rename from DataConnectors/CohesitySecurity/Helios2Sentinel

rename to "Solutions/CohesitySecurity/Data\\ Connectors/Helios2Sentinel
update to use keyvault instead of apiKey from env.
rename some playbooks.

Solutions/CohesitySecurity/Data\ Connectors/Helios2Sentinel/IncidentConsumer/readme.md

@@ -3,11 +3,11 @@ This function picks alerts from the queue and creates the corresponding records
 
 ## Publishing Prerequisites
 1. Create your Sentinel [workspace](https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel).
-* __Attention__: It should be the same workspace as created for [IncidentProducer](https://raw.githubusercontent.com/cohesity/Azure-Sentinel/CohesitySecurity.internal/DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentProducer/readme.md).
+* __Attention__: It should be the same workspace as created for [IncidentProducer](https://raw.githubusercontent.com/cohesity/Azure-Sentinel/CohesitySecurity.internal/Solutions/CohesitySecurity/Data\ Connectors/Helios2Sentinel/IncidentProducer/readme.md).
 2. [Register](https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/RegisteredApps) a client application in Azure Active Directory with the Contributor privileges ([steps](https://learn.microsoft.com/azure/healthcare-apis/register-application)).
 * Save _Application (client) ID_, _Directory (tenant) ID_ and _Secret Value_.
 3. Create a new queue in [Azure Storage Accounts](https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Storage%2FStorageAccounts) ([steps](https://learn.microsoft.com/azure/storage/queues/storage-quickstart-queues-portal)).
-* __Attention__: It should be the same queue as created for [IncidentProducer](https://raw.githubusercontent.com/cohesity/Azure-Sentinel/CohesitySecurity.internal/DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentProducer/readme.md).
+* __Attention__: It should be the same queue as created for [IncidentProducer](https://raw.githubusercontent.com/cohesity/Azure-Sentinel/CohesitySecurity.internal/Solutions/CohesitySecurity/Data\ Connectors/Helios2Sentinel/IncidentProducer/readme.md).
 * Save the connection string
 4. Choose your [resource group](https://portal.azure.com/#view/HubsExtension/BrowseResourceGroups) that you are going to use for the function app.
 5. Choose your [subscription](https://portal.azure.com/#view/Microsoft_Azure_Billing/SubscriptionsBlade) that you are going to use for the function app.
@@ -38,4 +38,4 @@ followed by
 * Confirm the restart.
 
 ## Testing
-Check that the function successfully runs at  _IncidentConsumer | Functions | Monitor_. If not, please check that you created all environment variables correctly by comparing their names with the ones in [local.settings.json](https://github.com/cohesity/Azure-Sentinel/blob/CohesitySecurity.internal/DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentConsumer/local.settings.json).
+Check that the function successfully runs at  _IncidentConsumer | Functions | Monitor_. If not, please check that you created all environment variables correctly by comparing their names with the ones in [local.settings.json](https://github.com/cohesity/Azure-Sentinel/blob/CohesitySecurity.internal/Solutions/CohesitySecurity/Data\ Connectors/Helios2Sentinel/IncidentConsumer/local.settings.json).

Solutions/CohesitySecurity/Data\ Connectors/Helios2Sentinel/IncidentProducer/readme.md

@@ -10,11 +10,11 @@ This function retrieves ransomware alerts from Cohesity DataHawk and lands them
 * Enter a name for the API key.
 * Select _Save_. The API Key Token is displayed.
 2. Create your Sentinel [workspace](https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel).
-* __Attention__: It should be the same workspace as created for [IncidentConsumer](https://github.com/cohesity/Azure-Sentinel/tree/CohesitySecurity.internal/DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentConsumer#readme).
+* __Attention__: It should be the same workspace as created for [IncidentConsumer](https://github.com/cohesity/Azure-Sentinel/tree/CohesitySecurity.internal/Solutions/CohesitySecurity/Data\ Connectors/Helios2Sentinel/IncidentConsumer#readme).
 3. [Register](https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/RegisteredApps) a client application in Azure Active Directory with the Contributor privileges ([steps](https://learn.microsoft.com/azure/healthcare-apis/register-application)).
 * Save _Application (client) ID_, _Directory (tenant) ID_ and _Secret Value_.
 4. Create a new queue in [Azure Storage Accounts](https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Storage%2FStorageAccounts) ([steps](https://learn.microsoft.com/azure/storage/queues/storage-quickstart-queues-portal)).
-* __Attention__: It should be the same workspace as created for [IncidentConsumer](https://github.com/cohesity/Azure-Sentinel/tree/CohesitySecurity.internal/DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentConsumer#readme).
+* __Attention__: It should be the same workspace as created for [IncidentConsumer](https://github.com/cohesity/Azure-Sentinel/tree/CohesitySecurity.internal/Solutions/CohesitySecurity/Data\ Connectors/Helios2Sentinel/IncidentConsumer#readme).
 * Save the connection string
 5. Create an instance of [Azure Cache for Redis](https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Cache%2FRedis) ([steps](https://learn.microsoft.com/azure/azure-cache-for-redis/cache-configure))
 * Save the connection string
@@ -43,4 +43,4 @@ followed by
 * Confirm the restart.
 
