diff --git a/DataConnectors/AADUserInfo/README.MD b/DataConnectors/AADUserInfo/README.MD
index db740b7d4f..989ad87fd2 100644
--- a/DataConnectors/AADUserInfo/README.MD
+++ b/DataConnectors/AADUserInfo/README.MD
@@ -9,9 +9,7 @@ The easiest way is via the provided ARM templates:
#### 1: Deploy via Azure ARM Template
1. Deploy the template.
-
-
-
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FAADUserInfo%2FData%20Conectors%2Fazuredeploy.json)
Alternatively you can deploy the elements manually.
#### 2: Deploy via VS Code
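Review bot: The template URI in the added button points at `Solutions%2FAADUserInfo%2FData%20Conectors%2Fazuredeploy.json`, while this README lives under `DataConnectors/AADUserInfo`. The path is in a different tree from every other connector in this patch, and `Conectors` looks misspelled. Please confirm that file exists at that exact path on `master`, or point the button at the template next to this README.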
diff --git a/DataConnectors/AWS-S3-AzureFunction/README.MD b/DataConnectors/AWS-S3-AzureFunction/README.MD
index 5c9e260a7b..18f54eef9b 100644
--- a/DataConnectors/AWS-S3-AzureFunction/README.MD
+++ b/DataConnectors/AWS-S3-AzureFunction/README.MD
@@ -18,9 +18,8 @@ Azure Sentinel Data connector to ingest AWS S3 Files using Azure Function App. T
## Installation / Setup Guide
1. Click "Deploy To Azure" (For both Commercial & Azure GOV)
-
-
-
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FDataConnectors%2FAWS-S3-AzureFunction%2Fazuredeploy_awss3.json)
+[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FDataConnectors%2FAWS-S3-AzureFunction%2Fazuredeploy_awss3.json)
2. Select the preferred **Subscription**, **Resource Group** and **Location**
**Note**
diff --git a/DataConnectors/AWS-SecurityHubFindings/README.md b/DataConnectors/AWS-SecurityHubFindings/README.md
index fe7d06ac54..c1e0392fa1 100644
--- a/DataConnectors/AWS-SecurityHubFindings/README.md
+++ b/DataConnectors/AWS-SecurityHubFindings/README.md
@@ -9,9 +9,9 @@ Ingest all the SecurityHub findings returned by SecurityHub API, ingests only fr
## Deploy AWS SecurityHub Data connector
1. Click "Deploy To Azure" (For both Commercial & Azure GOV)
-
-
-
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FDataConnectors%2FAWS-S3-AzureFunction%2Fazuredeploy_awss3.json)
+[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FDataConnectors%2FAWS-S3-AzureFunction%2Fazuredeploy_awss3.json)
+
2. Select the preferred **Subscription**, **Resource Group** and **Location**
**Note**
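Review bot: Both buttons added to the SecurityHub README deploy `DataConnectors%2FAWS-S3-AzureFunction%2Fazuredeploy_awss3.json`, which is the S3 connector's template and not one under `AWS-SecurityHubFindings`. This looks like a copy-paste from the previous file. A user following this README would deploy a different connector than the one documented, so the URI should reference the SecurityHub template instead.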
diff --git a/DataConnectors/CEF-VMSS/README.md b/DataConnectors/CEF-VMSS/README.md
index fe6a613f0f..66042086e9 100644
--- a/DataConnectors/CEF-VMSS/README.md
+++ b/DataConnectors/CEF-VMSS/README.md
@@ -16,18 +16,9 @@ The ARM template will deploy everything needed:
The ARM template includes the cloud init files which runs commands on the VM instance when it is deployed.
## Deploy RedHat VMSS
-
-
-
-
-
-
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)]("https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FDataConnectors%2FCEF-VMSS%2FCEF-VMSS-RH-Templatev2.json)
+[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)]("https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FDataConnectors%2FCEF-VMSS%2FCEF-VMSS-RH-Templatev2.json)
## Deploy Unbuntu VMSS
-
-
-
-
-
-
-
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)]("https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FDataConnectors%2FCEF-VMSS%2FCEF-VMSS-UB-Templatev2.json)
+[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)]("https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FDataConnectors2FCEF-VMSS%2FCEF-VMSS-UB-Templatev2.json)
\ No newline at end of file
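Review bot: All four added links open the destination with `("https://` and never close the quote, so the link target is not the intended portal URL. Drop the leading `"`, as the AADUserInfo and AWS-S3 READMEs in this patch do. The Ubuntu Gov link also contains `DataConnectors2FCEF-VMSS`, which is missing the `%` before `2F`, so the template path would not resolve even after the quote is fixed. The file still ends without a trailing newline.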
diff --git a/DataConnectors/DocuSign-SecurityEvents/README.md b/DataConnectors/DocuSign-SecurityEvents/README.md
index bcded69040..d9848dd175 100644
--- a/DataConnectors/DocuSign-SecurityEvents/README.md
+++ b/DataConnectors/DocuSign-SecurityEvents/README.md
@@ -64,9 +64,7 @@ It’s only one-time step to collect consent
## Configuration Steps to Deploy Function App
1. Click on Deploy to Azure (For both Commercial & Azure GOV)
-
-
-
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-docusignconnector-azuredeploy)
2. Select the preferred **Subscription**, **Resource Group** and **Location**
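Review bot: Step 1 says "For both Commercial & Azure GOV" but only one button is added, and it goes through `https://aka.ms/sentinel-docusignconnector-azuredeploy` rather than an explicit template URI like the other READMEs in this patch. A short link hides which template is deployed and can be retargeted without a change in this repo. Consider linking the raw `azuredeploy.json` URI directly and adding a `portal.azure.us` button if Gov is supported.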
diff --git a/DataConnectors/Fluentd-VMSS/README.md b/DataConnectors/Fluentd-VMSS/README.md
index 3dcbfbe10c..1de703e3a3 100644
--- a/DataConnectors/Fluentd-VMSS/README.md
+++ b/DataConnectors/Fluentd-VMSS/README.md
@@ -19,18 +19,9 @@ The ARM template includes the cloud init files which runs commands on the VM ins
## Deploy RedHat VMSS
-
-
-
-
-
-
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)]("https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FDataConnectors%2FFluentD-VMSS%2FFluentD-VMSS-RH-Templatev2.json)
+[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)]("https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FDataConnectors2FFluentD-VMSS%2FFluentD-VMSS-RH-Templatev2.json)
## Deploy Unbuntu VMSS
-
-
-
-
-
-
-
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)]("https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FDataConnectors%2FFluentd-VMSS%2FFluentD-VMSS-UB-Templatev2.json)
+[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)]("https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FDataConnectors2FFluentD-VMSS%2FFluentD-VMSS-UB-Templatev2.json)
\ No newline at end of file
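Review bot: The added links start the destination with an unclosed `"` (`]("https://...`), which breaks the target; remove the quote. Three of the four URIs also have path defects: both Gov links and none of the Commercial ones contain `DataConnectors2FFluentD-VMSS` (missing `%` before `2F`), and the folder is spelled `FluentD-VMSS` in three links but `Fluentd-VMSS` in the Ubuntu Commercial link. The directory in this diff header is `Fluentd-VMSS`, and raw.githubusercontent.com paths are case-sensitive, so the folder segment should match it in all four.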
diff --git a/DataConnectors/GitHub/readme.md b/DataConnectors/GitHub/readme.md
index d720707400..2252e75b46 100644
--- a/DataConnectors/GitHub/readme.md
+++ b/DataConnectors/GitHub/readme.md
@@ -28,9 +28,5 @@ This user will be used to grant access to the Key Vault secret.
Note: there are two parsers (here)[https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/GitHub] to make the logs useful
## Deploy the Logic App template
-
-
-
-
-
-
\ No newline at end of file
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)]("https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FDataConnectors%2FGitHub%2Fazuredeploy.json)
+[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)]("https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FDataConnectors%2FGitHub%2Fazuredeploy.json)
\ No newline at end of file
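Review bot: Both added links have a stray opening `"` in the destination (`]("https://portal.azure...`) with no closing quote, so the buttons will not resolve to the portal URL. Remove the quote. While touching this file, the context line above uses `(here)[...]`, which is reversed Markdown link syntax and should be `[here](...)`.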
diff --git a/DataConnectors/GithubFunction/readme.md b/DataConnectors/GithubFunction/readme.md
index 5948fca41d..88b7f652a4 100644
--- a/DataConnectors/GithubFunction/readme.md
+++ b/DataConnectors/GithubFunction/readme.md
@@ -15,9 +15,9 @@ A GitHub API Token is required. See the documentation to learn more about the [G
## Configuration Steps to Deploy Function App
1. Click on Deploy to Azure (For both Commercial & Azure GOV)
-
-
-
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FDataConnectors%2FGithubFunction%2Fazuredeploy.json)
+[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FDataConnectors%2FGithubFunction%2Fazuredeploy.json)
+
2. Select the preferred **Subscription**, **Resource Group** and **Location**
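Review bot: The "Deploy to Azure Gov" button links to `https://portal.azure.com/#create/...`, the same Commercial portal as the first button. The other Gov buttons in this patch use `https://portal.azure.us/`. As written, a Gov user clicking this button is sent to the Commercial cloud; change the host to `portal.azure.us`.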
diff --git a/DataConnectors/Logstash-VMSS/README.md b/DataConnectors/Logstash-VMSS/README.md
index 7e6c3961a4..52b79ebef1 100644
--- a/DataConnectors/Logstash-VMSS/README.md
+++ b/DataConnectors/Logstash-VMSS/README.md
@@ -16,18 +16,9 @@ The ARM template will deploy everything needed:
The ARM template includes the cloud init files which runs commands on the VM instance when it is deployed.
## Deploy RedHat VMSS
-
-
-
-
-
-
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)]("https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FDataConnectors%2FLogstash-VMSS%2FLogstash-VMSS-RH-Templatev2.json)
+[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)]("https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FDataConnectors2FLogstash-VMSS%2FLogstash-VMSS-RH-Templatev2.json)
## Deploy Unbuntu VMSS
-
-
-
-
-
-
-
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)]("https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FDataConnectors%2FLogstash-VMSS%2FLogstash-VMSS-UB-Templatev2.json)
+[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)]("https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FDataConnectors2FLogstash-VMSS%2FLogstash-VMSS-UB-Templatev2.json)
\ No newline at end of file
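Review bot: Each added link destination begins with `"` and has no closing quote, which breaks the target; remove it. Both Gov links additionally contain `DataConnectors2FLogstash-VMSS`, where the `%` before `2F` is missing, so the RedHat and Ubuntu Gov buttons would reference a non-existent path. The Commercial links have the correct `DataConnectors%2FLogstash-VMSS` and can be used as the reference.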
diff --git a/DataConnectors/MCASActivityFunction/readme.md b/DataConnectors/MCASActivityFunction/readme.md
index 40aafd5bb1..f7a43fce62 100644
--- a/DataConnectors/MCASActivityFunction/readme.md
+++ b/DataConnectors/MCASActivityFunction/readme.md
@@ -12,9 +12,8 @@ A MCAS API Token is required. See the documentation to learn more about the [API
## Configuration Steps to Deploy Function App
1. Click on Deploy to Azure (For both Commercial & Azure GOV)
-
-
-
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FDataConnectors%2FMCASActivityFunction%2Fazuredeploy.json)
+[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FDataConnectors%2FMCASActivityFunction%2Fazuredeploy.json)
2. Select the preferred **Subscription**, **Resource Group** and **Location**
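Review bot: The Gov button added here targets `https://portal.azure.com/`, identical to the Commercial button above it. Gov deployments elsewhere in this patch go to `https://portal.azure.us/`. Update the host so the button labelled "Deploy to Azure Gov" does not open the Commercial portal.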
diff --git a/DataConnectors/MCASActivityPlaybook/readme.md b/DataConnectors/MCASActivityPlaybook/readme.md
index 5f0ee97876..e421bb72cb 100644
--- a/DataConnectors/MCASActivityPlaybook/readme.md
+++ b/DataConnectors/MCASActivityPlaybook/readme.md
@@ -25,9 +25,5 @@ There are a number of configuration steps required to deploy the Logic App playb
Note: there is a parsers (here)[https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/MCAS] to make the logs more readable
## Deploy the Logic App template
-
-
-
-
-
-
\ No newline at end of file
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)]("https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FDataConnectors%2FMCASActivityPlaybook%2Fazuredeploy.json)
+[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)]("https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FDataConnectors%2FMCASActivityPlaybook%2Fazuredeploy.json)
\ No newline at end of file
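Review bot: The two added button links have an unbalanced `"` at the start of the destination (`]("https://...azuredeploy.json)`). Remove the quote so the link target is the portal URL itself. The context line `(here)[https://github.com/.../Parsers/MCAS]` also has its brackets and parentheses swapped and will not render as a link.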
diff --git a/DataConnectors/O365 Data/readme.md b/DataConnectors/O365 Data/readme.md
index 4c2223e90f..c47ade24cb 100644
--- a/DataConnectors/O365 Data/readme.md
+++ b/DataConnectors/O365 Data/readme.md
@@ -105,9 +105,7 @@ Invoke-WebRequest -Method Post -Headers $headerParams -Uri "https://manage.offic
Thanks to the published ARM template the deployment of the [Azure Funtion App](https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/O365%20Data) is done with just a few clicks.
1. Click to **Deploy the template / Deploy to Azure** below.
-
-
-
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FDataConnectors%2FO365%20Data%2Fazuredeploy.json)
2. Now it is time to use the noted details from previous steps.
- Select the right **Subscription**, **Resource Group** and **Region** where you what to deploy the Azure Funtion App.
diff --git a/DataConnectors/OneLogin/readme.md b/DataConnectors/OneLogin/readme.md
index ee0ce36d73..4af9f0e51e 100644
--- a/DataConnectors/OneLogin/readme.md
+++ b/DataConnectors/OneLogin/readme.md
@@ -7,16 +7,12 @@ The easiest way is via the provided ARM templates:
#### 1: Deploy via Azure ARM Template
1. Deploy the template.
-
-
-
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FDataConnectors%2FOneLogin%2Fazuredeploy.json)
2. Deploy permissions for the function to the Key Vault.
-
-
-
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FDataConnectors%2FOneLogin%2Fazuredeploy_kv.json)
Alternatively you can deploy the elements manually.
diff --git a/DataConnectors/Zoom/readme.md b/DataConnectors/Zoom/readme.md
index 67cb843154..92e25c34dd 100644
--- a/DataConnectors/Zoom/readme.md
+++ b/DataConnectors/Zoom/readme.md
@@ -7,15 +7,11 @@ The easiest way is via the provided ARM templates:
#### 1: Deploy via Azure ARM Template
1. Deploy the template.
-
-
-
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FDataConnectors%2FZoom%2Fazuredeploy.json)
2. Deploy permissions for the function to the Key Vault.
-
-
-
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FDataConnectors%2FZoom%2Fazuredeploy_kv.json)
Alternatively you can deploy the elements manually.
#### 2: Deploy via VS Code
diff --git a/Playbooks/Restrict-MDEUrl/readme.md b/Playbooks/Restrict-MDEUrl/readme.md
index 9925ac03ec..6c95c052fa 100644
--- a/Playbooks/Restrict-MDEUrl/readme.md
+++ b/Playbooks/Restrict-MDEUrl/readme.md
@@ -10,23 +10,15 @@ After deployment, attach this playbook to an **automation rule** so it runs when
[Learn more about automation rules](https://docs.microsoft.com/azure/sentinel/automate-incident-handling-with-automation-rules#creating-and-managing-automation-rules)
-
-
-
-
-
-
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)]("https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FRestrict-MDEUrl%2Fincident-trigger%2Fazuredeploy.json)
+[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)]("https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FRestrict-MDEUrl%2Fincident-trigger%2Fazuredeploy.json)
**Deploy with alert trigger**
After deployment, you can run this playbook manually on an alert or attach it to an **analytics rule** so it will rune when an alert is created.
-
-
-
-
-
-
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)]("https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FRestrict-MDEUrl%2Falert-trigger%2Fazuredeploy.json)
+[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)]("https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FRestrict-MDEUrl%2Falert-trigger%2Fazuredeploy.json)
## Prerequisites
- **For Gov Only** You will need to update the HTTP action URL to the correct URL documented [here](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/gov?view=o365-worldwide#api)
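Review bot: All four added links (incident-trigger and alert-trigger, Commercial and Gov) open the destination with `"` and never close it, so none of the buttons resolve to the portal. Remove the leading quote in each. Minor: the context sentence under "Deploy with alert trigger" reads "so it will rune when an alert is created"; "rune" should be "run".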
@@ -48,4 +40,4 @@ New-AzureAdServiceAppRoleAssignment -ObjectId $MI.ObjectId -PrincipalId $MI.Obje
**Incident Trigger**
![Incident Trigger](./incident-trigger/images/Restrict-MDEUrl_incident.png)
**Alert Trigger**
-![Alert Trigger](./alert-trigger/images/Restrict-MDEUrl_alert.png)
\ No newline at end of file
+![Alert Trigger](./alert-trigger/images/Restrict-MDEUrl_alert.png)
diff --git a/Playbooks/Revoke-AADSignInSessions/readme.md b/Playbooks/Revoke-AADSignInSessions/readme.md
index 976d80fd2a..13e2127d92 100644
--- a/Playbooks/Revoke-AADSignInSessions/readme.md
+++ b/Playbooks/Revoke-AADSignInSessions/readme.md
@@ -10,23 +10,15 @@ After deployment, attach this playbook to an **automation rule** so it runs when
[Learn more about automation rules](https://docs.microsoft.com/azure/sentinel/automate-incident-handling-with-automation-rules#creating-and-managing-automation-rules)
-
-
-
-
-
-
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)]("https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FRevoke-AADSignInSessions%2Fincident-trigger%2Fazuredeploy.json)
+[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)]("https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FRevoke-AADSignInSessions%2Fincident-trigger%2Fazuredeploy.json)
**Deploy with alert trigger**
After deployment, you can run this playbook manually on an alert or attach it to an **analytics rule** so it will rune when an alert is created.
-
-
-
-
-
-
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)]("https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FRevoke-AADSignInSessions%2Falert-trigger%2Fazuredeploy.json)
+[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)]("https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FRevoke-AADSignInSessions%2Falert-trigger%2Fazuredeploy.json)
## Prerequisites
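Review bot: The four added links share the same defect: the destination is written as `]("https://portal.azure...` with an opening quote and no closing one. This playbook revokes sign-in sessions, so a broken deploy button means responders fall back to manual deployment; fix the links by removing the `"`. The alert-trigger paragraph also carries the "rune" typo for "run".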
@@ -51,3 +43,4 @@ New-AzureAdServiceAppRoleAssignment -ObjectId $MI.ObjectId -PrincipalId $MI.Obje
![Incident Trigger](./incident-trigger/images/Revoke-AADSignInSessions_incident.png)
**Alert Trigger**
![Alert Trigger](./alert-trigger/images/Revoke-AADSignInSessions_alert.png)
+
diff --git a/Playbooks/Run-AzureVMPacketCapture/readme.md b/Playbooks/Run-AzureVMPacketCapture/readme.md
index 7301d8a933..32902284de 100644
--- a/Playbooks/Run-AzureVMPacketCapture/readme.md
+++ b/Playbooks/Run-AzureVMPacketCapture/readme.md
@@ -3,12 +3,8 @@ author: Nathan Swift
This playbook will take start a packet capture on a Azure VM Windows or Linux using Network Watcher, the capture will run for ten minutes, and will be stored on a blob storage account.
-
-
-
-
-
-
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)]("https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FRun-AzureVMPacketCapture%2Fazuredeploy.json)
+[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)]("https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FRun-AzureVMPacketCapture%2Fazuredeploy.json)
**Additional Post Install Notes:**
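Review bot: Both added links have a stray `"` at the start of the destination with no matching close, so the buttons do not point at the intended `#create/Microsoft.Template/uri/...` URL. Remove the quote from the Commercial and Gov links.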
@@ -16,4 +12,4 @@ The Logic App creates and uses a Managed System Identity (MSI) to authenticate a
Assign RBAC 'Reader' role to the Logic App at the Subscription level.
Assign RBAC 'Virtual Machine Contributor' role to the Logic App at the Subscription level.
-Assign RBAC 'Network Contributor' role to the Logic App at the Subscription level.
\ No newline at end of file
+Assign RBAC 'Network Contributor' role to the Logic App at the Subscription level.
diff --git a/Playbooks/Run-MDEAntivirus/readme.md b/Playbooks/Run-MDEAntivirus/readme.md
index e21c24f1ed..9daa6c6ed6 100644
--- a/Playbooks/Run-MDEAntivirus/readme.md
+++ b/Playbooks/Run-MDEAntivirus/readme.md
@@ -10,22 +10,15 @@ After deployment, attach this playbook to an **automation rule** so it runs when
[Learn more about automation rules](https://docs.microsoft.com/azure/sentinel/automate-incident-handling-with-automation-rules#creating-and-managing-automation-rules)
-
-
-
-
-
-
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)]("https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FRun-MDEAntivirus%2Fincident-trigger%2Fazuredeploy.json)
+[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)]("https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FRun-MDEAntivirus%2Fincident-trigger%2Fazuredeploy.json)
**Deploy with alert trigger**
After deployment, you can run this playbook manually on an alert or attach it to an **analytics rule** so it will rune when an alert is created.
-
-
-
-
-
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)]("https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FRun-MDEAntivirus%2Falert-trigger%2Fazuredeploy.json)
+[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)]("https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FRun-MDEAntivirus%2Falert-trigger%2Fazuredeploy.json)
## Prerequisites
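Review bot: The link destinations on all four added lines begin with an unclosed `"`. Remove it so the Markdown target is the bare portal URL, matching the form used in `Send-basic-email/README.md` in this same patch.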
@@ -47,4 +40,4 @@ New-AzureAdServiceAppRoleAssignment -ObjectId $MI.ObjectId -PrincipalId $MI.Obje
**Incident Trigger**
![Incident Trigger](./incident-trigger/images/Run-MDEAntivirus_incident.png)
**Alert Trigger**
-![Alert Trigger](./alert-trigger/images/Run-MDEAntivirus_alert.png)
\ No newline at end of file
+![Alert Trigger](./alert-trigger/images/Run-MDEAntivirus_alert.png)
diff --git a/Playbooks/Save-NamedLocations/readme.md b/Playbooks/Save-NamedLocations/readme.md
index 35dd42516f..9342f9fb36 100644
--- a/Playbooks/Save-NamedLocations/readme.md
+++ b/Playbooks/Save-NamedLocations/readme.md
@@ -9,9 +9,5 @@ An app registration should be created with permissions: Policy.Read.All.
This playbook uses an Azure Function to convert CIDR ranges to IP-addresses.
The function is deployed from the zip file which can be found in this repo.
-
-
-
-
-
-
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)]("https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FSave-NamedLocations%2Fazuredeploy.json)
+[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)]("https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FSave-NamedLocations%2Fazuredeploy.json)
\ No newline at end of file
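Review bot: Both added links use `]("https://...` with an unterminated quote, which breaks the target. Remove the `"`. The file also still ends without a trailing newline after the Gov button line.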
diff --git a/Playbooks/Send-ConnectorHealthStatus/readme.md b/Playbooks/Send-ConnectorHealthStatus/readme.md
index 375222cbed..b06716cd38 100644
--- a/Playbooks/Send-ConnectorHealthStatus/readme.md
+++ b/Playbooks/Send-ConnectorHealthStatus/readme.md
@@ -53,11 +53,7 @@ union withsource=TableName1 *
![7-SampleEmail](../Send-ConnectorHealthStatus/images/7-SampleEmail.png)
-
-
-
-
-
-
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)]("https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FSend-ConnectorHealthStatus%2Fazuredeploy.json)
+[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)]("https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2Send-ConnectorHealthStatus%2Fazuredeploy.json)
-This solution was built in close collaboration with Jeremy Tan, Benjamin Kovacevic & Javier Soriano
+This solution was built in close collaboration with Jeremy Tan, Benjamin Kovacevic & Javier Soriano
\ No newline at end of file
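Review bot: The Gov link contains `Playbooks%2Send-ConnectorHealthStatus`: the `F` of `%2F` is missing, and `%2S` is not a valid percent-escape, so the template path is wrong. It should read `Playbooks%2FSend-ConnectorHealthStatus` as in the Commercial link. Both links also start the destination with an unclosed `"`. The last changed line only removes the trailing newline from the credits sentence, which looks unintentional.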
diff --git a/Playbooks/Send-IngestionCostAlert/readme.md b/Playbooks/Send-IngestionCostAlert/readme.md
index f1d65093a5..afb608f525 100644
--- a/Playbooks/Send-IngestionCostAlert/readme.md
+++ b/Playbooks/Send-IngestionCostAlert/readme.md
@@ -235,10 +235,5 @@ In the final step below sends out an e-mail to the specified recipient list and
-
-
-
-
-
-
-
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)]("https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FSend-IngestionCostAlert%2Fazuredeploy.json)
+[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)]("https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2Send-IngestionCostAlert%2Fazuredeploy.json)
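Review bot: In the Gov link the path segment is `Playbooks%2Send-IngestionCostAlert`, missing the `F` in `%2F`, so the URI does not decode to a valid template path. Correct it to `Playbooks%2FSend-IngestionCostAlert`. Both links also have a stray opening `"` in the destination that needs removing.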
diff --git a/Playbooks/Send-UrlReport/ReadMe.md b/Playbooks/Send-UrlReport/ReadMe.md
index 22a80122b8..19889201ed 100644
--- a/Playbooks/Send-UrlReport/ReadMe.md
+++ b/Playbooks/Send-UrlReport/ReadMe.md
@@ -3,9 +3,5 @@ author: yaniv Shasha and Yehuda Tognder
This playbook will take each URL entity and query VirusTotal for URL Report (https://developers.virustotal.com/reference#url-report). You will need to register to thier community for an API key.
-
-
-
-
-
-
\ No newline at end of file
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)]("https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FSend-UrlReport%2Fazuredeploy.json)
+[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)]("https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FSend-UrlReport%2Fazuredeploy.json)
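Review bot: Both added link destinations start with `"` and have no closing quote, so the buttons will not open the template deployment blade. Remove the quote from each link.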
diff --git a/Playbooks/Send-basic-email/README.md b/Playbooks/Send-basic-email/README.md
index efb67859dd..cbe4ce3dd7 100644
--- a/Playbooks/Send-basic-email/README.md
+++ b/Playbooks/Send-basic-email/README.md
@@ -8,9 +8,10 @@ An O365 account to be used to send email notification
(The user account will be used in O365 connector (Send an email).)
## Deployment:
+
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FSend-basic-email%2Fazuredeploy.json)
-[![Deploy to Azure Gov](https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/deploytoazuregov.png)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FSend-basic-email%2Fazuredeploy.json)
-
+[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FSend-basic-email%2Fazuredeploy.json)
+
## Post-deployment
### Configure connections
diff --git a/Playbooks/Send-email-with-formatted-incident-report/readme.md b/Playbooks/Send-email-with-formatted-incident-report/readme.md
index 9e1862aab3..5a4c2f938f 100644
--- a/Playbooks/Send-email-with-formatted-incident-report/readme.md
+++ b/Playbooks/Send-email-with-formatted-incident-report/readme.md
@@ -9,9 +9,9 @@ An O365 account to be used to send email notification
Link with company logo. No formating since size is defined in the Playbook. Linke example - https://azure.microsoft.com/svghandler/azure-sentinel
## Deployment:
+
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FSend-email-with-formatted-incident-report%2Fazuredeploy.json)
-[![Deploy to Azure Gov](https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/deploytoazuregov.png)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FSend-email-with-formatted-incident-report%2Fazuredeploy.json)
-
+[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FSend-email-with-formatted-incident-report%2Fazuredeploy.json)
## Post-deployment
diff --git a/Playbooks/Sentinel-Incident-Action-RiskIQ-Reputation-All/readme.md b/Playbooks/Sentinel-Incident-Action-RiskIQ-Reputation-All/readme.md
index 560ebb322a..a1b5e00370 100644
--- a/Playbooks/Sentinel-Incident-Action-RiskIQ-Reputation-All/readme.md
+++ b/Playbooks/Sentinel-Incident-Action-RiskIQ-Reputation-All/readme.md
@@ -3,9 +3,5 @@ author: Brandon Dixon, RiskIQ
This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Azure Sentinel. You need a valid community or enterprise in order to use the connector and playbook. To learn more about the service and request a trial key, [register for free](https://community.riskiq.com/) or see the [API documentation](https://api.passivetotal.org/index.html).
-
-
-
-
-
-
\ No newline at end of file
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)]("https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FSentinel-Incident-Action-RiskIQ-Reputation-All%2Fazuredeploy.json)
+[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)]("https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FSentinel-Incident-Action-RiskIQ-Reputation-All%2Fazuredeploy.json)
\ No newline at end of file
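Review bot: The Commercial and Gov links are both written as `]("https://...azuredeploy.json)` with an unbalanced quote. Remove the `"` so the destination is the portal URL. The file still lacks a trailing newline.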
diff --git a/Playbooks/Sentinel-Incident-Action-RiskIQ-Reputation-Domain/readme.md b/Playbooks/Sentinel-Incident-Action-RiskIQ-Reputation-Domain/readme.md
index af2598aef1..fec9a4a6c8 100644
--- a/Playbooks/Sentinel-Incident-Action-RiskIQ-Reputation-Domain/readme.md
+++ b/Playbooks/Sentinel-Incident-Action-RiskIQ-Reputation-Domain/readme.md
@@ -3,9 +3,5 @@ author: Brandon Dixon, RiskIQ
This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Azure Sentinel. You need a valid community or enterprise in order to use the connector and playbook. To learn more about the service and request a trial key, [register for free](https://community.riskiq.com/) or see the [API documentation](https://api.passivetotal.org/index.html).
-
-
-
-
-
-
\ No newline at end of file
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)]("https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FSentinel-Incident-Action-RiskIQ-Reputation-Domain%2Fazuredeploy.json)
+[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)]("https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FSentinel-Incident-Action-RiskIQ-Reputation-Domain%2Fazuredeploy.json)
\ No newline at end of file
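Review bot: the two `+` lines for Sentinel-Incident-Action-RiskIQ-Reputation-Domain start the link destination with an unclosed `"` (`]("https://portal.azure.com/...`), which leaves the quote inside the URL and breaks both Deploy buttons. Drop the quote on the Azure and Azure Gov lines.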
diff --git a/Playbooks/Sentinel-Incident-Action-RiskIQ-Reputation-IP/readme.md b/Playbooks/Sentinel-Incident-Action-RiskIQ-Reputation-IP/readme.md
index 385220a514..e02ec8e7b5 100644
--- a/Playbooks/Sentinel-Incident-Action-RiskIQ-Reputation-IP/readme.md
+++ b/Playbooks/Sentinel-Incident-Action-RiskIQ-Reputation-IP/readme.md
@@ -3,9 +3,5 @@ author: Brandon Dixon, RiskIQ
This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Azure Sentinel. You need a valid community or enterprise in order to use the connector and playbook. To learn more about the service and request a trial key, [register for free](https://community.riskiq.com/) or see the [API documentation](https://api.passivetotal.org/index.html).
-
-
-
-
-
-
\ No newline at end of file
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)]("https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FSentinel-Incident-Action-RiskIQ-Reputation-IP%2Fazuredeploy.json)
+[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)]("https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FSentinel-Incident-Action-RiskIQ-Reputation-IP%2Fazuredeploy.json)
\ No newline at end of file
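Review bot: in the Sentinel-Incident-Action-RiskIQ-Reputation-IP readme the added Azure and Azure Gov links both have a stray `"` immediately after `](` with no closing quote, so neither badge links to the portal as written. Remove the quote from both destinations.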
diff --git a/Playbooks/Sentinel-Incident-Enrich-RiskIQ-Data-PassiveDns-All/readme.md b/Playbooks/Sentinel-Incident-Enrich-RiskIQ-Data-PassiveDns-All/readme.md
index a086e11a8f..5a4fcb7041 100644
--- a/Playbooks/Sentinel-Incident-Enrich-RiskIQ-Data-PassiveDns-All/readme.md
+++ b/Playbooks/Sentinel-Incident-Enrich-RiskIQ-Data-PassiveDns-All/readme.md
@@ -3,9 +3,5 @@ author: Brandon Dixon, RiskIQ
This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Azure Sentinel. You need a valid community or enterprise in order to use the connector and playbook. To learn more about the service and request a trial key, [register for free](https://community.riskiq.com/) or see the [API documentation](https://api.passivetotal.org/index.html).
-
-
-
-
-
-
\ No newline at end of file
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)]("https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FSentinel-Incident-Enrich-RiskIQ-Data-PassiveDns-All%2Fazuredeploy.json)
+[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)]("https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FSentinel-Incident-Enrich-RiskIQ-Data-PassiveDns-All%2Fazuredeploy.json)
\ No newline at end of file
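Review bot: both added links for Sentinel-Incident-Enrich-RiskIQ-Data-PassiveDns-All begin the destination with an unclosed `"`; Markdown takes that quote as part of the URL, so the buttons will not open the template deployment. Remove the `"` after `](` on each line.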
diff --git a/Playbooks/Sentinel-Incident-Enrich-RiskIQ-Data-PassiveDns-Domain/readme.md b/Playbooks/Sentinel-Incident-Enrich-RiskIQ-Data-PassiveDns-Domain/readme.md
index 7af1224680..2a0af50ff0 100644
--- a/Playbooks/Sentinel-Incident-Enrich-RiskIQ-Data-PassiveDns-Domain/readme.md
+++ b/Playbooks/Sentinel-Incident-Enrich-RiskIQ-Data-PassiveDns-Domain/readme.md
@@ -3,9 +3,5 @@ author: Brandon Dixon, RiskIQ
This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Azure Sentinel. You need a valid community or enterprise in order to use the connector and playbook. To learn more about the service and request a trial key, [register for free](https://community.riskiq.com/) or see the [API documentation](https://api.passivetotal.org/index.html).
-
-
-
-
-
-
\ No newline at end of file
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)]("https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FSentinel-Incident-Enrich-RiskIQ-Data-PassiveDns-Domain%2Fazuredeploy.json)
+[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)]("https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FSentinel-Incident-Enrich-RiskIQ-Data-PassiveDns-Domain%2Fazuredeploy.json)
\ No newline at end of file
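Review bot: the Sentinel-Incident-Enrich-RiskIQ-Data-PassiveDns-Domain badges have an unclosed `"` at the start of each link destination (`]("https://...`), which breaks both links. Drop the quote; the file also still lacks a newline at end of file on the new side.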
diff --git a/Playbooks/Sentinel-Incident-Enrich-RiskIQ-Data-PassiveDns-IP/readme.md b/Playbooks/Sentinel-Incident-Enrich-RiskIQ-Data-PassiveDns-IP/readme.md
index 029b6b0906..c30b0e20b6 100644
--- a/Playbooks/Sentinel-Incident-Enrich-RiskIQ-Data-PassiveDns-IP/readme.md
+++ b/Playbooks/Sentinel-Incident-Enrich-RiskIQ-Data-PassiveDns-IP/readme.md
@@ -3,9 +3,5 @@ author: Brandon Dixon, RiskIQ
This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Azure Sentinel. You need a valid community or enterprise in order to use the connector and playbook. To learn more about the service and request a trial key, [register for free](https://community.riskiq.com/) or see the [API documentation](https://api.passivetotal.org/index.html).
-
-
-
-
-
-
\ No newline at end of file
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)]("https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FSentinel-Incident-Enrich-RiskIQ-Data-PassiveDns-IP%2Fazuredeploy.json)
+[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)]("https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FSentinel-Incident-Enrich-RiskIQ-Data-PassiveDns-IP%2Fazuredeploy.json)
\ No newline at end of file
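Review bot: the two added lines for Sentinel-Incident-Enrich-RiskIQ-Data-PassiveDns-IP put a `"` directly after `](` and never close it, so the quote ends up in the URL and the Deploy buttons are dead. Remove the quote from both the portal.azure.com and portal.azure.us links.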
diff --git a/Playbooks/Sentinel-Incident-Enrich-RiskIQ-Data-Summary-All/readme.md b/Playbooks/Sentinel-Incident-Enrich-RiskIQ-Data-Summary-All/readme.md
index 1f4624b640..9b22915676 100644
--- a/Playbooks/Sentinel-Incident-Enrich-RiskIQ-Data-Summary-All/readme.md
+++ b/Playbooks/Sentinel-Incident-Enrich-RiskIQ-Data-Summary-All/readme.md
@@ -3,9 +3,5 @@ author: Brandon Dixon, RiskIQ
This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Azure Sentinel. You need a valid community or enterprise in order to use the connector and playbook. To learn more about the service and request a trial key, [register for free](https://community.riskiq.com/) or see the [API documentation](https://api.passivetotal.org/index.html).
-
-
-
-
-
-
\ No newline at end of file
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)]("https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FSentinel-Incident-Enrich-RiskIQ-Data-Summary-All%2Fazuredeploy.json)
+[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)]("https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FSentinel-Incident-Enrich-RiskIQ-Data-Summary-All%2Fazuredeploy.json)
\ No newline at end of file
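Review bot: both badge destinations added to the Sentinel-Incident-Enrich-RiskIQ-Data-Summary-All readme start with an unclosed `"`, so the links do not resolve to the Azure portal. Remove the `"` after `](` on each of the two `+` lines.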
diff --git a/Playbooks/Sentinel-Incident-Enrich-RiskIQ-Data-Summary-Domain/readme.md b/Playbooks/Sentinel-Incident-Enrich-RiskIQ-Data-Summary-Domain/readme.md
index 62eae3f139..4e325649a5 100644
--- a/Playbooks/Sentinel-Incident-Enrich-RiskIQ-Data-Summary-Domain/readme.md
+++ b/Playbooks/Sentinel-Incident-Enrich-RiskIQ-Data-Summary-Domain/readme.md
@@ -3,9 +3,5 @@ author: Brandon Dixon, RiskIQ
This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Azure Sentinel. You need a valid community or enterprise in order to use the connector and playbook. To learn more about the service and request a trial key, [register for free](https://community.riskiq.com/) or see the [API documentation](https://api.passivetotal.org/index.html).
-
-
-
-
-
-
\ No newline at end of file
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)]("https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FSentinel-Incident-Enrich-RiskIQ-Data-Summary-Domain%2Fazuredeploy.json)
+[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)]("https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FSentinel-Incident-Enrich-RiskIQ-Data-Summary-Domain%2Fazuredeploy.json)
\ No newline at end of file
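Review bot: the Azure and Azure Gov links added for Sentinel-Incident-Enrich-RiskIQ-Data-Summary-Domain each carry a stray opening `"` inside the parentheses with no closing quote, which breaks the link target. Drop the quote on both lines.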
diff --git a/Playbooks/Sentinel-Incident-Enrich-RiskIQ-Data-Summary-IP/readme.md b/Playbooks/Sentinel-Incident-Enrich-RiskIQ-Data-Summary-IP/readme.md
index cfcd39fb46..34f4b62afb 100644
--- a/Playbooks/Sentinel-Incident-Enrich-RiskIQ-Data-Summary-IP/readme.md
+++ b/Playbooks/Sentinel-Incident-Enrich-RiskIQ-Data-Summary-IP/readme.md
@@ -3,9 +3,5 @@ author: Brandon Dixon, RiskIQ
This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Azure Sentinel. You need a valid community or enterprise in order to use the connector and playbook. To learn more about the service and request a trial key, [register for free](https://community.riskiq.com/) or see the [API documentation](https://api.passivetotal.org/index.html).
-
-
-
-
-
-
\ No newline at end of file
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)]("https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FSentinel-Incident-Enrich-RiskIQ-Data-Summary-IP%2Fazuredeploy.json)
+[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)]("https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FSentinel-Incident-Enrich-RiskIQ-Data-Summary-IP%2Fazuredeploy.json)
\ No newline at end of file
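Review bot: in the Sentinel-Incident-Enrich-RiskIQ-Data-Summary-IP readme both added destinations read `]("https://...` with no closing quote, so the `"` is treated as part of the URL and the badges do not deploy anything. Remove the quote from both links.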
diff --git a/Playbooks/Sentinel-Incident-Enrich-RiskIQ-Data-Whois-All/readme.md b/Playbooks/Sentinel-Incident-Enrich-RiskIQ-Data-Whois-All/readme.md
index 15a96758a5..ca7ded2d50 100644
--- a/Playbooks/Sentinel-Incident-Enrich-RiskIQ-Data-Whois-All/readme.md
+++ b/Playbooks/Sentinel-Incident-Enrich-RiskIQ-Data-Whois-All/readme.md
@@ -3,9 +3,5 @@ author: Brandon Dixon, RiskIQ
This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Azure Sentinel. You need a valid community or enterprise in order to use the connector and playbook. To learn more about the service and request a trial key, [register for free](https://community.riskiq.com/) or see the [API documentation](https://api.passivetotal.org/index.html).
-
-
-
-
-
-
\ No newline at end of file
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)]("https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FSentinel-Incident-Enrich-RiskIQ-Data-Whois-All%2Fazuredeploy.json)
+[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)]("https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FSentinel-Incident-Enrich-RiskIQ-Data-Whois-All%2Fazuredeploy.json)
\ No newline at end of file
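Review bot: the two added badge links for Sentinel-Incident-Enrich-RiskIQ-Data-Whois-All have an unclosed `"` at the start of the link destination, which breaks both buttons. Remove the `"` after `](`, and add the missing newline at end of file while editing.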
diff --git a/Playbooks/Sentinel-Incident-Enrich-RiskIQ-Data-Whois-Domain/readme.md b/Playbooks/Sentinel-Incident-Enrich-RiskIQ-Data-Whois-Domain/readme.md
index 83f84ff464..b0bc7fa40c 100644
--- a/Playbooks/Sentinel-Incident-Enrich-RiskIQ-Data-Whois-Domain/readme.md
+++ b/Playbooks/Sentinel-Incident-Enrich-RiskIQ-Data-Whois-Domain/readme.md
@@ -3,9 +3,5 @@ author: Brandon Dixon, RiskIQ
This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Azure Sentinel. You need a valid community or enterprise in order to use the connector and playbook. To learn more about the service and request a trial key, [register for free](https://community.riskiq.com/) or see the [API documentation](https://api.passivetotal.org/index.html).
-
-
-
-
-
-
\ No newline at end of file
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)]("https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FSentinel-Incident-Enrich-RiskIQ-Data-Whois-Domain%2Fazuredeploy.json)
+[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)]("https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FSentinel-Incident-Enrich-RiskIQ-Data-Whois-Domain%2Fazuredeploy.json)
\ No newline at end of file
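Review bot: both `+` lines in the Sentinel-Incident-Enrich-RiskIQ-Data-Whois-Domain readme open the destination with `"` and never close it, so the links are malformed. Drop the quote on the Azure and Azure Gov lines.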
diff --git a/Playbooks/Sentinel-Incident-Enrich-RiskIQ-Data-Whois-IP/readme.md b/Playbooks/Sentinel-Incident-Enrich-RiskIQ-Data-Whois-IP/readme.md
index 25242e9792..2a0dac8c31 100644
--- a/Playbooks/Sentinel-Incident-Enrich-RiskIQ-Data-Whois-IP/readme.md
+++ b/Playbooks/Sentinel-Incident-Enrich-RiskIQ-Data-Whois-IP/readme.md
@@ -3,9 +3,5 @@ author: Brandon Dixon, RiskIQ
This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Azure Sentinel. You need a valid community or enterprise in order to use the connector and playbook. To learn more about the service and request a trial key, [register for free](https://community.riskiq.com/) or see the [API documentation](https://api.passivetotal.org/index.html).
-
-
-
-
-
-
\ No newline at end of file
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)]("https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FSentinel-Incident-Enrich-RiskIQ-Data-Whois-IP%2Fazuredeploy.json)
+[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)]("https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FSentinel-Incident-Enrich-RiskIQ-Data-Whois-IP%2Fazuredeploy.json)
\ No newline at end of file
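Review bot: the added Deploy links for Sentinel-Incident-Enrich-RiskIQ-Data-Whois-IP each begin the URL with a stray, unclosed `"`, leaving the quote in the link target. Remove it from both destinations so the badges point at portal.azure.com and portal.azure.us.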
diff --git a/Playbooks/Sentinel-Incident-Enrich-RiskIQ-Intel-Summary-All/readme.md b/Playbooks/Sentinel-Incident-Enrich-RiskIQ-Intel-Summary-All/readme.md
index baffe5b94b..f652eb1ab1 100644
--- a/Playbooks/Sentinel-Incident-Enrich-RiskIQ-Intel-Summary-All/readme.md
+++ b/Playbooks/Sentinel-Incident-Enrich-RiskIQ-Intel-Summary-All/readme.md
@@ -3,9 +3,5 @@ author: Brandon Dixon, RiskIQ
This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Azure Sentinel. You need a valid community or enterprise in order to use the connector and playbook. To learn more about the service and request a trial key, [register for free](https://community.riskiq.com/) or see the [API documentation](https://api.passivetotal.org/index.html).
-
-
-
-
-
-
\ No newline at end of file
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)]("https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FSentinel-Incident-Enrich-RiskIQ-Intel-Summary-All%2Fazuredeploy.json)
+[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)]("https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FSentinel-Incident-Enrich-RiskIQ-Intel-Summary-All%2Fazuredeploy.json)
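Review bot: both added links for Sentinel-Incident-Enrich-RiskIQ-Intel-Summary-All start the destination with an unclosed `"` (`]("https://...`), so the badges are broken even though this hunk does fix the missing end-of-file newline. Remove the quote after `](` on both lines.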
diff --git a/Playbooks/Sentinel-Incident-Enrich-RiskIQ-Intel-Summary-Domain/readme.md b/Playbooks/Sentinel-Incident-Enrich-RiskIQ-Intel-Summary-Domain/readme.md
index ffac61c6bd..1ce91feb43 100644
--- a/Playbooks/Sentinel-Incident-Enrich-RiskIQ-Intel-Summary-Domain/readme.md
+++ b/Playbooks/Sentinel-Incident-Enrich-RiskIQ-Intel-Summary-Domain/readme.md
@@ -3,9 +3,5 @@ author: Brandon Dixon, RiskIQ
This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Azure Sentinel. You need a valid community or enterprise in order to use the connector and playbook. To learn more about the service and request a trial key, [register for free](https://community.riskiq.com/) or see the [API documentation](https://api.passivetotal.org/index.html).
-
-
-
-
-
-
\ No newline at end of file
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)]("https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FSentinel-Incident-Enrich-RiskIQ-Intel-Summary-Domain%2Fazuredeploy.json)
+[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)]("https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FSentinel-Incident-Enrich-RiskIQ-Intel-Summary-Domain%2Fazuredeploy.json)
\ No newline at end of file
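Review bot: the Sentinel-Incident-Enrich-RiskIQ-Intel-Summary-Domain badges have an opening `"` inside the link parentheses with no closing quote, which makes the quote part of the URL. Drop it from both the Azure and Azure Gov links.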
diff --git a/Playbooks/Sentinel-Incident-Enrich-RiskIQ-Intel-Summary-IP/readme.md b/Playbooks/Sentinel-Incident-Enrich-RiskIQ-Intel-Summary-IP/readme.md
index 2fd11ea436..94065d1f7c 100644
--- a/Playbooks/Sentinel-Incident-Enrich-RiskIQ-Intel-Summary-IP/readme.md
+++ b/Playbooks/Sentinel-Incident-Enrich-RiskIQ-Intel-Summary-IP/readme.md
@@ -3,9 +3,5 @@ author: Brandon Dixon, RiskIQ
This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Azure Sentinel. You need a valid community or enterprise in order to use the connector and playbook. To learn more about the service and request a trial key, [register for free](https://community.riskiq.com/) or see the [API documentation](https://api.passivetotal.org/index.html).
-
-
-
-
-
-
\ No newline at end of file
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)]("https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FSentinel-Incident-Enrich-RiskIQ-Intel-Summary-IP%2Fazuredeploy.json)
+[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)]("https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FSentinel-Incident-Enrich-RiskIQ-Intel-Summary-IP%2Fazuredeploy.json)
\ No newline at end of file
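Review bot: in the Sentinel-Incident-Enrich-RiskIQ-Intel-Summary-IP readme the two added destinations begin with an unclosed `"`, so neither Deploy button resolves. Remove the `"` after `](` on each line.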
diff --git a/Playbooks/Sentinel-Incident-Enrich-RiskIQ-Reputation-Summary-All/readme.md b/Playbooks/Sentinel-Incident-Enrich-RiskIQ-Reputation-Summary-All/readme.md
index 5983d28721..3d29a741f1 100644
--- a/Playbooks/Sentinel-Incident-Enrich-RiskIQ-Reputation-Summary-All/readme.md
+++ b/Playbooks/Sentinel-Incident-Enrich-RiskIQ-Reputation-Summary-All/readme.md
@@ -3,9 +3,5 @@ author: Brandon Dixon, RiskIQ
This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Azure Sentinel. You need a valid community or enterprise in order to use the connector and playbook. To learn more about the service and request a trial key, [register for free](https://community.riskiq.com/) or see the [API documentation](https://api.passivetotal.org/index.html).
-
-
-
-
-
-
\ No newline at end of file
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)]("https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FSentinel-Incident-Enrich-RiskIQ-Reputation-Summary-All%2Fazuredeploy.json)
+[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)]("https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FSentinel-Incident-Enrich-RiskIQ-Reputation-Summary-All%2Fazuredeploy.json)
\ No newline at end of file
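Review bot: both added links for Sentinel-Incident-Enrich-RiskIQ-Reputation-Summary-All carry a stray `"` at the start of the URL with no matching close, which breaks the link target. Remove the quote from both lines; the new side also still has no newline at end of file.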
diff --git a/Playbooks/Sentinel-Incident-Enrich-RiskIQ-Reputation-Summary-Domain/readme.md b/Playbooks/Sentinel-Incident-Enrich-RiskIQ-Reputation-Summary-Domain/readme.md
index d30ef5d6df..9ab36432da 100644
--- a/Playbooks/Sentinel-Incident-Enrich-RiskIQ-Reputation-Summary-Domain/readme.md
+++ b/Playbooks/Sentinel-Incident-Enrich-RiskIQ-Reputation-Summary-Domain/readme.md
@@ -3,9 +3,5 @@ author: Brandon Dixon, RiskIQ
This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Azure Sentinel. You need a valid community or enterprise in order to use the connector and playbook. To learn more about the service and request a trial key, [register for free](https://community.riskiq.com/) or see the [API documentation](https://api.passivetotal.org/index.html).
-
-
-
-
-
-
\ No newline at end of file
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)]("https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FSentinel-Incident-Enrich-RiskIQ-Reputation-Summary-Domain%2Fazuredeploy.json)
+[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)]("https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FSentinel-Incident-Enrich-RiskIQ-Reputation-Summary-Domain%2Fazuredeploy.json)
\ No newline at end of file
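Review bot: the Azure and Azure Gov badge links added to the Sentinel-Incident-Enrich-RiskIQ-Reputation-Summary-Domain readme read `]("https://...` with the quote never closed, so the buttons do not link to the portal. Drop the quote in both destinations.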
diff --git a/Playbooks/Sentinel-Incident-Enrich-RiskIQ-Reputation-Summary-IP/readme.md b/Playbooks/Sentinel-Incident-Enrich-RiskIQ-Reputation-Summary-IP/readme.md
index bb4c06c7bb..3d603db5a5 100644
--- a/Playbooks/Sentinel-Incident-Enrich-RiskIQ-Reputation-Summary-IP/readme.md
+++ b/Playbooks/Sentinel-Incident-Enrich-RiskIQ-Reputation-Summary-IP/readme.md
@@ -3,9 +3,5 @@ author: Brandon Dixon, RiskIQ
This playbook uses the RiskIQ PassiveTotal connector to automatically enrich incidents generated by Azure Sentinel. You need a valid community or enterprise in order to use the connector and playbook. To learn more about the service and request a trial key, [register for free](https://community.riskiq.com/) or see the [API documentation](https://api.passivetotal.org/index.html).
-
-
-
-
-
-
\ No newline at end of file
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)]("https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FSentinel-Incident-Enrich-RiskIQ-Reputation-Summary-IP%2Fazuredeploy.json)
+[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)]("https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FSentinel-Incident-Enrich-RiskIQ-Reputation-Summary-IP%2Fazuredeploy.json)
\ No newline at end of file
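Review bot: the two `+` lines for Sentinel-Incident-Enrich-RiskIQ-Reputation-Summary-IP have an unclosed `"` immediately after `](`, leaving the quote inside the URL. Remove it on both the commercial and Gov links.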
diff --git a/Playbooks/Sentinel-Intel-Action-RiskIQ-Intel-Article-Ingest/readme.md b/Playbooks/Sentinel-Intel-Action-RiskIQ-Intel-Article-Ingest/readme.md
index 7e0903dba8..5540266738 100644
--- a/Playbooks/Sentinel-Intel-Action-RiskIQ-Intel-Article-Ingest/readme.md
+++ b/Playbooks/Sentinel-Intel-Action-RiskIQ-Intel-Article-Ingest/readme.md
@@ -3,9 +3,5 @@ author: Brandon Dixon, RiskIQ
This playbook will populate the Microsoft Security Graph for Azure Sentinel with indicators from RiskIQ articles. You need a valid community or enterprise in order to use the connector and playbook. To learn more about the service and request a trial key, [register for free](https://community.riskiq.com/) or see the [API documentation](https://api.passivetotal.org/index.html).
-
-
-
-
-
-
\ No newline at end of file
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)]("https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FSentinel-Intel-Action-RiskIQ-Intel-Article-Ingest%2Fazuredeploy.json)
+[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)]("https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FSentinel-Intel-Action-RiskIQ-Intel-Article-Ingest%2Fazuredeploy.json)
\ No newline at end of file
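Review bot: both added badges in the Sentinel-Intel-Action-RiskIQ-Intel-Article-Ingest readme open the link destination with a `"` that is never closed, so the Deploy buttons are malformed. Remove the quote after `](` on each line and add the trailing newline the file still lacks.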
diff --git a/Playbooks/Sync-IncidentsWithJIRA/readme.md b/Playbooks/Sync-IncidentsWithJIRA/readme.md
index 67613cfa12..bb85181dc9 100644
--- a/Playbooks/Sync-IncidentsWithJIRA/readme.md
+++ b/Playbooks/Sync-IncidentsWithJIRA/readme.md
@@ -145,12 +145,10 @@ A lot of JIRA Custom fields are used within these Logic Apps. It's important to
For more information about the different custom fields used, please check the JIRA Configuration.
### Sync Incidents from Sentinel to JIRA
-
-
-
-
-
-
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)]("https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FSync-IncidentsWithJIRA%2FPlaybooks%2FSync-Incidents.json)
+[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)]("https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FSync-IncidentsWithJIRA%2FPlaybooks%2FSync-Incidents.json)
+
This Logic App will create a new incident in JIRA when an incident in Sentinel is created.
It uses the 'Incident Trigger' from Sentinel and is triggered by an Automation Rule (see Sentinel Configuration).
This Logic App does the following:
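Review bot: the added Gov link under "Sync Incidents from Sentinel to JIRA" has a duplicated path segment, `Azure%2FAzure%2FAzure-Sentinel`, where the commercial link directly above it has `Azure%2FAzure-Sentinel`, so the Gov button points at a different raw path than intended for Sync-Incidents.json. Remove the extra `Azure%2F`, and drop the unclosed `"` after `](` that both added links carry.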
@@ -170,12 +168,10 @@ If you do not use organizations in JIRA, you can remove the switch.
![Switch](Images/Azure%20-%20Switch%20Organization.png)
### Sync status from JIRA to Sentinel
-
-
-
-
-
-
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)]("https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FSync-IncidentsWithJIRA%2FPlaybooks%2FSync-Status.json)
+[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)]("https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FSync-IncidentsWithJIRA%2FPlaybooks%2FSync-Status.json)
+
This Logic App will change the status in Sentinel when the status has been changed in JIRA.
It uses an HTTP trigger which is triggered from a JIRA Automation Rule.
It's important you use the same closure reason in JIRA as the ones in Sentinel, otherwise the sync will fail.
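Review bot: in the "Sync status from JIRA to Sentinel" section the Gov link again encodes `Azure%2FAzure%2FAzure-Sentinel` while the commercial link uses `Azure%2FAzure-Sentinel`; the extra `Azure%2F` should go so both buttons fetch the same Sync-Status.json. Both destinations also start with an unclosed `"` that needs removing.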
@@ -184,12 +180,10 @@ It uses one connections:
* One connection to Sentinel through a Service Principal (to be configured when deploying the Logic App)
### Sync assigned user from JIRA to Sentinel
-
-
-
-
-
-
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)]("https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FSync-IncidentsWithJIRA%2FPlaybooks%2FSync-AssignedUser.json)
+[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)]("https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FSync-IncidentsWithJIRA%2FPlaybooks%2FSync-AssignedUser.json)
+
When a incident is assigned in JIRA, this will assign the correct user inside of Azure Sentinel.
It uses an HTTP trigger which is triggered from a JIRA Automation Rule when the assigned user of an incident is changed.
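Review bot: the Gov link for Sync-AssignedUser.json contains `Azure%2FAzure%2FAzure-Sentinel`, one `Azure%2F` more than the commercial link above it, so the two badges do not reference the same template path. Fix the path and remove the stray unclosed `"` at the start of both link destinations.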
@@ -200,12 +194,10 @@ There is a check built-in to make sure that JIRA provides the assigned user. Som
* One connection to a Key Vault to retrieve the Secret for the Service Principal with AAD permissions (also configured when deploying the Logic App)
### Add a link to the JIRA incident to the Sentinel incident
-
-
-
-
-
-
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)]("https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FSync-IncidentsWithJIRA%2FPlaybooks%2FAdd-JIRALinkComment.json)
+[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)]("https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FSync-IncidentsWithJIRA%2FPlaybooks%2FAdd-JIRALinkComment.json)
+
This Logic App will add a URL to the JIRA incident as a comment to the Sentinel Incident.
It uses an HTTP trigger which is triggered from a JIRA Automation Rule.
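Review bot: the added Gov link for Add-JIRALinkComment.json repeats the `Azure%2F` segment (`Azure%2FAzure%2FAzure-Sentinel`) unlike the commercial link, so it does not point at the same file. Remove the duplicate segment and the unclosed `"` after `](` on both lines.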
@@ -214,12 +206,10 @@ It uses one connections:
* One connection to Sentinel through a Service Principal (to be configured when deploying the Logic App)
## 5. Deploy Azure Function
-
-
-
-
-
-
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)]("https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FSync-IncidentsWithJIRA%2FPlaybooks%2FSync-Status.json)
+[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)]("https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FSync-IncidentsWithJIRA%2FPlaybooks%2FSync-Status.json)
+
To sync incident comments from JIRA to Azure Sentinel an Azure Function is used. This Function App contains one Powershell Function.
There are two types of comments in JIRA: internal and public comments. This script will only sync the public comments, so that customers don't have access to the internal ones.
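Review bot: under "## 5. Deploy Azure Function" both added badges target `Playbooks%2FSync-Status.json`, the same template already linked from the "Sync status from JIRA to Sentinel" section, which looks like a copy-paste; a button under this heading should deploy the Function App that syncs comments, not the status Logic App. Point the links at the Function App's own template, and also fix the duplicated `Azure%2F` in the Gov URL and the unclosed `"` at the start of both destinations.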
@@ -252,4 +242,4 @@ For actions, choose 'Run Playbook' and select the 'Sync-Incidents' Playbook.
After this solution, you are able to work on Azure Sentinel incidents while staying in your trusted ITSM tool.
This tool should take care of any previous synchronization issues between the JIRA and Sentinel.
-For any issues with the tool or requested improvements, feel free to create an issue on Github or contact me through [Twitter](https://twitter.com/thijslecomte).
\ No newline at end of file
+For any issues with the tool or requested improvements, feel free to create an issue on Github or contact me through [Twitter](https://twitter.com/thijslecomte).
diff --git a/Playbooks/Sync-Sentinel-Incident-Comments-To-M365Defender/readme.md b/Playbooks/Sync-Sentinel-Incident-Comments-To-M365Defender/readme.md
index 4cf682311c..33ce924ea3 100644
--- a/Playbooks/Sync-Sentinel-Incident-Comments-To-M365Defender/readme.md
+++ b/Playbooks/Sync-Sentinel-Incident-Comments-To-M365Defender/readme.md
@@ -3,12 +3,8 @@ author: Prateek Taneja, Benjamin Kovacevic
This Playbook synchronizes the comments made to Microsoft 365 Defender Incidents in Azure Sentinel to comments in the corresponding Incident in the Microsoft 365 Defender portal. The LogicApp looks for comments added to Incidents in the past 24 hours and writes these comments to the corresponding M365 incident in the M365 Security and Compliance exprience available at https://security.microsoft.com
-
-
-
-
-
-
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FSync-Sentinel-Incident-Comments-To-M365Defender%2Fazuredeploy.json)
+[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FSync-Sentinel-Incident-Comments-To-M365Defender%2Fazuredeploy.json)
Deploying this playbook requires the following steps:
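Review bot: the unchanged description line just above the added badges still reads "exprience"; since this readme is being edited anyway, correct it to "experience". The two added links are well-formed here (no quote after `](`), which is the form the other readmes in this patch should follow.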
@@ -45,4 +41,4 @@ NOTE: The secret is displayed only once, so make sure you copy and save it NOW s
Back on the application that was registered in Step 1, copy the Directory (tenant) ID and the Application (client) ID
![screenshot](./images/IDs.JPG)
--------------------------------------------------------------------------------------------
\ No newline at end of file
+-------------------------------------------------------------------------------------------
diff --git a/Playbooks/TritonDetectionAndResponse/readme.md b/Playbooks/TritonDetectionAndResponse/readme.md
index 21288cfa20..5971d9a900 100644
--- a/Playbooks/TritonDetectionAndResponse/readme.md
+++ b/Playbooks/TritonDetectionAndResponse/readme.md
@@ -12,9 +12,5 @@ This playbook allows users to validate any PLC programming command which is perf
### This playbook currently leverages Incident Trigger which is in Private Preview.
-
-
-
-
-
-
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)]("https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FTritonDetectionAndResponse%2Fazuredeploy.json)
+[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)]("https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FTritonDetectionAndResponse%2Fazuredeploy.json)
\ No newline at end of file
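Review bot: Both added link targets in this hunk open with a stray double quote, `]("https://portal.azure.com/...` and `]("https://portal.azure.us/...`, and the quote is never closed, so neither destination is a valid absolute URL and the buttons will not reach the deployment blade. Drop the `"` after the opening parenthesis on both lines so they match the unquoted form used for Sync-Sentinel-Incident-Comments-To-M365Defender earlier in this patch. The file also still ends without a trailing newline, which other readmes in this change fix.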
diff --git a/Playbooks/Unisolate-MDEMachine/readme.md b/Playbooks/Unisolate-MDEMachine/readme.md
index 14f781aec4..97c706f0e7 100644
--- a/Playbooks/Unisolate-MDEMachine/readme.md
+++ b/Playbooks/Unisolate-MDEMachine/readme.md
@@ -10,24 +10,15 @@ After deployment, attach this playbook to an **automation rule** so it runs when
[Learn more about automation rules](https://docs.microsoft.com/azure/sentinel/automate-incident-handling-with-automation-rules#creating-and-managing-automation-rules)
-
-
-
-
-
-
-
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)]("https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FUnisolate-MDEMachine%2Fincident-trigger%2Fazuredeploy.json)
+[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)]("https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FUnisolate-MDEMachine%2Fincident-trigger%2Fazuredeploy.json)
**Deploy with alert trigger**
After deployment, you can run this playbook manually on an alert or attach it to an **analytics rule** so it will rune when an alert is created.
-
-
-
-
-
-
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)]("https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FUnisolate-MDEMachine%2Falert-trigger%2Fazuredeploy.json)
+[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)]("https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FUnisolate-MDEMachine%2Falert-trigger%2Fazuredeploy.json)
## Prerequisites
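Review bot: All four added button links in this hunk (incident-trigger and alert-trigger, commercial and Gov) start their target with an unclosed double quote, `]("https://...`, so none of them resolves to the portal URL. Remove the `"` from each of the four lines. While this paragraph is being touched, the context line "so it will rune when an alert is created" has a typo ("rune" for "run") that could be fixed in the same commit.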
@@ -49,4 +40,4 @@ New-AzureAdServiceAppRoleAssignment -ObjectId $MI.ObjectId -PrincipalId $MI.Obje
**Incident Trigger**
![Incident Trigger](./incident-trigger/images/Unisolate-MDEMachine_incident.png)
**Alert Trigger**
-![Alert Trigger](./alert-trigger/images/Unisolate-MDEMachine_alert.png)
\ No newline at end of file
+![Alert Trigger](./alert-trigger/images/Unisolate-MDEMachine_alert.png)
diff --git a/Playbooks/Update-BulkIncidents/readme.md b/Playbooks/Update-BulkIncidents/readme.md
index 53d7a11568..ea651f8be1 100644
--- a/Playbooks/Update-BulkIncidents/readme.md
+++ b/Playbooks/Update-BulkIncidents/readme.md
@@ -3,12 +3,8 @@ authors: Priscila Viana, Nathan Swift
This Logic App will act as listener, you can pass json object to a HTTP Endpoint to use KQL query to discover Azure Sentinel Security Incidents through the SecurityIncident table you wish to bulk change on. It includes a method to selective update by array [].
-
-
-
-
-
-
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)]("https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FUpdate-BulkIncidents%2Fazuredeploy.json)
+[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)]("https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FUpdate-BulkIncidents%2Fazuredeploy.json)
**Additional Post Install Notes:**
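Review bot: The two added link targets here begin with `("https://` and never close the quote, so the Deploy to Azure and Deploy to Azure Gov buttons point at an invalid URL. Remove the leading `"` from both targets. Since this Logic App exposes an HTTP endpoint that bulk-updates incidents, a link that does not resolve pushes users toward copying the template URL by hand, which is exactly what the button is meant to avoid.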
@@ -71,4 +67,4 @@ $json = @"
}
}
"@
-```
\ No newline at end of file
+```
diff --git a/Playbooks/Update-Watchlist-With-NamedLocation/Readme.md b/Playbooks/Update-Watchlist-With-NamedLocation/Readme.md
index 57a86b04f3..d0a7c0f67f 100644
--- a/Playbooks/Update-Watchlist-With-NamedLocation/Readme.md
+++ b/Playbooks/Update-Watchlist-With-NamedLocation/Readme.md
@@ -8,7 +8,7 @@ version: 1.0
This Logic App runs on a scheduled basis (every 7 days by default) and checks if new IP ranges have been added to your Named Location. If there are new IP ranges, they will be added to your preexisting Azure Sentinel Watchlist, which you can then use in queries, analytics, hunting queries, etc. for correlation.
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FUpdate-Watchlist-With-NamedLocation%2Fazuredeploy.json)
-[![Deploy to Azure Gov](https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/deploytoazuregov.png)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FUpdate-Watchlist-With-NamedLocation%2Fazuredeploy.json)
+[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FUpdate-Watchlist-With-NamedLocation%2Fazuredeploy.json)
## Pre-requisites
diff --git a/Playbooks/Watchlist-Add-HostToWatchList/readme.md b/Playbooks/Watchlist-Add-HostToWatchList/readme.md
index e1427077f9..647f57c6e8 100644
--- a/Playbooks/Watchlist-Add-HostToWatchList/readme.md
+++ b/Playbooks/Watchlist-Add-HostToWatchList/readme.md
@@ -47,12 +47,5 @@ This playbook will add a Host entity to a new or existing watchlist.
-
-
-
-
-
-
-
-
-
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)]("https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FWatchlist-Add-HostToWatchList%2Fazuredeploy.json)
+[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)]("https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FWatchlist-Add-HostToWatchList%2Fazuredeploy.json)
\ No newline at end of file
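Review bot: The "Deploy to Azure Gov" line targets `portal.azure.com` instead of `portal.azure.us`, so a Gov user is taken to the commercial portal and may deploy the playbook into the wrong cloud. In addition, both added targets start with an unclosed double quote, `]("https://...`, which breaks the link. Change the Gov host to `portal.azure.us`, remove the `"` from both lines, and add a trailing newline to the file.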
diff --git a/Playbooks/Watchlist-Add-IPToWatchList/readme.md b/Playbooks/Watchlist-Add-IPToWatchList/readme.md
index 18873f466b..f71941b453 100644
--- a/Playbooks/Watchlist-Add-IPToWatchList/readme.md
+++ b/Playbooks/Watchlist-Add-IPToWatchList/readme.md
@@ -46,12 +46,5 @@ This playbook will add a IP entity to a new or existing watchlist.
-
-
-
-
-
-
-
-
-
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FWatchlist-Add-IPToWatchList%2Fazuredeploy.json)
+[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FWatchlist-Add-IPToWatchList%2Fazuredeploy.json
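Review bot: The added "Deploy to Azure Gov" line is missing its closing parenthesis after `azuredeploy.json`, so the inline link is never terminated, and it also points at `portal.azure.com` rather than `portal.azure.us`. Close the link and switch the host to the Gov portal, as the Gov buttons for Sync-Sentinel-Incident-Comments-To-M365Defender and Update-Watchlist-With-NamedLocation in this patch already do.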
diff --git a/Playbooks/Watchlist-Add-URLToWatchList/readme.md b/Playbooks/Watchlist-Add-URLToWatchList/readme.md
index 5533265eec..ab9b9e0e9b 100644
--- a/Playbooks/Watchlist-Add-URLToWatchList/readme.md
+++ b/Playbooks/Watchlist-Add-URLToWatchList/readme.md
@@ -46,12 +46,5 @@ This playbook will add a URL entity to a new or existing watchlist.
-
-
-
-
-
-
-
-
-
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FWatchlist-Add-URLToWatchList%2Fazuredeploy.json)
+[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FWatchlist-Add-URLToWatchList%2Fazuredeploy.json)
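Review bot: The "Deploy to Azure Gov" target in this hunk uses `https://portal.azure.com/` and is therefore identical to the commercial link on the line above it. It should use `https://portal.azure.us/` so that Gov tenants land in the correct portal.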
diff --git a/Playbooks/Watchlist-Add-UserToWatchList/readme.md b/Playbooks/Watchlist-Add-UserToWatchList/readme.md
index 672a811f18..b7a6fe63f9 100644
--- a/Playbooks/Watchlist-Add-UserToWatchList/readme.md
+++ b/Playbooks/Watchlist-Add-UserToWatchList/readme.md
@@ -46,12 +46,5 @@ This playbook will add a User entity to a new or existing watchlist.
-
-
-
-
-
-
-
-
-
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FFWatchlist-Add-UserToWatchList%2Fazuredeploy.json)
+[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FWatchlist-Add-UserToWatchList%2Fazuredeploy.json
\ No newline at end of file
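Review bot: The commercial link encodes the path as `Playbooks%2FFWatchlist-Add-UserToWatchList`, with a doubled `F` after `%2F`, so it requests a folder named `FWatchlist-Add-UserToWatchList` that does not match the directory this readme lives in. The Gov line has two further problems: it targets `portal.azure.com` instead of `portal.azure.us`, and it lacks the closing parenthesis after `azuredeploy.json`. Fix the path, switch the Gov host, close the link, and end the file with a newline.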
diff --git a/Playbooks/Watchlist-ChangeIncidentSeverityandTitleIFUserVIP/readme.md b/Playbooks/Watchlist-ChangeIncidentSeverityandTitleIFUserVIP/readme.md
index 09af53dfa8..0deb3b7bcb 100644
--- a/Playbooks/Watchlist-ChangeIncidentSeverityandTitleIFUserVIP/readme.md
+++ b/Playbooks/Watchlist-ChangeIncidentSeverityandTitleIFUserVIP/readme.md
@@ -19,9 +19,5 @@ For each IP:
-
-
-
-
-
-
\ No newline at end of file
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FWatchlist-ChangeIncidentSeverityandTitleIFUserVIP%2Fazuredeploy.json)
+[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FWatchlist-ChangeIncidentSeverityandTitleIFUserVIP%2Fazuredeploy.json)
\ No newline at end of file
diff --git a/Playbooks/Watchlist-CloseIncidentKnownIPs/readme.md b/Playbooks/Watchlist-CloseIncidentKnownIPs/readme.md
index 07374af5eb..e8288b1efc 100644
--- a/Playbooks/Watchlist-CloseIncidentKnownIPs/readme.md
+++ b/Playbooks/Watchlist-CloseIncidentKnownIPs/readme.md
@@ -23,9 +23,5 @@ Update incident by the results:
-
-
-
-
-
-
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FWatchlist-CloseIncidentKnownIPs%2Fazuredeploy.json)
+[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FWatchlist-CloseIncidentKnownIPs%2Fazuredeploy.json)
\ No newline at end of file
diff --git a/Playbooks/Watchlist-InformSubowner-IncidentTrigger/readme.md b/Playbooks/Watchlist-InformSubowner-IncidentTrigger/readme.md
index 511d54d7a4..84d2cf030b 100644
--- a/Playbooks/Watchlist-InformSubowner-IncidentTrigger/readme.md
+++ b/Playbooks/Watchlist-InformSubowner-IncidentTrigger/readme.md
@@ -12,10 +12,5 @@ Note: This playbook utilizes two features currently in Preview.
-
-
-
-
-
-
-
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FWatchlist-InformSubowner-IncidentTrigger%2Fazuredeploy.json)
+[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FWatchlist-InformSubowner-IncidentTrigger%2Fazuredeploy.json)
\ No newline at end of file
diff --git a/Playbooks/Watchlist-SendSQLData-Watchlist/readme.md b/Playbooks/Watchlist-SendSQLData-Watchlist/readme.md
index 365090a5ed..f2fc234156 100644
--- a/Playbooks/Watchlist-SendSQLData-Watchlist/readme.md
+++ b/Playbooks/Watchlist-SendSQLData-Watchlist/readme.md
@@ -56,9 +56,5 @@ Click on Authorize to log in with your user, and don't forget to save.
-
-
-
-
-
-
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FWatchlist-SendSQLData-Watchlist%2Fazuredeploy.json)
+[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FWatchlist-SendSQLData-Watchlist%2Fazuredeploy.json)
diff --git a/Playbooks/Zscaler-add-Domains-to-URL-Category/README.md b/Playbooks/Zscaler-add-Domains-to-URL-Category/README.md
index d3b1837921..852b0152c6 100644
--- a/Playbooks/Zscaler-add-Domains-to-URL-Category/README.md
+++ b/Playbooks/Zscaler-add-Domains-to-URL-Category/README.md
@@ -35,12 +35,8 @@ You will need the following items to enter in to the template settings during de
This deployment template contains two resources: An integration account and a logic app. The integration account is a requirement for executing javascript code, which is an operation used by the logicapp.
-
-
-
-
-
-
+([![Deploy to Azure](https://aka.ms/deploytoazurebutton)]()https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2Zscaler-add-Domains-to-URL-Category%2Fmaster%2Fazuredeploy.json)
+[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FZscaler-add-Domains-to-URL-Category%2Fmaster%2Fazuredeploy.json)
#
First we will need to configure the Zscaler API Roles, API Admin Accounts, and gather the necessary information to fill in the ARM deployment template.
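Review bot: The added "Deploy to Azure" line is malformed: it opens with an extra `(`, gives the button an empty target `]()`, and leaves the portal URL as bare text after it, so the button links nowhere. The URL itself contains `Playbooks%2Zscaler-add-Domains`, where `%2Z` is not a valid percent-escape (the `F` of `%2F` is missing). Both lines also insert a `%2Fmaster%2F` segment between the playbook folder and `azuredeploy.json`, which no other playbook link in this patch has, so please confirm that path exists. Finally, the Gov button targets `portal.azure.com` rather than `portal.azure.us`.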
diff --git a/Tools/Sentinel-All-In-One/ARMTemplates/README.md b/Tools/Sentinel-All-In-One/ARMTemplates/README.md
index a5cfcad1bd..91edd415e4 100644
--- a/Tools/Sentinel-All-In-One/ARMTemplates/README.md
+++ b/Tools/Sentinel-All-In-One/ARMTemplates/README.md
@@ -24,4 +24,4 @@ The template performs the following tasks:
- Enables Scheduled analytics rules that apply to all the enabled connectors
-[![Deploy To Azure](https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/deploytoazure.svg?sanitize=true)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FTools%2FSentinel-All-In-One%2FARMTemplates%2Fazuredeploy.json/createUIDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FTools%2FSentinel-All-In-One%2FARMTemplates%2FcreateUiDefinition.json)
+[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FTools%2FSentinel-All-In-One%2FARMTemplates%2Fazuredeploy.json/createUIDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FTools%2FSentinel-All-In-One%2FARMTemplates%2FcreateUiDefinition.json)
diff --git a/Tools/UploadToBlobLookupTables/readme.md b/Tools/UploadToBlobLookupTables/readme.md
index 8750485ea2..751ac34d80 100644
--- a/Tools/UploadToBlobLookupTables/readme.md
+++ b/Tools/UploadToBlobLookupTables/readme.md
@@ -12,9 +12,7 @@ There are 2 deployment Options.
#### 1: Deploy via Azure ARM Template
1. Deploy the template.
-
-
-
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FTools%2FUploadToBlobLookupTables%2Fazuredeploy.json)
#### 2: Deploy via VS Code
Note: You will need to prepare VS code for Azure function development. See https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-powershell#prerequisites
diff --git a/Watchlists/Azure-Public-IPs/readme.md b/Watchlists/Azure-Public-IPs/readme.md
index f62d37309f..db44921e04 100644
--- a/Watchlists/Azure-Public-IPs/readme.md
+++ b/Watchlists/Azure-Public-IPs/readme.md
@@ -31,7 +31,4 @@ To deploy, users will need:
10. Click "Create".
11. Within a minute or two, the template should deploy and the Watchlist should appear within the Azure Sentinel environment.
-
-
-
-
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FWatchlists%2FAzure-Public-IPs%2Fazuredeploy.json)
\ No newline at end of file
diff --git a/Watchlists/NOBELIUM-TI/readme.md b/Watchlists/NOBELIUM-TI/readme.md
index c59cfa206d..19b5233398 100644
--- a/Watchlists/NOBELIUM-TI/readme.md
+++ b/Watchlists/NOBELIUM-TI/readme.md
@@ -34,7 +34,4 @@ To deploy, users will need:
10. Click "Create".
11. Within a minute or two, the template should deploy and the Watchlist should appear within the Azure Sentinel environment.
-
-
-
-
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FWatchlists%2FNOBELIUM-TI%2Fazuredeploy.json)
\ No newline at end of file