Cisco Firepower Carbon Black gallery alignments

+ small corrections for Azure Firewall and Cisco ASA

Playbooks/AzureFirewall/AzureFirewall-BlockIP-addToIPGroup/azuredeploy.json

@@ -2,7 +2,7 @@
   "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
   "contentVersion": "1.0.0.0",
   "metadata": {
-    "title": "BlockIP - Azure Firewall IP groups", 
+    "title": "Block IP - Azure Firewall IP groups", 
     "description": "This playbook allows blocking/allowing IPs in Azure Firewall. It allows to make changes on IP groups, which are attached to rules, instead of make direct changes on Azure Firewall. It also allows using the same IP group for multiple firewalls. [Learn more about IP Groups in Azure Firewall](https://docs.microsoft.com/azure/firewall/ip-groups)<br> When a new Sentinel incident is created: 1. An adaptive card is sent to the SOC channel providing IP address, Virus Total report , showing list of existing firewalls in the Resource group and providing an option to add IP Address to IPGroups or Ignore. 1. If SOC user confirms yes, the IP Address gets added to IPGroups under IPAddress section and incident will get updates with endpoint information, summary of the action taken and virus total scan report. 1. Else, incident will get updates with endpoint information and summary of the action taken.",
     "prerequisites": " 1. Create IP Groups and attach them to Azure Firewall rules. 1. Create a Service Principal which the Azure Firewall connector will use, and grant Contributor permissions to it on the IP groups. ['Detailed instructions'](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AzureFirewall/AzureFirewallConnector#azure-active-directory-service-principal)  1. Deploy Azure Firewall Logic Apps custom connector under the same resource group (see link below). 1. **Permissions required for this playbook** This playbook **Gets** and **Updates** IP groups. 1. To use VirusTotal connector in this playbook, get your [Virus Total API key](https://developers.virustotal.com/v3.0/reference#getting-started). Otherwise, erase these steps or replace them with other TI sources.",
     "prerequisitesDeployTemplateFile": "../AzureFirewallConnector/azuredeploy.json",

Playbooks/CarbonBlack/Playbooks/CarbonBlack-DeviceEnrichment/azuredeploy.json

@@ -2,15 +2,26 @@
   "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
   "contentVersion": "1.0.0.0",
   "metadata": {
-    "comments": "This playbook used to enrich sentinel incident with device information",
-    "author": "Dharma Reddy, CarbonBlack"
-  },
+    "title": "Endpoint enrichment - Carbon Black", 
+    "description": "This playbook will quarantine the host in Carbon Black. When a new Azure Sentinel incident is created, this playbook: 1. Fetches the device information from Carbon Black 2. Enriches the incident with device information from Carbon Black",
+    "prerequisites": "1. CarbonBlack Custom Connector needs to be deployed prior to the deployment of this playbook under the same resource group. 2. Generate an API key. Refer this link [ how to generate the API Key](https://developer.carbonblack.com/reference/carbon-black-cloud/authentication/#creating-an-api-key) 3. [Find Organziation key](https://developer.carbonblack.com/reference/carbon-black-cloud/authentication/#creating-an-api-key)",
+    "prerequisitesDeployTemplateFile": "../CarbonBlackConnector/azuredeploy.json",
+    "lastUpdateTime": "2021-06-19T00:00:00.000Z", 
+    "entities": ["Host"], 
+    "tags": ["Enrichment"], 
+    "support": {
+        "tier": "community" 
+    },
+    "author": {
+        "name": "Accenture"
+    }
+},
   "parameters": {
-    "Playbook Name": {
-      "defaultValue": "CarbonBlack-DeviceEnrichment",
+    "PlaybookName": {
+      "defaultValue": "EndpointEnrichment-CarbonBlack",
       "type": "string",
       "metadata": {
-        "description": "Name of the Logic App/Playbook"
+        "description": "Name of the Logic Apps resource to be created"
       }
     },
     "OrganizationKey": {
@@ -22,9 +33,9 @@
     }
   },
   "variables": {
-    "AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('Playbook Name'))]",
-    "CarbonBlackConnectionName": "[concat('CarbonBlackCloudConnector-', parameters('Playbook Name'))]",
-    "TeamsConnectionName": "[concat('teamsconnector-', parameters('Playbook Name'))]"
+    "AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]",
+    "CarbonBlackConnectionName": "[concat('CarbonBlackCloudConnector-', parameters('PlaybookName'))]",
+    "TeamsConnectionName": "[concat('teamsconnector-', parameters('PlaybookName'))]"
   },
   "resources": [
     {
@@ -54,12 +65,16 @@
     {
       "type": "Microsoft.Logic/workflows",
       "apiVersion": "2017-07-01",
-      "name": "[parameters('Playbook Name')]",
+      "name": "[parameters('PlaybookName')]",
       "location": "[resourceGroup().location]",
       "dependsOn": [
         "[resourceId('Microsoft.Web/connections', variables('CarbonBlackConnectionName'))]",
         "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]"
       ],
+      "tags": {
+        "hidden-SentinelTemplateName": "EndpointEnrichment-CarbonBlack",
+        "hidden-SentinelTemplateVersion": "1.0"
+    },
       "properties": {
         "state": "Enabled",
         "definition": {

