This ARM template deploys an Azure Logic App workflow designed to notify users about updates to Microsoft Sentinel analytic rules.
| { | |
| "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", | |
| "contentVersion": "1.0.0.0", | |
| "parameters": { | |
| "NamePrefix": { | |
| "defaultValue": "", | |
| "type": "String", | |
| "metadata": { | |
| "description": "Optional prefix to prepend to all resource names for easy identification." | |
| } | |
| }, | |
| "PlaybookName": { | |
| "defaultValue": "[concat(parameters('NamePrefix'), '-Notify-OOBRulesUpdate')]", | |
| "type": "string", | |
| "metadata": { | |
| "description": "Name of the Logic App Playbook. Defaults to a combination of NamePrefix and a predefined suffix." | |
| } | |
| }, | |
| "Email": { | |
| "type": "string", | |
| "metadata": { | |
| "description": "Recipient email address where notifications about Sentinel rule updates will be sent." | |
| } | |
| }, | |
| "ResourceGroup": { | |
| "type": "string", | |
| "metadata": { | |
| "description": "Name of the Azure Resource Group containing the Sentinel workspace." | |
| } | |
| }, | |
| "SubscriptionId": { | |
| "type": "string", | |
| "metadata": { | |
| "description": "Azure Subscription ID where the Sentinel workspace is located." | |
| } | |
| }, | |
| "WorkspaceName": { | |
| "type": "string", | |
| "metadata": { | |
| "description": "Name of the Microsoft Sentinel workspace being monitored for analytic rule updates." | |
| } | |
| }, | |
| "ExecutionFrequency": { | |
| "defaultValue": "Day", | |
| "type": "string", | |
| "allowedValues": ["Minute", "Hour", "Day", "Week", "Month"], | |
| "metadata": { | |
| "description": "Frequency of the Logic App execution (e.g., Minute, Hour, Day). Defaults to 'Day'." | |
| } | |
| }, | |
| "ExecutionInterval": { | |
| "defaultValue": 1, | |
| "type": "int", | |
| "metadata": { | |
| "description": "Interval for the Logic App execution based on the frequency. Defaults to 1." | |
| } | |
| }, | |
| "ExecutionTimeZone": { | |
| "defaultValue": "AUS Eastern Standard Time", | |
| "type": "string", | |
| "metadata": { | |
| "description": "Time zone for Logic App execution. Defaults to 'AUS Eastern Standard Time' (Sydney, Australia)." | |
| } | |
| } | |
| }, | |
| "variables": { | |
| "ArmConnectionName": "[concat('Arm-', parameters('PlaybookName'))]", | |
| "Office365ConnectionName": "[concat('Office365-', parameters('PlaybookName'))]" | |
| }, | |
| "resources": [ | |
| { | |
| "properties": { | |
| "provisioningState": "Succeeded", | |
| "state": "Enabled", | |
| "definition": { | |
| "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", | |
| "contentVersion": "1.0.0.0", | |
| "parameters": { | |
| "$connections": { | |
| "defaultValue": {}, | |
| "type": "Object" | |
| }, | |
| "Email": { | |
| "defaultValue": "[parameters('Email')]", | |
| "type": "string" | |
| }, | |
| "ResourceGroup": { | |
| "defaultValue": "[parameters('ResourceGroup')]", | |
| "type": "string" | |
| }, | |
| "SubscriptionId": { | |
| "defaultValue": "[parameters('SubscriptionId')]", | |
| "type": "string" | |
| }, | |
| "WorkspaceName": { | |
| "defaultValue": "[parameters('WorkspaceName')]", | |
| "type": "string" | |
| } | |
| }, | |
| "triggers": { | |
| "RunAsScheduled": { | |
