![](\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Torq.svg\")
",
+ "Description": "[Torq](https://www.recordedfuture.com/) is the AI-Driven Hyperautomation Platform that helps security teams automate more faster",
+ "Analytic Rules": [],
+ "Playbooks": [
+ "Playbooks/Torq-Sentinel-Incident-Trigger/azuredeploy.json"
+ ],
+ "Workbooks": [],
+ "BasePath": "Users\\acitatorq\\git\\github\\Azure-Sentinel\\Solutions\\Torq",
+ "Version": "3.0.0",
+ "Metadata": "SolutionMetadata.json",
+ "TemplateSpec": true,
+ "Is1Pconnector": false
+ }
\ No newline at end of file
diff --git a/Solutions/Torq/Package/3.0.0.zip b/Solutions/Torq/Package/3.0.0.zip
new file mode 100644
index 00000000000..46b0eafb58a
Binary files /dev/null and b/Solutions/Torq/Package/3.0.0.zip differ
diff --git a/Solutions/Torq/Package/createUiDefinition.json b/Solutions/Torq/Package/createUiDefinition.json
new file mode 100644
index 00000000000..30aca97e864
--- /dev/null
+++ b/Solutions/Torq/Package/createUiDefinition.json
@@ -0,0 +1,89 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
+ "handler": "Microsoft.Azure.CreateUIDef",
+ "version": "0.1.2-preview",
+ "parameters": {
+ "config": {
+ "isWizard": false,
+ "basics": {
+ "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Torq/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\n[Torq](https://www.recordedfuture.com/) is the AI-Driven Hyperautomation Platform that helps security teams automate more faster\n\n**Playbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "subscription": {
+ "resourceProviders": [
+ "Microsoft.OperationsManagement/solutions",
+ "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "Microsoft.Insights/workbooks",
+ "Microsoft.Logic/workflows"
+ ]
+ },
+ "location": {
+ "metadata": {
+ "hidden": "Hiding location, we get it from the log analytics workspace"
+ },
+ "visible": false
+ },
+ "resourceGroup": {
+ "allowExisting": true
+ }
+ }
+ },
+ "basics": [
+ {
+ "name": "getLAWorkspace",
+ "type": "Microsoft.Solutions.ArmApiControl",
+ "toolTip": "This filters by workspaces that exist in the Resource Group selected",
+ "condition": "[greater(length(resourceGroup().name),0)]",
+ "request": {
+ "method": "GET",
+ "path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
+ }
+ },
+ {
+ "name": "workspace",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Workspace",
+ "placeholder": "Select a workspace",
+ "toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
+ "constraints": {
+ "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
+ "required": true
+ },
+ "visible": true
+ }
+ ],
+ "steps": [
+ {
+ "name": "playbooks",
+ "label": "Playbooks",
+ "subLabel": {
+ "preValidation": "Configure the playbooks",
+ "postValidation": "Done"
+ },
+ "bladeTitle": "Playbooks",
+ "elements": [
+ {
+ "name": "playbooks-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This solution installs the Playbook templates to help implement your Security Orchestration, Automation and Response (SOAR) operations. After installing the solution, these will be deployed under Playbook Templates in the Automation blade in Microsoft Sentinel. They can be configured and managed from the Manage solution view in Content Hub."
