This commit is contained in:
v-laanjana 2022-08-11 11:15:56 +05:30
Parent eebb0e28fb
Commit ee35f0d7d1
1 changed file: 1 addition and 1 deletion

View file

@ -5,7 +5,7 @@
"title": "Watchlist - close incidents with safe IPs",
"description": "This playbook leverages Microsoft Sentinel Watchlists in order to close incidents which include IP addresses considered safe.",
"prerequisites": ["None"],
"mainSteps": ["For each Ip address included in the alert (entities of type IP): \n\n 1. Check if IP is included in watchlist. \n\n * If IP is in the watchlist, consider the IP saf,. **Add it to Safe IPs array.** \n\n * If IP is not in the watchlist, meaning that we are not sure it is safe, **Add it to not Safe IPs array.** \n\n 2. Add a comment to the incident the list of safe and not safe IPs found. \n\n 3. If the not safe list is empty (length == 0), close the incident as Benign Positive. \n\n \n\n ## Configurations \n\n * Configure the step 'Run query and list results with the identifiers of the Sentinel workspace where the watchlist is stored. \n\n * Configure the identity used in the 'Run query and list results' step with the Log Analytics Reader RBAC role on the Microsoft Sentinel resource group. \n\n * Configure the Managed Identity of the Logic App with the Microsoft Sentinel Responder RBAC role on the Microsoft Sentinel resource group. \n\n * The watchlist used in this example has at list one column named **ipaddress** which stores the safe address. See the csv file attached in this folder as an example. \n\n \n\n <img src='https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Watchlists Utilities/Playbooks/Watchlist-CloseIncidentKnownIPs/images/designerLight1.png'/> \n\n <img src='https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Watchlists Utilities/Playbooks/Watchlist-CloseIncidentKnownIPs/images/designerLight2.png'/> \n\n <img src='https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Watchlists Utilities/Playbooks/Watchlist-CloseIncidentKnownIPs/images/commentLight.png'/>"],
"mainSteps": ["For each Ip address included in the alert (entities of type IP): \n\n 1. Check if IP is included in watchlist. \n\n * If IP is in the watchlist, consider the IP saf,. **Add it to Safe IPs array.** \n\n * If IP is not in the watchlist, meaning that we are not sure it is safe, **Add it to not Safe IPs array.** \n\n 2. Add a comment to the incident the list of safe and not safe IPs found. \n\n 3. If the not safe list is empty (length == 0), close the incident as Benign Positive. \n\n \n\n ## Configurations \n\n * Configure the step 'Run query and list results with the identifiers of the Sentinel workspace where the watchlist is stored. \n\n * Configure the identity used in the 'Run query and list results' step with the Log Analytics Reader RBAC role on the Microsoft Sentinel resource group. \n\n * Configure the Managed Identity of the Logic App with the Microsoft Sentinel Responder RBAC role on the Microsoft Sentinel resource group. \n\n * The watchlist used in this example has at list one column named **ipaddress** which stores the safe address. See the csv file attached in this folder as an example. \n\n \n\n <img src='https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Watchlists%20Utilities/Playbooks/Watchlist-CloseIncidentKnownIPs/images/designerLight1.png'/> \n\n <img src='https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Watchlists%20Utilities/Playbooks/Watchlist-CloseIncidentKnownIPs/images/designerLight2.png'/> \n\n <img src='https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Watchlists%20Utilities/Playbooks/Watchlist-CloseIncidentKnownIPs/images/commentLight.png'/>"],
"lastUpdateTime": "2022-07-22T10:00:00.000Z",
"entities": ["Ip"],
"tags": ["Triage"],
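Review bot: the URL change itself is correct (raw.githubusercontent.com instead of the github.com blob page, with the space in "Watchlists Utilities" percent-encoded as %20, so the three `<img>` tags will actually render), but the rest of the "mainSteps" string carries defects that survive unchanged into the `+` line and could be fixed in the same edit: "consider the IP saf,." should read "consider the IP safe."; "has at list one column" should read "has at least one column"; the first Configurations bullet opens a quote in "'Run query and list results with the identifiers" that is never closed (the next bullet shows the intended form 'Run query and list results'); and "Add a comment to the incident the list of safe and not safe IPs found" needs "with the list". Also consider bumping "lastUpdateTime", which is still "2022-07-22T10:00:00.000Z" although this commit (2022-08-11) changes the entry's content.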