Governance & Compliance Team,
\n
\nThe security posture of a workload has changed per the alerting details below:
\n
\nSeverity of Alert: @{items('For_each')?['properties']?['severity']}
\n
\nMicrosoft Sentinel Incident
\nTItle: @{triggerBody()?['object']?['properties']?['title']}
\nStatus: @{triggerBody()?['object']?['properties']?['status']}
\nNumber: @{triggerBody()?['object']?['properties']?['incidentNumber']}
\nCreated Time (UTC): @{triggerBody()?['object']?['properties']?['createdTimeUtc']}
\nIncident Link: @{triggerBody()?['object']?['properties']?['incidentUrl']}
\n
\nAlert Details
\nAlert Display Name: @{items('For_each')?['properties']?['alertDisplayName']}
\nAlert Type: @{items('For_each')?['properties']?['alertType']}
\nSubscription ID: @{triggerBody()?['workspaceInfo']?['SubscriptionId']}
\nProvider Alert ID: @{items('For_each')?['properties']?['providerAlertId']}
\nAlert Link: @{items('For_each')?['properties']?['alertLink']}
Governance & Compliance Team,
\n
\nThe security posture of a workload has changed per the alerting details below:
\n
\n
\nMicrosoft Sentinel Incident
\nTItle: @{triggerBody()?['object']?['properties']?['title']}
\nStatus: @{triggerBody()?['object']?['properties']?['status']}
\nNumber: @{triggerBody()?['object']?['properties']?['incidentNumber']}
\nIncident Severity: @{triggerBody()?['object']?['properties']?['severity']}
\nCreated Time (UTC): @{triggerBody()?['object']?['properties']?['createdTimeUtc']}
\nIncident Link: @{triggerBody()?['object']?['properties']?['incidentUrl']}
\n
\nAlert Details
\nAlert Display Name: @{items('For_each')?['properties']?['alertDisplayName']}
\nAlert Product Name: @{items('For_each')?['properties']?['productName']}
\nAlert Severity: @{items('For_each')?['properties']?['severity']}
\nAlert Type: @{items('For_each')?['properties']?['alertType']}
\nSubscription ID: @{triggerBody()?['workspaceInfo']?['SubscriptionId']}
\nProvider Alert ID: @{items('For_each')?['properties']?['providerAlertId']}
\nAlert Link: @{items('For_each')?['properties']?['alertLink']}
Azure DevOps Task created: @{body('Create_a_work_item')?['url']}
" }, "host": { "connection": { "name": "@parameters('$connections')['azuresentinel']['connectionId']" } }, "method": "post", "path": "/Incidents/Comment" }, "runAfter": { "Create_a_work_item": [ "Succeeded" ] }, "type": "ApiConnection" }, "Create_a_work_item": { "inputs": { "body": { "description": "Incident Description: @{triggerBody()?['object']?['properties']?['description']}\nIncident Severity: @{triggerBody()?['object']?['properties']?['severity']}\nIncident URL: @{triggerBody()?['object']?['properties']?['incidentUrl']}\n", "title": "New Microsoft Sentinel Incident: @{triggerBody()?['object']?['properties']?['title']}" }, "host": { "connection": { "name": "@parameters('$connections')['visualstudioteamservices']['connectionId']" } }, "method": "patch", "path": "/@{encodeURIComponent('test')}/_apis/wit/workitems/$@{encodeURIComponent('Task')}", "queries": { "account": "test" } }, "type": "ApiConnection" } }, "contentVersion": "1.0.0.0", "parameters": { "$connections": { "type": "Object" } }, "triggers": { "When_Azure_Sentinel_incident_creation_rule_was_triggered": { "inputs": { "body": { "callback_url": "@{listCallbackUrl()}" }, "host": { "connection": { "name": "@parameters('$connections')['azuresentinel']['connectionId']" } }, "path": "/incident-creation" }, "type": "ApiConnectionWebhook" } } }, "parameters": { "$connections": { "value": { "azuresentinel": { "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", "connectionName": "[[variables('AzureSentinelConnectionName')]", "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", "connectionProperties": { "authentication": { "type": "ManagedServiceIdentity" } } }, "visualstudioteamservices": { "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureDevOpsConnectionName'))]", "connectionName": "[[variables('AzureDevOpsConnectionName')]", "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/visualstudioteamservices')]" } } } } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId2'),'/'))))]", "properties": { "parentId": "[variables('playbookId2')]", "contentId": "[variables('_playbookContentId2')]", "kind": "Playbook", "version": "[variables('playbookVersion2')]", "source": { "kind": "Solution", "name": "ZeroTrust(TIC3.0)", "sourceId": "[variables('_solutionId')]" }, "author": { "name": "Microsoft", "email": "[variables('_email')]" }, "support": { "name": "Microsoft