{
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"actions": {
"Alert_-_Get_IPs": {
"inputs": {
"body": "@triggerBody()?['Entities']",
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/entities/ip"
},
"runAfter": {
"Alert_-_Get_hosts": [
"Succeeded"
]
},
"type": "ApiConnection"
},
"Alert_-_Get_URLs": {
"inputs": {
"body": "@triggerBody()?['Entities']",
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/entities/url"
},
"runAfter": {
"Alert_-_Get_IPs": [
"Succeeded"
]
},
"type": "ApiConnection"
},
"Alert_-_Get_accounts": {
"inputs": {
"body": "@triggerBody()?['Entities']",
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/entities/account"
},
"runAfter": {
"Alert_-_Get_incident": [
"Succeeded"
]
},
"type": "ApiConnection"
},
"Alert_-_Get_hosts": {
"inputs": {
"body": "@triggerBody()?['Entities']",
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/entities/host"
},
"runAfter": {
"Alert_-_Get_accounts": [
"Succeeded"
]
},
"type": "ApiConnection"
},
"Alert_-_Get_incident": {
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "get",
"path": "/Cases/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}"
},
"runAfter": {},
"type": "ApiConnection"
},
"For_each": {
"actions": {
"For_each_2": {
"actions": {
"For_each_3": {
"actions": {
"For_each_4": {
"actions": {
"Send_an_email_(V2)": {
"inputs": {
"body": {
"Body": "<p><strong>Please verify why you have deployed a public IP.<br>\n<br>\naccess.<br>\n</strong><br>\n<br>\nPublic IP @{items('For_each_3')?['Address']} is created.<br>\n<br>\nName of the IP Address @{items('For_each_4')?['Name']}<br>\n<br>\nThis User @{items('For_each')?['Url']} created the public IP.<br>\n<br>\nOther details about this resource:<br>\n<br>\n@{body('Alert_-_Get_hosts')?['Hosts']}<br>\n<br>\n<br>\nThis email is generated using the logic App.<br>\n</p>",
"Cc": "abc@xyz.com ",
"Subject": "Azure Sentinel Alert for Public IP. ",
"To": "@{items('For_each')?['Url']}"
},
"host": {
"connection": {
"name": "@parameters('$connections')['office365']['connectionId']"
}
},
"method": "post",
"path": "/v2/Mail"
},
"runAfter": {},
"type": "ApiConnection"
}
},
"foreach": "@body('Alert_-_Get_accounts')?['Accounts']",
"runAfter": {},
"type": "Foreach"
}
},
"foreach": "@body('Alert_-_Get_IPs')?['IPs']",
"runAfter": {},
"type": "Foreach"
}
},
"foreach": "@body('Alert_-_Get_hosts')?['Hosts']",
"runAfter": {},
"type": "Foreach"
}
},
"foreach": "@body('Alert_-_Get_URLs')?['Urls']",
"runAfter": {
"Alert_-_Get_URLs": [
"Succeeded"
]
},
"type": "Foreach"
}
},
"contentVersion": "1.0.0.0",
"outputs": {},
"parameters": {
"$connections": {
"defaultValue": {},
"type": "Object"
}
},
"triggers": {
"When_a_response_to_an_Azure_Sentinel_alert_is_triggered": {
"inputs": {
"body": {
"callback_url": "@{listCallbackUrl()}"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"path": "/subscribe"
},
"type": "ApiConnectionWebhook"
}
}
},
"parameters": {
"$connections": {
"value": {
"azuresentinel": {
"connectionId": "/subscriptions/<>/resourceGroups/<>/providers/Microsoft.Web/connections/azuresentinel",
"connectionName": "azuresentinel",
"id": "/subscriptions/<>/providers/Microsoft.Web/locations/<>/managedApis/azuresentinel"
},
"office365": {
"connectionId": "/subscriptions/<>/resourceGroups/<>/providers/Microsoft.Web/connections/office365-6",
"connectionName": "office365-6",
"id": "/subscriptions/<>/providers/Microsoft.Web/locations/<>/managedApis/office365"
}
}
}
}
}