Forum Discussion

JaroslavKozak's avatar
JaroslavKozak
Copper Contributor
Jun 15, 2020

Sentinel as Code - Api COnnections

Hello,   I have several JSON templates for Playbooks and Logic apps. I can deploy them successfully with any issues. However, I have to manually authorize API connections used in Sentinel Playbook....
  • Thijs Lecomte's avatar
    Thijs Lecomte
    Bronze Contributor
    Jul 13, 2021

    Hi SocInABox 

     

    I don't unfortunately...

     

    It's a nice idea for a Youtube video

    Tagging Rod_Trent who might know if something like this exists

    • Rod_Trent's avatar
      Rod_Trent
      Icon for Microsoft rankMicrosoft
      Jul 13, 2021
      I don't know offhand, but there's been some discussion about this internally. This may be something we need to put together, or supply some better context on how to accomplish the templatizing.
      • SocInABox's avatar
        SocInABox
        Iron Contributor
        Jul 13, 2021

        The demo that would really help me would include:
        - create a simple playbook and export the arm template
        - is there anything useful in parameters.json that you need?
        - after renaming template.json to azuredeploy.json, discuss:
        - parameters - seems to make sense..
        - variables - when to add variables? Is there a reference list for common variables? Are there specific requirements for these variables? eg. azuread-xxx, auzresentinel-xxx
        - resources - am I ADDING or MODIFYING resources? Github suggest I'm ADDing resources?
        - If I have to add resources, then where can I get a list of common resources? I have no idea how to build a resource from scratch w/o a reference to something.

         

        In this example demonstrate what variables need to be included in the template:)

        (note: connections_office365_1_externalid refers to the parameters.json file that was created during the arm template export from Azure)

        "parameters": {
        "$connections": {
        "value": {
        "office365": {
        "connectionId": "[parameters('connections_office365_1_externalid')]",
        "connectionName": "office365-1",
        "id": "/subscriptions/<tenant>/providers/Microsoft.Web/locations/eastus/managedApis/office365"
        }
        }
        }
        }


        Thanks!!

        And I've gone through github and picked some playbooks with unique resources that would be useful for practical demonstrations:
        Advanced-SNOW-Teams-Integration
        Close-SentinelIncident-fromSNOW
        AutoConnect-ASCSubscriptions
        AzureFirewall-AddIPtoTIAllowList
        Block-IPs-on-MDATP-Using-GraphSecurity
        CarbonBlack
        Close-Incident-ASCAlert
        Close-Incident-MCAS
        Get-CompromisedPasswords
        Get-MDEFileActivityWithin30Mins
        M365-Security-Posture


Resources