Adding metadata, adding hidden-tags, support-tier

2021-06-17 15:12:57 +03:00 · 2021-06-17 15:12:57 +03:00 · b860963615
--- a/Playbooks/.template/incident-trigger/azuredeploy.json
+++ b/Playbooks/.template/incident-trigger/azuredeploy.json
@ -9,7 +9,7 @@
        "entities": [""], 
        "tags": [""], 
        "support": {
-            "kind": "community" 
+            "tier": "community" 
        },
        "author": {
            "name": "Author"
--- a/Playbooks/Block-AADUser/alert-trigger/azuredeploy.json
+++ b/Playbooks/Block-AADUser/alert-trigger/azuredeploy.json
@ -2,17 +2,23 @@
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "metadata": {
-        "comments": "This playbook will disable the user in Azure Active Directoy and add a comment to the incident",
-        "author": "Nicholas DiCola"
+        "title": "Block AAD user", 
+        "description": "For each account entity included in the alert, this playbook will disable the user in Azure Active Directoy and add a comment to the incident that contains this alert",
+        "prerequisites": "",
+        "lastUpdateTime": "2021-05-30T10:00:00.000Z", 
+        "entities": ["Account"], 
+        "tags": ["Remidiation"], 
+        "support": {
+            "tier": "community" 
+        },
+        "author": {
+            "name": "Nicholas DiCola"
+        }
    },
    "parameters": {
        "PlaybookName": {
            "defaultValue": "Block-AADUser",
            "type": "string"
-        },
-        "UserName": {
-            "defaultValue": "<username>@<domain>",
-            "type": "string"
        }
    },
    "variables": {
@ -26,7 +32,7 @@
            "name": "[variables('AzureADConnectionName')]",
            "location": "[resourceGroup().location]",
            "properties": {
-                "displayName": "[parameters('UserName')]",
+                "displayName": "[variables('AzureADConnectionName')]",
                "customParameterValues": {},
                "api": {
                    "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuread')]"
@ -40,7 +46,7 @@
            "location": "[resourceGroup().location]",
            "kind": "V1",
            "properties": {
-                "displayName": "[parameters('PlaybookName')]",
+                "displayName": "[variables('AzureSentinelConnectionName')]",
                "customParameterValues": {},
                "parameterValueType": "Alternative",
                "api": {
--- a/Playbooks/Block-AADUser/incident-trigger/azuredeploy.json
+++ b/Playbooks/Block-AADUser/incident-trigger/azuredeploy.json
@ -2,14 +2,14 @@
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "metadata": {
-        "title": "Identity Protection response from Teams", 
+        "title": "Block AAD user", 
        "description": "For each account entity included in the incident, this playbook will disable the user in Azure Active Directoy and add a comment to the incident",
        "prerequisites": "",
        "lastUpdateTime": "2021-05-30T10:00:00.000Z", 
        "entities": ["Account"], 
        "tags": ["Remidiation"], 
        "support": {
-            "kind": "community" 
+            "tier": "community" 
        },
        "author": {
            "name": "Nicholas DiCola"
@ -19,10 +19,6 @@
        "PlaybookName": {
            "defaultValue": "Block-AADUser",
            "type": "string"
-        },
-        "UserName": {
-            "defaultValue": "<username>@<domain>",
-            "type": "string"
        }
    },
    "variables": {
@ -36,7 +32,7 @@
            "name": "[variables('AzureADConnectionName')]",
            "location": "[resourceGroup().location]",
            "properties": {
-                "displayName": "[parameters('UserName')]",
+                "displayName": "[variables('AzureADConnectionName')]",
                "customParameterValues": {},
                "api": {
                    "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuread')]"
@ -50,7 +46,7 @@
            "location": "[resourceGroup().location]",
            "kind": "V1",
            "properties": {
-                "displayName": "[parameters('PlaybookName')]",
+                "displayName": "[variables('AzureSentinelConnectionName')]",
                "customParameterValues": {},
                "parameterValueType": "Alternative",
                "api": {
--- a/Playbooks/Change-Incident-Severity/incident-trigger/azuredeploy.json
+++ b/Playbooks/Change-Incident-Severity/incident-trigger/azuredeploy.json
@ -9,7 +9,7 @@
        "entities": ["Account"], 
        "tags": ["Triage"], 
        "support": {
-            "kind": "community" 
+            "tier": "community" 
        },
        "author": {
            "name": "Yaniv Shasha"
--- a/Playbooks/Confirm-AADRiskyUser/incident-trigger/azuredeploy.json
+++ b/Playbooks/Confirm-AADRiskyUser/incident-trigger/azuredeploy.json
