diff --git a/.script/tests/KqlvalidationsTests/CustomTables/SpyCloudBreachDataWatchlist.json b/.script/tests/KqlvalidationsTests/CustomTables/SpyCloudBreachDataWatchlist.json new file mode 100644 index 00000000000..e8af541191a --- /dev/null +++ b/.script/tests/KqlvalidationsTests/CustomTables/SpyCloudBreachDataWatchlist.json @@ -0,0 +1,117 @@ +{ + "Name": "SpyCloudBreachDataWatchlist_CL", + "Properties": [ + { + "Name": "Document_Id_g", + "Type": "Guid" + }, + { + "Name": "Domain_s", + "Type": "String" + }, + { + "Name": "Email_s", + "Type": "String" + }, + { + "Name": "IP_Address_s", + "Type": "String" + }, + { + "Name": "Infected_Machine_Id", + "Type": "Guid" + }, + { + "Name": "Infected_Path_s", + "Type": "String" + }, + { + "Name": "Infected_Time_t", + "Type": "DateTime" + }, + { + "Name": "Password_s", + "Type": "String" + }, + { + "Name": "Password_Plaintext_s", + "Type": "String" + }, + { + "Name": "Severity_s", + "Type": "String" + }, + { + "Name": "Source_Id_s", + "Type": "String" + }, + { + "Name": "SpyCloud_Publish_Date_t", + "Type": "DateTime" + }, + { + "Name": "Target_Domain_s", + "Type": "String" + }, + { + "Name": "Target_SubDomain_s", + "Type": "String" + }, + { + "Name": "Target_URL_s", + "Type": "String" + }, + { + "Name": "User_Hostname_s", + "Type": "String" + }, + { + "Name": "User_OS_s", + "Type": "String" + }, + { + "Name": "Username_s", + "Type": "String" + }, + { + "Name": "TenantID", + "Type": "String" + }, + { + "Name": "SourceSystem", + "Type": "String" + }, + { + "Name": "TimeGenerated", + "Type": "DateTime" + }, + { + "Name": "Computer", + "Type": "String" + }, + { + "Name": "MG", + "Type": "String" + }, + { + "Name": "ManagementGroupName", + "Type": "String" + }, + { + "Name": "RawData", + "Type": "String" + }, + { + "Name": "Type", + "Type": "String" + }, + { + "Name": "_ResourceId", + "Type": "String" + }, + { + "Name":"Infected_Machine_Id_g", + "Type":"Guid" + } + ] +} diff --git a/Sample Data/Custom/SpyCloudBreachDataWatchlist_CL.json b/Sample Data/Custom/SpyCloudBreachDataWatchlist_CL.json new file mode 100644 index 00000000000..bc4325fb60c --- /dev/null +++ b/Sample Data/Custom/SpyCloudBreachDataWatchlist_CL.json @@ -0,0 +1,81 @@ +[{ + "Document_Id": "a888d0f7-5688-471e-8230-8fd5ab903289", + "Domain": "example.net", + "Email": "sanitized@sanitized.com", + "IP_Address": "82.66.91.250", + "Infected_Machine_Id": "833ca19e-bb6e-4b42-867c-d4da26f5e47e", + "Infected_Path": "C:\\Users\\Pc\\AppData\\Local\\Temp\\Rar$EXb17664.13499\\Setup.exe", + "Infected_Time": "2022-05-26T00:19:15Z", + "Password": "password", + "Password_Plaintext": "password", + "Severity": "25", + "Source_Id": "45775", + "SpyCloud_Publish_Date": "2023-07-21T00:00:00Z", + "Target_Domain": "", + "Target_SubDomain": "", + "Target_URL": "127.0.0.1", + "User_Hostname": "DESKTOP-R9UHSL2", + "User_OS": "Windows 10 Pro [x64]", + "Username": "" + }, + { + "Document_Id": "f4328f85-9d5d-4bdc-bd31-fb21844347eb", + "Domain": "example.net", + "Email": "sanitized@sanitized.com", + "IP_Address": "154.118.62.47", + "Infected_Machine_Id": "04a30194-1e78-4bbe-bbcf-927c5a7ff9a3", + "Infected_Path": "C:\\Windows\\SysWOW64\\explorer.exe", + "Infected_Time": "2021-11-10T21:52:27Z", + "Password": "password", + "Password_Plaintext": "password", + "Severity": "25", + "Source_Id": "45775", + "SpyCloud_Publish_Date": "2023-07-21T00:00:00Z", + "Target_Domain": "sidjisanggarrias.my.id", + "Target_SubDomain": "", + "Target_URL": "sidjisanggarrias.my.id", + "User_Hostname": "DESKTOP-I2737MG", + "User_OS": "Windows 10 Pro [x64]", + "Username": "" + }, + { + "Document_Id": "62a47fd6-4c00-4e11-9ee1-d0d3f9b92d2a", + "Domain": "example.net", + "Email": "sanitized@sanitized.com", + "IP_Address": "41.199.16.142", + "Infected_Machine_Id": "40c31de2-d2ad-4f3b-9a7b-0506578cdd03", + "Infected_Path": "C:\\Users\\CHOICE COMPUTER\\Downloads\\pswd_9787_portable-setup\\Setup.exe", + "Infected_Time": "2023-01-27T21:50:06Z", + "Password": "Chancery1", + "Password_Plaintext": "Chancery1", + "Severity": "25", + "Source_Id": "45775", + "SpyCloud_Publish_Date": "2023-07-21T00:00:00Z", + "Target_Domain": "cytonn.com", + "Target_SubDomain": "stage.careers.cytonn.com", + "Target_URL": "stage.careers.cytonn.com", + "User_Hostname": "DESKTOP-R2LML9F", + "User_OS": "Windows 10 Pro [x64]", + "Username": "" + }, + { + "Document_Id": "7720e6ec-ab63-441d-9b06-7551e45f8ca3", + "Domain": "example.net", + "Email": "sanitized@sanitized.com", + "IP_Address": "41.199.16.142", + "Infected_Machine_Id": "17ccfce3-b74f-4dbd-abd2-5f879caa7068", + "Infected_Path": "C:\\Windows\\SysWOW64\\explorer.exe", + "Infected_Time": "2021-02-11T01:45:46Z", + "Password": "password@admin$", + "Password_Plaintext": "password@admin$", + "Severity": "25", + "Source_Id": "45775", + "SpyCloud_Publish_Date": "2023-07-21T00:00:00Z", + "Target_Domain": "", + "Target_SubDomain": "", + "Target_URL": "127.0.0.1", + "User_Hostname": "DESKTOP-Q8BDVTN", + "User_OS": "Windows 10 Pro [x64]", + "Username": "" + } +] \ No newline at end of file diff --git a/Solutions/SpyCloud Enterprise Protection/Analytic Rules/SpyCloudEnterpriseProtectionBreachRule.yaml b/Solutions/SpyCloud Enterprise Protection/Analytic Rules/SpyCloudEnterpriseProtectionBreachRule.yaml new file mode 100644 index 00000000000..7251d4c1aa7 --- /dev/null +++ b/Solutions/SpyCloud Enterprise Protection/Analytic Rules/SpyCloudEnterpriseProtectionBreachRule.yaml @@ -0,0 +1,53 @@ +id: cb410ad5-6e9d-4278-b963-1e3af205d680 +name: SpyCloud Enterprise Breach Detection +description: | + 'This alert creates an incident when an malware record is detected in the SpyCloud watchlist data' +severity: High +requiredDataConnectors: [] +status: Available +queryFrequency: 12h +queryPeriod: 12h +triggerOperator: gt +triggerThreshold: 0 +suppressionDuration: 5h +tactics: + - CredentialAccess +relevantTechniques: + - T1555 +query: | + SpyCloudBreachDataWatchlist_CL + | where Severity_s == '20' + | project TimeGenerated, Document_Id_g, Source_Id_s, SpyCloud_Publish_Date_t, Email_s, Domain_s, Password_s, Password_Plaintext_s, Username_s, IP_Address_s +incidentConfiguration: + createIncident: true + groupingConfiguration: + enabled: true + reopenClosedIncident: false + lookbackDuration: 12h + matchingMethod: AllEntities +eventGroupingSettings: + aggregationKind: AlertPerResult +alertDetailsOverride: null +entityMappings: + - entityType: Account + fieldMappings: + - identifier: FullName + columnName: Email_s + - entityType: Account + fieldMappings: + - identifier: Name + columnName: Username_s + - entityType: IP + fieldMappings: + - identifier: Address + columnName: IP_Address_s +customDetails: + Document_Id: Document_Id_g + Password: Password_s + Password_Plaintext: Password_Plaintext_s + Source_Id: Source_Id_s + Domain: Domain_s + PublishDate: SpyCloud_Publish_Date_t +sentinelEntitiesMappings: null +version: 1.0.0 +kind: Scheduled diff --git a/Solutions/SpyCloud Enterprise Protection/Analytic Rules/SpyCloudEnterpriseProtectionMalwareRule.yaml b/Solutions/SpyCloud Enterprise Protection/Analytic Rules/SpyCloudEnterpriseProtectionMalwareRule.yaml new file mode 100644 index 00000000000..53d5b8e42bb --- /dev/null +++ b/Solutions/SpyCloud Enterprise Protection/Analytic Rules/SpyCloudEnterpriseProtectionMalwareRule.yaml @@ -0,0 +1,68 @@ +id: 7ba50f9e-2f94-462b-a54b-8642b8c041f5 +name: SpyCloud Enterprise Malware Detection +description: | + 'This alert creates an incident when an malware record is detected in the SpyCloud watchlist data' +severity: High +requiredDataConnectors: [] +status: Available +queryFrequency: 12h +queryPeriod: 12h +triggerOperator: gt +triggerThreshold: 0 +suppressionDuration: 5h +tactics: + - CredentialAccess +relevantTechniques: + - T1555 +query: | + SpyCloudBreachDataWatchlist_CL + | where Severity_s == '25' + | project TimeGenerated, Document_Id_g, Source_Id_s, SpyCloud_Publish_Date_t, Email_s, Domain_s, Password_s, Password_Plaintext_s, Username_s, Infected_Machine_Id_g, Infected_Path_s, Infected_Time_t, Target_Domain_s, Target_SubDomain_s, User_Hostname_s, User_OS_s, Target_URL_s,IP_Address_s +incidentConfiguration: + createIncident: true + groupingConfiguration: + enabled: true + reopenClosedIncident: false + lookbackDuration: 12h + matchingMethod: AllEntities +eventGroupingSettings: + aggregationKind: AlertPerResult +alertDetailsOverride: null +entityMappings: + - entityType: Host + fieldMappings: + - identifier: HostName + columnName: Infected_Machine_Id_g + - identifier: DnsDomain + columnName: User_Hostname_s + - entityType: Account + fieldMappings: + - identifier: FullName + columnName: Email_s + - identifier: Name + columnName: Username_s + - entityType: DNS + fieldMappings: + - identifier: DomainName + columnName: Target_Domain_s + - entityType: DNS + fieldMappings: + - identifier: DomainName + columnName: Target_SubDomain_s + - entityType: IP + fieldMappings: + - identifier: Address + columnName: IP_Address_s +customDetails: + Document_Id: Document_Id_g + Password: Password_s + Password_Plaintext: Password_Plaintext_s + Infected_Path: Infected_Path_s + Infected_Time: Infected_Time_t + Domain: Domain_s + Source_Id: Source_Id_s + PublishDate: SpyCloud_Publish_Date_t + User_Host_Name: User_Hostname_s +sentinelEntitiesMappings: null +version: 1.0.0 +kind: Scheduled diff --git a/Solutions/SpyCloud Enterprise Protection/Data/Solution_Spycloud_Enterprise_Protection.json b/Solutions/SpyCloud Enterprise Protection/Data/Solution_Spycloud_Enterprise_Protection.json new file mode 100644 index 00000000000..d042f068302 --- /dev/null +++ b/Solutions/SpyCloud Enterprise Protection/Data/Solution_Spycloud_Enterprise_Protection.json @@ -0,0 +1,26 @@ +{ + "Name": "SpyCloud Enterprise Protection", + "Author": "SpyCloud", + "Logo": "", + "Description": "Cybercriminals continue to utilize stolen corporate credentials as the number one technique for account takeover (ATO). In fact, the FBI estimated that this resulted in estimated losses totaling more than $2.7 billion in 2022. SpyCloud helps prevent account takeover and ransomware attacks by identifying exposed credentials related to a company’s domains, IP addresses and emails. Through this integration, breach and malware data from SpyCloud can be loaded into Sentinel.", + "Playbooks": [ + "Playbooks/Custom Connector/azuredeploy.json", + "Playbooks/SpyCloud-Breach-Playbook/azuredeploy.json", + "Playbooks/SpyCloud-Get-Domain-Breach-Data-Playbook/azuredeploy.json", + "Playbooks/SpyCloud-Get-Email-Breach-Data-Playbook/azuredeploy.json", + "Playbooks/SpyCloud-Get-IP-Breach-Data-Playbook/azuredeploy.json", + "Playbooks/SpyCloud-Get-Password-Breach-Data-Playbook/azuredeploy.json", + "Playbooks/SpyCloud-Get-Username-Breach-Data-Playbook/azuredeploy.json", + "Playbooks/SpyCloud-Malware-Playbook/azuredeploy.json", + "Playbooks/SpyCloud-Monitor-Watchlist-Data/azuredeploy.json" + ], + "Analytic Rules": [ + "Analytic Rules/SpyCloudEnterpriseProtectionBreachRule.yaml", + "Analytic Rules/SpyCloudEnterpriseProtectionMalwareRule.yaml" + ], + "BasePath": "D:\\GitHub\\Azure-Sentinel\\Solutions\\SpyCloud Enterprise Protection", + "Version": "3.0.0", + "Metadata": "SolutionMetadata.json", + "TemplateSpec": true, + "Is1PConnector": false +} diff --git a/Solutions/SpyCloud Enterprise Protection/Package/3.0.0.zip b/Solutions/SpyCloud Enterprise Protection/Package/3.0.0.zip new file mode 100644 index 00000000000..c1bba90795d Binary files /dev/null and b/Solutions/SpyCloud Enterprise Protection/Package/3.0.0.zip differ diff --git a/Solutions/SpyCloud Enterprise Protection/Package/createUiDefinition.json b/Solutions/SpyCloud Enterprise Protection/Package/createUiDefinition.json new file mode 100644 index 00000000000..2064ea3437e --- /dev/null +++ b/Solutions/SpyCloud Enterprise Protection/Package/createUiDefinition.json @@ -0,0 +1,145 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#", + "handler": "Microsoft.Azure.CreateUIDef", + "version": "0.1.2-preview", + "parameters": { + "config": { + "isWizard": false, + "basics": { + "description": "\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nCybercriminals continue to utilize stolen corporate credentials as the number one technique for account takeover (ATO). In fact, the FBI estimated that this resulted in estimated losses totaling more than $2.7 billion in 2022. SpyCloud helps prevent account takeover and ransomware attacks by identifying exposed credentials related to a company’s domains, IP addresses and emails. Through this integration, breach and malware data from SpyCloud can be loaded into Sentinel.\n\n**Analytic Rules:** 2, **Custom Azure Logic Apps Connectors:** 1, **Playbooks:** 8\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "subscription": { + "resourceProviders": [ + "Microsoft.OperationsManagement/solutions", + "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "Microsoft.Insights/workbooks", + "Microsoft.Logic/workflows" + ] + }, + "location": { + "metadata": { + "hidden": "Hiding location, we get it from the log analytics workspace" + }, + "visible": false + }, + "resourceGroup": { + "allowExisting": true + } + } + }, + "basics": [ + { + "name": "getLAWorkspace", + "type": "Microsoft.Solutions.ArmApiControl", + "toolTip": "This filters by workspaces that exist in the Resource Group selected", + "condition": "[greater(length(resourceGroup().name),0)]", + "request": { + "method": "GET", + "path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]" + } + }, + { + "name": "workspace", + "type": "Microsoft.Common.DropDown", + "label": "Workspace", + "placeholder": "Select a workspace", + "toolTip": "This dropdown will list only workspace that exists in the Resource Group selected", + "constraints": { + "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]", + "required": true + }, + "visible": true + } + ], + "steps": [ + { + "name": "analytics", + "label": "Analytics", + "subLabel": { + "preValidation": "Configure the analytics", + "postValidation": "Done" + }, + "bladeTitle": "Analytics", + "elements": [ + { + "name": "analytics-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This solution installs the following analytic rule templates. After installing the solution, create and enable analytic rules in Manage solution view." + } + }, + { + "name": "analytics-link", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef" + } + } + }, + { + "name": "analytic1", + "type": "Microsoft.Common.Section", + "label": "SpyCloud Enterprise Breach Detection", + "elements": [ + { + "name": "analytic1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This alert creates an incident when an malware record is detected in the SpyCloud watchlist data" + } + } + ] + }, + { + "name": "analytic2", + "type": "Microsoft.Common.Section", + "label": "SpyCloud Enterprise Malware Detection", + "elements": [ + { + "name": "analytic2-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This alert creates an incident when an malware record is detected in the SpyCloud watchlist data" + } + } + ] + } + ] + }, + { + "name": "playbooks", + "label": "Playbooks", + "subLabel": { + "preValidation": "Configure the playbooks", + "postValidation": "Done" + }, + "bladeTitle": "Playbooks", + "elements": [ + { + "name": "playbooks-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This solution installs the Playbook templates to help implement your Security Orchestration, Automation and Response (SOAR) operations. After installing the solution, these will be deployed under Playbook Templates in the Automation blade in Microsoft Sentinel. They can be configured and managed from the Manage solution view in Content Hub." + } + }, + { + "name": "playbooks-link", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-respond-threats-playbook?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef" + } + } + } + ] + } + ], + "outputs": { + "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]", + "location": "[location()]", + "workspace": "[basics('workspace')]" + } + } +} diff --git a/Solutions/SpyCloud Enterprise Protection/Package/mainTemplate.json b/Solutions/SpyCloud Enterprise Protection/Package/mainTemplate.json new file mode 100644 index 00000000000..8a768603fba --- /dev/null +++ b/Solutions/SpyCloud Enterprise Protection/Package/mainTemplate.json @@ -0,0 +1,7412 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "author": "SpyCloud", + "comments": "Solution template for SpyCloud Enterprise Protection" + }, + "parameters": { + "location": { + "type": "string", + "minLength": 1, + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace" + } + }, + "workspace-location": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" + } + }, + "workspace": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" + } + } + }, + "variables": { + "_solutionName": "SpyCloud Enterprise Protection", + "_solutionVersion": "3.0.0", + "solutionId": "spycloudinc1680448518850.azure-sentinel-solution-spycloudenterprise", + "_solutionId": "[variables('solutionId')]", + "Custom Connector": "Custom Connector", + "_Custom Connector": "[variables('Custom Connector')]", + "TemplateEmptyArray": "[json('[]')]", + "playbookVersion1": "1.0", + "playbookContentId1": "Custom Connector", + "_playbookContentId1": "[variables('playbookContentId1')]", + "playbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-lc-',uniquestring(variables('_playbookContentId1'))))]", + "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", + "_playbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','lc','-', uniqueString(concat(variables('_solutionId'),'-','LogicAppsCustomConnector','-',variables('_playbookContentId1'),'-', variables('playbookVersion1'))))]", + "blanks": "[replace('b', 'b', '')]", + "SpyCloud-Breach-Playbook": "SpyCloud-Breach-Playbook", + "_SpyCloud-Breach-Playbook": "[variables('SpyCloud-Breach-Playbook')]", + "playbookVersion2": "1.0", + "playbookContentId2": "SpyCloud-Breach-Playbook", + "_playbookContentId2": "[variables('playbookContentId2')]", + "playbookId2": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId2'))]", + "playbookTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId2'))))]", + "_playbookcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId2'),'-', variables('playbookVersion2'))))]", + "SpyCloud-Get-Domain-Breach-Data-Playbook": "SpyCloud-Get-Domain-Breach-Data-Playbook", + "_SpyCloud-Get-Domain-Breach-Data-Playbook": "[variables('SpyCloud-Get-Domain-Breach-Data-Playbook')]", + "playbookVersion3": "1.0", + "playbookContentId3": "SpyCloud-Get-Domain-Breach-Data-Playbook", + "_playbookContentId3": "[variables('playbookContentId3')]", + "playbookId3": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId3'))]", + "playbookTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId3'))))]", + "_playbookcontentProductId3": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId3'),'-', variables('playbookVersion3'))))]", + "SpyCloud-Get-Email-Breach-Data-Playbook": "SpyCloud-Get-Email-Breach-Data-Playbook", + "_SpyCloud-Get-Email-Breach-Data-Playbook": "[variables('SpyCloud-Get-Email-Breach-Data-Playbook')]", + "playbookVersion4": "1.0", + "playbookContentId4": "SpyCloud-Get-Email-Breach-Data-Playbook", + "_playbookContentId4": "[variables('playbookContentId4')]", + "playbookId4": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId4'))]", + "playbookTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId4'))))]", + "_playbookcontentProductId4": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId4'),'-', variables('playbookVersion4'))))]", + "SpyCloud-Get-IP-Breach-Data-Playbook": "SpyCloud-Get-IP-Breach-Data-Playbook", + "_SpyCloud-Get-IP-Breach-Data-Playbook": "[variables('SpyCloud-Get-IP-Breach-Data-Playbook')]", + "playbookVersion5": "1.0", + "playbookContentId5": "SpyCloud-Get-IP-Breach-Data-Playbook", + "_playbookContentId5": "[variables('playbookContentId5')]", + "playbookId5": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId5'))]", + "playbookTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId5'))))]", + "_playbookcontentProductId5": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId5'),'-', variables('playbookVersion5'))))]", + "SpyCloud-Get-Password-Breach-Data-Playbook": "SpyCloud-Get-Password-Breach-Data-Playbook", + "_SpyCloud-Get-Password-Breach-Data-Playbook": "[variables('SpyCloud-Get-Password-Breach-Data-Playbook')]", + "playbookVersion6": "1.0", + "playbookContentId6": "SpyCloud-Get-Password-Breach-Data-Playbook", + "_playbookContentId6": "[variables('playbookContentId6')]", + "playbookId6": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId6'))]", + "playbookTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId6'))))]", + "_playbookcontentProductId6": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId6'),'-', variables('playbookVersion6'))))]", + "SpyCloud-Get-Username-Breach-Data-Playbook": "SpyCloud-Get-Username-Breach-Data-Playbook", + "_SpyCloud-Get-Username-Breach-Data-Playbook": "[variables('SpyCloud-Get-Username-Breach-Data-Playbook')]", + "playbookVersion7": "1.0", + "playbookContentId7": "SpyCloud-Get-Username-Breach-Data-Playbook", + "_playbookContentId7": "[variables('playbookContentId7')]", + "playbookId7": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId7'))]", + "playbookTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId7'))))]", + "_playbookcontentProductId7": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId7'),'-', variables('playbookVersion7'))))]", + "SpyCloud-Malware-Playbook": "SpyCloud-Malware-Playbook", + "_SpyCloud-Malware-Playbook": "[variables('SpyCloud-Malware-Playbook')]", + "playbookVersion8": "1.0", + "playbookContentId8": "SpyCloud-Malware-Playbook", + "_playbookContentId8": "[variables('playbookContentId8')]", + "playbookId8": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId8'))]", + "playbookTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId8'))))]", + "_playbookcontentProductId8": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId8'),'-', variables('playbookVersion8'))))]", + "SpyCloud-Monitor-Watchlist-Data": "SpyCloud-Monitor-Watchlist-Data", + "_SpyCloud-Monitor-Watchlist-Data": "[variables('SpyCloud-Monitor-Watchlist-Data')]", + "playbookVersion9": "1.0", + "playbookContentId9": "SpyCloud-Monitor-Watchlist-Data", + "_playbookContentId9": "[variables('playbookContentId9')]", + "playbookId9": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId9'))]", + "playbookTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId9'))))]", + "_playbookcontentProductId9": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId9'),'-', variables('playbookVersion9'))))]", + "analyticRuleVersion1": "1.0.0", + "analyticRulecontentId1": "cb410ad5-6e9d-4278-b963-1e3af205d680", + "_analyticRulecontentId1": "[variables('analyticRulecontentId1')]", + "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId1'))]", + "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId1'))))]", + "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId1'),'-', variables('analyticRuleVersion1'))))]", + "analyticRuleVersion2": "1.0.0", + "analyticRulecontentId2": "7ba50f9e-2f94-462b-a54b-8642b8c041f5", + "_analyticRulecontentId2": "[variables('analyticRulecontentId2')]", + "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId2'))]", + "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId2'))))]", + "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId2'),'-', variables('analyticRuleVersion2'))))]", + "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName1')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Custom Connector Playbook with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion1')]", + "parameters": { + "SpyCloudConnectorName": { + "defaultValue": "SpyCloud-Enterprise-Protection", + "type": "String" + } + }, + "variables": { + "operationId-Breach_Catalog": "Breach_Catalog", + "_operationId-Breach_Catalog": "[[variables('operationId-Breach_Catalog')]", + "operationId-Breach_Catalog_ID": "Breach_Catalog_ID", + "_operationId-Breach_Catalog_ID": "[[variables('operationId-Breach_Catalog_ID')]", + "operationId-Breach_Catalog_Domain": "Breach_Catalog_Domain", + "_operationId-Breach_Catalog_Domain": "[[variables('operationId-Breach_Catalog_Domain')]", + "operationId-Breach_Data_Email": "Breach_Data_Email", + "_operationId-Breach_Data_Email": "[[variables('operationId-Breach_Data_Email')]", + "operationId-Breach_Data_IP_Address": "Breach_Data_IP_Address", + "_operationId-Breach_Data_IP_Address": "[[variables('operationId-Breach_Data_IP_Address')]", + "operationId-Breach_Data_Password": "Breach_Data_Password", + "_operationId-Breach_Data_Password": "[[variables('operationId-Breach_Data_Password')]", + "operationId-Breach_Data_Username": "Breach_Data_Username", + "_operationId-Breach_Data_Username": "[[variables('operationId-Breach_Data_Username')]", + "operationId-Breach_Data_Watchlist": "Breach_Data_Watchlist", + "_operationId-Breach_Data_Watchlist": "[[variables('operationId-Breach_Data_Watchlist')]", + "operationId-Compass_Devices_List": "Compass_Devices_List", + "_operationId-Compass_Devices_List": "[[variables('operationId-Compass_Devices_List')]", + "operationId-Compass_Devices_Data": "Compass_Devices_Data", + "_operationId-Compass_Devices_Data": "[[variables('operationId-Compass_Devices_Data')]", + "operationId-Compass_Applications_Data": "Compass_Applications_Data", + "_operationId-Compass_Applications_Data": "[[variables('operationId-Compass_Applications_Data')]", + "operationId-Compass_Data": "Compass_Data", + "_operationId-Compass_Data": "[[variables('operationId-Compass_Data')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "playbookContentId1": "Custom Connector", + "playbookId1": "[[resourceId('Microsoft.Web/customApis', parameters('SpyCloudConnectorName'))]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "type": "Microsoft.Web/customApis", + "apiVersion": "2016-06-01", + "name": "[[parameters('SpyCloudConnectorName')]", + "location": "[[variables('workspace-location-inline')]", + "properties": { + "connectionParameters": { + "api_key": { + "type": "securestring", + "uiDefinition": { + "displayName": "API Key", + "description": "The API Key for this api", + "tooltip": "Provide your API Key", + "constraints": { + "tabIndex": 2, + "clearText": false, + "required": "true" + } + } + } + }, + "backendService": { + "serviceUrl": "https://api.spycloud.io/enterprise-v2" + }, + "description": "The SpyCloud Enterprise Protection connector allows access to SpyCloud’s Enterprise Protection API. The connector is organized around the SpyCloud Enterprise Protection API endpoints. JSON is returned by all API responses, including those with errors.", + "displayName": "[[parameters('SpyCloudConnectorName')]", + "iconUri": "", + "swagger": { + "swagger": "2.0", + "info": { + "title": "SpyCloud Enterprise Protection", + "description": "The SpyCloud Enterprise Protection connector allows access to SpyCloud’s Enterprise Protection API. The connector is organized around the SpyCloud Enterprise Protection API endpoints. JSON is returned by all API responses, including those with errors.", + "contact": { + "name": "SpyCloud Integrations", + "url": "https://portal/spycloud.com/", + "email": "integrations@spycloud.com" + }, + "version": "1.0" + }, + "host": "api.spycloud.io", + "basePath": "/enterprise-v2", + "schemes": [ + "https" + ], + "consumes": "[variables('TemplateEmptyArray')]", + "produces": "[variables('TemplateEmptyArray')]", + "paths": { + "/breach/catalog": { + "get": { + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "responses": { + "200": { + "description": "success", + "schema": { + "$ref": "#/definitions/Breach_Catalog_Schema" + } + } + }, + "summary": "List or Query the Breach Catalog", + "description": "List or Query the Breach Catalog.", + "operationId": "[[variables('_operationId-Breach_Catalog')]", + "parameters": [ + { + "$ref": "#/parameters/Query" + }, + { + "$ref": "#/parameters/Cursor" + }, + { + "$ref": "#/parameters/Since" + }, + { + "$ref": "#/parameters/Until" + } + ] + } + }, + "/breach/catalog/{id}": { + "get": { + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "responses": { + "200": { + "description": "success", + "schema": { + "$ref": "#/definitions/Breach_Catalog_Schema" + } + } + }, + "summary": "Get Catalog", + "description": "Get/Retrieve Breach Catalog Information by ID.", + "operationId": "[[variables('_operationId-Breach_Catalog_ID')]", + "parameters": [ + { + "$ref": "#/parameters/ID" + } + ] + } + }, + "/breach/data/domains/{domain}": { + "get": { + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "responses": { + "200": { + "description": "success", + "schema": { + "$ref": "#/definitions/Breach_Data_By_Domain_Schema" + } + } + }, + "summary": "Get Breach Data by Domain Search", + "description": "Get Breach Data by Domain Search.", + "operationId": "[[variables('_operationId-Breach_Catalog_Domain')]", + "parameters": [ + { + "$ref": "#/parameters/Domain" + }, + { + "$ref": "#/parameters/Type" + }, + { + "$ref": "#/parameters/Cursor" + }, + { + "$ref": "#/parameters/Since" + }, + { + "$ref": "#/parameters/Until" + }, + { + "$ref": "#/parameters/Since_Modification_Date" + }, + { + "$ref": "#/parameters/Until_Modification_Date" + }, + { + "$ref": "#/parameters/Severity" + }, + { + "$ref": "#/parameters/Source_Id" + }, + { + "$ref": "#/parameters/Salt" + } + ] + } + }, + "/breach/data/emails/{email}": { + "get": { + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "responses": { + "200": { + "description": "success", + "schema": { + "$ref": "#/definitions/Breach_Data_By_Email_Schema" + } + } + }, + "summary": "Get Breach Data by Email Search", + "description": "Get Breach Data by Email Search.", + "operationId": "[[variables('_operationId-Breach_Data_Email')]", + "parameters": [ + { + "$ref": "#/parameters/Email" + }, + { + "$ref": "#/parameters/Cursor" + }, + { + "$ref": "#/parameters/Since" + }, + { + "$ref": "#/parameters/Until" + }, + { + "$ref": "#/parameters/Since_Modification_Date" + }, + { + "$ref": "#/parameters/Until_Modification_Date" + }, + { + "$ref": "#/parameters/Severity" + }, + { + "$ref": "#/parameters/Source_Id" + }, + { + "$ref": "#/parameters/Salt" + } + ] + } + }, + "/breach/data/ips/{ip}": { + "get": { + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "responses": { + "200": { + "description": "success", + "schema": { + "$ref": "#/definitions/Breach_Data_By_IP_Schema" + } + } + }, + "summary": "Get Breach Data by IP Address", + "description": "Get Breach Data by IP Address.", + "operationId": "[[variables('_operationId-Breach_Data_IP_Address')]", + "parameters": [ + { + "$ref": "#/parameters/IP" + }, + { + "$ref": "#/parameters/Cursor" + }, + { + "$ref": "#/parameters/Since" + }, + { + "$ref": "#/parameters/Until" + }, + { + "$ref": "#/parameters/Since_Modification_Date" + }, + { + "$ref": "#/parameters/Until_Modification_Date" + }, + { + "$ref": "#/parameters/Severity" + }, + { + "$ref": "#/parameters/Source_Id" + }, + { + "$ref": "#/parameters/Salt" + } + ] + } + }, + "/breach/data/passwords/{password}": { + "get": { + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "responses": { + "200": { + "description": "success", + "schema": { + "$ref": "#/definitions/Breach_Data_By_Password_Schema" + } + } + }, + "summary": "Get Breach Data by Password Search", + "description": "Get Breach Data by Password Search.", + "operationId": "[[variables('_operationId-Breach_Data_Password')]", + "parameters": [ + { + "$ref": "#/parameters/Password" + }, + { + "$ref": "#/parameters/Cursor" + }, + { + "$ref": "#/parameters/Since" + }, + { + "$ref": "#/parameters/Until" + }, + { + "$ref": "#/parameters/Since_Modification_Date" + }, + { + "$ref": "#/parameters/Until_Modification_Date" + }, + { + "$ref": "#/parameters/Severity" + }, + { + "$ref": "#/parameters/Source_Id" + }, + { + "$ref": "#/parameters/Salt" + } + ] + } + }, + "/breach/data/usernames/{username}": { + "get": { + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "responses": { + "200": { + "description": "success", + "schema": { + "$ref": "#/definitions/Breach_Data_By_Username_Schema" + } + } + }, + "summary": "Get Breach Data by Username Search", + "description": "Get Breach Data by Username Search.", + "operationId": "[[variables('_operationId-Breach_Data_Username')]", + "parameters": [ + { + "$ref": "#/parameters/Username" + }, + { + "$ref": "#/parameters/Cursor" + }, + { + "$ref": "#/parameters/Since" + }, + { + "$ref": "#/parameters/Until" + }, + { + "$ref": "#/parameters/Since_Modification_Date" + }, + { + "$ref": "#/parameters/Until_Modification_Date" + }, + { + "$ref": "#/parameters/Severity" + }, + { + "$ref": "#/parameters/Source_Id" + }, + { + "$ref": "#/parameters/Salt" + } + ] + } + }, + "/breach/data/watchlist": { + "get": { + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "responses": { + "200": { + "description": "success", + "schema": { + "$ref": "#/definitions/Breach_Data_By_Watchlist_Schema" + } + } + }, + "summary": "Get Breach Data for Entire Watchlist", + "description": "Get Breach Data for Entire Watchlist.", + "operationId": "[[variables('_operationId-Breach_Data_Watchlist')]", + "parameters": [ + { + "$ref": "#/parameters/Type" + }, + { + "$ref": "#/parameters/Watchlist_Type" + }, + { + "$ref": "#/parameters/Cursor" + }, + { + "$ref": "#/parameters/Since" + }, + { + "$ref": "#/parameters/Until" + }, + { + "$ref": "#/parameters/Since_Modification_Date" + }, + { + "$ref": "#/parameters/Until_Modification_Date" + }, + { + "$ref": "#/parameters/Severity" + }, + { + "$ref": "#/parameters/Source_Id" + }, + { + "$ref": "#/parameters/Salt" + } + ] + } + }, + "/compass/devices": { + "get": { + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "responses": { + "200": { + "description": "success", + "schema": { + "$ref": "#/definitions/Compass_Devices_List_Schema" + } + } + }, + "summary": "Get Compass Devices List", + "description": "Get Compass Devices List.", + "operationId": "[[variables('_operationId-Compass_Devices_List')]", + "parameters": [ + { + "$ref": "#/parameters/Source_Id" + }, + { + "$ref": "#/parameters/Since" + }, + { + "$ref": "#/parameters/Until" + }, + { + "$ref": "#/parameters/Since_Infected" + }, + { + "$ref": "#/parameters/Until_Infected" + } + ] + } + }, + "/compass/data/devices/{infected_machine_id}": { + "get": { + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "responses": { + "200": { + "description": "success", + "schema": { + "$ref": "#/definitions/Compass_Devices_Data_Schema" + } + } + }, + "summary": "Get Compass Devices Data", + "description": "Get Compass Devices Data.", + "operationId": "[[variables('_operationId-Compass_Devices_Data')]", + "parameters": [ + { + "$ref": "#/parameters/Infected_Machine_Id" + }, + { + "$ref": "#/parameters/Cursor" + }, + { + "$ref": "#/parameters/Salt" + } + ] + } + }, + "/compass/data/applications/{target_application}": { + "get": { + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "responses": { + "200": { + "description": "success", + "schema": { + "$ref": "#/definitions/Compass_Applications_Data_Schema" + } + } + }, + "summary": "Get Compass Applications Data", + "description": "Get Compass Applications Data.", + "operationId": "[[variables('_operationId-Compass_Applications_Data')]", + "parameters": [ + { + "$ref": "#/parameters/Target_Application" + }, + { + "$ref": "#/parameters/Source_Id" + }, + { + "$ref": "#/parameters/Since" + }, + { + "$ref": "#/parameters/Until" + }, + { + "$ref": "#/parameters/Salt" + } + ] + } + }, + "/compass/data": { + "get": { + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "responses": { + "200": { + "description": "success", + "schema": { + "$ref": "#/definitions/Compass_Applications_Data_Schema" + } + } + }, + "summary": "Get Compass Data", + "description": "Get Compass Data.", + "operationId": "[[variables('_operationId-Compass_Data')]", + "parameters": [ + { + "$ref": "#/parameters/Source_Id" + }, + { + "$ref": "#/parameters/Since" + }, + { + "$ref": "#/parameters/Until" + }, + { + "$ref": "#/parameters/Since_Infected" + }, + { + "$ref": "#/parameters/Until_Infected" + }, + { + "$ref": "#/parameters/Compass_Type" + }, + { + "$ref": "#/parameters/Cursor" + }, + { + "$ref": "#/parameters/Salt" + } + ] + } + } + }, + "x-ms-connector-metadata": [ + { + "propertyName": "Website", + "propertyValue": "http://www.spycloud.com/" + }, + { + "propertyName": "Privacy policy", + "propertyValue": "https://www.spycloud.com/company/privacy-policy/" + }, + { + "propertyName": "Categories", + "propertyValue": "Security;Website" + } + ], + "definitions": { + "Breach_Catalog_Schema": { + "type": "object", + "properties": { + "cursor": { + "type": "string", + "description": "cursor", + "title": "Cursor" + }, + "hits": { + "type": "number", + "description": "hits", + "title": "Hits" + }, + "results": { + "type": "array", + "items": { + "type": "object", + "properties": { + "title": { + "type": "string", + "description": "Breach title. For each ingested breach our security research team documents a breach title. This is only available when we can disclose the breach details, otherwise it will have a generic title.", + "title": "Title" + }, + "spycloud_publish_date": { + "type": "string", + "description": "The date on which we ingested the breached data into our systems. This is the same date on which the data becomes publicly available to our customers.", + "title": "Spycloud Publish Date" + }, + "description": { + "type": "string", + "description": "Breach description. For each ingested breach our security research team documents a breach description. This is only available when we can disclose the breach details, otherwise it will have a generic description.", + "title": "Description" + }, + "site_description": { + "type": "string", + "description": "Description of the breached organization, when available.", + "title": "Site Description" + }, + "site": { + "type": "string", + "description": "Website of breached organization, when available.", + "title": "Site" + }, + "confidence": { + "type": "number", + "description": "Numerical score representing the confidence in the source of the breach.", + "title": "Confidence" + }, + "id": { + "type": "number", + "description": "Numerical breach ID. This number correlates to source_id data point found in breach records.", + "title": "Id" + }, + "premium_flag": { + "type": "string", + "description": "premium flag.", + "title": "Premium Flag" + }, + "acquisition_date": { + "type": "string", + "description": "The date on which our security research team first acquired the breached data.", + "title": "Acquisition Date" + }, + "uuid": { + "type": "string", + "description": "UUID v4 encoded version of breach ID. This is relevant for users of Firehose, where each deliverable (records file) is named using the breach UUID.", + "title": "UUID" + }, + "type": { + "type": "string", + "description": "Denotes if a breach is considered public or private. A public breach is one that is easily found on the internet, while a private breach is often exclusive to SpyCloud.", + "title": "Type" + }, + "num_records": { + "type": "number", + "description": "Number of records we parsed and ingested from this particular breach. This is after parsing, normalization and deduplication take place.", + "title": "Number of Records" + }, + "assets": { + "type": "object", + "properties": { + "target_url": { + "type": "string", + "description": "URL extracted from Botnet data. This is the URL that is captured from a key logger installed on an infected user's system.", + "title": "Target Url" + }, + "av_softwares": { + "type": "number", + "description": "List of AV software found installed on the infected user's system.", + "title": "AV Softwares" + }, + "infected_time": { + "type": "number", + "description": "The time at which the user's system was infected with malicious software.", + "title": "Infected Time" + }, + "infected_machine_id": { + "type": "number", + "description": "The unique id of the infected user's system.", + "title": "Infected Machine Id" + }, + "country_code": { + "type": "number", + "description": "Country code; derived from country.", + "title": "Country Code" + }, + "ip_addresses": { + "type": "string", + "description": "List of one or more IP addresses in alphanumeric format. Both IPV4 and IPv6 addresses are supported.", + "title": "IP Addresses" + }, + "user_browser": { + "type": "string", + "description": "Browser name.", + "title": "User Browser" + }, + "user_sys_registered_owner": { + "type": "string", + "description": "System registered owner name. This usually comes from Botnet data.", + "title": "User System Registered Owner" + }, + "keyboard_languages": { + "type": "string", + "description": "The keyboard language found in the OS. This usually comes from Botnet data.", + "title": "Keyboard Languages" + }, + "user_hostname": { + "type": "string", + "description": "System hostname. This usually comes from Botnet data.", + "title": "User Hostname" + }, + "password": { + "type": "string", + "description": "Account password.", + "title": "Password" + }, + "email": { + "type": "string", + "description": "Email address.", + "title": "Password" + }, + "user_os": { + "type": "string", + "description": "System OS name. This usually comes from Botnet data.", + "title": "User OS" + }, + "country": { + "type": "string", + "description": "Country name.", + "title": "Country" + }, + "username": { + "type": "string", + "description": "Username.", + "title": "Username" + }, + "infected_path": { + "type": "string", + "description": "The local path to the malicious software installed on the infected user's system.", + "title": "Infected Path" + } + } + } + }, + "description": "Catalog Breach Results Object" + } + } + }, + "description": "Catalog Breach Data Response" + }, + "Breach_Data_By_Domain_Schema": { + "type": "object", + "properties": { + "cursor": { + "type": "string", + "description": "cursor", + "title": "Cursor" + }, + "hits": { + "type": "number", + "description": "hits", + "title": "Hits" + }, + "results": { + "type": "array", + "items": { + "type": "object", + "properties": { + "source_id": { + "type": "number", + "description": "Numerical breach ID. This correlates directly with the id field in Breach Catalog objects.", + "title": "Source ID" + }, + "email": { + "type": "string", + "description": "Email address.", + "title": "Email Address." + }, + "full_name": { + "type": "string", + "description": "Full name.", + "title": "Full Name" + }, + "spycloud_publish_date": { + "type": "string", + "description": "The date on which we ingested the breached data into our systems. This is the same date on which the data becomes publicly available to our customers.", + "title": "Spycloud Publish Date" + }, + "email_domain": { + "type": "string", + "description": "Domain extracted from 'email_address' field. This is not a SLD, but everything after the '@' symbol.", + "title": "Email Domain" + }, + "email_username": { + "type": "string", + "description": "Username extracted from 'email' field. This is everything before the '@' symbol.", + "title": "Email Username" + }, + "severity": { + "type": "number", + "description": "Severity is a numeric code representing severity of a breach record. This can be used in API requests to ensure only Breach Records with plaintext password are returned.", + "title": "Severity" + }, + "document_id": { + "type": "string", + "description": "UUID v4 string which uniquely identifies this breach record in our data set.", + "title": "Document ID" + } + } + }, + "description": "Domain Breach Results Object" + } + }, + "description": "Domain Breach Data Response" + }, + "Breach_Data_By_Email_Schema": { + "type": "object", + "properties": { + "cursor": { + "type": "string", + "description": "cursor", + "title": "Cursor" + }, + "hits": { + "type": "number", + "description": "hits", + "title": "Hits" + }, + "results": { + "type": "array", + "items": { + "type": "object", + "properties": { + "email": { + "type": "string", + "description": "Email address.", + "title": "Email Address." + }, + "username": { + "type": "string", + "description": "User name.", + "title": "Username" + }, + "password": { + "type": "string", + "description": "Account password.", + "title": "Password" + }, + "password_plaintext": { + "type": "string", + "description": "The cracked, plaintext version of the password (where the password is crackable).", + "title": "Password Plaintext" + }, + "password_type": { + "type": "string", + "description": "Password type for original password as found in the data breach. This will either be plaintext or one of the many password hash/encryption types (SHA1, MD5, 3DES, etc).", + "title": "Password Type" + }, + "target_url": { + "type": "string", + "description": "URL extracted from Botnet data. This is the URL that is captured from a key logger installed on an infected user's system.", + "title": "Target URL" + }, + "user_browser": { + "type": "string", + "description": "Browser name.", + "title": "User Browser" + }, + "ip_addresses": { + "type": "string", + "description": "List of one or more IP addresses in alphanumeric format. Both IPV4 and IPv6 addresses are supported.", + "title": "IP Addressess" + }, + "infected_machine_id": { + "type": "string", + "description": "The unique id of the infected user's system.", + "title": "Infected Machine Id" + }, + "infected_path": { + "type": "string", + "description": "The local path to the malicious software installed on the infected user's system.", + "title": "Infected Path" + }, + "infected_time": { + "type": "string", + "description": "The time at which the user's system was infected with malicious software.", + "title": "Infected Time" + }, + "user_sys_domain": { + "type": "string", + "description": "System domain. This usually comes from Botnet data.", + "title": "User System Domain" + }, + "user_hostname": { + "type": "string", + "description": "System hostname. This usually comes from Botnet data.", + "title": "User Hostname" + }, + "user_os": { + "type": "string", + "description": "System OS name. This usually comes from Botnet data.", + "title": "User OS Name" + }, + "user_sys_registered_owner": { + "type": "string", + "description": "System registered owner name. This usually comes from Botnet data.", + "title": "System Registered Owner Name" + }, + "source_id": { + "type": "number", + "description": "Numerical breach ID. This correlates directly with the id field in Breach Catalog objects.", + "title": "Source ID" + }, + "spycloud_publish_date": { + "type": "string", + "description": "The date on which we ingested the breached data into our systems. This is the same date on which the data becomes publicly available to our customers.", + "title": "Spycloud Publish Date" + }, + "email_domain": { + "type": "string", + "description": "Domain extracted from 'email_address' field. This is not a SLD, but everything after the '@' symbol.", + "title": "Email Domain" + }, + "email_username": { + "type": "string", + "description": "Username extracted from 'email' field. This is everything before the '@' symbol.", + "title": "Email Username" + }, + "domain": { + "type": "string", + "description": "Domain name.", + "title": "Domain" + }, + "target_domain": { + "type": "string", + "description": "SLD extracted from 'target_url' field.", + "title": "Target Domain" + }, + "target_subdomain": { + "type": "string", + "description": "Subdomain and SLD extracted from 'target_url' field.", + "title": "Target Sub Domain" + }, + "severity": { + "type": "number", + "description": "Severity is a numeric code representing severity of a breach record. This can be used in API requests to ensure only Breach Records with plaintext password are returned.", + "title": "Severity" + }, + "document_id": { + "type": "string", + "description": "UUID v4 string which uniquely identifies this breach record in our data set.", + "title": "Document ID" + } + } + }, + "description": "Email Breach Results Object" + } + }, + "description": "Email Breach Data Response" + }, + "Breach_Data_By_IP_Schema": { + "type": "object", + "properties": { + "cursor": { + "type": "string", + "description": "cursor", + "title": "Cursor" + }, + "hits": { + "type": "number", + "description": "hits", + "title": "Hits" + }, + "results": { + "type": "array", + "items": { + "type": "object", + "properties": { + "email": { + "type": "string", + "description": "Email address.", + "title": "Email Address." + }, + "username": { + "type": "string", + "description": "User name.", + "title": "Username" + }, + "password": { + "type": "string", + "description": "Account password.", + "title": "Password" + }, + "password_plaintext": { + "type": "string", + "description": "The cracked, plaintext version of the password (where the password is crackable).", + "title": "Password Plaintext" + }, + "password_type": { + "type": "string", + "description": "Password type for original password as found in the data breach. This will either be plaintext or one of the many password hash/encryption types (SHA1, MD5, 3DES, etc).", + "title": "Password Type" + }, + "target_url": { + "type": "string", + "description": "URL extracted from Botnet data. This is the URL that is captured from a key logger installed on an infected user's system.", + "title": "Target URL" + }, + "user_browser": { + "type": "string", + "description": "Browser name.", + "title": "User Browser" + }, + "ip_addresses": { + "type": "string", + "description": "List of one or more IP addresses in alphanumeric format. Both IPV4 and IPv6 addresses are supported.", + "title": "IP Addressess" + }, + "infected_machine_id": { + "type": "string", + "description": "The unique id of the infected user's system.", + "title": "Infected Machine Id" + }, + "infected_path": { + "type": "string", + "description": "The local path to the malicious software installed on the infected user's system.", + "title": "Infected Path" + }, + "infected_time": { + "type": "string", + "description": "The time at which the user's system was infected with malicious software.", + "title": "Infected Time" + }, + "user_sys_domain": { + "type": "string", + "description": "System domain. This usually comes from Botnet data.", + "title": "User System Domain" + }, + "user_hostname": { + "type": "string", + "description": "System hostname. This usually comes from Botnet data.", + "title": "User Hostname" + }, + "user_os": { + "type": "string", + "description": "System OS name. This usually comes from Botnet data.", + "title": "User OS Name" + }, + "user_sys_registered_owner": { + "type": "string", + "description": "System registered owner name. This usually comes from Botnet data.", + "title": "System Registered Owner Name" + }, + "source_id": { + "type": "number", + "description": "Numerical breach ID. This correlates directly with the id field in Breach Catalog objects.", + "title": "Source ID" + }, + "spycloud_publish_date": { + "type": "string", + "description": "The date on which we ingested the breached data into our systems. This is the same date on which the data becomes publicly available to our customers.", + "title": "Spycloud Publish Date" + }, + "email_domain": { + "type": "string", + "description": "Domain extracted from 'email_address' field. This is not a SLD, but everything after the '@' symbol.", + "title": "Email Domain" + }, + "email_username": { + "type": "string", + "description": "Username extracted from 'email' field. This is everything before the '@' symbol.", + "title": "Email Username" + }, + "domain": { + "type": "string", + "description": "Domain name.", + "title": "Domain" + }, + "target_domain": { + "type": "string", + "description": "SLD extracted from 'target_url' field.", + "title": "Target Domain" + }, + "target_subdomain": { + "type": "string", + "description": "Subdomain and SLD extracted from 'target_url' field.", + "title": "Target Sub Domain" + }, + "severity": { + "type": "number", + "description": "Severity is a numeric code representing severity of a breach record. This can be used in API requests to ensure only Breach Records with plaintext password are returned.", + "title": "Severity" + }, + "document_id": { + "type": "string", + "description": "UUID v4 string which uniquely identifies this breach record in our data set.", + "title": "Document ID" + } + } + }, + "description": "IP Address Breach Results Object" + } + }, + "description": "IP Address Breach Data Response" + }, + "Breach_Data_By_Password_Schema": { + "type": "object", + "properties": { + "cursor": { + "type": "string", + "description": "cursor", + "title": "Cursor" + }, + "hits": { + "type": "number", + "description": "hits", + "title": "Hits" + }, + "results": { + "type": "array", + "items": { + "type": "object", + "properties": { + "source_id": { + "type": "number", + "description": "Numerical breach ID. This correlates directly with the id field in Breach Catalog objects.", + "title": "Source ID" + }, + "email": { + "type": "string", + "description": "Email address.", + "title": "Email Address." + }, + "password": { + "type": "string", + "description": "Account password.", + "title": "Password" + }, + "password_type": { + "type": "string", + "description": "Password type for original password as found in the data breach. This will either be plaintext or one of the many password hash/encryption types (SHA1, MD5, 3DES, etc).", + "title": "Password Type" + }, + "full_name": { + "type": "string", + "description": "Full name.", + "title": "Full Name" + }, + "spycloud_publish_date": { + "type": "string", + "description": "The date on which we ingested the breached data into our systems. This is the same date on which the data becomes publicly available to our customers.", + "title": "Spycloud Publish Date" + }, + "email_domain": { + "type": "string", + "description": "Domain extracted from 'email_address' field. This is not a SLD, but everything after the '@' symbol.", + "title": "Email Domain" + }, + "email_username": { + "type": "string", + "description": "Username extracted from 'email' field. This is everything before the '@' symbol.", + "title": "Email Username" + }, + "domain": { + "type": "string", + "description": "Domain name.", + "title": "Domain" + }, + "password_plaintext": { + "type": "string", + "description": "The cracked, plaintext version of the password (where the password is crackable).", + "title": "Password Plain Text" + }, + "severity": { + "type": "number", + "description": "Severity is a numeric code representing severity of a breach record. This can be used in API requests to ensure only Breach Records with plaintext password are returned.", + "title": "Severity" + }, + "document_id": { + "type": "string", + "description": "UUID v4 string which uniquely identifies this breach record in our data set.", + "title": "Document ID" + } + } + }, + "description": "Password Breach Results Object" + } + }, + "description": "Password Breach Data Response" + }, + "Breach_Data_By_Username_Schema": { + "type": "object", + "properties": { + "cursor": { + "type": "string", + "description": "cursor", + "title": "Cursor" + }, + "hits": { + "type": "number", + "description": "hits", + "title": "Hits" + }, + "results": { + "type": "array", + "items": { + "type": "object", + "properties": { + "email": { + "type": "string", + "description": "Email address.", + "title": "Email Address." + }, + "username": { + "type": "string", + "description": "User name.", + "title": "Username" + }, + "password": { + "type": "string", + "description": "Account password.", + "title": "Password" + }, + "password_plaintext": { + "type": "string", + "description": "The cracked, plaintext version of the password (where the password is crackable).", + "title": "Password Plaintext" + }, + "password_type": { + "type": "string", + "description": "Password type for original password as found in the data breach. This will either be plaintext or one of the many password hash/encryption types (SHA1, MD5, 3DES, etc).", + "title": "Password Type" + }, + "target_url": { + "type": "string", + "description": "URL extracted from Botnet data. This is the URL that is captured from a key logger installed on an infected user's system.", + "title": "Target URL" + }, + "user_browser": { + "type": "string", + "description": "Browser name.", + "title": "User Browser" + }, + "ip_addresses": { + "type": "string", + "description": "List of one or more IP addresses in alphanumeric format. Both IPV4 and IPv6 addresses are supported.", + "title": "IP Addressess" + }, + "infected_machine_id": { + "type": "string", + "description": "The unique id of the infected user's system.", + "title": "Infected Machine Id" + }, + "infected_path": { + "type": "string", + "description": "The local path to the malicious software installed on the infected user's system.", + "title": "Infected Path" + }, + "infected_time": { + "type": "string", + "description": "The time at which the user's system was infected with malicious software.", + "title": "Infected Time" + }, + "user_sys_domain": { + "type": "string", + "description": "System domain. This usually comes from Botnet data.", + "title": "User System Domain" + }, + "user_hostname": { + "type": "string", + "description": "System hostname. This usually comes from Botnet data.", + "title": "User Hostname" + }, + "user_os": { + "type": "string", + "description": "System OS name. This usually comes from Botnet data.", + "title": "User OS Name" + }, + "user_sys_registered_owner": { + "type": "string", + "description": "System registered owner name. This usually comes from Botnet data.", + "title": "System Registered Owner Name" + }, + "source_id": { + "type": "number", + "description": "Numerical breach ID. This correlates directly with the id field in Breach Catalog objects.", + "title": "Source ID" + }, + "spycloud_publish_date": { + "type": "string", + "description": "The date on which we ingested the breached data into our systems. This is the same date on which the data becomes publicly available to our customers.", + "title": "Spycloud Publish Date" + }, + "email_domain": { + "type": "string", + "description": "Domain extracted from 'email_address' field. This is not a SLD, but everything after the '@' symbol.", + "title": "Email Domain" + }, + "email_username": { + "type": "string", + "description": "Username extracted from 'email' field. This is everything before the '@' symbol.", + "title": "Email Username" + }, + "domain": { + "type": "string", + "description": "Domain name.", + "title": "Domain" + }, + "target_domain": { + "type": "string", + "description": "SLD extracted from 'target_url' field.", + "title": "Target Domain" + }, + "target_subdomain": { + "type": "string", + "description": "Subdomain and SLD extracted from 'target_url' field.", + "title": "Target Sub Domain" + }, + "severity": { + "type": "number", + "description": "Severity is a numeric code representing severity of a breach record. This can be used in API requests to ensure only Breach Records with plaintext password are returned.", + "title": "Severity" + }, + "document_id": { + "type": "string", + "description": "UUID v4 string which uniquely identifies this breach record in our data set.", + "title": "Document ID" + } + } + }, + "description": "Username Breach Results Object" + } + }, + "description": "Username Breach Data Response" + }, + "Breach_Data_By_Watchlist_Schema": { + "type": "object", + "properties": { + "cursor": { + "type": "string", + "description": "cursor", + "title": "Cursor" + }, + "hits": { + "type": "number", + "description": "hits", + "title": "Hits" + }, + "results": { + "type": "array", + "items": { + "type": "object", + "properties": { + "username": { + "type": "string", + "description": "User name.", + "title": "Username" + }, + "password": { + "type": "string", + "description": "Account password.", + "title": "Password" + }, + "password_plaintext": { + "type": "string", + "description": "The cracked, plaintext version of the password (where the password is crackable).", + "title": "Password Plaintext" + }, + "password_type": { + "type": "string", + "description": "Password type for original password as found in the data breach. This will either be plaintext or one of the many password hash/encryption types (SHA1, MD5, 3DES, etc).", + "title": "Password Type" + }, + "target_url": { + "type": "string", + "description": "URL extracted from Botnet data. This is the URL that is captured from a key logger installed on an infected user's system.", + "title": "Target URL" + }, + "user_browser": { + "type": "string", + "description": "Browser name.", + "title": "User Browser" + }, + "ip_addresses": { + "type": "string", + "description": "List of one or more IP addresses in alphanumeric format. Both IPV4 and IPv6 addresses are supported.", + "title": "IP Addressess" + }, + "infected_machine_id": { + "type": "string", + "description": "The unique id of the infected user's system.", + "title": "Infected Machine Id" + }, + "infected_path": { + "type": "string", + "description": "The local path to the malicious software installed on the infected user's system.", + "title": "Infected Path" + }, + "infected_time": { + "type": "string", + "description": "The time at which the user's system was infected with malicious software.", + "title": "Infected Time" + }, + "user_sys_domain": { + "type": "string", + "description": "System domain. This usually comes from Botnet data.", + "title": "User System Domain" + }, + "user_hostname": { + "type": "string", + "description": "System hostname. This usually comes from Botnet data.", + "title": "User Hostname" + }, + "user_os": { + "type": "string", + "description": "System OS name. This usually comes from Botnet data.", + "title": "User OS Name" + }, + "user_sys_registered_owner": { + "type": "string", + "description": "System registered owner name. This usually comes from Botnet data.", + "title": "System Registered Owner Name" + }, + "source_id": { + "type": "number", + "description": "Numerical breach ID. This correlates directly with the id field in Breach Catalog objects.", + "title": "Source ID" + }, + "spycloud_publish_date": { + "type": "string", + "description": "The date on which we ingested the breached data into our systems. This is the same date on which the data becomes publicly available to our customers.", + "title": "Spycloud Publish Date" + }, + "target_domain": { + "type": "string", + "description": "SLD extracted from 'target_url' field.", + "title": "Target Domain" + }, + "target_subdomain": { + "type": "string", + "description": "Subdomain and SLD extracted from 'target_url' field.", + "title": "Target Sub Domain" + }, + "severity": { + "type": "number", + "description": "Severity is a numeric code representing severity of a breach record. This can be used in API requests to ensure only Breach Records with plaintext password are returned.", + "title": "Severity" + }, + "document_id": { + "type": "string", + "description": "UUID v4 string which uniquely identifies this breach record in our data set.", + "title": "Document ID" + } + } + }, + "description": "Watchlist Breach Results Object" + } + }, + "description": "Watchlist Breach Data Response" + }, + "Compass_Devices_List_Schema": { + "type": "object", + "properties": { + "hits": { + "type": "number", + "description": "hits", + "title": "Hits" + }, + "results": { + "type": "array", + "items": { + "type": "object", + "properties": { + "infected_device_id": { + "type": "string", + "description": "Infected Device Id.", + "title": "Infected Device Id" + }, + "user_hostname": { + "type": "string", + "description": "System hostname. This usually comes from Botnet data.", + "title": "User Hostname" + }, + "user_os": { + "type": "string", + "description": "System OS name. This usually comes from Botnet data.", + "title": "User OS" + }, + "ip_addresses": { + "type": "string", + "description": "List of one or more IP addresses in alphanumeric format. Both IPV4 and IPv6 addresses are supported.", + "title": "IP Addresses" + }, + "source_id": { + "type": "number", + "description": "Numerical breach ID. This correlates directly with the id field in Breach Catalog objects.", + "title": "Source ID" + }, + "spycloud_publish_date": { + "type": "string", + "description": "The date on which we ingested the breached data into our systems. This is the same date on which the data becomes publicly available to our customers.", + "title": "Spycloud Publish Date" + }, + "infected_time": { + "type": "string", + "description": "The time at which the user's system was infected with malicious software.", + "title": "Infected Time" + }, + "application_count": { + "type": "string", + "description": "Application Count.", + "title": "Application Count" + } + } + }, + "description": "Compass Devices List Results Object" + } + }, + "description": "Compass Devices List Data Response" + }, + "Compass_Devices_Data_Schema": { + "type": "object", + "properties": { + "hits": { + "type": "number", + "description": "hits", + "title": "Hits" + }, + "cursor": { + "type": "string", + "description": "Token used for iterating through multiple pages of results.", + "title": "Cursor" + }, + "results": { + "type": "array", + "items": { + "type": "object", + "properties": { + "user_browser": { + "type": "string", + "description": "Browser Name.", + "title": "User Browser" + }, + "password": { + "type": "string", + "description": "Account password.", + "title": "Password" + }, + "document_id": { + "type": "string", + "description": "UUID v4 string which uniquely identifies this breach record in our data set.", + "title": "Document Id" + }, + "source_id": { + "type": "string", + "description": "Numerical breach ID. This correlates directly with the id field in Breach Catalog objects.", + "title": "Source Id" + }, + "email": { + "type": "string", + "description": "Email address.", + "title": "Email" + }, + "ip_addresses": { + "type": "string", + "description": "List of one or more IP addresses in alphanumeric format. Both IPV4 and IPv6 addresses are supported.", + "title": "IP Addresses" + }, + "country": { + "type": "string", + "description": "Country name.", + "title": "Country" + }, + "infected_machine_id": { + "type": "string", + "description": "The unique id of the infected user's system.", + "title": "Infected Machine Id" + }, + "infected_path": { + "type": "string", + "description": "The local path to the malicious software installed on the infected user's system.", + "title": "Infected Path" + }, + "user_os": { + "type": "string", + "description": "System OS name. This usually comes from Botnet data.", + "title": "USer OS" + }, + "user_hostname": { + "type": "string", + "description": "System hostname. This usually comes from Botnet data.", + "title": "User Hostname" + }, + "user_sys_registered_owner": { + "type": "string", + "description": "System registered owner name. This usually comes from Botnet data.", + "title": "User