From 0dc89b2eba3dbb32a4aaf652126aaa03bf7658b9 Mon Sep 17 00:00:00 2001
From: Oleh Speka
Date: Wed, 7 Sep 2022 04:13:56 +0300
Subject: [PATCH] moved meraki metadata to top of the file, prerequisites to array
---
 .../azuredeploy.json | 34 +++++++++++--------
 .../azurdeploy.json | 4 ++-
 2 files changed, 22 insertions(+), 16 deletions(-)
diff --git a/MasterPlaybooks/Remediation-Host/CiscoMeraki-Remediation-Host/azuredeploy.json b/MasterPlaybooks/Remediation-Host/CiscoMeraki-Remediation-Host/azuredeploy.json
index 263c505ad9..c59c71719e 100644
--- a/MasterPlaybooks/Remediation-Host/CiscoMeraki-Remediation-Host/azuredeploy.json
+++ b/MasterPlaybooks/Remediation-Host/CiscoMeraki-Remediation-Host/azuredeploy.json
@@ -1,6 +1,24 @@
 {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "1.0.0.0",
+ "metadata":{
+ "title": "Cisco Meraki Block Device Client Playbook",
+ "description": " When this playbook gets triggered and performs the below actions: 1. Fetches a list of device clients with suspicious activity. 2. For each client in the list, checks if the client is blocked by any network of the organization. - If client does not exist in network, then comment is created saying client not found. - If client exists in network, check policy rule associated with client. If client policy does not exist in the network, then comment is created saying client policy not found. If client policy exists in the network as Blocked, then comment is created saying client blocked using client policy. If client policy exists in the network as Whitelisted, then comment is created saying client allowed using client policy. If client policy exists in the network as group policy, then check the group policy details and comment is created saying client blocked using client policy. If client policy exists in the network as Normal, then client is blocked by playbook.Comment is created saying Client blocked by playbook. - Add incident Comment from all the cases. 3. Responses with status 'Closed' and reason as - For allowed Client - 'BenignPositive - SuspiciousButExpected' - For blocked Client - 'TruePositive - SuspiciousActivity'",
+ "prerequisites": [
+ "1. Deploy the Cisco Meraki Custom Connector before the deployment of this playbook under the same subscription and same resource group. Capture the name of the connector during deployment.",
+ "2. Cisco Meraki API Key should be known to establish a connection with Cisco Meraki Custom Connector. [Refer here](https://developer.cisco.com/meraki/api-v1/#!getting-started/authorization)",
+ "3. Organization name should be known. [Refer here](https://developer.cisco.com/meraki/api-v1/#!getting-started/find-your-organization-id) 4. Network name should be known.[Refer here](https://developer.cisco.com/meraki/api-v1/#!getting-started/find-your-network-id)\n5. Network Group Policy name should be known. [Refer here](./Images/Scheduling-FromOneDay.png)"
+ ],
+ "lastUpdateTime": "2022-08-29T10:43:00Z",
+ "entities": ["host"],
+ "tags": ["Remediation", "Incident management"],
+ "support": {
+ "tier": "microsoft"
+ },
+ "author": {
+ "name": "microsoft"
+ }
+ },
 "parameters": {
 "PlaybookName": {
 "defaultValue": "Block-Device-Client-Meraki-Nested",
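Review bot: The third element of the new `prerequisites` array still holds items 3, 4 and 5 in a single string, joined by a space and an embedded `\n5.`, so the string-to-array conversion is only partly done. Each item should be its own element: `"3. Organization name should be known. [Refer here](…)"`, `"4. Network name should be known. [Refer here](…)"`, `"5. Network Group Policy name should be known. [Refer here](…)"`, with the `\n` dropped. The link on item 5 points to `./Images/Scheduling-FromOneDay.png`, which does not look related to group policy names and may be a copy-paste leftover; worth confirming. Item 2 asks the operator to have the Meraki API key ready but does not say where it is entered, so a sentence stating that it belongs in the connector's connection and not in template parameters or source control would help, assuming that is how the connector takes it (not visible here). The template object continues past the end of this hunk.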
@@ -922,19 +940,5 @@
 }
 }
 }
- ],
- "metadata":{
- "title": "Cisco Meraki Block Device Client Playbook",
- "description": " When this playbook gets triggered and performs the below actions: 1. Fetches a list of device clients with suspicious activity. 2. For each client in the list, checks if the client is blocked by any network of the organization. - If client does not exist in network, then comment is created saying client not found. - If client exists in network, check policy rule associated with client. If client policy does not exist in the network, then comment is created saying client policy not found. If client policy exists in the network as Blocked, then comment is created saying client blocked using client policy. If client policy exists in the network as Whitelisted, then comment is created saying client allowed using client policy. If client policy exists in the network as group policy, then check the group policy details and comment is created saying client blocked using client policy. If client policy exists in the network as Normal, then client is blocked by playbook.Comment is created saying Client blocked by playbook. - Add incident Comment from all the cases. 3. Responses with status 'Closed' and reason as - For allowed Client - 'BenignPositive - SuspiciousButExpected' - For blocked Client - 'TruePositive - SuspiciousActivity'",
- "prerequisites": "1. Deploy the Cisco Meraki Custom Connector before the deployment of this playbook under the same subscription and same resource group. Capture the name of the connector during deployment. 2. Cisco Meraki API Key should be known to establish a connection with Cisco Meraki Custom Connector. [Refer here](https://developer.cisco.com/meraki/api-v1/#!getting-started/authorization) 3. Organization name should be known. [Refer here](https://developer.cisco.com/meraki/api-v1/#!getting-started/find-your-organization-id) 4. Network name should be known.[Refer here](https://developer.cisco.com/meraki/api-v1/#!getting-started/find-your-network-id)\n5. Network Group Policy name should be known. [Refer here](./Images/Scheduling-FromOneDay.png)",
- "lastUpdateTime": "2022-08-29T10:43:00Z",
- "entities": ["host"],
- "tags": ["Remediation", "Incident management"],
- "support": {
- "tier": "microsoft"
- },
- "author": {
- "name": "microsoft"
- }
- }
+ ]
 }
\ No newline at end of file
diff --git a/MasterPlaybooks/Remediation-Host/MDEIsolate-Remediation-Host/azurdeploy.json b/MasterPlaybooks/Remediation-Host/MDEIsolate-Remediation-Host/azurdeploy.json
index 1b79388e15..ec27e470f0 100644
--- a/MasterPlaybooks/Remediation-Host/MDEIsolate-Remediation-Host/azurdeploy.json
+++ b/MasterPlaybooks/Remediation-Host/MDEIsolate-Remediation-Host/azurdeploy.json
@@ -4,7 +4,9 @@
 "metadata": {
 "title": "Isolate endpoint - MDE",
 "description": "This playbook will isolate (full) the machine in Microsoft Defender for Endpoint.",
- "prerequisites": "You will need to grant Machine.Isolate permissions to the managed identity.",
+ "prerequisites": [
+ "You will need to grant Machine.Isolate permissions to the managed identity."
+ ],
 "lastUpdateTime": "2022-08-29T10:43:00Z",
 "entities": [ "Host" ],
 "tags": [ "Remediation" ],
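Review bot: The single `prerequisites` element names `Machine.Isolate` but not which managed identity receives it or on which API, so a deployer could grant it more broadly than the playbook needs. Since this permission can take hosts off the network, the text should scope it, for example `"Grant the Machine.Isolate application permission on the Microsoft Defender for Endpoint API to this playbook's managed identity only."`; whether that identity is system-assigned is not visible in the hunk. The file is named `azurdeploy.json` while the Meraki template is `azuredeploy.json`, and any tooling or deploy link that expects the usual name would presumably miss it. The `metadata` object starts and ends outside this hunk.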