Azure · v-atulyadav · Nov 21, 2024 · Nov 6, 2024 · Nov 19, 2024 · Nov 19, 2024
@@ -0,0 +1,165 @@
+{
+    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+    "contentVersion": "1.0.0.0",
+    "metadata": {
+        "title": "Notify Sentinel Incident Creation and Update to Torq Webhook",
+        "description": "Sends an HTTPS request to a webhook trigger in Torq everytime a new Incident is created or updated in Sentinel",
+        "documentation": "https://kb.torq.io/en/articles/9024676-configure-microsoft-sentinel-and-torq-to-trigger-torq-workflows-on-incident-creation-and-update",
+        "lastUpdateTime": "2024-11-06T00:00:00.000Z",
+        "author": {
+            "name": "Torq"
+        }
+    },
+    "parameters": {
+        "PlaybookName": {
+            "defaultValue": "Sentinel_Incident_Sync_to_Torq",
+            "type": "String"
+        },
+        "Torq_Webhook_Enpoint_URL": {
+            "defaultValue": "https://hooks.torq.io/v1/webhooks/125a9209-9ed6-4216-b5cd-10567f2164f5",
+            "type": "String"
+        },
+        "Torq_Webhook_Auth_Header_Name": {
+            "defaultValue": "X-Torq-Auth",
+            "type": "String"
+        },
+        "Torq_Webhook_Auth_Header_Secret": {
+            "defaultValue": "secr3tP@ssw0rd",
+            "type": "String"
+        }
+    },
+    "variables": {
+        "AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]"
+    },
+    "resources": [
+        {
+            "type": "Microsoft.Web/connections",
+            "apiVersion": "2016-06-01",
+            "name": "[variables('AzureSentinelConnectionName')]",
+            "location": "[resourceGroup().location]",
+            "kind": "V1",
+            "properties": {
+                "displayName": "[variables('AzureSentinelConnectionName')]",
+                "customParameterValues": {},
+                "parameterValueType": "Alternative",
+                "api": {
+                    "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
+                }
+            }
+        },
+        {
+            "type": "Microsoft.Logic/workflows",
+            "apiVersion": "2017-07-01",
+            "name": "[parameters('PlaybookName')]",
+            "location": "[resourceGroup().location]",
+            "identity": {
+                "type": "SystemAssigned"
+            },
+            "dependsOn": [
+                "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]"
+            ],
+            "properties": {
+                "state": "Enabled",
+                "definition": {
+                    "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+                    "contentVersion": "1.0.0.0",
+                    "parameters": {
+                        "Torq_Webhook_Enpoint_URL": {
+                            "defaultValue": "[parameters('Torq_Webhook_Enpoint_URL')]",
+                            "type": "String"
+                        },
+                        "Torq_Webhook_Auth_Header_Name": {
+                            "defaultValue": "[parameters('Torq_Webhook_Auth_Header_Name')]",
+                            "type": "String"
+                        },
+                        "Torq_Webhook_Auth_Header_Secret": {
+                            "defaultValue": "[parameters('Torq_Webhook_Auth_Header_Secret')]",
+                            "type": "String"
+                        },
+                        "$connections": {
+                            "defaultValue": {},
+                            "type": "Object"
+                        }
+                    },
+                    "staticResults": {
+                        "HTTP0": {
+                            "status": "Succeeded",
+                            "outputs": {
+                                "statusCode": "OK"
+                            }
+                        }
+                    },
+                    "triggers": {
+                        "Microsoft_Sentinel_incident": {
+                            "type": "ApiConnectionWebhook",
+                            "inputs": {
+                                "host": {
+                                    "connection": {
+                                        "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+                                    }
+                                },
+                                "body": {
+                                    "callback_url": "@{listCallbackUrl()}"
+                                },
+                                "path": "/incident-creation"
+                            },
+                            "conditions": [],
+                            "runtimeConfiguration": {
+                                "concurrency": {
+                                    "runs": 10,
+                                    "maximumWaitingRuns": 50
+                                }
+                            }
+                        }
+                    },
+                    "actions": {
+                        "Send_Notification_to_Torq": {
+                            "runAfter": {},
+                            "limit": {
+                                "timeout": "PT30S"
+                            },
+                            "type": "Http",
+                            "inputs": {
+                                "uri": "@parameters('Torq_Webhook_Enpoint_URL')",