@ -9,7 +9,7 @@
        "entities": [ "Account" ],
        "tags": [ "Remidiation" ],
        "support": {
-            "kind": "community"
+            "tier": "community"
        },
        "author": {
            "name": "Nicholas DiCola"
--- a/Playbooks/Create-AzureDevOpsTask/alert-trigger/azuredeploy.json
+++ b/Playbooks/Create-AzureDevOpsTask/alert-trigger/azuredeploy.json
@ -5,10 +5,6 @@
        "PlaybookName": {
            "defaultValue": "Create-AzureDevOpsTask",
            "type": "string"
-        },
-        "UserName": {
-            "defaultValue": "<username>@<domain>",
-            "type": "string"
        }
    },
    "variables": {
@ -23,7 +19,7 @@
            "location": "[resourceGroup().location]",
            "kind": "V1",
            "properties": {
-                "displayName": "[parameters('PlaybookName')]",
+                "displayName": "[variables('AzureSentinelConnectionName')]",
                "customParameterValues": {},
                "parameterValueType": "Alternative",
                "api": {
@ -37,7 +33,7 @@
            "name": "[variables('AzureDevOpsConnectionName')]",
            "location": "[resourceGroup().location]",
            "properties": {
-                "displayName": "[parameters('UserName')]",
+                "displayName": "[variables('AzureDevOpsConnectionName')]",
                "customParameterValues": {
                },
                "api": {
--- a/Playbooks/Create-AzureDevOpsTask/incident-trigger/azuredeploy.json
+++ b/Playbooks/Create-AzureDevOpsTask/incident-trigger/azuredeploy.json
@ -19,10 +19,6 @@
        "PlaybookName": {
            "defaultValue": "Create-AzureDevOpsTask",
            "type": "string"
-        },
-        "UserName": {
-            "defaultValue": "<username>@<domain>",
-            "type": "string"
        }
    },
    "variables": {
@ -37,7 +33,7 @@
            "location": "[resourceGroup().location]",
            "kind": "V1",
            "properties": {
-                "displayName": "[parameters('PlaybookName')]",
+                "displayName": "[variables('AzureSentinelConnectionName')]",
                "customParameterValues": {},
                "parameterValueType": "Alternative",
                "api": {
@ -51,7 +47,7 @@
            "name": "[variables('AzureDevOpsConnectionName')]",
            "location": "[resourceGroup().location]",
            "properties": {
-                "displayName": "[parameters('UserName')]",
+                "displayName": "[variables('AzureDevOpsConnectionName')]",
                "customParameterValues": {
                },
                "api": {
@ -64,6 +60,10 @@
            "apiVersion": "2017-07-01",
            "name": "[parameters('PlaybookName')]",
            "location": "[resourceGroup().location]",
+            "tags": {
+                "hidden-SentinelTemplateName": "Create-AzureDevOpsTask",
+                "hidden-SentinelTemplateVersion": "1.0"
+            },
            "identity": {
                "type": "SystemAssigned"
            },
--- a/Playbooks/Create-Jira-Issue/alert-trigger/azuredeploy.json
+++ b/Playbooks/Create-Jira-Issue/alert-trigger/azuredeploy.json
@ -9,7 +9,7 @@
        "entities": [],
        "tags": [ "Sync" ],
        "support": {
-            "kind": "community"
+            "tier": "community"
        },
        "author": {
            "name": "Yaniv Shasha and Benjamin Kovacevic"
--- a/Playbooks/Create-Jira-Issue/incident-trigger/azuredeploy.json
+++ b/Playbooks/Create-Jira-Issue/incident-trigger/azuredeploy.json
@ -9,7 +9,7 @@
        "entities": [],
        "tags": [ "Sync" ],
        "support": {
-            "kind": "community"
+            "tier": "community"
        },
        "author": {
            "name": "Yaniv Shasha and Benjamin Kovacevic"
--- a/Playbooks/Create-SNOW-record/alert-trigger/azuredeploy.json
+++ b/Playbooks/Create-SNOW-record/alert-trigger/azuredeploy.json
@ -9,7 +9,7 @@
        "entities": [],
        "tags": [ "Sync" ],
        "support": {
-            "kind": "community"
+            "tier": "community"
        },
        "author": {
            "name": "Yaniv Shasha and Benjamin Kovacevic"
--- a/Playbooks/Create-SNOW-record/incident-trigger/azuredeploy.json
+++ b/Playbooks/Create-SNOW-record/incident-trigger/azuredeploy.json
@ -9,7 +9,7 @@
        "entities": [],
        "tags": [ "Sync" ],
        "support": {
-            "kind": "community"
+            "tier": "community"
        },
        "author": {
            "name": "Yaniv Shasha and Benjamin Kovacevic"
--- a/Playbooks/Create-Zendesk-Ticket/azuredeploy.json
+++ b/Playbooks/Create-Zendesk-Ticket/azuredeploy.json
@ -9,7 +9,7 @@
        "entities": [], 
        "tags": ["Sync"], 
        "support": {
-            "kind": "community" 
+            "tier": "community" 
        },
        "author": {