+ }
+ },
+ {
+ "name": "playbooks-link",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "link": {
+ "label": "Learn more",
+ "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-respond-threats-playbook?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
+ }
+ }
+ }
+ ]
+ }
+ ],
+ "outputs": {
+ "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
+ "location": "[location()]",
+ "workspace": "[basics('workspace')]"
+ }
+ }
+}
diff --git a/Solutions/Torq/Package/mainTemplate.json b/Solutions/Torq/Package/mainTemplate.json
new file mode 100644
index 00000000000..6b4b45d945e
--- /dev/null
+++ b/Solutions/Torq/Package/mainTemplate.json
@@ -0,0 +1,343 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "author": "Torq - support@torq.io",
+ "comments": "Solution template for Torq"
+ },
+ "parameters": {
+ "location": {
+ "type": "string",
+ "minLength": 1,
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
+ }
+ },
+ "workspace-location": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
+ }
+ },
+ "workspace": {
+ "defaultValue": "",
+ "type": "string",
+ "metadata": {
+ "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
+ }
+ }
+ },
+ "variables": {
+ "email": "support@torq.io",
+ "_email": "[variables('email')]",
+ "_solutionName": "Torq",
+ "_solutionVersion": "3.0.0",
+ "solutionId": "torq.torq_sentinel_solution",
+ "_solutionId": "[variables('solutionId')]",
+ "Torq-Sentinel-Incident-Trigger": "Torq-Sentinel-Incident-Trigger",
+ "_Torq-Sentinel-Incident-Trigger": "[variables('Torq-Sentinel-Incident-Trigger')]",
+ "TemplateEmptyArray": "[json('[]')]",
+ "playbookVersion1": "1.0",
+ "playbookContentId1": "Torq-Sentinel-Incident-Trigger",
+ "_playbookContentId1": "[variables('playbookContentId1')]",
+ "playbookId1": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId1'))]",
+ "playbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId1'))))]",
+ "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
+ "_playbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId1'),'-', variables('playbookVersion1'))))]",
+ "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('playbookTemplateSpecName1')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Sentinel_Incident_Sync_to_Torq Playbook with template version 3.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('playbookVersion1')]",
+ "parameters": {
+ "PlaybookName": {
+ "defaultValue": "Sentinel_Incident_Sync_to_Torq",
+ "type": "String"
+ },
+ "Torq_Webhook_Enpoint_URL": {
+ "defaultValue": "https://hooks.torq.io/v1/webhooks/125a9209-9ed6-4216-b5cd-10567f2164f5",
+ "type": "String"
+ },
+ "Torq_Webhook_Auth_Header_Name": {
+ "defaultValue": "X-Torq-Auth",
+ "type": "String"
+ },
+ "Torq_Webhook_Auth_Header_Secret": {
+ "defaultValue": "secr3tP@ssw0rd",
+ "type": "String"
+ }
+ },
+ "variables": {
+ "AzureSentinelConnectionName": "[[concat('azuresentinel-', parameters('PlaybookName'))]",
+ "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
+ "_connection-1": "[[variables('connection-1')]",
+ "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
+ "workspace-name": "[parameters('workspace')]",
+ "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[[variables('AzureSentinelConnectionName')]",
+ "location": "[[variables('workspace-location-inline')]",
+ "kind": "V1",
+ "properties": {
+ "displayName": "[[variables('AzureSentinelConnectionName')]",
+ "parameterValueType": "Alternative",
+ "api": {
+ "id": "[[variables('_connection-1')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Logic/workflows",
+ "apiVersion": "2017-07-01",
+ "name": "[[parameters('PlaybookName')]",
+ "location": "[[variables('workspace-location-inline')]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "dependsOn": [
+ "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]"
+ ],
+ "properties": {
+ "state": "Enabled",
+ "definition": {
+ "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "Torq_Webhook_Enpoint_URL": {
+ "defaultValue": "[[parameters('Torq_Webhook_Enpoint_URL')]",
