs": { + "name": "ip_address", + "value": "@{null}" + } + } + } + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@items('For_each_response')?['ip_addresses']", + "@null" + ] + } + } + ] + }, + "type": "If" + } + }, + "type": "Foreach" + }, + "New_Records_Compose": { + "runAfter": { + "For_each_response": [ + "Succeeded" + ] + }, + "type": "Compose", + "inputs": "@variables('new_records')" + }, + "Save_New_Records_to_Custom_Logs_Table": { + "runAfter": { + "New_Records_Compose": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": "@{outputs('New_Records_Compose')}", + "headers": { + "Log-Type": "@variables('custom_log_name')" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']" + } + }, + "method": "post", + "path": "/api/logs" + } + } + }, + "runAfter": { + "Get_Breach_Data_for_Entire_Watchlist": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "greater": [ + "@body('Get_Breach_Data_for_Entire_Watchlist')?['hits']", + 0 + ] + } + ] + }, + "type": "If" + }, + "Check_if_this_is_first_fetch_for_new_records": { + "actions": { + "Set_Cursor_to_null_": { + "type": "SetVariable", + "inputs": { + "name": "cursor", + "value": "@{null}" + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@variables('first_fetch')", + "@true" + ] + } + ] + }, + "type": "If" + }, + "Get_Breach_Data_for_Entire_Watchlist": { + "runAfter": { + "Set_new_records_array_to_empty": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['SpyCloud-Enterprise-Connector']['connectionId']" + } + }, + "method": "get", + "path": "/breach/data/watchlist", + "queries": { + "cursor": "@variables('cursor')", + "since": "@variables('date')" + } + } + }, + "Set_First_Fetch_to_False": { + "runAfter": { + "Check_if_data_exists": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "first_fetch", + "value": "@false" + } + }, + "Set_cursor_from_the_API_response": { + "runAfter": { + "Set_First_Fetch_to_False": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "cursor", + "value": "@body('Get_Breach_Data_for_Entire_Watchlist')?['cursor']" + } + }, + "Set_new_records_array_to_empty": { + "runAfter": { + "Check_if_this_is_first_fetch_for_new_records": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "new_records", + "value": "[variables('TemplateEmptyArray')]" + } + } + }, + "runAfter": { + "modified_records": [ + "Succeeded" + ] + }, + "expression": "@equals(empty(variables('cursor')), true)", + "limit": { + "count": 60, + "timeout": "PT1H" + }, + "type": "Until" + }, + "date_": { + "runAfter": { + "IP_address": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "date", + "type": "string", + "value": "@{addDays(utcNow(), -1, 'yyyy-MM-dd')}" + } + ] + } + }, + "modified_records": { + "runAfter": { + "new_records_": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "modified_records", + "type": "array", + "value": "[variables('TemplateEmptyArray')]" + } + ] + } + }, + "new_records_": { + "runAfter": { + "Custom_Log_Name": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "new_records", + "type": "array", + "value": "[variables('TemplateEmptyArray')]" + } + ] + } + }, + "reset_cursor": { + "runAfter": { + "Until_New_Records_Exist": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "cursor", + "value": "start" + } + }, + "reset_first_fetch": { + "runAfter": { + "reset_cursor": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "first_fetch", + "value": "@true" + } + } + } + }, + "parameters": { + "$connections": { + "value": { + "SpyCloud-Enterprise-Connector": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('SpyCloudEnterpriseConnectionName'))]", + "connectionName": "[[variables('SpyCloudEnterpriseConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('SpyCloud_Enterprise_Connector_Name'))]" + }, + "azureloganalyticsdatacollector": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureLogAnalyticsDataConnector'))]", + "connectionName": "[[variables('AzureLogAnalyticsDataConnector')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azureloganalyticsdatacollector')]" + } + } + } + } + }, + "tags": { + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId9'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId9')]", + "contentId": "[variables('_playbookContentId9')]", + "kind": "Playbook", + "version": "[variables('playbookVersion9')]", + "source": { + "kind": "Solution", + "name": "SpyCloud Enterprise Protection", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "SpyCloud" + }, + "support": { + "name": "Spycloud", + "email": "integrations@spycloud.com", + "tier": "Partner", + "link": "https://portal.spycloud.com" + }, + "dependencies": { + "criteria": [ + { + "kind": "LogicAppsCustomConnector", + "contentId": "[variables('_Custom Connector')]", + "version": "[variables('playbookVersion1')]" + } + ] + } + } + } + ], + "metadata": { + "title": "SpyCloud Watachlist data - SpyCloud Enterprise", + "description": "This Playbook will run daily, gets the watchlist data from SpyCloud API and saved it into the custom logs.", + "prerequisites": "SpyCloud Enterprise API Key.", + "lastUpdateTime": "2022-09-05T00:00:00Z", + "tags": [ + "Feed" + ], + "releaseNotes": { + "version": "1.0", + "title": "[variables('blanks')]", + "notes": [ + "Initial version" + ] + } + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId9')]", + "contentKind": "Playbook", + "displayName": "SpyCloud-Monitor-Watchlist-Data", + "contentProductId": "[variables('_playbookcontentProductId9')]", + "id": "[variables('_playbookcontentProductId9')]", + "version": "[variables('playbookVersion9')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleTemplateSpecName1')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "SpyCloudEnterpriseProtectionBreachRule_AnalyticalRules Analytics Rule with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleVersion1')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRulecontentId1')]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "This alert