{
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"actions": {
"For_each_-_CVE": {
"actions": {
"Send_Data_-_CVE": {
"inputs": {
"body": "@{items('For_each_-_CVE')}",
"headers": {
"Log-Type": "AD4IOT_CVE"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']"
}
},
"method": "post",
"path": "/api/logs"
},
"runAfter": {},
"type": "ApiConnection"
}
},
"foreach": "@body('HTTP_Get-DefenderForIoT_-_CVEs')",
"runAfter": {
"HTTP_Get-DefenderForIoT_-_CVEs": [
"Succeeded"
]
},
"type": "Foreach"
},
"For_each_-_Devices": {
"actions": {
"Send_Data_-_Devices": {
"inputs": {
"body": "@{items('For_each_-_Devices')}",
"headers": {
"Log-Type": "AD4IOT_Devices"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']"
}
},
"method": "post",
"path": "/api/logs"
},
"runAfter": {},
"type": "ApiConnection"
}
},
"foreach": "@body('HTTP_Get-DefenderForIoT-Devices')",
"runAfter": {
"HTTP_Get-DefenderForIoT-Devices": [
"Succeeded"
]
},
"type": "Foreach"
},
"For_each_-_Events": {
"actions": {
"Send_Data_-_Events": {
"inputs": {
"body": "@{items('For_each_-_Events')}",
"headers": {
"Log-Type": "AD4IOT_Events"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']"
}
},
"method": "post",
"path": "/api/logs"
},
"runAfter": {},
"type": "ApiConnection"
}
},
"foreach": "@body('HTTP_Get-DefenderForIoT_-_Events')",
"runAfter": {
"HTTP_Get-DefenderForIoT_-_Events": [
"Succeeded"
]
},
"type": "Foreach"
},
"For_each_-_Windows_Iteration": {
"actions": {
"Send_Data_-_Windows": {
"inputs": {
"body": "@{items('For_each_-_Windows_Iteration')}",
"headers": {
"Log-Type": "AgentHealthStatusWindows"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']"
}
},
"method": "post",
"path": "/api/logs"
},
"runAfter": {},
"type": "ApiConnection"
}
},
"foreach": "@body('Parse_JSON')?['Results']",
"runAfter": {
"Parse_JSON": [
"Succeeded"
]
},
"type": "Foreach"
},
"HTTP_-_MACAVHunting_-_TVM": {
"inputs": {
"authentication": {
"audience": "https://api.securitycenter.windows.com",
"clientId": "@parameters('Application ID')",
"secret": "@parameters('Secret')",
"tenant": "@parameters('Tenant ID')",
"type": "ActiveDirectoryOAuth"
},
"body": {
"Query": "DeviceTvmSecureConfigurationAssessment| where ConfigurationId in ('scid-5001', 'scid-5002', 'scid-5090', 'scid-5091', 'scid-5092', 'scid-5093', 'scid-5094', 'scid-5095')| where IsApplicable == 1| where OSPlatform == 'macOS'| extend Test = case(ConfigurationId == 'scid-5001', 'SensorDataCollection',ConfigurationId == 'scid-5002', 'ImpairedCommunications',ConfigurationId == 'scid-5092', 'TamperProtection',ConfigurationId == 'scid-5095', 'AntivirusSignatureVersion',ConfigurationId == 'scid-5090', 'RealtimeProtection',ConfigurationId == 'scid-5093', 'BehaviorMonitoring',ConfigurationId == 'scid-5091', 'PUAProtection',ConfigurationId == 'scid-5094', 'CloudProtection','N/A'),Result = case(IsApplicable == 0, 'N/A', IsCompliant == 1, 'GOOD', 'BAD')| extend packed = pack(Test, Result)| summarize Tests = make_bag(packed), DeviceName = any(DeviceName) by DeviceId| evaluate bag_unpack(Tests)"
},
"headers": {
"content-type": "application/json"
},
"method": "POST",
"uri": "https://api.securitycenter.windows.com/api/advancedqueries/run"
},
"runAfter": {
"For_each_-_Windows_Iteration": [
"Succeeded"
]
},
"type": "Http"
},
"HTTP_Get-DefenderForIoT-Devices": {
"inputs": {
"headers": {
"Authorization": "@parameters('AD4IoTKey')",
"Content-Type": "application/json"
},
"method": "GET",
"uri": "https://www.s3pl.net/api/v1/devices"
},
"runAfter": {
"Send_Data_-_MACAVHunting": [
"Succeeded"
]
},
"type": "Http"
},