Corporation", "email": "support@microsoft.com", "tier": "Microsoft", "link": "https://support.microsoft.com" } } } ], "metadata": { "title": "Create-AzureDevOpsTask", "description": "This playbook will create the Azure DevOps task filled with the Microsoft Sentinel incident details.", "lastUpdateTime": "2022-08-05T00:00:00Z", "tags": [ "Sync" ], "releaseNotes": [ { "version": "1.0.0", "title": "Create Azure DevOps Task", "notes": [ "Initial version" ] } ] } }, "packageKind": "Solution", "packageVersion": "[variables('_solutionVersion')]", "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", "contentId": "[variables('_playbookContentId2')]", "contentKind": "Playbook", "displayName": "Create-AzureDevOpsTask-ZeroTrust", "contentProductId": "[variables('_playbookcontentProductId2')]", "id": "[variables('_playbookcontentProductId2')]", "version": "[variables('playbookVersion2')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", "name": "[variables('playbookTemplateSpecName3')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { "description": "CreateJiraIssue-ZeroTrust Playbook with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion3')]", "parameters": { "PlaybookName": { "defaultValue": "CreateJiraIssue-ZeroTrust", "type": "string", "metadata": { "description": "Incident trigger" } } }, "variables": { "AzureSentinelConnectionName": "[[concat('azuresentinel-', parameters('PlaybookName'))]", "JiraConnectionName": "[[concat('jira-', parameters('PlaybookName'))]", "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", "_connection-1": "[[variables('connection-1')]", "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/jira')]", "_connection-2": "[[variables('connection-2')]", "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", "workspace-name": "[parameters('workspace')]", "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" }, "resources": [ { "type": "Microsoft.Web/connections", "apiVersion": "2016-06-01", "name": "[[variables('AzureSentinelConnectionName')]", "location": "[[variables('workspace-location-inline')]", "properties": { "displayName": "[[variables('AzureSentinelConnectionName')]", "parameterValueType": "Alternative", "api": { "id": "[[variables('_connection-1')]" } } }, { "type": "Microsoft.Web/connections", "apiVersion": "2016-06-01", "name": "[[variables('jiraConnectionName')]", "location": "[[variables('workspace-location-inline')]", "properties": { "displayName": "[[variables('jiraConnectionName')]", "api": { "id": "[[variables('_connection-2')]" } } }, { "type": "Microsoft.Logic/workflows", "apiVersion": "2017-07-01", "name": "[[parameters('PlaybookName')]", "location": "[[variables('workspace-location-inline')]", "tags": { "hidden-SentinelTemplateName": "CreateJiraIssue-Incident", "hidden-SentinelTemplateVersion": "1.0", "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" }, "identity": { "type": "SystemAssigned" }, "dependsOn": [ "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", "[[resourceId('Microsoft.Web/connections', variables('JiraConnectionName'))]" ], "properties": { "state": "Enabled", "definition": { "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", "contentVersion": "1.0.0.0", "parameters": { "$connections": { "type": "Object" } }, "triggers": { "When_Azure_Sentinel_incident_creation_rule_was_triggered": { "type": "ApiConnectionWebhook", "inputs": { "body": { "callback_url": "@{listCallbackUrl()}" }, "host": { "connection": { "name": "@parameters('$connections')['azuresentinel']['connectionId']" } }, "path": "/incident-creation" } } }, "actions": { "Create_a_new_issue": { "type": "ApiConnection", "inputs": { "body": { "fields": { "description": "Incident description: @{triggerBody()?['object']?['properties']?['description']};\nSeverity: @{triggerBody()?['object']?['properties']?['severity']};\nIncident URL: @{triggerBody()?['object']?['properties']?['incidentUrl']}", "issuetype": { "id": "10007" }, "summary": "@triggerBody()?['object']?['properties']?