{ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.2", "metadata":{ "comments":"This playbook will provide users with Recommended SOC Actions using a .csv file that they upload into a WatchList and give it the the Alias of SocRA. This also contains steps an Analyst should consider taking when an Analytic Detection has not been onboarded to the WatchList .csv file.", "author": "Rin Ure" }, "parameters": { "PlaybookName": { "defaultValue": "Get-SOCActions", "type": "string" }, "UserName": { "defaultValue": "@", "type": "string" }, "SubscriptionID": { "defaultValue": "", "type": "string" }, "ResourceGroup": { "defaultValue": "", "type": "string" }, "ResourceName": { "defaultValue": "", "type": "string" }, "ResourceType": { "defaultValue": "Log Analytics Workspace", "type": "string" } }, "variables": { "AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]", "AzureMonitorLogsConnectionName": "[concat('azuremonitorlogs-', parameters('PlaybookName'))]" }, "resources": [ { "type": "Microsoft.Web/connections", "apiVersion": "2016-06-01", "name": "[variables('AzureSentinelConnectionName')]", "location": "[resourceGroup().location]", "properties": { "displayName": "[parameters('UserName')]", "customParameterValues": {}, "api": { "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]" } } }, { "type": "Microsoft.Web/connections", "apiVersion": "2016-06-01", "name": "[variables('AzureMonitorLogsConnectionName')]", "location": "[resourceGroup().location]", "properties": { "displayName": "[parameters('UserName')]", "customParameterValues": {}, "api": { "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuremonitorlogs')]" } } }, { "type": "Microsoft.Logic/workflows", "apiVersion": "2017-07-01", "name": "[parameters('PlaybookName')]", "location": "[resourceGroup().location]", "dependsOn": [ "[resourceId('Microsoft.Web/connections', variables('AzureMonitorLogsConnectionName'))]", "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]" ], "properties": { "state": "Enabled", "definition": { "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", "contentVersion": "1.0.0.0", "parameters": { "$connections": { "defaultValue": {}, "type": "Object" } }, "triggers": { "When_a_response_to_an_Azure_Sentinel_alert_is_triggered": { "type": "ApiConnectionWebhook", "inputs": { "body": { "callback_url": "@{listCallbackUrl()}" }, "host": { "connection": { "name": "@parameters('$connections')['azuresentinel']['connectionId']" } }, "path": "/incident-creation" } } }, "actions": { "Alert_-_Get_incident": { "runAfter": {}, "type": "ApiConnection", "inputs": { "host": { "connection": { "name": "@parameters('$connections')['azuresentinel']['connectionId']" } }, "method": "get", "path": "/Incidents/subscriptions/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/resourceGroups/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/workspaces/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/alerts/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}" } }, "Condition_2": { "actions": { "Add_comment_to_incident_(V3)": { "runAfter": { "Compose": [ "Succeeded" ] }, "type": "ApiConnection", "inputs": { "body": { "incidentArmId": "@body('Alert_-_Get_incident')?['id']", "message": "

@{outputs('Compose')}

" }, "host": { "connection": { "name": "@parameters('$connections')['azuresentinel']['connectionId']" } }, "method": "post", "path": "/Incidents/Comment" } }, "Compose": { "runAfter": {}, "type": "Compose", "inputs": "\n

Incident Analysis Procedures

\nRecommended Actions:\n

Step 1: Group Events for Analysis\nThe Primary Analyst should review all events/Alerts in the Incident where necessary. \nIf analysis on any of the events/Alerts is expected to take longer than 5 - 15 minutes, the Primary Analyst will escalate the Incident to \"Open Incident\" by tagging it for review by the Secondary Analyst.\n\nStep 2: Understanding the Attack\nThe Primary Analyst should gather and understand the full context of the Incident. \nUse Bookmarks to record the following information (this will be added to the Incident TimeLine as an annotation/evidence): Identify Source IP / Destination IP Addresses.\n\nStep 3: Analyze and Assess the Impact of the Attack\nThe Analysts should investigate any Attack by using any/all internal and external tools and resources.

\n\n

Additionally, all Analysts should be prepared to answer the following:\n - Was the attempt successful?\n - How many hosts are involved?\n - Was the IP blocked by the FW or Proxy?\n - Were any Customers impacted?\nWhat was the origin and/or details about the attacker IP?\n - WhoIs, Domain tools\n - Country, ISP, Business (what is the net block)\nWhat was attacked?\n - DMZ\n - Corporate systems\n - Database(s)\n - Application(s) - Web?\nWhat did they do (or try to do)?\n - Identify all date-time-groups (DTG), attack timeline (fast/slow), time of day in source IP time zone.\n - Identify a series of subtle events or rash of attacks (fast/slow)\n - Same time of day vs. various times\nWhere did they attack from?\n - Identify the IP address of attacked system(s), external/internal/DMZ, applications, open ports, vulnerabilities, and usernames (if any).\nWhy did they do it?\n - Identify the purpose of the attack. Targeted or random?\n - Web Defacement\n - Admin access\n - Reconnaissance\n - Dos/DDoS or other outage\nHow did they go about it?\n - Identify the tool used (vulnerability scanner, port scanner), hand crafted, type of attack (buffer overflow, SQL injection, format string), protocol used, flags set, or other details.

