
changes to MDE, AAD, and SOAR Essentials solutions

Open BenjiSec opened this issue 1 year ago • 6 comments

Required items, please complete

Change(s): Update to Azure Active Directory solution

  • Added Revoke-AADSignInSessions playbooks
  • Update to Block-AADUser playbooks

MicrosoftDefenderForEndpoint solution

  • added Unisolate-MDEMachine-entity-trigger playbook
  • added Isolate-MDEMachine-entity-trigger playbook

SentinelSOARessentials solution

  • added workbooks
  1. AutomationHealth
  2. IncidentOverview
  3. IncidentTasksWorkbook
  4. SecurityOperationsEfficiency

  • added playbooks

  1. CreateIncident-MicrosoftForms
  2. CreateIncident-SharedMailbox
  3. M365D_BEC_Playbook_for_SecOps-Tasks
  4. M365D_Phishing_Playbook_for_SecOps-Tasks
  5. M365D_Ransomware_Playbook_for_SecOps-Tasks
  6. Send-Teams-adaptive-card-on-incident-creation

Deleted playbooks from Playbook folder (moved to Solutions, removing duplicates)

  • Unisolate-MDEMachine-entity-trigger - added to MDE solution
  • Isolate-MDEMachine-entity-trigger - added to MDE solution
  • Revoke-AADSignInSessions - added to AAD solution
  • Revoke-AADSignInSessions-entityTrigger - added to AAD solution
  • CreateIncident-MicrosoftForms - added to SOAR Essentials solution
  • CreateIncident-SharedMailbox - added to SOAR Essentials solution
  • M365D_BEC_Playbook_for_SecOps-Tasks - added to SOAR Essentials solution

Reason for Change(s):

  • Merging playbooks with solutions

BenjiSec avatar Apr 14 '23 14:04 BenjiSec

Hello @BenjiSec looking into this

v-prasadboke avatar Apr 18 '23 13:04 v-prasadboke

Hello @BenjiSec working on this

v-prasadboke avatar Apr 25 '23 11:04 v-prasadboke

Hello @rahul0216 and @manishkumar1991 can you please review the playbooks and approve

v-prasadboke avatar Apr 27 '23 10:04 v-prasadboke

Hi all, when can we expect this to be approved? We are waiting for it so we can publish a blog about the new Task support in Microsoft Sentinel.

BenjiSec avatar Apr 28 '23 14:04 BenjiSec

> Hi all, when can we expect this to be approved? We are waiting for it so we can publish a blog about the new Task support in Microsoft Sentinel.

Hello Benjamin,

We are reviewing your PR.

manishkumar1991 avatar May 02 '23 08:05 manishkumar1991

Hello @manishkumar1991 benjisec has pushed the changes

v-prasadboke avatar May 03 '23 05:05 v-prasadboke

Hello @manishkumar1991, waiting for your feedback

v-prasadboke avatar May 05 '23 04:05 v-prasadboke

Hi @manishkumar1991 - can we please merge this? We are waiting on it to update the official Microsoft Sentinel docs around Tasks and to publish a blog about the new possibilities.

BenjiSec avatar May 08 '23 21:05 BenjiSec

Thank you @manishkumar1991, continuing to review this PR

v-prasadboke avatar May 09 '23 11:05 v-prasadboke

Hello @BenjiSec, please update the metadata of this playbook ' Solutions/Azure Active Directory/Playbooks/Revoke-AADSignInSessions/alert-trigger/azuredeploy.json '. Title & description are missing from the metadata.

You can refer to this playbook for metadata: ' Solutions/Azure Active Directory/Playbooks/Revoke-AADSignInSessions/entity-trigger/azuredeploy.json '. If needed, please add other parameters as well with reference to the playbook metadata.

The title for this playbook ' Solutions/Azure Active Directory/Playbooks/Revoke-AADSignInSessions/incident-trigger/azuredeploy.json ' is " Revoke-AADSignInSessions ". If it's OK, can we change it to " Revoke AAD Sign-in session using incident trigger "?

v-prasadboke avatar May 12 '23 09:05 v-prasadboke

And a parameter in the metadata of these two playbooks is set to null: " Solutions/MicrosoftDefenderForEndpoint/Playbooks/Isolate-MDEMachine/Isolate-MDE-Machine-entity-trigger/azuredeploy.json " & " Solutions/MicrosoftDefenderForEndpoint/Playbooks/Unisolate-MDEMachine/Unisolate-MDE-Machine-entity-trigger/azuredeploy.json "

Is this property null, or can it be filled with some instructions/data?

v-prasadboke avatar May 12 '23 10:05 v-prasadboke

Hello @BenjiSec, please add the workbook metadata for the workbooks of ' SentinelSOARessentials ' at the given file path " Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json "

v-prasadboke avatar May 12 '23 11:05 v-prasadboke

Facing an issue with the IncidentOverview workbook of the SentinelSOARessentials solution.

v-prasadboke avatar May 12 '23 11:05 v-prasadboke

@v-prasadboke I deployed the workbook and confirmed that it works fine. Please make sure that there is an incident number entered within the workbook to load the widgets and content.


Regarding the addition of the workbooks to the workbooksmetadata file, the 4 workbooks in this solution are all existing workbooks in the gallery. Is it still required that they are added if they are in a solution?

malowe101 avatar May 15 '23 21:05 malowe101

> Regarding the addition of the workbooks to the workbooksmetadata file, the 4 workbooks in this solution are all existing workbooks in the gallery. Is it still required that they are added if they are in a solution?

Hello @BenjiSec, after repackaging the solution and running arm-ttk on the maintemplate, I came to know that the workbook metadata is not present in the workbookmetadata file, which is causing an error.

v-prasadboke avatar May 17 '23 07:05 v-prasadboke

Hello @BenjiSec, any updates?

v-prasadboke avatar May 18 '23 16:05 v-prasadboke

Hello @malowe101, there are changes requested above. Thank you.

v-prasadboke avatar May 31 '23 05:05 v-prasadboke

> Regarding the addition of the workbooks to the workbooksmetadata file, the 4 workbooks in this solution are all existing workbooks in the gallery. Is it still required that they are added if they are in a solution?

Yes @malowe101. Even though the workbooks of ' Sentinel Soar Essentials ' already exist in the gallery, the workbook metadata for AutomationHealth & IncidentTasksWorkbook is missing in the " Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json " file.

v-prasadboke avatar Jun 05 '23 05:06 v-prasadboke
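The two packaging problems raised in this review (a playbook azuredeploy.json with a missing or null metadata title/description, and solution workbooks with no entry in WorkbooksMetadata.json) can be caught locally before arm-ttk runs. The following is an added example and not code from the PR or the Azure-Sentinel repo; the sample JSON is constructed, the WorkbooksMetadata.json field names and the match on the templateRelativePath file stem are assumptions.

```python
import json

# Constructed sample: a trimmed playbook ARM template in the shape of the
# Solutions/.../azuredeploy.json files discussed in the thread. Only the
# "metadata" block is inspected.
PLAYBOOK_TEMPLATE = json.loads("""
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "metadata": {
    "title": "Revoke-AADSignInSessions",
    "description": null,
    "prerequisites": ""
  },
  "parameters": {}
}
""")

# Constructed sample of WorkbooksMetadata.json entries (field names are an
# assumption; only templateRelativePath is used for matching).
WORKBOOKS_METADATA = json.loads("""
[
  {"workbookKey": "IncidentOverviewWorkbook", "templateRelativePath": "IncidentOverview.json"},
  {"workbookKey": "SecurityOperationsEfficiencyWorkbook", "templateRelativePath": "SecurityOperationsEfficiency.json"}
]
""")

REQUIRED_METADATA = ("title", "description")


def check_playbook_metadata(template: dict) -> list[str]:
    """Return a list of problems found in the template's metadata block."""
    problems = []
    metadata = template.get("metadata")
    if not isinstance(metadata, dict):
        return ["metadata block missing"]
    for key in REQUIRED_METADATA:
        if key not in metadata:
            problems.append(f"metadata.{key} missing")
        elif metadata[key] in (None, ""):
            problems.append(f"metadata.{key} is null or empty")
    # Flag any other null value too (the "parameter set to null" case above).
    for key, value in metadata.items():
        if key not in REQUIRED_METADATA and value is None:
            problems.append(f"metadata.{key} is null")
    return problems


def missing_workbook_metadata(workbooks: list[str], entries: list[dict]) -> list[str]:
    """Return solution workbook names with no WorkbooksMetadata.json entry,
    matched on the template file name without its .json suffix (assumed)."""
    known = {e.get("templateRelativePath", "").removesuffix(".json") for e in entries}
    return [w for w in workbooks if w not in known]
```

Run check_playbook_metadata over each playbook's azuredeploy.json and missing_workbook_metadata over the solution's workbook list; an empty result from both means the two checks requested in this thread pass.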

Azure.Azure-Sentinel (JsonFileValidation)

Hi @v-prasadboke - I tried adding these 2 workbooks to the " Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json " file, but I'm getting errors. Can you please help with this?

BenjiSec avatar Jun 19 '23 16:06 BenjiSec

All looks good

v-prasadboke avatar Jun 22 '23 11:06 v-prasadboke