| "recurrence": { | |
| "frequency": "[parameters('ExecutionFrequency')]", | |
| "interval": "[parameters('ExecutionInterval')]", | |
| "timeZone": "[parameters('ExecutionTimeZone')]" | |
| }, | |
| "evaluatedRecurrence": { | |
| "frequency": "[parameters('ExecutionFrequency')]", | |
| "interval": "[parameters('ExecutionInterval')]", | |
| "timeZone": "[parameters('ExecutionTimeZone')]" | |
| }, | |
| "type": "Recurrence" | |
| } | |
| }, | |
| "actions": { | |
| "Condition_-_if_updates_available": { | |
| "actions": { | |
| "Create_CSV_table": { | |
| "runAfter": { | |
| "Create_HTML_table_-_Updated_Rules_Table": [ | |
| "Succeeded" | |
| ] | |
| }, | |
| "type": "Table", | |
| "inputs": { | |
| "format": "CSV", | |
| "from": "@variables('Updated_Rules_Array')" | |
| } | |
| }, | |
| "Create_HTML_table_-_Updated_Rules_Table": { | |
| "runAfter": {}, | |
| "type": "Table", | |
| "inputs": { | |
| "format": "HTML", | |
| "from": "@variables('Updated_Rules_Array')" | |
| } | |
| }, | |
| "Send_an_email_-_updates_available": { | |
| "runAfter": { | |
| "Create_CSV_table": [ | |
| "Succeeded" | |
| ] | |
| }, | |
| "type": "ApiConnection", | |
| "inputs": { | |
| "body": { | |
| "Attachments": [ | |
| { | |
| "ContentBytes": "@{base64(body('Create_CSV_table'))}", | |
| "Name": "UpdatedRulesReport.xlsx" | |
| } | |
| ], | |
| "Body": "<p>Please review the updates provided by Microsoft for the following analytics rules:<br>@{body('Create_HTML_table_-_Updated_Rules_Table')}</p>", | |
| "Importance": "Normal", | |
| "Subject": "Updates available for Microsoft Sentinel analytics rules", | |
| "To": "@parameters('Email')" | |
| }, | |
| "host": { | |
| "connection": { | |
| "name": "@parameters('$connections')['office365']['connectionId']" | |
| } | |
| }, | |
| "method": "post", | |
| "path": "/v2/Mail" | |
| } | |
| } | |
| }, | |
| "runAfter": { | |
| "For_each_active_rule": [ | |
| "Succeeded" | |
| ] | |
| }, | |
| "expression": { | |
| "and": [ | |
| { | |
| "greater": [ | |
| "@length(variables('Updated_Rules_Array'))", | |
| 0 | |
| ] | |
| } | |
| ] | |
| }, | |
| "type": "If" | |
| }, | |
| "For_each_active_rule": { | |
| "foreach": "@body('Read_a_resource_-_Query_all_active_rules_from_Sentinel_workspace')?['value']", | |
| "actions": { | |
| "Condition_-_if_OOB_rule": { | |
| "actions": { | |
| "Condition_-_if_template_updated": { | |
| "actions": { | |
| "Append_to_array_variable_-_Updated_Rules_Array": { | |
| "runAfter": {}, | |
| "type": "AppendToArrayVariable", | |
| "inputs": { | |
| "name": "Updated_Rules_Array", | |
| "value": { | |
| "alert_id": "@{items('For_each_active_rule')?['name']}", | |
| "alert_name": "@{items('For_each_active_rule')?['properties']?['displayName']}" | |
| } | |
| } | |
| } | |
| }, | |
| "runAfter": { | |
| "Set_variable_-_Vendor_Template_Version": [ | |
| "Succeeded" | |
| ] | |
| }, | |
| "expression": { | |
| "and": [ | |
| { | |
| "not": { | |
| "equals": [ | |
| "@variables('Enabled_Template_Version')", | |
| "@variables('Vendor_Template_Version')" | |
| ] | |
| } | |
| } | |
| ] | |
| }, | |
| "type": "If" | |
| }, | |
| "Read_a_resource_-_Fetch_Vendor_Template": { | |
| "runAfter": {}, | |
| "type": "ApiConnection", | |
| "inputs": { | |
| "host": { | |
