Updated ARM template with formatted email

2021-09-29 13:43:24 -07:00 · 2021-09-29 13:43:24 -07:00 · 3c078dd1b7
--- a/Playbooks/Send-AnalyticalRulesHealthNotifications/azuredeploy.json
+++ b/Playbooks/Send-AnalyticalRulesHealthNotifications/azuredeploy.json
@ -1,4 +1,20 @@
 {
+	"metadata": {
+		"prerequisites": "",
+		"lastUpdateTime": "9/29/2021",
+		"title": "Send-AnalyticalRulesHealthNotifications",
+		"prerequisitesDeployTemplateFile": "",
+		"support": {
+			"tier": "community"
+		},
+		"tags": [],
+		"author": {
+			"name": "Sreedhar Ande"
+		},
+		"description": "Send notifications on Azure Sentinel Analytical Rules - auto-disabled rules",
+		"entities": []
+	},
+	"contentVersion": "1.0.0.0",
 	"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 	"resources": [
 		{
@ -13,28 +29,28 @@
 							"defaultValue": {},
 							"type": "Object"
 						},
+						"ChannelId": {
+							"defaultValue": "[parameters('ChannelId')]",
+							"type": "String"
+						},
 						"CurrentSubscriptionId": {
 							"defaultValue": "[subscription().subscriptionId]",
 							"type": "String"
 						},
-						"WorkspaceName": {
-							"defaultValue": "[parameters('AzureSentinelWorkspaceName')]",
-							"type": "String"
-						},
-						"ResourceGroupName": {
-							"defaultValue": "[parameters('AzureSentinelResourceGroupName')]",
-							"type": "String"
-						},
 						"MailingList": {
 							"defaultValue": "[parameters('MailingList')]",
 							"type": "String"
 						},
+						"ResourceGroupName": {
+							"defaultValue": "[parameters('AzureSentinelResourceGroupName')]",
+							"type": "String"
+						},
 						"TeamsId": {
 							"defaultValue": "[parameters('TeamsId')]",
 							"type": "String"
 						},
-						"ChannelId": {
-							"defaultValue": "[parameters('ChannelId')]",
+						"WorkspaceName": {
+							"defaultValue": "[parameters('AzureSentinelWorkspaceName')]",
 							"type": "String"
 						}
 					},
@ -52,8 +68,63 @@
 						}
 					},
 					"actions": {
+						"Analytical_Rules": {
+							"runAfter": {},
+							"type": "InitializeVariable",
+							"inputs": {
+								"variables": [
+									{
+										"name": "AutoDisabledAnalyticalRules",
+										"type": "array"
+									}
+								]
+							}
+						},
+						"Channel_Id": {
+							"runAfter": {
+								"Teams_Id": [
+									"Succeeded"
+								]
+							},
+							"type": "InitializeVariable",
+							"inputs": {
+								"variables": [
+									{
+										"name": "ChannelId",
+										"type": "string",
+										"value": "@parameters('ChannelId')"
+									}
+								]
+							}
+						},
 						"Condition_2": {
 							"actions": {
+								"Create_HTML_table": {
+									"runAfter": {},
+									"type": "Table",
+									"inputs": {
+										"columns": [
+											{
+												"header": "Rule Name",
+												"value": "@item()?['Rule Name']"
+											},
+											{
+												"header": "Reason",
+												"value": "@item()?['Reason']"
+											},
+											{
+												"header": "KQL Query",
+												"value": "@item()?['KQL Query']"
+											},
+											{
+												"header": "Severity",
+												"value": "@item()?['Severity']"
+											}
+										],
+										"format": "HTML",
+										"from": "@variables('AutoDisabledAnalyticalRules')"
+									}
+								},
 								"Post_message_in_a_chat_or_channel": {
 									"runAfter": {
 										"Send_an_email_(V2)": [
@ -63,7 +134,7 @@
 									"type": "ApiConnection",
 									"inputs": {
 										"body": {
