Azure · v-atulyadav · Dec 13, 2024 · Dec 2, 2024 · Dec 2, 2024 · Dec 2, 2024
@@ -6,7 +6,7 @@
     "config": {
       "isWizard": false,
       "basics": {
-        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/IllumioLogo.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/IllumioSaaS/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\n[IllumioSaaS](https://www.illumio.com/) solution provides ability to ingest auditable and flow events from AWS S3 bucket.\n\n**Data Connectors:** 1, **Workbooks:** 3, **Analytic Rules:** 6\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/IllumioLogo.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/IllumioSaaS/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\n[IllumioSaaS](https://www.illumio.com/) solution provides ability to ingest auditable and flow events from AWS S3 bucket.\n\n**Data Connectors:** 1, **Workbooks:** 3, **Analytic Rules:** 6, **Function Apps:** 1, **Playbooks:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
         "subscription": {
           "resourceProviders": [
             "Microsoft.OperationsManagement/solutions",
@@ -256,6 +256,34 @@
             ]
           }
         ]
+      },
+      {
+        "name": "playbooks",
+        "label": "Playbooks",
+        "subLabel": {
+          "preValidation": "Configure the playbooks",
+          "postValidation": "Done"
+        },
+        "bladeTitle": "Playbooks",
+        "elements": [
+          {
+            "name": "playbooks-text",
+            "type": "Microsoft.Common.TextBlock",
+            "options": {
+              "text": "This solution installs the Playbook templates to help implement your Security Orchestration, Automation and Response (SOAR) operations. After installing the solution, these will be deployed under Playbook Templates in the Automation blade in Microsoft Sentinel. They can be configured and managed from the Manage solution view in Content Hub."
+            }
+          },
+          {
+            "name": "playbooks-link",
+            "type": "Microsoft.Common.TextBlock",
+            "options": {
+              "link": {
+                "label": "Learn more",
+                "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-respond-threats-playbook?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
+              }
+            }
+          }
+        ]
       }
     ],
     "outputs": {

@@ -0,0 +1,186 @@
+{
+    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+    "contentVersion": "1.0.0.0",
+    "parameters": {
+        "FunctionAppName": {
+            "defaultValue": "illumiopbfuncapp",
+            "type": "String",
+            "metadata": {
+                "description": "Function app Name"
+            }
+        },
+        "StorageAccountName": {
+            "type": "String",
+            "metadata": {
+                "description": "Storage name should be globally unique name"
+            }
+        },
+        "PCE_FQDN": {
+            "type": "String",
+            "metadata": {
+                "description": "FQDN of PCE"
+            }
+        },
+        "PORT": {
+            "type": "String",
+            "metadata": {
+                "description": "Port that PCE connects to, like 443"
+            }
+        },
+        "ORG_ID": {
+            "type": "String",
+            "metadata": {
+                "description": "Customer's org id"
+            }
+        },
+        "API_KEY": {
+            "type": "String",
+            "metadata": {
+                "description": "API key"
+            }
+        },
+        "API_SECRET": {
+            "type": "String",
+            "metadata": {
+                "description": "API secret"
+            }
+        }
+    },
+    "variables": {
+        "hostingPlanName": "[parameters('FunctionAppName')]",
+        "storageAccountName": "[parameters('StorageAccountName')]",
+        "functionAppName": "[parameters('FunctionAppName')]",
+        "applicationInsightsName": "[parameters('FunctionAppName')]",
+        "pceFQDN": "[parameters('PCE_FQDN')]",
+        "port": "[parameters('PORT')]",
+        "orgId": "[parameters('ORG_ID')]",
+        "apiKey": "[parameters('API_KEY')]",
+        "apiSecret": "[parameters('API_SECRET')]"        
+    },
+    "resources": [
+        {
+            "type": "Microsoft.Web/serverfarms",
+            "apiVersion": "2022-03-01",
+            "name": "[variables('hostingPlanName')]",
+            "location": "[resourceGroup().location]",
+            "sku": {
+                "name": "Y1",
+                "tier": "Dynamic"
+            },
+            "properties": {
+                "name": "[variables('hostingPlanName')]",
+                "computeMode": "Dynamic"
+            }
+        },
+        {
+            "type": "Microsoft.Storage/storageAccounts",
+            "apiVersion": "2023-04-01",
+            "name": "[variables('storageAccountName')]",
+            "location": "[resourceGroup().location]",
+            "sku": {
+                "name": "Standard_LRS",
+                "tier": "Standard"
+            },
+            "kind": "StorageV2",
+            "properties": {
+                "accessTier": "Hot",
+                "minimumTlsVersion": "TLS1_2",
+                "supportsHttpsTrafficOnly": "true",
+                "allowBlobPublicAccess": "false",
+                "allowSharedKeyAccess": "true",
+                "networkAcls": {
+                    "bypass": "AzureServices",
+                    "defaultAction": "Allow",
+                    "ipRules": []
+                }
+            }