System Registered Owner" + }, + "keyboard_languages": { + "type": "string", + "description": "The keyboard language found in the OS. This usually comes from Botnet data.", + "title": "Keyboard Languages" + }, + "target_url": { + "type": "string", + "description": "URL extracted from Botnet data. This is the URL that is captured from a key logger installed on an infected user's system.", + "title": "Target URL" + }, + "infected_time": { + "type": "string", + "description": "The time at which the user's system was infected with malicious software.", + "title": "Infected Time" + }, + "spycloud_publish_date": { + "type": "string", + "description": "The date on which this record was ingested into our systems. In ISO 8601 datetime format. This correlates with spycloud_publish_date field in Breach Catalog objects.", + "title": "Spycloud Publish Date" + }, + "email_domain": { + "type": "string", + "description": "Domain extracted from 'email_address' field. This is not a SLD, but everything after the '@' symbol.", + "title": "Email Domain" + }, + "email_username": { + "type": "string", + "description": "Username extracted from 'email' field. This is everything before the '@' symbol.", + "title": "Email Username" + }, + "domain": { + "type": "string", + "description": "Domain name.", + "title": "Domain" + }, + "target_domain": { + "type": "string", + "description": "SLD extracted from 'target_url' field.", + "title": "Target Domain" + }, + "target_subdomain": { + "type": "string", + "description": "Subdomain and SLD extracted from 'target_url' field.", + "title": "Target Subdomain" + }, + "password_type": { + "type": "string", + "description": "Password type for original password as found in the data breach. This will either be plaintext or one of the many password hash/encryption types (SHA1, MD5, 3DES, etc).", + "title": "PAssword Type" + }, + "password_plaintext": { + "type": "string", + "description": "The cracked, plaintext version of the password (where the password is crackable).", + "title": "Password Plaintext" + }, + "country_code": { + "type": "string", + "description": "Country code; derived from country.", + "title": "Country Code" + }, + "severity": { + "type": "string", + "description": "Severity is a numeric code representing severity of a breach record. This can be used in API requests to ensure only Breach Records with plaintext password are returned.", + "title": "Severity" + } + } + }, + "description": "Compass Devices Data Results Object" + } + }, + "description": "Compass Devices Data Response" + }, + "Compass_Applications_Data_Schema": { + "type": "object", + "properties": { + "hits": { + "type": "number", + "description": "hits", + "title": "Hits" + }, + "cursor": { + "type": "string", + "description": "Token used for iterating through multiple pages of results.", + "title": "Cursor" + }, + "results": { + "type": "array", + "items": { + "type": "object", + "properties": { + "user_browser": { + "type": "string", + "description": "Browser Name.", + "title": "User Browser" + }, + "password": { + "type": "string", + "description": "Account password.", + "title": "Password" + }, + "document_id": { + "type": "string", + "description": "UUID v4 string which uniquely identifies this breach record in our data set.", + "title": "Document Id" + }, + "source_id": { + "type": "string", + "description": "Numerical breach ID. This correlates directly with the id field in Breach Catalog objects.", + "title": "Source Id" + }, + "email": { + "type": "string", + "description": "Email address.", + "title": "Email" + }, + "ip_addresses": { + "type": "string", + "description": "List of one or more IP addresses in alphanumeric format. Both IPV4 and IPv6 addresses are supported.", + "title": "IP Addresses" + }, + "country": { + "type": "string", + "description": "Country name.", + "title": "Country" + }, + "infected_machine_id": { + "type": "string", + "description": "The unique id of the infected user's system.", + "title": "Infected Machine Id" + }, + "infected_path": { + "type": "string", + "description": "The local path to the malicious software installed on the infected user's system.", + "title": "Infected Path" + }, + "user_os": { + "type": "string", + "description": "System OS name. This usually comes from Botnet data.", + "title": "USer OS" + }, + "user_hostname": { + "type": "string", + "description": "System hostname. This usually comes from Botnet data.", + "title": "User Hostname" + }, + "user_sys_registered_owner": { + "type": "string", + "description": "System registered owner name. This usually comes from Botnet data.", + "title": "User System Registered Owner" + }, + "keyboard_languages": { + "type": "string", + "description": "The keyboard language found in the OS. This usually comes from Botnet data.", + "title": "Keyboard Languages" + }, + "target_url": { + "type": "string", + "description": "URL extracted from Botnet data. This is the URL that is captured from a key logger installed on an infected user's system.", + "title": "Target URL" + }, + "infected_time": { + "type": "string", + "description": "The time at which the user's system was infected with malicious software.", + "title": "Infected Time" + }, + "spycloud_publish_date": { + "type": "string", + "description": "The date on which this record was ingested into our systems. In ISO 8601 datetime format. This correlates with spycloud_publish_date field in Breach Catalog objects.", + "title": "Spycloud Publish Date" + }, + "email_domain": { + "type": "string", + "description": "Domain extracted from 'email_address' field. This is not a SLD, but everything after the '@' symbol.", + "title": "Email Domain" + }, + "email_username": { + "type": "string", + "description": "Username extracted from 'email' field. This is everything before the '@' symbol.", + "title": "Email Username" + }, + "domain": { + "type": "string", + "description": "Domain name.", + "title": "Domain" + }, + "target_domain": { + "type": "string", + "description": "SLD extracted from 'target_url' field.", + "title": "Target Domain" + }, + "target_subdomain": { + "type": "string", + "description": "Subdomain and SLD extracted from 'target_url' field.", + "title": "Target Subdomain" + }, + "password_type": { + "type": "string", + "description": "Password type for original password as found in the data breach. This will either be plaintext or one of the many password hash/encryption types (SHA1, MD5, 3DES, etc).", + "title": "PAssword Type" + }, + "password_plaintext": { + "type": "string", + "description": "The cracked, plaintext version of the password (where the password is crackable).", + "title": "Password Plaintext" + }, + "country_code": { + "type": "string", + "description": "Country code; derived from country.", + "title": "Country Code" + }, + "severity": { + "type": "string", + "description": "Severity is a numeric code representing severity of a breach record. This can be used in API requests to ensure only Breach Records with plaintext password are returned.", + "title": "Severity" + } + } + }, + "description": "Compass Application Data Results Object" + } + }, + "description": "Compass Application Data Response" + } + }, + "parameters": { + "Infected_Machine_Id": { + "name": "infected_machine_id", + "in": "path", + "required": true, + "type": "string", + "description": "One or more comma delimited Infected Machine ID to search for compass breach records.", + "x-ms-summary": "Infected Machine Id" + }, + "Target_Application": { + "name": "target_application", + "in": "path", + "required": true, + "type": "string", + "description": "One or more comma delimited Compass target application (subdomain or domain) to search for.", + "x-ms-summary": "Target Application" + }, + "ID": { + "name": "id", + "in": "path", + "required": true, + "type": "string", + "description": "Numerical ID of the breach. Both integer and UUIDv4 ID formats are supported. You may also use a comma delimiter to request more than one breach at a time.", + "x-ms-summary": "ID" + }, + "Domain": { + "name": "domain", + "in": "path", + "required": true, + "type": "string", + "description": "Domain or Subdomain name to search for.", + "x-ms-summary": "Domain" + }, + "Email": { + "name": "email", + "in": "path", + "required": true, + "type": "string", + "description": "Email address to search for.", + "x-ms-summary": "Email Address" + }, + "IP": { + "name": "ip", + "in": "path", + "required": true, + "type": "string", + "description": "IP address or network CIDR notation to search for. For CIDR notation, use an underscore instead of a slash.", + "x-ms-summary": "IP Address" + }, + "Password": { + "name": "password", + "in": "path", + "required": true, + "type": "string", + "description": "Password you wish to search for.", + "x-ms-summary": "Password" + }, + "Username": { + "name": "username", + "in": "path", + "required": true, + "type": "string", + "description": "Username you wish to search for.", + "x-ms-summary": "Username" + }, + "Query": { + "name": "query", + "in": "query", + "required": false, + "type": "string", + "description": "Query value to search the breach catalog for.", + "x-ms-summary": "Query" + }, + "Type": { + "name": "type", + "in": "query", + "required": false, + "type": "string", + "description": "This parameter lets you filter results by several types. The allowed values are 'corporate' for corporate records, and 'infected' for infected user records, email_domain to just match against email domains, and target_domain to just match against target domains or subdomains. If no value has been provided the API function will, by default, return all record types.", + "x-ms-summary": "Type", + "enum": [ + "corporate", + "infected", + "email_domain", + "target_domain" + ] + }, + "Compass_Type": { + "name": "type", + "in": "query", + "required": false, + "type": "string", + "description": "This parameter will return records that are verified or unverified, meaning those that matched the watchlist or not. By default if type is not used, both types will be returned.", + "x-ms-summary": "Type", + "enum": [ + "verified", + "unverified" + ] + }, + "Watchlist_Type": { + "name": "watchlist_type", + "in": "query", + "required": false, + "type": "string", + "description": "This parameters lets you filter results for only emails or only domains on your watchlist. The allowed values are: ['email', 'domain', 'subdomain', 'ip']. If no value has been provided, the API will return all watchlist types.", + "x-ms-summary": "Watchlist Type", + "enum": [ + "email", + "domain", + "subdomain", + "ip" + ] + }, + "Cursor": { + "name": "cursor", + "in": "query", + "required": false, + "type": "string", + "description": "Token used for iterating through multiple pages of results.", + "x-ms-summary": "Cursor" + }, + "Since": { + "name": "since", + "in": "query", + "required": false, + "type": "string", + "description": "This parameter allows you to define the starting point for a date range query on the spycloud_publish_date field.", + "x-ms-summary": "Since(YYYY-MM-DD)" + }, + "Until": { + "name": "until", + "in": "query", + "required": false, + "type": "string", + "description": "This parameter allows you to define the ending point for a date range query on the spycloud_publish_date field.", + "x-ms-summary": "Until(YYYY-MM-DD)" + }, + "Since_Modification_Date": { + "name": "since_modification_date", + "in": "query", + "required": false, + "type": "string", + "description": "This parameter allows you to define the starting point for a date range query on the when an already published record was modified (record_modification_date).", + "x-ms-summary": "Since Modification Date(YYYY-MM-DD)" + }, + "Until_Modification_Date": { + "name": "until_modification_date", + "in": "query", + "required": false, + "type": "string", + "description": "This parameter allows you to define the ending point for a date range query on the when an already published record was modified (record_modification_date).", + "x-ms-summary": "Until Modification Date(YYYY-MM-DD)" + }, + "Severity": { + "name": "severity", + "in": "query", + "required": false, + "type": "string", + "description": "This parameter allows you to filter based on the numeric severity code.", + "x-ms-summary": "Severity" + }, + "Source_Id": { + "name": "source_id", + "in": "query", + "required": false, + "type": "number", + "description": "This parameter allows you to filter based on a particular breach source.", + "x-ms-summary": "Source Id" + }, + "Salt": { + "name": "salt", + "in": "query", + "required": false, + "type": "string", + "description": "If hashing is enabled for your API key, you have the option to provide a 10 to 24 character, high entropy salt otherwise the pre-configured salt will be used.", + "x-ms-summary": "Salt" + }, + "Since_Infected": { + "name": "since_infected", + "in": "query", + "required": false, + "type": "string", + "description": "This parameter allows you to define the starting point for a date range query on the infected_time..", + "x-ms-summary": "Since Infected(YYYY-MM-DD)" + }, + "Until_Infected": { + "name": "until_infected", + "in": "query", + "required": false, + "type": "string", + "description": "This parameter allows you to define the ending point for a date range query on the infected_time field.", + "x-ms-summary": "Until Infected(YYYY-MM-DD)" + } + }, + "securityDefinitions": { + "API Key": { + "type": "apiKey", + "in": "header", + "name": "X-API-Key" + } + }, + "security": [ + { + "API Key": "[variables('TemplateEmptyArray')]" + } + ], + "tags": "[variables('TemplateEmptyArray')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[[concat(variables('workspace-name'),'/Microsoft.SecurityInsights/',concat('LogicAppsCustomConnector-', last(split(variables('playbookId1'),'/'))))]", + "properties": { + "parentId": "[[variables('playbookId1')]", + "contentId": "[variables('_playbookContentId1')]", + "kind": "LogicAppsCustomConnector", + "version": "[variables('playbookVersion1')]", + "source": { + "kind": "Solution", + "name": "SpyCloud Enterprise Protection", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "SpyCloud" + }, + "support": { + "name": "Spycloud", + "email": "integrations@spycloud.com", + "tier": "Partner", + "link": "https://portal.spycloud.com" + } + } + } + ], + "metadata": { + "comments": "SpyCloud Enterprise Protection Custom Connector", + "lastUpdateTime": "2023-09-15T15:51:43.853Z", + "releaseNotes": { + "version": "1.0", + "title": "[variables('blanks')]", + "notes": [ + "Initial version" + ] + } + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId1')]", + "contentKind": "LogicAppsCustomConnector", + "displayName": "Custom Connector", + "contentProductId": "[variables('_playbookcontentProductId1')]", + "id": "[variables('_playbookcontentProductId1')]", + "version": "[variables('playbookVersion1')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName2')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "SpyCloud-Breach-Playbook Playbook with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion2')]", + "parameters": { + "PlaybookName": { + "defaultValue": "SpyCloud-Breach-Playbook", + "type": "string", + "metadata": { + "description": "Name of the Logic App/Playbook" + } + } + }, + "variables": { + "AzureSentinelConnectionName": "[[concat('azuresentinel-', parameters('PlaybookName'))]", + "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", + "_connection-1": "[[variables('connection-1')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('AzureSentinelConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('AzureSentinelConnectionName')]", + "parameterValueType": "Alternative", + "api": { + "id": "[[variables('_connection-1')]" + } + } + }, + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2017-07-01", + "name": "[[parameters('PlaybookName')]", + "location": "[[variables('workspace-location-inline')]", + "identity": { + "type": "SystemAssigned" + }, + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]" + ], + "properties": { + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + } + }, + "triggers": { + "Microsoft_Sentinel_incident_2": { + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "path": "/incident-creation" + } + } + }, + "actions": { + "Account_Name": { + "runAfter": { + "Incident_Email_Account": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "account_name", + "type": "string" + } + ] + } + }, + "Astriek_Variable": { + "runAfter": { + "UPN_Suffix_": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "astriek", + "type": "string", + "value": "@" + } + ] + } + }, + "Check_if_the_incident_is_created_by_SpyCloud_Breach": { + "actions": { + "Entities_-_Get_Accounts": { + "type": "ApiConnection", + "inputs": { + "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/entities/account" + } + }, + "For_each_account": { + "foreach": "@body('Entities_-_Get_Accounts')?['Accounts']", + "actions": { + "Set__upn_suffix": { + "runAfter": { + "Set_account_name": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "upn_suffix", + "value": "@items('For_each_account')?['UPNSuffix']" + } + }, + "Set_account_name": { + "type": "SetVariable", + "inputs": { + "name": "account_name", + "value": "@items('For_each_account')?['Name']" + } + }, + "set_email_address": { + "runAfter": { + "Set__upn_suffix": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "incident_email_address", + "value": "@{concat(variables('account_name'),concat(variables('astriek'),variables('upn_suffix')))}" + } + } + }, + "runAfter": { + "Entities_-_Get_Accounts": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "For_each_incident_alert": { + "foreach": "@triggerBody()?['object']?['properties']?['Alerts']", + "actions": { + "Add_comment_to_incident_(V3)": { + "runAfter": { + "Check_if_the_exposed_password_is_in_use_on_the_network": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "
Breach Playbook successful
" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Check_if_password_exists_in_the_incident": { + "actions": { + "Set_Incident_Password": { + "type": "SetVariable", + "inputs": { + "name": "incident_password", + "value": "@{variables('incident_custom_details_object')?['Password']}" + } + }, + "Set_variable": { + "runAfter": { + "Set_Incident_Password": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "incident_plain_text_password", + "value": "@{replace(replace(variables('incident_password'),'[\"',''),'\"]','')}" + } + } + }, + "runAfter": { + "Set_custom_details_object": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@variables('incident_custom_details_object')?['Password']", + "@null" + ] + } + } + ] + }, + "type": "If" + }, + "Check_if_pwd_length_is_greater_than_required_length_by_organization": { + "runAfter": { + "Check_if_password_exists_in_the_incident": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "equals": [ + "", + "" + ] + } + ] + }, + "type": "If" + }, + "Check_if_the_exposed_password_is_in_use_on_the_network": { + "runAfter": { + "Check_if_the_user_is_currently_an_active_employee": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "equals": [ + "", + "" + ] + } + ] + }, + "type": "If" + }, + "Check_if_the_user_is_currently_an_active_employee": { + "runAfter": { + "Check_if_pwd_length_is_greater_than_required_length_by_organization": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "equals": [ + "", + "" + ] + } + ] + }, + "type": "If" + }, + "Set_custom_details_object": { + "type": "SetVariable", + "inputs": { + "name": "incident_custom_details_object", + "value": "@json(items('For_each_incident_alert')?['properties']?['additionalData']?['Custom Details'])" + } + } + }, + "runAfter": { + "For_each_account": [ + "Succeeded" + ] + }, + "type": "Foreach" + } + }, + "runAfter": { + "Incident_Custom_Details_Object": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "equals": [ + "@triggerBody()?['object']?['properties']?['title']", + "@variables('incident_name')" + ] + } + ] + }, + "type": "If" + }, + "IP_address": { + "runAfter": { + "Outputs_Variable": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "ip_address", + "type": "string" + } + ] + } + }, + "Incident_Custom_Details_Object": { + "runAfter": { + "IP_address": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "incident_custom_details_object", + "type": "object" + } + ] + } + }, + "Incident_Email_Account": { + "runAfter": { + "Incident_Plain_Text_Password": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "incident_email_address", + "type": "string" + } + ] + } + }, + "Incident_Name": { + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "incident_name", + "type": "string", + "value": "SpyCloud Enterprise Breach Detection" + } + ] + } + }, + "Incident_Password": { + "runAfter": { + "Incident_Name": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "incident_password", + "type": "string" + } + ] + } + }, + "Incident_Plain_Text_Password": { + "runAfter": { + "Incident_Password": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "incident_plain_text_password", + "type": "string" + } + ] + } + }, + "Outputs_Variable": { + "runAfter": { + "Astriek_Variable": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "password_enrich_data", + "type": "array" + } + ] + } + }, + "UPN_Suffix_": { + "runAfter": { + "Account_Name": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "upn_suffix", + "type": "string" + } + ] + } + } + } + }, + "parameters": { + "$connections": { + "value": { + "azuresentinel": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", + "connectionName": "[[variables('AzureSentinelConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + } + } + } + } + }, + "tags": { + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId2'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId2')]", + "contentId": "[variables('_playbookContentId2')]", + "kind": "Playbook", + "version": "[variables('playbookVersion2')]", + "source": { + "kind": "Solution", + "name": "SpyCloud Enterprise Protection", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "SpyCloud" + }, + "support": { + "name": "Spycloud", + "email": "integrations@spycloud.com", + "tier": "Partner", + "link": "https://portal.spycloud.com" + } + } + } + ], + "metadata": { + "title": "SpyCloud Breach Information - SpyCloud Enterprise", + "description": "This Playbook will be triggered when an spycloud breach incident is created.", + "prerequisites": "SpyCloud Enterprise API Key.", + "postDeployment": [ + "Testing Description " + ], + "lastUpdateTime": "2022-09-05T00:00:00Z", + "entities": [ + "ACCOUNT" + ], + "tags": [ + "Enrichment" + ], + "releaseNotes": { + "version": "1.0", + "title": "[variables('blanks')]", + "notes": [ + "Initial version" + ] + } + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId2')]", + "contentKind": "Playbook", + "displayName": "SpyCloud-Breach-Playbook", + "contentProductId": "[variables('_playbookcontentProductId2')]", + "id": "[variables('_playbookcontentProductId2')]", + "version": "[variables('playbookVersion2')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName3')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "SpyCloud-Get-Domain-Breach-Data-Playbook Playbook with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion3')]", + "parameters": { + "PlaybookName": { + "defaultValue": "SpyCloud-Get-Domain-Breach-Data-Playbook", + "type": "string", + "metadata": { + "description": "Name of the Logic App/Playbook" + } + }, + "SpyCloudConnectorName": { + "defaultValue": "SpyCloud-Enterprise-Protection", + "type": "String", + "metadata": { + "description": "SpyCloud Enterprise custom connector name" + } + } + }, + "variables": { + "SpyCloudEnterpriseConnectionName": "[[concat('spycloudconnector-', parameters('PlaybookName'))]", + "AzureSentinelConnectionName": "[[concat('azuresentinel-', parameters('PlaybookName'))]", + "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", + "_connection-1": "[[variables('connection-1')]", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('SpyCloudConnectorName'))]", + "_connection-2": "[[variables('connection-2')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('AzureSentinelConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('AzureSentinelConnectionName')]", + "parameterValueType": "Alternative", + "api": { + "id": "[[variables('_connection-1')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('SpyCloudEnterpriseConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "properties": { + "displayName": "[[variables('SpyCloudEnterpriseConnectionName')]", + "api": { + "id": "[[variables('_connection-2')]" + } + } + }, + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2017-07-01", + "name": "[[parameters('PlaybookName')]", + "location": "[[variables('workspace-location-inline')]", + "identity": { + "type": "SystemAssigned" + }, + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('SpyCloudEnterpriseConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]" + ], + "properties": { + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + } + }, + "triggers": { + "Microsoft_Sentinel_incident_2": { + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "path": "/incident-creation" + } + } + }, + "actions": { + "Entities_-_Get_DNS": { + "runAfter": { + "IP_address": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/entities/dnsresolution" + } + }, + "For_Each_Incident_DNS_Domain": { + "foreach": "@body('Entities_-_Get_DNS')?['Dnsresolutions']", + "actions": { + "Check_if_records_exists": { + "actions": { + "Add_comment_to_incident_(V3)": { + "runAfter": { + "Check_number_of_Records": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "SpyCloud Breach Data for Domain @{items('For_Each_Incident_DNS_Domain')?['DomainName']}@{body('Create_HTML_table')}@{variables('more_records_display_text')}
" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Check_number_of_Records": { + "actions": { + "set_more_records_display_text": { + "type": "SetVariable", + "inputs": { + "name": "more_records_display_text", + "value": "Showing @{variables('min_records')} records out of @{variables('total_records')} records, for more information visit https://portal.spycloud.com/" + } + } + }, + "runAfter": { + "Create_HTML_table": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "greater": [ + "@variables('total_records')", + "@variables('min_records')" + ] + } + ] + }, + "type": "If" + }, + "Create_HTML_table": { + "runAfter": { + "For_each_response": [ + "Succeeded" + ] + }, + "type": "Table", + "inputs": { + "format": "HTML", + "from": "@variables('domain_breach_data_array')" + } + }, + "For_each_response": { + "foreach": "@take(body('Get_Breach_Data_by_Domain_Search')?['results'],variables('min_records'))", + "actions": { + "Append_to_array_variable": { + "runAfter": { + "Compose": [ + "Succeeded" + ] + }, + "type": "AppendToArrayVariable", + "inputs": { + "name": "Domain_Breach_Data_Array", + "value": "@outputs('Compose')" + } + }, + "Compose": { + "runAfter": { + "Condition": [ + "Succeeded" + ] + }, + "type": "Compose", + "inputs": { + "Document Id": "@items('For_each_response')?['document_id']", + "Domain": "@items('For_each_response')?['domain']", + "Email": "@items('For_each_response')?['email']", + "IP Addresses": "@substring(variables('ip_address'),0,sub(length(variables('ip_address')),1))", + "Infected Machine Id": "@items('For_each_response')?['infected_machine_id']", + "Infected Path": "@items('For_each_response')?['infected_path']", + "Infected Time": "@items('For_each_response')?['infected_time']", + "Password": "@items('For_each_response')?['password']", + "Password Plaintext": "@items('For_each_response')?['password_plaintext']", + "Severity": "@items('For_each_response')?['severity']", + "Source Id": "@items('For_each_response')?['source_id']", + "Spycloud Publish Date": "@items('For_each_response')?['spycloud_publish_date']", + "Target Domain": "@items('For_each_response')?['target_domain']", + "Target Subdomain": "@items('For_each_response')?['target_subdomain']", + "Target Url": "@items('For_each_response')?['target_url']", + "User Hostname": "@items('For_each_response')?['user_hostname']", + "User OS": "@items('For_each_response')?['user_os']", + "Username": "@items('For_each_response')?['username']" + } + }, + "Condition": { + "actions": { + "For_each_ip": { + "foreach": "@items('For_each_response')?['ip_addresses']", + "actions": { + "Append_to_string_variable": { + "type": "AppendToStringVariable", + "inputs": { + "name": "ip_address", + "value": "@{items('For_each_ip')}," + } + } + }, + "type": "Foreach" + } + }, + "runAfter": { + "Set_variable": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@items('For_each_response')?['ip_addresses']", + "@null" + ] + } + } + ] + }, + "type": "If" + }, + "Set_variable": { + "type": "SetVariable", + "inputs": { + "name": "ip_address", + "value": " " + } + } + }, + "runAfter": { + "Set_more_records_to_empty": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Set_array_to_Empty": { + "type": "SetVariable", + "inputs": { + "name": "Domain_Breach_Data_Array", + "value": "[variables('TemplateEmptyArray')]" + } + }, + "Set_more_records_to_empty": { + "runAfter": { + "Set_array_to_Empty": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "more_records_display_text", + "value": " " + } + } + }, + "runAfter": { + "set_total_records": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Add_comment_to_incident_(V3)_2": { + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "SpyCloud Breach Data for Domain @{items('For_Each_Incident_DNS_Domain')?['DomainName']}
\nNo Records Found.
SpyCloud Breach Data for Email @{variables('email_address')}@{body('Create_HTML_table')}@{variables('more_records_display_text')}
" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Check_number_of_Records": { + "actions": { + "set_more_records_display_text": { + "type": "SetVariable", + "inputs": { + "name": "more_records_display_text", + "value": "Showing @{variables('min_records')} records out of @{variables('total_records')} records, for more information visit: https://portal.spycloud.com/" + } + } + }, + "runAfter": { + "Create_HTML_table": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "greater": [ + "@variables('total_records')", + "@variables('min_records')" + ] + } + ] + }, + "type": "If" + }, + "Create_HTML_table": { + "runAfter": { + "For_each_response": [ + "Succeeded" + ] + }, + "type": "Table", + "inputs": { + "format": "HTML", + "from": "@variables('email_breach_data_array')" + } + }, + "For_each_response": { + "foreach": "@take(body('Get_Breach_Data_by_Email_Search')?['results'],variables('min_records'))", + "actions": { + "Append_to_array_variable": { + "runAfter": { + "Compose": [ + "Succeeded" + ] + }, + "type": "AppendToArrayVariable", + "inputs": { + "name": "email_breach_data_array", + "value": "@outputs('Compose')" + } + }, + "Compose": { + "runAfter": { + "Condition": [ + "Succeeded" + ] + }, + "type": "Compose", + "inputs": { + "Document Id": "@items('For_each_response')?['document_id']", + "Domain": "@items('For_each_response')?['domain']", + "Email": "@items('For_each_response')?['email']", + "IP Addresses": "@substring(variables('ip_address'),0,sub(length(variables('ip_address')),1))", + "Infected Machine Id": "@items('For_each_response')?['infected_machine_id']", + "Infected Path": "@items('For_each_response')?['infected_path']", + "Infected Time": "@items('For_each_response')?['infected_time']", + "Password": "@items('For_each_response')?['password']", + "Password Plaintext": "@items('For_each_response')?['password_plaintext']", + "Severity": "@items('For_each_response')?['severity']", + "Source Id": "@items('For_each_response')?['source_id']", + "Spycloud Publish Date": "@items('For_each_response')?['spycloud_publish_date']", + "Target Domain": "@items('For_each_response')?['target_domain']", + "Target Subdomain": "@items('For_each_response')?['target_subdomain']", + "Target Url": "@items('For_each_response')?['target_url']", + "User Hostname": "@items('For_each_response')?['user_hostname']", + "User OS": "@items('For_each_response')?['user_os']", + "Username": "@items('For_each_response')?['username']" + } + }, + "Condition": { + "actions": { + "For_each_ip": { + "foreach": "@items('For_each_response')?['ip_addresses']", + "actions": { + "Append_to_string_variable": { + "type": "AppendToStringVariable", + "inputs": { + "name": "ip_address", + "value": "@{items('For_each_ip')}," + } + } + }, + "type": "Foreach" + } + }, + "runAfter": { + "Set_variable": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@items('For_each_response')?['ip_addresses']", + "@null" + ] + } + } + ] + }, + "type": "If" + }, + "Set_variable": { + "type": "SetVariable", + "inputs": { + "name": "ip_address", + "value": " " + } + } + }, + "runAfter": { + "Set_more_records_to_empty": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Set_array_to_empty": { + "type": "SetVariable", + "inputs": { + "name": "email_breach_data_array", + "value": "[variables('TemplateEmptyArray')]" + } + }, + "Set_more_records_to_empty": { + "runAfter": { + "Set_array_to_empty": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "more_records_display_text", + "value": " " + } + } + }, + "runAfter": { + "set_total_records": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Add_comment_to_incident_(V3)_2": { + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "SpyCloud Breach Data for Email @{variables('email_address')}
\nNo Records Found.