\n\n

Step 4: Determine What Action is Needed Depending on the severity of the event, an analyst may need to report the Incident in several manners. \nThe outcome of the analysis should prompt the analyst to perform one or more of the following actions. \nOnce one of the below actions are taken, the Incident should be tagged using the appropriate annotation/tagging as detailed in the Event Triage Workflow Procedures.\nWorkflow Proceedures:\n - Update/Tag/Close Incident(s)\n - Report Incidents/Alerts/Events/Bookmarks in Shift Logs\n - Escalate Incident(s) to IR Team - Use Tagging in Incident\n

" } }, "runAfter": { "Run_query_and_list_results": [ "Succeeded" ] }, "else": { "actions": { "For_each": { "foreach": "@body('Parse_JSON')", "actions": { "Condition": { "actions": {}, "runAfter": {}, "else": { "actions": { "Add_comment_to_incident_(V3)_2": { "runAfter": { "Compose_HTML_Output_False": [ "Succeeded" ] }, "type": "ApiConnection", "inputs": { "body": { "incidentArmId": "@body('Alert_-_Get_incident')?['id']", "message": "

@{outputs('Compose_HTML_Output_False')}

" }, "host": { "connection": { "name": "@parameters('$connections')['azuresentinel']['connectionId']" } }, "method": "post", "path": "/Incidents/Comment" } }, "Compose_HTML_Output_False": { "runAfter": {}, "type": "Compose", "inputs": "\n

Alert: @{items('For_each')['Alert']}

\n

Recommended Actions:

\n

@{items('For_each')['A1']}\n@{items('For_each')['A2']}\n@{items('For_each')['A3']}\n@{items('For_each')['A4']}\n@{items('For_each')['A5']}\n@{items('For_each')['A6']}\n@{items('For_each')['A7']}\n@{items('For_each')['A8']}\n@{items('For_each')['A9']}\n@{items('For_each')['A10']}\n@{items('For_each')['A11']}\n@{items('For_each')['A12']}\n@{items('For_each')['A13']}\n@{items('For_each')['A14']}\n@{items('For_each')['A15']}\n@{items('For_each')['A16']}\n@{items('For_each')['A17']}\n@{items('For_each')['A18']}\n@{items('For_each')['A19']}\n

" } } }, "expression": { "and": [ { "equals": [ "@empty(items('For_each')['Alert'])", true ] } ] }, "type": "If" } }, "runAfter": { "Parse_JSON": [ "Succeeded" ] }, "type": "Foreach" }, "Parse_JSON": { "runAfter": {}, "type": "ParseJson", "inputs": { "content": "@body('Run_query_and_list_results')?['value']", "schema": { "items": { "properties": { "A1": { "type": "string" }, "A10": { "type": "string" }, "A11": { "type": "string" }, "A12": { "type": "string" }, "A13": { "type": "string" }, "A14": { "type": "string" }, "A15": { "type": "string" }, "A16": { "type": "string" }, "A17": { "type": "string" }, "A18": { "type": "string" }, "A19": { "type": "string" }, "A2": { "type": "string" }, "A3": { "type": "string" }, "A4": { "type": "string" }, "A5": { "type": "string" }, "A6": { "type": "string" }, "A7": { "type": "string" }, "A8": { "type": "string" }, "A9": { "type": "string" }, "Alert": { "type": "string" }, "Date": { "type": "string" }, "LastUpdatedTimeUTC": { "type": "string" }, "_DTItemId": { "type": "string" } }, "required": [ "_DTItemId", "LastUpdatedTimeUTC", "A1", "A10", "A11", "A12", "A13", "A14", "A15", "A16", "A17", "A18", "A19", "A2", "A3", "A4", "A5", "A6", "A7", "A8", "A9", "Alert", "Date" ], "type": "object" }, "type": "array" } } } } }, "expression": { "and": [ { "equals": [ "@empty(body('Run_query_and_list_results')?['value'])", true ] } ] }, "type": "If" }, "Run_query_and_list_results": { "runAfter": { "Alert_-_Get_incident": [ "Succeeded" ] }, "type": "ApiConnection", "inputs": { "body": "_GetWatchlist('SocRA') | where Alert == \"@{triggerBody()?['AlertDisplayName']}\"", "host": { "connection": { "name": "@parameters('$connections')['azuremonitorlogs']['connectionId']" } }, "method": "post", "path": "/queryData", "queries": { "resourcegroups": "[parameters('ResourceGroup')]", "resourcename": "[parameters('ResourceName')]", "resourcetype": "[parameters('ResourceType')]", "subscriptions": "[parameters('SubscriptionID')]", "timerange": "@{utcNow()}" } } } }, "outputs": {} }, "parameters": { "$connections": { "value": { "azuremonitorlogs": { "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureMonitorLogsConnectionName'))]", "connectionName": "[variables('AzureMonitorLogsConnectionName')]", "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuremonitorlogs')]" }, "azuresentinel": { "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", "connectionName": "[variables('AzureSentinelConnectionName')]", "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]" } } } } } } ] }