 ## Testing
-Check that the function successfully runs at  _IncidentProducer | Functions | Monitor_. If not, please check that you created all environment variables correctly by comparing their names with the ones in [local.settings.json](https://github.com/cohesity/Azure-Sentinel/blob/CohesitySecurity.internal/DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentProducer/local.settings.json).
+Check that the function successfully runs at  _IncidentProducer | Functions | Monitor_. If not, please check that you created all environment variables correctly by comparing their names with the ones in [local.settings.json](https://github.com/cohesity/Azure-Sentinel/blob/CohesitySecurity.internal/Solutions/CohesitySecurity/Data\ Connectors/Helios2Sentinel/IncidentProducer/local.settings.json).

Solutions/CohesitySecurity/Data\ Connectors/Helios2Sentinel/readme.md

@@ -9,5 +9,5 @@ Before deployment, please make sure that all prerequisites and pre-deployment st
 * Install [azure-functions-core-tools](https://docs.microsoft.com/azure/azure-functions/functions-run-local).
 
 ## Deployment
-* Deploy [IncidentProducer](https://github.com/cohesity/Azure-Sentinel/tree/CohesitySecurity.internal/DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentProducer#readme) function.
-* Deploy [IncidentConsumer](https://github.com/cohesity/Azure-Sentinel/tree/CohesitySecurity.internal/DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentConsumer#readme) function.
+* Deploy [IncidentProducer](https://github.com/cohesity/Azure-Sentinel/tree/CohesitySecurity.internal/Solutions/CohesitySecurity/Data\ Connectors/Helios2Sentinel/IncidentProducer#readme) function.
+* Deploy [IncidentConsumer](https://github.com/cohesity/Azure-Sentinel/tree/CohesitySecurity.internal/Solutions/CohesitySecurity/Data\ Connectors/Helios2Sentinel/IncidentConsumer#readme) function.

Solutions/CohesitySecurity/Package/createUiDefinition.json

@@ -138,7 +138,7 @@
           {
             "name": "playbook3",
             "type": "Microsoft.Common.Section",
-            "label": "SNOW-CreateAndUpdateIncident",
+            "label": "Cohesity_CreateOrUpdate_ServiceNow_Incident",
             "elements": [
               {
                 "name": "playbook3-text",
@@ -151,7 +151,7 @@
                 "name": "playbook3-PlaybookName",
                 "type": "Microsoft.Common.TextBox",
                 "label": "Playbook Name",
-                "defaultValue": "SNOW-CreateAndUpdateIncident",
+                "defaultValue": "Cohesity_CreateOrUpdate_ServiceNow_Incident",
                 "toolTip": "Resource name for the logic app playbook.  No spaces are allowed",
                 "constraints": {
                   "required": true,

Solutions/CohesitySecurity/Playbooks/Cohesity_CreateOrUpdate_ServiceNow_Incident/azuredeploy.json