SpyCloud Breach Data for IP @{items('For_Each_Incident_IPS')?['Address']}@{body('Create_HTML_table')}@{variables('more_records_display_text')}
" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Check_number_of_Records": { + "actions": { + "set_more_records_display_text": { + "type": "SetVariable", + "inputs": { + "name": "more_records_display_text", + "value": "Showing @{variables('min_records')} records out of @{variables('total_records')} records, for more information visit https://portal.spycloud.com/" + } + } + }, + "runAfter": { + "Create_HTML_table": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "greater": [ + "@variables('total_records')", + "@variables('min_records')" + ] + } + ] + }, + "type": "If" + }, + "Create_HTML_table": { + "runAfter": { + "For_each_response": [ + "Succeeded" + ] + }, + "type": "Table", + "inputs": { + "format": "HTML", + "from": "@variables('ip_breach_data_array')" + } + }, + "For_each_response": { + "foreach": "@take(body('Get_Breach_Data_by_IP_Address')?['results'],variables('min_records'))", + "actions": { + "Append_to_array_variable": { + "runAfter": { + "Compose": [ + "Succeeded" + ] + }, + "type": "AppendToArrayVariable", + "inputs": { + "name": "IP_Breach_Data_Array", + "value": "@outputs('Compose')" + } + }, + "Compose": { + "runAfter": { + "Condition": [ + "Succeeded" + ] + }, + "type": "Compose", + "inputs": { + "Document Id": "@items('For_each_response')?['document_id']", + "Domain": "@items('For_each_response')?['domain']", + "Email": "@items('For_each_response')?['email']", + "IP Addresses": "@substring(variables('ip_address'),0,sub(length(variables('ip_address')),1))", + "Infected Machine Id": "@items('For_each_response')?['infected_machine_id']", + "Infected Path": "@items('For_each_response')?['infected_path']", + "Infected Time": "@items('For_each_response')?['infected_time']", + "Password": "@items('For_each_response')?['password']", + "Password Plaintext": "@items('For_each_response')?['password_plaintext']", + "Severity": "@items('For_each_response')?['severity']", + "Source Id": "@items('For_each_response')?['source_id']", + "Spycloud Publish Date": "@items('For_each_response')?['spycloud_publish_date']", + "Target Domain": "@items('For_each_response')?['target_domain']", + "Target Subdomain": "@items('For_each_response')?['target_subdomain']", + "Target Url": "@items('For_each_response')?['target_url']", + "User Hostname": "@items('For_each_response')?['user_hostname']", + "User OS": "@items('For_each_response')?['user_os']", + "Username": "@items('For_each_response')?['username']" + } + }, + "Condition": { + "actions": { + "For_each_ip": { + "foreach": "@items('For_each_response')?['ip_addresses']", + "actions": { + "Append_to_string_variable": { + "type": "AppendToStringVariable", + "inputs": { + "name": "ip_address", + "value": "@{items('For_each_ip')}," + } + } + }, + "type": "Foreach" + } + }, + "runAfter": { + "Set_variable": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@items('For_each_response')?['ip_addresses']", + "@null" + ] + } + } + ] + }, + "type": "If" + }, + "Set_variable": { + "type": "SetVariable", + "inputs": { + "name": "ip_address", + "value": " " + } + } + }, + "runAfter": { + "Set_more_records_to_empty": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Set_array_to_Empty": { + "type": "SetVariable", + "inputs": { + "name": "ip_breach_data_array", + "value": "[variables('TemplateEmptyArray')]" + } + }, + "Set_more_records_to_empty": { + "runAfter": { + "Set_array_to_Empty": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "more_records_display_text", + "value": " " + } + } + }, + "runAfter": { + "set_total_records": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Add_comment_to_incident_(V3)_2": { + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "SpyCloud Breach Data for IP @{items('For_Each_Incident_IPS')?['Address']}
\nNo Records Found.
SpyCloud Breach Data for username @{variables('username')}@{body('Create_HTML_table')}@{variables('more_records_display_text')}
" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Check_number_of_Records": { + "actions": { + "set_more_records_display_text": { + "type": "SetVariable", + "inputs": { + "name": "more_records_display_text", + "value": "Showing @{variables('min_records')} records out of @{variables('total_records')} records, for more information visit https://portal.spycloud.com/" + } + } + }, + "runAfter": { + "Create_HTML_table": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "greater": [ + "@variables('total_records')", + "@variables('min_records')" + ] + } + ] + }, + "type": "If" + }, + "Create_HTML_table": { + "runAfter": { + "For_each_response": [ + "Succeeded" + ] + }, + "type": "Table", + "inputs": { + "format": "HTML", + "from": "@variables('username_breach_data_array')" + } + }, + "For_each_response": { + "foreach": "@take(body('Get_Breach_Data_by_Username_Search')?['results'],variables('min_records'))", + "actions": { + "Append_to_array_variable": { + "runAfter": { + "Compose": [ + "Succeeded" + ] + }, + "type": "AppendToArrayVariable", + "inputs": { + "name": "username_breach_data_array", + "value": "@outputs('Compose')" + } + }, + "Compose": { + "runAfter": { + "Condition": [ + "Succeeded" + ] + }, + "type": "Compose", + "inputs": { + "Document Id": "@items('For_each_response')?['document_id']", + "Domain": "@items('For_each_response')?['domain']", + "Email": "@items('For_each_response')?['email']", + "IP Addresses": "@substring(variables('ip_address'),0,sub(length(variables('ip_address')),1))", + "Infected Machine Id": "@items('For_each_response')?['infected_machine_id']", + "Infected Path": "@items('For_each_response')?['infected_path']", + "Infected Time": "@items('For_each_response')?['infected_time']", + "Password": "@items('For_each_response')?['password']", + "Password Plaintext": "@items('For_each_response')?['password_plaintext']", + "Severity": "@items('For_each_response')?['severity']", + "Source Id": "@items('For_each_response')?['source_id']", + "Spycloud Publish Date": "@items('For_each_response')?['spycloud_publish_date']", + "Target Domain": "@items('For_each_response')?['target_domain']", + "Target Subdomain": "@items('For_each_response')?['target_subdomain']", + "Target Url": "@items('For_each_response')?['target_url']", + "User Hostname": "@items('For_each_response')?['user_hostname']", + "User OS": "@items('For_each_response')?['user_os']", + "Username": "@items('For_each_response')?['username']" + } + }, + "Condition": { + "actions": { + "For_each_ip": { + "foreach": "@items('For_each_response')?['ip_addresses']", + "actions": { + "Append_to_string_variable": { + "type": "AppendToStringVariable", + "inputs": { + "name": "ip_address", + "value": "@{items('For_each_ip')}," + } + } + }, + "type": "Foreach" + } + }, + "runAfter": { + "Set_variable": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@items('For_each_response')?['ip_addresses']", + "@null" + ] + } + } + ] + }, + "type": "If" + }, + "Set_variable": { + "type": "SetVariable", + "inputs": { + "name": "ip_address", + "value": " " + } + } + }, + "runAfter": { + "Set_more_records_to_empty": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Set_array_to_Empty": { + "type": "SetVariable", + "inputs": { + "name": "username_breach_data_array", + "value": "[variables('TemplateEmptyArray')]" + } + }, + "Set_more_records_to_empty": { + "runAfter": { + "Set_array_to_Empty": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "more_records_display_text", + "value": " " + } + } + }, + "runAfter": { + "set_total_records": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Add_comment_to_incident_(V3)_2": { + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "SpyCloud Breach Data for username @{variables('username')}
\nNo Records Found.
SpyCloud Comapss Devices Data for @{variables('infected_machine_id')}@{body('Create_HTML_table')}@{variables('more_records_display_text')}
" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Check_number_of_Records": { + "actions": { + "set_more_records_display_text": { + "type": "SetVariable", + "inputs": { + "name": "more_records_display_text", + "value": "Showing @{variables('min_records')} records out of @{variables('total_records')} records, for more information visit https://portal.spycloud.com/" + } + } + }, + "runAfter": { + "Create_HTML_table": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "greater": [ + "@variables('total_records')", + "@variables('min_records')" + ] + } + ] + }, + "type": "If" + }, + "Create_HTML_table": { + "runAfter": { + "For_each_response": [ + "Succeeded" + ] + }, + "type": "Table", + "inputs": { + "format": "HTML", + "from": "@variables('compass_device_data')" + } + }, + "For_each_response": { + "foreach": "@take(body('Get_Compass_Devices_Data')?['results'],variables('min_records'))", + "actions": { + "Append_to_array_variable": { + "runAfter": { + "Compose": [ + "Succeeded" + ] + }, + "type": "AppendToArrayVariable", + "inputs": { + "name": "compass_device_data", + "value": "@outputs('Compose')" + } + }, + "Compose": { + "runAfter": { + "Condition": [ + "Succeeded" + ] + }, + "type": "Compose", + "inputs": { + "Document Id": "@items('For_each_response')?['document_id']", + "Domain": "@items('For_each_response')?['domain']", + "Email": "@items('For_each_response')?['email']", + "IP Addresses": "@substring(variables('ip_address'),0,sub(length(variables('ip_address')),1))", + "Infected Machine Id": "@items('For_each_response')?['infected_machine_id']", + "Infected Path": "@items('For_each_response')?['infected_path']", + "Infected Time": "@items('For_each_response')?['infected_time']", + "Password": "@items('For_each_response')?['password']", + "Password Plaintext": "@items('For_each_response')?['password_plaintext']", + "Severity": "@items('For_each_response')?['severity']", + "Source Id": "@items('For_each_response')?['source_id']", + "Spycloud Publish Date": "@items('For_each_response')?['spycloud_publish_date']", + "Target Domain": "@items('For_each_response')?['target_domain']", + "Target Subdomain": "@items('For_each_response')?['target_subdomain']", + "Target Url": "@items('For_each_response')?['target_url']", + "User Hostname": "@items('For_each_response')?['user_hostname']", + "User OS": "@items('For_each_response')?['user_os']", + "Username": "@items('For_each_response')?['username']" + } + }, + "Condition": { + "actions": { + "For_each_ip": { + "foreach": "@items('For_each_response')?['ip_addresses']", + "actions": { + "Append_to_string_variable": { + "type": "AppendToStringVariable", + "inputs": { + "name": "ip_address", + "value": "@{items('For_each_ip')}," + } + } + }, + "type": "Foreach" + } + }, + "runAfter": { + "Set_IP_Address_to_Empty": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Set_variable": { + "type": "SetVariable", + "inputs": { + "name": "ip_address", + "value": " " + } + } + } + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@items('For_each_response')?['ip_addresses']", + "@null" + ] + } + } + ] + }, + "type": "If" + }, + "Set_IP_Address_to_Empty": { + "type": "SetVariable", + "inputs": { + "name": "ip_address", + "value": " " + } + } + }, + "type": "Foreach" + }, + "Update_incident": { + "runAfter": { + "Add_comment_to_incident_(V3)": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "owner": "someone@someone.com", + "ownerAction": "Assign", + "severity": "High" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "put", + "path": "/Incidents" + } + } + }, + "runAfter": { + "Get_Compass_Devices_Data": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "greater": [ + "@body('Get_Compass_Devices_Data')?['hits']", + 0 + ] + } + ] + }, + "type": "If" + }, + "Get_Compass_Devices_Data": { + "runAfter": { + "Set_Infected_Machine_ID": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['SpyCloud-Enterprise-Connector']['connectionId']" + } + }, + "method": "get", + "path": "/compass/data/devices/@{encodeURIComponent(variables('infected_machine_id'))}" + } + }, + "Set_Infected_Machine_ID": { + "type": "SetVariable", + "inputs": { + "name": "infected_machine_id", + "value": "@items('For_each_host')?['HostName']" + } + } + }, + "runAfter": { + "Entities_-_Get_Hosts": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "For_each_incident_alert": { + "foreach": "@triggerBody()?['object']?['properties']?['Alerts']", + "actions": { + "Check_User_Host_Name_exists": { + "actions": { + "Check_if_Host_is_Managed_host": { + "runAfter": { + "Set_variable_2": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "equals": [ + "", + "" + ] + } + ] + }, + "type": "If" + }, + "Set_User_Host_Name": { + "type": "SetVariable", + "inputs": { + "name": "user_host_name", + "value": "@{variables('incident_custom_details_object')?['User_Host_Name']}" + } + }, + "Set_variable_2": { + "runAfter": { + "Set_User_Host_Name": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "user_host_name_trim", + "value": "@{replace(replace(variables('user_host_name'),'[\"',''),'\"]','')}" + } + } + }, + "runAfter": { + "Set_custom_details_object": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@variables('incident_custom_details_object')?['User_Host_Name']", + "@null" + ] + } + } + ] + }, + "type": "If" + }, + "Set_custom_details_object": { + "type": "SetVariable", + "inputs": { + "name": "incident_custom_details_object", + "value": "@json(items('For_each_incident_alert')?['properties']?['additionalData']?['Custom Details'])" + } + } + }, + "type": "Foreach" + } + }, + "runAfter": { + "Incident_Custom_Details_Object": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "equals": [ + "@triggerBody()?['object']?['properties']?['title']", + "@variables('incident_name')" + ] + } + ] + }, + "type": "If" + }, + "IP_address": { + "runAfter": { + "Outputs_Variable": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "ip_address", + "type": "string" + } + ] + } + }, + "Incident_Custom_Details_Array": { + "runAfter": { + "Is_Managed_Host": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "incident_custom_details_array", + "type": "array" + } + ] + } + }, + "Incident_Custom_Details_Object": { + "runAfter": { + "Incident_Custom_Details_Array": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "incident_custom_details_object", + "type": "object" + } + ] + } + }, + "Incident_Name": { + "runAfter": { + "more_records_display_text": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "incident_name", + "type": "string", + "value": "SpyCloud Enterprise Malware Detection" + } + ] + } + }, + "Initialize_variable": { + "runAfter": { + "User_Host_Name": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "user_host_name_trim", + "type": "string" + } + ] + } + }, + "Is_Managed_Host": { + "runAfter": { + "IP_address": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "is_managed_host", + "type": "boolean", + "value": "@true" + } + ] + } + }, + "Machine_ID": { + "runAfter": { + "Initialize_variable": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "infected_machine_id", + "type": "string" + } + ] + } + }, + "Outputs_Variable": { + "runAfter": { + "Machine_ID": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "compass_device_data", + "type": "array" + } + ] + } + }, + "User_Host_Name": { + "runAfter": { + "Incident_Name": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "user_host_name", + "type": "string" + } + ] + } + }, + "minimum_records": { + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "min_records", + "type": "integer", + "value": 15 + } + ] + } + }, + "more_records_display_text": { + "runAfter": { + "total_records": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "more_records_display_text", + "type": "string" + } + ] + } + }, + "total_records": { + "runAfter": { + "minimum_records": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "total_records", + "type": "integer" + } + ] + } + } + } + }, + "parameters": { + "$connections": { + "value": { + "azuresentinel": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", + "connectionName": "[[variables('AzureSentinelConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + }, + "SpyCloud-Enterprise-Connector": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('SpyCloudEnterpriseConnectionName'))]", + "connectionName": "[[variables('SpyCloudEnterpriseConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('SpyCloudConnectorName'))]" + } + } + } + } + }, + "tags": { + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId8'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId8')]", + "contentId": "[variables('_playbookContentId8')]", + "kind": "Playbook", + "version": "[variables('playbookVersion8')]", + "source": { + "kind": "Solution", + "name": "SpyCloud Enterprise Protection", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "SpyCloud" + }, + "support": { + "name": "Spycloud", + "email": "integrations@spycloud.com", + "tier": "Partner", + "link": "https://portal.spycloud.com" + }, + "dependencies": { + "criteria": [ + { + "kind": "LogicAppsCustomConnector", + "contentId": "[variables('_Custom Connector')]", + "version": "[variables('playbookVersion1')]" + } + ] + } + } + } + ], + "metadata": { + "title": "SpyCloud Malware Information - SpyCloud Enterprise", + "description": "This Playbook will be triggered when an spycloud malware incident is created.", + "prerequisites": "SpyCloud Enterprise API Key.", + "postDeployment": [ + "Testing Description " + ], + "lastUpdateTime": "2022-09-05T00:00:00Z", + "entities": [ + "ACCOUNT" + ], + "tags": [ + "Enrichment" + ], + "releaseNotes": { + "version": "1.0", + "title": "[variables('blanks')]", + "notes": [ + "Initial version" + ] + } + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId8')]", + "contentKind": "Playbook", + "displayName": "SpyCloud-Malware-Playbook", + "contentProductId": "[variables('_playbookcontentProductId8')]", + "id": "[variables('_playbookcontentProductId8')]", + "version": "[variables('playbookVersion8')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName9')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "SpyCloud-Monitor-Watchlist-Data Playbook with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion9')]", + "parameters": { + "PlaybookName": { + "defaultValue": "SpyCloud-Monitor-Watchlist-Data", + "type": "string", + "metadata": { + "description": "Name of the Logic App/Playbook" + } + }, + "SpyCloudConnectorName": { + "defaultValue": "SpyCloud-Enterprise-Protection", + "type": "String", + "metadata": { + "description": "SpyCloud Enterprise custom connector name" + } + }, + "SpyCloud_Custom_Log_Table_Name": { + "defaultValue": "SpyCloudBreachDataWatchlist", + "type": "String", + "metadata": { + "description": "SpyCloud Enterprise custom log name" + } + } + }, + "variables": { + "SpyCloudEnterpriseConnectionName": "[[concat('spycloudconnector-', parameters('PlaybookName'))]", + "AzureLogAnalyticsDataConnector": "[[concat('azuredataconnector-', parameters('PlaybookName'))]", + "SpyCloudCustomTableName": "[[parameters('SpyCloud_Custom_Log_Table_Name')]", + "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azureloganalyticsdatacollector')]", + "_connection-1": "[[variables('connection-1')]", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('SpyCloudConnectorName'))]", + "_connection-2": "[[variables('connection-2')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('AzureLogAnalyticsDataConnector')]", + "location": "[[variables('workspace-location-inline')]", + "properties": { + "displayName": "[[variables('AzureLogAnalyticsDataConnector')]", + "api": { + "id": "[[variables('_connection-1')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('SpyCloudEnterpriseConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "properties": { + "displayName": "[[variables('SpyCloudEnterpriseConnectionName')]", + "api": { + "id": "[[variables('_connection-2')]" + } + } + }, + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2017-07-01", + "name": "[[parameters('PlaybookName')]", + "location": "[[variables('workspace-location-inline')]", + "identity": { + "type": "SystemAssigned" + }, + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('SpyCloudEnterpriseConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('AzureLogAnalyticsDataConnector'))]" + ], + "properties": { + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + } + }, + "triggers": { + "Recurrence": { + "recurrence": { + "frequency": "Day", + "interval": 1, + "startTime": "[variables('blanks')]" + }, + "evaluatedRecurrence": { + "frequency": "Day", + "interval": 1, + "startTime": "2023-05-06T00:00:00Z" + }, + "type": "Recurrence" + } + }, + "actions": { + "Cursor": { + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "cursor", + "type": "string", + "value": "start" + } + ] + } + }, + "Custom_Log_Name": { + "runAfter": { + "date_": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "custom_log_name", + "type": "string", + "value": "[[variables('SpyCloudCustomTableName')]" + } + ] + } + }, + "IP_address": { + "runAfter": { + "Is_First_Fetch": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "ip_address", + "type": "string" + } + ] + } + }, + "Is_First_Fetch": { + "runAfter": { + "Cursor": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "first_fetch", + "type": "boolean", + "value": "@true" + } + ] + } + }, + "Until_Modified_Records_Exist": { + "actions": { + "Check_if_this_is_first_fetch_for_modified_records": { + "actions": { + "Set_Cursor_to_null_2": { + "type": "SetVariable", + "inputs": { + "name": "cursor", + "value": "@{null}" + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@variables('first_fetch')", + "@true" + ] + } + ] + }, + "type": "If" + }, + "Get_Breach_Data_for_Entire_Watchlist_2": { + "runAfter": { + "Set_modified_records_array_to_empty": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['SpyCloud-Enterprise-Connector']['connectionId']" + } + }, + "method": "get", + "path": "/breach/data/watchlist", + "queries": { + "cursor": "@variables('cursor')", + "since_modification_date": "@variables('date')" + } + } + }, + "Set_false_to_first_fetch": { + "runAfter": { + "check_if_data_exist_for_date": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "first_fetch", + "value": "@false" + } + }, + "Set_modified_records_array_to_empty": { + "runAfter": { + "Check_if_this_is_first_fetch_for_modified_records": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "modified_records", + "value": "[variables('TemplateEmptyArray')]" + } + }, + "check_if_data_exist_for_date": { + "actions": { + "For_each_response_2": { + "foreach": "@body('Get_Breach_Data_for_Entire_Watchlist_2')?['results']", + "actions": { + "Append_to_modified_records_variable": { + "runAfter": { + "Check_IP_Address_is_Not_empty_2": [ + "Succeeded" + ] + }, + "type": "AppendToArrayVariable", + "inputs": { + "name": "modified_records", + "value": { + "Document_Id": "@{items('For_each_response_2')?['document_id']}", + "Domain": "@{items('For_each_response_2')?['domain']}", + "Email": "@{items('For_each_response_2')?['email']}", + "IP_Address": "@{variables('ip_address')}", + "Infected_Machine_Id": "@{items('For_each_response_2')?['infected_machine_id']}", + "Infected_Path": "@{items('For_each_response_2')?['infected_path']}", + "Infected_Time": "@{items('For_each_response_2')?['infected_time']}", + "Password": "@{items('For_each_response_2')?['password']}", + "Password_Plaintext": "@{items('For_each_response_2')?['password_plaintext']}", + "Severity": "@{items('For_each_response_2')?['severity']}", + "Source_Id": "@{items('For_each_response_2')?['source_id']}", + "SpyCloud_Publish_Date": "@{items('For_each_response_2')?['spycloud_publish_date']}", + "Target_Domain": "@{items('For_each_response_2')?['target_domain']}", + "Target_SubDomain": "@{items('For_each_response_2')?['target_subdomain']}", + "Target_URL": "@{items('For_each_response_2')?['target_url']}", + "User_Hostname": "@{items('For_each_response_2')?['user_hostname']}", + "User_OS": "@{items('For_each_response_2')?['user_os']}", + "Username": "@{items('For_each_response_2')?['username']}" + } + } + }, + "Check_IP_Address_is_Not_empty_2": { + "actions": { + "set_ip_variable": { + "type": "SetVariable", + "inputs": { + "name": "ip_address", + "value": "@{first(items('For_each_response_2')?['ip_addresses'])}" + } + } + }, + "else": { + "actions": { + "set_ip_variable_to_null": { + "type": "SetVariable", + "inputs": { + "name": "ip_address", + "value": "@{null}" + } + } + } + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@items('For_each_response_2')?['ip_addresses']", + "@null" + ] + } + } + ] + }, + "type": "If" + } + }, + "type": "Foreach" + }, + "Modified_Records_Compose": { + "runAfter": { + "For_each_response_2": [ + "Succeeded" + ] + }, + "type": "Compose", + "inputs": "@variables('modified_records')" + }, + "Save_Modified_Records_to_Custom_Logs_Table": { + "runAfter": { + "Modified_Records_Compose": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": "@{outputs('Modified_Records_Compose')}", + "headers": { + "Log-Type": "@variables('custom_log_name')" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']" + } + }, + "method": "post", + "path": "/api/logs" + } + } + }, + "runAfter": { + "Get_Breach_Data_for_Entire_Watchlist_2": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "greater": [ + "@body('Get_Breach_Data_for_Entire_Watchlist_2')?['hits']", + 0 + ] + } + ] + }, + "type": "If" + }, + "set_cursor_value": { + "runAfter": { + "Set_false_to_first_fetch": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "cursor", + "value": "@body('Get_Breach_Data_for_Entire_Watchlist_2')?['cursor']" + } + } + }, + "runAfter": { + "reset_first_fetch": [ + "Succeeded" + ] + }, + "expression": "@equals(empty(variables('cursor')), true)", + "limit": { + "count": 60, + "timeout": "PT1H" + }, + "type": "Until" + }, + "Until_New_Records_Exist": { + "actions": { + "Check_if_data_exists": { + "actions": { + "For_each_response": { + "foreach": "@body('Get_Breach_Data_for_Entire_Watchlist')?['results']", + "actions": { + "Append_to_new_records_array": { + "runAfter": { + "Check_IP_Address_is_Not_empty": [ + "Succeeded" + ] + }, + "type": "AppendToArrayVariable", + "inputs": { + "name": "new_records", + "value": { + "Document_Id": "@{items('For_each_response')?['document_id']}", + "Domain": "@{items('For_each_response')?['domain']}", + "Email": "@{items('For_each_response')?['email']}", + "IP_Address": "@{variables('ip_address')}", + "Infected_Machine_Id": "@{items('For_each_response')?['infected_machine_id']}", + "Infected_Path": "@{items('For_each_response')?['infected_path']}", + "Infected_Time": "@{items('For_each_response')?['infected_time']}", + "Password": "@{items('For_each_response')?['password']}", + "Password_Plaintext": "@{items('For_each_response')?['password_plaintext']}", + "Severity": "@{items('For_each_response')?['severity']}", + "Source_Id": "@{items('For_each_response')?['source_id']}", + "SpyCloud_Publish_Date": "@{items('For_each_response')?['spycloud_publish_date']}", + "Target_Domain": "@{items('For_each_response')?['target_domain']}", + "Target_SubDomain": "@{items('For_each_response')?['target_subdomain']}", + "Target_URL": "@{items('For_each_response')?['target_url']}", + "User_Hostname": "@{items('For_each_response')?['user_hostname']}", + "User_OS": "@{items('For_each_response')?['user_os']}", + "Username": "@{items('For_each_response')?['username']}" + } + } + }, + "Check_IP_Address_is_Not_empty": { + "actions": { + "Set_Address_to_value": { + "type": "SetVariable", + "inputs": { + "name": "ip_address", + "value": "@{first(items('For_each_response')?['ip_addresses'])}" + } + } + }, + "else": { + "actions": { + "Set_Address_to_null": { + "type": "SetVariable", + "inputs": { + "name": "ip_address", + "value": "@{null}" + } + } + } + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@items('For_each_response')?['ip_addresses']", + "@null" + ] + } + } + ] + }, + "type": "If" + } + }, + "type": "Foreach" + }, + "New_Records_Compose": { + "runAfter": { + "For_each_response": [ + "Succeeded" + ] + }, + "type": "Compose", + "inputs": "@variables('new_records')" + }, + "Save_New_Records_to_Custom_Logs_Table": { + "runAfter": { + "New_Records_Compose": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": "@{outputs('New_Records_Compose')}", + "headers": { + "Log-Type": "@variables('custom_log_name')" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']" + } + }, + "method": "post", + "path": "/api/logs" + } + } + }, + "runAfter": { + "Get_Breach_Data_for_Entire_Watchlist": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "greater": [ + "@body('Get_Breach_Data_for_Entire_Watchlist')?['hits']", + 0 + ] + } + ] + }, + "type": "If" + }, + "Check_if_this_is_first_fetch_for_new_records": { + "actions": { + "Set_Cursor_to_null_": { + "type": "SetVariable", + "inputs": { + "name": "cursor", + "value": "@{null}" + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@variables('first_fetch')", + "@true" + ] + } + ] + }, + "type": "If" + }, + "Get_Breach_Data_for_Entire_Watchlist": { + "runAfter": { + "Set_new_records_array_to_empty": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['SpyCloud-Enterprise-Connector']['connectionId']" + } + }, + "method": "get", + "path": "/breach/data/watchlist", + "queries": { + "cursor": "@variables('cursor')", + "since": "@variables('date')" + } + } + }, + "Set_First_Fetch_to_False": { + "runAfter": { + "Check_if_data_exists": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "first_fetch", + "value": "@false" + } + }, + "Set_cursor_from_the_API_response": { + "runAfter": { + "Set_First_Fetch_to_False": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "cursor", + "value": "@body('Get_Breach_Data_for_Entire_Watchlist')?['cursor']" + } + }, + "Set_new_records_array_to_empty": { + "runAfter": { + "Check_if_this_is_first_fetch_for_new_records": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "new_records", + "value": "[variables('TemplateEmptyArray')]" + } + } + }, + "runAfter": { + "modified_records": [ + "Succeeded" + ] + }, + "expression": "@equals(empty(variables('cursor')), true)", + "limit": { + "count": 60, + "timeout": "PT1H" + }, + "type": "Until" + }, + "date_": { + "runAfter": { + "IP_address": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "date", + "type": "string", + "value": "@{addDays(utcNow(), -1, 'yyyy-MM-dd')}" + } + ] + } + }, + "modified_records": { + "runAfter": { + "new_records_": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "modified_records", + "type": "array", + "value": "[variables('TemplateEmptyArray')]" + } + ] + } + }, + "new_records_": { + "runAfter": { + "Custom_Log_Name": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "new_records", + "type": "array", + "value": "[variables('TemplateEmptyArray')]" + } + ] + } + }, + "reset_cursor": { + "runAfter": { + "Until_New_Records_Exist": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "cursor", + "value": "start" + } + }, + "reset_first_fetch": { + "runAfter": { + "reset_cursor": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "first_fetch", + "value": "@true" + } + } + } + }, + "parameters": { + "$connections": { + "value": { + "SpyCloud-Enterprise-Connector": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('SpyCloudEnterpriseConnectionName'))]", + "connectionName": "[[variables('SpyCloudEnterpriseConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('SpyCloudConnectorName'))]" + }, + "azureloganalyticsdatacollector": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureLogAnalyticsDataConnector'))]", + "connectionName": "[[variables('AzureLogAnalyticsDataConnector')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azureloganalyticsdatacollector')]" + } + } + } + } + }, + "tags": { + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId9'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId9')]", + "contentId": "[variables('_playbookContentId9')]", + "kind": "Playbook", + "version": "[variables('playbookVersion9')]", + "source": { + "kind": "Solution", + "name": "SpyCloud Enterprise Protection", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "SpyCloud" + }, + "support": { + "name": "Spycloud", + "email": "integrations@spycloud.com", + "tier": "Partner", + "link": "https://portal.spycloud.com" + }, + "dependencies": { + "criteria": [ + { + "kind": "LogicAppsCustomConnector", + "contentId": "[variables('_Custom Connector')]", + "version": "[variables('playbookVersion1')]" + } + ] + } + } + } + ], + "metadata": { + "title": "SpyCloud Watachlist data - SpyCloud Enterprise", + "description": "This Playbook will run daily, gets the watchlist data from SpyCloud API and saved it into the custom logs.", + "prerequisites": "SpyCloud Enterprise API Key.", + "postDeployment": [ + "Testing Description " + ], + "lastUpdateTime": "2022-09-05T00:00:00Z", + "tags": [ + "Feed" + ], + "releaseNotes": { + "version": "1.0", + "title": "[variables('blanks')]", + "notes": [ + "Initial version" + ] + } + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId9')]", + "contentKind": "Playbook", + "displayName": "SpyCloud-Monitor-Watchlist-Data", + "contentProductId": "[variables('_playbookcontentProductId9')]", + "id": "[variables('_playbookcontentProductId9')]", + "version": "[variables('playbookVersion9')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleTemplateSpecName1')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "SpyCloudEnterpriseProtectionBreachRule_AnalyticalRules Analytics Rule with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleVersion1')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRulecontentId1')]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "This alert creates an incident when an malware record is detected in the SpyCloud watchlist data", + "displayName": "SpyCloud Enterprise Breach Detection", + "enabled": false, + "query": "SpyCloudBreachDataWatchlist_CL\n| where Severity_s == '20'\n| project TimeGenerated, Document_Id_g, Source_Id_s, SpyCloud_Publish_Date_t, Email_s, Domain_s, Password_s, Password_Plaintext_s, Username_s, IP_Address_s\n", + "queryFrequency": "PT12H", + "queryPeriod": "PT12H", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": "[variables('TemplateEmptyArray')]", + "tactics": [ + "CredentialAccess" + ], + "techniques": [ + "T1555" + ], + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "columnName": "Email_s", + "identifier": "FullName" + } + ] + }, + { + "entityType": "Account", + "fieldMappings": [ + { + "columnName": "Username_s", + "identifier": "Name" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "columnName": "IP_Address_s", + "identifier": "Address" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "customDetails": { + "Password": "Password_s", + "Domain": "Domain_s", + "Document_Id": "Document_Id_g", + "Password_Plaintext": "Password_Plaintext_s", + "Source_Id": "Source_Id_s", + "PublishDate": "SpyCloud_Publish_Date_t" + }, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": true, + "reopenClosedIncident": false, + "lookbackDuration": "12h", + "matchingMethod": "AllEntities" + } + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId1'),'/'))))]", + "properties": { + "description": "SpyCloud Enterprise Protection Analytics Rule 1", + "parentId": "[variables('analyticRuleId1')]", + "contentId": "[variables('_analyticRulecontentId1')]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleVersion1')]", + "source": { + "kind": "Solution", + "name": "SpyCloud Enterprise Protection", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "SpyCloud" + }, + "support": { + "name": "Spycloud", + "email": "integrations@spycloud.com", + "tier": "Partner", + "link": "https://portal.spycloud.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId1')]", + "contentKind": "AnalyticsRule", + "displayName": "SpyCloud Enterprise Breach Detection", + "contentProductId": "[variables('_analyticRulecontentProductId1')]", + "id": "[variables('_analyticRulecontentProductId1')]", + "version": "[variables('analyticRuleVersion1')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleTemplateSpecName2')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "SpyCloudEnterpriseProtectionMalwareRule_AnalyticalRules Analytics Rule with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleVersion2')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRulecontentId2')]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "This alert creates an incident when an malware record is detected in the SpyCloud watchlist data", + "displayName": "SpyCloud Enterprise Malware Detection", + "enabled": false, + "query": "SpyCloudBreachDataWatchlist_CL\n| where Severity_s == '25'\n| project TimeGenerated, Document_Id_g, Source_Id_s, SpyCloud_Publish_Date_t, Email_s, Domain_s, Password_s, Password_Plaintext_s, Username_s, Infected_Machine_Id_g, Infected_Path_s, Infected_Time_t, Target_Domain_s, Target_SubDomain_s, User_Hostname_s, User_OS_s, Target_URL_s,IP_Address_s\n", + "queryFrequency": "PT12H", + "queryPeriod": "PT12H", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": "[variables('TemplateEmptyArray')]", + "tactics": [ + "CredentialAccess" + ], + "techniques": [ + "T1555" + ], + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "columnName": "Infected_Machine_Id_g", + "identifier": "HostName" + }, + { + "columnName": "User_Hostname_s", + "identifier": "DnsDomain" + } + ] + }, + { + "entityType": "Account", + "fieldMappings": [ + { + "columnName": "Email_s", + "identifier": "FullName" + }, + { + "columnName": "Username_s", + "identifier": "Name" + } + ] + }, + { + "entityType": "DNS", + "fieldMappings": [ + { + "columnName": "Target_Domain_s", + "identifier": "DomainName" + } + ] + }, + { + "entityType": "DNS", + "fieldMappings": [ + { + "columnName": "Target_SubDomain_s", + "identifier": "DomainName" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "columnName": "IP_Address_s", + "identifier": "Address" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "customDetails": { + "Password": "Password_s", + "Domain": "Domain_s", + "Source_Id": "Source_Id_s", + "User_Host_Name": "User_Hostname_s", + "Infected_Time": "Infected_Time_t", + "Document_Id": "Document_Id_g", + "Password_Plaintext": "Password_Plaintext_s", + "Infected_Path": "Infected_Path_s", + "PublishDate": "SpyCloud_Publish_Date_t" + }, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": true, + "reopenClosedIncident": false, + "lookbackDuration": "12h", + "matchingMethod": "AllEntities" + } + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId2'),'/'))))]", + "properties": { + "description": "SpyCloud Enterprise Protection Analytics Rule 2", + "parentId": "[variables('analyticRuleId2')]", + "contentId": "[variables('_analyticRulecontentId2')]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleVersion2')]", + "source": { + "kind": "Solution", + "name": "SpyCloud Enterprise Protection", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "SpyCloud" + }, + "support": { + "name": "Spycloud", + "email": "integrations@spycloud.com", + "tier": "Partner", + "link": "https://portal.spycloud.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId2')]", + "contentKind": "AnalyticsRule", + "displayName": "SpyCloud Enterprise Malware Detection", + "contentProductId": "[variables('_analyticRulecontentProductId2')]", + "id": "[variables('_analyticRulecontentProductId2')]", + "version": "[variables('analyticRuleVersion2')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", + "apiVersion": "2023-04-01-preview", + "location": "[parameters('workspace-location')]", + "properties": { + "version": "3.0.0", + "kind": "Solution", + "contentSchemaVersion": "3.0.0", + "displayName": "SpyCloud Enterprise Protection", + "publisherDisplayName": "Spycloud", + "descriptionHtml": "Note: There may be known issues pertaining to this Solution, please refer to them before installing.