            "name": "Lior Tamir"
--- a/Playbooks/Dismiss-AADRiskyUser/incident-trigger/azuredeploy.json
+++ b/Playbooks/Dismiss-AADRiskyUser/incident-trigger/azuredeploy.json
@ -9,7 +9,7 @@
        "entities": [ "Account" ],
        "tags": [ "Remediation" ],
        "support": {
-            "kind": "community"
+            "tier": "community"
        },
        "author": {
            "name": "Nicholas DiCola"
--- a/Playbooks/Get-ASCRecommendations/incident-trigger/azuredeploy.json
+++ b/Playbooks/Get-ASCRecommendations/incident-trigger/azuredeploy.json
@ -9,7 +9,7 @@
        "entities": [ "Account" ],
        "tags": [ "Enrich" ],
        "support": {
-            "kind": "community"
+            "tier": "community"
        },
        "author": {
            "name": "Nicholas DiCola"
--- a/Playbooks/Get-MDEInvestigationPackage/incident-trigger/azuredeploy.json
+++ b/Playbooks/Get-MDEInvestigationPackage/incident-trigger/azuredeploy.json
@ -9,7 +9,7 @@
        "entities": [ "Host" ],
        "tags": [ "Repsond" ],
        "support": {
-            "kind": "community"
+            "tier": "community"
        },
        "author": {
            "name": "Nicholas DiCola"
--- a/Playbooks/Get-VirusTotalFileInfo/incident-trigger/azuredeploy.json
+++ b/Playbooks/Get-VirusTotalFileInfo/incident-trigger/azuredeploy.json
@ -9,7 +9,7 @@
        "entities": [ "FileHash" ],
        "tags": [ "Enrich" ],
        "support": {
-            "kind": "community"
+            "tier": "community"
        },
        "author": {
            "name": "Nicholas DiCola"
--- a/Playbooks/Get-VirusTotalIPReport/incident-trigger/azuredeploy.json
+++ b/Playbooks/Get-VirusTotalIPReport/incident-trigger/azuredeploy.json
@ -9,7 +9,7 @@
            "entities": ["IP"], 
            "tags": ["Enrich"], 
            "support": {
-                "kind": "community" 
+                "tier": "community" 
            },
            "author": {
                "name": "Nicholas DiCola"
--- a/Playbooks/Prompt-User/alert-trigger/azuredeploy.json
+++ b/Playbooks/Prompt-User/alert-trigger/azuredeploy.json
@ -3,18 +3,24 @@
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "metadata": {
-        "comments": "This playbook will ask the user if they completed the action from the Incident in Azure Sentinel.  If so, it will close the incident and add a comment.  If not, it will post a message to teams for the SOC to investigate and add a comment to the incident.",
-        "author": "Nicholas DiCola"
+        "title": "Prompt User",
+        "description": "This playbook will ask the user if they completed the action from the alert in Azure Sentinel.  If so, it will close the incident and add a comment.  If not, it will post a message to teams for the SOC to investigate and add a comment to the incident.",
+        "prerequisites": "1. You will need the Team Id and Channel Id.",
+        "lastUpdateTime": "2021-06-03T00:00:00.000Z",
+        "entities": [ "Account" ],
+        "tags": [ "Repsond" ],
+        "support": {
+            "tier": "community"
+        },
+        "author": {
+            "name": "Nicholas DiCola"
+        }
    },
    "parameters": {
        "PlaybookName": {
            "defaultValue": "Prompt-User",
            "type": "string"
        },
-        "UserName": {
-            "defaultValue": "<username>@<domain>",
-            "type": "string"
-        },
        "TeamsId": {
            "defaultValue": "Enter the Teams Group ID",
            "type": "string"
@ -37,7 +43,7 @@
            "name": "[variables('AzureADConnectionName')]",
            "location": "[resourceGroup().location]",
            "properties": {
-                "displayName": "[parameters('UserName')]",
+                "displayName": "[variables('AzureADConnectionName')]",
                "customParameterValues": {},
                "api": {
                    "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuread')]"
@ -51,7 +57,7 @@
            "location": "[resourceGroup().location]",
            "kind": "V1",
            "properties": {
-                "displayName": "[parameters('PlaybookName')]",
+                "displayName": "[variables('AzureSentinelConnectionName')]",
                "customParameterValues": {},
                "parameterValueType": "Alternative",
                "api": {
@ -65,7 +71,7 @@
            "name": "[variables('Office365ConnectionName')]",
            "location": "[resourceGroup().location]",
            "properties": {
-                "displayName": "[parameters('UserName')]",
+                "displayName": "[variables('Office365ConnectionName')]",
                "customParameterValues": {},
                "api": {
                    "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/office365')]"
@ -78,7 +84,7 @@
            "name": "[variables('TeamsConnectionName')]",
