
Updating the original playbook #7906

Closed

Conversation

noapocalypse
Contributor

Removed unneeded tasks - updated a few variable fields etc.

Required items, please complete

Change(s):

  • Removed unused Alert - Get incident
  • Replaced condition Add comment to incident (v2) - with V3
  • Replaced Change incident severity to High with Update Incident
  • Updated the Parse JSON schema in For each to match output of Alert - Get hosts
  • Changed the variable in the URI to match the MDATPDeviceID with new Schema

Reason for Change(s):

  • New schemas used in output of tasks
  • Playbook as it currently is misses fields out
  • Superfluous tasks calls
  • Use of old methods/tasks

Version Updated:

  • No
  • N/A?

Testing Completed:

  • Yes
  • Where I was getting 404s and red task fails for the original playbook, these are updated and pulling fields as expected.

Checked that the validations are passing and have addressed any issues that are present:

  • Yes - the only underlines are in the connection name, but this will be updated by the deploying user

@noapocalypse
Contributor Author

@microsoft-github-policy-service agree

@v-prasadboke v-prasadboke self-assigned this Apr 24, 2023
@v-prasadboke v-prasadboke added the Playbook Playbook specialty review needed label Apr 24, 2023
@v-prasadboke
Contributor

Hello @noapocalypse looking into this

@v-prasadboke
Contributor

Hello @v-vdixit can you please look into this

@v-prasadboke
Contributor

Looking into this

@v-prasadboke
Contributor

Hello @noapocalypse working on this

@noapocalypse
Contributor Author

> Hello @noapocalypse working on this

Nice one :)


@v-atulyadav
Contributor

Hi @manishkumar1991, please provide your feedback on this. Thanks

@v-prasadboke
Contributor

Sorry for the late reply @noapocalypse , @manishkumar1991 can you please look into this

@manishkumar1991
Contributor

@v-prasadboke: Kindly ask @noapocalypse to clear the validations, then only I can go ahead and review the PR.

@v-prasadboke
Contributor

Hello @noapocalypse please update your branch from the master

@noapocalypse
Contributor Author

> Hello @noapocalypse please update your branch from the master

I have no visibility of the validations requiring correction.
@v-prasadboke @manishkumar1991

@v-rbajaj
Contributor

v-rbajaj commented Jun 6, 2023

Hi @noapocalypse, can you please update your branch from master and push the changes?
This will re run the failed validations.

@manishkumar1991
Contributor

Hello @noapocalypse,

For generating the ARM template of playbooks, kindly use the tool, link provided below:

https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Playbook-ARM-Template-Generator

Then fill in all the required metadata details and make sure that the Sentinel connection uses "ManagedServiceIdentity" for authentication.

For reference check the below playbook.
https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ThreatXCloud/Playbooks/ThreatXPlaybooks/ThreatX-Enrichment/azuredeploy.json

Current ARM template of the playbook is giving an error while deploying the playbook:

Unable to process template language expressions for resource '/subscriptions/4383ac89-7cd1-48c1-8061-b0b3c5ccfd97/resourceGroups/manishsoar/providers/Microsoft.Logic/workflows/Enrich-SentinelIncident-MDATPTVM' at line '19' and column '9'. 'The template variable 'AzureSentinelConnectionName' is not found. Please see https://aka.ms/arm-syntax-variables for usage details.'. Click here for details

@noapocalypse
Contributor Author

AzureSentinelConnectionName: I've set this as per the original https://github.com/Azure/Azure-Sentinel/blob/master/Playbooks/Enrich-SentinelIncident-MDATPTVM/azuredeploy.json

@v-rbajaj v-rbajaj linked an issue Jul 5, 2023 that may be closed by this pull request
@manishkumar1991
Contributor

@noapocalypse, we are still not seeing that the playbook ARM template has metadata and that the Sentinel connection uses "ManagedServiceIdentity" for authentication.

Can you please check my previous comment again and make the changes accordingly?

@noapocalypse
Contributor Author

> @noapocalypse , We are still not seeing that playbook arm template has metadata and sentinel connection uses "ManagedServiceIdentity" for authentication
>
> Can you please again check my previous comment and do the changes accordingly

I'll be honest, I'm bored of updating this now :) Started in April. Feel free to take the code and fix the broken playbook with it as an example, or keep the broken code in your main repo. I'm done updating; I've lost interest.

@dennismercer

I have reached out to the author of the original playbook to ask him to take a look. I am unable to get noapocalypse's playbook to run as it has been submitted. From an MDTI point of view, not approved.

Successfully merging this pull request may close these issues.

Enrich-SentinelIncident-MDATPTVM