update to new MS Teams action
This commit is contained in:
Родитель
623526fbce
Коммит
430763a1ab
|
@ -1,12 +1,12 @@
|
|||
|
||||
{
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"metadata": {
|
||||
"title": "Prompt User - Alert",
|
||||
"description": "This playbook will ask the user if they completed the action from the alert in Azure Sentinel. If so, it will close the incident and add a comment. If not, it will post a message to teams for the SOC to investigate and add a comment to the incident.",
|
||||
"description": "This playbook will ask the user if they completed the action from the alert in Microsoft Sentinel. If so, it will close the incident and add a comment. If not, it will post a message to teams for the SOC to investigate and add a comment to the incident.",
|
||||
"prerequisites": "1. You will need the Team Id and Channel Id.",
|
||||
"lastUpdateTime": "2021-07-14T00:00:00.000Z",
|
||||
"postDeployment": [ "1. Assign Microsoft Sentinel Responder role to the Playbook's managed identity.", "2. Authorize Azure AD, Microsoft Teams, and Office 365 Outlook Logic App connections." ],
|
||||
"lastUpdateTime": "2022-03-22T00:00:00.000Z",
|
||||
"entities": [ "Account" ],
|
||||
"tags": [ "Remediation" ],
|
||||
"support": {
|
||||
|
@ -22,15 +22,15 @@
|
|||
"type": "string"
|
||||
},
|
||||
"TeamsId": {
|
||||
"metadata": {
|
||||
"description": "Enter the Teams Group ID"
|
||||
},
|
||||
"metadata": {
|
||||
"description": "Enter the Teams Group ID"
|
||||
},
|
||||
"type": "string"
|
||||
},
|
||||
"TeamsChannelId": {
|
||||
"metadata": {
|
||||
"description": "Enter the Teams Channel ID"
|
||||
},
|
||||
"TeamsChannelId": {
|
||||
"metadata": {
|
||||
"description": "Enter the Teams Channel ID"
|
||||
},
|
||||
"type": "string"
|
||||
}
|
||||
},
|
||||
|
@ -103,7 +103,7 @@
|
|||
"tags": {
|
||||
"LogicAppsCategory": "security",
|
||||
"hidden-SentinelTemplateName": "Prompt-User_alert",
|
||||
"hidden-SentinelTemplateVersion": "1.0"
|
||||
"hidden-SentinelTemplateVersion": "1.1"
|
||||
},
|
||||
"identity": {
|
||||
"type": "SystemAssigned"
|
||||
|
@ -216,12 +216,13 @@
|
|||
"runAfter": {},
|
||||
"type": "ApiConnection"
|
||||
},
|
||||
"Post_a_message_(V3)": {
|
||||
"Post_message_in_a_chat_or_channel": {
|
||||
"inputs": {
|
||||
"body": {
|
||||
"body": {
|
||||
"content": "<p>New alert from Azure Sentinel.<br>\nPlease investigate ASAP.<br>\nSeverity : @{body('Alert_-_Get_incident')?['properties']?['severity']}<br>\nDescription: @{body('Alert_-_Get_incident')?['properties']?['description']}<br>\n<br>\n@{body('Get_user')?['displayName']} user confirmed they did not complete the action.</p>",
|
||||
"contentType": "html"
|
||||
"messageBody": "<p>New alert from Azure Sentinel.<br>\nPlease investigate ASAP.<br>\nSeverity : @{body('Alert_-_Get_incident')?['properties']?['severity']}<br>\nDescription: @{body('Alert_-_Get_incident')?['properties']?['description']}<br>\n<br>\n@{body('Get_user')?['displayName']} user confirmed they did not complete the action.</p>",
|
||||
"recipient": {
|
||||
"channelId": "[parameters('TeamsChannelId')]",
|
||||
"groupId": "[parameters('TeamsId')]"
|
||||
},
|
||||
"subject": "Incident @{body('Alert_-_Get_incident')?['properties']?['incidentNumber']} - @{body('Alert_-_Get_incident')?['properties']?['title']}"
|
||||
},
|
||||
|
@ -231,7 +232,7 @@
|
|||
}
|
||||
},
|
||||
"method": "post",
|
||||
"path": "[concat('/v3/beta/teams/@{encodeURIComponent(', parameters('TeamsId'),')}/channels/@{encodeURIComponent(', parameters('TeamsChannelId'), ')}/messages')]"
|
||||
"path": "/beta/teams/conversation/message/poster/@{encodeURIComponent('User')}/location/@{encodeURIComponent('Channel')}"
|
||||
},
|
||||
"runAfter": {
|
||||
"Add_comment_to_incident_(V3)_2": [
|
||||
|
@ -369,4 +370,4 @@
|
|||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
|
@ -0,0 +1,8 @@
|
|||
### 1.1 Added new Post a Teams message action
|
||||
|
||||
- Replaced old Post a Teams message action with the new Post message in a chat or channel action
|
||||
- Update to readme file - adding post deployment steps
|
||||
|
||||
### 1.0
|
||||
|
||||
- Initial version
|
|
@ -1,12 +1,12 @@
|
|||
|
||||
{
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"metadata": {
|
||||
"title": "Prompt User - Incident",
|
||||
"description": "This playbook will ask the user if they completed the action from the Incident in Azure Sentinel. If so, it will close the incident and add a comment. If not, it will post a message to teams for the SOC to investigate and add a comment to the incident.",
|
||||
"description": "This playbook will ask the user if they completed the action from the Incident in Microsoft Sentinel. If so, it will close the incident and add a comment. If not, it will post a message to teams for the SOC to investigate and add a comment to the incident.",
|
||||
"prerequisites": "1. You will need the Team Id and Channel Id.",
|
||||
"lastUpdateTime": "2021-07-14T00:00:00.000Z",
|
||||
"postDeployment": [ "1. Assign Microsoft Sentinel Responder role to the Playbook's managed identity.", "2. Authorize Azure AD, Microsoft Teams, and Office 365 Outlook Logic App connections." ],
|
||||
"lastUpdateTime": "2022-03-22T00:00:00.000Z",
|
||||
"entities": [ "Account" ],
|
||||
"tags": [ "Remediation" ],
|
||||
"support": {
|
||||
|
@ -20,17 +20,17 @@
|
|||
"PlaybookName": {
|
||||
"defaultValue": "Prompt-User-Incident",
|
||||
"type": "string"
|
||||
},
|
||||
"TeamsId": {
|
||||
"metadata": {
|
||||
"description": "Enter the Teams Group ID"
|
||||
},
|
||||
},
|
||||
"TeamsId": {
|
||||
"metadata": {
|
||||
"description": "Enter the Teams Group ID"
|
||||
},
|
||||
"type": "string"
|
||||
},
|
||||
"TeamsChannelId": {
|
||||
"metadata": {
|
||||
"description": "Enter the Teams Channel ID"
|
||||
},
|
||||
"TeamsChannelId": {
|
||||
"metadata": {
|
||||
"description": "Enter the Teams Channel ID"
|
||||
},
|
||||
"type": "string"
|
||||
}
|
||||
},
|
||||
|
@ -103,7 +103,7 @@
|
|||
"tags": {
|
||||
"LogicAppsCategory": "security",
|
||||
"hidden-SentinelTemplateName": "Prompt-User",
|
||||
"hidden-SentinelTemplateVersion": "1.0"
|
||||
"hidden-SentinelTemplateVersion": "1.1"
|
||||
},
|
||||
"identity": {
|
||||
"type": "SystemAssigned"
|
||||
|
@ -199,22 +199,23 @@
|
|||
"runAfter": {},
|
||||
"type": "ApiConnection"
|
||||
},
|
||||
"Post_a_message_(V3)": {
|
||||
"Post_message_in_a_chat_or_channel": {
|
||||
"inputs": {
|
||||
"body": {
|
||||
"body": {
|
||||
"content": "<p>New alert from Azure Sentinel.<br>\nPlease investigate ASAP.<br>\nSeverity : @{triggerBody()?['object']?['properties']?['severity']}<br>\nDescription: @{triggerBody()?['object']?['properties']?['description']}<br>\n<br>\n@{body('Get_user')?['displayName']} user confirmed they did not complete the action.</p>",
|
||||
"contentType": "html"
|
||||
"messageBody": "<p>New alert from Azure Sentinel.<br>\nPlease investigate ASAP.<br>\nSeverity : @{triggerBody()?['object']?['properties']?['severity']}<br>\nDescription: @{triggerBody()?['object']?['properties']?['description']}<br>\n<br>\n@{body('Get_user')?['displayName']} user confirmed they did not complete the action.</p>",
|
||||
"recipient": {
|
||||
"channelId": "[parameters('TeamsChannelId')]",
|
||||
"groupId": "[parameters('TeamsId')]"
|
||||
},
|
||||
"subject": "Incident @{triggerBody()?['object']?['properties']?['incidentNumber']} - @{triggerBody()?['object']?['properties']?['title']}"
|
||||
},
|
||||
"host": {
|
||||
"connection": {
|
||||
"name": "@parameters('$connections')['teams_1']['connectionId']"
|
||||
"name": "@parameters('$connections')['teams']['connectionId']"
|
||||
}
|
||||
},
|
||||
"method": "post",
|
||||
"path": "[concat('/v3/beta/teams/@{encodeURIComponent(', parameters('TeamsId'),')}/channels/@{encodeURIComponent(', parameters('TeamsChannelId'), ')}/messages')]"
|
||||
"path": "/beta/teams/conversation/message/poster/@{encodeURIComponent('User')}/location/@{encodeURIComponent('Channel')}"
|
||||
},
|
||||
"runAfter": {
|
||||
"Add_comment_to_incident_(V3)_2": [
|
||||
|
@ -352,4 +353,4 @@
|
|||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
}
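Review bot: The `@ -199,22 +199,23 @@` hunk renames the action's connection reference from `@parameters('$connections')['teams_1']['connectionId']` to `['teams']`, but the `$connections` parameter definition and the connection resource/outputs of this template are not in the shown hunks, so if they still declare `teams_1` the action fails at run time with an unresolved connection — please confirm both were renamed (the alert template's hunk does not show a matching change). As in the alert template, `triggerBody()?['object']?['properties']?['description']`, `['title']` and `body('Get_user')?['displayName']` are interpolated unescaped into an HTML `messageBody`/`subject`, so markup in an incident description is rendered in the SOC channel as markup; if literal text is intended, wrap each with `replace(replace(..., '<', '&lt;'), '>', '&gt;')`. The body text still reads `New alert from Azure Sentinel.` while the metadata description was updated to Microsoft Sentinel. The `path` posts as `poster/User`, so the visible sender is presumably the account that authorises the Teams connection in post-deployment step 2 rather than the Flow bot; the readme should say so, since that account's Teams permissions are what the playbook acts with.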
|
|
@ -0,0 +1,8 @@
|
|||
### 1.1 Added new Post a Teams message action
|
||||
|
||||
- Replaced old Post a Teams message action with the new Post message in a chat or channel action
|
||||
- Update to readme file - adding post deployment steps
|
||||
|
||||
### 1.0
|
||||
|
||||
- Initial version
|
|
@ -1,7 +1,7 @@
|
|||
# Prompt-User
|
||||
author: Nicholas DiCola
|
||||
|
||||
This playbook will ask the user if they completed the action from the Incident in Azure Sentinel. If so, it will close the incident and add a comment. If not, it will post a message to teams for the SOC to investigate and add a comment to the incident.
|
||||
This playbook will ask the user if they completed the action from the Incident in Microsoft Sentinel. If so, it will close the incident and add a comment. If not, it will post a message to teams for the SOC to investigate and add a comment to the incident.
|
||||
|
||||
## Quick Deployment
|
||||
**Deploy with incident trigger** (recommended)
|
||||
|
@ -25,6 +25,10 @@ After deployment, you can run this playbook manually on an alert or attach it to
|
|||
|
||||
- [This](https://www.linkedin.com/pulse/3-ways-locate-microsoft-team-id-christopher-barber-/) blog shows some simple methods to get the Team Id. You will need the Team Id and Channel Id.
|
||||
|
||||
## Post deployment
|
||||
|
||||
1. Assign Microsoft Sentinel Responder role to the Playbook's managed identity
|
||||
2. Authorize Azure AD, Microsoft Teams, and Office 365 Outlook Logic App connections
|
||||
|
||||
## Screenshots
|
||||
**Incident Trigger**<br>
|
||||
|
|