diff --git a/Logos/Druva_Logo.svg b/Logos/Druva_Logo.svg new file mode 100644 index 00000000000..634576f5eda --- /dev/null +++ b/Logos/Druva_Logo.svg @@ -0,0 +1,12 @@ + + diff --git a/Solutions/DruvaDataSecurityCloud/Data Connectors/Druva_ccp/Druva_DCR.json b/Solutions/DruvaDataSecurityCloud/Data Connectors/Druva_ccp/Druva_DCR.json new file mode 100644 index 00000000000..3bfdb69386f --- /dev/null +++ b/Solutions/DruvaDataSecurityCloud/Data Connectors/Druva_ccp/Druva_DCR.json 
@@ -0,0 +1,219 @@ +[ + { + "name": "DruvaDCR", + "apiVersion": "2021-09-01-preview", + "type": "Microsoft.Insights/dataCollectionRules", + "location": "{{location}}", + "properties": { + "dataCollectionEndpointId": "{{dataCollectionEndpointId}}", + "streamDeclarations": { + "Custom-DruvaSecurityEvents_CL": { + "columns": [ + { + "name": "TimeGenerated", + "type": "datetime" + }, + { + "name": "id", + "type": "int" + }, + { + "name": "globalCustomerId", + "type": "string" + }, + { + "name": "occurenceTime", + "type": "int" + }, + { + "name": "area", + "type": "string" + }, + { + "name": "category", + "type": "string" + }, + { + "name": "type", + "type": "string" + }, + { + "name": "syslogSeverity", + "type": "int" + }, + { + "name": "syslogFacility", + "type": "int" + }, + { + "name": "details", + "type": "string" + } + ] + }, + "Custom-DruvaPlatformEvents_CL": { + "columns": [ + { + "name": "TimeGenerated", + "type": "datetime" + }, + { + "name": "category", + "type": "string" + }, + { + "name": "details", + "type": "dynamic" + }, + { + "name": "feature", + "type": "string" + }, + { + "name": "globalID", + "type": "string" + }, + { + "name": "timeStamp", + "type": "int" + }, + { + "name": "productID", + "type": "int" + }, + { + "name": "syslogFacility", + "type": "int" + }, + { + "name": "syslogSeverity", + "type": "int" + }, + { + "name": "type", + "type": "string" + } + ] + }, + "Custom-DruvaInsyncEvents_CL": { + "columns": [ + { + "name": "eventType", + "type": "string" + }, + { + "name": "eventState", + "type": "string" + }, + { + "name": "eventID", + "type": "int" + }, + { + "name": "eventDetails", + "type": "string" + }, + { + "name": "timestamp", + "type": "datetime" + }, + { + "name": "initiator", + "type": "string" + }, + { + "name": "ip", + "type": "string" + }, + { + "name": "profileID", + "type": "string" + }, + { + "name": "profileName", + "type": "string" + }, + { + "name": "inSyncUserID", + "type": "string" + }, + { + "name": "inSyncUserName", + 
"type": "string" + }, + { + "name": "inSyncUserEmail", + "type": "string" + }, + { + "name": "inSyncDataSourceID", + "type": "string" + }, + { + "name": "inSyncDataSourceName", + "type": "string" + }, + { + "name": "clientOS", + "type": "string" + }, + { + "name": "clientVersion", + "type": "string" + }, + { + "name": "severity", + "type": "int" + }, + { + "name": "facility", + "type": "int" + } + ] + } + }, + "destinations": { + "logAnalytics": [ + { + "workspaceResourceId": "{{workspaceResourceId}}", + "name": "clv2ws1" + } + ] + }, + "dataFlows": [ + { + "streams": [ + "Custom-DruvaSecurityEvents_CL" + ], + "destinations": [ + "clv2ws1" + ], + "transformKql": "source\n| extend TimeGenerated = datetime_add('second',occurenceTime,make_datetime(1970,1,1)) \n| extend event_type = type\n| project-away occurenceTime, type\n| extend id = tostring(id) // Convert 'id' to string and rename to EventUid\n| project-rename EventUid = id\n\n", + "outputStream": "Custom-DruvaSecurityEvents_CL" + }, + + { + "streams": [ + "Custom-DruvaPlatformEvents_CL" + ], + "destinations": [ + "clv2ws1" + ], + "transformKql": "source\n| extend TimeGenerated = datetime_add('second',timeStamp,make_datetime(1970,1,1))\n| extend event_type = type\n| project-away timeStamp, type\n", + "outputStream": "Custom-DruvaPlatformEvents_CL" + }, + + { + "streams": [ + "Custom-DruvaInsyncEvents_CL" + ], + "destinations": [ + "clv2ws1" + ], + "transformKql": "source\n| extend TimeGenerated = timestamp\n| extend eventID = tostring(eventID)\n| project-rename EventUid = eventID\n| project-away timestamp\n", + "outputStream": "Custom-DruvaInsyncEvents_CL" + } + ] + } + } +] \ No newline at end of file diff --git a/Solutions/DruvaDataSecurityCloud/Data Connectors/Druva_ccp/Druva_DataConnectorDefinition.json b/Solutions/DruvaDataSecurityCloud/Data Connectors/Druva_ccp/Druva_DataConnectorDefinition.json new file mode 100644 index 00000000000..ee3245accf1 --- /dev/null 
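Review bot: `id` in the `Custom-DruvaSecurityEvents_CL` stream and `eventID` in `Custom-DruvaInsyncEvents_CL` are declared `"type": "int"`, which in a DCR stream declaration is a 32-bit signed integer, so any Druva event identifier above 2147483647 would be nulled before the `tostring()` / `project-rename EventUid = ...` step and the record would lose its unique id. Since both transforms immediately stringify the value, declaring them as `"type": "long"` (or `"string"`) removes the dependence on the source field's range. The same caveat applies to `occurenceTime` and `timeStamp`: the `datetime_add('second', ...)` conversion assumes epoch seconds, and a millisecond epoch would overflow `int` and be dropped silently — worth confirming against the Druva API rather than assuming, and noting the unit in a comment or README.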
+++ b/Solutions/DruvaDataSecurityCloud/Data Connectors/Druva_ccp/Druva_DataConnectorDefinition.json 
@@ -0,0 +1,131 @@ +{ + "name": "DruvaEventCCPDefinition", + "apiVersion": "2022-09-01-preview", + "type": "Microsoft.SecurityInsights/dataConnectorDefinitions", + "location": "{{location}}", + "kind": "Customizable", + "properties": + { + + "connectorUiConfig": { + "id": "DruvaEventCCPDefinition", + "title": "Druva Events Connector", + "publisher" : "Microsoft", + "descriptionMarkdown" : "Provides capability to ingest the druva events from druva apis", + "graphQueriesTableName" : "DruvaSecurityEvents_CL", + "graphQueries": [ + { + "metricName":"Total Security Events", + "legend":"Druva Security events received", + "baseQuery": "{{graphQueriesTableName}}" + }, + + { + "metricName":"Total platform events", + "legend":"Druva platform events received", + "baseQuery": "DruvaPlatformEvents_CL" + }, + { + "metricName":"Total insync events", + "legend":"Druva insync events received", + "baseQuery": "DruvaInsyncEvents_CL" + } + ], + "sampleQueries":[ + { + "description": "Sample of Druva security events", + "query": "{{graphQueriesTableName}}\n| take 10" + }, + { + "description": "Sample of Druva platform events", + "query": "DruvaPlatformEvents_CL\n| take 10" + }, + { + "description": "Sample of Druva insync events", + "query": "DruvaInsyncEvents_CL\n| take 10" + } + ], + "dataTypes":[ + { + "name": "{{graphQueriesTableName}}", + "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | summarize Time=max(TimeGenerated) \n | where isnotempty(Time)" + }, + { + "name": "DruvaPlatformEvents_CL", + "lastDataReceivedQuery": "DruvaPlatformEvents_CL\n | summarize Time=max(TimeGenerated) \n | where isnotempty(Time)" + }, + { + "name": "DruvaInsyncEvents_CL", + "lastDataReceivedQuery": "DruvaInsyncEvents_CL\n | summarize Time=max(TimeGenerated) \n | where isnotempty(Time)" + } + ], + "connectivityCriteria":[ + { + "type": "HasDataConnectors" + } + ], + "permissions":{ + "resourceProvider":[ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText":"Read 
and Write permission are required", + "providerDisplayName":"Workspace", + "scope":"Workspace", + "requiredPermissions":{ + "write": true, + "read":true, + "delete": true + } + } + ], + "customs":[ + { + "name": "Druva API Access", + "description":"Druva api requires a client id and client secret to authenticate" + } + ] + }, + "instructionSteps":[ + { + "description": ">Note: Configurations to connect to Druva Rest API\n" + }, + { + "description": "Step 1: Create Crdentials from Druva Console: https://help.druva.com/en/articles/8580838-create-and-manage-api-credentials\n" + }, + { + "description": "Step 2: Enter the hostname public cloud its apis.druva.com\n" + }, + { + "description": "Step 3: Get client id and client secret key\n" + }, + { + "description": "Provide required values:\n", + "instructions":[ + + { + "type": "Textbox", + "parameters": { + "label": "hostname", + "placeholder": "Example: apis.druva.com", + "type": "text", + "name": "hostname" + } + }, + + { + "type": "OAuthForm", + "parameters":{ + "clientIdLabel":"Client ID", + "clientSecretLabel" : "Client Secret", + "connectButtonLabel":"Connect", + "disconnectButtonLabel": "Diconnect" + + } + } + ], + "tittle": "Connect to Druva API to start collecting logs in microft sentinel" + } + ] + } + } +} \ No newline at end of file diff --git a/Solutions/DruvaDataSecurityCloud/Data Connectors/Druva_ccp/Druva_PollingConfig.json b/Solutions/DruvaDataSecurityCloud/Data Connectors/Druva_ccp/Druva_PollingConfig.json new file mode 100644 index 00000000000..3339511330d --- /dev/null +++ b/Solutions/DruvaDataSecurityCloud/Data Connectors/Druva_ccp/Druva_PollingConfig.json 
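Review bot: `requiredPermissions` asks for `"delete": true` on the workspace while `permissionsDisplayText` tells the operator only read and write are needed; the connector only creates tables/DCRs and ingests data, so drop `delete` and deploy with the least privilege the UI advertises (`"requiredPermissions": { "write": true, "read": true }`). The last instruction step uses the key `"tittle"` instead of `"title"`, so the step heading will be silently ignored, and the user-facing strings contain typos (`Crdentials`, `Diconnect`, `microft`). The unrestricted `hostname` textbox is what the pollers use to build both the token and API endpoints, so whatever host the operator types receives the Basic-auth client id:secret; constraining it (a pattern validation or a fixed choice of the documented Druva API hosts) would prevent a typo from leaking the credential. `publisher` is `Microsoft` although the solution author elsewhere in this PR is Druva — presumably one of them is wrong.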
@@ -0,0 +1,156 @@ +[ + { + "name": "DruvaSecurityEventsPolling", + "apiVersion": "2022-12-01-preview", + "type": "Microsoft.SecurityInsights/dataConnectors", + "location": "{{location}}", + "kind": "RestApiPoller", + "properties": { + "connectorDefinitionName": "DruvaEventCCPDefinition", + "dataType": "DruvaSecurityEvents_CL", + "dcrConfig": { + "dataCollectionEndpoint": "{{dataCollectionEndpoint}}", + "dataCollectionRuleImmutableId": "{{dataCollectionRuleImmutableId}}", + "streamName": "Custom-DruvaSecurityEvents_CL" + }, + "auth": { + "type" : "OAuth2", + "clientSecret": "{{clientSecret}}", + "clientId": "{{clientId}}", + "tokenEndpoint": "[[concat('https://', parameters('hostname'), '/token')]", + "tokenEndpointHeaders": { + "Accept": "application/json", + "Content-Type": "application/x-www-form-urlencoded", + "Authorization" : "[[concat('Basic ', base64(concat(parameters('ClientId'), ':', parameters('ClientSecret'))))]" + }, + "TokenEndpointQueryParameters": {}, + "grantType": "client_credentials" + }, + "request": { + "apiEndpoint": "https://{{hostname}}/realize/eventmanagement/v1/events/tracker", + "rateLimitQPS": 10, + "queryWindowInMin": 15, + "httpMethod": "GET", + "retryCount": 3, + "timeoutInSeconds": 30, + "headers": { + "Accept": "application/json" + } + }, + "paging": { + "pagingType" : "PersistentToken", + "nextPageTokenJsonPath": "$.nextTrackerToken", + "nextPageParaName": "trackerToken" + }, + "response": { + "eventsJsonPaths": [ + "$.events" + ], + "format": "json" + } + } + }, + { + "name": "DruvaPlatformEventsPolling", + "apiVersion": "2022-12-01-preview", + "type": "Microsoft.SecurityInsights/dataConnectors", + "location": "{{location}}", + "kind": "RestApiPoller", + "properties": { + "connectorDefinitionName": "DruvaEventCCPDefinition", + "dataType": "DruvaPlatformEvents_CL", + "dcrConfig": { + "dataCollectionEndpoint": "{{dataCollectionEndpoint}}", + "dataCollectionRuleImmutableId": "{{dataCollectionRuleImmutableId}}", + "streamName": 
"Custom-DruvaPlatformEvents_CL" + }, + "auth": { + "type" : "OAuth2", + "clientSecret": "{{clientSecret}}", + "clientId": "{{clientId}}", + "tokenEndpoint": "[[concat('https://', parameters('hostname'), '/token')]", + "tokenEndpointHeaders": { + "Accept": "application/json", + "Content-Type": "application/x-www-form-urlencoded", + "Authorization" : "[[concat('Basic ', base64(concat(parameters('ClientId'), ':', parameters('ClientSecret'))))]" + }, + "TokenEndpointQueryParameters": {}, + "grantType": "client_credentials" + }, + "request": { + "apiEndpoint": "https://{{hostname}}/platform/eventmanagement/v2/events", + "rateLimitQPS": 10, + "queryWindowInMin": 15, + "httpMethod": "GET", + "retryCount": 3, + "timeoutInSeconds": 30, + "headers": { + "Accept": "application/json" + } + }, + "paging": { + "pagingType" : "PersistentToken", + "nextPageTokenJsonPath": "$.nextPageToken", + "nextPageParaName": "pageToken" + }, + "response": { + "eventsJsonPaths": [ + "$.events" + ], + "format": "json" + } + } + }, + { + "name": "DruvaInsyncEventsPolling", + "apiVersion": "2022-12-01-preview", + "type": "Microsoft.SecurityInsights/dataConnectors", + "location": "{{location}}", + "kind": "RestApiPoller", + "properties": { + "connectorDefinitionName": "DruvaEventCCPDefinition", + "dataType": "DruvaInsyncEvents_CL", + "dcrConfig": { + "dataCollectionEndpoint": "{{dataCollectionEndpoint}}", + "dataCollectionRuleImmutableId": "{{dataCollectionRuleImmutableId}}", + "streamName": "Custom-DruvaInsyncEvents_CL" + }, + "auth": { + "type" : "OAuth2", + "clientSecret": "{{clientSecret}}", + "clientId": "{{clientId}}", + "tokenEndpoint": "[[concat('https://', parameters('hostname'), '/token')]", + "tokenEndpointHeaders": { + "Accept": "application/json", + "Content-Type": "application/x-www-form-urlencoded", + "Authorization" : "[[concat('Basic ', base64(concat(parameters('ClientId'), ':', parameters('ClientSecret'))))]" + }, + "TokenEndpointQueryParameters": {}, + "grantType": 
"client_credentials" + }, + "request": { + "apiEndpoint": "https://{{hostname}}/insync/eventmanagement/v2/events", + "rateLimitQPS": 10, + "queryWindowInMin": 15, + "httpMethod": "GET", + "retryCount": 3, + "timeoutInSeconds": 30, + "headers": { + "Accept": "application/json" + + } + }, + "paging": { + "pagingType" : "PersistentToken", + "nextPageTokenJsonPath": "$.tracker", + "nextPageParaName": "tracker" + }, + "response": { + "eventsJsonPaths": [ + "$.events" + ], + "format": "json" + } + } + } +] \ No newline at end of file diff --git a/Solutions/DruvaDataSecurityCloud/Data Connectors/Druva_ccp/Druva_Tables.json b/Solutions/DruvaDataSecurityCloud/Data Connectors/Druva_ccp/Druva_Tables.json new file mode 100644 index 00000000000..6ebd2eb5aca --- /dev/null +++ b/Solutions/DruvaDataSecurityCloud/Data Connectors/Druva_ccp/Druva_Tables.json 
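Review bot: each poller's `auth` block carries the client secret twice — once in `clientSecret`, which the OAuth2 `client_credentials` grant already transmits, and again hand-built into a Basic `Authorization` header via `base64(concat(parameters('ClientId'), ':', parameters('ClientSecret')))`; if Druva's token endpoint accepts only one form, remove the other so the secret is not emitted in a redundant header. Both `tokenEndpoint` and `apiEndpoint` are derived from the operator-supplied `hostname`, so a mistyped host receives the live credential; the hard-coded `https://` is the only guard here, and the hostname should be validated upstream. The `{{clientSecret}}` placeholder should resolve to a `securestring` parameter in the generated deployment template — in the deploy template later in this PR it is declared as a plain `"type": "string"` with a `-NA-` default, which lets the secret land in deployment history and logs. The three pagers use different token paths (`$.nextTrackerToken`/`trackerToken`, `$.nextPageToken`/`pageToken`, `$.tracker`/`tracker`); I cannot verify these against the Druva API from here, so a short comment or doc link per poller naming the source field would help the next maintainer.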
@@ -0,0 +1,259 @@ +[ + { + "name": "DruvaSecurityEvents_CL", + "type": "Microsoft.OperationalInsights/workspaces/tables", + "apiVersion": "2021-03-01-privatepreview", + "location": "{{location}}", + "properties": { + "schema": { + "name": "DruvaSecurityEvents_CL", + "columns": [ + { + "name": "area", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "category", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "details", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "globalCustomerId", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "syslogFacility", + "type": "int", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "syslogSeverity", + "type": "int", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "TimeGenerated", + "type": "datetime", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "event_type", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "EventUid", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + } + ] + } + } + }, + + { + "name": "DruvaPlatformEvents_CL", + "type": "Microsoft.OperationalInsights/workspaces/tables", + "apiVersion": "2021-03-01-privatepreview", + "location": "{{location}}", + "properties": { + "schema": { + "name": "DruvaPlatformEvents_CL", + "columns": [ + { + "name": "category", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "details", + "type": "dynamic", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "feature", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "globalID", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "productID", + "type": "int", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": 
"syslogFacility", + "type": "int", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "syslogSeverity", + "type": "int", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "TimeGenerated", + "type": "datetime", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "event_type", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + } + ] + } + } + }, + + { + "name": "DruvaInsyncEvents_CL", + "type": "Microsoft.OperationalInsights/workspaces/tables", + "apiVersion": "2021-03-01-privatepreview", + "location": "{{location}}", + "properties": { + "schema": { + "name": "DruvaInsyncEvents_CL", + "columns": [ + { + "name": "clientOS", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "clientVersion", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "eventDetails", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "eventState", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "eventType", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "facility", + "type": "int", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "initiator", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "inSyncDataSourceID", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "inSyncDataSourceName", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "inSyncUserEmail", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "inSyncUserID", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "inSyncUserName", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "ip", + "type": "string", + "isDefaultDisplay": false, + 
"isHidden": false + }, + { + "name": "profileID", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "profileName", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "severity", + "type": "int", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "TimeGenerated", + "type": "datetime", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "EventUid", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + } + ] + } + } + } +] \ No newline at end of file diff --git a/Solutions/DruvaDataSecurityCloud/Data Connectors/Druva_ccp/azuredeploy_DruvaEvents_poller_connector.json b/Solutions/DruvaDataSecurityCloud/Data Connectors/Druva_ccp/azuredeploy_DruvaEvents_poller_connector.json new file mode 100644 index 00000000000..de1309ac4c7 --- /dev/null +++ b/Solutions/DruvaDataSecurityCloud/Data Connectors/Druva_ccp/azuredeploy_DruvaEvents_poller_connector.json 
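Review bot: all three tables use `"apiVersion": "2021-03-01-privatepreview"`, a private-preview API that can be withdrawn; `Microsoft.OperationalInsights/workspaces/tables` has a GA version (`2022-10-01`) that accepts the same `schema.columns` shape and should be used here. `DruvaInsyncEvents_CL` stores `inSyncUserEmail`, `inSyncUserName` and `ip`, i.e. personal data, so a `description` on the table (or a README note) calling that out and a `retentionInDays` consistent with the workspace policy would help operators handle it deliberately. Column types must stay aligned with the DCR transforms — `EventUid` is `string` here only because the DCR stringifies the `int` id — so a comment stating that the two files must change together would prevent a silent schema mismatch.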
@@ -0,0 +1,1061 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "the log analytics workspace enabled for Microsoft Sentinel" + } + } + }, + "variables": { + "DCRName": "DruvaDCR", + "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", + "_solutionName": "Druva Events Connector", + "_solutionVersion": "1.0.0", + "_solutionAuthor": "Druva", + "_packageIcon": "icon icon icon icon", + "_solutionId": "azuresentinel.azure-sentinel-solution-azuresentinel.azure-sentinel-Druva", + "dataConnectorVersionConnectorDefinition": "1.0.0", + "dataConnectorVersionConnections": "1.0.0", + "_solutionTier": "Druva", + "_dataConnectorContentIdConnectorDefinition": "DruvaDataConnectorDefinition", + "dataConnectorTemplateNameConnectorDefinition": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnectorDefinition')))]", + "_dataConnectorContentIdConnections": "DruvaDataConnections", + "dataConnectorTemplateNameConnections": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnections')))]", + "location": "[resourceGroup().location]", + "subscriptionId": "[last(split(subscription().id, '/'))]", + "druvaSecurityEventsTableName": "DruvaSecurityEvents_CL", + "druvaPlatformEventsTableName": "DruvaPlatformEvents_CL", + "druvaInsyncEventsTableName": "DruvaInsyncEvents_CL" + }, + + "resources": [ + + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnectorDefinition'), variables('dataConnectorVersionConnectorDefinition'))]", + "location": "[variables('location')]", + "dependsOn": [ + 
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "contentId": "[variables('_dataConnectorContentIdConnectorDefinition')]", + "displayName": "[concat(variables('_solutionName'), variables('dataConnectorTemplateNameConnectorDefinition'))]", + "contentKind": "DataConnector", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorVersionConnectorDefinition')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition')))]", + "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition'))]", + "contentId": "[variables('_dataConnectorContentIdConnectorDefinition')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersionConnectorDefinition')]", + "source": { + "sourceId": "[variables('_solutionId')]", + "name": "[variables('_solutionName')]", + "kind": "Solution" + }, + "author": { + "name": "[variables('_solutionAuthor')]" + }, + "support": { + "name": "[variables('_solutionAuthor')]", + "tier": "[variables('_solutionTier')]" + }, + "dependencies": { + "criteria": [ + { + "version": "[variables('dataConnectorVersionConnections')]", + "contentId": "[variables('_dataConnectorContentIdConnections')]", + "kind": "ResourcesDataConnector" + } + ] + } + } + }, + { + "name": "[variables('DCRName')]", + "apiVersion": "2021-09-01-preview", + "type": 
"Microsoft.Insights/dataCollectionRules", + "location": "[variables('location')]", + "properties": { + "dataCollectionEndpointId": "[concat('/subscriptions/',variables('subscriptionID'),'/resourceGroups/',resourceGroup().name,'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('workspace'))]", + "streamDeclarations": { + "[concat('Custom-', variables('druvaSecurityEventsTableName'))]": { + "columns": [ + { + "name": "TimeGenerated", + "type": "datetime" + }, + { + "name": "id", + "type": "int" + }, + { + "name": "globalCustomerId", + "type": "string" + }, + { + "name": "occurenceTime", + "type": "int" + }, + { + "name": "area", + "type": "string" + }, + { + "name": "category", + "type": "string" + }, + { + "name": "type", + "type": "string" + }, + { + "name": "syslogSeverity", + "type": "int" + }, + { + "name": "syslogFacility", + "type": "int" + }, + { + "name": "details", + "type": "string" + } + ] + }, + "[concat('Custom-', variables('druvaPlatformEventsTableName'))]": { + "columns": [ + { + "name": "TimeGenerated", + "type": "datetime" + }, + { + "name": "category", + "type": "string" + }, + { + "name": "details", + "type": "dynamic" + }, + { + "name": "feature", + "type": "string" + }, + { + "name": "globalID", + "type": "string" + }, + { + "name": "timeStamp", + "type": "int" + }, + { + "name": "productID", + "type": "int" + }, + { + "name": "syslogFacility", + "type": "int" + }, + { + "name": "syslogSeverity", + "type": "int" + }, + { + "name": "type", + "type": "string" + } + ] + }, + "[concat('Custom-', variables('druvaInsyncEventsTableName'))]": { + "columns": [ + { + "name": "eventType", + "type": "string" + }, + { + "name": "eventState", + "type": "string" + }, + { + "name": "eventID", + "type": "int" + }, + { + "name": "eventDetails", + "type": "string" + }, + { + "name": "timestamp", + "type": "datetime" + }, + { + "name": "initiator", + "type": "string" + }, + { + "name": "ip", + "type": "string" + }, + { + "name": "profileID", + 
"type": "string" + }, + { + "name": "profileName", + "type": "string" + }, + { + "name": "inSyncUserID", + "type": "string" + }, + { + "name": "inSyncUserName", + "type": "string" + }, + { + "name": "inSyncUserEmail", + "type": "string" + }, + { + "name": "inSyncDataSourceID", + "type": "string" + }, + { + "name": "inSyncDataSourceName", + "type": "string" + }, + { + "name": "clientOS", + "type": "string" + }, + { + "name": "clientVersion", + "type": "string" + }, + { + "name": "severity", + "type": "int" + }, + { + "name": "facility", + "type": "int" + } + ] + } + }, + "destinations": { + "logAnalytics": [ + { + "workspaceResourceId": "[variables('workspaceResourceId')]", + "name": "clv2ws1" + } + ] + }, + "dataFlows": [ + { + "streams": [ + "[concat('Custom-', variables('druvaSecurityEventsTableName'))]" + ], + "destinations": [ + "clv2ws1" + ], + "transformKql": "source\n| extend TimeGenerated = datetime_add('second',occurenceTime,make_datetime(1970,1,1)) \n| extend event_type = type\n| project-away occurenceTime, type\n| extend id = tostring(id) // Convert 'id' to string and rename to EventUid\n| project-rename EventUid = id\n\n", + "outputStream": "[concat('Custom-', variables('druvaSecurityEventsTableName'))]" + }, + + { + "streams": [ + "[concat('Custom-', variables('druvaPlatformEventsTableName'))]" + ], + "destinations": [ + "clv2ws1" + ], + "transformKql": "source\n| extend TimeGenerated = datetime_add('second',timeStamp,make_datetime(1970,1,1))\n| extend event_type = type\n| project-away timeStamp, type\n", + "outputStream": "[concat('Custom-', variables('druvaPlatformEventsTableName'))]" + }, + + { + "streams": [ + "[concat('Custom-', variables('druvaInsyncEventsTableName'))]" + ], + "destinations": [ + "clv2ws1" + ], + "transformKql": "source\n| extend TimeGenerated = timestamp\n| extend eventID = tostring(eventID)\n| project-rename EventUid = eventID\n| project-away timestamp\n", + "outputStream": "[concat('Custom-', 
variables('druvaInsyncEventsTableName'))]" + } + ] + } + }, + { + "name": "[variables('druvaSecurityEventsTableName')]", + "apiVersion": "2021-03-01-privatepreview", + "type": "Microsoft.OperationalInsights/workspaces", + "location": "[variables('location')]", + "properties": { + "schema": { + "name": "[variables('druvaSecurityEventsTableName')]", + "columns": [ + { + "name": "area", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "category", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "details", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "globalCustomerId", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "syslogFacility", + "type": "int", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "syslogSeverity", + "type": "int", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "TimeGenerated", + "type": "datetime", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "event_type", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "EventUid", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + } + ] + } + } + }, + + { + "name": "[variables('druvaPlatformEventsTableName')]", + "apiVersion": "2021-03-01-privatepreview", + "type": "Microsoft.OperationalInsights/workspaces", + "location": "[variables('location')]", + "properties": { + "schema": { + "name": "[variables('druvaPlatformEventsTableName')]", + "columns": [ + { + "name": "category", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "details", + "type": "dynamic", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "feature", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "globalID", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false 
+ }, + { + "name": "productID", + "type": "int", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "syslogFacility", + "type": "int", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "syslogSeverity", + "type": "int", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "TimeGenerated", + "type": "datetime", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "event_type", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + } + ] + } + } + }, + + { + "name": "[variables('druvaInsyncEventsTableName')]", + "apiVersion": "2021-03-01-privatepreview", + "type": "Microsoft.OperationalInsights/workspaces", + "location": "[variables('location')]", + "kind": null, + "properties": { + "schema": { + "name": "[variables('druvaInsyncEventsTableName')]", + "columns": [ + { + "name": "clientOS", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "clientVersion", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "eventDetails", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "eventState", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "eventType", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "facility", + "type": "int", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "initiator", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "inSyncDataSourceID", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "inSyncDataSourceName", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "inSyncUserEmail", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "inSyncUserID", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { 
+ "name": "inSyncUserName", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "ip", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "profileID", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "profileName", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "severity", + "type": "int", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "TimeGenerated", + "type": "datetime", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "EventUid", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + } + ] + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "contentProductId": "[concat(substring(variables('_solutionId'), 0, 50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentIdConnectorDefinition'),'-', variables('dataConnectorVersionConnectorDefinition'))))]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "version": "[variables('_solutionVersion')]" + } + }, + + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition'))]", + "apiVersion": "2022-09-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions", + "location": "[variables('location')]", + "kind": "Customizable", + "properties": + { + "connectorUiConfig": { + "title": "Druva Events Connector", + "publisher" : "Microsoft", + "descriptionMarkdown" : "Provides capability to ingest the druva events from druva apis", + "graphQueriesTableName" : "[variables('druvaSecurityEventsTableName')]", + "graphQueries": [ + { + "metricName":"Total Security Events", + "legend":"Druva Security events received", + 
"baseQuery": "{{graphQueriesTableName}}" + }, + + { + "metricName":"Total platform events", + "legend":"Druva platform events received", + "baseQuery": "DruvaPlatformEvents_CL" + }, + { + "metricName":"Total insync events", + "legend":"Druva insync events received", + "baseQuery": "DruvaInsyncEvents_CL" + } + ], + "sampleQueries":[ + { + "description": "Sample of Druva security events", + "query": "{{graphQueriesTableName}}\n| take 10" + }, + { + "description": "Sample of Druva platform events", + "query": "DruvaPlatformEvents_CL\n| take 10" + }, + { + "description": "Sample of Druva insync events", + "query": "DruvaInsyncEvents_CL\n| take 10" + } + ], + "dataTypes":[ + { + "name": "{{graphQueriesTableName}}", + "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | summarize Time=max(TimeGenerated) \n | where isnotempty(Time)" + }, + { + "name": "DruvaPlatformEvents_CL", + "lastDataReceivedQuery": "DruvaPlatformEvents_CL\n | summarize Time=max(TimeGenerated) \n | where isnotempty(Time)" + }, + { + "name": "DruvaInsyncEvents_CL", + "lastDataReceivedQuery": "DruvaInsyncEvents_CL\n | summarize Time=max(TimeGenerated) \n | where isnotempty(Time)" + } + ], + "connectivityCriteria":[ + { + "type": "HasDataConnectors" + } + ], + "permissions":{ + "resourceProvider":[ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText":"Read and Write permission are required", + "providerDisplayName":"Workspace", + "scope":"Workspace", + "requiredPermissions":{ + "write": true, + "read":true, + "delete": true + } + } + ], + "customs":[ + { + "name": "Druva API credential", + "description":"Druva api requires a client id and client secret to authenticate" + } + ] + }, + "instructionSteps":[ + { + "description": ">Note: Configurations to connect to Druva Rest API\n" + }, + { + "description": "Step 1: Create Crdentials from Druva Console: https://help.druva.com/en/articles/8580838-create-and-manage-api-credentials\n" + }, + { + "description": "Step 2: 
Enter the hostname public cloud its apis.druva.com\n" + }, + { + "description": "Step 3: Get client id and client secret key\n" + }, + { + "description": "Provide required values:\n", + "instructions":[ + + { + "type": "Textbox", + "parameters": { + "label": "hostname", + "placeholder": "Example: apis.druva.com", + "type": "text", + "name": "hostname" + } + }, + + { + "type": "OAuthForm", + "parameters":{ + "clientIdLabel":"Client ID", + "clientSecretLabel" : "Client Secret", + "connectButtonLabel":"Connect", + "disconnectButtonLabel": "Diconnect" + } + } + ], + "tittle": "Connect to Druva API to start collecting logs in microft sentinel" + } + ] + } + } + }, + + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition')))]", + "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition'))]", + "contentId": "[variables('_dataConnectorContentIdConnectorDefinition')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersionConnectorDefinition')]", + "source": { + "sourceId": "[variables('_solutionId')]", + "name": "[variables('_solutionName')]", + "kind": "Solution" + }, + "author": { + "name": "[variables('_solutionAuthor')]" + }, + "support": { + "name": "[variables('_solutionAuthor')]", + "tier": "[variables('_solutionTier')]" + }, + "dependencies": { + "criteria": [ + { + "version": "[variables('dataConnectorVersionConnections')]", + "contentId": "[variables('_dataConnectorContentIdConnections')]", + "kind": "ResourcesDataConnector" + } + ] + } + } + }, + + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": 
"2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnections'), variables('dataConnectorVersionConnections'))]", + "location": "[variables('location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "contentId": "[variables('_dataConnectorContentIdConnections')]", + "displayName": "[concat(variables('_solutionName'), variables('dataConnectorTemplateNameConnections'))]", + "contentKind": "ResourcesDataConnector", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorVersionConnections')]", + "parameters":{ + "connectorDefinitionName": { + "defaultValue": "connectorDefinitionName", + "type": "string", + "minLength": 1 + }, + + "hostname":{ + "defaultValue": "apis.druva.com", + "type":"string", + "minlength": 1, + "metadata":{ + "description": "hostname" + } + }, + + "clientId":{ + "defaultValue": "-NA-", + "type":"string", + "minlength": 1, + "metadata":{ + "description": "clientId" + } + }, + + "clientSecret":{ + "defaultValue": "-NA-", + "type":"string", + "minlength": 1, + "metadata":{ + "description": "clientSecret" + } + }, + + "workspace": { + "defaultValue": "[parameters('workspace')]", + "type": "string" + }, + "dcrConfig": { + "defaultValue": { + "dataCollectionEndpoint": "data collection Endpoint", + "dataCollectionRuleImmutableId": "data collection rule immutableId" + }, + "type": "object" + } + + }, + "variables": { + "_dataConnectorContentIdConnections": "[variables('_dataConnectorContentIdConnections')]", + "clientAuthBase64": "[[base64(concat(parameters('clientId'), ':', parameters('clientSecret')))]" + }, + "resources": [ + { + "name": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnections')))]", + "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentIdConnections'))]", + "contentId": "[variables('_dataConnectorContentIdConnections')]", + "kind": "ResourcesDataConnector", + "version": "[variables('dataConnectorVersionConnections')]", + "source": { + "sourceId": "[variables('_solutionId')]", + "name": "[variables('_solutionName')]", + "kind": "Solution" + }, + "author": { + "name": "[variables('_solutionAuthor')]" + }, + "support": { + "name": "[variables('_solutionAuthor')]", + "tier": "[variables('_solutionTier')]" + } + } + }, + + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', 'RealizeConnector')]", + + "apiVersion": "2022-12-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[variables('location')]", + "kind": "RestApiPoller", + "properties": + { + + "dataType": "[variables('druvaSecurityEventsTableName')]", + "response": { + "eventsJsonPaths": [ + "$.events" + ], + "format": "json" + }, + "paging": { + "pagingType" : "PersistentToken", + "nextPageTokenJsonPath": "$.nextTrackerToken", + "nextPageParaName": "trackerToken" + }, + "connectorDefinitionName": "[[parameters('connectorDefinitionName')]", + "auth": { + "type" : "OAuth2", + "clientSecret": "[[parameters('clientSecret')]", + "clientId": "[[parameters('clientId')]", + "tokenEndpoint": "[[concat('https://', parameters('hostname'), '/token')]", + "tokenEndpointHeaders": { + "Accept": "application/json", + "Content-Type": "application/x-www-form-urlencoded", + "Authorization" : "[[concat('Basic ', 
variables('clientAuthBase64'))]" + }, + "TokenEndpointQueryParameters": {}, + "grantType": "client_credentials" + }, + + "request": { + "apiEndpoint": "[[concat('https://', parameters('hostname'), '/realize/eventmanagement/v1/events/tracker')]", + "rateLimitQPS": 10, + "queryWindowInMin": 15, + "httpMethod": "GET", + "retryCount": 3, + "timeoutInSeconds": 30, + "headers": { + "Accept": "application/json" + + } + }, + "dcrConfig": { + "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", + "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]", + "streamName": "[concat('Custom-', variables('druvaSecurityEventsTableName'))]" + }, + "isActive": true + } + }, + + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', 'PlatformConnector')]", + + "apiVersion": "2022-12-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[variables('location')]", + "kind": "RestApiPoller", + "properties": + { + + "dataType": "[variables('druvaPlatformEventsTableName')]", + "response": { + "eventsJsonPaths": [ + "$.events" + ], + "format": "json" + }, + "paging": { + "pagingType" : "PersistentToken", + "nextPageTokenJsonPath": "$.nextPageToken", + "nextPageParaName": "pageToken" + }, + "connectorDefinitionName": "[[parameters('connectorDefinitionName')]", + "auth": { + "type" : "OAuth2", + "clientSecret": "[[parameters('clientSecret')]", + "clientId": "[[parameters('clientId')]", + "tokenEndpoint": "[[concat('https://', parameters('hostname'), '/token')]", + "tokenEndpointHeaders": { + "Accept": "application/json", + "Content-Type": "application/x-www-form-urlencoded", + "Authorization" : "[[concat('Basic ', variables('clientAuthBase64'))]" + }, + "TokenEndpointQueryParameters": {}, + "grantType": "client_credentials" + }, + + "request": { + "apiEndpoint": "[[concat('https://', parameters('hostname'), '/platform/eventmanagement/v2/events')]", + 
"rateLimitQPS": 10, + "queryWindowInMin": 15, + "httpMethod": "GET", + "retryCount": 3, + "timeoutInSeconds": 30, + "headers": { + "Accept": "application/json" + + } + }, + "dcrConfig": { + "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", + "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]", + "streamName": "[concat('Custom-', variables('druvaPlatformEventsTableName'))]" + }, + "isActive": true + } + }, + + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', 'InsyncConnector')]", + + "apiVersion": "2022-12-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[variables('location')]", + "kind": "RestApiPoller", + "properties": + { + + "dataType": "[variables('druvaInsyncEventsTableName')]", + "response": { + "eventsJsonPaths": [ + "$.events" + ], + "format": "json" + }, + + "paging": { + "pagingType" : "PersistentToken", + "nextPageTokenJsonPath": "$.tracker", + "nextPageParaName": "tracker" + }, + + "connectorDefinitionName": "[[parameters('connectorDefinitionName')]", + "auth": { + "type" : "OAuth2", + "clientSecret": "[[parameters('clientSecret')]", + "clientId": "[[parameters('clientId')]", + "tokenEndpoint": "[[concat('https://', parameters('hostname'), '/token')]", + "tokenEndpointHeaders": { + "Accept": "application/json", + "Content-Type": "application/x-www-form-urlencoded", + "Authorization" : "[[concat('Basic ', variables('clientAuthBase64'))]" + }, + "TokenEndpointQueryParameters": {}, + "grantType": "client_credentials" + }, + + "request": { + "apiEndpoint": "[[concat('https://', parameters('hostname'), '/insync/eventmanagement/v2/events')]", + "rateLimitQPS": 10, + "queryWindowInMin": 15, + "httpMethod": "GET", + "retryCount": 3, + "timeoutInSeconds": 30, + "headers": { + "Accept": "application/json" + + } + }, + "dcrConfig": { + "dataCollectionEndpoint": 
"[[parameters('dcrConfig').dataCollectionEndpoint]", + "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]", + "streamName": "[concat('Custom-', variables('druvaInsyncEventsTableName'))]" + }, + "isActive": true + } + } + + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "contentProductId": "[concat(substring(variables('_solutionId'), 0, 50),'-','rdc','-', uniqueString(concat(variables('_solutionId'),'-','ResourcesDataConnector','-',variables('_dataConnectorContentIdConnections'),'-', variables('dataConnectorVersionConnections'))))]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "version": "[variables('_solutionVersion')]" + } + }, + + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]", + "location": "[variables('location')]", + "apiVersion": "2023-04-01-preview", + "properties": { + "version": "[variables('_solutionVersion')]", + "kind": "Solution", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_solutionId')]", + "source": { + "kind": "Solution", + "name": "[variables('_solutionName')]", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "[variables('_solutionAuthor')]" + }, + "support": { + "name": "[variables('_solutionAuthor')]" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "kind": "DataConnector", + "contentId": "[variables('dataConnectorVersionConnectorDefinition')]", + "version": "[variables('_dataConnectorContentIdConnectorDefinition')]" + } + ] + }, + "firstPublishDate": "2023-12-05", + "providers": [ + "[variables('_solutionAuthor')]" + ], + "contentKind": "Solution", + "packageId": "[variables('_solutionId')]", + "contentProductId": "[concat(substring(variables('_solutionId'), 0, 50),'-','sl','-', 
uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]", + "displayName": "[variables('_solutionName')]", + "publisherDisplayName": "[variables('_solutionId')]", + "descriptionHtml": "test", + "icon": "[variables('_packageIcon')]" + } + } + + ] +} diff --git a/Solutions/DruvaDataSecurityCloud/Data Connectors/Logo/Druva_Logo.svg b/Solutions/DruvaDataSecurityCloud/Data Connectors/Logo/Druva_Logo.svg new file mode 100644 index 00000000000..634576f5eda --- /dev/null +++ b/Solutions/DruvaDataSecurityCloud/Data Connectors/Logo/Druva_Logo.svg @@ -0,0 +1,12 @@ + + diff --git a/Solutions/DruvaDataSecurityCloud/Data/Solution_Druva.json b/Solutions/DruvaDataSecurityCloud/Data/Solution_Druva.json new file mode 100644 index 00000000000..82b5bbf4ca2 --- /dev/null +++ b/Solutions/DruvaDataSecurityCloud/Data/Solution_Druva.json @@ -0,0 +1,21 @@ +{ + "Name": "DruvaDataSecurityCloud", + "Author": "Druva - support@druva.com", + "Logo": "", + "Description": "The [Druva Event CCP Connector] solution provides the capability to ingest to ingest [Druva events]", + "Playbooks": [ + "Playbooks/DruvaQuarantineEnterpriseWorkload/azuredeploy.json", + "Playbooks/DruvaQuarantineInsyncWorkloads/azuredeploy.json", + "Playbooks/DruvaQuarantineUsingResourceID/azuredeploy.json", + "Playbooks/DruvaQuarantineSharePoint/azuredeploy.json", + "Playbooks/DruvaQuarantineSharedDrive/azuredeploy.json" + ], + "Data Connectors": [ + "Data Connectors/Druva_ccp/Druva_DataConnectorDefinition.json" + ], + "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\DruvaDataSecurityCloud", + "Version": "3.0.0", + "Metadata": "SolutionMetadata.json", + "TemplateSpec": true, + "Is1PConnector": false +} diff --git a/Solutions/DruvaDataSecurityCloud/Package/3.0.0.zip b/Solutions/DruvaDataSecurityCloud/Package/3.0.0.zip new file mode 100644 index 00000000000..2703d3c3a10 Binary files /dev/null and b/Solutions/DruvaDataSecurityCloud/Package/3.0.0.zip differ 
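Review bot: The `Description` value, `"The [Druva Event CCP Connector] solution provides the capability to ingest to ingest [Druva events]"`, repeats "to ingest" and still carries the square-bracket placeholders, and this is the string the packaging tool copies into the solution's user-facing text — the identical sentence is already visible in the generated createUiDefinition.json basics description added by this commit. Suggest `"Description": "The Druva Event CCP Connector solution provides the capability to ingest Druva events into Microsoft Sentinel."` and regenerating the Package folder so createUiDefinition.json and mainTemplate.json pick it up. `"Logo": ""` is also left empty even though the commit adds Druva_Logo.svg under both Logos/ and Data Connectors/Logo/; if the tooling derives the package icon from this field, the solution will ship without one. `BasePath` points at a local Windows checkout (`C:\\GitHub\\...`), which presumably follows how other solutions in this repo are packaged but has to be edited by anyone regenerating the package on another machine.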
diff --git a/Solutions/DruvaDataSecurityCloud/Package/createUiDefinition.json b/Solutions/DruvaDataSecurityCloud/Package/createUiDefinition.json
new file mode 100644
index 00000000000..02c0c14c17e
--- /dev/null
+++ b/Solutions/DruvaDataSecurityCloud/Package/createUiDefinition.json
@@ -0,0 +1,113 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#", + "handler": "Microsoft.Azure.CreateUIDef", + "version": "0.1.2-preview", + "parameters": { + "config": { + "isWizard": false, + "basics": { + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/DruvaDataSecurityCloud/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Druva Event CCP Connector] solution provides the capability to ingest to ingest [Druva events]\n\n**Data Connectors:** 1, **Playbooks:** 5\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "subscription": { + "resourceProviders": [ + "Microsoft.OperationsManagement/solutions", + "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "Microsoft.Insights/workbooks", + "Microsoft.Logic/workflows" + ] + }, + "location": { + "metadata": { + "hidden": "Hiding location, we get it from the log analytics workspace" + }, + "visible": false + }, + "resourceGroup": { + "allowExisting": true + } + } + }, + "basics": [ + { + "name": "getLAWorkspace", + "type": "Microsoft.Solutions.ArmApiControl", + "toolTip": "This filters by workspaces that exist in the Resource Group selected", + "condition": "[greater(length(resourceGroup().name),0)]", + "request": { + "method": "GET", + "path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]" + } + }, + { + "name": "workspace", + "type": "Microsoft.Common.DropDown", + "label": "Workspace", + "placeholder": "Select a workspace", + "toolTip": "This dropdown will list only workspace that exists in the Resource Group selected", + 
"constraints": { + "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]", + "required": true + }, + "visible": true + } + ], + "steps": [ + { + "name": "dataconnectors", + "label": "Data Connectors", + "bladeTitle": "Data Connectors", + "elements": [ + { + "name": "dataconnectors1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This Solution installs the data connector for DruvaDataSecurityCloud. You can get DruvaDataSecurityCloud data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." + } + }, + { + "name": "dataconnectors-link2", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more about connecting data sources", + "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources" + } + } + } + ] + }, + { + "name": "playbooks", + "label": "Playbooks", + "subLabel": { + "preValidation": "Configure the playbooks", + "postValidation": "Done" + }, + "bladeTitle": "Playbooks", + "elements": [ + { + "name": "playbooks-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This solution installs the Playbook templates to help implement your Security Orchestration, Automation and Response (SOAR) operations. After installing the solution, these will be deployed under Playbook Templates in the Automation blade in Microsoft Sentinel. They can be configured and managed from the Manage solution view in Content Hub." 
+ } + }, + { + "name": "playbooks-link", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-respond-threats-playbook?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef" + } + } + } + ] + } + ], + "outputs": { + "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]", + "location": "[location()]", + "workspace": "[basics('workspace')]" + } + } +} diff --git a/Solutions/DruvaDataSecurityCloud/Package/mainTemplate.json b/Solutions/DruvaDataSecurityCloud/Package/mainTemplate.json new file mode 100644 index 00000000000..a53d4e3faab --- /dev/null +++ b/Solutions/DruvaDataSecurityCloud/Package/mainTemplate.json 
@@ -0,0 +1,4534 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "author": "Druva - support@druva.com", + "comments": "Solution template for DruvaDataSecurityCloud" + }, + "parameters": { + "location": { + "type": "string", + "minLength": 1, + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace" + } + }, + "workspace-location": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" + } + }, + "workspace": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" + } + }, + "resourceGroupName": { + "type": "string", + "defaultValue": "[resourceGroup().name]", + "metadata": { + "description": "resource group name where Microsoft Sentinel is setup" + } + }, + "subscription": { + "type": "string", + "defaultValue": "[last(split(subscription().id, '/'))]", + "metadata": { + "description": "subscription id where Microsoft Sentinel is setup" + } + } + }, + "variables": { + "email": "support@druva.com", + "_email": "[variables('email')]", + "_solutionName": "DruvaDataSecurityCloud", + "_solutionVersion": "3.0.0", + "solutionId": "druva-azuresentinel-solution.azure-sentinel-solution-druva", + "_solutionId": "[variables('solutionId')]", + "DruvaQuarantineEnterpriseWorkload": "DruvaQuarantineEnterpriseWorkload", + "_DruvaQuarantineEnterpriseWorkload": "[variables('DruvaQuarantineEnterpriseWorkload')]", + "TemplateEmptyArray": "[json('[]')]", + "playbookVersion1": "1.0", + "playbookContentId1": "DruvaQuarantineEnterpriseWorkload", + "_playbookContentId1": 
"[variables('playbookContentId1')]", + "playbookId1": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId1'))]", + "playbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId1'))))]", + "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", + "_playbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId1'),'-', variables('playbookVersion1'))))]", + "blanks": "[replace('b', 'b', '')]", + "DruvaQuarantineInsyncWorkloads": "DruvaQuarantineInsyncWorkloads", + "_DruvaQuarantineInsyncWorkloads": "[variables('DruvaQuarantineInsyncWorkloads')]", + "playbookVersion2": "1.0", + "playbookContentId2": "DruvaQuarantineInsyncWorkloads", + "_playbookContentId2": "[variables('playbookContentId2')]", + "playbookId2": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId2'))]", + "playbookTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId2'))))]", + "_playbookcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId2'),'-', variables('playbookVersion2'))))]", + "DruvaQuarantineUsingResourceID": "DruvaQuarantineUsingResourceID", + "_DruvaQuarantineUsingResourceID": "[variables('DruvaQuarantineUsingResourceID')]", + "playbookVersion3": "1.0", + "playbookContentId3": "DruvaQuarantineUsingResourceID", + "_playbookContentId3": "[variables('playbookContentId3')]", + "playbookId3": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId3'))]", + "playbookTemplateSpecName3": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId3'))))]", + "_playbookcontentProductId3": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId3'),'-', variables('playbookVersion3'))))]", + "DruvaQuarantineSharePoint": "DruvaQuarantineSharePoint", + "_DruvaQuarantineSharePoint": "[variables('DruvaQuarantineSharePoint')]", + "playbookVersion4": "1.0", + "playbookContentId4": "DruvaQuarantineSharePoint", + "_playbookContentId4": "[variables('playbookContentId4')]", + "playbookId4": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId4'))]", + "playbookTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId4'))))]", + "_playbookcontentProductId4": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId4'),'-', variables('playbookVersion4'))))]", + "DruvaQuarantineSharedDrive": "DruvaQuarantineSharedDrive", + "_DruvaQuarantineSharedDrive": "[variables('DruvaQuarantineSharedDrive')]", + "playbookVersion5": "1.0", + "playbookContentId5": "DruvaQuarantineSharedDrive", + "_playbookContentId5": "[variables('playbookContentId5')]", + "playbookId5": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId5'))]", + "playbookTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId5'))))]", + "_playbookcontentProductId5": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId5'),'-', variables('playbookVersion5'))))]", + "dataConnectorCCPVersion": "1.0.0", + 
"_dataConnectorContentIdConnectorDefinition1": "DruvaEventCCPDefinition", + "dataConnectorTemplateNameConnectorDefinition1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnectorDefinition1')))]", + "_dataConnectorContentIdConnections1": "DruvaEventCCPDefinitionConnections", + "dataConnectorTemplateNameConnections1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnections1')))]", + "dataCollectionEndpointId1": "[concat('/subscriptions/',parameters('subscription'),'/resourceGroups/',parameters('resourceGroupName'),'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('workspace'))]", + "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName1')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Druva_Quarantine_Enterprise_Workloads Playbook with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion1')]", + "parameters": { + "PlaybookName": { + "defaultValue": "Druva_Quarantine_Enterprise_Workloads", + "type": "string", + "metadata": { + "description": "Name of the Playbook." 
+ } + }, + "keyvaultName": { + "type": "String", + "defaultValue": "Druva-ClientCredential", + "metadata": { + "description": "Name of the Vault created to store Druva Client Credentials." + } + } + }, + "variables": { + "keyvaultConnectionName": "[[concat('KeyVault-', parameters('PlaybookName'))]", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/keyvault')]", + "_connection-2": "[[variables('connection-2')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2017-07-01", + "name": "[[parameters('PlaybookName')]", + "location": "[[variables('workspace-location-inline')]", + "tags": { + "hidden-SentinelTemplateName": "DruvaQuarantineEnterpriseWorkloadsResource", + "hidden-SentinelTemplateVersion": "1.0", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "identity": { + "type": "SystemAssigned" + }, + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('keyvaultConnectionName'))]" + ], + "properties": { + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "api_host": { + "defaultValue": "https://apis.druva.com", + "type": "String" + }, + "$connections": { + "type": "Object" + } + }, + "triggers": { + "When_a_HTTP_request_is_received": { + "type": "Request", + "kind": "Http", + "inputs": { + "schema": { + "type": "object", + "properties": { + "enterprise_resource_name": { + "type": "string" + }, + "fromDate": { + "type": "string" + }, + "toDate": { + "type": "string" + } + } + } 
+ } + } + }, + "actions": { + "Generate_Bearer_Token": { + "runAfter": { + "Get_secret_ClientSecret": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "uri": "@{parameters('api_host')}/token", + "method": "POST", + "headers": { + "Authorization": "Basic @{base64(concat(body('Get_secret_ClientId')?['value'], ':', body('Get_secret_ClientSecret')?['value']))}", + "Content-Type": "application/x-www-form-urlencoded" + }, + "body": "scope=read&grant_type=client_credentials" + }, + "runtimeConfiguration": { + "contentTransfer": { + "transferMode": "Chunked" + } + } + }, + "Parse_Bearer_Token": { + "runAfter": { + "Generate_Bearer_Token": [ + "Succeeded" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@body('Generate_Bearer_Token')", + "schema": { + "type": "object", + "properties": { + "access_token": { + "type": "string" + }, + "token_type": { + "type": "string" + }, + "expires_in": { + "type": "integer" + } + } + } + } + }, + "Find_Device": { + "runAfter": { + "Initialize_Combined_Resources_variable": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "uri": "@{parameters('api_host')}/realize/ransomwarerecovery/v1/search/backupset", + "method": "GET", + "headers": { + "Authorization": "Bearer @{body('Parse_Bearer_Token')?['access_token']}" + }, + "queries": { + "hostname": "@{triggerBody()?['enterprise_resource_name']}" + } + }, + "runtimeConfiguration": { + "contentTransfer": { + "transferMode": "Chunked" + } + } + }, + "Find_VM_Device": { + "runAfter": { + "Initialize_Combined_Resources_variable": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "uri": "@{parameters('api_host')}/realize/ransomwarerecovery/v1/search/backupset", + "method": "GET", + "headers": { + "Authorization": "Bearer @{body('Parse_Bearer_Token')?['access_token']}" + }, + "queries": { + "hostname": "@{triggerBody()?['enterprise_resource_name']}", + "serverTypes[]": "3" + } + }, + "runtimeConfiguration": { + "contentTransfer": { + "transferMode": "Chunked" + } 
+ } + }, + "Parse_Resource_Details": { + "runAfter": { + "Find_Device": [ + "Succeeded" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@body('Find_Device')", + "schema": { + "type": "object", + "properties": { + "resources": { + "type": "array", + "items": { + "type": "object", + "properties": { + "resourceID": { + "type": "integer" + }, + "resourceName": { + "type": "string" + }, + "resourceType": { + "type": "string" + }, + "resourceStatus": { + "type": "string" + }, + "resourceParentName": { + "type": "string" + }, + "orgID": { + "type": "integer" + } + }, + "required": [ + "resourceID", + "resourceName", + "resourceType", + "resourceStatus", + "resourceParentName", + "orgID" + ] + } + }, + "nextPageToken": { + "type": "string" + } + } + } + } + }, + "Parse_VM_Resource_Details": { + "runAfter": { + "Find_VM_Device": [ + "Succeeded" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@body('Find_VM_Device')", + "schema": { + "type": "object", + "properties": { + "resources": { + "type": "array", + "items": { + "type": "object", + "properties": { + "resourceID": { + "type": "integer" + }, + "resourceName": { + "type": "string" + }, + "resourceType": { + "type": "string" + }, + "resourceStatus": { + "type": "string" + }, + "resourceParentName": { + "type": "string" + }, + "orgID": { + "type": "integer" + } + }, + "required": [ + "resourceID", + "resourceName", + "resourceType", + "resourceStatus", + "resourceParentName", + "orgID" + ] + } + }, + "nextPageToken": { + "type": "string" + } + } + } + } + }, + "CombineResponses": { + "runAfter": { + "Parse_Resource_Details": [ + "Succeeded" + ], + "Parse_VM_Resource_Details": [ + "Succeeded" + ] + }, + "type": "Compose", + "inputs": [ + { + "resources": "@body('Parse_Resource_Details')?['resources']" + }, + { + "resources": "@body('Parse_VM_Resource_Details')?['resources']" + } + ] + }, + "Initialize_Combined_Resources_variable": { + "runAfter": { + "Parse_Bearer_Token": [ + "Succeeded" + ] + }, + 
"type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "CombinedResources", + "type": "array", + "value": "[variables('TemplateEmptyArray')]" + } + ] + } + }, + "For_Each_Response": { + "foreach": "@outputs('CombineResponses')", + "actions": { + "Nested_For_each_": { + "foreach": "@item()?['resources']", + "actions": { + "Append_to_array_variable": { + "type": "AppendToArrayVariable", + "inputs": { + "name": "CombinedResources", + "value": "@item()" + } + } + }, + "type": "Foreach" + } + }, + "runAfter": { + "Parse_CombineResponses_JSON": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Compose_Resources": { + "runAfter": { + "For_Each_Responses": [ + "Succeeded" + ] + }, + "type": "Compose", + "inputs": { + "resources": "@variables('CombinedResources')" + } + }, + "If_Resource_Exists": { + "actions": { + "Resource_JSON": { + "type": "ParseJson", + "inputs": { + "content": "@outputs('Compose_Resources')", + "schema": { + "type": "object", + "properties": { + "resources": { + "type": "array", + "items": { + "type": "object", + "properties": { + "resourceID": { + "type": "integer" + }, + "resourceName": { + "type": "string" + }, + "resourceType": { + "type": "string" + }, + "resourceStatus": { + "type": "string" + }, + "resourceParentName": { + "type": "string" + }, + "orgID": { + "type": "integer" + } + }, + "required": [ + "resourceID", + "resourceName", + "resourceType", + "resourceStatus", + "resourceParentName", + "orgID" + ] + } + } + } + } + } + } + }, + "runAfter": { + "Compose_Resources": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Terminate": { + "type": "Terminate", + "inputs": { + "runStatus": "Failed", + "runError": { + "code": "500", + "message": "Resource Not Found" + } + } + } + } + }, + "expression": { + "or": [ + { + "equals": [ + "@variables('ResourceMatch')", + "@true" + ] + } + ] + }, + "type": "If" + }, + "For_each_Resource": { + "foreach": "@body('Resource_JSON')?['resources']", + "actions": { + 
"Quarantine_VM_API": { + "type": "Http", + "inputs": { + "uri": "@{parameters('api_host')}/realize/ransomwarerecovery/v1/quarantineranges/resource/@{item()?['resourceID']}", + "method": "POST", + "headers": { + "accept": "application/json", + "Authorization": "Bearer @{body('Parse_Bearer_Token')?['access_token']}", + "Content-Type": "application/json" + }, + "body": { + "resourceType": "@item()?['resourceType']", + "orgID": "@item()?['orgID']", + "fromDate": "@triggerBody()?['fromDate']", + "toDate": "@triggerBody()?['toDate']" + } + }, + "runtimeConfiguration": { + "contentTransfer": { + "transferMode": "Chunked" + } + } + }, + "Parse_VM_Range_ID_": { + "runAfter": { + "Quarantine_VM_API": [ + "Succeeded" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@body('Quarantine_VM_API')", + "schema": { + "type": "object", + "properties": { + "rangeID": { + "type": "integer" + } + } + } + } + } + }, + "runAfter": { + "If_Resource_Exists": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Get_secret_ClientId": { + "runAfter": { + "Initialize_variable_Match_Resource": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['keyvault']['connectionId']" + } + }, + "method": "get", + "path": "/secrets/@{encodeURIComponent('Druva-ClientID')}/value" + } + }, + "Get_secret_ClientSecret": { + "runAfter": { + "Get_secret_ClientId": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['keyvault']['connectionId']" + } + }, + "method": "get", + "path": "/secrets/@{encodeURIComponent('Druva-ClientSecret')}/value" + } + }, + "check_resourcename": { + "actions": { + "Compose_Message": { + "type": "Compose", + "inputs": { + "message": "username is not empty" + } + } + }, + "else": { + "actions": { + "Terminate_Execution": { + "type": "Terminate", + "inputs": { + "runStatus": "Failed", + "runError": { + "code": "500", 
+ "message": "\"Username is empty\"" + } + } + } + } + }, + "expression": { + "or": [ + { + "not": { + "equals": [ + "@triggerBody()?['enterprise_resource_name']", + "@null" + ] + } + } + ] + }, + "type": "If" + }, + "Initialize_variable_Match_Resource": { + "runAfter": { + "check_resourcename": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "ResourceMatch", + "type": "boolean", + "value": false + } + ] + } + }, + "Parse_CombineResponses_JSON": { + "runAfter": { + "CombineResponses": [ + "Succeeded" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@outputs('CombineResponses')", + "schema": { + "type": "array", + "items": { + "type": "object", + "properties": { + "resources": { + "type": "array", + "items": { + "type": "object", + "properties": { + "resourceID": { + "type": "integer" + }, + "resourceName": { + "type": "string" + }, + "resourceType": { + "type": "string" + }, + "resourceStatus": { + "type": "string" + }, + "resourceParentName": { + "type": "string" + }, + "orgID": { + "type": "integer" + } + }, + "required": [ + "resourceID", + "resourceName", + "resourceType", + "resourceStatus", + "resourceParentName", + "orgID" + ] + } + } + }, + "required": [ + "resources" + ] + } + } + } + }, + "For_Each_Responses": { + "foreach": "@outputs('Parse_CombineResponses_JSON')['body']", + "actions": { + "Nested_For_each": { + "foreach": "@item()['resources']", + "actions": { + "Check_If_Resource_exists": { + "actions": { + "Set_Match_Resource_True": { + "type": "SetVariable", + "inputs": { + "name": "ResourceMatch", + "value": true + } + } + }, + "expression": { + "or": [ + { + "equals": [ + "@item()['resourceParentName']", + "@triggerBody()?['enterprise_resource_name']" + ] + } + ] + }, + "type": "If" + } + }, + "type": "Foreach" + } + }, + "runAfter": { + "Parse_CombineResponses_JSON": [ + "Succeeded" + ] + }, + "type": "Foreach" + } + } + }, + "parameters": { + "$connections": { + "value": { + 
"keyvault": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('keyvaultConnectionName'))]", + "connectionName": "[[variables('keyvaultConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Keyvault')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + } + } + } + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2018-07-01-preview", + "name": "[[variables('keyvaultConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('keyvaultConnectionName')]", + "connectionState": "Enabled", + "parameterValueSet": { + "name": "oauthMI", + "values": { + "vaultName": { + "value": "[[parameters('keyvaultName')]" + } + } + }, + "api": { + "id": "[[variables('_connection-2')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId1'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId1')]", + "contentId": "[variables('_playbookContentId1')]", + "kind": "Playbook", + "version": "[variables('playbookVersion1')]", + "source": { + "kind": "Solution", + "name": "DruvaDataSecurityCloud", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Druva", + "email": "[variables('_email')]" + }, + "support": { + "name": "Druva Inc", + "email": "support@druva.com", + "tier": "Partner", + "link": "https://support.druva.com/" + } + } + } + ], + "metadata": { + "title": "Druva Quarantine Playbook for Enterprise Workload", + "description": "This playbook uses Druva-Ransomware-Response capabilities to stop the spread of ransomware and avoid reinfection or contamination spread 
in your enterprise workload", + "prerequisites": [ + "1. Verify ARR (Accelerated Ransomeware Recovery) should be enabled for the respective Device using Resource ID on the Druva Security Cloud Platform.", + "2. Generate Druva API Client Credentials", + "a. Use the following link to navigate to Druva's documentation page and refer the steps to generate API Client Credentials.", + "b. Druva's Documentation Page : https://help.druva.com/en/articles/8580838-create-and-manage-api-credentials", + "c. Copy/Paste or Store the creds for future use.", + "3. Store Service account credentials in Key Vault Secrets and obtain keyvault name.", + "a. Create a Key Vault with name as Druva-ClientCredential", + "b. Go to KeyVault -> secrets -> Generate/import and create 'Druva-ClientID' & 'Druva-ClientSecret' for storing client_id and client_secret respectively", + "c. Store the secrets obtained for your organization and user from Druva Console UI in the previous step." + ], + "executionSteps": [ + "1. Deploy the ARM template:", + "a. Open the Azure Portal.", + "b. Navigate to 'Deploy a custom template'.", + "c. Upload this ARM template file or paste its content.", + "d. Provide the necessary parameter values (e.g., KeyVault name, connection name, etc.).", + "e. Review and start the deployment.", + "2. Validate the deployment:", + "a. Check if the resources (e.g., Key Vault, API connections, Logic Apps) are created successfully.", + "b. Verify the deployment logs for any errors.", + "3. Authorize connections:", + "a. Follow the steps in the 'postDeployment' section to authorize connections.", + "4. Test the playbook:", + "a. Trigger the playbook manually by using the dropdown option as 'run_with_payload'", + "b. On triggering a side screen will appear in which there will be a section named as 'Body'.", + "c. Inside body paste the json obtained from the README.md file with respective edited values according to your resources.", + "d. Hit the 'run' button at the bottom.", + "e. 
Navigate to the playbook home page and check the run history if the run was successful or not." + ], + "postDeployment": [ + "**a. Authorize connections**", + "Once deployment is complete, authorize each connection.", + "1. Login to the Microsoft Azure protal and in the search box Type API Connections.", + "2. Find API connection option.", + "3. Check for your Created API connection exists. eg. Druva-KeyVault-Connection", + "4. Check Status should be ready for the same API Connection.", + "**b. Grant permissions**", + "Make sure that this playbook and your user has the IAM role permission granted as 'Key Vault Secrets User'." + ], + "version": "1.0", + "category": "Druva-Realize-UDA-Quarantine_snapshots", + "tags": [ + "Ransomware Recovery", + "Druva Security", + "Unusual Data Activity", + "Quarantine Snapshots" + ], + "lastUpdateTime": "2025-01-08T18:21:38.767Z", + "releaseNotes": { + "version": "1.0", + "title": "[variables('blanks')]", + "notes": [ + "Initial version" + ] + } + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId1')]", + "contentKind": "Playbook", + "displayName": "Druva_Quarantine_Enterprise_Workloads", + "contentProductId": "[variables('_playbookcontentProductId1')]", + "id": "[variables('_playbookcontentProductId1')]", + "version": "[variables('playbookVersion1')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName2')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": 
"Druva_Quarantine_Insync_User_Workloads Playbook with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion2')]", + "parameters": { + "PlaybookName": { + "defaultValue": "Druva_Quarantine_Insync_User_Workloads", + "type": "string", + "metadata": { + "description": "Name of the Playbook." + } + }, + "keyvaultName": { + "type": "String", + "defaultValue": "Druva-ClientCredential", + "metadata": { + "description": "Name of the Vault created to store Druva Client Credentials." + } + } + }, + "variables": { + "keyvaultConnectionName": "[[concat('KeyVault-', parameters('PlaybookName'))]", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/keyvault')]", + "_connection-2": "[[variables('connection-2')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2017-07-01", + "name": "[[parameters('PlaybookName')]", + "location": "[[variables('workspace-location-inline')]", + "tags": { + "hidden-SentinelTemplateName": "DruvaQuarantineInsyncWorkloadsResource", + "hidden-SentinelTemplateVersion": "1.0", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "identity": { + "type": "SystemAssigned" + }, + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('keyvaultConnectionName'))]" + ], + "properties": { + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + 
"resourceTypes": { + "defaultValue": [ + "Endpoint", + "OneDrive", + "Google Drive" + ], + "type": "Array" + }, + "api_host": { + "defaultValue": "https://apis.druva.com", + "type": "String" + }, + "$connections": { + "type": "Object" + } + }, + "triggers": { + "When_a_HTTP_request_is_received": { + "type": "Request", + "kind": "Http", + "inputs": { + "schema": { + "type": "object", + "properties": { + "username": { + "type": "string" + }, + "fromDate": { + "type": "string" + }, + "toDate": { + "type": "string" + } + } + } + } + } + }, + "actions": { + "Generate_Bearer_Token": { + "runAfter": { + "Get_secret_ClientSecret": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "uri": "@{parameters('api_host')}/token", + "method": "POST", + "headers": { + "Authorization": "Basic @{base64(concat(body('Get_secret_ClientId')?['value'], ':', body('Get_secret_ClientSecret')?['value']))}", + "Content-Type": "application/x-www-form-urlencoded" + }, + "body": "scope=read&grant_type=client_credentials" + }, + "runtimeConfiguration": { + "contentTransfer": { + "transferMode": "Chunked" + } + } + }, + "Parse_Bearer_Token": { + "runAfter": { + "Generate_Bearer_Token": [ + "Succeeded" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@body('Generate_Bearer_Token')", + "schema": { + "type": "object", + "properties": { + "access_token": { + "type": "string" + }, + "token_type": { + "type": "string" + }, + "expires_in": { + "type": "integer" + } + } + } + } + }, + "Find_User": { + "runAfter": { + "Parse_Bearer_Token": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "uri": "@{parameters('api_host')}/realize/ransomwarerecovery/v1/users", + "method": "GET", + "headers": { + "Authorization": "Bearer @{body('Parse_Bearer_Token')?['access_token']}" + }, + "queries": { + "users": "@{triggerBody()?['username']}" + } + }, + "runtimeConfiguration": { + "contentTransfer": { + "transferMode": "Chunked" + } + } + }, + "Parse_User_Details": { + "runAfter": { + 
"Find_User": [ + "Succeeded", + "TimedOut", + "Skipped", + "Failed" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@body('Find_User')", + "schema": { + "type": "object", + "properties": { + "users": { + "type": "array", + "items": { + "type": "object", + "properties": { + "userID": { + "type": "integer" + }, + "userName": { + "type": "string" + }, + "emailID": { + "type": "string" + }, + "profileID": { + "type": "integer" + }, + "storageID": { + "type": "integer" + } + }, + "required": [ + "userID", + "userName", + "emailID", + "profileID", + "storageID" + ] + } + }, + "totalSize": { + "type": "integer" + }, + "nextPageToken": { + "type": "string" + } + } + } + } + }, + "Find_Users_Device": { + "runAfter": { + "Compose_api_host": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "uri": "@concat(parameters('api_host'),\n '/realize/ransomwarerecovery/v1/search/device?',\n outputs('Compose_api_host')\n)", + "method": "GET", + "headers": { + "Authorization": "Bearer @{body('Parse_Bearer_Token')?['access_token']}" + } + }, + "runtimeConfiguration": { + "contentTransfer": { + "transferMode": "Chunked" + } + } + }, + "Parse_Device_Details": { + "runAfter": { + "Find_Users_Device": [ + "Succeeded" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@body('Find_Users_Device')", + "schema": { + "type": "object", + "properties": { + "resources": { + "type": "array", + "items": { + "type": "object", + "properties": { + "resourceID": { + "type": "integer" + }, + "resourceName": { + "type": "string" + }, + "resourceType": { + "type": "string" + }, + "resourceStatus": { + "type": "string" + }, + "userID": { + "type": "integer" + }, + "userName": { + "type": "string" + }, + "profileID": { + "type": "integer" + } + }, + "required": [ + "resourceID", + "resourceName", + "resourceType", + "resourceStatus", + "userID", + "userName", + "profileID" + ] + } + }, + "nextPageToken": { + "type": "string" + }, + "isLast": { + "type": "boolean" + }, + 
"errorMessage": { + "type": "string" + } + } + } + } + }, + "For_each_user_device": { + "foreach": "@body('Parse_Device_Details')?['resources']", + "actions": { + "Parse_Range_ID": { + "runAfter": { + "Quarantine_Resource_API": [ + "Succeeded" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@body('Quarantine_Resource_API')", + "schema": { + "type": "object", + "properties": { + "rangeID": { + "type": "integer" + } + } + } + } + }, + "Quarantine_Resource_API": { + "type": "Http", + "inputs": { + "uri": "@{parameters('api_host')}/realize/ransomwarerecovery/v1/quarantineranges/resource/@{item()?['resourceID']}", + "method": "POST", + "headers": { + "accept": "application/json", + "Authorization": "Bearer @{body('Parse_Bearer_Token')?['access_token']}", + "Content-Type": "application/json" + }, + "body": { + "resourceType": "@item()?['resourceType']", + "orgID": -1, + "fromDate": "@triggerBody()?['fromDate']", + "toDate": "@triggerBody()?['toDate']" + } + }, + "runtimeConfiguration": { + "contentTransfer": { + "transferMode": "Chunked" + } + } + } + }, + "runAfter": { + "Parse_Device_Details": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "check_username": { + "actions": { + "Compose_Message": { + "type": "Compose", + "inputs": { + "message": "username is not empty" + } + } + }, + "else": { + "actions": { + "Terminate_Execution": { + "type": "Terminate", + "inputs": { + "runStatus": "Failed", + "runError": { + "code": "500", + "message": "\"Username is empty\"" + } + } + } + } + }, + "expression": { + "or": [ + { + "not": { + "equals": [ + "@triggerBody()?['username']", + "@null" + ] + } + } + ] + }, + "type": "If" + }, + "For_each": { + "foreach": "@body('Parse_User_Details')?['users']", + "actions": { + "Check_If_user_exists": { + "actions": { + "Set_Match_User_True": { + "type": "SetVariable", + "inputs": { + "name": "UserNameMatched", + "value": true + } + }, + "Append_to_User_array_": { + "runAfter": { + "Set_Match_User_True": [ + "Succeeded" + ] 
+ }, + "type": "AppendToArrayVariable", + "inputs": { + "name": "UserArray", + "value": "@items('For_each')" + } + } + }, + "expression": { + "or": [ + { + "equals": [ + "@item()?['userName']", + "@triggerBody()?['username']" + ] + } + ] + }, + "type": "If" + } + }, + "runAfter": { + "Parse_User_Details": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Compose_api_host": { + "runAfter": { + "Check_if_User_found_": [ + "Succeeded" + ] + }, + "type": "Compose", + "inputs": "@concat(\n 'users[]=',\n string(body('User_JSON')?['users'][0]['userID']),\n '&resourceTypes[]=',\n join(parameters('resourceTypes'), '&resourceTypes[]=')\n)" + }, + "Get_secret_ClientSecret": { + "runAfter": { + "Get_secret_ClientID": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['keyvault']['connectionId']" + } + }, + "method": "get", + "path": "/secrets/@{encodeURIComponent('Druva-ClientSecret')}/value" + } + }, + "Get_secret_ClientID": { + "runAfter": { + "Initialize_Array": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['keyvault']['connectionId']" + } + }, + "method": "get", + "path": "/secrets/@{encodeURIComponent('Druva-ClientID')}/value" + } + }, + "Check_if_User_found_": { + "actions": { + "User_JSON": { + "type": "ParseJson", + "inputs": { + "content": "@outputs('Compose_Users')", + "schema": { + "type": "object", + "properties": { + "users": { + "type": "array", + "items": { + "type": "object", + "properties": { + "userID": { + "type": "integer" + }, + "userName": { + "type": "string" + }, + "emailID": { + "type": "string" + }, + "profileID": { + "type": "integer" + }, + "storageID": { + "type": "integer" + } + }, + "required": [ + "userID", + "userName", + "emailID", + "profileID", + "storageID" + ] + } + } + } + } + } + } + }, + "runAfter": { + "Compose_Users": [ + "Succeeded" + ] + }, + "else": { + 
"actions": { + "Terminate": { + "type": "Terminate", + "inputs": { + "runStatus": "Failed", + "runError": { + "code": "500", + "message": "User Not Found" + } + } + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@variables('UserNameMatched')", + "@true" + ] + } + ] + }, + "type": "If" + }, + "Initialize_Array": { + "runAfter": { + "Initialize_variable_Match_User": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "UserArray", + "type": "array", + "value": "[variables('TemplateEmptyArray')]" + } + ] + } + }, + "Initialize_variable_Match_User": { + "runAfter": { + "check_username": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "UserNameMatched", + "type": "boolean", + "value": false + } + ] + } + }, + "Compose_Users": { + "runAfter": { + "For_each": [ + "Succeeded" + ] + }, + "type": "Compose", + "inputs": { + "users": "@variables('UserArray')" + } + } + } + }, + "parameters": { + "$connections": { + "value": { + "keyvault": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('keyvaultConnectionName'))]", + "connectionName": "[[variables('keyvaultConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Keyvault')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + } + } + } + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2018-07-01-preview", + "name": "[[variables('keyvaultConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('keyvaultConnectionName')]", + "connectionState": "Enabled", + "parameterValueSet": { + "name": "oauthMI", + "values": { + "vaultName": { + "value": "[[parameters('keyvaultName')]" + } + } + }, + "api": { + "id": 
"[[variables('_connection-2')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId2'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId2')]", + "contentId": "[variables('_playbookContentId2')]", + "kind": "Playbook", + "version": "[variables('playbookVersion2')]", + "source": { + "kind": "Solution", + "name": "DruvaDataSecurityCloud", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Druva", + "email": "[variables('_email')]" + }, + "support": { + "name": "Druva Inc", + "email": "support@druva.com", + "tier": "Partner", + "link": "https://support.druva.com/" + } + } + } + ], + "metadata": { + "title": "Druva Quarantine Playbook for inSync Workloads", + "description": "This playbook uses Druva-Ransomware-Response capabilities to stop the spread of ransomware and avoid reinfection or contamination spread to your inSync User based workloads.", + "prerequisites": [ + "1. Verify ARR (Accelerated Ransomeware Recovery) should be enabled for the respective Device using Resource ID on the Druva Security Cloud Platform.", + "2. Generate Druva API Client Credentials", + "a. Use the following link to navigate to Druva's documentation page and refer the steps to generate API Client Credentials.", + "b. Druva's Documentation Page : https://help.druva.com/en/articles/8580838-create-and-manage-api-credentials", + "c. Copy/Paste or Store the creds for future use.", + "3. Store Service account credentials in Key Vault Secrets and obtain keyvault name.", + "a. Create a Key Vault with name as Druva-ClientCredential", + "b. Go to KeyVault -> secrets -> Generate/import and create 'Druva-ClientID' & 'Druva-ClientSecret' for storing client_id and client_secret respectively", + "c. 
Store the secrets obtained for your organization and user from Druva Console UI in the previous step." + ], + "executionSteps": [ + "1. Deploy the ARM template:", + "a. Open the Azure Portal.", + "b. Navigate to 'Deploy a custom template'.", + "c. Upload this ARM template file or paste its content.", + "d. Provide the necessary parameter values (e.g., KeyVault name, connection name, etc.).", + "e. Review and start the deployment.", + "2. Validate the deployment:", + "a. Check if the resources (e.g., Key Vault, API connections, Logic Apps) are created successfully.", + "b. Verify the deployment logs for any errors.", + "3. Authorize connections:", + "a. Follow the steps in the 'postDeployment' section to authorize connections.", + "4. Test the playbook:", + "a. Trigger the playbook manually by using the dropdown option as 'run_with_payload'", + "b. On triggering a side screen will appear in which there will be a section named as 'Body'.", + "c. Inside body paste the json obtained from the README.md file with respective edited values according to your resources.", + "d. Hit the 'run' button at the bottom.", + "e. Navigate to the playbook home page and check the run history if the run was successful or not." + ], + "postDeployment": [ + "**a. Authorize connections**", + "Once deployment is complete, authorize each connection.", + "1. Login to the Microsoft Azure protal and in the search box Type API Connections.", + "2. Find API connection option.", + "3. Check for your Created API connection exists. eg. Druva-KeyVault-Connection", + "4. Check Status should be ready for the same API Connection.", + "**b. Grant permissions**", + "Make sure that this playbook and your user has the IAM role permission granted as 'Key Vault Secrets User'." 
+ ], + "version": "1.0", + "category": "Druva-Realize-UDA-Quarantine_snapshots", + "tags": [ + "Ransomware Recovery", + "Druva Security", + "Unusual Data Activity", + "Quarantine Snapshots" + ], + "lastUpdateTime": "2025-01-08T18:21:39.133Z", + "releaseNotes": { + "version": "1.0", + "title": "[variables('blanks')]", + "notes": [ + "Initial version" + ] + } + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId2')]", + "contentKind": "Playbook", + "displayName": "Druva_Quarantine_Insync_User_Workloads", + "contentProductId": "[variables('_playbookcontentProductId2')]", + "id": "[variables('_playbookcontentProductId2')]", + "version": "[variables('playbookVersion2')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName3')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Druva_Quarantine_With_Resource_ID_Workloads Playbook with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion3')]", + "parameters": { + "PlaybookName": { + "defaultValue": "Druva_Quarantine_With_Resource_ID_Workloads", + "type": "string", + "metadata": { + "description": "Name of the Playbook." + } + }, + "keyvaultName": { + "type": "String", + "defaultValue": "Druva-ClientCredential", + "metadata": { + "description": "Name of the Vault created to store Druva Client Credentials." 
+ } + } + }, + "variables": { + "keyvaultConnectionName": "[[concat('KeyVault-', parameters('PlaybookName'))]", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/keyvault')]", + "_connection-2": "[[variables('connection-2')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2017-07-01", + "name": "[[parameters('PlaybookName')]", + "location": "[[variables('workspace-location-inline')]", + "tags": { + "hidden-SentinelTemplateName": "DruvaQuarantineResourceUsingResourceID", + "hidden-SentinelTemplateVersion": "1.0", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "identity": { + "type": "SystemAssigned" + }, + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('keyvaultConnectionName'))]" + ], + "properties": { + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "api_host": { + "defaultValue": "https://apis.druva.com", + "type": "String" + }, + "$connections": { + "type": "Object" + } + }, + "triggers": { + "When_a_HTTP_request_is_received": { + "type": "Request", + "kind": "Http", + "inputs": { + "schema": { + "type": "object", + "properties": { + "resourceID": { + "type": "integer" + }, + "resourceType": { + "type": "string" + }, + "orgID": { + "type": "integer" + }, + "fromDate": { + "type": "string" + }, + "toDate": { + "type": "string" + } + } + } + } + } + }, + "actions": { + "check_resourceID": { + "actions": { + "Compose_Message": { + "type": "Compose", + "inputs": { 
+ "message": "Resource ID is not empty" + } + } + }, + "else": { + "actions": { + "Terminate_Execution": { + "type": "Terminate", + "inputs": { + "runStatus": "Failed", + "runError": { + "code": "500", + "message": "\"Resource ID, Resource Type or ORG ID is empty\"" + } + } + } + } + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@triggerBody()?['resourceID']", + "@null" + ] + } + }, + { + "not": { + "equals": [ + "@triggerBody()?['resourceType']", + "@null" + ] + } + }, + { + "not": { + "equals": [ + "@triggerBody()?['orgID']", + "@null" + ] + } + } + ] + }, + "type": "If" + }, + "Quarantine_Resource_API": { + "runAfter": { + "Parse_Bearer_Token": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "uri": "@{parameters('api_host')}/realize/ransomwarerecovery/v1/quarantineranges/resource/@{triggerBody()?['resourceID']}", + "method": "POST", + "headers": { + "accept": "application/json", + "Authorization": "Bearer @{body('Parse_Bearer_Token')?['access_token']}", + "Content-Type": "application/json" + }, + "body": { + "resourceType": "@triggerBody()?['resourceType']", + "orgID": "@triggerBody()?['orgID']", + "fromDate": "@triggerBody()?['fromDate']", + "toDate": "@triggerBody()?['toDate']" + } + }, + "runtimeConfiguration": { + "contentTransfer": { + "transferMode": "Chunked" + } + } + }, + "Get_secret_ClientId": { + "runAfter": { + "check_resourceID": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['keyvault']['connectionId']" + } + }, + "method": "get", + "path": "/secrets/@{encodeURIComponent('Druva-ClientID')}/value" + } + }, + "Get_secret_ClientSecret": { + "runAfter": { + "Get_secret_ClientId": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['keyvault']['connectionId']" + } + }, + "method": "get", + "path": "/secrets/@{encodeURIComponent('Druva-ClientSecret')}/value" 
+ } + }, + "Generate_Bearer_Token": { + "runAfter": { + "Get_secret_ClientSecret": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "uri": "@{parameters('api_host')}/token", + "method": "POST", + "headers": { + "Authorization": "Basic @{base64(concat(body('Get_secret_ClientId')?['value'], ':', body('Get_secret_ClientSecret')?['value']))}", + "Content-Type": "application/x-www-form-urlencoded" + }, + "body": "scope=read&grant_type=client_credentials" + }, + "runtimeConfiguration": { + "contentTransfer": { + "transferMode": "Chunked" + } + } + }, + "Parse_Bearer_Token": { + "runAfter": { + "Generate_Bearer_Token": [ + "Succeeded" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@body('Generate_Bearer_Token')", + "schema": { + "type": "object", + "properties": { + "access_token": { + "type": "string" + }, + "token_type": { + "type": "string" + }, + "expires_in": { + "type": "integer" + } + } + } + } + }, + "Parse_JSON": { + "runAfter": { + "Quarantine_Resource_API": [ + "Succeeded" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@body('Quarantine_Resource_API')", + "schema": { + "type": "object", + "properties": { + "rangeID": { + "type": "integer" + } + } + } + } + } + } + }, + "parameters": { + "$connections": { + "value": { + "keyvault": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('keyvaultConnectionName'))]", + "connectionName": "[[variables('keyvaultConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Keyvault')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + } + } + } + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2018-07-01-preview", + "name": "[[variables('keyvaultConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": 
"[[variables('keyvaultConnectionName')]", + "connectionState": "Enabled", + "parameterValueSet": { + "name": "oauthMI", + "values": { + "vaultName": { + "value": "[[parameters('keyvaultName')]" + } + } + }, + "api": { + "id": "[[variables('_connection-2')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId3'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId3')]", + "contentId": "[variables('_playbookContentId3')]", + "kind": "Playbook", + "version": "[variables('playbookVersion3')]", + "source": { + "kind": "Solution", + "name": "DruvaDataSecurityCloud", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Druva", + "email": "[variables('_email')]" + }, + "support": { + "name": "Druva Inc", + "email": "support@druva.com", + "tier": "Partner", + "link": "https://support.druva.com/" + } + } + } + ], + "metadata": { + "title": "Druva Quarantine Using Resource id", + "description": "This playbook uses Druva-Ransomware-Response capabilities to stop the spread of ransomware and avoid reinfection or contamination spread to your environment.", + "prerequisites": [ + "1. Verify ARR (Accelerated Ransomeware Recovery) should be enabled for the respective Device using Resource ID on the Druva Security Cloud Platform.", + "2. Generate Druva API Client Credentials", + "a. Use the following link to navigate to Druva's documentation page and refer the steps to generate API Client Credentials.", + "b. Druva's Documentation Page : https://help.druva.com/en/articles/8580838-create-and-manage-api-credentials", + "c. Copy/Paste or Store the creds for future use.", + "3. Store Service account credentials in Key Vault Secrets and obtain keyvault name.", + "a. Create a Key Vault with name as Druva-ClientCredential", + "b. 
Go to KeyVault -> secrets -> Generate/import and create 'Druva-ClientID' & 'Druva-ClientSecret' for storing client_id and client_secret respectively", + "c. Store the secrets obtained for your organization and user from Druva Console UI in the previous step." + ], + "executionSteps": [ + "1. Deploy the ARM template:", + "a. Open the Azure Portal.", + "b. Navigate to 'Deploy a custom template'.", + "c. Upload this ARM template file or paste its content.", + "d. Provide the necessary parameter values (e.g., KeyVault name, connection name, etc.).", + "e. Review and start the deployment.", + "2. Validate the deployment:", + "a. Check if the resources (e.g., Key Vault, API connections, Logic Apps) are created successfully.", + "b. Verify the deployment logs for any errors.", + "3. Authorize connections:", + "a. Follow the steps in the 'postDeployment' section to authorize connections.", + "4. Test the playbook:", + "a. Trigger the playbook manually by using the dropdown option as 'run_with_payload'", + "b. On triggering a side screen will appear in which there will be a section named as 'Body'.", + "c. Inside body paste the json obtained from the README.md file with respective edited values according to your resources.", + "d. Hit the 'run' button at the bottom.", + "e. Navigate to the playbook home page and check the run history if the run was successful or not." + ], + "postDeployment": [ + "**a. Authorize connections**", + "Once deployment is complete, authorize each connection.", + "1. Login to the Microsoft Azure protal and in the search box Type API Connections.", + "2. Find API connection option.", + "3. Check for your Created API connection exists. eg. Druva-KeyVault-Connection", + "4. Check Status should be ready for the same API Connection.", + "**b. Grant permissions**", + "Make sure that this playbook and your user has the IAM role permission granted as 'Key Vault Secrets User'." 
+ ], + "version": "1.0", + "category": "Druva-Realize-UDA-Quarantine_snapshots", + "tags": [ + "Ransomware Recovery", + "Druva Security", + "Unusual Data Activity", + "Quarantine Snapshots" + ], + "lastUpdateTime": "2025-01-08T18:21:39.302Z", + "releaseNotes": { + "version": "1.0", + "title": "[variables('blanks')]", + "notes": [ + "Initial version" + ] + } + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId3')]", + "contentKind": "Playbook", + "displayName": "Druva_Quarantine_With_Resource_ID_Workloads", + "contentProductId": "[variables('_playbookcontentProductId3')]", + "id": "[variables('_playbookcontentProductId3')]", + "version": "[variables('playbookVersion3')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName4')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Druva_Quarantine_Share_Point Playbook with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion4')]", + "parameters": { + "PlaybookName": { + "defaultValue": "Druva_Quarantine_Share_Point", + "type": "string", + "metadata": { + "description": "Name of the Playbook." + } + }, + "keyvaultName": { + "type": "String", + "defaultValue": "Druva-ClientCredential", + "metadata": { + "description": "Name of the Vault created to store Druva Client Credentials." 
+ } + } + }, + "variables": { + "keyvaultConnectionName": "[[concat('KeyVault-', parameters('PlaybookName'))]", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/keyvault')]", + "_connection-2": "[[variables('connection-2')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2017-07-01", + "name": "[[parameters('PlaybookName')]", + "location": "[[variables('workspace-location-inline')]", + "tags": { + "hidden-SentinelTemplateName": "DruvaQuarantineSharePointResource", + "hidden-SentinelTemplateVersion": "1.0", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "identity": { + "type": "SystemAssigned" + }, + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('keyvaultConnectionName'))]" + ], + "properties": { + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "api_host": { + "defaultValue": "https://apis.druva.com", + "type": "String" + }, + "$connections": { + "type": "Object" + } + }, + "triggers": { + "When_a_HTTP_request_is_received": { + "type": "Request", + "kind": "Http", + "inputs": { + "schema": { + "type": "object", + "properties": { + "share_point_site": { + "type": "string" + }, + "fromDate": { + "type": "string" + }, + "toDate": { + "type": "string" + } + } + } + } + } + }, + "actions": { + "check_share_point_site": { + "actions": { + "Compose_Message": { + "type": "Compose", + "inputs": { + "message": "Share Point Site is not empty" + } + } + }, + "else": { + 
"actions": { + "Terminate_Execution": { + "type": "Terminate", + "inputs": { + "runStatus": "Failed", + "runError": { + "code": "500", + "message": "\"Share Point Site is Empty\"" + } + } + } + } + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@triggerBody()?['share_point_site']", + "@null" + ] + } + } + ] + }, + "type": "If" + }, + "Get_secret_ClientId": { + "runAfter": { + "Initialize_Array": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['keyvault']['connectionId']" + } + }, + "method": "get", + "path": "/secrets/@{encodeURIComponent('Druva-ClientID')}/value" + } + }, + "Get_secret_ClientSecret": { + "runAfter": { + "Get_secret_ClientId": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['keyvault']['connectionId']" + } + }, + "method": "get", + "path": "/secrets/@{encodeURIComponent('Druva-ClientSecret')}/value" + } + }, + "Generate_Bearer_Token": { + "runAfter": { + "Get_secret_ClientSecret": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "uri": "@{parameters('api_host')}/token", + "method": "POST", + "headers": { + "Authorization": "Basic @{base64(concat(body('Get_secret_ClientId')?['value'], ':', body('Get_secret_ClientSecret')?['value']))}", + "Content-Type": "application/x-www-form-urlencoded" + }, + "body": "scope=read&grant_type=client_credentials" + }, + "runtimeConfiguration": { + "contentTransfer": { + "transferMode": "Chunked" + } + } + }, + "Parse_Bearer_Token": { + "runAfter": { + "Generate_Bearer_Token": [ + "Succeeded" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@body('Generate_Bearer_Token')", + "schema": { + "type": "object", + "properties": { + "access_token": { + "type": "string" + }, + "token_type": { + "type": "string" + }, + "expires_in": { + "type": "integer" + } + } + } + } + }, + "Find_Share_Point_Sites": { + "runAfter": 
{ + "Parse_Bearer_Token": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "uri": "@{parameters('api_host')}/realize/ransomwarerecovery/v1/search/sharepoint-sites", + "method": "GET", + "headers": { + "Authorization": "Bearer @{body('Parse_Bearer_Token')?['access_token']}" + }, + "queries": { + "siteTitlePrefix": "@{triggerBody()?['share_point_site']}" + } + }, + "runtimeConfiguration": { + "contentTransfer": { + "transferMode": "Chunked" + } + } + }, + "Parse_SharePoint_Site_JSON": { + "runAfter": { + "Find_Share_Point_Sites": [ + "Succeeded" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@body('Find_Share_Point_Sites')", + "schema": { + "type": "object", + "properties": { + "siteCollections": { + "type": "array", + "items": { + "type": "object", + "properties": { + "resourceID": { + "type": "integer" + }, + "resourceName": { + "type": "string" + }, + "resourceType": { + "type": "string" + }, + "resourceStatus": { + "type": "string" + }, + "resourceParentName": { + "type": "string" + }, + "siteType": { + "type": "string" + } + }, + "required": [ + "resourceID", + "resourceName", + "resourceType", + "resourceStatus", + "resourceParentName", + "siteType" + ] + } + }, + "nextPageToken": { + "type": "string" + } + } + } + } + }, + "Initialize_variable_Match_Share_Point_Site": { + "runAfter": { + "check_share_point_site": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "SharePointSiteMatched", + "type": "boolean", + "value": false + } + ] + } + }, + "Initialize_Array": { + "runAfter": { + "Initialize_variable_Match_Share_Point_Site": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "SharePointSiteArray", + "type": "array", + "value": "[variables('TemplateEmptyArray')]" + } + ] + } + }, + "For_each": { + "foreach": "@outputs('Parse_SharePoint_Site_JSON')?['body']?['siteCollections']", + "actions": { + "Check_If_Share_Point_Site_exists": { + 
"actions": { + "Set_Match_Share_Point_Site_True": { + "type": "SetVariable", + "inputs": { + "name": "SharePointSiteMatched", + "value": true + } + }, + "Append_to_Share_Point_Site_array_variable": { + "runAfter": { + "Set_Match_Share_Point_Site_True": [ + "Succeeded" + ] + }, + "type": "AppendToArrayVariable", + "inputs": { + "name": "SharePointSiteArray", + "value": "@items('For_each')" + } + } + }, + "expression": { + "or": [ + { + "equals": [ + "@item()?['resourceParentName']", + "@triggerBody()?['share_point_site']" + ] + } + ] + }, + "type": "If" + } + }, + "runAfter": { + "Parse_SharePoint_Site_JSON": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Compose_SiteCollections": { + "runAfter": { + "For_each": [ + "Succeeded" + ] + }, + "type": "Compose", + "inputs": { + "siteCollections": "@variables('SharePointSiteArray')" + } + }, + "Check_if_Site_Collection_found_": { + "actions": { + "Site_Collection_JSON": { + "type": "ParseJson", + "inputs": { + "content": "@outputs('Compose_SiteCollections')", + "schema": { + "type": "object", + "properties": { + "siteCollections": { + "type": "array", + "items": { + "type": "object", + "properties": { + "resourceID": { + "type": "integer" + }, + "resourceName": { + "type": "string" + }, + "resourceType": { + "type": "string" + }, + "resourceStatus": { + "type": "string" + }, + "resourceParentName": { + "type": "string" + }, + "siteType": { + "type": "string" + } + }, + "required": [ + "resourceID", + "resourceName", + "resourceType", + "resourceStatus", + "resourceParentName", + "siteType" + ] + } + } + } + } + } + } + }, + "runAfter": { + "Compose_SiteCollections": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Terminate": { + "type": "Terminate", + "inputs": { + "runStatus": "Failed", + "runError": { + "code": "500", + "message": "Site Collections Not Found" + } + } + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@variables('SharePointSiteMatched')", + "@true" + ] + } + ] + }, + "type": "If" 
+ }, + "For_each_Site_Collection": { + "foreach": "@outputs('Site_Collection_JSON')?['body']?['siteCollections']", + "actions": { + "Quarantine_Site_Collection_API": { + "type": "Http", + "inputs": { + "uri": "@{parameters('api_host')}/realize/ransomwarerecovery/v1/quarantineranges/resource/@{item()?['resourceID']}", + "method": "POST", + "headers": { + "accept": "application/json", + "Authorization": "Bearer @{body('Parse_Bearer_Token')?['access_token']}", + "Content-Type": "application/json" + }, + "body": { + "resourceType": "@item()?['resourceType']", + "orgID": "@null", + "fromDate": "@triggerBody()?['fromDate']", + "toDate": "@triggerBody()?['toDate']" + } + }, + "runtimeConfiguration": { + "contentTransfer": { + "transferMode": "Chunked" + } + } + }, + "Parse_Share_Point_Site_Range_ID": { + "runAfter": { + "Quarantine_Site_Collection_API": [ + "Succeeded" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@body('Quarantine_Site_Collection_API')", + "schema": { + "type": "object", + "properties": { + "rangeID": { + "type": "integer" + } + } + } + } + } + }, + "runAfter": { + "Check_if_Site_Collection_found_": [ + "Succeeded" + ] + }, + "type": "Foreach" + } + } + }, + "parameters": { + "$connections": { + "value": { + "keyvault": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('keyvaultConnectionName'))]", + "connectionName": "[[variables('keyvaultConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Keyvault')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + } + } + } + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2018-07-01-preview", + "name": "[[variables('keyvaultConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": 
"[[variables('keyvaultConnectionName')]", + "connectionState": "Enabled", + "parameterValueSet": { + "name": "oauthMI", + "values": { + "vaultName": { + "value": "[[parameters('keyvaultName')]" + } + } + }, + "api": { + "id": "[[variables('_connection-2')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId4'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId4')]", + "contentId": "[variables('_playbookContentId4')]", + "kind": "Playbook", + "version": "[variables('playbookVersion4')]", + "source": { + "kind": "Solution", + "name": "DruvaDataSecurityCloud", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Druva", + "email": "[variables('_email')]" + }, + "support": { + "name": "Druva Inc", + "email": "support@druva.com", + "tier": "Partner", + "link": "https://support.druva.com/" + } + } + } + ], + "metadata": { + "title": "Druva Quarantine Playbook for Sharepoint", + "description": "This playbook uses Druva-Ransomware-Response capabilities to stop the spread of ransomware and avoid reinfection or contamination spread in your sharepoint", + "prerequisites": [ + "1. Verify ARR (Accelerated Ransomeware Recovery) should be enabled for the respective Device using Resource ID on the Druva Security Cloud Platform.", + "2. Generate Druva API Client Credentials", + "a. Use the following link to navigate to Druva's documentation page and refer the steps to generate API Client Credentials.", + "b. Druva's Documentation Page : https://help.druva.com/en/articles/8580838-create-and-manage-api-credentials", + "c. Copy/Paste or Store the creds for future use.", + "3. Store Service account credentials in Key Vault Secrets and obtain keyvault name.", + "a. Create a Key Vault with name as Druva-ClientCredential", + "b. 
Go to KeyVault -> secrets -> Generate/import and create 'Druva-ClientID' & 'Druva-ClientSecret' for storing client_id and client_secret respectively", + "c. Store the secrets obtained for your organization and user from Druva Console UI in the previous step." + ], + "executionSteps": [ + "1. Deploy the ARM template:", + "a. Open the Azure Portal.", + "b. Navigate to 'Deploy a custom template'.", + "c. Upload this ARM template file or paste its content.", + "d. Provide the necessary parameter values (e.g., KeyVault name, connection name, etc.).", + "e. Review and start the deployment.", + "2. Validate the deployment:", + "a. Check if the resources (e.g., Key Vault, API connections, Logic Apps) are created successfully.", + "b. Verify the deployment logs for any errors.", + "3. Authorize connections:", + "a. Follow the steps in the 'postDeployment' section to authorize connections.", + "4. Test the playbook:", + "a. Trigger the playbook manually by using the dropdown option as 'run_with_payload'", + "b. On triggering a side screen will appear in which there will be a section named as 'Body'.", + "c. Inside body paste the json obtained from the README.md file with respective edited values according to your resources.", + "d. Hit the 'run' button at the bottom.", + "e. Navigate to the playbook home page and check the run history if the run was successful or not." + ], + "postDeployment": [ + "**a. Authorize connections**", + "Once deployment is complete, authorize each connection.", + "1. Login to the Microsoft Azure protal and in the search box Type API Connections.", + "2. Find API connection option.", + "3. Check for your Created API connection exists. eg. Druva-KeyVault-Connection", + "4. Check Status should be ready for the same API Connection.", + "**b. Grant permissions**", + "Make sure that this playbook and your user has the IAM role permission granted as 'Key Vault Secrets User'." 
+ ], + "version": "1.0", + "category": "Druva-Realize-UDA-Quarantine_snapshots", + "tags": [ + "Ransomware Recovery", + "Druva Security", + "Unusual Data Activity", + "Quarantine Snapshots" + ], + "lastUpdateTime": "2025-01-08T18:21:39.553Z", + "releaseNotes": { + "version": "1.0", + "title": "[variables('blanks')]", + "notes": [ + "Initial version" + ] + } + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId4')]", + "contentKind": "Playbook", + "displayName": "Druva_Quarantine_Share_Point", + "contentProductId": "[variables('_playbookcontentProductId4')]", + "id": "[variables('_playbookcontentProductId4')]", + "version": "[variables('playbookVersion4')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName5')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Druva_Quarantine_Shared_Drive Playbook with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion5')]", + "parameters": { + "PlaybookName": { + "defaultValue": "Druva_Quarantine_Shared_Drive", + "type": "string", + "metadata": { + "description": "Name of the Playbook." + } + }, + "keyvaultName": { + "type": "String", + "defaultValue": "Druva-ClientCredential", + "metadata": { + "description": "Name of the Vault created to store Druva Client Credentials." 
+ } + } + }, + "variables": { + "keyvaultConnectionName": "[[concat('KeyVault-', parameters('PlaybookName'))]", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/keyvault')]", + "_connection-2": "[[variables('connection-2')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2017-07-01", + "name": "[[parameters('PlaybookName')]", + "location": "[[variables('workspace-location-inline')]", + "tags": { + "hidden-SentinelTemplateName": "DruvaQuarantineSharedDriveResource", + "hidden-SentinelTemplateVersion": "1.0", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "identity": { + "type": "SystemAssigned" + }, + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('keyvaultConnectionName'))]" + ], + "properties": { + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "api_host": { + "defaultValue": "https://apis.druva.com", + "type": "String" + }, + "$connections": { + "type": "Object" + } + }, + "triggers": { + "When_a_HTTP_request_is_received": { + "type": "Request", + "kind": "Http", + "inputs": { + "schema": { + "type": "object", + "properties": { + "shared_drive": { + "type": "string" + }, + "fromDate": { + "type": "string" + }, + "toDate": { + "type": "string" + } + } + } + } + } + }, + "actions": { + "check_Shared_Drive": { + "actions": { + "Compose_Message": { + "type": "Compose", + "inputs": { + "message": "Shared Drive is not empty" + } + } + }, + "else": { + "actions": { + 
"Terminate_Execution": { + "type": "Terminate", + "inputs": { + "runStatus": "Failed", + "runError": { + "code": "500", + "message": "\"Shared Drive is Empty\"" + } + } + } + } + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@triggerBody()?['shared_drive']", + "@null" + ] + } + } + ] + }, + "type": "If" + }, + "Initialize_variable_Match_Shared_Drive": { + "runAfter": { + "check_Shared_Drive": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "SharedDriveMatched", + "type": "boolean", + "value": false + } + ] + } + }, + "Initialize_Array": { + "runAfter": { + "Initialize_variable_Match_Shared_Drive": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "SharedDriveArray", + "type": "array", + "value": "[variables('TemplateEmptyArray')]" + } + ] + } + }, + "Get_secret_ClientId": { + "runAfter": { + "Initialize_Array": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['keyvault']['connectionId']" + } + }, + "method": "get", + "path": "/secrets/@{encodeURIComponent('Druva-ClientID')}/value" + } + }, + "Get_secret_ClientSecret": { + "runAfter": { + "Get_secret_ClientId": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['keyvault']['connectionId']" + } + }, + "method": "get", + "path": "/secrets/@{encodeURIComponent('Druva-ClientSecret')}/value" + } + }, + "Generate_Bearer_Token": { + "runAfter": { + "Get_secret_ClientSecret": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "uri": "@{parameters('api_host')}/token", + "method": "POST", + "headers": { + "Authorization": "Basic @{base64(concat(body('Get_secret_ClientId')?['value'], ':', body('Get_secret_ClientSecret')?['value']))}", + "Content-Type": "application/x-www-form-urlencoded" + }, + "body": 
"scope=read&grant_type=client_credentials" + }, + "runtimeConfiguration": { + "contentTransfer": { + "transferMode": "Chunked" + } + } + }, + "Parse_Bearer_Token": { + "runAfter": { + "Generate_Bearer_Token": [ + "Succeeded" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@body('Generate_Bearer_Token')", + "schema": { + "type": "object", + "properties": { + "access_token": { + "type": "string" + }, + "token_type": { + "type": "string" + }, + "expires_in": { + "type": "integer" + } + } + } + } + }, + "Find_Shared_Drives": { + "runAfter": { + "Parse_Bearer_Token": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "uri": "@{parameters('api_host')}/realize/ransomwarerecovery/v1/search/shareddrive-accounts", + "method": "GET", + "headers": { + "Authorization": "Bearer @{body('Parse_Bearer_Token')?['access_token']}" + }, + "queries": { + "accountTitlePrefix": "@{triggerBody()?['shared_drive']}" + } + }, + "runtimeConfiguration": { + "contentTransfer": { + "transferMode": "Chunked" + } + } + }, + "Share_Drive_JSON": { + "runAfter": { + "Find_Shared_Drives": [ + "Succeeded" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@body('Find_Shared_Drives')", + "schema": { + "type": "object", + "properties": { + "accountList": { + "type": "array", + "items": { + "type": "object", + "properties": { + "resourceID": { + "type": "integer" + }, + "resourceName": { + "type": "string" + }, + "resourceType": { + "type": "string" + }, + "resourceStatus": { + "type": "string" + }, + "resourceParentName": { + "type": "string" + } + }, + "required": [ + "resourceID", + "resourceName", + "resourceType", + "resourceStatus", + "resourceParentName" + ] + } + }, + "nextPageToken": { + "type": "string" + } + } + } + } + }, + "For_each": { + "foreach": "@outputs('Share_Drive_JSON')?['body']?['accountList']", + "actions": { + "Check_If_Shared_Drive_exists": { + "actions": { + "Set_Match_Shared_Drive_True": { + "type": "SetVariable", + "inputs": { + "name": 
"SharedDriveMatched", + "value": true + } + }, + "Append_to_Shared_Drive_array_variable": { + "runAfter": { + "Set_Match_Shared_Drive_True": [ + "Succeeded" + ] + }, + "type": "AppendToArrayVariable", + "inputs": { + "name": "SharedDriveArray", + "value": "@items('For_each')" + } + } + }, + "expression": { + "or": [ + { + "equals": [ + "@item()?['resourceName']", + "@triggerBody()?['shared_drive']" + ] + } + ] + }, + "type": "If" + } + }, + "runAfter": { + "Share_Drive_JSON": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Compose_SharedDrive_Collections": { + "runAfter": { + "For_each": [ + "Succeeded" + ] + }, + "type": "Compose", + "inputs": { + "accountList": "@variables('SharedDriveArray')" + } + }, + "Check_if_Shared_Drive_found": { + "actions": { + "Account_List_JSON": { + "type": "ParseJson", + "inputs": { + "content": "@outputs('Compose_SharedDrive_Collections')", + "schema": { + "type": "object", + "properties": { + "accountList": { + "type": "array", + "items": { + "type": "object", + "properties": { + "resourceID": { + "type": "integer" + }, + "resourceName": { + "type": "string" + }, + "resourceType": { + "type": "string" + }, + "resourceStatus": { + "type": "string" + }, + "resourceParentName": { + "type": "string" + } + }, + "required": [ + "resourceID", + "resourceName", + "resourceType", + "resourceStatus", + "resourceParentName" + ] + } + } + } + } + } + } + }, + "runAfter": { + "Compose_SharedDrive_Collections": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Terminate": { + "type": "Terminate", + "inputs": { + "runStatus": "Failed", + "runError": { + "code": "500", + "message": "Site Collections Not Found" + } + } + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@variables('SharedDriveMatched')", + "@true" + ] + } + ] + }, + "type": "If" + }, + "For_each_Shared_Drive_Collection": { + "foreach": "@outputs('Account_List_JSON')?['body']?['accountList']", + "actions": { + "Quarantine_Account_List_API": { + "type": "Http", + 
"inputs": { + "uri": "@{parameters('api_host')}/realize/ransomwarerecovery/v1/quarantineranges/resource/@{item()?['resourceID']}", + "method": "POST", + "headers": { + "accept": "application/json", + "Authorization": "Bearer @{body('Parse_Bearer_Token')?['access_token']}", + "Content-Type": "application/json" + }, + "body": { + "resourceType": "@item()?['resourceType']", + "orgID": "@null", + "fromDate": "@triggerBody()?['fromDate']", + "toDate": "@triggerBody()?['toDate']" + } + }, + "runtimeConfiguration": { + "contentTransfer": { + "transferMode": "Chunked" + } + } + }, + "Parse_Shared_Drive_Range_ID_": { + "runAfter": { + "Quarantine_Account_List_API": [ + "Succeeded" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@body('Quarantine_Account_List_API')", + "schema": { + "type": "object", + "properties": { + "rangeID": { + "type": "integer" + } + } + } + } + } + }, + "runAfter": { + "Check_if_Shared_Drive_found": [ + "Succeeded" + ] + }, + "type": "Foreach" + } + } + }, + "parameters": { + "$connections": { + "value": { + "keyvault": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('keyvaultConnectionName'))]", + "connectionName": "[[variables('keyvaultConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Keyvault')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + } + } + } + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2018-07-01-preview", + "name": "[[variables('keyvaultConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('keyvaultConnectionName')]", + "connectionState": "Enabled", + "parameterValueSet": { + "name": "oauthMI", + "values": { + "vaultName": { + "value": "[[parameters('keyvaultName')]" + } + } + }, + "api": { + "id": 
"[[variables('_connection-2')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId5'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId5')]", + "contentId": "[variables('_playbookContentId5')]", + "kind": "Playbook", + "version": "[variables('playbookVersion5')]", + "source": { + "kind": "Solution", + "name": "DruvaDataSecurityCloud", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Druva", + "email": "[variables('_email')]" + }, + "support": { + "name": "Druva Inc", + "email": "support@druva.com", + "tier": "Partner", + "link": "https://support.druva.com/" + } + } + } + ], + "metadata": { + "title": "Druva Quarantine Playbook for Shared Drive", + "description": "This playbook uses Druva-Ransomware-Response capabilities to stop the spread of ransomware and avoid reinfection or contamination spread to your shared drives.", + "prerequisites": [ + "1. Verify ARR (Accelerated Ransomeware Recovery) should be enabled for the respective Device using Resource ID on the Druva Security Cloud Platform.", + "2. Generate Druva API Client Credentials", + "a. Use the following link to navigate to Druva's documentation page and refer the steps to generate API Client Credentials.", + "b. Druva's Documentation Page : https://help.druva.com/en/articles/8580838-create-and-manage-api-credentials", + "c. Copy/Paste or Store the creds for future use.", + "3. Store Service account credentials in Key Vault Secrets and obtain keyvault name.", + "a. Create a Key Vault with name as Druva-ClientCredential", + "b. Go to KeyVault -> secrets -> Generate/import and create 'Druva-ClientID' & 'Druva-ClientSecret' for storing client_id and client_secret respectively", + "c. 
Store the secrets obtained for your organization and user from Druva Console UI in the previous step." + ], + "executionSteps": [ + "1. Deploy the ARM template:", + "a. Open the Azure Portal.", + "b. Navigate to 'Deploy a custom template'.", + "c. Upload this ARM template file or paste its content.", + "d. Provide the necessary parameter values (e.g., KeyVault name, connection name, etc.).", + "e. Review and start the deployment.", + "2. Validate the deployment:", + "a. Check if the resources (e.g., Key Vault, API connections, Logic Apps) are created successfully.", + "b. Verify the deployment logs for any errors.", + "3. Authorize connections:", + "a. Follow the steps in the 'postDeployment' section to authorize connections.", + "4. Test the playbook:", + "a. Trigger the playbook manually by using the dropdown option as 'run_with_payload'", + "b. On triggering a side screen will appear in which there will be a section named as 'Body'.", + "c. Inside body paste the json obtained from the README.md file with respective edited values according to your resources.", + "d. Hit the 'run' button at the bottom.", + "e. Navigate to the playbook home page and check the run history if the run was successful or not." + ], + "postDeployment": [ + "**a. Authorize connections**", + "Once deployment is complete, authorize each connection.", + "1. Login to the Microsoft Azure protal and in the search box Type API Connections.", + "2. Find API connection option.", + "3. Check for your Created API connection exists. eg. Druva-KeyVault-Connection", + "4. Check Status should be ready for the same API Connection.", + "**b. Grant permissions**", + "Make sure that this playbook and your user has the IAM role permission granted as 'Key Vault Secrets User'." 
+ ], + "version": "1.0", + "category": "Druva-Realize-UDA-Quarantine_snapshots", + "tags": [ + "Ransomware Recovery", + "Druva Security", + "Unusual Data Activity", + "Quarantine Snapshots" + ], + "lastUpdateTime": "2025-01-08T18:21:39.777Z", + "releaseNotes": { + "version": "1.0", + "title": "[variables('blanks')]", + "notes": [ + "Initial version" + ] + } + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId5')]", + "contentKind": "Playbook", + "displayName": "Druva_Quarantine_Shared_Drive", + "contentProductId": "[variables('_playbookcontentProductId5')]", + "id": "[variables('_playbookcontentProductId5')]", + "version": "[variables('playbookVersion5')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnectorDefinition1'), variables('dataConnectorCCPVersion'))]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "contentId": "[variables('_dataConnectorContentIdConnectorDefinition1')]", + "displayName": "Druva Events Connector", + "contentKind": "DataConnector", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorCCPVersion')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition1'))]", + 
"apiVersion": "2022-09-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions", + "location": "[parameters('workspace-location')]", + "kind": "Customizable", + "properties": { + "connectorUiConfig": { + "id": "DruvaEventCCPDefinition", + "title": "Druva Events Connector", + "publisher": "Microsoft", + "descriptionMarkdown": "Provides capability to ingest the druva events from druva apis", + "graphQueriesTableName": "DruvaSecurityEvents_CL", + "graphQueries": [ + { + "metricName": "Total Security Events", + "legend": "Druva Security events received", + "baseQuery": "{{graphQueriesTableName}}" + }, + { + "metricName": "Total platform events", + "legend": "Druva platform events received", + "baseQuery": "DruvaPlatformEvents_CL" + }, + { + "metricName": "Total insync events", + "legend": "Druva insync events received", + "baseQuery": "DruvaInsyncEvents_CL" + } + ], + "sampleQueries": [ + { + "description": "Sample of Druva security events", + "query": "{{graphQueriesTableName}}\n| take 10" + }, + { + "description": "Sample of Druva platform events", + "query": "DruvaPlatformEvents_CL\n| take 10" + }, + { + "description": "Sample of Druva insync events", + "query": "DruvaInsyncEvents_CL\n| take 10" + } + ], + "dataTypes": [ + { + "name": "{{graphQueriesTableName}}", + "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | summarize Time=max(TimeGenerated) \n | where isnotempty(Time)" + }, + { + "name": "DruvaPlatformEvents_CL", + "lastDataReceivedQuery": "DruvaPlatformEvents_CL\n | summarize Time=max(TimeGenerated) \n | where isnotempty(Time)" + }, + { + "name": "DruvaInsyncEvents_CL", + "lastDataReceivedQuery": "DruvaInsyncEvents_CL\n | summarize Time=max(TimeGenerated) \n | where isnotempty(Time)" + } + ], + "connectivityCriteria": [ + { + "type": "HasDataConnectors" + } + ], + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "Read and Write 
permission are required", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + } + ], + "customs": [ + { + "name": "Druva API Access", + "description": "Druva api requires a client id and client secret to authenticate" + } + ] + }, + "instructionSteps": [ + { + "description": ">Note: Configurations to connect to Druva Rest API\n" + }, + { + "description": "Step 1: Create Crdentials from Druva Console: https://help.druva.com/en/articles/8580838-create-and-manage-api-credentials\n" + }, + { + "description": "Step 2: Enter the hostname public cloud its apis.druva.com\n" + }, + { + "description": "Step 3: Get client id and client secret key\n" + }, + { + "description": "Provide required values:\n", + "instructions": [ + { + "type": "Textbox", + "parameters": { + "label": "hostname", + "placeholder": "Example: apis.druva.com", + "type": "text", + "name": "hostname" + } + }, + { + "type": "OAuthForm", + "parameters": { + "clientIdLabel": "Client ID", + "clientSecretLabel": "Client Secret", + "connectButtonLabel": "Connect", + "disconnectButtonLabel": "Diconnect" + } + } + ], + "tittle": "Connect to Druva API to start collecting logs in microft sentinel" + } + ] + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition1')))]", + "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition1'))]", + "contentId": "[variables('_dataConnectorContentIdConnectorDefinition1')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorCCPVersion')]", + "source": { + "sourceId": 
"[variables('_solutionId')]", + "name": "[variables('_solutionName')]", + "kind": "Solution" + }, + "author": { + "name": "Druva", + "email": "[variables('_email')]" + }, + "support": { + "name": "Druva Inc", + "email": "support@druva.com", + "tier": "Partner", + "link": "https://support.druva.com/" + }, + "dependencies": { + "criteria": [ + { + "version": "[variables('dataConnectorCCPVersion')]", + "contentId": "[variables('_dataConnectorContentIdConnections1')]", + "kind": "ResourcesDataConnector" + } + ] + } + } + }, + { + "name": "DruvaDCR", + "apiVersion": "2022-06-01", + "type": "Microsoft.Insights/dataCollectionRules", + "location": "[parameters('workspace-location')]", + "kind": "[variables('blanks')]", + "properties": { + "dataCollectionEndpointId": "[variables('dataCollectionEndpointId1')]", + "streamDeclarations": { + "Custom-DruvaSecurityEvents_CL": { + "columns": [ + { + "name": "TimeGenerated", + "type": "datetime" + }, + { + "name": "id", + "type": "int" + }, + { + "name": "globalCustomerId", + "type": "string" + }, + { + "name": "occurenceTime", + "type": "int" + }, + { + "name": "area", + "type": "string" + }, + { + "name": "category", + "type": "string" + }, + { + "name": "type", + "type": "string" + }, + { + "name": "syslogSeverity", + "type": "int" + }, + { + "name": "syslogFacility", + "type": "int" + }, + { + "name": "details", + "type": "string" + } + ] + }, + "Custom-DruvaPlatformEvents_CL": { + "columns": [ + { + "name": "TimeGenerated", + "type": "datetime" + }, + { + "name": "category", + "type": "string" + }, + { + "name": "details", + "type": "dynamic" + }, + { + "name": "feature", + "type": "string" + }, + { + "name": "globalID", + "type": "string" + }, + { + "name": "timeStamp", + "type": "int" + }, + { + "name": "productID", + "type": "int" + }, + { + "name": "syslogFacility", + "type": "int" + }, + { + "name": "syslogSeverity", + "type": "int" + }, + { + "name": "type", + "type": "string" + } + ] + }, + 
"Custom-DruvaInsyncEvents_CL": { + "columns": [ + { + "name": "eventType", + "type": "string" + }, + { + "name": "eventState", + "type": "string" + }, + { + "name": "eventID", + "type": "int" + }, + { + "name": "eventDetails", + "type": "string" + }, + { + "name": "timestamp", + "type": "datetime" + }, + { + "name": "initiator", + "type": "string" + }, + { + "name": "ip", + "type": "string" + }, + { + "name": "profileID", + "type": "string" + }, + { + "name": "profileName", + "type": "string" + }, + { + "name": "inSyncUserID", + "type": "string" + }, + { + "name": "inSyncUserName", + "type": "string" + }, + { + "name": "inSyncUserEmail", + "type": "string" + }, + { + "name": "inSyncDataSourceID", + "type": "string" + }, + { + "name": "inSyncDataSourceName", + "type": "string" + }, + { + "name": "clientOS", + "type": "string" + }, + { + "name": "clientVersion", + "type": "string" + }, + { + "name": "severity", + "type": "int" + }, + { + "name": "facility", + "type": "int" + } + ] + } + }, + "destinations": { + "logAnalytics": [ + { + "workspaceResourceId": "[variables('workspaceResourceId')]", + "name": "[parameters('workspace')]" + } + ] + }, + "dataFlows": [ + { + "streams": [ + "Custom-DruvaSecurityEvents_CL" + ], + "destinations": [ + "[parameters('workspace')]" + ], + "transformKql": "source\n| extend TimeGenerated = datetime_add('second',occurenceTime,make_datetime(1970,1,1)) \n| extend event_type = type\n| project-away occurenceTime, type\n| extend id = tostring(id) // Convert 'id' to string and rename to EventUid\n| project-rename EventUid = id\n\n", + "outputStream": "Custom-DruvaSecurityEvents_CL" + }, + { + "streams": [ + "Custom-DruvaPlatformEvents_CL" + ], + "destinations": [ + "[parameters('workspace')]" + ], + "transformKql": "source\n| extend TimeGenerated = datetime_add('second',timeStamp,make_datetime(1970,1,1))\n| extend event_type = type\n| project-away timeStamp, type\n", + "outputStream": "Custom-DruvaPlatformEvents_CL" + }, + { + "streams": [ 
+ "Custom-DruvaInsyncEvents_CL" + ], + "destinations": [ + "[parameters('workspace')]" + ], + "transformKql": "source\n| extend TimeGenerated = timestamp\n| extend eventID = tostring(eventID)\n| project-rename EventUid = eventID\n| project-away timestamp\n", + "outputStream": "Custom-DruvaInsyncEvents_CL" + } + ] + } + }, + { + "name": "DruvaSecurityEvents_CL", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/tables", + "location": "[[parameters('workspace-location')]", + "properties":{ + "schema": { + "name": "DruvaSecurityEvents_CL", + "columns": [ + { + "name": "area", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "category", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "details", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "globalCustomerId", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "syslogFacility", + "type": "int", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "syslogSeverity", + "type": "int", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "TimeGenerated", + "type": "datetime", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "event_type", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "EventUid", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + } + ] + } + } + }, + { + "name": "DruvaPlatformEvents_CL", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/tables", + "location": "[[parameters('workspace-location')]", + "properties":{ + "schema": { + "name": "DruvaPlatformEvents_CL", + "columns": [ + { + "name": "category", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "details", + "type": "dynamic", + "isDefaultDisplay": false, + "isHidden": false + }, + { + 
"name": "feature", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "globalID", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "productID", + "type": "int", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "syslogFacility", + "type": "int", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "syslogSeverity", + "type": "int", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "TimeGenerated", + "type": "datetime", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "event_type", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + } + ] + } + } + }, + { + "name": "DruvaInsyncEvents_CL", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/tables", + "location": "[[parameters('workspace-location')]", + "properties": { + "schema": { + "name": "DruvaInsyncEvents_CL", + "columns": [ + { + "name": "clientOS", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "clientVersion", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "eventDetails", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "eventState", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "eventType", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "facility", + "type": "int", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "initiator", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "inSyncDataSourceID", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "inSyncDataSourceName", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "inSyncUserEmail", + "type": "string", + "isDefaultDisplay": false, 
+ "isHidden": false + }, + { + "name": "inSyncUserID", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "inSyncUserName", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "ip", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "profileID", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "profileName", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "severity", + "type": "int", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "TimeGenerated", + "type": "datetime", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "EventUid", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + } + ] + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "contentProductId": "[concat(take(variables('_solutionId'), 50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentIdConnectorDefinition1'),'-', variables('dataConnectorCCPVersion'))))]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "version": "[variables('dataConnectorCCPVersion')]" + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition1'))]", + "apiVersion": "2022-09-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions", + "location": "[parameters('workspace-location')]", + "kind": "Customizable", + "properties": { + "connectorUiConfig": { + "id": "DruvaEventCCPDefinition", + "title": "Druva Events Connector", + "publisher": "Microsoft", + "descriptionMarkdown": "Provides capability to ingest the druva events from druva apis", + "graphQueriesTableName": 
"DruvaSecurityEvents_CL", + "graphQueries": [ + { + "metricName": "Total Security Events", + "legend": "Druva Security events received", + "baseQuery": "{{graphQueriesTableName}}" + }, + { + "metricName": "Total platform events", + "legend": "Druva platform events received", + "baseQuery": "DruvaPlatformEvents_CL" + }, + { + "metricName": "Total insync events", + "legend": "Druva insync events received", + "baseQuery": "DruvaInsyncEvents_CL" + } + ], + "sampleQueries": [ + { + "description": "Sample of Druva security events", + "query": "{{graphQueriesTableName}}\n| take 10" + }, + { + "description": "Sample of Druva platform events", + "query": "DruvaPlatformEvents_CL\n| take 10" + }, + { + "description": "Sample of Druva insync events", + "query": "DruvaInsyncEvents_CL\n| take 10" + } + ], + "dataTypes": [ + { + "name": "{{graphQueriesTableName}}", + "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | summarize Time=max(TimeGenerated) \n | where isnotempty(Time)" + }, + { + "name": "DruvaPlatformEvents_CL", + "lastDataReceivedQuery": "DruvaPlatformEvents_CL\n | summarize Time=max(TimeGenerated) \n | where isnotempty(Time)" + }, + { + "name": "DruvaInsyncEvents_CL", + "lastDataReceivedQuery": "DruvaInsyncEvents_CL\n | summarize Time=max(TimeGenerated) \n | where isnotempty(Time)" + } + ], + "connectivityCriteria": [ + { + "type": "HasDataConnectors" + } + ], + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "Read and Write permission are required", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + } + ], + "customs": [ + { + "name": "Druva API Access", + "description": "Druva api requires a client id and client secret to authenticate" + } + ] + }, + "instructionSteps": [ + { + "description": ">Note: Configurations to connect to Druva Rest API\n" + }, + { + "description": "Step 1: 
Create Crdentials from Druva Console: https://help.druva.com/en/articles/8580838-create-and-manage-api-credentials\n" + }, + { + "description": "Step 2: Enter the hostname public cloud its apis.druva.com\n" + }, + { + "description": "Step 3: Get client id and client secret key\n" + }, + { + "description": "Provide required values:\n", + "instructions": [ + { + "type": "Textbox", + "parameters": { + "label": "hostname", + "placeholder": "Example: apis.druva.com", + "type": "text", + "name": "hostname" + } + }, + { + "type": "OAuthForm", + "parameters": { + "clientIdLabel": "Client ID", + "clientSecretLabel": "Client Secret", + "connectButtonLabel": "Connect", + "disconnectButtonLabel": "Diconnect" + } + } + ], + "tittle": "Connect to Druva API to start collecting logs in microft sentinel" + } + ] + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition1')))]", + "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition1'))]", + "contentId": "[variables('_dataConnectorContentIdConnectorDefinition1')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorCCPVersion')]", + "source": { + "sourceId": "[variables('_solutionId')]", + "name": "[variables('_solutionName')]", + "kind": "Solution" + }, + "author": { + "name": "Druva", + "email": "[variables('_email')]" + }, + "support": { + "name": "Druva Inc", + "email": "support@druva.com", + "tier": "Partner", + "link": "https://support.druva.com/" + }, + "dependencies": { + "criteria": [ + { + "version": "[variables('dataConnectorCCPVersion')]", + "contentId": 
"[variables('_dataConnectorContentIdConnections1')]", + "kind": "ResourcesDataConnector" + } + ] + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnections1'), variables('dataConnectorCCPVersion'))]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "contentId": "[variables('_dataConnectorContentIdConnections1')]", + "displayName": "Druva Events Connector", + "contentKind": "ResourcesDataConnector", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorCCPVersion')]", + "parameters": { + "ClientId": { + "defaultValue": "-NA-", + "type": "securestring", + "minLength": 1 + }, + "ClientSecret": { + "defaultValue": "-NA-", + "type": "securestring", + "minLength": 1 + }, + "hostname": { + "defaultValue": "Enter hostname value", + "type": "string", + "minLength": 1 + }, + "connectorDefinitionName": { + "defaultValue": "Druva Events Connector", + "type": "string", + "minLength": 1 + }, + "workspace": { + "defaultValue": "[parameters('workspace')]", + "type": "string" + }, + "dcrConfig": { + "defaultValue": { + "dataCollectionEndpoint": "data collection Endpoint", + "dataCollectionRuleImmutableId": "data collection rule immutableId" + }, + "type": "object" + }, + "AuthorizationCode": { + "defaultValue": "-NA-", + "type": "securestring", + "minLength": 1 + } + }, + "variables": { + "_dataConnectorContentIdConnections1": "[variables('_dataConnectorContentIdConnections1')]" + }, + "resources": [ + { + "name": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnections1')))]", + "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentIdConnections1'))]", + "contentId": "[variables('_dataConnectorContentIdConnections1')]", + "kind": "ResourcesDataConnector", + "version": "[variables('dataConnectorCCPVersion')]", + "source": { + "sourceId": "[variables('_solutionId')]", + "name": "[variables('_solutionName')]", + "kind": "Solution" + }, + "author": { + "name": "Druva", + "email": "[variables('_email')]" + }, + "support": { + "name": "Druva Inc", + "email": "support@druva.com", + "tier": "Partner", + "link": "https://support.druva.com/" + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', 'DruvaSecurityEventsPolling')]", + "apiVersion": "2023-02-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "RestApiPoller", + "properties": { + "connectorDefinitionName": "DruvaEventCCPDefinition", + "dataType": "DruvaSecurityEvents_CL", + "dcrConfig": { + "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", + "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]", + "streamName": "Custom-DruvaSecurityEvents_CL" + }, + "auth": { + "type": "OAuth2", + "clientSecret": "[[parameters('ClientSecret')]", + "clientId": "[[parameters('ClientId')]", + "tokenEndpoint": "[[concat('https://', parameters('hostname'), '/token')]", + "tokenEndpointHeaders": { + "Accept": "application/json", + "Content-Type": "application/x-www-form-urlencoded", + "Authorization": 
"[[concat('Basic ', base64(concat(parameters('ClientId'), ':', parameters('ClientSecret'))))]" + }, + "TokenEndpointQueryParameters": {}, + "grantType": "client_credentials" + }, + "request": { + "apiEndpoint": "[[concat('https://', parameters('hostname'), '/realize/eventmanagement/v1/events/tracker')]", + "rateLimitQPS": 10, + "queryWindowInMin": 15, + "httpMethod": "GET", + "retryCount": 3, + "timeoutInSeconds": 30, + "headers": { + "Accept": "application/json" + } + }, + "paging": { + "pagingType": "PersistentToken", + "nextPageTokenJsonPath": "$.nextTrackerToken", + "nextPageParaName": "trackerToken" + }, + "response": { + "eventsJsonPaths": [ + "$.events" + ], + "format": "json" + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', 'DruvaPlatformEventsPolling')]", + "apiVersion": "2023-02-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "RestApiPoller", + "properties": { + "connectorDefinitionName": "DruvaEventCCPDefinition", + "dataType": "DruvaPlatformEvents_CL", + "dcrConfig": { + "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", + "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]", + "streamName": "Custom-DruvaPlatformEvents_CL" + }, + "auth": { + "type": "OAuth2", + "clientSecret": "[[parameters('ClientSecret')]", + "clientId": "[[parameters('ClientId')]", + "tokenEndpoint": "[[concat('https://', parameters('hostname'), '/token')]", + "tokenEndpointHeaders": { + "Accept": "application/json", + "Content-Type": "application/x-www-form-urlencoded", + "Authorization": "[[concat('Basic ', base64(concat(parameters('ClientId'), ':', parameters('ClientSecret'))))]" + }, + "TokenEndpointQueryParameters": {}, + "grantType": "client_credentials" + }, + "request": { + "apiEndpoint": "[[concat('https://', parameters('hostname'), 
'/platform/eventmanagement/v2/events')]", + "rateLimitQPS": 10, + "queryWindowInMin": 15, + "httpMethod": "GET", + "retryCount": 3, + "timeoutInSeconds": 30, + "headers": { + "Accept": "application/json" + } + }, + "paging": { + "pagingType": "PersistentToken", + "nextPageTokenJsonPath": "$.nextPageToken", + "nextPageParaName": "pageToken" + }, + "response": { + "eventsJsonPaths": [ + "$.events" + ], + "format": "json" + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', 'DruvaInsyncEventsPolling')]", + "apiVersion": "2023-02-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "RestApiPoller", + "properties": { + "connectorDefinitionName": "DruvaEventCCPDefinition", + "dataType": "DruvaInsyncEvents_CL", + "dcrConfig": { + "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", + "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]", + "streamName": "Custom-DruvaInsyncEvents_CL" + }, + "auth": { + "type": "OAuth2", + "clientSecret": "[[parameters('ClientSecret')]", + "clientId": "[[parameters('ClientId')]", + "tokenEndpoint": "[[concat('https://', parameters('hostname'), '/token')]", + "tokenEndpointHeaders": { + "Accept": "application/json", + "Content-Type": "application/x-www-form-urlencoded", + "Authorization": "[[concat('Basic ', base64(concat(parameters('ClientId'), ':', parameters('ClientSecret'))))]" + }, + "TokenEndpointQueryParameters": {}, + "grantType": "client_credentials" + }, + "request": { + "apiEndpoint": "[[concat('https://', parameters('hostname'), '/insync/eventmanagement/v2/events')]", + "rateLimitQPS": 10, + "queryWindowInMin": 15, + "httpMethod": "GET", + "retryCount": 3, + "timeoutInSeconds": 30, + "headers": { + "Accept": "application/json" + } + }, + "paging": { + "pagingType": "PersistentToken", + "nextPageTokenJsonPath": "$.tracker", + 
"nextPageParaName": "tracker" + }, + "response": { + "eventsJsonPaths": [ + "$.events" + ], + "format": "json" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "contentProductId": "[concat(take(variables('_solutionId'), 50),'-','rdc','-', uniqueString(concat(variables('_solutionId'),'-','ResourcesDataConnector','-',variables('_dataConnectorContentIdConnections1'),'-', variables('dataConnectorCCPVersion'))))]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "version": "[variables('dataConnectorCCPVersion')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", + "apiVersion": "2023-04-01-preview", + "location": "[parameters('workspace-location')]", + "properties": { + "version": "3.0.0", + "kind": "Solution", + "contentSchemaVersion": "3.0.0", + "displayName": "DruvaDataSecurityCloud", + "publisherDisplayName": "Druva Inc", + "descriptionHtml": "
Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe [Druva Event CCP Connector] solution provides the capability to ingest to ingest [Druva events]
\nData Connectors: 1, Playbooks: 5
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n", + "contentKind": "Solution", + "contentProductId": "[variables('_solutioncontentProductId')]", + "id": "[variables('_solutioncontentProductId')]", + "icon": "", + "contentId": "[variables('_solutionId')]", + "parentId": "[variables('_solutionId')]", + "source": { + "kind": "Solution", + "name": "DruvaDataSecurityCloud", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Druva", + "email": "[variables('_email')]" + }, + "support": { + "name": "Druva Inc", + "email": "support@druva.com", + "tier": "Partner", + "link": "https://support.druva.com/" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "kind": "Playbook", + "contentId": "[variables('_DruvaQuarantineEnterpriseWorkload')]", + "version": "[variables('playbookVersion1')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_DruvaQuarantineInsyncWorkloads')]", + "version": "[variables('playbookVersion2')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_DruvaQuarantineUsingResourceID')]", + "version": "[variables('playbookVersion3')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_DruvaQuarantineSharePoint')]", + "version": "[variables('playbookVersion4')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_DruvaQuarantineSharedDrive')]", + "version": "[variables('playbookVersion5')]" + }, + { + "kind": "DataConnector", + "contentId": "[variables('_dataConnectorContentIdConnections1')]", + "version": "[variables('dataConnectorCCPVersion')]" + } + ] + }, + "firstPublishDate": "2024-12-24", + "providers": [ + "Druva" + ], + "categories": { + "domains": [ + "Security - Others" + ] + } + }, + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]" + } + ], + "outputs": {} +} diff --git a/Solutions/DruvaDataSecurityCloud/Package/testParameters.json b/Solutions/DruvaDataSecurityCloud/Package/testParameters.json new file mode 100644 index 00000000000..554801e41b7 --- /dev/null 
+++ b/Solutions/DruvaDataSecurityCloud/Package/testParameters.json @@ -0,0 +1,38 @@ +{ + "location": { + "type": "string", + "minLength": 1, + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace" + } + }, + "workspace-location": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" + } + }, + "workspace": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" + } + }, + "resourceGroupName": { + "type": "string", + "defaultValue": "[resourceGroup().name]", + "metadata": { + "description": "resource group name where Microsoft Sentinel is setup" + } + }, + "subscription": { + "type": "string", + "defaultValue": "[last(split(subscription().id, '/'))]", + "metadata": { + "description": "subscription id where Microsoft Sentinel is setup" + } + } +} diff --git a/Solutions/DruvaDataSecurityCloud/Playbooks/DruvaQuarantineEnterpriseWorkload/README.md b/Solutions/DruvaDataSecurityCloud/Playbooks/DruvaQuarantineEnterpriseWorkload/README.md new file mode 100644 index 00000000000..e9850d52a09 --- /dev/null +++ b/Solutions/DruvaDataSecurityCloud/Playbooks/DruvaQuarantineEnterpriseWorkload/README.md 
@@ -0,0 +1,60 @@
+# Druva Quarantine Enterprise Workload Resource
+
+## Summary
+
+This playbook uses Druva-Ransomware-Response capabilities to stop the spread of ransomware and avoid reinfection or contamination spread to your environment.
+
+### Prerequisites
+
+1. Verify ARR (Accelerated Ransomeware Recovery) should be enabled for the respective Device using Resource ID on the [Druva Security Cloud Platform](https://console.druva.com/).
+2. Generate Druva API Client Credentials
+ * Use the following link to navigate to Druva's documentation page and refer the steps to generate API Client Credentials.
+ * [Druva's Documentation Page](https://help.druva.com/en/articles/8580838-create-and-manage-api-credentials)
+ * Copy/Paste or Store the creds for future use.
+3. Store Service account credentials in Key Vault Secrets and obtain keyvault name.
+ * Create a Key Vault with name as Druva-ClientCredential
+ * Go to KeyVault -> secrets -> Generate/import and create 'Druva-ClientID' & 'Druva-ClientSecret' for storing client_id and client_secret respectively.
+ * Store the secrets obtained for your organization and user from Druva Console UI in the previous step.
+
+### Deployment instructions
+
+1. To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
+2. Fill in the required parameters:
+ * PlaybookName: Name by which you want to deploy the playbook.
+ * keyvaultName: Name of keyvault where secrets are stored.
+3. Validate the deployment:
+ * Check if the resources (e.g., Key Vault, API connections, Logic Apps) are created successfully.
+ * Verify the deployment logs for any errors.
+4. Authorize connections:
+ * Follow the steps in the 'postDeployment' section to authorize connections.
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FDruvaDataSecurityCloud%2FPlaybooks%2FDruvaQuarantineEnterpriseWorkload%2Fazuredeploy.json) [![Deploy to Azure](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FDruvaDataSecurityCloud%2FPlaybooks%2FDruvaQuarantineEnterpriseWorkload%2Fazuredeploy.json)
+
+### Post-Deployment instructions
+
+#### a. Authorize connections
+
+Once deployment is complete, authorize each connection keyvault.
+
+1. Login to the Microsoft Azure protal and in the search box Type API Connections.
+2. Find API connection option.
+3. Check for your Created API connection exists. eg.