Skip to content

Commit

Permalink
FlareSystemsFirework: update to 1.0.1 solution
Browse files Browse the repository at this point in the history
  • Loading branch information
@jctaillandier
jctaillandier committed Oct 18, 2021
1 parent 2be8d9a commit b404ea6
Show file tree
Hide file tree
Showing 4 changed files with 335 additions and 1 deletion.
24 changes: 23 additions & 1 deletion Solutions/FlareSystemsFirework/Data Connectors/Connector_REST_API_FlareSystemsFirework.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -73,7 +73,29 @@
"description": "As an organization administrator, authenticate on [Firework](https://firework.flared.io/) and access the [team page](https://firework.flared.io/#/team) to create a new alert channel."
},
{
"description": "Click on 'Create a new alert channel' and select 'Azure Sentinel'. Enter your Shared Key And WorkspaceID. Save the Alert Channel."
"description": "Click on 'Create a new alert channel' and select 'Azure Sentinel'. Enter your Shared Key And WorkspaceID. Save the Alert Channel. \n For more help and details, see our [Azure configuration documentation](https://docs.microsoft.com/azure/sentinel/connect-data-sources).",
"instructions": [
{
"parameters": {
"fillWith": [
"WorkspaceId"
],
"label": "Workspace ID",
"value": "{0}"
},
"type": "CopyableLabel"
},
{
"parameters": {
"fillWith": [
"PrimaryKey"
],
"label": "Primary key",
"value": "{0} "
},
"type": "CopyableLabel"
}
]
}
]
},
Expand Down
Binary file added Solutions/FlareSystemsFirework/Package/1.0.1.zip
View file
Binary file not shown.
304 changes: 304 additions & 0 deletions Solutions/FlareSystemsFirework/Playbooks/azuredeploy.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,304 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"title": "credential-warning",
"author": {
"name": "Jean-Christophe Taillandier"
}
},
"parameters": {
"PlaybookName": {
"defaultValue": "credential-warning",
"type": "string"
}
},
"variables": {
"AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]",
"o365ConnectionName": "[concat('o365-', parameters('PlaybookName'))]"
},
"resources": [
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('AzureSentinelConnectionName')]",
"location": "[resourceGroup().location]",
"kind": "V1",
"properties": {
"displayName": "[variables('AzureSentinelConnectionName')]",
"customParameterValues": {},
"parameterValueType": "Alternative",
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('o365ConnectionName')]",
"location": "[resourceGroup().location]",
"properties": {
"displayName": "[parameters('PlaybookName')]",
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/office365')]"
}
}
},
{
"type": "Microsoft.Logic/workflows",
"apiVersion": "2017-07-01",
"name": "[parameters('PlaybookName')]",
"location": "[resourceGroup().location]",
"tags": {
"LogicAppsCategory": "security",
"hidden-SentinelTemplateName": "PlaybookName",
"hidden-SentinelTemplateVersion": "1.0"
},
"identity": {
"type": "SystemAssigned"
},
"dependsOn": [
"[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
"[resourceId('Microsoft.Web/connections', variables('o365ConnectionName'))]"
],
"properties": {
"state": "Disabled",
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"parameters": {
"$connections": {
"defaultValue": {},
"type": "Object"
}
},
"actions": {
"For_each": {
"actions": {
"For_each_2": {
"actions": {
"For_each_3": {
"actions": {
"Send_an_email_(V2)": {
"inputs": {
"body": {
"Body": "<p>Hello,<br>\n<br>\nThis is a message to warn you we believe a password you had been using has &nbsp;been leaked online, as part of a data breach.<br>\n<br>\nIf the following password is one you are still using commonly, we recommend changing it as soon as possible.<br>\n<br>\n@{items('For_each_3')['hash']}<br>\n<br>\nIn addition we want to remind you not to use your corporate email address to register to services outside of work.<br>\n<br>\nCordially,<br>\n<br>\nSecurity Team<br>\n</p>",
