Merge pull request #73 from zekihan/master

zekihan · web-flow · commit e768d896067c · 2024-12-02T11:29:04.000+03:00
Add Microsoft Sentinel
diff --git a/microsoft-sentinel/README.md b/microsoft-sentinel/README.md
@@ -0,0 +1,4 @@
+Use the Microsoft Sentinel integration to create alerts in Jira Service Management (JSM) for incidents in Microsoft Sentinel.
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fatlassian%2Fjsm-integration-scripts%2Fmaster%2Fmicrosoft-sentinel%2Fazuredeploy.json)
+[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fatlassian%2Fjsm-integration-scripts%2Fmaster%2Fmicrosoft-sentinel%2Fazuredeploy.json)    
diff --git a/microsoft-sentinel/azuredeploy.json b/microsoft-sentinel/azuredeploy.json
@@ -0,0 +1,139 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "metadata": {
+    "comments": "This playbook is intended to be run from an Microsoft Sentinel Incident. It will generate a Jira Service Management Alert.",
+    "author": "Atlassian"
+  },
+  "parameters": {
+    "logicAppName": {
+      "type": "string",
+      "metadata": {
+        "description": "The name of the logic app to create."
+      }
+    },
+    "endpoint": {
+      "type": "string",
+      "metadata": {
+        "description": "JSM operations endpoint"
+      }
+    }
+  },
+  "variables": {
+    "azuresentinel": "[concat('azuresentinel-', parameters('logicAppName'))]"
+  },
+  "resources": [
+    {
+      "type": "Microsoft.Web/connections",
+      "apiVersion": "2016-06-01",
+      "name": "[variables('azuresentinel')]",
+      "location": "[resourceGroup().location]",
+      "properties": {
+        "displayName": "[parameters('logicAppName')]",
+        "customParameterValues": {
+        },
+        "api": {
+          "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
+        }
+      }
+    },
+    {
+      "type": "Microsoft.Logic/workflows",
+      "apiVersion": "2019-05-01",
+      "name": "[parameters('logicAppName')]",
+      "location": "[resourceGroup().location]",
+      "dependsOn": [
+        "[resourceId('Microsoft.Web/connections', variables('azuresentinel'))]"
+      ],
+      "tags": {
+        "displayName": "[parameters('logicAppName')]"
+      },
+      "properties": {
+        "state": "Enabled",
+        "definition": {
+          "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+          "contentVersion": "1.0.0.0",
+          "parameters": {
+            "endpoint": {
+              "type": "string",
+              "defaultValue": "[parameters('endpoint')]"
+            },
+            "$connections": {
+              "defaultValue": {},
+              "type": "Object"
+            }
+          },
+          "triggers": {
+            "Microsoft_Sentinel_incident": {
+              "type": "ApiConnectionWebhook",
+              "inputs": {
+                "body": {
+                  "callback_url": "@{listCallbackUrl()}"
+                },
+                "host": {
+                  "connection": {
+                    "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+                  }
+                },
+                "path": "/incident-creation"
+              }
+            }
+          },
+          "actions": {
+            "Create_Alert": {
+              "type": "Http",
+              "inputs": {
+                "body": {
+                  "id": "@triggerBody()?['object']?['name']",
+                  "description": "@triggerBody()?['object']?['properties']?['description']",
+                  "title": "@triggerBody()?['object']?['properties']?['title']",
+                  "severity": "@triggerBody()?['object']?['properties']?['severity']",
+                  "status": "@triggerBody()?['object']?['properties']?['status']",
+                  "incidentUrl": "@triggerBody()?['object']?['properties']?['incidentUrl']",
+                  "labels": "@triggerBody()?['object']?['properties']?['labels']",
+                  "resourceGroupName": "@triggerBody()?['workspaceInfo']?['ResourceGroupName']",
+                  "workspaceName": "@triggerBody()?['workspaceInfo']?['WorkspaceName']",
+                  "subscriptionId": "@triggerBody()?['workspaceInfo']?['SubscriptionId']"
+                },
+                "headers": {
+                  "Content-Type": "application/json"
+                },
+                "method": "POST",
+                "uri": "[parameters('endpoint')]"
+              }
+            }
+          }
+        },
+        "parameters": {
+          "$connections": {
+            "value": {
+              "azuresentinel": {
+                "connectionId": "[resourceId('Microsoft.Web/connections', variables('azuresentinel'))]",
+                "connectionName": "[variables('azuresentinel')]",
+                "id": "[concat('/subscriptions/', subscription().subscriptionId,'/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
+              }
+            }
+          }
+        }
+      }
+    }
+  ],
+  "outputs": {
+    "name": {
+      "type": "string",
+      "value": "[parameters('logicAppName')]"
+    },
+    "resourceId": {
+      "type": "string",
+      "value": "[resourceId('Microsoft.Logic/workflows', parameters('logicAppName'))]"
+    },
+    "resourceGroupName": {
+      "type": "string",
+      "value": "[resourceGroup().name]"
+    },
+    "location": {
+      "type": "string",
+      "value": "[resourceGroup().location]"
+    }
+  }
+}