creates an incident when an malware record is detected in the SpyCloud watchlist data", + "displayName": "SpyCloud Enterprise Breach Detection", + "enabled": false, + "query": "SpyCloudBreachDataWatchlist_CL\n| where Severity_s == '20'\n| project TimeGenerated, Document_Id_g, Source_Id_s, SpyCloud_Publish_Date_t, Email_s, Domain_s, Password_s, Password_Plaintext_s, Username_s, IP_Address_s\n", + "queryFrequency": "PT12H", + "queryPeriod": "PT12H", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": "[variables('TemplateEmptyArray')]", + "tactics": [ + "CredentialAccess" + ], + "techniques": [ + "T1555" + ], + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "Email_s" + } + ] + }, + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "Username_s" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IP_Address_s" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "customDetails": { + "Domain": "Domain_s", + "Source_ID": "[variables('_source')]", + "Document_Id": "[variables('_Document_Id')]", + "Password": "Password_s", + "Password_Plaintext": "Password_Plaintext_s", + "PublishDate": "SpyCloud_Publish_Date_t" + }, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "reopenClosedIncident": false, + "matchingMethod": "AllEntities", + "enabled": true, + "lookbackDuration": "12h" + } + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId1'),'/'))))]", + "properties": { + "description": "SpyCloud Enterprise Protection Analytics Rule 1", + "parentId": "[variables('analyticRuleId1')]", + "contentId": "[variables('_analyticRulecontentId1')]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleVersion1')]", + "source": { + "kind": "Solution", + "name": "SpyCloud Enterprise Protection", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "SpyCloud" + }, + "support": { + "name": "Spycloud", + "email": "integrations@spycloud.com", + "tier": "Partner", + "link": "https://portal.spycloud.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId1')]", + "contentKind": "AnalyticsRule", + "displayName": "SpyCloud Enterprise Breach Detection", + "contentProductId": "[variables('_analyticRulecontentProductId1')]", + "id": "[variables('_analyticRulecontentProductId1')]", + "version": "[variables('analyticRuleVersion1')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleTemplateSpecName2')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "SpyCloudEnterpriseProtectionMalwareRule_AnalyticalRules Analytics Rule with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleVersion2')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRulecontentId2')]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "This alert creates an incident when an malware record is detected in the SpyCloud watchlist data", + "displayName": "SpyCloud Enterprise Malware Detection", + "enabled": false, + "query": "SpyCloudBreachDataWatchlist_CL\n| where Severity_s == '25'\n| project TimeGenerated, Document_Id_g, Source_Id_s, SpyCloud_Publish_Date_t, Email_s, Domain_s, Password_s, Password_Plaintext_s, Username_s, Infected_Machine_Id_g, Infected_Path_s, Infected_Time_t, Target_Domain_s, Target_SubDomain_s, User_Hostname_s, User_OS_s, Target_URL_s,IP_Address_s\n", + "queryFrequency": "PT12H", + "queryPeriod": "PT12H", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": "[variables('TemplateEmptyArray')]", + "tactics": [ + "CredentialAccess" + ], + "techniques": [ + "T1555" + ], + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "HostName", + "columnName": "Infected_Machine_Id_g" + }, + { + "identifier": "DnsDomain", + "columnName": "User_Hostname_s" + } + ] + }, + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "Email_s" + }, + { + "identifier": "Name", + "columnName": "Username_s" + } + ] + }, + { + "entityType": "DNS", + "fieldMappings": [ + { + "identifier": "DomainName", + "columnName": "Target_Domain_s" + } + ] + }, + { + "entityType": "DNS", + "fieldMappings": [ + { + "identifier": "DomainName", + "columnName": "Target_SubDomain_s" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IP_Address_s" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "customDetails": { + "Domain": "Domain_s", + "User_Host_Name": "User_Hostname_s", + "Source_ID": "[variables('_source')]", + "Infected_Time": "Infected_Time_t", + "Infected_Path": "Infected_Path_s", + "Document_Id": "[variables('_Document_Id')]", + "Password": "Password_s", + "Password_Plaintext": "Password_Plaintext_s", + "PublishDate": "SpyCloud_Publish_Date_t" + }, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "reopenClosedIncident": false, + "matchingMethod": "AllEntities", + "enabled": true, + "lookbackDuration": "12h" + } + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId2'),'/'))))]", + "properties": { + "description": "SpyCloud Enterprise Protection Analytics Rule 2", + "parentId": "[variables('analyticRuleId2')]", + "contentId": "[variables('_analyticRulecontentId2')]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleVersion2')]", + "source": { + "kind": "Solution", + "name": "SpyCloud Enterprise Protection", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "SpyCloud" + }, + "support": { + "name": "Spycloud", + "email": "integrations@spycloud.com", + "tier": "Partner", + "link": "https://portal.spycloud.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId2')]", + "contentKind": "AnalyticsRule", + "displayName": "SpyCloud Enterprise Malware Detection", + "contentProductId": "[variables('_analyticRulecontentProductId2')]", + "id": "[variables('_analyticRulecontentProductId2')]", + "version": "[variables('analyticRuleVersion2')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", + "apiVersion": "2023-04-01-preview", + "location": "[parameters('workspace-location')]", + "properties": { + "version": "3.0.0", + "kind": "Solution", + "contentSchemaVersion": "3.0.0", + "displayName": "SpyCloud Enterprise Protection", + "publisherDisplayName": "Spycloud", + "descriptionHtml": "

