Update playbooks for WatchLists Utilities (#5683)

* Updated existing playbooks instead of adding it in new folder

* Moved files from Playbook folder to Watchlish utilities folder

* Added releaseNotes section

* Updated tags

Solutions/Watchlists Utilities/Playbooks/Watchlist-Add-HostToWatchList/alert-trigger/azuredeploy.json

@@ -4,15 +4,11 @@
     "metadata":  {
         "title":  "Add Host To Watchlist - Alert Trigger",
         "description":  "This playbook will add a host entity from the alert to a new or existing watchlist.",
-        "prerequisites":  "",
-        "postDeployment":  ["1. Assign Microsoft Sentinel Contributor role to the Playbook's Managed Identity"
-        ],
-        "prerequisitesDeployTemplateFile":  "",
+        "prerequisites":  ["None"],
+        "postDeployment":  ["Assign Microsoft Sentinel Contributor role to the Playbook's Managed Identity"],
         "lastUpdateTime":  "2022-04-25T00:00:00.000Z",
-        "entities":  [ "Host"
-        ],
-        "tags":  [
-        ],
+        "entities":  [ "Host"],
+        "tags":  [],
         "support":  {
             "tier":  "community",
             "armtemplate":  "Generated from https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Playbook-ARM-Template-Generator"
@@ -20,7 +16,16 @@
         "author":  {
             "name":  "Yaniv Shaha",
             "updated": "Benjamin Kovacevic"
+        },
+        "releaseNotes": [
+        {
+            "version": "1.0.0",
+            "title": "Add Host To Watchlist - Alert Trigger",
+            "notes": [
+            "Initial version"
+            ]
         }
+        ]
     },
     "parameters":  {
         "PlaybookName":  {

Solutions/Watchlists Utilities/Playbooks/Watchlist-Add-HostToWatchList/host-incident-trigger/azuredeploy.json

@@ -3,16 +3,16 @@
     "contentVersion":  "1.0.0.0",
     "metadata":  {
         "title":  "Add Host To Watchlist - Incident Trigger",
-        "description":  "This playbook will add a host entity from the incident to a new or existing watchlist.",
-        "prerequisites":  "",
-        "postDeployment":  ["1. Assign Microsoft Sentinel Contributor role to the Playbook's Managed Identity"
-        ],
-        "prerequisitesDeployTemplateFile":  "",
-        "lastUpdateTime":  "2022-04-25T00:00:00.000Z",
-        "entities":  [ "Host"
-        ],
-        "tags":  [
-        ],
+        "description":  "This playbook will add a Host entity to a new or existing watchlist.",
+        "prerequisites":  ["None"],
+        "postDeployment":  ["Assign Microsoft Sentinel Contributor role to the Playbook's Managed Identity"],
+        "mainSteps": [ "**Logical flow to use this playbook**",
+            "1. The analyst finished investigating an incident and one of its findings is a suspicious Host entity.",
+            "2. The analyst wants to enter this entity into a watchlist (can be from block list type or allowed list).",
+            "3. This playbook will run as a manual trigger from the full incident blade or the investigation graph blade, or automatically, and will add host to the selected watchlist."],
+        "lastUpdateTime":  "2022-07-21T00:00:00.000Z",
+        "entities":  [ "Host" ],
+        "tags":  [],
         "support":  {
             "tier":  "community",
             "armtemplate":  "Generated from https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Playbook-ARM-Template-Generator"
@@ -20,7 +20,16 @@
         "author":  {
             "name":  "Yaniv Shaha",
             "updated": "Benjamin Kovacevic"
+        },
+        "releaseNotes": [
+        {
+            "version": "1.0.0",
+            "title": "Add Host To Watchlist - Incident Trigger",
+            "notes": [
+            "Initial version"
+            ]
         }
+        ]
     },
     "parameters":  {
         "PlaybookName":  {

Solutions/Watchlists Utilities/Playbooks/Watchlist-Add-IPToWatchList/alert-trigger/azuredeploy.json