+ "type": "String"
+ },
+ "Torq_Webhook_Auth_Header_Name": {
+ "defaultValue": "[[parameters('Torq_Webhook_Auth_Header_Name')]",
+ "type": "String"
+ },
+ "Torq_Webhook_Auth_Header_Secret": {
+ "defaultValue": "[[parameters('Torq_Webhook_Auth_Header_Secret')]",
+ "type": "String"
+ },
+ "$connections": {
+ "type": "Object"
+ }
+ },
+ "staticResults": {
+ "HTTP0": {
+ "status": "Succeeded",
+ "outputs": {
+ "statusCode": "OK"
+ }
+ }
+ },
+ "triggers": {
+ "Microsoft_Sentinel_incident": {
+ "type": "ApiConnectionWebhook",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "body": {
+ "callback_url": "@{listCallbackUrl()}"
+ },
+ "path": "/incident-creation"
+ },
+ "conditions": "[variables('TemplateEmptyArray')]",
+ "runtimeConfiguration": {
+ "concurrency": {
+ "runs": 10,
+ "maximumWaitingRuns": 50
+ }
+ }
+ }
+ },
+ "actions": {
+ "Send_Notification_to_Torq": {
+ "limit": {
+ "timeout": "PT30S"
+ },
+ "type": "Http",
+ "inputs": {
+ "uri": "@parameters('Torq_Webhook_Enpoint_URL')",
+ "method": "POST",
+ "headers": {
+ "@{parameters('Torq_Webhook_Auth_Header_Name')}": "@{parameters('Torq_Webhook_Auth_Header_Secret')}"
+ },
+ "body": "@triggerBody()"
+ },
+ "operationOptions": "DisableAsyncPattern"
+ },
+ "Terminate_Success": {
+ "runAfter": {
+ "Send_Notification_to_Torq": [
+ "Succeeded"
+ ]
+ },
+ "type": "Terminate",
+ "inputs": {
+ "runStatus": "Succeeded"
+ }
+ }
+ }
+ },
+ "parameters": {
+ "$connections": {
+ "value": {
+ "azuresentinel": {
+ "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
+ "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
+ "connectionName": "[[variables('AzureSentinelConnectionName')]",
+ "connectionProperties": {
+ "authentication": {
+ "type": "ManagedServiceIdentity"
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "tags": {
+ "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId1'),'/'))))]",
+ "properties": {
+ "parentId": "[variables('playbookId1')]",
+ "contentId": "[variables('_playbookContentId1')]",
+ "kind": "Playbook",
+ "version": "[variables('playbookVersion1')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Torq",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Torq",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Torq Support Team",
+ "email": "support@torq.io",
+ "tier": "Partner",
+ "link": "https://support.torq.io"
+ }
+ }
+ }
+ ],
+ "metadata": {
+ "title": "Notify Sentinel Incident Creation and Update to Torq Webhook",
+ "description": "Sends an HTTPS request to a webhook trigger in Torq everytime a new Incident is created or updated in Microsoft Sentinel",
+ "documentation": "https://kb.torq.io/en/articles/9024676-configure-microsoft-sentinel-and-torq-to-trigger-torq-workflows-on-incident-creation-and-update",
+ "prerequisites": [
+ "Prior to the deployment of this playbook, create a new Microsoft Sentinel Trigger integration in Torq",
+ "Take note of the endpoint URL, the authentication header name, and the authentication header secret configured in the Microsoft Sentinel Trigger integration"
+ ],
+ "postDeployment": [
+ "After deployment browse to your Microsoft Sentinel workspace > Configuration > Automation, Click Create and select Automation rule to create a new automation rule meant to send a notification to Torq when a new Sentinel Incident is created.",
+ "Give the automation rule a meaningful name",
+ "From the Trigger drop-down menu, select When incident is created or updated",
+ "From the Actions drop-down menu, select Run playbook",
+ "From the playbook selection drop-down, select the playbook Sentinel_Incident_Sync_to_Torq and click the Apply button"
+ ],
+ "lastUpdateTime": "2024-11-19T00:00:00Z",
+ "releaseNotes": [
+ {
+ "version": "1.0",
+ "title": "Torq Sentinel Incident Trigger",
+ "notes": [
+ "Initial version"
+ ]
+ }
+ ]
+ }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_playbookContentId1')]",
+ "contentKind": "Playbook",
+ "displayName": "Sentinel_Incident_Sync_to_Torq",
