
feat: add Playbooks/Enrich-AzureResourceGraph

Open juju4 opened this issue 2 years ago • 5 comments

Change(s):

  • add Playbooks/Enrich-AzureResourceGraph

Reason for Change(s): This Logic App queries Azure Resource Graph and returns typical Azure information related to the resource, like subscription, resource group, tags and management groups. It is encapsulated in other Logic Apps to enrich Sentinel incidents (like Enrich-AzureResourceGraph-Incident).

Testing Completed:

  • Yes. Used in production for many months.

Checked that the validations are passing and have addressed any issues that are present:

  • Yes. Deployed in production with the Sentinel Repository feature, pre-commit and PSRule.

juju4 avatar Apr 22 '23 20:04 juju4

Hi @juju4, can you please address @rahul0216's comment?

v-rbajaj avatar Apr 26 '23 04:04 v-rbajaj

Hi @juju4, can you please address @rahul0216's comment?

v-rbajaj avatar Apr 28 '23 05:04 v-rbajaj

The ARM template prerequisites have:

  1. Set service principal with Reader role to query resourcegraph.
  2. Set keyvault to store client id and secret.
  3. Pass those parameters at deployment time.

The readme had:

  • Service principal client ID and secret stored in Azure Key Vault (possible change to Managed Identity as supported by the HTTP block)

Slightly edited the latter to add the expected Key Vault secret names.

Please withhold the merge as I'm reviewing the playbook to have Resource Graph as an optional playbook parameter.

juju4 avatar Apr 30 '23 14:04 juju4

@juju4 I'll wait for your confirmation before approving this PR, as you may have some changes.

rahul0216 avatar May 02 '23 04:05 rahul0216

Hi @juju4, waiting for confirmation from your side.

v-rbajaj avatar May 03 '23 04:05 v-rbajaj

Hi @juju4, can you please provide confirmation?

v-rbajaj avatar May 05 '23 05:05 v-rbajaj

Please give me one or two weeks to work on testing.

juju4 avatar May 07 '23 13:05 juju4

Hi @juju4, thanks for acknowledging.

v-atulyadav avatar May 10 '23 04:05 v-atulyadav

Code and docs updated, but due to a support delay I won't be able to test for another week. So probably 2 more weeks before giving the go-ahead.

juju4 avatar May 13 '23 23:05 juju4

@juju4, Thanks for updating us.

v-rbajaj avatar May 18 '23 12:05 v-rbajaj

Hi @juju4, is there any update on this PR?

v-rbajaj avatar Jun 16 '23 08:06 v-rbajaj

Update pushed. Thanks for your patience.

juju4 avatar Jun 17 '23 17:06 juju4

Hi @juju4, please act on @rahul0216's comments. Thanks.

v-atulyadav avatar Jul 07 '23 03:07 v-atulyadav

Playbook deployment is failing with the following error when no tenant ID is provided (error screenshot attached).

rahul0216 avatar Jul 10 '23 05:07 rahul0216

Fixed, but that means Playbooks/Notify-ASCAlertAzureResource/azuredeploy.json is likely broken as it was following the same parameter model.

juju4 avatar Jul 11 '23 11:07 juju4

The last update deploys fine but is not functional: the tenant parameter is not replaced in the URL path. I wonder if there is a recommended way to handle that, or a working model template, unlike Playbooks/Notify-ASCAlertAzureResource.

juju4 avatar Jul 11 '23 19:07 juju4

@juju4 parameter values are replaced during execution. Did you run the playbook and test after the update? You can refer to this playbook: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Australian%20Cyber%20Security%20Centre/Playbooks/AusCtisExportTaggedIndicators/azuredeploy.json

It is not the exact scenario, but it may give you an idea of how parameters are used in a Logic App. Also, please attach a screenshot of a successful run once you have one.

rahul0216 avatar Jul 12 '23 07:07 rahul0216

Hi @juju4, please look into Rahul's comment and work on the requested changes.

v-rbajaj avatar Jul 20 '23 06:07 v-rbajaj

Hi @juju4, please look into Rahul's comment and act on it accordingly.

v-rbajaj avatar Jul 25 '23 05:07 v-rbajaj

Hi @juju4, waiting for some update from you on this PR.

v-rbajaj avatar Jul 27 '23 09:07 v-rbajaj

Hi @juju4, please act on this PR.

v-rbajaj avatar Aug 01 '23 08:08 v-rbajaj

Hi @juju4, hope you are doing well. Just wanted to check if you got a chance to look at the suggestions/feedback shared. Please feel free to reach out to us for any queries and/or support.

v-rbajaj avatar Aug 03 '23 08:08 v-rbajaj

Fix for tenantId done. Tested in the deployment pipeline and a run. Should be good for merge.

juju4 avatar Aug 05 '23 13:08 juju4

@juju4 Thanks for the updates. These look good. Can you please share a screenshot of a successful run?

rahul0216 avatar Aug 08 '23 19:08 rahul0216

Here are some screenshots (run1 and run2 attached).

juju4 avatar Aug 12 '23 16:08 juju4