\nCybercriminals continue to utilize stolen corporate credentials as the number one technique for account takeover (ATO). In fact, the FBI estimated that this resulted in estimated losses totaling more than $2.7 billion in 2022. SpyCloud helps prevent account takeover and ransomware attacks by identifying exposed credentials related to a company’s domains, IP addresses and emails. Through this integration, breach and malware data from SpyCloud can be loaded into Sentinel.
\nAnalytic Rules: 2, Custom Azure Logic Apps Connectors: 1, Playbooks: 8
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n", + "contentKind": "Solution", + "contentProductId": "[variables('_solutioncontentProductId')]", + "id": "[variables('_solutioncontentProductId')]", + "icon": "", + "contentId": "[variables('_solutionId')]", + "parentId": "[variables('_solutionId')]", + "source": { + "kind": "Solution", + "name": "SpyCloud Enterprise Protection", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "SpyCloud" + }, + "support": { + "name": "Spycloud", + "email": "integrations@spycloud.com", + "tier": "Partner", + "link": "https://portal.spycloud.com" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "kind": "LogicAppsCustomConnector", + "contentId": "[variables('_Custom Connector')]", + "version": "[variables('playbookVersion1')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_SpyCloud-Breach-Playbook')]", + "version": "[variables('playbookVersion2')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_SpyCloud-Get-Domain-Breach-Data-Playbook')]", + "version": "[variables('playbookVersion3')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_SpyCloud-Get-Email-Breach-Data-Playbook')]", + "version": "[variables('playbookVersion4')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_SpyCloud-Get-IP-Breach-Data-Playbook')]", + "version": "[variables('playbookVersion5')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_SpyCloud-Get-Password-Breach-Data-Playbook')]", + "version": "[variables('playbookVersion6')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_SpyCloud-Get-Username-Breach-Data-Playbook')]", + "version": "[variables('playbookVersion7')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_SpyCloud-Malware-Playbook')]", + "version": "[variables('playbookVersion8')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_SpyCloud-Monitor-Watchlist-Data')]", + "version": "[variables('playbookVersion9')]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRulecontentId1')]", + "version": "[variables('analyticRuleVersion1')]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRulecontentId2')]", + "version": "[variables('analyticRuleVersion2')]" + } + ] + }, + "firstPublishDate": "2023-09-09", + "providers": [ + "Spycloud, Inc" + ], + "categories": { + "domains": [ + "Security - Automation (SOAR)", + "Security - Threat Intelligence" + ] + } + }, + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]" + } + ], + "outputs": {} +} diff --git a/Solutions/SpyCloud Enterprise Protection/Playbooks/Custom Connector/azuredeploy.json b/Solutions/SpyCloud Enterprise Protection/Playbooks/Custom Connector/azuredeploy.json new file mode 100644 index 00000000000..1d52d4b10b7 --- /dev/null +++ b/Solutions/SpyCloud Enterprise Protection/Playbooks/Custom Connector/azuredeploy.json @@ -0,0 +1,2056 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "comments": "SpyCloud Enterprise Protection Custom Connector", + "author": "SpyCloud" + }, + "parameters": { + "SpyCloudConnectorName": { + "defaultValue": "SpyCloud-Enterprise-Protection", + "type": "String" + } + }, + "variables":{ + + }, + "resources": [ + { + "type": "Microsoft.Web/customApis", + "apiVersion": "2016-06-01", + "name": "[parameters('SpyCloudConnectorName')]", + "location":"[resourceGroup().location]", + "properties": { + "connectionParameters":{ + "api_key":{ + "type": "securestring", + "uiDefinition":{ + "displayName": "API Key", + "description": "The API Key for this api", + "tooltip": "Provide your API Key", + "constraints":{ + "tabIndex":2, + "clearText": false, + "required": "true" + } + } + } + }, + "backendService":{ + "serviceUrl": "https://api.spycloud.io/enterprise-v2" + }, + "description": "The SpyCloud Enterprise Protection connector allows access to SpyCloud’s Enterprise Protection API. The connector is organized around the SpyCloud Enterprise Protection API endpoints. JSON is returned by all API responses, including those with errors.", + "displayName": "[parameters('SpyCloudConnectorName')]", + "iconUri": "", + "swagger":{ + "swagger": "2.0", + "info": { + "title": "SpyCloud Enterprise Protection", + "description": "The SpyCloud Enterprise Protection connector allows access to SpyCloud’s Enterprise Protection API. The connector is organized around the SpyCloud Enterprise Protection API endpoints. JSON is returned by all API responses, including those with errors.", + "contact": { + "name": "SpyCloud Integrations", + "url": "https://portal/spycloud.com/", + "email": "integrations@spycloud.com" + }, + "version": "1.0" + }, + "host": "api.spycloud.io", + "basePath": "/enterprise-v2", + "schemes": [ + "https" + ], + "consumes": [], + "produces": [], + "paths": { + "/breach/catalog": { + "get": { + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "responses": { + "200": { + "description": "success", + "schema": { + "$ref": "#/definitions/Breach_Catalog_Schema" + } + } + }, + "summary": "List or Query the Breach Catalog", + "description": "List or Query the Breach Catalog.", + "operationId": "Breach_Catalog", + "parameters": [ + { + "$ref": "#/parameters/Query" + }, + { + "$ref": "#/parameters/Cursor" + }, + { + "$ref": "#/parameters/Since" + }, + { + "$ref": "#/parameters/Until" + } + ] + } + }, + "/breach/catalog/{id}": { + "get": { + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "responses": { + "200": { + "description": "success", + "schema": { + "$ref": "#/definitions/Breach_Catalog_Schema" + } + } + }, + "summary": "Get Catalog", + "description": "Get/Retrieve Breach Catalog Information by ID.", + "operationId": "Breach_Catalog_ID", + "parameters": [ + { + "$ref": "#/parameters/ID" + } + ] + } + }, + "/breach/data/domains/{domain}": { + "get": { + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "responses": { + "200": { + "description": "success", + "schema": { + "$ref": "#/definitions/Breach_Data_By_Domain_Schema" + } + } + }, + "summary": "Get Breach Data by Domain Search", + "description": "Get Breach Data by Domain Search.", + "operationId": "Breach_Catalog_Domain", + "parameters": [ + { + "$ref": "#/parameters/Domain" + }, + { + "$ref": "#/parameters/Type" + }, + { + "$ref": "#/parameters/Cursor" + }, + { + "$ref": "#/parameters/Since" + }, + { + "$ref": "#/parameters/Until" + }, + { + "$ref": "#/parameters/Since_Modification_Date" + }, + { + "$ref": "#/parameters/Until_Modification_Date" + }, + { + "$ref": "#/parameters/Severity" + }, + { + "$ref": "#/parameters/Source_Id" + }, + { + "$ref": "#/parameters/Salt" + } + ] + } + }, + "/breach/data/emails/{email}": { + "get": { + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "responses": { + "200": { + "description": "success", + "schema": { + "$ref": "#/definitions/Breach_Data_By_Email_Schema" + } + } + }, + "summary": "Get Breach Data by Email Search", + "description": "Get Breach Data by Email Search.", + "operationId": "Breach_Data_Email", + "parameters": [ + { + "$ref": "#/parameters/Email" + }, + { + "$ref": "#/parameters/Cursor" + }, + { + "$ref": "#/parameters/Since" + }, + { + "$ref": "#/parameters/Until" + }, + { + "$ref": "#/parameters/Since_Modification_Date" + }, + { + "$ref": "#/parameters/Until_Modification_Date" + }, + { + "$ref": "#/parameters/Severity" + }, + { + "$ref": "#/parameters/Source_Id" + }, + { + "$ref": "#/parameters/Salt" + } + ] + } + }, + "/breach/data/ips/{ip}": { + "get": { + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "responses": { + "200": { + "description": "success", + "schema": { + "$ref": "#/definitions/Breach_Data_By_IP_Schema" + } + } + }, + "summary": "Get Breach Data by IP Address", + "description": "Get Breach Data by IP Address.", + "operationId": "Breach_Data_IP_Address", + "parameters": [ + { + "$ref": "#/parameters/IP" + }, + { + "$ref": "#/parameters/Cursor" + }, + { + "$ref": "#/parameters/Since" + }, + { + "$ref": "#/parameters/Until" + }, + { + "$ref": "#/parameters/Since_Modification_Date" + }, + { + "$ref": "#/parameters/Until_Modification_Date" + }, + { + "$ref": "#/parameters/Severity" + }, + { + "$ref": "#/parameters/Source_Id" + }, + { + "$ref": "#/parameters/Salt" + } + ] + } + }, + "/breach/data/passwords/{password}": { + "get": { + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "responses": { + "200": { + "description": "success", + "schema": { + "$ref": "#/definitions/Breach_Data_By_Password_Schema" + } + } + }, + "summary": "Get Breach Data by Password Search", + "description": "Get Breach Data by Password Search.", + "operationId": "Breach_Data_Password", + "parameters": [ + { + "$ref": "#/parameters/Password" + }, + { + "$ref": "#/parameters/Cursor" + }, + { + "$ref": "#/parameters/Since" + }, + { + "$ref": "#/parameters/Until" + }, + { + "$ref": "#/parameters/Since_Modification_Date" + }, + { + "$ref": "#/parameters/Until_Modification_Date" + }, + { + "$ref": "#/parameters/Severity" + }, + { + "$ref": "#/parameters/Source_Id" + }, + { + "$ref": "#/parameters/Salt" + } + ] + } + }, + "/breach/data/usernames/{username}": { + "get": { + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "responses": { + "200": { + "description": "success", + "schema": { + "$ref": "#/definitions/Breach_Data_By_Username_Schema" + } + } + }, + "summary": "Get Breach Data by Username Search", + "description": "Get Breach Data by Username Search.", + "operationId": "Breach_Data_Username", + "parameters": [ + { + "$ref": "#/parameters/Username" + }, + { + "$ref": "#/parameters/Cursor" + }, + { + "$ref": "#/parameters/Since" + }, + { + "$ref": "#/parameters/Until" + }, + { + "$ref": "#/parameters/Since_Modification_Date" + }, + { + "$ref": "#/parameters/Until_Modification_Date" + }, + { + "$ref": "#/parameters/Severity" + }, + { + "$ref": "#/parameters/Source_Id" + }, + { + "$ref": "#/parameters/Salt" + } + ] + } + }, + "/breach/data/watchlist": { + "get": { + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "responses": { + "200": { + "description": "success", + "schema": { + "$ref": "#/definitions/Breach_Data_By_Watchlist_Schema" + } + } + }, + "summary": "Get Breach Data for Entire Watchlist", + "description": "Get Breach Data for Entire Watchlist.", + "operationId": "Breach_Data_Watchlist", + "parameters": [ + { + "$ref": "#/parameters/Type" + }, + { + "$ref": "#/parameters/Watchlist_Type" + }, + { + "$ref": "#/parameters/Cursor" + }, + { + "$ref": "#/parameters/Since" + }, + { + "$ref": "#/parameters/Until" + }, + { + "$ref": "#/parameters/Since_Modification_Date" + }, + { + "$ref": "#/parameters/Until_Modification_Date" + }, + { + "$ref": "#/parameters/Severity" + }, + { + "$ref": "#/parameters/Source_Id" + }, + { + "$ref": "#/parameters/Salt" + } + ] + } + }, + "/compass/devices": { + "get": { + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "responses": { + "200": { + "description": "success", + "schema": { + "$ref": "#/definitions/Compass_Devices_List_Schema" + } + } + }, + "summary": "Get Compass Devices List", + "description": "Get Compass Devices List.", + "operationId": "Compass_Devices_List", + "parameters": [ + { + "$ref": "#/parameters/Source_Id" + }, + { + "$ref": "#/parameters/Since" + }, + { + "$ref": "#/parameters/Until" + }, + { + "$ref": "#/parameters/Since_Infected" + }, + { + "$ref": "#/parameters/Until_Infected" + } + ] + } + }, + "/compass/data/devices/{infected_machine_id}": { + "get": { + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "responses": { + "200": { + "description": "success", + "schema": { + "$ref": "#/definitions/Compass_Devices_Data_Schema" + } + } + }, + "summary": "Get Compass Devices Data", + "description": "Get Compass Devices Data.", + "operationId": "Compass_Devices_Data", + "parameters": [ + { + "$ref": "#/parameters/Infected_Machine_Id" + }, + { + "$ref": "#/parameters/Cursor" + }, + { + "$ref": "#/parameters/Salt" + } + ] + } + }, + "/compass/data/applications/{target_application}": { + "get": { + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "responses": { + "200": { + "description": "success", + "schema": { + "$ref": "#/definitions/Compass_Applications_Data_Schema" + } + } + }, + "summary": "Get Compass Applications Data", + "description": "Get Compass Applications Data.", + "operationId": "Compass_Applications_Data", + "parameters": [ + { + "$ref": "#/parameters/Target_Application" + }, + { + "$ref": "#/parameters/Source_Id" + }, + { + "$ref": "#/parameters/Since" + }, + { + "$ref": "#/parameters/Until" + }, + { + "$ref": "#/parameters/Salt" + } + ] + } + }, + "/compass/data": { + "get": { + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "responses": { + "200": { + "description": "success", + "schema": { + "$ref": "#/definitions/Compass_Applications_Data_Schema" + } + } + }, + "summary": "Get Compass Data", + "description": "Get Compass Data.", + "operationId": "Compass_Data", + "parameters": [ + { + "$ref": "#/parameters/Source_Id" + }, + { + "$ref": "#/parameters/Since" + }, + { + "$ref": "#/parameters/Until" + }, + { + "$ref": "#/parameters/Since_Infected" + }, + { + "$ref": "#/parameters/Until_Infected" + }, + { + "$ref": "#/parameters/Compass_Type" + }, + { + "$ref": "#/parameters/Cursor" + }, + { + "$ref": "#/parameters/Salt" + } + ] + } + } + }, + "x-ms-connector-metadata": [ + { + "propertyName": "Website", + "propertyValue": "http://www.spycloud.com/" + }, + { + "propertyName": "Privacy policy", + "propertyValue": "https://www.spycloud.com/company/privacy-policy/" + }, + { + "propertyName": "Categories", + "propertyValue": "Security;Website" + } + ], + "definitions": { + "Breach_Catalog_Schema": { + "type": "object", + "properties": { + "cursor": { + "type": "string", + "description": "cursor", + "title": "Cursor" + }, + "hits": { + "type": "number", + "description": "hits", + "title": "Hits" + }, + "results": { + "type": "array", + "items": { + "type": "object", + "properties": { + "title": { + "type": "string", + "description": "Breach title. For each ingested breach our security research team documents a breach title. This is only available when we can disclose the breach details, otherwise it will have a generic title.", + "title": "Title" + }, + "spycloud_publish_date": { + "type": "string", + "description": "The date on which we ingested the breached data into our systems. This is the same date on which the data becomes publicly available to our customers.", + "title": "Spycloud Publish Date" + }, + "description": { + "type": "string", + "description": "Breach description. For each ingested breach our security research team documents a breach description. This is only available when we can disclose the breach details, otherwise it will have a generic description.", + "title": "Description" + }, + "site_description": { + "type": "string", + "description": "Description of the breached organization, when available.", + "title": "Site Description" + }, + "site": { + "type": "string", + "description": "Website of breached organization, when available.", + "title": "Site" + }, + "confidence": { + "type": "number", + "description": "Numerical score representing the confidence in the source of the breach.", + "title": "Confidence" + }, + "id": { + "type": "number", + "description": "Numerical breach ID. This number correlates to source_id data point found in breach records.", + "title": "Id" + }, + "premium_flag": { + "type": "string", + "description": "premium flag.", + "title": "Premium Flag" + }, + "acquisition_date": { + "type": "string", + "description": "The date on which our security research team first acquired the breached data.", + "title": "Acquisition Date" + }, + "uuid": { + "type": "string", + "description": "UUID v4 encoded version of breach ID. This is relevant for users of Firehose, where each deliverable (records file) is named using the breach UUID.", + "title": "UUID" + }, + "type": { + "type": "string", + "description": "Denotes if a breach is considered public or private. A public breach is one that is easily found on the internet, while a private breach is often exclusive to SpyCloud.", + "title": "Type" + }, + "num_records": { + "type": "number", + "description": "Number of records we parsed and ingested from this particular breach. This is after parsing, normalization and deduplication take place.", + "title": "Number of Records" + }, + "assets": { + "type": "object", + "properties": { + "target_url": { + "type": "string", + "description": "URL extracted from Botnet data. This is the URL that is captured from a key logger installed on an infected user's system.", + "title": "Target Url" + }, + "av_softwares": { + "type": "number", + "description": "List of AV software found installed on the infected user's system.", + "title": "AV Softwares" + }, + "infected_time": { + "type": "number", + "description": "The time at which the user's system was infected with malicious software.", + "title": "Infected Time" + }, + "infected_machine_id": { + "type": "number", + "description": "The unique id of the infected user's system.", + "title": "Infected Machine Id" + }, + "country_code": { + "type": "number", + "description": "Country code; derived from country.", + "title": "Country Code" + }, + "ip_addresses": { + "type": "string", + "description": "List of one or more IP addresses in alphanumeric format. Both IPV4 and IPv6 addresses are supported.", + "title": "IP Addresses" + }, + "user_browser": { + "type": "string", + "description": "Browser name.", + "title": "User Browser" + }, + "user_sys_registered_owner": { + "type": "string", + "description": "System registered owner name. This usually comes from Botnet data.", + "title": "User System Registered Owner" + }, + "keyboard_languages": { + "type": "string", + "description": "The keyboard language found in the OS. This usually comes from Botnet data.", + "title": "Keyboard Languages" + }, + "user_hostname": { + "type": "string", + "description": "System hostname. This usually comes from Botnet data.", + "title": "User Hostname" + }, + "password": { + "type": "string", + "description": "Account password.", + "title": "Password" + }, + "email": { + "type": "string", + "description": "Email address.", + "title": "Password" + }, + "user_os": { + "type": "string", + "description": "System OS name. This usually comes from Botnet data.", + "title": "User OS" + }, + "country": { + "type": "string", + "description": "Country name.", + "title": "Country" + }, + "username": { + "type": "string", + "description": "Username.", + "title": "Username" + }, + "infected_path": { + "type": "string", + "description": "The local path to the malicious software installed on the infected user's system.", + "title": "Infected Path" + } + } + } + }, + "description": "Catalog Breach Results Object" + } + } + }, + "description": "Catalog Breach Data Response" + }, + "Breach_Data_By_Domain_Schema": { + "type": "object", + "properties": { + "cursor": { + "type": "string", + "description": "cursor", + "title": "Cursor" + }, + "hits": { + "type": "number", + "description": "hits", + "title": "Hits" + }, + "results": { + "type": "array", + "items": { + "type": "object", + "properties": { + "source_id": { + "type": "number", + "description": "Numerical breach ID. This correlates directly with the id field in Breach Catalog objects.", + "title": "Source ID" + }, + "email": { + "type": "string", + "description": "Email address.", + "title": "Email Address." + }, + "full_name": { + "type": "string", + "description": "Full name.", + "title": "Full Name" + }, + "spycloud_publish_date": { + "type": "string", + "description": "The date on which we ingested the breached data into our systems. This is the same date on which the data becomes publicly available to our customers.", + "title": "Spycloud Publish Date" + }, + "email_domain": { + "type": "string", + "description": "Domain extracted from 'email_address' field. This is not a SLD, but everything after the '@' symbol.", + "title": "Email Domain" + }, + "email_username": { + "type": "string", + "description": "Username extracted from 'email' field. This is everything before the '@' symbol.", + "title": "Email Username" + }, + "severity": { + "type": "number", + "description": "Severity is a numeric code representing severity of a breach record. This can be used in API requests to ensure only Breach Records with plaintext password are returned.", + "title": "Severity" + }, + "document_id": { + "type": "string", + "description": "UUID v4 string which uniquely identifies this breach record in our data set.", + "title": "Document ID" + } + } + }, + "description": "Domain Breach Results Object" + } + }, + "description": "Domain Breach Data Response" + }, + "Breach_Data_By_Email_Schema": { + "type": "object", + "properties": { + "cursor": { + "type": "string", + "description": "cursor", + "title": "Cursor" + }, + "hits": { + "type": "number", + "description": "hits", + "title": "Hits" + }, + "results": { + "type": "array", + "items": { + "type": "object", + "properties": { + "email": { + "type": "string", + "description": "Email address.", + "title": "Email Address." + }, + "username": { + "type": "string", + "description": "User name.", + "title": "Username" + }, + "password": { + "type": "string", + "description": "Account password.", + "title": "Password" + }, + "password_plaintext": { + "type": "string", + "description": "The cracked, plaintext version of the password (where the password is crackable).", + "title": "Password Plaintext" + }, + "password_type": { + "type": "string", + "description": "Password type for original password as found in the data breach. This will either be plaintext or one of the many password hash/encryption types (SHA1, MD5, 3DES, etc).", + "title": "Password Type" + }, + "target_url": { + "type": "string", + "description": "URL extracted from Botnet data. This is the URL that is captured from a key logger installed on an infected user's system.", + "title": "Target URL" + }, + "user_browser": { + "type": "string", + "description": "Browser name.", + "title": "User Browser" + }, + "ip_addresses": { + "type": "string", + "description": "List of one or more IP addresses in alphanumeric format. Both IPV4 and IPv6 addresses are supported.", + "title": "IP Addressess" + }, + "infected_machine_id": { + "type": "string", + "description": "The unique id of the infected user's system.", + "title": "Infected Machine Id" + }, + "infected_path": { + "type": "string", + "description": "The local path to the malicious software installed on the infected user's system.", + "title": "Infected Path" + }, + "infected_time": { + "type": "string", + "description": "The time at which the user's system was infected with malicious software.", + "title": "Infected Time" + }, + "user_sys_domain": { + "type": "string", + "description": "System domain. This usually comes from Botnet data.", + "title": "User System Domain" + }, + "user_hostname": { + "type": "string", + "description": "System hostname. This usually comes from Botnet data.", + "title": "User Hostname" + }, + "user_os": { + "type": "string", + "description": "System OS name. This usually comes from Botnet data.", + "title": "User OS Name" + }, + "user_sys_registered_owner": { + "type": "string", + "description": "System registered owner name. This usually comes from Botnet data.", + "title": "System Registered Owner Name" + }, + "source_id": { + "type": "number", + "description": "Numerical breach ID. This correlates directly with the id field in Breach Catalog objects.", + "title": "Source ID" + }, + "spycloud_publish_date": { + "type": "string", + "description": "The date on which we ingested the breached data into our systems. This is the same date on which the data becomes publicly available to our customers.", + "title": "Spycloud Publish Date" + }, + "email_domain": { + "type": "string", + "description": "Domain extracted from 'email_address' field. This is not a SLD, but everything after the '@' symbol.", + "title": "Email Domain" + }, + "email_username": { + "type": "string", + "description": "Username extracted from 'email' field. This is everything before the '@' symbol.", + "title": "Email Username" + }, + "domain": { + "type": "string", + "description": "Domain name.", + "title": "Domain" + }, + "target_domain": { + "type": "string", + "description": "SLD extracted from 'target_url' field.", + "title": "Target Domain" + }, + "target_subdomain": { + "type": "string", + "description": "Subdomain and SLD extracted from 'target_url' field.", + "title": "Target Sub Domain" + }, + "severity": { + "type": "number", + "description": "Severity is a numeric code representing severity of a breach record. This can be used in API requests to ensure only Breach Records with plaintext password are returned.", + "title": "Severity" + }, + "document_id": { + "type": "string", + "description": "UUID v4 string which uniquely identifies this breach record in our data set.", + "title": "Document ID" + } + } + }, + "description": "Email Breach Results Object" + } + }, + "description": "Email Breach Data Response" + }, + "Breach_Data_By_IP_Schema": { + "type": "object", + "properties": { + "cursor": { + "type": "string", + "description": "cursor", + "title": "Cursor" + }, + "hits": { + "type": "number", + "description": "hits", + "title": "Hits" + }, + "results": { + "type": "array", + "items": { + "type": "object", + "properties": { + "email": { + "type": "string", + "description": "Email address.", + "title": "Email Address." + }, + "username": { + "type": "string", + "description": "User name.", + "title": "Username" + }, + "password": { + "type": "string", + "description": "Account password.", + "title": "Password" + }, + "password_plaintext": { + "type": "string", + "description": "The cracked, plaintext version of the password (where the password is crackable).", + "title": "Password Plaintext" + }, + "password_type": { + "type": "string", + "description": "Password type for original password as found in the data breach. This will either be plaintext or one of the many password hash/encryption types (SHA1, MD5, 3DES, etc).", + "title": "Password Type" + }, + "target_url": { + "type": "string", + "description": "URL extracted from Botnet data. This is the URL that is captured from a key logger installed on an infected user's system.", + "title": "Target URL" + }, + "user_browser": { + "type": "string", + "description": "Browser name.", + "title": "User Browser" + }, + "ip_addresses": { + "type": "string", + "description": "List of one or more IP addresses in alphanumeric format. Both IPV4 and IPv6 addresses are supported.", + "title": "IP Addressess" + }, + "infected_machine_id": { + "type": "string", + "description": "The unique id of the infected user's system.", + "title": "Infected Machine Id" + }, + "infected_path": { + "type": "string", + "description": "The local path to the malicious software installed on the infected user's system.", + "title": "Infected Path" + }, + "infected_time": { + "type": "string", + "description": "The time at which the user's system was infected with malicious software.", + "title": "Infected Time" + }, + "user_sys_domain": { + "type": "string", + "description": "System domain. This usually comes from Botnet data.", + "title": "User System Domain" + }, + "user_hostname": { + "type": "string", + "description": "System hostname. This usually comes from Botnet data.", + "title": "User Hostname" + }, + "user_os": { + "type": "string", + "description": "System OS name. This usually comes from Botnet data.", + "title": "User OS Name" + }, + "user_sys_registered_owner": { + "type": "string", + "description": "System registered owner name. This usually comes from Botnet data.", + "title": "System Registered Owner Name" + }, + "source_id": { + "type": "number", + "description": "Numerical breach ID. This correlates directly with the id field in Breach Catalog objects.", + "title": "Source ID" + }, + "spycloud_publish_date": { + "type": "string", + "description": "The date on which we ingested the breached data into our systems. This is the same date on which the data becomes publicly available to our customers.", + "title": "Spycloud Publish Date" + }, + "email_domain": { + "type": "string", + "description": "Domain extracted from 'email_address' field. This is not a SLD, but everything after the '@' symbol.", + "title": "Email