diff --git a/Solutions/Microsoft Defender for Office 365/Playbooks/O365DefenderPlaybooks/o365-DeleteMaliciousInboxRule/azuredeploy.json b/Solutions/Microsoft Defender for Office 365/Playbooks/O365DefenderPlaybooks/o365-DeleteMaliciousInboxRule/azuredeploy.json
new file mode 100644
index 00000000000..760420800f4
--- /dev/null
+++ b/Solutions/Microsoft Defender for Office 365/Playbooks/O365DefenderPlaybooks/o365-DeleteMaliciousInboxRule/azuredeploy.json
@@ -0,0 +1,685 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "title": "O365 - Delete All Malicious Inbox Rule",
+ "description": "This Playbook provides the automation on deleting all the suspicious/malicious Inbox Rules from Provided Mailbox",
+ "prerequisites": [
+ "1. Prior to the deployment of this playbook, Defender for office 365 Custom Connector needs to be deployed under the same subscription.",
+ "2. Refer to [Defender for office 365 Logic App Custom Connector](../../CustomConnector/O365_Defender_FunctionAppConnector/readme.md) documentation for deployment instructions.",
+ "3. Refer to [DeleteMaliciousInboxRule](../../O365DefenderPlaybooks/o365-DeleteMaliciousInboxRule/readme.md) documentation for deployment instructions."
+ ],
+ "postDeployment": [
+ "1. Authorize each connection.",
+ "2. Configure Playbook in Microsoft Sentinel Analytic Rule.",
+ "3. Assign Microsoft Sentinel Responder Role to Playbook.",
+ "6. Check [readme.md](../../O365DefenderPlaybooks/o365-DeleteMaliciousInboxRule/readme.md) for detailed instructions."
+ ],
+ "prerequisitesDeployTemplateFile": "../../CustomConnector/O365_Defender_FunctionAppConnector/azuredeploy.json",
+ "lastUpdateTime": "2023-09-29T12:00:00.000Z",
+ "entities": [ "Account" ],
+ "tags": [ "Malicious", "o365", "Sender", "Email" ,"Account" ],
+ "support": {
+ "tier": "Microsoft"
+ },
+ "author": {
+ "name": "Microsoft"
+ }
+ },
+ "parameters": {
+ "PlaybookName": {
+ "defaultValue": "o365-DeleteMaliciousInboxRule",
+ "type": "string"
+ },
+ "Applicationid": {
+ "type": "string",
+ "metadata": {
+ "description": "Enter value for Applicationid"
+ }
+ },
+ "Keyvault name": {
+ "type": "String",
+ "metadata": {
+ "description": "Enter the key vault name where certificate thumbprint is stored"
+ }
+ },
+ "Certificate_key_name": {
+ "type": "string",
+ "metadata": {
+ "description": "Your Key name for the thumbprint secret stored in keyvault under secrets"
+ }
+ },
+ "OrganizationName": {
+ "type": "string",
+ "metadata": {
+ "description": "Enter value for OrganizationName"
+ }
+ },
+ "FunctionsAppName": {
+ "defaultValue": "o365def",
+ "type": "string",
+ "metadata": {
+ "description": "Name of the FunctionsApp custom connector, if you want to change the default name, make sure to use the same in all o365 automation playbooks as well"
+ }
+ }
+ },
+ "variables": {
+ "MicrosoftSentinelConnectionName": "[concat('MicrosoftSentinel-', parameters('PlaybookName'))]",
+ "FunctionsAppName": "[concat(parameters('FunctionsAppName'), uniqueString(resourceGroup().id))]",
+ "o365FuntionsAppId": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/sites/', variables('FunctionsAppName'))]",
+ "KeyvaultConnectionName": "[concat('Keyvault-', parameters('PlaybookName'))]"
+ },
+ "resources": [
+ {
+ "properties": {
+ "provisioningState": "Succeeded",
+ "state": "Enabled",
+ "definition": {
+ "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "$connections": {
+ "defaultValue": {},
+ "type": "Object"
+ },
+ "Applicationid": {
+ "defaultValue": "[parameters('Applicationid')]",
+ "type": "string"
+ },
+ "Certificate_key_name": {
+ "defaultValue": "[parameters('Certificate_key_name')]",
+ "type": "string"
+ },
+ "OrganizationName": {
+ "defaultValue": "[parameters('OrganizationName')]",
+ "type": "string"
+ }
+ },
+ "triggers": {
+ "Microsoft_Sentinel_incident": {
+ "type": "ApiConnectionWebhook",
+ "inputs": {
+ "body": {