Playbooks/CarbonBlack/Playbooks/CarbonBlack-DeviceEnrichment/readme.md

@@ -2,10 +2,10 @@
  ## Summary
  When a new sentinal incident is created,this playbook gets triggered and performs below actions
  1. Fetches the devices information from CarbonBlack
- 2. Enrich the incident with device information by adding a comment to the incident
-     ![Comment example](./Incident_Comment.png)
-
-![CarbonBlack-Enrich Incident With devices information](./CarbonBlack_Enrichment.png)
+ 2. Enrich the incident with device information by adding a comment to the incident<br>
+     ![Comment example](./images/Incident_Comment.png)
+<br>
+![CarbonBlack-Enrich Incident With devices information](./images/designerOverviewLight.png)
 ### Prerequisites 
 1. CarbonBlack Custom Connector needs to be deployed prior to the deployment of this playbook under the same subscription.
 2. Generate an API key.Refer this link [ how to generate the API Key](https://developer.carbonblack.com/reference/carbon-black-cloud/authentication/#creating-an-api-key)

Playbooks/CarbonBlack/Playbooks/CarbonBlack-QuarantineDevice/azuredeploy.json

@@ -2,15 +2,26 @@
   "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
   "contentVersion": "1.0.0.0",
   "metadata": {
-    "comments": "This playbook automatically quarantine the device and enrich sentinel incident with device information.",
-    "author": "Dharma Reddy, CarbonBlack"
-  },
+    "title": "Isolate endpoint - Carbon Black", 
+    "description": "This playbook will quarantine the host in Carbon Black. When a new Azure Sentinel incident is created, this playbook: 1. Fetches the device information from Carbon Black 2. Quarantines host  3. Enriches the incident with device information from Carbon Black",
+    "prerequisites": "1. CarbonBlack Custom Connector needs to be deployed prior to the deployment of this playbook under the same resource group. 2. Generate an API key. Refer this link [ how to generate the API Key](https://developer.carbonblack.com/reference/carbon-black-cloud/authentication/#creating-an-api-key) 3. [Find Organziation key](https://developer.carbonblack.com/reference/carbon-black-cloud/authentication/#creating-an-api-key)",
+    "prerequisitesDeployTemplateFile": "../CarbonBlackConnector/azuredeploy.json",
+    "lastUpdateTime": "2021-06-19T00:00:00.000Z", 
+    "entities": ["Host"], 
+    "tags": ["Remediation"], 
+    "support": {
+        "tier": "community" 
+    },
+    "author": {
+        "name": "Accenture"
+    }
+},
   "parameters": {
-    "Playbook Name": {
-      "defaultValue": "CarbonBlack-QuarantineDevice",
+    "PlaybookName": {
+      "defaultValue": "IsolateEndpoint-CarbonBlack",
       "type": "string",
       "metadata": {
-        "description": "Name of the Logic App/Playbook"
+        "description": "Name of the Logic Apps resource to be created"
       }
     },
     "OrganizationKey": {
@@ -22,8 +33,8 @@
     }
   },
   "variables": {
-    "AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('Playbook Name'))]",
-    "CarbonBlackConnectionName": "[concat('CarbonBlackCloudConnector-', parameters('Playbook Name'))]"
+    "AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]",
+    "CarbonBlackConnectionName": "[concat('CarbonBlackCloudConnector-', parameters('PlaybookName'))]"
   },
   "resources": [
     {
@@ -43,6 +54,10 @@
       "apiVersion": "2016-06-01",
       "name": "[variables('AzureSentinelConnectionName')]",
       "location": "[resourceGroup().location]",
+      "tags": {
+        "hidden-SentinelTemplateName": "IsolateEndpoint-CarbonBlack",
+        "hidden-SentinelTemplateVersion": "1.0"
+    },
       "properties": {
         "customParameterValues": {},
         "api": {
@@ -53,7 +68,7 @@
     {
       "type": "Microsoft.Logic/workflows",
       "apiVersion": "2017-07-01",
-      "name": "[parameters('Playbook Name')]",
+      "name": "[parameters('PlaybookName')]",
       "location": "[resourceGroup().location]",
       "dependsOn": [
         "[resourceId('Microsoft.Web/connections', variables('CarbonBlackConnectionName'))]",

