fix: metadata objects added, master playbook hardcoded value, banner issue

Oleh Speka 2022-08-31 05:26:07 +03:00
Parent 53f3b25681
Commit 596ad9be6c
4 changed files: 43 additions and 13 deletions

View file

@ -900,7 +900,7 @@
}
},
{
"type": "MICROSOFT.WEB/CONNECTIONS",
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('Meraki_Connection')]",
"location": "[resourceGroup().location]",
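Review bot: the casing change on the `type` line (`MICROSOFT.WEB/CONNECTIONS` to `Microsoft.Web/connections`) is a functional fix rather than cosmetics, since tooling that string-compares resource types (gallery validation, `dependsOn` matching in some linters) treats the two spellings differently; the commit message calls this "banner issue" without saying what failed, so name the tool or check that broke in the message so the next person understands why the casing must stay exactly `Microsoft.Web/connections`.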
@ -922,5 +922,18 @@
}
}
}
]
],
"metadata":{
"title": "Cisco Meraki Block Device Client Playbook",
"description": " When this playbook gets triggered and performs the below actions: 1. Fetches a list of device clients with suspicious activity. 2. For each client in the list, checks if the client is blocked by any network of the organization. - If client does not exist in network, then comment is created saying client not found. - If client exists in network, check policy rule associated with client. If client policy does not exist in the network, then comment is created saying client policy not found. If client policy exists in the network as Blocked, then comment is created saying client blocked using client policy. If client policy exists in the network as Whitelisted, then comment is created saying client allowed using client policy. If client policy exists in the network as group policy, then check the group policy details and comment is created saying client blocked using client policy. If client policy exists in the network as Normal, then client is blocked by playbook.Comment is created saying Client blocked by playbook. - Add incident Comment from all the cases. 3. Responses with status 'Closed' and reason as - For allowed Client - 'BenignPositive - SuspiciousButExpected' - For blocked Client - 'TruePositive - SuspiciousActivity'",
"prerequisites": "1. Deploy the Cisco Meraki Custom Connector before the deployment of this playbook under the same subscription and same resource group. Capture the name of the connector during deployment. 2. Cisco Meraki API Key should be known to establish a connection with Cisco Meraki Custom Connector. [Refer here](https://developer.cisco.com/meraki/api-v1/#!getting-started/authorization) 3. Organization name should be known. [Refer here](https://developer.cisco.com/meraki/api-v1/#!getting-started/find-your-organization-id) 4. Network name should be known.[Refer here](https://developer.cisco.com/meraki/api-v1/#!getting-started/find-your-network-id)\n5. Network Group Policy name should be known. [Refer here](./Images/Scheduling-FromOneDay.png)",
"lastUpdateTime": "2022-08-29T10:43:00Z",
"entities": ["host"],
"tags": ["Remediation", "Incident management"],
"support": {
"tier": "microsoft"
},
"author": {
"name": "microsoft"
}
}
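Review bot: item 5 of the `prerequisites` string points "Refer here" at `./Images/Scheduling-FromOneDay.png`, which is an image about scheduling, not a reference for finding a Network Group Policy name; items 2 to 4 link to developer.cisco.com docs, so item 5 looks like a copy-paste slip and should link to the matching Meraki group-policy doc or drop the link. Two smaller points in the same hunk: the `description` reads "When this playbook gets triggered and performs the below actions" (drop "and"), has "playbook.Comment" with a missing space, and says "Responses with status 'Closed'" where "Responds with status 'Closed'" is meant; and `prerequisites` is a single string here while the master playbook's metadata (in this same commit) uses an array, so pick one shape for the repository.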

View file

@ -256,5 +256,19 @@
}
}
}
]
],
"metadata":{
"title": "Isolate-MDEMachine",
"description": "This playbook will isolate (full) the machine in Microsoft Defender for Endpoint.",
"prerequisites": "You will need to grant Machine.Isolate permissions to the managed identity.",
"lastUpdateTime": "2022-08-29T10:43:00Z",
"entities": ["host"],
"tags": ["Remediation", "Incident management"],
"support": {
"tier": "microsoft"
},
"author": {
"name": "microsoft"
}
}
}
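Review bot: `lastUpdateTime` is `2022-08-29T10:43:00Z` here and byte-identical in the Meraki metadata added in this commit, which predates the commit itself (2022-08-31); if this field is meant to drive "last updated" display in the gallery it should reflect the actual change date rather than a copied value. As in the Meraki file, `prerequisites` is a string here while the master playbook metadata uses an array; since the prerequisite (granting `Machine.Isolate` to the managed identity) is exactly the least-privilege statement a deployer needs, keeping it in the array form the master playbook uses would let the same renderer show it consistently.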

View file

@ -10,7 +10,7 @@
"3. Response from individual playbooks are returned to master playbook for incident comment. "
],
"prerequisites": [
"Atlease one of the below mentioned nested playbooks must be deployed prior to deployment of this playbook under same subscription and same resource group. Capture the name of all deployed playbooks during deployment.",
"At least one of the below mentioned nested playbooks must be deployed prior to deployment of this playbook under same subscription and same resource group. Capture the name of all deployed playbooks during deployment.",
"- CarbonBlack-Remediation-Host is a nested playbook that handles remidiation for Azure Firewall.",
"- Crowdstrike-Remediation-Host is a nested playbook that handles remidiation for Forcepoint."
],
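Review bot: the two unchanged list items under `prerequisites` say CarbonBlack-Remediation-Host "handles remidiation for Azure Firewall" and Crowdstrike-Remediation-Host "handles remidiation for Forcepoint", which contradicts the README in this same commit (CarbonBlack and Crowdstrike respectively) and looks copied from a different master playbook; fix the product names and the "remidiation" typo while touching this block. The list also still names only two nested playbooks, yet the variables hunk in this file adds `CiscoMerakiID` and `MDEIsolateID`, so the Cisco Meraki and MDE Isolate playbooks should be listed here too.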
@ -66,7 +66,9 @@
"AzureSentinelConnectionName": "[concat('azuresentienl-',parameters('MasterPlaybookName'))]",
"Defaultplaybookname": "MSDefaultNestedPlaybook",
"CarbonBlackID": "[ if(not(empty(parameters('CarbonBlackPlaybookName'))),parameters('CarbonBlackPlaybookName'),variables('Defaultplaybookname'))]",
"CrowdstrikeID": "[ if(not(empty(parameters('CrowdstrikePlaybookName'))),parameters('CrowdstrikePlaybookName'),variables('Defaultplaybookname'))]"
"CrowdstrikeID": "[ if(not(empty(parameters('CrowdstrikePlaybookName'))),parameters('CrowdstrikePlaybookName'),variables('Defaultplaybookname'))]",
"CiscoMerakiID": "[ if(not(empty(parameters('CiscoMerakiPlaybookName'))),parameters('CiscoMerakiPlaybookName'),variables('Defaultplaybookname'))]",
"MDEIsolateID": "[ if(not(empty(parameters('MDEIsolatePlaybookName'))),parameters('MDEIsolatePlaybookName'),variables('Defaultplaybookname'))]"
},
"resources": [
{
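Review bot: the new `CiscoMerakiID` and `MDEIsolateID` variables reference `parameters('CiscoMerakiPlaybookName')` and `parameters('MDEIsolatePlaybookName')`, but this diff does not show those parameters being declared; template validation fails when an expression references an undeclared parameter, so confirm both exist in the `parameters` block (with an empty default, since the `if(not(empty(...)))` fallback only works if the parameter may be empty). Two related points: the fallback name `MSDefaultNestedPlaybook` must itself exist in the same resource group or the nested call fails at run time rather than at deploy time, which is worth stating in the prerequisites; and the unchanged context line has `azuresentienl-` in `AzureSentinelConnectionName`, a typo that should be flagged rather than silently fixed here because correcting it renames the API connection resource for existing deployments.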
@ -155,7 +157,7 @@
"host": {
"triggerName": "manual",
"workflow": {
"id": "/subscriptions/3102b8f9-10e3-49bf-8712-51c184fddef5/resourceGroups/Socprime/providers/Microsoft.Logic/workflows/CarbonBlack-QuarantineDevice"
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name ,'/providers/Microsoft.Logic/workflows/', variables('CarbonBlackID'))]"
}
}
},
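Review bot: replacing the hardcoded subscription GUID and the `Socprime` resource group with `subscription().subscriptionId` and `resourceGroup().name` is the right fix, but the hand-built `concat` (note the stray space in `resourceGroup().name ,'/providers/'`) can be replaced by the built-in `resourceId('Microsoft.Logic/workflows', variables('CarbonBlackID'))`, which yields the same resource ID scoped to the current subscription and resource group without assembling path segments by hand; the same applies to the three sibling hunks in this file.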
@ -231,7 +233,7 @@
"host": {
"triggerName": "manual",
"workflow": {
"id": "/subscriptions/3102b8f9-10e3-49bf-8712-51c184fddef5/resourceGroups/Socprime/providers/Microsoft.Logic/workflows/Block-Device-Client-Meraki-Nested"
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name ,'/providers/Microsoft.Logic/workflows/', variables('CiscoMerakiID'))]"
}
}
},
@ -351,7 +353,7 @@
"host": {
"triggerName": "manual",
"workflow": {
"id": "/subscriptions/3102b8f9-10e3-49bf-8712-51c184fddef5/resourceGroups/Socprime/providers/Microsoft.Logic/workflows/Crowdstrike_ContainHost"
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name ,'/providers/Microsoft.Logic/workflows/', variables('CrowdstrikeID'))]"
}
}
},
@ -480,7 +482,7 @@
"host": {
"triggerName": "manual",
"workflow": {
"id": "/subscriptions/3102b8f9-10e3-49bf-8712-51c184fddef5/resourceGroups/Socprime/providers/Microsoft.Logic/workflows/Isolate-MDEMachine-Nested"
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name ,'/providers/Microsoft.Logic/workflows/', variables('MDEIsolateID'))]"
}
}
},
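Review bot: all four removed lines in this file carried the same real subscription GUID and resource group name (`Socprime`); a subscription ID is not a credential, but it identifies a specific tenant environment and stays in repository history after this commit, so confirm with the owning team whether that is acceptable or whether the history should be rewritten before the template is published.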

View file

@ -20,12 +20,13 @@ If a malicious host is detected from the Azure sentinel, master playbook calls a
## Pre-requisites for deployment
Atlease one of the below mentioned nested playbooks must be deployed prior to deployment of this playbook under same subscription and same resource group and the same location/region. Capture the name of all the deployed playbooks during deployment.
At least one of the below-mentioned nested playbooks must be deployed prior to deployment of this playbook under same subscription and same resource group and the same location/region. Capture the name of all the deployed playbooks during deployment.
- [CarbonBlack-Remediation-Host](/MasterPlaybook-Host-Remediation/CarbonBlack-Remediation-Host/azuredeploy.json) is a nested playbook that handles remidiation for CarbonBlack.
- [Crowdstrike-Remediation-Host](/MasterPlaybook-Host-Remediation/Crowdstrike-Remediation-Host/azuredeploy.json) is a nested playbook that handles remidiation for Crowdstrike.
If any one of the above mentioned playbooks are not deployed then default playbook will deploy in its place.
- [Crowdstrike-Remediation-Host](/MasterPlaybook-Host-Remediation/Crowdstrike-Remediation-Host/azuredeploy.json) is a nested playbook that handles remidiation for Crowdstrike.
- [CiscoMeraki-Remediation-Host](/MasterPlaybook-Host-Remediation/CiscoMeraki-Remediation-Host/azuredeploy.json) is a nested playbook that handles remidiation for CiscoMeraki.
- [MDEIsolate-Remediation-Host](/MasterPlaybook-Host-Remediation/MDEIsolate-Remediation-Host/azuredeploy.json) is a nested playbook that handles remidiation for MDE.
If any one of the above-mentioned playbooks are not deployed then default playbook will deploy in its place.
## Nested Playbook Structure
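Review bot: the new list items for CiscoMeraki and MDEIsolate (and the re-added Crowdstrike line) carry the "remidiation" typo over from the two unchanged items, and the sentence after the list should read "If any one of the above-mentioned playbooks is not deployed, then the default playbook will deploy in its place"; since the lines are being rewritten anyway, fix the spelling and grammar in the same hunk. Also note that the README's prerequisite of "the same location/region" is not enforced by the template: the workflow IDs in azuredeploy.json are built only from `subscription().subscriptionId` and `resourceGroup().name`, so a nested playbook in the same resource group but a different region would be referenced without any check; either say the location requirement is advisory or add it to the template.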