
@hazcod
Created February 10, 2024 22:52
{
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"actions": {
"Condition": {
"actions": {
"Terminate": {
"inputs": {
"runStatus": "Cancelled"
},
"runAfter": {},
"type": "Terminate"
}
},
"else": {
"actions": {
"Create_incident": {
"inputs": {
"body": {
"description": "An Office window was loaded for an account from a Referer that is not a legitimate Microsoft login domain, indicating a possible AiTM (adversary-in-the-middle) phishing attack such as evilginx2.\n\nReferer: @{triggerOutputs()?['headers']?['Referer']}\n\nNote: the Referer header is client-supplied and can be suppressed or spoofed by the attacker's proxy, so treat this as a lead to triage (correlate with sign-in logs for the affected account), not as proof of compromise.",
"severity": "High",
"status": "New",
"title": "AiTM Phishing Attempt detected"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "put",
"path": "/Incidents/subscriptions/@{encodeURIComponent('SUBSCRIPTION-ID-HERE')}/resourceGroups/@{encodeURIComponent('SIEM')}/workspaces/@{encodeURIComponent('WORKSPACE-NAME-HERE')}"
},
"runAfter": {},
"type": "ApiConnection"
}
}
},
"expression": {
"or": [
{
"startsWith": [
"@triggerOutputs()?['headers']?['Referer']",
"https://login.microsoftonline.com/"
]
},
{
"startsWith": [
"@triggerOutputs()?['headers']?['Referer']",
"https://login.microsoft.com/"
]
},
{
"not": {
"startsWith": [
"@triggerOutputs()?['headers']?['Referer']",
"h"
]
}
}
]
},
"runAfter": {},
"type": "If"
}
},
"contentVersion": "1.0.0.0",
"outputs": {},
"parameters": {
"$connections": {
"defaultValue": {},
"type": "Object"
}
},
"triggers": {
"manual": {
"conditions": [],
"inputs": {
"method": "GET",
"relativePath": "/"
},
"kind": "Http",
"type": "Request"
}
}
},
"parameters": {
"$connections": {
"value": {
"azuresentinel": {
"connectionId": "/subscriptions/SUBSCRIPTION-ID-HERE/resourceGroups/SIEM/providers/Microsoft.Web/connections/azuresentinel",
"connectionName": "azuresentinel",
"id": "/subscriptions/SUBSCRIPTION-ID-HERE/providers/Microsoft.Web/locations/westeurope/managedApis/azuresentinel"
}
}
}
}
}