@@ -20,7 +20,7 @@
     },
     "parameters": {
         "PlaybookName": {
-            "defaultValue": "SNOW-CreateAndUpdateIncident",
+            "defaultValue": "Cohesity_CreateOrUpdate_ServiceNow_Incident",
             "type": "string"
         }
     },
@@ -656,7 +656,7 @@
             "type": "Microsoft.Logic/workflows",
             "location": "[resourceGroup().location]",
             "tags": {
-                "hidden-SentinelTemplateName": "SNOW-CreateAndUpdateIncident",
+                "hidden-SentinelTemplateName": "Cohesity_CreateOrUpdate_ServiceNow_Incident",
                 "hidden-SentinelTemplateVersion": "1.0"
             },
             "identity": {
@@ -679,7 +679,7 @@
                 "customParameterValues": {},
                 "parameterValueType": "Alternative",
                 "api": {
-                    "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]"
+                    "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Microsoftsentinel')]"
                 }
             }
         },

Solutions/CohesitySecurity/Playbooks/Cohesity_CreateOrUpdate_ServiceNow_Incident/readme.md

@@ -1,13 +1,13 @@
-# Cohesity Create or Update ServiceNow Incident 
+# Cohesity Create or Update ServiceNow Incident
 ## Summary
-This playbook creates a ticket in ServiceNow. It can be also used for updating ticket information or closing it. For example, an automation rule can be created to close the ServiceNow ticket by running this playbook when the corresponding Sentinel ticket is closed ([details](https://github.com/cohesity/Azure-Sentinel/blob/CohesitySecurity.internal/Solutions/Servicenow/Playbooks/SNOW-CreateAndUpdateIncident/readme.md)).
+This playbook creates a ticket in ServiceNow. It can be also used for updating ticket information or closing it. For example, an automation rule can be created to close the ServiceNow ticket by running this playbook when the corresponding Sentinel ticket is closed ([details](https://github.com/cohesity/Azure-Sentinel/blob/CohesitySecurity.internal/Solutions/Servicenow/Playbooks/Cohesity_CreateOrUpdate_ServiceNow_Incident/readme.md)).
 
 ## Prerequisites
 1. Create an account for [ServiceNow](https://signon.service-now.com/x_snc_sso_auth.do).
 
 ## Deployment instructions
 1. Deploy the playbook by clicking on the "Deploy to Azure" button. This will take you to deploying an ARM Template wizard.
-[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fcohesity%2FAzure-Sentinel%2FCohesitySecurity.internal%2FSolutions%2FCohesitySecurity%2FPlaybooks%2FSNOW-CreateAndUpdateIncident%2Fazuredeploy.json)
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fcohesity%2FAzure-Sentinel%2FCohesitySecurity.internal%2FSolutions%2FCohesitySecurity%2FPlaybooks%2FCohesity_CreateOrUpdate_ServiceNow_Incident%2Fazuredeploy.json)
 2. Fill in the required parameters:
 * __Playbook Name:__ Enter the playbook name here.
 
@@ -16,13 +16,12 @@ This playbook creates a ticket in ServiceNow. It can be also used for updating t
 * Go to _Logic Apps_.
 * Choose your app (playbook).
 * Select _Development Tools\API Connections_.
-* Select a connection you'd like to authorize. Usually, such a connection contains your playbook name. For example, if your playbook is called **My-SNOW-CreateAndUpdateIncident**, then the connection _can_ be called _Service-Now-_**My-SNOW-CreateAndUpdateIncident**.
-* Click on _General\Edit API Connection_.
-* Enter path to your instance, e.g. dev12345.
+* Select a connection you'd like to authorize.
+* Click on General\Edit API Connection.
+* Enter path to your instance, e.g. https://dev12345.service-now.com.
 * Enter username.
 * Enter password.
 * Click Save.
-**Note:** Your ServiceNow credentials can be found in your ServiceNow instance account profile (see _Instance Action\Manage Instance Password_).
 
 Alternatively, you can follow these steps to achieve the same goal. This would be especially useful if the previous steps didn’t work for you.
 * Go to _Logic Apps_.
@@ -38,15 +37,5 @@ Alternatively, you can follow these steps to achieve the same goal. This would b
 * Choose the _Access Control (IAM)_ option from the left pane.
 * Click on _Add > Add Role Assignment_ and add _Microsoft Sentinel Responder_ managed identity role to the playbook.
 