"HTTP_Get-DefenderForIoT_-_CVEs": {
"inputs": {
"headers": {
"Authorization": "@parameters('AD4IoTKey')",
"Content-Type": "application/json"
},
"method": "GET",
"uri": "https://www.s3pl.net/api/v1/devices/cves"
},
"runAfter": {
"For_each_-_Devices": [
"Succeeded"
]
},
"type": "Http"
},
"HTTP_Get-DefenderForIoT_-_Events": {
"inputs": {
"headers": {
"Authorization": "@parameters('AD4IoTKey')",
"Content-Type": "application/json"
},
"method": "GET",
"uri": "https://www.s3pl.net/api/v1/events"
},
"runAfter": {
"For_each_-_CVE": [
"Succeeded"
]
},
"type": "Http"
},
"MDE_Hunting_Query_Agent_Health_Windows_-_TVM": {
"inputs": {
"authentication": {
"audience": "https://api.securitycenter.windows.com",
"clientId": "@parameters('Application ID')",
"secret": "@parameters('Secret')",
"tenant": "@parameters('Tenant ID')",
"type": "ActiveDirectoryOAuth"
},
"body": {
"Query": "DeviceTvmSecureConfigurationAssessment| where Timestamp >= ago(24h)| where ConfigurationId in ('scid-91', 'scid-2000', 'scid-2001', 'scid-2002', 'scid-2003', 'scid-2010', 'scid-2011', 'scid-2012', 'scid-2013', 'scid-2014', 'scid-2016')| extend Test = case(ConfigurationId == 'scid-2000', 'SensorEnabled',ConfigurationId == 'scid-2001', 'SensorDataCollection',ConfigurationId == 'scid-2002', 'ImpairedCommunications',ConfigurationId == 'scid-2003', 'TamperProtection',ConfigurationId == 'scid-2010', 'AntivirusEnabled',ConfigurationId == 'scid-2011', 'AntivirusSignatureVersion',ConfigurationId == 'scid-2012', 'RealtimeProtection',ConfigurationId == 'scid-91', 'BehaviorMonitoring',ConfigurationId == 'scid-2013', 'PUAProtection',ConfigurationId == 'scid-2014', 'AntivirusReporting',ConfigurationId == 'scid-2016', 'CloudProtection','N/A'),Result = case(IsApplicable == 0, 'N/A', IsCompliant == 1, 'ENABLED', 'DISABLED')| extend packed = pack(Test, Result)| summarize Tests = make_bag(packed), DeviceName = any(DeviceName) by DeviceId| evaluate bag_unpack(Tests)|project-away DeviceName"
},
"headers": {
"content-type": "application/json"
},
"method": "POST",
"uri": "https://api.securitycenter.windows.com/api/advancedqueries/run"
},
"runAfter": {},
"type": "Http"
},
"Parse_JSON": {
"inputs": {
"content": "@body('MDE_Hunting_Query_Agent_Health_Windows_-_TVM')",
"schema": {
"properties": {
"Results": {
"items": {
"properties": {
"AntivirusEnabled": {
"type": "string"
},
"AntivirusReporting": {
"type": "string"
},
"AntivirusSignatureVersion": {
"type": "string"
},
"BehaviorMonitoring": {
"type": "string"
},
"CloudProtection": {
"type": "string"
},
"DeviceId": {
"type": "string"
},
"ImpairedCommunications": {
"type": "string"
},
"PUAProtection": {
"type": "string"
},
"RealtimeProtection": {
"type": "string"
},
"SensorDataCollection": {
"type": "string"
},
"SensorEnabled": {
"type": "string"
},
"TamperProtection": {
"type": "string"
}
},
"required": [
"DeviceId",
"AntivirusEnabled",
"AntivirusReporting",
"AntivirusSignatureVersion",
"BehaviorMonitoring",
"CloudProtection",
"ImpairedCommunications",
"PUAProtection",
"RealtimeProtection",
"SensorDataCollection",
"SensorEnabled",
"TamperProtection"
],
"type": "object"
},
"type": "array"
},
"Schema": {
"items": {
"properties": {
"Name": {
"type": "string"
},
"Type": {
"type": "string"
}
},
"required": [
"Name",
"Type"
],
"type": "object"
},
"type": "array"
},
"Stats": {
"properties": {
"ExecutionTime": {
"type": "number"
},
"dataset_statistics": {
"items": {
"properties": {
"table_row_count": {
"type": "integer"
},
"table_size": {
"type": "integer"
}
},
"required": [
"table_row_count",
"table_size"
