Update instructions
This commit is contained in:
Lior Tamir
Родитель
9cdc0fea75
Коммит
41954b5b32
|
|
@ -12,7 +12,7 @@ Once you have created a playbook that you want to export to share, please follow
|
|||
1. [Create ARM Template](#Create-ARM-Template)
|
||||
1. [Add metadata to the ARM Template](#Add-Metadata)
|
||||
1. [Create Readme file](#Create-Readme-file)
|
||||
1. [Create a Pull Request](#prerequisites)
|
||||
1. [Create a Pull Request](#Create-a-pull-request)
|
||||
|
||||
|
||||
## Playbook conventions and guidlines
|
||||
|
|
@ -38,9 +38,8 @@ Please take screenshots of dark and light Azure theme (can be configured from se
|
|||
|
||||
## Create ARM Template
|
||||
|
||||
In most cases, the final ARM template will look [like this](./simpletemplateexample.json).
|
||||
To generate most of it, please go to the Logic Apps resource in Azure.
|
||||
1. Click **Export Template** from the resource menu in Azure Portal.
|
||||
The core of part of the ARM template is generated from the Logic Apps resource. After generating it, additional updates are required, explained in this section.
|
||||
1. To generate the core part of the ARM template, please go to the Logic Apps resource in Azure. Click **Export Template** from the resource menu in Azure Portal.
|
||||
1. Copy the contents of the template.
|
||||
1. Using VS code, create a JSON file with the name "azuredeploy.json".
|
||||
1. Paste the code into the new file.
|
||||
|
|
@ -69,16 +68,14 @@ In the parameters section, remove all and add the following minimum fields. User
|
|||
|
||||
|
||||
6. **Variables**<br>Create 2 variables for each connection the playbook is using: connection name, and display name (to be presented as a choice in future playbooks that uses this connector).
|
||||
* To construct a string variable, use this following snippet. Make sure to replace the `connectorname` with actual name of the connector.
|
||||
For example, if you are using Azure Active Directory and Azure Sentinel connections in the playbook, then create two variables with actual connection names. The variables will be the connection names. Here we are creating a connection name using the connection (AzureAD) and "-" and the playbook name.
|
||||
To construct a string variable, use this following snippet. Make sure to replace the `connectorname` with actual name of the connector.
|
||||
For example, if you are using Azure Active Directory and Azure Sentinel connections in the playbook, then create a variable for each with actual connection name. Here we are creating a connection name using the connection (AzureAD) and "-" and the playbook name.
|
||||
For example:
|
||||
|
||||
```json
|
||||
"variables": {
|
||||
"AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]",
|
||||
"AzureSentinelConnectionDisplayName": "[concat('Azure Sentinel - ', parameters('PlaybookName'))]",
|
||||
"AzureADConnectionName": "[concat('azuread-', parameters('PlaybookName'))]",
|
||||
"AzureADConnectionDisplayName": "[concat('Azure AD -', parameters('PlaybookName'))]",
|
||||
... // other connections
|
||||
},
|
||||
|
||||
|
|
@ -152,13 +149,13 @@ In the `Microsoft.Logic/workflows` resource under `parameters / $connections`, t
|
|||
"$connections": {
|
||||
"value": {
|
||||
"azuread": {
|
||||
"connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureADConnectionName'))]",
|
||||
"connectionName": "[variables('AzureADConnectionName')]",
|
||||
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuread')]"
|
||||
"connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureADConnectionName'))]", //using the variable we created
|
||||
"connectionName": "[variables('AzureADConnectionName')]", //using the variable we created
|
||||
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuread')]" // same string we used to create the resource
|
||||
},
|
||||
"azuresentinel": {
|
||||
"connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", //using the variable we created
|
||||
"connectionName": "[variables('AzureSentinelConnectionName')]", //using the variable we created
|
||||
"connectionName": "[variables('AzureSentinelConnectionName')]", //using the variable we created
|
||||
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]" // same string we used to create the resource
|
||||
}
|
||||
}
|
||||
|
|
@ -267,9 +264,9 @@ locate here the deployment buttons (replace PlaybookFolderName)
|
|||