Domain" + }, + "email_username": { + "type": "string", + "description": "Username extracted from 'email' field. This is everything before the '@' symbol.", + "title": "Email Username" + }, + "domain": { + "type": "string", + "description": "Domain name.", + "title": "Domain" + }, + "target_domain": { + "type": "string", + "description": "SLD extracted from 'target_url' field.", + "title": "Target Domain" + }, + "target_subdomain": { + "type": "string", + "description": "Subdomain and SLD extracted from 'target_url' field.", + "title": "Target Sub Domain" + }, + "severity": { + "type": "number", + "description": "Severity is a numeric code representing severity of a breach record. This can be used in API requests to ensure only Breach Records with plaintext password are returned.", + "title": "Severity" + }, + "document_id": { + "type": "string", + "description": "UUID v4 string which uniquely identifies this breach record in our data set.", + "title": "Document ID" + } + } + }, + "description": "IP Address Breach Results Object" + } + }, + "description": "IP Address Breach Data Response" + }, + "Breach_Data_By_Password_Schema": { + "type": "object", + "properties": { + "cursor": { + "type": "string", + "description": "cursor", + "title": "Cursor" + }, + "hits": { + "type": "number", + "description": "hits", + "title": "Hits" + }, + "results": { + "type": "array", + "items": { + "type": "object", + "properties": { + "source_id": { + "type": "number", + "description": "Numerical breach ID. This correlates directly with the id field in Breach Catalog objects.", + "title": "Source ID" + }, + "email": { + "type": "string", + "description": "Email address.", + "title": "Email Address." + }, + "password": { + "type": "string", + "description": "Account password.", + "title": "Password" + }, + "password_type": { + "type": "string", + "description": "Password type for original password as found in the data breach. This will either be plaintext or one of the many password hash/encryption types (SHA1, MD5, 3DES, etc).", + "title": "Password Type" + }, + "full_name": { + "type": "string", + "description": "Full name.", + "title": "Full Name" + }, + "spycloud_publish_date": { + "type": "string", + "description": "The date on which we ingested the breached data into our systems. This is the same date on which the data becomes publicly available to our customers.", + "title": "Spycloud Publish Date" + }, + "email_domain": { + "type": "string", + "description": "Domain extracted from 'email_address' field. This is not a SLD, but everything after the '@' symbol.", + "title": "Email Domain" + }, + "email_username": { + "type": "string", + "description": "Username extracted from 'email' field. This is everything before the '@' symbol.", + "title": "Email Username" + }, + "domain": { + "type": "string", + "description": "Domain name.", + "title": "Domain" + }, + "password_plaintext": { + "type": "string", + "description": "The cracked, plaintext version of the password (where the password is crackable).", + "title": "Password Plain Text" + }, + "severity": { + "type": "number", + "description": "Severity is a numeric code representing severity of a breach record. This can be used in API requests to ensure only Breach Records with plaintext password are returned.", + "title": "Severity" + }, + "document_id": { + "type": "string", + "description": "UUID v4 string which uniquely identifies this breach record in our data set.", + "title": "Document ID" + } + } + }, + "description": "Password Breach Results Object" + } + }, + "description": "Password Breach Data Response" + }, + "Breach_Data_By_Username_Schema": { + "type": "object", + "properties": { + "cursor": { + "type": "string", + "description": "cursor", + "title": "Cursor" + }, + "hits": { + "type": "number", + "description": "hits", + "title": "Hits" + }, + "results": { + "type": "array", + "items": { + "type": "object", + "properties": { + "email": { + "type": "string", + "description": "Email address.", + "title": "Email Address." + }, + "username": { + "type": "string", + "description": "User name.", + "title": "Username" + }, + "password": { + "type": "string", + "description": "Account password.", + "title": "Password" + }, + "password_plaintext": { + "type": "string", + "description": "The cracked, plaintext version of the password (where the password is crackable).", + "title": "Password Plaintext" + }, + "password_type": { + "type": "string", + "description": "Password type for original password as found in the data breach. This will either be plaintext or one of the many password hash/encryption types (SHA1, MD5, 3DES, etc).", + "title": "Password Type" + }, + "target_url": { + "type": "string", + "description": "URL extracted from Botnet data. This is the URL that is captured from a key logger installed on an infected user's system.", + "title": "Target URL" + }, + "user_browser": { + "type": "string", + "description": "Browser name.", + "title": "User Browser" + }, + "ip_addresses": { + "type": "string", + "description": "List of one or more IP addresses in alphanumeric format. Both IPV4 and IPv6 addresses are supported.", + "title": "IP Addressess" + }, + "infected_machine_id": { + "type": "string", + "description": "The unique id of the infected user's system.", + "title": "Infected Machine Id" + }, + "infected_path": { + "type": "string", + "description": "The local path to the malicious software installed on the infected user's system.", + "title": "Infected Path" + }, + "infected_time": { + "type": "string", + "description": "The time at which the user's system was infected with malicious software.", + "title": "Infected Time" + }, + "user_sys_domain": { + "type": "string", + "description": "System domain. This usually comes from Botnet data.", + "title": "User System Domain" + }, + "user_hostname": { + "type": "string", + "description": "System hostname. This usually comes from Botnet data.", + "title": "User Hostname" + }, + "user_os": { + "type": "string", + "description": "System OS name. This usually comes from Botnet data.", + "title": "User OS Name" + }, + "user_sys_registered_owner": { + "type": "string", + "description": "System registered owner name. This usually comes from Botnet data.", + "title": "System Registered Owner Name" + }, + "source_id": { + "type": "number", + "description": "Numerical breach ID. This correlates directly with the id field in Breach Catalog objects.", + "title": "Source ID" + }, + "spycloud_publish_date": { + "type": "string", + "description": "The date on which we ingested the breached data into our systems. This is the same date on which the data becomes publicly available to our customers.", + "title": "Spycloud Publish Date" + }, + "email_domain": { + "type": "string", + "description": "Domain extracted from 'email_address' field. This is not a SLD, but everything after the '@' symbol.", + "title": "Email Domain" + }, + "email_username": { + "type": "string", + "description": "Username extracted from 'email' field. This is everything before the '@' symbol.", + "title": "Email Username" + }, + "domain": { + "type": "string", + "description": "Domain name.", + "title": "Domain" + }, + "target_domain": { + "type": "string", + "description": "SLD extracted from 'target_url' field.", + "title": "Target Domain" + }, + "target_subdomain": { + "type": "string", + "description": "Subdomain and SLD extracted from 'target_url' field.", + "title": "Target Sub Domain" + }, + "severity": { + "type": "number", + "description": "Severity is a numeric code representing severity of a breach record. This can be used in API requests to ensure only Breach Records with plaintext password are returned.", + "title": "Severity" + }, + "document_id": { + "type": "string", + "description": "UUID v4 string which uniquely identifies this breach record in our data set.", + "title": "Document ID" + } + } + }, + "description": "Username Breach Results Object" + } + }, + "description": "Username Breach Data Response" + }, + "Breach_Data_By_Watchlist_Schema": { + "type": "object", + "properties": { + "cursor": { + "type": "string", + "description": "cursor", + "title": "Cursor" + }, + "hits": { + "type": "number", + "description": "hits", + "title": "Hits" + }, + "results": { + "type": "array", + "items": { + "type": "object", + "properties": { + "username": { + "type": "string", + "description": "User name.", + "title": "Username" + }, + "password": { + "type": "string", + "description": "Account password.", + "title": "Password" + }, + "password_plaintext": { + "type": "string", + "description": "The cracked, plaintext version of the password (where the password is crackable).", + "title": "Password Plaintext" + }, + "password_type": { + "type": "string", + "description": "Password type for original password as found in the data breach. This will either be plaintext or one of the many password hash/encryption types (SHA1, MD5, 3DES, etc).", + "title": "Password Type" + }, + "target_url": { + "type": "string", + "description": "URL extracted from Botnet data. This is the URL that is captured from a key logger installed on an infected user's system.", + "title": "Target URL" + }, + "user_browser": { + "type": "string", + "description": "Browser name.", + "title": "User Browser" + }, + "ip_addresses": { + "type": "string", + "description": "List of one or more IP addresses in alphanumeric format. Both IPV4 and IPv6 addresses are supported.", + "title": "IP Addressess" + }, + "infected_machine_id": { + "type": "string", + "description": "The unique id of the infected user's system.", + "title": "Infected Machine Id" + }, + "infected_path": { + "type": "string", + "description": "The local path to the malicious software installed on the infected user's system.", + "title": "Infected Path" + }, + "infected_time": { + "type": "string", + "description": "The time at which the user's system was infected with malicious software.", + "title": "Infected Time" + }, + "user_sys_domain": { + "type": "string", + "description": "System domain. This usually comes from Botnet data.", + "title": "User System Domain" + }, + "user_hostname": { + "type": "string", + "description": "System hostname. This usually comes from Botnet data.", + "title": "User Hostname" + }, + "user_os": { + "type": "string", + "description": "System OS name. This usually comes from Botnet data.", + "title": "User OS Name" + }, + "user_sys_registered_owner": { + "type": "string", + "description": "System registered owner name. This usually comes from Botnet data.", + "title": "System Registered Owner Name" + }, + "source_id": { + "type": "number", + "description": "Numerical breach ID. This correlates directly with the id field in Breach Catalog objects.", + "title": "Source ID" + }, + "spycloud_publish_date": { + "type": "string", + "description": "The date on which we ingested the breached data into our systems. This is the same date on which the data becomes publicly available to our customers.", + "title": "Spycloud Publish Date" + }, + "target_domain": { + "type": "string", + "description": "SLD extracted from 'target_url' field.", + "title": "Target Domain" + }, + "target_subdomain": { + "type": "string", + "description": "Subdomain and SLD extracted from 'target_url' field.", + "title": "Target Sub Domain" + }, + "severity": { + "type": "number", + "description": "Severity is a numeric code representing severity of a breach record. This can be used in API requests to ensure only Breach Records with plaintext password are returned.", + "title": "Severity" + }, + "document_id": { + "type": "string", + "description": "UUID v4 string which uniquely identifies this breach record in our data set.", + "title": "Document ID" + } + } + }, + "description": "Watchlist Breach Results Object" + } + }, + "description": "Watchlist Breach Data Response" + }, + "Compass_Devices_List_Schema": { + "type": "object", + "properties": { + "hits": { + "type": "number", + "description": "hits", + "title": "Hits" + }, + "results": { + "type": "array", + "items": { + "type": "object", + "properties": { + "infected_device_id": { + "type": "string", + "description": "Infected Device Id.", + "title": "Infected Device Id" + }, + "user_hostname": { + "type": "string", + "description": "System hostname. This usually comes from Botnet data.", + "title": "User Hostname" + }, + "user_os": { + "type": "string", + "description": "System OS name. This usually comes from Botnet data.", + "title": "User OS" + }, + "ip_addresses": { + "type": "string", + "description": "List of one or more IP addresses in alphanumeric format. Both IPV4 and IPv6 addresses are supported.", + "title": "IP Addresses" + }, + "source_id": { + "type": "number", + "description": "Numerical breach ID. This correlates directly with the id field in Breach Catalog objects.", + "title": "Source ID" + }, + "spycloud_publish_date": { + "type": "string", + "description": "The date on which we ingested the breached data into our systems. This is the same date on which the data becomes publicly available to our customers.", + "title": "Spycloud Publish Date" + }, + "infected_time": { + "type": "string", + "description": "The time at which the user's system was infected with malicious software.", + "title": "Infected Time" + }, + "application_count": { + "type": "string", + "description": "Application Count.", + "title": "Application Count" + } + } + }, + "description": "Compass Devices List Results Object" + } + }, + "description": "Compass Devices List Data Response" + }, + "Compass_Devices_Data_Schema": { + "type": "object", + "properties": { + "hits": { + "type": "number", + "description": "hits", + "title": "Hits" + }, + "cursor": { + "type": "string", + "description": "Token used for iterating through multiple pages of results.", + "title": "Cursor" + }, + "results": { + "type": "array", + "items": { + "type": "object", + "properties": { + "user_browser": { + "type": "string", + "description": "Browser Name.", + "title": "User Browser" + }, + "password": { + "type": "string", + "description": "Account password.", + "title": "Password" + }, + "document_id": { + "type": "string", + "description": "UUID v4 string which uniquely identifies this breach record in our data set.", + "title": "Document Id" + }, + "source_id": { + "type": "string", + "description": "Numerical breach ID. This correlates directly with the id field in Breach Catalog objects.", + "title": "Source Id" + }, + "email": { + "type": "string", + "description": "Email address.", + "title": "Email" + }, + "ip_addresses": { + "type": "string", + "description": "List of one or more IP addresses in alphanumeric format. Both IPV4 and IPv6 addresses are supported.", + "title": "IP Addresses" + }, + "country": { + "type": "string", + "description": "Country name.", + "title": "Country" + }, + "infected_machine_id": { + "type": "string", + "description": "The unique id of the infected user's system.", + "title": "Infected Machine Id" + }, + "infected_path": { + "type": "string", + "description": "The local path to the malicious software installed on the infected user's system.", + "title": "Infected Path" + }, + "user_os": { + "type": "string", + "description": "System OS name. This usually comes from Botnet data.", + "title": "USer OS" + }, + "user_hostname": { + "type": "string", + "description": "System hostname. This usually comes from Botnet data.", + "title": "User Hostname" + }, + "user_sys_registered_owner": { + "type": "string", + "description": "System registered owner name. This usually comes from Botnet data.", + "title": "User System Registered Owner" + }, + "keyboard_languages": { + "type": "string", + "description": "The keyboard language found in the OS. This usually comes from Botnet data.", + "title": "Keyboard Languages" + }, + "target_url": { + "type": "string", + "description": "URL extracted from Botnet data. This is the URL that is captured from a key logger installed on an infected user's system.", + "title": "Target URL" + }, + "infected_time": { + "type": "string", + "description": "The time at which the user's system was infected with malicious software.", + "title": "Infected Time" + }, + "spycloud_publish_date": { + "type": "string", + "description": "The date on which this record was ingested into our systems. In ISO 8601 datetime format. This correlates with spycloud_publish_date field in Breach Catalog objects.", + "title": "Spycloud Publish Date" + }, + "email_domain": { + "type": "string", + "description": "Domain extracted from 'email_address' field. This is not a SLD, but everything after the '@' symbol.", + "title": "Email Domain" + }, + "email_username": { + "type": "string", + "description": "Username extracted from 'email' field. This is everything before the '@' symbol.", + "title": "Email Username" + }, + "domain": { + "type": "string", + "description": "Domain name.", + "title": "Domain" + }, + "target_domain": { + "type": "string", + "description": "SLD extracted from 'target_url' field.", + "title": "Target Domain" + }, + "target_subdomain": { + "type": "string", + "description": "Subdomain and SLD extracted from 'target_url' field.", + "title": "Target Subdomain" + }, + "password_type": { + "type": "string", + "description": "Password type for original password as found in the data breach. This will either be plaintext or one of the many password hash/encryption types (SHA1, MD5, 3DES, etc).", + "title": "PAssword Type" + }, + "password_plaintext": { + "type": "string", + "description": "The cracked, plaintext version of the password (where the password is crackable).", + "title": "Password Plaintext" + }, + "country_code": { + "type": "string", + "description": "Country code; derived from country.", + "title": "Country Code" + }, + "severity": { + "type": "string", + "description": "Severity is a numeric code representing severity of a breach record. This can be used in API requests to ensure only Breach Records with plaintext password are returned.", + "title": "Severity" + } + } + }, + "description": "Compass Devices Data Results Object" + } + }, + "description": "Compass Devices Data Response" + }, + "Compass_Applications_Data_Schema": { + "type": "object", + "properties": { + "hits": { + "type": "number", + "description": "hits", + "title": "Hits" + }, + "cursor": { + "type": "string", + "description": "Token used for iterating through multiple pages of results.", + "title": "Cursor" + }, + "results": { + "type": "array", + "items": { + "type": "object", + "properties": { + "user_browser": { + "type": "string", + "description": "Browser Name.", + "title": "User Browser" + }, + "password": { + "type": "string", + "description": "Account password.", + "title": "Password" + }, + "document_id": { + "type": "string", + "description": "UUID v4 string which uniquely identifies this breach record in our data set.", + "title": "Document Id" + }, + "source_id": { + "type": "string", + "description": "Numerical breach ID. This correlates directly with the id field in Breach Catalog objects.", + "title": "Source Id" + }, + "email": { + "type": "string", + "description": "Email address.", + "title": "Email" + }, + "ip_addresses": { + "type": "string", + "description": "List of one or more IP addresses in alphanumeric format. Both IPV4 and IPv6 addresses are supported.", + "title": "IP Addresses" + }, + "country": { + "type": "string", + "description": "Country name.", + "title": "Country" + }, + "infected_machine_id": { + "type": "string", + "description": "The unique id of the infected user's system.", + "title": "Infected Machine Id" + }, + "infected_path": { + "type": "string", + "description": "The local path to the malicious software installed on the infected user's system.", + "title": "Infected Path" + }, + "user_os": { + "type": "string", + "description": "System OS name. This usually comes from Botnet data.", + "title": "USer OS" + }, + "user_hostname": { + "type": "string", + "description": "System hostname. This usually comes from Botnet data.", + "title": "User Hostname" + }, + "user_sys_registered_owner": { + "type": "string", + "description": "System registered owner name. This usually comes from Botnet data.", + "title": "User System Registered Owner" + }, + "keyboard_languages": { + "type": "string", + "description": "The keyboard language found in the OS. This usually comes from Botnet data.", + "title": "Keyboard Languages" + }, + "target_url": { + "type": "string", + "description": "URL extracted from Botnet data. This is the URL that is captured from a key logger installed on an infected user's system.", + "title": "Target URL" + }, + "infected_time": { + "type": "string", + "description": "The time at which the user's system was infected with malicious software.", + "title": "Infected Time" + }, + "spycloud_publish_date": { + "type": "string", + "description": "The date on which this record was ingested into our systems. In ISO 8601 datetime format. This correlates with spycloud_publish_date field in Breach Catalog objects.", + "title": "Spycloud Publish Date" + }, + "email_domain": { + "type": "string", + "description": "Domain extracted from 'email_address' field. This is not a SLD, but everything after the '@' symbol.", + "title": "Email Domain" + }, + "email_username": { + "type": "string", + "description": "Username extracted from 'email' field. This is everything before the '@' symbol.", + "title": "Email Username" + }, + "domain": { + "type": "string", + "description": "Domain name.", + "title": "Domain" + }, + "target_domain": { + "type": "string", + "description": "SLD extracted from 'target_url' field.", + "title": "Target Domain" + }, + "target_subdomain": { + "type": "string", + "description": "Subdomain and SLD extracted from 'target_url' field.", + "title": "Target Subdomain" + }, + "password_type": { + "type": "string", + "description": "Password type for original password as found in the data breach. This will either be plaintext or one of the many password hash/encryption types (SHA1, MD5, 3DES, etc).", + "title": "PAssword Type" + }, + "password_plaintext": { + "type": "string", + "description": "The cracked, plaintext version of the password (where the password is crackable).", + "title": "Password Plaintext" + }, + "country_code": { + "type": "string", + "description": "Country code; derived from country.", + "title": "Country Code" + }, + "severity": { + "type": "string", + "description": "Severity is a numeric code representing severity of a breach record. This can be used in API requests to ensure only Breach Records with plaintext password are returned.", + "title": "Severity" + } + } + }, + "description": "Compass Application Data Results Object" + } + }, + "description": "Compass Application Data Response" + } + }, + "parameters": { + "Infected_Machine_Id": { + "name": "infected_machine_id", + "in": "path", + "required": true, + "type": "string", + "description": "One or more comma delimited Infected Machine ID to search for compass breach records.", + "x-ms-summary": "Infected Machine Id" + }, + "Target_Application": { + "name": "target_application", + "in": "path", + "required": true, + "type": "string", + "description": "One or more comma delimited Compass target application (subdomain or domain) to search for.", + "x-ms-summary": "Target Application" + }, + "ID": { + "name": "id", + "in": "path", + "required": true, + "type": "string", + "description": "Numerical ID of the breach. Both integer and UUIDv4 ID formats are supported. You may also use a comma delimiter to request more than one breach at a time.", + "x-ms-summary": "ID" + }, + "Domain": { + "name": "domain", + "in": "path", + "required": true, + "type": "string", + "description": "Domain or Subdomain name to search for.", + "x-ms-summary": "Domain" + }, + "Email": { + "name": "email", + "in": "path", + "required": true, + "type": "string", + "description": "Email address to search for.", + "x-ms-summary": "Email Address" + }, + "IP": { + "name": "ip", + "in": "path", + "required": true, + "type": "string", + "description": "IP address or network CIDR notation to search for. For CIDR notation, use an underscore instead of a slash.", + "x-ms-summary": "IP Address" + }, + "Password": { + "name": "password", + "in": "path", + "required": true, + "type": "string", + "description": "Password you wish to search for.", + "x-ms-summary": "Password" + }, + "Username": { + "name": "username", + "in": "path", + "required": true, + "type": "string", + "description": "Username you wish to search for.", + "x-ms-summary": "Username" + }, + "Query": { + "name": "query", + "in": "query", + "required": false, + "type": "string", + "description": "Query value to search the breach catalog for.", + "x-ms-summary": "Query" + }, + "Type": { + "name": "type", + "in": "query", + "required": false, + "type": "string", + "description": "This parameter lets you filter results by several types. The allowed values are 'corporate' for corporate records, and 'infected' for infected user records, email_domain to just match against email domains, and target_domain to just match against target domains or subdomains. If no value has been provided the API function will, by default, return all record types.", + "x-ms-summary": "Type", + "enum": [ + "corporate", + "infected", + "email_domain", + "target_domain" + ] + }, + "Compass_Type": { + "name": "type", + "in": "query", + "required": false, + "type": "string", + "description": "This parameter will return records that are verified or unverified, meaning those that matched the watchlist or not. By default if type is not used, both types will be returned.", + "x-ms-summary": "Type", + "enum": [ + "verified", + "unverified" + ] + }, + "Watchlist_Type": { + "name": "watchlist_type", + "in": "query", + "required": false, + "type": "string", + "description": "This parameters lets you filter results for only emails or only domains on your watchlist. The allowed values are: ['email', 'domain', 'subdomain', 'ip']. If no value has been provided, the API will return all watchlist types.", + "x-ms-summary": "Watchlist Type", + "enum": [ + "email", + "domain", + "subdomain", + "ip" + ] + }, + "Cursor": { + "name": "cursor", + "in": "query", + "required": false, + "type": "string", + "description": "Token used for iterating through multiple pages of results.", + "x-ms-summary": "Cursor" + }, + "Since": { + "name": "since", + "in": "query", + "required": false, + "type": "string", + "description": "This parameter allows you to define the starting point for a date range query on the spycloud_publish_date field.", + "x-ms-summary": "Since(YYYY-MM-DD)" + }, + "Until": { + "name": "until", + "in": "query", + "required": false, + "type": "string", + "description": "This parameter allows you to define the ending point for a date range query on the spycloud_publish_date field.", + "x-ms-summary": "Until(YYYY-MM-DD)" + }, + "Since_Modification_Date": { + "name": "since_modification_date", + "in": "query", + "required": false, + "type": "string", + "description": "This parameter allows you to define the starting point for a date range query on the when an already published record was modified (record_modification_date).", + "x-ms-summary": "Since Modification Date(YYYY-MM-DD)" + }, + "Until_Modification_Date": { + "name": "until_modification_date", + "in": "query", + "required": false, + "type": "string", + "description": "This parameter allows you to define the ending point for a date range query on the when an already published record was modified (record_modification_date).", + "x-ms-summary": "Until Modification Date(YYYY-MM-DD)" + }, + "Severity": { + "name": "severity", + "in": "query", + "required": false, + "type": "string", + "description": "This parameter allows you to filter based on the numeric severity code.", + "x-ms-summary": "Severity" + }, + "Source_Id": { + "name": "source_id", + "in": "query", + "required": false, + "type": "number", + "description": "This parameter allows you to filter based on a particular breach source.", + "x-ms-summary": "Source Id" + }, + "Salt": { + "name": "salt", + "in": "query", + "required": false, + "type": "string", + "description": "If hashing is enabled for your API key, you have the option to provide a 10 to 24 character, high entropy salt otherwise the pre-configured salt will be used.", + "x-ms-summary": "Salt" + }, + "Since_Infected": { + "name": "since_infected", + "in": "query", + "required": false, + "type": "string", + "description": "This parameter allows you to define the starting point for a date range query on the infected_time..", + "x-ms-summary": "Since Infected(YYYY-MM-DD)" + }, + "Until_Infected": { + "name": "until_infected", + "in": "query", + "required": false, + "type": "string", + "description": "This parameter allows you to define the ending point for a date range query on the infected_time field.", + "x-ms-summary": "Until Infected(YYYY-MM-DD)" + } + }, + "responses": {}, + "securityDefinitions": { + "API Key": { + "type": "apiKey", + "in": "header", + "name": "X-API-Key" + } + }, + "security": [ + { + "API Key": [] + } + ], + "tags": [] + } + } + } + ] +} \ No newline at end of file diff --git a/Solutions/SpyCloud Enterprise Protection/Playbooks/Custom Connector/images/logo.png b/Solutions/SpyCloud Enterprise Protection/Playbooks/Custom Connector/images/logo.png new file mode 100644 index 00000000000..5a489fefce7 Binary files /dev/null and b/Solutions/SpyCloud Enterprise Protection/Playbooks/Custom Connector/images/logo.png differ diff --git a/Solutions/SpyCloud Enterprise Protection/Playbooks/Custom Connector/readme.md b/Solutions/SpyCloud Enterprise Protection/Playbooks/Custom Connector/readme.md new file mode 100644 index 00000000000..8b0b55ff80f --- /dev/null +++ b/Solutions/SpyCloud Enterprise Protection/Playbooks/Custom Connector/readme.md @@ -0,0 +1,55 @@ +# SpyCloud Enterprise Protection Logic Apps custom connector + +![SpyCloud Enterprise](images/logo.png)Breach Playbook successful
" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Check_if_password_exists_in_the_incident": { + "actions": { + "Set_Incident_Password": { + "runAfter": {}, + "type": "SetVariable", + "inputs": { + "name": "incident_password", + "value": "@{variables('incident_custom_details_object')?['Password']}" + } + }, + "Set_variable": { + "runAfter": { + "Set_Incident_Password": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "incident_plain_text_password", + "value": "@{replace(replace(variables('incident_password'),'[\"',''),'\"]','')}" + } + } + }, + "runAfter": { + "Set_custom_details_object": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@variables('incident_custom_details_object')?['Password']", + "@null" + ] + } + } + ] + }, + "type": "If" + }, + "Check_if_pwd_length_is_greater_than_required_length_by_organization": { + "actions": {}, + "runAfter": { + "Check_if_password_exists_in_the_incident": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "equals": [ + "", + "" + ] + } + ] + }, + "type": "If" + }, + "Check_if_the_exposed_password_is_in_use_on_the_network": { + "actions": {}, + "runAfter": { + "Check_if_the_user_is_currently_an_active_employee": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "equals": [ + "", + "" + ] + } + ] + }, + "type": "If" + }, + "Check_if_the_user_is_currently_an_active_employee": { + "actions": {}, + "runAfter": { + "Check_if_pwd_length_is_greater_than_required_length_by_organization": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "equals": [ + "", + "" + ] + } + ] + }, + "type": "If" + }, + "Set_custom_details_object": { + "runAfter": {}, + "type": "SetVariable", + "inputs": { + "name": "incident_custom_details_object", + "value": "@json(items('For_each_incident_alert')?['properties']?['additionalData']?['Custom Details'])" + } + } + }, + "runAfter": { + "For_each_account": [ + "Succeeded" + ] + }, + "type": "Foreach" + } + }, + "runAfter": { + "Incident_Custom_Details_Object": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "equals": [ + "@triggerBody()?['object']?['properties']?['title']", + "@variables('incident_name')" + ] + } + ] + }, + "type": "If" + }, + "IP_address": { + "runAfter": { + "Outputs_Variable": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "ip_address", + "type": "string" + } + ] + } + }, + "Incident_Custom_Details_Object": { + "runAfter": { + "IP_address": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "incident_custom_details_object", + "type": "object" + } + ] + } + }, + "Incident_Email_Account": { + "runAfter": { + "Incident_Plain_Text_Password": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "incident_email_address", + "type": "string" + } + ] + } + }, + "Incident_Name": { + "runAfter": {}, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "incident_name", + "type": "string", + "value": "SpyCloud Enterprise Breach Detection" + } + ] + } + }, + "Incident_Password": { + "runAfter": { + "Incident_Name": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "incident_password", + "type": "string" + } + ] + } + }, + "Incident_Plain_Text_Password": { + "runAfter": { + "Incident_Password": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "incident_plain_text_password", + "type": "string" + } + ] + } + }, + "Outputs_Variable": { + "runAfter": { + "Astriek_Variable": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "password_enrich_data", + "type": "array" + } + ] + } + }, + "UPN_Suffix_": { + "runAfter": { + "Account_Name": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "upn_suffix", + "type": "string" + } + ] + } + } + }, + "outputs": {} + }, + "parameters": { + "$connections": { + "value": { + "azuresentinel": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", + "connectionName": "[variables('AzureSentinelConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + } + } + } + } + } + } + ] +} diff --git a/Solutions/SpyCloud Enterprise Protection/Playbooks/SpyCloud-Breach-Playbook/images/deployment.png b/Solutions/SpyCloud Enterprise Protection/Playbooks/SpyCloud-Breach-Playbook/images/deployment.png new file mode 100644 index 00000000000..425f0317c9b Binary files /dev/null and b/Solutions/SpyCloud Enterprise Protection/Playbooks/SpyCloud-Breach-Playbook/images/deployment.png differ diff --git a/Solutions/SpyCloud Enterprise Protection/Playbooks/SpyCloud-Breach-Playbook/images/logo.png b/Solutions/SpyCloud Enterprise Protection/Playbooks/SpyCloud-Breach-Playbook/images/logo.png new file mode 100644 index 00000000000..5a489fefce7 Binary files /dev/null and b/Solutions/SpyCloud Enterprise Protection/Playbooks/SpyCloud-Breach-Playbook/images/logo.png differ diff --git a/Solutions/SpyCloud Enterprise Protection/Playbooks/SpyCloud-Breach-Playbook/images/steps_to_configure.png b/Solutions/SpyCloud Enterprise Protection/Playbooks/SpyCloud-Breach-Playbook/images/steps_to_configure.png new file mode 100644 index 00000000000..cc9e34ded9f Binary files /dev/null and b/Solutions/SpyCloud Enterprise Protection/Playbooks/SpyCloud-Breach-Playbook/images/steps_to_configure.png differ diff --git a/Solutions/SpyCloud Enterprise Protection/Playbooks/SpyCloud-Breach-Playbook/readme.md b/Solutions/SpyCloud Enterprise Protection/Playbooks/SpyCloud-Breach-Playbook/readme.md new file mode 100644 index 00000000000..afe8fef2374 --- /dev/null +++ b/Solutions/SpyCloud Enterprise Protection/Playbooks/SpyCloud-Breach-Playbook/readme.md @@ -0,0 +1,51 @@ +# SpyCloud Enterprise Breach Playbook + +![SpyCloud Enterprise](images/logo.png) + +## Table of Contents + +1. [Overview](#overview) +3. [Prerequisites](#prerequisites) +4. [Deployment](#deployment) +5. [Post Deployment Steps](#postdeployment) + + + + +## Overview +This playbook gets triggered when an incident is created from the "SpyCloud Breach Rule" and can perform the following actions + +- Check if the breached password length is >= the minimum required by the organization. If not, exit the playbook. +- Check if the user is currently an active employee. If not, exit the playbook. +- Check if the exposed password is in use on the network (check AD, check Okta, check Ping, check G-Suite, etc. +- If the password is in use in one of the checked systems, perform a password reset, raise an incident, etc. + + + + +## Prerequisites +- A SpyCloud Enterprise API Key. +- SpyCloud Enterprise custom connector needs to be deployed prior to the deployment of this playbook, in the same resource group and region. Relevant instructions can be found on the connector doc page. +- SpyCloud-Monitor-Watchlist-Data-Playbook needs to be deployed prior to the deployment of this playbook, in the same resource group and region. Relevant instructions can be found on the playbook doc page. + + + +## Deployment Instructions +- Deploy the playbooks by clicking on the "Deploy to Azure" button. This will take you to the ARM Template Wizard. +- Fill in the required parameters for deploying the playbook. + ![deployment](images/deployment.png) +- Click "Review + create". Once the validation is successful, click on "Create". + +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FSpyCloud%20Enterprise%20Protection%2FPlaybooks%2FSpyCloud-Breach-Playbook%2Fazuredeploy.json) +[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FSpyCloud%20Enterprise%20Protection%2FPlaybooks%2FSpyCloud-Breach-Playbook%2Fazuredeploy.json) + + + +## Post Deployment Instructions +### Authorize connections +Once deployment is complete, you will need to authorize each connection: +- As a best practice, we have used the Sentinel connection in Logic Apps that use "ManagedSecurityIdentity" permissions. Please refer to [this document](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/what-s-new-managed-identity-for-azure-sentinel-logic-apps/ba-p/2068204) and provide permissions to the Logic App accordingly. +- Provide connection details for the SpyCloud Enterprise Custom Connector. +- Save the Logic App. If the Logic App prompts any missing connections, please update the connections similarly. +### b.Configurations in Sentinel: +- In Azure Sentinel, configure the SpyCloud Breach rule automation rules to trigger this playbook. diff --git a/Solutions/SpyCloud Enterprise Protection/Playbooks/SpyCloud-Get-Domain-Breach-Data-Playbook/azuredeploy.json b/Solutions/SpyCloud Enterprise Protection/Playbooks/SpyCloud-Get-Domain-Breach-Data-Playbook/azuredeploy.json new file mode 100644 index 00000000000..a97dc00d5d5 --- /dev/null +++ b/Solutions/SpyCloud Enterprise Protection/Playbooks/SpyCloud-Get-Domain-Breach-Data-Playbook/azuredeploy.json @@ -0,0 +1,491 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "title": "Domain Breach Data - SpyCloud Enterprise", + "description": "The SpyCloud Enterprise API is able to provide breach data for a domain or set of domains associated with an incident.", + "prerequisites": "https://www.spycloud.com/integrations to request a trial key.", + "postDeployment": [ + "Testing Description " + ], + "lastUpdateTime": "2022-09-05T00:00:00.000Z", + "entities": ["dnsresolution"], + "tags": ["Enrichment"], + "support": { + "tier": "community" + }, + "author": { + "name": "SpyCloud Integrations" + } + }, + "parameters": { + "PlaybookName": { + "defaultValue": "SpyCloud-Get-Domain-Breach-Data-Playbook", + "type": "string", + "metadata": { + "description": "Name of the Logic App/Playbook" + } + }, + "SpyCloudConnectorName":{ + "defaultValue": "SpyCloud-Enterprise-Protection", + "type": "String", + "metadata": { + "description": "SpyCloud Enterprise custom connector name" + } + } + }, + "variables": { + "SpyCloudEnterpriseConnectionName": "[concat('spycloudconnector-', parameters('PlaybookName'))]", + "AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]" + }, + "resources": [ + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('AzureSentinelConnectionName')]", + "location": "[resourceGroup().location]", + "kind": "V1", + "properties": { + "displayName": "[variables('AzureSentinelConnectionName')]", + "customParameterValues": {}, + "parameterValueType": "Alternative", + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('SpyCloudEnterpriseConnectionName')]", + "location": "[resourceGroup().location]", + "properties": { + "displayName": "[variables('SpyCloudEnterpriseConnectionName')]", + "customParameterValues": {}, + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('SpyCloudConnectorName'))]" + } + } + }, + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2017-07-01", + "name": "[parameters('PlaybookName')]", + "location": "[resourceGroup().location]", + "identity": { + "type": "SystemAssigned" + }, + "dependsOn": [ + "[resourceId('Microsoft.Web/connections', variables('SpyCloudEnterpriseConnectionName'))]", + "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]" + ], + "properties": { + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "defaultValue": {}, + "type": "Object" + } + }, + "triggers": { + "Microsoft_Sentinel_incident_2": { + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "path": "/incident-creation" + } + } + }, + "actions": { + "Entities_-_Get_DNS": { + "runAfter": { + "IP_address": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/entities/dnsresolution" + } + }, + "For_Each_Incident_DNS_Domain": { + "foreach": "@body('Entities_-_Get_DNS')?['Dnsresolutions']", + "actions": { + "Check_if_records_exists": { + "actions": { + "Add_comment_to_incident_(V3)": { + "runAfter": { + "Check_number_of_Records": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "SpyCloud Breach Data for Domain @{items('For_Each_Incident_DNS_Domain')?['DomainName']}@{body('Create_HTML_table')}@{variables('more_records_display_text')}
" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Check_number_of_Records": { + "actions": { + "set_more_records_display_text": { + "runAfter": {}, + "type": "SetVariable", + "inputs": { + "name": "more_records_display_text", + "value": "Showing @{variables('min_records')} records out of @{variables('total_records')} records, for more information visit https://portal.spycloud.com/" + } + } + }, + "runAfter": { + "Create_HTML_table": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "greater": [ + "@variables('total_records')", + "@variables('min_records')" + ] + } + ] + }, + "type": "If" + }, + "Create_HTML_table": { + "runAfter": { + "For_each_response": [ + "Succeeded" + ] + }, + "type": "Table", + "inputs": { + "format": "HTML", + "from": "@variables('domain_breach_data_array')" + } + }, + "For_each_response": { + "foreach": "@take(body('Get_Breach_Data_by_Domain_Search')?['results'],variables('min_records'))", + "actions": { + "Append_to_array_variable": { + "runAfter": { + "Compose": [ + "Succeeded" + ] + }, + "type": "AppendToArrayVariable", + "inputs": { + "name": "Domain_Breach_Data_Array", + "value": "@outputs('Compose')" + } + }, + "Compose": { + "runAfter": { + "Condition": [ + "Succeeded" + ] + }, + "type": "Compose", + "inputs": { + "Document Id": "@items('For_each_response')?['document_id']", + "Domain": "@items('For_each_response')?['domain']", + "Email": "@items('For_each_response')?['email']", + "IP Addresses": "@substring(variables('ip_address'),0,sub(length(variables('ip_address')),1))", + "Infected Machine Id": "@items('For_each_response')?['infected_machine_id']", + "Infected Path": "@items('For_each_response')?['infected_path']", + "Infected Time": "@items('For_each_response')?['infected_time']", + "Password": "@items('For_each_response')?['password']", + "Password Plaintext": "@items('For_each_response')?['password_plaintext']", + "Severity": "@items('For_each_response')?['severity']", + "Source Id": "@items('For_each_response')?['source_id']", + "Spycloud Publish Date": "@items('For_each_response')?['spycloud_publish_date']", + "Target Domain": "@items('For_each_response')?['target_domain']", + "Target Subdomain": "@items('For_each_response')?['target_subdomain']", + "Target Url": "@items('For_each_response')?['target_url']", + "User Hostname": "@items('For_each_response')?['user_hostname']", + "User OS": "@items('For_each_response')?['user_os']", + "Username": "@items('For_each_response')?['username']" + } + }, + "Condition": { + "actions": { + "For_each_ip": { + "foreach": "@items('For_each_response')?['ip_addresses']", + "actions": { + "Append_to_string_variable": { + "runAfter": {}, + "type": "AppendToStringVariable", + "inputs": { + "name": "ip_address", + "value": "@{items('For_each_ip')}," + } + } + }, + "runAfter": {}, + "type": "Foreach" + } + }, + "runAfter": { + "Set_variable": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@items('For_each_response')?['ip_addresses']", + "@null" + ] + } + } + ] + }, + "type": "If" + }, + "Set_variable": { + "runAfter": {}, + "type": "SetVariable", + "inputs": { + "name": "ip_address", + "value": " " + } + } + }, + "runAfter": { + "Set_more_records_to_empty": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Set_array_to_Empty": { + "runAfter": {}, + "type": "SetVariable", + "inputs": { + "name": "Domain_Breach_Data_Array", + "value": [] + } + }, + "Set_more_records_to_empty": { + "runAfter": { + "Set_array_to_Empty": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "more_records_display_text", + "value": " " + } + } + }, + "runAfter": { + "set_total_records": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Add_comment_to_incident_(V3)_2": { + "runAfter": {}, + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "SpyCloud Breach Data for Domain @{items('For_Each_Incident_DNS_Domain')?['DomainName']}
\nNo Records Found.
SpyCloud Breach Data for Email @{variables('email_address')}@{body('Create_HTML_table')}@{variables('more_records_display_text')}
" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Check_number_of_Records": { + "actions": { + "set_more_records_display_text": { + "runAfter": {}, + "type": "SetVariable", + "inputs": { + "name": "more_records_display_text", + "value": "Showing @{variables('min_records')} records out of @{variables('total_records')} records, for more information visit: https://portal.spycloud.com/" + } + } + }, + "runAfter": { + "Create_HTML_table": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "greater": [ + "@variables('total_records')", + "@variables('min_records')" + ] + } + ] + }, + "type": "If" + }, + "Create_HTML_table": { + "runAfter": { + "For_each_response": [ + "Succeeded" + ] + }, + "type": "Table", + "inputs": { + "format": "HTML", + "from": "@variables('email_breach_data_array')" + } + }, + "For_each_response": { + "foreach": "@take(body('Get_Breach_Data_by_Email_Search')?['results'],variables('min_records'))", + "actions": { + "Append_to_array_variable": { + "runAfter": { + "Compose": [ + "Succeeded" + ] + }, + "type": "AppendToArrayVariable", + "inputs": { + "name": "email_breach_data_array", + "value": "@outputs('Compose')" + } + }, + "Compose": { + "runAfter": { + "Condition": [ + "Succeeded" + ] + }, + "type": "Compose", + "inputs": { + "Document Id": "@items('For_each_response')?['document_id']", + "Domain": "@items('For_each_response')?['domain']", + "Email": "@items('For_each_response')?['email']", + "IP Addresses": "@substring(variables('ip_address'),0,sub(length(variables('ip_address')),1))", + "Infected Machine Id": "@items('For_each_response')?['infected_machine_id']", + "Infected Path": "@items('For_each_response')?['infected_path']", + "Infected Time": "@items('For_each_response')?['infected_time']", + "Password": "@items('For_each_response')?['password']", + "Password Plaintext": "@items('For_each_response')?['password_plaintext']", + "Severity": "@items('For_each_response')?['severity']", + "Source Id": "@items('For_each_response')?['source_id']", + "Spycloud Publish Date": "@items('For_each_response')?['spycloud_publish_date']", + "Target Domain": "@items('For_each_response')?['target_domain']", + "Target Subdomain": "@items('For_each_response')?['target_subdomain']", + "Target Url": "@items('For_each_response')?['target_url']", + "User Hostname": "@items('For_each_response')?['user_hostname']", + "User OS": "@items('For_each_response')?['user_os']", + "Username": "@items('For_each_response')?['username']" + } + }, + "Condition": { + "actions": { + "For_each_ip": { + "foreach": "@items('For_each_response')?['ip_addresses']", + "actions": { + "Append_to_string_variable": { + "runAfter": {}, + "type": "AppendToStringVariable", + "inputs": { + "name": "ip_address", + "value": "@{items('For_each_ip')}," + } + } + }, + "runAfter": {}, + "type": "Foreach" + } + }, + "runAfter": { + "Set_variable": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@items('For_each_response')?['ip_addresses']", + "@null" + ] + } + } + ] + }, + "type": "If" + }, + "Set_variable": { + "runAfter": {}, + "type": "SetVariable", + "inputs": { + "name": "ip_address", + "value": " " + } + } + }, + "runAfter": { + "Set_more_records_to_empty": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Set_array_to_empty": { + "runAfter": {}, + "type": "SetVariable", + "inputs": { + "name": "email_breach_data_array", + "value": [] + } + }, + "Set_more_records_to_empty": { + "runAfter": { + "Set_array_to_empty": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "more_records_display_text", + "value": " " + } + } + }, + "runAfter": { + "set_total_records": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Add_comment_to_incident_(V3)_2": { + "runAfter": {}, + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "SpyCloud Breach Data for Email @{variables('email_address')}
\nNo Records Found.
SpyCloud Breach Data for IP @{items('For_Each_Incident_IPS')?['Address']}@{body('Create_HTML_table')}@{variables('more_records_display_text')}
" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Check_number_of_Records": { + "actions": { + "set_more_records_display_text": { + "runAfter": {}, + "type": "SetVariable", + "inputs": { + "name": "more_records_display_text", + "value": "Showing @{variables('min_records')} records out of @{variables('total_records')} records, for more information visit https://portal.spycloud.com/" + } + } + }, + "runAfter": { + "Create_HTML_table": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "greater": [ + "@variables('total_records')", + "@variables('min_records')" + ] + } + ] + }, + "type": "If" + }, + "Create_HTML_table": { + "runAfter": { + "For_each_response": [ + "Succeeded" + ] + }, + "type": "Table", + "inputs": { + "format": "HTML", + "from": "@variables('ip_breach_data_array')" + } + }, + "For_each_response": { + "foreach": "@take(body('Get_Breach_Data_by_IP_Address')?['results'],variables('min_records'))", + "actions": { + "Append_to_array_variable": { + "runAfter": { + "Compose": [ + "Succeeded" + ] + }, + "type": "AppendToArrayVariable", + "inputs": { + "name": "IP_Breach_Data_Array", + "value": "@outputs('Compose')" + } + }, + "Compose": { + "runAfter": { + "Condition": [ + "Succeeded" + ] + }, + "type": "Compose", + "inputs": { + "Document Id": "@items('For_each_response')?['document_id']", + "Domain": "@items('For_each_response')?['domain']", + "Email": "@items('For_each_response')?['email']", + "IP Addresses": "@substring(variables('ip_address'),0,sub(length(variables('ip_address')),1))", + "Infected Machine Id": "@items('For_each_response')?['infected_machine_id']", + "Infected Path": "@items('For_each_response')?['infected_path']", + "Infected Time": "@items('For_each_response')?['infected_time']", + "Password": "@items('For_each_response')?['password']", + "Password Plaintext": "@items('For_each_response')?['password_plaintext']", + "Severity": "@items('For_each_response')?['severity']", + "Source Id": "@items('For_each_response')?['source_id']", + "Spycloud Publish Date": "@items('For_each_response')?['spycloud_publish_date']", + "Target Domain": "@items('For_each_response')?['target_domain']", + "Target Subdomain": "@items('For_each_response')?['target_subdomain']", + "Target Url": "@items('For_each_response')?['target_url']", + "User Hostname": "@items('For_each_response')?['user_hostname']", + "User OS": "@items('For_each_response')?['user_os']", + "Username": "@items('For_each_response')?['username']" + } + }, + "Condition": { + "actions": { + "For_each_ip": { + "foreach": "@items('For_each_response')?['ip_addresses']", + "actions": { + "Append_to_string_variable": { + "runAfter": {}, + "type": "AppendToStringVariable", + "inputs": { + "name": "ip_address", + "value": "@{items('For_each_ip')}," + } + } + }, + "runAfter": {}, + "type": "Foreach" + } + }, + "runAfter": { + "Set_variable": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@items('For_each_response')?['ip_addresses']", + "@null" + ] + } + } + ] + }, + "type": "If" + }, + "Set_variable": { + "runAfter": {}, + "type": "SetVariable", + "inputs": { + "name": "ip_address", + "value": " " + } + } + }, + "runAfter": { + "Set_more_records_to_empty": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Set_array_to_Empty": { + "runAfter": {}, + "type": "SetVariable", + "inputs": { + "name": "ip_breach_data_array", + "value": [] + } + }, + "Set_more_records_to_empty": { + "runAfter": { + "Set_array_to_Empty": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "more_records_display_text", + "value": " " + } + } + }, + "runAfter": { + "set_total_records": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Add_comment_to_incident_(V3)_2": { + "runAfter": {}, + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "SpyCloud Breach Data for IP @{items('For_Each_Incident_IPS')?['Address']}
\nNo Records Found.
SpyCloud Breach Data for username @{variables('username')}@{body('Create_HTML_table')}@{variables('more_records_display_text')}
" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Check_number_of_Records": { + "actions": { + "set_more_records_display_text": { + "runAfter": {}, + "type": "SetVariable", + "inputs": { + "name": "more_records_display_text", + "value": "Showing @{variables('min_records')} records out of @{variables('total_records')} records, for more information visit https://portal.spycloud.com/" + } + } + }, + "runAfter": { + "Create_HTML_table": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "greater": [ + "@variables('total_records')", + "@variables('min_records')" + ] + } + ] + }, + "type": "If" + }, + "Create_HTML_table": { + "runAfter": { + "For_each_response": [ + "Succeeded" + ] + }, + "type": "Table", + "inputs": { + "format": "HTML", + "from": "@variables('username_breach_data_array')" + } + }, + "For_each_response": { + "foreach": "@take(body('Get_Breach_Data_by_Username_Search')?['results'],variables('min_records'))", + "actions": { + "Append_to_array_variable": { + "runAfter": { + "Compose": [ + "Succeeded" + ] + }, + "type": "AppendToArrayVariable", + "inputs": { + "name": "username_breach_data_array", + "value": "@outputs('Compose')" + } + }, + "Compose": { + "runAfter": { + "Condition": [ + "Succeeded" + ] + }, + "type": "Compose", + "inputs": { + "Document Id": "@items('For_each_response')?['document_id']", + "Domain": "@items('For_each_response')?['domain']", + "Email": "@items('For_each_response')?['email']", + "IP Addresses": "@substring(variables('ip_address'),0,sub(length(variables('ip_address')),1))", + "Infected Machine Id": "@items('For_each_response')?['infected_machine_id']", + "Infected Path": "@items('For_each_response')?['infected_path']", + "Infected Time": "@items('For_each_response')?['infected_time']", + "Password": "@items('For_each_response')?['password']", + "Password Plaintext": "@items('For_each_response')?['password_plaintext']", + "Severity": "@items('For_each_response')?['severity']", + "Source Id": "@items('For_each_response')?['source_id']", + "Spycloud Publish Date": "@items('For_each_response')?['spycloud_publish_date']", + "Target Domain": "@items('For_each_response')?['target_domain']", + "Target Subdomain": "@items('For_each_response')?['target_subdomain']", + "Target Url": "@items('For_each_response')?['target_url']", + "User Hostname": "@items('For_each_response')?['user_hostname']", + "User OS": "@items('For_each_response')?['user_os']", + "Username": "@items('For_each_response')?['username']" + } + }, + "Condition": { + "actions": { + "For_each_ip": { + "foreach": "@items('For_each_response')?['ip_addresses']", + "actions": { + "Append_to_string_variable": { + "runAfter": {}, + "type": "AppendToStringVariable", + "inputs": { + "name": "ip_address", + "value": "@{items('For_each_ip')}," + } + } + }, + "runAfter": {}, + "type": "Foreach" + } + }, + "runAfter": { + "Set_variable": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@items('For_each_response')?['ip_addresses']", + "@null" + ] + } + } + ] + }, + "type": "If" + }, + "Set_variable": { + "runAfter": {}, + "type": "SetVariable", + "inputs": { + "name": "ip_address", + "value": " " + } + } + }, + "runAfter": { + "Set_more_records_to_empty": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Set_array_to_Empty": { + "runAfter": {}, + "type": "SetVariable", + "inputs": { + "name": "username_breach_data_array", + "value": [] + } + }, + "Set_more_records_to_empty": { + "runAfter": { + "Set_array_to_Empty": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "more_records_display_text", + "value": " " + } + } + }, + "runAfter": { + "set_total_records": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Add_comment_to_incident_(V3)_2": { + "runAfter": {}, + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "SpyCloud Breach Data for username @{variables('username')}
\nNo Records Found.