Playbooks/CarbonBlack/Playbooks/CarbonBlack-QuarantineDevice/readme.md

@@ -3,10 +3,12 @@
  When a new sentinal incident is created,this playbook gets triggered and performs below actions
  1. Fetches the devices information from CarbonBlack
  2. Quarantine the device
- 2. Enrich the incident with device information by fetching from CarbonBlack
+ 3. Enrich the incident with device information by fetching from CarbonBlack<br>
+    ![CarbonBlack-Enrich Incident With devices information](./images/Incident_Comment.png)
 
 
-![CarbonBlack-Enrich Incident With devices information](./CarbonBlack-QuarantineDevice.png)
+![CarbonBlack-Enrich Incident With devices information](./images/designerOverviewLight1.png)<br>
+![CarbonBlack-Enrich Incident With devices information](./images/designerOverviewLight2.png)
 
 ### Prerequisites 
 1. CarbonBlack Custom Connector needs to be deployed prior to the deployment of this playbook under the same subscription.

Playbooks/CarbonBlack/Playbooks/CarbonBlack-TakeDeviceActionFromTeams/azuredeploy.json

@@ -2,12 +2,23 @@
   "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
   "contentVersion": "1.0.0.0",
   "metadata": {
-    "comments": "This playbook used to quarantine device or assigned policy via CarbonBlack connector.",
-    "author": "Dharma Reddy, CarbonBlack"
-  },
+    "title": "Endpoint take action from Teams - Carbon Black", 
+    "description": "When a new sentinal incident is created,this playbook. <br> 1. Fetches the host information from CarbonBlack <br> 2. Sends an adaptive card to the SOC Teams channel, lets the analyst decide on action: Quarantine the device or Update the policy based on SOC action <br> 3. Posts a comment on the incident with the information collected from the carbon black and summary of the actions taken<br> 4. If selected, closes the incident",
+    "prerequisites": "1. CarbonBlack Custom Connector needs to be deployed prior to the deployment of this playbook under the same resource group. 2. Generate an API key. Refer this link [ how to generate the API Key](https://developer.carbonblack.com/reference/carbon-black-cloud/authentication/#creating-an-api-key) 3. [Find Organziation key](https://developer.carbonblack.com/reference/carbon-black-cloud/authentication/#creating-an-api-key)",
+    "prerequisitesDeployTemplateFile": "../CarbonBlackConnector/azuredeploy.json",
+    "lastUpdateTime": "2021-06-19T00:00:00.000Z", 
+    "entities": ["Host"], 
+    "tags": ["Remediation", "Teams bot"], 
+    "support": {
+        "tier": "community" 
+    },
+    "author": {
+        "name": "Accenture"
+    }
+},
   "parameters": {
-    "Playbook Name": {
-      "defaultValue": "CarbonBlack-TakeDeviceActionFromTeams",
+    "PlaybookName": {
+      "defaultValue": "EndpointTakeActionFromTeams-CarbonBlack",
       "type": "string",
       "metadata": {
         "description": "Name of the Logic App/Playbook"
@@ -43,9 +54,9 @@
     }
   },
   "variables": {
-    "AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('Playbook Name'))]",
-    "CarbonBlackConnectionName": "[concat('CarbonBlackCloudConnector-', parameters('Playbook Name'))]",
-    "TeamsConnectionName": "[concat('teamsconnector-', parameters('Playbook Name'))]"
+    "AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]",