@@ -4,14 +4,11 @@
     "metadata":  {
         "title":  "Add IP To Watchlist - Alert Trigger",
         "description":  "This playbook will add a IP entity from the alert to a new or existing watchlist.",
-        "prerequisites":  "",
-        "postDeployment": ["1. Assign Microsoft Sentinel Contributor role to the Playbook's Managed Identity"],
-        "prerequisitesDeployTemplateFile":  "",
+        "prerequisites":  ["None"],
+        "postDeployment": ["Assign Microsoft Sentinel Contributor role to the Playbook's Managed Identity"],
         "lastUpdateTime":  "2022-04-12T00:00:00.000Z",
-        "entities":  [ "IP"
-        ],
-        "tags":  [
-        ],
+        "entities":  ["IP"],
+        "tags":  [],
         "support":  {
             "tier":  "community",
             "armtemplate":  "Generated from https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Playbook-ARM-Template-Generator"
@@ -19,7 +16,16 @@
         "author":  {
             "name":  "Yaniv Shaha",
             "updated": "Benjamin Kovacevic"
+        },
+        "releaseNotes": [
+        {
+          "version": "1.0.0",
+          "title": "Add IP To Watchlist - Alert Trigger",
+          "notes": [
+          "Initial version"
+          ]
         }
+        ]
     },
     "parameters":  {
         "PlaybookName":  {

Solutions/Watchlists Utilities/Playbooks/Watchlist-Add-IPToWatchList/ip-incident-trigger/azuredeploy.json

@@ -3,22 +3,32 @@
     "contentVersion":  "1.0.0.0",
     "metadata":  {
         "title":  "Add IP To Watchlist - Incident Trigger",
-        "description":  "This playbook will add a IP entity from the incident to a new or existing watchlist.",
-        "prerequisites":  "",
-        "postDeployment": ["1. Assign Microsoft Sentinel Contributor role to the Playbook's Managed Identity"],
-        "prerequisitesDeployTemplateFile":  "",
-        "lastUpdateTime":  "2022-04-12T00:00:00.000Z",
-        "entities":  [
-        ],
-        "tags":  [
-        ],
+        "description":  "This playbook will add a IP entity to a new or existing watchlist.",
+        "mainSteps": [ "**Logical flow to use this playbook**",
+            "1. The analyst finished investigating an incident and one of its findings is a suspicious IP entity.",
+            "2. The analyst wants to enter this entity into a watchlist (can be from block list type or allowed list).",
+            "3. This playbook will run as a manual trigger from the full incident blade or the investigation graph blade, or automatically, and will add host to the selected watchlist."],
+        "prerequisites":  ["None"],
+        "postDeployment": ["Assign Microsoft Sentinel Contributor role to the Playbook's Managed Identity"],
+        "lastUpdateTime":  "2022-07-21T00:00:00.000Z",
+        "entities": ["IP"],
+        "tags":  [],
         "support":  {
             "tier":  "community",
             "armtemplate":  "Generated from https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Playbook-ARM-Template-Generator"
         },
         "author":  {
             "name":  "Yaniv Shaha, Benjamin Kovacevic"
+        },
+        "releaseNotes": [
+        {
+            "version": "1.0.0",
+            "title": "Add IP To Watchlist - Incident Trigger",
+            "notes": [
+            "Initial version"
+            ]
         }
+        ]
     },
     "parameters":  {
         "PlaybookName":  {

Solutions/Watchlists Utilities/Playbooks/Watchlist-Add-URLToWatchList/alert-trigger/azuredeploy.json