+ "callback_url": "@{listCallbackUrl()}"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "path": "/incident-creation"
+ }
+ }
+ },
+ "actions": {
+ "Add_comment_to_incident_(V3)": {
+ "runAfter": {
+ "Create_HTML_table": [
+ "Succeeded"
+ ]
+ },
+ "type": "ApiConnection",
+ "inputs": {
+ "body": {
+ "incidentArmId": "@triggerBody()?['object']?['id']",
+ "message": "
Rules provided below are deleted from their respective mailboxes:
\n
\n@{variables('Finalarray')}
\n
\n
"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/Incidents/Comment"
+ }
+ },
+ "ConnectExchangeOnline": {
+ "runAfter": {
+ "Parse_JSON_-_Parsing_mailbox_Entries": [
+ "Succeeded"
+ ]
+ },
+ "type": "Function",
+ "inputs": {
+ "body": {
+ "ApplicationId": "@parameters('Applicationid')",
+ "CertificateThumbPrint": "@body('Get_secret')?['value']",
+ "OrganizationName": "@parameters('OrganizationName')"
+ },
+ "function": {
+ "id": "[concat(variables('o365FuntionsAppId'), '/functions/ConnectExchangeOnline')]"
+ }
+ }
+ },
+ "Create_HTML_table": {
+ "runAfter": {
+ "For_each_-_deleting_Mail_rules_action": [
+ "Succeeded"
+ ]
+ },
+ "type": "Table",
+ "inputs": {
+ "format": "HTML",
+ "from": "@variables('Finalarray')"
+ }
+ },
+ "DisconnectExchangeOnline_-_Clearing_any_pre-existing-cache_connection": {
+ "runAfter": {},
+ "type": "Function",
+ "inputs": {
+ "body": {
+ "ApplicationId": "@parameters('Applicationid')",
+ "OrganizationName": "@parameters('OrganizationName')"
+ },
+ "function": {
+ "id": "[concat(variables('o365FuntionsAppId'), '/functions/DisconnectExchangeOnline')]"
+ }
+ }
+ },
+ "DisconnectExchangeOnline_2": {
+ "runAfter": {
+ "Parse_JSON_-_Parsing_final_Array": [
+ "Succeeded"
+ ]
+ },
+ "type": "Function",
+ "inputs": {
+ "body": {
+ "ApplicationId": "@parameters('Applicationid')",
+ "OrganizationName": "@parameters('OrganizationName')"
+ },
+ "function": {
+ "id": "[concat(variables('o365FuntionsAppId'), '/functions/DisconnectExchangeOnline')]"
+ }
+ }
+ },
+ "For_each_-_Collecting_all_rules_and_Recipient_in_one_array": {
+ "foreach": "@body('Parse_JSON_-_Parsing_mailbox_Entries')",
+ "actions": {
+ "Condition_-_check_if_Response_Body_is_empty_or_not": {
+ "actions": {
+ "Append_to_array_variable_2": {
+ "runAfter": {
+ "For_each": [
+ "Succeeded"
+ ]
+ },
+ "type": "AppendToArrayVariable",
+ "inputs": {
+ "name": "Finalarray",
+ "value": {
+ "CompromisedMailBox": "@items('For_each_-_Collecting_all_rules_and_Recipient_in_one_array')?['properties']?['recipient']",
+ "RuleList": "@variables('RuleNameList')"
+ }
+ }
+ },
+ "Append_to_array_variable_4": {
+ "runAfter": {
+ "Parse_JSON_-_GetInboxrule-1": [
+ "Succeeded"
+ ]
+ },
+ "type": "AppendToArrayVariable",
+ "inputs": {
+ "name": "RuleNameList",
+ "value": "@body('Parse_JSON_-_GetInboxrule-1')?['Name']"
+ }
+ },
+ "Append_to_array_variable_5": {
+ "runAfter": {
+ "Append_to_array_variable_4": [
+ "Succeeded"
+ ]
+ },
+ "type": "AppendToArrayVariable",
+ "inputs": {
+ "name": "Finalarray",
+ "value": {
+ "CompromisedMailBox": "@items('For_each_-_Collecting_all_rules_and_Recipient_in_one_array')?['properties']?['recipient']",
+ "RuleList": "@variables('RuleNameList')"
+ }
+ }
+ },
+ "Compose_-dummy_": {
+ "runAfter": {},
+ "type": "Compose",
+ "inputs": "@body('GetInboxRule')"
+ },
+ "For_each": {
+ "foreach": "@body('Parse_JSON_-_GetInboxrule')",
+ "actions": {
+ "Append_to_array_variable": {
+ "runAfter": {},
+ "type": "AppendToArrayVariable",
+ "inputs": {
+ "name": "RuleNameList",
+ "value": "@items('For_each')['Name']"
+ }
+ }
+ },
+ "runAfter": {
+ "Parse_JSON_-_GetInboxrule": [
+ "Succeeded"
+ ]
+ },
+ "type": "Foreach"
+ },
+ "Parse_JSON_-_GetInboxrule": {
+ "runAfter": {
+ "Compose_-dummy_": [
+ "Succeeded"
+ ]
+ },
+ "type": "ParseJson",
+ "inputs": {
+ "content": "@body('GetInboxRule')",
+ "schema": {
+ "items": {
+ "properties": {
+ "Description": {
