{ "definition": { "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", "actions": { "For_each_-_CVE": { "actions": { "Send_Data_-_CVE": { "inputs": { "body": "@{items('For_each_-_CVE')}", "headers": { "Log-Type": "AD4IOT_CVE" }, "host": { "connection": { "name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']" } }, "method": "post", "path": "/api/logs" }, "runAfter": {}, "type": "ApiConnection" } }, "foreach": "@body('HTTP_Get-DefenderForIoT_-_CVEs')", "runAfter": { "HTTP_Get-DefenderForIoT_-_CVEs": [ "Succeeded" ] }, "type": "Foreach" }, "For_each_-_Devices": { "actions": { "Send_Data_-_Devices": { "inputs": { "body": "@{items('For_each_-_Devices')}", "headers": { "Log-Type": "AD4IOT_Devices" }, "host": { "connection": { "name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']" } }, "method": "post", "path": "/api/logs" }, "runAfter": {}, "type": "ApiConnection" } }, "foreach": "@body('HTTP_Get-DefenderForIoT-Devices')", "runAfter": { "HTTP_Get-DefenderForIoT-Devices": [ "Succeeded" ] }, "type": "Foreach" }, "For_each_-_Events": { "actions": { "Send_Data_-_Events": { "inputs": { "body": "@{items('For_each_-_Events')}", "headers": { "Log-Type": "AD4IOT_Events" }, "host": { "connection": { "name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']" } }, "method": "post", "path": "/api/logs" }, "runAfter": {}, "type": "ApiConnection" } }, "foreach": "@body('HTTP_Get-DefenderForIoT_-_Events')", "runAfter": { "HTTP_Get-DefenderForIoT_-_Events": [ "Succeeded" ] }, "type": "Foreach" }, "For_each_-_Windows_Iteration": { "actions": { "Send_Data_-_Windows": { "inputs": { "body": "@{items('For_each_-_Windows_Iteration')}", "headers": { "Log-Type": "AgentHealthStatusWindows" }, "host": { "connection": { "name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']" } }, "method": "post", "path": 
"/api/logs" }, "runAfter": {}, "type": "ApiConnection" } }, "foreach": "@body('Parse_JSON')?['Results']", "runAfter": { "Parse_JSON": [ "Succeeded" ] }, "type": "Foreach" }, "HTTP_-_MACAVHunting_-_TVM": { "inputs": { "authentication": { "audience": "https://api.securitycenter.windows.com", "clientId": "@parameters('Application ID')", "secret": "@parameters('Secret')", "tenant": "@parameters('Tenant ID')", "type": "ActiveDirectoryOAuth" }, "body": { "Query": "DeviceTvmSecureConfigurationAssessment| where ConfigurationId in ('scid-5001', 'scid-5002', 'scid-5090', 'scid-5091', 'scid-5092', 'scid-5093', 'scid-5094', 'scid-5095')| where IsApplicable == 1| where OSPlatform == 'macOS'| extend Test = case(ConfigurationId == 'scid-5001', 'SensorDataCollection',ConfigurationId == 'scid-5002', 'ImpairedCommunications',ConfigurationId == 'scid-5092', 'TamperProtection',ConfigurationId == 'scid-5095', 'AntivirusSignatureVersion',ConfigurationId == 'scid-5090', 'RealtimeProtection',ConfigurationId == 'scid-5093', 'BehaviorMonitoring',ConfigurationId == 'scid-5091', 'PUAProtection',ConfigurationId == 'scid-5094', 'CloudProtection','N/A'),Result = case(IsApplicable == 0, 'N/A', IsCompliant == 1, 'GOOD', 'BAD')| extend packed = pack(Test, Result)| summarize Tests = make_bag(packed), DeviceName = any(DeviceName) by DeviceId| evaluate bag_unpack(Tests)" }, "headers": { "content-type": "application/json" }, "method": "POST", "uri": "https://api.securitycenter.windows.com/api/advancedqueries/run" }, "runAfter": { "For_each_-_Windows_Iteration": [ "Succeeded" ] }, "type": "Http" }, "HTTP_Get-DefenderForIoT-Devices": { "inputs": { "headers": { "Authorization": "@parameters('AD4IoTKey')", "Content-Type": "application/json" }, "method": "GET", "uri": "https://www.s3pl.net/api/v1/devices" }, "runAfter": { "Send_Data_-_MACAVHunting": [ "Succeeded" ] }, "type": "Http" }, "HTTP_Get-DefenderForIoT_-_CVEs": { "inputs": { "headers": { "Authorization": "@parameters('AD4IoTKey')", "Content-Type": 
