From c8f2e2622c5aa8debd2fe8d9da1deff4b7ed0fb0 Mon Sep 17 00:00:00 2001 From: Alberto Cita <100130623+acitatorq@users.noreply.github.com> Date: Wed, 6 Nov 2024 20:09:07 +0100 Subject: [PATCH 01/10] Contributed a new Azure Sentinel solution for Torq which includes a new playbook --- Logos/Torq.svg | 24 +++ .../azuredeploy.json | 165 ++++++++++++++++++ .../playbook_screenshot.png | Bin 0 -> 41077 bytes .../Torq-Sentinel-Incident-Trigger/readme.md | 43 +++++ Solutions/Torq/Playbooks/logo.png | Bin 0 -> 3449 bytes Solutions/Torq/ReleaseNotes.md | 4 + Solutions/Torq/SolutionMetadata.json | 15 ++ 7 files changed, 251 insertions(+) create mode 100644 Logos/Torq.svg create mode 100644 Solutions/Torq/Playbooks/Torq-Sentinel-Incident-Trigger/azuredeploy.json create mode 100644 Solutions/Torq/Playbooks/Torq-Sentinel-Incident-Trigger/playbook_screenshot.png create mode 100644 Solutions/Torq/Playbooks/Torq-Sentinel-Incident-Trigger/readme.md create mode 100644 Solutions/Torq/Playbooks/logo.png create mode 100644 Solutions/Torq/ReleaseNotes.md create mode 100644 Solutions/Torq/SolutionMetadata.json diff --git a/Logos/Torq.svg b/Logos/Torq.svg new file mode 100644 index 00000000000..8d3e5cc77c4 --- /dev/null +++ b/Logos/Torq.svg @@ -0,0 +1,24 @@ + + + + + + + + + + + + + + + diff --git a/Solutions/Torq/Playbooks/Torq-Sentinel-Incident-Trigger/azuredeploy.json b/Solutions/Torq/Playbooks/Torq-Sentinel-Incident-Trigger/azuredeploy.json new file mode 100644 index 00000000000..d00118e292d --- /dev/null +++ b/Solutions/Torq/Playbooks/Torq-Sentinel-Incident-Trigger/azuredeploy.json 
@@ -0,0 +1,165 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "title": "Notify Sentinel Incident Creation and Update to Torq Webhook",
+ "description": "Sends an HTTPS request to a webhook trigger in Torq everytime a new Incident is created or updated in Sentinel",
+ "documentation": "https://kb.torq.io/en/articles/9024676-configure-microsoft-sentinel-and-torq-to-trigger-torq-workflows-on-incident-creation-and-update",
+ "lastUpdateTime": "2024-11-06T00:00:00.000Z",
+ "author": {
+ "name": "Torq"
+ }
+ },
+ "parameters": {
+ "PlaybookName": {
+ "defaultValue": "Sentinel_Incident_Sync_to_Torq",
+ "type": "String"
+ },
+ "Torq_Webhook_Enpoint_URL": {
+ "defaultValue": "https://hooks.torq.io/v1/webhooks/125a9209-9ed6-4216-b5cd-10567f2164f5",
+ "type": "String"
+ },
+ "Torq_Webhook_Auth_Header_Name": {
+ "defaultValue": "X-Torq-Auth",
+ "type": "String"
+ },
+ "Torq_Webhook_Auth_Header_Secret": {
+ "defaultValue": "secr3tP@ssw0rd",
+ "type": "String"
+ }
+ },
+ "variables": {
+ "AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[variables('AzureSentinelConnectionName')]",
+ "location": "[resourceGroup().location]",
+ "kind": "V1",
+ "properties": {
+ "displayName": "[variables('AzureSentinelConnectionName')]",
+ "customParameterValues": {},
+ "parameterValueType": "Alternative",
+ "api": {
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Logic/workflows",
+ "apiVersion": "2017-07-01",
+ "name": "[parameters('PlaybookName')]",
+ "location": "[resourceGroup().location]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]"
+ ],
+ "properties": {
+ "state": "Enabled",
+ "definition": {
+ "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "Torq_Webhook_Enpoint_URL": {
+ "defaultValue": "[parameters('Torq_Webhook_Enpoint_URL')]",
+ "type": "String"
+ },
+ "Torq_Webhook_Auth_Header_Name": {
+ "defaultValue": "[parameters('Torq_Webhook_Auth_Header_Name')]",
+ "type": "String"
+ },
+ "Torq_Webhook_Auth_Header_Secret": {
+ "defaultValue": "[parameters('Torq_Webhook_Auth_Header_Secret')]",
+ "type": "String"
+ },
+ "$connections": {
+ "defaultValue": {},
+ "type": "Object"
+ }
+ },
+ "staticResults": {
+ "HTTP0": {
+ "status": "Succeeded",
+ "outputs": {
+ "statusCode": "OK"
+ }
+ }
+ },
+ "triggers": {
+ "Microsoft_Sentinel_incident": {
+ "type": "ApiConnectionWebhook",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "body": {
+ "callback_url": "@{listCallbackUrl()}"
+ },
+ "path": "/incident-creation"
+ },
+ "conditions": [],
+ "runtimeConfiguration": {
+ "concurrency": {
+ "runs": 10,
+ "maximumWaitingRuns": 50
+ }
+ }
+ }
+ },
+ "actions": {
+ "Send_Notification_to_Torq": {
+ "runAfter": {},
+ "limit": {
+ "timeout": "PT30S"
+ },
+ "type": "Http",
+ "inputs": {
+ "uri": "@parameters('Torq_Webhook_Enpoint_URL')",
+ "method": "POST",
+ "headers": {
+ "@{parameters('Torq_Webhook_Auth_Header_Name')}": "@{parameters('Torq_Webhook_Auth_Header_Secret')}"
+ },
+ "body": "@triggerBody()"
+ },
+ "operationOptions": "DisableAsyncPattern"
+ },
+ "Terminate_Success": {
+ "runAfter": {
+ "Send_Notification_to_Torq": [
+ "Succeeded"
+ ]
+ },
+ "type": "Terminate",
+ "inputs": {
+ "runStatus": "Succeeded"
+ }
+ }
+ },
+ "outputs": {}
+ },
+ "parameters": {
+ "$connections": {
+ "value": {
+ "azuresentinel": {
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]",
+ "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
+ "connectionName": "[variables('AzureSentinelConnectionName')]",
+ "connectionProperties": {
+ "authentication": {
+ "type": "ManagedServiceIdentity"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ ]
+}
\ No newline at end of file
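Review bot: `Torq_Webhook_Auth_Header_Secret` is declared as `"type": "String"` both in the top-level ARM `parameters` block and again in the workflow `definition.parameters`, so the shared secret lands in plaintext in the deployment history and in the stored Logic App definition, and because the HTTP action sends it as a header its value is also retained in every run's inputs; it should be `"type": "SecureString"` in both places, and `Send_Notification_to_Torq` should carry `"runtimeConfiguration": { "secureData": { "properties": [ "inputs" ] } }` so the header is redacted from run history. The placeholder defaults compound this: `"defaultValue": "secr3tP@ssw0rd"` and the concrete hook `https://hooks.torq.io/v1/webhooks/125a9209-9ed6-4216-b5cd-10567f2164f5` mean a deployment that accepts the wizard defaults posts the full incident (`"body": "@triggerBody()"`) to whatever that UUID resolves to — I cannot tell from here who owns it — authenticated with a string that is now public in this repo; both defaults should be `""` so the wizard forces the deployer to supply their own values. Separately, `staticResults.HTTP0` is defined but no action references it, so it looks like leftover test scaffolding that can be dropped.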
diff --git a/Solutions/Torq/Playbooks/Torq-Sentinel-Incident-Trigger/playbook_screenshot.png b/Solutions/Torq/Playbooks/Torq-Sentinel-Incident-Trigger/playbook_screenshot.png new file mode 100644 index 0000000000000000000000000000000000000000..f1cb5f3ce2cf6076e78986f167d4d754f3c3c8f6 GIT binary patch literal 41077 zcmeFZc{J4j`#)SFNWY>v~*|>v6q;HPjTTjx!xU zbm$P(?OQkR9y&ydIdq65p5iF@Cf`5N2mE)~<*wq5L%Gf8(BQ*0^ZU0gR8o;D}+uXQK5^(6kh1AzeO@8%KiEqC@w0Qki%&WO_W^sHLG1HF`Z@Iecl7kZG&EUIz zLDv7!VG>db8n)kmBsq~JQ0j1;VgLQr!9i?vG{fuce;&Q}6IX`+LT(aOirzo3wfk!z zr0U4Oe0}^1TP3$uZ3g}S8~`}!X9DIw#^rw~;PG(^%<=xKneqn%I`~7@V^ZQ@2Aq^c z@(KA^TyMb(@t`kY`*L# zZx#K_gQPOb&3*4?vEXLioo)`hH(MZadx8{mkygEAD8s1=7rtcQU9GGKSy%6E^5qZ<)Wa{^PW?mny(WFtdrz2lQ`VBYem_5`mbI?U6PXy zAGgA&M(4p4x&%yL8Zz(s?ssxRCc3|po$nSAF7mwcUvLQSJ$G~WW9%gwKb}dyYoeH2 zUUY1-N#>-ZmKs|;cZoGY0dCNk_4(G6>;0ILWL z$mbC5mh_2K32&8~ukRuO))mKL8Cd@vvkzBxk6bJDUuf0|_)jP;dz~y0LT1m{^)Dcw zt#bMNe}ZK;4GnP9>&yzp|40^ywz+pSxk0y29+)`zk49RL)60;u_n1 z%-5tR;&M{EUHNxS`i^XVt%uy4YM#Uos}E1jQm7huH}J6uOa*a7G*-94aFuPu8Fmf9 zl~NP4Y8kaSjW5Si(xu}kpIrPS>xoj5^(ejPeUg)SGCi%;X8j!RT{7<9k9sczOwnDv zb|2#2i=vt8yqq?Tzf2g+-Yrkd)dZfYvm!4heql~Kbx%rewsrb8=gEH4iK3Pu?$jz& zMXDH_?^bxFw6LM*^ftD)ku}Y;3x4L0!8CAyv?v^zMcmd)l=oKik)wV=?-RP`-c-1+ zt3#0UhIjkDo>W=4;B;=$z5jmO%jj=$)i`nF7EbHP?+cyR02}i#^AIn=CbHzGpSR_A zp=K*qr(TP&^h(TC-*&sEbG|jFH_P@3V?x%m*4%;{t5_^V6l~r2*9tEZ<5|4jY+?n> z9Aaf4zDnZb!d8|?h|7<#NTW^x=M#~-Of&}xr2)P;wEd(lAM&Q~>~NaP#+K!VMcx)E zs}{Kj9QmV9$b359J91ToMv({Z&I;#2(<>uT5X=CwAi}kGP2+I~V z`1Y)&M6)VVllUx2LzEPlejmCD;>}yjWLGosCtx{_n73V0XrnkGLDkq5YrS0k$sz}Q zqV>~6Dtv6dN>B3#7dQ2)s4I?@iwYY}j=paa9MTiqm5`V!FI0NfWTIEQ9JN%0y~M^; zO2^9!a)lF={FPTjS){}hJVt}9vvNu@S9@1VmI@pBl&iNU_&X{+mkTqgnS{88JSP*Z z+f#3UP=`xfgC}w9=9OCMHADZ3b5t|?^5Vm>BRxi5b44?`$oKXoeVlISyHZ9KkqwW@ zDBH^(jomGE7;3+gm3?>SO6@ah_0nOeZHT+f(pL^!ds{U12!3Z(lQenJ@Xr3Snv+lZ zInprDcs}D2@%i&VlhnfD@wre}Q|M@9xTcCwTr}A-Luzr>v!3~iw&Q3Ci9Dm3w;t=# zyzA1QOXEB>!7gD;!dK?NlfVLR)0zV7$|#T3hqv&dFjbq~fsi%{`|+=@&@kgIQ)TTe zyGiHJ<4 
zSeNXYhPVseTc`K8X&Mi(mAfsmEUvutgSk z>t%IAS@$25lpf^v-gLVk!D@}s8tRx2c}3UJGJh`msk^QdLrYzjQO5jVTHD^05k`Jq z&<$1GOjodAJDKr)LEOwxPFLE-DhB@4WpxN*+;0{xWn+l>NY47bq)r-xS~beCpNw}= zixsxjp6}Vyexf4GT?%c=gU+;@IE&8c7>EE>DS$cFKx`b}#|o^Yo+P z;3nq`Uv%PjbxwOP+~Lia_)<4<-_n3SQig)LkCU9~V|mOSoXeWCh!*L~pUOwJ=OK^K zdK2M(TV~xya;hdH>jVU{i!56bi^IOjRBp~A(UCevx8dGPx2rOBF#`95p|vRd&L&LC zVY>4Jx{kqE#jHN8Dd@dOk&D?R>|MegZDSu?kXqX~jy6z1Z0v<#A=_0}mVp$-@S^RN zf%E|fB(HtxkUK1%A1eOE>DSbpsCh$#d`XX?fMs($_7f$4s_2L}!Xm?Q$Y*-x-dQwAu%K9O;>nAs-yJS2r#_Curpx-^N264XKr%` zuUi4ZB!-DkXYlxYPJc+ZaSt&mXq(|lbYVapnTY~slgL5NSLk{~IKn2g>u8!N-Um@J zN3k;w+98_SX%)}iK^T(;EWW4&uqfR&x16)CwasHi&uFyI%4@#dvft#{`Sy3uSYn?V zK1!q@QC1Fwj%;+779P8}GT>O9-SglCZK&l!jd8c`_iU)?)kZT znVm->4@E>iFE5xHRw{Y@itN5@>^qqNDXiP-^IYH9LfQ7@TG#j=Uay}PF?xyXgl%9- z1{^L!zdUWjZ~Ec$v_0H6=SnSm!c9sSD?jzhY>l3UK4bOu2&v&!DjKkqUVdvQM$%e2 zyvTBW(hxEfnX_5Ty7O|54nID()Nh+--V?q8g9a)}ZfT>Zm)X8dxxqA@5R;I-0cTX$+#JD6BkLE! zoG^}loB9BP57@OVRs$4JHv<`LM!^HVLdFSe5tOxIjh zKG6o4cP^KWg*8@=z706O7h;o8$9Z;2Q7cfLX;mVk>EvEOSCXNF1z0Tyx{XpGs!ouO z4%YXYc|O9FIMcBpTfXS|jg6oWkX1gk*X9W&ycdq!`U|!koi;r=BA?$Ad(q-fC=Ji2 z_l!G?EjM6BMk8xqMDJq1+bVhPtWP3-@ZE@`@LrnyAm5Td7A_-A30YeH9wWfvWi)&q zGWbf>pSD&hWwj3kzi2Ad3l>jihcc5AFO>?KkGd-Ck3Nzyq;ls~{v9VT{3-Lk@y1pe z#SXh<$U=_Tq{Poay23sUj!Kx(b6VetG@U#nUB+Tuw|;t_-}cPs-@DUVf<)mlssvy^4IIt zVc5)E<#IE69*I%wNLOzO`mDfq_UDjIR!;Xgw0@oA1?&MI#{TT#>D8)L)a;R0=`wNGm#fL z1z&hc`}Jlx(t}e!P*lLK@WaK&Wn8pQ6CVwI?E+N!8mK?IaL)$LDc1G&^XrG&B{%Jbd&hxQMQf`m~lAWvH_36CKTPe|| zSV8`g!BLC=cCi}2S>2&3Iut==9-8O@i)&4CAT#pY#@Tg!VRkftbg+YA8cGMtRS6`% zqrdn#Z$k;Y5n{Pi=i64x9rXUo^6aRmhw<7chC;W+cz~$rn_CCsmvbtY8gPcrAG+oF zkse`2*lcEDn|si$#d^eoK=+Uzep@%MxGX&;iCyW07#~%WsiCyB{0U9_>~T4t6dg0= zD9Ptdmsq~doRVTSvvL?Z_0!~pe%J%ypsp(i{*xlrao`w zqn;lX;ucysfn@2T(-}7}H>YRmK+Jq{V{MAjmwMssTUD+#T)h;T_wb#v%9_*oD@BnR zrnU}VB^Q$FcFLR7#a!Ik`8Uwhu@l}tq;hvm-3O<(g)P3v*p=CzP#pqjrqIZw098H- zGt*1C$#^y@+6Zc0u{!LfiRF3W&kJYc_>|wAAdzk!rOU~je6BWPSw}LD@6$Ko?)xci znO#(J%u-3g5}i_x(w7ymD~&U{8!U7NHxtZy3vcYFOL-*F;o_bsO~+l--FhN`k~J|V 
ztna6cU`Q0pMjvh?b*S|I_qtJ5uX(> z#U8)(v7c?#g3X4ZGdb8cMOO1Se+fNIvNsl zf&+?>zqUeH6@4n1O;X10?bs1iQk%_K>;i(d1e#;kYaxl@g9Zzien$LC{`~oj z@?8L@Oq|x+mHE58JgTbZUAm7_F+~udg6p@7(GN}TpF4->8sr%oBlF6Ye9&ciYc*7ybHPH`DY=*f7nBBY@RefoA!6d1 z!Qq5H;+THcWtw$bFJUB&PNvkRVxiTo9Y0rXp;r~~gHM5VXKjAkGVzS}>Cr^5`L{#c zdA_);2pLx1$>)jYi{DG@A}OAlD)dz2w=w8GOL$JPt)$>QIvuXoHo*NUkD_9l^4PMj zso5<{mu8(AQ#a{x6Mbo(vgThPiu_Dxf>J_OZr zu#^7Mz~j?~6X#_O_t-4XV=C|!>;CP+Hnig<$A}7TnN5e=4R32lRPf%`KVP<86syV! z>$8ZnFJy5Nn3=us?A+^yxpjAao=Xn6cm_-ck{8kpOaKb97FMc zB?xcjxDHQ}iz1JTN{U?`TDXO~d6Ep{7Cq8Sh}0q=UfT8A^GsfZcFN!Cx*zOgS~Ad~ zCc!%s9ED*OY&3HENOt)~J{PlH{`C;2DPV<$M7L;6={L@}RMxE@%A+RW^L-FCLt`&6PAv-5Nj z7HK2Wk{1j&z81;f`(juA;?9DVFnpKcr$)0$d)GBdGqbdo%`FV)8^eIRk2Z5tz; zCv1&R5Yf9}=!0$LoExB*kk|igmnX1(Q|0T+meT|Aw)Km&l68ogrFU6w;o(1%FqO+{ z-O9W{E`&vJ*-yc6$S2OZs-ix^w>j?&W^oWjfn(xcG(7R7%stTU5x<+IV~$tY)FV-o zPl0xvJrv(!of9f1Gd9I6sKb^O^lws^NAdim#U+T?>xl&4s`lO1Tf)w*7zn;sS8tJ7 zRbeXJ3F-szaPSL6(2w3kZluHAtM&>p{$5c5;rO_%MyVVz9J4#km|@aNr4!#cY%D=9 zb7tQ+Sg(_FOgA3Z+>S@O>#@f?zshT*tY<3H=fRtMlO~GV)^O0bAm{R={-D^BEw2N- zVt_p(_yTJEM9!|ug5rv?*$CQ@4$?_c%14jo

wKr#TRu;dza4I1-Dk_hovxjXM2erTlN(h zi?6$L{}|31J+CSKrhBR*2g*3~$;ji)`=;B9J3qUy?QyV^i@ZzQ8O(d&7)-wsUF&jg zyI$uuk$|!|{+Xu;F0pEiwiOL;3acD#gLH(+cqusbs3;=;AO)!ix0dS?Ba*)oboZ}1 zUT2b?-Y#;-Y4odGHrrYj>lps#&?31(z@I3|ks#*zP4qN_!g1dZ@9ju18a*vQvSn7P z5oe`e?ZKkUml6}Hkh`x+kmfqS$<8rAhyfYDHj8LAm~zHo6! zX#di(b;s74szzfwss6Jh{7*&{R4F*G0&X9>P)nVj4)?97YewJvZKtT4fMNa1CTve{ zqId7X+QLtCj9J+29s?IuSYj#mVIFEl&pi~7ObAyuRHMtU@3-q&yzIomo|_&Te$Ab( z^7b_WPzZrvq9k)%4hD4ZIbddQFtytgSHcR<)kmYBg`CH~@_e?**^H6)fx3r+4B~w; zU%}1E&>H7xL-*V2Qn=1j=P_*iGab-C50IYSR1^LHUQ;b1n!?EpAb$otyPIET-xVuCB2UH&f1ue`)qGf!Ic%*hS_7|TUEHOuJcNX_tQcCnHE&P4{)9<#J^?a(8*p+CdTw1>%sGwO zx`@IGS9JSD3CnO6DJDrryXVVaY@398?689{saK%~<~^?lR^iXsK`LU_GJ0&#t;Y}@ zp{aJ8z$kUxQ9K{1weUi)`Bv$mv+_mOcO8V1LU4uKTz@{Lbicb;97o<4746w%_lg6I>RO`czTf%499=)5%T{Fzqq z;pTbYwV&wVONn2j!lgH+W~Fxe0N8E67;SKOxsT*v8P=bn8Fm{iflLx(Un`;H_H~+p zPB9xeVl=n$x{^rt3J9(0fUa`s2RWkcjeK>PZ6SFY5h!+wCkaqCLwD2F5(+H`<)6f7^6YmVL8!-D#OtqgL$XgKG90ry16*Gmc0%4&hl?3KfyX8)bLK>ji z_^DVVuOS_Fs%~A(-mewVOgVu~ezIrWA!c{k6!8a4nL_}<_1@dc2CFn+n}=!#Y4;tv zD0wdWkA|~e&0>?O%?S+6-`u9&J+nX!M*-d(>bUWklJ6_@>-MxxwG!>x#Duc(#@&98 zvC!r4J}=Us78$&Eh>@4T$D2m({nqJ4AYVv_f_jaUjk30%lU#YSM>W?$#fJ9cC)5`u-_SGK_b(*4w%>-$vh;+XdSi4GQxT*j z9p`Z3gVug-OG+Um4>r*0i<`SHvOq z)w?yjLIH!~>Ughei!H12*|eyAM1F$tWs}vw)M4d(IqB>5r_N2&9Jr?A^b6mS#~lnx z6?Q|t_+wc@385z7h^FKbe&|=>;+r%K6U9A7w%C_b_6#jZm=AE3?Nd8VeHZ)`jIpzt zzaO&`Y@@C-i+h8#f{+Mk+MY;2jlWiI-&$X`?ZSg(Eyq*Z2pt5-d2Y&W7SHilSb%4v z9F#Z|US#0Jq|X6tZQY%%i{4spX$flW9{Rbni7`%o;5ZSf)2wEG3RaOUeK1*p{w9bj za-x@#MKWCb6=T*uS2~hNpe$x}-32ynN$u4o7jISopVtn2-`ge)eQ1h6=gQhxxVmM6 zoA$<1bag!Yp%=RL9J5|4eU{3Qrl@eqrLVJ+0tov+A3`lB*I!jfK=#jW#B=y@B71D`@p1AL0Vf;*uS4T5ev8M`YI zuu=%4N3^3-TMM;)y!9{p0WcMf`);~2+XuUP4m$O&PY}ab_T#ZDs9c#35Y|2xIkL^? 
zGr?{Aq1aF5HSNzIj=sxruD~OvFE>l%S$G9{)SrhKG{94I5busrf^F?CzB!BN01W?_ z>(8eQ7K#MwU-eo$-*0DrJxLQ+`-;Iekl8JqI5u9gC4A)39+mXWtEYZzt7O}0rnuT;BQcg$`&=8W&UZnbFLyN3?`BwWPNuf zq=qlCoI$XSPc?X>3b-cgx8_l|7bUB{Oy>*rINQ~qiV^UELU+n7+h5{DzgHOp_uscF zj1S|TgOr+CSLhSb%L;)iK$UavLAo3+8aWMeYL>xl?#~)sfYd4aR)4d%t=bPi+co}# zsZW5j?)l`xAC*!iGL`#xGEIK(m4i(q8vr&9nav5Uf6=9C5agm=`M)c|d&~uxJ6YgM zNrZzk_qOkWDZw9HV97_?-2Ve!?VqN>1`5OhOmcs?frIlSKn|`X%yY1k4}PHGdI_Sv zZ0NgvK)k=42#=ryYU*iBQNLa0!D**&$$ID{ebLxY@(&&u{E-F*f0t^XqyO`I$NvIP ztYMb1&k663oRI$91%v+(WWMhu{y2>cRA$d)2;AE%Mjb>PLKXM}82r83zyCOT&sG5> z$AGf7lQDCj5BlS@qeA&Fab!fJCXIo8 zD(*0VblEp@fXHb^DX1$H1dDc6(UI5CmD%#Ik!GJ~IpgeJ`#xH%L;D|DQ7310zBN5k zjc4D~B?@pTTzSBLs<&~3DDPWYgEIg?#LM=Gxf0w_2&)hFPQ}iKOd7>n)%KiYdZ@^T zN;f5@O%eZUXT8^~?-3~E`4NOjZ*4Gz#3_?4CzZUFVz88ZaLLwpq#G-9al>#S>sMZh zS53Udu`i!=kYlQihsNgpJM%^wx@s*(R15H+RQ{@D#N-*aM*<(Kw*Eyl^HNz%>DNW= zz10=T%T}2+yW$2R-U%!hGFnh~FAd}dqF#JP*fQj312^KwJU?VBt-C;a|JwYZMmSMgAVJU~?M^S3e~oh^Z?x~y z8~FPUb-Wr=<*!(4@Vx5A8||;GJIBJ)0d0#{X26doW5?g9zqf{~C^Hx=EO!>$_QdMd zJN2Pf`%1;vnBT7C%_pSq-R8U^KwOXd`x6d$fe76Ph$c~h;GJ!uOTm}gFLlV=P7rr% zFruVSEm~^W?$D`*8uUA7(?22`BV~_?_Mc3sf(X=Pj(y8;DaH7i&I1UtbS{_G`QU}Y) zlrny04wGsYCVeH8RaAQJnq7Toieii2nXq6U2NW)<6GXY9o?)+^{$G3I7>#w{RvH}5 zAbYYg8a9mw0U-NJWp=2%OgW|Sg7FpL_3vbraO<>4d#%wbrVc?yINU_+N}@ukiT;KI z5Pjk|xRHtn!?;2D`60c)SoXem&fxwLT6P4o@xI$hm_(p zAOmz>25C_J%N5-~4E^7Hu%cvHkm~6z&Z_NIP6?E*yH5P{UA7xYkDOkF z@`ai7yQCENa%({0{pFCsj!T9!rZZueTnK15oss!{z*&blE0rXRic3JnQ&__{oZ>n^ zC}v;nj_HJyhj##RK}WYO_7-zaM7wxn)9nw80v~!BumxLSXDaJ|Ct{d>wXDLVX?V>sq6sI&);igQ0 za24KOXn}Rl{WPlX6yVP8&%F~NJebBil0|Z7Y~>8dc%}`v6|sL0A=B5pP?*s(@>V+U zs77v-3j1t)7jhW<9E-?7H2;V-rzD*|J|1AO^*vaJ)O`_gDQel?Eqp(#;K~L2u*^Qi zV)x>Qfhx6OQPE|%kq=sZ(=mo(KG6M4>sNaxN|#B#6Q0Y;xT!V{W2{=z^?)tB&~v!x zx--j<37I%1$=;*H)sb`+?59scPeb-*@iS|E+E0V6wsRLT_6&X+lLO1EN`g)@yc{%A z=}O8&EolQhbYGv8Z%O&CjOX1=08cKyhpl86Np0|)_bWH{ZM_OqwrtTW{=qeBRz34^ zrK%2WRibI~1h7+nAz-cVP4yCfnGHYKD$u=$1nWTi)0sTg&gX>ne&rV1jz*Y2-|+Hl 
zJS}foqkN?(r-s(WO55*WS2oC&;8Ikm9>0j<-PPkS`wDC@c^fJ>0CxAK%gsoCG}4u?G7gbuns!(?hHgV&Oa{OS_XE}BMz_M z*Ew*^Trltx&n%zPK2rJZbdv~b^D%{$gJXaHp+OIR((N^j_=h2O2lfAW!U!FNp%{w; zGX|8Ljsdj{CJA@DSc1%RG9lP{uq3ku|7;!AJmw(*mLYJ3E54sX^X2xG|h<9okT*$p3f}p?GXzyVkRIY>IcZF zoge}Iky|y8Am!!WErN2*b`0;uK9CA|Ys3D@H@O+rPgR>;Pi6S0#hajcFA#;W9hdh5#4dmp=fsR2=7> zY7Q&ANs}L>s}aUvVeN=$?5Tm1jvRk+R*=)sd$GDoEJnLCA;?8UUl) z5_3hG8>0->y{40H?EBjypoAgAW>dL>eb1ChW|W^@=6r!9(o(R_ch1&WSqh4^y7Q6| zIsiyJSMa!6EouYYbAXrOh58<7BWbK8z}g$oMeeEBW!dP;R{CubPIJ9x;r7l>qSH-h z(QUwLb3L<>B`kx8JKqRwG5U?V^liY^Dt03s5ltetSVoD1-Edkx$z?G!RbkI|0S#vu z1x#;30SVRqN|B{6Ti3*Ir6$$24fQ6L3<2c0X@HdwilZ@Wju&eZ@BYK&fCD;{a=!EN zfyo6BvjmEiP#{iyC-9#Cp~#V0fU%4^LJyv zO=pG(Di?N8=-@$t1_U%!!oHlpHKS&#Ev2K#x}#lN-@a?AiWemZiiqtB%=Qt9z8mN$ z>Eh*slZy($YK;s?AcAEYHX4$=stucIAeqv$%_(jmIrVd>k-s|LqA6A@YUa0tu6Ye$ zQ`GmSJNuTlI0h;Q%+?8R-PYX#yyY$|Oku1tRTtG~3=Y@?K!5vn$N*> znkp=Ja@z@rYJEQvtvY(1-AJXKr{CjX9O^R4hI z0aTT$@Ju2j!pUp4r?+Y#uaDbas?4&fpdkPI-;EFRJmwRBPmM2#7<1`4oqOKSDxE~2 z!!{xp^oV$o%XmGw+fZ8$g>dP5f(4=^-Bn$-y=dEwypW3rs)%l6lhVNkFa`N#NFSfg zUcd3Zm$K1(hJ{FLu4@C2a*Qq;!MOeWe4z9T_Qh&ro85D6(QwgRW37pv>cQH5qA^K| zVr?!*s_3=&UT~PxBQ)g@99ds$--g4uA7ol*WLj^Ay%M&Rkf3Aq@RnW9dFHjNUMsV9 z@B4t%xFkU8cX^O2+5Z@KNbi+tVjBv@y?9v_?M0Bzd9L?vx+}}UV~c=oQGB>idH<{+pflrC zPmCwj-wGeR03vw+1jRpCw)7)fqtgEV9g12Xf}Q^6!|Zwj zf-FIp)Whe_scCUrcXZdaSmB+5Pr*pY@&#@BlTt?m~~ zs9Ay1#-%hu)7hF&D3JLZg3_Tip~MLa4Nfrl$gu+;)2{#|10|2#_Z^XJXbmVLbb#7h z3}Da8UD0XL@71N(Q!VtBd0w0o`O|~PzxojZU#8j`^Fi~To4_vejk zp|pCNcN>@IrwaUgY8b~^g@ z#Ye*n_T8#%k`M5C{W@MBc!_aO<0A>78ogLq;kUC42Z-iTUxEUE<<9n|rJSt&)6+230GJ^>hAqZ-5%Uk2NQB}SYG!VMw}0Rma!)cEhs{y%3%S*`7?oP(6Z z$~Hie^?aoC+5=~%zaJ*dYK`DVJST_bwI}Q6@@qw`>(1!he~3JDu!`n%2s+>acbh$e z{$7kMDddikr@6|C&FqTw)9SXmM(Mu?-Dd(xUDGm4x3t3RK$ zQ92IY)9NyR6_?BZL;q1-6>Qd$Y=6nfZqiQ`B~=t*^fkQpJ+(Q-P4x;LBTrstaeb)b z6LM-5$11TZi!LQ@oZ&-w9aV9TSnF@q0FnUwk(`<)dz-DDY9p=Yso3q^`h=yhE?%9Ak zke|{&F(dTpQqWjk4rp)9eK!$R5w(0Tu_i_!Plw#Y48g2#opz>OWWY|>QxqMhXOJY6 zZEICt$3Gpox2#}b 
z3IcC6kw>wxM8ogL-`BN=?Elf)ne;d5^ifEMrEk2iOHZ)%aHXd;t_psed*!|$?|^w^ zXR%9oLzxNaT$Q~*wt>}^&XIU%ML!JG>^nwZk7u1GPM-$HgHIt$$0>J*ndG+L6%4#) zIJSA*vXBxbid&DR+}T=-E}ZZliKU_kz9T<^B(G9P94JdK*0m&MWvFnPk#LU87aJ+xL;mz8#yp1&(oS8!aZsP5ncC~ zC};t8T@-9+iBI!)BQg(G90AStuIHnPf$98RHq33E<#?p$vP9~WI8NE5Et2(?cUzNp z*KJde?ipGWAWGFcg~SrjeWidkGqD{fqkN!hiikLQN%p}pGWwkpdijBh5-*5Olq(uI z$9?wyyaF3$;&nA7h8dCq_)jG^{Mpl(JvOEFA7HirmF!Oaqa7Bl7QB;#V(Gg~Kq9^b zz2b_GY}010Olc1h&&uEeu}@w&J#LpyN#Hca>(O>-pv zOw{@Ks*)Bh>pJPI$p6{&i>=K1qv z+apBr%OCeMP(sX81})n9SN_PFe;dh43RrihPh4={7yXWl0cilF@}7Y|+4mg8^|529K@ZSbg0yV}Us;K8TBW4jkeBJN!g1e9*s02u2f4e_VJX#4mtKTg*SH_`c4MhGmZYU zr}b_3KYLo+(|9T&!=9EE1nmgM55HLi#Nm7;CkeooAm=FbIeG1efA+8&b=g!htR0Z+ zF+jl-UlGT&EeXJs5NM$7Ojm~&Z7ntS^y5LJp$h0pR0GYUrv0FG$EL&(sP53w)m!GV zqK-x-4y{So(QzYN78Sr91Nrh?L>N$k#QNwv{{+PoRYKG75%QBN2@-hAn)-#Gwffur zp+ofqu3ol8ztq7RG!j_bK?e4x%pAmp$k5@ZyPst}$(DZ1SEc*GaYeBHn~q3SiL?~u z;;0L$m;IR^+Y8TRRDjOI&_Dz?Hy}E5e&sWrdMX7r7q!xlMZmXtzE^U8!l` zunRQ~*OuRbw>bsrJStRtxBt zvz8AJYf4L&D2B7_RvihMMZW`bZW;wW(ez^2e33=&0)q~r#emGFZHAZihTg~yt-riu z!IT(7qw?J_nVq%Ma(^p7%MzK8Y~z?si#BS=J&&_jLyuJZg(zPUY)l-Rt(rL2rwZDX7_Tt5l*3+= zd(i%x7)XW~*+x@5P8K?y;WpPVOa<~FZDAI_t;JbSdypC_KVyMfHH;X8Y$Y90JQEA~UVzku!z8z=#UONg30i%CCYJVW)Gd_SQL_B#3b2v87*V~z1RV>B2x z|4`2DM$qD}x587-*Z>9n(IU|AK(re>`qr(DV;*!td%Mp~U4{@^I?G)qE$ZuCR!zU! 
zMRXbnxZ6_q+>S8T1W2&~CW~35@iVPze8)p>yJG=qcRS87NS= z3VFy9xS%Bc|S+*)iS*XZ!n&P6HU*q8Tq7JpjL=5EXg=Y^(0)SvxP?#S2MPs(b z`EI-%P9dwnH6n!S8r~Or|t?P)w6|y|?1IpRLr1YZ6`#wD{uFir| zck|=i4s{u+xWghOSro%zV!vW|&RvnJCzRf)YC|=yBrej+-R8Kz@lDZ&gKBA6Gp>$LqEi zZaNaxvwevKm7!>d@9(LK(v|10^9VAIA+%HV-DIY9_E|x|Rc*5i6uOz`Sn+F$^z-u6 zl^(tZ*lUs#5t@bH6xmy0(9acIw6PNxjL|qapb2>LVZ%{v?*a5~=Hx2}?i=y)>hx9D zsZT!#JgFOjc2~r9GtYa1`*ILo;XX56qFvd~AoO#NFfJ*doQW8F(ZsWihpn*MJU$9P zl(=&u2(nu2Q-1FYS(5~natUCVPMa8!CM=?0Kflp3a_@!9fD)PvyeO)qtk8BZYMRqM z&*vklXs^kA*Kjkh()+o++$PW52E`zIMu?H>;tM2&CZQFXCmwb+z366MF2&Gjxre|< zc@~4Z*-YBX&wm{Q0#(hB){FdY%iNrmU%fDOIQL=CNmuatfOK?6x}}L$pdV=dAU!IO zWoNy{Ag9dXZ|e|j*&;8sOMv%;7(K*AP93BFI0VRqSGc0aOJ&cuQ&x3)y+IFl=2`J` z0S2T>#`uk%841ItifbaE!OepK_q;Xp-Kl^sg8c6^>Rjywl8Q=iT$Zsaq1Lb>5XI5U z%}eXrL}jEQc2OK9vDcA^(gCqtr6HH|!K@h&}a1u*j|; z5m4VzMk4azWrX(6iIGgUPdG*YsICibeAH3MqYo7I?6WUkuO>B0-^0`WoLpNR>uBK4i_Zy}_!aeN>`NL! zfXx^Z2RdoRMkQ$M&&;vlxOv+)d8y}3eLB5BL8m2AU8lm>C7Pr1#RI-iAKOn&o`g@C zFrugqNHTqjDbF7IhFoGb^EfAs+yj2`pA&Y;A@}(b;@R_TvRmK*I^v&2Muyuli`k`9 zCiE?$Ft$sH)(iov*)Ypy`J_{|oMxl`Tmqj(f;_u*mVBlMqVgJ_y;KM<;35=wR*Xa? z8?^cAWZG=`gIW|Eb18n9_Sz1elG9B2{BpR$9K1@SSzErQEB0cZoFpc%;M8^F!A6d7 z$--MnQ8Mtn0+$Gf@T($9fn~TztJU4gll}6`{HkqJLzSRc@Vs|E^rg~O)U<5%3&ZUX zuF7yyi!2ArF5wQ8-8qC;74hm$5-9;PhUdXtqq^?vFACkBwJIbr4473{4CpO)v)2Uo zfZEDiTnOwP%=0Cxi_L7h1jX-UKBd;s#1^Y%l zt=l$ptKK2nHu<5069J}ZVfGgxuUBb!hPq!jdj2Q|)h)i2A{~QA@*<>SP`WRI3(2aV zHVK{g^!a=%KaPqh+^08xdPX|~67KEeBRJA6#Rk>lQ~j3L_EOF$y0Tf>g|~jc>KY5G zu(lzueTY$(?D#mHMtm7&qEB#cX&53vXD>;|Pd&f1-Ecjh(2?QjJ;to-0rrG8 zgmA4O2Mz4)1O3dK_vugrqkWE^54!J8hAjgb{-Zv-!nQa04#Ar*G?qYN(rCP2GhMC8 zJ={kR@%b~=9niUua+II$qqd~P)#+1oa^v-%52wk+%_OqHA0*FjY`F}_Ie=p2dZr%6 zGhy^?5U=5MH*d89%V-zM$SAtqD-Rid&>0zZ8pyq)I$imQD7_gVH{@0`9YU|(1;hTe z5&nolYQFzUnHTU=%n^-G61*wQzTaS)0EGItVf|@%myWTNgqE~-Nm_Fp{E~%CsO5Wk z3=$}yC$kW%TZvy@oYl1T@&4LV_dWNHxZ89DivQa}=WNZC>Pzc&Twc;xjN4aHT@-*shs!rS%hbTa;fgV2C0aUYzp5? 
zctgyEI06_?d3`(o?EO}`JMAxds~+u-h8psWr|Gmi6Iw4o06KeKE!E_dih!EGl3NDeLbpUo%t* zq+Rs}-5;IeUf2qln?Mm1=-={+n+RkBAt1@x9%B?4&?{^vYW+YGPrx#$xo%zi8M|^` zxC?_+d===wP4`ID`_2c1gfr;{X7%p@pyP^@eDI?t0OSX14bx{@p2B?8#U>(lUvq)* zbIAXA^fDA8zd(1P<1qO-4M7PTcMZCoJ_4rFbujzYLt)LX67tgi^K)9`C2d*%S;F!p^<*87A~rEI*a61PDLT6=Y@) z-xySaQK7RD&3fa|CS6(-iP`-nu&Cai1n>5kefxwqvyPM8X$@+A{-j`pK8N0rCFkX`lei zrgC&+(GJCEde+UL|CHR{9M}+O4=>@3PzcLWLmylhn(&e#k$N0QktDz}w(jA_&h7?e zLN8CRsFI|nqjfFvS_?QT9_IktAhha)Xz2#C*@F$N4n$fF7ERl~M62I69Xf|NRPXf5 zBhff8^bvL1MT_pxcO`B5ypO+dQIQ!73@m``Dxw$%z@@QEEXafTks}nY`W1mDDxI{e zw0TyO6ly8ah)As0!Ypi=*M$&}xE{`MSxWK ztYu2QVW7K!uDrGN{6b&oQB1;)W%#cyj%p(h`Ih%F-vmEZc;wz6(luH3SzdiBXlWtG zS}V4~Pqn_}6T8VGcNsv~?INH9u#~$U=e5;7%ZlnqzGNslz;^>dab|{Fpi_{u{Q0T} z{a|}@q24M}+Z(=SR;i`w=3xmSinDthQs&+%@F}-0(z@e)nn$k52~m41`kwZ&lx>cC zuob&+?+Vj;xD3Ne!h)}xvWHP{DJ!e6pPHjZd>5J6ybraz6J@CaPfYZie=GEGo2ujQ zMxHlM+ZVSR;G5AhiUnLatvyvsQVHlcDwguz1L$m{Os~| z>8wng^Y+xb@WZb!-_Q1s`%+=(}bfyt32%*Ns6LlV4I;Ju1*y9JU-}pyqRQ51g>_B6# ze`%7^9zF(hdqt_n4soU{-XZ8WS+zgquK{@(*%>>(uf9Ggp~)sCgP;C4&k`>Ldds@C z7U<;T&J+$mhQa;Px4-NJ#p$uqt%gO{OS=P2vLngLD>CZKHH7{Y*6GW}ru^B!5Oo8v zsi!?o5`l>Psa~grd?C9Ovqrr%-fpRD+dW^NMHips+bcW(x102uH1i7DVvut8Ij5#b z$mc!uLZT030KhMs1Nf$Mc5aG~NH^>mWH&3n0^X0O6A(Hb^)EkxcUt~mo>e1=xsrcp zh)5+`sgn?#Et8;y%9|{2;7C(JPr@gmv){uGW@b*W#qSLJB2g{4+M?r6`dS2y{5}~H8XPp*lV?P73 z$efma?KU_igHVCLSeom#*T^cH1Um0woqw~^gFw*uegcSnUd11H#Z6gq{z^ z)xNm-j)+Lj_bRsu)$ZwmQb#5sD-G~UF-^^rh~Hfg0U|&gS9}Zs+snatFJ1-Rm9C(* zunVd-3=~xDfFz0;mEyOIf22?WZq-gGxRd!1&>eVjKzchN9pXvd1eM)(LTH(<#_w#s zEFwfhka49G5IZ0iM7kJwx@YYU%CY{k%%D=zf2i*waiRjEXgxsK+I?*oxcw_NnQg2P z5H;|8MuK#-BY>PG1}L+;giv~E8HH_1 zU4ptr&I{++tG>u;>a>S!;JatkD!krWeV2LS`AdH6<+sBUu_d8*g6V8Ni(N^|5P1BU zJ(=Wi;Anxm^R%&6rxUC~Yjs!?j_7Vet;YMTEcB(OR?WIJe+gwq{IB-DJeGlQ&*Bu@JZ$syt;Zg8 zzH|QiUDxlg@AOw!^6q!P@AIr@t$W?~y(TOOy;{Ry9w(8d)cW=L-o5=gS+-_xL5DdE zXy<3k!d=^h4NAWYwgdo2A^K4Ki5xZRGDdw?q5u#S%`yXosfZ;}idFVq6LREpGX*k} znY_QKfXUp~y-OWNZBRZ0P zbwG7stX2lKLuGauJ#~R-;SIzyRTZ5k>XOBM!;n>K0kJ&>SyaNWc0p-zH#?+r1%n33 
zhJ8uMVQymq;Er1%2R54zlnN;}y7X)U_z0vL7oDZeblD$ANVSo5rT>-h|r@6G=NC^h<3dbFw6;?8%>GE~L z0x(DcJBx9L?(%ofG1-)m2GwXaGuvi5qXeF54QRKb!y3xBQ8UEg(?n}860Gt<5W{jI zU@ZDJ`Q%nF$?+>YAt`wtUv8orT;hvBbYM1ak)9v+(%J=wrlPHMw%Tz5gF(Tqd~&&x ze=K)y7;R|`taSze?kV#0Cju&!*?z?R3cOx-5Q28V;81Ikmn1O}BzJ*8eN!#o%F-xEu79JnW-h!5G zACMvT)x2Y21Yu$>OGHzKQSajiDb(_M`Xz2Ys4grlOg5;hN})>M&rW(cIm2Lnq4h~e zrB#HrU*~gL-4-?)lJM*^}c) z@_zp`aQwp*bz7iQRbun422+_M;|zM$Z)+w27V5_>!49;F;P*p#*V+uzw7olKXs^r# zZ1=p?Z%*)9=ViHw&#j`X6e1*G+0`hxZ=fwZZ`SQcZpiNQuM=H*Vrm#cf3t!gOQB-v zM?DanRm-k+uVwrb<1a*HF0Honw|&K6b3|~$hmL)B3tajtjGq}IWZ?hwhf!7#NhFfX zp$n%OYA8rMuENv2eLm{p;ybq9^Xya>#W;ei{5WJ5gIm; z!&_eO?;Y*G_$w53B1LWlof7$iIpMLnxl(BylA&zh()Lbxtlc~DMBgHt)1)rO9X5hm zA=>*mrInRRL1I3F?kDf9HjutILaHo_NclN9@&D{wL{>81YT!j&EJ!zha*^jk7mE{-M zDAnscZB=!9OKWQNQ087DC7H(+ktK58TlLWhGEqv9ZW65iltFi=%uS>`zRlEK>6H63 z?+o+6?M;LDwMRvn21!S5XA_9C21+u6{XzOd)XlA|0AIz}Z~fv4K|IBjvaLOo_-lq) z-0&V>G>$VnuIGx(g5Fx+DoA%;hJ;;@e)nN z?NL1CUf9O@Y;qy%18S;ntO;MQsw#YR@$2}YpOPq>84lsNA*cqfIMg-$7PlX?u?4_lSjDU##av7=6 zHraa8(Zi+lkEI*#xGweiX2yLj{e=%O#^^O!=cuv#Zx^%%Rc3Fa?Am`h0oYJ%zK;j) z$3JeLv=wX!%tBWF?NW>Xi|7G)FW<+wf789-f%iiaRiW|Lm%cBo=d-AyyI%Ki8XF|= z!E^Bbn=)q)tRs&ElYf(k)WMJ9JYW6(A+*y?c@w;ov-KkXCPn#wd|f!by0c3k74a&+ z$eUkpxZ`Z1X+v)!R0t8#CLVP;~nz{uVvyWNpWARy{$LGN+WzaR00$+zq4^q`MD{9&WZq5TSemsKp( z;a#t}A?<>(kB$Ru>qvOr`Ni`wYP%tYkNwCu9;Y11^^AwHsKs%)L{9`( zHnQ1+CuS$WcwUfv=eBg_Bnrn4_#e@~&Rlj zet=1*;-nm;J09)rfRg(WmU%1Xyc0X4N;nV%x9jX?l*meN1XP`INj_o-k zx&#|Qa0r|drzSRVdcDArOl^RF?hfJ^pUb(;ZisJh-xXlDCw5s1<9Sv;g&VZ}bwP=i z60>i;l45ufNH81NI6i=nQ&8$0EE(09jqLR90!w!;{L0MDQhFG&*1Fb^q<i1dXygWy6Z4NTk)a**Ht!a16NkZ#9_N1QMO*G zEmOnAI>uQh$%A5Vlda@~GNyiJl3%olnADo8wKD2DVh>xwNStHWxw3x-^65;dnqX$f zogcKkB}b^dzJ5EDxQ}Y0)zh2mJs0Xe+fJl6zlksHHB`kHC+#9=ry8q1j9!qCD0E>g z+ajhb4(b}Nv9znqo#Ad76l|G@Q_&*TwLsFS2fB&K%iEShUji21fdI~muFee3!jR7= zBN7J5Nwc9S4}7{b@ZfzRq!qwNUlA947Rr#PX6y=_!)hRfa};*9W@JPa#DW zoImg46==7X?*m~bt-16KJy^cLhA9U4c@tpC%Sna5#ez(#q8@q^#Tua`#`BrR!6IJ$ 
z)sOz(o`7kl${jJlaHR_EK?1S2Wpv=qiVfYPX(Dvh2zR+K++5l0TY6=5K%*U&#$z|; zZRd32a}l7S2Wd^Q_C7ncrR^RCq7~JGqusQVw47@t;=I&@6sr?JFLLsaR%l;nT(kdv zxR9dZ&(3%f|JW?Nw?I-+@aNgb9bp<`HX3Q+SZ%=hCmYIKwgP1H1n}mu6p1cI4R{$B zY~C3bi|IFhK|2=9EwBSnU}u0(s`F*g>lc3r= zkkPv~%!V+@1D3aKVm{lhg=rbEHADluJZ#++M9;6L{nAg*$y zly%geB~T=#;YR250zGN3GGaFoA(Ac=S#1SC>FR{;s#$s$nVg860k;kzrQ>1U&yQ@2 z8yHGx19x%HUf_ zj#@3@2GkP}om|?$eH>$t^`I{n#_%8esAhFb{|=k_ zzYk-SDAd3F|9^}vTkJ|QZsv(F`38}5p6r<#nd&<0K1_NRa(0y8113pG$<5OC0!k9A%s;K z&f1@lf?J4T?Xzygk3X0Uudyw&;7iY*8j85sbkucx>EpM<`q%yb{vvIaU|D3Z<8wU( z*Yhl#aG9-FdvB82C@2k$15r4;BW9!R7#sWUnrgG=6t)`&AJ9+h2nXW$-ORXEH4RKT zaium?6DYWDFbP4slG4;#6uWK6!VnwO&be+dvrF4h+o4WFgv@Ez-@*}}Y_+qO3u9wr zGp84Pj=Dve1OZLBtCa9#vG})HyQVkFL@Fv%EURBsyjRyR6*?66DA`yZ zZD(Z>jM=>`NEL-z10;{D2{`RlGfOv%;W(URJRP+c{3l=!jV zFJ0UbL>G`J_ZGgi=tj?~+z!M0x!A?BwZ7WU(-<9C0xK)ag46i#YV91Sc}zwiuQhMQ zC+3SQ#&YFIjop-!<++=GtXxz50yi%#dq-U^IV^rLl5(H2?^2=`kKI_}tZ(P6q{#Dy zj%MbPNOYv&nNsE)UMU)8#uqcO(lVmo5ryEqwUgM)ypoLJ%@K+)$t}uCn?kh%u-*@M zEnj$;zFQa(eL02=wQpE-supkH@4-j{qP8BnLvri_bA@zUoIE`S_O$J zOGYWSbWI!<%g$e)MsGeGVUEe^@VK(D;Bs7-ETuUcI8G7b4sV1Hb(B=G05$t}3-%*{-0opc1o7^x&!hE5)DF?|y3wV-e;~++U@< zxKCV}WAgf4qcGRzN)}Yv=E{EqTh1aa|Mjh&)JXIPG1VmM)AbUr==WTX^mqbGdKugW zM*h#;wCMEPGh@93RqJ;L5x##s5h4bF7^Xw+4}LpiX{il$5?@zM1iHJW=Y)RB#0{Px z`G2r8^k}qSfvs{F!dJmt_4m{qRO^pJ-M$+O6ZRT{nkdRa>Vzkd75iN6uge`zH8hQx)wwR1`PU2kUvCULgoCE!o!eJ% z9mrg05da(d`NL?!Mm=b_^?)$cBAF91!Xaw<$lsjAixjLS1yKI#K~wm!Sz`(+^>u-v zA{5E##`tPQLdsKlQ$DWp#x%r0f<-pEr?!j`((=AnFek&owR2%w(e$;Ij_F&-RfPyT z3pJzuUcRHBR%|@M0$0=draIr7H*cbP-ww+DvS|V|g?*YQ1b8PwRq;7oYAkXRhLdq1 z1$BCehhmuqlt*tZzw8(WuJz5I$iwzZx;efXQu>BoL}Ept%=7Uk#tlwuL-d;XrAfU# zwk@(BS{ggU?V9Ji@~WLpyOmryq1J*ZL*U??HyfS5?K(MNm&XAGp@nKc;>IJ%NC%Xk zUKQ_U(j`O<%Y)V0_{a9eF1wn1QvobA!c_1FPjeZk!+pukK6`SBD;;R* z_H8q*bpsmYNhlipG}70bjc&QH!+>2qipN`F)JJ=4ELLc>P^f%s82v=Y?Zav=2!y?m zte_>Ldp8jtt0BsDgRv1TY-N-)YOq=s!2>Yo(&pstsDN9h2>3E|JHTdnoR)n?btP}L z+&lGLk{O8LpRay`2neTAK;6I3gdflT_G1pKa@cT~WoTLCT*^=WEm@rv+OAcn52-Yf 
ziQA>;$V#0S@XExr-qp4`gbv6pH%w|m^ZQ7bSYCgupxk<5EtGd-N_t^bx*=z_(&H0i zOK62oqA6ggK1DjHPVgi4QYjP%%mQc>%zN;`%oIOU9%aU$qZZLz&Ui}Yvrc171{dmI{8$M!$ z{R>olFWusdYII0lt#_8MND@~VnDRMQmvZEYS?E(?w;&_A=sjTB(B5Y?ZT0+a3oCnA z?5iUhCl{!LDj;XxjIt^D`{s)WCee74Z1g}5$}y`t}vy7$}a^d z!##?c*S$~uc_R2**6V@2b|4M1-hL`HAx0kuYyv0!lNzLEk&Oc?c*Mt!x(Xnow#~yq z2$VX}?SgFbAGDYTD+%=@vHG`sKjr{d%~P2(h-@10Dt>nhXK&ZczV#W@>Zll*owXuS zj^RaTU{a{C)2*}f)eR|pgYok{@ky{kpY;v+V5(9=^ADGtE*6NrBOjlVBk<0NcIo|}^t$(DcTR6U!ZES^sqv>|XntTPl6tpzO8!Bo8EW;9n#zgR|0tQ50tBHq^ zE^+%=gueP#?8v|-?m@A^e)A-CbSKVxjrG>=BJ=TspC5=%sK$hojY5s&e6NH#eN1gx zoY150BAu01C^yx5vAnKgUZqD~zcDcARKB%_sbi&y;|nuQh1Y6yQP*PLm%l0TMj7T8bh-rt5>1hHR0t%PmUs7`{+ywTV7iU1g zE451mVA2e@U{$TZ07)kZYiGoEg{gOh%{B5dVz8Z;>^JkGBzRITw=GP1Eqo39tLaE~ zZ}+zpf#ZQ{S)n{bxj@R*FsvQ9GB56CWF)6A(MUR8N~vz7ST|TtS!kZOpBt+)Q1VkC z8YLz0a+u71%5h_i==M>^1voi8?^I$dSwT0@Dp+g51V9SuMwDqvH0s9Lt{* zhFWH{hh!%jdizw`Q#Kzmo6`R@6$U1v;T{d+BeBV)+RR~wC~Gg(&VbTpdx z*2WfdidNXVinx@WP5{nydJk}-Mw5y!YYlu~kurOvdiIL=32h)O9)sBzoroD7ZRVnM zvaSrAQ~G8ggG!p9Tzi(XI5f#=UK)JN>`%b#T&Vx%fIw8znm3U%c-Aq>6gJscIo}Sj z>k@W4^cA^*$r6k*L#--TTp$UTQo8;$+y3Sh>Beh8X2p$h2VkSQOwxV9BT^7*DY>GN zwp=f4oh(w%eIcp5yG3X~EN@C7MA@i5;kriqSlhx}+w;J7M?ibMuj+&{g%#@y0ZDT5 z$41xf!9J^KcgLEBf*LZi*72=hEW2wb4%2 zERshAj@09!5pBCB}sE3QRdcmZfW>a&4%;SGYqgzF5D)OR2y z^f;x#c^P^6E@&25hCGzH3fOqV03;z2%!7_Shhcu~GJat?-gM&iVZA-EadIE@n3T25x8bcXB64HyOv~W8>9-c- zciYK?agy^nNRGThIa^+)GAioq$>FS`1FUA zkt?gWY1{A4+NRCaP|25Fnnqb5UY>y5KH1x8ugp`^^hpmk{-ncCfu&fvLa4Fn!j3K^ zsEaj}zpkgrTi;scF2`G?J(HSYF&3pdoE0AUh}TKJ_}9TXaXBmhGA)_WtB>_+45-z| z88~(~8PvQ+Q82gzQ^VdmwpO0Y&5m$nt0&8WJFrZay);~dVq$qbR${@R(nUdU=(jSI zUf=TZLx(UXul8R6Wa|TfQ9S$dPp|=q9bj#)TC3ChFBg;m_`*iElTjTn{e@VBFpA!I z8|pU@C6fB>4r<{gBO}bi&r6E8Wd3%w6l7VJKSYIWs+02bh08p)izIfO-fll2&Ng^& z1O5JCB!CA_@8T-mor}L6oX31rK9KeFz}qdo=6-A(ZC6{ncG_s=2(6m^X<3obWKL*J zTeb9ESz+Fjdi5KTMRiuUFJ=t3_r0>2t9d)KPA=i*0LK;Ie0(hW3(cf$>9e_&!8aYh zJFJ46ei|)(2M>6B{2ejuR7aTK;RM`nC?wrppS$<_KT@C5-;lq*BM@!~5Yc5{|4))g 
z@FPG$_LN2)re~{5H^T~ftNJ6Oqig<&g6x5};X(gWs{G38>guV4s^1Z*zZ02oMApX8 zx-UQWG98mRy$2WUhgFNQ=kL`9k7d7^C=2Qr&;Nz-^dC&3a_LyQBXL^+1fC4fH?MMP z?CI@&Z$3?_PZ-;9F@3zH{#Ln+Zi%*2!SR*pSGmamoC#%Kd zw?KIC*LLNrI-$9sVIDR_Tt+l!O364V?RI-?%wOAP?6CdUXWPL%bluKlhZuY~l^q~8 z^JJrb-0$fH^pi%~f#Vk}h_xq=LDOCTWNXmJtgv-^y%XWt2k*ocC9Q6bPmN&Hy_F9jkTqBhh8BEZ*8U2#n(-|2?R5%;#-1qm2cDF4GGMh3g9Yh zOI|ULUV*m z=sXF0wg5evJV_Z3E3?OMW6mPi?=BNah1s=bf|w<&Kfww*g>ks%>o?eK|4Z@=>IbbGr(x9lI56G7=Ruf zkXd=@A3r0y?1vZWBKqS2t!r2PARp4F4#WikY+xUP=dM6&7oj((`}fz^=Z9f*;A=?d zP1e{F7h3>XsgM_{(7 zjy`|y2FT&+LBp5iZ4JFB#}{?3sz< zUGh-+gNTHL`~!$yl(gC|avp&gNPDpe$O4z@LY65b;ERBTUv!0gl^OMg28#l<9r3jq z7dZ>iNI&4fA|^R(>)fv{r#JsXWM9C`KpdjiOH?xDfuh&f`spdg#cFuqV!7fKdubQT z$DmPYsE9;`w7KU++(p;`}cp1vM$lU{ud`4 zyA82((wGK7ifQ-+>|T}5IelEq^BG{oJ(6EP(oLJW!KV#c-~Pgqw4&GeayvM9xTD+< z`SnO~d;llLPDu1U;cW{PZo5thCy7M7C0_ZL#McBzQa5a?VAKmni&tcKXHS3qu{15^t{VdAUIUE+PF zLAN|z-@KI0Be9m_#u^~1UwSF8!4LN>JU43uw6inb)uS-V#j9~S5j_)r`;3C zl|$nnFmXTQy!<@v!Gl_&rc_F_%goL1ep!1K8p$)Ec`i9so#bmwgN;q>>>PWr?sUWB zWyD6HwbqngCG%2KKIQiqB

    1;T}`%&lKfE?V}u>}`_t8JwNQ$IECECZ@cec;2() z^cggt$mx&D%2qaZ1rqm^I*rB-=Z^?u_@i_L})9pL>)l%|E19MI51s(42 zX82248h-mZdY7EkV$)lTpz={XgHE~97?;0--}u@KYkK>RKs4hqUBpxhR=r42S@?-Afmdsp00 zpeJ{>;3UxJo(zqR_%&aE4#);*wfe)2B@wdWM;Qd!@=%C4a(l4!giCT;JyZ$0loBilKYBnBT&?WeiK{zcYFz)8$4FlUy%R3PSqe%C-$YyF z%ZMXPM}5*ImZGlp{%3*#3L9fHU`V|ljKfT9v2C(Z%bu!VAbg+f8=Xn#XwHt0-dLyO zN*KT2B;@>q8PE1x@Bac8I`Eb574)0Qz`#~_d;;FLf_bwepiURNz;4LYPukLqEYcB^ zr~sV@pl;-iT)))J`dh9FC;A6$C1DT*oNwW&oJN{U)OPW)`3%8P4_wy;EK$V!@sLZq zmZZvvc;)FB8xAouLQ_aB{aLMifz!0HLjs>4Ej&`g?#F9{f(UMh5>;I#j9=h#?; zup%87WTD#mKVi_WOyA(9?W(OUND$!*(O^VLHng(()%1&f1Rg`(39bp9Pq#y($2PJL zs7_g`4?i;2WDPIuo>GSjsuTei9JDs%;gx1+@HBinh{(!lE@dC^brZpx_A>-yv8pRc zH_pS1X68jT*cPP|n-E`7@2U9yr;r>N8XDHeWba~JJ{4WQ#G#7rUK@<&a6Up(L1d_V zCCAZ5v0kiy+ER)Y>Wf~j++DsfFBiOiH!7wzK_>blVFe58YnL;m3{P|F+uUm-&f84&xSha z&DIPW6IPAUn6v+V)PD~U)k*&?3;N#qZ(lLu(tpc>ail;I_J1$j4lS&BPWs+lfAP|) QW$@?xS;aGPr>@=oACeSgd;kCd literal 0 HcmV?d00001 diff --git a/Solutions/Torq/Playbooks/Torq-Sentinel-Incident-Trigger/readme.md b/Solutions/Torq/Playbooks/Torq-Sentinel-Incident-Trigger/readme.md new file mode 100644 index 00000000000..955b4b98091 --- /dev/null +++ b/Solutions/Torq/Playbooks/Torq-Sentinel-Incident-Trigger/readme.md @@ -0,0 +1,43 @@ +# Torq-Sentinel-Incident-Trigger + +## Summary + +When a new Sentinel Incident is created or updated, this playbook gets triggered and sends a notification (HTTPS POST Request) to a Microsoft Sentinel Webhook in Torq + +
+
+### Prerequisites
+
+1. Prior to the deployment of this playbook, create a new Microsoft Sentinel Trigger integration in Torq.
+2. Take note of the endpoint URL, the authentication header name, and the authentication header secret configured in the Microsoft Sentinel Trigger integration.
+
+
+### Deployment instructions
+
+1. To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
+2. Fill in the required paramteres:
+ * Playbook Name: Enter the playbook name here
+ * Torq_Webhook_Enpoint_URL: Enter the endpoint URL for the Microsoft Sentinel Trigger integration previously created in Torq.
+ * Torq_Webhook_Auth_Header_Name: Enter the authentication header name for the Microsoft Sentinel Trigger integration previously created in Torq.
+ * Torq_Webhook_Auth_Header_Secret: Enter the authentication header secret for the Microsoft Sentinel Trigger integration previously created in Torq.
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FTorq%2FPlaybooks%2FPlaybooks%2FTorq-Sentinel-Incident-Trigger%2Fazuredeploy.json) [![Deploy to Azure](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FTorq%2FPlaybooks%2FPlaybooks%2FTorq-Sentinel-Incident-Trigger%2Fazuredeploy.json)
+
+### Post-Deployment instructions
+
+1. Browse to your Microsoft Sentinel workspace > Configuration > Automation
+2. Click "+ Create" and select "Automation rule" to create a new automation rule meant to send a notification to Torq when a new Sentinel Incident is **created**.
+3. Give the automation rule a meaningful name, like "Notify Torq when new Sentinel Incident is created".
+4. From the "Trigger" drop-down menu, select **"When incident is created"**.
+5. Leve "Conditions" to its default values.
+6. From the "Actions" drop-down menu, select "Run playbook".
+7. From the playbook selection drop-down, select the playbook "Sentinel_Incident_Sync_to_Torq"
+8. Click the "Apply" button.
+9. Click "+ Create" again and select "Automation rule" to create a new automation rule meant to send a notification to Torq when an existing Sentinel Incident is **updated**.
+10. Give the automation rule a meaningful name, like "Notify Torq when a Sentinel Incident is updated".
+11. From the "Trigger" drop-down menu, select **"When incident is updated"**
+12. Leve "Conditions" to its default values.
+13. From the "Actions" drop-down menu, select "Run playbook".
+14. From the playbook selection drop-down, select the playbook "Sentinel_Incident_Sync_to_Torq"
+15. Click the "Apply" button.
+
diff --git a/Solutions/Torq/Playbooks/logo.png b/Solutions/Torq/Playbooks/logo.png new file mode 100644 index 0000000000000000000000000000000000000000..cc5d3be7328bb4453610b79ee2aafc62e53e59ee GIT binary patch literal 3449 zcmZ{ncQhQ%7RQ$;OC(x^MB7!f5)!?)Rf6a&(M4Y+646;*bXG}p!f%yW-69B^qC{tf z6L4}}cd{?^VcbYIk{RH;fk21; z$uN4+bMfJwJcZ*Fd35&rdLY_0Fc3U3IG5h06^3Y002td0hs)MbQqF2|6ltbt)xK$0HFYYe`=cWOl_oK`n0g?r95I8 z+up&RxrN1V0qlgI_LLt?+Z>GZj)fzO(I7F8%WV(xl9hV;uPGi2tvt1>VQ^XN#t@mc zNxjUf$>QWm3G{-(M3v1PtD+4i)HARH`MK(z7=^TRtIkBnd^`ceJsMo0BBs3IzChw8 z8-60cCpYus^OjWaq;3+ngDS;Oz15DpoU?#lvPo73QOT{jR>Nzx!ZfS5ln|(b$M6PHWf(}l=q zfld{23sTqOVL|!n@yx#hx(^GT9m>WMx4bW+Ou%4X6e8socq@|)JzPeHhVxzxNNWir zFl0GLPr}=@5Zd}w5O9+4Ar)Ma1P+V4_K5jwWQ4oC9?Pl__2KCFtdhD06+GhU+++}H zw&^-Ec&qf4!uHzx53fB%X?te&th>pFw`NbJJa+8e%~QjiLVM}Khz@$@SB)w=X!B&1 zi`+Ezt;V5ug!X}Ht*7SMDb>dD8l8#A?V*t4MrZNH+HYOiF91UApVregWkVk_%`X`Q zrBoQHMkBXP4#dX4!C8jfxLLca9{lhvsns9%j?5TBlO!N(8nd^UP6~P8WmW z44x_+F*0mqTQjF=9ef`rITsLD1aLIjecqw9JpxyP5>;lm`c`~t53@-@DCq}ok!jjT zJp+n9wboggoFj8&K)5egtL;n5F7Fp#ZQT!5+S^JBxr@^j!jKH3q-H#HMmzBg2E>7Z z-S0$K?}2628z7V_MqM~**L_>B^rEk{U00O^nxo^Sr&{=Mo|4G$01$pt zJ96y#@9*W5i@74`$U9+{&nC8;-(-jm1~g?xQ}>s81r83%=b`#(;{c4pa9`)7 zkH{EMv99{0E|%H6WbfASgOSV)M^SE?O+H1)acW*dA$>+IS5{)N&B5P83oX9;1@t)M zWsf&Go>wLJ7x9ir%BNT|f06psez`8S_4rJEar)Lr>6v-hYBiIzap){hi1dK-{>O;O z?j+tuGSK(PoE;%f|m|OG>up~g5ES}SS4PCQbTk6Y;*Xm z6Cu{cdhB`CGOa5`)N69PGbR4x1W@F1I1*~x8nYixj`VW8gH1qPK<2uPQIKUb zzB$>FO4k1ZA9vpS?g+f&7n19CnqZ-%mXn+{Zfe?QY)^NZy#@&#tdBIrowUCdFk*sG zuxE9rGS6ThD8{m9sh^3XrF&24I}vP*hA1bOs@bfq&QkfNdjkqO{hO7zlRK{@Q$xz& zyVz?d3K8#8K9k~a8KcykkL#vd(fZq&(sms+{(Ux_`3c~i5rkG5gkVoa3}KP_^!k_N zk8Px)r(1o?I~rK=MzV(5VaI7@$SWV!LUIa0)L3l7Z`3o3_LK}@r}k4V9uteBT2hNa zm6`mN51?r8`*z~yG8MQ*p3r{%VbN|sO9}`JE~eeySOL#u{MR&W%>YHV(q3{r=89lj z^mBEMlW^OS%4kzubY`QpVui}oZeCP!1z9y8jU5e{D|6*rO}skURM(~z*pGbs11YHj z-|D8GxHNWZW;qgVqTvl;-wWReLmsMBn&^3i!_87%GP>^;H!u!fUv}HR0yTGfV{PKn z>=WC-=;Z)WZ|?QED{?|C9JFg7KtZVbg(6|6h}AfoK~^sy1PCwsdOM4Z 
z_kubMS>X?aZ0iS6sucsES{fu8H~v#5>Wu(h!j7bLxTm}C9sJl{>+{?50f28m+@S0^ z+BF448Qb<*YBbJaS6b5obfSf*fpFSN!MVzvjnLP2zdDPZ>PFQ_z+2%gD_s+T1G9Jg zJKx{z{`xBd={wxmm3x2?Bqk^EwuNhUNdbhKWkkbFEFM87Wfp-@DTA7@XbrnsYfhn$dJTevXrkTH_Gb+AW1&4`%@-5u(iZ#CAF#h{TkT) zdFl#WR`xkgMB6pjtlXY*r`#$C0ImYrrU;a4*~9*-tEe`NgH>^w+M<^hKooSiJ9%oA zT0PNIF2%Rm^RT*C^)5=4EtsRkZeOZaYB3Y-28+QNS`A}z6Hb+XLDR8LRry{_bhzIl zXNC=DOLRK{-+Y#d*Pb?&{4M6tB@RymH4lEtDeBJ|<7It6OYLR|S59F*Us2^sNy5Sn zZih~tVQzls`IKka=_P?>>|HO0Z+w!&m|o;rOZJQ{AgMHjLrVkvz>ye46Zys&B8{^X0inBBKc>N&Sdg6~v6Cp({!%1xXl ze#6nNVVL*{T3n=Ma1X}p&YD^%Sdt1y|B|EG7>Q%%wFwq#TQqDW=-zF+oKeS@{h(=V zY|EG0ML)s#4pTZ!bDenH&1Dk_jXvI4yB6Iq5&6(h?A3gb6JU=4r+1}Ug}d0ZC6cEE zl(XzGND~$>)_l+A$5+9a;75CuG@2TY%{B#yd)Y;dx)F!=^Oj9aieWTSn2*j?9Y0N& z#x=tf9bURn^;3xg0)T6jgyT$|{(%?mvueM@Pt{7^YGn=pP|UbTuO>|=I+YjunO6=;!f?1I3DWegn4p{(<>hyjn>l5Hb9}Cg1L`qDOYw-ALO7Pfr5{tKB z|3YJQTcygyN=@m4YF9yH)>IrV4+HL{pU6~DWIE5%)xixxUBSL-oB2IcP(E@BaZ(#b z(?ac5v9CzBT6{KcF2qc(^AXxgl{Mw7=o}z>!T1s{6T~TZUnsRWzjXQYO zK}AAH&ax4E?Z6ZBjRzLPfG$37%>JA+y_@R~vtYmwI($ZgpEaXAeRUZpokL`+p;q%0 z?%OLMl~A_dM;dKE@k@PY-W;Qfgwz!`#bXXQY?GPm=2#SotAT;-ZO8SPC=6>i)A2@e zdrH=Yu-*ex@lGbF`Qrm|$G`Hs1zwQwqR0-wBvob_Fmm%}35S8*?Uc! zqt?TB7%#J&=^nXO=_V{k`=`2t#XbhsoU^J7Of2?q&<^_kcH+0~m6bfb+1hXGx96Mo zehZxr#0DUGO!2Zj=7>F^E5frvw$^GnnJhP2Hgb>z#!5bqH^1ANCU%oa+vaW;PKT+o zjFi>re%c-$m+Y82UM(9LTw#mhLV-}LwWMv==MK~qxN=+9`BAZbkNECH@G`yuRG$dE z{NkxiL<%A#{1X8Fsp*LH^EV{?(SNhWKlLA;_}l(}nB&h9e}_RTUNYMP2+Ge}1KG7N QiQxg7YPzb`P}_)q0mm|KLjV8( literal 0 HcmV?d00001 diff --git a/Solutions/Torq/ReleaseNotes.md b/Solutions/Torq/ReleaseNotes.md new file mode 100644 index 00000000000..3ca4764b9eb --- /dev/null +++ b/Solutions/Torq/ReleaseNotes.md @@ -0,0 +1,4 @@ +| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | +|-------------|--------------------------------|--------------------------------------------------------------------| +| 1.0.0 | 06-11-2023 | New **Playbook** Torq_Sentinel_Incident_Trigger | + 
diff --git a/Solutions/Torq/SolutionMetadata.json b/Solutions/Torq/SolutionMetadata.json new file mode 100644 index 00000000000..a1e4c6151f0 --- /dev/null +++ b/Solutions/Torq/SolutionMetadata.json @@ -0,0 +1,15 @@ +{ + "publisherId": "azuresentinel", + "offerId": "azure-sentinel-solution-torq", + "firstPublishDate": "2024-11-06", + "providers": ["Torq"], + "categories": { + "domains" : ["Application"] + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } +} \ No newline at end of file From a097fc60dfc6110da7a90927713425a5bee06f9f Mon Sep 17 00:00:00 2001 From: PrasadBoke Date: Tue, 19 Nov 2024 11:43:42 +0530 Subject: [PATCH 02/10] Update Torq.svg --- Logos/Torq.svg | 18 ++++++++---------- 1 file changed, 8 insertions(+), 10 deletions(-) diff --git a/Logos/Torq.svg b/Logos/Torq.svg index 8d3e5cc77c4..e0383fc1e44 100644 --- a/Logos/Torq.svg +++ b/Logos/Torq.svg @@ -1,22 +1,20 @@ - - - - - - + + + - - + - + From 78b58013eefa49975106df46ef89c80def683af8 Mon Sep 17 00:00:00 2001 From: Alberto Cita <100130623+acitatorq@users.noreply.github.com> Date: Tue, 19 Nov 2024 20:46:51 +0100 Subject: [PATCH 03/10] Updating PR #11383 as per the comments received --- Logos/Torq.svg | 18 ++++++++------- Solutions/Torq/Data/Solution_Torq.json | 16 ++++++++++++++ Solutions/Torq/Data/parameters.json | 0 .../azuredeploy.json | 22 +++++++++++++++++-- .../Torq-Sentinel-Incident-Trigger/readme.md | 10 ++++----- Solutions/Torq/SolutionMetadata.json | 14 ++++++------ 6 files changed, 58 insertions(+), 22 deletions(-) create mode 100644 Solutions/Torq/Data/Solution_Torq.json create mode 100644 Solutions/Torq/Data/parameters.json diff --git a/Logos/Torq.svg b/Logos/Torq.svg index e0383fc1e44..8d3e5cc77c4 100644 --- a/Logos/Torq.svg +++ b/Logos/Torq.svg @@ -1,20 +1,22 @@ - - - - + + + + + - - + - + 
diff --git a/Solutions/Torq/Data/Solution_Torq.json b/Solutions/Torq/Data/Solution_Torq.json
new file mode 100644
index 00000000000..956ee3e45e0
--- /dev/null
+++ b/Solutions/Torq/Data/Solution_Torq.json
@@ -0,0 +1,16 @@
+{
+ "Name": "Torq",
+ "Author": "Torq - support@torq.io",
+ "Logo": "",
+ "Description": "[Torq](https://www.recordedfuture.com/) is the AI-Driven Hyperautomation Platform that helps security teams automate more, faster",
+ "Analytic Rules": [],
+ "Playbooks": [
+ "Playbooks/Torq-Sentinel-Incident-Trigger/azuredeploy.json"
+ ],
+ "Workbooks": [],
+ "BasePath": "Users\\acitatorq\\git\\github\\Azure-Sentinel\\Solutions\\Torq",
+ "Version": "1.0.0",
+ "Metadata": "SolutionMetadata.json",
+ "TemplateSpec": true,
+ "Is1Pconnector": false
+ }
\ No newline at end of file
diff --git a/Solutions/Torq/Data/parameters.json b/Solutions/Torq/Data/parameters.json
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/Solutions/Torq/Playbooks/Torq-Sentinel-Incident-Trigger/azuredeploy.json b/Solutions/Torq/Playbooks/Torq-Sentinel-Incident-Trigger/azuredeploy.json
index d00118e292d..5956c73c22d 100644
--- a/Solutions/Torq/Playbooks/Torq-Sentinel-Incident-Trigger/azuredeploy.json
+++ b/Solutions/Torq/Playbooks/Torq-Sentinel-Incident-Trigger/azuredeploy.json
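Review bot: The `Description` link `[Torq](https://www.recordedfuture.com/)` points at Recorded Future's domain, not Torq's, and this manifest string is the text the packaging tool copies into the Content Hub / createUiDefinition description that customers read before installing, so a vendor solution sending users to an unrelated third party's site is a trust problem as well as a copy-paste error. Change it to the canonical Torq URL, e.g. `"Description": "[Torq](https://torq.io/) is the AI-Driven Hyperautomation Platform that helps security teams automate more, faster",`, and regenerate the Package/ artifacts so the generated copies pick it up. `BasePath` is a developer-local path (`Users\\acitatorq\\git\\github\\...`); if the packager only reads it at generation time this is harmless, but it is worth confirming nobody else running the tool depends on it.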
@@ -5,10 +5,28 @@
 "title": "Notify Sentinel Incident Creation and Update to Torq Webhook",
 "description": "Sends an HTTPS request to a webhook trigger in Torq everytime a new Incident is created or updated in Sentinel",
 "documentation": "https://kb.torq.io/en/articles/9024676-configure-microsoft-sentinel-and-torq-to-trigger-torq-workflows-on-incident-creation-and-update",
- "lastUpdateTime": "2024-11-06T00:00:00.000Z",
+ "prerequisites": [
+ "Prior to the deployment of this playbook, create a new Microsoft Sentinel Trigger integration in Torq",
+ "Take note of the endpoint URL, the authentication header name, and the authentication header secret configured in the Microsoft Sentinel Trigger integration"
+ ],
+ "postDeployment": [
+ "After deployment browse to your Microsoft Sentinel workspace > Configuration > Automation, Click Create and select Automation rule to create a new automation rule meant to send a notification to Torq when a new Sentinel Incident is created.",
+ "Give the automation rule a meaningful name",
+ "From the Trigger drop-down menu, select When incident is created or updated",
+ "From the Actions drop-down menu, select Run playbook",
+ "From the playbook selection drop-down, select the playbook Sentinel_Incident_Sync_to_Torq and click the Apply button"
+ ],
+ "lastUpdateTime": "2024-11-19T00:00:00.000Z",
 "author": {
 "name": "Torq"
- }
+ },
+ "releaseNotes": [
+ {
+ "version": "1.0",
+ "title": "Torq Sentinel Incident Trigger",
+ "notes": [ "Initial version" ]
+ }
+ ]
 },
 "parameters": {
 "PlaybookName": {
diff --git a/Solutions/Torq/Playbooks/Torq-Sentinel-Incident-Trigger/readme.md b/Solutions/Torq/Playbooks/Torq-Sentinel-Incident-Trigger/readme.md
index 955b4b98091..55ff9f9e548 100644
--- a/Solutions/Torq/Playbooks/Torq-Sentinel-Incident-Trigger/readme.md
+++ b/Solutions/Torq/Playbooks/Torq-Sentinel-Incident-Trigger/readme.md
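Review bot: The `prerequisites` added here tell the operator to collect the Torq webhook auth-header secret, but the `parameters` block this hunk opens (it continues past the hunk) takes that value as a plain string with a committed default — the packaged copy in mainTemplate.json later in this series shows `Torq_Webhook_Auth_Header_Secret` as `"type": "String"` with `"defaultValue": "secr3tP@ssw0rd"`, and `Torq_Webhook_Enpoint_URL` defaulting to a specific `https://hooks.torq.io/v1/webhooks/<uuid>` endpoint. A plain-string parameter is stored and echoed in deployment history and `az deployment group show` output, so declare the secret as `"type": "securestring"` with no `defaultValue`, and give the webhook URL an empty default too, since the per-tenant URL is itself a capability that should not ship in a public template. Separately, the `postDeployment` step `select When incident is created or updated` does not match the readme in this PR, which creates two automation rules with separate `When incident is created` and `When incident is updated` triggers; as far as I know Sentinel offers no combined trigger, so the text should describe both rules.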
@@ -2,7 +2,7 @@ ## Summary -When a new Sentinel Incident is created or updated, this playbook gets triggered and sends a notification (HTTPS POST Request) to a Microsoft Sentinel Webhook in Torq +When a new Sentinel Incident is created or updated, this playbook gets triggered and sends a notification (HTTPS POST Request) to a Microsoft Sentinel Webhook in Torq.
    @@ -15,13 +15,13 @@ When a new Sentinel Incident is created or updated, this playbook gets triggered ### Deployment instructions 1. To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard. -2. Fill in the required paramteres: +2. Fill in the required paramters: * Playbook Name: Enter the playbook name here * Torq_Webhook_Enpoint_URL: Enter the endpoint URL for the Microsoft Sentinel Trigger integration previously created in Torq. * Torq_Webhook_Auth_Header_Name: Enter the authentication header name for the Microsoft Sentinel Trigger integration previously created in Torq. * Torq_Webhook_Auth_Header_Secret: Enter the authentication header secret for the Microsoft Sentinel Trigger integration previously created in Torq. -[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FTorq%2FPlaybooks%2FPlaybooks%2FTorq-Sentinel-Incident-Trigger%2Fazuredeploy.json) [![Deploy to Azure](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FTorq%2FPlaybooks%2FPlaybooks%2FTorq-Sentinel-Incident-Trigger%2Fazuredeploy.json) +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FTorq%2FPlaybooks%2FPlaybooks%2FTorq-Sentinel-Incident-Trigger%2Fazuredeploy.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FTorq%2FPlaybooks%2FPlaybooks%2FTorq-Sentinel-Incident-Trigger%2Fazuredeploy.json) ### Post-Deployment instructions 
@@ -29,14 +29,14 @@ When a new Sentinel Incident is created or updated, this playbook gets triggered 2. Click "+ Create" and select "Automation rule" to create a new automation rule meant to send a notification to Torq when a new Sentinel Incident is **created**. 3. Give the automation rule a meaningful name, like "Notify Torq when new Sentinel Incident is created". 4. From the "Trigger" drop-down menu, select **"When incident is created"**. -5. Leve "Conditions" to its default values. +5. Leave "Conditions" to its default values. 6. From the "Actions" drop-down menu, select "Run playbook". 7. From the playbook selection drop-down, select the playbook "Sentinel_Incident_Sync_to_Torq" 8. Click the "Apply" button. 9. Click "+ Create" again and select "Automation rule" to create a new automation rule meant to send a notification to Torq when an existing Sentinel Incident is **updated**. 10. Give the automation rule a meaningful name, like "Notify Torq when a Sentinel Incident is updated". 11. From the "Trigger" drop-down menu, select **"When incident is updated"** -12. Leve "Conditions" to its default values. +12. Leave "Conditions" to its default values. 13. From the "Actions" drop-down menu, select "Run playbook". 14. From the playbook selection drop-down, select the playbook "Sentinel_Incident_Sync_to_Torq" 15. Click the "Apply" button. diff --git a/Solutions/Torq/SolutionMetadata.json b/Solutions/Torq/SolutionMetadata.json index a1e4c6151f0..62d26f325cc 100644 --- a/Solutions/Torq/SolutionMetadata.json +++ b/Solutions/Torq/SolutionMetadata.json 
@@ -1,15 +1,15 @@ { - "publisherId": "azuresentinel", - "offerId": "azure-sentinel-solution-torq", - "firstPublishDate": "2024-11-06", + "publisherId": "torq", + "offerId": "torq_sentinel_solution", + "firstPublishDate": "2024-11-19", "providers": ["Torq"], "categories": { "domains" : ["Application"] }, "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" + "name": "Torq Support Team", + "email": "support@torq.io", + "tier": "Partner", + "link": "https://support.torq.io" } } \ No newline at end of file From 60649a344aa4418cd1a4a3653e3966103b3ed5c4 Mon Sep 17 00:00:00 2001 From: Alberto Cita <100130623+acitatorq@users.noreply.github.com> Date: Wed, 20 Nov 2024 19:08:07 +0100 Subject: [PATCH 04/10] Correcting logo and json file validation errors --- Logos/Torq.svg | 3 +-- Solutions/Torq/Data/parameters.json | 0 2 files changed, 1 insertion(+), 2 deletions(-) delete mode 100644 Solutions/Torq/Data/parameters.json diff --git a/Logos/Torq.svg b/Logos/Torq.svg index 8d3e5cc77c4..cbfaba88df5 100644 --- a/Logos/Torq.svg +++ b/Logos/Torq.svg @@ -1,7 +1,6 @@ - + - + - + - - + + - + From 90f7aba981e5c8f3941cac5343d4e7659268b8f1 Mon Sep 17 00:00:00 2001 From: Alberto Cita <100130623+acitatorq@users.noreply.github.com> Date: Wed, 20 Nov 2024 22:18:55 +0100 Subject: [PATCH 08/10] continued fixing id in raw logo file --- Logos/Torq.svg | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/Logos/Torq.svg b/Logos/Torq.svg index 5694ddc01d1..1a091ae4d10 100644 --- a/Logos/Torq.svg +++ b/Logos/Torq.svg 
@@ -2,14 +2,14 @@ - - + - - + ", - "Description": "[Torq](https://www.recordedfuture.com/) is the AI-Driven Hyperautomation Platform that helps security teams automate more, faster", + "Description": "[Torq](https://www.recordedfuture.com/) is the AI-Driven Hyperautomation Platform that helps security teams automate more faster", "Analytic Rules": [], "Playbooks": [ "Playbooks/Torq-Sentinel-Incident-Trigger/azuredeploy.json" ], "Workbooks": [], "BasePath": "Users\\acitatorq\\git\\github\\Azure-Sentinel\\Solutions\\Torq", - "Version": "1.0.0", + "Version": "3.0.0", "Metadata": "SolutionMetadata.json", "TemplateSpec": true, "Is1Pconnector": false 
diff --git a/Solutions/Torq/Package/3.0.0.zip b/Solutions/Torq/Package/3.0.0.zip new file mode 100644 index 0000000000000000000000000000000000000000..6f5160c8517d1616d0b76e0c7b361fef6725b87a GIT binary patch literal 5354 zcmZ{oRa6uXx5bCI=t`U@G=?=t#$0> zt!?aG>^<#WUAP^ft}cxbXV+gs#7~lD&mpInKM9@Kxp(e7KjKOIsOg;Hq}>k2X{ve&vi&nt^A&AUgZ_KMar{V1-SKMmNrI+ z;PmaY4*O0nCCIp-J=M+=%LB_#RDEg1ap~3Y2z*e5*3&Uv)|=CI6QYdt^3T_F*eiXL zF}i3{gFtX$L-r|4oD8Q9(nMXwS3+=+m7GX}Tfznz1=fEAbWJIZF7P>V^ZVb3_Vy`n zN9*}u`Ld21o+Tbo5s`5ds3J07fSAvb-Y`D6a%}J7*C2}JjF)uT+`kU(I&l_zi?_=J z^JWT)@HJeFSQkz%sfiQ_`TMQ%lh-2*ILIbb0~z3LS03F$%uVcNk7uwAG|6Jd#Zu?o zT+R#YK+ntaIyVo`e(qOpXsU9k8TtcGxSSfAW%0vHP8iX%-SRG+X-OaUkZk&zRBz%u zA0Ky34@bAFeMTrC>c3xW?byuA>nr#QbC#oI{H$`c)(J4LoMFeW^Htq>xtv=P>|zrT zOJ6_WTqPtzHki_B92nazkY9Qv7)brb80U*V3c>@OTH)OYapYS`RlVBGawm`iieDpR zkl3%xiPzJ_>~wNjDNP{{RN0>3%#N%aM|UidkF^SvzV@H!rWkZqzir$SG{HQ5L6=R3eI-d*K z1l1UGIp@;{w!ZhTC~#M3&Y&wcy1P7$3QPMgohlltQh6+IL;_t`;my6SW)GVjEpM6% zue4s>&!=n+NT;!g#{s=t%?MR8>n*6I_i%c9U6yj1(3FD}U2!!qJ?<59rA} zUa!yPFJrVu8OeqNt+1azMP8G!>*!~EW8*C-jcvXY;b*8Ws~us zs)A`Ayhf*G%Va^sj2lPU0Vgq{rG&;-`Y@8--n3$cb&dt+4pCfaLaMYG%uK8Hc?cx& zf*NUQTYoQ|1k5lF+nw6^WVM0bP+A{#O+wF-n`NimpPWAw$@6Mj%OuKP;-eY^gOp?r z{j;D%prAbLM#tw|{RPNWuUjD1x`jW>Q76kX^8~EYi3;AhpHWv92dDN^f%gy#F!wK* zMEQ)0v3&9Q@d-)bvbND8EF2<|9Vyvfy?BAqjK}_vTY@w_4@h?$Wg%`tVGMntc`l&O z-A!qOOm{4P`8Szj8&(D{OF6fCVbw{^`6iCzB7deeT!x~s_{c)o?5v}NYfZOX1iSDkI7o876d3f}xv7=X%NOaLn9;bJl*kAXEk-EJh zQvW~nAkPo*+#~=1a-;zOlE3tDHn(@twsv-N`pc02=Ej2I%uXz&x>IuVQ^qG(GFxtfHIzI8;QF401Cu_v$Za{;<*|F)M&mIK?t4Cg?(y znPCEbcen1sPY**s)l0$u_`lQdLpaeX0@c8;K9yotezeV_ zTrM7=WGvs8&OJ)5pDg81 z98+$U#H6c?)8I@A=#ClbnQEo6*Q0&%@v!6Co{E+CXpT6ah$<28eh3Q%Zg9j&I+Oa3 zX-akH*j$hyDwJzv!}E!?Jg`)_?drbvt!A+Z$T&bA?h2mr$q8iV!QOMOI*A|452#fM zDa7}?hE(i{aWsWu;7ueQAbdYFV?DhHUMi+s8wwL8VdCd~BHVJ3{ezRo&CSe}x-@y0 z#ENBvX!L_jHO#_H+u$kFDtgjV3gJP@`%^`g?@u(kp!rB>A$to!v^#54nt4vqTMf>V z)(iHtU6Q6xm<51n)**sU5doH}iHE|@fMu+SbaQ_-B!Kr1$zKA z5`ODA=z&5IA^QI9z)sbzMLnDFc|&h|tS}>!xGyAyGwo-1=~oh)?UfWK7lcxp@VFeZ 
z+-tOXH|38ZSS5VD@aZaEf_%_<7wnPA;hBWBg}9*vI+=zie?s@1YKkcP;^toR#zCqB z`^%p}Uziz!l?sQ!P<|xx3d?Q?_4A8{(PDPO@Zawbht2QX+_#_3@}z)p_y%KPxGRr^ z;#ZDI#mAniWfN+@M;VIbRsIUv$6#RC;0 z4>1Cj{S}~4Y131df`vUoNU4bi|B=vG+vK)DoQ`K3;hKCXo#XflDnal(?*JMU z|H)P~Lgy=GU1(&CNQS32KBVZ8+*<{lONS`%6y1Jai+`)lT2aiX0oCNtO>s9oLD)}V z`lq}>rR{bfMh-+MZrwXRh$*xF3d81&`joFHRohtq%3_p|KVf#i$=!|XpBI?hFBX(es8HQE>>A?!H`oUD# z5+1Q{8-K9KYqlIdo3rU@Ch3s9C0%sBjBAjNC@wpu@hj!`>t-As+;>J4S9V zXErg!C5^I>)%d$^hnXFbmN>=rlkc9&-_%CK?~htgKt*t$4Oq`K*2B4oWhNiNjm=0P z=f$q<`p&ObH+pB+1UySGj~VzM1a0)UG<&B*o!%7Zbs<9DG4#kf5c?cmt&AW4s7 znZdZ8Mua_EG7}fTs3X;BU*ec#AxB}KZrBqE3zaL`z%VQt-{jT8LQDtkBej$mdQov7 z4dK1xr51SDs+PAw8&nSSb|)^e)xzY45igfkIA;}hzxI2m1-jQFQd%a06L=H5kw}=b zcUf}c0dN&|fsO2E9HsM~L|tiH4s&G%3DeYQOO#61lAqD?l*#;vCD56K89VLOf&$ye zA~WQ+n;WR3X#vba@Cfi5!|!{QQ!j5l;`%ZQ${n0Adv-pGcnbR4iRd;M6!Zab_Yf;& zR1n7c8z4owXi~-K80+hWGE4j6oSOO6>Xah=;J05C25)hNjDiI#)jXjU<`iBO}O zkfYXzNz0%_rzn17Mz#6~`WOkMwAWWW4EfC`Fg z&wbqj9BN|k39m{Q$xeFkMA$C@Oei%Znj0wS5?jJzba5PwjR=9`j!Wtswo=X6eNEF( zXI^(~^Ife?W>WJIBR%U~n-R5m1YmFn+_J(|#-IRY15EG(PtzA1gUKY9b6NNl#G#fR3Hv4Yjb+}e<6@iL>% zOp``JnD&Lak9;!X&;2Czd;)Z?q<9)iBURw?)y_043Wt%Su7 zgn3+gyps49c#SZ`tkdKSLb`7_z!L6UT@xP0GGWojj9nVDoQZ+n`oNkVcQ36 zhuUwR`L147%5~fHVV_0~yUPx(?0$4|HjlTADqpouO5%VBjEfeT#jsZBeETxgAVN!U zAwj$!ECu=4#Wz1cWjb(eO)Is|m0J!9d@9W)+8$aaD-qqkUSn}>J?O{IDC^n7y+1HE zdV6`U6B%|iYSO5Zd)~75R2CO{>0=121S0-a-6fO*?rV*NUF?#_m$wtOVe;X>3a&Iv z#|kO$NT}}IqXIvK5PA;0uJfUKJ1CjHw_+oo6Fl&8Nn#}1c7Sf?H3o`-((Z-ndm!L2x>=sbrFn+gxi~g((3Q!$+L|DUCNjxnTxof92xrTD!nZm0PGsFt z(YN1G^+b-cyb5L6mhNOPB>MINR=4iW$W`JOXNTKO`_g%Ag1oP-*7z)SKO4*wfr?Nm z1eO?V*N!aiX7xUS1y*I_JozkUSw-cFe&CDuF}>9vgQ577B(CY+5r6epkDptllCM|h z)W3MnWzi)zeDr6 z42yOq*pgJ?o)bjGtTLajG_g-7;g&*(e|tP!PiLyOk0h6$-IhK)yEaP8gec{jV=o^I zpS9AZ=+R9a8|7(QPJ{vpCW>0!$#~8WB3iaDSXP*Km0dw%vxdLht|lS@077fawJ%)Q z;4k)jq2)KR$QGN-iyX(Y&ES&Vqke67Cyh<#jw8-&ZjtR2RSCFVoNWEbFa#_-Yhj)v7#g67WlRb-3IZq1WSfrQ3?9Zl`Nr8%6_*Ed16mzm-GUDw_A0{$6G_LD58&@JpDfQFy-$aOl 
zN)GtXjpE-}_`l{q^o##)^6$a&e;g$LmX-f6W~!@T{FMO!)V~}4_p1NbJAi)y%Bnp) literal 0 HcmV?d00001 diff --git a/Solutions/Torq/Package/createUiDefinition.json b/Solutions/Torq/Package/createUiDefinition.json new file mode 100644 index 00000000000..30aca97e864 --- /dev/null +++ b/Solutions/Torq/Package/createUiDefinition.json 
@@ -0,0 +1,89 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#", + "handler": "Microsoft.Azure.CreateUIDef", + "version": "0.1.2-preview", + "parameters": { + "config": { + "isWizard": false, + "basics": { + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Torq/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\n[Torq](https://www.recordedfuture.com/) is the AI-Driven Hyperautomation Platform that helps security teams automate more faster\n\n**Playbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "subscription": { + "resourceProviders": [ + "Microsoft.OperationsManagement/solutions", + "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "Microsoft.Insights/workbooks", + "Microsoft.Logic/workflows" + ] + }, + "location": { + "metadata": { + "hidden": "Hiding location, we get it from the log analytics workspace" + }, + "visible": false + }, + "resourceGroup": { + "allowExisting": true + } + } + }, + "basics": [ + { + "name": "getLAWorkspace", + "type": "Microsoft.Solutions.ArmApiControl", + "toolTip": "This filters by workspaces that exist in the Resource Group selected", + "condition": "[greater(length(resourceGroup().name),0)]", + "request": { + "method": "GET", + "path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]" + } + }, + { + "name": "workspace", + "type": "Microsoft.Common.DropDown", + "label": "Workspace", + "placeholder": "Select a workspace", + "toolTip": "This dropdown will list only workspace that exists in the Resource Group selected", + "constraints": 
{ + "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]", + "required": true + }, + "visible": true + } + ], + "steps": [ + { + "name": "playbooks", + "label": "Playbooks", + "subLabel": { + "preValidation": "Configure the playbooks", + "postValidation": "Done" + }, + "bladeTitle": "Playbooks", + "elements": [ + { + "name": "playbooks-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This solution installs the Playbook templates to help implement your Security Orchestration, Automation and Response (SOAR) operations. After installing the solution, these will be deployed under Playbook Templates in the Automation blade in Microsoft Sentinel. They can be configured and managed from the Manage solution view in Content Hub." + } + }, + { + "name": "playbooks-link", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-respond-threats-playbook?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef" + } + } + } + ] + } + ], + "outputs": { + "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]", + "location": "[location()]", + "workspace": "[basics('workspace')]" + } + } +} diff --git a/Solutions/Torq/Package/mainTemplate.json b/Solutions/Torq/Package/mainTemplate.json new file mode 100644 index 00000000000..21be638114c --- /dev/null +++ b/Solutions/Torq/Package/mainTemplate.json 
@@ -0,0 +1,343 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "author": "Torq - support@torq.io", + "comments": "Solution template for Torq" + }, + "parameters": { + "location": { + "type": "string", + "minLength": 1, + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace" + } + }, + "workspace-location": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" + } + }, + "workspace": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" + } + } + }, + "variables": { + "email": "support@torq.io", + "_email": "[variables('email')]", + "_solutionName": "Torq", + "_solutionVersion": "3.0.0", + "solutionId": "torq.torq_sentinel_solution", + "_solutionId": "[variables('solutionId')]", + "Torq-Sentinel-Incident-Trigger": "Torq-Sentinel-Incident-Trigger", + "_Torq-Sentinel-Incident-Trigger": "[variables('Torq-Sentinel-Incident-Trigger')]", + "TemplateEmptyArray": "[json('[]')]", + "playbookVersion1": "1.0", + "playbookContentId1": "Torq-Sentinel-Incident-Trigger", + "_playbookContentId1": "[variables('playbookContentId1')]", + "playbookId1": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId1'))]", + "playbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId1'))))]", + "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", + "_playbookcontentProductId1": 
"[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId1'),'-', variables('playbookVersion1'))))]", + "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName1')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Sentinel_Incident_Sync_to_Torq Playbook with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion1')]", + "parameters": { + "PlaybookName": { + "defaultValue": "Sentinel_Incident_Sync_to_Torq", + "type": "String" + }, + "Torq_Webhook_Enpoint_URL": { + "defaultValue": "https://hooks.torq.io/v1/webhooks/125a9209-9ed6-4216-b5cd-10567f2164f5", + "type": "String" + }, + "Torq_Webhook_Auth_Header_Name": { + "defaultValue": "X-Torq-Auth", + "type": "String" + }, + "Torq_Webhook_Auth_Header_Secret": { + "defaultValue": "secr3tP@ssw0rd", + "type": "String" + } + }, + "variables": { + "AzureSentinelConnectionName": "[[concat('azuresentinel-', parameters('PlaybookName'))]", + "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", + "_connection-1": "[[variables('connection-1')]", + "workspace-location-inline": 
"[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('AzureSentinelConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('AzureSentinelConnectionName')]", + "parameterValueType": "Alternative", + "api": { + "id": "[[variables('_connection-1')]" + } + } + }, + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2017-07-01", + "name": "[[parameters('PlaybookName')]", + "location": "[[variables('workspace-location-inline')]", + "identity": { + "type": "SystemAssigned" + }, + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]" + ], + "properties": { + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Torq_Webhook_Enpoint_URL": { + "defaultValue": "[[parameters('Torq_Webhook_Enpoint_URL')]", + "type": "String" + }, + "Torq_Webhook_Auth_Header_Name": { + "defaultValue": "[[parameters('Torq_Webhook_Auth_Header_Name')]", + "type": "String" + }, + "Torq_Webhook_Auth_Header_Secret": { + "defaultValue": "[[parameters('Torq_Webhook_Auth_Header_Secret')]", + "type": "String" + }, + "$connections": { + "type": "Object" + } + }, + "staticResults": { + "HTTP0": { + "status": "Succeeded", + "outputs": { + "statusCode": "OK" + } + } + }, + "triggers": { + "Microsoft_Sentinel_incident": { + "type": "ApiConnectionWebhook", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "path": 
"/incident-creation" + }, + "conditions": "[variables('TemplateEmptyArray')]", + "runtimeConfiguration": { + "concurrency": { + "runs": 10, + "maximumWaitingRuns": 50 + } + } + } + }, + "actions": { + "Send_Notification_to_Torq": { + "limit": { + "timeout": "PT30S" + }, + "type": "Http", + "inputs": { + "uri": "@parameters('Torq_Webhook_Enpoint_URL')", + "method": "POST", + "headers": { + "@{parameters('Torq_Webhook_Auth_Header_Name')}": "@{parameters('Torq_Webhook_Auth_Header_Secret')}" + }, + "body": "@triggerBody()" + }, + "operationOptions": "DisableAsyncPattern" + }, + "Terminate_Success": { + "runAfter": { + "Send_Notification_to_Torq": [ + "Succeeded" + ] + }, + "type": "Terminate", + "inputs": { + "runStatus": "Succeeded" + } + } + } + }, + "parameters": { + "$connections": { + "value": { + "azuresentinel": { + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", + "connectionName": "[[variables('AzureSentinelConnectionName')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + } + } + } + } + }, + "tags": { + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId1'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId1')]", + "contentId": "[variables('_playbookContentId1')]", + "kind": "Playbook", + "version": "[variables('playbookVersion1')]", + "source": { + "kind": "Solution", + "name": "Torq", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Torq", + "email": "[variables('_email')]" + 
}, + "support": { + "name": "Torq Support Team", + "email": "support@torq.io", + "tier": "Partner", + "link": "https://support.torq.io" + } + } + } + ], + "metadata": { + "title": "Notify Sentinel Incident Creation and Update to Torq Webhook", + "description": "Sends an HTTPS request to a webhook trigger in Torq everytime a new Incident is created or updated in Sentinel", + "documentation": "https://kb.torq.io/en/articles/9024676-configure-microsoft-sentinel-and-torq-to-trigger-torq-workflows-on-incident-creation-and-update", + "prerequisites": [ + "Prior to the deployment of this playbook, create a new Microsoft Sentinel Trigger integration in Torq", + "Take note of the endpoint URL, the authentication header name, and the authentication header secret configured in the Microsoft Sentinel Trigger integration" + ], + "postDeployment": [ + "After deployment browse to your Microsoft Sentinel workspace > Configuration > Automation, Click Create and select Automation rule to create a new automation rule meant to send a notification to Torq when a new Sentinel Incident is created.", + "Give the automation rule a meaningful name", + "From the Trigger drop-down menu, select When incident is created or updated", + "From the Actions drop-down menu, select Run playbook", + "From the playbook selection drop-down, select the playbook Sentinel_Incident_Sync_to_Torq and click the Apply button" + ], + "lastUpdateTime": "2024-11-19T00:00:00Z", + "releaseNotes": [ + { + "version": "1.0", + "title": "Torq Sentinel Incident Trigger", + "notes": [ + "Initial version" + ] + } + ] + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId1')]", + "contentKind": "Playbook", + "displayName": "Sentinel_Incident_Sync_to_Torq", + "contentProductId": 
"[variables('_playbookcontentProductId1')]", + "id": "[variables('_playbookcontentProductId1')]", + "version": "[variables('playbookVersion1')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", + "apiVersion": "2023-04-01-preview", + "location": "[parameters('workspace-location')]", + "properties": { + "version": "3.0.0", + "kind": "Solution", + "contentSchemaVersion": "3.0.0", + "displayName": "Torq", + "publisherDisplayName": "Torq Support Team", + "descriptionHtml": "

    Note: Please refer to the following before installing the solution:

    \n

    • Review the solution Release Notes

    \n

    • There may be known issues pertaining to this Solution, please refer to them before installing.

    \n

    Torq is the AI-Driven Hyperautomation Platform that helps security teams automate more faster

    \n

    Playbooks: 1

    \n

    Learn more about Microsoft Sentinel | Learn more about Solutions

    \n", + "contentKind": "Solution", + "contentProductId": "[variables('_solutioncontentProductId')]", + "id": "[variables('_solutioncontentProductId')]", + "icon": "", + "contentId": "[variables('_solutionId')]", + "parentId": "[variables('_solutionId')]", + "source": { + "kind": "Solution", + "name": "Torq", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Torq", + "email": "[variables('_email')]" + }, + "support": { + "name": "Torq Support Team", + "email": "support@torq.io", + "tier": "Partner", + "link": "https://support.torq.io" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "kind": "Playbook", + "contentId": "[variables('_Torq-Sentinel-Incident-Trigger')]", + "version": "[variables('playbookVersion1')]" + } + ] + }, + "firstPublishDate": "2024-11-19", + "providers": [ + "Torq" + ], + "categories": { + "domains": [ + "Application" + ] + } + }, + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]" + } + ], + "outputs": {} +} diff --git a/Solutions/Torq/Package/testParameters.json b/Solutions/Torq/Package/testParameters.json new file mode 100644 index 00000000000..e55ec41a9ac --- /dev/null +++ b/Solutions/Torq/Package/testParameters.json @@ -0,0 +1,24 @@ +{ + "location": { + "type": "string", + "minLength": 1, + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace" + } + }, + "workspace-location": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" + } + }, + "workspace": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" + } + } +} 
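Review bot: `Torq_Webhook_Auth_Header_Secret` is declared as `"type": "String"` with a hard-coded default of `secr3tP@ssw0rd`, both in the embedded ARM `parameters` block and in the workflow definition's `parameters`, so the shared secret is presented in clear text at deployment time, retained in the deployment history, and recorded with the `Send_Notification_to_Torq` action's inputs in every run. Change both declarations to `"type": "SecureString"` with no `defaultValue`, and add `"runtimeConfiguration": { "secureData": { "properties": [ "inputs" ] } }` to that HTTP action so the header value is redacted from run history. The default for `Torq_Webhook_Enpoint_URL` embeds a concrete webhook id (`125a9209-…`) and should likewise become a required parameter without a default, since any deployment that keeps it would post incident data to that one endpoint; the `Enpoint` misspelling in the parameter name is worth fixing before the first release, as renaming later breaks existing deployments. This Package file is generated, so the change belongs in `Solutions/Torq/Playbooks/Torq-Sentinel-Incident-Trigger/azuredeploy.json` followed by repackaging; `staticResults.HTTP0` is also declared but not referenced by any action and can be dropped.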
diff --git a/Solutions/Torq/ReleaseNotes.md b/Solutions/Torq/ReleaseNotes.md index 3ca4764b9eb..3f82c05deba 100644 --- a/Solutions/Torq/ReleaseNotes.md +++ b/Solutions/Torq/ReleaseNotes.md @@ -1,4 +1,4 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|--------------------------------------------------------------------| -| 1.0.0 | 06-11-2023 | New **Playbook** Torq_Sentinel_Incident_Trigger | +| 3.0.0 | 21-11-2023 | Initial Solution Release | From 36f8ea8f9d351debe6e9ba7748fb1701029181db Mon Sep 17 00:00:00 2001 From: PrasadBoke Date: Thu, 21 Nov 2024 14:48:42 +0530 Subject: [PATCH 10/10] Solution packaged --- Solutions/Torq/Package/3.0.0.zip | Bin 5354 -> 5355 bytes Solutions/Torq/Package/mainTemplate.json | 2 +- .../azuredeploy.json | 2 +- 3 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/Solutions/Torq/Package/3.0.0.zip b/Solutions/Torq/Package/3.0.0.zip index 6f5160c8517d1616d0b76e0c7b361fef6725b87a..46b0eafb58afb9b89a67b9a6bdd1f2a00513b540 100644 GIT binary patch delta 1230 zcmV;<1Tp*SDeEZ=P)h>@6aWAK2mt$au?##068m*^S!f7TpyUkz0H{C!01*I_!4wm- zZ3c=7f9n04b-t1y6NPJY_n`HEJ2%(-I3B^)kpQf3^kjVU@X_N(UXY)>v1cv`J#$YC zdhx_$_{+xM%=D$pYSh zigd6UnuRZg|a1C*`LIfea`2ET=9>0-nr zOmv1y6&iSk<7%>&4+HcfBEhZlCM@-!TBxlth-Q&osnLX& ze-k>I<9vSIqYDojI(GO6xZc!zR9e`VOGD{rkwtPl9h3i}o8a~Kgpkm^FxkW~InD-J z=nsNF((2M})Xx=^Z=w#hDdPZbWb~M#o4ufDh?NHJ=nNCv8pwT?T&8KX6~9X0yKPh8 zCKX(-Am-&r?x8oCc#|hr89S z^~!xV2kS=G!+L`cZt!hvgS~4rt+sQ=9u``$pqibe*&Hr(R+zr54{U_%HsE~C*AlKj zOV6G$PLp_fCc@*>XQTWH`gcXl1Q@!&20|^82#^{iH#EnKgsLBb!KIRTBfe|r1TyK_ z#~6tJ`=9?p@8zD92B2p?S^?=le}6RKatUq1*<7|s$eNJ)+ms?koMH@RFlbSsBduLF z5(1CjTk(Ck4nOwJ@;6AndN%UUN(^1eUox$INITfUiGK_28*HSZtLB;A#*py{V*txx z3HgN7qgVk6Yk?MKsSBYl$k&=r=#i{zb6r>B(6CwOYO~o4DGm|}McPHie|1X+-BKkBXwml9aQ;xEK|O-Ch17S! zRc;(Q>M_e+CM~?@8Z8wrf$=xkr?FbdpTk{|12{^#{(-uYG&=<+7#DeCHibpB#r8HI zZjR7RzXa(JpgT{60n&NNe|m`+4J@@#e=}5`lrc~8t7hc+bS zDOd_rUF&V6nDXAN1>;spt65qr-Yr{g`BqaIu~wA>ogQ< zx)x|U7G~NDGJ6zaO1!J~K)79ZR4Vh^K=m8#^S3XnKf{2Kgh5Mne~4VK81F7Ow%BOr zUr1Wi4!}pQ@>7G>7KAc>sS^ClyiKt<=9Jw?W2LH^l>HTN?2{BUhd?nPp{`8{A@)N$ zs%ss(cA#9HL#ZYy3>Yj>)IAl^cmIS*F0RD1+p6F-{Qn@6aWAK2mqOIu?##04ViFtSrnmsbmI*G0G_i|2BHanH0yP4 zk{}c1YIEbDwSGG{m-{##!G@6lY;N>qeDd(o<40bQpSQ7Rt_D4GI}FqR+T!`#{M8-hg6sh#BN6%5~@H zY|Wb!L2n!{RSwdscZB6D=OCqg?8~L0;Iqggxt)&5f6=Y)dV4}h<6f9-VwfCf11(MwLn3Cfk&TV2-)s9@wpw8SRKvoT%b~8&4MZo&84|<6EE`Xg}CMO zBi$nBNN+bg(p%}f_05I=01jni;Eyc`Nsnphf~)t7-neF)^PX#}i~rXmTRr#37GPWLuIS#n*K;-vyBMtXP*?fP3l|5?-2;$+H~ePhK3jry`|4pG z!3VeXHa5TBwV77iX=4uytyoaaPSR`+*ElOoU)BdUf^-{ZzUFHQ(x0Vg&lsmkygU=( z@#(Ws{sdjSB4z^kTwnvC7D)t14U!w0<3&Q%Pru+QNxTu?wQ~ZQ^z35{#Q*)zf1&qs zPf7#OGas#h^q)U}8gRLU=HP5Dni?BK+|g{BQQ($H1&%x+`Ic!V(k3qE#%MPhR6XNrCk3&-AJ09f)k93yfK@?BHChmn-4cf=%(L)bO_L$ zr@{c~ykxz9M2rTOTByGnDo@H7ra7Tzr^@{aI*$_NOG9?I{MbVq67m(0eSDh!4v#A= 
z!nAol>zGZOb9GZ$s%471%(J7s(^5v+znoLTPVVwe+j^bLHKlbL$}?TdG9Ak??PZuf z$}c6}RZ}3`sXOYE`5mD8W%l{om(?F%KuE%%r8-1^uGfio7a3b@wDa#GEoukgBUjO> zL2C;_8NXBs{$<{rSR8Z8ZltkNRZYtNiZ}L23R*&-7?4ocri2jtAsyAV4!t^1q|TvK zlN1IF7AWeTO6R+OxFi=>V%p7A@EZRA4^T@10u%rg000080GV)gS)Su(JqZQ?0KE_Z j02ct0Zxk~PnQ(Pk6rp@{;|%}+o|CT>HU>}>00000RzXiP diff --git a/Solutions/Torq/Package/mainTemplate.json b/Solutions/Torq/Package/mainTemplate.json index 21be638114c..6b4b45d945e 100644 --- a/Solutions/Torq/Package/mainTemplate.json +++ b/Solutions/Torq/Package/mainTemplate.json @@ -246,7 +246,7 @@ ], "metadata": { "title": "Notify Sentinel Incident Creation and Update to Torq Webhook", - "description": "Sends an HTTPS request to a webhook trigger in Torq everytime a new Incident is created or updated in Sentinel", + "description": "Sends an HTTPS request to a webhook trigger in Torq everytime a new Incident is created or updated in Microsoft Sentinel", "documentation": "https://kb.torq.io/en/articles/9024676-configure-microsoft-sentinel-and-torq-to-trigger-torq-workflows-on-incident-creation-and-update", "prerequisites": [ "Prior to the deployment of this playbook, create a new Microsoft Sentinel Trigger integration in Torq", diff --git a/Solutions/Torq/Playbooks/Torq-Sentinel-Incident-Trigger/azuredeploy.json b/Solutions/Torq/Playbooks/Torq-Sentinel-Incident-Trigger/azuredeploy.json index 5956c73c22d..58eadf8f396 100644 --- a/Solutions/Torq/Playbooks/Torq-Sentinel-Incident-Trigger/azuredeploy.json +++ b/Solutions/Torq/Playbooks/Torq-Sentinel-Incident-Trigger/azuredeploy.json 
@@ -3,7 +3,7 @@ "contentVersion": "1.0.0.0", "metadata": { "title": "Notify Sentinel Incident Creation and Update to Torq Webhook", - "description": "Sends an HTTPS request to a webhook trigger in Torq everytime a new Incident is created or updated in Sentinel", + "description": "Sends an HTTPS request to a webhook trigger in Torq everytime a new Incident is created or updated in Microsoft Sentinel", "documentation": "https://kb.torq.io/en/articles/9024676-configure-microsoft-sentinel-and-torq-to-trigger-torq-workflows-on-incident-creation-and-update", "prerequisites": [ "Prior to the deployment of this playbook, create a new Microsoft Sentinel Trigger integration in Torq",