Azure-Sentinel/Playbooks/Sync-IncidentCommentToM365D...
Lior Tamir 40f8573161
Update azuredeploy.json
2022-05-25 09:42:39 +03:00
images playbooks for update trigger 2022-05-24 19:07:13 +01:00
API permission.txt playbooks for update trigger 2022-05-24 19:07:13 +01:00
azuredeploy.json Update azuredeploy.json 2022-05-25 09:42:39 +03:00
readme.md playbooks for update trigger 2022-05-24 19:07:13 +01:00

readme.md

Sync-IncidentCommentToM365DOnUpdate

author: Benjamin Kovacevic

This playbook syncs incident comments from Microsoft Sentinel to Microsoft 365 Defender whenever a comment is added to the incident.

Prerequisites

None.

Quick Deployment

Deploy to Azure
Deploy to Azure Gov

Post-deployment

  1. Add the Incident.ReadWrite.All API permission to the playbook's managed identity using PowerShell (AzureAD module):

     # Object id of the playbook's managed identity
     $MIGuid = "<Enter your managed identity guid here>"
     $MI = Get-AzureADServicePrincipal -ObjectId $MIGuid

     # Application (client) id of the API resource and the app role to grant
     $GraphAppId = "8ee8fdad-f234-4243-8f3b-15c294843740"
     $PermissionName1 = "Incident.ReadWrite.All"

     # Resolve the resource's service principal and the matching application-type app role
     $GraphServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$GraphAppId'"
     $AppRole1 = $GraphServicePrincipal.AppRoles | Where-Object {$_.Value -eq $PermissionName1 -and $_.AllowedMemberTypes -contains "Application"}

     # Assign the app role to the managed identity
     New-AzureAdServiceAppRoleAssignment -ObjectId $MI.ObjectId -PrincipalId $MI.ObjectId `
         -ResourceId $GraphServicePrincipal.ObjectId -Id $AppRole1.Id
  2. Add the playbook as an action to an automation rule:
  • Trigger = When incident is updated;
  • Condition = Incident provider > Equal > Microsoft 365 Defender, and
  • Comments > Added
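After granting the permission in step 1, it is worth confirming that the managed identity holds exactly that one application permission on the resource and nothing more. The script below is an added verification example, not part of the playbook's readme; it reuses the readme's placeholder and appId, and assumes the AzureAD module with an active Connect-AzureAD session, and that Get-AzureADServiceAppRoleAssignedTo run against the resource service principal lists the app role assignments granted on it.

```powershell
# Added least-privilege check (not from the readme): verify the managed identity
# holds only the expected application permission on the resource API.
# Assumes the AzureAD module and an existing Connect-AzureAD session.
$MIGuid     = "<Enter your managed identity guid here>"   # placeholder from the readme
$GraphAppId = "8ee8fdad-f234-4243-8f3b-15c294843740"       # appId used by the readme's script
$Expected   = @("Incident.ReadWrite.All")

$MI         = Get-AzureADServicePrincipal -ObjectId $MIGuid
$ResourceSP = Get-AzureADServicePrincipal -Filter "appId eq '$GraphAppId'"

# App role assignments carry only the role Id; build an Id -> Value lookup
# from the resource's AppRoles so the output is human readable.
$RoleNames = @{}
foreach ($role in $ResourceSP.AppRoles) { $RoleNames[$role.Id] = $role.Value }

# Assignments granted on the resource, narrowed to this managed identity.
$Granted = Get-AzureADServiceAppRoleAssignedTo -ObjectId $ResourceSP.ObjectId |
    Where-Object { $_.PrincipalId -eq $MI.ObjectId } |
    ForEach-Object { $RoleNames[$_.Id] }

$Missing = $Expected | Where-Object { $Granted -notcontains $_ }
$Extra   = $Granted  | Where-Object { $Expected -notcontains $_ }

if ($Missing) { Write-Warning "Missing permission(s): $($Missing -join ', ')" }
if ($Extra)   { Write-Warning "Permission(s) beyond least privilege: $($Extra -join ', ')" }
if (-not $Missing -and -not $Extra) {
    Write-Output "OK: managed identity holds only $($Expected -join ', ')"
}
```

Run it again after any redeployment of the playbook, since a recreated managed identity gets a new object id and the assignment must be granted to it afresh.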

Automation rule example

Screenshots

Playbook
playbook screenshot

Microsoft 365 Defender
M365D notification