Skip to content

Instantly share code, notes, and snippets.

@bisskar

bisskar/oob_update.json Secret

Last active January 9, 2025 01:24
Show Gist options
  • Save bisskar/467bc0d89cad3a36faf503b6f00de1b2 to your computer and use it in GitHub Desktop.
Save bisskar/467bc0d89cad3a36faf503b6f00de1b2 to your computer and use it in GitHub Desktop.
Download ZIP
Sentinel OOB update notification
Raw
oob_update.json
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"NamePrefix": {
"defaultValue": "",
"type": "String"
},
"PlaybookName": {
"defaultValue": "[concat(parameters('NamePrefix'), '-Notify-OOBRulesUpdate')]",
"type": "string"
},
"Email": {
"type": "string",
"metadata": {
"description": "Enter value for Email"
}
},
"ResourceGroup": {
"type": "string",
"metadata": {
"description": "Enter value for ResourceGroup"
}
},
"SubscriptionId": {
"type": "string",
"metadata": {
"description": "Enter value for SubscriptionId"
}
},
"WorkspaceName": {
"type": "string",
"metadata": {
"description": "Enter value for WorkspaceName"
}
}
},
"variables": {
"ArmConnectionName": "[concat('Arm-', parameters('PlaybookName'))]",
"Office365ConnectionName": "[concat('Office365-', parameters('PlaybookName'))]"
},
"resources": [
{
"properties": {
"provisioningState": "Succeeded",
"state": "Enabled",
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"$connections": {
"defaultValue": {
},
"type": "Object"
},
"Email": {
"defaultValue": "[parameters('Email')]",
"type": "string"
},
"ResourceGroup": {
"defaultValue": "[parameters('ResourceGroup')]",
"type": "string"
},
"SubscriptionId": {
"defaultValue": "[parameters('SubscriptionId')]",
"type": "string"
},
"WorkspaceName": {
"defaultValue": "[parameters('WorkspaceName')]",
"type": "string"
}
},
"triggers": {
"Run_every_day": {
"recurrence": {
"frequency": "Day",
"interval": 1,
"timeZone": "W. Europe Standard Time"
},
"evaluatedRecurrence": {
"frequency": "Day",
"interval": 1,
"timeZone": "W. Europe Standard Time"
},
"type": "Recurrence"
}
},
"actions": {
"Condition_-_if_updates_available": {
"actions": {
"Create_CSV_table": {
"runAfter": {
"Create_HTML_table_-_Updated_Rules_Table": [
"Succeeded"
]
},
"type": "Table",
"inputs": {
"format": "CSV",
"from": "@variables('Updated_Rules_Array')"
}
},
"Create_HTML_table_-_Updated_Rules_Table": {
"runAfter": {
},
"type": "Table",
"inputs": {
"format": "HTML",
"from": "@variables('Updated_Rules_Array')"
}
},
"Send_an_email_-_updates_available": {
"runAfter": {
"Create_CSV_table": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"body": {
"Attachments": [
{
"ContentBytes": "@{base64(body('Create_CSV_table'))}",
"Name": "UpdatedRulesReport.xlsx"
}
],
"Body": "\u003cp\u003ePlease review the updates provided by Microsoft for the following analytics rules:\u003cbr\u003e\n@{body('Create_HTML_table_-_Updated_Rules_Table')}\u003c/p\u003e",
"Importance": "Normal",
"Subject": "Updates available for Micorosoft Sentinel analytics rules",
"To": "@parameters('Email')"
},
"host": {
"connection": {
"name": "@parameters('$connections')['office365']['connectionId']"
}
},
"method": "post",
"path": "/v2/Mail"
}
}
},
"runAfter": {
"For_each_active_rule": [
"Succeeded"
]
},
"expression": {
"and": [
{
"greater": [
"@length(variables('Updated_Rules_Array'))",
0
]
}
]
},
"type": "If"
},
"For_each_active_rule": {
"foreach": "@body('Read_a_resource_-_Query_all_active_rules_from_Sentinel_workspace')?['value']",
"actions": {
"Condition_-_if_OOB_rule": {
"actions": {
"Condition_-_if_template_updated": {
"actions": {
"Append_to_array_variable_-_Updated_Rules_Array": {
"runAfter": {
},
"type": "AppendToArrayVariable",
"inputs": {
"name": "Updated_Rules_Array",
"value": {
"alert_id": "@{items('For_each_active_rule')?['name']}",
"alert_name": "@{items('For_each_active_rule')?['properties']?['displayName']}"
}
}
}
},
"runAfter": {
"Set_variable_-_Vendor_Template_Version": [
"Succeeded"
]
},
"expression": {
"and": [
{
"not": {
"equals": [
"@variables('Enabled_Template_Version')",
"@variables('Vendor_Template_Version')"
]
}
}
]
},
"type": "If"
},
"Read_a_resource_-_Fetch_Vendor_Template": {
"runAfter": {
},
"type": "ApiConnection",
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['arm_1']['connectionId']"
}
},
"method": "get",
"path": "/subscriptions/@{encodeURIComponent(parameters('SubscriptionId'))}/resourcegroups/@{encodeURIComponent(parameters('ResourceGroup'))}/providers/@{encodeURIComponent('Microsoft.OperationalInsights')}/@{encodeURIComponent('/workspaces/',parameters('WorkspaceName'),'/providers/Microsoft.SecurityInsights/alertRuleTemplates/',variables('Rule_Template_ID'))}",
