update readme
updated instructions, added a few screenshots
This commit is contained in:
Parent
8fd8ed0f2a
Commit
4709f8efb0
Binary file not shown.
After Width: | Height: | Size: 25 KiB |
Binary file not shown.
After Width: | Height: | Size: 50 KiB |
@ -1,7 +1,7 @@
# Update-BulkIncidents
authors: Priscila Viana, Nathan Swift
This Logic App will act as listner, you can pass json object to a HTTP Endpoint to use KQL query to discover Azure Sentinel Security Incidents through the SecurityIncident table you wish to bulk change on. It includes a method to slective update by array []. It also includes a method to bulk change all
This Logic App will act as listener, you can pass json object to a HTTP Endpoint to use KQL query to discover Azure Sentinel Security Incidents through the SecurityIncident table you wish to bulk change on. It includes a method to slective update by array []. It also includes a method to bulk change all
<a href="https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FUpdate-BulkIncidents%2Fazuredeploy.json" target="_blank">
<img src="https://aka.ms/deploytoazurebutton"/>
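Review bot: the replacement line fixes "listner" but still carries the typo "slective" ("a method to slective update by array []"), and the sentence is a run-on; suggest "This Logic App acts as a listener: you POST a JSON object to its HTTP endpoint, and a KQL query against the SecurityIncident table selects the Azure Sentinel incidents you wish to bulk-change. It includes a method to selectively update by array [] and a method to bulk-change all." The opening `<a href=...>` for the deploy button has no closing `</a>` visible in this hunk; confirm it is closed after the `<img>` tag.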
@ -12,10 +12,18 @@ This Logic App will act as listner, you can pass json object to a HTTP Endpoint
**Additional Post Install Notes:**
The Logic App requires the SecurityIncident Table preview | You need to change the KQL Query within the action to close selective Security incidents else it will bulk close all Incidents creates. There is a seprate path as well so if you want to bulk close all security incidents via API you can, need to turn on MSI and assign RBAC 'Reader' role to the Logic App at the RG of the Azure Sentinel Workspace.
The Logic App requires the SecurityIncident Table preview | The Logic App creates and uses a Managed System Identity (MSI) to Read All Azure Sentinel Incidents for Sample #3.
Assign RBAC 'Reader' role to the Logic App at the Azure Sentinel Workspace level.
**Usage Notes**
To obtain your Logic App URI to make POST calls to, go to the Logic App designer mode and the first action and copy the URI
<img src="https://github.com/Azure/Azure-Sentinel/blob/master/Playbooks/Update-BulkIncidents/images/logicappedit.png"/>
<img src="https://github.com/Azure/Azure-Sentinel/blob/master/Playbooks/Update-BulkIncidents/images/logicappuri.png"/>
You can use Postman, PowerShell, or your favorite shell to send a JSON body to the Logic App Endpoint. Below are some code examples of usage.
At this time the Logic App can only bulk update the Status of Azure Sentinel Incidents.
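Review bot: the rewritten post-install note drops the warning from the removed line that, unless the KQL query inside the action is changed, the default path bulk-closes every incident; for a playbook that mass-updates incident status that caveat is the single most important operational note, so keep it next to "At this time the Logic App can only bulk update the Status of Azure Sentinel Incidents". Two smaller points in the new Usage Notes: the screenshot `<img>` tags point at `https://github.com/.../blob/...` page URLs rather than the image files, so use relative paths (`images/logicappedit.png`, `images/logicappuri.png`) or raw URLs; and the "copy the URI" step should state that the HTTP trigger URI embeds its SAS signature and must be stored as a secret, because anyone holding it can invoke the bulk update.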
@ -82,4 +90,5 @@ $json = @"
```
# Invoke call to Logic App
Invoke-WebRequest -Uri $uri -Method Post -Body $json -Headers $header
```
```
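Review bot: the hunk ends with two consecutive ``` fences (the closing fence of the PowerShell sample followed by another one), which opens an empty code block or leaves a stray fence in the rendered README; drop the extra fence. While here, `Invoke-WebRequest -Uri $uri -Method Post -Body $json -Headers $header` sends the here-string without `-ContentType 'application/json'`; unless `$header` already sets Content-Type, PowerShell posts a string body as application/x-www-form-urlencoded and the Logic App HTTP trigger may reject or mis-parse it, so suggest appending `-ContentType 'application/json'` to the call.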