"Subject": "Possible compromised password",
"To": "blank@flare.systems"
},
"host": {
"connection": {
"name": "@parameters('$connections')['office365']['connectionId']"
}
},
"method": "post",
"path": "/v2/Mail"
},
"runAfter": {},
"type": "ApiConnection"
}
},
"foreach": "@items('For_each_2')['passwords']",
"runAfter": {},
"type": "Foreach"
}
},
"foreach": "@body('Parse_JSON')",
"runAfter": {
"Parse_JSON": [
"Succeeded"
]
},
"type": "Foreach"
},
"Parse_JSON": {
"inputs": {
"content": "@items('For_each')",
"schema": {
"items": {
"properties": {
"name": {
"type": "string"
},
"passwords": {
"items": {
"properties": {
"domain": {},
"extra": {
"properties": {},
"type": "object"
},
"hash": {
"type": "string"
},
"hash_type": {
"type": "string"
},
"id": {
"type": "integer"
},
"imported_at": {
"type": "string"
},
"source_id": {
"type": "string"
},
"source_params": {
"properties": {
"line": {
"type": "integer"
}
},
"type": "object"
}
},
"required": [
"id",
"hash",
"hash_type",
"extra",
"domain",
"source_id",
"source_params",
"imported_at"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"name",
"passwords"
],
"type": "object"
},
"type": "array"
}
},
"runAfter": {},
"type": "ParseJson"
}
},
"foreach": "@variables('leaks')['leaked_credentials']",
"runAfter": {
"Initialize_variable": [
"Succeeded"
]
},
"type": "Foreach"
},
"Initialize_variable": {
"inputs": {
"variables": [
{
"name": "leaks",
"type": "object",
"value": "@json(body('Parse_JSON_2')['Custom Details'])"
}
]
},
"runAfter": {
"Parse_JSON_2": [
"Succeeded"
]
},
"type": "InitializeVariable"
},
"Parse_JSON_2": {
"inputs": {
"content": "@triggerBody()?['ExtendedProperties']",
"schema": {
"properties": {
"Analytic Rule Ids": {
"type": "string"
},
"Analytic Rule Name": {
"type": "string"
},
"Custom Details": {
"type": "string"
},
"Data Sources": {
"type": "string"
},
"Event Grouping": {
"type": "string"
},
"ProcessedBySentinel": {
"type": "string"
},
"Query": {
"type": "string"
},
"Query End Time UTC": {
"type": "string"
},
"Query Period": {
"type": "string"
},
"Query Start Time UTC": {
"type": "string"
},
"Search Query Results Overall Count": {
"type": "string"
},
"Trigger Operator": {
"type": "string"
},
"Trigger Threshold": {
"type": "string"
}
},
"type": "object"
}
},
"runAfter": {},
"type": "ParseJson"
}
},
"contentVersion": "1.0.0.0",
"outputs": {},
"triggers": {
"When_a_response_to_an_Azure_Sentinel_alert_is_triggered": {
"inputs": {
"body": {
"callback_url": "@{listCallbackUrl()}"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"path": "/subscribe"
},
"type": "ApiConnectionWebhook"
}
}
},
"parameters": {
"$connections": {
"value": {
"azuresentinel": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
"connectionName": "[variables('AzureSentinelConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]",
"connectionProperties": {
"authentication": {
"type": "ManagedServiceIdentity"
}
}
},
"office365": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('o365ConnectionName'))]",
"connectionName": "[variables('o365ConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/office365')]"
}
}
}
}
}
}
]
}
8 changes: 8 additions & 0 deletions Solutions/FlareSystemsFirework/Playbooks/readme.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
# Send Email Warning when email:password combination is received from Firework identifiers alerts
Author: Jean-Christophe, Flare Systems

This playbook monitors all data received from Firework looking for leaked credentials (email:password combinations). When found, this playbook will send an email to the email address warning their password has been leaked, recommending appropriate measures if necessary. To learn more about how to connect Firework to Azure Sentinel, see the [API documentation](https://docs.flared.io/azure-sentinel-integration).

<a href="" target="_blank">
<img src="https://aka.ms/deploytoazurebutton""/>
</a>

0 comments on commit b404ea6

Please sign in to comment.