Keshav Jain

Mar 24, 2021 · 2 min read

Azure Sentinel playbook (Logic App workflow definition) that pulls the IP, URL, account and host entities out of an alert and emails a notification about a newly created public IP.

Review before importing this: (1) the `To` field of `Send_an_email_(V2)` is `items('For_each')?['Url']`, i.e. the recipient is taken from the alert's URL entity rather than a fixed analyst mailbox, so alert details are mailed to whatever address appears in the alert — potentially one an attacker influenced; set the recipient to a known mailbox or resolve it from a trusted lookup instead. (2) Entity values are interpolated into the HTML email body without encoding, so attacker-controlled entity text ends up as markup in the mail. (3) The four nested `For_each` loops send one email per URL × host × IP × account combination, so an alert with several entities of each type produces many near-duplicate emails. (4) `Cc` still holds the placeholder `abc@xyz.com`, and the `$connections` block uses `<>` placeholders that must be replaced with your subscription, resource group and location before deployment.

{
 
"definition": {
 
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
 
"actions": {
 
"Alert_-_Get_IPs": {
 
"inputs": {
 
"body": "@triggerBody()?['Entities']",
 
"host": {
 
"connection": {
 
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
 
}
 
},
 
"method": "post",
 
"path": "/entities/ip"
 
},
 
"runAfter": {
 
"Alert_-_Get_hosts": [
 
"Succeeded"
 
]
 
},
 
"type": "ApiConnection"
 
},
 
"Alert_-_Get_URLs": {
 
"inputs": {
 
"body": "@triggerBody()?['Entities']",
 
"host": {
 
"connection": {
 
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
 
}
 
},
 
"method": "post",
 
"path": "/entities/url"
 
},
 
"runAfter": {
 
"Alert_-_Get_IPs": [
 
"Succeeded"
 
]
 
},
 
"type": "ApiConnection"
 
},
 
"Alert_-_Get_accounts": {
 
"inputs": {
 
"body": "@triggerBody()?['Entities']",
 
"host": {
 
"connection": {
 
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
 
}
 
},
 
"method": "post",
 
"path": "/entities/account"
 
},
 
"runAfter": {
 
"Alert_-_Get_incident": [
 
"Succeeded"
 
]
 
},
 
"type": "ApiConnection"
 
},
 
"Alert_-_Get_hosts": {
 
"inputs": {
 
"body": "@triggerBody()?['Entities']",
 
"host": {
 
"connection": {
 
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
 
}
 
},
 
"method": "post",
 
"path": "/entities/host"
 
},
 
"runAfter": {
 
"Alert_-_Get_accounts": [
 
"Succeeded"
 
]
 
},
 
"type": "ApiConnection"
 
},
 
"Alert_-_Get_incident": {
 
"inputs": {
 
"host": {
 
"connection": {
 
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
 
}
 
},
 
"method": "get",
 
"path": "/Cases/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}"
 
},
 
"runAfter": {},
 
"type": "ApiConnection"
 
},
 
"For_each": {
 
"actions": {
 
"For_each_2": {
 
"actions": {
 
"For_each_3": {
 
"actions": {
 
"For_each_4": {
 
"actions": {
 
"Send_an_email_(V2)": {
 
"inputs": {
 
"body": {
 
"Body": "<p><strong>Please verify why you have deployed a public IP.<br>\n<br>\naccess.<br>\n</strong><br>\n<br>\nPublic IP @{items('For_each_3')?['Address']} is created.<br>\n<br>\nName of the IP Address @{items('For_each_4')?['Name']}<br>\n<br>\nThis User @{items('For_each')?['Url']} created the public IP.<br>\n<br>\nOther details about this resource:<br>\n<br>\n@{body('Alert_-_Get_hosts')?['Hosts']}<br>\n<br>\n<br>\nThis email is generated using the Logic App.<br>\n</p>",
 
"Cc": "abc@xyz.com ",
 
"Subject": "Azure Sentinel Alert for Public IP. ",
 
"To": "@{items('For_each')?['Url']}"
 
},
 
"host": {
 
"connection": {
 
"name": "@parameters('$connections')['office365']['connectionId']"
 
}
 
},
 
"method": "post",
 
"path": "/v2/Mail"
 
},
 
"runAfter": {},
 
"type": "ApiConnection"
 
}
 
},
 
"foreach": "@body('Alert_-_Get_accounts')?['Accounts']",
 
"runAfter": {},
 
"type": "Foreach"
 
}
 
},
 
"foreach": "@body('Alert_-_Get_IPs')?['IPs']",
 
"runAfter": {},
 
"type": "Foreach"
 
}
 
},
 
"foreach": "@body('Alert_-_Get_hosts')?['Hosts']",
 
"runAfter": {},
 
"type": "Foreach"
 
}
 
},
 
"foreach": "@body('Alert_-_Get_URLs')?['Urls']",
 
"runAfter": {
 
"Alert_-_Get_URLs": [
 
"Succeeded"
 
]
 
},
 
"type": "Foreach"
 
}
 
},
 
"contentVersion": "1.0.0.0",
 
"outputs": {},
 
"parameters": {
 
"$connections": {
 
"defaultValue": {},
 
"type": "Object"
 
}
 
},
 
"triggers": {
 
"When_a_response_to_an_Azure_Sentinel_alert_is_triggered": {
 
"inputs": {
 
"body": {
 
"callback_url": "@{listCallbackUrl()}"
 
},
 
"host": {
 
"connection": {
 
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
 
}
 
},
 
"path": "/subscribe"
 
},
 
"type": "ApiConnectionWebhook"
 
}
 
}
 
},
 
"parameters": {
 
"$connections": {
 
"value": {
 
"azuresentinel": {
 
"connectionId": "/subscriptions/<>/resourceGroups/<>/providers/Microsoft.Web/connections/azuresentinel",
 
"connectionName": "azuresentinel",
 
"id": "/subscriptions/<>/providers/Microsoft.Web/locations/<>/managedApis/azuresentinel"
 
},
 
"office365": {
 
"connectionId": "/subscriptions/<>/resourceGroups/<>/providers/Microsoft.Web/connections/office365-6",
 
"connectionName": "office365-6",
 
"id": "/subscriptions/<>/providers/Microsoft.Web/locations/<>/managedApis/office365"
 
}
 
}
 
}
 
}
 
}
