Microsoft Tech Community

Sentinel as Code - API Connections


Hello,

 

I have several JSON templates for Playbooks and Logic apps. I can deploy them successfully without any issues. However, I have to manually authorize API connections used in Sentinel Playbook.

 

Is there a script/solution to authorize API connections without user interaction?

What API connectors are you looking into?

You can create them through an ARM template:
https://github.com/Azure/Azure-Sentinel/blob/master/Playbooks/Close-Incident-ASCAlert/azuredeploy.js...

But OAuth API connections that utilize username/passwords require you to authorize user interaction

What connection are you looking into automating?
Happy to look into these with you as I have researched this quite a bit

@Thijs Lecomte Do you have a walkthrough for creating a playbook template?

I know there are some instructions here:

https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks#instructions-for-templatizing-a-playbo...

 

 

But a walkthrough or video example would greatly help.

 

Hi @SocInABox 

 

I don't unfortunately...

 

It's a nice idea for a YouTube video

Tagging @Rod_Trent who might know if something like this exists

I don't know offhand, but there's been some discussion about this internally. This may be something we need to put together, or supply some better context on how to accomplish the templatizing.

The demo that would really help me would include:
- create a simple playbook and export the ARM template
- is there anything useful in parameters.json that you need?
- after renaming template.json to azuredeploy.json, discuss:
  - parameters - seems to make sense..
  - variables - when to add variables? Is there a reference list for common variables? Are there specific requirements for these variables? e.g. azuread-xxx, azuresentinel-xxx
  - resources - am I ADDING or MODIFYING resources? GitHub suggests I'm ADDING resources?
  - If I have to add resources, then where can I get a list of common resources? I have no idea how to build a resource from scratch w/o a reference to something.

 

In this example, demonstrate what variables need to be included in the template :)

(note: connections_office365_1_externalid refers to the parameters.json file that was created during the arm template export from Azure)

"parameters": {
    "$connections": {
        "value": {
            "office365": {
                "connectionId": "[parameters('connections_office365_1_externalid')]",
                "connectionName": "office365-1",
                "id": "/subscriptions/<tenant>/providers/Microsoft.Web/locations/eastus/managedApis/office365"
            }
        }
    }
}


Thanks!!

And I've gone through github and picked some playbooks with unique resources that would be useful for practical demonstrations:
Advanced-SNOW-Teams-Integration
Close-SentinelIncident-fromSNOW
AutoConnect-ASCSubscriptions
AzureFirewall-AddIPtoTIAllowList
Block-IPs-on-MDATP-Using-GraphSecurity
CarbonBlack
Close-Incident-ASCAlert
Close-Incident-MCAS
Get-CompromisedPasswords
Get-MDEFileActivityWithin30Mins
M365-Security-Posture


@Thijs Lecomte , @Rod_Trent 

I've worked very hard to understand the github instructions on converting my playbook to a template.

 

I think I'm 95% there, but I've hit a wall.

 

I’ve made enough progress that my playbook template can now be deployed.

However most of the actions that require a connector fail – see below.

If you have any tips I’d really appreciate it.