Skip to content

Created a new tool for creating Incidents with email #6409

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
v-dvedak merged 18 commits into from
Mar 14, 2023
Merged

Created a new tool for creating Incidents with email #6409

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
18 commits
Select commit Hold shift + click to select a range
4b1100f
Create azuredeploy.json
samikroy Oct 17, 2022
590fdb3
Create Readme.md
samikroy Oct 17, 2022
e8120a3
Update azuredeploy.json
samikroy Nov 29, 2022
7c225ce
Create azuredeploy.json
samikroy Nov 29, 2022
7bdb458
Create Readme.md
samikroy Nov 29, 2022
4ecde81
Update Readme.md
samikroy Nov 29, 2022
47ba4d6
Delete Tools/Create Incidents with Email directory
samikroy Nov 29, 2022
71c6a7f
Update azuredeploy.json
samikroy Dec 15, 2022
36bdfd5
Update azuredeploy.json
samikroy Dec 16, 2022
f057e88
Update azuredeploy.json
samikroy Dec 19, 2022
91ced81
Update azuredeploy.json
samikroy Dec 26, 2022
a8990c6
Update Readme.md
samikroy Jan 27, 2023
c0a8427
Update Readme.md
samikroy Jan 27, 2023
67261aa
Update Readme.md
samikroy Mar 3, 2023
d4c9545
Update azuredeploy.json
samikroy Mar 3, 2023
73ea96d
Update azuredeploy.json
samikroy Mar 6, 2023
9e51007
Update azuredeploy.json
samikroy Mar 7, 2023
5d54f6a
Update azuredeploy.json
v-atulyadav Mar 14, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
52 changes: 52 additions & 0 deletions Playbooks/Create Incidents with Email/Readme.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,52 @@




Please use the below button to deploy

[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FCreate%2520Incidents%2520with%2520Email%2Fazuredeploy.json)

### Deployment

Once deployed you can configure the connections as below

![image](https://user-images.githubusercontent.com/20562985/196198346-2dbde9ca-9812-4c49-a0e6-d3ebca777bb3.png)


### Configuration

1. Sentinel Connection

![image](https://user-images.githubusercontent.com/20562985/196175586-0fd33803-6fd3-4429-8af4-945c8a0c8511.png)


2. Office 365 Connection

![image](https://user-images.githubusercontent.com/20562985/196175803-51712fbb-1bb4-4279-9d96-64cc24bcf63f.png)

### Post configuration

Once configured, the logic app will look like this.

![image](https://user-images.githubusercontent.com/20562985/195930261-a883dbc0-37ff-401c-87a6-74d4eba7ffea.png)

### Test

Step 1: Send an email to the configure email

![image](https://user-images.githubusercontent.com/20562985/196176523-21e76ca7-705f-468e-beec-aa75b814f742.png)


Step 2: Incident created in Sentinel

![image](https://user-images.githubusercontent.com/20562985/196183706-02062a9c-eea2-4fd1-9d57-4bf540456341.png)


### Use cases

SOC - In a organization there might be Security Incident / Suspicious activity occurring to the resources where Security is not tightened up yet.
So an email address can be whistle blower here. A suspicious activity can be reported over a dedicated email address to create an incident and address the incident.


Thank you for using the tool.

161 changes: 161 additions & 0 deletions Playbooks/Create Incidents with Email/azuredeploy.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,161 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"title": "Create-Incident-Logic-App",
"description": "This playbook will help to create an incident in Microsoft Sentinle when an email is sent to the configured email address.",
"prerequisites": ["1. A Office 365 MailBox.",
"2. An existing Microsoft Sentinel Instance"],
"lastUpdateTime": "2022-12-16T00:00:00.000Z",
"tags": ["Enrichment"],
"support": {
"tier": "community"
},
"author": {
"name": "samikroy"
}
},
"parameters": {
"PlaybookName": {
"defaultValue": "Create-Incident-Logic-App",
"type": "String"
},
"WorkspaceName": {
"defaultValue": "demo-workspace",
"type": "String"
}
},
"variables": {
"MicrosoftSentinelConnection": "[concat('azuresentinel-', parameters('PlaybookName'))]",
"Office365Connection": "[concat('office-', parameters('PlaybookName'))]"

