From 3fbcaef3603c349e378963104f7c62681aec02ee Mon Sep 17 00:00:00 2001 From: rahul0216 Date: Wed, 24 May 2023 10:53:08 +0530 Subject: [PATCH 1/7] Update azuredeploy.json - Link to logo was broken on readme.md file, updated - Updated the wrong alternate text - Added escaped quotes for tags in playbook - Added check for null while creating STIX format --- .../{ACSC logo.png => ACSCLogo.png} | Bin .../azuredeploy.json | 30 +++++++++--------- .../Playbooks/readme.md | 2 +- 3 files changed, 16 insertions(+), 16 deletions(-) rename Solutions/Australian Cyber Security Centre/{ACSC logo.png => ACSCLogo.png} (100%) diff --git a/Solutions/Australian Cyber Security Centre/ACSC logo.png b/Solutions/Australian Cyber Security Centre/ACSCLogo.png similarity index 100% rename from Solutions/Australian Cyber Security Centre/ACSC logo.png rename to Solutions/Australian Cyber Security Centre/ACSCLogo.png diff --git a/Solutions/Australian Cyber Security Centre/Playbooks/AusCtisExportTaggedIndicators/azuredeploy.json b/Solutions/Australian Cyber Security Centre/Playbooks/AusCtisExportTaggedIndicators/azuredeploy.json index 0f6f5100c50..d610a423bab 100644 --- a/Solutions/Australian Cyber Security Centre/Playbooks/AusCtisExportTaggedIndicators/azuredeploy.json +++ b/Solutions/Australian Cyber Security Centre/Playbooks/AusCtisExportTaggedIndicators/azuredeploy.json @@ -223,7 +223,7 @@ "type": "ManagedServiceIdentity" }, "body": { - "keywords": "tags:@{parameters('Tag for indicators to be exported')}", + "keywords": "tags:\"@{parameters('Tag for indicators to be exported')}\"", "pageSize": 100, "sortBy": [ { 
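Review bot: Quoting the tag fixes multi-word tag names, but the parameter is still interpolated raw into the `keywords` query string, so a tag value that itself contains a `"` closes the quoted term early and changes the search (a value like `x" OR tags:"y` would widen it). The parameter is set at deployment time rather than by end users, so the exposure is limited, but stripping embedded quotes is cheap: `"keywords": "tags:\"@{replace(parameters('Tag for indicators to be exported'), '\"', '')}\""`. Whether `keywords` matches tags exactly or by substring is not visible here; if it is a substring match, a tag such as `ACSC Export` would also hit indicators carrying the completion tag, which the later filter step then has to remove again.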
@@ -434,28 +434,28 @@ "inputs": { "from": "@body('Filter_array_of_indicators_where_tags_do_not_contain_Export_Complete')", "select": { - "confidence": "@item()?['properties']?['confidence']", - "created": "@item()?['properties']?['created']", + "confidence": "@if(item()?['properties']?['confidence'], item()?['properties']?['confidence'], '')", + "created": "@if(item()?['properties']?['created'], item()?['properties']?['created'], '')", "created_by_ref": "", - "description": "@item()?['properties']?['description']", + "description": "@if(item()?['properties']?['description'], item()?['properties']?['description'], '')", "external_references": "", "granular_markings": "", - "id": "indicator--@{item()?['name']}", - "indicator_types": "@item()?['properties']?['threatTypes']", + "id": "indicator--@{if(item()?['name'], item()?['name'], '')}", + "indicator_types": "@if(item()?['properties']?['threatTypes'], item()?['properties']?['threatTypes'], '')", "kill_chain_phases": "", - "labels": "@item()?['properties']?['threatIntelligenceTags']", + "labels": "@if(item()?['properties']?['threatIntelligenceTags'], item()?['properties']?['threatIntelligenceTags'], '')", "lang": "", - "modified": "@item()?['properties']?['lastUpdatedTimeUtc']", - "name": "@item()?['properties']?['displayName']", - "object_marking_refs": "@item()?['properties']?['objectMarkingRefs']", - "pattern": "@item()?['properties']?['pattern']", - "pattern_type": "@item()?['properties']?['patternType']", + "modified": "@if(item()?['properties']?['lastUpdatedTimeUtc'], item()?['properties']?['lastUpdatedTimeUtc'], '')", + "name": "@if(item()?['properties']?['displayName'], item()?['properties']?['displayName'], '')", + "object_marking_refs": "@if(item()?['properties']?['objectMarkingRefs'], item()?['properties']?['objectMarkingRefs'], '')", + "pattern": "@if(item()?['properties']?['pattern'], item()?['properties']?['pattern'], '')", + "pattern_type": "@if(item()?['properties']?['patternType'], 
item()?['properties']?['patternType'], '')", "pattern_version": "2.1", - "revoked": "@item()?['properties']?['revoked']", + "revoked": "@if(item()?['properties']?['revoked'], item()?['properties']?['revoked'], '')", "spec_version": "2.1", "type": "indicator", - "valid_from": "@item()?['properties']?['validFrom']", - "valid_until": "@item()?['properties']?['validUntil']" + "valid_from": "@if(item()?['properties']?['validFrom'], item()?['properties']?['validFrom'], '')", + "valid_until": "@if(item()?['properties']?['validUntil'], item()?['properties']?['validUntil'], '')" } } } diff --git a/Solutions/Australian Cyber Security Centre/Playbooks/readme.md b/Solutions/Australian Cyber Security Centre/Playbooks/readme.md index d05f5c598e1..b85d03db194 100644 --- a/Solutions/Australian Cyber Security Centre/Playbooks/readme.md +++ b/Solutions/Australian Cyber Security Centre/Playbooks/readme.md @@ -1,3 +1,3 @@ # Australian Cyber Security Centre Playbook Templates -neustar \ No newline at end of file +Australian Cyber Security Centre \ No newline at end of file From 3429c79b164d554a44b52a51d00c4110b3f40822 Mon Sep 17 00:00:00 2001 From: rahul0216 Date: Thu, 25 May 2023 10:11:58 +0530 Subject: [PATCH 2/7] Update azuredeploy.json --- .../azuredeploy.json | 28 +++++++++---------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/Solutions/Australian Cyber Security Centre/Playbooks/AusCtisExportTaggedIndicators/azuredeploy.json b/Solutions/Australian Cyber Security Centre/Playbooks/AusCtisExportTaggedIndicators/azuredeploy.json index d610a423bab..8d18b57ddf3 100644 --- a/Solutions/Australian Cyber Security Centre/Playbooks/AusCtisExportTaggedIndicators/azuredeploy.json +++ b/Solutions/Australian Cyber Security Centre/Playbooks/AusCtisExportTaggedIndicators/azuredeploy.json 
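Review bot: The new `@if(item()?['properties']?['confidence'], item()?['properties']?['confidence'], '')` guards pass the property value itself as the condition, but the Workflow Definition Language `if()` function takes a boolean first argument, so a numeric `confidence`, a string `description` or a null property is likely to fail the Select action at runtime instead of yielding `''` — and a failed Select aborts the export for every indicator in the page. The check needs an explicit comparison, e.g. `@if(not(equals(item()?['properties']?['confidence'], null)), item()?['properties']?['confidence'], '')`. Even with a truthiness test that worked, `revoked` is a boolean and `confidence` an integer, so a legitimate `false` or `0` would be replaced by `''`.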
@@ -434,28 +434,28 @@ "inputs": { "from": "@body('Filter_array_of_indicators_where_tags_do_not_contain_Export_Complete')", "select": { - "confidence": "@if(item()?['properties']?['confidence'], item()?['properties']?['confidence'], '')", - "created": "@if(item()?['properties']?['created'], item()?['properties']?['created'], '')", + "confidence": "@if(not(equals(item()?['properties']?['confidence'], null)), item()?['properties']?['confidence'], '')", + "created": "@if(not(equals(item()?['properties']?['created'], null)), item()?['properties']?['created'], '')", "created_by_ref": "", - "description": "@if(item()?['properties']?['description'], item()?['properties']?['description'], '')", + "description": "@if(not(equals(item()?['properties']?['description'], null)), item()?['properties']?['description'], '')", "external_references": "", "granular_markings": "", - "id": "indicator--@{if(item()?['name'], item()?['name'], '')}", - "indicator_types": "@if(item()?['properties']?['threatTypes'], item()?['properties']?['threatTypes'], '')", + "id": "indicator--@{if(not(equals(item()?['name'], null)), item()?['name'], '')}", + "indicator_types": "@if(not(equals(item()?['properties']?['threatTypes'], null)), item()?['properties']?['threatTypes'], '')", "kill_chain_phases": "", - "labels": "@if(item()?['properties']?['threatIntelligenceTags'], item()?['properties']?['threatIntelligenceTags'], '')", + "labels": "@if(not(equals(item()?['properties']?['threatIntelligenceTags'], null)), item()?['properties']?['threatIntelligenceTags'], '')", "lang": "", - "modified": "@if(item()?['properties']?['lastUpdatedTimeUtc'], item()?['properties']?['lastUpdatedTimeUtc'], '')", - "name": "@if(item()?['properties']?['displayName'], item()?['properties']?['displayName'], '')", - "object_marking_refs": "@if(item()?['properties']?['objectMarkingRefs'], item()?['properties']?['objectMarkingRefs'], '')", - "pattern": "@if(item()?['properties']?['pattern'], item()?['properties']?['pattern'], '')", 
- "pattern_type": "@if(item()?['properties']?['patternType'], item()?['properties']?['patternType'], '')", + "modified": "@if(not(equals(item()?['properties']?['lastUpdatedTimeUtc'], null)), item()?['properties']?['lastUpdatedTimeUtc'], '')", + "name": "@if(not(equals(item()?['properties']?['displayName'], null)), item()?['properties']?['displayName'], '')", + "object_marking_refs": "@if(not(equals(item()?['properties']?['objectMarkingRefs'], null)), item()?['properties']?['objectMarkingRefs'], '')", + "pattern": "@if(not(equals(item()?['properties']?['pattern'], null)), item()?['properties']?['pattern'], '')", + "pattern_type": "@if(not(equals(item()?['properties']?['patternType'], null)), item()?['properties']?['patternType'], '')", "pattern_version": "2.1", - "revoked": "@if(item()?['properties']?['revoked'], item()?['properties']?['revoked'], '')", + "revoked": "@if(not(equals(item()?['properties']?['revoked'], null)), item()?['properties']?['revoked'], '')", "spec_version": "2.1", "type": "indicator", - "valid_from": "@if(item()?['properties']?['validFrom'], item()?['properties']?['validFrom'], '')", - "valid_until": "@if(item()?['properties']?['validUntil'], item()?['properties']?['validUntil'], '')" + "valid_from": "@if(not(equals(item()?['properties']?['validFrom'], null)), item()?['properties']?['validFrom'], '')", + "valid_until": "@if(not(equals(item()?['properties']?['validUntil'], null)), item()?['properties']?['validUntil'], '')" } } } From dce2ef5f7da19686243fc028f97ee6c359941dc1 Mon Sep 17 00:00:00 2001 From: rahul0216 Date: Thu, 10 Aug 2023 23:48:26 +0530 Subject: [PATCH 3/7] Update azuredeploy.json Updated to convert Sentinel TI data to STIX format. --- .../azuredeploy.json | 894 +++++++++++++++++- 1 file changed, 843 insertions(+), 51 deletions(-) 
diff --git a/Solutions/Australian Cyber Security Centre/Playbooks/AusCtisExportTaggedIndicators/azuredeploy.json b/Solutions/Australian Cyber Security Centre/Playbooks/AusCtisExportTaggedIndicators/azuredeploy.json index 8d18b57ddf3..c160cacb70f 100644 --- a/Solutions/Australian Cyber Security Centre/Playbooks/AusCtisExportTaggedIndicators/azuredeploy.json +++ b/Solutions/Australian Cyber Security Centre/Playbooks/AusCtisExportTaggedIndicators/azuredeploy.json 
@@ -4,12 +4,15 @@ "metadata": { "title": "AusCtisExportTaggedIndicators", "description": "This playbook gets triggered every hour and perform the following actions:\n 1. Get all the threat intelligence indicators from Sentinel Workspace with given tag.\n 2. Filter all the indicators whose export in not completed.\n 3. Export the indicators to provided TAXII server. ", - "prerequisites": ["1. Have TAXII Server Url, Collection ID, Username and Password handy before the deployment of the Playbook", - "2. Tag the indicators that need to be exported, by default this playbook exports the indicators with tag 'ACSC Export', this can be changes during the deployment of playbook. Details on how to tag can be found [here](https://learn.microsoft.com/azure/sentinel/understand-threat-intelligence#view-and-manage-your-threat-indicators)"], - "postDeployment": ["This playbook needs contributor role on Log Analytics, to read and update threat indicator tags. 1. Go to Log Analytics Workspace resource --> 2. Select Access control (IAM) tab -->3. Add role assignments --> 4. Select Contributor role --> 5. In the Members tab choose 'Assign access to' Managed Identity --> 6. Click on 'Select members' --> 7. Provide correct Subscription and Managed Identity --> 8. Provide the playbook name in 'Search by name' textbox --> 9. Select the correct identity and click on Select --> 10. Click on 'Review + assign' " + "prerequisites": [ + "1. Have TAXII Server Url, Collection ID, Username and Password handy before the deployment of the Playbook", + "2. Tag the indicators that need to be exported, by default this playbook exports the indicators with tag 'ACSC Export', this can be changes during the deployment of playbook. 
Details on how to tag can be found [here](https://learn.microsoft.com/azure/sentinel/understand-threat-intelligence#view-and-manage-your-threat-indicators)" + ], + "postDeployment": [ + "This playbook needs contributor role on Log Analytics, to read and update threat indicator tags. 1. Go to Log Analytics Workspace resource --> 2. Select Access control (IAM) tab -->3. Add role assignments --> 4. Select Contributor role --> 5. In the Members tab choose 'Assign access to' Managed Identity --> 6. Click on 'Select members' --> 7. Provide correct Subscription and Managed Identity --> 8. Provide the playbook name in 'Search by name' textbox --> 9. Select the correct identity and click on Select --> 10. Click on 'Review + assign' " ], "prerequisitesDeployTemplateFile": "", - "lastUpdateTime": "2022-11-15T12:00:38Z", + "lastUpdateTime": "2023-08-10T12:00:38Z", "entities": [ ], "tags": [ @@ -75,7 +78,7 @@ "variables": { "SubscriptionID": "[subscription().subscriptionId]", "ResourceGroup": "[resourceGroup().name]", - "azure": "[concat('https://management','.azure','.com')]" + "azure": "[concat('https://management','.azure','.com')]" }, "resources": [ { 
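Review bot: The re-added post-deployment guidance still asks for the built-in Contributor role on the Log Analytics workspace, which grants write access to every resource type in that scope; the playbook only calls `threatIntelligence/main/queryIndicators` and `…/indicators/{name}/appendTags`, so a narrower built-in role such as Microsoft Sentinel Contributor (which carries the `Microsoft.SecurityInsights/*` actions) should suffice — verify against the role definition before changing the text to `This playbook needs the Microsoft Sentinel Contributor role on the Log Analytics workspace, to read and update threat indicator tags.` The new prerequisite line also carries a typo, `this can be changes during` → `this can be changed during`. The description on the context line has the same kind of slip (`export in not completed`) but is not touched by this hunk.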
@@ -161,13 +164,802 @@ "where": "@not(contains(item()?['properties']?['threatIntelligenceTags'], parameters('Tag for indicator export completion')))" } }, - "For_each_filtered_indicator": { - "foreach": "@body('Filter_array_of_indicators_where_tags_do_not_contain_Export_Complete')", + "For_each_Indicator": { "actions": { - "HTTP_appendTags_request": { + "Append_to_array_Indicators": { + "inputs": { + "name": "Indicators", + "value": "@variables('Indicator')" + }, "runAfter": { + "Condition_to_check_if_'killChainPhases'_property_exist": [ + "Succeeded" + ] }, - "type": "Http", + "type": "AppendToArrayVariable" + }, + "Compose_mandatory_properties": { + "inputs": { + "created": "@formatDateTime(string(items('For_each_Indicator')?['properties']?['created']), 'yyyy-MM-ddTHH:mm:ss.ffffffK')", + "id": "indicator--@{guid()}", + "modified": "@formatDateTime(string(items('For_each_Indicator')?['properties']?['lastUpdatedTimeUtc']), 'yyyy-MM-ddTHH:mm:ss.ffffffK')", + "pattern": "@items('For_each_Indicator')?['properties']?['pattern']", + "pattern_type": "@if(contains(createArray('stix', 'pcre', 'sigma', 'snort', 'suricata', 'yara'), string(items('For_each_Indicator')?['properties']?['patternType'])), string(items('For_each_Indicator')?['properties']?['patternType']), 'stix')", + "spec_version": "2.1", + "type": "indicator", + "valid_from": "@formatDateTime(string(items('For_each_Indicator')?['properties']?['validFrom']), 'yyyy-MM-ddTHH:mm:ss.ffffffK')" + }, + "runAfter": {}, + "type": "Compose" + }, + "Condition_to_check_if_'confidence'_property_exist": { + "actions": { + "Compose_'confidence'_property": { + "inputs": "@addProperty(variables('Indicator'), 'confidence', item()?['properties']?['confidence'])", + "runAfter": {}, + "type": "Compose" + }, + "Set_variable_Indicator_with_'confidence'_property": { + "inputs": { + "name": "Indicator", + "value": "@outputs('Compose_''confidence''_property')" + }, + "runAfter": { + "Compose_'confidence'_property": [ + "Succeeded" + ] + 
}, + "type": "SetVariable" + } + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@items('For_each_Indicator')?['properties']?['confidence']", + "@null" + ] + } + } + ] + }, + "runAfter": { + "Set_variable_Indicator_with_mandatory_properties": [ + "Succeeded" + ] + }, + "type": "If" + }, + "Condition_to_check_if_'createdByRef'_property_exist": { + "actions": { + "Condition_to_chek_if_'createdByRef'_in_STIIX_format": { + "actions": { + "Compose_'created_by_ref'_property": { + "inputs": "@addProperty(variables('Indicator'), 'created_by_ref', item()?['properties']?['createdByRef'])", + "runAfter": {}, + "type": "Compose" + }, + "Set_variable_Indicator_with_'created_by_ref'_property": { + "inputs": { + "name": "Indicator", + "value": "@outputs('Compose_''created_by_ref''_property')" + }, + "runAfter": { + "Compose_'created_by_ref'_property": [ + "Succeeded" + ] + }, + "type": "SetVariable" + } + }, + "expression": { + "and": [ + { + "equals": [ + "@startsWith(item()?['properties']?['createdByRef'], 'indicator--')", + "@true" + ] + } + ] + }, + "runAfter": {}, + "type": "If" + } + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@items('For_each_Indicator')?['properties']?['createdByRef']", + "@null" + ] + } + } + ] + }, + "runAfter": { + "Condition_to_check_if_'displayName'_property_exist": [ + "Succeeded" + ] + }, + "type": "If" + }, + "Condition_to_check_if_'description'_property_exist": { + "actions": { + "Compose_'description'_property": { + "inputs": "@addProperty(variables('Indicator'), 'description', item()?['properties']?['description'])", + "runAfter": {}, + "type": "Compose" + }, + "Set_variable_Indicator_with_'description'_property": { + "inputs": { + "name": "Indicator", + "value": "@outputs('Compose_''description''_property')" + }, + "runAfter": { + "Compose_'description'_property": [ + "Succeeded" + ] + }, + "type": "SetVariable" + } + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + 
"@items('For_each_Indicator')?['properties']?['description']", + "@null" + ] + } + } + ] + }, + "runAfter": { + "Condition_to_check_if_'confidence'_property_exist": [ + "Succeeded" + ] + }, + "type": "If" + }, + "Condition_to_check_if_'displayName'_property_exist": { + "actions": { + "Compose_'name'_property": { + "inputs": "@addProperty(variables('Indicator'), 'name', item()?['properties']?['displayName'])", + "runAfter": {}, + "type": "Compose" + }, + "Set_variable_Indicator_with_'name'_property": { + "inputs": { + "name": "Indicator", + "value": "@outputs('Compose_''name''_property')" + }, + "runAfter": { + "Compose_'name'_property": [ + "Succeeded" + ] + }, + "type": "SetVariable" + } + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@items('For_each_Indicator')?['properties']?['displayName']", + "@null" + ] + } + } + ] + }, + "runAfter": { + "Condition_to_check_if_'language'_property_exist": [ + "Succeeded" + ] + }, + "type": "If" + }, + "Condition_to_check_if_'extensions'_property_exist": { + "actions": { + "Condition_to_check_if_extension_definition_exist": { + "actions": { + "Compose_'extensions'_property": { + "inputs": "@addProperty(variables('Indicator'), 'extensions', item()?['properties']?['extensions'])", + "runAfter": {}, + "type": "Compose" + }, + "Set_variable_Indicator_with_'extensions'_property": { + "inputs": { + "name": "Indicator", + "value": "@outputs('Compose_''extensions''_property')" + }, + "runAfter": { + "Compose_'extensions'_property": [ + "Succeeded" + ] + }, + "type": "SetVariable" + } + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@indexOf(string(item()?['properties']?['extensions']), 'extension-definition--')", + -1 + ] + } + } + ] + }, + "runAfter": {}, + "type": "If" + } + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@items('For_each_Indicator')?['properties']?['extensions']", + "@null" + ] + } + } + ] + }, + "runAfter": { + 
"Condition_to_check_if_'granularMarkings'_property_exist": [ + "Succeeded" + ] + }, + "type": "If" + }, + "Condition_to_check_if_'externalReferences'_property_exist": { + "actions": { + "Condition_to_check_if__externalReferences_is_empty_array": { + "actions": { + "Compose_'external_references'_property": { + "inputs": "@addProperty(variables('Indicator'), 'external_references', item()?['properties']?['externalReferences'])", + "runAfter": {}, + "type": "Compose" + }, + "Set_variable_Indicator_with_'external_references'_property": { + "inputs": { + "name": "Indicator", + "value": "@outputs('Compose_''external_references''_property')" + }, + "runAfter": { + "Compose_'external_references'_property": [ + "Succeeded" + ] + }, + "type": "SetVariable" + } + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@length(item()?['properties']?['externalReferences'])", + 0 + ] + } + } + ] + }, + "runAfter": {}, + "type": "If" + } + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@items('For_each_Indicator')?['properties']?['externalReferences']", + "@null" + ] + } + } + ] + }, + "runAfter": { + "Condition_to_check_if_'revoked'_property_exist": [ + "Succeeded" + ] + }, + "type": "If" + }, + "Condition_to_check_if_'granularMarkings'_property_exist": { + "actions": { + "Condition_to_check_if_granularMarkings_is_empty_array": { + "actions": { + "Compose_'granular_markings'_property": { + "inputs": "@addProperty(variables('Indicator'), 'granular_markings', item()?['properties']?['granularMarkings'])", + "runAfter": {}, + "type": "Compose" + }, + "Set_variable_Indicator_with_'granular_markings'_property": { + "inputs": { + "name": "Indicator", + "value": "@outputs('Compose_''granular_markings''_property')" + }, + "runAfter": { + "Compose_'granular_markings'_property": [ + "Succeeded" + ] + }, + "type": "SetVariable" + } + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@length(item()?['properties']?['granularMarkings'])", + 0 + ] + } + } + 
] + }, + "runAfter": {}, + "type": "If" + } + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@items('For_each_Indicator')?['properties']?['granular_markings']", + "@null" + ] + } + } + ] + }, + "runAfter": { + "Condition_to_check_if_'objectMarkingRefs'_property_exist": [ + "Succeeded" + ] + }, + "type": "If" + }, + "Condition_to_check_if_'indicatorTypes'_property_exist": { + "actions": { + "Condition_to_check_if_indicatorTypes_is_empty_array": { + "actions": { + "Compose_'indicator_types'_property": { + "inputs": "@addProperty(variables('Indicator'), 'indicator_types', item()?['properties']?['indicatorTypes'])", + "runAfter": {}, + "type": "Compose" + }, + "Set_variable_Indicator_with_'indicator_types'_property": { + "inputs": { + "name": "Indicator", + "value": "@outputs('Compose_''indicator_types''_property')" + }, + "runAfter": { + "Compose_'indicator_types'_property": [ + "Succeeded" + ] + }, + "type": "SetVariable" + } + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@length(item()?['properties']?['indicatorTypes'])", + 0 + ] + } + } + ] + }, + "runAfter": {}, + "type": "If" + } + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@items('For_each_Indicator')?['properties']?['indicatorTypes']", + "@null" + ] + } + } + ] + }, + "runAfter": { + "Condition_to_check_if_'extensions'_property_exist": [ + "Succeeded" + ] + }, + "type": "If" + }, + "Condition_to_check_if_'killChainPhases'_property_exist": { + "actions": { + "Condition_to_check_if_killChainPhases_is_empty_array": { + "actions": { + "Compose_'kill_chain_phases'_property": { + "inputs": "@addProperty(variables('Indicator'), 'kill_chain_phases', item()?['properties']?['killChainPhases'])", + "runAfter": {}, + "type": "Compose" + }, + "Set_variable_Indicator_with_'kill_chain_phases'_property": { + "inputs": { + "name": "Indicator", + "value": "@outputs('Compose_''kill_chain_phases''_property')" + }, + "runAfter": { + "Compose_'kill_chain_phases'_property": [ + 
"Succeeded" + ] + }, + "type": "SetVariable" + } + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@length(item()?['properties']?['killChainPhases'])", + 0 + ] + } + } + ] + }, + "runAfter": {}, + "type": "If" + } + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@items('For_each_Indicator')?['properties']?['killChainPhases']", + "@null" + ] + } + } + ] + }, + "runAfter": { + "Condition_to_check_if_'validUntil'_property_exist": [ + "Succeeded" + ] + }, + "type": "If" + }, + "Condition_to_check_if_'labels'_property_exist": { + "actions": { + "Condition_to_check_if_labels_is_empty_array": { + "actions": { + "Compose_'labels'_property": { + "inputs": "@addProperty(variables('Indicator'), 'labels', item()?['properties']?['labels'])", + "runAfter": {}, + "type": "Compose" + }, + "Set_variable_Indicator_with_'labels'_property": { + "inputs": { + "name": "Indicator", + "value": "@outputs('Compose_''labels''_property')" + }, + "runAfter": { + "Compose_'labels'_property": [ + "Succeeded" + ] + }, + "type": "SetVariable" + } + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@length(item()?['properties']?['labels'])", + 0 + ] + } + } + ] + }, + "runAfter": {}, + "type": "If" + } + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@items('For_each_Indicator')?['properties']?['labels']", + "@null" + ] + } + } + ] + }, + "runAfter": { + "Condition_to_check_if_'createdByRef'_property_exist": [ + "Succeeded" + ] + }, + "type": "If" + }, + "Condition_to_check_if_'language'_property_exist": { + "actions": { + "Compose_'lang'_property": { + "inputs": "@addProperty(variables('Indicator'), 'lang', item()?['properties']?['language'])", + "runAfter": {}, + "type": "Compose" + }, + "Set_variable_Indicator_with_'lang'_property": { + "inputs": { + "name": "Indicator", + "value": "@outputs('Compose_''lang''_property')" + }, + "runAfter": { + "Compose_'lang'_property": [ + "Succeeded" + ] + }, + "type": "SetVariable" + } + }, + 
"expression": { + "and": [ + { + "not": { + "equals": [ + "@items('For_each_Indicator')?['properties']?['language']", + "@null" + ] + } + } + ] + }, + "runAfter": { + "Condition_to_check_if_'description'_property_exist": [ + "Succeeded" + ] + }, + "type": "If" + }, + "Condition_to_check_if_'objectMarkingRefs'_property_exist": { + "actions": { + "Condition_to_check_if_objectMarkingRefs_is_empty_array": { + "actions": { + "Compose_'object_marking_refs'_property": { + "inputs": "@addProperty(variables('Indicator'), 'object_marking_refs', item()?['properties']?['objectMarkingRefs'])", + "runAfter": {}, + "type": "Compose" + }, + "Set_variable_Indicator_with_'object_marking_refs'_property": { + "inputs": { + "name": "Indicator", + "value": "@outputs('Compose_''object_marking_refs''_property')" + }, + "runAfter": { + "Compose_'object_marking_refs'_property": [ + "Succeeded" + ] + }, + "type": "SetVariable" + } + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@length(item()?['properties']?['objectMarkingRefs'])", + 0 + ] + } + } + ] + }, + "runAfter": {}, + "type": "If" + } + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@items('For_each_Indicator')?['properties']?['objectMarkingRefs']", + "@null" + ] + } + } + ] + }, + "runAfter": { + "Condition_to_check_if_'externalReferences'_property_exist": [ + "Succeeded" + ] + }, + "type": "If" + }, + "Condition_to_check_if_'patternVersion'_property_exist": { + "actions": { + "Compose_'pattern_version'_property": { + "inputs": "@addProperty(variables('Indicator'), 'pattern_version', item()?['properties']?['patternVersion'])", + "runAfter": {}, + "type": "Compose" + }, + "Set_variable_Indicator_with_'pattern_version'_property": { + "inputs": { + "name": "Indicator", + "value": "@outputs('Compose_''pattern_version''_property')" + }, + "runAfter": { + "Compose_'pattern_version'_property": [ + "Succeeded" + ] + }, + "type": "SetVariable" + } + }, + "expression": { + "and": [ + { + "not": { + "equals": 
[ + "@items('For_each_Indicator')?['properties']?['patternVersion']", + "@null" + ] + } + } + ] + }, + "runAfter": { + "Condition_to_check_if_'indicatorTypes'_property_exist": [ + "Succeeded" + ] + }, + "type": "If" + }, + "Condition_to_check_if_'revoked'_property_exist": { + "actions": { + "Compose_'revoked'_property": { + "inputs": "@addProperty(variables('Indicator'), 'revoked', item()?['properties']?['revoked'])", + "runAfter": {}, + "type": "Compose" + }, + "Set_variable_Indicator_with_'revoked'_property": { + "inputs": { + "name": "Indicator", + "value": "@outputs('Compose_''revoked''_property')" + }, + "runAfter": { + "Compose_'revoked'_property": [ + "Succeeded" + ] + }, + "type": "SetVariable" + } + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@items('For_each_Indicator')?['properties']?['revoked']", + "@null" + ] + } + } + ] + }, + "runAfter": { + "Condition_to_check_if_'labels'_property_exist": [ + "Succeeded" + ] + }, + "type": "If" + }, + "Condition_to_check_if_'validUntil'_property_exist": { + "actions": { + "Compose_'valid_until'_property": { + "inputs": "@addProperty(variables('Indicator'), 'valid_until', formatDateTime(string(item()?['properties']?['validUntil']), 'yyyy-MM-ddTHH:mm:ss.ffffffK'))", + "runAfter": {}, + "type": "Compose" + }, + "Set_variable_Indicator_with_'valid_until'_property": { + "inputs": { + "name": "Indicator", + "value": "@outputs('Compose_''valid_until''_property')" + }, + "runAfter": { + "Compose_'valid_until'_property": [ + "Succeeded" + ] + }, + "type": "SetVariable" + } + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@items('For_each_Indicator')?['properties']?['validUntil']", + "@null" + ] + } + } + ] + }, + "runAfter": { + "Condition_to_check_if_'patternVersion'_property_exist": [ + "Succeeded" + ] + }, + "type": "If" + }, + "Reset_variable_Indicator": { + "inputs": { + "name": "Indicator", + "value": {} + }, + "runAfter": { + "Append_to_array_Indicators": [ + "Succeeded" + ] + }, + 
"type": "SetVariable" + }, + "Set_variable_Indicator_with_mandatory_properties": { + "inputs": { + "name": "Indicator", + "value": "@outputs('Compose_mandatory_properties')" + }, + "runAfter": { + "Compose_mandatory_properties": [ + "Succeeded" + ] + }, + "type": "SetVariable" + } + }, + "foreach": "@body('Filter_array_of_indicators_where_tags_do_not_contain_Export_Complete')", + "runAfter": { + "Filter_array_of_indicators_where_tags_do_not_contain_Export_Complete": [ + "Succeeded" + ] + }, + "runtimeConfiguration": { + "concurrency": { + "repetitions": 1 + } + }, + "type": "Foreach" + }, + "For_each_filtered_indicator": { + "actions": { + "HTTP_appendTags_request": { "inputs": { "authentication": { "type": "ManagedServiceIdentity" @@ -178,10 +970,13 @@ ] }, "method": "POST", - "uri": "[uriComponentToString(uri(variables('azure'),'subscriptions/@{parameters(''SubscriptionID'')}/resourceGroups/@{parameters(''ResourceGroup'')}/providers/Microsoft.OperationalInsights/workspaces/@{parameters(''Workspace'')}/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/@{items(''For_each_filtered_indicator'')?[''name'']}/appendTags?api-version=2021-10-01'))]" - } + "uri": "https://management.azure.com/subscriptions/@{parameters('SubscriptionID')}/resourceGroups/@{parameters('ResourceGroup')}/providers/Microsoft.OperationalInsights/workspaces/@{parameters('Workspace')}/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/@{items('For_each_filtered_indicator')?['name']}/appendTags?api-version=2021-10-01" + }, + "runAfter": {}, + "type": "Http" } }, + "foreach": "@body('Filter_array_of_indicators_where_tags_do_not_contain_Export_Complete')", "runAfter": { "HTTP_POST_stix_bundle_to_TAXII_server": [ "Succeeded" @@ -216,6 +1011,9 @@ }, "HTTP_queryIndicators_request": { "runAfter": { + "Initialize_variable_Indicator": [ + "Succeeded" + ] }, "type": "Http", "inputs": { 
@@ -239,22 +1037,51 @@ "uri": "[uriComponentToString(uri(variables('azure'),'subscriptions/@{parameters(''SubscriptionID'')}/resourceGroups/@{parameters(''ResourceGroup'')}/providers/Microsoft.OperationalInsights/workspaces/@{parameters(''Workspace'')}/providers/Microsoft.SecurityInsights/threatIntelligence/main/queryIndicators?api-version=2022-06-01-preview'))]" } }, - "Initialize_variable_for_STIX_bundle_JSON": { + "Initialize_array_Indicators": { + "inputs": { + "variables": [ + { + "name": "Indicators", + "type": "array" + } + ] + }, + "runAfter": {}, + "type": "InitializeVariable" + }, + "Initialize_variable_Indicator": { + "inputs": { + "variables": [ + { + "name": "Indicator", + "type": "object", + "value": {} + } + ] + }, "runAfter": { - "Select_indicators_into_STIX_format": [ + "Initialize_array_Indicators": [ "Succeeded" ] }, - "type": "InitializeVariable", + "type": "InitializeVariable" + }, + "Initialize_variable_for_STIX_bundle_JSON": { "inputs": { "variables": [ { "name": "StixBundle", "type": "string", - "value": "{\n \"type\": \"bundle\",\n \"id\": \"bundle--1736e032-a96a-41e9-8302-126677d4d781\",\n \"objects\": @{body('Select_indicators_into_STIX_format')}\n}" + "value": "{\n \"type\": \"bundle\",\n \"id\": \"bundle--1736e032-a96a-41e9-8302-126677d4d781\",\n \"objects\": @{string(variables('Indicators'))}\n}" } ] - } + }, + "runAfter": { + "For_each_Indicator": [ + "Succeeded" + ] + }, + "type": "InitializeVariable" }, "Parse_JSON_queryIndicators_response": { "runAfter": { 
@@ -423,41 +1250,6 @@ "type": "object" } } - }, - "Select_indicators_into_STIX_format": { - "runAfter": { - "Filter_array_of_indicators_where_tags_do_not_contain_Export_Complete": [ - "Succeeded" - ] - }, - "type": "Select", - "inputs": { - "from": "@body('Filter_array_of_indicators_where_tags_do_not_contain_Export_Complete')", - "select": { - "confidence": "@if(not(equals(item()?['properties']?['confidence'], null)), item()?['properties']?['confidence'], '')", - "created": "@if(not(equals(item()?['properties']?['created'], null)), item()?['properties']?['created'], '')", - "created_by_ref": "", - "description": "@if(not(equals(item()?['properties']?['description'], null)), item()?['properties']?['description'], '')", - "external_references": "", - "granular_markings": "", - "id": "indicator--@{if(not(equals(item()?['name'], null)), item()?['name'], '')}", - "indicator_types": "@if(not(equals(item()?['properties']?['threatTypes'], null)), item()?['properties']?['threatTypes'], '')", - "kill_chain_phases": "", - "labels": "@if(not(equals(item()?['properties']?['threatIntelligenceTags'], null)), item()?['properties']?['threatIntelligenceTags'], '')", - "lang": "", - "modified": "@if(not(equals(item()?['properties']?['lastUpdatedTimeUtc'], null)), item()?['properties']?['lastUpdatedTimeUtc'], '')", - "name": "@if(not(equals(item()?['properties']?['displayName'], null)), item()?['properties']?['displayName'], '')", - "object_marking_refs": "@if(not(equals(item()?['properties']?['objectMarkingRefs'], null)), item()?['properties']?['objectMarkingRefs'], '')", - "pattern": "@if(not(equals(item()?['properties']?['pattern'], null)), item()?['properties']?['pattern'], '')", - "pattern_type": "@if(not(equals(item()?['properties']?['patternType'], null)), item()?['properties']?['patternType'], '')", - "pattern_version": "2.1", - "revoked": "@if(not(equals(item()?['properties']?['revoked'], null)), item()?['properties']?['revoked'], '')", - "spec_version": "2.1", - "type": 
"indicator", - "valid_from": "@if(not(equals(item()?['properties']?['validFrom'], null)), item()?['properties']?['validFrom'], '')", - "valid_until": "@if(not(equals(item()?['properties']?['validUntil'], null)), item()?['properties']?['validUntil'], '')" - } - } } }, "outputs": { From 9f410a71143d8dd720bc689392557aa6da1b18ad Mon Sep 17 00:00:00 2001 From: rahul0216 Date: Fri, 6 Oct 2023 14:42:11 +0530 Subject: [PATCH 4/7] Update azuredeploy.json MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Update template, 1. If TLP tag is present, keep that tag and If No TLP tag is present, assign default TLP:WHITE tag 2. If ‘Incident ID: xxxx’ tag is present, prefix this to description in STIX format --- .../azuredeploy.json | 660 ++++++++++++------ 1 file changed, 430 insertions(+), 230 deletions(-) diff --git a/Solutions/Australian Cyber Security Centre/Playbooks/AusCtisExportTaggedIndicators/azuredeploy.json b/Solutions/Australian Cyber Security Centre/Playbooks/AusCtisExportTaggedIndicators/azuredeploy.json index c160cacb70f..0c1c2df33dc 100644 --- a/Solutions/Australian Cyber Security Centre/Playbooks/AusCtisExportTaggedIndicators/azuredeploy.json +++ b/Solutions/Australian Cyber Security Centre/Playbooks/AusCtisExportTaggedIndicators/azuredeploy.json 
@@ -165,20 +165,23 @@ } }, "For_each_Indicator": { + "foreach": "@body('Filter_array_of_indicators_where_tags_do_not_contain_Export_Complete')", "actions": { "Append_to_array_Indicators": { - "inputs": { - "name": "Indicators", - "value": "@variables('Indicator')" - }, "runAfter": { "Condition_to_check_if_'killChainPhases'_property_exist": [ "Succeeded" ] }, - "type": "AppendToArrayVariable" + "type": "AppendToArrayVariable", + "inputs": { + "name": "Indicators", + "value": "@variables('Indicator')" + } }, "Compose_mandatory_properties": { + "runAfter": {}, + "type": "Compose", "inputs": { "created": "@formatDateTime(string(items('For_each_Indicator')?['properties']?['created']), 'yyyy-MM-ddTHH:mm:ss.ffffffK')", "id": "indicator--@{guid()}", @@ -188,30 +191,33 @@ "spec_version": "2.1", "type": "indicator", "valid_from": "@formatDateTime(string(items('For_each_Indicator')?['properties']?['validFrom']), 'yyyy-MM-ddTHH:mm:ss.ffffffK')" - }, - "runAfter": {}, - "type": "Compose" + } }, "Condition_to_check_if_'confidence'_property_exist": { "actions": { "Compose_'confidence'_property": { - "inputs": "@addProperty(variables('Indicator'), 'confidence', item()?['properties']?['confidence'])", "runAfter": {}, - "type": "Compose" + "type": "Compose", + "inputs": "@addProperty(variables('Indicator'), 'confidence', item()?['properties']?['confidence'])" }, "Set_variable_Indicator_with_'confidence'_property": { - "inputs": { - "name": "Indicator", - "value": "@outputs('Compose_''confidence''_property')" - }, "runAfter": { "Compose_'confidence'_property": [ "Succeeded" ] }, - "type": "SetVariable" + "type": "SetVariable", + "inputs": { + "name": "Indicator", + "value": "@outputs('Compose_''confidence''_property')" + } } }, + "runAfter": { + "Set_variable_Indicator_with_mandatory_properties": [ + "Succeeded" + ] + }, "expression": { "and": [ { 
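Review bot: `Compose_mandatory_properties` mints the STIX id as `indicator--@{guid()}`, so an indicator exported again in a later run (for example after its export-complete tag is removed) reaches the TAXII server as a new object rather than a new version of the same id. The `Select` action deleted earlier in this series derived the id from `item()?['name']`; if that Sentinel resource name is a GUID, as that usage assumed, `"id": "indicator--@{items('For_each_Indicator')?['name']}"` keeps ids stable across runs. The `created` and `valid_from` lines pass `string(...)` of the property to `formatDateTime`, which fails the action on an empty string, so this relies on both properties always being present on a Sentinel indicator; I cannot confirm that from here. The enclosing `For_each_Indicator` action continues past the end of this hunk.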
@@ -224,11 +230,6 @@ } ] }, - "runAfter": { - "Set_variable_Indicator_with_mandatory_properties": [ - "Succeeded" - ] - }, "type": "If" }, "Condition_to_check_if_'createdByRef'_property_exist": { @@ -236,23 +237,24 @@ "Condition_to_chek_if_'createdByRef'_in_STIIX_format": { "actions": { "Compose_'created_by_ref'_property": { - "inputs": "@addProperty(variables('Indicator'), 'created_by_ref', item()?['properties']?['createdByRef'])", "runAfter": {}, - "type": "Compose" + "type": "Compose", + "inputs": "@addProperty(variables('Indicator'), 'created_by_ref', item()?['properties']?['createdByRef'])" }, "Set_variable_Indicator_with_'created_by_ref'_property": { - "inputs": { - "name": "Indicator", - "value": "@outputs('Compose_''created_by_ref''_property')" - }, "runAfter": { "Compose_'created_by_ref'_property": [ "Succeeded" ] }, - "type": "SetVariable" + "type": "SetVariable", + "inputs": { + "name": "Indicator", + "value": "@outputs('Compose_''created_by_ref''_property')" + } } }, + "runAfter": {}, "expression": { "and": [ { @@ -263,10 +265,14 @@ } ] }, - "runAfter": {}, "type": "If" } }, + "runAfter": { + "Condition_to_check_if_'displayName'_property_exist": [ + "Succeeded" + ] + }, "expression": { "and": [ { 
@@ -279,33 +285,45 @@ } ] }, - "runAfter": { - "Condition_to_check_if_'displayName'_property_exist": [ - "Succeeded" - ] - }, "type": "If" }, "Condition_to_check_if_'description'_property_exist": { "actions": { "Compose_'description'_property": { - "inputs": "@addProperty(variables('Indicator'), 'description', item()?['properties']?['description'])", "runAfter": {}, - "type": "Compose" + "type": "Compose", + "inputs": "@addProperty(variables('Indicator'), 'description', item()?['properties']?['description'])" }, - "Set_variable_Indicator_with_'description'_property": { - "inputs": { - "name": "Indicator", - "value": "@outputs('Compose_''description''_property')" + "Set_variable_Description": { + "runAfter": { + "Set_variable_Indicator_with_'description'_property": [ + "Succeeded" + ] }, + "type": "SetVariable", + "inputs": { + "name": "Description", + "value": "@{item()?['properties']?['description']}" + } + }, + "Set_variable_Indicator_with_'description'_property": { "runAfter": { "Compose_'description'_property": [ "Succeeded" ] }, - "type": "SetVariable" + "type": "SetVariable", + "inputs": { + "name": "Indicator", + "value": "@outputs('Compose_''description''_property')" + } } }, + "runAfter": { + "Condition_to_check_if_'confidence'_property_exist": [ + "Succeeded" + ] + }, "expression": { "and": [ { 
@@ -318,33 +336,33 @@ } ] }, - "runAfter": { - "Condition_to_check_if_'confidence'_property_exist": [ - "Succeeded" - ] - }, "type": "If" }, "Condition_to_check_if_'displayName'_property_exist": { "actions": { "Compose_'name'_property": { - "inputs": "@addProperty(variables('Indicator'), 'name', item()?['properties']?['displayName'])", "runAfter": {}, - "type": "Compose" + "type": "Compose", + "inputs": "@addProperty(variables('Indicator'), 'name', item()?['properties']?['displayName'])" }, "Set_variable_Indicator_with_'name'_property": { - "inputs": { - "name": "Indicator", - "value": "@outputs('Compose_''name''_property')" - }, "runAfter": { "Compose_'name'_property": [ "Succeeded" ] }, - "type": "SetVariable" + "type": "SetVariable", + "inputs": { + "name": "Indicator", + "value": "@outputs('Compose_''name''_property')" + } } }, + "runAfter": { + "Condition_to_check_if_'language'_property_exist": [ + "Succeeded" + ] + }, "expression": { "and": [ { @@ -357,11 +375,6 @@ } ] }, - "runAfter": { - "Condition_to_check_if_'language'_property_exist": [ - "Succeeded" - ] - }, "type": "If" }, "Condition_to_check_if_'extensions'_property_exist": { @@ -369,23 +382,24 @@ "Condition_to_check_if_extension_definition_exist": { "actions": { "Compose_'extensions'_property": { - "inputs": "@addProperty(variables('Indicator'), 'extensions', item()?['properties']?['extensions'])", "runAfter": {}, - "type": "Compose" + "type": "Compose", + "inputs": "@addProperty(variables('Indicator'), 'extensions', item()?['properties']?['extensions'])" }, "Set_variable_Indicator_with_'extensions'_property": { - "inputs": { - "name": "Indicator", - "value": "@outputs('Compose_''extensions''_property')" - }, "runAfter": { "Compose_'extensions'_property": [ "Succeeded" ] }, - "type": "SetVariable" + "type": "SetVariable", + "inputs": { + "name": "Indicator", + "value": "@outputs('Compose_''extensions''_property')" + } } }, + "runAfter": {}, "expression": { "and": [ { 
@@ -398,10 +412,14 @@ } ] }, - "runAfter": {}, "type": "If" } }, + "runAfter": { + "Condition_to_check_if_'granularMarkings'_property_exist": [ + "Succeeded" + ] + }, "expression": { "and": [ { @@ -414,11 +432,6 @@ } ] }, - "runAfter": { - "Condition_to_check_if_'granularMarkings'_property_exist": [ - "Succeeded" - ] - }, "type": "If" }, "Condition_to_check_if_'externalReferences'_property_exist": { @@ -426,23 +439,24 @@ "Condition_to_check_if__externalReferences_is_empty_array": { "actions": { "Compose_'external_references'_property": { - "inputs": "@addProperty(variables('Indicator'), 'external_references', item()?['properties']?['externalReferences'])", "runAfter": {}, - "type": "Compose" + "type": "Compose", + "inputs": "@addProperty(variables('Indicator'), 'external_references', item()?['properties']?['externalReferences'])" }, "Set_variable_Indicator_with_'external_references'_property": { - "inputs": { - "name": "Indicator", - "value": "@outputs('Compose_''external_references''_property')" - }, "runAfter": { "Compose_'external_references'_property": [ "Succeeded" ] }, - "type": "SetVariable" + "type": "SetVariable", + "inputs": { + "name": "Indicator", + "value": "@outputs('Compose_''external_references''_property')" + } } }, + "runAfter": {}, "expression": { "and": [ { @@ -455,10 +469,14 @@ } ] }, - "runAfter": {}, "type": "If" } }, + "runAfter": { + "Condition_to_check_if_'revoked'_property_exist": [ + "Succeeded" + ] + }, "expression": { "and": [ { @@ -471,11 +489,6 @@ } ] }, - "runAfter": { - "Condition_to_check_if_'revoked'_property_exist": [ - "Succeeded" - ] - }, "type": "If" }, "Condition_to_check_if_'granularMarkings'_property_exist": { 
@@ -483,23 +496,24 @@ "Condition_to_check_if_granularMarkings_is_empty_array": { "actions": { "Compose_'granular_markings'_property": { - "inputs": "@addProperty(variables('Indicator'), 'granular_markings', item()?['properties']?['granularMarkings'])", "runAfter": {}, - "type": "Compose" + "type": "Compose", + "inputs": "@addProperty(variables('Indicator'), 'granular_markings', item()?['properties']?['granularMarkings'])" }, "Set_variable_Indicator_with_'granular_markings'_property": { - "inputs": { - "name": "Indicator", - "value": "@outputs('Compose_''granular_markings''_property')" - }, "runAfter": { "Compose_'granular_markings'_property": [ "Succeeded" ] }, - "type": "SetVariable" + "type": "SetVariable", + "inputs": { + "name": "Indicator", + "value": "@outputs('Compose_''granular_markings''_property')" + } } }, + "runAfter": {}, "expression": { "and": [ { @@ -512,10 +526,14 @@ } ] }, - "runAfter": {}, "type": "If" } }, + "runAfter": { + "Condition_to_check_if_'objectMarkingRefs'_property_exist": [ + "Succeeded" + ] + }, "expression": { "and": [ { @@ -528,11 +546,6 @@ } ] }, - "runAfter": { - "Condition_to_check_if_'objectMarkingRefs'_property_exist": [ - "Succeeded" - ] - }, "type": "If" }, "Condition_to_check_if_'indicatorTypes'_property_exist": { 
@@ -540,23 +553,24 @@ "Condition_to_check_if_indicatorTypes_is_empty_array": { "actions": { "Compose_'indicator_types'_property": { - "inputs": "@addProperty(variables('Indicator'), 'indicator_types', item()?['properties']?['indicatorTypes'])", "runAfter": {}, - "type": "Compose" + "type": "Compose", + "inputs": "@addProperty(variables('Indicator'), 'indicator_types', item()?['properties']?['indicatorTypes'])" }, "Set_variable_Indicator_with_'indicator_types'_property": { - "inputs": { - "name": "Indicator", - "value": "@outputs('Compose_''indicator_types''_property')" - }, "runAfter": { "Compose_'indicator_types'_property": [ "Succeeded" ] }, - "type": "SetVariable" + "type": "SetVariable", + "inputs": { + "name": "Indicator", + "value": "@outputs('Compose_''indicator_types''_property')" + } } }, + "runAfter": {}, "expression": { "and": [ { @@ -569,10 +583,14 @@ } ] }, - "runAfter": {}, "type": "If" } }, + "runAfter": { + "Condition_to_check_if_'extensions'_property_exist": [ + "Succeeded" + ] + }, "expression": { "and": [ { @@ -585,11 +603,6 @@ } ] }, - "runAfter": { - "Condition_to_check_if_'extensions'_property_exist": [ - "Succeeded" - ] - }, "type": "If" }, "Condition_to_check_if_'killChainPhases'_property_exist": { 
@@ -597,23 +610,24 @@ "Condition_to_check_if_killChainPhases_is_empty_array": { "actions": { "Compose_'kill_chain_phases'_property": { - "inputs": "@addProperty(variables('Indicator'), 'kill_chain_phases', item()?['properties']?['killChainPhases'])", "runAfter": {}, - "type": "Compose" + "type": "Compose", + "inputs": "@addProperty(variables('Indicator'), 'kill_chain_phases', item()?['properties']?['killChainPhases'])" }, "Set_variable_Indicator_with_'kill_chain_phases'_property": { - "inputs": { - "name": "Indicator", - "value": "@outputs('Compose_''kill_chain_phases''_property')" - }, "runAfter": { "Compose_'kill_chain_phases'_property": [ "Succeeded" ] }, - "type": "SetVariable" + "type": "SetVariable", + "inputs": { + "name": "Indicator", + "value": "@outputs('Compose_''kill_chain_phases''_property')" + } } }, + "runAfter": {}, "expression": { "and": [ { @@ -626,10 +640,14 @@ } ] }, - "runAfter": {}, "type": "If" } }, + "runAfter": { + "Condition_to_check_if_'validUntil'_property_exist": [ + "Succeeded" + ] + }, "expression": { "and": [ { 
@@ -642,51 +660,190 @@ } ] }, - "runAfter": { - "Condition_to_check_if_'validUntil'_property_exist": [ - "Succeeded" - ] - }, "type": "If" }, "Condition_to_check_if_'labels'_property_exist": { "actions": { - "Condition_to_check_if_labels_is_empty_array": { + "Add_Incidet_ID_to_Description": { "actions": { - "Compose_'labels'_property": { - "inputs": "@addProperty(variables('Indicator'), 'labels', item()?['properties']?['labels'])", - "runAfter": {}, - "type": "Compose" - }, - "Set_variable_Indicator_with_'labels'_property": { - "inputs": { - "name": "Indicator", - "value": "@outputs('Compose_''labels''_property')" + "Condition_to_check_if_Incident_tag_is_present": { + "actions": { + "Condition_to_check_if_Description_is_not_null": { + "actions": { + "Concat_IncidentTag_with_Description_": { + "runAfter": {}, + "type": "Compose", + "inputs": "@setProperty(variables('Indicator'), 'description', concat('[',variables('IncidentTag'), '] ', item()?['properties']?['description']))" + }, + "Set_variable_Indicator_with_updated_Description": { + "runAfter": { + "Concat_IncidentTag_with_Description_": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "Indicator", + "value": "@outputs('Concat_IncidentTag_with_Description_')" + } + } + }, + "runAfter": { + "For_each_Lable_in_Lables": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Compose_description_as_IncidentTag": { + "runAfter": {}, + "type": "Compose", + "inputs": "@setProperty(variables('Indicator'), 'description', concat('[', variables('IncidentTag'), ']'))" + }, + "Set_variable_Indicator_with_description_as_IncidentTag": { + "runAfter": { + "Compose_description_as_IncidentTag": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "Indicator", + "value": "@outputs('Compose_description_as_IncidentTag')" + } + } + } + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@variables('Description')", + "@null" + ] + } + } + ] + }, + "type": "If" + }, + 
"For_each_Lable_in_Lables": { + "foreach": "@variables('Lables')", + "actions": { + "Condition_to_check_if_it_is_incident_tag": { + "actions": { + "Set_variable_IncidentTag": { + "runAfter": {}, + "type": "SetVariable", + "inputs": { + "name": "IncidentTag", + "value": "@{string(items('For_each_Lable_in_Lables'))}" + } + } + }, + "runAfter": {}, + "expression": { + "and": [ + { + "equals": [ + "@contains(toLower(items('For_each_Lable_in_Lables')), 'incident id:')", + "@true" + ] + } + ] + }, + "type": "If" + } + }, + "runAfter": {}, + "type": "Foreach" + } }, - "runAfter": { - "Compose_'labels'_property": [ - "Succeeded" + "runAfter": {}, + "expression": { + "and": [ + { + "equals": [ + "@contains(toLower(join(variables('Lables'), '|')), 'incident id:')", + "@true" + ] + } ] }, - "type": "SetVariable" + "type": "If" + } + }, + "runAfter": { + "Condition_to_check_if_TLP_tag_not_present": [ + "Succeeded" + ] + }, + "type": "Scope" + }, + "Compose_'labels'_property": { + "runAfter": { + "Add_Incidet_ID_to_Description": [ + "Succeeded" + ] + }, + "type": "Compose", + "inputs": "@addProperty(variables('Indicator'), 'labels', variables('Lables'))" + }, + "Condition_to_check_if_TLP_tag_not_present": { + "actions": { + "Append_to_array_Lables": { + "runAfter": {}, + "type": "AppendToArrayVariable", + "inputs": { + "name": "Lables", + "value": "@string('TLP:WHITE')" + } } }, + "runAfter": { + "Set_array_Lables": [ + "Succeeded" + ] + }, "expression": { "and": [ { - "not": { - "equals": [ - "@length(item()?['properties']?['labels'])", - 0 - ] - } + "equals": [ + "@contains(toLower(join(items('For_each_Indicator')?['properties']?['labels'], '|')), 'tlp:')", + "@false" + ] } ] }, - "runAfter": {}, "type": "If" + }, + "Set_array_Lables": { + "runAfter": {}, + "type": "SetVariable", + "inputs": { + "name": "Lables", + "value": "@items('For_each_Indicator')?['properties']?['labels']" + } + }, + "Set_variable_Indicator_with_'labels'_property": { + "runAfter": { + 
"Compose_'labels'_property": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "Indicator", + "value": "@outputs('Compose_''labels''_property')" + } } }, + "runAfter": { + "Condition_to_check_if_'createdByRef'_property_exist": [ + "Succeeded" + ] + }, "expression": { "and": [ { @@ -699,33 +856,33 @@ } ] }, - "runAfter": { - "Condition_to_check_if_'createdByRef'_property_exist": [ - "Succeeded" - ] - }, "type": "If" }, "Condition_to_check_if_'language'_property_exist": { "actions": { "Compose_'lang'_property": { - "inputs": "@addProperty(variables('Indicator'), 'lang', item()?['properties']?['language'])", "runAfter": {}, - "type": "Compose" + "type": "Compose", + "inputs": "@addProperty(variables('Indicator'), 'lang', item()?['properties']?['language'])" }, "Set_variable_Indicator_with_'lang'_property": { - "inputs": { - "name": "Indicator", - "value": "@outputs('Compose_''lang''_property')" - }, "runAfter": { "Compose_'lang'_property": [ "Succeeded" ] }, - "type": "SetVariable" + "type": "SetVariable", + "inputs": { + "name": "Indicator", + "value": "@outputs('Compose_''lang''_property')" + } } }, + "runAfter": { + "Condition_to_check_if_'description'_property_exist": [ + "Succeeded" + ] + }, "expression": { "and": [ { @@ -738,11 +895,6 @@ } ] }, - "runAfter": { - "Condition_to_check_if_'description'_property_exist": [ - "Succeeded" - ] - }, "type": "If" }, "Condition_to_check_if_'objectMarkingRefs'_property_exist": { 
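Review bot: `Condition_to_check_if_Description_is_not_null` compares `variables('Description')` with `@null`, but that variable is a string initialized as `"value": "@{null}"` in `Initialize_variable_Description` (further down in this patch), which as string interpolation most likely yields an empty string rather than a null, and it is only written by `Set_variable_Description` and never cleared inside `For_each_Indicator`; once one indicator has had a description the check stays true for every later one, and the true branch then concatenates a null `item()?['properties']?['description']`. Checking the item directly avoids both problems: put `"@items('For_each_Indicator')?['properties']?['description']"` in place of `"@variables('Description')"`, after which the `Description` variable can go. `Set_variable_IncidentTag` runs inside `For_each_Lable_in_Lables`, which has no `runtimeConfiguration.concurrency` block, so with more than one `incident id:` label the value kept is whichever iteration writes last. Naming: `Lables`, `Lable` and `Add_Incidet_ID_to_Description` are misspelled, and since action names are referenced from `runAfter` and `items(...)`, they are cheapest to fix before more actions depend on them.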
@@ -750,23 +902,24 @@ "Condition_to_check_if_objectMarkingRefs_is_empty_array": { "actions": { "Compose_'object_marking_refs'_property": { - "inputs": "@addProperty(variables('Indicator'), 'object_marking_refs', item()?['properties']?['objectMarkingRefs'])", "runAfter": {}, - "type": "Compose" + "type": "Compose", + "inputs": "@addProperty(variables('Indicator'), 'object_marking_refs', item()?['properties']?['objectMarkingRefs'])" }, "Set_variable_Indicator_with_'object_marking_refs'_property": { - "inputs": { - "name": "Indicator", - "value": "@outputs('Compose_''object_marking_refs''_property')" - }, "runAfter": { "Compose_'object_marking_refs'_property": [ "Succeeded" ] }, - "type": "SetVariable" + "type": "SetVariable", + "inputs": { + "name": "Indicator", + "value": "@outputs('Compose_''object_marking_refs''_property')" + } } }, + "runAfter": {}, "expression": { "and": [ { @@ -779,10 +932,14 @@ } ] }, - "runAfter": {}, "type": "If" } }, + "runAfter": { + "Condition_to_check_if_'externalReferences'_property_exist": [ + "Succeeded" + ] + }, "expression": { "and": [ { 
@@ -795,33 +952,33 @@ } ] }, - "runAfter": { - "Condition_to_check_if_'externalReferences'_property_exist": [ - "Succeeded" - ] - }, "type": "If" }, "Condition_to_check_if_'patternVersion'_property_exist": { "actions": { "Compose_'pattern_version'_property": { - "inputs": "@addProperty(variables('Indicator'), 'pattern_version', item()?['properties']?['patternVersion'])", "runAfter": {}, - "type": "Compose" + "type": "Compose", + "inputs": "@addProperty(variables('Indicator'), 'pattern_version', item()?['properties']?['patternVersion'])" }, "Set_variable_Indicator_with_'pattern_version'_property": { - "inputs": { - "name": "Indicator", - "value": "@outputs('Compose_''pattern_version''_property')" - }, "runAfter": { "Compose_'pattern_version'_property": [ "Succeeded" ] }, - "type": "SetVariable" + "type": "SetVariable", + "inputs": { + "name": "Indicator", + "value": "@outputs('Compose_''pattern_version''_property')" + } } }, + "runAfter": { + "Condition_to_check_if_'indicatorTypes'_property_exist": [ + "Succeeded" + ] + }, "expression": { "and": [ { 
@@ -834,33 +991,33 @@ } ] }, - "runAfter": { - "Condition_to_check_if_'indicatorTypes'_property_exist": [ - "Succeeded" - ] - }, "type": "If" }, "Condition_to_check_if_'revoked'_property_exist": { "actions": { "Compose_'revoked'_property": { - "inputs": "@addProperty(variables('Indicator'), 'revoked', item()?['properties']?['revoked'])", "runAfter": {}, - "type": "Compose" + "type": "Compose", + "inputs": "@addProperty(variables('Indicator'), 'revoked', item()?['properties']?['revoked'])" }, "Set_variable_Indicator_with_'revoked'_property": { - "inputs": { - "name": "Indicator", - "value": "@outputs('Compose_''revoked''_property')" - }, "runAfter": { "Compose_'revoked'_property": [ "Succeeded" ] }, - "type": "SetVariable" + "type": "SetVariable", + "inputs": { + "name": "Indicator", + "value": "@outputs('Compose_''revoked''_property')" + } } }, + "runAfter": { + "Condition_to_check_if_'labels'_property_exist": [ + "Succeeded" + ] + }, "expression": { "and": [ { 
@@ -873,33 +1030,33 @@ } ] }, - "runAfter": { - "Condition_to_check_if_'labels'_property_exist": [ - "Succeeded" - ] - }, "type": "If" }, "Condition_to_check_if_'validUntil'_property_exist": { "actions": { "Compose_'valid_until'_property": { - "inputs": "@addProperty(variables('Indicator'), 'valid_until', formatDateTime(string(item()?['properties']?['validUntil']), 'yyyy-MM-ddTHH:mm:ss.ffffffK'))", "runAfter": {}, - "type": "Compose" + "type": "Compose", + "inputs": "@addProperty(variables('Indicator'), 'valid_until', formatDateTime(string(item()?['properties']?['validUntil']), 'yyyy-MM-ddTHH:mm:ss.ffffffK'))" }, "Set_variable_Indicator_with_'valid_until'_property": { - "inputs": { - "name": "Indicator", - "value": "@outputs('Compose_''valid_until''_property')" - }, "runAfter": { "Compose_'valid_until'_property": [ "Succeeded" ] }, - "type": "SetVariable" + "type": "SetVariable", + "inputs": { + "name": "Indicator", + "value": "@outputs('Compose_''valid_until''_property')" + } } }, + "runAfter": { + "Condition_to_check_if_'patternVersion'_property_exist": [ + "Succeeded" + ] + }, "expression": { "and": [ { 
@@ -912,50 +1069,44 @@ } ] }, - "runAfter": { - "Condition_to_check_if_'patternVersion'_property_exist": [ - "Succeeded" - ] - }, "type": "If" }, "Reset_variable_Indicator": { - "inputs": { - "name": "Indicator", - "value": {} - }, "runAfter": { "Append_to_array_Indicators": [ "Succeeded" ] }, - "type": "SetVariable" - }, - "Set_variable_Indicator_with_mandatory_properties": { + "type": "SetVariable", "inputs": { "name": "Indicator", - "value": "@outputs('Compose_mandatory_properties')" - }, + "value": {} + } + }, + "Set_variable_Indicator_with_mandatory_properties": { "runAfter": { "Compose_mandatory_properties": [ "Succeeded" ] }, - "type": "SetVariable" + "type": "SetVariable", + "inputs": { + "name": "Indicator", + "value": "@outputs('Compose_mandatory_properties')" + } } }, - "foreach": "@body('Filter_array_of_indicators_where_tags_do_not_contain_Export_Complete')", "runAfter": { "Filter_array_of_indicators_where_tags_do_not_contain_Export_Complete": [ "Succeeded" ] }, + "type": "Foreach", "runtimeConfiguration": { "concurrency": { "repetitions": 1 } - }, - "type": "Foreach" + } }, "For_each_filtered_indicator": { "actions": { @@ -1011,7 +1162,7 @@ }, "HTTP_queryIndicators_request": { "runAfter": { - "Initialize_variable_Indicator": [ + "Initialize_variable_IncidentTag": [ "Succeeded" ] }, @@ -1038,6 +1189,8 @@ } }, "Initialize_array_Indicators": { + "runAfter": {}, + "type": "InitializeVariable", "inputs": { "variables": [ { 
@@ -1045,26 +1198,73 @@ "type": "array" } ] + } + }, + "Initialize_array_Lables": { + "runAfter": { + "Initialize_variable_Description": [ + "Succeeded" + ] }, - "runAfter": {}, - "type": "InitializeVariable" + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "Lables", + "type": "array" + } + ] + } }, - "Initialize_variable_Indicator": { + "Initialize_variable_Description": { + "runAfter": { + "Initialize_variable_Indicator": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", "inputs": { "variables": [ { - "name": "Indicator", - "type": "object", - "value": {} + "name": "Description", + "type": "string", + "value": "@{null}" } ] + } + }, + "Initialize_variable_IncidentTag": { + "runAfter": { + "Initialize_array_Lables": [ + "Succeeded" + ] }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "IncidentTag", + "type": "string" + } + ] + } + }, + "Initialize_variable_Indicator": { "runAfter": { "Initialize_array_Indicators": [ "Succeeded" ] }, - "type": "InitializeVariable" + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "Indicator", + "type": "object", + "value": {} + } + ] + } }, "Initialize_variable_for_STIX_bundle_JSON": { "inputs": { From 55a38c6451721b61e710340e2bb40c4aa2b66536 Mon Sep 17 00:00:00 2001 From: rahul0216 Date: Thu, 12 Oct 2023 19:31:28 +0530 Subject: [PATCH 5/7] Update azuredeploy.json --- .../azuredeploy.json | 574 +++++++++++++++--- 1 file changed, 490 insertions(+), 84 deletions(-) diff --git a/Solutions/Australian Cyber Security Centre/Playbooks/AusCtisExportTaggedIndicators/azuredeploy.json b/Solutions/Australian Cyber Security Centre/Playbooks/AusCtisExportTaggedIndicators/azuredeploy.json index 0c1c2df33dc..22ee087fd89 100644 --- a/Solutions/Australian Cyber Security Centre/Playbooks/AusCtisExportTaggedIndicators/azuredeploy.json +++ b/Solutions/Australian Cyber Security Centre/Playbooks/AusCtisExportTaggedIndicators/azuredeploy.json 
@@ -36,12 +36,6 @@
 "description": "Enter TAXII API Root URL"
 }
 },
- "CollectionID": {
- "type": "string",
- "metadata": {
- "description": "Enter value for Collection ID"
- }
- },
 "TAXIIServerUsername": {
 "type": "string",
 "metadata": {
@@ -54,6 +48,12 @@
 "description": "Enter TAXII server password"
 }
 },
+ "CollectionID": {
+ "type": "string",
+ "metadata": {
+ "description": "Enter value for Collection ID"
+ }
+ },
 "SentinelWorkspace": {
 "type": "string",
 "metadata": {
@@ -73,6 +73,20 @@
 "metadata": {
 "description": "Enter value for Tag for indicator export completion"
 }
+ },
+ "Default TLP Label": {
+ "type": "string",
+ "defaultValue": "TLP:CLEAR",
+ "allowedValues": [
+ "TLP:RED",
+ "TLP:AMBER+STRICT",
+ "TLP:AMBER",
+ "TLP:GREEN",
+ "TLP:CLEAR"
+ ],
+ "metadata": {
+ "description": "Enter value for Default TLP Label"
+ }
 }
 },
 "variables": {
@@ -93,6 +107,10 @@
 "defaultValue": "[parameters('CollectionID')]",
 "type": "string"
 },
+ "Default TLP Label": {
+ "defaultValue": "[parameters('Default TLP Label')]",
+ "type": "string"
+ },
 "ResourceGroup": {
 "defaultValue": "[variables('ResourceGroup')]",
 "type": "string"
@@ -101,14 +119,14 @@
 "defaultValue": "[variables('SubscriptionID')]",
 "type": "string"
 },
+ "TAXIIServerPassword": {
+ "defaultValue": "[parameters('TAXIIServerPassword')]",
+ "type": "string"
+ },
 "TAXIIServerRootURL": {
 "defaultValue": "[parameters('TAXIIServerRootURL')]",
 "type": "string"
 },
- "TAXIIServerPassword": {
- "defaultValue": "[parameters('TAXIIServerPassword')]",
- "type": "securestring"
- },
 "TAXIIServerUsername": {
 "defaultValue": "[parameters('TAXIIServerUsername')]",
 "type": "string"
@@ -133,7 +151,7 @@
 "interval": 1
 },
 "evaluatedRecurrence": {
- "frequency": "Hour",
+ "frequency": "Day",
 "interval": 1
 },
 "type": "Recurrence"
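Review bot: The workflow parameter `TAXIIServerPassword` is changed from `securestring` to `string` in the `-101,14 +119,14` hunk, which removes the redaction Logic Apps applies to secure parameters: the password becomes readable in the deployed workflow definition and in the inputs/outputs of every run to anyone with read access on the Logic App. Keep `"type": "securestring"` here, keep the ARM template parameter it is fed from secure as well (its type is outside this hunk), and consider `runtimeConfiguration.secureData` on the HTTP action that sends it so the request is not logged in run history. If the type was changed to get around a designer or deployment error, that error is the thing to fix rather than the parameter type.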
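Review bot: Only `evaluatedRecurrence.frequency` is changed to `Day` in the `-133,7 +151,7` hunk; as far as I know `evaluatedRecurrence` is the engine's read-back of the trigger's `recurrence` block, and the `recurrence` block that ends with the `"interval": 1` context line above is not touched. If a daily trigger is the intent, `"frequency": "Day"` belongs in `recurrence` as well; otherwise the trigger keeps firing hourly and the two blocks disagree.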
@@ -167,6 +185,18 @@ "For_each_Indicator": { "foreach": "@body('Filter_array_of_indicators_where_tags_do_not_contain_Export_Complete')", "actions": { + "Append_MarkingRefObj_to_array_Indicators": { + "runAfter": { + "Reset_variable_Indicator": [ + "Succeeded" + ] + }, + "type": "AppendToArrayVariable", + "inputs": { + "name": "Indicators", + "value": "@variables('MarkingRefObj')" + } + }, "Append_to_array_Indicators": { "runAfter": { "Condition_to_check_if_'killChainPhases'_property_exist": [ @@ -180,7 +210,8 @@ } }, "Compose_mandatory_properties": { - "runAfter": {}, + "runAfter": { + }, "type": "Compose", "inputs": { "created": "@formatDateTime(string(items('For_each_Indicator')?['properties']?['created']), 'yyyy-MM-ddTHH:mm:ss.ffffffK')", @@ -196,7 +227,8 @@ "Condition_to_check_if_'confidence'_property_exist": { "actions": { "Compose_'confidence'_property": { - "runAfter": {}, + "runAfter": { + }, "type": "Compose", "inputs": "@addProperty(variables('Indicator'), 'confidence', item()?['properties']?['confidence'])" }, @@ -237,7 +269,8 @@ "Condition_to_chek_if_'createdByRef'_in_STIIX_format": { "actions": { "Compose_'created_by_ref'_property": { - "runAfter": {}, + "runAfter": { + }, "type": "Compose", "inputs": "@addProperty(variables('Indicator'), 'created_by_ref', item()?['properties']?['createdByRef'])" }, @@ -254,7 +287,8 @@ } } }, - "runAfter": {}, + "runAfter": { + }, "expression": { "and": [ { @@ -290,7 +324,8 @@ "Condition_to_check_if_'description'_property_exist": { "actions": { "Compose_'description'_property": { - "runAfter": {}, + "runAfter": { + }, "type": "Compose", "inputs": "@addProperty(variables('Indicator'), 'description', item()?['properties']?['description'])" }, @@ -341,7 +376,8 @@ "Condition_to_check_if_'displayName'_property_exist": { "actions": { "Compose_'name'_property": { - "runAfter": {}, + "runAfter": { + }, "type": "Compose", "inputs": "@addProperty(variables('Indicator'), 'name', item()?['properties']?['displayName'])" }, 
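Review bot: `Append_MarkingRefObj_to_array_Indicators` runs on every iteration of `For_each_Indicator`, so if `MarkingRefObj` holds one run-level `marking-definition` object (its initialization is not in this hunk) the bundle ends up with one copy of it per exported indicator. Either append it once after the loop, or build it per distinct TLP label and append only the first time that label is seen. It is also appended after `Reset_variable_Indicator`, so it has to be set earlier in the same iteration or it carries the previous indicator's value. `For_each_Indicator` ends outside this hunk.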
@@ -382,7 +418,8 @@ "Condition_to_check_if_extension_definition_exist": { "actions": { "Compose_'extensions'_property": { - "runAfter": {}, + "runAfter": { + }, "type": "Compose", "inputs": "@addProperty(variables('Indicator'), 'extensions', item()?['properties']?['extensions'])" }, @@ -399,7 +436,8 @@ } } }, - "runAfter": {}, + "runAfter": { + }, "expression": { "and": [ { @@ -439,7 +477,8 @@ "Condition_to_check_if__externalReferences_is_empty_array": { "actions": { "Compose_'external_references'_property": { - "runAfter": {}, + "runAfter": { + }, "type": "Compose", "inputs": "@addProperty(variables('Indicator'), 'external_references', item()?['properties']?['externalReferences'])" }, @@ -456,7 +495,8 @@ } } }, - "runAfter": {}, + "runAfter": { + }, "expression": { "and": [ { @@ -496,7 +536,8 @@ "Condition_to_check_if_granularMarkings_is_empty_array": { "actions": { "Compose_'granular_markings'_property": { - "runAfter": {}, + "runAfter": { + }, "type": "Compose", "inputs": "@addProperty(variables('Indicator'), 'granular_markings', item()?['properties']?['granularMarkings'])" }, @@ -513,7 +554,8 @@ } } }, - "runAfter": {}, + "runAfter": { + }, "expression": { "and": [ { @@ -553,7 +595,8 @@ "Condition_to_check_if_indicatorTypes_is_empty_array": { "actions": { "Compose_'indicator_types'_property": { - "runAfter": {}, + "runAfter": { + }, "type": "Compose", "inputs": "@addProperty(variables('Indicator'), 'indicator_types', item()?['properties']?['indicatorTypes'])" }, @@ -570,7 +613,8 @@ } } }, - "runAfter": {}, + "runAfter": { + }, "expression": { "and": [ { 
@@ -610,9 +654,22 @@ "Condition_to_check_if_killChainPhases_is_empty_array": { "actions": { "Compose_'kill_chain_phases'_property": { - "runAfter": {}, + "runAfter": { + "Compose_sub_properties_of_'kill_chain_phases'_property": [ + "Succeeded" + ] + }, + "type": "Compose", + "inputs": "@addProperty(variables('Indicator'), 'kill_chain_phases', array(outputs('Compose_sub_properties_of_''kill_chain_phases''_property')))" + }, + "Compose_sub_properties_of_'kill_chain_phases'_property": { + "runAfter": { + }, "type": "Compose", - "inputs": "@addProperty(variables('Indicator'), 'kill_chain_phases', item()?['properties']?['killChainPhases'])" + "inputs": { + "kill_chain_name": "@item()?['properties']?['killChainPhases'][0]?['killChainName']", + "phase_name": "@item()?['properties']?['killChainPhases'][0]?['phaseName']" + } }, "Set_variable_Indicator_with_'kill_chain_phases'_property": { "runAfter": { @@ -627,7 +684,8 @@ } } }, - "runAfter": {}, + "runAfter": { + }, "expression": { "and": [ { @@ -671,7 +729,8 @@ "Condition_to_check_if_Description_is_not_null": { "actions": { "Concat_IncidentTag_with_Description_": { - "runAfter": {}, + "runAfter": { + }, "type": "Compose", "inputs": "@setProperty(variables('Indicator'), 'description', concat('[',variables('IncidentTag'), '] ', item()?['properties']?['description']))" }, @@ -696,7 +755,8 @@ "else": { "actions": { "Compose_description_as_IncidentTag": { - "runAfter": {}, + "runAfter": { + }, "type": "Compose", "inputs": "@setProperty(variables('Indicator'), 'description', concat('[', variables('IncidentTag'), ']'))" }, @@ -734,7 +794,8 @@ "Condition_to_check_if_it_is_incident_tag": { "actions": { "Set_variable_IncidentTag": { - "runAfter": {}, + "runAfter": { + }, "type": "SetVariable", "inputs": { "name": "IncidentTag", @@ -742,7 +803,8 @@ } } }, - "runAfter": {}, + "runAfter": { + }, "expression": { "and": [ { 
@@ -756,11 +818,13 @@ "type": "If" } }, - "runAfter": {}, + "runAfter": { + }, "type": "Foreach" } }, - "runAfter": {}, + "runAfter": { + }, "expression": { "and": [ { @@ -775,7 +839,7 @@ } }, "runAfter": { - "Condition_to_check_if_TLP_tag_not_present": [ + "TLP_tag_processing": [ "Succeeded" ] }, @@ -790,41 +854,33 @@ "type": "Compose", "inputs": "@addProperty(variables('Indicator'), 'labels', variables('Lables'))" }, - "Condition_to_check_if_TLP_tag_not_present": { + "Filter_Export_tag": { "actions": { - "Append_to_array_Lables": { - "runAfter": {}, - "type": "AppendToArrayVariable", + "Filter_Labels_array": { + "runAfter": { + }, + "type": "Query", + "inputs": { + "from": "@items('For_each_Indicator')?['properties']?['labels']", + "where": "@not(equals(parameters('Tag for indicators to be exported'), item()))" + } + }, + "Set_array_Lables": { + "runAfter": { + "Filter_Labels_array": [ + "Succeeded" + ] + }, + "type": "SetVariable", "inputs": { "name": "Lables", - "value": "@string('TLP:WHITE')" + "value": "@body('Filter_Labels_array')" } } }, "runAfter": { - "Set_array_Lables": [ - "Succeeded" - ] }, - "expression": { - "and": [ - { - "equals": [ - "@contains(toLower(join(items('For_each_Indicator')?['properties']?['labels'], '|')), 'tlp:')", - "@false" - ] - } - ] - }, - "type": "If" - }, - "Set_array_Lables": { - "runAfter": {}, - "type": "SetVariable", - "inputs": { - "name": "Lables", - "value": "@items('For_each_Indicator')?['properties']?['labels']" - } + "type": "Scope" }, "Set_variable_Indicator_with_'labels'_property": { "runAfter": { 
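Review bot: `Filter_Labels_array` removes the export tag with a case-sensitive `equals`, so if the keyword search that selects the indicators (outside this hunk) is case-insensitive, an indicator tagged `export` while the parameter is `Export` keeps the export tag in `labels` and ships it to the TAXII server as a STIX label. Compare both sides normalised: `"where": "@not(equals(toLower(parameters('Tag for indicators to be exported')), toLower(string(item()))))"`. The removed branch also stopped defaulting to `TLP:WHITE`, so any indicator still carrying that TLP 1.0 tag now depends entirely on the new TLP processing recognising it. The enclosing `For_each_Indicator` loop starts and ends outside this hunk.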
@@ -837,6 +893,109 @@ "name": "Indicator", "value": "@outputs('Compose_''labels''_property')" } + }, + "TLP_tag_processing": { + "actions": { + "Condition_to_check_if_TLP_tag_is_present_and_valid": { + "actions": { + "Condition_to_check_if_valid_TLP_lable_exist": { + "actions": { + "Set_variable_TLPLabel": { + "runAfter": { + }, + "type": "SetVariable", + "inputs": { + "name": "TLPLabel", + "value": "@{toUpper(first(body('Filter_TLP_tag_against_TLPLables')))}" + } + } + }, + "runAfter": { + "Filter_TLP_tag_against_TLPLables": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Set_variable_TLPLabel_if_not_valid_TLP_label_exist": { + "runAfter": { + }, + "type": "SetVariable", + "inputs": { + "name": "TLPLabel", + "value": "@{toUpper(parameters('Default TLP Label'))}" + } + } + } + }, + "expression": { + "and": [ + { + "greater": [ + "@length(body('Filter_TLP_tag_against_TLPLables'))", + 0 + ] + } + ] + }, + "type": "If" + }, + "Filter_TLP_tag": { + "runAfter": { + }, + "type": "Query", + "inputs": { + "from": "@variables('Lables')", + "where": "@startsWith(string(toLower(item())), string('tlp:'))" + } + }, + "Filter_TLP_tag_against_TLPLables": { + "runAfter": { + "Filter_TLP_tag": [ + "Succeeded" + ] + }, + "type": "Query", + "inputs": { + "from": "@variables('TLPLables')", + "where": "@equals(toUpper(first(body('Filter_TLP_tag'))), item())" + } + } + }, + "runAfter": { + }, + "else": { + "actions": { + "Set_variable_TLPLabel_if_not_provided": { + "runAfter": { + }, + "type": "SetVariable", + "inputs": { + "name": "TLPLabel", + "value": "@{toUpper(parameters('Default TLP Label'))}" + } + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@contains(toLower(join(items('For_each_Indicator')?['properties']?['labels'], '|')), 'tlp:')", + "@true" + ] + } + ] + }, + "type": "If" + } + }, + "runAfter": { + "Filter_Export_tag": [ + "Succeeded" + ] + }, + "type": "Scope" } }, "runAfter": { 
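Review bot: `Filter_TLP_tag_against_TLPLables` evaluates `first(body('Filter_TLP_tag'))` unguarded, but the enclosing condition only checks that the joined labels *contain* `tlp:` while `Filter_TLP_tag` requires a label to *start with* it, so a label such as `vendor-tlp:red` enters the branch with an empty filter result and `toUpper(first(...))` fails the run. Make the two tests agree: run `Filter_TLP_tag` first and gate the lookup on `"@greater(length(body('Filter_TLP_tag')), 0)"` instead of `contains` on the joined string. Separately, `Set_variable_TLPLabel_if_not_valid_TLP_label_exist` silently replaces an unrecognised TLP label (a typo or a TLP 1.0 variant of a restrictive label) with the deployer's default, which can relabel restricted data at the default level; for a sharing control, failing closed — skipping the indicator or terminating with an error that names the offending label — is the safer behaviour. `For_each_Indicator` starts and ends outside this hunk.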
@@ -861,7 +1020,8 @@ "Condition_to_check_if_'language'_property_exist": { "actions": { "Compose_'lang'_property": { - "runAfter": {}, + "runAfter": { + }, "type": "Compose", "inputs": "@addProperty(variables('Indicator'), 'lang', item()?['properties']?['language'])" }, @@ -902,9 +1062,10 @@ "Condition_to_check_if_objectMarkingRefs_is_empty_array": { "actions": { "Compose_'object_marking_refs'_property": { - "runAfter": {}, + "runAfter": { + }, "type": "Compose", - "inputs": "@addProperty(variables('Indicator'), 'object_marking_refs', item()?['properties']?['objectMarkingRefs'])" + "inputs": "@addProperty(variables('Indicator'), 'object_marking_refs', union(item()?['properties']?['objectMarkingRefs'], variables('MarkingRefsObjIds')))" }, "Set_variable_Indicator_with_'object_marking_refs'_property": { "runAfter": { @@ -919,7 +1080,30 @@ } } }, - "runAfter": {}, + "runAfter": { + }, + "else": { + "actions": { + "Compose_'object_marking_refs'_property_when_empty": { + "runAfter": { + }, + "type": "Compose", + "inputs": "@addProperty(variables('Indicator'), 'object_marking_refs', variables('MarkingRefsObjIds'))" + }, + "Set_variable_Indicator_with_'object_marking_refs'_property_when_empty": { + "runAfter": { + "Compose_'object_marking_refs'_property_when_empty": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "Indicator", + "value": "@outputs('Compose_''object_marking_refs''_property_when_empty')" + } + } + } + }, "expression": { "and": [ { 
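Review bot: `Compose_'object_marking_refs'_property` unions the indicator's existing `objectMarkingRefs` with the generated TLP marking id, so an indicator that already carries a TLP marking from Sentinel is exported with two TLP markings; as far as I recall STIX 2.1 permits at most one TLP marking per object, and a consumer may reject the object or pick the less restrictive one. Either let the tag-derived marking win (`'object_marking_refs', variables('MarkingRefsObjIds')`), or run the existing list through a `Query` action that drops any ref that is a TLP marking definition before the `union`. The enclosing condition's `expression` is outside this hunk.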
@@ -940,6 +1124,28 @@ "Succeeded" ] }, + "else": { + "actions": { + "Compose_'object_marking_refs'_propert_when_null": { + "runAfter": { + }, + "type": "Compose", + "inputs": "@addProperty(variables('Indicator'), 'object_marking_refs', variables('MarkingRefsObjIds'))" + }, + "Set_variable_Indicator_with_'object_marking_refs'_property_when_null": { + "runAfter": { + "Compose_'object_marking_refs'_propert_when_null": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "Indicator", + "value": "@outputs('Compose_''object_marking_refs''_propert_when_null')" + } + } + } + }, "expression": { "and": [ { @@ -957,7 +1163,8 @@ "Condition_to_check_if_'patternVersion'_property_exist": { "actions": { "Compose_'pattern_version'_property": { - "runAfter": {}, + "runAfter": { + }, "type": "Compose", "inputs": "@addProperty(variables('Indicator'), 'pattern_version', item()?['properties']?['patternVersion'])" }, @@ -996,7 +1203,8 @@ "Condition_to_check_if_'revoked'_property_exist": { "actions": { "Compose_'revoked'_property": { - "runAfter": {}, + "runAfter": { + }, "type": "Compose", "inputs": "@addProperty(variables('Indicator'), 'revoked', item()?['properties']?['revoked'])" }, @@ -1014,7 +1222,7 @@ } }, "runAfter": { - "Condition_to_check_if_'labels'_property_exist": [ + "TLP_Marking_Ref_definition": [ "Succeeded" ] }, @@ -1035,7 +1243,8 @@ "Condition_to_check_if_'validUntil'_property_exist": { "actions": { "Compose_'valid_until'_property": { - "runAfter": {}, + "runAfter": { + }, "type": "Compose", "inputs": "@addProperty(variables('Indicator'), 'valid_until', formatDateTime(string(item()?['properties']?['validUntil']), 'yyyy-MM-ddTHH:mm:ss.ffffffK'))" }, 
@@ -1071,6 +1280,19 @@ }, "type": "If" }, + "Reset_array_MarkingRefsObjIds": { + "runAfter": { + "Reset_variable_MarkingRefObject": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "MarkingRefsObjIds", + "value": [ + ] + } + }, "Reset_variable_Indicator": { "runAfter": { "Append_to_array_Indicators": [ @@ -1080,7 +1302,21 @@ "type": "SetVariable", "inputs": { "name": "Indicator", - "value": {} + "value": { + } + } + }, + "Reset_variable_MarkingRefObject": { + "runAfter": { + "Append_MarkingRefObj_to_array_Indicators": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "MarkingRefObj", + "value": { + } } }, "Set_variable_Indicator_with_mandatory_properties": { 
@@ -1094,6 +1330,82 @@ "name": "Indicator", "value": "@outputs('Compose_mandatory_properties')" } + }, + "TLP_Marking_Ref_definition": { + "actions": { + "Append_MarkingRefObjID_to_array_MarkingRefsObjectIds": { + "runAfter": { + "Set_variable_MarkingRefObj_with_default_TLP_Marking_definition": [ + "Succeeded" + ] + }, + "type": "AppendToArrayVariable", + "inputs": { + "name": "MarkingRefsObjIds", + "value": "@variables('MarkingRefObjId')" + } + }, + "Compose_Default_TLP_Marking_definition": { + "runAfter": { + "Set_variable_MarkingRefObjId": [ + "Succeeded" + ] + }, + "type": "Compose", + "inputs": { + "created": "@formatDateTime(string(items('For_each_Indicator')?['properties']?['created']), 'yyyy-MM-ddTHH:mm:ss.ffffffK')", + "extensions": { + "extension-definition--@{guid()}": { + "extension_type": "property-extension", + "tlp_2_0": "@{toLower(string(split(variables('TLPLabel'), ':')[1]))}" + } + }, + "id": "@variables('MarkingRefObjId')", + "name": "@variables('TLPLabel')", + "spec_version": "2.1", + "type": "marking-definition" + } + }, + "Reset_variable_MarkingRefObjId": { + "runAfter": { + "Append_MarkingRefObjID_to_array_MarkingRefsObjectIds": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "MarkingRefObjId", + "value": "@{null}" + } + }, + "Set_variable_MarkingRefObjId": { + "runAfter": { + }, + "type": "SetVariable", + "inputs": { + "name": "MarkingRefObjId", + "value": "marking-definition--@{guid()}" + } + }, + "Set_variable_MarkingRefObj_with_default_TLP_Marking_definition": { + "runAfter": { + "Compose_Default_TLP_Marking_definition": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "MarkingRefObj", + "value": "@outputs('Compose_Default_TLP_Marking_definition')" + } + } + }, + "runAfter": { + "Condition_to_check_if_'labels'_property_exist": [ + "Succeeded" + ] + }, + "type": "Scope" } }, "runAfter": { 
@@ -1109,8 +1421,12 @@ } }, "For_each_filtered_indicator": { + "foreach": "@body('Filter_array_of_indicators_where_tags_do_not_contain_Export_Complete')", "actions": { "HTTP_appendTags_request": { + "runAfter": { + }, + "type": "Http", "inputs": { "authentication": { "type": "ManagedServiceIdentity" @@ -1122,12 +1438,9 @@ }, "method": "POST", "uri": "https://management.azure.com/subscriptions/@{parameters('SubscriptionID')}/resourceGroups/@{parameters('ResourceGroup')}/providers/Microsoft.OperationalInsights/workspaces/@{parameters('Workspace')}/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/@{items('For_each_filtered_indicator')?['name']}/appendTags?api-version=2021-10-01" - }, - "runAfter": {}, - "type": "Http" + } } }, - "foreach": "@body('Filter_array_of_indicators_where_tags_do_not_contain_Export_Complete')", "runAfter": { "HTTP_POST_stix_bundle_to_TAXII_server": [ "Succeeded" @@ -1189,7 +1502,8 @@ } }, "Initialize_array_Indicators": { - "runAfter": {}, + "runAfter": { + }, "type": "InitializeVariable", "inputs": { "variables": [ @@ -1216,6 +1530,47 @@ ] } }, + "Initialize_array_MarkingRefsObjIds": { + "runAfter": { + "Initialize_variable_MarkingRefObjId": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "MarkingRefsObjIds", + "type": "array", + "value": [ + ] + } + ] + } + }, + "Initialize_array_TLPLables": { + "runAfter": { + "Initialize_array_Lables": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "TLPLables", + "type": "array", + "value": [ + "TLP:RED", + "TLP:AMBER+STRICT", + "TLP:AMBER", + "TLP:GREEN", + "TLP:CLEAR" + ] + } + ] + } + }, "Initialize_variable_Description": { "runAfter": { "Initialize_variable_Indicator": [ @@ -1235,7 +1590,7 @@ }, "Initialize_variable_IncidentTag": { "runAfter": { - "Initialize_array_Lables": [ + "Initialize_array_MarkingRefsObjIds": [ "Succeeded" ] }, 
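Review bot: `Initialize_array_TLPLables` accepts only the TLP 2.0 names, so the TLP 1.0 `TLP:WHITE` — which this playbook itself used to emit as its default — is no longer recognised and is silently swapped for `Default TLP Label` downstream, instead of being mapped to its TLP 2.0 equivalent. Normalise it before validation, e.g. `replace(toUpper(first(body('Filter_TLP_tag'))), 'TLP:WHITE', 'TLP:CLEAR')`, or add `"TLP:WHITE"` to the array and map it when the marking definition is chosen. The comparison also relies on `toUpper` alone, so `TLP:AMBER STRICT` or `TLP:AMBER-STRICT` fall through to the default; the parameter description should state the exact accepted spellings.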
@@ -1261,27 +1616,78 @@ { "name": "Indicator", "type": "object", - "value": {} + "value": { + } } ] } }, - "Initialize_variable_for_STIX_bundle_JSON": { + "Initialize_variable_MarkingRefObj": { + "runAfter": { + "Initialize_variable_TLPLabel": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", "inputs": { "variables": [ { - "name": "StixBundle", - "type": "string", - "value": "{\n \"type\": \"bundle\",\n \"id\": \"bundle--1736e032-a96a-41e9-8302-126677d4d781\",\n \"objects\": @{string(variables('Indicators'))}\n}" + "name": "MarkingRefObj", + "type": "object", + "value": { + } } ] + } + }, + "Initialize_variable_MarkingRefObjId": { + "runAfter": { + "Initialize_variable_MarkingRefObj": [ + "Succeeded" + ] }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "MarkingRefObjId", + "type": "string" + } + ] + } + }, + "Initialize_variable_TLPLabel": { + "runAfter": { + "Initialize_array_TLPLables": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "TLPLabel", + "type": "string" + } + ] + } + }, + "Initialize_variable_for_STIX_bundle_JSON": { "runAfter": { "For_each_Indicator": [ "Succeeded" ] }, - "type": "InitializeVariable" + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "StixBundle", + "type": "string", + "value": "{\n \"type\": \"bundle\",\n \"id\": \"bundle--1736e032-a96a-41e9-8302-126677d4d781\",\n \"objects\": @{string(variables('Indicators'))}\n}" + } + ] + } }, "Parse_JSON_queryIndicators_response": { "runAfter": { @@ -1462,7 +1868,7 @@ "type": "Microsoft.Logic/workflows", "location": "[resourceGroup().location]", "tags": { - "hidden-SentinelTemplateName": "AusCtisExportTaggedIndicatorsv2", + "hidden-SentinelTemplateName": "AusCtisExportTaggedIndicators", "hidden-SentinelTemplateVersion": "1.0" }, "identity": { From 722f54dbf59ffe023ce0836731f0d17b50e2f047 Mon Sep 17 00:00:00 2001 
From: rahul0216 Date: Mon, 16 Oct 2023 19:25:04 +0530 Subject: [PATCH 6/7] Update azuredeploy.json --- .../azuredeploy.json | 216 ++++++++++-------- 1 file changed, 121 insertions(+), 95 deletions(-) diff --git a/Solutions/Australian Cyber Security Centre/Playbooks/AusCtisExportTaggedIndicators/azuredeploy.json b/Solutions/Australian Cyber Security Centre/Playbooks/AusCtisExportTaggedIndicators/azuredeploy.json index 22ee087fd89..3ca80a881cb 100644 --- a/Solutions/Australian Cyber Security Centre/Playbooks/AusCtisExportTaggedIndicators/azuredeploy.json +++ b/Solutions/Australian Cyber Security Centre/Playbooks/AusCtisExportTaggedIndicators/azuredeploy.json @@ -12,7 +12,7 @@ "This playbook needs contributor role on Log Analytics, to read and update threat indicator tags. 1. Go to Log Analytics Workspace resource --> 2. Select Access control (IAM) tab -->3. Add role assignments --> 4. Select Contributor role --> 5. In the Members tab choose 'Assign access to' Managed Identity --> 6. Click on 'Select members' --> 7. Provide correct Subscription and Managed Identity --> 8. Provide the playbook name in 'Search by name' textbox --> 9. Select the correct identity and click on Select --> 10. Click on 'Review + assign' " ], "prerequisitesDeployTemplateFile": "", - "lastUpdateTime": "2023-08-10T12:00:38Z", + "lastUpdateTime": "2023-10-13T12:13:00Z", "entities": [ ], "tags": [ @@ -22,7 +22,7 @@ "tier": "community" }, "author": { - "name": "Australian Cyber Security Center" + "name": "Australian Cyber Security Center, Microsoft" } }, "parameters": { @@ -210,8 +210,7 @@ } }, "Compose_mandatory_properties": { - "runAfter": { - }, + "runAfter": {}, "type": "Compose", "inputs": { "created": "@formatDateTime(string(items('For_each_Indicator')?['properties']?['created']), 'yyyy-MM-ddTHH:mm:ss.ffffffK')", 
@@ -227,8 +226,7 @@ "Condition_to_check_if_'confidence'_property_exist": { "actions": { "Compose_'confidence'_property": { - "runAfter": { - }, + "runAfter": {}, "type": "Compose", "inputs": "@addProperty(variables('Indicator'), 'confidence', item()?['properties']?['confidence'])" }, @@ -269,8 +267,7 @@ "Condition_to_chek_if_'createdByRef'_in_STIIX_format": { "actions": { "Compose_'created_by_ref'_property": { - "runAfter": { - }, + "runAfter": {}, "type": "Compose", "inputs": "@addProperty(variables('Indicator'), 'created_by_ref', item()?['properties']?['createdByRef'])" }, @@ -287,8 +284,7 @@ } } }, - "runAfter": { - }, + "runAfter": {}, "expression": { "and": [ { @@ -324,8 +320,7 @@ "Condition_to_check_if_'description'_property_exist": { "actions": { "Compose_'description'_property": { - "runAfter": { - }, + "runAfter": {}, "type": "Compose", "inputs": "@addProperty(variables('Indicator'), 'description', item()?['properties']?['description'])" }, @@ -376,8 +371,7 @@ "Condition_to_check_if_'displayName'_property_exist": { "actions": { "Compose_'name'_property": { - "runAfter": { - }, + "runAfter": {}, "type": "Compose", "inputs": "@addProperty(variables('Indicator'), 'name', item()?['properties']?['displayName'])" }, @@ -418,8 +412,7 @@ "Condition_to_check_if_extension_definition_exist": { "actions": { "Compose_'extensions'_property": { - "runAfter": { - }, + "runAfter": {}, "type": "Compose", "inputs": "@addProperty(variables('Indicator'), 'extensions', item()?['properties']?['extensions'])" }, @@ -436,8 +429,7 @@ } } }, - "runAfter": { - }, + "runAfter": {}, "expression": { "and": [ { @@ -477,8 +469,7 @@ "Condition_to_check_if__externalReferences_is_empty_array": { "actions": { "Compose_'external_references'_property": { - "runAfter": { - }, + "runAfter": {}, "type": "Compose", "inputs": "@addProperty(variables('Indicator'), 'external_references', item()?['properties']?['externalReferences'])" }, 
@@ -495,8 +486,7 @@ } } }, - "runAfter": { - }, + "runAfter": {}, "expression": { "and": [ { @@ -536,8 +526,7 @@ "Condition_to_check_if_granularMarkings_is_empty_array": { "actions": { "Compose_'granular_markings'_property": { - "runAfter": { - }, + "runAfter": {}, "type": "Compose", "inputs": "@addProperty(variables('Indicator'), 'granular_markings', item()?['properties']?['granularMarkings'])" }, @@ -554,8 +543,7 @@ } } }, - "runAfter": { - }, + "runAfter": {}, "expression": { "and": [ { @@ -595,8 +583,7 @@ "Condition_to_check_if_indicatorTypes_is_empty_array": { "actions": { "Compose_'indicator_types'_property": { - "runAfter": { - }, + "runAfter": {}, "type": "Compose", "inputs": "@addProperty(variables('Indicator'), 'indicator_types', item()?['properties']?['indicatorTypes'])" }, @@ -613,8 +600,7 @@ } } }, - "runAfter": { - }, + "runAfter": {}, "expression": { "and": [ { @@ -663,12 +649,11 @@ "inputs": "@addProperty(variables('Indicator'), 'kill_chain_phases', array(outputs('Compose_sub_properties_of_''kill_chain_phases''_property')))" }, "Compose_sub_properties_of_'kill_chain_phases'_property": { - "runAfter": { - }, + "runAfter": {}, "type": "Compose", "inputs": { - "kill_chain_name": "@item()?['properties']?['killChainPhases'][0]?['killChainName']", - "phase_name": "@item()?['properties']?['killChainPhases'][0]?['phaseName']" + "kill_chain_name": "lockheed-martin-cyber-kill-chain", + "phase_name": "@toLower(item()?['properties']?['killChainPhases'][0]?['phaseName'])" } }, "Set_variable_Indicator_with_'kill_chain_phases'_property": { @@ -684,8 +669,7 @@ } } }, - "runAfter": { - }, + "runAfter": {}, "expression": { "and": [ { @@ -729,8 +713,7 @@ "Condition_to_check_if_Description_is_not_null": { "actions": { "Concat_IncidentTag_with_Description_": { - "runAfter": { - }, + "runAfter": {}, "type": "Compose", "inputs": "@setProperty(variables('Indicator'), 'description', concat('[',variables('IncidentTag'), '] ', item()?['properties']?['description']))" }, 
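Review bot: `Compose_sub_properties_of_'kill_chain_phases'_property` now hard-codes `kill_chain_name` to `lockheed-martin-cyber-kill-chain` and exports only `killChainPhases[0]`, so an indicator with several phases loses all but the first, and an indicator whose phases are not Lockheed Martin names is exported with a wrong pair. Map the whole array with a `Select` action over `item()?['properties']?['killChainPhases']` instead of indexing `[0]`, and keep the source's `killChainName` (lower-cased) unless every Sentinel phase is known to be LM-named. STIX convention is lower-case hyphenated phase names (`command-and-control`), so if Sentinel stores names with spaces `toLower` alone will not produce them. The enclosing condition starts and ends outside this hunk.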
@@ -755,8 +738,7 @@ "else": { "actions": { "Compose_description_as_IncidentTag": { - "runAfter": { - }, + "runAfter": {}, "type": "Compose", "inputs": "@setProperty(variables('Indicator'), 'description', concat('[', variables('IncidentTag'), ']'))" }, @@ -794,8 +776,7 @@ "Condition_to_check_if_it_is_incident_tag": { "actions": { "Set_variable_IncidentTag": { - "runAfter": { - }, + "runAfter": {}, "type": "SetVariable", "inputs": { "name": "IncidentTag", @@ -803,8 +784,7 @@ } } }, - "runAfter": { - }, + "runAfter": {}, "expression": { "and": [ { @@ -818,13 +798,11 @@ "type": "If" } }, - "runAfter": { - }, + "runAfter": {}, "type": "Foreach" } }, - "runAfter": { - }, + "runAfter": {}, "expression": { "and": [ { @@ -857,8 +835,7 @@ "Filter_Export_tag": { "actions": { "Filter_Labels_array": { - "runAfter": { - }, + "runAfter": {}, "type": "Query", "inputs": { "from": "@items('For_each_Indicator')?['properties']?['labels']", @@ -878,8 +855,7 @@ } } }, - "runAfter": { - }, + "runAfter": {}, "type": "Scope" }, "Set_variable_Indicator_with_'labels'_property": { @@ -901,8 +877,7 @@ "Condition_to_check_if_valid_TLP_lable_exist": { "actions": { "Set_variable_TLPLabel": { - "runAfter": { - }, + "runAfter": {}, "type": "SetVariable", "inputs": { "name": "TLPLabel", @@ -918,8 +893,7 @@ "else": { "actions": { "Set_variable_TLPLabel_if_not_valid_TLP_label_exist": { - "runAfter": { - }, + "runAfter": {}, "type": "SetVariable", "inputs": { "name": "TLPLabel", @@ -941,8 +915,7 @@ "type": "If" }, "Filter_TLP_tag": { - "runAfter": { - }, + "runAfter": {}, "type": "Query", "inputs": { "from": "@variables('Lables')", @@ -962,13 +935,11 @@ } } }, - "runAfter": { - }, + "runAfter": {}, "else": { "actions": { "Set_variable_TLPLabel_if_not_provided": { - "runAfter": { - }, + "runAfter": {}, "type": "SetVariable", "inputs": { "name": "TLPLabel", 
@@ -1020,8 +991,7 @@ "Condition_to_check_if_'language'_property_exist": { "actions": { "Compose_'lang'_property": { - "runAfter": { - }, + "runAfter": {}, "type": "Compose", "inputs": "@addProperty(variables('Indicator'), 'lang', item()?['properties']?['language'])" }, @@ -1062,8 +1032,7 @@ "Condition_to_check_if_objectMarkingRefs_is_empty_array": { "actions": { "Compose_'object_marking_refs'_property": { - "runAfter": { - }, + "runAfter": {}, "type": "Compose", "inputs": "@addProperty(variables('Indicator'), 'object_marking_refs', union(item()?['properties']?['objectMarkingRefs'], variables('MarkingRefsObjIds')))" }, @@ -1080,13 +1049,11 @@ } } }, - "runAfter": { - }, + "runAfter": {}, "else": { "actions": { "Compose_'object_marking_refs'_property_when_empty": { - "runAfter": { - }, + "runAfter": {}, "type": "Compose", "inputs": "@addProperty(variables('Indicator'), 'object_marking_refs', variables('MarkingRefsObjIds'))" }, @@ -1127,8 +1094,7 @@ "else": { "actions": { "Compose_'object_marking_refs'_propert_when_null": { - "runAfter": { - }, + "runAfter": {}, "type": "Compose", "inputs": "@addProperty(variables('Indicator'), 'object_marking_refs', variables('MarkingRefsObjIds'))" }, @@ -1163,8 +1129,7 @@ "Condition_to_check_if_'patternVersion'_property_exist": { "actions": { "Compose_'pattern_version'_property": { - "runAfter": { - }, + "runAfter": {}, "type": "Compose", "inputs": "@addProperty(variables('Indicator'), 'pattern_version', item()?['properties']?['patternVersion'])" }, @@ -1203,8 +1168,7 @@ "Condition_to_check_if_'revoked'_property_exist": { "actions": { "Compose_'revoked'_property": { - "runAfter": { - }, + "runAfter": {}, "type": "Compose", "inputs": "@addProperty(variables('Indicator'), 'revoked', item()?['properties']?['revoked'])" }, 
@@ -1243,8 +1207,7 @@ "Condition_to_check_if_'validUntil'_property_exist": { "actions": { "Compose_'valid_until'_property": { - "runAfter": { - }, + "runAfter": {}, "type": "Compose", "inputs": "@addProperty(variables('Indicator'), 'valid_until', formatDateTime(string(item()?['properties']?['validUntil']), 'yyyy-MM-ddTHH:mm:ss.ffffffK'))" }, @@ -1289,8 +1252,7 @@ "type": "SetVariable", "inputs": { "name": "MarkingRefsObjIds", - "value": [ - ] + "value": [] } }, "Reset_variable_Indicator": { @@ -1302,8 +1264,7 @@ "type": "SetVariable", "inputs": { "name": "Indicator", - "value": { - } + "value": {} } }, "Reset_variable_MarkingRefObject": { @@ -1315,8 +1276,7 @@ "type": "SetVariable", "inputs": { "name": "MarkingRefObj", - "value": { - } + "value": {} } }, "Set_variable_Indicator_with_mandatory_properties": { @@ -1347,7 +1307,7 @@ }, "Compose_Default_TLP_Marking_definition": { "runAfter": { - "Set_variable_MarkingRefObjId": [ + "Switch": [ "Succeeded" ] }, @@ -1355,7 +1315,7 @@ "inputs": { "created": "@formatDateTime(string(items('For_each_Indicator')?['properties']?['created']), 'yyyy-MM-ddTHH:mm:ss.ffffffK')", "extensions": { - "extension-definition--@{guid()}": { + "extension-definition--60a3c5c5-0d10-413e-aab3-9e08dde9e88d": { "extension_type": "property-extension", "tlp_2_0": "@{toLower(string(split(variables('TLPLabel'), ':')[1]))}" } @@ -1378,15 +1338,6 @@ "value": "@{null}" } }, - "Set_variable_MarkingRefObjId": { - "runAfter": { - }, - "type": "SetVariable", - "inputs": { - "name": "MarkingRefObjId", - "value": "marking-definition--@{guid()}" - } - }, "Set_variable_MarkingRefObj_with_default_TLP_Marking_definition": { "runAfter": { "Compose_Default_TLP_Marking_definition": [ 
@@ -1398,6 +1349,81 @@ "name": "MarkingRefObj", "value": "@outputs('Compose_Default_TLP_Marking_definition')" } + }, + "Switch": { + "runAfter": {}, + "cases": { + "AMBER": { + "case": "TLP:AMBER", + "actions": { + "Set_variable_MarkingRefObjId_for_AMBER": { + "runAfter": {}, + "type": "SetVariable", + "inputs": { + "name": "MarkingRefObjId", + "value": "marking-definition--55d920b0-5e8b-4f79-9ee9-91f868d9b421" + } + } + } + }, + "AMBER+STRICT": { + "case": "TLP:AMBER+STRICT", + "actions": { + "Set_variable_MarkingRefObjId_for_AMBER+STRICT": { + "runAfter": {}, + "type": "SetVariable", + "inputs": { + "name": "MarkingRefObjId", + "value": "marking-definition--939a9414-2ddd-4d32-a0cd-375ea402b003" + } + } + } + }, + "CLEAR": { + "case": "TLP:CLEAR", + "actions": { + "Set_variable_MarkingRefObjId_for_CLEAR": { + "runAfter": {}, + "type": "SetVariable", + "inputs": { + "name": "MarkingRefObjId", + "value": "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" + } + } + } + }, + "GREEN": { + "case": "TLP:GREEN", + "actions": { + "Set_variable_Set_variable_MarkingRefObjId_for_GREEN": { + "runAfter": {}, + "type": "SetVariable", + "inputs": { + "name": "MarkingRefObjId", + "value": "marking-definition--bab4a63c-aed9-4cf5-a766-dfca5abac2bb" + } + } + } + }, + "RED": { + "case": "TLP:RED", + "actions": { + "Set_variable_MarkingRefObjId_for_RED": { + "runAfter": {}, + "type": "SetVariable", + "inputs": { + "name": "MarkingRefObjId", + "value": "marking-definition--e828b379-4e03-4974-9ac4-e53a884c97c1" + } + } + } + } + }, + "default": { + "actions": {} + }, + "expression": "@variables('TLPLabel')", + "type": "Switch" } }, "runAfter": { From a85a974d6739248429eece326c7767bbd4168f79 Mon Sep 17 00:00:00 2001 From: rahul0216 Date: Tue, 7 Nov 2023 22:07:34 +0530 Subject: [PATCH 7/7] Update azuredeploy.json --- .../azuredeploy.json | 437 ++++++++++++++---- 1 file changed, 346 insertions(+), 91 deletions(-) 
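Review bot: Now that `Switch` assigns the fixed TLP 2.0 marking-definition ids, `Compose_Default_TLP_Marking_definition` still stamps `created` from each indicator's own `created` time and is appended once per indicator, so one bundle can contain several objects with the same `id` but different `created` values; marking definitions have no `modified` and are immutable, and the canonical TLP 2.0 definitions use a fixed `created` (`2022-10-01T00:00:00.000Z`, as far as I recall). Use that constant, and append each distinct marking definition once per bundle rather than inside the per-indicator loop. The `default` branch of `Switch` is empty, so a `Default TLP Label` outside the five cases leaves `MarkingRefObjId` null and a marking definition with `"id": null` is emitted; constrain the template parameter with `allowedValues` or put a `Terminate` action in `default`.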
diff --git a/Solutions/Australian Cyber Security Centre/Playbooks/AusCtisExportTaggedIndicators/azuredeploy.json b/Solutions/Australian Cyber Security Centre/Playbooks/AusCtisExportTaggedIndicators/azuredeploy.json index 3ca80a881cb..2711c50f9b8 100644 --- a/Solutions/Australian Cyber Security Centre/Playbooks/AusCtisExportTaggedIndicators/azuredeploy.json +++ b/Solutions/Australian Cyber Security Centre/Playbooks/AusCtisExportTaggedIndicators/azuredeploy.json 
@@ -158,6 +158,163 @@ } }, "actions": { + "Condition_to_check_if_at_least_one_indicator_to_send": { + "actions": { + "For_each_filtered_indicator": { + "foreach": "@body('Filter_array_of_indicators_where_tags_do_not_contain_Export_Complete')", + "actions": { + "HTTP_appendTags_request": { + "runAfter": {}, + "type": "Http", + "inputs": { + "authentication": { + "type": "ManagedServiceIdentity" + }, + "body": { + "threatIntelligenceTags": [ + "@{parameters('Tag for indicator export completion')}" + ] + }, + "method": "POST", + "uri": "[uriComponentToString(uri(variables('azure'), 'subscriptions/@{parameters(''SubscriptionID'')}/resourceGroups/@{parameters(''ResourceGroup'')}/providers/Microsoft.OperationalInsights/workspaces/@{parameters(''Workspace'')}/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/@{items(''For_each_filtered_indicator'')?[''name'']}/appendTags?api-version=2021-10-01'))]" + } + } + }, + "runAfter": { + "HTTP_POST_stix_bundle_to_TAXII_server": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Grouping_Object_Composition": { + "actions": { + "Append_GroupObj_to_Indicators_array": { + "runAfter": { + "Compose_Group_Object": [ + "Succeeded" + ] + }, + "type": "AppendToArrayVariable", + "inputs": { + "name": "Indicators", + "value": "@outputs('Compose_Group_Object')" + } + }, + "Compose_Group_Object": { + "runAfter": {}, + "type": "Compose", + "inputs": { + "confidence": 100, + "context": "suspicious-activity", + "created": "@formatDateTime(string(utcNow()), 'yyyy-MM-ddTHH:mm:ss.ffffffK')", + "created_by_ref": "@variables('CreatedByRefObjId')", + "id": "grouping--@{guid()}", + "modified": "@formatDateTime(string(utcNow()), 'yyyy-MM-ddTHH:mm:ss.ffffffK')", + "object_marking_refs": "@union(variables('AllMarkingRefObjIds'), variables('MarkingRefsObjIds'))", + "object_refs": "@variables('IndicatorIds')", + "spec_version": "2.1", + "type": "grouping" + } + } + }, + "runAfter": {}, + "type": "Scope" + }, + 
"HTTP_POST_stix_bundle_to_TAXII_server": { + "runAfter": { + "Set_variable_with_STIX_bundle_JSON": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "authentication": { + "password": "@parameters('TAXIIServerPassword')", + "type": "Basic", + "username": "@parameters('TAXIIServerUsername')" + }, + "body": "@variables('StixBuldle')", + "headers": { + "Accept": "application/taxii+json;version=2.1", + "Content-type": "application/taxii+json;version=2.1" + }, + "method": "POST", + "retryPolicy": { + "type": "none" + }, + "uri": "@{parameters('TAXIIServerRootURL')}/collections/@{parameters('CollectionID')}/objects/" + } + }, + "Identity_Object_Composition": { + "actions": { + "Append_IdentityObj_to_Indicators_array": { + "runAfter": { + "Compose_Identity_Object": [ + "Succeeded" + ] + }, + "type": "AppendToArrayVariable", + "inputs": { + "name": "Indicators", + "value": "@outputs('Compose_Identity_Object')" + } + }, + "Compose_Identity_Object": { + "runAfter": {}, + "type": "Compose", + "inputs": { + "confidence": 100, + "created": "@formatDateTime(string(utcNow()), 'yyyy-MM-ddTHH:mm:ss.ffffffK')", + "id": "@variables('CreatedByRefObjId')", + "identity_class": "organization", + "modified": "@formatDateTime(string(utcNow()), 'yyyy-MM-ddTHH:mm:ss.ffffffK')", + "name": "CTIS", + "object_marking_refs": "@union(variables('AllMarkingRefObjIds'), variables('MarkingRefsObjIds'))", + "spec_version": "2.1", + "type": "identity" + } + } + }, + "runAfter": { + "Grouping_Object_Composition": [ + "Succeeded" + ] + }, + "type": "Scope" + }, + "Set_variable_with_STIX_bundle_JSON": { + "runAfter": { + "Identity_Object_Composition": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "StixBuldle", + "value": "{\n \"type\": \"bundle\",\n \"id\": \"bundle--1736e032-a96a-41e9-8302-126677d4d781\",\n \"objects\": @{variables('Indicators')}\n}" + } + } + }, + "runAfter": { + "For_each_Indicator": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "not": { 
+ "equals": [ + "@length(variables('Indicators'))", + 0 + ] + } + } + ] + }, + "type": "If" + }, "Filter_array_of_indicators_where_tags_contain_Export": { "runAfter": { "Parse_JSON_queryIndicators_response": [ @@ -185,6 +342,18 @@ "For_each_Indicator": { "foreach": "@body('Filter_array_of_indicators_where_tags_do_not_contain_Export_Complete')", "actions": { + "Append_IndicatorId_to_array_IndicatorsIds": { + "runAfter": { + "Set_variable_IndicatorId": [ + "Succeeded" + ] + }, + "type": "AppendToArrayVariable", + "inputs": { + "name": "IndicatorIds", + "value": "@variables('IndicatorId')" + } + }, "Append_MarkingRefObj_to_array_Indicators": { "runAfter": { "Reset_variable_Indicator": [ @@ -210,12 +379,16 @@ } }, "Compose_mandatory_properties": { - "runAfter": {}, + "runAfter": { + "Append_IndicatorId_to_array_IndicatorsIds": [ + "Succeeded" + ] + }, "type": "Compose", "inputs": { "created": "@formatDateTime(string(items('For_each_Indicator')?['properties']?['created']), 'yyyy-MM-ddTHH:mm:ss.ffffffK')", - "id": "indicator--@{guid()}", - "modified": "@formatDateTime(string(items('For_each_Indicator')?['properties']?['lastUpdatedTimeUtc']), 'yyyy-MM-ddTHH:mm:ss.ffffffK')", + "id": "@variables('IndicatorId')", + "modified": "@addSeconds(formatDateTime(string(items('For_each_Indicator')?['properties']?['lastUpdatedTimeUtc'])), 5, 'yyyy-MM-ddTHH:mm:ss.ffffffK')", "pattern": "@items('For_each_Indicator')?['properties']?['pattern']", "pattern_type": "@if(contains(createArray('stix', 'pcre', 'sigma', 'snort', 'suricata', 'yara'), string(items('For_each_Indicator')?['properties']?['patternType'])), string(items('For_each_Indicator')?['properties']?['patternType']), 'stix')", "spec_version": "2.1", 
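Review bot: `HTTP_POST_stix_bundle_to_TAXII_server` sends Basic credentials to whatever `TAXIIServerRootURL` the deployer supplies with no check on the scheme, so a plain-`http` value leaks the TAXII password and every exported indicator in cleartext; guard it with a condition such as `@startsWith(toLower(parameters('TAXIIServerRootURL')), 'https://')` before the request, or a pattern constraint on the template parameter. The bundle `id` in `Set_variable_with_STIX_bundle_JSON` is the same hard-coded UUID on every run; `bundle--@{guid()}` avoids a receiver treating successive pushes as the same bundle. The bundle is also hand-assembled as a JSON string around `@{variables('Indicators')}`; a `Compose` that builds the object and lets the HTTP action serialise it is less fragile. Lastly, the grouping and identity objects are marked with `union(AllMarkingRefObjIds, MarkingRefsObjIds)`, i.e. every TLP level seen in the run at once, whereas an object should carry a single TLP marking, normally the most restrictive one present.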
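Review bot: `Compose_mandatory_properties` now emits `modified` as `lastUpdatedTimeUtc` plus five seconds, which silently falsifies the provenance timestamp on every exported indicator. If the skew exists so that `modified` is never earlier than `created`, express that directly and document it, e.g. `@if(greater(ticks(string(items('For_each_Indicator')?['properties']?['created'])), ticks(string(items('For_each_Indicator')?['properties']?['lastUpdatedTimeUtc']))), <created expression>, <lastUpdated expression>)`. Note also that `addSeconds` is applied to an already formatted string, so `formatDateTime` is run twice where `addSeconds(string(...lastUpdatedTimeUtc), 5, 'yyyy-MM-ddTHH:mm:ss.ffffffK')` would do. `For_each_Indicator` starts and ends outside this hunk.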
@@ -303,6 +476,27 @@ "Succeeded" ] }, + "else": { + "actions": { + "Compose_default_'created_by_ref'_property": { + "runAfter": {}, + "type": "Compose", + "inputs": "@addProperty(variables('Indicator'), 'created_by_ref', 'identity--02073f98-86a4-44c8-9fff-f92c2e0fceae')" + }, + "Set_variable_indicator_with_default_'created_by_ref'_property": { + "runAfter": { + "Compose_default_'created_by_ref'_property": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "Indicator", + "value": "@outputs('Compose_default_''created_by_ref''_property')" + } + } + } + }, "expression": { "and": [ { @@ -823,14 +1017,44 @@ }, "type": "Scope" }, - "Compose_'labels'_property": { + "Condition_to_check_if_any_lable_exist": { + "actions": { + "Compose_'labels'_property": { + "runAfter": {}, + "type": "Compose", + "inputs": "@addProperty(variables('Indicator'), 'labels', variables('Lables'))" + }, + "Set_variable_Indicator_with_'labels'_property": { + "runAfter": { + "Compose_'labels'_property": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "Indicator", + "value": "@outputs('Compose_''labels''_property')" + } + } + }, "runAfter": { "Add_Incidet_ID_to_Description": [ "Succeeded" ] }, - "type": "Compose", - "inputs": "@addProperty(variables('Indicator'), 'labels', variables('Lables'))" + "expression": { + "and": [ + { + "not": { + "equals": [ + "@length(variables('Lables'))", + 0 + ] + } + } + ] + }, + "type": "If" }, "Filter_Export_tag": { "actions": { @@ -858,18 +1082,6 @@ "runAfter": {}, "type": "Scope" }, - "Set_variable_Indicator_with_'labels'_property": { - "runAfter": { - "Compose_'labels'_property": [ - "Succeeded" - ] - }, - "type": "SetVariable", - "inputs": { - "name": "Indicator", - "value": "@outputs('Compose_''labels''_property')" - } - }, "TLP_tag_processing": { "actions": { "Condition_to_check_if_TLP_tag_is_present_and_valid": { 
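Review bot: The new `else` branch hard-codes `identity--02073f98-86a4-44c8-9fff-f92c2e0fceae` as the default `created_by_ref`, while the same literal is also the initial value of the `CreatedByRefObjId` variable that `Compose_Identity_Object` uses for the identity object's `id`. Two copies of the literal can drift, and a `created_by_ref` that no longer matches an identity in the bundle is a dangling reference for the TAXII consumer; read the variable instead: `"inputs": "@addProperty(variables('Indicator'), 'created_by_ref', variables('CreatedByRefObjId'))"`. The `If` action this `else` belongs to starts before the hunk and its `expression` follows it.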
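Review bot: The new action name `Condition_to_check_if_any_lable_exist` misspells "label" (the variable it tests is also spelled `Lables`), and any later `runAfter` reference has to reproduce the misspelling exactly; name it `Condition_to_check_if_any_label_exists` now, before anything depends on it. The guard itself is sound: STIX 2.1 prohibits empty lists, so skipping `addProperty` when `length(variables('Lables'))` is 0 is what a validating TAXII server expects.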
@@ -1257,7 +1469,7 @@ }, "Reset_variable_Indicator": { "runAfter": { - "Append_to_array_Indicators": [ + "Reset_variable_IndicatorId": [ "Succeeded" ] }, @@ -1267,6 +1479,18 @@ "value": {} } }, + "Reset_variable_IndicatorId": { + "runAfter": { + "Append_to_array_Indicators": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "IndicatorId", + "value": "@{null}" + } + }, "Reset_variable_MarkingRefObject": { "runAfter": { "Append_MarkingRefObj_to_array_Indicators": [ @@ -1279,6 +1503,14 @@ "value": {} } }, + "Set_variable_IndicatorId": { + "runAfter": {}, + "type": "SetVariable", + "inputs": { + "name": "IndicatorId", + "value": "indicator--@{guid()}" + } + }, "Set_variable_Indicator_with_mandatory_properties": { "runAfter": { "Compose_mandatory_properties": [ @@ -1293,6 +1525,19 @@ }, "TLP_Marking_Ref_definition": { "actions": { + "Append_MarkingRefObjID_to_array_AllMarkingRefsObjectIds": { + "runAfter": { + "Append_MarkingRefObjID_to_array_MarkingRefsObjectIds": [ + "Succeeded" + ] + }, + "type": "AppendToArrayVariable", + "inputs": { + "name": "AllMarkingRefObjIds", + "value": "@variables('MarkingRefObjId')" + }, + "description": "This array is used in Identity Object creation." + }, "Append_MarkingRefObjID_to_array_MarkingRefsObjectIds": { "runAfter": { "Set_variable_MarkingRefObj_with_default_TLP_Marking_definition": [ @@ -1328,7 +1573,7 @@ }, "Reset_variable_MarkingRefObjId": { "runAfter": { - "Append_MarkingRefObjID_to_array_MarkingRefsObjectIds": [ + "Append_MarkingRefObjID_to_array_AllMarkingRefsObjectIds": [ "Succeeded" ] }, 
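Review bot: `Set_variable_IndicatorId` mints `indicator--@{guid()}` on every run, so a Sentinel indicator that is exported again (for example after its tags change) reaches the TAXII server as a brand-new STIX object rather than a new version of the one sent earlier, and consumers cannot correlate or retire the earlier copy. STIX versioning keys on a stable `id` plus an increasing `modified`; if the indicator's `name` property is a stable UUID, as the removed `appendTags` URI treated it, derive the id from it: `"value": "indicator--@{items('For_each_Indicator')?['name']}"`. If `name` is not guaranteed to be a UUID, the id still needs to be derived deterministically from the indicator rather than drawn fresh per run.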
@@ -1446,59 +1691,6 @@ } } }, - "For_each_filtered_indicator": { - "foreach": "@body('Filter_array_of_indicators_where_tags_do_not_contain_Export_Complete')", - "actions": { - "HTTP_appendTags_request": { - "runAfter": { - }, - "type": "Http", - "inputs": { - "authentication": { - "type": "ManagedServiceIdentity" - }, - "body": { - "threatIntelligenceTags": [ - "@{parameters('Tag for indicator export completion')}" - ] - }, - "method": "POST", - "uri": "https://management.azure.com/subscriptions/@{parameters('SubscriptionID')}/resourceGroups/@{parameters('ResourceGroup')}/providers/Microsoft.OperationalInsights/workspaces/@{parameters('Workspace')}/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/@{items('For_each_filtered_indicator')?['name']}/appendTags?api-version=2021-10-01" - } - } - }, - "runAfter": { - "HTTP_POST_stix_bundle_to_TAXII_server": [ - "Succeeded" - ] - }, - "type": "Foreach" - }, - "HTTP_POST_stix_bundle_to_TAXII_server": { - "runAfter": { - "Initialize_variable_for_STIX_bundle_JSON": [ - "Succeeded" - ] - }, - "type": "Http", - "inputs": { - "authentication": { - "password": "@parameters('TAXIIServerPassword')", - "type": "Basic", - "username": "@parameters('TAXIIServerUsername')" - }, - "body": "@variables('StixBundle')", - "headers": { - "Accept": "application/taxii+json;version=2.1", - "Content-type": "application/taxii+json;version=2.1" - }, - "method": "POST", - "retryPolicy": { - "type": "none" - }, - "uri": "@{parameters('TAXIIServerRootURL')}/collections/@{parameters('CollectionID')}/objects/" - } - }, "HTTP_queryIndicators_request": { "runAfter": { "Initialize_variable_IncidentTag": [ 
@@ -1527,10 +1719,43 @@ "uri": "[uriComponentToString(uri(variables('azure'),'subscriptions/@{parameters(''SubscriptionID'')}/resourceGroups/@{parameters(''ResourceGroup'')}/providers/Microsoft.OperationalInsights/workspaces/@{parameters(''Workspace'')}/providers/Microsoft.SecurityInsights/threatIntelligence/main/queryIndicators?api-version=2022-06-01-preview'))]" } }, - "Initialize_array_Indicators": { + "Initialize_array_AllMarkingRefObjIds": { + "runAfter": { + "Initialize_array_MarkingRefsObjIds": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "AllMarkingRefObjIds", + "type": "array", + "value": [] + } + ] + } + }, + "Initialize_array_IndicatorIds": { "runAfter": { + "Initialize_variable_IndicatorId": [ + "Succeeded" + ] }, "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "IndicatorIds", + "type": "array", + "value": [] + } + ] + } + }, + "Initialize_array_Indicators": { + "runAfter": {}, + "type": "InitializeVariable", "inputs": { "variables": [ { @@ -1568,8 +1793,7 @@ { "name": "MarkingRefsObjIds", "type": "array", - "value": [ - ] + "value": [] } ] } @@ -1614,9 +1838,27 @@ ] } }, + "Initialize_variable_IdentityObjId_or_CreatedByRefObjId": { + "runAfter": { + "Initialize_array_IndicatorIds": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "CreatedByRefObjId", + "type": "string", + "value": "identity--02073f98-86a4-44c8-9fff-f92c2e0fceae" + } + ] + }, + "description": "Default CreatedByRefObjId or IdenityObjId" + }, "Initialize_variable_IncidentTag": { "runAfter": { - "Initialize_array_MarkingRefsObjIds": [ + "Initialize_variable_StixBundle": [ "Succeeded" ] }, 
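Review bot: `Initialize_variable_IdentityObjId_or_CreatedByRefObjId` fixes the producer identity to the literal `identity--02073f98-86a4-44c8-9fff-f92c2e0fceae`, and `Compose_Identity_Object` names it `CTIS`, so every deployment of this playbook in any tenant submits objects attributed to the same identity; if the id is meant to be the deploying organisation's own identity rather than a shared ACSC one, it should be a template parameter alongside `TAXIIServerRootURL` instead of a constant. The `description` also misspells "Identity": `"description": "Default CreatedByRefObjId or IdentityObjId"`. Whatever the choice, the same literal appears again as the `created_by_ref` fallback elsewhere in the file and should reference this variable so there is one source of truth.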
@@ -1642,8 +1884,24 @@ { "name": "Indicator", "type": "object", - "value": { - } + "value": {} + } + ] + } + }, + "Initialize_variable_IndicatorId": { + "runAfter": { + "Initialize_array_AllMarkingRefObjIds": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "IndicatorId", + "type": "string", + "value": "@{null}" } ] } @@ -1660,8 +1918,7 @@ { "name": "MarkingRefObj", "type": "object", - "value": { - } + "value": {} } ] } @@ -1682,9 +1939,9 @@ ] } }, - "Initialize_variable_TLPLabel": { + "Initialize_variable_StixBundle": { "runAfter": { - "Initialize_array_TLPLables": [ + "Initialize_variable_IdentityObjId_or_CreatedByRefObjId": [ "Succeeded" ] }, @@ -1692,15 +1949,15 @@ "inputs": { "variables": [ { - "name": "TLPLabel", + "name": "StixBuldle", "type": "string" } ] } }, - "Initialize_variable_for_STIX_bundle_JSON": { + "Initialize_variable_TLPLabel": { "runAfter": { - "For_each_Indicator": [ + "Initialize_array_TLPLables": [ "Succeeded" ] }, @@ -1708,9 +1965,8 @@ "inputs": { "variables": [ { - "name": "StixBundle", - "type": "string", - "value": "{\n \"type\": \"bundle\",\n \"id\": \"bundle--1736e032-a96a-41e9-8302-126677d4d781\",\n \"objects\": @{string(variables('Indicators'))}\n}" + "name": "TLPLabel", + "type": "string" } ] } @@ -1759,8 +2015,7 @@ "properties": { "sentinel-ext": { "properties": { - "severity": { - } + "severity": {} }, "type": "object" },
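Review bot: `Initialize_variable_IndicatorId` sets `"value": "@{null}"`, which is string interpolation of `null`; whether the variable starts as `null` or as `""` is interpolation behaviour I would confirm in a run history rather than rely on. If a null start is intended, omitting `value` as `Initialize_variable_StixBundle` does in this same commit is unambiguous; if an empty string is intended, write `"value": ""`. The same expression is used in `Reset_variable_IndicatorId`, where `SetVariable` requires a value, so the two should at least agree on which state they produce.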
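Review bot: The variable created by `Initialize_variable_StixBundle` is named `StixBuldle`, not `StixBundle`, and the typo is load-bearing: `Set_variable_with_STIX_bundle_JSON` and the body of `HTTP_POST_stix_bundle_to_TAXII_server` both use `variables('StixBuldle')`, so correcting it here alone breaks the run. Rename all three together to `"name": "StixBundle"`, matching the action name. Since this string variable again receives a bundle built by interpolating the `Indicators` array into a JSON template, a `Compose` action producing `{"type": "bundle", "id": ..., "objects": "@variables('Indicators')"}` as real JSON, with a fresh `guid()` per export instead of the fixed `bundle--1736e032-…` id, would avoid depending on how an array variable serialises inside a string; that construction sits in an earlier hunk.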