| "connection": { | |
| "name": "@parameters('$connections')['arm_1']['connectionId']" | |
| } | |
| }, | |
| "method": "get", | |
| "path": "/subscriptions/@{encodeURIComponent(parameters('SubscriptionId'))}/resourcegroups/@{encodeURIComponent(parameters('ResourceGroup'))}/providers/@{encodeURIComponent('Microsoft.OperationalInsights')}/@{encodeURIComponent('/workspaces/',parameters('WorkspaceName'),'/providers/Microsoft.SecurityInsights/alertRuleTemplates/',variables('Rule_Template_ID'))}", | |
| "queries": { | |
| "x-ms-api-version": "2023-02-01" | |
| } | |
| } | |
| }, | |
| "Set_variable_-_Vendor_Template_Version": { | |
| "runAfter": { | |
| "Read_a_resource_-_Fetch_Vendor_Template": [ | |
| "Succeeded" | |
| ] | |
| }, | |
| "type": "SetVariable", | |
| "inputs": { | |
| "name": "Vendor_Template_Version", | |
| "value": "@body('Read_a_resource_-_Fetch_Vendor_Template')?['properties']?['version']" | |
| } | |
| } | |
| }, | |
| "runAfter": { | |
| "Set_variable_-_Enabled_Template_Version": [ | |
| "Succeeded" | |
| ] | |
| }, | |
| "expression": { | |
| "and": [ | |
| { | |
| "not": { | |
| "equals": [ | |
| "@variables('Rule_Template_ID')", | |
| "" | |
| ] | |
| } | |
| }, | |
| { | |
| "not": { | |
| "equals": [ | |
| "@variables('Enabled_Template_Version')", | |
| "" | |
| ] | |
| } | |
| }, | |
| { | |
| "not": { | |
| "equals": [ | |
| "@variables('Enabled_Template_Version')", | |
| null | |
| ] | |
| } | |
| } | |
| ] | |
| }, | |
| "type": "If" | |
| }, | |
| "Set_variable_-_Enabled_Template_Version": { | |
| "runAfter": { | |
| "Set_variable_-_Rule_Template_ID": [ | |
| "Succeeded" | |
| ] | |
| }, | |
| "type": "SetVariable", | |
| "inputs": { | |
| "name": "Enabled_Template_Version", | |
| "value": "@{items('For_each_active_rule')?['properties']?['templateVersion']}" | |
| } | |
| }, | |
| "Set_variable_-_Rule_Template_ID": { | |
| "runAfter": {}, | |
| "type": "SetVariable", | |
| "inputs": { | |
| "name": "Rule_Template_ID", | |
| "value": "@{items('For_each_active_rule')?['properties']?['alertRuleTemplateName']}" | |
| } | |
| } | |
| }, | |
| "runAfter": { | |
| "Initialize_variable_-_Updated_Rules_Array": [ | |
| "Succeeded" | |
| ] | |
| }, | |
| "type": "Foreach", | |
| "runtimeConfiguration": { | |
| "concurrency": { | |
| "repetitions": 1 | |
| } | |
| } | |
| }, | |
| "Initialize_variable_-_Alert_Rule_Template_ID": { | |
| "runAfter": { | |
| "Read_a_resource_-_Query_all_active_rules_from_Sentinel_workspace": [ | |
| "Succeeded" | |
| ] | |
| }, | |
| "type": "InitializeVariable", | |
| "inputs": { | |
| "variables": [ | |
| { | |
| "name": "Rule_Template_ID", | |
| "type": "string" | |
| } | |
| ] | |
| } | |
| }, | |
| "Initialize_variable_-_Enabled_Template_Version": { | |
| "runAfter": { | |
| "Initialize_variable_-_Alert_Rule_Template_ID": [ | |
| "Succeeded" | |
| ] | |
| }, | |
| "type": "InitializeVariable", | |
| "inputs": { | |
| "variables": [ | |
| { | |
| "name": "Enabled_Template_Version", | |
| "type": "string" | |
| } | |
| ] | |
| } | |
| }, | |
| "Initialize_variable_-_Updated_Rules_Array": { | |
| "runAfter": { | |
| "Initialize_variable_-_Vendor_Template_Version": [ | |
| "Succeeded" | |
| ] | |
| }, | |
| "type": "InitializeVariable", | |
| "inputs": { | |