@@ -4,15 +4,11 @@
     "metadata":  {
         "title":  "Add URL To Watchlist - Alert Trigger",
         "description":  "This playbook will add a URL entity from the alert to a new or existing watchlist.",
-        "prerequisites":  "",
-        "postDeployment":  ["1. Assign Microsoft Sentinel Contributor role to the Playbook's Managed Identity"
-        ],
-        "prerequisitesDeployTemplateFile":  "",
+        "prerequisites":  ["None"],
+        "postDeployment":  ["Assign Microsoft Sentinel Contributor role to the Playbook's Managed Identity"],
         "lastUpdateTime":  "2022-04-25T00:00:00.000Z",
-        "entities":  [ "URL"
-        ],
-        "tags":  [
-        ],
+        "entities":  ["URL"],
+        "tags":  [],
         "support":  {
             "tier":  "community",
             "armtemplate":  "Generated from https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Playbook-ARM-Template-Generator"
@@ -20,7 +16,16 @@
         "author":  {
             "name":  "Yaniv Shaha",
             "updated": "Benjamin Kovacevic"
+        },
+        "releaseNotes": [
+        {
+          "version": "1.0.0",
+          "title": "Add URL To Watchlist - Alert Trigger",
+          "notes": [
+          "Initial version"
+          ]
         }
+        ]
     },
     "parameters":  {
         "PlaybookName":  {

Solutions/Watchlists Utilities/Playbooks/Watchlist-Add-URLToWatchList/url-incident-trigger/azuredeploy.json

@@ -3,16 +3,12 @@
     "contentVersion":  "1.0.0.0",
     "metadata":  {
         "title":  "Add URL To Watchlist - Incident Trigger",
-        "description":  "This playbook will add a URL entity from the incident to a new or existing watchlist.",
-        "prerequisites":  "",
-        "postDeployment":  ["1. Assign Microsoft Sentinel Contributor role to the Playbook's Managed Identity"
-        ],
-        "prerequisitesDeployTemplateFile":  "",
-        "lastUpdateTime":  "2022-04-25T00:00:00.000Z",
-        "entities":  [ "URL"
-        ],
-        "tags":  [
-        ],
+        "description":  "This playbook will add a URL entity to a new or existing watchlist.",
+        "prerequisites":  ["None"],
+        "postDeployment":  ["Assign Microsoft Sentinel Contributor role to the Playbook's Managed Identity"],
+        "lastUpdateTime":  "2022-07-21T00:00:00.000Z",
+        "entities":  [ "URL"],
+        "tags":  [],
         "support":  {
             "tier":  "community",
             "armtemplate":  "Generated from https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Playbook-ARM-Template-Generator"
@@ -20,7 +16,16 @@
         "author":  {
             "name":  "Yaniv Shaha",
             "updated": "Benjamin Kovacevic"
+        },
+        "releaseNotes": [
+        {
+            "version": "1.0.0",
+            "title": "Add URL To Watchlist - Incident Trigger",
+            "notes": [
+            "Initial version"
+            ]
         }
+        ]
     },
     "parameters":  {
         "PlaybookName":  {

Solutions/Watchlists Utilities/Playbooks/Watchlist-Add-UserToWatchList/alert-trigger/azuredeploy.json

@@ -4,15 +4,11 @@
     "metadata":  {
         "title":  "Add User To Watchlist - Alert Trigger",
         "description":  "This playbook will add a user entity from the alert to a new or existing watchlist.",
-        "prerequisites":  "",
-        "postDeployment":  ["1. Assign Microsoft Sentinel Contributor role to the Playbook's Managed Identity"
-        ],
-        "prerequisitesDeployTemplateFile":  "",
+        "prerequisites":  ["None"],
+        "postDeployment":  ["Assign Microsoft Sentinel Contributor role to the Playbook's Managed Identity"],
         "lastUpdateTime":  "2022-04-25T00:00:00.000Z",
-        "entities":  [ "Account"
-        ],
-        "tags":  [
-        ],
+        "entities":  ["Account"],
+        "tags":  [],
         "support":  {
             "tier":  "community",
             "armtemplate":  "Generated from https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Playbook-ARM-Template-Generator"
@@ -20,7 +16,16 @@
         "author":  {
             "name":  "Yaniv Shaha",
             "updated": "Benjamin Kovacevic"
+        },
+        "releaseNotes": [
+        {
+          "version": "1.0.0",
+          "title": "Add User To Watchlist - Alert Trigger",
+          "notes": [
+          "Initial version"
+          ]
         }
+        ]
     },
     "parameters":  {
         "PlaybookName":  {

Solutions/Watchlists Utilities/Playbooks/Watchlist-Add-UserToWatchList/user-incident-trigger/azuredeploy.json