-3. (Recommendation). Create automation rule to close ServiceNow tickets when the corresponding ticket is closed.
-* Choose _Automation_ in the _Configuration_ pane.
-* Select _Create/Automation rule_.
-* In the _Create new automation rule_ window, enter your new rule name, e.g. _Close ServiceNow Ticket_.
-* In the _Trigger_ list, select _When incident is updated_.
-* Add the condition _Tag contains_ **SNOW System ID:**.
-* Add the condition _Status chaged to_ **Close**.
-* In _Actions/Run playbook_ select your playbook.
-* Click _Apply_.
-
 #  References
- - [Cohesity support documentation](https://docs.cohesity.com/ui/login?redirectPath=%2FHomePage%2FContent%2FTechGuides%2FTechnicalGuides.htm).
+ - [Cohesity support documentation](https://docs.cohesity.com/ui/login?redirectPath=%2FHomePage%2FContent%2FTechGuides%2FTechnicalGuides.htm)

Solutions/CohesitySecurity/Playbooks/Cohesity_Restore_From_Last_Snapshot/azuredeploy.json

@@ -26,7 +26,8 @@
     },
     "variables": {
         "AzureblobConnectionName": "[concat('Azureblob-', parameters('PlaybookName'))]",
-        "MicrosoftSentinelConnectionName": "[concat('MicrosoftSentinel-', parameters('PlaybookName'))]"
+        "MicrosoftSentinelConnectionName": "[concat('MicrosoftSentinel-', parameters('PlaybookName'))]",
+        "KeyvaultConnectionName": "[concat('Keyvault-', parameters('PlaybookName'))]"
     },
     "resources": [{
             "properties": {
@@ -190,12 +191,29 @@
                                 }
                             }
                         },
-                        "HTTP": {
+                        "Get_secret": {
                             "runAfter": {
                                 "Get_object_from_blob_content": [
                                     "Succeeded"
                                 ]
                             },
+                            "type": "ApiConnection",
+                            "inputs": {
+                                "host": {
+                                    "connection": {
+                                        "name": "@parameters('$connections')['keyvault']['connectionId']"
+                                    }
+                                },
+                                "method": "get",
+                                "path": "/secrets/@{encodeURIComponent('ApiKey')}/value"
+                            }
+                        },
+                        "HTTP": {
+                            "runAfter": {
+                                "Get_secret": [
+                                    "Succeeded"
+                                ]
+                            },
                             "type": "Http",
                             "inputs": {
                                 "body": {
@@ -218,7 +236,7 @@
                                 },
                                 "headers": {
                                     "Content-Type": "application/json",
-                                    "apiKey": "33e44eac-ce99-46df-7f4e-9ac39446a66e",
+                                    "apiKey": "@body('Get_secret')?['value']",
                                     "clusterid": "@{body('Get_cid_from_blob_content')}"
                                 },
                                 "method": "POST",
@@ -271,6 +289,11 @@
                                         "type": "ManagedServiceIdentity"
                                     }
                                 }
+                            },
+                            "keyvault": {
+                                "connectionId": "[resourceId('Microsoft.Web/connections', variables('KeyvaultConnectionName'))]",
+                                "connectionName": "[variables('KeyvaultConnectionName')]",
+                                "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Keyvault')]"
                             }
                         }
                     }
@@ -289,7 +312,8 @@
             "apiVersion": "2019-05-01",
             "dependsOn": [
                 "[resourceId('Microsoft.Web/connections', variables('AzureblobConnectionName'))]",
-                "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]"
+                "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
+                "[resourceId('Microsoft.Web/connections', variables('KeyvaultConnectionName'))]"
             ]
         },
         {
@@ -320,6 +344,20 @@
                     "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]"
                 }
             }
+        },
+        {
+            "type": "Microsoft.Web/connections",
+            "apiVersion": "2016-06-01",
+            "name": "[variables('KeyvaultConnectionName')]",
+            "location": "[resourceGroup().location]",
+            "kind": "V1",
+            "properties": {
+                "displayName": "[variables('KeyvaultConnectionName')]",
+                "customParameterValues": {},
+                "api": {
+                    "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Keyvault')]"
+                }
+            }
         }
     ]
 }

Solutions/CohesitySecurity/Playbooks/Cohesity_Send_Incident_Email/azuredeploy.json

