From ee35f0d7d1538c9553792a57f658d58ba97f8f18 Mon Sep 17 00:00:00 2001 From: v-laanjana <105694882+v-laanjana@users.noreply.github.com> Date: Thu, 11 Aug 2022 11:15:56 +0530 Subject: [PATCH] fixed image path --- .../Playbooks/Watchlist-CloseIncidentKnownIPs/azuredeploy.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Solutions/Watchlists Utilities/Playbooks/Watchlist-CloseIncidentKnownIPs/azuredeploy.json b/Solutions/Watchlists Utilities/Playbooks/Watchlist-CloseIncidentKnownIPs/azuredeploy.json index 71641173a2..2989316db1 100644 --- a/Solutions/Watchlists Utilities/Playbooks/Watchlist-CloseIncidentKnownIPs/azuredeploy.json +++ b/Solutions/Watchlists Utilities/Playbooks/Watchlist-CloseIncidentKnownIPs/azuredeploy.json 
@@ -5,7 +5,7 @@ "title": "Watchlist - close incidents with safe IPs", "description": "This playbook leverages Microsoft Sentinel Watchlists in order to close incidents which include IP addresses considered safe.", "prerequisites": ["None"], - "mainSteps": ["For each Ip address included in the alert (entities of type IP): \n\n 1. Check if IP is included in watchlist. \n\n * If IP is in the watchlist, consider the IP saf,. **Add it to Safe IPs array.** \n\n * If IP is not in the watchlist, meaning that we are not sure it is safe, **Add it to not Safe IPs array.** \n\n 2. Add a comment to the incident the list of safe and not safe IPs found. \n\n 3. If the not safe list is empty (length == 0), close the incident as Benign Positive. \n\n \n\n ## Configurations \n\n * Configure the step 'Run query and list results with the identifiers of the Sentinel workspace where the watchlist is stored. \n\n * Configure the identity used in the 'Run query and list results' step with the Log Analytics Reader RBAC role on the Microsoft Sentinel resource group. \n\n * Configure the Managed Identity of the Logic App with the Microsoft Sentinel Responder RBAC role on the Microsoft Sentinel resource group. \n\n * The watchlist used in this example has at list one column named **ipaddress** which stores the safe address. See the csv file attached in this folder as an example. \n\n \n\n \n\n \n\n "], + "mainSteps": ["For each Ip address included in the alert (entities of type IP): \n\n 1. Check if IP is included in watchlist. \n\n * If IP is in the watchlist, consider the IP saf,. **Add it to Safe IPs array.** \n\n * If IP is not in the watchlist, meaning that we are not sure it is safe, **Add it to not Safe IPs array.** \n\n 2. Add a comment to the incident the list of safe and not safe IPs found. \n\n 3. If the not safe list is empty (length == 0), close the incident as Benign Positive. 
\n\n \n\n ## Configurations \n\n * Configure the step 'Run query and list results with the identifiers of the Sentinel workspace where the watchlist is stored. \n\n * Configure the identity used in the 'Run query and list results' step with the Log Analytics Reader RBAC role on the Microsoft Sentinel resource group. \n\n * Configure the Managed Identity of the Logic App with the Microsoft Sentinel Responder RBAC role on the Microsoft Sentinel resource group. \n\n * The watchlist used in this example has at list one column named **ipaddress** which stores the safe address. See the csv file attached in this folder as an example. \n\n \n\n \n\n \n\n "], "lastUpdateTime": "2022-07-22T10:00:00.000Z", "entities": ["Ip"], "tags": ["Triage"],
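Review bot: The commit subject says "fixed image path", but the only hunk in this patch touches the `mainSteps` string of azuredeploy.json and the visible `-` and `+` lines carry no image path at all; as shown they differ only in where the line breaks, so either the intended image-path change is missing from the diff or the subject should describe what actually changed (please make the two agree before merge). While this string is being edited, the same text defects are carried over unchanged into the `+` line and should be fixed in the same change: "consider the IP saf,." should read "consider the IP safe.", "has at list one column" should read "has at least one column", and the step name in "Configure the step 'Run query and list results with the identifiers" is missing its closing quote ('Run query and list results'). Since `mainSteps` is user-facing metadata, `"lastUpdateTime": "2022-07-22T10:00:00.000Z"` in the trailing context should also be bumped when this content changes.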