Merge pull request Azure#11037 from recordedfuture/RecordedFutureIdentityFixes

Recorded Future Identity Bugfixes and solution pack fixes
v-prasadboke authored Sep 11, 2024
2 parents 121e147 + 62c066a commit 7dbea3e
Showing 7 changed files with 102 additions and 49 deletions.
@@ -5,15 +5,15 @@
"Description": "[Recorded Future](https://www.recordedfuture.com/) Identity Intelligence enables security and IT teams to detect identity compromises, for both employees and customers. To do this, Recorded Future automates the collection, analysis, and production of identity intelligence from a vast range of sources. Organizations can incorporate identity intelligence into automated workflows that regularly monitor for compromised credentials and take immediate action with applications such as Azure Active Directory and Microsoft Sentinel.\nThere are many ways organizations can utilize Recorded Future Identity Intelligence; the playbooks in this Solution are just a quick introduction to some of those ways. In particular, these playbooks include several actions that can be coordinated, or used separately. They include:\n1. searches for compromised workforce or external customer users\n2. looking up existing users and saving the compromised user data to a Log file\n3. confirming high risk Azure Active Directory (AAD) users\n4. adding a compromised user to an AAD security group\n\nFor more information, see the [Documentation for this Solution](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Recorded%20Future%20Identity/Playbooks).\n\nThe playbooks have internal dependencies where you have to install: \n- RecordedFutureIdentity-add-EntraID-security-group-user \n- RecordedFutureIdentity-confirm-EntraID-risky-user \n- RecordedFutureIdentity-lookup-and-save-user \n\nBefore: \n- RecordedFutureIdentity-search-workforce-user \n- RecordedFutureIdentity-search-external-user.\n\nThis solution depends on underlying Microsoft technologies. Some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:\n* [Log Analytics](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/workspace-design)\n* [Logic apps](https://learn.microsoft.com/en-us/azure/logic-apps/logic-apps-pricing)\n",
"PlaybooksBladeDescription": "This solution will install playbooks that import users with leaked credentials from Recorded Future and set them as RiskyUsers in Azure Active Directory.",
"Playbooks": [
"/Playbooks/RFI-CustomConnector-0-1-0/azuredeploy.json",
"/Playbooks/RFI-add-EntraID-security-group-user/azuredeploy.json",
"/Playbooks/RFI-confirm-EntraID-risky-user/azuredeploy.json",
"/Playbooks/RFI-lookup-and-save-user/azuredeploy.json",
"/Playbooks/RFI-search-workforce-user/azuredeploy.json",
"/Playbooks/RFI-search-external-user/azuredeploy.json"
"Playbooks/RFI-CustomConnector-0-1-0/azuredeploy.json",
"Playbooks/RFI-add-EntraID-security-group-user/azuredeploy.json",
"Playbooks/RFI-confirm-EntraID-risky-user/azuredeploy.json",
"Playbooks/RFI-lookup-and-save-user/azuredeploy.json",
"Playbooks/RFI-search-workforce-user/azuredeploy.json",
"Playbooks/RFI-search-external-user/azuredeploy.json"
],
"BasePath": "D:\\Azure-Sentinel\\Solutions\\Recorded Future Identity\\",
"Version": "3.0.0",
"Version": "3.0.1",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true,
"Is1PConnector": false
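Review bot: the bump to "Version": "3.0.1" leaves the Description string untouched, and it still says "Azure Active Directory (AAD)" and "adding a compromised user to an AAD security group" while the playbooks listed immediately below are named ...-EntraID-...; since this hunk already rewrites the surrounding lines, update the wording in the same change, and replace the hard-to-read dependency sentence ("The playbooks have internal dependencies where you have to install: ... Before: ...") with a plain statement that the three listed playbooks must be deployed before RecordedFutureIdentity-search-workforce-user and RecordedFutureIdentity-search-external-user. Also confirm that dropping the leading slash from every Playbooks entry ("/Playbooks/..." to "Playbooks/...") is what the packaging tool expects relative to "BasePath", since all six paths changed at once.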
Binary file not shown.
82 changes: 55 additions & 27 deletions Solutions/Recorded Future Identity/Package/mainTemplate.json
@@ -33,8 +33,8 @@
"email": "support@recordedfuture.com",
"_email": "[variables('email')]",
"_solutionName": "Recorded Future Identity",
"_solutionVersion": "3.0.0",
"solutionId": "recordedfuture1605638642586.recorded_future_identity_sentinel_solution",
"_solutionVersion": "3.0.1",
"solutionId": "recordedfuture1605638642586.recorded_future_identity_solution",
"_solutionId": "[variables('solutionId')]",
"RFI-CustomConnector-0-1-0": "RFI-CustomConnector-0-1-0",
"_RFI-CustomConnector-0-1-0": "[variables('RFI-CustomConnector-0-1-0')]",
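Review bot: renaming "solutionId" from recordedfuture1605638642586.recorded_future_identity_sentinel_solution to recordedfuture1605638642586.recorded_future_identity_solution changes the identity of an already published package, not just a label: the contentPackages resource that every playbook depends on and each "_playbookcontentProductId" (the concat(take(variables('_solutionId'),50), ...) expressions further down this file) are derived from "_solutionId", so a workspace with 3.0.0 installed will get 3.0.1 as a second, unrelated contentPackages resource instead of an upgrade of the existing one. Confirm the new id matches the marketplace offer and plan id before merging, and state the rename in the release notes so operators know to remove the old package.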
@@ -73,15 +73,15 @@
"_RFI-search-workforce-user": "[variables('RFI-search-workforce-user')]",
"TemplateEmptyObject": "[json('{}')]",
"blanks": "[replace('b', 'b', '')]",
"playbookVersion5": "1.1",
"playbookVersion5": "1.2",
"playbookContentId5": "RFI-search-workforce-user",
"_playbookContentId5": "[variables('playbookContentId5')]",
"playbookId5": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId5'))]",
"playbookTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId5'))))]",
"_playbookcontentProductId5": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId5'),'-', variables('playbookVersion5'))))]",
"RFI-search-external-user": "RFI-search-external-user",
"_RFI-search-external-user": "[variables('RFI-search-external-user')]",
"playbookVersion6": "1.1",
"playbookVersion6": "1.2",
"playbookContentId6": "RFI-search-external-user",
"_playbookContentId6": "[variables('playbookContentId6')]",
"playbookId6": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId6'))]",
@@ -99,7 +99,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "RFI-CustomConnector-0-1-0 Playbook with template version 3.0.0",
"description": "RFI-CustomConnector-0-1-0 Playbook with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion1')]",
@@ -464,7 +464,7 @@
"title": "From",
"description": "YYYY-MM-DD (until today)",
"type": "string",
"example": "2017-07-21T23:02:28+05:30",
"example": "2017-07-21T19:32:28+02:00",
"x-ms-visibility": "important"
},
"properties": {
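Review bot: the "example" values edited in this hunk and the two that follow are only Swagger documentation for the custom connector, but they still contradict the "description" one line above them: the description says "YYYY-MM-DD (until today)" while the example is a full RFC 3339 timestamp with a UTC offset ("2017-07-21T19:32:28+02:00"). Changing the offset from +05:30 to +02:00 does not resolve that; either change the description to the date-time form the example shows (the two later hunks already declare "format": "date-time"), or use a date-only example such as 2017-07-21.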
@@ -745,7 +745,7 @@
"format": "date-time",
"description": "YYYY-MM-DD (until today)",
"type": "string",
"example": "2022-02-08T16:02:37.951+05:30"
"example": "2022-02-08T11:32:37.951+01:00"
},
"name": {
"type": "string",
@@ -1393,7 +1393,7 @@
"format": "date-time",
"description": "YYYY-MM-DD (until today)",
"type": "string",
"example": "2022-02-08T16:02:37.951+05:30"
"example": "2022-02-08T11:32:37.951+01:00"
},
"name": {
"type": "string",
@@ -1995,7 +1995,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "RFI-add-EntraID-security-group-user Playbook with template version 3.0.0",
"description": "RFI-add-EntraID-security-group-user Playbook with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion2')]",
@@ -2443,7 +2443,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "RFI-confirm-EntraID-risky-user Playbook with template version 3.0.0",
"description": "RFI-confirm-EntraID-risky-user Playbook with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion3')]",
@@ -2924,7 +2924,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "RFI-lookup-and-save-user Playbook with template version 3.0.0",
"description": "RFI-lookup-and-save-user Playbook with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion4')]",
@@ -3398,7 +3398,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "RFI-search-workforce-user Playbook with template version 3.0.0",
"description": "RFI-search-workforce-user Playbook with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion5')]",
@@ -3407,6 +3407,13 @@
"defaultValue": "RFI-search-workforce-user",
"type": "string"
},
"workspace_name": {
"type": "string",
"defaultValue": "",
"metadata": {
"description": "Microsoft Log Analytic Workspace Name"
}
},
"Playbook-Name-add-EntraID-security-group-user": {
"defaultValue": "RFI-add-EntraID-security-group-user",
"type": "string"
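Review bot: "workspace_name" is introduced with "defaultValue": "", so a deployment that does not set it succeeds and the Azure Monitor Logs query actions further down run with an empty "resourcename"; the failure then surfaces at the first playbook run instead of at deployment time. Either remove the default so a value is required, or default it to the workspace the solution is being installed into (the outer template already has parameters('workspace'), used in the contentPackages dependency above). The same applies to the identical parameter added to RFI-search-external-user later in this file. The metadata description should also read "Log Analytics Workspace Name".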
@@ -3441,7 +3448,7 @@
"name": "[[parameters('PlaybookName')]",
"location": "[[variables('workspace-location-inline')]",
"tags": {
"hidden-SentinelTemplateVersion": "1.1",
"hidden-SentinelTemplateVersion": "1.2",
"hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
},
"dependsOn": [
@@ -3901,10 +3908,10 @@
"method": "post",
"path": "/queryData",
"queries": {
"resourcegroups": "RF",
"resourcename": "RF-log-analyitics",
"resourcegroups": "[[resourceGroup().name]",
"resourcename": "[[parameters('workspace_name')]",
"resourcetype": "Log Analytics Workspace",
"subscriptions": "@subscription().subscriptionId",
"subscriptions": "[[subscription().subscriptionId]",
"timerange": "@{formatDateTime(addDays(utcNow(), parameters('search_lookback_days')), 'yyyy-MM-dd')}"
}
}
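Review bot: replacing the hardcoded "RF" resource group and the misspelled "RF-log-analyitics" workspace with template expressions is the right fix, since those literals only ever worked in one environment, but two points. First, "resourcegroups": "[[resourceGroup().name]" assumes the Log Analytics workspace sits in the same resource group as the playbook, which is not guaranteed in Sentinel deployments; consider a "workspace_resourcegroup" parameter defaulting to resourceGroup().name, or derive both values from the workspace resource id. Second, the old "subscriptions": "@subscription().subscriptionId" was a Logic Apps runtime expression, and as far as I know subscription() is an ARM template function that the workflow expression language does not define, so the previous version was sending a broken value; moving it to "[[subscription().subscriptionId]" resolves it at deployment time, which is what was intended. That is a user-visible bug fix and deserves its own line in the release notes rather than being folded into "Added workspace_name as a parameter."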
@@ -3926,10 +3933,10 @@
"method": "post",
"path": "/queryData",
"queries": {
"resourcegroups": "RF",
"resourcename": "RF-log-analyitics",
"resourcegroups": "[[resourceGroup().name]",
"resourcename": "[[parameters('workspace_name')]",
"resourcetype": "Log Analytics Workspace",
"subscriptions": "@subscription().subscriptionId",
"subscriptions": "[[subscription().subscriptionId]",
"timerange": "@{formatDateTime(addDays(utcNow(), parameters('search_lookback_days')), 'yyyy-MM-dd')}"
}
}
@@ -4087,7 +4094,7 @@
"metadata": {
"title": "RFI-search-workforce-user",
"description": "This playbook searches the Recorded Future Identity Intelligence Module for compromised workforce users.\n\nThis playbook depends on:\n- RFI-add-EntraID-security-group-user\n- RFI-confirm-EntraID-risky-user\n- RFI-lookup-and-save-user\n\n Those playbooks need to be installed **manually** before installing current playbook.",
"lastUpdateTime": "2024-06-11T14:25:00Z",
"lastUpdateTime": "2024-08-27T14:25:00Z",
"tags": [
"Identity protection"
],
@@ -4105,6 +4112,13 @@
"notes": [
"Added subscriptionId as a parameter and updated solution to match V3. Change PlaybookName prefix to RFI."
]
},
{
"version": "1.2",
"title": "Updates",
"notes": [
"Added workspace_name as a parameter."
]
}
]
}
@@ -4131,7 +4145,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "RFI-search-external-user Playbook with template version 3.0.0",
"description": "RFI-search-external-user Playbook with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion6')]",
@@ -4140,6 +4154,13 @@
"defaultValue": "RFI-search-external-user",
"type": "string"
},
"workspace_name": {
"type": "string",
"defaultValue": "",
"metadata": {
"description": "Microsoft Log Analytic Workspace Name"
}
},
"Playbook-Name-add-EntraID-security-group-user": {
"defaultValue": "RFI-add-EntraID-security-group-user",
"type": "string"
@@ -4174,7 +4195,7 @@
"name": "[[parameters('PlaybookName')]",
"location": "[[variables('workspace-location-inline')]",
"tags": {
"hidden-SentinelTemplateVersion": "1.1",
"hidden-SentinelTemplateVersion": "1.2",
"hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
},
"dependsOn": [
@@ -4486,10 +4507,10 @@
"method": "post",
"path": "/queryData",
"queries": {
"resourcegroups": "RF",
"resourcename": "RF-log-analyitics",
"resourcegroups": "[[resourceGroup().name]",
"resourcename": "[[parameters('workspace_name')]",
"resourcetype": "Log Analytics Workspace",
"subscriptions": "@subscription().subscriptionId",
"subscriptions": "[[subscription().subscriptionId]",
"timerange": "@{formatDateTime(addDays(utcNow(), parameters('search_lookback_days')), 'yyyy-MM-dd')}"
}
}
@@ -4616,7 +4637,7 @@
"metadata": {
"title": "RFI-search-external-user",
"description": "This playbook searches the Recorded Future Identity Intelligence Module for compromised external (customer) users.\n\nThis playbook depends on:\n- RFI-add-EntraID-security-group-user\n- RFI-confirm-EntraID-risky-user\n- RFI-lookup-and-save-user\n\n Those playbooks need to be installed **manually** before installing current playbook.",
"lastUpdateTime": "2024-06-11T14:25:00Z",
"lastUpdateTime": "2024-08-27T14:25:00Z",
"tags": [
"Identity protection"
],
@@ -4634,6 +4655,13 @@
"notes": [
"Added subscriptionId as a parameter and updated solution to match V3. Change PlaybookName prefix to RFI."
]
},
{
"version": "1.2",
"title": "Updates",
"notes": [
"Added Log Analytic Workspace as a parameter."
]
}
]
}
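Review bot: the 1.2 release note here reads "Added Log Analytic Workspace as a parameter." while the same change in RFI-search-workforce-user earlier in this file is described as "Added workspace_name as a parameter."; use one wording in both places (the parameter name, spelled "Log Analytics"), and mention that the hardcoded resource group and workspace name in the query actions were removed, since that is the fix operators will notice.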
@@ -4656,7 +4684,7 @@
"apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
"version": "3.0.0",
"version": "3.0.1",
"kind": "Solution",
"contentSchemaVersion": "3.0.0",
"displayName": "Recorded Future Identity",
@@ -4,7 +4,7 @@
"metadata": {
"title": "RFI-search-external-user",
"description": "This playbook searches the Recorded Future Identity Intelligence Module for compromised external (customer) users.\n\nThis playbook depends on:\n- RFI-add-EntraID-security-group-user\n- RFI-confirm-EntraID-risky-user\n- RFI-lookup-and-save-user\n\n Those playbooks need to be installed **manually** before installing current playbook.",
"lastUpdateTime": "2024-06-11T14:25:00.000Z",
"lastUpdateTime": "2024-08-27T14:25:00.000Z",
"entities": [],
"tags": ["Identity protection"],
"support": {
@@ -23,6 +23,11 @@
"version": "1.1",
"title": "Updates",
"notes": [ "Added subscriptionId as a parameter and updated solution to match V3. Change PlaybookName prefix to RFI." ]
},
{
"version": "1.2",
"title": "Updates",
"notes": [ "Added Log Analytic Workspace as a parameter." ]
}
]
},
@@ -31,6 +36,13 @@
"defaultValue": "RFI-search-external-user",
"type": "string"
},
"workspace_name": {
"type": "string",
"defaultValue": "",
"metadata": {
"description" : "Microsoft Log Analytic Workspace Name"
}
},
"Playbook-Name-add-EntraID-security-group-user": {
"defaultValue": "RFI-add-EntraID-security-group-user",
"type": "string"
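Review bot: this is the source template that mainTemplate.json is generated from, so the empty "defaultValue": "" for "workspace_name" should be fixed here rather than in the package (see the same concern on the packaged hunk above). Two style points in the same block: `"description" : "Microsoft Log Analytic Workspace Name"` has a space before the colon, unlike every other key in this file, and "Log Analytic" should be "Log Analytics".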
@@ -56,7 +68,7 @@
"name": "[parameters('PlaybookName')]",
"location": "[resourceGroup().location]",
"tags": {
"hidden-SentinelTemplateVersion": "1.1"
"hidden-SentinelTemplateVersion": "1.2"
},
"dependsOn": [
"[resourceId('Microsoft.Web/connections', variables('LogAnalyticsDataCollectorConnectionName'))]",
@@ -373,10 +385,10 @@
"method": "post",
"path": "/queryData",
"queries": {
"resourcegroups": "RF",
"resourcename": "RF-log-analyitics",
"resourcegroups": "[resourceGroup().name]",
"resourcename": "[parameters('workspace_name')]",
"resourcetype": "Log Analytics Workspace",
"subscriptions": "@subscription().subscriptionId",
"subscriptions": "[subscription().subscriptionId]",
"timerange": "@{formatDateTime(addDays(utcNow(), parameters('search_lookback_days')), 'yyyy-MM-dd')}"
}
}
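Review bot: the single-bracket expressions here ("[resourceGroup().name]", "[parameters('workspace_name')]", "[subscription().subscriptionId]") are the source form of the "[[...]" lines in the packaged mainTemplate.json above, so the two are consistent for this file; the same-resource-group assumption in "resourcegroups" applies here as well. The corresponding RFI-search-workforce-user/azuredeploy.json is not among the hunks shown, although the package contains the identical change for that playbook; please confirm its source template was updated and the package regenerated from it, otherwise the next packaging run will revert the fix.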