[Extended guidance for creating Azure Deploy button can be found here.](https://docs.microsoft.com/azure/azure-resource-manager/templates/deploy-to-azure-button)
|
||||
|
||||
|
||||
## Create a Pull request
|
||||
## Create a pull request
|
||||
Please locate the following files under a folder named by PlaybookName, which includes:
|
||||
* azuredeploy.json ([ARM Template](#templatize))
|
||||
* azuredeploy.json ([ARM Template](#Create-ARM-Template))
|
||||
* readme.md ([Readme file](#Create-Readme-file))
|
||||
* images folder ([screenshots](#Create-screenshots) folder)
|
||||
* ImageDark1.png
|
||||
|
|
|
|||
|
|
@ -1,110 +0,0 @@
|
|||
{
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"metadata":{
|
||||
"title": "Identity Protection Response From Teams",
|
||||
"description": "This playbook uses Azure Identity Protection features in order to responde to risky users. Attach this playbook to alert creation rules which expects to have entities of type Account attached to. When a new Azure Sentinel alert is created, the playbook iterates over the identities involved in the alert. The Microsoft Teams bot will post an adaptive card in the SOC channel, including the potential risky user information given by Azure AD Identity Protection. It will offer to configure the response on the Azure Sentinel incident and Identity Protection risky user with few clicks, directly from Teams.",
|
||||
"lastUpdateTime": "2021-05-18T10:00:15.123Z",
|
||||
"entities": ["Account"],
|
||||
"tags": ["identity protection", "Teams Bot"],
|
||||
"source": {
|
||||
"kind": "Community"
|
||||
},
|
||||
"author": {
|
||||
"Company": "Microsoft", // optional
|
||||
"name": "Lior Tamir"
|
||||
}
|
||||
},
|
||||
"parameters": {
|
||||
"Playbook Name": {
|
||||
"defaultValue": "IdentityProtectionResponseFromTeams",
|
||||
"type": "String",
|
||||
"metadata": {
|
||||
"description": "Name of the Logic Apps resource to be created"
|
||||
}
|
||||
},
|
||||
... // more parameters required to this playbook
|
||||
},
|
||||
"variables": {
|
||||
"AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]",
|
||||
"AzureSentinelConnectionDisplayName": "[concat('Azure Sentinel - ', parameters('PlaybookName'))]"
|
||||
... // 2 variables for each one of the connections (name and display name)
|
||||
},
|
||||
"resources": [
|
||||
{
|
||||
"type": "Microsoft.Web/connections",
|
||||
"apiVersion": "2016-06-01",
|
||||
"name": "[variables('AzureSentinelConnectionName')]",
|
||||
"location": "[resourceGroup().location]",
|
||||
"properties": {
|
||||
"displayName": "[variables('AzureSentinelConnectionDisplayName')]",
|
||||
"customParameterValues": {},
|
||||
"api": {
|
||||
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
|
||||
}
|
||||
}
|
||||
},
|
||||
|
||||
... // A resource for each API connection required in this playbook
|
||||
|
||||
{
|
||||
"type": "Microsoft.Logic/workflows",
|
||||
"apiVersion": "2017-07-01",
|
||||
"name": "[parameters('PlaybookName')]",
|
||||
"location": "[resourceGroup().location]",
|
||||
"tags": {
|
||||
"hidden-SentinelTemplateName": "Get-IPReputation",
|
||||
"hidden-SentinelTemplateVersion": "1.0"
|
||||
},
|
||||
"dependsOn": [
|
||||
"[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
|
||||
... // A dependency for each API connection required in this playbook
|
||||
],
|
||||
"properties": {
|
||||
"state": "Enabled",
|
||||
"definition": {
|
||||
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"parameters": {
|
||||
"$connections": {
|
||||
"defaultValue": {},
|
||||
"type": "Object"
|
||||
}
|
||||
},
|
||||
"triggers": {
|
||||
"When_Azure_Sentinel_incident_creation_rule_was_triggered": {
|
||||
"type": "ApiConnectionWebhook",
|
||||
"inputs": {
|
||||
"body": {
|
||||
"callback_url": "@{listCallbackUrl()}"
|
||||
},
|
||||
"host": {
|
||||
"connection": {
|
||||
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
|
||||
}
|
||||
},
|
||||
"path": "/incident-creation"
|
||||
}
|
||||
}
|
||||
},
|
||||
"actions": {
|
||||
... // The actions in this playbook
|
||||
},
|
||||
|
||||
"outputs": {}
|
||||
},
|
||||
"parameters": {
|
||||
"$connections": {
|
||||
"value": {
|
||||
"azuresentinel": {
|
||||
"connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
|
||||
"connectionName": "[variables('AzureSentinelConnectionName')]",
|
||||
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
Загрузка…
Ссылка в новой задаче