@@ -3,16 +3,17 @@
     "contentVersion":  "1.0.0.0",
     "metadata":  {
         "title":  "Add User To Watchlist - Incident Trigger",
-        "description":  "This playbook will add a user entity from the incident to a new or existing watchlist.",
-        "prerequisites":  "",
-        "postDeployment":  ["1. Assign Microsoft Sentinel Contributor role to the Playbook's Managed Identity"
-        ],
-        "prerequisitesDeployTemplateFile":  "",
-        "lastUpdateTime":  "2022-04-25T00:00:00.000Z",
-        "entities":  [ "Account"
-        ],
-        "tags":  [
+        "description":  "This playbook will add a User entity to a new or existing watchlist.",
+        "prerequisites":  ["None"],
+        "postDeployment":  ["Assign Microsoft Sentinel Contributor role to the Playbook's Managed Identity"],
+        "mainSteps":  ["**Logical flow to use this playbook**",
+            "1. The analyst finished investigating an incident and one of its findings is a suspicious user entity.",
+            "2. The analyst wants to enter this entity into a watchlist (can be from block list type or allowed list).",
+            "3. This playbook will run as a manual trigger from the full incident blade or the investigation graph blade, or automatically, and will add host to the selected watchlist."
         ],
+        "lastUpdateTime":  "2022-07-21T00:00:00.000Z",
+        "entities":  ["Account"],
+        "tags":  [],
         "support":  {
             "tier":  "community",
             "armtemplate":  "Generated from https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Playbook-ARM-Template-Generator"
@@ -20,7 +21,16 @@
         "author":  {
             "name":  "Yaniv Shaha",
             "updated": "Benjamin Kovacevic"
+        },
+        "releaseNotes": [
+        {
+            "version": "1.0.0",
+            "title": "Add User To Watchlist - Incident Trigger",
+            "notes": [
+            "Initial version"
+            ]
         }
+        ]
     },
     "parameters":  {
         "PlaybookName":  {

Solutions/Watchlists Utilities/Playbooks/Watchlist-ChangeIncidentSeverityandTitleIFUserVIP/alert-trigger/azuredeploy.json

@@ -4,21 +4,27 @@
     "metadata":  {
         "title":  "Watchlist - Change Incident Severity and Title if User VIP - Alert Trigger",
         "description":  "This playbook leverages Microsoft Sentinel Watchlists in order to adapt the incidents severity which include User entity and check it against VIP user list.",
-        "prerequisites":  "",
-        "postDeployment": ["1. Assign Microsoft Sentinel Responder role to the Playbook's Managed Identity."],
-        "prerequisitesDeployTemplateFile":  "",
+        "prerequisites":  ["None"],
+        "postDeployment": ["Assign Microsoft Sentinel Responder role to the Playbook's Managed Identity."],
         "lastUpdateTime":  "2022-04-12T00:00:00.000Z",
-        "entities":  [
-        ],
-        "tags":  [
-        ],
+        "entities":  [],
+        "tags":  [],
         "support":  {
             "tier":  "community",
             "armtemplate":  "Generated from https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Playbook-ARM-Template-Generator"
         },
         "author":  {
             "name":  "Yaniv Shaha"
+        },
+        "releaseNotes": [
+        {
+          "version": "1.0.0",
+          "title": "Watchlist - Change Incident Severity and Title if User VIP - Alert Trigger",
+          "notes": [
+          "Initial version"
+          ]
         }
+        ]
     },
     "parameters":  {
         "PlaybookName":  {

Solutions/Watchlists Utilities/Playbooks/Watchlist-ChangeIncidentSeverityandTitleIFUserVIP/readme.md

@@ -3,7 +3,7 @@
 author: Yaniv Shasha
 <br><br>
 
-This playbook leverages Azure Sentinel Watchlists in order to adapt the incidents severity which include User entity and check it against VIP user list
+This playbook leverages Microsoft Sentinel Watchlists in order to adapt the incidents severity which include User entity and check it against VIP user list
 <br><br>
 