],
"type": "object"
},
"type": "array"
},
"resource_usage": {
"properties": {
"cache": {
"properties": {
"disk": {
"properties": {
"hits": {
"type": "integer"
},
"misses": {
"type": "integer"
},
"total": {
"type": "integer"
}
},
"type": "object"
},
"memory": {
"properties": {
"hits": {
"type": "integer"
},
"misses": {
"type": "integer"
},
"total": {
"type": "integer"
}
},
"type": "object"
}
},
"type": "object"
},
"cpu": {
"properties": {
"kernel": {
"type": "string"
},
"total cpu": {
"type": "string"
},
"user": {
"type": "string"
}
},
"type": "object"
},
"memory": {
"properties": {
"peak_per_node": {
"type": "integer"
}
},
"type": "object"
}
},
"type": "object"
}
},
"type": "object"
}
},
"type": "object"
}
},
"runAfter": {
"MDE_Hunting_Query_Agent_Health_Windows_-_TVM": [
"Succeeded"
]
},
"type": "ParseJson"
},
"Parse_JSON_-_MAC_Data": {
"inputs": {
"content": "@body('HTTP_-_MACAVHunting_-_TVM')",
"schema": {
"properties": {
"Results": {
"type": "array"
},
"Schema": {
"items": {
"properties": {
"Name": {
"type": "string"
},
"Type": {
"type": "string"
}
},
"required": [
"Name",
"Type"
],
"type": "object"
},
"type": "array"
},
"Stats": {
"properties": {
"ExecutionTime": {
"type": "number"
},
"dataset_statistics": {
"items": {
"properties": {
"table_row_count": {
"type": "integer"
},
"table_size": {
"type": "integer"
}
},
"required": [
"table_row_count",
"table_size"
],
"type": "object"
},
"type": "array"
},
"resource_usage": {
"properties": {
"cache": {
"properties": {
"disk": {
"properties": {
"hits": {
"type": "integer"
},
"misses": {
"type": "integer"
},
"total": {
"type": "integer"
}
},
"type": "object"
},
"memory": {
"properties": {
"hits": {
"type": "integer"
},
"misses": {
"type": "integer"
},
"total": {
"type": "integer"
}
},
"type": "object"
}
},
"type": "object"
},
"cpu": {
"properties": {
"kernel": {
"type": "string"
},
"total cpu": {
"type": "string"
},
"user": {
"type": "string"
}
},
"type": "object"
},
"memory": {
"properties": {
"peak_per_node": {
"type": "integer"
}
},
"type": "object"
}
},
"type": "object"
}
},
"type": "object"
}
},
"type": "object"
}
},
"runAfter": {
"HTTP_-_MACAVHunting_-_TVM": [
"Succeeded"
]
},
"type": "ParseJson"
},
"Send_Data_-_MACAVHunting": {
"inputs": {
"body": "@{body('Parse_JSON_-_MAC_Data')}",
"headers": {
"Log-Type": "MDE_MAC_devicehealth"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']"
}
},
"method": "post",
"path": "/api/logs"
},
"runAfter": {
"Parse_JSON_-_MAC_Data": [
"Succeeded"
]
},
"type": "ApiConnection"
}
},
"contentVersion": "1.0.0.0",
"outputs": {},
"parameters": {
"$connections": {
"defaultValue": {},
"type": "Object"
},
"AD4IoTKey": {
"defaultValue": ""XXX-XXX-XXX-XXX-XXX",
"type": "String"
},
"Application ID": {
"defaultValue": ""XXX-XXX-XXX-XXX-XXX",
"type": "String"
},
"Secret": {
"defaultValue": ""XXX-XXX-XXX-XXX-XXX",
"type": "String"
},
"Tenant ID": {
"defaultValue": "XXX-XXX-XXX-XXX-XXX",
"type": "String"
}
},
"triggers": {
"Recurrence": {
"evaluatedRecurrence": {
"frequency": "Day",
"interval": 1
},
"recurrence": {
"frequency": "Day",
"interval": 1
},
"type": "Recurrence"
}
}
},
"parameters": {
"$connections": {
"value": {
"azureloganalyticsdatacollector": {
"connectionId": "/subscriptions/6aXXXde-51XX-4XXe-9XXX-9XXX4/resourceGroups/hesaad-csgRG/providers/Microsoft.Web/connections/azureloganalyticsdatacollector-2",
"connectionName": "azureloganalyticsdatacollector-2",
"id": "/subscriptions/6aXXX-5XX8-4XXe-9XX0-9XX/providers/Microsoft.Web/locations/eastus/managedApis/azureloganalyticsdatacollector"
}
}
}
}
}