+    "CarbonBlackConnectionName": "[concat('CarbonBlackCloudConnector-', parameters('PlaybookName'))]",
+    "TeamsConnectionName": "[concat('teamsconnector-', parameters('PlaybookName'))]"
   },
   "resources": [
     {
@@ -87,13 +98,17 @@
     {
       "type": "Microsoft.Logic/workflows",
       "apiVersion": "2017-07-01",
-      "name": "[parameters('Playbook Name')]",
+      "name": "[parameters('PlaybookName')]",
       "location": "[resourceGroup().location]",
       "dependsOn": [
         "[resourceId('Microsoft.Web/connections', variables('CarbonBlackConnectionName'))]",
         "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
         "[resourceId('Microsoft.Web/connections', variables('TeamsConnectionName'))]"
       ],
+      "tags": {
+        "hidden-SentinelTemplateName": "EndpointResponseTeams-CarbonBlack",
+        "hidden-SentinelTemplateVersion": "1.0"
+    },
       "properties": {
         "state": "Enabled",
         "definition": {

Playbooks/CarbonBlack/Playbooks/CarbonBlack-TakeDeviceActionFromTeams/readme.md

@@ -5,16 +5,12 @@
  2. Sends an adaptive card to the SOC Teams channel, let the analyst decide on action:
     Quarantine the device or Update the policy based on SOC action
 
-    ![card example](./adaptiveCard.png)
+    ![card example](./images/adaptiveCard.png)
 
  3. Add a comment to the incident with the information collected from the carbon black, summary of the actions taken and close the incident
-     ![Comment example](./Incident_Comment.png)
+     ![Comment example](./images/Incident_Comment.png)
 
 
-**Playbook overview**
-
-![CarbonBlack-Enrich Incident With devices information](./CarbonBlack-TakeDeviceActionFromTeams.png
-)
 ### Prerequisites 
 1. CarbonBlack Custom Connector needs to be deployed prior to the deployment of this playbook under the same subscription.
 2. Generate an API key.Refer this link [ how to generate the API Key](https://developer.carbonblack.com/reference/carbon-black-cloud/authentication/#creating-an-api-key)

Playbooks/CarbonBlack/azuredeploy.json

@@ -102,7 +102,7 @@
           "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Playbooks/CarbonBlack/Playbooks/CarbonBlack-TakeDeviceActionFromTeams/azuredeploy.json"
         },
         "parameters": {
-          "Playbook Name": {
+          "PlaybookName": {
             "Value": "[parameters('CarbonBlack-TakeDeviceActionFromTeams_Playbook_Name')]"
           },
           "OrganizationKey": {
@@ -133,7 +133,7 @@
           "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Playbooks/CarbonBlack/Playbooks/CarbonBlack-DeviceEnrichment/azuredeploy.json"
         },
         "parameters": {
-          "Playbook Name": {
+          "PlaybookName": {
             "Value": "[parameters('CarbonBlack-DeviceEnrichment_Playbook_Name')]"
           },
           "OrganizationKey": {
@@ -155,7 +155,7 @@
           "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Playbooks/CarbonBlack/Playbooks/CarbonBlack-QuarantineDevice/azuredeploy.json"
         },
         "parameters": {
-          "Playbook Name": {
+          "PlaybookName": {
             "Value": "[parameters('CarbonBlack-QuarantineDevice_Playbook_Name')]"
           },
           "OrganizationKey": {