['title']" } }, "host": { "connection": { "name": "@parameters('$connections')['Jira']['connectionId']" } }, "method": "post", "path": "/issue", "queries": { "projectKey": "SOC" } } } } }, "parameters": { "$connections": { "value": { "azuresentinel": { "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", "connectionName": "[[variables('AzureSentinelConnectionName')]", "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", "connectionProperties": { "authentication": { "type": "ManagedServiceIdentity" } } }, "Jira": { "connectionId": "[[resourceId('Microsoft.Web/connections', variables('jiraConnectionName'))]", "connectionName": "[[variables('jiraConnectionName')]", "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/jira')]" } } } } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId3'),'/'))))]", "properties": { "parentId": "[variables('playbookId3')]", "contentId": "[variables('_playbookContentId3')]", "kind": "Playbook", "version": "[variables('playbookVersion3')]", "source": { "kind": "Solution", "name": "ZeroTrust(TIC3.0)", "sourceId": "[variables('_solutionId')]" }, "author": { "name": "Microsoft", "email": "[variables('_email')]" }, "support": { "name": "Microsoft Corporation", "email": "support@microsoft.com", "tier": "Microsoft", "link": "https://support.microsoft.com" } } } ], "metadata": { "title": "Create Jira Issue", "description": "This playbook will open a Jira Issue when a new incident is opened in Microsoft Sentinel.", "prerequisites": [ "1. Jira instance (ex. xyz.atlassian.net)", "2. Jira API", "3. Username." ], "lastUpdateTime": "2022-08-05T00:00:00Z", "tags": [ "Sync" ], "releaseNotes": [ { "version": "1.0.0", "title": "Create Jira Issue", "notes": [ "Initial version" ] } ] } }, "packageKind": "Solution", "packageVersion": "[variables('_solutionVersion')]", "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", "contentId": "[variables('_playbookContentId3')]", "contentKind": "Playbook", "displayName": "CreateJiraIssue-ZeroTrust", "contentProductId": "[variables('_playbookcontentProductId3')]", "id": "[variables('_playbookcontentProductId3')]", "version": "[variables('playbookVersion3')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { "version": "3.0.1", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "ZeroTrust(TIC3.0)", "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", "descriptionHtml": "Note: There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe Microsoft Sentinel Zero Trust (TIC 3.0) solution provides a mechanism for viewing log queries aligned to Zero Trust and Trusted Internet Connections models across the Microsoft and partner ecosystem. This solution enables governance and compliance teams to design, build, monitor, and respond to Zero Trust (TIC 3.0) requirements across 25+ Microsoft and 3rd party products. The solution includes the new Zero Trust (TIC 3.0) Workbook, (1) Analytics Rule, and (3) Playbooks. While only Microsoft Sentinel and Microsoft Defender for Cloud are required to get started, the solution is enhanced with numerous Microsoft offerings. This Solution enables Security Architects, Engineers, SecOps Analysts, Managers, and IT Pros to gain situational awareness visibility for the security posture of cloud, multi-cloud, hybrid, and on-premise workloads. For more information, see 💡Microsoft Zero Trust Model 💡Trusted Internet Connections: Core Guidance Documents
\nMicrosoft Sentinel Solutions provide a consolidated way to acquire Microsoft Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.
\nWorkbooks: 1, Analytic Rules: 1, Playbooks: 3
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", "icon": "![](\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/Images/Logos/Azure_Sentinel.svg\")
",
"contentId": "[variables('_solutionId')]",
"parentId": "[variables('_solutionId')]",
"source": {
"kind": "Solution",
"name": "ZeroTrust(TIC3.0)",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft",
"email": "[variables('_email')]"
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
},
"dependencies": {
"operator": "AND",
"criteria": [
{
"kind": "Workbook",
"contentId": "[variables('_workbookContentId1')]",
"version": "[variables('workbookVersion1')]"
},
{
"kind": "AnalyticsRule",
"contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
"version": "[variables('analyticRuleObject1').analyticRuleVersion1]"
},
{
"kind": "Playbook",
"contentId": "[variables('_Notify_GovernanceComplianceTeam-ZeroTrust')]",
"version": "[variables('playbookVersion1')]"
},
{
"kind": "Playbook",
"contentId": "[variables('_Open_DevOpsTaskRecommendation-ZeroTrust')]",
"version": "[variables('playbookVersion2')]"
},
{
"kind": "Playbook",
"contentId": "[variables('_Open_JIRATicketRecommendation-ZeroTrust')]",
"version": "[variables('playbookVersion3')]"
}
]
},
"firstPublishDate": "2021-10-20",
"providers": [
"Microsoft"
],
"categories": {
"domains": [
"Identity",
"Security - Others",
"Compliance",
"Security - Automation (SOAR)"
]
}
},
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]"
}
],
"outputs": {}
}