+        },
+        {
+            "type": "Microsoft.Insights/components",
+            "apiVersion": "2020-02-02",
+            "name": "[variables('applicationInsightsName')]",
+            "location": "[resourceGroup().location]",
+            "tags": {
+                "[concat('hidden-link:', resourceId('Microsoft.Web/sites', variables('applicationInsightsName')))]": "Resource"
+            },
+            "properties": {
+                "Application_Type": "web"
+            },
+            "kind": "web"
+        },
+        {
+            "type": "Microsoft.Web/sites",
+            "apiVersion": "2020-06-01",
+            "name": "[variables('functionAppName')]",
+            "location": "[resourceGroup().location]",
+            "kind": "functionapp,linux",
+            "identity": {
+                "type": "SystemAssigned"
+            },
+            "dependsOn": [
+                "[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]",
+                "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]",
+                "[resourceId('Microsoft.Insights/components', variables('applicationInsightsName'))]"
+            ],
+            "properties": {
+                "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]",
+                "siteConfig": {
+                    "appSettings": [
+                        {
+                            "name": "AzureWebJobsStorage",
+                            "value": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';EndpointSuffix=', environment().suffixes.storage, ';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), '2023-04-01').keys[0].value)]"
+                        },
+                        {
+                            "name": "FUNCTIONS_EXTENSION_VERSION",
+                            "value": "~4"
+                        },
+                        {
+                            "name": "FUNCTIONS_WORKER_RUNTIME",
+                            "value": "node"
+                        },
+                        {
+                            "name": "WEBSITE_NODE_DEFAULT_VERSION",
+                            "value": "~20"
+                        },
+                        {
+                            "name": "APPINSIGHTS_INSTRUMENTATIONKEY",
+                            "value": "[reference(resourceId('microsoft.insights/components', variables('applicationInsightsName')), '2020-02-02').InstrumentationKey]"
+                        },
+                        {
+                            "name": "WEBSITE_RUN_FROM_PACKAGE",
+                            "value": "https://raw.githubusercontent.com/illumio-shield/Azure-Sentinel/illumio-sentinel-playbook-v2/Solutions/IllumioSaaS/Playbooks/CustomConnector/IllumioSaaS_FunctionAppConnector/IllumioSaaS_FunctionAppForPlaybooks.zip"
+                        },
+                        {
+                            "name": "PCE_FQDN",
+                            "value": "[variables('pceFQDN')]"
+                        },
+                        {
+                            "name": "PORT",
+                            "value": "[variables('port')]"
+                        },
+                        {
+                            "name": "ORG_ID",
+                            "value": "[variables('orgId')]"
+                        },
+                        {
+                            "name": "API_KEY",
+                            "value": "[variables('apiKey')]"
+                        },
+                        {
+                            "name": "API_SECRET",
+                            "value": "[variables('apiSecret')]"
+                        }
+                    ]
+                },
+                "cors": {
+                    "allowedOrigins": [
+                        "https://functions.azure.com",
+                        "https://functions-staging.azure.com",
+                        "https://functions-next.azure.com"
+                    ],
+                    "supportCredentials": false
+                }
+            }
+        }
+    ]
+}
@@ -0,0 +1,31 @@
+# Microsoft Sentinel Playbooks for Illumio Integration
+
+Playbooks are collections of procedures that can be run from Microsoft Sentinel.  
+
+---
+
+## Get VEN Details Playbook
+
+This playbook can be configured to respond to Microsoft Sentinel alerts.
+
+1. Once an alert is triggered, its body is sent to a function app.
+2. The function talks to the PCE with the help of api key/secret.
+3. Once VEN details are fetched from PCE, then the playbook constructs a table with the relevant information.
+4. Table comprises of, alert title, severity, ven details like ip address, hostname and labels and alert description.
+5. This is sent out as an email.
+
+# To deploy, follow the below link 
+Deploy the function app first:
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fillumio-shield%2FAzure-Sentinel%2Frefs%2Fheads%2Fillumio-sentinel-playbooks-v2%2FSolutions%2FIllumioSaaS%2FPlaybooks%2FCustomConnector%2FIllumioSaaS_FunctionAppConnector%2Fazuredeploy.json)
+
+Deploy logic app next:
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Frefs%2Fheads%2Fmaster%2FSolutions%2FIllumioSaaS%2FPlaybooks%2FIllumio-Get-Ven-Details%2Fazuredeploy.json)
+
+
+This playbook creates API connections, since it needs to query/interact with Outlook 365 and Microsoft Sentinel.
+
+Hence, ensure to provide "Deployers User name" as an email address. 
+
+Provide PCE fqdn, port, org id, api key and secret, click Next and follow next steps to deploy playbook.
+
+Once deployed, authorize the api connections.