-
Notifications
You must be signed in to change notification settings - Fork 2.9k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
FlareSystemsFirework: update to 1.0.1 solution
- Loading branch information
1 parent
2be8d9a
commit b404ea6
Showing
4 changed files
with
335 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Binary file not shown.
304 changes: 304 additions & 0 deletions
304
Solutions/FlareSystemsFirework/Playbooks/azuredeploy.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,304 @@ | ||
{ | ||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", | ||
"contentVersion": "1.0.0.0", | ||
"metadata": { | ||
"title": "credential-warning", | ||
"author": { | ||
"name": "Jean-Christophe Taillandier" | ||
} | ||
}, | ||
"parameters": { | ||
"PlaybookName": { | ||
"defaultValue": "credential-warning", | ||
"type": "string" | ||
} | ||
}, | ||
"variables": { | ||
"AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]", | ||
"o365ConnectionName": "[concat('o365-', parameters('PlaybookName'))]" | ||
}, | ||
"resources": [ | ||
{ | ||
"type": "Microsoft.Web/connections", | ||
"apiVersion": "2016-06-01", | ||
"name": "[variables('AzureSentinelConnectionName')]", | ||
"location": "[resourceGroup().location]", | ||
"kind": "V1", | ||
"properties": { | ||
"displayName": "[variables('AzureSentinelConnectionName')]", | ||
"customParameterValues": {}, | ||
"parameterValueType": "Alternative", | ||
"api": { | ||
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]" | ||
} | ||
} | ||
}, | ||
{ | ||
"type": "Microsoft.Web/connections", | ||
"apiVersion": "2016-06-01", | ||
"name": "[variables('o365ConnectionName')]", | ||
"location": "[resourceGroup().location]", | ||
"properties": { | ||
"displayName": "[parameters('PlaybookName')]", | ||
"customParameterValues": {}, | ||
"api": { | ||
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/office365')]" | ||
} | ||
} | ||
}, | ||
{ | ||
"type": "Microsoft.Logic/workflows", | ||
"apiVersion": "2017-07-01", | ||
"name": "[parameters('PlaybookName')]", | ||
"location": "[resourceGroup().location]", | ||
"tags": { | ||
"LogicAppsCategory": "security", | ||
"hidden-SentinelTemplateName": "PlaybookName", | ||
"hidden-SentinelTemplateVersion": "1.0" | ||
}, | ||
"identity": { | ||
"type": "SystemAssigned" | ||
}, | ||
"dependsOn": [ | ||
"[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", | ||
"[resourceId('Microsoft.Web/connections', variables('o365ConnectionName'))]" | ||
], | ||
"properties": { | ||
"state": "Disabled", | ||
"definition": { | ||
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", | ||
"parameters": { | ||
"$connections": { | ||
"defaultValue": {}, | ||
"type": "Object" | ||
} | ||
}, | ||
"actions": { | ||
"For_each": { | ||
"actions": { | ||
"For_each_2": { | ||
"actions": { | ||
"For_each_3": { | ||
"actions": { | ||
"Send_an_email_(V2)": { | ||
"inputs": { | ||
"body": { | ||
"Body": "<p>Hello,<br>\n<br>\nThis is a message to warn you we believe a password you had been using has been leaked online, as part of a data breach.<br>\n<br>\nIf the following password is one you are still using commonly, we recommend changing it as soon as possible.<br>\n<br>\n@{items('For_each_3')['hash']}<br>\n<br>\nIn addition we want to remind you not to use your corporate email address to register to services outside of work.<br>\n<br>\nCordially,<br>\n<br>\nSecurity Team<br>\n</p>", | ||
"Subject": "Possible compromised password", | ||
"To": "blank@flare.systems" | ||
}, | ||
"host": { | ||
"connection": { | ||
"name": "@parameters('$connections')['office365']['connectionId']" | ||
} | ||
}, | ||
"method": "post", | ||
"path": "/v2/Mail" | ||
}, | ||
"runAfter": {}, | ||
"type": "ApiConnection" | ||
} | ||
}, | ||
"foreach": "@items('For_each_2')['passwords']", | ||
"runAfter": {}, | ||
"type": "Foreach" | ||
} | ||
}, | ||
"foreach": "@body('Parse_JSON')", | ||
"runAfter": { | ||
"Parse_JSON": [ | ||
"Succeeded" | ||
] | ||
}, | ||
"type": "Foreach" | ||
}, | ||
"Parse_JSON": { | ||
"inputs": { | ||
"content": "@items('For_each')", | ||
"schema": { | ||
"items": { | ||
"properties": { | ||
"name": { | ||
"type": "string" | ||
}, | ||
"passwords": { | ||
"items": { | ||
"properties": { | ||
