Updating the original playbook
Removed unneeded tasks, updated a few variable fields, etc.
Required items, please complete
Change(s):
- Removed unused Alert - Get incident
- Replaced condition Add comment to incident (V2) with V3
- Replaced Change incident severity to High with Update Incident
- Updated the Parse JSON schema in For each to match the output of Alert - Get hosts
- Changed the variable in the URI to match the MDATPDeviceID with the new schema
Reason for Change(s):
- New schemas used in output of tasks
- Playbook as it currently is misses fields out
- Superfluous task calls
- Use of old methods/tasks
Version Updated:
- No
- N/A?
Testing Completed:
- Yes
- Where I was getting 404s and red task fails for the original playbook, these are updated and pulling fields as expected.
Checked that the validations are passing and have addressed any issues that are present:
- Yes - the only underlines are in the connection name, but this will be updated by the deploying user
@microsoft-github-policy-service agree
Hello @noapocalypse looking into this
Hello @v-vdixit can you please look into this
Looking into this
Hello @noapocalypse working on this
Nice one :)
Hi @manishkumar1991, please provide your feedback on this. Thanks
Sorry for the late reply @noapocalypse. @manishkumar1991, can you please look into this?
@v-prasadboke: Kindly ask @noapocalypse to clear the validations; only then can I go ahead and review the PR.
Hello @noapocalypse please update your branch from the master
I have no visibility of the validations requiring correction.
@v-prasadboke @manishkumar1991
Hi @noapocalypse, can you please update your branch from master and push the changes? This will re-run the failed validations.
Hello @noapocalypse,
For generating the ARM template of playbooks, kindly use the tool linked below:
https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Playbook-ARM-Template-Generator
Then fill in all the required metadata details and make sure that the Sentinel connection uses "ManagedServiceIdentity" for authentication.
For reference, check the playbook below: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ThreatXCloud/Playbooks/ThreatXPlaybooks/ThreatX-Enrichment/azuredeploy.json
The current ARM template of the playbook is giving an error while deploying the playbook:
Unable to process template language expressions for resource '/subscriptions/4383ac89-7cd1-48c1-8061-b0b3c5ccfd97/resourceGroups/manishsoar/providers/Microsoft.Logic/workflows/Enrich-SentinelIncident-MDATPTVM' at line '19' and column '9'. 'The template variable 'AzureSentinelConnectionName' is not found. Please see https://aka.ms/arm-syntax-variables for usage details.'
AzureSentinelConnectionName: I've set this as per the original https://github.com/Azure/Azure-Sentinel/blob/master/Playbooks/Enrich-SentinelIncident-MDATPTVM/azuredeploy.json
@noapocalypse, we are still not seeing that the playbook ARM template has metadata and that the Sentinel connection uses "ManagedServiceIdentity" for authentication.
Can you please check my previous comment again and make the changes accordingly?
I'll be honest, I'm bored of updating this now :) Started in April. Feel free to take the code and fix the broken playbook with it as an example, or keep the broken code in your main repo. I'm done updating; I've lost interest.
I have reached out to the author of the original playbook to ask him to take a look. I am unable to get noapocalypse's playbook to run as it has been submitted. From an MDTI point of view, not approved.