Forum Discussion
Sentinel as Code - API Connections
Thijs Lecomte, do you have a walkthrough for creating a playbook template?
I know there are some instructions here:
But a walkthrough or video example would greatly help.
Hi SocInABox
I don't unfortunately...
It's a nice idea for a YouTube video.
Tagging Rod_Trent, who might know if something like this exists.
- Rod_Trent Jul 13, 2021
Microsoft
I don't know offhand, but there's been some discussion about this internally. This may be something we need to put together, or supply some better context on how to accomplish the templatizing.
- SocInABox Jul 13, 2021 Iron Contributor
The demo that would really help me would include:
- create a simple playbook and export the ARM template
- is there anything useful in parameters.json that you need?
- after renaming template.json to azuredeploy.json, discuss:
  - parameters - seems to make sense.
  - variables - when to add variables? Is there a reference list for common variables? Are there specific requirements for these variables? e.g. azuread-xxx, azuresentinel-xxx
  - resources - am I ADDING or MODIFYING resources? GitHub suggests I'm ADDING resources?
  - If I have to add resources, then where can I get a list of common resources? I have no idea how to build a resource from scratch w/o a reference to something.
In this example demonstrate what variables need to be included in the template :)
(note: connections_office365_1_externalid refers to the parameters.json file that was created during the ARM template export from Azure)
"parameters": {
  "$connections": {
    "value": {
      "office365": {
        "connectionId": "[parameters('connections_office365_1_externalid')]",
        "connectionName": "office365-1",
        "id": "/subscriptions/<tenant>/providers/Microsoft.Web/locations/eastus/managedApis/office365"
      }
    }
  }
}
Thanks!!
And I've gone through GitHub and picked some playbooks with unique resources that would be useful for practical demonstrations:
Advanced-SNOW-Teams-Integration
Close-SentinelIncident-fromSNOW
AutoConnect-ASCSubscriptions
AzureFirewall-AddIPtoTIAllowList
Block-IPs-on-MDATP-Using-GraphSecurity
CarbonBlack
Close-Incident-ASCAlert
Close-Incident-MCAS
Get-CompromisedPasswords
Get-MDEFileActivityWithin30Mins
M365-Security-Posture
- SocInABox Jul 15, 2021 Iron Contributor
I've worked very hard to understand the github instructions on converting my playbook to a template.
I think I'm 95% there, but I've hit a wall.
I’ve made enough progress that my playbook template can now be deployed.
However most of the actions that require a connector fail – see below.
If you have any tips I’d really appreciate it.