 ## Logical flow to use this playbook

Solutions/Watchlists Utilities/Playbooks/Watchlist-ChangeIncidentSeverityandTitleIFUserVIP/user-vip-incident-trigger/azuredeploy.json

@@ -3,22 +3,35 @@
     "contentVersion":  "1.0.0.0",
     "metadata":  {
         "title":  "Watchlist - Change Incident Severity and Title if User VIP - Incident Trigger",
-        "description":  "This playbook leverages Microsoft Sentinel Watchlists in order to adapt the incidents severity which include User entity and check it against VIP user list.",
-        "prerequisites":  "",
-        "postDeployment": ["1. Assign Microsoft Sentinel Responder role to the Playbook's Managed Identity."],
-        "prerequisitesDeployTemplateFile":  "",
-        "lastUpdateTime":  "2022-04-12T00:00:00.000Z",
-        "entities":  [
-        ],
-        "tags":  [
+        "description":  "This playbook leverages Microsoft Sentinel Watchlists in order to adapt the incidents severity which include User entity and check it against VIP user list",
+        "prerequisites":  ["None"],
+        "mainSteps": ["**Logical flow to use this playbook**",
+            "For each User account included in the incident or alert (entities of type User):",
+            "1. Check if User is included in the watchlist.",
+            "2. If user is in the watchlist: ",
+            "a. Change the incident severity to Critical",
+            "b. Modify the incident title that include the User name and the text- **VIP User!!!**"
         ],
+        "postDeployment": ["Assign Microsoft Sentinel Contributor role to the Playbook's Managed Identity"],
+        "lastUpdateTime":  "2022-07-21T00:00:00.000Z",
+        "entities": [],
+        "tags":  [],
         "support":  {
             "tier":  "community",
             "armtemplate":  "Generated from https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Playbook-ARM-Template-Generator"
         },
         "author":  {
             "name":  "Yaniv Shaha"
+        },
+        "releaseNotes": [
+        {
+            "version": "1.0.0",
+            "title": "Watchlist - Change Incident Severity and Title if User VIP - Incident Trigger",
+            "notes": [
+            "Initial version"
+            ]
         }
+        ]
     },
     "parameters":  {
         "PlaybookName":  {

Solutions/Watchlists Utilities/Playbooks/Watchlist-CloseIncidentKnownIPs/azuredeploy.json

@@ -2,10 +2,11 @@
     "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
     "contentVersion": "1.0.0.0",
     "metadata": {
-        "title": "Watchlist - close incidents with safe IPs ", 
-        "description": "This playbook levarages Azure Sentinel Watchlists in order to close incidents which include IP addresses considered safe.",
-        "prerequisites": ["[Create a watchlist](https://docs.microsoft.com/azure/sentinel/watchlists#create-a-new-watchlist) for safe IPs with ip column named 'ipaddress' (can be changed in 'Run query' step). Watchlist should be located in the same workspace of the incidents."],
-        "lastUpdateTime": "2021-05-30T10:00:00.000Z", 
+        "title": "Watchlist - close incidents with safe IPs", 
+        "description": "This playbook leverages Microsoft Sentinel Watchlists in order to close incidents which include IP addresses considered safe.",
+        "prerequisites": ["None"],
+        "mainSteps": ["For each Ip address included in the alert (entities of type IP): \n\n 1. Check if IP is included in watchlist. \n\n * If IP is in the watchlist, consider the IP saf,. **Add it to Safe IPs array.** \n\n * If IP is not in the watchlist, meaning that we are not sure it is safe, **Add it to not Safe IPs array.** \n\n 2. Add a comment to the incident the list of safe and not safe IPs found. \n\n 3. If the not safe list is empty (length == 0), close the incident as Benign Positive. \n\n \n\n ## Configurations \n\n * Configure the step 'Run query and list results with the identifiers of the Sentinel workspace where the watchlist is stored. \n\n * Configure the identity used in the 'Run query and list results' step with the Log Analytics Reader RBAC role on the Microsoft Sentinel resource group. \n\n * Configure the Managed Identity of the Logic App with the Microsoft Sentinel Responder RBAC role on the Microsoft Sentinel resource group. \n\n * The watchlist used in this example has at list one column named **ipaddress** which stores the safe address. See the csv file attached in this folder as an example. \n\n \n\n <img src='https://github.com/Azure/Azure-Sentinel/blob/master/Playbooks/Watchlist-CloseIncidentKnownIPs/images/designerLight1.png'/> \n\n <img src='https://github.com/Azure/Azure-Sentinel/blob/master/Playbooks/Watchlist-CloseIncidentKnownIPs/images/designerLight2.png'/> \n\n <img src='https://github.com/Azure/Azure-Sentinel/blob/master/Playbooks/Watchlist-CloseIncidentKnownIPs/images/commentLight.png'/>"],
+        "lastUpdateTime": "2022-07-22T10:00:00.000Z", 
         "entities": ["Ip"], 
         "tags": ["Triage"], 
         "support": {
@@ -13,7 +14,16 @@
         },
         "author": {
             "name": "Lior Tamir"
+        },
+        "releaseNotes": [
+        {
+            "version": "1.0.0",
+            "title": "Watchlist - close incidents with safe IPs ",
+            "notes": [
+            "Initial version"
+            ]
         }
+        ]
     },
     "parameters": {
         "PlaybookName": {