@@ -78,9 +78,9 @@
                                 }]
                             }
                         },
-                        "Send_an_email_(V2)": {
+                        "Send_email_(V2)": {
                             "runAfter": {
-                                "Set_variable": [
+                                "Set_variable_2": [
                                     "Succeeded"
                                 ]
                             },
@@ -101,7 +101,7 @@
                                 "path": "/v2/Mail"
                             }
                         },
-                        "Set_variable": {
+                        "Set_variable_2": {
                             "runAfter": {
                                 "Initialize_variable": [
                                     "Succeeded"

Solutions/CohesitySecurity/readme.md

@@ -14,13 +14,13 @@ __Disclaimer:__ You can skip these steps and use one of the pre-built packages f
 4. Follow [readme.md](https://github.com/cohesity/Azure-Sentinel/blob/CohesitySecurity.internal/Solutions/README.md) for post-build manual validation.
 
 ## Deployment
-The package consists of the following Azure functions ([install pre-requisites](https://github.com/cohesity/Azure-Sentinel/tree/CohesitySecurity.internal/DataConnectors/CohesitySecurity/Helios2Sentinel#readme))
-* _IncidentProducer_ to retrieve Helios alerts via a special REST API ([deployment steps](https://github.com/cohesity/Azure-Sentinel/blob/CohesitySecurity.internal/DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentProducer/readme.md))
-* _IncidentConsumer_ to create incidents in MS Sentinel ([deployment steps](https://github.com/cohesity/Azure-Sentinel/blob/CohesitySecurity.internal/DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentConsumer/readme.md))
+The package consists of the following Azure functions ([install pre-requisites](https://github.com/cohesity/Azure-Sentinel/tree/CohesitySecurity.internal/Solutions/CohesitySecurity/Data\ Connectors/Helios2Sentinel#readme))
+* _IncidentProducer_ to retrieve Helios alerts via a special REST API ([deployment steps](https://github.com/cohesity/Azure-Sentinel/blob/CohesitySecurity.internal/Solutions/CohesitySecurity/Data\ Connectors/Helios2Sentinel/IncidentProducer/readme.md))
+* _IncidentConsumer_ to create incidents in MS Sentinel ([deployment steps](https://github.com/cohesity/Azure-Sentinel/blob/CohesitySecurity.internal/Solutions/CohesitySecurity/Data\ Connectors/Helios2Sentinel/IncidentConsumer/readme.md))
 
 It also has a few playbooks for automation.
 * *Cohesity_Send_Incident_Email* to send an email to the recipient with the incident details ([deployment steps](https://github.com/cohesity/Azure-Sentinel/tree/CohesitySecurity.internal/Solutions/CohesitySecurity/Playbooks/Cohesity_Send_Incident_Email#readme.md)).
-* *Cohesity_CreateOrUpdate_ServiceNow_Incident* to create and update the incident in the ServiceNow platform ([deployment steps](https://github.com/cohesity/Azure-Sentinel/tree/CohesitySecurity.internal/Solutions/CohesitySecurity/Playbooks/SNOW-CreateAndUpdateIncident#readme.md)).
+* *Cohesity_CreateOrUpdate_ServiceNow_Incident* to create and update the incident in the ServiceNow platform ([deployment steps](https://github.com/cohesity/Azure-Sentinel/tree/CohesitySecurity.internal/Solutions/CohesitySecurity/Playbooks/Cohesity_CreateOrUpdate_ServiceNow_Incident#readme.md)).
 * *Cohesity_Restore_From_Last_Snapshot* to restore data from the latest clean snapshot in Helios ([deployment steps](https://github.com/cohesity/Azure-Sentinel/tree/CohesitySecurity.internal/Solutions/CohesitySecurity/Playbooks/Cohesity_Restore_From_Last_Snapshot#readme.md))
 
 ## Misc

Tools/Create-Azure-Sentinel-Solution/input/Solution_CohesitySecurity.json

@@ -5,7 +5,7 @@
     "Playbooks": [
         "Playbooks/Cohesity_Send_Incident_Email/azuredeploy.json",
         "Playbooks/Cohesity_Restore_From_Last_Snapshot/azuredeploy.json",
-        "Playbooks/SNOW-CreateAndUpdateIncident/azuredeploy.json"
+        "Playbooks/Cohesity_CreateOrUpdate_ServiceNow_Incident/azuredeploy.json"
     ],
     "BasePath": "Solutions/CohesitySecurity",
     "Version": "2.0.0",