"application/json" }, "method": "GET", "uri": "https://www.s3pl.net/api/v1/devices/cves" }, "runAfter": { "For_each_-_Devices": [ "Succeeded" ] }, "type": "Http" }, "HTTP_Get-DefenderForIoT_-_Events": { "inputs": { "headers": { "Authorization": "@parameters('AD4IoTKey')", "Content-Type": "application/json" }, "method": "GET", "uri": "https://www.s3pl.net/api/v1/events" }, "runAfter": { "For_each_-_CVE": [ "Succeeded" ] }, "type": "Http" }, "MDE_Hunting_Query_Agent_Health_Windows_-_TVM": { "inputs": { "authentication": { "audience": "https://api.securitycenter.windows.com", "clientId": "@parameters('Application ID')", "secret": "@parameters('Secret')", "tenant": "@parameters('Tenant ID')", "type": "ActiveDirectoryOAuth" }, "body": { "Query": "DeviceTvmSecureConfigurationAssessment| where Timestamp >= ago(24h)| where ConfigurationId in ('scid-91', 'scid-2000', 'scid-2001', 'scid-2002', 'scid-2003', 'scid-2010', 'scid-2011', 'scid-2012', 'scid-2013', 'scid-2014', 'scid-2016')| extend Test = case(ConfigurationId == 'scid-2000', 'SensorEnabled',ConfigurationId == 'scid-2001', 'SensorDataCollection',ConfigurationId == 'scid-2002', 'ImpairedCommunications',ConfigurationId == 'scid-2003', 'TamperProtection',ConfigurationId == 'scid-2010', 'AntivirusEnabled',ConfigurationId == 'scid-2011', 'AntivirusSignatureVersion',ConfigurationId == 'scid-2012', 'RealtimeProtection',ConfigurationId == 'scid-91', 'BehaviorMonitoring',ConfigurationId == 'scid-2013', 'PUAProtection',ConfigurationId == 'scid-2014', 'AntivirusReporting',ConfigurationId == 'scid-2016', 'CloudProtection','N/A'),Result = case(IsApplicable == 0, 'N/A', IsCompliant == 1, 'ENABLED', 'DISABLED')| extend packed = pack(Test, Result)| summarize Tests = make_bag(packed), DeviceName = any(DeviceName) by DeviceId| evaluate bag_unpack(Tests)|project-away DeviceName" }, "headers": { "content-type": "application/json" }, "method": "POST", "uri": "https://api.securitycenter.windows.com/api/advancedqueries/run" }, "runAfter": 
{}, "type": "Http" }, "Parse_JSON": { "inputs": { "content": "@body('MDE_Hunting_Query_Agent_Health_Windows_-_TVM')", "schema": { "properties": { "Results": { "items": { "properties": { "AntivirusEnabled": { "type": "string" }, "AntivirusReporting": { "type": "string" }, "AntivirusSignatureVersion": { "type": "string" }, "BehaviorMonitoring": { "type": "string" }, "CloudProtection": { "type": "string" }, "DeviceId": { "type": "string" }, "ImpairedCommunications": { "type": "string" }, "PUAProtection": { "type": "string" }, "RealtimeProtection": { "type": "string" }, "SensorDataCollection": { "type": "string" }, "SensorEnabled": { "type": "string" }, "TamperProtection": { "type": "string" } }, "required": [ "DeviceId", "AntivirusEnabled", "AntivirusReporting", "AntivirusSignatureVersion", "BehaviorMonitoring", "CloudProtection", "ImpairedCommunications", "PUAProtection", "RealtimeProtection", "SensorDataCollection", "SensorEnabled", "TamperProtection" ], "type": "object" }, "type": "array" }, "Schema": { "items": { "properties": { "Name": { "type": "string" }, "Type": { "type": "string" } }, "required": [ "Name", "Type" ], "type": "object" }, "type": "array" }, "Stats": { "properties": { "ExecutionTime": { "type": "number" }, "dataset_statistics": { "items": { "properties": { "table_row_count": { "type": "integer" }, "table_size": { "type": "integer" } }, "required": [ "table_row_count", "table_size" ], "type": "object" }, "type": "array" }, "resource_usage": { "properties": { "cache": { "properties": { "disk": { "properties": { "hits": { "type": "integer" }, "misses": { "type": "integer" }, "total": { "type": "integer" } }, "type": "object" }, "memory": { "properties": { "hits": { "type": "integer" }, "misses": { "type": "integer" }, "total": { "type": "integer" } }, "type": "object" } }, "type": "object" }, "cpu": { "properties": { "kernel": { "type": "string" }, "total cpu": { "type": "string" }, "user": { "type": "string" } }, "type": "object" }, "memory": { 
"properties": { "peak_per_node": { "type": "integer" } }, "type": "object" } }, "type": "object" } }, "type": "object" } }, "type": "object" } }, "runAfter": { "MDE_Hunting_Query_Agent_Health_Windows_-_TVM": [ "Succeeded" ] }, "type": "ParseJson" }, "Parse_JSON_-_MAC_Data": { "inputs": { "content": "@body('HTTP_-_MACAVHunting_-_TVM')", "schema": { "properties": { "Results": { "type": "array" }, "Schema": { "items": { "properties": { "Name": { "type": "string" }, "Type": { "type": "string" } }, "required": [ "Name", "Type" ], "type": "object" }, "type": "array" }, "Stats": { "properties": { "ExecutionTime": { "type": "number" }, "dataset_statistics": { "items": { "properties": { "table_row_count": { "type": "integer" }, "table_size": { "type": "integer" } }, "required": [ "table_row_count", "table_size" ], "type": "object" }, "type": "array" }, "resource_usage": { "properties": { "cache": { "properties": { "disk": { "properties": { "hits": { "type": "integer" }, "misses": { "type": "integer" }, "total": { "type": "integer" } }, "type": "object" }, "memory": { "properties": { "hits": { "type": "integer" }, "misses": { "type": "integer" }, "total": { "type": "integer" } }, "type": "object" } }, "type": "object" }, "cpu": { "properties": { "kernel": { "type": "string" }, "total cpu": { "type": "string" }, "user": { "type": "string" } }, "type": "object" }, "memory": { "properties": { "peak_per_node": { "type": "integer" } }, "type": "object" } }, "type": "object" } }, "type": "object" } }, "type": "object" } }, "runAfter": { "HTTP_-_MACAVHunting_-_TVM": [ "Succeeded" ] }, "type": "ParseJson" }, "Send_Data_-_MACAVHunting": { "inputs": { "body": "@{body('Parse_JSON_-_MAC_Data')}", "headers": { "Log-Type": "MDE_MAC_devicehealth" }, "host": { "connection": { "name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']" } }, "method": "post", "path": "/api/logs" }, "runAfter": { "Parse_JSON_-_MAC_Data": [ "Succeeded" ] }, "type": "ApiConnection" } 
}, "contentVersion": "1.0.0.0", "outputs": {}, "parameters": { "$connections": { "defaultValue": {}, "type": "Object" }, "AD4IoTKey": { "defaultValue": "XXX-XXX-XXX-XXX-XXX", "type": "String" }, "Application ID": { "defaultValue": "XXX-XXX-XXX-XXX-XXX", "type": "String" }, "Secret": { "defaultValue": "XXX-XXX-XXX-XXX-XXX", "type": "String" }, "Tenant ID": { "defaultValue": "XXX-XXX-XXX-XXX-XXX", "type": "String" } }, "triggers": { "Recurrence": { "evaluatedRecurrence": { "frequency": "Day", "interval": 1 }, "recurrence": { "frequency": "Day", "interval": 1 }, "type": "Recurrence" } } }, "parameters": { "$connections": { "value": { "azureloganalyticsdatacollector": { "connectionId": "/subscriptions/6aXXXde-51XX-4XXe-9XXX-9XXX4/resourceGroups/hesaad-csgRG/providers/Microsoft.Web/connections/azureloganalyticsdatacollector-2", "connectionName": "azureloganalyticsdatacollector-2", "id": "/subscriptions/6aXXX-5XX8-4XXe-9XX0-9XX/providers/Microsoft.Web/locations/eastus/managedApis/azureloganalyticsdatacollector" } } } } }