"queries": {
"x-ms-api-version": "2023-02-01"
}
}
},
"Set_variable_-_Vendor_Template_Version": {
"runAfter": {
"Read_a_resource_-_Fetch_Vendor_Template": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "Vendor_Template_Version",
"value": "@body('Read_a_resource_-_Fetch_Vendor_Template')?['properties']?['version']"
}
}
},
"runAfter": {
"Set_variable_-_Enabled_Template_Version": [
"Succeeded"
]
},
"expression": {
"and": [
{
"not": {
"equals": [
"@variables('Rule_Template_ID')",
""
]
}
},
{
"not": {
"equals": [
"@variables('Enabled_Template_Version')",
""
]
}
},
{
"not": {
"equals": [
"@variables('Enabled_Template_Version')",
null
]
}
}
]
},
"type": "If"
},
"Set_variable_-_Enabled_Template_Version": {
"runAfter": {
"Set_variable_-_Rule_Template_ID": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "Enabled_Template_Version",
"value": "@{items('For_each_active_rule')?['properties']?['templateVersion']}"
}
},
"Set_variable_-_Rule_Template_ID": {
"runAfter": {
},
"type": "SetVariable",
"inputs": {
"name": "Rule_Template_ID",
"value": "@{items('For_each_active_rule')?['properties']?['alertRuleTemplateName']}"
}
}
},
"runAfter": {
"Initialize_variable_-_Updated_Rules_Array": [
"Succeeded"
]
},
"type": "Foreach",
"runtimeConfiguration": {
"concurrency": {
"repetitions": 1
}
}
},
"Initialize_variable_-_Alert_Rule_Template_ID": {
"runAfter": {
"Read_a_resource_-_Query_all_active_rules_from_Sentinel_workspace": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "Rule_Template_ID",
"type": "string"
}
]
}
},
"Initialize_variable_-_Enabled_Template_Version": {
"runAfter": {
"Initialize_variable_-_Alert_Rule_Template_ID": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "Enabled_Template_Version",
"type": "string"
}
]
}
},
"Initialize_variable_-_Updated_Rules_Array": {
"runAfter": {
"Initialize_variable_-_Vendor_Template_Version": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "Updated_Rules_Array",
"type": "array"
}
]
}
},
"Initialize_variable_-_Vendor_Template_Version": {
"runAfter": {
"Initialize_variable_-_Enabled_Template_Version": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "Vendor_Template_Version",
"type": "string"
}
]
}
},
"Read_a_resource_-_Query_all_active_rules_from_Sentinel_workspace": {
"runAfter": {
},
"type": "ApiConnection",
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['arm_1']['connectionId']"
}
},
"method": "get",
"path": "/subscriptions/@{encodeURIComponent(parameters('SubscriptionId'))}/resourcegroups/@{encodeURIComponent(parameters('ResourceGroup'))}/providers/@{encodeURIComponent('Microsoft.OperationalInsights')}/@{encodeURIComponent('/workspaces/',parameters('WorkspaceName'),'/providers/Microsoft.SecurityInsights/alertRules')}",
"queries": {
"x-ms-api-version": "2023-02-01"
}
}
}
},
"outputs": {
}
},
"parameters": {
"$connections": {
"value": {
"arm_1": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('ArmConnectionName'))]",
"connectionName": "[variables('ArmConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Arm')]",
"connectionProperties": {
"authentication": {
"type": "ManagedServiceIdentity"
}
}
},
"office365": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]",
"connectionName": "[variables('Office365ConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Office365')]"
}
}
}
}
},
"name": "[parameters('PlaybookName')]",
"type": "Microsoft.Logic/workflows",
"location": "[resourceGroup().location]",
"identity": {
"type": "SystemAssigned"
},
"apiVersion": "2017-07-01",
"dependsOn": [
"[resourceId('Microsoft.Web/connections', variables('ArmConnectionName'))]",
"[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]"
]
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('ArmConnectionName')]",
"location": "[resourceGroup().location]",
"kind": "V1",
"properties": {
"displayName": "[variables('ArmConnectionName')]",
"customParameterValues": {
},
"parameterValueType": "Alternative",
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Arm')]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('Office365ConnectionName')]",
"location": "[resourceGroup().location]",
"kind": "V1",
"properties": {
"displayName": "[variables('Office365ConnectionName')]",
"customParameterValues": {
},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Office365')]"
}
}
}
]
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment