Merge pull request #3869 from armorblox/armorblox-sentinel-solution

Playbook, Workbook & Analytic Rule for the Armorblox Sentinel integration
2022-04-13 16:08:42 +05:30 · 2022-04-13 16:08:42 +05:30 · 17401fdb69
--- a/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json
+++ b/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json
@ -6,6 +6,7 @@
  "AkamaiSecurityEvents",
  "AlcideKAudit",
  "AlsidForAD",
+  "Armorblox",
  "ApacheHTTPServer",
  "ARGOSCloudSecurity",
  "AristaAwakeSecurity",
--- a/Data/Custom/Armorblox_CL.json
+++ b/Data/Custom/Armorblox_CL.json
@ -9,14 +9,15 @@
        "RawData": "",
        "priority_s": "MEDIUM",
        "tagged_b": "false",
-        "date_t [UTC]": "9/2/2021, 12:10:53.000 AM",
+        "date_t": "2021-09-01T18:40:53.000Z",
        "users_s": "[\r\n  {\r\n    \"name\": \"Name\",\r\n    \"email\": \"sanitized@sanitized.com\",\r\n    \"is_vip\": false\r\n  }\r\n]",
        "policy_names_s": "[\r\n  \"Social Engineering\"\r\n]",
+        "incident_type_s":"THREAT_INCIDENT_TYPE",
        "title_s": "social_engineering 1 Sep 17:10:52",
        "remediation_actions_s": "[\r\n  \"ALERT\"\r\n]",
        "resolution_state_s": "OPEN_INCIDENT_RESOLUTION_STATE",
        "object_type_s": "CONTENT_MAIL",
-        "id_s": 213,
+        "id_s": "213",
        "research_status_s": "TRUE_POSITIVE",
        "app_name_s": "GOOGLE_GMAIL",
        "external_users_s": "[\r\n  {\r\n    \"name\": \"Name\",\r\n    \"email\": \"sanitized@sanitized.com\",\r\n    \"is_vip\": false\r\n  }\r\n]",
@ -39,14 +40,15 @@
        "RawData": "",
        "priority_s": "MEDIUM",
        "tagged_b": "false",
-        "date_t [UTC]": "9/2/2021, 12:10:32.000 AM",
+        "date_t": "2021-09-01T18:38:39.000Z",
        "users_s": "[\r\n  {\r\n    \"name\": \"Name\",\r\n    \"email\": \"sanitized@sanitized.com\",\r\n    \"is_vip\": false\r\n  }\r\n]",
        "policy_names_s": "[\r\n  \"Social Engineering\"\r\n]",
+        "incident_type_s":"THREAT_INCIDENT_TYPE",
        "title_s": "social_engineering 1 Sep 17:10:31",
        "remediation_actions_s": "[\r\n  \"ALERT\"\r\n]",
        "resolution_state_s": "OPEN_INCIDENT_RESOLUTION_STATE",
        "object_type_s": "CONTENT_MAIL",
-        "id_s": 218,
+        "id_s": "218",
        "research_status_s": "TRUE_POSITIVE",
        "app_name_s": "GOOGLE_GMAIL",
        "external_users_s": "[\r\n  {\r\n    \"name\": \"Name\",\r\n    \"email\": \"sanitized@sanitized.com\",\r\n    \"is_vip\": false\r\n  }\r\n]",
@ -69,14 +71,15 @@
        "RawData": "",
        "priority_s": "MEDIUM",
        "tagged_b": "false",
-        "date_t [UTC]": "9/2/2021, 12:08:39.000 AM",
+        "date_t": "2021-09-01T18:38:39.000Z",
        "users_s": "[\r\n  {\r\n    \"name\": \"Name\",\r\n    \"email\": \"sanitized@sanitized.com\",\r\n    \"is_vip\": false\r\n  }\r\n]",
        "policy_names_s": "[\r\n  \"Social Engineering\"\r\n]",
+        "incident_type_s":"THREAT_INCIDENT_TYPE",
        "title_s": "social_engineering 1 Sep 17:8:38",
        "remediation_actions_s": "[\r\n  \"ALERT\"\r\n]",
        "resolution_state_s": "OPEN_INCIDENT_RESOLUTION_STATE",
        "object_type_s": "CONTENT_MAIL",
-        "id_s": 216,
+        "id_s": "216",
        "research_status_s": "TRUE_POSITIVE",
        "app_name_s": "GOOGLE_GMAIL",
        "external_users_s": "[\r\n  {\r\n    \"name\": \"Name\",\r\n    \"email\": \"sanitized@sanitized.com\",\r\n    \"is_vip\": false\r\n  }\r\n]",
@ -99,14 +102,15 @@
        "RawData": "",
        "priority_s": "MEDIUM",
        "tagged_b": "false",
-        "date_t [UTC]": "9/2/2021, 12:06:19.000 AM",
+        "date_t": "2021-09-01T18:36:19.000Z",
        "users_s": "[\r\n  {\r\n    \"name\": \"Name\",\r\n    \"email\": \"sanitized@sanitized.com\",\r\n    \"is_vip\": false\r\n  }\r\n]",
        "policy_names_s": "[\r\n  \"Social Engineering\"\r\n]",
+        "incident_type_s":"THREAT_INCIDENT_TYPE",
        "title_s": "social_engineering 1 Sep 17:6:19",
        "remediation_actions_s": "[\r\n  \"ALERT\"\r\n]",
        "resolution_state_s": "OPEN_INCIDENT_RESOLUTION_STATE",
        "object_type_s": "CONTENT_MAIL",
-        "id_s": 214,
+        "id_s": "214",
        "research_status_s": "TRUE_POSITIVE",
        "app_name_s": "GOOGLE_GMAIL",
        "external_users_s": "[\r\n  {\r\n    \"name\": \"Name\",\r\n    \"email\": \"sanitized@sanitized.com\",\r\n    \"is_vip\": false\r\n  }\r\n]",
@ -129,14 +133,15 @@
        "RawData": "",
        "priority_s": "MEDIUM",
        "tagged_b": "false",
-        "date_t [UTC]": "9/2/2021, 12:05:24.000 AM",
+        "date_t": "2021-09-01T18:35:24.000Z",
        "users_s": "[\r\n  {\r\n    \"name\": \"Name\",\r\n    \"email\": \"sanitized@sanitized.com\",\r\n    \"is_vip\": false\r\n  }\r\n]",
        "policy_names_s": "[\r\n  \"Social Engineering\"\r\n]",
+        "incident_type_s":"THREAT_INCIDENT_TYPE",
        "title_s": "social_engineering 1 Sep 17:5:23",
        "remediation_actions_s": "[\r\n  \"ALERT\"\r\n]",
        "resolution_state_s": "OPEN_INCIDENT_RESOLUTION_STATE",
        "object_type_s": "CONTENT_MAIL",
-        "id_s": 217,
+        "id_s": "217",
        "research_status_s": "TRUE_POSITIVE",
        "app_name_s": "GOOGLE_GMAIL",
        "external_users_s": "[\r\n  {\r\n    \"name\": \"Name\",\r\n    \"email\": \"sanitized@sanitized.com\",\r\n    \"is_vip\": false\r\n  }\r\n]",
@ -159,14 +164,15 @@
        "RawData": "",
        "priority_s": "HIGH",
        "tagged_b": "false",
-        "date_t [UTC]": "9/1/2021, 8:45:57.000 PM",
+        "date_t": "2021-09-01T15:15:57.000Z",
        "users_s": "[\r\n  {\r\n    \"name\": \"Name\",\r\n    \"email\": \"sanitized@sanitized.com\",\r\n    \"is_vip\": false\r\n  }\r\n]",
        "policy_names_s": "[\r\n  \"Phish URL (Attachment)\"\r\n]",
+        "incident_type_s":"THREAT_INCIDENT_TYPE",
        "title_s": "This is RANDOMTEXT test 2021-09-01 13:45",
        "remediation_actions_s": "[\r\n  \"ALERT\"\r\n]",
        "resolution_state_s": "OPEN_INCIDENT_RESOLUTION_STATE",
        "object_type_s": "CONTENT_MAIL",
-        "id_s": 215,
+        "id_s": "215",
        "research_status_s": "TRUE_POSITIVE",
        "app_name_s": "GOOGLE_GMAIL",
        "external_users_s": "[\r\n  {\r\n    \"name\": \"Name\",\r\n    \"email\": \"sanitized@sanitized.com\",\r\n    \"is_vip\": false\r\n  }\r\n]",
@ -189,14 +195,15 @@
        "RawData": "",
        "priority_s": "HIGH",
        "tagged_b": "false",
-        "date_t [UTC]": "9/1/2021, 5:53:31.000 PM",
+        "date_t": "2021-09-01T12:23:31.000Z",
        "users_s": "[\r\n  {\r\n    \"name\": \"Name\",\r\n    \"email\": \"sanitized@sanitized.com\",\r\n    \"is_vip\": false\r\n  }\r\n]",
        "policy_names_s": "[\r\n  \"Phish URL (Attachment)\"\r\n]",
+        "incident_type_s":"DLP_INCIDENT_TYPE",
        "title_s": "This is RANDOMTEXT test 2021-09-01 10:53",
        "remediation_actions_s": "[\r\n  \"ALERT\"\r\n]",
        "resolution_state_s": "OPEN_INCIDENT_RESOLUTION_STATE",
        "object_type_s": "CONTENT_MAIL",
-        "id_s": 212,
+        "id_s": "212",
        "research_status_s": "TRUE_POSITIVE",
        "app_name_s": "GOOGLE_GMAIL",
        "external_users_s": "[\r\n  {\r\n    \"name\": \"Name\",\r\n    \"email\": \"sanitized@sanitized.com\",\r\n    \"is_vip\": false\r\n  }\r\n]",
@ -219,14 +226,15 @@
        "RawData": "",
        "priority_s": "MEDIUM",
        "tagged_b": "false",
-        "date_t [UTC]": "8/31/2021, 10:59:42.000 PM",
+        "date_t": "2021-08-31T17:29:42.000Z",
        "users_s": "[\r\n  {\r\n    \"name\": \"Name\",\r\n    \"email\": \"sanitized@sanitized.com\",\r\n    \"is_vip\": false\r\n  }\r\n]",
        "policy_names_s": "[\r\n  \"Extortion\"\r\n]",
+        "incident_type_s":"ABUSE_INCIDENT_TYPE",
        "title_s": "This is EXTORTION test 2021-08-31 15:59",
        "remediation_actions_s": "[\r\n  \"ALERT\"\r\n]",
        "resolution_state_s": "OPEN_INCIDENT_RESOLUTION_STATE",
        "object_type_s": "CONTENT_MAIL",
-        "id_s": 211,
+        "id_s": "211",
        "research_status_s": "TRUE_POSITIVE",
        "app_name_s": "GOOGLE_GMAIL",
        "external_users_s": "[\r\n  {\r\n    \"name\": \"Name\",\r\n    \"email\": \"sanitized@sanitized.com\",\r\n    \"is_vip\": false\r\n  }\r\n]",
@ -249,14 +257,15 @@
        "RawData": "",
        "priority_s": "MEDIUM",
        "tagged_b": "false",
-        "date_t [UTC]": "8/31/2021, 10:53:10.000 PM",
+        "date_t": "2021-08-31T17:23:10.000Z",
        "users_s": "[\r\n  {\r\n    \"name\": \"Name\",\r\n    \"email\": \"sanitized@sanitized.com\",\r\n    \"is_vip\": false\r\n  }\r\n]",
        "policy_names_s": "[\r\n  \"Extortion\"\r\n]",
+        "incident_type_s":"ABUSE_INCIDENT_TYPE",
        "title_s": "This is EXTORTION test 2021-08-31 15:53",
        "remediation_actions_s": "[\r\n  \"ALERT\"\r\n]",
        "resolution_state_s": "OPEN_INCIDENT_RESOLUTION_STATE",
        "object_type_s": "CONTENT_MAIL",
-        "id_s": 209,
+        "id_s": "209",
        "research_status_s": "TRUE_POSITIVE",
        "app_name_s": "GOOGLE_GMAIL",
        "external_users_s": "[\r\n  {\r\n    \"name\": \"sanitized\",\r\n    \"email\": \"sanitized@sanitized.com\",\r\n    \"is_vip\": false\r\n  }\r\n]",
@ -279,14 +288,15 @@
        "RawData": "",
        "priority_s": "MEDIUM",
        "tagged_b": "false",
-        "date_t [UTC]": "8/31/2021, 10:35:10.000 PM",
+        "date_t": "2021-08-31T17:05:10.000Z",
        "users_s": "[\r\n  {\r\n    \"name\": \"Name\",\r\n    \"email\": \"sanitized@sanitized.com\",\r\n    \"is_vip\": false\r\n  }\r\n]",
        "policy_names_s": "[\r\n  \"Extortion\"\r\n]",
+        "incident_type_s":"ABUSE_INCIDENT_TYPE",
        "title_s": "This is EXTORTION test 2021-08-31 15:35",
        "remediation_actions_s": "[\r\n  \"ALERT\"\r\n]",
        "resolution_state_s": "OPEN_INCIDENT_RESOLUTION_STATE",
        "object_type_s": "CONTENT_MAIL",
-        "id_s": 210,
+        "id_s": "210",
        "research_status_s": "TRUE_POSITIVE",
        "app_name_s": "GOOGLE_GMAIL",
        "external_users_s": "[\r\n  {\r\n    \"name\": \"Name\",\r\n    \"email\": \"sanitized@sanitized.com\",\r\n    \"is_vip\": false\r\n  }\r\n]",
@ -309,14 +319,15 @@
        "RawData": "",
        "priority_s": "MEDIUM",
        "tagged_b": "false",
-        "date_t [UTC]": "8/31/2021, 10:31:38.000 PM",
+        "date_t": "2021-08-31T17:01:38.000Z",
        "users_s": "[\r\n  {\r\n    \"name\": \"Name\",\r\n    \"email\": \"sanitized@sanitized.com\",\r\n    \"is_vip\": false\r\n  }\r\n]",
        "policy_names_s": "[\r\n  \"Extortion\"\r\n]",
+        "incident_type_s":"ABUSE_INCIDENT_TYPE",
        "title_s": "This is EXTORTION test 2021-08-31 15:31",
        "remediation_actions_s": "[\r\n  \"ALERT\"\r\n]",
        "resolution_state_s": "OPEN_INCIDENT_RESOLUTION_STATE",
        "object_type_s": "CONTENT_MAIL",
-        "id_s": 208,
+        "id_s": "208",
        "research_status_s": "TRUE_POSITIVE",
        "app_name_s": "GOOGLE_GMAIL",
        "external_users_s": "[\r\n  {\r\n    \"name\": \"Name\",\r\n    \"email\": \"sanitized@sanitized.com\",\r\n    \"is_vip\": false\r\n  }\r\n]",
@ -339,14 +350,15 @@
        "RawData": "",
        "priority_s": "MEDIUM",
        "tagged_b": "false",
-        "date_t [UTC]": "8/31/2021, 9:51:07.000 PM",
+        "date_t": "2021-08-31T16:21:07.000Z",
        "users_s": "[\r\n  {\r\n    \"name\": \"Name\",\r\n    \"email\": \"sanitized@sanitized.com\",\r\n    \"is_vip\": false\r\n  }\r\n]",
        "policy_names_s": "[\r\n  \"Extortion\"\r\n]",
+        "incident_type_s":"ABUSE_INCIDENT_TYPE",
        "title_s": "This is EXTORTION test 2021-08-31 14:51",
        "remediation_actions_s": "[\r\n  \"ALERT\"\r\n]",
        "resolution_state_s": "OPEN_INCIDENT_RESOLUTION_STATE",
        "object_type_s": "CONTENT_MAIL",
-        "id_s": 207,
+        "id_s": "207",
        "research_status_s": "TRUE_POSITIVE",
        "app_name_s": "GOOGLE_GMAIL",
        "external_users_s": "[\r\n  {\r\n    \"name\": \"Name\",\r\n    \"email\": \"sanitized@sanitized.com\",\r\n    \"is_vip\": false\r\n  }\r\n]",
@ -369,14 +381,15 @@
        "RawData": "",
        "priority_s": "HIGH",
        "tagged_b": "false",
-        "date_t [UTC]": "8/31/2021, 9:23:57.000 PM",
+        "date_t": "2021-08-31T15:53:57.000Z",
        "users_s": "[\r\n  {\r\n    \"name\": \"Name\",\r\n    \"email\": \"sanitized@sanitized.com\",\r\n    \"is_vip\": false\r\n  }\r\n]",
        "policy_names_s": "[\r\n  \"PII Tax Number\"\r\n]",
+        "incident_type_s":"DLP_INCIDENT_TYPE",
        "title_s": "Tax Number Test 31 Aug 14:23:56",
        "remediation_actions_s": "[\r\n  \"ALERT\"\r\n]",
        "resolution_state_s": "OPEN_INCIDENT_RESOLUTION_STATE",
        "object_type_s": "CONTENT_MAIL",
-        "id_s": 206,
+        "id_s": "206",
        "research_status_s": "TRUE_POSITIVE",
        "app_name_s": "GOOGLE_GMAIL",
        "external_users_s": "[\r\n  {\r\n    \"name\": \"sanitized@sanitized.com\",\r\n    \"email\": \"sanitized@sanitized.com\",\r\n    \"is_vip\": false\r\n  }\r\n]",
@ -399,14 +412,15 @@
        "RawData": "",
        "priority_s": "HIGH",
        "tagged_b": "false",
-        "date_t [UTC]": "8/31/2021, 9:23:10.000 PM",
+        "date_t": "2021-08-31T15:53:10.000Z",
        "users_s": "[\r\n  {\r\n    \"name\": \"Name\",\r\n    \"email\": \"sanitized@sanitized.com\",\r\n    \"is_vip\": false\r\n  }\r\n]",
        "policy_names_s": "[\r\n  \"PCI IBAN\"\r\n]",
+        "incident_type_s":"DLP_INCIDENT_TYPE",
        "title_s": "IBAN Test 31 Aug 14:23:10",
        "remediation_actions_s": "[\r\n  \"ALERT\"\r\n]",
        "resolution_state_s": "OPEN_INCIDENT_RESOLUTION_STATE",
        "object_type_s": "CONTENT_MAIL",
-        "id_s": 203,
+        "id_s": "203",
        "research_status_s": "TRUE_POSITIVE",
        "app_name_s": "GOOGLE_GMAIL",
        "external_users_s": "[\r\n  {\r\n    \"name\": \"sanitized@sanitized.com\",\r\n    \"email\": \"sanitized@sanitized.com\",\r\n    \"is_vip\": false\r\n  }\r\n]",
@ -429,14 +443,15 @@
        "RawData": "",
        "priority_s": "HIGH",
        "tagged_b": "false",
-        "date_t [UTC]": "8/31/2021, 9:22:43.000 PM",
+        "date_t": "2021-08-31T15:52:43.000Z",
        "users_s": "[\r\n  {\r\n    \"name\": \"Name\",\r\n    \"email\": \"sanitized@sanitized.com\",\r\n    \"is_vip\": false\r\n  }\r\n]",
        "policy_names_s": "[\r\n  \"PCI Bank Account Number\"\r\n]",
+        "incident_type_s":"DLP_INCIDENT_TYPE",
        "title_s": "Bank Account Test 31 Aug 14:22:43",
        "remediation_actions_s": "[\r\n  \"ALERT\"\r\n]",
        "resolution_state_s": "OPEN_INCIDENT_RESOLUTION_STATE",
        "object_type_s": "CONTENT_MAIL",
-        "id_s": 202,
+        "id_s": "202",
        "research_status_s": "TRUE_POSITIVE",
        "app_name_s": "GOOGLE_GMAIL",
        "external_users_s": "[\r\n  {\r\n    \"name\": \"sanitized@sanitized.com\",\r\n    \"email\": \"sanitized@sanitized.com\",\r\n    \"is_vip\": false\r\n  }\r\n]",
@ -459,14 +474,15 @@
        "RawData": "",
        "priority_s": "HIGH",
        "tagged_b": "false",
-        "date_t [UTC]": "8/31/2021, 9:21:02.000 PM",
+        "date_t": "2021-08-31T15:51:02.000Z",
        "users_s": "[\r\n  {\r\n    \"name\": \"Name\",\r\n    \"email\": \"sanitized@sanitized.com\",\r\n    \"is_vip\": false\r\n  }\r\n]",
        "policy_names_s": "[\r\n  \"PCI Credit Card Number\"\r\n]",
+        "incident_type_s":"DLP_INCIDENT_TYPE",
        "title_s": "CC Test 31 Aug 14:21:2",
        "remediation_actions_s": "[\r\n  \"ALERT\"\r\n]",
        "resolution_state_s": "OPEN_INCIDENT_RESOLUTION_STATE",
        "object_type_s": "CONTENT_MAIL",
-        "id_s": 205,
+        "id_s": "205",
        "research_status_s": "TRUE_POSITIVE",
        "app_name_s": "GOOGLE_GMAIL",
        "external_users_s": "[\r\n  {\r\n    \"name\": \"sanitized@sanitized.com\",\r\n    \"email\": \"sanitized@sanitized.com\",\r\n    \"is_vip\": false\r\n  }\r\n]",
@ -489,14 +505,15 @@
        "RawData": "",
        "priority_s": "HIGH",
        "tagged_b": "false",
-        "date_t [UTC]": "8/31/2021, 9:19:39.000 PM",
+        "date_t": "2021-08-31T15:49:39.000Z",
        "users_s": "[\r\n  {\r\n    \"name\": \"Name\",\r\n    \"email\": \"sanitized@sanitized.com\",\r\n    \"is_vip\": false\r\n  }\r\n]",
        "policy_names_s": "[\r\n  \"PCI Credit Card Number\"\r\n]",
+        "incident_type_s":"DLP_INCIDENT_TYPE",
        "title_s": "CC Test 31 Aug 14:19:39",
        "remediation_actions_s": "[\r\n  \"ALERT\"\r\n]",
        "resolution_state_s": "OPEN_INCIDENT_RESOLUTION_STATE",
        "object_type_s": "CONTENT_MAIL",
-        "id_s": 204,
+        "id_s": "204",
        "research_status_s": "TRUE_POSITIVE",
        "app_name_s": "GOOGLE_GMAIL",
        "external_users_s": "[\r\n  {\r\n    \"name\": \"sanitized@sanitized.com\",\r\n    \"email\": \"sanitized@sanitized.com\",\r\n    \"is_vip\": false\r\n  }\r\n]",
@ -519,14 +536,15 @@
        "RawData": "",
        "priority_s": "HIGH",
        "tagged_b": "false",
-        "date_t [UTC]": "8/31/2021, 9:18:37.000 PM",
+        "date_t": "2021-08-31T15:48:37.000Z",
        "users_s": "[\r\n  {\r\n    \"name\": \"Name\",\r\n    \"email\": \"sanitized@sanitized.com\",\r\n    \"is_vip\": false\r\n  }\r\n]",
        "policy_names_s": "[\r\n  \"PCI Credit Card Number\"\r\n]",
+        "incident_type_s":"DLP_INCIDENT_TYPE",
        "title_s": "CC Test 31 Aug 14:18:36",
        "remediation_actions_s": "[\r\n  \"ALERT\"\r\n]",
        "resolution_state_s": "OPEN_INCIDENT_RESOLUTION_STATE",
        "object_type_s": "CONTENT_MAIL",
-        "id_s": 201,
+        "id_s": "201",
        "research_status_s": "TRUE_POSITIVE",
        "app_name_s": "GOOGLE_GMAIL",
        "external_users_s": "[\r\n  {\r\n    \"name\": \"sanitized@sanitized.com\",\r\n    \"email\": \"sanitized@sanitized.com\",\r\n    \"is_vip\": false\r\n  }\r\n]",
--- a/Rules/ArmorbloxNeedsReviewAlert.yaml
+++ b/Rules/ArmorbloxNeedsReviewAlert.yaml
@ -0,0 +1,41 @@
+id: 322d4765-be6b-4868-9e3f-138a4f339dd6
+name: Armorblox Needs Review Alert
+description: |
+  'This rule generates an alert for an Armorblox incident where the remediation action is "Needs Review".'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: Armorblox
+    dataTypes:
+      - Armorblox_CL
+queryFrequency: 10m
+queryPeriod: 10m
+triggerOperator: GreaterThan
+triggerThreshold: 0
+query: Armorblox_CL| where remediation_actions_s contains "Needs Review"
+incidentConfiguration:
+  createIncident: true
+  groupingConfiguration:
+    enabled: false
+    reopenClosedIncident: false
+    lookbackDuration: 10m
+    matchingMethod: AllEntities
+    groupByEntities: []
+    groupByAlertDetails: []
+    groupByCustomDetails: []
+eventGroupingSettings:
+  aggregationKind: AlertPerResult
+alertDetailsOverride:
+  alertDisplayNameFormat: Alert from Armorblox
+  alertDescriptionFormat: 'Incident {{id_s}} generated at {{date_t}} needs review '
+  alertTacticsColumnName:
+  alertSeverityColumnName: priority_s
+customDetails:
+  IncidentId: id_s
+  RemediationAction: remediation_actions_s
+entityMappings:
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: IPCustomEntity
+version: 1.0.0
+kind: Scheduled
--- a/Solutions/Armorblox/Playbooks/README.md
+++ b/Solutions/Armorblox/Playbooks/README.md
@ -0,0 +1,28 @@
+# Needs-Review-Incident-Email-Notification
+**Author:** Armorblox
+
+This playbook will send an email notification when a new incident is created in Azure Sentinel.
+## Pre-requisites
+An O365 account to be used to send email notification. The user account will be used in O365 connector (Send an email).
+
+## Parameters
+Notification Email - The receiver's mail address.
+
+## Deployment                                                                                         
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Farmorblox%2FAzure-Sentinel%2Fxoriant%2FSolutions%2FArmorblox%2FPlaybooks%2Fazuredeploy.json)
+[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Farmorblox%2FAzure-Sentinel%2xoriant%2FSolutions%2FArmorblox%2FPlaybooks%2Fazuredeploy.json)
+ 
+
+## Post-deployment
+
+### Configure connections
+Once this Playbooks template is deployed, you will need to go into the Logic App, edit it and click on each of the steps that require an authenticated connection to your tenant and complete the connection process. These steps will have an exclamation mark showing that the connection needs to be completed. Make sure to also open the "For each" step which also contains a step that requires an authenticated connection.<br>
+Note:  Emails sent with this playbook will be from the user that creates the connection.
+
+### Attach the playbook
+After deployment, attach this playbook to the `Armorblox Needs Review` analytic rule so it runs when the alert is created.</br>
+Note: Playbook is disabled by default. Please enable it before assigning to the Automation rule.
+
+## Screenshots
+### Playbook screenshot
+![Playbook](./images/Playbook_Send-email-alert.png)
--- a/Solutions/Armorblox/Playbooks/azuredeploy.json
+++ b/Solutions/Armorblox/Playbooks/azuredeploy.json
@ -0,0 +1,138 @@
+{
+   "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+    "contentVersion": "1.0.0.0",
+    "parameters": {
+        "PlaybookName": {
+            "defaultValue": "Armorblox",
+            "type": "String"
+        },
+        "NotificationEmail": {
+            "type": "String",
+            "metadata": {
+                "description": "Alert details will be sent to this email (ex. soc@xyz.com)"
+            }
+        }
+    },
+    "variables": {
+        "AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]",
+        "o365ConnectionName": "[concat('o365-', parameters('PlaybookName'))]"
+    },
+    "resources": [
+        {
+            "type": "Microsoft.Web/connections",
+            "apiVersion": "2016-06-01",
+            "name": "[variables('AzureSentinelConnectionName')]",
+            "location": "[resourceGroup().location]",
+            "properties": {
+                "displayName": "[parameters('PlaybookName')]",
+                "customParameterValues": {},
+                "parameterValueType": "Alternative",
+                "api": {
+                    "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
+                }
+            }
+        },
+        {
+            "type": "Microsoft.Web/connections",
+            "apiVersion": "2016-06-01",
+            "name": "[variables('o365ConnectionName')]",
+            "location": "[resourceGroup().location]",
+            "properties": {
+                "displayName": "[parameters('PlaybookName')]",
+                "customParameterValues": {},
+                "api": {
+                    "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/office365')]"
+                }
+            }
+        },
+        {
+            "type": "Microsoft.Logic/workflows",
+            "apiVersion": "2017-07-01",
+            "name": "[parameters('PlaybookName')]",
+            "location": "[resourceGroup().location]",
+            "identity": {
+                "type": "SystemAssigned"
+            },
+            "dependsOn": [
+                "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
+                "[resourceId('Microsoft.Web/connections', variables('o365ConnectionName'))]"
+            ],
+            "properties": {
+                "state": "Disabled",
+                "definition": {
+                    "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+                    "contentVersion": "1.0.0.0",
+                    "parameters": {
+                        "$connections": {
+                            "defaultValue": {},
+                            "type": "Object"
+                        },
+                        "to": {
+                            "defaultValue": "[parameters('NotificationEmail')]",
+                            "type": "String"
+                        }
+                    },
+                    "triggers": {
+                        "When_a_response_to_an_Azure_Sentinel_alert_is_triggered": {
+                            "type": "ApiConnectionWebhook",
+                            "inputs": {
+                                "body": {
+                                    "callback_url": "@{listCallbackUrl()}"
+                                },
+                                "host": {
+                                    "connection": {
+                                        "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+                                    }
+                                },
+                                "path": "/subscribe"
+                            }
+                        }
+                    },
+                    "actions": {
+                        "Send_an_email_(V2)": {
+                            "runAfter": {},
+                            "type": "ApiConnection",
+                            "inputs": {
+                                "body": {
+                                    "Body": "<p>Hello,<br>\n<br>\n@{triggerBody()?['Description']}<br>\n<br>\nThank you</p>",
+                                    "Subject": "@triggerBody()?['AlertDisplayName']",
+                                    "To": "@parameters('to')"
+                                },
+                                "host": {
+                                    "connection": {
+                                        "name": "@parameters('$connections')['office365']['connectionId']"
+                                    }
+                                },
+                                "method": "post",
+                                "path": "/v2/Mail"
+                            }
+                        }
+                    },
+                    "outputs": {}
+                },
+                "parameters": {
+                    "$connections": {
+                        "value": {
+                            "azuresentinel": {
+                                "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
+                                "connectionName": "[variables('AzureSentinelConnectionName')]",
+                                "connectionProperties": {
+                                    "authentication": {
+                                        "type": "ManagedServiceIdentity"
+                                    }
+                                },
+                                 "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
+                            },
+                            "office365": {
+                                "connectionId": "[resourceId('Microsoft.Web/connections', variables('o365ConnectionName'))]",
+                                "connectionName": "[variables('o365ConnectionName')]",
+                                "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/office365')]"
+
+                            }
+                        }
+                    }
+                }
+            }
+        }
+    ]
+}
--- a/Solutions/Armorblox/Playbooks/images/Playbook_Send-email-alert.png
+++ b/Solutions/Armorblox/Playbooks/images/Playbook_Send-email-alert.png
--- a/Solutions/Armorblox/Workbooks/ArmorbloxOverview.json
+++ b/Solutions/Armorblox/Workbooks/ArmorbloxOverview.json
@ -0,0 +1,236 @@
+{
+  "version": "Notebook/1.0",
+  "items": [
+    {
+      "type": 1,
+      "content": {
+        "json": "## INCIDENTS FROM ARMORBLOX"
+      },
+      "name": "text - 0",
+      "styleSettings": {
+        "margin": "5px",
+        "padding": "5px"
+      }
+    },
+    {
+      "type": 9,
+      "content": {
+        "version": "KqlParameterItem/1.0",
+        "parameters": [
+          {
+            "id": "57bfc245-223e-4ef2-892a-35f9b3049ee0",
+            "version": "KqlParameterItem/1.0",
+            "name": "TimeRange",
+            "type": 4,
+            "description": "INCIDENTS FROM SELECTED TIME RANGE",
+            "isRequired": true,
+            "value": {
+              "durationMs": 259200000
+            },
+            "typeSettings": {
+              "selectableValues": [
+                {
+                  "durationMs": 300000
+                },
+                {
+                  "durationMs": 900000
+                },
+                {
+                  "durationMs": 1800000
+                },
+                {
+                  "durationMs": 3600000
+                },
+                {
+                  "durationMs": 14400000
+                },
+                {
+                  "durationMs": 43200000
+                },
+                {
+                  "durationMs": 86400000
+                },
+                {
+                  "durationMs": 172800000
+                },
+                {
+                  "durationMs": 259200000
+                },
+                {
+                  "durationMs": 604800000
+                },
+                {
+                  "durationMs": 1209600000
+                },
+                {
+                  "durationMs": 2419200000
+                },
+                {
+                  "durationMs": 2592000000
+                },
+                {
+                  "durationMs": 5184000000
+                },
+                {
+                  "durationMs": 7776000000
+                }
+              ]
+            },
+            "timeContext": {
+              "durationMs": 86400000
+            }
+          }
+        ],
+        "style": "pills",
+        "queryType": 0,
+        "resourceType": "microsoft.operationalinsights/workspaces"
+      },
+      "name": "parameters - 1"
+    },
+    {
+      "type": 3,
+      "content": {
+        "version": "KqlItem/1.0",
+        "query": "Armorblox_CL\r\n| sort by TimeGenerated desc\r\n| where TimeGenerated {TimeRange}\r\n| summarize count() by priority_s\r\n",
+        "size": 1,
+        "timeContext": {
+          "durationMs": 259200000
+        },
+        "timeContextFromParameter": "TimeRange",
+        "queryType": 0,
+        "resourceType": "microsoft.operationalinsights/workspaces",
+        "visualization": "piechart",
+        "chartSettings": {
+          "yAxis": [
+            "count_"
+          ],
+          "showLegend": true
+        }
+      },
+      "customWidth": "50",
+      "name": "query - 3",
+      "styleSettings": {
+        "margin": "5",
+        "padding": "5",
+        "showBorder": true
+      }
+    },
+    {
+      "type": 3,
+      "content": {
+        "version": "KqlItem/1.0",
+        "query": "Armorblox_CL\r\n| sort by TimeGenerated desc\r\n| where TimeGenerated {TimeRange}\r\n| summarize count() by incident_type_s\r\n",
+        "size": 1,
+        "timeContext": {
+          "durationMs": 259200000
+        },
+        "timeContextFromParameter": "TimeRange",
+        "queryType": 0,
+        "resourceType": "microsoft.operationalinsights/workspaces",
+        "visualization": "piechart"
+      },
+      "customWidth": "50",
+      "name": "query - 4",
+      "styleSettings": {
+        "margin": "5",
+        "padding": "5",
+        "showBorder": true
+      }
+    },
+    {
+      "type": 3,
+      "content": {
+        "version": "KqlItem/1.0",
+        "query": "Armorblox_CL\r\n| sort by TimeGenerated desc\r\n| where TimeGenerated {TimeRange} and incident_type_s=='THREAT_INCIDENT_TYPE'\r\n| extend policy = substring(policy_names_s, 1, strlen(policy_names_s)-2)\r\n| summarize count() by policy\r\n",
+        "size": 1,
+        "timeContext": {
+          "durationMs": 259200000
+        },
+        "timeContextFromParameter": "TimeRange",
+        "queryType": 0,
+        "resourceType": "microsoft.operationalinsights/workspaces",
+        "visualization": "piechart",
+        "tileSettings": {
+          "showBorder": false,
+          "titleContent": {
+            "columnMatch": "policy_names_s",
+            "formatter": 1
+          },
+          "leftContent": {
+            "columnMatch": "count_",
+            "formatter": 12,
+            "formatOptions": {
+              "palette": "auto"
+            },
+            "numberFormat": {
+              "unit": 17,
+              "options": {
+                "maximumSignificantDigits": 3,
+                "maximumFractionDigits": 2
+              }
+            }
+          }
+        }
+      },
+      "customWidth": "50",
+      "name": "query - 6",
+      "styleSettings": {
+        "margin": "5",
+        "padding": "5",
+        "showBorder": true
+      }
+    },
+    {
+      "type": 3,
+      "content": {
+        "version": "KqlItem/1.0",
+        "query": "Armorblox_CL\r\n| sort by TimeGenerated desc\r\n| where TimeGenerated {TimeRange} and incident_type_s=='DLP_INCIDENT_TYPE'\r\n| extend policy = substring(policy_names_s, 1, strlen(policy_names_s)-2)\r\n| summarize count() by policy\r\n",
+        "size": 1,
+        "timeContext": {
+          "durationMs": 259200000
+        },
+        "timeContextFromParameter": "TimeRange",
+        "queryType": 0,
+        "resourceType": "microsoft.operationalinsights/workspaces",
+        "visualization": "piechart"
+      },
+      "customWidth": "50",
+      "name": "query - 7",
+      "styleSettings": {
+        "margin": "5",
+        "padding": "5",
+        "showBorder": true
+      }
+    },
+    {
+      "type": 1,
+      "content": {
+        "json": "## INCIDENTS"
+      },
+      "name": "text - 5"
+    },
+    {
+      "type": 3,
+      "content": {
+        "version": "KqlItem/1.0",
+        "query": "Armorblox_CL\r\n| project TimeGenerated, date_t, id_s, priority_s, policy_names_s, title_s, remediation_actions_s, resolution_state_s, research_status_s\r\n| project-rename OccurredDate=date_t, IncidentId=id_s, Priority=priority_s, Subject=title_s, RemediationAction=remediation_actions_s, ResolutionState=resolution_state_s, ResearchStatus=research_status_s\r\n| where TimeGenerated {TimeRange}\r\n| sort by TimeGenerated desc\r\n",
+        "size": 0,
+        "timeContext": {
+          "durationMs": 259200000
+        },
+        "timeContextFromParameter": "TimeRange",
+        "queryType": 0,
+        "resourceType": "microsoft.operationalinsights/workspaces"
+      },
+      "name": "query - 2",
+      "styleSettings": {
+        "margin": "5",
+        "padding": "5",
+        "showBorder": true
+      }
+    }
+  ],
+  "fallbackResourceIds": [],
+  "fromTemplateId": "sentinel-ArmorbloxOverview",
+  "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
+}
--- a/Solutions/Armorblox/Workbooks/images/preview/ArmorbloxOverviewBlack01.png
+++ b/Solutions/Armorblox/Workbooks/images/preview/ArmorbloxOverviewBlack01.png
--- a/Solutions/Armorblox/Workbooks/images/preview/ArmorbloxOverviewBlack02.png
+++ b/Solutions/Armorblox/Workbooks/images/preview/ArmorbloxOverviewBlack02.png
--- a/Solutions/Armorblox/Workbooks/images/preview/ArmorbloxOverviewWhite01.png
+++ b/Solutions/Armorblox/Workbooks/images/preview/ArmorbloxOverviewWhite01.png
--- a/Solutions/Armorblox/Workbooks/images/preview/ArmorbloxOverviewWhite02.png
+++ b/Solutions/Armorblox/Workbooks/images/preview/ArmorbloxOverviewWhite02.png