diff --git a/Playbooks/Watchlist-Add-HostToWatchList/alert-trigger/azuredeploy.json b/Solutions/Watchlists Utilities/Playbooks/Watchlist-Add-HostToWatchList/alert-trigger/azuredeploy.json
similarity index 98%
rename from Playbooks/Watchlist-Add-HostToWatchList/alert-trigger/azuredeploy.json
rename to Solutions/Watchlists Utilities/Playbooks/Watchlist-Add-HostToWatchList/alert-trigger/azuredeploy.json
index 2e1851d8ff..b62b987262 100644
--- a/Playbooks/Watchlist-Add-HostToWatchList/alert-trigger/azuredeploy.json
+++ b/Solutions/Watchlists Utilities/Playbooks/Watchlist-Add-HostToWatchList/alert-trigger/azuredeploy.json
@@ -4,15 +4,11 @@
 "metadata": {
 "title": "Add Host To Watchlist - Alert Trigger",
 "description": "This playbook will add a host entity from the alert to a new or existing watchlist.",
- "prerequisites": "",
- "postDeployment": ["1. Assign Microsoft Sentinel Contributor role to the Playbook's Managed Identity"
- ],
- "prerequisitesDeployTemplateFile": "",
+ "prerequisites": ["None"],
+ "postDeployment": ["Assign Microsoft Sentinel Contributor role to the Playbook's Managed Identity"],
 "lastUpdateTime": "2022-04-25T00:00:00.000Z",
- "entities": [ "Host"
- ],
- "tags": [
- ],
+ "entities": [ "Host"],
+ "tags": [],
 "support": {
 "tier": "community",
 "armtemplate": "Generated from https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Playbook-ARM-Template-Generator"
@@ -20,7 +16,16 @@
 "author": {
 "name": "Yaniv Shaha",
 "updated": "Benjamin Kovacevic"
+ },
+ "releaseNotes": [
+ {
+ "version": "1.0.0",
+ "title": "Add Host To Watchlist - Alert Trigger",
+ "notes": [
+ "Initial version"
+ ]
 }
+ ]
 },
 "parameters": {
 "PlaybookName": {
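Review bot: `"entities": [ "Host"],` on the new side has a space after the opening bracket but none before the closing one, while the sibling templates in this same commit write `["IP"]`, `["URL"]` and `["Account"]`; write `"entities": ["Host"],` here. The same asymmetry appears in the host-incident-trigger hunk (`[ "Host" ]`) and the url-incident-trigger hunk (`[ "URL"]`). These files are generated and then hand-edited, so a consistent array form keeps the next diff limited to the real change.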
diff --git a/Playbooks/Watchlist-Add-HostToWatchList/alert-trigger/images/alertTrigger-dark.png b/Solutions/Watchlists Utilities/Playbooks/Watchlist-Add-HostToWatchList/alert-trigger/images/alertTrigger-dark.png
similarity index 100%
rename from Playbooks/Watchlist-Add-HostToWatchList/alert-trigger/images/alertTrigger-dark.png
rename to Solutions/Watchlists Utilities/Playbooks/Watchlist-Add-HostToWatchList/alert-trigger/images/alertTrigger-dark.png
diff --git a/Playbooks/Watchlist-Add-HostToWatchList/alert-trigger/images/alertTrigger-light.png b/Solutions/Watchlists Utilities/Playbooks/Watchlist-Add-HostToWatchList/alert-trigger/images/alertTrigger-light.png
similarity index 100%
rename from Playbooks/Watchlist-Add-HostToWatchList/alert-trigger/images/alertTrigger-light.png
rename to Solutions/Watchlists Utilities/Playbooks/Watchlist-Add-HostToWatchList/alert-trigger/images/alertTrigger-light.png
diff --git a/Playbooks/Watchlist-Add-HostToWatchList/incident-trigger/azuredeploy.json b/Solutions/Watchlists Utilities/Playbooks/Watchlist-Add-HostToWatchList/host-incident-trigger/azuredeploy.json
similarity index 95%
rename from Playbooks/Watchlist-Add-HostToWatchList/incident-trigger/azuredeploy.json
rename to Solutions/Watchlists Utilities/Playbooks/Watchlist-Add-HostToWatchList/host-incident-trigger/azuredeploy.json
index 0007830f8e..9482912b77 100644
--- a/Playbooks/Watchlist-Add-HostToWatchList/incident-trigger/azuredeploy.json
+++ b/Solutions/Watchlists Utilities/Playbooks/Watchlist-Add-HostToWatchList/host-incident-trigger/azuredeploy.json
@@ -3,16 +3,16 @@
 "contentVersion": "1.0.0.0",
 "metadata": {
 "title": "Add Host To Watchlist - Incident Trigger",
- "description": "This playbook will add a host entity from the incident to a new or existing watchlist.",
- "prerequisites": "",
- "postDeployment": ["1. Assign Microsoft Sentinel Contributor role to the Playbook's Managed Identity"
- ],
- "prerequisitesDeployTemplateFile": "",
- "lastUpdateTime": "2022-04-25T00:00:00.000Z",
- "entities": [ "Host"
- ],
- "tags": [
- ],
+ "description": "This playbook will add a Host entity to a new or existing watchlist.",
+ "prerequisites": ["None"],
+ "postDeployment": ["Assign Microsoft Sentinel Contributor role to the Playbook's Managed Identity"],
+ "mainSteps": [ "**Logical flow to use this playbook**",
+ "1. The analyst finished investigating an incident and one of its findings is a suspicious Host entity.",
+ "2. The analyst wants to enter this entity into a watchlist (can be from block list type or allowed list).",
+ "3. This playbook will run as a manual trigger from the full incident blade or the investigation graph blade, or automatically, and will add host to the selected watchlist."],
+ "lastUpdateTime": "2022-07-21T00:00:00.000Z",
+ "entities": [ "Host" ],
+ "tags": [],
 "support": {
 "tier": "community",
 "armtemplate": "Generated from https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Playbook-ARM-Template-Generator"
@@ -20,7 +20,16 @@
 "author": {
 "name": "Yaniv Shaha",
 "updated": "Benjamin Kovacevic"
+ },
+ "releaseNotes": [
+ {
+ "version": "1.0.0",
+ "title": "Add Host To Watchlist - Incident Trigger",
+ "notes": [
+ "Initial version"
+ ]
 }
+ ]
 },
 "parameters": {
 "PlaybookName": {
diff --git a/Playbooks/Watchlist-Add-HostToWatchList/incident-trigger/images/incidentTrigger-dark.png b/Solutions/Watchlists Utilities/Playbooks/Watchlist-Add-HostToWatchList/host-incident-trigger/images/incidentTrigger-dark.png
similarity index 100%
rename from Playbooks/Watchlist-Add-HostToWatchList/incident-trigger/images/incidentTrigger-dark.png
rename to Solutions/Watchlists Utilities/Playbooks/Watchlist-Add-HostToWatchList/host-incident-trigger/images/incidentTrigger-dark.png
diff --git a/Playbooks/Watchlist-Add-HostToWatchList/incident-trigger/images/incidentTrigger-light.png b/Solutions/Watchlists Utilities/Playbooks/Watchlist-Add-HostToWatchList/host-incident-trigger/images/incidentTrigger-light.png
similarity index 100%
rename from Playbooks/Watchlist-Add-HostToWatchList/incident-trigger/images/incidentTrigger-light.png
rename to Solutions/Watchlists Utilities/Playbooks/Watchlist-Add-HostToWatchList/host-incident-trigger/images/incidentTrigger-light.png
diff --git a/Playbooks/Watchlist-Add-HostToWatchList/readme.md b/Solutions/Watchlists Utilities/Playbooks/Watchlist-Add-HostToWatchList/readme.md
similarity index 100%
rename from Playbooks/Watchlist-Add-HostToWatchList/readme.md
rename to Solutions/Watchlists Utilities/Playbooks/Watchlist-Add-HostToWatchList/readme.md
diff --git a/Playbooks/Watchlist-Add-IPToWatchList/alert-trigger/azuredeploy.json b/Solutions/Watchlists Utilities/Playbooks/Watchlist-Add-IPToWatchList/alert-trigger/azuredeploy.json
similarity index 97%
rename from Playbooks/Watchlist-Add-IPToWatchList/alert-trigger/azuredeploy.json
rename to Solutions/Watchlists Utilities/Playbooks/Watchlist-Add-IPToWatchList/alert-trigger/azuredeploy.json
index a82f6edf6f..90d4236e72 100644
--- a/Playbooks/Watchlist-Add-IPToWatchList/alert-trigger/azuredeploy.json
+++ b/Solutions/Watchlists Utilities/Playbooks/Watchlist-Add-IPToWatchList/alert-trigger/azuredeploy.json
@@ -4,14 +4,11 @@
 "metadata": {
 "title": "Add IP To Watchlist - Alert Trigger",
 "description": "This playbook will add a IP entity from the alert to a new or existing watchlist.",
- "prerequisites": "",
- "postDeployment": ["1. Assign Microsoft Sentinel Contributor role to the Playbook's Managed Identity"],
- "prerequisitesDeployTemplateFile": "",
+ "prerequisites": ["None"],
+ "postDeployment": ["Assign Microsoft Sentinel Contributor role to the Playbook's Managed Identity"],
 "lastUpdateTime": "2022-04-12T00:00:00.000Z",
- "entities": [ "IP"
- ],
- "tags": [
- ],
+ "entities": ["IP"],
+ "tags": [],
 "support": {
 "tier": "community",
 "armtemplate": "Generated from https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Playbook-ARM-Template-Generator"
@@ -19,7 +16,16 @@
 "author": {
 "name": "Yaniv Shaha",
 "updated": "Benjamin Kovacevic"
+ },
+ "releaseNotes": [
+ {
+ "version": "1.0.0",
+ "title": "Add IP To Watchlist - Alert Trigger",
+ "notes": [
+ "Initial version"
+ ]
 }
+ ]
 },
 "parameters": {
 "PlaybookName": {
diff --git a/Playbooks/Watchlist-Add-IPToWatchList/alert-trigger/images/alertTrigger-dark.png b/Solutions/Watchlists Utilities/Playbooks/Watchlist-Add-IPToWatchList/alert-trigger/images/alertTrigger-dark.png
similarity index 100%
rename from Playbooks/Watchlist-Add-IPToWatchList/alert-trigger/images/alertTrigger-dark.png
rename to Solutions/Watchlists Utilities/Playbooks/Watchlist-Add-IPToWatchList/alert-trigger/images/alertTrigger-dark.png
diff --git a/Playbooks/Watchlist-Add-IPToWatchList/alert-trigger/images/alertTrigger-light.png b/Solutions/Watchlists Utilities/Playbooks/Watchlist-Add-IPToWatchList/alert-trigger/images/alertTrigger-light.png
similarity index 100%
rename from Playbooks/Watchlist-Add-IPToWatchList/alert-trigger/images/alertTrigger-light.png
rename to Solutions/Watchlists Utilities/Playbooks/Watchlist-Add-IPToWatchList/alert-trigger/images/alertTrigger-light.png
diff --git a/Playbooks/Watchlist-Add-IPToWatchList/incident-trigger/azuredeploy.json b/Solutions/Watchlists Utilities/Playbooks/Watchlist-Add-IPToWatchList/ip-incident-trigger/azuredeploy.json
similarity index 93%
rename from Playbooks/Watchlist-Add-IPToWatchList/incident-trigger/azuredeploy.json
rename to Solutions/Watchlists Utilities/Playbooks/Watchlist-Add-IPToWatchList/ip-incident-trigger/azuredeploy.json
index 4ed2166ee9..5712334a46 100644
--- a/Playbooks/Watchlist-Add-IPToWatchList/incident-trigger/azuredeploy.json
+++ b/Solutions/Watchlists Utilities/Playbooks/Watchlist-Add-IPToWatchList/ip-incident-trigger/azuredeploy.json
@@ -3,22 +3,32 @@
 "contentVersion": "1.0.0.0",
 "metadata": {
 "title": "Add IP To Watchlist - Incident Trigger",
- "description": "This playbook will add a IP entity from the incident to a new or existing watchlist.",
- "prerequisites": "",
- "postDeployment": ["1. Assign Microsoft Sentinel Contributor role to the Playbook's Managed Identity"],
- "prerequisitesDeployTemplateFile": "",
- "lastUpdateTime": "2022-04-12T00:00:00.000Z",
- "entities": [
- ],
- "tags": [
- ],
+ "description": "This playbook will add a IP entity to a new or existing watchlist.",
+ "mainSteps": [ "**Logical flow to use this playbook**",
+ "1. The analyst finished investigating an incident and one of its findings is a suspicious IP entity.",
+ "2. The analyst wants to enter this entity into a watchlist (can be from block list type or allowed list).",
+ "3. This playbook will run as a manual trigger from the full incident blade or the investigation graph blade, or automatically, and will add host to the selected watchlist."],
+ "prerequisites": ["None"],
+ "postDeployment": ["Assign Microsoft Sentinel Contributor role to the Playbook's Managed Identity"],
+ "lastUpdateTime": "2022-07-21T00:00:00.000Z",
+ "entities": ["IP"],
+ "tags": [],
 "support": {
 "tier": "community",
 "armtemplate": "Generated from https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Playbook-ARM-Template-Generator"
 },
 "author": {
 "name": "Yaniv Shaha, Benjamin Kovacevic"
+ },
+ "releaseNotes": [
+ {
+ "version": "1.0.0",
+ "title": "Add IP To Watchlist - Incident Trigger",
+ "notes": [
+ "Initial version"
+ ]
 }
+ ]
 },
 "parameters": {
 "PlaybookName": {
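Review bot: Step 3 of the new `mainSteps` ends with `and will add host to the selected watchlist.`, but this template handles an IP entity (`"entities": ["IP"]`, title "Add IP To Watchlist"); the sentence was carried over from the Host variant. Change it to `and will add the IP to the selected watchlist.`; the user-incident-trigger hunk later in this commit has the same leftover and should say `the user`. The new `description` line also keeps `add a IP entity`, where `an IP entity` reads correctly.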
diff --git a/Playbooks/Watchlist-Add-IPToWatchList/incident-trigger/images/incidentTrigger-dark.png b/Solutions/Watchlists Utilities/Playbooks/Watchlist-Add-IPToWatchList/ip-incident-trigger/images/incidentTrigger-dark.png
similarity index 100%
rename from Playbooks/Watchlist-Add-IPToWatchList/incident-trigger/images/incidentTrigger-dark.png
rename to Solutions/Watchlists Utilities/Playbooks/Watchlist-Add-IPToWatchList/ip-incident-trigger/images/incidentTrigger-dark.png
diff --git a/Playbooks/Watchlist-Add-IPToWatchList/incident-trigger/images/incidentTrigger-light.png b/Solutions/Watchlists Utilities/Playbooks/Watchlist-Add-IPToWatchList/ip-incident-trigger/images/incidentTrigger-light.png
similarity index 100%
rename from Playbooks/Watchlist-Add-IPToWatchList/incident-trigger/images/incidentTrigger-light.png
rename to Solutions/Watchlists Utilities/Playbooks/Watchlist-Add-IPToWatchList/ip-incident-trigger/images/incidentTrigger-light.png
diff --git a/Playbooks/Watchlist-Add-IPToWatchList/readme.md b/Solutions/Watchlists Utilities/Playbooks/Watchlist-Add-IPToWatchList/readme.md
similarity index 100%
rename from Playbooks/Watchlist-Add-IPToWatchList/readme.md
rename to Solutions/Watchlists Utilities/Playbooks/Watchlist-Add-IPToWatchList/readme.md
diff --git a/Playbooks/Watchlist-Add-URLToWatchList/alert-trigger/azuredeploy.json b/Solutions/Watchlists Utilities/Playbooks/Watchlist-Add-URLToWatchList/alert-trigger/azuredeploy.json
similarity index 97%
rename from Playbooks/Watchlist-Add-URLToWatchList/alert-trigger/azuredeploy.json
rename to Solutions/Watchlists Utilities/Playbooks/Watchlist-Add-URLToWatchList/alert-trigger/azuredeploy.json
index deff1b5c02..45f27d0853 100644
--- a/Playbooks/Watchlist-Add-URLToWatchList/alert-trigger/azuredeploy.json
+++ b/Solutions/Watchlists Utilities/Playbooks/Watchlist-Add-URLToWatchList/alert-trigger/azuredeploy.json
@@ -4,15 +4,11 @@
 "metadata": {
 "title": "Add URL To Watchlist - Alert Trigger",
 "description": "This playbook will add a URL entity from the alert to a new or existing watchlist.",
- "prerequisites": "",
- "postDeployment": ["1. Assign Microsoft Sentinel Contributor role to the Playbook's Managed Identity"
- ],
- "prerequisitesDeployTemplateFile": "",
+ "prerequisites": ["None"],
+ "postDeployment": ["Assign Microsoft Sentinel Contributor role to the Playbook's Managed Identity"],
 "lastUpdateTime": "2022-04-25T00:00:00.000Z",
- "entities": [ "URL"
- ],
- "tags": [
- ],
+ "entities": ["URL"],
+ "tags": [],
 "support": {
 "tier": "community",
 "armtemplate": "Generated from https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Playbook-ARM-Template-Generator"
@@ -20,7 +16,16 @@
 "author": {
 "name": "Yaniv Shaha",
 "updated": "Benjamin Kovacevic"
+ },
+ "releaseNotes": [
+ {
+ "version": "1.0.0",
+ "title": "Add URL To Watchlist - Alert Trigger",
+ "notes": [
+ "Initial version"
+ ]
 }
+ ]
 },
 "parameters": {
 "PlaybookName": {
diff --git a/Playbooks/Watchlist-Add-URLToWatchList/alert-trigger/images/alertTrigger-dark.png b/Solutions/Watchlists Utilities/Playbooks/Watchlist-Add-URLToWatchList/alert-trigger/images/alertTrigger-dark.png
similarity index 100%
rename from Playbooks/Watchlist-Add-URLToWatchList/alert-trigger/images/alertTrigger-dark.png
rename to Solutions/Watchlists Utilities/Playbooks/Watchlist-Add-URLToWatchList/alert-trigger/images/alertTrigger-dark.png
diff --git a/Playbooks/Watchlist-Add-URLToWatchList/alert-trigger/images/alertTrigger-light.png b/Solutions/Watchlists Utilities/Playbooks/Watchlist-Add-URLToWatchList/alert-trigger/images/alertTrigger-light.png
similarity index 100%
rename from Playbooks/Watchlist-Add-URLToWatchList/alert-trigger/images/alertTrigger-light.png
rename to Solutions/Watchlists Utilities/Playbooks/Watchlist-Add-URLToWatchList/alert-trigger/images/alertTrigger-light.png
diff --git a/Playbooks/Watchlist-Add-URLToWatchList/readme.md b/Solutions/Watchlists Utilities/Playbooks/Watchlist-Add-URLToWatchList/readme.md
similarity index 100%
rename from Playbooks/Watchlist-Add-URLToWatchList/readme.md
rename to Solutions/Watchlists Utilities/Playbooks/Watchlist-Add-URLToWatchList/readme.md
diff --git a/Playbooks/Watchlist-Add-URLToWatchList/incident-trigger/azuredeploy.json b/Solutions/Watchlists Utilities/Playbooks/Watchlist-Add-URLToWatchList/url-incident-trigger/azuredeploy.json
similarity index 96%
rename from Playbooks/Watchlist-Add-URLToWatchList/incident-trigger/azuredeploy.json
rename to Solutions/Watchlists Utilities/Playbooks/Watchlist-Add-URLToWatchList/url-incident-trigger/azuredeploy.json
index d863893145..5b9f287e03 100644
--- a/Playbooks/Watchlist-Add-URLToWatchList/incident-trigger/azuredeploy.json
+++ b/Solutions/Watchlists Utilities/Playbooks/Watchlist-Add-URLToWatchList/url-incident-trigger/azuredeploy.json
@@ -3,16 +3,12 @@
 "contentVersion": "1.0.0.0",
 "metadata": {
 "title": "Add URL To Watchlist - Incident Trigger",
- "description": "This playbook will add a URL entity from the incident to a new or existing watchlist.",
- "prerequisites": "",
- "postDeployment": ["1. Assign Microsoft Sentinel Contributor role to the Playbook's Managed Identity"
- ],
- "prerequisitesDeployTemplateFile": "",
- "lastUpdateTime": "2022-04-25T00:00:00.000Z",
- "entities": [ "URL"
- ],
- "tags": [
- ],
+ "description": "This playbook will add a URL entity to a new or existing watchlist.",
+ "prerequisites": ["None"],
+ "postDeployment": ["Assign Microsoft Sentinel Contributor role to the Playbook's Managed Identity"],
+ "lastUpdateTime": "2022-07-21T00:00:00.000Z",
+ "entities": [ "URL"],
+ "tags": [],
 "support": {
 "tier": "community",
 "armtemplate": "Generated from https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Playbook-ARM-Template-Generator"
@@ -20,7 +16,16 @@
 "author": {
 "name": "Yaniv Shaha",
 "updated": "Benjamin Kovacevic"
+ },
+ "releaseNotes": [
+ {
+ "version": "1.0.0",
+ "title": "Add URL To Watchlist - Incident Trigger",
+ "notes": [
+ "Initial version"
+ ]
 }
+ ]
 },
 "parameters": {
 "PlaybookName": {
diff --git a/Playbooks/Watchlist-Add-URLToWatchList/incident-trigger/images/incidentTrigger-dark.png b/Solutions/Watchlists Utilities/Playbooks/Watchlist-Add-URLToWatchList/url-incident-trigger/images/incidentTrigger-dark.png
similarity index 100%
rename from Playbooks/Watchlist-Add-URLToWatchList/incident-trigger/images/incidentTrigger-dark.png
rename to Solutions/Watchlists Utilities/Playbooks/Watchlist-Add-URLToWatchList/url-incident-trigger/images/incidentTrigger-dark.png
diff --git a/Playbooks/Watchlist-Add-URLToWatchList/incident-trigger/images/incidentTrigger-light.png b/Solutions/Watchlists Utilities/Playbooks/Watchlist-Add-URLToWatchList/url-incident-trigger/images/incidentTrigger-light.png
similarity index 100%
rename from Playbooks/Watchlist-Add-URLToWatchList/incident-trigger/images/incidentTrigger-light.png
rename to Solutions/Watchlists Utilities/Playbooks/Watchlist-Add-URLToWatchList/url-incident-trigger/images/incidentTrigger-light.png
diff --git a/Playbooks/Watchlist-Add-UserToWatchList/alert-trigger/azuredeploy.json b/Solutions/Watchlists Utilities/Playbooks/Watchlist-Add-UserToWatchList/alert-trigger/azuredeploy.json
similarity index 97%
rename from Playbooks/Watchlist-Add-UserToWatchList/alert-trigger/azuredeploy.json
rename to Solutions/Watchlists Utilities/Playbooks/Watchlist-Add-UserToWatchList/alert-trigger/azuredeploy.json
index cbbad68e98..9aebdc92b2 100644
--- a/Playbooks/Watchlist-Add-UserToWatchList/alert-trigger/azuredeploy.json
+++ b/Solutions/Watchlists Utilities/Playbooks/Watchlist-Add-UserToWatchList/alert-trigger/azuredeploy.json
@@ -4,15 +4,11 @@
 "metadata": {
 "title": "Add User To Watchlist - Alert Trigger",
 "description": "This playbook will add a user entity from the alert to a new or existing watchlist.",
- "prerequisites": "",
- "postDeployment": ["1. Assign Microsoft Sentinel Contributor role to the Playbook's Managed Identity"
- ],
- "prerequisitesDeployTemplateFile": "",
+ "prerequisites": ["None"],
+ "postDeployment": ["Assign Microsoft Sentinel Contributor role to the Playbook's Managed Identity"],
 "lastUpdateTime": "2022-04-25T00:00:00.000Z",
- "entities": [ "Account"
- ],
- "tags": [
- ],
+ "entities": ["Account"],
+ "tags": [],
 "support": {
 "tier": "community",
 "armtemplate": "Generated from https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Playbook-ARM-Template-Generator"
@@ -20,7 +16,16 @@
 "author": {
 "name": "Yaniv Shaha",
 "updated": "Benjamin Kovacevic"
+ },
+ "releaseNotes": [
+ {
+ "version": "1.0.0",
+ "title": "Add User To Watchlist - Alert Trigger",
+ "notes": [
+ "Initial version"
+ ]
 }
+ ]
 },
 "parameters": {
 "PlaybookName": {
diff --git a/Playbooks/Watchlist-Add-UserToWatchList/alert-trigger/images/alertTrigger-dark.png b/Solutions/Watchlists Utilities/Playbooks/Watchlist-Add-UserToWatchList/alert-trigger/images/alertTrigger-dark.png
similarity index 100%
rename from Playbooks/Watchlist-Add-UserToWatchList/alert-trigger/images/alertTrigger-dark.png
rename to Solutions/Watchlists Utilities/Playbooks/Watchlist-Add-UserToWatchList/alert-trigger/images/alertTrigger-dark.png
diff --git a/Playbooks/Watchlist-Add-UserToWatchList/alert-trigger/images/alertTrigger-light.png b/Solutions/Watchlists Utilities/Playbooks/Watchlist-Add-UserToWatchList/alert-trigger/images/alertTrigger-light.png
similarity index 100%
rename from Playbooks/Watchlist-Add-UserToWatchList/alert-trigger/images/alertTrigger-light.png
rename to Solutions/Watchlists Utilities/Playbooks/Watchlist-Add-UserToWatchList/alert-trigger/images/alertTrigger-light.png
diff --git a/Playbooks/Watchlist-Add-UserToWatchList/readme.md b/Solutions/Watchlists Utilities/Playbooks/Watchlist-Add-UserToWatchList/readme.md
similarity index 100%
rename from Playbooks/Watchlist-Add-UserToWatchList/readme.md
rename to Solutions/Watchlists Utilities/Playbooks/Watchlist-Add-UserToWatchList/readme.md
diff --git a/Playbooks/Watchlist-Add-UserToWatchList/incident-trigger/azuredeploy.json b/Solutions/Watchlists Utilities/Playbooks/Watchlist-Add-UserToWatchList/user-incident-trigger/azuredeploy.json
similarity index 93%
rename from Playbooks/Watchlist-Add-UserToWatchList/incident-trigger/azuredeploy.json
rename to Solutions/Watchlists Utilities/Playbooks/Watchlist-Add-UserToWatchList/user-incident-trigger/azuredeploy.json
index 88ce9ea149..6b06ba96a9 100644
--- a/Playbooks/Watchlist-Add-UserToWatchList/incident-trigger/azuredeploy.json
+++ b/Solutions/Watchlists Utilities/Playbooks/Watchlist-Add-UserToWatchList/user-incident-trigger/azuredeploy.json
@@ -3,16 +3,17 @@
 "contentVersion": "1.0.0.0",
 "metadata": {
 "title": "Add User To Watchlist - Incident Trigger",
- "description": "This playbook will add a user entity from the incident to a new or existing watchlist.",
- "prerequisites": "",
- "postDeployment": ["1. Assign Microsoft Sentinel Contributor role to the Playbook's Managed Identity"
- ],
- "prerequisitesDeployTemplateFile": "",
- "lastUpdateTime": "2022-04-25T00:00:00.000Z",
- "entities": [ "Account"
- ],
- "tags": [
+ "description": "This playbook will add a User entity to a new or existing watchlist.",
+ "prerequisites": ["None"],
+ "postDeployment": ["Assign Microsoft Sentinel Contributor role to the Playbook's Managed Identity"],
+ "mainSteps": ["**Logical flow to use this playbook**",
+ "1. The analyst finished investigating an incident and one of its findings is a suspicious user entity.",
+ "2. The analyst wants to enter this entity into a watchlist (can be from block list type or allowed list).",
+ "3. This playbook will run as a manual trigger from the full incident blade or the investigation graph blade, or automatically, and will add host to the selected watchlist." ],
+ "lastUpdateTime": "2022-07-21T00:00:00.000Z",
+ "entities": ["Account"],
+ "tags": [],
 "support": {
 "tier": "community",
 "armtemplate": "Generated from https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Playbook-ARM-Template-Generator"
@@ -20,7 +21,16 @@
 "author": {
 "name": "Yaniv Shaha",
 "updated": "Benjamin Kovacevic"
+ },
+ "releaseNotes": [
+ {
+ "version": "1.0.0",
+ "title": "Add User To Watchlist - Incident Trigger",
+ "notes": [
+ "Initial version"
+ ]
 }
+ ]
 },
 "parameters": {
 "PlaybookName": {
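Review bot: The hunk header `@@ -3,16 +3,17 @@` accounts for one more old and one more new context line than is visible here, and unlike the host-incident-trigger hunk the `],` that closed the old `"tags": [` is not among the removed lines. If that `],` survived as a context line right after the new `+ "tags": [],`, the file now reads `"tags": [],` followed by a stray `],` and will not parse; please run the new file through a strict JSON parser before merging. The user-vip-incident-trigger hunk (`@@ -3,22 +3,35 @@`) shows the same pattern.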
diff --git a/Playbooks/Watchlist-Add-UserToWatchList/incident-trigger/images/incidentTrigger-dark.png b/Solutions/Watchlists Utilities/Playbooks/Watchlist-Add-UserToWatchList/user-incident-trigger/images/incidentTrigger-dark.png
similarity index 100%
rename from Playbooks/Watchlist-Add-UserToWatchList/incident-trigger/images/incidentTrigger-dark.png
rename to Solutions/Watchlists Utilities/Playbooks/Watchlist-Add-UserToWatchList/user-incident-trigger/images/incidentTrigger-dark.png
diff --git a/Playbooks/Watchlist-Add-UserToWatchList/incident-trigger/images/incidentTrigger-light.png b/Solutions/Watchlists Utilities/Playbooks/Watchlist-Add-UserToWatchList/user-incident-trigger/images/incidentTrigger-light.png
similarity index 100%
rename from Playbooks/Watchlist-Add-UserToWatchList/incident-trigger/images/incidentTrigger-light.png
rename to Solutions/Watchlists Utilities/Playbooks/Watchlist-Add-UserToWatchList/user-incident-trigger/images/incidentTrigger-light.png
diff --git a/Playbooks/Watchlist-ChangeIncidentSeverityandTitleIFUserVIP/VIPUserswatchlistexample.csv b/Solutions/Watchlists Utilities/Playbooks/Watchlist-ChangeIncidentSeverityandTitleIFUserVIP/VIPUserswatchlistexample.csv
similarity index 100%
rename from Playbooks/Watchlist-ChangeIncidentSeverityandTitleIFUserVIP/VIPUserswatchlistexample.csv
rename to Solutions/Watchlists Utilities/Playbooks/Watchlist-ChangeIncidentSeverityandTitleIFUserVIP/VIPUserswatchlistexample.csv
diff --git a/Playbooks/Watchlist-ChangeIncidentSeverityandTitleIFUserVIP/alert-trigger/azuredeploy.json b/Solutions/Watchlists Utilities/Playbooks/Watchlist-ChangeIncidentSeverityandTitleIFUserVIP/alert-trigger/azuredeploy.json
similarity index 96%
rename from Playbooks/Watchlist-ChangeIncidentSeverityandTitleIFUserVIP/alert-trigger/azuredeploy.json
rename to Solutions/Watchlists Utilities/Playbooks/Watchlist-ChangeIncidentSeverityandTitleIFUserVIP/alert-trigger/azuredeploy.json
index 9208771880..dbddb24b50 100644
--- a/Playbooks/Watchlist-ChangeIncidentSeverityandTitleIFUserVIP/alert-trigger/azuredeploy.json
+++ b/Solutions/Watchlists Utilities/Playbooks/Watchlist-ChangeIncidentSeverityandTitleIFUserVIP/alert-trigger/azuredeploy.json
@@ -4,21 +4,27 @@
 "metadata": {
 "title": "Watchlist - Change Incident Severity and Title if User VIP - Alert Trigger",
 "description": "This playbook leverages Microsoft Sentinel Watchlists in order to adapt the incidents severity which include User entity and check it against VIP user list.",
- "prerequisites": "",
- "postDeployment": ["1. Assign Microsoft Sentinel Responder role to the Playbook's Managed Identity."],
- "prerequisitesDeployTemplateFile": "",
+ "prerequisites": ["None"],
+ "postDeployment": ["Assign Microsoft Sentinel Responder role to the Playbook's Managed Identity."],
 "lastUpdateTime": "2022-04-12T00:00:00.000Z",
- "entities": [
- ],
- "tags": [
- ],
+ "entities": [],
+ "tags": [],
 "support": {
 "tier": "community",
 "armtemplate": "Generated from https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Playbook-ARM-Template-Generator"
 },
 "author": {
 "name": "Yaniv Shaha"
+ },
+ "releaseNotes": [
+ {
+ "version": "1.0.0",
+ "title": "Watchlist - Change Incident Severity and Title if User VIP - Alert Trigger",
+ "notes": [
+ "Initial version"
+ ]
 }
+ ]
 },
 "parameters": {
 "PlaybookName": {
diff --git a/Playbooks/Watchlist-ChangeIncidentSeverityandTitleIFUserVIP/alert-trigger/images/alertTrigger-dark.png b/Solutions/Watchlists Utilities/Playbooks/Watchlist-ChangeIncidentSeverityandTitleIFUserVIP/alert-trigger/images/alertTrigger-dark.png
similarity index 100%
rename from Playbooks/Watchlist-ChangeIncidentSeverityandTitleIFUserVIP/alert-trigger/images/alertTrigger-dark.png
rename to Solutions/Watchlists Utilities/Playbooks/Watchlist-ChangeIncidentSeverityandTitleIFUserVIP/alert-trigger/images/alertTrigger-dark.png
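Review bot: `"entities": []` is kept empty on the new side although the description says the playbook checks the User entity of the alert against the VIP list, and the Add-User templates in this same commit set `"entities": ["Account"]`. If this field is what the gallery uses to offer playbooks per entity type, an empty list hides this one from entity-based lookups; `"entities": ["Account"],` would match the siblings. The user-vip-incident-trigger hunk later in the commit has the same empty list.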
diff --git a/Playbooks/Watchlist-ChangeIncidentSeverityandTitleIFUserVIP/alert-trigger/images/alertTrigger-light.png b/Solutions/Watchlists Utilities/Playbooks/Watchlist-ChangeIncidentSeverityandTitleIFUserVIP/alert-trigger/images/alertTrigger-light.png
similarity index 100%
rename from Playbooks/Watchlist-ChangeIncidentSeverityandTitleIFUserVIP/alert-trigger/images/alertTrigger-light.png
rename to Solutions/Watchlists Utilities/Playbooks/Watchlist-ChangeIncidentSeverityandTitleIFUserVIP/alert-trigger/images/alertTrigger-light.png
diff --git a/Playbooks/Watchlist-ChangeIncidentSeverityandTitleIFUserVIP/readme.md b/Solutions/Watchlists Utilities/Playbooks/Watchlist-ChangeIncidentSeverityandTitleIFUserVIP/readme.md
similarity index 94%
rename from Playbooks/Watchlist-ChangeIncidentSeverityandTitleIFUserVIP/readme.md
rename to Solutions/Watchlists Utilities/Playbooks/Watchlist-ChangeIncidentSeverityandTitleIFUserVIP/readme.md
index 1b7cd2301c..6104d7dbaf 100644
--- a/Playbooks/Watchlist-ChangeIncidentSeverityandTitleIFUserVIP/readme.md
+++ b/Solutions/Watchlists Utilities/Playbooks/Watchlist-ChangeIncidentSeverityandTitleIFUserVIP/readme.md
@@ -3,7 +3,7 @@ author: Yaniv Shasha

-This playbook leverages Azure Sentinel Watchlists in order to adapt the incidents severity which include User entity and check it against VIP user list
+This playbook leverages Microsoft Sentinel Watchlists in order to adapt the incidents severity which include User entity and check it against VIP user list

## Logical flow to use this playbook
diff --git a/Playbooks/Watchlist-ChangeIncidentSeverityandTitleIFUserVIP/incident-trigger/azuredeploy.json b/Solutions/Watchlists Utilities/Playbooks/Watchlist-ChangeIncidentSeverityandTitleIFUserVIP/user-vip-incident-trigger/azuredeploy.json
similarity index 92%
rename from Playbooks/Watchlist-ChangeIncidentSeverityandTitleIFUserVIP/incident-trigger/azuredeploy.json
rename to Solutions/Watchlists Utilities/Playbooks/Watchlist-ChangeIncidentSeverityandTitleIFUserVIP/user-vip-incident-trigger/azuredeploy.json
index eb3e426315..7d034c0e8b 100644
--- a/Playbooks/Watchlist-ChangeIncidentSeverityandTitleIFUserVIP/incident-trigger/azuredeploy.json
+++ b/Solutions/Watchlists Utilities/Playbooks/Watchlist-ChangeIncidentSeverityandTitleIFUserVIP/user-vip-incident-trigger/azuredeploy.json
@@ -3,22 +3,35 @@
 "contentVersion": "1.0.0.0",
 "metadata": {
 "title": "Watchlist - Change Incident Severity and Title if User VIP - Incident Trigger",
- "description": "This playbook leverages Microsoft Sentinel Watchlists in order to adapt the incidents severity which include User entity and check it against VIP user list.",
- "prerequisites": "",
- "postDeployment": ["1. Assign Microsoft Sentinel Responder role to the Playbook's Managed Identity."],
- "prerequisitesDeployTemplateFile": "",
- "lastUpdateTime": "2022-04-12T00:00:00.000Z",
- "entities": [
- ],
- "tags": [
+ "description": "This playbook leverages Microsoft Sentinel Watchlists in order to adapt the incidents severity which include User entity and check it against VIP user list",
+ "prerequisites": ["None"],
+ "mainSteps": ["**Logical flow to use this playbook**",
+ "For each User account included in the incident or alert (entities of type User):",
+ "1. Check if User is included in the watchlist.",
+ "2. If user is in the watchlist: ",
+ "a. Change the incident severity to Critical",
+ "b. Modify the incident title that include the User name and the text- **VIP User!!!**" ],
+ "postDeployment": ["Assign Microsoft Sentinel Contributor role to the Playbook's Managed Identity"],
+ "lastUpdateTime": "2022-07-21T00:00:00.000Z",
+ "entities": [],
+ "tags": [],
 "support": {
 "tier": "community",
 "armtemplate": "Generated from https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Playbook-ARM-Template-Generator"
 },
 "author": {
 "name": "Yaniv Shaha"
+ },
+ "releaseNotes": [
+ {
+ "version": "1.0.0",
+ "title": "Watchlist - Change Incident Severity and Title if User VIP - Incident Trigger",
+ "notes": [
+ "Initial version"
+ ]
 }
+ ]
 },
 "parameters": {
 "PlaybookName": {
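Review bot: The new `postDeployment` line asks for the `Microsoft Sentinel Contributor` role, but the line it replaces and the alert-trigger sibling of this same playbook (its `@@ -4,21 +4,27 @@` hunk) both specify `Microsoft Sentinel Responder`. The `mainSteps` added here only look a user up in a watchlist and then change the incident's severity and title, which Responder covers; Contributor additionally lets the managed identity create and edit analytics rules, workbooks and other workspace content this playbook never touches, so the lesser role should stay: `"postDeployment": ["Assign Microsoft Sentinel Responder role to the Playbook's Managed Identity."],`. The new `description` also drops the trailing period the alert-trigger copy keeps, and `text-` in step b reads as a hyphenated word rather than `text - **VIP User!!!**`.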
diff --git a/Playbooks/Watchlist-ChangeIncidentSeverityandTitleIFUserVIP/incident-trigger/images/incidentTrigger-dark.png b/Solutions/Watchlists Utilities/Playbooks/Watchlist-ChangeIncidentSeverityandTitleIFUserVIP/user-vip-incident-trigger/images/incidentTrigger-dark.png
similarity index 100%
rename from Playbooks/Watchlist-ChangeIncidentSeverityandTitleIFUserVIP/incident-trigger/images/incidentTrigger-dark.png
rename to Solutions/Watchlists Utilities/Playbooks/Watchlist-ChangeIncidentSeverityandTitleIFUserVIP/user-vip-incident-trigger/images/incidentTrigger-dark.png
diff --git a/Playbooks/Watchlist-ChangeIncidentSeverityandTitleIFUserVIP/incident-trigger/images/incidentTrigger-light.png b/Solutions/Watchlists Utilities/Playbooks/Watchlist-ChangeIncidentSeverityandTitleIFUserVIP/user-vip-incident-trigger/images/incidentTrigger-light.png
similarity index 100%
rename from Playbooks/Watchlist-ChangeIncidentSeverityandTitleIFUserVIP/incident-trigger/images/incidentTrigger-light.png
rename to Solutions/Watchlists Utilities/Playbooks/Watchlist-ChangeIncidentSeverityandTitleIFUserVIP/user-vip-incident-trigger/images/incidentTrigger-light.png
diff --git a/Playbooks/Watchlist-CloseIncidentKnownIPs/azuredeploy.json b/Solutions/Watchlists Utilities/Playbooks/Watchlist-CloseIncidentKnownIPs/azuredeploy.json
similarity index 89%
rename from Playbooks/Watchlist-CloseIncidentKnownIPs/azuredeploy.json
rename to Solutions/Watchlists Utilities/Playbooks/Watchlist-CloseIncidentKnownIPs/azuredeploy.json
index 1f04648b8a..9d52bcaaa8 100644
--- a/Playbooks/Watchlist-CloseIncidentKnownIPs/azuredeploy.json
+++ b/Solutions/Watchlists Utilities/Playbooks/Watchlist-CloseIncidentKnownIPs/azuredeploy.json
@@ -2,10 +2,11 @@ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "metadata": { - "title": "Watchlist - close incidents with safe IPs ", - "description": "This playbook levarages Azure Sentinel Watchlists in order to close incidents which include IP addresses considered safe.", - "prerequisites": ["[Create a watchlist](https://docs.microsoft.com/azure/sentinel/watchlists#create-a-new-watchlist) for safe IPs with ip column named 'ipaddress' (can be changed in 'Run query' step). Watchlist should be located in the same workspace of the incidents."], - "lastUpdateTime": "2021-05-30T10:00:00.000Z", + "title": "Watchlist - close incidents with safe IPs", + "description": "This playbook leverages Microsoft Sentinel Watchlists in order to close incidents which include IP addresses considered safe.", + "prerequisites": ["None"], + "mainSteps": ["For each Ip address included in the alert (entities of type IP): \n\n 1. Check if IP is included in watchlist. \n\n * If IP is in the watchlist, consider the IP saf,. **Add it to Safe IPs array.** \n\n * If IP is not in the watchlist, meaning that we are not sure it is safe, **Add it to not Safe IPs array.** \n\n 2. Add a comment to the incident the list of safe and not safe IPs found. \n\n 3. If the not safe list is empty (length == 0), close the incident as Benign Positive. \n\n \n\n ## Configurations \n\n * Configure the step 'Run query and list results with the identifiers of the Sentinel workspace where the watchlist is stored. \n\n * Configure the identity used in the 'Run query and list results' step with the Log Analytics Reader RBAC role on the Microsoft Sentinel resource group. \n\n * Configure the Managed Identity of the Logic App with the Microsoft Sentinel Responder RBAC role on the Microsoft Sentinel resource group. \n\n * The watchlist used in this example has at list one column named **ipaddress** which stores the safe address. 
See the csv file attached in this folder as an example. \n\n \n\n \n\n \n\n "], + "lastUpdateTime": "2022-07-22T10:00:00.000Z", "entities": ["Ip"], "tags": ["Triage"], "support": { @@ -13,7 +14,16 @@ }, "author": { "name": "Lior Tamir" + }, + "releaseNotes": [ + { + "version": "1.0.0", + "title": "Watchlist - close incidents with safe IPs ", + "notes": [ + "Initial version" + ] } + ] }, "parameters": { "PlaybookName": { diff --git a/Playbooks/Watchlist-CloseIncidentKnownIPs/images/commentDark.png b/Solutions/Watchlists Utilities/Playbooks/Watchlist-CloseIncidentKnownIPs/images/commentDark.png similarity index 100% rename from Playbooks/Watchlist-CloseIncidentKnownIPs/images/commentDark.png rename to Solutions/Watchlists Utilities/Playbooks/Watchlist-CloseIncidentKnownIPs/images/commentDark.png diff --git a/Playbooks/Watchlist-CloseIncidentKnownIPs/images/commentLight.png b/Solutions/Watchlists Utilities/Playbooks/Watchlist-CloseIncidentKnownIPs/images/commentLight.png similarity index 100% rename from Playbooks/Watchlist-CloseIncidentKnownIPs/images/commentLight.png rename to Solutions/Watchlists Utilities/Playbooks/Watchlist-CloseIncidentKnownIPs/images/commentLight.png diff --git a/Playbooks/Watchlist-CloseIncidentKnownIPs/images/designerDark1.png b/Solutions/Watchlists Utilities/Playbooks/Watchlist-CloseIncidentKnownIPs/images/designerDark1.png similarity index 100% rename from Playbooks/Watchlist-CloseIncidentKnownIPs/images/designerDark1.png rename to Solutions/Watchlists Utilities/Playbooks/Watchlist-CloseIncidentKnownIPs/images/designerDark1.png diff --git a/Playbooks/Watchlist-CloseIncidentKnownIPs/images/designerDark2.png b/Solutions/Watchlists Utilities/Playbooks/Watchlist-CloseIncidentKnownIPs/images/designerDark2.png similarity index 100% rename from Playbooks/Watchlist-CloseIncidentKnownIPs/images/designerDark2.png rename to Solutions/Watchlists Utilities/Playbooks/Watchlist-CloseIncidentKnownIPs/images/designerDark2.png 
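Review bot: `"prerequisites": ["None"]` replaces a real prerequisite: the removed line required a watchlist in the incident's workspace with an `ipaddress` column, and the new mainSteps text still depends on that watchlist (the Configurations bullet about the **ipaddress** column and the csv example), so the metadata now contradicts itself and a deployer who reads only prerequisites will get an empty query result at runtime. Keep the watchlist requirement under prerequisites instead of "None" and let mainSteps carry the flow description only. The mainSteps string also has two typos worth fixing while it is being rewritten: `consider the IP saf,.` should be `consider the IP safe.`, and `'Run query and list results with the identifiers` is missing the closing quote after `results`.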
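Review bot: The releaseNotes title `"Watchlist - close incidents with safe IPs "` keeps the trailing space that the previous hunk of this file just removed from the metadata title, so the two strings no longer match. Use the corrected `"Watchlist - close incidents with safe IPs"` here as well so the two values do not drift.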
diff --git a/Playbooks/Watchlist-CloseIncidentKnownIPs/images/designerLight1.png b/Solutions/Watchlists Utilities/Playbooks/Watchlist-CloseIncidentKnownIPs/images/designerLight1.png
similarity index 100%
rename from Playbooks/Watchlist-CloseIncidentKnownIPs/images/designerLight1.png
rename to Solutions/Watchlists Utilities/Playbooks/Watchlist-CloseIncidentKnownIPs/images/designerLight1.png
diff --git a/Playbooks/Watchlist-CloseIncidentKnownIPs/images/designerLight2.png b/Solutions/Watchlists Utilities/Playbooks/Watchlist-CloseIncidentKnownIPs/images/designerLight2.png
similarity index 100%
rename from Playbooks/Watchlist-CloseIncidentKnownIPs/images/designerLight2.png
rename to Solutions/Watchlists Utilities/Playbooks/Watchlist-CloseIncidentKnownIPs/images/designerLight2.png
diff --git a/Playbooks/Watchlist-CloseIncidentKnownIPs/ipwatchlistexample.csv b/Solutions/Watchlists Utilities/Playbooks/Watchlist-CloseIncidentKnownIPs/ipwatchlistexample.csv
similarity index 100%
rename from Playbooks/Watchlist-CloseIncidentKnownIPs/ipwatchlistexample.csv
rename to Solutions/Watchlists Utilities/Playbooks/Watchlist-CloseIncidentKnownIPs/ipwatchlistexample.csv
diff --git a/Playbooks/Watchlist-CloseIncidentKnownIPs/readme.md b/Solutions/Watchlists Utilities/Playbooks/Watchlist-CloseIncidentKnownIPs/readme.md
similarity index 83%
rename from Playbooks/Watchlist-CloseIncidentKnownIPs/readme.md
rename to Solutions/Watchlists Utilities/Playbooks/Watchlist-CloseIncidentKnownIPs/readme.md
index e4de6427c4..c98934d4d5 100644
--- a/Playbooks/Watchlist-CloseIncidentKnownIPs/readme.md
+++ b/Solutions/Watchlists Utilities/Playbooks/Watchlist-CloseIncidentKnownIPs/readme.md
@@ -1,7 +1,7 @@ # Watchlists-CloseIncidentKnownIP author: Lior Tamir -This playbook levarages Azure Sentinel Watchlists in order to close incidents which include IP addresses considered safe. +This playbook levarages Microsoft Sentinel Watchlists in order to close incidents which include IP addresses considered safe. For each Ip address included in the alert (entities of type IP): 1. Check if IP is included in watchlist. @@ -13,8 +13,8 @@ For each Ip address included in the alert (entities of type IP): ## Configurations * Configure the step "Run query and list results" with the identifiers of the Sentinel workspace where the watchlist is stored. -* Configure the identity used in the "Run query and list results" step with the Log Analytics Reader RBAC role on the Azure Sentinel resource group. -* Configure the Managed Idenitty of the Logic App with the Azure Sentinel Responder RBAC role on the Azure Sentinel resource group. +* Configure the identity used in the "Run query and list results" step with the Log Analytics Reader RBAC role on the Microsoft Sentinel resource group. +* Configure the Managed Idenitty of the Logic App with the Microsoft Sentinel Responder RBAC role on the Microsoft Sentinel resource group. * The watchlist used in this example has at list one column named **ipaddress** which stores the safe address. See the csv file attached in this folder as an example.

diff --git a/Playbooks/Watchlist-InformSubowner-IncidentTrigger/azuredeploy.json b/Solutions/Watchlists Utilities/Playbooks/Watchlist-InformSubowner-IncidentTrigger/azuredeploy.json similarity index 88% rename from Playbooks/Watchlist-InformSubowner-IncidentTrigger/azuredeploy.json rename to Solutions/Watchlists Utilities/Playbooks/Watchlist-InformSubowner-IncidentTrigger/azuredeploy.json index b81816ed24..1637ffe120 100644 --- a/Playbooks/Watchlist-InformSubowner-IncidentTrigger/azuredeploy.json +++ b/Solutions/Watchlists Utilities/Playbooks/Watchlist-InformSubowner-IncidentTrigger/azuredeploy.json @@ -3,9 +3,13 @@ "contentVersion": "1.0.0.0", "metadata": { "title": "Watchlists - Inform Subscription Owner", - "description": "Use Microsoft Sentinel watchlists and a playbook to contact the subscription owner of the affected resource automatically. This template uses the subscription owner level, but you can implement this solution for any specified resource owner.
[Learn more](https://docs.microsoft.com/azure/sentinel/automate-playbook-watchlist)", - "prerequisites": ["Create a Watchlist that this playbook will query:
1.Create an input comma-separated value (CSV) file with the following columns: SubscriptionId, SubscriptionName, OwnerName, OwnerEmail, where each row represents a subscription in an Azure tenant.
2. Upload the table to the Microsoft Sentinel Watchlist area. Make a note of the value you use as the Watchlist Alias, as you'll use it to query this watchlist from the playbook."], - "lastUpdateTime": "2021-11-26T00:00:00.000Z", + "description": "This playbook leverages Microsoft Sentinel Watchlists in order to get the relevant subscription owner contact details, and inform about an ASC alert that occured in that subscription. It uses Microsoft Teams and Office 365 Outlook as ways to inform the sub owner.", + "prerequisites": ["None"], + "mainSteps": ["Note: This playbook utilizes two features currently in Preview.", + "* Microsoft Sentinel Watchlists", + "* Microsoft Sentinel Incident Trigger \n\n " + ], + "lastUpdateTime": "2022-07-21T00:00:00.000Z", "entities": ["AzureResource"], "tags": ["Notification"], "support": { @@ -13,7 +17,16 @@ }, "author": { "name": "Lior Tamir" + }, + "releaseNotes": [ + { + "version": "1.0.0", + "title": "Watchlists - Inform Subscription Owner", + "notes": [ + "Initial version" + ] } + ] }, "parameters": { "PlaybookName": { 
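Review bot: `"prerequisites": ["None"]` drops the instruction to create a watchlist with the SubscriptionId, SubscriptionName, OwnerName and OwnerEmail columns and to note its alias, yet the actions later in this same file read exactly those columns from `body('Run_query_and_list_results_-_Get_Watchlist')?['value'][0]` (see the hunks at `@@ -138` and `@@ -160` in this diff). Without that watchlist the lookup returns no rows and the `[0]` indexing has nothing to read, so the prerequisite is still real; keep the removed text (and ideally the dropped Learn more link) under prerequisites and reserve mainSteps for the flow. The new mainSteps entry is only a Preview notice ending in a stray `\n\n ` rather than steps, and `occured` in the description should be `occurred`.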
@@ -138,11 +151,11 @@ "Post_a_message_as_the_Flow_bot_to_a_user": { "inputs": { "body": { - "messageBody": " Hi @{body('Run_query_and_list_results_-_Get_Watchlist')?['value'][0]['OwnerName']}\n\nA new alert was triggered on your subscription: @{body('Run_query_and_list_results_-_Get_Watchlist')?['value'][0]['SubscriptionName']} by Azure Security Center.\n\nAn incident was created in Azure Sentinel.\n\nAlert title: @{items('For_each_Alert')?['properties']?['alertDisplayName']}\n\nDescription: @{items('For_each_Alert')?['properties']?['description']}\n\nThe Azure resource that triggered the alert:\n@{first(body('Filter_array_to_get_AzureResource_identifier'))['resourceId']}\n\nLink to the ASC alert: @{items('For_each_Alert')?['properties']?['alertLink']}\n\nLink to the Azure Sentinel incident: @{triggerBody()?['object']?['properties']?['incidentUrl']}", - "messageTitle": "New alert from Azure Sentinel in your subscription", + "messageBody": " Hi @{body('Run_query_and_list_results_-_Get_Watchlist')?['value'][0]['OwnerName']}\n\nA new alert was triggered on your subscription: @{body('Run_query_and_list_results_-_Get_Watchlist')?['value'][0]['SubscriptionName']} by Azure Security Center.\n\nAn incident was created in Microsoft Sentinel.\n\nAlert title: @{items('For_each_Alert')?['properties']?['alertDisplayName']}\n\nDescription: @{items('For_each_Alert')?['properties']?['description']}\n\nThe Azure resource that triggered the alert:\n@{first(body('Filter_array_to_get_AzureResource_identifier'))['resourceId']}\n\nLink to the ASC alert: @{items('For_each_Alert')?['properties']?['alertLink']}\n\nLink to the Microsoft Sentinel incident: @{triggerBody()?['object']?['properties']?['incidentUrl']}", + "messageTitle": "New alert from Microsoft Sentinel in your subscription", "recipient": { "isAlert": true, - "summary": "New Alert from Azure Sentinel in subscription @{body('Parse_JSON_to_get_subscriptionId')?['properties']?['effectiveSubscriptionId']}", + "summary": "New Alert 
from Microsoft Sentinel in subscription @{body('Parse_JSON_to_get_subscriptionId')?['properties']?['effectiveSubscriptionId']}", "to": "@{body('Run_query_and_list_results_-_Get_Watchlist')?['value'][0]['OwnerEmail']}" } }, @@ -160,8 +173,8 @@ "Send_an_email_(V2)": { "inputs": { "body": { - "Body": "
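Review bot: The new messageBody and summary still read the watchlist result with `?['value'][0]['OwnerName']`, `[0]['SubscriptionName']` and `[0]['OwnerEmail']` with no guard for an empty result visible in this hunk; if the incident's subscription has no watchlist row and no earlier condition checks the row count (not visible here), these expressions fail at runtime and the owner is silently never contacted. Consider gating this action on `length(body('Run_query_and_list_results_-_Get_Watchlist')?['value'])` so a missing row is a handled branch (for example an incident comment) rather than a failed run. The same expressions appear in the `Send_an_email_(V2)` hunk below; the `Post_a_message_as_the_Flow_bot_to_a_user` action's remaining properties are outside this hunk.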

 Hi   @{body('Run_query_and_list_results_-_Get_Watchlist')?['value'][0]['OwnerName']}
\n
\nA new alert was triggered on your subscription:
@{body('Run_query_and_list_results_-_Get_Watchlist')?['value'][0]['SubscriptionName']} by Azure Security Center.
\n
\nAn incident was created in Azure Sentinel.
\n
\n
Alert title: @{items('For_each_Alert')?['properties']?['alertDisplayName']}
\n
\n
Description: @{items('For_each_Alert')?['properties']?['description']}
\n
\n
The Azure resource that triggered the alert:
\n
@{first(body('Filter_array_to_get_AzureResource_identifier'))['resourceId']}
\n
\n
Link to the ASC alert:  @{items('For_each_Alert')?['properties']?['alertLink']}
\n
\n
Link to the Azure Sentinel incident: @{triggerBody()?['object']?['properties']?['incidentUrl']}

", - "Subject": "New Alert from Azure Sentinel in subscription @{body('Parse_JSON_to_get_subscriptionId')?['properties']?['effectiveSubscriptionId']}", + "Body": "

 Hi   @{body('Run_query_and_list_results_-_Get_Watchlist')?['value'][0]['OwnerName']}
\n
\nA new alert was triggered on your subscription:
@{body('Run_query_and_list_results_-_Get_Watchlist')?['value'][0]['SubscriptionName']} by Azure Security Center.
\n
\nAn incident was created in Microsoft Sentinel.
\n
\n
Alert title: @{items('For_each_Alert')?['properties']?['alertDisplayName']}
\n
\n
Description: @{items('For_each_Alert')?['properties']?['description']}
\n
\n
The Azure resource that triggered the alert:
\n
@{first(body('Filter_array_to_get_AzureResource_identifier'))['resourceId']}
\n
\n
Link to the ASC alert:  @{items('For_each_Alert')?['properties']?['alertLink']}
\n
\n
Link to the Microsoft Sentinel incident: @{triggerBody()?['object']?['properties']?['incidentUrl']}

", + "Subject": "New Alert from Microsoft Sentinel in subscription @{body('Parse_JSON_to_get_subscriptionId')?['properties']?['effectiveSubscriptionId']}", "To": "@{body('Run_query_and_list_results_-_Get_Watchlist')?['value'][0]['OwnerEmail']}" }, "host": { diff --git a/Playbooks/Watchlist-InformSubowner-IncidentTrigger/images/designerView.png b/Solutions/Watchlists Utilities/Playbooks/Watchlist-InformSubowner-IncidentTrigger/images/designerView.png similarity index 100% rename from Playbooks/Watchlist-InformSubowner-IncidentTrigger/images/designerView.png rename to Solutions/Watchlists Utilities/Playbooks/Watchlist-InformSubowner-IncidentTrigger/images/designerView.png diff --git a/Playbooks/Watchlist-InformSubowner-IncidentTrigger/readme.md b/Solutions/Watchlists Utilities/Playbooks/Watchlist-InformSubowner-IncidentTrigger/readme.md similarity index 76% rename from Playbooks/Watchlist-InformSubowner-IncidentTrigger/readme.md rename to Solutions/Watchlists Utilities/Playbooks/Watchlist-InformSubowner-IncidentTrigger/readme.md index 84d2cf030b..72683f0d60 100644 --- a/Playbooks/Watchlist-InformSubowner-IncidentTrigger/readme.md +++ b/Solutions/Watchlists Utilities/Playbooks/Watchlist-InformSubowner-IncidentTrigger/readme.md @@ -1,13 +1,13 @@ # Watchlists-InformSubowner-IncidentTrigger author: Lior Tamir -This playbook levarages Azure Sentinel Watchlists in order to get the relevant subscription owner contact details, and inform about an ASC alert that occured in that subscription. +This playbook leverages Microsoft Sentinel Watchlists in order to get the relevant subscription owner contact details, and inform about an ASC alert that occured in that subscription. It uses Microsoft Teams and Office 365 Outlook as ways to inform the sub owner. Note: This playbook utilizes two features currently in Preview. -* Azure Sentinel Watchlists -* Azure Sentinel Incident Trigger +* Microsoft Sentinel Watchlists +* Microsoft Sentinel Incident Trigger
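Review bot: The Body of `Send_an_email_(V2)` interpolates `alertDisplayName`, `description`, `resourceId` and `alertLink` straight from the alert, and the way the value renders here (structure around each `\n`) suggests the Body is HTML rather than plain text — confirm against the full action. If it is HTML, alert-supplied text such as a resource name or description that an external party can influence reaches the recipient's mailbox unencoded and can carry markup or links the owner is likely to trust; prefer a plain-text body, or encode each interpolated field before inserting it. Only the Azure → Microsoft Sentinel wording changes in this commit; the action's `host` and remaining properties are outside the hunk.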