"domain": {}, | ||
"extra": { | ||
"properties": {}, | ||
"type": "object" | ||
}, | ||
"hash": { | ||
"type": "string" | ||
}, | ||
"hash_type": { | ||
"type": "string" | ||
}, | ||
"id": { | ||
"type": "integer" | ||
}, | ||
"imported_at": { | ||
"type": "string" | ||
}, | ||
"source_id": { | ||
"type": "string" | ||
}, | ||
"source_params": { | ||
"properties": { | ||
"line": { | ||
"type": "integer" | ||
} | ||
}, | ||
"type": "object" | ||
} | ||
}, | ||
"required": [ | ||
"id", | ||
"hash", | ||
"hash_type", | ||
"extra", | ||
"domain", | ||
"source_id", | ||
"source_params", | ||
"imported_at" | ||
], | ||
"type": "object" | ||
}, | ||
"type": "array" | ||
} | ||
}, | ||
"required": [ | ||
"name", | ||
"passwords" | ||
], | ||
"type": "object" | ||
}, | ||
"type": "array" | ||
} | ||
}, | ||
"runAfter": {}, | ||
"type": "ParseJson" | ||
} | ||
}, | ||
"foreach": "@variables('leaks')['leaked_credentials']", | ||
"runAfter": { | ||
"Initialize_variable": [ | ||
"Succeeded" | ||
] | ||
}, | ||
"type": "Foreach" | ||
}, | ||
"Initialize_variable": { | ||
"inputs": { | ||
"variables": [ | ||
{ | ||
"name": "leaks", | ||
"type": "object", | ||
"value": "@json(body('Parse_JSON_2')['Custom Details'])" | ||
} | ||
] | ||
}, | ||
"runAfter": { | ||
"Parse_JSON_2": [ | ||
"Succeeded" | ||
] | ||
}, | ||
"type": "InitializeVariable" | ||
}, | ||
"Parse_JSON_2": { | ||
"inputs": { | ||
"content": "@triggerBody()?['ExtendedProperties']", | ||
"schema": { | ||
"properties": { | ||
"Analytic Rule Ids": { | ||
"type": "string" | ||
}, | ||
"Analytic Rule Name": { | ||
"type": "string" | ||
}, | ||
"Custom Details": { | ||
"type": "string" | ||
}, | ||
"Data Sources": { | ||
"type": "string" | ||
}, | ||
"Event Grouping": { | ||
"type": "string" | ||
}, | ||
"ProcessedBySentinel": { | ||
"type": "string" | ||
}, | ||
"Query": { | ||
"type": "string" | ||
}, | ||
"Query End Time UTC": { | ||
"type": "string" | ||
}, | ||
"Query Period": { | ||
"type": "string" | ||
}, | ||
"Query Start Time UTC": { | ||
"type": "string" | ||
}, | ||
"Search Query Results Overall Count": { | ||
"type": "string" | ||
}, | ||
"Trigger Operator": { | ||
"type": "string" | ||
}, | ||
"Trigger Threshold": { | ||
"type": "string" | ||
} | ||
}, | ||
"type": "object" | ||
} | ||
}, | ||
"runAfter": {}, | ||
"type": "ParseJson" | ||
} | ||
}, | ||
"contentVersion": "1.0.0.0", | ||
"outputs": {}, | ||
"triggers": { | ||
"When_a_response_to_an_Azure_Sentinel_alert_is_triggered": { | ||
"inputs": { | ||
"body": { | ||
"callback_url": "@{listCallbackUrl()}" | ||
}, | ||
"host": { | ||
"connection": { | ||
"name": "@parameters('$connections')['azuresentinel']['connectionId']" | ||
} | ||
}, | ||
"path": "/subscribe" | ||
}, | ||
"type": "ApiConnectionWebhook" | ||
} | ||
} | ||
}, | ||
"parameters": { | ||
"$connections": { | ||
"value": { | ||
"azuresentinel": { | ||
"connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", | ||
"connectionName": "[variables('AzureSentinelConnectionName')]", | ||
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]", | ||
"connectionProperties": { | ||
"authentication": { | ||
"type": "ManagedServiceIdentity" | ||
} | ||
} | ||
}, | ||
"office365": { | ||
"connectionId": "[resourceId('Microsoft.Web/connections', variables('o365ConnectionName'))]", | ||
"connectionName": "[variables('o365ConnectionName')]", | ||
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/office365')]" | ||
} | ||
} | ||
} | ||
} | ||
} | ||
} | ||
] | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,8 @@ | ||
# Send Email Warning when email:password combination is received from Firework identifiers alerts | ||
Author: Jean-Christophe, Flare Systems | ||
|
||
This playbook monitors all data received from Firework looking for leaked credentials (email:password combinations). When found, this playbook will send an email to the email address warning their password has been leaked, recommending appropriate measures if necessary. To learn more about how to connect Firework to Azure Sentinel, see the [API documentation](https://docs.flared.io/azure-sentinel-integration). | ||
|
||
<a href="" target="_blank"> | ||
<img src="https://aka.ms/deploytoazurebutton""/> | ||
</a> |