Note: There may be known issues pertaining to this Solution, please refer to them before installing.

\n

Cybercriminals continue to utilize stolen corporate credentials as the number one technique for account takeover (ATO). In fact, the FBI estimated that this resulted in estimated losses totaling more than $2.7 billion in 2022. SpyCloud helps prevent account takeover and ransomware attacks by identifying exposed credentials related to a company’s domains, IP addresses and emails. Through this integration, breach and malware data from SpyCloud can be loaded into Sentinel.

\n

Analytic Rules: 2, Custom Azure Logic Apps Connectors: 1, Playbooks: 8

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "contentKind": "Solution", + "contentProductId": "[variables('_solutioncontentProductId')]", + "id": "[variables('_solutioncontentProductId')]", + "icon": "", + "contentId": "[variables('_solutionId')]", + "parentId": "[variables('_solutionId')]", + "source": { + "kind": "Solution", + "name": "SpyCloud Enterprise Protection", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "SpyCloud" + }, + "support": { + "name": "Spycloud", + "email": "integrations@spycloud.com", + "tier": "Partner", + "link": "https://portal.spycloud.com" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "kind": "LogicAppsCustomConnector", + "contentId": "[variables('_Custom Connector')]", + "version": "[variables('playbookVersion1')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_SpyCloud-Breach-Playbook')]", + "version": "[variables('playbookVersion2')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_SpyCloud-Get-Domain-Breach-Data-Playbook')]", + "version": "[variables('playbookVersion3')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_SpyCloud-Get-Email-Breach-Data-Playbook')]", + "version": "[variables('playbookVersion4')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_SpyCloud-Get-IP-Breach-Data-Playbook')]", + "version": "[variables('playbookVersion5')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_SpyCloud-Get-Password-Breach-Data-Playbook')]", + "version": "[variables('playbookVersion6')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_SpyCloud-Get-Username-Breach-Data-Playbook')]", + "version": "[variables('playbookVersion7')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_SpyCloud-Malware-Playbook')]", + "version": "[variables('playbookVersion8')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_SpyCloud-Monitor-Watchlist-Data')]", + "version": "[variables('playbookVersion9')]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRulecontentId1')]", + "version": "[variables('analyticRuleVersion1')]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRulecontentId2')]", + "version": "[variables('analyticRuleVersion2')]" + } + ] + }, + "firstPublishDate": "2023-09-09", + "providers": [ + "Spycloud, Inc" + ], + "categories": { + "domains": [ + "Security - Automation (SOAR)", + "Security - Threat Intelligence" + ] + } + }, + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]" + } + ], + "outputs": {} +}