            "location": "[resourceGroup().location]",
            "properties": {
-                "displayName": "[parameters('UserName')]",
+                "displayName": "[variables('TeamsConnectionName')]",
                "customParameterValues": {},
                "api": {
                    "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/teams')]"
--- a/Playbooks/Prompt-User/incident-trigger/azuredeploy.json
+++ b/Playbooks/Prompt-User/incident-trigger/azuredeploy.json
@ -3,14 +3,14 @@
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "metadata": {
-        "title": "Prompt-User",
+        "title": "Prompt User",
        "description": "This playbook will ask the user if they completed the action from the Incident in Azure Sentinel.  If so, it will close the incident and add a comment.  If not, it will post a message to teams for the SOC to investigate and add a comment to the incident.",
-        "prerequisites": "1. You will need the Team Id and Chat Id.",
+        "prerequisites": "1. You will need the Team Id and Channel Id.",
        "lastUpdateTime": "2021-06-03T00:00:00.000Z",
        "entities": [ "Account" ],
        "tags": [ "Repsond" ],
        "support": {
-            "kind": "community"
+            "tier": "community"
        },
        "author": {
            "name": "Nicholas DiCola"
@ -21,10 +21,6 @@
            "defaultValue": "Prompt-User",
            "type": "string"
        },
-        "UserName": {
-            "defaultValue": "<username>@<domain>",
-            "type": "string"
-        },
        "TeamsId": {
            "defaultValue": "Enter the Teams Group ID",
            "type": "string"
@ -47,7 +43,7 @@
            "name": "[variables('AzureADConnectionName')]",
            "location": "[resourceGroup().location]",
            "properties": {
-                "displayName": "[parameters('UserName')]",
+                "displayName": "[variables('AzureADConnectionName')]",
                "customParameterValues": {},
                "api": {
                    "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuread')]"
@ -61,7 +57,7 @@
            "location": "[resourceGroup().location]",
            "kind": "V1",
            "properties": {
-                "displayName": "[parameters('PlaybookName')]",
+                "displayName": "[variables('AzureSentinelConnectionName')]",
                "customParameterValues": {},
                "parameterValueType": "Alternative",
                "api": {
@ -75,7 +71,7 @@
            "name": "[variables('Office365ConnectionName')]",
            "location": "[resourceGroup().location]",
            "properties": {
-                "displayName": "[parameters('UserName')]",
+                "displayName": "[variables('Office365ConnectionName')]",
                "customParameterValues": {},
                "api": {
                    "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/office365')]"
@ -88,7 +84,7 @@
            "name": "[variables('TeamsConnectionName')]",
            "location": "[resourceGroup().location]",
            "properties": {
-                "displayName": "[parameters('UserName')]",
+                "displayName": "[variables('TeamsConnectionName')]",
                "customParameterValues": {},
                "api": {
                    "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/teams')]"
--- a/Playbooks/Reset-AADUserPassword/incident-trigger/azuredeploy.json
+++ b/Playbooks/Reset-AADUserPassword/incident-trigger/azuredeploy.json
@ -9,7 +9,7 @@
        "entities": [ "Account" ],
        "tags": [ "Repsond" ],
        "support": {
-            "kind": "community"
+            "tier": "community"
        },
        "author": {
            "name": "Nicholas DiCola"
--- a/Playbooks/Revoke-AADSignInSessions/incident-trigger/azuredeploy.json
+++ b/Playbooks/Revoke-AADSignInSessions/incident-trigger/azuredeploy.json
@ -9,7 +9,7 @@
        "entities": [ "Account" ],
        "tags": [ "Repsond" ],
        "support": {
-            "kind": "community"
+            "tier": "community"
        },
        "author": {
            "name": "Nicholas DiCola"
--- a/Playbooks/Send-basic-email/azuredeploy.json
+++ b/Playbooks/Send-basic-email/azuredeploy.json
@ -9,7 +9,7 @@
        "entities": [],
        "tags": [ "Basics", "Notification" ],
        "support": {
-            "kind": "community"
+            "tier": "community"
        },
        "author": {
            "name": "Benjamin Kovacevic"
--- a/Playbooks/Send-email-with-formatted-incident-report/azuredeploy.json
+++ b/Playbooks/Send-email-with-formatted-incident-report/azuredeploy.json
@ -9,7 +9,7 @@
        "entities": [],
        "tags": [ "Basics", "Notification" ],
        "support": {
-            "kind": "community"
+            "tier": "community"
        },
        "author": {
            "name": "Benjamin Kovacevic"