Updating text
v-sabiraj committed Oct 18, 2023
1 parent 7d5fd60 commit 0b8c608
Showing 7 changed files with 52 additions and 48 deletions.
Original file line number Diff line number Diff line change
@@ -1,15 +1,18 @@
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "2.2.0.0",
"metadata":{
"title": "Incident Assignment Shifts",
"metadata": {
"title": "Incident Assignment Shifts",
"description": "This playbook will assign an Incident to an owner based on the Shifts schedule in Microsoft Teams. When an incident is assigned, the incident owner will be notified via email. Incidents are assigned to users based on the following criteria:<br> *Only users who have started their shifts during the time the Logic App runs will be considered. *Users who still have at least 1 hours left before going off shift (can be configured in playbook) *User with the least incidents assigned on the current Shift will be assigned incident first. <br> Refer to [Automate Incident Assignment with Shifts for Teams](https://techcommunity.microsoft.com/t5/azure-sentinel/automate-incident-assignment-with-shifts-for-teams/ba-p/2297549) for more details.",
"prerequisites": ["1. Have [Shifts](https://support.microsoft.com/office/get-started-in-shifts-5f3e30d8-1821-4904-be26-c3cd25a497d6) schedule setup in Microsoft Teams.",
"2. Have user account with Owner role in Microsoft Teams",
"3. Have user account or Service Principal or Managed Identity with Microsoft Sentinel Responder role for HTTP and Microsoft Sentinel connectors",
"prerequisites": [
"1. Have [Shifts](https://support.microsoft.com/office/get-started-in-shifts-5f3e30d8-1821-4904-be26-c3cd25a497d6) schedule setup in Microsoft Teams.",
"2. Have user account with Owner role in Microsoft Teams",
"3. Have user account or Service Principal or Managed Identity with Microsoft Sentinel Responder role for HTTP and Microsoft Sentinel connectors",
"4. Have user account or Service Principal with Log Analytics Reader role on Microsoft Sentinel workspace for Azure Monitor Logs connector",
"5. Have An O365 account to be used to send email notification"],
"postDeployment": [ "**1. Enable Managed Identity and configure role assignment**",
"5. Have An O365 account to be used to send email notification"
],
"postDeployment": [
"**1. Enable Managed Identity and configure role assignment**",
"- Once deployed, go to the Logic App's blade and click on **Identity** under Settings.",
"- Select **On** under the **System assigned** tab. Click **Save** and select **Yes** when prompted.",
"- Click on **Azure role assignments** to assign role to the Managed Identity.",
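Review bot: the description carried as context in this hunk still reads "*Users who still have at least 1 hours left before going off shift"; since the metadata block is being re-indented anyway, fix the grammar to "at least 1 hour left". Also, "contentVersion": "2.2.0.0" is left untouched although the template's user-visible email text changes further down in this same file; bump the version so a redeployment is recognised as a new template revision.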
@@ -25,10 +28,11 @@
"- Edit the Logic App or go to Logic app designer.",
"- Find the **List all shifts** connector, click on the **X** sign next to Team field for the drop-down list to appear.",
"- Select the Teams channel with your Shifts schedule from the drop-down list.",
"- Save the Logic App once you have completed the above steps." ],
"lastUpdateTime": "2022-08-05T00:00:00.000Z",
"entities": [],
"tags": ["Incident management"],
"- Save the Logic App once you have completed the above steps."
],
"lastUpdateTime": "2022-08-05T00:00:00.000Z",
"entities": [],
"tags": [ "Incident management" ],
"support": {
"tier": "community"
},
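Review bot: "lastUpdateTime": "2022-08-05T00:00:00.000Z" is re-indented but not updated, even though this commit changes the email body and subject the playbook sends; set it to the commit date so the template is flagged as updated. The remaining lines in this hunk ("tags": ["Incident management"] → "tags": [ "Incident management" ], closing brackets moved to their own lines) are whitespace only and would be easier to review in a separate formatting-only commit.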
@@ -51,7 +55,7 @@
"EmailAddress": {
"defaultValue": "Your email address",
"type": "string"
}
}
},
"variables": {
"AzureMonitorLogs": "[concat('azuremonitorlogs-', parameters('PlaybookName'))]",
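Review bot: whitespace-only change (the closing brace of the EmailAddress parameter is re-indented), but the parameter visible here still carries "defaultValue": "Your email address", which is not an address. A deployment that forgets to override it succeeds and creates four API connections whose displayName is literally "Your email address"; drop the default so the deployment prompts for a real value instead.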
@@ -65,10 +69,10 @@
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('AzureMonitorLogs')]",
"location": "[resourceGroup().location]",
"location": "[resourceGroup().location]",
"properties": {
"displayName": "[parameters('EmailAddress')]",
"customParameterValues": {},
"displayName": "[parameters('EmailAddress')]",
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuremonitorlogs')]"
}
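Review bot: "displayName": "[parameters('EmailAddress')]" on the azuremonitorlogs connection is misleading: this connection is authorised with the Log Analytics Reader identity named in the prerequisites, not with the notification mailbox, so labelling it with the mailbox address confuses anyone auditing API connections later. Use a name that describes the connection, for example "[variables('AzureMonitorLogs')]". Apart from that the hunk is re-indentation only.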
@@ -80,8 +84,8 @@
"name": "[variables('AzureSentinel')]",
"location": "[resourceGroup().location]",
"properties": {
"displayName": "[parameters('EmailAddress')]",
"customParameterValues": {},
"displayName": "[parameters('EmailAddress')]",
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
}
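Review bot: the azuresentinel connection is meant to run as the Logic App's system-assigned managed identity (that is what the postDeployment steps in this file configure), so "displayName": "[parameters('EmailAddress')]" names it after an unrelated mailbox; give it a descriptive name such as "[variables('AzureSentinel')]". The indentation changes in this hunk are cosmetic.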
@@ -93,8 +97,8 @@
"name": "[variables('office365')]",
"location": "[resourceGroup().location]",
"properties": {
"displayName": "[parameters('EmailAddress')]",
"customParameterValues": {},
"displayName": "[parameters('EmailAddress')]",
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/office365')]"
}
@@ -106,8 +110,8 @@
"name": "[variables('Shifts')]",
"location": "[resourceGroup().location]",
"properties": {
"displayName": "[parameters('EmailAddress')]",
"customParameterValues": {},
"displayName": "[parameters('EmailAddress')]",
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/shifts')]"
}
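Review bot: the shifts connection is authorised with a Teams account holding the Owner role (prerequisite 2 in this file), so "displayName": "[parameters('EmailAddress')]" again attaches the notification mailbox's name to a connection that does not use it; name it after the connection instead. Whitespace only otherwise.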
@@ -118,16 +122,16 @@
"apiVersion": "2017-07-01",
"name": "[parameters('PlaybookName')]",
"location": "[resourceGroup().location]",
"tags": {
"hidden-SentinelTemplateName": "IncidentAssignmentShifts",
"hidden-SentinelTemplateVersion": "1.0"
},
"dependsOn": [
"tags": {
"hidden-SentinelTemplateName": "IncidentAssignmentShifts",
"hidden-SentinelTemplateVersion": "1.0"
},
"dependsOn": [
"[resourceId('Microsoft.Web/connections', variables('AzureMonitorLogs'))]",
"[resourceId('Microsoft.Web/connections', variables('AzureSentinel'))]",
"[resourceId('Microsoft.Web/connections', variables('office365'))]",
"[resourceId('Microsoft.Web/connections', variables('Shifts'))]"
],
],
"properties": {
"state": "Enabled",
"definition": {
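Review bot: "hidden-SentinelTemplateVersion": "1.0" is re-indented but not incremented, although the template's email body and subject change in this commit; Sentinel uses this tag to tell a deployed playbook from the current template version, so bump it (for example to "1.1"). The re-indentation of tags and dependsOn is otherwise cosmetic.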
@@ -197,7 +201,7 @@
]
},
"type": "Compose",
"inputs": "<!DOCTYPE html>\n<html>\n<head> \n<style>\n.header-Informational{background-color: grey;color: white;}.header-Low{background-color: yellow;color: black;}.header-Medium{background-color: orange;color: black;}.header-High{background-color: red;color: white;}\nspan{display: none;}.severity-1{display: inline;text-decoration:none;}\n{display: inline;text-decoration:none;}.cell{float: left;overflow: hidden;text-overflow: ellipsis;white-space: nowrap; max-width: 100%;}\n</style>\n</head>\n<body>\n<table class=\"header-@{triggerBody()?['object']?['properties']?['severity']}\" style=\"table-layout: auto; width: 100%; padding-left: 10px; padding-right:10px;font-size:20px\" ><tr>\n<td class=\"align-middle\" height=\"50\" align=\"left\" style=\"width: 20%;\">Severity:<b><i>@{triggerBody()?['object']?['properties']?['severity']}</b></i></td>\n<td class=\"align-middle\" height=\"50\" align=\"left\" style=\"width: 75%;\">Title: <b><i>@{triggerBody()?['object']?['properties']?['title']}</b></i></td></tr><tr>\n</table>\n<div style=\"margin-top: 20px\">\n\n The following incident in Azure Sentinel has been assigned to <b>@{body('Update_incident')?['properties']?['owner']?['assignedTo']}</b>.\n\n\n <h1>Incident Details:</h1>\n\n <b>Incident Number:</b> @{triggerBody()?['object']?['properties']?['incidentNumber']}<br />\n <b>Title:</b> @{triggerBody()?['object']?['properties']?['title']} <br />\n <b>Owner:</b> @{body('Update_incident')?['properties']?['owner']?['assignedTo']} <br />\n <b>Severity:</b> @{triggerBody()?['object']?['properties']?['severity']}<br />\n <b>TimeGenerated(UTC):</b> @{triggerBody()?['object']?['properties']?['createdTimeUtc']} <br />\n <b>Status:</b> @{triggerBody()?['object']?['properties']?['status']} <br />\n <br />\n <b>Incident link:</b> <a href=\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident@{triggerBody()?['object']?['id']}\">View Incident</a><br />\n\n </body>\n </html>\n\n"
"inputs": "<!DOCTYPE html>\n<html>\n<head> \n<style>\n.header-Informational{background-color: grey;color: white;}.header-Low{background-color: yellow;color: black;}.header-Medium{background-color: orange;color: black;}.header-High{background-color: red;color: white;}\nspan{display: none;}.severity-1{display: inline;text-decoration:none;}\n{display: inline;text-decoration:none;}.cell{float: left;overflow: hidden;text-overflow: ellipsis;white-space: nowrap; max-width: 100%;}\n</style>\n</head>\n<body>\n<table class=\"header-@{triggerBody()?['object']?['properties']?['severity']}\" style=\"table-layout: auto; width: 100%; padding-left: 10px; padding-right:10px;font-size:20px\" ><tr>\n<td class=\"align-middle\" height=\"50\" align=\"left\" style=\"width: 20%;\">Severity:<b><i>@{triggerBody()?['object']?['properties']?['severity']}</b></i></td>\n<td class=\"align-middle\" height=\"50\" align=\"left\" style=\"width: 75%;\">Title: <b><i>@{triggerBody()?['object']?['properties']?['title']}</b></i></td></tr><tr>\n</table>\n<div style=\"margin-top: 20px\">\n\n The following incident in Microsoft Sentinel has been assigned to <b>@{body('Update_incident')?['properties']?['owner']?['assignedTo']}</b>.\n\n\n <h1>Incident Details:</h1>\n\n <b>Incident Number:</b> @{triggerBody()?['object']?['properties']?['incidentNumber']}<br />\n <b>Title:</b> @{triggerBody()?['object']?['properties']?['title']} <br />\n <b>Owner:</b> @{body('Update_incident')?['properties']?['owner']?['assignedTo']} <br />\n <b>Severity:</b> @{triggerBody()?['object']?['properties']?['severity']}<br />\n <b>TimeGenerated(UTC):</b> @{triggerBody()?['object']?['properties']?['createdTimeUtc']} <br />\n <b>Status:</b> @{triggerBody()?['object']?['properties']?['status']} <br />\n <br />\n <b>Incident link:</b> <a href=\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident@{triggerBody()?['object']?['id']}\">View Incident</a><br />\n\n </body>\n </html>\n\n"
},
"Run_query_and_list_results_-_Get_user_with_low_assignment_": {
"runAfter": {},
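Review bot: the wording change is fine, but the Compose input still interpolates @{triggerBody()?['object']?['properties']?['title']} directly into HTML (the table cell and the Title line) with no escaping. The title is incident data, not a constant, so a title that contains markup or a link is delivered to the assignee's mailbox as live HTML. Escape &, < and > before interpolation (nested replace() calls in the expression, or a separate Compose step that produces a sanitised title) or send the notification as plain text. Minor markup defects in the same string: a selector-less CSS rule {display: inline;text-decoration:none;}, mis-nested <b><i>…</b></i>, and a <div> that is never closed; mail clients render these inconsistently.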
@@ -230,7 +234,7 @@
"inputs": {
"body": {
"Body": "<p>@{outputs('Compose_HTML_Email')}</p>",
"Subject": "Azure Sentinel Incident Assignment Notification - Incident Number: @{triggerBody()?['object']?['properties']?['incidentNumber']}",
"Subject": "Microsoft Sentinel Incident Assignment Notification - Incident Number: @{triggerBody()?['object']?['properties']?['incidentNumber']}",
"To": "@body('Update_incident')?['properties']?['owner']?['email']"
},
"host": {
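Review bot: "Body": "<p>@{outputs('Compose_HTML_Email')}</p>" wraps a complete HTML document (the Compose output begins with <!DOCTYPE html>) inside a <p> element, which is invalid HTML; pass the Compose output as the body directly. The Subject rename is consistent with the body text changed in the Compose step.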
@@ -604,28 +608,28 @@
"$connections": {
"value": {
"azuremonitorlogs": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureMonitorLogs'))]",
"connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureMonitorLogs'))]",
"connectionName": "[variables('AzureMonitorLogs')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuremonitorlogs')]"

},
"azuresentinel": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinel'))]",
"connectionName": "[variables('AzureSentinel')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"

},
"office365": {
"office365": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('office365'))]",
"connectionName": "[variables('office365')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/office365')]"

},
"shifts": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('Shifts'))]",
"connectionName": "[variables('Shifts')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/shifts')]"

}
}
}
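Review bot: re-indentation and blank-line removal only in the $connections block; no functional change. Since this commit reflows a template of several hundred lines, confirm the file still parses (a dry-run deployment or a JSON linter) before merging, because a stray comma from an editor reflow would break every deployment of this playbook.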
Original file line number Diff line number Diff line change
@@ -19,10 +19,10 @@ This playbook will assign an Incident to an owner based on the Shifts schedule i
Ensure you have the following details:


### 1. User account or Service Principal or Managed Identity with Azure Sentinel Responder role
- Create or use an existing user account/ Service Principal/ Managed Identity with Azure Sentinel Responder role.
### 1. User account or Service Principal or Managed Identity with Microsoft Sentinel Responder role
- Create or use an existing user account/ Service Principal/ Managed Identity with Microsoft Sentinel Responder role.

- This will be used in Azure Sentinel connectors (Incident Trigger, Update incident & Add comment to incident) and a HTTP connector.
- This will be used in Microsoft Sentinel connectors (Incident Trigger, Update incident & Add comment to incident) and a HTTP connector.

- This example will walk you through using System Managed Identity for the above connectors.

@@ -41,7 +41,7 @@


### 4. User account or Service Principal with Log Analytics Reader role
- Create or use an existing user account or Service Principal with Log Analytics Reader role on the Azure Sentinel workspace.
- Create or use an existing user account or Service Principal with Log Analytics Reader role on the Microsoft Sentinel workspace.

- The user account or Service Principal will be used in Azure Monitor Logs connector (Run query and list results).

@@ -65,8 +65,8 @@
<br />

- Click on **+ Add role assignment**.
- Select **Resource group** under Scope and select the **Subscription** and **Resource group** where the Azure Sentinel **Workspace** is located.
Select **Azure Sentinel Responder** under Role and click **Save**.
- Select **Resource group** under Scope and select the **Subscription** and **Resource group** where the Microsoft Sentinel **Workspace** is located.
Select **Microsoft Sentinel Responder** under Role and click **Save**.


### 2. Configure connections
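Review bot: the rewritten step scopes **Microsoft Sentinel Responder** to the **Resource group**, which gives the playbook's managed identity Responder rights on every Sentinel workspace in that resource group. The playbook only updates incidents in one workspace; if nothing else in the group needs it, scope the assignment to that workspace resource instead and say so here. The wording change itself is consistent with the rename.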
Original file line number Diff line number Diff line change
@@ -2,7 +2,7 @@

Author: Yaniv Shasha

This playbook will post a message in a Slack channel when an alert is created in Azure Sentinel.
This playbook will post a message in a Slack channel when an alert is created in Microsoft Sentinel.

## Prerequisites

Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
# Send-basic-email
author: Benjamin Kovacevic

This playbook will be sending email with basic incidents details (Incident title, severity, tactics, link,…) when incident is created in Azure Sentinel.
This playbook will be sending email with basic incidents details (Incident title, severity, tactics, link,…) when incident is created in Microsoft Sentinel.
<br/><br/>
## Pre-requisites:
An O365 account to be used to send email notification
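Review bot: the renamed line keeps the original grammar ("will be sending email with basic incidents details ... when incident is created"); since the line is being rewritten anyway, make it "This playbook sends an email with basic incident details (incident title, severity, tactics, link, …) when an incident is created in Microsoft Sentinel."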