+ "contentProductId": "[variables('_playbookcontentProductId1')]",
+ "id": "[variables('_playbookcontentProductId1')]",
+ "version": "[variables('playbookVersion1')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages",
+ "apiVersion": "2023-04-01-preview",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "version": "3.0.0",
+ "kind": "Solution",
+ "contentSchemaVersion": "3.0.0",
+ "displayName": "Torq",
+ "publisherDisplayName": "Torq Support Team",
+ "descriptionHtml": "Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nTorq is the AI-Driven Hyperautomation Platform that helps security teams automate more faster
\nPlaybooks: 1
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n", + "contentKind": "Solution", + "contentProductId": "[variables('_solutioncontentProductId')]", + "id": "[variables('_solutioncontentProductId')]", + "icon": "",
+ "contentId": "[variables('_solutionId')]",
+ "parentId": "[variables('_solutionId')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Torq",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Torq",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Torq Support Team",
+ "email": "support@torq.io",
+ "tier": "Partner",
+ "link": "https://support.torq.io"
+ },
+ "dependencies": {
+ "operator": "AND",
+ "criteria": [
+ {
+ "kind": "Playbook",
+ "contentId": "[variables('_Torq-Sentinel-Incident-Trigger')]",
+ "version": "[variables('playbookVersion1')]"
+ }
+ ]
+ },
+ "firstPublishDate": "2024-11-19",
+ "providers": [
+ "Torq"
+ ],
+ "categories": {
+ "domains": [
+ "Application"
+ ]
+ }
+ },
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]"
+ }
+ ],
+ "outputs": {}
+}
diff --git a/Solutions/Torq/Package/testParameters.json b/Solutions/Torq/Package/testParameters.json
new file mode 100644
index 00000000000..e55ec41a9ac
--- /dev/null
+++ b/Solutions/Torq/Package/testParameters.json
@@ -0,0 +1,24 @@
+{
+ "location": {
+ "type": "string",
+ "minLength": 1,
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
+ }
+ },
+ "workspace-location": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
+ }
+ },
+ "workspace": {
+ "defaultValue": "",
+ "type": "string",
+ "metadata": {
+ "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
+ }
+ }
+}
diff --git a/Solutions/Torq/Playbooks/Torq-Sentinel-Incident-Trigger/azuredeploy.json b/Solutions/Torq/Playbooks/Torq-Sentinel-Incident-Trigger/azuredeploy.json
new file mode 100644
index 00000000000..58eadf8f396
--- /dev/null
+++ b/Solutions/Torq/Playbooks/Torq-Sentinel-Incident-Trigger/azuredeploy.json
@@ -0,0 +1,183 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "title": "Notify Sentinel Incident Creation and Update to Torq Webhook",
+ "description": "Sends an HTTPS request to a webhook trigger in Torq everytime a new Incident is created or updated in Microsoft Sentinel",
+ "documentation": "https://kb.torq.io/en/articles/9024676-configure-microsoft-sentinel-and-torq-to-trigger-torq-workflows-on-incident-creation-and-update",
+ "prerequisites": [
+ "Prior to the deployment of this playbook, create a new Microsoft Sentinel Trigger integration in Torq",
+ "Take note of the endpoint URL, the authentication header name, and the authentication header secret configured in the Microsoft Sentinel Trigger integration"
+ ],
+ "postDeployment": [
+ "After deployment browse to your Microsoft Sentinel workspace > Configuration > Automation, Click Create and select Automation rule to create a new automation rule meant to send a notification to Torq when a new Sentinel Incident is created.",
+ "Give the automation rule a meaningful name",
+ "From the Trigger drop-down menu, select When incident is created or updated",
+ "From the Actions drop-down menu, select Run playbook",
+ "From the playbook selection drop-down, select the playbook Sentinel_Incident_Sync_to_Torq and click the Apply button"
+ ],
+ "lastUpdateTime": "2024-11-19T00:00:00.000Z",
+ "author": {
+ "name": "Torq"
+ },
+ "releaseNotes": [
+ {
+ "version": "1.0",
