From 1646e5f355391cdbd1eb6e8b37749210d4d200c2 Mon Sep 17 00:00:00 2001
From: Yaniv Shasha
Date: Thu, 11 Jun 2020 18:40:42 +0300
Subject: [PATCH] commit 2 changes

---
 .../azuredeploy.json | 27 ++++++++++++++++---
 .../Get-SentinelAlertsEvidence/readme.md | 1 +
 2 files changed, 25 insertions(+), 3 deletions(-)

diff --git a/Playbooks/Get-SentinelAlertsEvidence/azuredeploy.json b/Playbooks/Get-SentinelAlertsEvidence/azuredeploy.json
index 83cc1f717b..613c94e19f 100644
--- a/Playbooks/Get-SentinelAlertsEvidence/azuredeploy.json
+++ b/Playbooks/Get-SentinelAlertsEvidence/azuredeploy.json
@@ -21,6 +21,10 @@
 "AzureSentinelLogAnalyticsWorkspaceResourceGroupName": {
 "defaultValue": "yourAzureSentinelworkspaceRGname",
 "type": "string"
+ },
+ "EventsNumber": {
+ "defaultValue": 10,
+ "type": "int"
 }
 },
 "variables": {
@@ -110,6 +114,23 @@
 }
 },
 "actions": {
+ "Initialize_variable": {
+ "runAfter": {
+ "Parse_JSON_2": [
+ "Succeeded"
+ ]
+ },
+ "type": "InitializeVariable",
+ "inputs": {
+ "variables": [
+ {
+ "name": "EventsNumber",
+ "type": "integer",
+ "value": "[parameters('EventsNumber')]"
+ }
+ ]
+ }
+ },
 "Parse_JSON": {
 "runAfter": {},
 "type": "ParseJson",
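Review bot: The new `EventsNumber` parameter in the first hunk carries no bounds and no description, so a deployment can pass 0 or a negative number, which the `top` operator built from it later in this patch rejects at run time, and the portal offers no hint about what the value means. Next to `"defaultValue": 10` add `"minValue": 1,` and a `"metadata": { "description": "Number of most recent query results to attach to each alert (default 10)." }` entry; an upper bound (`"maxValue"`) is worth considering too, since the result set is forwarded to Event Hub as a single message. The `Initialize_variable` action in the second hunk simply copies the parameter into the workflow, so the bounds belong on the parameter rather than there.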
@@ -1158,13 +1179,13 @@
 },
 "Run_query_and_list_results_2": {
 "runAfter": {
- "Parse_JSON_2": [
+ "Initialize_variable": [
 "Succeeded"
 ]
 },
 "type": "ApiConnection",
 "inputs": {
- "body": "set query_datetimescope_column = \"TimeGenerated\";\nset query_datetimescope_from = datetime(@{body('Parse_JSON_2')?['Query Start Time UTC']});\nset query_datetimescope_to = datetime(@{body('Parse_JSON_2')?['Query End Time UTC']});\n@{body('Parse_JSON_2')?['Query']} | take 20",
+ "body": "set query_datetimescope_column = \"TimeGenerated\";\nset query_datetimescope_from = datetime(@{body('Parse_JSON_2')?['Query Start Time UTC']});\nset query_datetimescope_to = datetime(@{body('Parse_JSON_2')?['Query End Time UTC']});\n@{body('Parse_JSON_2')?['Query']} | top @{variables('EventsNumber')} by TimeGenerated desc ",
 "host": {
 "connection": {
 "name": "@parameters('$connections')['azuremonitorlogs']['connectionId']"
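Review bot: The new `| top @{variables('EventsNumber')} by TimeGenerated desc` tail assumes the analytics rule's query still exposes a `TimeGenerated` column, which the previous `| take 20` did not; rules whose query ends in `summarize` or a `project` that drops that column will now fail this action where they used to succeed. If newest-first ordering is not essential, `| take @{variables('EventsNumber')}` keeps the old behavior with the new configurable limit; if it is, the `TimeGenerated` requirement should be stated in the readme and the action's failure handled explicitly rather than left to the run history. The trailing space after `desc` is harmless but looks unintentional. The `Run_query_and_list_results_2` action opens in this hunk and continues past its end.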
@@ -1190,7 +1211,7 @@
 "type": "ApiConnection",
 "inputs": {
 "body": {
- "ContentData": "@{base64(concat('{','\n','\"body\":\"',body('Parse_JSON_3'),'\",','\n',' \"Alert\": \"',triggerBody()?['AlertDisplayName'],'\",','\n',' \"AlertEntites\": \"',triggerBody()?['Entities'],'\",','\n',' \"AlertsDescription\": \"',triggerBody()?['Description'],'\"','\n','}'))}"
+ "ContentData": "@{base64(concat('\"{','\n','\"Alert Display Name\": \"',triggerBody()?['AlertDisplayName'],'\",','\n','\"Alert URI\":\"',triggerBody()?['AlertUri'],'\",','\n','\"Product Name\":\"',triggerBody()?['ProductName'],'\",','\n','\"AlertEntites\":\"',triggerBody()?['Entities'],'\",','\n','\"AlertsDescription\": \"',triggerBody()?['Description'],'\",','\n','\"Product Name\":\"',triggerBody()?['ProductName'],',','\n','\"Severity\":\"',triggerBody()?['Severity'],'\",','\n','\"System Alert Id\":\"',triggerBody()?['SystemAlertId'],'\",','\n','\"Alert Time\":\"',triggerBody()?['TimeGenerated'],',','\n','\"Resource Group\":\"',triggerBody()?['WorkspaceResourceGroup'],'\",','\n','\"Subscription Id\":\"',triggerBody()?['WorkspaceSubscriptionId'],'\",','\n','\"Alert type\":\"',triggerBody()?['AlertType'],'\",','\n','\"Extended Properties\":\"',triggerBody()?['ExtendedProperties'],'\",','\n','\"Provider Alert ID\":\"',triggerBody()?['ProviderAlertId'],'\",','\n','\"Alert Start Time\":\"',triggerBody()?['StartTimeUtc'],'\",','\n','\"Alert End time\":\"',triggerBody()?['EndTimeUtc'],'\",','\n','\"Events\":\"',json(string(body('Parse_JSON_3'))),'\",','\n','}\"','\n','\n','\n'))}"
 },
 "host": {
 "connection": {
diff --git a/Playbooks/Get-SentinelAlertsEvidence/readme.md b/Playbooks/Get-SentinelAlertsEvidence/readme.md
index daf59e6466..0bd90f1089 100644
--- a/Playbooks/Get-SentinelAlertsEvidence/readme.md
+++ b/Playbooks/Get-SentinelAlertsEvidence/readme.md
@@ -14,6 +14,7 @@ https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-create or use an e
 4. fill the above information:
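Review bot: The new `ContentData` expression does not produce valid JSON: the payload is wrapped in `'\"{'` … `'}\"'` so the whole record becomes one quoted string, `"Product Name"` is emitted twice and the second copy (like `"Alert Time"`) uses `','` instead of `'\",'` so its value never gets a closing quote, the last field ends with `'\",'` leaving a trailing comma before `}`, and `json(string(body('Parse_JSON_3')))` is placed inside a quoted `"Events"` field, so the inner quotes of the results object are unescaped. Independently of those slips, building the record by string concatenation means any quote or newline in alert-provided text (`Description`, `Entities`, `ExtendedProperties`) corrupts the record or lets attacker-influenced alert content add its own fields to what the Event Hub consumer reads; the fix is to let Logic Apps serialize an object instead. Add a `Compose` action that holds the fields as a real object and send `"ContentData": "@{base64(string(outputs('Compose_alert_evidence')))}"`, which also delivers `Events` as a nested object rather than a quoted string. The send-event action that owns this `body` starts before the hunk and ends after it; the Compose action's `runAfter` should mirror whatever that action currently waits on.
```json
"Compose_alert_evidence": {
  "runAfter": { "Parse_JSON_3": [ "Succeeded" ] },
  "type": "Compose",
  "inputs": {
    "Alert Display Name": "@triggerBody()?['AlertDisplayName']",
    "Alert URI": "@triggerBody()?['AlertUri']",
    "Product Name": "@triggerBody()?['ProductName']",
    "AlertEntites": "@triggerBody()?['Entities']",
    "AlertsDescription": "@triggerBody()?['Description']",
    "Severity": "@triggerBody()?['Severity']",
    "System Alert Id": "@triggerBody()?['SystemAlertId']",
    "Alert Time": "@triggerBody()?['TimeGenerated']",
    "Resource Group": "@triggerBody()?['WorkspaceResourceGroup']",
    "Subscription Id": "@triggerBody()?['WorkspaceSubscriptionId']",
    "Alert type": "@triggerBody()?['AlertType']",
    "Extended Properties": "@triggerBody()?['ExtendedProperties']",
    "Provider Alert ID": "@triggerBody()?['ProviderAlertId']",
    "Alert Start Time": "@triggerBody()?['StartTimeUtc']",
    "Alert End time": "@triggerBody()?['EndTimeUtc']",
    "Events": "@body('Parse_JSON_3')"
  }
},
// … unchanged: send-event action down to its "body" object …
"ContentData": "@{base64(string(outputs('Compose_alert_evidence')))}"
```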
- Azure Sentinel Workspace Name
- Azure Sentinel Workspace resource group name
+- number of event you want to bring(default value is 10 last events )
4. Once the playbook is deployed, Modify the “Run query and list results” actions and point it to your Azure sentinel workspace.
5. Next, configure the "send event" actions to use your Event Hub that created earlier.