SpyCloud Comapss Devices Data for @{variables('infected_machine_id')}@{body('Create_HTML_table')}@{variables('more_records_display_text')}
" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Check_number_of_Records": { + "actions": { + "set_more_records_display_text": { + "runAfter": {}, + "type": "SetVariable", + "inputs": { + "name": "more_records_display_text", + "value": "Showing @{variables('min_records')} records out of @{variables('total_records')} records, for more information visit https://portal.spycloud.com/" + } + } + }, + "runAfter": { + "Create_HTML_table": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "greater": [ + "@variables('total_records')", + "@variables('min_records')" + ] + } + ] + }, + "type": "If" + }, + "Create_HTML_table": { + "runAfter": { + "For_each_response": [ + "Succeeded" + ] + }, + "type": "Table", + "inputs": { + "format": "HTML", + "from": "@variables('compass_device_data')" + } + }, + "For_each_response": { + "foreach": "@take(body('Get_Compass_Devices_Data')?['results'],variables('min_records'))", + "actions": { + "Append_to_array_variable": { + "runAfter": { + "Compose": [ + "Succeeded" + ] + }, + "type": "AppendToArrayVariable", + "inputs": { + "name": "compass_device_data", + "value": "@outputs('Compose')" + } + }, + "Compose": { + "runAfter": { + "Condition": [ + "Succeeded" + ] + }, + "type": "Compose", + "inputs": { + "Document Id": "@items('For_each_response')?['document_id']", + "Domain": "@items('For_each_response')?['domain']", + "Email": "@items('For_each_response')?['email']", + "IP Addresses": "@substring(variables('ip_address'),0,sub(length(variables('ip_address')),1))", + "Infected Machine Id": "@items('For_each_response')?['infected_machine_id']", + "Infected Path": "@items('For_each_response')?['infected_path']", + "Infected Time": "@items('For_each_response')?['infected_time']", + "Password": "@items('For_each_response')?['password']", + "Password Plaintext": "@items('For_each_response')?['password_plaintext']", + "Severity": "@items('For_each_response')?['severity']", + "Source Id": "@items('For_each_response')?['source_id']", + "Spycloud Publish Date": "@items('For_each_response')?['spycloud_publish_date']", + "Target Domain": "@items('For_each_response')?['target_domain']", + "Target Subdomain": "@items('For_each_response')?['target_subdomain']", + "Target Url": "@items('For_each_response')?['target_url']", + "User Hostname": "@items('For_each_response')?['user_hostname']", + "User OS": "@items('For_each_response')?['user_os']", + "Username": "@items('For_each_response')?['username']" + } + }, + "Condition": { + "actions": { + "For_each_ip": { + "foreach": "@items('For_each_response')?['ip_addresses']", + "actions": { + "Append_to_string_variable": { + "runAfter": {}, + "type": "AppendToStringVariable", + "inputs": { + "name": "ip_address", + "value": "@{items('For_each_ip')}," + } + } + }, + "runAfter": {}, + "type": "Foreach" + } + }, + "runAfter": { + "Set_IP_Address_to_Empty": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Set_variable": { + "runAfter": {}, + "type": "SetVariable", + "inputs": { + "name": "ip_address", + "value": " " + } + } + } + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@items('For_each_response')?['ip_addresses']", + "@null" + ] + } + } + ] + }, + "type": "If" + }, + "Set_IP_Address_to_Empty": { + "runAfter": {}, + "type": "SetVariable", + "inputs": { + "name": "ip_address", + "value": " " + } + } + }, + "runAfter": {}, + "type": "Foreach" + }, + "Update_incident": { + "runAfter": { + "Add_comment_to_incident_(V3)": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "owner": "someone@someone.com", + "ownerAction": "Assign", + "severity": "High" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "put", + "path": "/Incidents" + } + } + }, + "runAfter": { + "Get_Compass_Devices_Data": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "greater": [ + "@body('Get_Compass_Devices_Data')?['hits']", + 0 + ] + } + ] + }, + "type": "If" + }, + "Get_Compass_Devices_Data": { + "runAfter": { + "Set_Infected_Machine_ID": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['SpyCloud-Enterprise-Connector']['connectionId']" + } + }, + "method": "get", + "path": "/compass/data/devices/@{encodeURIComponent(variables('infected_machine_id'))}" + } + }, + "Set_Infected_Machine_ID": { + "runAfter": {}, + "type": "SetVariable", + "inputs": { + "name": "infected_machine_id", + "value": "@items('For_each_host')?['HostName']" + } + } + }, + "runAfter": { + "Entities_-_Get_Hosts": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "For_each_incident_alert": { + "foreach": "@triggerBody()?['object']?['properties']?['Alerts']", + "actions": { + "Check_User_Host_Name_exists": { + "actions": { + "Check_if_Host_is_Managed_host": { + "actions": {}, + "runAfter": { + "Set_variable_2": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "equals": [ + "", + "" + ] + } + ] + }, + "type": "If" + }, + "Set_User_Host_Name": { + "runAfter": {}, + "type": "SetVariable", + "inputs": { + "name": "user_host_name", + "value": "@{variables('incident_custom_details_object')?['User_Host_Name']}" + } + }, + "Set_variable_2": { + "runAfter": { + "Set_User_Host_Name": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "user_host_name_trim", + "value": "@{replace(replace(variables('user_host_name'),'[\"',''),'\"]','')}" + } + } + }, + "runAfter": { + "Set_custom_details_object": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@variables('incident_custom_details_object')?['User_Host_Name']", + "@null" + ] + } + } + ] + }, + "type": "If" + }, + "Set_custom_details_object": { + "runAfter": {}, + "type": "SetVariable", + "inputs": { + "name": "incident_custom_details_object", + "value": "@json(items('For_each_incident_alert')?['properties']?['additionalData']?['Custom Details'])" + } + } + }, + "runAfter": {}, + "type": "Foreach" + } + }, + "runAfter": { + "Incident_Custom_Details_Object": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "equals": [ + "@triggerBody()?['object']?['properties']?['title']", + "@variables('incident_name')" + ] + } + ] + }, + "type": "If" + }, + "IP_address": { + "runAfter": { + "Outputs_Variable": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "ip_address", + "type": "string" + } + ] + } + }, + "Incident_Custom_Details_Array": { + "runAfter": { + "Is_Managed_Host": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "incident_custom_details_array", + "type": "array" + } + ] + } + }, + "Incident_Custom_Details_Object": { + "runAfter": { + "Incident_Custom_Details_Array": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "incident_custom_details_object", + "type": "object" + } + ] + } + }, + "Incident_Name": { + "runAfter": { + "more_records_display_text": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "incident_name", + "type": "string", + "value": "SpyCloud Enterprise Malware Detection" + } + ] + } + }, + "Initialize_variable": { + "runAfter": { + "User_Host_Name": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "user_host_name_trim", + "type": "string" + } + ] + } + }, + "Is_Managed_Host": { + "runAfter": { + "IP_address": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "is_managed_host", + "type": "boolean", + "value": "@true" + } + ] + } + }, + "Machine_ID": { + "runAfter": { + "Initialize_variable": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "infected_machine_id", + "type": "string" + } + ] + } + }, + "Outputs_Variable": { + "runAfter": { + "Machine_ID": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "compass_device_data", + "type": "array" + } + ] + } + }, + "User_Host_Name": { + "runAfter": { + "Incident_Name": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "user_host_name", + "type": "string" + } + ] + } + }, + "minimum_records": { + "runAfter": {}, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "min_records", + "type": "integer", + "value": 15 + } + ] + } + }, + "more_records_display_text": { + "runAfter": { + "total_records": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "more_records_display_text", + "type": "string" + } + ] + } + }, + "total_records": { + "runAfter": { + "minimum_records": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "total_records", + "type": "integer" + } + ] + } + } + }, + "outputs": {} + }, + "parameters": { + "$connections": { + "value": { + "azuresentinel": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", + "connectionName": "[variables('AzureSentinelConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + }, + "SpyCloud-Enterprise-Connector": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('SpyCloudEnterpriseConnectionName'))]", + "connectionName": "[variables('SpyCloudEnterpriseConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('SpyCloudConnectorName'))]" + } + } + } + } + } + } + ] +} diff --git a/Solutions/SpyCloud Enterprise Protection/Playbooks/SpyCloud-Malware-Playbook/images/check_managed_asset.png b/Solutions/SpyCloud Enterprise Protection/Playbooks/SpyCloud-Malware-Playbook/images/check_managed_asset.png new file mode 100644 index 00000000000..aa70bfe9c50 Binary files /dev/null and b/Solutions/SpyCloud Enterprise Protection/Playbooks/SpyCloud-Malware-Playbook/images/check_managed_asset.png differ diff --git a/Solutions/SpyCloud Enterprise Protection/Playbooks/SpyCloud-Malware-Playbook/images/comments.png b/Solutions/SpyCloud Enterprise Protection/Playbooks/SpyCloud-Malware-Playbook/images/comments.png new file mode 100644 index 00000000000..dbecbf3d465 Binary files /dev/null and b/Solutions/SpyCloud Enterprise Protection/Playbooks/SpyCloud-Malware-Playbook/images/comments.png differ diff --git a/Solutions/SpyCloud Enterprise Protection/Playbooks/SpyCloud-Malware-Playbook/images/deployment.png b/Solutions/SpyCloud Enterprise Protection/Playbooks/SpyCloud-Malware-Playbook/images/deployment.png new file mode 100644 index 00000000000..425f0317c9b Binary files /dev/null and b/Solutions/SpyCloud Enterprise Protection/Playbooks/SpyCloud-Malware-Playbook/images/deployment.png differ diff --git a/Solutions/SpyCloud Enterprise Protection/Playbooks/SpyCloud-Malware-Playbook/images/for_each.png b/Solutions/SpyCloud Enterprise Protection/Playbooks/SpyCloud-Malware-Playbook/images/for_each.png new file mode 100644 index 00000000000..db8da7ef89e Binary files /dev/null and b/Solutions/SpyCloud Enterprise Protection/Playbooks/SpyCloud-Malware-Playbook/images/for_each.png differ diff --git a/Solutions/SpyCloud Enterprise Protection/Playbooks/SpyCloud-Malware-Playbook/images/logo.png b/Solutions/SpyCloud Enterprise Protection/Playbooks/SpyCloud-Malware-Playbook/images/logo.png new file mode 100644 index 00000000000..5a489fefce7 Binary files /dev/null and b/Solutions/SpyCloud Enterprise Protection/Playbooks/SpyCloud-Malware-Playbook/images/logo.png differ diff --git a/Solutions/SpyCloud Enterprise Protection/Playbooks/SpyCloud-Malware-Playbook/images/update_user.png b/Solutions/SpyCloud Enterprise Protection/Playbooks/SpyCloud-Malware-Playbook/images/update_user.png new file mode 100644 index 00000000000..2985d8e24fd Binary files /dev/null and b/Solutions/SpyCloud Enterprise Protection/Playbooks/SpyCloud-Malware-Playbook/images/update_user.png differ diff --git a/Solutions/SpyCloud Enterprise Protection/Playbooks/SpyCloud-Malware-Playbook/readme.md b/Solutions/SpyCloud Enterprise Protection/Playbooks/SpyCloud-Malware-Playbook/readme.md new file mode 100644 index 00000000000..86d37342a52 --- /dev/null +++ b/Solutions/SpyCloud Enterprise Protection/Playbooks/SpyCloud-Malware-Playbook/readme.md @@ -0,0 +1,51 @@ +# SpyCloud Enterprise Malware Playbook + +![SpyCloud Enterprise](images/logo.png) + +## Table of Contents + +1. [Overview](#overview) +2. [Prerequisites](#prerequisites) +3. [Deployment](#deployment) +4. [Post Deployment Steps](#postdeployment) + + + + +## Overview +This playbook gets triggered when an incident is created from the "SpyCloud Malware Rule" and can perform the following actions + +- Check if the hostname is a managed asset. If no hostname exists in the record, skip this check. +- For the specific machine ID, if the organization has access to compass data, pull all the additional records for the specific machine ID from the appropriate compass endpoint and add them to the incident. +- Escalate the incident for someone to handle the malware infection. + +![Incident Comments](images/comments.png) + + + +## Prerequisites +- A SpyCloud Enterprise API Key +- SpyCloud Enterprise custom connector needs to be deployed prior to the deployment of this playbook, in the same resource group and region. Relevant instructions can be found on the connector documentation page. +- SpyCloud-Monitor-Watchlist-Data-Playbook needs to be deployed prior to the deployment of this playbook, in the same resource group and region. Relevant instructions can be found on the playbook document page. + + + +## Deployment Instructions +- Deploy the playbooks by clicking on the "Deploy to Azure" button. This will take you to the Deploy an ARM Template wizard. +- Fill in the required parameters for deploying the playbook. + ![deployment](images/deployment.png) +- Click "Review + create". Once the validation is successful, click on "Create". + +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FSpyCloud%20Enterprise%20Protection%2FPlaybooks%2FSpyCloud-Malware-Playbook%2Fazuredeploy.json) +[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FSpyCloud%20Enterprise%20Protection%2FPlaybooks%2FSpyCloud-Malware-Playbook%2Fazuredeploy.json) + + + +## Post Deployment Instructions +### Authorize connections +Once deployment is complete, you will need to authorize each connection: +- As a best practice, we have used the Sentinel connection in Logic Apps that use "ManagedSecurityIdentity" permissions. Please refer to [this document](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/what-s-new-managed-identity-for-azure-sentinel-logic-apps/ba-p/2068204) and provide permissions to the Logic App accordingly. +- Provide connection details for the SpyCloud Enterprise Custom Connector. +- Save the Logic App. If the Logic App prompts any missing connections, please update the connections similarly. +### b.Configurations in Sentinel: +- In Azure Sentinel, configure the SpyCloud Malware rule automation rules to trigger this playbook. diff --git a/Solutions/SpyCloud Enterprise Protection/Playbooks/SpyCloud-Monitor-Watchlist-Data/azuredeploy.json b/Solutions/SpyCloud Enterprise Protection/Playbooks/SpyCloud-Monitor-Watchlist-Data/azuredeploy.json new file mode 100644 index 00000000000..9aa81c8598d --- /dev/null +++ b/Solutions/SpyCloud Enterprise Protection/Playbooks/SpyCloud-Monitor-Watchlist-Data/azuredeploy.json @@ -0,0 +1,718 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "title": "SpyCloud Watachlist data - SpyCloud Enterprise", + "description": "This Playbook will run daily, gets the watchlist data from SpyCloud API and saved it into the custom logs.", + "prerequisites": "SpyCloud Enterprise API Key.", + "postDeployment": [ + "Testing Description " + ], + "lastUpdateTime": "2022-09-05T00:00:00.000Z", + "tags": ["Feed"], + "support": { + "tier": "community" + }, + "author": { + "name": "SpyCloud Integrations" + } + }, + "parameters": { + "PlaybookName": { + "defaultValue": "SpyCloud-Monitor-Watchlist-Data", + "type": "string", + "metadata": { + "description": "Name of the Logic App/Playbook" + } + }, + "SpyCloudConnectorName":{ + "defaultValue": "SpyCloud-Enterprise-Protection", + "type": "String", + "metadata": { + "description": "SpyCloud Enterprise custom connector name" + } + }, + "SpyCloud_Custom_Log_Table_Name":{ + "defaultValue": "SpyCloudBreachDataWatchlist", + "type": "String", + "metadata": { + "description": "SpyCloud Enterprise custom log name" + } + } + }, + "variables": { + "SpyCloudEnterpriseConnectionName": "[concat('spycloudconnector-', parameters('PlaybookName'))]", + "AzureLogAnalyticsDataConnector": "[concat('azuredataconnector-', parameters('PlaybookName'))]", + "SpyCloudCustomTableName": "[parameters('SpyCloud_Custom_Log_Table_Name')]" + }, + "resources": [ + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('AzureLogAnalyticsDataConnector')]", + "location": "[resourceGroup().location]", + "properties": { + "displayName": "[variables('AzureLogAnalyticsDataConnector')]", + "customParameterValues": {}, + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azureloganalyticsdatacollector')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('SpyCloudEnterpriseConnectionName')]", + "location": "[resourceGroup().location]", + "properties": { + "displayName": "[variables('SpyCloudEnterpriseConnectionName')]", + "customParameterValues": {}, + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('SpyCloudConnectorName'))]" + } + } + }, + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2017-07-01", + "name": "[parameters('PlaybookName')]", + "location": "[resourceGroup().location]", + "identity": { + "type": "SystemAssigned" + }, + "dependsOn": [ + "[resourceId('Microsoft.Web/connections', variables('SpyCloudEnterpriseConnectionName'))]", + "[resourceId('Microsoft.Web/connections', variables('AzureLogAnalyticsDataConnector'))]" + ], + "properties": { + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "defaultValue": {}, + "type": "Object" + } + }, + "triggers": { + "Recurrence": { + "recurrence": { + "frequency": "Day", + "interval": 1, + "startTime": "" + }, + "evaluatedRecurrence": { + "frequency": "Day", + "interval": 1, + "startTime": "2023-05-06T00:00:00Z" + }, + "type": "Recurrence" + } + }, + "actions": { + "Cursor": { + "runAfter": {}, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "cursor", + "type": "string", + "value": "start" + } + ] + } + }, + "Custom_Log_Name": { + "runAfter": { + "date_": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "custom_log_name", + "type": "string", + "value": "[variables('SpyCloudCustomTableName')]" + } + ] + } + }, + "IP_address": { + "runAfter": { + "Is_First_Fetch": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "ip_address", + "type": "string" + } + ] + } + }, + "Is_First_Fetch": { + "runAfter": { + "Cursor": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "first_fetch", + "type": "boolean", + "value": "@true" + } + ] + } + }, + "Until_Modified_Records_Exist": { + "actions": { + "Check_if_this_is_first_fetch_for_modified_records": { + "actions": { + "Set_Cursor_to_null_2": { + "runAfter": {}, + "type": "SetVariable", + "inputs": { + "name": "cursor", + "value": "@{null}" + } + } + }, + "runAfter": {}, + "expression": { + "and": [ + { + "equals": [ + "@variables('first_fetch')", + "@true" + ] + } + ] + }, + "type": "If" + }, + "Get_Breach_Data_for_Entire_Watchlist_2": { + "runAfter": { + "Set_modified_records_array_to_empty": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['SpyCloud-Enterprise-Connector']['connectionId']" + } + }, + "method": "get", + "path": "/breach/data/watchlist", + "queries": { + "cursor": "@variables('cursor')", + "since_modification_date": "@variables('date')" + } + } + }, + "Set_false_to_first_fetch": { + "runAfter": { + "check_if_data_exist_for_date": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "first_fetch", + "value": "@false" + } + }, + "Set_modified_records_array_to_empty": { + "runAfter": { + "Check_if_this_is_first_fetch_for_modified_records": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "modified_records", + "value": [] + } + }, + "check_if_data_exist_for_date": { + "actions": { + "For_each_response_2": { + "foreach": "@body('Get_Breach_Data_for_Entire_Watchlist_2')?['results']", + "actions": { + "Append_to_modified_records_variable": { + "runAfter": { + "Check_IP_Address_is_Not_empty_2": [ + "Succeeded" + ] + }, + "type": "AppendToArrayVariable", + "inputs": { + "name": "modified_records", + "value": { + "Document_Id": "@{items('For_each_response_2')?['document_id']}", + "Domain": "@{items('For_each_response_2')?['domain']}", + "Email": "@{items('For_each_response_2')?['email']}", + "IP_Address": "@{variables('ip_address')}", + "Infected_Machine_Id": "@{items('For_each_response_2')?['infected_machine_id']}", + "Infected_Path": "@{items('For_each_response_2')?['infected_path']}", + "Infected_Time": "@{items('For_each_response_2')?['infected_time']}", + "Password": "@{items('For_each_response_2')?['password']}", + "Password_Plaintext": "@{items('For_each_response_2')?['password_plaintext']}", + "Severity": "@{items('For_each_response_2')?['severity']}", + "Source_Id": "@{items('For_each_response_2')?['source_id']}", + "SpyCloud_Publish_Date": "@{items('For_each_response_2')?['spycloud_publish_date']}", + "Target_Domain": "@{items('For_each_response_2')?['target_domain']}", + "Target_SubDomain": "@{items('For_each_response_2')?['target_subdomain']}", + "Target_URL": "@{items('For_each_response_2')?['target_url']}", + "User_Hostname": "@{items('For_each_response_2')?['user_hostname']}", + "User_OS": "@{items('For_each_response_2')?['user_os']}", + "Username": "@{items('For_each_response_2')?['username']}" + } + } + }, + "Check_IP_Address_is_Not_empty_2": { + "actions": { + "set_ip_variable": { + "runAfter": {}, + "type": "SetVariable", + "inputs": { + "name": "ip_address", + "value": "@{first(items('For_each_response_2')?['ip_addresses'])}" + } + } + }, + "runAfter": {}, + "else": { + "actions": { + "set_ip_variable_to_null": { + "runAfter": {}, + "type": "SetVariable", + "inputs": { + "name": "ip_address", + "value": "@{null}" + } + } + } + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@items('For_each_response_2')?['ip_addresses']", + "@null" + ] + } + } + ] + }, + "type": "If" + } + }, + "runAfter": {}, + "type": "Foreach" + }, + "Modified_Records_Compose": { + "runAfter": { + "For_each_response_2": [ + "Succeeded" + ] + }, + "type": "Compose", + "inputs": "@variables('modified_records')" + }, + "Save_Modified_Records_to_Custom_Logs_Table": { + "runAfter": { + "Modified_Records_Compose": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": "@{outputs('Modified_Records_Compose')}", + "headers": { + "Log-Type": "@variables('custom_log_name')" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']" + } + }, + "method": "post", + "path": "/api/logs" + } + } + }, + "runAfter": { + "Get_Breach_Data_for_Entire_Watchlist_2": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "greater": [ + "@body('Get_Breach_Data_for_Entire_Watchlist_2')?['hits']", + 0 + ] + } + ] + }, + "type": "If" + }, + "set_cursor_value": { + "runAfter": { + "Set_false_to_first_fetch": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "cursor", + "value": "@body('Get_Breach_Data_for_Entire_Watchlist_2')?['cursor']" + } + } + }, + "runAfter": { + "reset_first_fetch": [ + "Succeeded" + ] + }, + "expression": "@equals(empty(variables('cursor')), true)", + "limit": { + "count": 60, + "timeout": "PT1H" + }, + "type": "Until" + }, + "Until_New_Records_Exist": { + "actions": { + "Check_if_data_exists": { + "actions": { + "For_each_response": { + "foreach": "@body('Get_Breach_Data_for_Entire_Watchlist')?['results']", + "actions": { + "Append_to_new_records_array": { + "runAfter": { + "Check_IP_Address_is_Not_empty": [ + "Succeeded" + ] + }, + "type": "AppendToArrayVariable", + "inputs": { + "name": "new_records", + "value": { + "Document_Id": "@{items('For_each_response')?['document_id']}", + "Domain": "@{items('For_each_response')?['domain']}", + "Email": "@{items('For_each_response')?['email']}", + "IP_Address": "@{variables('ip_address')}", + "Infected_Machine_Id": "@{items('For_each_response')?['infected_machine_id']}", + "Infected_Path": "@{items('For_each_response')?['infected_path']}", + "Infected_Time": "@{items('For_each_response')?['infected_time']}", + "Password": "@{items('For_each_response')?['password']}", + "Password_Plaintext": "@{items('For_each_response')?['password_plaintext']}", + "Severity": "@{items('For_each_response')?['severity']}", + "Source_Id": "@{items('For_each_response')?['source_id']}", + "SpyCloud_Publish_Date": "@{items('For_each_response')?['spycloud_publish_date']}", + "Target_Domain": "@{items('For_each_response')?['target_domain']}", + "Target_SubDomain": "@{items('For_each_response')?['target_subdomain']}", + "Target_URL": "@{items('For_each_response')?['target_url']}", + "User_Hostname": "@{items('For_each_response')?['user_hostname']}", + "User_OS": "@{items('For_each_response')?['user_os']}", + "Username": "@{items('For_each_response')?['username']}" + } + } + }, + "Check_IP_Address_is_Not_empty": { + "actions": { + "Set_Address_to_value": { + "runAfter": {}, + "type": "SetVariable", + "inputs": { + "name": "ip_address", + "value": "@{first(items('For_each_response')?['ip_addresses'])}" + } + } + }, + "runAfter": {}, + "else": { + "actions": { + "Set_Address_to_null": { + "runAfter": {}, + "type": "SetVariable", + "inputs": { + "name": "ip_address", + "value": "@{null}" + } + } + } + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@items('For_each_response')?['ip_addresses']", + "@null" + ] + } + } + ] + }, + "type": "If" + } + }, + "runAfter": {}, + "type": "Foreach" + }, + "New_Records_Compose": { + "runAfter": { + "For_each_response": [ + "Succeeded" + ] + }, + "type": "Compose", + "inputs": "@variables('new_records')" + }, + "Save_New_Records_to_Custom_Logs_Table": { + "runAfter": { + "New_Records_Compose": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": "@{outputs('New_Records_Compose')}", + "headers": { + "Log-Type": "@variables('custom_log_name')" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']" + } + }, + "method": "post", + "path": "/api/logs" + } + } + }, + "runAfter": { + "Get_Breach_Data_for_Entire_Watchlist": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "greater": [ + "@body('Get_Breach_Data_for_Entire_Watchlist')?['hits']", + 0 + ] + } + ] + }, + "type": "If" + }, + "Check_if_this_is_first_fetch_for_new_records": { + "actions": { + "Set_Cursor_to_null_": { + "runAfter": {}, + "type": "SetVariable", + "inputs": { + "name": "cursor", + "value": "@{null}" + } + } + }, + "runAfter": {}, + "expression": { + "and": [ + { + "equals": [ + "@variables('first_fetch')", + "@true" + ] + } + ] + }, + "type": "If" + }, + "Get_Breach_Data_for_Entire_Watchlist": { + "runAfter": { + "Set_new_records_array_to_empty": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['SpyCloud-Enterprise-Connector']['connectionId']" + } + }, + "method": "get", + "path": "/breach/data/watchlist", + "queries": { + "cursor": "@variables('cursor')", + "since": "@variables('date')" + } + } + }, + "Set_First_Fetch_to_False": { + "runAfter": { + "Check_if_data_exists": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "first_fetch", + "value": "@false" + } + }, + "Set_cursor_from_the_API_response": { + "runAfter": { + "Set_First_Fetch_to_False": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "cursor", + "value": "@body('Get_Breach_Data_for_Entire_Watchlist')?['cursor']" + } + }, + "Set_new_records_array_to_empty": { + "runAfter": { + "Check_if_this_is_first_fetch_for_new_records": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "new_records", + "value": [] + } + } + }, + "runAfter": { + "modified_records": [ + "Succeeded" + ] + }, + "expression": "@equals(empty(variables('cursor')), true)", + "limit": { + "count": 60, + "timeout": "PT1H" + }, + "type": "Until" + }, + "date_": { + "runAfter": { + "IP_address": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "date", + "type": "string", + "value": "@{addDays(utcNow(), -1, 'yyyy-MM-dd')}" + } + ] + } + }, + "modified_records": { + "runAfter": { + "new_records_": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "modified_records", + "type": "array", + "value": [] + } + ] + } + }, + "new_records_": { + "runAfter": { + "Custom_Log_Name": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "new_records", + "type": "array", + "value": [] + } + ] + } + }, + "reset_cursor": { + "runAfter": { + "Until_New_Records_Exist": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "cursor", + "value": "start" + } + }, + "reset_first_fetch": { + "runAfter": { + "reset_cursor": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "first_fetch", + "value": "@true" + } + } + }, + "outputs": {} + }, + "parameters": { + "$connections": { + "value": { + "SpyCloud-Enterprise-Connector": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('SpyCloudEnterpriseConnectionName'))]", + "connectionName": "[variables('SpyCloudEnterpriseConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('SpyCloudConnectorName'))]" + }, + "azureloganalyticsdatacollector": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureLogAnalyticsDataConnector'))]", + "connectionName": "[variables('AzureLogAnalyticsDataConnector')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azureloganalyticsdatacollector')]" + } + } + } + } + } + } + ] +} \ No newline at end of file diff --git a/Solutions/SpyCloud Enterprise Protection/Playbooks/SpyCloud-Monitor-Watchlist-Data/images/deployment.png b/Solutions/SpyCloud Enterprise Protection/Playbooks/SpyCloud-Monitor-Watchlist-Data/images/deployment.png new file mode 100644 index 00000000000..425f0317c9b Binary files /dev/null and b/Solutions/SpyCloud Enterprise Protection/Playbooks/SpyCloud-Monitor-Watchlist-Data/images/deployment.png differ diff --git a/Solutions/SpyCloud Enterprise Protection/Playbooks/SpyCloud-Monitor-Watchlist-Data/images/logo.png b/Solutions/SpyCloud Enterprise Protection/Playbooks/SpyCloud-Monitor-Watchlist-Data/images/logo.png new file mode 100644 index 00000000000..5a489fefce7 Binary files /dev/null and b/Solutions/SpyCloud Enterprise Protection/Playbooks/SpyCloud-Monitor-Watchlist-Data/images/logo.png differ diff --git a/Solutions/SpyCloud Enterprise Protection/Playbooks/SpyCloud-Monitor-Watchlist-Data/images/parameters.png b/Solutions/SpyCloud Enterprise Protection/Playbooks/SpyCloud-Monitor-Watchlist-Data/images/parameters.png new file mode 100644 index 00000000000..d6727054c9e Binary files /dev/null and b/Solutions/SpyCloud Enterprise Protection/Playbooks/SpyCloud-Monitor-Watchlist-Data/images/parameters.png differ diff --git a/Solutions/SpyCloud Enterprise Protection/Playbooks/SpyCloud-Monitor-Watchlist-Data/images/recurrence.png b/Solutions/SpyCloud Enterprise Protection/Playbooks/SpyCloud-Monitor-Watchlist-Data/images/recurrence.png new file mode 100644 index 00000000000..ae77e5a2584 Binary files /dev/null and b/Solutions/SpyCloud Enterprise Protection/Playbooks/SpyCloud-Monitor-Watchlist-Data/images/recurrence.png differ diff --git a/Solutions/SpyCloud Enterprise Protection/Playbooks/SpyCloud-Monitor-Watchlist-Data/readme.md b/Solutions/SpyCloud Enterprise Protection/Playbooks/SpyCloud-Monitor-Watchlist-Data/readme.md new file mode 100644 index 00000000000..d2fcd2bc69b --- /dev/null +++ b/Solutions/SpyCloud Enterprise Protection/Playbooks/SpyCloud-Monitor-Watchlist-Data/readme.md @@ -0,0 +1,56 @@ +# SpyCloud Enterprise Monitor Watchlist Data Playbook + +![SpyCloud Enterprise](images/logo.png) + +## Table of Contents + +1. [Overview](#overview) +2. [Prerequisites](#prerequisites) +3. [Deployment](#deployment) +4. [Post Deployment Steps](#postdeployment) + + + + +# Overview +This playbook gets triggered on a daily basis and performs the following actions: + +- Gets the new watchlist records from the SpyCloud database and saves them into the custom logs table. +- Gets the modified watchlist records from the SpyCloud database and saves them into the custom logs table. + + + +## Prerequisites +- A SpyCloud Enterprise API Key +- SpyCloud Enterprise custom connector needs to be deployed prior to the deployment of this playbook, in the same resource group and region. Relevant instructions can be found on the connector documentation page. + + + +## Deployment Instructions +- Deploy the playbooks by clicking on the "Deploy to Azure" button. This will take you to the Deploy an ARM Template wizard. +- Fill in the required parameters for deploying the playbook. + ![deployment](images/deployment.png) +- Click "Review + create". Once the validation is successful, click on "Create". + +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FSpyCloud%20Enterprise%20Protection%2FPlaybooks%2FSpyCloud-Monitor-Watchlist-Data%2Fazuredeploy.json) +[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FSpyCloud%20Enterprise%20Protection%2FPlaybooks%2FSpyCloud-Monitor-Watchlist-Data%2Fazuredeploy.json) + + + +## Post-Deployment Instructions +### Provide Custom Log Table Name +- Open the Logic App in the edit mode, click on "Parameters" and provide the name of the custom log table, for ex:SpycloudWatchlistData and click on close. + ![parameters](images/parameters.png) + +### Recurrence Trigger Instructions +- The Logic App will run on an interval set to daily. Please do not change the interval, as it may result in duplication of data. +- If you do not wish to run the playbook immediately, set the start time. + ![recurrence](images/recurrence.png) + +### Authorize connections +Once deployment is complete, you will need to authorize each connection: +- Provide connection details for the SpyCloud Enterprise Custom Connector. +- Provide connection details for the Azure Log Analytics Data Collector. You need to provide a "Workspace ID" and "Workspace Key", You can obtain the "Workspace ID" in the overview of your "Log Analytics Workspace" and "Workspace key" from the "Agents> Log Analytics agent instructions" section. You can use either a "Primary key" or a "Secondary key". +- Save the Logic App. If the Logic App prompts for any missing connections, please update the connections similarly. + + \ No newline at end of file diff --git a/Solutions/SpyCloud Enterprise Protection/ReleaseNotes.md b/Solutions/SpyCloud Enterprise Protection/ReleaseNotes.md new file mode 100644 index 00000000000..014c56c6e6e --- /dev/null +++ b/Solutions/SpyCloud Enterprise Protection/ReleaseNotes.md @@ -0,0 +1,3 @@ +| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | +|-------------|--------------------------------|---------------------------------------------| +| 3.0.0 | 12-09-2023 | Initial solution release | diff --git a/Solutions/SpyCloud Enterprise Protection/SolutionMetadata.json b/Solutions/SpyCloud Enterprise Protection/SolutionMetadata.json new file mode 100644 index 00000000000..00c253560e2 --- /dev/null +++ b/Solutions/SpyCloud Enterprise Protection/SolutionMetadata.json @@ -0,0 +1,15 @@ +{ + "publisherId": "spycloudinc1680448518850", + "offerId": "azure-sentinel-solution-spycloudenterprise", + "firstPublishDate": "2023-09-09", + "providers": ["Spycloud, Inc"], + "categories": { + "domains": ["Security - Automation (SOAR)", "Security - Threat Intelligence"] + }, + "support": { + "name": "Spycloud", + "email": "integrations@spycloud.com", + "tier": "Partner", + "link": "https://portal.spycloud.com" + } +} \ No newline at end of file diff --git a/Solutions/SpyCloud Enterprise Protection/readme.md b/Solutions/SpyCloud Enterprise Protection/readme.md new file mode 100644 index 00000000000..42cbdf68dc5 --- /dev/null +++ b/Solutions/SpyCloud Enterprise Protection/readme.md @@ -0,0 +1,88 @@ +# SpyCloud Enterprise Solution + + +## Table of Contents + +1. [Overview](#overview) +2. [Feed](#feed) +3. [Enrichment](#enrichment) +4. [SpyCloud Enterprise Deployment Instructions](#deployorder) + + + + +## Overview +Cybercriminals continue to utilize stolen corporate credentials as the number one technique for account takeover (ATO). In fact, the FBI estimated that this resulted in estimated losses totaling more than $2.7 billion in 2022. SpyCloud helps prevent account takeover and ransomware attacks by identifying exposed credentials related to a company’s domains, IP addresses and emails. Through this integration, breach and malware data from SpyCloud can be loaded into Sentinel. + +This solution contains the following: + +- Eight playbooks, + +- Two analytics rules, and + +- One custom connector. + +By identifying exposed assets that are available to criminals, enterprises can protect exposed accounts before criminals have a chance to use them for follow-on attacks These playbooks and actions are designed to meet several use cases. + + +## Feed Usecase +| Playbook | Description | +| --------- | -------------- | +| **SpyCloud-Monitor-Watchlist-Data** | This playbook runs on a daily basis, and fetches all the watchlist data from the SpyCloud Enterprise Protection API, parses the data, and saves the data into the custom logs table. | + +This solution provides the following rules which monitor the custom log table created from the above playbook. + +### Analytics Rules +| Analytic Rule | Description | +| --------- | -------------- | +| **SpyCloud-Malware-Rule** | This scheduled rule monitors the custom log table, and checks for any new malware records(severity=25). If a record is found, this analytic rule will create an incident with High Priority. | +| **SpyCloud-Breach-Rule** | This scheduled rule monitors the custom log table, and checks for any new breach records(severity=20). If a record is found, this analytic rule will create an incident with High Priority. | + +Many actions are available when a malware incident is created from the "SpyCloud Malware Rule." It can: + +- Check if the hostname is a managed asset. If no hostname exists in the record it will skip this check. +- Pull all the additional records for the specific machine ID from the appropriate endpoint and add them to the incident, if you have access to SpyCloud Compass data. +- Escalate the incident for someone to handle the malware infection. + +This solution also provides a "SpyCloud Malware Playbook" template that can be used to achieve the above use case. You can add this playbook to the "SpyCloud Malware Rule" automation section. + +The following actions can be taken when a breach incident is created from the "SpyCloud Breach Rule." + +- Check if breached password length is >= minimum required by the organization. If not, exit the playbook. +- Check if the user is currently an active employee. If not, exit the playbook. +- Check if the exposed password is in use on the network (check AD, check Okta, check Ping, check G-Suite, etc. +- If the password is in use in one of the checked systems, perform a password reset, raise an incident, etc. + +This solution also provides a "SpyCloud Breach Playbook" template that can be used to achieve the above use case. You can add this playbook to the "SpyCloud Breach Rule" automation section. + + +## Enrichment Usecase + +| Playbook | Description | +| --------- | -------------- | +| **SpyCloud-Malware-Playbook** | This playbook runs on an incident trigger created by the "SpyCloud Malware Rule," fetches all the entities associated with the incident, and does further investigation. | +| **SpyCloud-Breach-Playbook** | This playbook runs on an incident trigger created by the "SpyCloud Breach Rule," fetches all the entities associated with the incident, and allows for further investigation.| +| **SpyCloud-Get-Domain-Breach-Data-Playbook** | This playbook runs on an incident trigger, fetches all the domains(DNS Entity) from the incident, retrieves the breach data information from the SpyCloud API for each Domain, and then adds the breach data information to incident comments for further investigation. | +| **SpyCloud-Get-IP-Breach-Data-Playbook** | This playbook runs on an incident trigger, fetches all the IP addresses (IP Entity) from the incident, retrieves the breach data information from the SpyCloud API for each IP, and then adds the breach data information to incident comments for further investigation. | +| **SpyCloud-Get-Email-Breach-Data-Playbook** | This playbook runs on an incident trigger, fetches all the Email addresses (Account Entity) from the incident, retrieves the breach data information from the SpyCloud API for each email address, and then adds the breach data information to the incident comments for further investigation. | +| **SpyCloud-Get-Username-Breach-Data-Playbook** | This playbook runs on an incident trigger, fetches all the usernames (Account Entity) from the incident, retrieves the breach data information from the SpyCloud API for each username, and then adds the breach data information to incident comments for further investigation. | +| **SpyCloud-Get-Password-Breach-Data-Playbook** | This playbook takes a password as the input and identifies the breach data for that password from the SpyCloud API. The results are then processed in a tabular format as the final step. You can use this data for further investigation. | + +Please refer to the documentation pages for each playbook for more information. + + + +## Deployment Instructions + +Please follow the following order while installing the solution. + +1. CustomConnector +2. SpyCloud Monitor Watchlist Data Playbook +3. SpyCloud Malware Playbook +4. SpyCloud Breach Playbook +5. Analytics Rules +6. Domain Breach Data Playbook +7. Email Breach Data Playbook +8. IP Address Breach Data Playbook +9. Username Breach Data Playbook +10. Password Breach Data Playbook