diff --git a/Solutions/IllumioSaaS/Playbooks/Illumio-Get-Ven-Details/Images/illumio-get-ven-details-playbook.png b/Solutions/IllumioSaaS/Playbooks/Illumio-Get-Ven-Details/Images/illumio-get-ven-details-playbook.png
new file mode 100644
index 00000000000..2fa02b1c521
Binary files /dev/null and b/Solutions/IllumioSaaS/Playbooks/Illumio-Get-Ven-Details/Images/illumio-get-ven-details-playbook.png differ
diff --git a/Solutions/IllumioSaaS/Playbooks/Illumio-Get-Ven-Details/README.md b/Solutions/IllumioSaaS/Playbooks/Illumio-Get-Ven-Details/README.md
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/Solutions/IllumioSaaS/Playbooks/Illumio-Get-Ven-Details/azuredeploy.json b/Solutions/IllumioSaaS/Playbooks/Illumio-Get-Ven-Details/azuredeploy.json
new file mode 100644
index 00000000000..c28be9c2538
--- /dev/null
+++ b/Solutions/IllumioSaaS/Playbooks/Illumio-Get-Ven-Details/azuredeploy.json
@@ -0,0 +1,545 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "title": "Illumio Get Ven Details Playbook", + "description": "This playbook leverages Illumio workloads API to enrich IP, Hostname and Labels, found in Microsoft Sentinel alerts. .", + "prerequisites": [ + "To use this playbook, ensure that you have valid API key and secret, org id and pce fqdn. Ensure that you deploy the template with the required context." + ], + "postDeployment": [ + "After deployment open the playbook in edit mode and configure/authorize all connections and press save. " + ], + "prerequisitesDeployTemplateFile": "", + "lastUpdateTime": "2024-11-21T00:00:00.000Z", + "entities": [ + "ip", + "host" + ], + "tags": [ "Enrichment" ], + "support": { + "tier": "Partner" + }, + "author": { + "name": "Illumio" + }, + "releaseNotes": [ + { + "version": "1.0", + "title": "Illumio Get Ven Details", + "notes": [ "Initial version" ] + } + ] + }, + "parameters": { + "PlaybookName": { + "defaultValue": "Illumio-Ven-Details", + "type": "String", + "metadata": { + "description": "PlayBook Name" + } + }, + "DeployersUserName": { + "defaultValue": "@", + "type": "string" + }, + "FunctionAppName": { + "defaultValue": "IllumioVenDetails", + "type": "String", + "metadata": { + "description": "Function app Name" + } + }, + "PCE_FQDN": { + "type": "String", + "metadata": { + "description": "FQDN of PCE" + } + }, + "PORT": { + "type": "String", + "metadata": { + "description": "Port that PCE connects to, like 443" + } + }, + "ORG_ID": { + "type": "String", + "metadata": { + "description": "Customer's org id" + } + }, + "API_KEY": { + "type": "String", + "metadata": { + "description": "API key" + } + }, + "API_SECRET": { + "type": "String", + "metadata": { + "description": "API secret" + } + } + }, + "variables": { + "location": "[resourceGroup().location]", + "hostingPlanName": 
"[parameters('FunctionAppName')]", + "storageAccountName": "vendetailsstorage", + "functionAppName": "[parameters('FunctionAppName')]", + "applicationInsightsName": "[parameters('FunctionAppName')]", + "pceFQDN": "[parameters('PCE_FQDN')]", + "port": "[parameters('PORT')]", + "orgId": "[parameters('ORG_ID')]", + "apiKey": "[parameters('API_KEY')]", + "apiSecret": "[parameters('API_SECRET')]", + "o365ConnectionName": "[concat('o365-', parameters('PlaybookName'))]", + "sentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]" + }, + "resources": [ + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('o365ConnectionName')]", + "location": "[resourceGroup().location]", + "properties": { + "displayName": "[parameters('DeployersUserName')]", + "customParameterValues": {}, + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/office365')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('sentinelConnectionName')]", + "location": "[resourceGroup().location]", + "properties": { + "displayName": "[parameters('DeployersUserName')]", + "customParameterValues": {}, + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]" + } + } + }, + { + "type": "Microsoft.Web/serverfarms", + "apiVersion": "2020-06-01", + "name": "[variables('hostingPlanName')]", + "location": "[variables('location')]", + "sku": { + "name": "Y1", + "tier": "Dynamic" + }, + "properties": { + "name": "[variables('hostingPlanName')]", + "computeMode": "Dynamic" + } + }, + { + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2019-06-01", + "name": "[variables('storageAccountName')]", + "location": "[variables('location')]", + "sku": { + "name": "Standard_LRS", 
+ "tier": "Standard" + }, + "kind": "StorageV2", + "properties": { + "accessTier": "Hot", + "minimumTlsVersion": "TLS1_2", + "supportsHttpsTrafficOnly": "true", + "allowBlobPublicAccess": "false", + "allowSharedKeyAccess": "true", + "networkAcls": { + "bypass": "AzureServices", + "defaultAction": "Allow", + "ipRules": [] + } + } + }, + { + "type": "Microsoft.Insights/components", + "apiVersion": "2020-02-02", + "name": "[variables('applicationInsightsName')]", + "location": "[resourceGroup().location]", + "tags": { + "[concat('hidden-link:', resourceId('Microsoft.Web/sites', variables('applicationInsightsName')))]": "Resource" + }, + "properties": { + "Application_Type": "web" + }, + "kind": "web" + }, + { + "type": "Microsoft.Web/sites", + "apiVersion": "2020-06-01", + "name": "[variables('functionAppName')]", + "location": "[variables('location')]", + "kind": "functionapp,linux", + "identity": { + "type": "SystemAssigned" + }, + "dependsOn": [ + "[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]", + "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]", + "[resourceId('Microsoft.Insights/components', variables('applicationInsightsName'))]" + ], + "properties": { + "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]", + "siteConfig": { + "appSettings": [ + { + "name": "AzureWebJobsStorage", + "value": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';EndpointSuffix=', environment().suffixes.storage, ';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), '2019-06-01').keys[0].value)]" + }, + { + "name": "FUNCTIONS_EXTENSION_VERSION", + "value": "~4" + }, + { + "name": "FUNCTIONS_WORKER_RUNTIME", + "value": "node" + }, + { + "name": "WEBSITE_NODE_DEFAULT_VERSION", + "value": "~20" + }, + { + "name": "APPINSIGHTS_INSTRUMENTATIONKEY", + "value": 
"[reference(resourceId('microsoft.insights/components', variables('applicationInsightsName')), '2020-02-02-preview').InstrumentationKey]" + }, + { + "name": "WEBSITE_RUN_FROM_PACKAGE", + "value": "https://raw.githubusercontent.com/illumio-shield/Azure-Sentinel/illumio-sentinel-playbook/Solutions/IllumioSaaS/Playbooks/Illumio-Get-Ven-Details/illumio-ven-details.zip" + }, + { + "name": "PCE_FQDN", + "value": "[variables('pceFQDN')]" + }, + { + "name": "PORT", + "value": "[variables('port')]" + }, + { + "name": "ORG_ID", + "value": "[variables('orgId')]" + }, + { + "name": "API_KEY", + "value": "[variables('apiKey')]" + }, + { + "name": "API_SECRET", + "value": "[variables('apiSecret')]" + } + ] + }, + "cors": { + "allowedOrigins": [ + "https://functions.azure.com", + "https://functions-staging.azure.com", + "https://functions-next.azure.com" + ], + "supportCredentials": false + } + } + }, + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2017-07-01", + "location": "[variables('location')]", + "name": "[parameters('PlaybookName')]", + "dependsOn": [ + "[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]", + "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]", + "[resourceId('Microsoft.Insights/components', variables('applicationInsightsName'))]", + "[resourceId('Microsoft.Web/sites', variables('functionAppName'))]", + "[resourceId('Microsoft.Web/connections', variables('o365ConnectionName'))]" + ], + "properties": { + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "defaultValue": {}, + "type": "Object" + } + }, + "triggers": { + "Microsoft_Sentinel_alert": { + "type": "ApiConnectionWebhook", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "body": 
{ + "callback_url": "@listCallbackUrl()" + }, + "path": "/subscribe" + } + } + }, + "actions": { + "IllumioVenDetails-fetchVenDetails": { + "type": "Function", + "inputs": { + "body": "@triggerBody()", + "function": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/sites/',parameters('Functionappname'), '/functions/fetchVenDetails')]" + } + }, + "runAfter": { + } + }, + "Initialize_variable": { + "runAfter": { + "IllumioVenDetails-fetchVenDetails": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "varStyle", + "type": "object", + "value": { + "cellStyle": "style=\"font-family: Calibri; padding: 5px; border: 1px solid black;\"", + "headerStyle": "style=\"font-family: Helvetica; padding: 5px; border: 1px solid black;\"", + "numcellStyle": "style=\"font-family: Calibri; padding: 5px; border: 1px solid black;text-align: center;\"", + "rowStyleHighValues": "style=\"font-size:110%;background-color:#b32400; padding: 5px; border: 1px solid black;text-align: center;\"", + "rowStyleInfoValues": "style=\"background-color:#a6a6a6; padding: 5px; border: 1px solid black;text-align: center;\"", + "rowStyleLowValues": "style=\"background-color:#ffcc00; padding: 5px; border: 1px solid black;text-align: center;\"", + "rowStyleMedValues": "style=\"background-color:#ff6600; padding: 5px; border: 1px solid black;text-align: center;\"", + "tableStyle": "style=\"border-collapse: collapse;\"" + } + } + ] + } + }, + "Initialize_variable_1": { + "runAfter": { + "Initialize_variable": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "varHTMLTable", + "type": "string", + "value": "\n \n \n \n \n \n \n \n " + } + ] + } + }, + "Initialize_variable_2": { + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "varSeverityColour", + "type": "string", + "value": 
"@triggerBody()?['Severity']" + } + ] + }, + "runAfter": { + "Initialize_variable_3": [ + "Succeeded" + ] + } + }, + "Parse_JSON": { + "runAfter": { + "Initialize_variable_2": [ + "Succeeded" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@body('IllumioVenDetails-fetchVenDetails')", + "schema": { + "type": "object", + "properties": { + "response": { + "type": "array", + "items": { + "type": "object", + "properties": { + "public_ip": { + "type": [ + "string", + "null" + ] + }, + "hostname": { + "type": [ + "string", + "null" + ] + }, + "labels": { + "type": "array", + "items": { + "type": "object", + "properties": { + "href": { + "type": "string" + }, + "key": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "href", + "key", + "value" + ] + } + } + }, + "required": [ + "public_ip", + "hostname", + "labels" + ] + } + } + } + } + } + }, + "For_each": { + "type": "Foreach", + "foreach": "@body('Parse_JSON')?['response']", + "actions": { + "Append_to_string_variable": { + "type": "AppendToStringVariable", + "inputs": { + "name": "EntityTable", + "value": "\n \n \n \n" + } + } + }, + "runAfter": { + "Parse_JSON": [ + "Succeeded" + ] + } + }, + "Append_to_string_variable_1": { + "type": "AppendToStringVariable", + "inputs": { + "name": "EntityTable", + "value": "
Incident NumberCreated TimeTitleVen DetailsDescriptionIncident URL
@{item()?['public_ip']}@{item()?['hostname']}@{item()?['labels']}
" + }, + "runAfter": { + "Append_to_string_variable_2": [ + "Succeeded" + ] + } + }, + "Condition": { + "type": "If", + "expression": { + "and": [ + { + "greater": [ + "@length(body('Parse_JSON')?['response'])", + 0 + ] + } + ] + }, + "actions": { + "Send_an_email_(V2)": { + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['office365']['connectionId']" + } + }, + "method": "post", + "body": { + "To": "[parameters('DeployersUserName')]", + "Subject": "Test Alert details", + "Body": "

In the following, is more information, about the new Azure Sentinel incident:


@{variables('varHTMLTable')}


Illumio

", + "Importance": "Normal" + }, + "path": "/v2/Mail" + } + } + }, + "else": { + "actions": {} + }, + "runAfter": { + "Append_to_string_variable_1": [ + "Succeeded" + ] + } + }, + "Initialize_variable_3": { + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "EntityTable", + "type": "string", + "value": "\n \n \n \n \n " + } + ] + }, + "runAfter": { + "Initialize_variable_1": [ + "Succeeded" + ] + } + }, + "Append_to_string_variable_2": { + "type": "AppendToStringVariable", + "inputs": { + "name": "varHTMLTable", + "value": "
IP AddressHostnameLabels
" + }, + "runAfter": { + "For_each": [ + "Succeeded" + ] + } + } + }, + "outputs": {} + }, + "parameters": { + "$connections": { + "value": { + "azuresentinel": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('sentinelConnectionName'))]", + "connectionName": "[variables('sentinelConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]" + }, + "office365": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('o365ConnectionName'))]", + "connectionName": "[variables('o365ConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/office365')]" + } + } + } + } + } + } + ] +} \ No newline at end of file diff --git a/Solutions/IllumioSaaS/Playbooks/Illumio-Get-Ven-Details/illumio-ven-details.zip b/Solutions/IllumioSaaS/Playbooks/Illumio-Get-Ven-Details/illumio-ven-details.zip new file mode 100644 index 00000000000..c0d6d926594 Binary files /dev/null and b/Solutions/IllumioSaaS/Playbooks/Illumio-Get-Ven-Details/illumio-ven-details.zip differ diff --git a/Solutions/IllumioSaaS/Playbooks/Illumio-Port-Blocking-Switch/Images/illumio-port-blocking-switch-playbook.png b/Solutions/IllumioSaaS/Playbooks/Illumio-Port-Blocking-Switch/Images/illumio-port-blocking-switch-playbook.png new file mode 100644 index 00000000000..8e7e86c9db3 Binary files /dev/null and b/Solutions/IllumioSaaS/Playbooks/Illumio-Port-Blocking-Switch/Images/illumio-port-blocking-switch-playbook.png differ diff --git a/Solutions/IllumioSaaS/Playbooks/Illumio-Port-Blocking-Switch/README.md b/Solutions/IllumioSaaS/Playbooks/Illumio-Port-Blocking-Switch/README.md new file mode 100644 index 00000000000..e69de29bb2d 
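Review bot: `API_KEY` and `API_SECRET` are declared with `"type": "String"` in the `parameters` block, so their values are retained in clear text in the deployment history and are readable by anyone with read access to the resource group; declare both as `"type": "securestring"` (the same applies to the Illumio-Port-Blocking-Switch template in the next hunk). They are then copied verbatim into the function app's `appSettings`, which is readable through the site configuration; a Key Vault reference would be the stronger option, but the type change is the minimum. Separately, the Logic App's `dependsOn` lists the office365 connection but not `"[resourceId('Microsoft.Web/connections', variables('sentinelConnectionName'))]"`, although `$connections.azuresentinel` references that connection, so deployment ordering is not guaranteed. `storageAccountName` is the fixed literal `"vendetailsstorage"`, and storage account names are globally unique, so any second deployment fails; derive it from `uniqueString(resourceGroup().id)` instead. `WEBSITE_RUN_FROM_PACKAGE` fetches the function code from a branch URL on a fork rather than a commit-pinned location, so what actually runs can change after this review without any change to the template.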
diff --git a/Solutions/IllumioSaaS/Playbooks/Illumio-Port-Blocking-Switch/azuredeploy.json b/Solutions/IllumioSaaS/Playbooks/Illumio-Port-Blocking-Switch/azuredeploy.json
new file mode 100644
index 00000000000..c50d1922fa1
--- /dev/null
+++ b/Solutions/IllumioSaaS/Playbooks/Illumio-Port-Blocking-Switch/azuredeploy.json
@@ -0,0 +1,371 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "title": "Illumio Containment Switch Playbook", + "description": "This playbook leverages Illumio workloads API to contain and isolate a workload based on user inputs. .", + "prerequisites": [ + "To use this playbook, ensure that you have valid API key and secret, org id and pce fqdn. Ensure that you deploy the template with the required context." + ], + "postDeployment": [ + "After deployment open the playbook in edit mode and configure/authorize all connections and press save. " + ], + "prerequisitesDeployTemplateFile": "", + "lastUpdateTime": "2024-11-21T00:00:00.000Z", + "entities": [ + + ], + "tags": [ "Remediation" ], + "support": { + "tier": "Partner" + }, + "author": { + "name": "Illumio" + }, + "releaseNotes": [ + { + "version": "1.0", + "title": "Illumio Containment Switch", + "notes": [ "Initial version" ] + } + ] + }, + "parameters": { + "PlaybookName": { + "defaultValue": "Illumio-Port-Blocking-Switch", + "type": "String", + "metadata": { + "description": "PlayBook Name" + } + }, + "FunctionAppName": { + "defaultValue": "IllumioPortBlockingApp", + "type": "String", + "metadata": { + "description": "Function app Name" + } + }, + "PCE_FQDN": { + "type": "String", + "metadata": { + "description": "FQDN of PCE" + } + }, + "PORT": { + "type": "String", + "metadata": { + "description": "Port that PCE connects to, like 443" + } + }, + "ORG_ID": { + "type": "String", + "metadata": { + "description": "Customer's org id" + } + }, + "API_KEY": { + "type": "String", + "metadata": { + "description": "API key" + } + }, + "API_SECRET": { + "type": "String", + "metadata": { + "description": "API secret" + } + } + }, + "variables": { + "location": "[resourceGroup().location]", + "hostingPlanName": "[parameters('FunctionAppName')]", + "storageAccountName": "portblockstorage", + "functionAppName": 
"[parameters('FunctionAppName')]", + "applicationInsightsName": "[parameters('FunctionAppName')]", + "pceFQDN": "[parameters('PCE_FQDN')]", + "port": "[parameters('PORT')]", + "orgId": "[parameters('ORG_ID')]", + "apiKey": "[parameters('API_KEY')]", + "apiSecret": "[parameters('API_SECRET')]", + "sentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]" + }, + "resources": [ + { + "type": "Microsoft.Web/serverfarms", + "apiVersion": "2020-06-01", + "name": "[variables('hostingPlanName')]", + "location": "[variables('location')]", + "sku": { + "name": "Y1", + "tier": "Dynamic" + }, + "properties": { + "name": "[variables('hostingPlanName')]", + "computeMode": "Dynamic" + } + }, + { + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2019-06-01", + "name": "[variables('storageAccountName')]", + "location": "[variables('location')]", + "sku": { + "name": "Standard_LRS", + "tier": "Standard" + }, + "kind": "StorageV2", + "properties": { + "accessTier": "Hot", + "minimumTlsVersion": "TLS1_2", + "supportsHttpsTrafficOnly": "true", + "allowBlobPublicAccess": "false", + "allowSharedKeyAccess": "true", + "networkAcls": { + "bypass": "AzureServices", + "defaultAction": "Allow", + "ipRules": [] + } + } + }, + { + "type": "Microsoft.Insights/components", + "apiVersion": "2020-02-02", + "name": "[variables('applicationInsightsName')]", + "location": "[resourceGroup().location]", + "tags": { + "[concat('hidden-link:', resourceId('Microsoft.Web/sites', variables('applicationInsightsName')))]": "Resource" + }, + "properties": { + "Application_Type": "web" + }, + "kind": "web" + }, + { + "type": "Microsoft.Web/sites", + "apiVersion": "2020-06-01", + "name": "[variables('functionAppName')]", + "location": "[variables('location')]", + "kind": "functionapp,linux", + "identity": { + "type": "SystemAssigned" + }, + "dependsOn": [ + "[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]", + 
"[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]", + "[resourceId('Microsoft.Insights/components', variables('applicationInsightsName'))]" + ], + "properties": { + "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]", + "siteConfig": { + "appSettings": [ + { + "name": "AzureWebJobsStorage", + "value": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';EndpointSuffix=', environment().suffixes.storage, ';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), '2019-06-01').keys[0].value)]" + }, + { + "name": "FUNCTIONS_EXTENSION_VERSION", + "value": "~4" + }, + { + "name": "FUNCTIONS_WORKER_RUNTIME", + "value": "node" + }, + { + "name": "WEBSITE_NODE_DEFAULT_VERSION", + "value": "~20" + }, + { + "name": "APPINSIGHTS_INSTRUMENTATIONKEY", + "value": "[reference(resourceId('microsoft.insights/components', variables('applicationInsightsName')), '2020-02-02-preview').InstrumentationKey]" + }, + { + "name": "WEBSITE_RUN_FROM_PACKAGE", + "value": "https://raw.githubusercontent.com/illumio-shield/Azure-Sentinel/illumio-sentinel-playbook/Solutions/IllumioSaaS/Playbooks/Illumio-Port-Blocking-Switch/illumio-containment-switch.zip" + }, + { + "name": "PCE_FQDN", + "value": "[variables('pceFQDN')]" + }, + { + "name": "PORT", + "value": "[variables('port')]" + }, + { + "name": "ORG_ID", + "value": "[variables('orgId')]" + }, + { + "name": "API_KEY", + "value": "[variables('apiKey')]" + }, + { + "name": "API_SECRET", + "value": "[variables('apiSecret')]" + } + ] + }, + "cors": { + "allowedOrigins": [ + "https://functions.azure.com", + "https://functions-staging.azure.com", + "https://functions-next.azure.com" + ], + "supportCredentials": false + } + } + }, + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2017-07-01", + "name": "[parameters('PlaybookName')]", + "location": "[variables('location')]", + "dependsOn": 
[ + "[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]", + "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]", + "[resourceId('Microsoft.Insights/components', variables('applicationInsightsName'))]", + "[resourceId('Microsoft.Web/sites', variables('functionAppName'))]" + ], + "properties": { + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "defaultValue": {}, + "type": "Object" + } + }, + "triggers": { + "When_a_HTTP_request_is_received": { + "type": "Request", + "kind": "Http", + "inputs": { + "method": "POST", + "schema": { + "type": "object", + "properties": { + "protocol": { + "type": "integer" + }, + "port": { + "type": "integer" + } + } + } + } + } + }, + "actions": { + "PortBlockingFunction-runTrafficQuery": { + "runAfter": {}, + "type": "Function", + "inputs": { + "body": "@triggerBody()", + "function": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/sites/',parameters('Functionappname'), '/functions/runTrafficQuery')]" + } + } + }, + "PortBlockingFunction-fetchVisibilityOnlyWorkloadsFromTrafficResults": { + "runAfter": { + "PortBlockingFunction-runTrafficQuery": [ + "Succeeded" + ] + }, + "type": "Function", + "inputs": { + "body": "@body('PortBlockingFunction-runTrafficQuery')", + "function": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/sites/',parameters('Functionappname'), '/functions/fetchVisibilityOnlyWorkloadsFromTrafficResults')]" + } + } + }, + "PortBlockingFunction-createVirtualService": { + "runAfter": { + "PortBlockingFunction-fetchVisibilityOnlyWorkloadsFromTrafficResults": [ + "Succeeded" + ] + }, + "type": "Function", + "inputs": 
{ + "body": "@body('PortBlockingFunction-fetchVisibilityOnlyWorkloadsFromTrafficResults')", + "function": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/sites/',parameters('Functionappname'), '/functions/createVirtualService')]" + } + } + }, + "PortBlockingFunction-bindWorkloadsToVirtualService": { + "runAfter": { + "PortBlockingFunction-createVirtualService": [ + "Succeeded" + ] + }, + "type": "Function", + "inputs": { + "body": "@body('PortBlockingFunction-createVirtualService')", + "function": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/sites/',parameters('Functionappname'), '/functions/bindWorkloadsToVirtualService')]" + } + } + }, + "PortBlockingFunction-createAllowRuleForVirtualService": { + "runAfter": { + "PortBlockingFunction-bindWorkloadsToVirtualService": [ + "Succeeded" + ] + }, + "type": "Function", + "inputs": { + "body": "@body('PortBlockingFunction-bindWorkloadsToVirtualService')", + "function": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/sites/',parameters('Functionappname'), '/functions/createAllowRuleForVirtualService')]" + } + } + }, + "PortBlockingFunction-changeWorkloadEnforcementState": { + "runAfter": { + "PortBlockingFunction-fetchVisibilityOnlyWorkloadsFromTrafficResults": [ + "Succeeded" + ] + }, + "type": "Function", + "inputs": { + "body": "@body('PortBlockingFunction-fetchVisibilityOnlyWorkloadsFromTrafficResults')", + "function": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/sites/',parameters('Functionappname'), '/functions/changeWorkloadEnforcementState')]" + } + } + }, + "PortBlockingFunction-createDenyRule": { + "runAfter": { + 
"PortBlockingFunction-fetchVisibilityOnlyWorkloadsFromTrafficResults": [ + "Succeeded" + ] + }, + "type": "Function", + "inputs": { + "body": "@body('PortBlockingFunction-fetchVisibilityOnlyWorkloadsFromTrafficResults')", + "function": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/sites/',parameters('Functionappname'), '/functions/createDenyRule')]" + } + } + } + }, + "outputs": {} + }, + "parameters": { + "$connections": { + "value": { + "azuresentinel": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('sentinelConnectionName'))]", + "connectionName": "[variables('sentinelConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]" + } + } + } + } + } + } + ] +} \ No newline at end of file diff --git a/Solutions/IllumioSaaS/Playbooks/Illumio-Port-Blocking-Switch/illumio-containment-switch.zip b/Solutions/IllumioSaaS/Playbooks/Illumio-Port-Blocking-Switch/illumio-containment-switch.zip new file mode 100644 index 00000000000..236e9adc689 Binary files /dev/null and b/Solutions/IllumioSaaS/Playbooks/Illumio-Port-Blocking-Switch/illumio-containment-switch.zip differ diff --git a/Solutions/IllumioSaaS/data/Solution_IllumioSaaS.json b/Solutions/IllumioSaaS/data/Solution_IllumioSaaS.json index d24dcf39032..0272894a8a0 100644 --- a/Solutions/IllumioSaaS/data/Solution_IllumioSaaS.json +++ b/Solutions/IllumioSaaS/data/Solution_IllumioSaaS.json 
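Review bot: The workflow's `$connections.azuresentinel` block references `resourceId('Microsoft.Web/connections', variables('sentinelConnectionName'))`, but this template's `resources` array contains no `Microsoft.Web/connections` resource and the trigger is a plain HTTP `Request`, so the connection is either never created or never used; either add the connection resource (as the Illumio-Get-Ven-Details template does) or drop the `$connections` parameter. The `Request` trigger's schema lists `protocol` and `port` but has no `"required"` array, so an empty POST body passes validation and is forwarded to `runTrafficQuery`; add `"required": ["protocol", "port"]`, and since a single POST to this endpoint ends in deny rules and enforcement-state changes on workloads, consider limiting inbound callers through the workflow's `accessControl` settings. `PortBlockingFunction-createDenyRule` and `PortBlockingFunction-changeWorkloadEnforcementState` both `runAfter` only `fetchVisibilityOnlyWorkloadsFromTrafficResults`, so they execute in parallel with the `createVirtualService` → `bindWorkloadsToVirtualService` → `createAllowRuleForVirtualService` chain; if the intent (inferred from the action names) is to block only once the allow rule exists, both should `runAfter` `PortBlockingFunction-createAllowRuleForVirtualService` instead. The `API_KEY`/`API_SECRET` `securestring` point raised on the previous hunk applies to this template's `parameters` block as well.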
@@ -19,8 +19,12 @@
 "Analytic Rules/Illumio_VEN_Deactivated_Query.yaml",
 "Analytic Rules/Illumio_VEN_Suspend_Query.yaml"
 ],
+ "Playbooks": [
+ "Playbooks/Illumio-Port-Blocking-Switch/azuredeploy.json",
+ "Playbooks/Illumio-Get-Ven-Details/azuredeploy.json"
+ ],
 "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\IllumioSaaS",
- "Version": "3.2.2",
+ "Version": "3.3.2",
 "Metadata": "SolutionMetadata.json",
 "TemplateSpec": true,
 "Is1Pconnector": false