-											"messageBody": "<p>!!! ATTENTION NEEDED !!!<br>\nFollowing Sentinel Analytical Rules from @{variables('LogAnalyticsWorkspaceName')} has been Auto Disabled.<br>\n<br>\n@{variables('AutoDisabledAnalyticalRules')}</p>",
+											"messageBody": "<p>!!! ATTENTION NEEDED !!!<br>\nFollowing Sentinel Analytical Rules from @{variables('LogAnalyticsWorkspaceName')} has been Auto Disabled.<br>\n<br>\n@{body('Create_HTML_table')}</p>",
 											"recipient": {
 												"channelId": "@variables('ChannelId')",
 												"groupId": "@variables('TeamsId')"
@ -79,11 +150,15 @@
 									}
 								},
 								"Send_an_email_(V2)": {
-									"runAfter": {},
+									"runAfter": {
+										"Create_HTML_table": [
+											"Succeeded"
+										]
+									},
 									"type": "ApiConnection",
 									"inputs": {
 										"body": {
-											"Body": "<p><span style=\"font-family: verdana\">!!! ATTENTION NEEDED !!!<br>\nFollowing Sentinel Analytical Rules from </span><span style=\"font-family: verdana\">@{variables('LogAnalyticsWorkspaceName')}</span><span style=\"font-family: verdana\"> has been Auto Disabled.<br>\n<br>\n</span><span style=\"font-family: verdana\">@{variables('AutoDisabledAnalyticalRules')}</span><span style=\"font-family: verdana\"></span></p>",
+											"Body": "<p><span style=\"font-family: Segoe UI\">!!! ATTENTION NEEDED !!!<br>\nFollowing Sentinel Analytical Rules from </span><span style=\"font-family: Segoe UI\">@{variables('LogAnalyticsWorkspaceName')}</span><span style=\"font-family: Segoe UI\"> has been Auto Disabled.<br>\n<br>\n</span><span style=\"font-family: Segoe UI\">@{body('Create_HTML_table')}</span><span style=\"font-family: Segoe UI\"></span></p>",
 											"Importance": "High",
 											"Subject": "!!!IMPORTANT!!! Analytical Rule disabled",
 											"To": "@{variables('MailingList')}"
@ -121,11 +196,25 @@
 								"Condition": {
 									"actions": {
 										"Append_to_array_variable": {
-											"runAfter": {},
+											"runAfter": {
+												"Compose": [
+													"Succeeded"
+												]
+											},
 											"type": "AppendToArrayVariable",
 											"inputs": {
 												"name": "AutoDisabledAnalyticalRules",
-												"value": "@items('For_Each')?['properties']?['displayName']"
+												"value": "@outputs('Compose')"
+											}
+										},
+										"Compose": {
+											"runAfter": {},
+											"type": "Compose",
+											"inputs": {
+												"KQL Query": "@items('For_Each')?['properties']?['query']",
+												"Reason": "@items('For_Each')?['properties']?['description']",
+												"Rule Name": "@items('For_Each')?['properties']?['displayName']",
+												"Severity": "@items('For_Each')?['properties']?['severity']"
 											}
 										}
 									},
@ -137,6 +226,12 @@
 													"@items('For_each')?['properties']?['displayName']",
 													"AUTO DISABLED"
 												]
+											},
+											{
+												"equals": [
+													"@items('For_Each')?['properties']?['enabled']",
+													false
+												]
 											}
 										]
 									},
@ -165,18 +260,6 @@
 								"uri": "https://management.azure.com/subscriptions/@{variables('SubscriptionId')}/resourceGroups/@{variables('LogAnalyticsResourceGroup')}/providers/Microsoft.OperationalInsights/workspaces/@{variables('LogAnalyticsWorkspaceName')}/providers/Microsoft.SecurityInsights/alertRules?api-version=2020-01-01"
 							}
 						},
-						"Analytical_Rules_-_Disabled": {
-							"runAfter": {},
-							"type": "InitializeVariable",
-							"inputs": {
-								"variables": [
-									{
-										"name": "AutoDisabledAnalyticalRules",