+                                "method": "POST",
+                                "headers": {
+                                    "@{parameters('Torq_Webhook_Auth_Header_Name')}": "@{parameters('Torq_Webhook_Auth_Header_Secret')}"
+                                },
+                                "body": "@triggerBody()"
+                            },
+                            "operationOptions": "DisableAsyncPattern"
+                        },
+                        "Terminate_Success": {
+                            "runAfter": {
+                                "Send_Notification_to_Torq": [
+                                    "Succeeded"
+                                ]
+                            },
+                            "type": "Terminate",
+                            "inputs": {
+                                "runStatus": "Succeeded"
+                            }
+                        }
+                    },
+                    "outputs": {}
+                },
+                "parameters": {
+                    "$connections": {
+                        "value": {
+                            "azuresentinel": {
+                                "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]",
+                                "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
+                                "connectionName": "[variables('AzureSentinelConnectionName')]",
+                                "connectionProperties": {
+                                    "authentication": {
+                                        "type": "ManagedServiceIdentity"
+                                    }
+                                }
+                            }
+                        }
+                    }
+                }
+            }
+        }
+    ]
+}
@@ -0,0 +1,43 @@
+# Torq-Sentinel-Incident-Trigger
+
+## Summary
+
+When a new Sentinel Incident is created or updated, this playbook gets triggered and sends a notification (HTTPS POST Request) to a Microsoft Sentinel Webhook in Torq
+
+<img src="./playbook_screenshot.png" width="50%"/><br>
+
+### Prerequisites
+
+1. Prior to the deployment of this playbook, create a new Microsoft Sentinel Trigger integration in Torq.
+2. Take note of the endpoint URL, the authentication header name, and the authentication header secret configured in the Microsoft Sentinel Trigger integration.
+
+
+### Deployment instructions
+
+1. To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
+2. Fill in the required paramteres:
+    * Playbook Name: Enter the playbook name here
+    * Torq_Webhook_Enpoint_URL: Enter the endpoint URL for the Microsoft Sentinel Trigger integration previously created in Torq.
+    * Torq_Webhook_Auth_Header_Name: Enter the authentication header name for the Microsoft Sentinel Trigger integration previously created in Torq.
+    * Torq_Webhook_Auth_Header_Secret: Enter the authentication header secret for the Microsoft Sentinel Trigger integration previously created in Torq.
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FTorq%2FPlaybooks%2FPlaybooks%2FTorq-Sentinel-Incident-Trigger%2Fazuredeploy.json) [![Deploy to Azure](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FTorq%2FPlaybooks%2FPlaybooks%2FTorq-Sentinel-Incident-Trigger%2Fazuredeploy.json)
+
+### Post-Deployment instructions
+
+1. Browse to your Microsoft Sentinel workspace > Configuration > Automation
+2. Click "+ Create" and select "Automation rule" to create a new automation rule meant to send a notification to Torq when a new Sentinel Incident is **created**.
+3. Give the automation rule a meaningful name, like "Notify Torq when new Sentinel Incident is created".
+4. From the "Trigger" drop-down menu, select **"When incident is created"**.
+5. Leve "Conditions" to its default values.
+6. From the "Actions" drop-down menu, select "Run playbook".
+7. From the playbook selection drop-down, select the playbook "Sentinel_Incident_Sync_to_Torq"
+8. Click the "Apply" button.
+9. Click "+ Create" again and select "Automation rule" to create a new automation rule meant to send a notification to Torq when an existing Sentinel Incident is **updated**.
+10. Give the automation rule a meaningful name, like "Notify Torq when a Sentinel Incident is updated".
+11. From the "Trigger" drop-down menu, select **"When incident is updated"**
+12. Leve "Conditions" to its default values.
+13. From the "Actions" drop-down menu, select "Run playbook".
+14. From the playbook selection drop-down, select the playbook "Sentinel_Incident_Sync_to_Torq"
+15. Click the "Apply" button.
+
@@ -0,0 +1,4 @@
+| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History**                                                 |
+|-------------|--------------------------------|--------------------------------------------------------------------|
+| 1.0.0       | 06-11-2023                     | New **Playbook** Torq_Sentinel_Incident_Trigger            		|  
+
@@ -0,0 +1,15 @@
+{
+	"publisherId": "azuresentinel",
+	"offerId": "azure-sentinel-solution-torq",
+	"firstPublishDate": "2024-11-06",
+	"providers": ["Torq"],
+	"categories": {
+		"domains" : ["Application"]
+	},
+	"support": {
+	  "name": "Microsoft Corporation",
+	  "email": "support@microsoft.com",
+	  "tier": "Microsoft",
+	  "link": "https://support.microsoft.com"
+	}
+}