Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

FlareSystemsFirework: update to 1.0.1 solution #2697

Merged
merged 1 commit into from
Nov 9, 2021
Merged

FlareSystemsFirework: update to 1.0.1 solution #2697

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
24 changes: 23 additions & 1 deletion Solutions/FlareSystemsFirework/Data Connectors/Connector_REST_API_FlareSystemsFirework.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -73,7 +73,29 @@
"description": "As an organization administrator, authenticate on [Firework](https://firework.flared.io/) and access the [team page](https://firework.flared.io/#/team) to create a new alert channel."
},
{
"description": "Click on 'Create a new alert channel' and select 'Azure Sentinel'. Enter your Shared Key And WorkspaceID. Save the Alert Channel."
"description": "Click on 'Create a new alert channel' and select 'Azure Sentinel'. Enter your Shared Key And WorkspaceID. Save the Alert Channel. \n For more help and details, see our [Azure configuration documentation](https://docs.microsoft.com/azure/sentinel/connect-data-sources).",
"instructions": [
{
"parameters": {
"fillWith": [
"WorkspaceId"
],
"label": "Workspace ID",
"value": "{0}"
},
"type": "CopyableLabel"
},
{
"parameters": {
"fillWith": [
"PrimaryKey"
],
"label": "Primary key",
"value": "{0} "
},
"type": "CopyableLabel"
}
]
}
]
},
Expand Down
Binary file added Solutions/FlareSystemsFirework/Package/1.0.1.zip
View file
Open in desktop
Binary file not shown.
304 changes: 304 additions & 0 deletions Solutions/FlareSystemsFirework/Playbooks/azuredeploy.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,304 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"title": "credential-warning",
"author": {
"name": "Jean-Christophe Taillandier"
}
},
"parameters": {
"PlaybookName": {
"defaultValue": "credential-warning",
"type": "string"
}
},
"variables": {
"AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]",
"o365ConnectionName": "[concat('o365-', parameters('PlaybookName'))]"
},
"resources": [
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('AzureSentinelConnectionName')]",
"location": "[resourceGroup().location]",
"kind": "V1",
"properties": {
"displayName": "[variables('AzureSentinelConnectionName')]",
"customParameterValues": {},
"parameterValueType": "Alternative",
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('o365ConnectionName')]",
"location": "[resourceGroup().location]",
"properties": {
"displayName": "[parameters('PlaybookName')]",
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/office365')]"
}
}
},
{
"type": "Microsoft.Logic/workflows",
"apiVersion": "2017-07-01",
"name": "[parameters('PlaybookName')]",
"location": "[resourceGroup().location]",
"tags": {
"LogicAppsCategory": "security",
"hidden-SentinelTemplateName": "PlaybookName",
"hidden-SentinelTemplateVersion": "1.0"
},
"identity": {
"type": "SystemAssigned"
},
"dependsOn": [
"[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
"[resourceId('Microsoft.Web/connections', variables('o365ConnectionName'))]"
],
"properties": {
"state": "Disabled",
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"parameters": {
"$connections": {
"defaultValue": {},
"type": "Object"
}
},
"actions": {
"For_each": {
"actions": {
"For_each_2": {
"actions": {
"For_each_3": {
"actions": {
"Send_an_email_(V2)": {
"inputs": {
"body": {
"Body": "<p>Hello,<br>\n<br>\nThis is a message to warn you we believe a password you had been using has &nbsp;been leaked online, as part of a data breach.<br>\n<br>\nIf the following password is one you are still using commonly, we recommend changing it as soon as possible.<br>\n<br>\n@{items('For_each_3')['hash']}<br>\n<br>\nIn addition we want to remind you not to use your corporate email address to register to services outside of work.<br>\n<br>\nCordially,<br>\n<br>\nSecurity Team<br>\n</p>",
"Subject": "Possible compromised password",
"To": "blank@flare.systems"
},
"host": {
"connection": {
"name": "@parameters('$connections')['office365']['connectionId']"
}
},
"method": "post",
"path": "/v2/Mail"
},
"runAfter": {},
"type": "ApiConnection"
}
},
"foreach": "@items('For_each_2')['passwords']",
"runAfter": {},
"type": "Foreach"
}
},
"foreach": "@body('Parse_JSON')",
"runAfter": {
"Parse_JSON": [
"Succeeded"
]
},
"type": "Foreach"
},
"Parse_JSON": {
"inputs": {
"content": "@items('For_each')",
"schema": {
"items": {
"properties": {
"name": {
"type": "string"
},
"passwords": {
"items": {
"properties": {
"domain": {},
"extra": {
"properties": {},
"type": "object"
},
"hash": {
"type": "string"
},
"hash_type": {
"type": "string"
},
"id": {
"type": "integer"
},
"imported_at": {
"type": "string"
},
"source_id": {
"type": "string"
},
"source_params": {
"properties": {
"line": {
"type": "integer"
}
},
"type": "object"
}
},
"required": [
"id",
"hash",
"hash_type",
"extra",
"domain",
"source_id",
"source_params",
"imported_at"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"name",
"passwords"
],
"type": "object"
},
"type": "array"
}
},
"runAfter": {},
"type": "ParseJson"
}
},
"foreach": "@variables('leaks')['leaked_credentials']",
"runAfter": {
"Initialize_variable": [
"Succeeded"
]
},
"type": "Foreach"
},
"Initialize_variable": {
"inputs": {
"variables": [
{
"name": "leaks",
"type": "object",
"value": "@json(body('Parse_JSON_2')['Custom Details'])"
}
]
},
"runAfter": {
"Parse_JSON_2": [
"Succeeded"
]
},
"type": "InitializeVariable"
},
"Parse_JSON_2": {
"inputs": {
"content": "@triggerBody()?['ExtendedProperties']",
"schema": {
"properties": {
"Analytic Rule Ids": {
"type": "string"
},
"Analytic Rule Name": {
"type": "string"
},
"Custom Details": {
"type": "string"
},
"Data Sources": {
"type": "string"
},
"Event Grouping": {
"type": "string"
},
"ProcessedBySentinel": {
"type": "string"
},
"Query": {
"type": "string"
},
"Query End Time UTC": {
"type": "string"
},
"Query Period": {
"type": "string"
},
"Query Start Time UTC": {
"type": "string"
},
"Search Query Results Overall Count": {
"type": "string"
},
"Trigger Operator": {
"type": "string"
},
"Trigger Threshold": {
"type": "string"
}
},
"type": "object"
}
},
"runAfter": {},
"type": "ParseJson"
}
},
"contentVersion": "1.0.0.0",
"outputs": {},
"triggers": {
"When_a_response_to_an_Azure_Sentinel_alert_is_triggered": {
"inputs": {
"body": {
"callback_url": "@{listCallbackUrl()}"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"path": "/subscribe"
},
"type": "ApiConnectionWebhook"
}
}
},
"parameters": {
"$connections": {
"value": {
"azuresentinel": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
"connectionName": "[variables('AzureSentinelConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]",
"connectionProperties": {
"authentication": {
"type": "ManagedServiceIdentity"
}
}
},
"office365": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('o365ConnectionName'))]",
"connectionName": "[variables('o365ConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/office365')]"
}
}
}
}
}
}
]
}
8 changes: 8 additions & 0 deletions Solutions/FlareSystemsFirework/Playbooks/readme.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
# Send Email Warning when email:password combination is received from Firework identifiers alerts
Author: Jean-Christophe, Flare Systems

This playbook monitors all data received from Firework looking for leaked credentials (email:password combinations). When found, this playbook will send an email to the email address warning their password has been leaked, recommending appropriate measures if necessary. To learn more about how to connect Firework to Azure Sentinel, see the [API documentation](https://docs.flared.io/azure-sentinel-integration).

<a href="" target="_blank">
<img src="https://aka.ms/deploytoazurebutton""/>
</a>