Search

Azure Sentinel Playbook Code for pulling up the IP Address from the Alert.

{
    "definition": {
        "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
        "actions": {
            "Alert_-_Get_IPs": {
                "inputs": {
                    "body": "@triggerBody()?['Entities']",
                    "host": {
                        "connection": {
                            "name": "@parameters('$connections')['azuresentinel']['connectionId']"
                        }
                    },
                    "method": "post",
                    "path": "/entities/ip"
                },
                "runAfter": {
                    "Alert_-_Get_hosts": [
                        "Succeeded"
                    ]
                },
                "type": "ApiConnection"
            },
            "Alert_-_Get_URLs": {
                "inputs": {
                    "body": "@triggerBody()?['Entities']",
                    "host": {
                        "connection": {
                            "name": "@parameters('$connections')['azuresentinel']['connectionId']"
                        }
                    },
                    "method": "post",
                    "path": "/entities/url"
                },
                "runAfter": {
                    "Alert_-_Get_IPs": [
                        "Succeeded"
                    ]
                },
                "type": "ApiConnection"
            },
            "Alert_-_Get_accounts": {
                "inputs": {
                    "body": "@triggerBody()?['Entities']",
                    "host": {
                        "connection": {
                            "name": "@parameters('$connections')['azuresentinel']['connectionId']"
                        }
                    },
                    "method": "post",
                    "path": "/entities/account"
                },
                "runAfter": {
                    "Alert_-_Get_incident": [
                        "Succeeded"
                    ]
                },
                "type": "ApiConnection"
            },
            "Alert_-_Get_hosts": {
                "inputs": {
                    "body": "@triggerBody()?['Entities']",
                    "host": {
                        "connection": {
                            "name": "@parameters('$connections')['azuresentinel']['connectionId']"
                        }
                    },
                    "method": "post",
                    "path": "/entities/host"
                },
                "runAfter": {
                    "Alert_-_Get_accounts": [
                        "Succeeded"
                    ]
                },
                "type": "ApiConnection"
            },
            "Alert_-_Get_incident": {
                "inputs": {
                    "host": {
                        "connection": {
                            "name": "@parameters('$connections')['azuresentinel']['connectionId']"
                        }
                    },
                    "method": "get",
                    "path": "/Cases/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}"
                },
                "runAfter": {},
                "type": "ApiConnection"
            },
            "For_each": {
                "actions": {
                    "For_each_2": {
                        "actions": {
                            "For_each_3": {
                                "actions": {
                                    "For_each_4": {
                                        "actions": {
                                            "Send_an_email_(V2)": {
                                                "inputs": {
                                                    "body": {
                                                        "Body": "<p><strong>Please verify why you have deployed a public IP . <br>\n<br>\access.<br>\n</strong><br>\n<br>\nPublic IP @{items('For_each_3')?['Address']} is created.<br>\n<br>\nName of the IP Address @{items('For_each_4')?['Name']}<br>\n<br>\nThis User @{items('For_each')?['Url']} created the public IP.<br>\n<br>\nOther Deteails about this resource :- <br>\n<br>\n@{body('Alert_-_Get_hosts')?['Hosts']}<br>\n<br>\n<br>\nThis email is generated using the logic App. <br>\n</p>",
                                                        "Cc": "abc@xyz.com ",
                                                        "Subject": "Azure Sentinel Alert for Public IP. ",
                                                        "To": "@{items('For_each')?['Url']}"
                                                    },
                                                    "host": {
                                                        "connection": {
                                                            "name": "@parameters('$connections')['office365']['connectionId']"
                                                        }
                                                    },
                                                    "method": "post",
                                                    "path": "/v2/Mail"
                                                },
                                                "runAfter": {},
                                                "type": "ApiConnection"
                                            }
                                        },
                                        "foreach": "@body('Alert_-_Get_accounts')?['Accounts']",
                                        "runAfter": {},
                                        "type": "Foreach"
                                    }
                                },
                                "foreach": "@body('Alert_-_Get_IPs')?['IPs']",
                                "runAfter": {},
                                "type": "Foreach"
                            }
                        },
                        "foreach": "@body('Alert_-_Get_hosts')?['Hosts']",
                        "runAfter": {},
                        "type": "Foreach"
                    }
                },
                "foreach": "@body('Alert_-_Get_URLs')?['Urls']",
                "runAfter": {
                    "Alert_-_Get_URLs": [
                        "Succeeded"
                    ]
                },
                "type": "Foreach"
            }
        },
        "contentVersion": "1.0.0.0",
        "outputs": {},
        "parameters": {
            "$connections": {
                "defaultValue": {},
                "type": "Object"
            }
        },
        "triggers": {
            "When_a_response_to_an_Azure_Sentinel_alert_is_triggered": {
                "inputs": {
                    "body": {
                        "callback_url": "@{listCallbackUrl()}"
                    },
                    "host": {
                        "connection": {
                            "name": "@parameters('$connections')['azuresentinel']['connectionId']"
                        }
                    },
                    "path": "/subscribe"
                },
                "type": "ApiConnectionWebhook"
            }
        }
    },
    "parameters": {
        "$connections": {
            "value": {
                "azuresentinel": {
                    "connectionId": "/subscriptions/<>/resourceGroups/<>/providers/Microsoft.Web/connections/azuresentinel",
                    "connectionName": "azuresentinel",
                    "id": "/subscriptions/<>/providers/Microsoft.Web/locations/<>/managedApis/azuresentinel"
                },
                "office365": {
                    "connectionId": "/subscriptions/<>/resourceGroups/<>/providers/Microsoft.Web/connections/office365-6",
                    "connectionName": "office365-6",
                    "id": "/subscriptions/<>/providers/Microsoft.Web/locations/<>/managedApis/office365"
                }
            }
        }
    }
} 
30 views0 comments

Recent Posts

See All