Solutions/Watchlists Utilities/Playbooks/Watchlist-CloseIncidentKnownIPs/readme.md

@@ -1,7 +1,7 @@
 # Watchlists-CloseIncidentKnownIP
 author: Lior Tamir
 
-This playbook levarages Azure Sentinel Watchlists in order to close incidents which include IP addresses considered safe.
+This playbook levarages Microsoft Sentinel Watchlists in order to close incidents which include IP addresses considered safe.
 
 For each Ip address included in the alert (entities of type IP):
 1. Check if IP is included in watchlist.
@@ -13,8 +13,8 @@ For each Ip address included in the alert (entities of type IP):
 
 ## Configurations
 * Configure the step "Run query and list results" with the identifiers of the Sentinel workspace where the watchlist is stored.
-* Configure the identity used in the "Run query and list results" step with the Log Analytics Reader RBAC role on the Azure Sentinel resource group.
-* Configure the Managed Idenitty of the Logic App with the Azure Sentinel Responder RBAC role on the Azure Sentinel resource group.
+* Configure the identity used in the "Run query and list results" step with the Log Analytics Reader RBAC role on the Microsoft Sentinel resource group.
+* Configure the Managed Idenitty of the Logic App with the Microsoft Sentinel Responder RBAC role on the Microsoft Sentinel resource group.
 * The watchlist used in this example has at list one column named **ipaddress** which stores the safe address. See the csv file attached in this folder as an example.
 <br><br>
 

Solutions/Watchlists Utilities/Playbooks/Watchlist-InformSubowner-IncidentTrigger/azuredeploy.json

