updated instructions added a few screenshots
swiftsolves-msft 2020-08-18 19:56:43 -04:00
Parent 8fd8ed0f2a
Commit 4709f8efb0
3 changed files: 12 additions and 3 deletions

Binary data
Playbooks/Update-BulkIncidents/images/logicappedit.png Normal file

Binary file not shown.

After

Width:  |  Height:  |  Size: 25 KiB

Binary data
Playbooks/Update-BulkIncidents/images/logicappuri.png Normal file

Binary file not shown.

After

Width:  |  Height:  |  Size: 50 KiB


@ -1,7 +1,7 @@
# Update-BulkIncidents
authors: Priscila Viana, Nathan Swift
This Logic App will act as listner, you can pass json object to a HTTP Endpoint to use KQL query to discover Azure Sentinel Security Incidents through the SecurityIncident table you wish to bulk change on. It includes a method to slective update by array []. It also includes a method to bulk change all
This Logic App will act as listener, you can pass json object to a HTTP Endpoint to use KQL query to discover Azure Sentinel Security Incidents through the SecurityIncident table you wish to bulk change on. It includes a method to slective update by array []. It also includes a method to bulk change all
<a href="https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FUpdate-BulkIncidents%2Fazuredeploy.json" target="_blank">
<img src="https://aka.ms/deploytoazurebutton"/>
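Review bot: the rewritten description line fixes "listner" but still carries "slective" (should be "selective"), and its final sentence, "It also includes a method to bulk change all", stops without saying what is bulk-changed; finish that sentence, and while touching the line write "a JSON object" and "an HTTP endpoint".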
@ -12,10 +12,18 @@ This Logic App will act as listner, you can pass json object to a HTTP Endpoint
**Additional Post Install Notes:**
The Logic App requires the SecurityIncident Table preview | You need to change the KQL Query within the action to close selective Security incidents else it will bulk close all Incidents creates. There is a seprate path as well so if you want to bulk close all security incidents via API you can, need to turn on MSI and assign RBAC 'Reader' role to the Logic App at the RG of the Azure Sentinel Workspace.
The Logic App requires the SecurityIncident Table preview | The Logic App creates and uses a Managed System Identity (MSI) to Read All Azure Sentinel Incidents for Sample #3.
Assign RBAC 'Reader' role to the Logic App at the Azure Sentinel Workspace level.
**Usage Notes**
To obtain your Logic App URI to make POST calls to, go to the Logic App designer mode and the first action and copy the URI
<img src="https://github.com/Azure/Azure-Sentinel/blob/master/Playbooks/Update-BulkIncidents/images/logicappedit.png"/>
<img src="https://github.com/Azure/Azure-Sentinel/blob/master/Playbooks/Update-BulkIncidents/images/logicappuri.png"/>
You can use Postman, PowerShell, or your favorite shell to send a JSON body to the Logic App Endpoint. Below are some code examples of usage.
At this time the Logic App can only bulk update the Status of Azure Sentinel Incidents.
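Review bot: the usage note at "To obtain your Logic App URI to make POST calls to" should say that this trigger URL carries its own access signature, so anyone holding it can bulk-update incident status; tell readers to keep it out of committed scripts and to regenerate it if it is exposed. Separately, both new <img> tags point at github.com/.../blob/... paths, which serve an HTML page rather than the image; use the relative path images/logicappedit.png and images/logicappuri.png (the files added in this commit) or the raw.githubusercontent.com URL. Moving the 'Reader' assignment from the resource group to the workspace level is the tighter scope; since the text says Reader only covers the read in Sample #3, also state which permission the update path relies on.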
@ -82,4 +90,5 @@ $json = @"
```
# Invoke call to Logic App
Invoke-WebRequest -Uri $uri -Method Post -Body $json -Headers $header
```
```
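Review bot: the line added at the end of this hunk is a third ``` after the fence that already closes the Invoke-WebRequest block, so it opens an empty fenced block that nothing closes and everything following it in the README renders as code; drop the added line.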