diff --git a/Solutions/Australian Cyber Security Centre/Data/system_generated_metadata.json b/Solutions/Australian Cyber Security Centre/Data/system_generated_metadata.json
new file mode 100644
index 00000000000..5987ce4f7d1
--- /dev/null
+++ b/Solutions/Australian Cyber Security Centre/Data/system_generated_metadata.json
@@ -0,0 +1,31 @@
+{
+ "Name": "Australian Cyber Security Centre",
+ "Author": "Microsoft - support@microsoft.com",
+ "Logo": "
",
+ "Description": "This solution allows customers to share threat intelligence with the Australian Cyber Security Centre (ACSC) through the Cyber Threat Intelligence Sharing (CTIS) program. This solution contains a playbook that can be used to get indicators from Microsoft Sentinel and convert them into STIX bundles to be posted to the CTIS TAXII 2.1 server as a Contributing Partner. This solution is only available to deeded ACSC partners that have completed onboarding to the CTIS program. Credentials will be provided during the onboarding process. For more information please contact community@ctis-au.org or visit the [ACSC Partner Portal](https://partners.cyber.gov.au/login?ec=302&startURL=%2Fs%2F).",
+ "Metadata": "SolutionMetadata.json",
+ "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Australian Cyber Security Centre\\",
+ "Version": "3.0.2",
+ "TemplateSpec": true,
+ "Is1PConnector": true,
+ "publisherId": "azuresentinel",
+ "offerId": "azure-sentinel-solution-australiancybersecurity",
+ "providers": [
+ "Australian Cyber Security Centre"
+ ],
+ "categories": {
+ "domains": [
+ "Security - Threat Intelligence"
+ ]
+ },
+ "firstPublishDate": "2022-11-23",
+ "support": {
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "tier": "Microsoft",
+ "link": "https://support.microsoft.com"
+ },
+ "Playbooks": [
+ "Playbooks/AusCtisExportTaggedIndicators/azuredeploy.json"
+ ]
+}
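Review bot: `BasePath` on the line `"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Australian Cyber Security Centre\\"` commits a machine-specific absolute path from one workstation into the repository, so any other checkout location or CI runner that reads this metadata gets a path that does not exist. If the packaging pipeline writes this file, that generator should emit a repository-relative path such as `Solutions/Australian Cyber Security Centre/`, otherwise the field should be dropped from the committed copy. The `Logo` value a few lines above appears empty and split across a raw line break, which a strict JSON parser rejects; this may be an artifact of how the diff was captured, so confirm the committed file parses with something like `python -m json.tool`. The phrase "deeded ACSC partners" in the description reads as a likely typo and is repeated verbatim in the createUiDefinition.json hunk below, so if it needs correcting, fix it in the metadata the tooling reads rather than in each generated copy.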
diff --git a/Solutions/Australian Cyber Security Centre/Package/3.0.2.zip b/Solutions/Australian Cyber Security Centre/Package/3.0.2.zip
index 9bf4ad46028..1f695679556 100644
Binary files a/Solutions/Australian Cyber Security Centre/Package/3.0.2.zip and b/Solutions/Australian Cyber Security Centre/Package/3.0.2.zip differ
diff --git a/Solutions/Australian Cyber Security Centre/Package/createUiDefinition.json b/Solutions/Australian Cyber Security Centre/Package/createUiDefinition.json
index 363760b46db..cd62ffa9a4f 100644
--- a/Solutions/Australian Cyber Security Centre/Package/createUiDefinition.json
+++ b/Solutions/Australian Cyber Security Centre/Package/createUiDefinition.json
@@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
- "description": "
\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Australian%20Cyber%20Security%20Centre/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThis solution allows customers to share threat intelligence with the Australian Cyber Security Centre (ACSC) through the Cyber Threat Intelligence Sharing (CTIS) program. This solution contains a playbook that can be used to get indicators from Microsoft Sentinel and convert them into STIX bundles to be posted to the CTIS TAXII 2.1 server as a Contributing Partner. This solution is only available to deeded ACSC partners that have completed onboarding to the CTIS program. Credentials will be provided during the onboarding process. For more information please contact community@ctis-au.org or visit the [ACSC Partner Portal](https://partners.cyber.gov.au/login?ec=302&startURL=%2Fs%2F).\n\n**Playbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": "
\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThis solution allows customers to share threat intelligence with the Australian Cyber Security Centre (ACSC) through the Cyber Threat Intelligence Sharing (CTIS) program. This solution contains a playbook that can be used to get indicators from Microsoft Sentinel and convert them into STIX bundles to be posted to the CTIS TAXII 2.1 server as a Contributing Partner. This solution is only available to deeded ACSC partners that have completed onboarding to the CTIS program. Credentials will be provided during the onboarding process. For more information please contact community@ctis-au.org or visit the [ACSC Partner Portal](https://partners.cyber.gov.au/login?ec=302&startURL=%2Fs%2F).\n\n**Playbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
diff --git a/Solutions/Australian Cyber Security Centre/Package/mainTemplate.json b/Solutions/Australian Cyber Security Centre/Package/mainTemplate.json
index 361b09b2f1a..07f380d23e3 100644
--- a/Solutions/Australian Cyber Security Centre/Package/mainTemplate.json
+++ b/Solutions/Australian Cyber Security Centre/Package/mainTemplate.json
@@ -30,12 +30,12 @@
}
},
"variables": {
+ "solutionId": "azuresentinel.azure-sentinel-solution-australiancybersecurity",
+ "_solutionId": "[variables('solutionId')]",
"email": "support@microsoft.com",
"_email": "[variables('email')]",
"_solutionName": "Australian Cyber Security Centre",
"_solutionVersion": "3.0.2",
- "solutionId": "azuresentinel.azure-sentinel-solution-australiancybersecurity",
- "_solutionId": "[variables('solutionId')]",
"AusCtisExportTaggedIndicators": "AusCtisExportTaggedIndicators",
"_AusCtisExportTaggedIndicators": "[variables('AusCtisExportTaggedIndicators')]",
"TemplateEmptyArray": "[json('[]')]",
@@ -215,181 +215,198 @@
"For_each_IncidentID_create_a_Grouping": {
"foreach": "@variables('IncidentIDLabelsForGrouping')",
"actions": {
- "Condition_to_check_if_Grouping_for_IncidentID_is_already_created": {
+ "Condition_to_check_if_Indicator_is_not_part_of_any_Incident_skip_Grouping": {
"actions": {
- "Append_to_array_TempIncidentArray": {
- "runAfter": {
- "Grouping_Object_Composition": [
- "Succeeded"
- ]
- },
- "type": "AppendToArrayVariable",
- "inputs": {
- "name": "TempIncidentIdArray",
- "value": "@split(items('For_each_IncidentID_create_a_Grouping'), ';')[2]"
- }
- },
- "For_each_combination_extract_IndicatorId_and_MarkingRefObj": {
- "foreach": "@body('Extract_Goruping_details_for_each_Indicatorids')",
+ "Condition_to_check_if_Grouping_for_IncidentID_is_already_created": {
"actions": {
- "Append_to_array_GroupingConfidence": {
+ "Append_to_array_TempIncidentArray": {
"runAfter": {
- "Append_to_array_GroupingIndicators": [
+ "Grouping_Object_Composition": [
"Succeeded"
]
},
"type": "AppendToArrayVariable",
"inputs": {
- "name": "GroupingConfidence",
- "value": "@int(split(items('For_each_combination_extract_IndicatorId_and_MarkingRefObj'), ';')[1])"
+ "name": "TempIncidentIdArray",
+ "value": "@split(items('For_each_IncidentID_create_a_Grouping'), ';')[2]"
}
},
- "Append_to_array_GroupingDescription": {
+ "For_each_combination_extract_IndicatorId_and_MarkingRefObj": {
+ "foreach": "@body('Extract_Goruping_details_for_each_Indicatorids')",
+ "actions": {
+ "Append_to_array_GroupingConfidence": {
+ "runAfter": {
+ "Append_to_array_GroupingIndicators": [
+ "Succeeded"
+ ]
+ },
+ "type": "AppendToArrayVariable",
+ "inputs": {
+ "name": "GroupingConfidence",
+ "value": "@int(split(items('For_each_combination_extract_IndicatorId_and_MarkingRefObj'), ';')[1])"
+ }
+ },
+ "Append_to_array_GroupingDescription": {
+ "runAfter": {
+ "Append_to_array_GroupingMarkingRefObjs": [
+ "Succeeded"
+ ]
+ },
+ "type": "AppendToArrayVariable",
+ "inputs": {
+ "name": "GroupingDescription",
+ "value": "@split(items('For_each_combination_extract_IndicatorId_and_MarkingRefObj'), ';')[4]"
+ }
+ },
+ "Append_to_array_GroupingIndicators": {
+ "type": "AppendToArrayVariable",
+ "inputs": {
+ "name": "GroupingIndicators",
+ "value": "@split(items('For_each_combination_extract_IndicatorId_and_MarkingRefObj'), ';')[0]"
+ }
+ },
+ "Append_to_array_GroupingMarkingRefObjs": {
+ "runAfter": {
+ "Append_to_array_GroupingConfidence": [
+ "Succeeded"
+ ]
+ },
+ "type": "AppendToArrayVariable",
+ "inputs": {
+ "name": "GroupingMarkingRefObjs",
+ "value": "@split(items('For_each_combination_extract_IndicatorId_and_MarkingRefObj'), ';')[3]"
+ }
+ }
+ },
+ "type": "Foreach"
+ },
+ "Grouping_Object_Composition": {
+ "actions": {
+ "Append_GroupObj_to_Indicators_array": {
+ "runAfter": {
+ "Compose_Group_Object": [
+ "Succeeded"
+ ]
+ },
+ "type": "AppendToArrayVariable",
+ "inputs": {
+ "name": "Indicators",
+ "value": "@outputs('Compose_Group_Object')"
+ }
+ },
+ "Compose_Group_Object": {
+ "type": "Compose",
+ "inputs": {
+ "confidence": "@min(variables('GroupingConfidence'))",
+ "context": "suspicious-activity",
+ "created": "@formatDateTime(string(utcNow()), 'yyyy-MM-ddTHH:mm:ss.ffffffK')",
+ "created_by_ref": "@variables('CreatedByRefObjId')",
+ "description": "@first(variables('GroupingDescription'))",
+ "id": "grouping--@{guid()}",
+ "modified": "@formatDateTime(string(utcNow()), 'yyyy-MM-ddTHH:mm:ss.ffffffK')",
+ "object_marking_refs": "@union(variables('GroupingMarkingRefObjs'), variables('GroupingMarkingRefObjs'))",
+ "object_refs": "@union(variables('GroupingIndicators'), variables('GroupingIndicators'))",
+ "spec_version": "2.1",
+ "type": "grouping"
+ }
+ }
+ },
"runAfter": {
- "Append_to_array_GroupingMarkingRefObjs": [
+ "For_each_combination_extract_IndicatorId_and_MarkingRefObj": [
"Succeeded"
]
},
- "type": "AppendToArrayVariable",
- "inputs": {
- "name": "GroupingDescription",
- "value": "@split(items('For_each_combination_extract_IndicatorId_and_MarkingRefObj'), ';')[4]"
- }
+ "type": "Scope"
},
- "Append_to_array_GroupingIndicators": {
- "type": "AppendToArrayVariable",
+ "Reset_Array_GroupingConfidence": {
+ "runAfter": {
+ "Reset_Array_GroupingIndicators": [
+ "Succeeded"
+ ]
+ },
+ "type": "SetVariable",
"inputs": {
- "name": "GroupingIndicators",
- "value": "@split(items('For_each_combination_extract_IndicatorId_and_MarkingRefObj'), ';')[0]"
+ "name": "GroupingConfidence",
+ "value": "[variables('TemplateEmptyArray')]"
}
},
- "Append_to_array_GroupingMarkingRefObjs": {
+ "Reset_Array_GroupingDescription": {
"runAfter": {
- "Append_to_array_GroupingConfidence": [
+ "Reset_Array_GroupingMarkingRefObjs": [
"Succeeded"
]
},
- "type": "AppendToArrayVariable",
+ "type": "SetVariable",
"inputs": {
- "name": "GroupingMarkingRefObjs",
- "value": "@split(items('For_each_combination_extract_IndicatorId_and_MarkingRefObj'), ';')[3]"
+ "name": "GroupingDescription",
+ "value": "[variables('TemplateEmptyArray')]"
}
- }
- },
- "type": "Foreach"
- },
- "Grouping_Object_Composition": {
- "actions": {
- "Append_GroupObj_to_Indicators_array": {
+ },
+ "Reset_Array_GroupingIndicators": {
"runAfter": {
- "Compose_Group_Object": [
+ "Append_to_array_TempIncidentArray": [
"Succeeded"
]
},
- "type": "AppendToArrayVariable",
+ "type": "SetVariable",
"inputs": {
- "name": "Indicators",
- "value": "@outputs('Compose_Group_Object')"
+ "name": "GroupingIndicators",
+ "value": "[variables('TemplateEmptyArray')]"
}
},
- "Compose_Group_Object": {
- "type": "Compose",
+ "Reset_Array_GroupingMarkingRefObjs": {
+ "runAfter": {
+ "Reset_Array_GroupingConfidence": [
+ "Succeeded"
+ ]
+ },
+ "type": "SetVariable",
"inputs": {
- "confidence": "@min(variables('GroupingConfidence'))",
- "context": "suspicious-activity",
- "created": "@formatDateTime(string(utcNow()), 'yyyy-MM-ddTHH:mm:ss.ffffffK')",
- "created_by_ref": "@variables('CreatedByRefObjId')",
- "description": "@first(variables('GroupingDescription'))",
- "id": "grouping--@{guid()}",
- "modified": "@formatDateTime(string(utcNow()), 'yyyy-MM-ddTHH:mm:ss.ffffffK')",
- "object_marking_refs": "@union(variables('GroupingMarkingRefObjs'), variables('GroupingMarkingRefObjs'))",
- "object_refs": "@union(variables('GroupingIndicators'), variables('GroupingIndicators'))",
- "spec_version": "2.1",
- "type": "grouping"
+ "name": "GroupingMarkingRefObjs",
+ "value": "[variables('TemplateEmptyArray')]"
}
}
},
"runAfter": {
- "For_each_combination_extract_IndicatorId_and_MarkingRefObj": [
- "Succeeded"
- ]
- },
- "type": "Scope"
- },
- "Reset_Array_GroupingConfidence": {
- "runAfter": {
- "Reset_Array_GroupingDescription": [
- "Succeeded"
- ]
- },
- "type": "SetVariable",
- "inputs": {
- "name": "GroupingConfidence",
- "value": "[variables('TemplateEmptyArray')]"
- }
- },
- "Reset_Array_GroupingDescription": {
- "runAfter": {
- "Reset_Array_GroupingMarkingRefObjs": [
+ "Extract_Goruping_details_for_each_Indicatorids": [
"Succeeded"
]
},
- "type": "SetVariable",
- "inputs": {
- "name": "GroupingDescription",
- "value": "[variables('TemplateEmptyArray')]"
- }
- },
- "Reset_Array_GroupingIndicators": {
- "runAfter": {
- "Append_to_array_TempIncidentArray": [
- "Succeeded"
+ "expression": {
+ "and": [
+ {
+ "not": {
+ "equals": [
+ "@contains(variables('TempIncidentIdArray'), split(items('For_each_IncidentID_create_a_Grouping'), ';')[2])",
+ "@true"
+ ]
+ }
+ }
]
},
- "type": "SetVariable",
- "inputs": {
- "name": "GroupingIndicators",
- "value": "[variables('TemplateEmptyArray')]"
- }
+ "type": "If"
},
- "Reset_Array_GroupingMarkingRefObjs": {
- "runAfter": {
- "Reset_Array_GroupingIndicators": [
- "Succeeded"
- ]
- },
- "type": "SetVariable",
+ "Extract_Goruping_details_for_each_Indicatorids": {
+ "type": "Query",
"inputs": {
- "name": "GroupingMarkingRefObjs",
- "value": "[variables('TemplateEmptyArray')]"
+ "from": "@variables('IncidentIDLabelsForGrouping')",
+ "where": "@equals(split(items('For_each_IncidentID_create_a_Grouping'), ';')[2], split(item(), ';')[2])"
}
}
},
- "runAfter": {
- "Extract_Goruping_details_for_each_Indicatorids": [
- "Succeeded"
- ]
- },
"expression": {
"and": [
{
"not": {
"equals": [
- "@contains(variables('TempIncidentIdArray'), split(items('For_each_IncidentID_create_a_Grouping'), ';')[2])",
- "@true"
+ "@split(items('For_each_IncidentID_create_a_Grouping'), ';')[2]",
+ "NoIncident"
]
}
}
]
},
"type": "If"
- },
- "Extract_Goruping_details_for_each_Indicatorids": {
- "type": "Query",
- "inputs": {
- "from": "@variables('IncidentIDLabelsForGrouping')",
- "where": "@equals(split(items('For_each_IncidentID_create_a_Grouping'), ';')[2], split(item(), ';')[2])"
- }
}
},
"type": "Foreach",
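Review bot: The new outer condition `Condition_to_check_if_Indicator_is_not_part_of_any_Incident_skip_Grouping` gates grouping on the literal `"NoIncident"` appearing as the third `;`-separated field of each `IncidentIDLabelsForGrouping` entry, yet nothing in the hunk records that this sentinel is what the producer of that variable writes for unlinked indicators, and the same positional `split(..., ';')[2]` convention is relied on again in the `Extract_Goruping_details_for_each_Indicatorids` query; a mismatch in sentinel spelling or field order would silently produce no groupings rather than fail. Since mainTemplate.json is presumably regenerated by the packaging tool from `Playbooks/AusCtisExportTaggedIndicators/azuredeploy.json` (the playbook listed in this diff's solution metadata), the right place to document the layout is that playbook, e.g. a description on the variable along the lines of `Entries are 'indicatorId;confidence;incidentId or NoIncident;markingRefObj;description'` — a constructed example inferred from the indices used here, so align it with the actual producer. On the moved but unchanged `Compose_Group_Object`, STIX 2.1 as I recall requires `created`/`modified` to carry exactly three fractional-second digits, whereas `'yyyy-MM-ddTHH:mm:ss.ffffffK'` emits six; worth confirming against the CTIS TAXII server's validation before the next revision. The enclosing workflow definition starts and continues outside the hunk.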