fix: metadata object added, F5 hardcoded value

Oleh Speka 2022-08-29 00:49:36 +03:00
Parent 6d3ae17692
Commit 4ff88e5ed0
7 changed files: 79 additions and 9 deletions

View file

@ -317,5 +317,19 @@
}
}
}
]
],
"metadata":{
"title": "Cisco ASA - Add or remove IP Addresses from a Network Object Group",
"description": "This playbook allows blocking/allowing of IPs in Cisco ASA, using a Network Object Group. This allows making changes to a Network Object Group members, instead of making Access Control Entries. The Network Object Group itself should be part of an Access Control Entry.",
"prerequisites": "1. This playbook template is based on Azure Sentinel HTTP trigger 2. Cisco ASA custom connector needs to be deployed prior to the deployment of this playbook, in the same resource group and region. Relevant instructions can be found in the connector [doc page](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/CiscoASA/Playbooks/CustomConnector). 3. In Cisco ASA there needs to be a Network Object Group. You can create a Network Object Group using Cisco ASDM, [Configure a Network Object Group](https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/asdm76/firewall/asdm-76-firewall-config/access-objects.html#ariaid-title6), or using the CLI, [Configuring a Network Object Group](https://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/acl_objects.html#86292). The Network Object Group can be blocked using an access rule, [Configure Access Rules](https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/asdm76/firewall/asdm-76-firewall-config/access-rules.html#ID-2124-00000152)",
"lastUpdateTime": "2022-08-29T10:43:00Z",
"entities": ["ip"],
"tags": ["Remediation", "Incident management"],
"support": {
"tier": "microsoft"
},
"author": {
"name": "microsoft"
}
}
}
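Review bot: the `lastUpdateTime` value `2022-08-29T10:43:00Z` is later than the commit timestamp (2022-08-29 00:49 +03:00, i.e. 2022-08-28 21:49Z), so it was typed by hand rather than taken from the change, and the same value is reused in every metadata block in this commit; use the actual time of the change and keep it in sync on later edits. Also, `prerequisites` packs three numbered steps into one string ("1. This playbook template is based on Azure Sentinel HTTP trigger 2. Cisco ASA custom connector ..."); if the consuming tooling renders markdown, separate the steps with line breaks so they do not run together.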

View file

@ -601,5 +601,19 @@
}
}
}
]
],
"metadata":{
"title": "Cisco Firepower - Add IP Addresses to a Network Group object",
"description": "This playbook allows blocking of IPs in Cisco Firepower, using a Network Group object. This allows making changes to a Network Group selected members, instead of making Access List Entries. The Network Group object itself should be part of an Access List Entry.",
"prerequisites": "1. Cisco Firepower custom connector needs to be deployed prior to the deployment of this playbook, in the same resource group and region. Relevant instructions can be found in the connector [doc pages](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/CiscoFirepower/CustomConnector). 2. In Cisco Firepower there needs to be a Network Group object. [Creating Network Objects](https://www.cisco.com/c/en/us/td/docs/security/firepower/630/configuration/guide/fpmc-config-guide-v63/reusable_objects.html#ariaid-title15)",
"lastUpdateTime": "2022-08-29T10:43:00Z",
"entities": ["ip"],
"tags": ["Remediation", "Incident management"],
"support": {
"tier": "microsoft"
},
"author": {
"name": "microsoft"
}
}
}
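Review bot: the connector doc link in `prerequisites` points at `.../tree/master/Playbooks/CiscoFirepower/CustomConnector`, while the Cisco ASA block in the same commit uses the `Solutions/CiscoASA/Playbooks/CustomConnector` layout; check that the Firepower path still resolves and that both entries follow the same repository layout. In the description, "changes to a Network Group selected members" reads awkwardly; "changes to the members of the selected Network Group object" says the same thing.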

View file

@ -23,7 +23,7 @@ When this playbook gets triggered performs below actions:
## Prerequisites
1. Cisco Firepower custom connector needs to be deployed prior to the deployment of this playbook, in the same resource group and region. Relevant instructions can be found in the connector [doc pages](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/CiscoFirepower/CustomConnector).
1. In Cisco Firepower there needs to be a Network Group object. [Creating Network Objects](https://www.cisco.com/c/en/us/td/docs/security/firepower/630/configuration/guide/fpmc-config-guide-v63/reusable_objects.html#ariaid-title15)
2. In Cisco Firepower there needs to be a Network Group object. [Creating Network Objects](https://www.cisco.com/c/en/us/td/docs/security/firepower/630/configuration/guide/fpmc-config-guide-v63/reusable_objects.html#ariaid-title15)
<a name="deployment-instructions"></a>
### Deployment instructions
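Review bot: renumbering the second prerequisite from `1.` to `2.` is fine, but the `<a name="deployment-instructions"></a>` anchor follows the list item with no blank line, so some markdown renderers will attach the anchor (and the heading after it) to the list; add a blank line after item 2.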

View file

@ -249,5 +249,19 @@
}
}
}
]
],
"metadata":{
"title": "CiscoUmbrella-AddIpToDestinationList",
"description": "When this playbook gets triggered and performs the following actions: 1. Retrieves all destinations lists from Cisco Umbrella. 2. Adds all IP to all destination list received in previous step. 3. Creates comment about action taken.",
"prerequisites": "1. Prior to the deployment of this playbook, Cisco Umbrella Management API Connector needs to be deployed under the same subscription. 2. Obtain Cisco Umbrella Management API credentials. Refer to Cisco Umbrella Management API Custom Connector documentation. 3. Obtain Cisco Umbrella Organiztion Id",
"lastUpdateTime": "2022-08-29T10:43:00Z",
"entities": ["ip"],
"tags": ["Remediation", "Incident management"],
"support": {
"tier": "microsoft"
},
"author": {
"name": "microsoft"
}
}
}
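Review bot: in `prerequisites`, "Organiztion Id" should be "Organization Id", and in the description "Adds all IP to all destination list" should read "Adds every IP to every destination list". The bigger point is the behaviour the description records: step 1 retrieves all destination lists and step 2 adds the IPs to each of them. Cisco Umbrella destination lists have an access type of allow or block, so any allow list in the organization would receive the same IPs and allow-list them instead of blocking them. Either filter the retrieved lists to block lists or make the target list a parameter, and state which in the metadata.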

View file

@ -6,7 +6,7 @@ When this playbook gets triggered and performs the following actions:
1. Retrieves all destinations lists from Cisco Umbrella.
2. Adds all IP to all destination list received in previous step.
4. Creates comment about action taken.
3. Creates comment about action taken.
<img src="./Images/playbook_screenshot.png" width="50%"/><br>
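Review bot: the step renumbering (4 to 3) is correct. The unchanged lead sentence "When this playbook gets triggered and performs the following actions:" is not grammatical; drop "and" so it reads "When this playbook gets triggered, it performs the following actions:", and apply the same wording in the `description` field of the metadata block added in this commit.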

View file

@ -310,7 +310,7 @@
"host": {
"triggerName": "manual",
"workflow": {
"id": "/subscriptions/3102b8f9-10e3-49bf-8712-51c184fddef5/resourceGroups/Socprime/providers/Microsoft.Logic/workflows/F5BigIP_Base"
"id": "[variables('F5BigIP_Base_id')]"
}
}
},
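Review bot: `[variables('F5BigIP_Base_id')]` is referenced here but its definition is not part of this diff; confirm the template's `variables` section defines `F5BigIP_Base_id` (typically built from `subscription().subscriptionId`, `resourceGroup().name` and a base-playbook name parameter) and that such a parameter exists, since the metadata prerequisites tell the user to capture the base playbook name during deployment.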
@ -454,7 +454,7 @@
"host": {
"triggerName": "manual",
"workflow": {
"id": "/subscriptions/3102b8f9-10e3-49bf-8712-51c184fddef5/resourceGroups/Socprime/providers/Microsoft.Logic/workflows/F5BigIP_Base"
"id": "[variables('F5BigIP_Base_id')]"
}
}
},
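Review bot: the removed line carried a real subscription id (`3102b8f9-10e3-49bf-8712-51c184fddef5`) and resource group name (`Socprime`); switching to the variable is the right fix, but both values remain in repository history, so treat the subscription id as disclosed. Both call sites now reference the same variable, which is preferable to repeating the resource-id expression in each action.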
@ -719,5 +719,19 @@
}
}
}
]
],
"metadata":{
"title": "F5 BIG-IP Block IP Playbook",
"description": "When this playbook gets triggered performs the below actions: 1. Fetches a list of potentially malicious IP addresses. 2. For each IP address in the list, checks if the IP address is present in IP Address list of F5 BIG-IP firewall. 3. If IP address not present in IP address list, then adds the IP address to IP address list.",
"prerequisites": "1. Deploy the F5 BIG-IP Base Playbook before the deployment of this playbook under the same subscription and same resource group and under the same location/region. Capture the name of the playbook during deployment. 2. A Firewall policy rule should be created for blocking of IP. 3. An address list should be created for blocking IP. 4. The address list should be a part of Firewall policy rule.",
"lastUpdateTime": "2022-08-29T10:43:00Z",
"entities": ["ip"],
"tags": ["Remediation", "Incident management"],
"support": {
"tier": "microsoft"
},
"author": {
"name": "microsoft"
}
}
}
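Review bot: prerequisite 1 says to "capture the name of the playbook during deployment", which implies the base playbook name is a deployment parameter feeding `F5BigIP_Base_id`; name that parameter in the prerequisites so the user knows where to enter it. The description's "IP Address list of F5 BIG-IP firewall" and the prerequisites' "address list" refer to the same object; use one term, and "Fetches a list of potentially malicious IP addresses" should say where the list comes from (the incident's IP entities, per `"entities": ["ip"]`).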

View file

@ -209,5 +209,19 @@
}
}
}
]
],
"metadata":{
"title": "Restrict-MDEIpAddress",
"description": "This playbook will take IP entities and generate alert and block threat indicators for each IP in MDE for 90 days.",
"prerequisites": "**For Gov Only** You will need to update the HTTP action URL to the correct URL documented [here](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/gov?view=o365-worldwide#api)",
"lastUpdateTime": "2022-08-29T10:43:00Z",
"entities": ["ip"],
"tags": ["Remediation", "Incident management"],
"support": {
"tier": "microsoft"
},
"author": {
"name": "microsoft"
}
}
}
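Review bot: the description commits to an alert-and-block indicator action with a 90-day expiry, but neither appears in `prerequisites` or as a named parameter; if the expiry is hardcoded in the HTTP action body, say so in the metadata, and if it is configurable, name the parameter so operators can align it with their indicator-retention policy. The Gov-only prerequisite is fine as written, though "HTTP action URL" should name the action in the playbook that needs editing.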