@@ -3,9 +3,13 @@
     "contentVersion": "1.0.0.0",
 	"metadata": {
         "title": "Watchlists - Inform Subscription Owner", 
-        "description": "Use Microsoft Sentinel watchlists and a playbook to contact the subscription owner of the affected resource automatically. This template uses the subscription owner level, but you can implement this solution for any specified resource owner.<br>[Learn more](https://docs.microsoft.com/azure/sentinel/automate-playbook-watchlist)",
-        "prerequisites": ["Create a Watchlist that this playbook will query: <br /> 1.Create an input comma-separated value (CSV) file with the following columns: SubscriptionId, SubscriptionName, OwnerName, OwnerEmail, where each row represents a subscription in an Azure tenant. <br /> 2. Upload the table to the Microsoft Sentinel Watchlist area. Make a note of the value you use as the Watchlist Alias, as you'll use it to query this watchlist from the playbook."],
-        "lastUpdateTime": "2021-11-26T00:00:00.000Z", 
+        "description": "This playbook leverages Microsoft Sentinel Watchlists in order to get the relevant subscription owner contact details, and inform about an ASC alert that occured in that subscription. It uses Microsoft Teams and Office 365 Outlook as ways to inform the sub owner.",
+        "prerequisites": ["None"],
+        "mainSteps": ["Note: This playbook utilizes two features currently in Preview.",
+            "* Microsoft Sentinel Watchlists",
+            "* Microsoft Sentinel Incident Trigger \n\n <img src='https://github.com/Azure/Azure-Sentinel/blob/master/Playbooks/Watchlist-InformSubowner-IncidentTrigger/images/designerView.png'/>"
+        ],
+        "lastUpdateTime": "2022-07-21T00:00:00.000Z", 
         "entities": ["AzureResource"], 
         "tags": ["Notification"], 
         "support": {
@@ -13,7 +17,16 @@
         },
         "author": {
             "name": "Lior Tamir"
+        },
+        "releaseNotes": [
+        {
+            "version": "1.0.0",
+            "title": "Watchlists - Inform Subscription Owner",
+            "notes": [
+            "Initial version"
+            ]
         }
+        ]
     },
     "parameters": {
         "PlaybookName": {
@@ -138,11 +151,11 @@
                             "Post_a_message_as_the_Flow_bot_to_a_user": {
                                 "inputs": {
                                     "body": {
-                                        "messageBody": " Hi  @{body('Run_query_and_list_results_-_Get_Watchlist')?['value'][0]['OwnerName']}\n\nA new alert was triggered on your subscription: @{body('Run_query_and_list_results_-_Get_Watchlist')?['value'][0]['SubscriptionName']} by Azure Security Center.\n\nAn incident was created in Azure Sentinel.\n\nAlert title: @{items('For_each_Alert')?['properties']?['alertDisplayName']}\n\nDescription: @{items('For_each_Alert')?['properties']?['description']}\n\nThe Azure resource that triggered the alert:\n@{first(body('Filter_array_to_get_AzureResource_identifier'))['resourceId']}\n\nLink to the ASC alert:  @{items('For_each_Alert')?['properties']?['alertLink']}\n\nLink to the Azure Sentinel incident: @{triggerBody()?['object']?['properties']?['incidentUrl']}",
-                                        "messageTitle": "New alert from Azure Sentinel in your subscription",
+                                        "messageBody": " Hi  @{body('Run_query_and_list_results_-_Get_Watchlist')?['value'][0]['OwnerName']}\n\nA new alert was triggered on your subscription: @{body('Run_query_and_list_results_-_Get_Watchlist')?['value'][0]['SubscriptionName']} by Azure Security Center.\n\nAn incident was created in Microsoft Sentinel.\n\nAlert title: @{items('For_each_Alert')?['properties']?['alertDisplayName']}\n\nDescription: @{items('For_each_Alert')?['properties']?['description']}\n\nThe Azure resource that triggered the alert:\n@{first(body('Filter_array_to_get_AzureResource_identifier'))['resourceId']}\n\nLink to the ASC alert:  @{items('For_each_Alert')?['properties']?['alertLink']}\n\nLink to the Microsoft Sentinel incident: @{triggerBody()?['object']?['properties']?['incidentUrl']}",
+                                        "messageTitle": "New alert from Microsoft Sentinel in your subscription",
                                         "recipient": {
                                             "isAlert": true,
-                                            "summary": "New Alert from Azure Sentinel in subscription @{body('Parse_JSON_to_get_subscriptionId')?['properties']?['effectiveSubscriptionId']}",