},
"resources": [
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('Office365Connection')]",
"location": "[resourceGroup().location]",
"kind": "V1",
"properties": {
"displayName": "[variables('Office365Connection')]",
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/office365')]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('MicrosoftSentinelConnection')]",
"location": "[resourceGroup().location]",
"kind": "V1",
"properties": {
"displayName": "[variables('MicrosoftSentinelConnection')]",
"customParameterValues": {},
"parameterValueType": "Alternative",
"api": {
Copy link
Contributor

@manishkumar1991 manishkumar1991 Mar 6, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Deployment is failing due to missing entry mentioned below:

After custom Parameters:
Kindly add.
"parameterValueType": "Alternative",

this will enable the deployment to install workflow as managed by service identity.

Note: Before submitting the PR, kindly test the deployment in your environment.

Copy link
Contributor

@manishkumar1991 manishkumar1991 Mar 7, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@samikroy is this done? Please confirm

Copy link
Contributor

@manishkumar1991 manishkumar1991 Mar 13, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@samikroy

Hello ,

after line number 58 you need to make the changes, you didn't get lost, that why I marked the comment at line 58.

Changes mentioned above are needs to be added in Microsoft.Web/connections of sentinel connection not in office 365 connection.

image

Copy link
Contributor

@manishkumar1991 manishkumar1991 Mar 13, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@v-atulyadav Waiting for @samikroy to complete the changes properly

"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
}
}
},
{
"type": "Microsoft.Logic/workflows",
"apiVersion": "2017-07-01",
"name": "[parameters('PlaybookName')]",
"location": "[resourceGroup().location]",
"identity": {
"type": "SystemAssigned"
},
"dependsOn": [
"[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnection'))]",
"[resourceId('Microsoft.Web/connections', variables('Office365Connection'))]"
],
"properties": {
"state": "Enabled",
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"$connections": {
"defaultValue": {},
"type": "Object"
}
},
"triggers": {
"When_a_new_email_arrives": {
"recurrence": {
"frequency": "Minute",
"interval": 1
},
"evaluatedRecurrence": {
"frequency": "Minute",
"interval": 1
},
"splitOn": "@triggerBody()?['value']",
"type": "ApiConnection",
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['Office365Connection']['connectionId']"
}
},
"method": "get",
"path": "/Mail/OnNewEmail",
"queries": {
"folderPath": "Inbox",
"importance": "Normal",
"subjectFilter": "Security Incident"
}
}
}
},
"actions": {
"Create_incident": {
"runAfter": {},
"type": "ApiConnection",
"inputs": {
"body": {
"description": "A new Incident is reported \n\n@{triggerBody()?['Subject']}\n\nRepoted by - @{triggerBody()?['From']}",
"severity": "Low",
"status": "New",
"title": "User Reported Incident"
},
"host": {
"connection": {
"name": "@parameters('$connections')['MicrosoftSentinelConnection']['connectionId']"
}
},
"method": "put",
"path":"[concat('/Incidents/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/workspaces/',parameters('WorkspaceName'))]"
}
}
},
"outputs": {}
},
"parameters": {
"$connections": {
"value": {
"MicrosoftSentinelConnection": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnection'))]",
"connectionName": "[variables('MicrosoftSentinelConnection')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]",
"connectionProperties": {
"authentication": {
"type": "ManagedServiceIdentity"
}
}
},
"Office365Connection": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('Office365Connection'))]",
"connectionName": "[variables('Office365Connection')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/office365')]"
}
}
}
}
}
}
]
}