Playbooks/CiscoASA/CiscoASA-AddIPtoNetworkObjectGroup/azuredeploy.json

@@ -2,7 +2,7 @@
     "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
     "contentVersion": "1.0.0.0",
     "metadata": {
-        "title": "BlockIP - Cisco ASA", 
+        "title": "Block IP - Cisco ASA", 
         "description": "This playbook allows blocking/allowing of IPs in Cisco ASA, using a Network Object Group. The Network Object Group itself should be part of an Access Control Entry. When a new Sentinel incident is created: 1. Check if IP are already a member of the Network Object Group. 2. An adaptive card is sent to a Teams channel with information about the incident and giving the option to block/unblock the IPs by adding/removing them to the Network Object Group",
         "prerequisites": "1. In Cisco ASA there needs to be a Network Object Group. You can create a Network Object Group using Cisco ASDM, [Configure a Network Object Group](https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/asdm76/firewall/asdm-76-firewall-config/access-objects.html#ariaid-title6), or using the CLI, [Configuring a Network Object Group](https://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/acl_objects.html#86292). The Network Object Group can be blocked using an access rule, [Configure Access Rules](https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/asdm76/firewall/asdm-76-firewall-config/access-rules.html#ID-2124-00000152). 1. Cisco ASA custom connector needs to be deployed prior to the deployment of this playbook, in the same resource group and region. 1. To authenticate the connector, in Cisco ASA create a local user and allow it to use the REST API. Depending on the playbook used the user needs to be able to add members to a network object group or create access control entries, by default that requires privilege level 15.",
         "prerequisitesDeployTemplateFile": "../CustomConnector/azuredeploy.json",
@@ -13,7 +13,7 @@
             "tier": "community" 
         },
         "author": {
-            "name": "Accenture"
+            "name": "Wortell"
         }
     },
     "parameters": {
@@ -21,7 +21,7 @@
             "defaultValue": "CiscoASA-AddIPtoNetworkObjectGroup",
             "type": "String",
             "metadata": {
-                "description": "Name of the Logic App/Playbook"
+                "description": "Name of the Logic Apps resource to be created"
             }
         },
         "Cisco ASA Connector name": {

Playbooks/CiscoFirepower/CiscoFirepower-BlockFQDN-NetworkGroup/azuredeploy.json

@@ -1,12 +1,27 @@
 {
     "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
     "contentVersion": "1.0.0.0",
+    "metadata": {
+        "title": "Block URL - Cisco Firepower", 
+        "description": "This playbook allows blocking/allowing of URLs in Cisco Firepower, using a Network Group Object . The Network Group itself should be part of an Access Control Entry. When a new Sentinel incident is created: 1. For the URLs of the incident we extract the FQDN 2. For the FQDNs we check if they are already selected for the Network Group object 3. For the FQDNs not already selected for the Network Group object we check if there is an existing FQDN object in Cisco Firepower, if it does not exist we create it 4. We add the FQDN object to the Network Group object, so it gets blocked 5. Comment is added to Azure Sentinel incident",
+        "prerequisites": "In Cisco Firepower there needs to be a Network Group object. [Creating Network Objects](https://www.cisco.com/c/en/us/td/docs/security/firepower/630/configuration/guide/fpmc-config-guide-v63/reusable_objects.html#ariaid-title15) 2. Cisco Firepower custom connector needs to be deployed prior to the deployment of this playbook, in the same resource group and region. Relevant instructions can be found in the [connector doc](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/CiscoFirepower/CustomConnector#deployment-instructions)",
+        "prerequisitesDeployTemplateFile": "../CustomConnector/azuredeploy.json",
+        "lastUpdateTime": "2021-06-19T00:00:00.000Z", 
+        "entities": ["Url"], 
+        "tags": ["Remediation"], 
+        "support": {
+            "tier": "community" 
+        },
+        "author": {
+            "name": "Wortell"
+        }
+    },
     "parameters": {
-        "Playbook Name": {
-            "defaultValue": "CiscoFirepower-BlockFQDN-NetworkGroup",
+        "PlaybookName": {
+            "defaultValue": "BlockURL-CiscoFirepower-NetworkGroup",
             "type": "String",
             "metadata": {
-                "description": "Name of the Logic App/Playbook"
+                "description": "Name of the Logic Apps resource to be created"
             }
         },
         "Cisco Firepower Connector name": {
@@ -24,8 +39,8 @@
         }
     },
     "variables": {
-        "AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('Playbook Name'))]",
-        "CiscoFirepowerConnectionName": "[concat('ciscofirepowerconnector-', parameters('Playbook Name'))]"
+        "AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]",
+        "CiscoFirepowerConnectionName": "[concat('ciscofirepowerconnector-', parameters('PlaybookName'))]"
     },
     "resources": [
         {
@@ -55,12 +70,16 @@
         {
             "type": "Microsoft.Logic/workflows",
             "apiVersion": "2017-07-01",
-            "name": "[parameters('Playbook Name')]",
+            "name": "[parameters('PlaybookName')]",
             "location": "[resourceGroup().location]",
             "dependsOn": [
                 "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
                 "[resourceId('Microsoft.Web/connections', variables('CiscoFirepowerConnectionName'))]"
             ],
+            "tags": {
+                "hidden-SentinelTemplateName": "BlockURL-CiscoFirepower",
+                "hidden-SentinelTemplateVersion": "1.0"
+            },
             "properties": {
                 "state": "Enabled",
                 "definition": {

