diff --git a/Solutions/Australian Cyber Security Centre/Playbooks/AusCtisExportTaggedIndicators/azuredeploy.json b/Solutions/Australian Cyber Security Centre/Playbooks/AusCtisExportTaggedIndicators/azuredeploy.json
index bd313b8b01f..2a6069ffa23 100644
--- a/Solutions/Australian Cyber Security Centre/Playbooks/AusCtisExportTaggedIndicators/azuredeploy.json
+++ b/Solutions/Australian Cyber Security Centre/Playbooks/AusCtisExportTaggedIndicators/azuredeploy.json
@@ -173,185 +173,203 @@ "For_each_IncidentID_create_a_Grouping": { "foreach": "@variables('IncidentIDLabelsForGrouping')", "actions": { - "Condition_to_check_if_Grouping_for_IncidentID_is_already_created": { + "Condition_to_check_if_Indicator_is_not_part_of_any_Incident_skip_Grouping": { "actions": { - "Append_to_array_TempIncidentArray": { - "runAfter": { - "Grouping_Object_Composition": [ - "Succeeded" - ] - }, - "type": "AppendToArrayVariable", - "inputs": { - "name": "TempIncidentIdArray", - "value": "@split(items('For_each_IncidentID_create_a_Grouping'), ';')[2]" - } - }, - "For_each_combination_extract_IndicatorId_and_MarkingRefObj": { - "foreach": "@body('Extract_Goruping_details_for_each_Indicatorids')", + "Condition_to_check_if_Grouping_for_IncidentID_is_already_created": { "actions": { - "Append_to_array_GroupingConfidence": { + "Append_to_array_TempIncidentArray": { "runAfter": { - "Append_to_array_GroupingIndicators": [ + "Grouping_Object_Composition": [ "Succeeded" ] }, "type": "AppendToArrayVariable", "inputs": { - "name": "GroupingConfidence", - "value": "@int(split(items('For_each_combination_extract_IndicatorId_and_MarkingRefObj'), ';')[1])" + "name": "TempIncidentIdArray", + "value": "@split(items('For_each_IncidentID_create_a_Grouping'), ';')[2]" } }, - "Append_to_array_GroupingDescription": { + "For_each_combination_extract_IndicatorId_and_MarkingRefObj": { + "foreach": "@body('Extract_Goruping_details_for_each_Indicatorids')", + "actions": { + "Append_to_array_GroupingConfidence": { + "runAfter": { + "Append_to_array_GroupingIndicators": [ + "Succeeded" + ] + }, + "type": "AppendToArrayVariable", + "inputs": { + "name": "GroupingConfidence", + "value": "@int(split(items('For_each_combination_extract_IndicatorId_and_MarkingRefObj'), ';')[1])" + } + }, + "Append_to_array_GroupingDescription": { + "runAfter": { + "Append_to_array_GroupingMarkingRefObjs": [ + "Succeeded" + ] + }, + "type": "AppendToArrayVariable", + "inputs": { + "name": 
"GroupingDescription", + "value": "@split(items('For_each_combination_extract_IndicatorId_and_MarkingRefObj'), ';')[4]" + } + }, + "Append_to_array_GroupingIndicators": { + "runAfter": {}, + "type": "AppendToArrayVariable", + "inputs": { + "name": "GroupingIndicators", + "value": "@split(items('For_each_combination_extract_IndicatorId_and_MarkingRefObj'), ';')[0]" + } + }, + "Append_to_array_GroupingMarkingRefObjs": { + "runAfter": { + "Append_to_array_GroupingConfidence": [ + "Succeeded" + ] + }, + "type": "AppendToArrayVariable", + "inputs": { + "name": "GroupingMarkingRefObjs", + "value": "@split(items('For_each_combination_extract_IndicatorId_and_MarkingRefObj'), ';')[3]" + } + } + }, + "runAfter": {}, + "type": "Foreach" + }, + "Grouping_Object_Composition": { + "actions": { + "Append_GroupObj_to_Indicators_array": { + "runAfter": { + "Compose_Group_Object": [ + "Succeeded" + ] + }, + "type": "AppendToArrayVariable", + "inputs": { + "name": "Indicators", + "value": "@outputs('Compose_Group_Object')" + } + }, + "Compose_Group_Object": { + "runAfter": {}, + "type": "Compose", + "inputs": { + "confidence": "@min(variables('GroupingConfidence'))", + "context": "suspicious-activity", + "created": "@formatDateTime(string(utcNow()), 'yyyy-MM-ddTHH:mm:ss.ffffffK')", + "created_by_ref": "@variables('CreatedByRefObjId')", + "description": "@first(variables('GroupingDescription'))", + "id": "grouping--@{guid()}", + "modified": "@formatDateTime(string(utcNow()), 'yyyy-MM-ddTHH:mm:ss.ffffffK')", + "object_marking_refs": "@union(variables('GroupingMarkingRefObjs'), variables('GroupingMarkingRefObjs'))", + "object_refs": "@union(variables('GroupingIndicators'), variables('GroupingIndicators'))", + "spec_version": "2.1", + "type": "grouping" + } + } + }, "runAfter": { - "Append_to_array_GroupingMarkingRefObjs": [ + "For_each_combination_extract_IndicatorId_and_MarkingRefObj": [ "Succeeded" ] }, - "type": "AppendToArrayVariable", - "inputs": { - "name": "GroupingDescription", 
- "value": "@split(items('For_each_combination_extract_IndicatorId_and_MarkingRefObj'), ';')[4]" - } + "type": "Scope" }, - "Append_to_array_GroupingIndicators": { - "runAfter": {}, - "type": "AppendToArrayVariable", + "Reset_Array_GroupingConfidence": { + "runAfter": { + "Reset_Array_GroupingIndicators": [ + "Succeeded" + ] + }, + "type": "SetVariable", "inputs": { - "name": "GroupingIndicators", - "value": "@split(items('For_each_combination_extract_IndicatorId_and_MarkingRefObj'), ';')[0]" + "name": "GroupingConfidence", + "value": [] } }, - "Append_to_array_GroupingMarkingRefObjs": { + "Reset_Array_GroupingDescription": { "runAfter": { - "Append_to_array_GroupingConfidence": [ + "Reset_Array_GroupingMarkingRefObjs": [ "Succeeded" ] }, - "type": "AppendToArrayVariable", + "type": "SetVariable", "inputs": { - "name": "GroupingMarkingRefObjs", - "value": "@split(items('For_each_combination_extract_IndicatorId_and_MarkingRefObj'), ';')[3]" + "name": "GroupingDescription", + "value": [] } - } - }, - "runAfter": {}, - "type": "Foreach" - }, - "Grouping_Object_Composition": { - "actions": { - "Append_GroupObj_to_Indicators_array": { + }, + "Reset_Array_GroupingIndicators": { "runAfter": { - "Compose_Group_Object": [ + "Append_to_array_TempIncidentArray": [ "Succeeded" ] }, - "type": "AppendToArrayVariable", + "type": "SetVariable", "inputs": { - "name": "Indicators", - "value": "@outputs('Compose_Group_Object')" + "name": "GroupingIndicators", + "value": [] } }, - "Compose_Group_Object": { - "runAfter": {}, - "type": "Compose", + "Reset_Array_GroupingMarkingRefObjs": { + "runAfter": { + "Reset_Array_GroupingConfidence": [ + "Succeeded" + ] + }, + "type": "SetVariable", "inputs": { - "confidence": "@min(variables('GroupingConfidence'))", - "context": "suspicious-activity", - "created": "@formatDateTime(string(utcNow()), 'yyyy-MM-ddTHH:mm:ss.ffffffK')", - "created_by_ref": "@variables('CreatedByRefObjId')", - "description": "@first(variables('GroupingDescription'))", - 
"id": "grouping--@{guid()}", - "modified": "@formatDateTime(string(utcNow()), 'yyyy-MM-ddTHH:mm:ss.ffffffK')", - "object_marking_refs": "@union(variables('GroupingMarkingRefObjs'), variables('GroupingMarkingRefObjs'))", - "object_refs": "@union(variables('GroupingIndicators'), variables('GroupingIndicators'))", - "spec_version": "2.1", - "type": "grouping" + "name": "GroupingMarkingRefObjs", + "value": [] } } }, "runAfter": { - "For_each_combination_extract_IndicatorId_and_MarkingRefObj": [ - "Succeeded" - ] - }, - "type": "Scope" - }, - "Reset_Array_GroupingConfidence": { - "runAfter": { - "Reset_Array_GroupingDescription": [ - "Succeeded" - ] - }, - "type": "SetVariable", - "inputs": { - "name": "GroupingConfidence", - "value": [] - } - }, - "Reset_Array_GroupingDescription": { - "runAfter": { - "Reset_Array_GroupingMarkingRefObjs": [ + "Extract_Goruping_details_for_each_Indicatorids": [ "Succeeded" ] }, - "type": "SetVariable", - "inputs": { - "name": "GroupingDescription", - "value": [] - } - }, - "Reset_Array_GroupingIndicators": { - "runAfter": { - "Append_to_array_TempIncidentArray": [ - "Succeeded" + "expression": { + "and": [ + { + "not": { + "equals": [ + "@contains(variables('TempIncidentIdArray'), split(items('For_each_IncidentID_create_a_Grouping'), ';')[2])", + "@true" + ] + } + } ] }, - "type": "SetVariable", - "inputs": { - "name": "GroupingIndicators", - "value": [] - } + "type": "If" }, - "Reset_Array_GroupingMarkingRefObjs": { - "runAfter": { - "Reset_Array_GroupingIndicators": [ - "Succeeded" - ] - }, - "type": "SetVariable", + "Extract_Goruping_details_for_each_Indicatorids": { + "runAfter": {}, + "type": "Query", "inputs": { - "name": "GroupingMarkingRefObjs", - "value": [] + "from": "@variables('IncidentIDLabelsForGrouping')", + "where": "@equals(split(items('For_each_IncidentID_create_a_Grouping'), ';')[2], split(item(), ';')[2])" } } }, - "runAfter": { - "Extract_Goruping_details_for_each_Indicatorids": [ - "Succeeded" - ] - }, + 
"runAfter": {}, "expression": { "and": [ { "not": { "equals": [ - "@contains(variables('TempIncidentIdArray'), split(items('For_each_IncidentID_create_a_Grouping'), ';')[2])", - "@true" + "@split(items('For_each_IncidentID_create_a_Grouping'), ';')[2]", + "NoIncident" ] } } ] }, "type": "If" - }, - "Extract_Goruping_details_for_each_Indicatorids": { - "runAfter": {}, - "type": "Query", - "inputs": { - "from": "@variables('IncidentIDLabelsForGrouping')", - "where": "@equals(split(items('For_each_IncidentID_create_a_Grouping'), ';')[2], split(item(), ';')[2])" - } } }, "runAfter": {},
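Review bot: The four `Reset_Array_Grouping*` actions only run once `Append_to_array_TempIncidentArray` has `Succeeded`, so if the inner loop or `Grouping_Object_Composition` fails for one incident (for instance `int(split(...)[1])` on a non-numeric confidence field), the partially filled arrays are never cleared. Assuming the outer loop carries on with the remaining incidents, the next grouping would then be composed with the previous incident's indicator ids and `object_marking_refs`, which matters for an export where the markings govern onward sharing. Resetting the arrays before `For_each_combination_extract_IndicatorId_and_MarkingRefObj` instead of after it would avoid this, or the first reset's dependency could be widened to `"Append_to_array_TempIncidentArray": ["Succeeded", "Failed", "Skipped", "TimedOut"]`. The definition of `For_each_IncidentID_create_a_Grouping` continues outside the hunk, so whether it is configured to run sequentially (these shared variables assume it is) cannot be confirmed from here.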