+                                            "summary": "New Alert from Microsoft Sentinel in subscription @{body('Parse_JSON_to_get_subscriptionId')?['properties']?['effectiveSubscriptionId']}",
                                             "to": "@{body('Run_query_and_list_results_-_Get_Watchlist')?['value'][0]['OwnerEmail']}"
                                         }
                                     },
@@ -160,8 +173,8 @@
                             "Send_an_email_(V2)": {
                                 "inputs": {
                                     "body": {
-                                        "Body": "<p><strong>&nbsp;Hi &nbsp; </strong><strong>@{body('Run_query_and_list_results_-_Get_Watchlist')?['value'][0]['OwnerName']}</strong><strong><br>\n<br>\nA new alert was triggered on your subscription: </strong><strong>@{body('Run_query_and_list_results_-_Get_Watchlist')?['value'][0]['SubscriptionName']}</strong><strong>  by Azure Security Center.<br>\n<br>\nAn incident was created in Azure Sentinel.<br>\n<br>\n</strong>Alert title: <strong></strong><strong>@{items('For_each_Alert')?['properties']?['alertDisplayName']}</strong><strong><br>\n<br>\n</strong>Description:<strong> </strong><strong>@{items('For_each_Alert')?['properties']?['description']}</strong><strong><br>\n<br>\n</strong>The <strong>Azure resource</strong> that triggered the alert:<strong><br>\n</strong><strong>@{first(body('Filter_array_to_get_AzureResource_identifier'))['resourceId']}</strong><strong><br>\n<br>\n</strong>Link to the<strong> ASC alert: &nbsp;</strong><strong>@{items('For_each_Alert')?['properties']?['alertLink']}</strong><strong><br>\n<br>\n</strong>Link to the <strong>Azure Sentinel incident: </strong><strong>@{triggerBody()?['object']?['properties']?['incidentUrl']}</strong><strong></strong></p>",
-                                        "Subject": "New Alert from Azure Sentinel in subscription @{body('Parse_JSON_to_get_subscriptionId')?['properties']?['effectiveSubscriptionId']}",
+                                        "Body": "<p><strong>&nbsp;Hi &nbsp; </strong><strong>@{body('Run_query_and_list_results_-_Get_Watchlist')?['value'][0]['OwnerName']}</strong><strong><br>\n<br>\nA new alert was triggered on your subscription: </strong><strong>@{body('Run_query_and_list_results_-_Get_Watchlist')?['value'][0]['SubscriptionName']}</strong><strong>  by Azure Security Center.<br>\n<br>\nAn incident was created in Microsoft Sentinel.<br>\n<br>\n</strong>Alert title: <strong></strong><strong>@{items('For_each_Alert')?['properties']?['alertDisplayName']}</strong><strong><br>\n<br>\n</strong>Description:<strong> </strong><strong>@{items('For_each_Alert')?['properties']?['description']}</strong><strong><br>\n<br>\n</strong>The <strong>Azure resource</strong> that triggered the alert:<strong><br>\n</strong><strong>@{first(body('Filter_array_to_get_AzureResource_identifier'))['resourceId']}</strong><strong><br>\n<br>\n</strong>Link to the<strong> ASC alert: &nbsp;</strong><strong>@{items('For_each_Alert')?['properties']?['alertLink']}</strong><strong><br>\n<br>\n</strong>Link to the <strong>Microsoft Sentinel incident: </strong><strong>@{triggerBody()?['object']?['properties']?['incidentUrl']}</strong><strong></strong></p>",
+                                        "Subject": "New Alert from Microsoft Sentinel in subscription @{body('Parse_JSON_to_get_subscriptionId')?['properties']?['effectiveSubscriptionId']}",
                                         "To": "@{body('Run_query_and_list_results_-_Get_Watchlist')?['value'][0]['OwnerEmail']}"
                                     },
                                     "host": {

Solutions/Watchlists Utilities/Playbooks/Watchlist-InformSubowner-IncidentTrigger/readme.md

@@ -1,13 +1,13 @@
 # Watchlists-InformSubowner-IncidentTrigger
 author: Lior Tamir
 
-This playbook levarages Azure Sentinel Watchlists in order to get the relevant subscription owner contact details, and inform about an ASC alert that occured in that subscription.
+This playbook leverages Microsoft Sentinel Watchlists in order to get the relevant subscription owner contact details, and inform about an ASC alert that occured in that subscription.
 It uses Microsoft Teams and Office 365 Outlook as ways to inform the sub owner.
 
 
 Note: This playbook utilizes two features currently in Preview.
-* Azure Sentinel Watchlists
-* Azure Sentinel Incident Trigger
+* Microsoft Sentinel Watchlists
+* Microsoft Sentinel Incident Trigger
 <br><br>
 
 <img src="https://github.com/Azure/Azure-Sentinel/blob/master/Playbooks/Watchlist-InformSubowner-IncidentTrigger/images/designerView.png"/><br><br>