Playbooks/CiscoFirepower/CiscoFirepower-BlockFQDN-NetworkGroup/readme.md

@@ -18,13 +18,14 @@ When a new Sentinel incident is created, this playbook gets triggered and perfor
 
 **Plabook overview:**
 
-![Playbook overview](./Images/BlockFQDN-NetworkGroup-LogicApp.png)
+
+![Playbook overview](./Images/designerOverviewLight1.png)
+![Playbook overview](./Images/designerOverviewLight2.png)
 
 
 ### Prerequisites
-1. **This playbook template is based on Azure Sentinel Incident Trigger which is currently in Private Preview (Automation Rules).** You can change the trigger to the Sentinel Alert trigger in cases you are not part of the Private Preview.
-2. Cisco Firepower custom connector needs to be deployed prior to the deployment of this playbook, in the same resource group and region. Relevant instructions can be found in the connector doc pages.
-3. In Cisco Firepower there needs to be a Network Group object. [Creating Network Objects](https://www.cisco.com/c/en/us/td/docs/security/firepower/630/configuration/guide/fpmc-config-guide-v63/reusable_objects.html#ariaid-title15)
+1. Cisco Firepower custom connector needs to be deployed prior to the deployment of this playbook, in the same resource group and region. Relevant instructions can be found in the connector doc pages.
+2. In Cisco Firepower there needs to be a Network Group object. [Creating Network Objects](https://www.cisco.com/c/en/us/td/docs/security/firepower/630/configuration/guide/fpmc-config-guide-v63/reusable_objects.html#ariaid-title15)
 
 <a name="deployment-instructions"></a>
 ### Deployment instructions 

Playbooks/CiscoFirepower/CiscoFirepower-BlockIP-NetworkGroup/azuredeploy.json

@@ -1,12 +1,27 @@
 {
     "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
     "contentVersion": "1.0.0.0",
+    "metadata": {
+        "title": "Block IP - Cisco Firepower", 
+        "description": "This playbook allows blocking/allowing of IPs in Cisco Firepower, using a Network Group Object . The Network Group itself should be part of an Access Control Entry. When a new Sentinel incident is created: 1. Check if IP are already a member of the Network Group. 2. For the IPs not already selected for the Network Group object, add it so it gets blocked 3. Comment is added to Azure Sentinel incident",
+        "prerequisites": "In Cisco Firepower there needs to be a Network Group object. [Creating Network Objects](https://www.cisco.com/c/en/us/td/docs/security/firepower/630/configuration/guide/fpmc-config-guide-v63/reusable_objects.html#ariaid-title15) 2. Cisco Firepower custom connector needs to be deployed prior to the deployment of this playbook, in the same resource group and region. Relevant instructions can be found in the [connector doc](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/CiscoFirepower/CustomConnector#deployment-instructions)",
+        "prerequisitesDeployTemplateFile": "../CustomConnector/azuredeploy.json",
+        "lastUpdateTime": "2021-06-19T00:00:00.000Z", 
+        "entities": ["Ip"], 
+        "tags": ["Remediation"], 
+        "support": {
+            "tier": "community" 
+        },
+        "author": {
+            "name": "Wortell"
+        }
+    },
     "parameters": {
-        "Playbook Name": {
-            "defaultValue": "CiscoFirepower-BlockIP-NetworkGroup",
+        "PlaybookName": {
+            "defaultValue": "BlockIP-CiscoFirepower",
             "type": "String",
             "metadata": {
-                "description": "Name of the Logic App/Playbook"
+                "description": "Name of the Logic Apps resource to be created"
             }
         },
         "Cisco Firepower Connector name": {
@@ -24,8 +39,8 @@
         }
     },
     "variables": {
-        "AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('Playbook Name'))]",
-        "CiscoFirepowerConnectionName": "[concat('ciscofirepowerconnector-', parameters('Playbook Name'))]"
+        "AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]",
+        "CiscoFirepowerConnectionName": "[concat('ciscofirepowerconnector-', parameters('PlaybookName'))]"
     },
     "resources": [
         {
@@ -55,12 +70,16 @@
         {
             "type": "Microsoft.Logic/workflows",
             "apiVersion": "2017-07-01",
-            "name": "[parameters('Playbook Name')]",
+            "name": "[parameters('PlaybookName')]",
             "location": "[resourceGroup().location]",
             "dependsOn": [
                 "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
                 "[resourceId('Microsoft.Web/connections', variables('CiscoFirepowerConnectionName'))]"
             ],
+            "tags": {
+                "hidden-SentinelTemplateName": "BlockIP-CiscoFirepower",
+                "hidden-SentinelTemplateVersion": "1.0"
+            },
             "properties": {
                 "state": "Enabled",
                 "definition": {

Playbooks/CiscoFirepower/CiscoFirepower-BlockIP-NetworkGroup/readme.md

@@ -7,22 +7,22 @@ This playbook allows blocking of IPs in Cisco Firepower, using a **Network Group
 When a new Sentinel incident is created, this playbook gets triggered and performs below actions.
 1. For the IPs we check if they are already selected for the Network Group object
 2. For the IPs not already selected for the Network Group object, add it so it gets blocked
-3. Comment is added to Azure Sentinel incident
+3. Comment is added to Azure Sentinel incident<br>
     ![Azure Sentinel comment](./Images/BlockIP-NetworkGroup-AzureSentinel-Comments.png)
 
 ** IP is added to Cisco Firepower Network Group object:**
-
+<br>
 ![Cisco Firepower Network Group object](./Images/BlockIP-NetworkGroup-CiscoFirepowerAdd.png)
 
 **Plabook overview:**
 
-![Playbook overview](./Images/BlockIP-NetworkGroup-LogicApp.png)
+![Playbook overview](./Images/designerOverviewLight1.png)
+![Playbook overview](./Images/designerOverviewLight2.png)
 
 
-### Prerequisites
-1. **This playbook template is based on Azure Sentinel Incident Trigger which is currently in Private Preview (Automation Rules).** You can change the trigger to the Sentinel Alert trigger in cases you are not part of the Private Preview.
-2. Cisco Firepower custom connector needs to be deployed prior to the deployment of this playbook, in the same resource group and region. Relevant instructions can be found in the connector doc pages.
-3. In Cisco Firepower there needs to be a Network Group object. [Creating Network Objects](https://www.cisco.com/c/en/us/td/docs/security/firepower/630/configuration/guide/fpmc-config-guide-v63/reusable_objects.html#ariaid-title15)
+## Prerequisites
+1. Cisco Firepower custom connector needs to be deployed prior to the deployment of this playbook, in the same resource group and region. Relevant instructions can be found in the connector doc pages.
+1. In Cisco Firepower there needs to be a Network Group object. [Creating Network Objects](https://www.cisco.com/c/en/us/td/docs/security/firepower/630/configuration/guide/fpmc-config-guide-v63/reusable_objects.html#ariaid-title15)
 
 <a name="deployment-instructions"></a>
 ### Deployment instructions 
@@ -36,8 +36,8 @@ When a new Sentinel incident is created, this playbook gets triggered and perfor
     * Cisco Firepower Connector name: Enter the name of the Cisco Firepower custom connector (default value:CiscoFirepowerConnector)
     * Network Group object name: The name of the Network Group object.
 
-### Post-Deployment instructions 
-#### a. Authorize connections
+## Post-Deployment instructions 
+### a. Authorize connections
 Once deployment is complete, you will need to authorize each connection.
 1.	Click the Azure Sentinel connection resource
 2.	Click edit API connection
@@ -46,6 +46,6 @@ Once deployment is complete, you will need to authorize each connection.
 5.	Click Save
 6.	Repeat steps for other connections such as Cisco Firepower (For authorizing the Cisco Firepower API connection, the username and password needs to be provided)
 
-#### b. Configurations in Sentinel
+### b. Configurations in Sentinel
 1. In Azure sentinel analytical rules should be configured to trigger an incident with IP Entity.
 2. Configure the automation rules to trigger this playbook

Playbooks/CiscoFirepower/CiscoFirepower-BlockIP-Teams/azuredeploy.json

@@ -1,8 +1,23 @@
 {
     "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
     "contentVersion": "1.0.0.0",
+    "metadata": {
+        "title": "Block IP - Take Action from Teams - Cisco Firepower", 
+        "description": "When a new incident is created, this playbook iterates on the IPs included and: <br> 1. For each IP checks if it is already selected for the Network Group object. <br>2. An adaptive card is sent to a Teams channel with information about the incident and giving the option to ignore an IP, or depdening on it's current status block it by adding it to the Network Group object or unblock it by removing it from the Network Group object<br>3. The chosen changes are applied to the Network Group object<br> 4. Comment is added to Azure Sentinel incident",
+        "prerequisites": "In Cisco Firepower there needs to be a Network Group object. [Creating Network Objects](https://www.cisco.com/c/en/us/td/docs/security/firepower/630/configuration/guide/fpmc-config-guide-v63/reusable_objects.html#ariaid-title15) 2. Cisco Firepower custom connector needs to be deployed prior to the deployment of this playbook, in the same resource group and region. Relevant instructions can be found in the [connector doc](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/CiscoFirepower/CustomConnector#deployment-instructions)",
+        "prerequisitesDeployTemplateFile": "../CustomConnector/azuredeploy.json",
+        "lastUpdateTime": "2021-06-19T00:00:00.000Z", 
+        "entities": ["Ip"], 
+        "tags": ["Remediation", "Teams bot"], 
+        "support": {
+            "tier": "community" 
+        },
+        "author": {
+            "name": "Wortell"
+        }
+    },
     "parameters": {
-        "Playbook Name": {
+        "PlaybookName": {
             "defaultValue": "CiscoFirepower-BlockIP-Teams",
             "type": "String",
             "metadata": {
@@ -24,9 +39,9 @@
         }
     },
     "variables": {
-        "AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('Playbook Name'))]",
-        "TeamsConnectionName": "[concat('teamsconnector-', parameters('Playbook Name'))]",
-        "CiscoFirepowerConnectionName": "[concat('ciscofirepowerconnector-', parameters('Playbook Name'))]"
+        "AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]",
+        "TeamsConnectionName": "[concat('teamsconnector-', parameters('PlaybookName'))]",
+        "CiscoFirepowerConnectionName": "[concat('ciscofirepowerconnector-', parameters('PlaybookName'))]"
     },
     "resources": [
         {
@@ -68,7 +83,7 @@
         {
             "type": "Microsoft.Logic/workflows",
             "apiVersion": "2017-07-01",
-            "name": "[parameters('Playbook Name')]",
+            "name": "[parameters('PlaybookName')]",
             "location": "[resourceGroup().location]",
             "dependsOn": [
                 "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",