+ "title": "Torq Sentinel Incident Trigger",
+ "notes": [ "Initial version" ]
+ }
+ ]
+ },
+ "parameters": {
+ "PlaybookName": {
+ "defaultValue": "Sentinel_Incident_Sync_to_Torq",
+ "type": "String"
+ },
+ "Torq_Webhook_Enpoint_URL": {
+ "defaultValue": "https://hooks.torq.io/v1/webhooks/125a9209-9ed6-4216-b5cd-10567f2164f5",
+ "type": "String"
+ },
+ "Torq_Webhook_Auth_Header_Name": {
+ "defaultValue": "X-Torq-Auth",
+ "type": "String"
+ },
+ "Torq_Webhook_Auth_Header_Secret": {
+ "defaultValue": "secr3tP@ssw0rd",
+ "type": "String"
+ }
+ },
+ "variables": {
+ "AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[variables('AzureSentinelConnectionName')]",
+ "location": "[resourceGroup().location]",
+ "kind": "V1",
+ "properties": {
+ "displayName": "[variables('AzureSentinelConnectionName')]",
+ "customParameterValues": {},
+ "parameterValueType": "Alternative",
+ "api": {
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Logic/workflows",
+ "apiVersion": "2017-07-01",
+ "name": "[parameters('PlaybookName')]",
+ "location": "[resourceGroup().location]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]"
+ ],
+ "properties": {
+ "state": "Enabled",
+ "definition": {
+ "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "Torq_Webhook_Enpoint_URL": {
+ "defaultValue": "[parameters('Torq_Webhook_Enpoint_URL')]",
+ "type": "String"
+ },
+ "Torq_Webhook_Auth_Header_Name": {
+ "defaultValue": "[parameters('Torq_Webhook_Auth_Header_Name')]",
+ "type": "String"
+ },
+ "Torq_Webhook_Auth_Header_Secret": {
+ "defaultValue": "[parameters('Torq_Webhook_Auth_Header_Secret')]",
+ "type": "String"
+ },
+ "$connections": {
+ "defaultValue": {},
+ "type": "Object"
+ }
+ },
+ "staticResults": {
+ "HTTP0": {
+ "status": "Succeeded",
+ "outputs": {
+ "statusCode": "OK"
+ }
+ }
+ },
+ "triggers": {
+ "Microsoft_Sentinel_incident": {
+ "type": "ApiConnectionWebhook",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "body": {
+ "callback_url": "@{listCallbackUrl()}"
+ },
+ "path": "/incident-creation"
+ },
+ "conditions": [],
+ "runtimeConfiguration": {
+ "concurrency": {
+ "runs": 10,
+ "maximumWaitingRuns": 50
+ }
+ }
+ }
+ },
+ "actions": {
+ "Send_Notification_to_Torq": {
+ "runAfter": {},
+ "limit": {
+ "timeout": "PT30S"
+ },
+ "type": "Http",
+ "inputs": {
+ "uri": "@parameters('Torq_Webhook_Enpoint_URL')",
+ "method": "POST",
+ "headers": {
+ "@{parameters('Torq_Webhook_Auth_Header_Name')}": "@{parameters('Torq_Webhook_Auth_Header_Secret')}"
+ },
+ "body": "@triggerBody()"
+ },
+ "operationOptions": "DisableAsyncPattern"
+ },
+ "Terminate_Success": {
+ "runAfter": {
+ "Send_Notification_to_Torq": [
+ "Succeeded"
+ ]
+ },
+ "type": "Terminate",
+ "inputs": {
+ "runStatus": "Succeeded"
+ }
+ }
+ },
+ "outputs": {}
+ },
+ "parameters": {
+ "$connections": {
+ "value": {
+ "azuresentinel": {
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]",
+ "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
+ "connectionName": "[variables('AzureSentinelConnectionName')]",
+ "connectionProperties": {
+ "authentication": {
+ "type": "ManagedServiceIdentity"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/Solutions/Torq/Playbooks/Torq-Sentinel-Incident-Trigger/playbook_screenshot.png b/Solutions/Torq/Playbooks/Torq-Sentinel-Incident-Trigger/playbook_screenshot.png
new file mode 100644
index 00000000000..f1cb5f3ce2c
Binary files /dev/null and b/Solutions/Torq/Playbooks/Torq-Sentinel-Incident-Trigger/playbook_screenshot.png differ
diff --git a/Solutions/Torq/Playbooks/Torq-Sentinel-Incident-Trigger/readme.md b/Solutions/Torq/Playbooks/Torq-Sentinel-Incident-Trigger/readme.md
new file mode 100644
index 00000000000..55ff9f9e548
--- /dev/null
+++ b/Solutions/Torq/Playbooks/Torq-Sentinel-Incident-Trigger/readme.md
@@ -0,0 +1,43 @@
+# Torq-Sentinel-Incident-Trigger
+
+## Summary
+
+When a new Sentinel Incident is created or updated, this playbook gets triggered and sends a notification (HTTPS POST Request) to a Microsoft Sentinel Webhook in Torq.
+
+