commit 2 changes

2020-06-11 18:40:42 +03:00 · 2020-06-11 18:40:42 +03:00 · 1646e5f355
--- a/Playbooks/Get-SentinelAlertsEvidence/azuredeploy.json
+++ b/Playbooks/Get-SentinelAlertsEvidence/azuredeploy.json
@ -21,6 +21,10 @@
        "AzureSentinelLogAnalyticsWorkspaceResourceGroupName": {
        "defaultValue": "yourAzureSentinelworkspaceRGname",
        "type": "string"
+        },
+        "EventsNumber": {
+            "defaultValue": 10,
+            "type": "int"
        }
    },
    "variables": {
@ -110,6 +114,23 @@
                        }
                    },
                    "actions": {
+                            "Initialize_variable": {
+                            "runAfter": {
+                                "Parse_JSON_2": [
+                                    "Succeeded"
+                                ]
+                            },
+                            "type": "InitializeVariable",
+                            "inputs": {
+                                "variables": [
+                                    {
+                                        "name": "EventsNumber",
+                                        "type": "integer",
+                                        "value": "[parameters('EventsNumber')]"
+                                    }
+                                ]
+                            }
+                        },
                        "Parse_JSON": {
                            "runAfter": {},
                            "type": "ParseJson",
@ -1158,13 +1179,13 @@
                        },
                        "Run_query_and_list_results_2": {
                            "runAfter": {
-                                "Parse_JSON_2": [
+                                "Initialize_variable": [
                                    "Succeeded"
                                ]
                            },
                            "type": "ApiConnection",
                            "inputs": {
-                                "body": "set query_datetimescope_column = \"TimeGenerated\";\nset query_datetimescope_from = datetime(@{body('Parse_JSON_2')?['Query Start Time UTC']});\nset query_datetimescope_to = datetime(@{body('Parse_JSON_2')?['Query End Time UTC']});\n@{body('Parse_JSON_2')?['Query']} | take 20",
+                                "body": "set query_datetimescope_column = \"TimeGenerated\";\nset query_datetimescope_from = datetime(@{body('Parse_JSON_2')?['Query Start Time UTC']});\nset query_datetimescope_to = datetime(@{body('Parse_JSON_2')?['Query End Time UTC']});\n@{body('Parse_JSON_2')?['Query']} | top @{variables('EventsNumber')} by TimeGenerated desc ",
                                "host": {
                                    "connection": {
                                        "name": "@parameters('$connections')['azuremonitorlogs']['connectionId']"
@ -1190,7 +1211,7 @@
                            "type": "ApiConnection",
                            "inputs": {
                                "body": {
-                                    "ContentData": "@{base64(concat('{','\n','\"body\":\"',body('Parse_JSON_3'),'\",','\n','  \"Alert\": \"',triggerBody()?['AlertDisplayName'],'\",','\n','  \"AlertEntites\": \"',triggerBody()?['Entities'],'\",','\n','  \"AlertsDescription\": \"',triggerBody()?['Description'],'\"','\n','}'))}"
+                                 "ContentData": "@{base64(concat('\"{','\n','\"Alert Display Name\": \"',triggerBody()?['AlertDisplayName'],'\",','\n','\"Alert URI\":\"',triggerBody()?['AlertUri'],'\",','\n','\"Product Name\":\"',triggerBody()?['ProductName'],'\",','\n','\"AlertEntites\":\"',triggerBody()?['Entities'],'\",','\n','\"AlertsDescription\": \"',triggerBody()?['Description'],'\",','\n','\"Product Name\":\"',triggerBody()?['ProductName'],',','\n','\"Severity\":\"',triggerBody()?['Severity'],'\",','\n','\"System Alert Id\":\"',triggerBody()?['SystemAlertId'],'\",','\n','\"Alert Time\":\"',triggerBody()?['TimeGenerated'],',','\n','\"Resource Group\":\"',triggerBody()?['WorkspaceResourceGroup'],'\",','\n','\"Subscription Id\":\"',triggerBody()?['WorkspaceSubscriptionId'],'\",','\n','\"Alert type\":\"',triggerBody()?['AlertType'],'\",','\n','\"Extended Properties\":\"',triggerBody()?['ExtendedProperties'],'\",','\n','\"Provider Alert ID\":\"',triggerBody()?['ProviderAlertId'],'\",','\n','\"Alert Start Time\":\"',triggerBody()?['StartTimeUtc'],'\",','\n','\"Alert End time\":\"',triggerBody()?['EndTimeUtc'],'\",','\n','\"Events\":\"',json(string(body('Parse_JSON_3'))),'\",','\n','}\"','\n','\n','\n'))}"
                                },
                                "host": {
                                    "connection": {
--- a/Playbooks/Get-SentinelAlertsEvidence/readme.md
+++ b/Playbooks/Get-SentinelAlertsEvidence/readme.md
@ -14,6 +14,7 @@ https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-create  or use an e
 4. fill the above information:<br>
 - Azure Sentinel Workspace Name<br>
 - Azure Sentinel Workspace resource group name<br>
+- number of event you want to bring(default value is 10 last events )<br>

 4.	Once the playbook is deployed, Modify the “Run query and list results” actions and point it to your Azure sentinel workspace.<br>
 5.	Next, configure the "send event" actions to use your Event Hub that created earlier.<br>