diff --git a/Solutions/Australian Cyber Security Centre/Playbooks/AusCtisExportTaggedIndicators/azuredeploy.json b/Solutions/Australian Cyber Security Centre/Playbooks/AusCtisExportTaggedIndicators/azuredeploy.json
index 22ee087fd89..3ca80a881cb 100644
--- a/Solutions/Australian Cyber Security Centre/Playbooks/AusCtisExportTaggedIndicators/azuredeploy.json
+++ b/Solutions/Australian Cyber Security Centre/Playbooks/AusCtisExportTaggedIndicators/azuredeploy.json
@@ -12,7 +12,7 @@
 "This playbook needs contributor role on Log Analytics, to read and update threat indicator tags. 1. Go to Log Analytics Workspace resource --> 2. Select Access control (IAM) tab -->3. Add role assignments --> 4. Select Contributor role --> 5. In the Members tab choose 'Assign access to' Managed Identity --> 6. Click on 'Select members' --> 7. Provide correct Subscription and Managed Identity --> 8. Provide the playbook name in 'Search by name' textbox --> 9. Select the correct identity and click on Select --> 10. Click on 'Review + assign' "
 ],
 "prerequisitesDeployTemplateFile": "",
- "lastUpdateTime": "2023-08-10T12:00:38Z",
+ "lastUpdateTime": "2023-10-13T12:13:00Z",
 "entities": [
 ],
 "tags": [
@@ -22,7 +22,7 @@
 "tier": "community"
 },
 "author": {
- "name": "Australian Cyber Security Center"
+ "name": "Australian Cyber Security Center, Microsoft"
 }
 },
 "parameters": {
@@ -210,8 +210,7 @@
 }
 },
 "Compose_mandatory_properties": {
- "runAfter": {
- },
+ "runAfter": {},
 "type": "Compose",
 "inputs": {
 "created": "@formatDateTime(string(items('For_each_Indicator')?['properties']?['created']), 'yyyy-MM-ddTHH:mm:ss.ffffffK')",
@@ -227,8 +226,7 @@
 "Condition_to_check_if_'confidence'_property_exist": {
 "actions": {
 "Compose_'confidence'_property": {
- "runAfter": {
- },
+ "runAfter": {},
 "type": "Compose",
 "inputs": "@addProperty(variables('Indicator'), 'confidence', item()?['properties']?['confidence'])"
 },
@@ -269,8 +267,7 @@
 "Condition_to_chek_if_'createdByRef'_in_STIIX_format": {
 "actions": {
 "Compose_'created_by_ref'_property": {
- "runAfter": {
- },
+ "runAfter": {},
 "type": "Compose",
 "inputs": "@addProperty(variables('Indicator'), 'created_by_ref', item()?['properties']?['createdByRef'])"
 },
@@ -287,8 +284,7 @@
 }
 }
 },
- "runAfter": {
- },
+ "runAfter": {},
 "expression": {
 "and": [
 {
@@ -324,8 +320,7 @@
 "Condition_to_check_if_'description'_property_exist": {
 "actions": {
 "Compose_'description'_property": {
- "runAfter": {
- },
+ "runAfter": {},
 "type": "Compose",
 "inputs": "@addProperty(variables('Indicator'), 'description', item()?['properties']?['description'])"
 },
@@ -376,8 +371,7 @@
 "Condition_to_check_if_'displayName'_property_exist": {
 "actions": {
 "Compose_'name'_property": {
- "runAfter": {
- },
+ "runAfter": {},
 "type": "Compose",
 "inputs": "@addProperty(variables('Indicator'), 'name', item()?['properties']?['displayName'])"
 },
@@ -418,8 +412,7 @@
 "Condition_to_check_if_extension_definition_exist": {
 "actions": {
 "Compose_'extensions'_property": {
- "runAfter": {
- },
+ "runAfter": {},
 "type": "Compose",
 "inputs": "@addProperty(variables('Indicator'), 'extensions', item()?['properties']?['extensions'])"
 },
@@ -436,8 +429,7 @@
 }
 }
 },
- "runAfter": {
- },
+ "runAfter": {},
 "expression": {
 "and": [
 {
@@ -477,8 +469,7 @@
 "Condition_to_check_if__externalReferences_is_empty_array": {
 "actions": {
 "Compose_'external_references'_property": {
- "runAfter": {
- },
+ "runAfter": {},
 "type": "Compose",
 "inputs": "@addProperty(variables('Indicator'), 'external_references', item()?['properties']?['externalReferences'])"
 },
@@ -495,8 +486,7 @@
 }
 }
 },
- "runAfter": {
- },
+ "runAfter": {},
 "expression": {
 "and": [
 {
@@ -536,8 +526,7 @@
 "Condition_to_check_if_granularMarkings_is_empty_array": {
 "actions": {
 "Compose_'granular_markings'_property": {
- "runAfter": {
- },
+ "runAfter": {},
 "type": "Compose",
 "inputs": "@addProperty(variables('Indicator'), 'granular_markings', item()?['properties']?['granularMarkings'])"
 },
@@ -554,8 +543,7 @@
 }
 }
 },
- "runAfter": {
- },
+ "runAfter": {},
 "expression": {
 "and": [
 {
@@ -595,8 +583,7 @@
 "Condition_to_check_if_indicatorTypes_is_empty_array": {
 "actions": {
 "Compose_'indicator_types'_property": {
- "runAfter": {
- },
+ "runAfter": {},
 "type": "Compose",
 "inputs": "@addProperty(variables('Indicator'), 'indicator_types', item()?['properties']?['indicatorTypes'])"
 },
@@ -613,8 +600,7 @@
 }
 }
 },
- "runAfter": {
- },
+ "runAfter": {},
 "expression": {
 "and": [
 {
@@ -663,12 +649,11 @@
 "inputs": "@addProperty(variables('Indicator'), 'kill_chain_phases', array(outputs('Compose_sub_properties_of_''kill_chain_phases''_property')))"
 },
 "Compose_sub_properties_of_'kill_chain_phases'_property": {
- "runAfter": {
- },
+ "runAfter": {},
 "type": "Compose",
 "inputs": {
- "kill_chain_name": "@item()?['properties']?['killChainPhases'][0]?['killChainName']",
- "phase_name": "@item()?['properties']?['killChainPhases'][0]?['phaseName']"
+ "kill_chain_name": "lockheed-martin-cyber-kill-chain",
+ "phase_name": "@toLower(item()?['properties']?['killChainPhases'][0]?['phaseName'])"
 }
 },
 "Set_variable_Indicator_with_'kill_chain_phases'_property": {
@@ -684,8 +669,7 @@
 }
 }
 },
- "runAfter": {
- },
+ "runAfter": {},
 "expression": {
 "and": [
 {
@@ -729,8 +713,7 @@
 "Condition_to_check_if_Description_is_not_null": {
 "actions": {
 "Concat_IncidentTag_with_Description_": {
- "runAfter": {
- },
+ "runAfter": {},
 "type": "Compose",
 "inputs": "@setProperty(variables('Indicator'), 'description', concat('[',variables('IncidentTag'), '] ', item()?['properties']?['description']))"
 },
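Review bot: In `Compose_sub_properties_of_'kill_chain_phases'_property` (hunk `@@ -663,12 +649,11 @@`), `kill_chain_name` is now the constant `lockheed-martin-cyber-kill-chain` whatever the source indicator carries, so an indicator whose `killChainPhases[0].killChainName` names a different kill chain would be exported with its phase attributed to the wrong model. If the constant is required by the receiving platform, that assumption should be stated in the playbook prerequisites; otherwise the source value should be kept when it is present. `toLower()` only normalises case, while STIX recommends hyphens instead of spaces in phase names, so `"phase_name": "@replace(toLower(item()?['properties']?['killChainPhases'][0]?['phaseName']), ' ', '-')"` may be closer to what consumers expect. The condition that guards this action lies outside the hunk, so it is worth confirming that it rules out a null `phaseName` before `toLower` is applied.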
@@ -755,8 +738,7 @@
 "else": {
 "actions": {
 "Compose_description_as_IncidentTag": {
- "runAfter": {
- },
+ "runAfter": {},
 "type": "Compose",
 "inputs": "@setProperty(variables('Indicator'), 'description', concat('[', variables('IncidentTag'), ']'))"
 },
@@ -794,8 +776,7 @@
 "Condition_to_check_if_it_is_incident_tag": {
 "actions": {
 "Set_variable_IncidentTag": {
- "runAfter": {
- },
+ "runAfter": {},
 "type": "SetVariable",
 "inputs": {
 "name": "IncidentTag",
@@ -803,8 +784,7 @@
 }
 }
 },
- "runAfter": {
- },
+ "runAfter": {},
 "expression": {
 "and": [
 {
@@ -818,13 +798,11 @@
 "type": "If"
 }
 },
- "runAfter": {
- },
+ "runAfter": {},
 "type": "Foreach"
 }
 },
- "runAfter": {
- },
+ "runAfter": {},
 "expression": {
 "and": [
 {
@@ -857,8 +835,7 @@
 "Filter_Export_tag": {
 "actions": {
 "Filter_Labels_array": {
- "runAfter": {
- },
+ "runAfter": {},
 "type": "Query",
 "inputs": {
 "from": "@items('For_each_Indicator')?['properties']?['labels']",
@@ -878,8 +855,7 @@
 }
 }
 },
- "runAfter": {
- },
+ "runAfter": {},
 "type": "Scope"
 },
 "Set_variable_Indicator_with_'labels'_property": {
@@ -901,8 +877,7 @@
 "Condition_to_check_if_valid_TLP_lable_exist": {
 "actions": {
 "Set_variable_TLPLabel": {
- "runAfter": {
- },
+ "runAfter": {},
 "type": "SetVariable",
 "inputs": {
 "name": "TLPLabel",
@@ -918,8 +893,7 @@
 "else": {
 "actions": {
 "Set_variable_TLPLabel_if_not_valid_TLP_label_exist": {
- "runAfter": {
- },
+ "runAfter": {},
 "type": "SetVariable",
 "inputs": {
 "name": "TLPLabel",
@@ -941,8 +915,7 @@
 "type": "If"
 },
 "Filter_TLP_tag": {
- "runAfter": {
- },
+ "runAfter": {},
 "type": "Query",
 "inputs": {
 "from": "@variables('Lables')",
@@ -962,13 +935,11 @@
 }
 }
 },
- "runAfter": {
- },
+ "runAfter": {},
 "else": {
 "actions": {
 "Set_variable_TLPLabel_if_not_provided": {
- "runAfter": {
- },
+ "runAfter": {},
 "type": "SetVariable",
 "inputs": {
 "name": "TLPLabel",
@@ -1020,8 +991,7 @@
 "Condition_to_check_if_'language'_property_exist": {
 "actions": {
 "Compose_'lang'_property": {
- "runAfter": {
- },
+ "runAfter": {},
 "type": "Compose",
 "inputs": "@addProperty(variables('Indicator'), 'lang', item()?['properties']?['language'])"
 },
@@ -1062,8 +1032,7 @@
 "Condition_to_check_if_objectMarkingRefs_is_empty_array": {
 "actions": {
 "Compose_'object_marking_refs'_property": {
- "runAfter": {
- },
+ "runAfter": {},
 "type": "Compose",
 "inputs": "@addProperty(variables('Indicator'), 'object_marking_refs', union(item()?['properties']?['objectMarkingRefs'], variables('MarkingRefsObjIds')))"
 },
@@ -1080,13 +1049,11 @@
 }
 }
 },
- "runAfter": {
- },
+ "runAfter": {},
 "else": {
 "actions": {
 "Compose_'object_marking_refs'_property_when_empty": {
- "runAfter": {
- },
+ "runAfter": {},
 "type": "Compose",
 "inputs": "@addProperty(variables('Indicator'), 'object_marking_refs', variables('MarkingRefsObjIds'))"
 },
@@ -1127,8 +1094,7 @@
 "else": {
 "actions": {
 "Compose_'object_marking_refs'_propert_when_null": {
- "runAfter": {
- },
+ "runAfter": {},
 "type": "Compose",
 "inputs": "@addProperty(variables('Indicator'), 'object_marking_refs', variables('MarkingRefsObjIds'))"
 },
@@ -1163,8 +1129,7 @@
 "Condition_to_check_if_'patternVersion'_property_exist": {
 "actions": {
 "Compose_'pattern_version'_property": {
- "runAfter": {
- },
+ "runAfter": {},
 "type": "Compose",
 "inputs": "@addProperty(variables('Indicator'), 'pattern_version', item()?['properties']?['patternVersion'])"
 },
@@ -1203,8 +1168,7 @@
 "Condition_to_check_if_'revoked'_property_exist": {
 "actions": {
 "Compose_'revoked'_property": {
- "runAfter": {
- },
+ "runAfter": {},
 "type": "Compose",
 "inputs": "@addProperty(variables('Indicator'), 'revoked', item()?['properties']?['revoked'])"
 },
@@ -1243,8 +1207,7 @@
 "Condition_to_check_if_'validUntil'_property_exist": {
 "actions": {
 "Compose_'valid_until'_property": {
- "runAfter": {
- },
+ "runAfter": {},
 "type": "Compose",
 "inputs": "@addProperty(variables('Indicator'), 'valid_until', formatDateTime(string(item()?['properties']?['validUntil']), 'yyyy-MM-ddTHH:mm:ss.ffffffK'))"
 },
@@ -1289,8 +1252,7 @@
 "type": "SetVariable",
 "inputs": {
 "name": "MarkingRefsObjIds",
- "value": [
- ]
+ "value": []
 }
 },
 "Reset_variable_Indicator": {
@@ -1302,8 +1264,7 @@
 "type": "SetVariable",
 "inputs": {
 "name": "Indicator",
- "value": {
- }
+ "value": {}
 }
 },
 "Reset_variable_MarkingRefObject": {
@@ -1315,8 +1276,7 @@
 "type": "SetVariable",
 "inputs": {
 "name": "MarkingRefObj",
- "value": {
- }
+ "value": {}
 }
 },
 "Set_variable_Indicator_with_mandatory_properties": {
@@ -1347,7 +1307,7 @@
 },
 "Compose_Default_TLP_Marking_definition": {
 "runAfter": {
- "Set_variable_MarkingRefObjId": [
+ "Switch": [
 "Succeeded"
 ]
 },
@@ -1355,7 +1315,7 @@
 "inputs": {
 "created": "@formatDateTime(string(items('For_each_Indicator')?['properties']?['created']), 'yyyy-MM-ddTHH:mm:ss.ffffffK')",
 "extensions": {
- "extension-definition--@{guid()}": {
+ "extension-definition--60a3c5c5-0d10-413e-aab3-9e08dde9e88d": {
 "extension_type": "property-extension",
 "tlp_2_0": "@{toLower(string(split(variables('TLPLabel'), ':')[1]))}"
 }
@@ -1378,15 +1338,6 @@
 "value": "@{null}"
 }
 },
- "Set_variable_MarkingRefObjId": {
- "runAfter": {
- },
- "type": "SetVariable",
- "inputs": {
- "name": "MarkingRefObjId",
- "value": "marking-definition--@{guid()}"
- }
- },
 "Set_variable_MarkingRefObj_with_default_TLP_Marking_definition": {
 "runAfter": {
 "Compose_Default_TLP_Marking_definition": [
@@ -1398,6 +1349,81 @@
 "name": "MarkingRefObj",
 "value": "@outputs('Compose_Default_TLP_Marking_definition')"
 }
+ },
+ "Switch": {
+ "runAfter": {},
+ "cases": {
+ "AMBER": {
+ "case": "TLP:AMBER",
+ "actions": {
+ "Set_variable_MarkingRefObjId_for_AMBER": {
+ "runAfter": {},
+ "type": "SetVariable",
+ "inputs": {
+ "name": "MarkingRefObjId",
+ "value": "marking-definition--55d920b0-5e8b-4f79-9ee9-91f868d9b421"
+ }
+ }
+ }
+ },
+ "AMBER+STRICT": {
+ "case": "TLP:AMBER+STRICT",
+ "actions": {
+ "Set_variable_MarkingRefObjId_for_AMBER+STRICT": {
+ "runAfter": {},
+ "type": "SetVariable",
+ "inputs": {
+ "name": "MarkingRefObjId",
+ "value": "marking-definition--939a9414-2ddd-4d32-a0cd-375ea402b003"
+ }
+ }
+ }
+ },
+ "CLEAR": {
+ "case": "TLP:CLEAR",
+ "actions": {
+ "Set_variable_MarkingRefObjId_for_CLEAR": {
+ "runAfter": {},
+ "type": "SetVariable",
+ "inputs": {
+ "name": "MarkingRefObjId",
+ "value": "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
+ }
+ }
+ }
+ },
+ "GREEN": {
+ "case": "TLP:GREEN",
+ "actions": {
+ "Set_variable_Set_variable_MarkingRefObjId_for_GREEN": {
+ "runAfter": {},
+ "type": "SetVariable",
+ "inputs": {
+ "name": "MarkingRefObjId",
+ "value": "marking-definition--bab4a63c-aed9-4cf5-a766-dfca5abac2bb"
+ }
+ }
+ }
+ },
+ "RED": {
+ "case": "TLP:RED",
+ "actions": {
+ "Set_variable_MarkingRefObjId_for_RED": {
+ "runAfter": {},
+ "type": "SetVariable",
+ "inputs": {
+ "name": "MarkingRefObjId",
+ "value": "marking-definition--e828b379-4e03-4974-9ac4-e53a884c97c1"
+ }
+ }
+ }
+ }
+ },
+ "default": {
+ "actions": {}
+ },
+ "expression": "@variables('TLPLabel')",
+ "type": "Switch"
 }
 },
 "runAfter": {
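Review bot: The new `Switch` has an empty `default` branch (`"actions": {}`), so when `TLPLabel` matches none of the five `case` strings `MarkingRefObjId` is not assigned in this pass, whereas the removed `Set_variable_MarkingRefObjId` action assigned it unconditionally. Unless the variable is reset elsewhere in the loop (not visible in this hunk), an indicator could be exported with the marking reference left over from the previous indicator, possibly a less restrictive TLP than intended. Failing closed in `default` would remove that dependency on upstream label validation: either set the most restrictive id, `"value": "marking-definition--e828b379-4e03-4974-9ac4-e53a884c97c1"`, or terminate the run. As a style point, the GREEN action is named `Set_variable_Set_variable_MarkingRefObjId_for_GREEN`, which breaks the naming used by the other four cases. The enclosing scope continues outside the hunk.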