| "variables": [ | |
| { | |
| "name": "Updated_Rules_Array", | |
| "type": "array" | |
| } | |
| ] | |
| } | |
| }, | |
| "Initialize_variable_-_Vendor_Template_Version": { | |
| "runAfter": { | |
| "Initialize_variable_-_Enabled_Template_Version": [ | |
| "Succeeded" | |
| ] | |
| }, | |
| "type": "InitializeVariable", | |
| "inputs": { | |
| "variables": [ | |
| { | |
| "name": "Vendor_Template_Version", | |
| "type": "string" | |
| } | |
| ] | |
| } | |
| }, | |
| "Read_a_resource_-_Query_all_active_rules_from_Sentinel_workspace": { | |
| "runAfter": {}, | |
| "type": "ApiConnection", | |
| "inputs": { | |
| "host": { | |
| "connection": { | |
| "name": "@parameters('$connections')['arm_1']['connectionId']" | |
| } | |
| }, | |
| "method": "get", | |
| "path": "/subscriptions/@{encodeURIComponent(parameters('SubscriptionId'))}/resourcegroups/@{encodeURIComponent(parameters('ResourceGroup'))}/providers/@{encodeURIComponent('Microsoft.OperationalInsights')}/@{encodeURIComponent('/workspaces/',parameters('WorkspaceName'),'/providers/Microsoft.SecurityInsights/alertRules')}", | |
| "queries": { | |
| "x-ms-api-version": "2023-02-01" | |
| } | |
| } | |
| } | |
| }, | |
| "outputs": {} | |
| }, | |
| "parameters": { | |
| "$connections": { | |
| "value": { | |
| "arm_1": { | |
| "connectionId": "[resourceId('Microsoft.Web/connections', variables('ArmConnectionName'))]", | |
| "connectionName": "[variables('ArmConnectionName')]", | |
| "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Arm')]", | |
| "connectionProperties": { | |
| "authentication": { | |
| "type": "ManagedServiceIdentity" | |
| } | |
| } | |
| }, | |
| "office365": { | |
| "connectionId": "[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]", | |
| "connectionName": "[variables('Office365ConnectionName')]", | |
| "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Office365')]" | |
| } | |
| } | |
| } | |
| } | |
| }, | |
| "name": "[parameters('PlaybookName')]", | |
| "type": "Microsoft.Logic/workflows", | |
| "location": "[resourceGroup().location]", | |
| "identity": { | |
| "type": "SystemAssigned" | |
| }, | |
| "apiVersion": "2017-07-01", | |
| "dependsOn": [ | |
| "[resourceId('Microsoft.Web/connections', variables('ArmConnectionName'))]", | |
| "[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]" | |
| ] | |
| }, | |
| { | |
| "type": "Microsoft.Web/connections", | |
| "apiVersion": "2016-06-01", | |
| "name": "[variables('ArmConnectionName')]", | |
| "location": "[resourceGroup().location]", | |
| "kind": "V1", | |
| "properties": { | |
| "displayName": "[variables('ArmConnectionName')]", | |
| "customParameterValues": {}, | |
| "parameterValueType": "Alternative", | |
| "api": { | |
| "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Arm')]" | |
| } | |
| } | |
| }, | |
| { | |
| "type": "Microsoft.Web/connections", | |
| "apiVersion": "2016-06-01", | |
| "name": "[variables('Office365ConnectionName')]", | |
| "location": "[resourceGroup().location]", | |
| "kind": "V1", | |
| "properties": { | |
| "displayName": "[variables('Office365ConnectionName')]", | |
| "customParameterValues": {}, | |
| "api": { | |
| "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Office365')]" | |
| } | |
| } | |
| } | |
| ] | |
| } |