-										"type": "array"
-									}
-								]
-							}
-						},
 						"Log_Analytics_Resource_group_Name": {
 							"runAfter": {
 								"SubscriptionId": [
@ -228,7 +311,7 @@
 								]
 							}
 						},
-						"Teams_Id": {
+				        "Teams_Id": {
 							"runAfter": {
 								"Mailing_List": [
 									"Succeeded"
@ -453,7 +536,7 @@
 						},
 						"SubscriptionId": {
 							"runAfter": {
-								"Analytical_Rules_-_Disabled": [
+								"Analytical_Rules": [
 									"Succeeded"
 								]
 							},
@ -520,23 +603,23 @@
 							}
 						}
 					},
+					"ChannelId": {
+						"value": "[parameters('ChannelId')]"
+					},
 					"CurrentSubscriptionId": {
 						"value": "[subscription().subscriptionId]"
 					},
-					"WorkspaceName": {
-						"value": "[parameters('AzureSentinelWorkspaceName')]"
-					},
-					"ResourceGroupName": {
-						"value": "[parameters('AzureSentinelResourceGroupName')]"
-					},
 					"MailingList": {
 						"value": "[parameters('MailingList')]"
 					},
+					"ResourceGroupName": {
+						"value": "[parameters('AzureSentinelResourceGroupName')]"
+					},
 					"TeamsId": {
 						"value": "[parameters('TeamsId')]"
 					},
-					"ChannelId": {
-						"value": "[parameters('ChannelId')]"
+					"WorkspaceName": {
+						"value": "[parameters('AzureSentinelWorkspaceName')]"
 					}
 				}
 			},
@ -559,39 +642,38 @@
 			]
 		},
 		{
-			"location": "[resourceGroup().location]",
-			"kind": "V1",
+			"apiVersion": "2016-06-01",
+			"name": "[variables('office365ConnectionName')]",
 			"properties": {
 				"customParameterValues": {},
+				"displayName": "[variables('office365ConnectionName')]",
 				"api": {
 					"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/office365')]"
-				},
-				"displayName": "[variables('office365ConnectionName')]"
+				}
 			},
-			"name": "[variables('office365ConnectionName')]",
+			"location": "[resourceGroup().location]",
 			"type": "Microsoft.Web/connections",
-			"apiVersion": "2016-06-01"
+			"kind": "V1"
 		},
 		{
-			"location": "[resourceGroup().location]",
-			"kind": "V1",
+			"apiVersion": "2016-06-01",
+			"name": "[variables('teamsConnectionName')]",
 			"properties": {
 				"customParameterValues": {},
+				"displayName": "[variables('teamsConnectionName')]",
 				"api": {
 					"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/teams')]"
-				},
-				"displayName": "[variables('teamsConnectionName')]"
+				}
 			},
-			"name": "[variables('teamsConnectionName')]",
+			"location": "[resourceGroup().location]",
 			"type": "Microsoft.Web/connections",
-			"apiVersion": "2016-06-01"
+			"kind": "V1"
 		}
 	],
 	"variables": {
-		"office365ConnectionName": "[concat('office365-', parameters('PlaybookName'))]",
-		"teamsConnectionName": "[concat('teams-', parameters('PlaybookName'))]"
+		"teamsConnectionName": "[concat('teams-', parameters('PlaybookName'))]",
+		"office365ConnectionName": "[concat('office365-', parameters('PlaybookName'))]"
 	},
-	"contentVersion": "1.0.0.0",
 	"parameters": {
 		"PlaybookName": {
 			"defaultValue": "Send-AnalyticalRulesHealthNotifications",
@ -629,20 +711,5 @@
 				"description": "Specifies ChannelId"
 			}
 		}
-	},
-	"metadata": {
-		"prerequisitesDeployTemplateFile": "",
-		"prerequisites": "",
-		"tags": [],
-		"entities": [],
-		"description": "Send notifications on Azure Sentinel Analytical Rules - auto-disabled rules",
-		"lastUpdateTime": "9/24/2021",
-		"title": "Send-AnalyticalRulesHealthNotifications",
-		"author": {
-			"name": "Sreedhar Ande"
-		},
-		"support": {
-			"tier": "community"
-		}
 	}
 }