+ "type": "string"
+ },
+ "Enabled": {
+ "type": "boolean"
+ },
+ "Identity": {
+ "type": "string"
+ },
+ "InError": {
+ "type": "boolean"
+ },
+ "Name": {
+ "type": "string"
+ }
+ },
+ "required": [
+ "Description",
+ "Enabled",
+ "Identity",
+ "InError",
+ "Name"
+ ],
+ "type": "object"
+ },
+ "type": "array"
+ }
+ }
+ },
+ "Parse_JSON_-_GetInboxrule-1": {
+ "runAfter": {
+ "Compose_-dummy_": [
+ "Succeeded"
+ ]
+ },
+ "type": "ParseJson",
+ "inputs": {
+ "content": "@body('GetInboxRule')",
+ "schema": {
+ "properties": {
+ "Description": {
+ "type": "string"
+ },
+ "Enabled": {
+ "type": "boolean"
+ },
+ "Identity": {
+ "type": "string"
+ },
+ "InError": {
+ "type": "boolean"
+ },
+ "Name": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ }
+ }
+ }
+ },
+ "runAfter": {
+ "GetInboxRule": [
+ "Succeeded"
+ ]
+ },
+ "else": {
+ "actions": {
+ "Append_to_array_variable_3": {
+ "runAfter": {},
+ "type": "AppendToArrayVariable",
+ "inputs": {
+ "name": "Finalarray",
+ "value": {
+ "CompromisedMailBox": "@items('For_each_-_Collecting_all_rules_and_Recipient_in_one_array')?['properties']?['recipient']",
+ "RuleList": [
+ "No rule found - Deleted Nothing"
+ ]
+ }
+ }
+ }
+ }
+ },
+ "expression": {
+ "and": [
+ {
+ "not": {
+ "equals": [
+ "@body('GetInboxRule')",
+ ""
+ ]
+ }
+ }
+ ]
+ },
+ "type": "If"
+ },
+ "GetInboxRule": {
+ "runAfter": {},
+ "type": "Function",
+ "inputs": {
+ "body": {
+ "Mailbox": "@items('For_each_-_Collecting_all_rules_and_Recipient_in_one_array')?['properties']?['recipient']"
+ },
+ "function": {
+ "id": "[concat(variables('o365FuntionsAppId'), '/functions/GetInboxRule')]"
+ }
+ }
+ }
+ },
+ "runAfter": {
+ "ConnectExchangeOnline": [
+ "Succeeded"
+ ]
+ },
+ "type": "Foreach",
+ "runtimeConfiguration": {
+ "concurrency": {
+ "repetitions": 1
+ }
+ }
+ },
+ "For_each_-_deleting_Mail_rules_action": {
+ "foreach": "@body('Parse_JSON_-_Parsing_final_Array')",
+ "actions": {
+ "For_each_3": {
+ "foreach": "@items('For_each_-_deleting_Mail_rules_action')['RuleList']",
+ "actions": {
+ "ConnectExchangeOnline_2": {
+ "runAfter": {},
+ "type": "Function",
+ "inputs": {
+ "body": {
+ "ApplicationId": "@parameters('Applicationid')",
+ "CertificateThumbPrint": "@body('Get_secret')?['value']",
+ "OrganizationName": "@parameters('OrganizationName')"
+ },
+ "function": {
+ "id": "[concat(variables('o365FuntionsAppId'), '/functions/ConnectExchangeOnline')]"
+ }
+ }
+ },
+ "DisconnectExchangeOnline": {
+ "runAfter": {
+ "RemoveInboxRule": [
+ "Succeeded"
+ ]
+ },
+ "type": "Function",
+ "inputs": {
+ "body": {
+ "ApplicationId": "@parameters('Applicationid')",
+ "OrganizationName": "@parameters('OrganizationName')"
+ },
+ "function": {
+ "id": "[concat(variables('o365FuntionsAppId'), '/functions/DisconnectExchangeOnline')]"
+ }
+ }
+ },
+ "RemoveInboxRule": {
+ "runAfter": {
+ "ConnectExchangeOnline_2": [
+ "Succeeded"
+ ]
+ },
+ "type": "Function",
+ "inputs": {
+ "body": {
+ "Identity": "@items('For_each_3')",
+ "Mailbox": "@{items('For_each_-_deleting_Mail_rules_action')['CompromisedMailBox']}"
+ },
+ "function": {
+ "id": "[concat(variables('o365FuntionsAppId'), '/functions/RemoveInboxRule')]"
+ }
+ }
+ }
+ },
+ "runAfter": {},
+ "type": "Foreach"
+ }
+ },
+ "runAfter": {
+ "DisconnectExchangeOnline_2": [
+ "Succeeded"
+ ]
+ },
+ "type": "Foreach",
+ "runtimeConfiguration": {
+ "concurrency": {
+ "repetitions": 1
+ }
+ }
+ },
+ "Get_secret": {
+ "runAfter": {
+ "DisconnectExchangeOnline_-_Clearing_any_pre-existing-cache_connection": [
+ "Succeeded"
+ ]
+ },
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['keyvault']['connectionId']"
+ }
+ },
+ "method": "get",
+ "path": "/secrets/@{encodeURIComponent(parameters('Certificate_key_name'))}/value"
+ }
+ },
+ "Initialize_variable": {
+ "runAfter": {
+ "Get_secret": [
+ "Succeeded"
+ ]
+ },
+ "type": "InitializeVariable",
+ "inputs": {
+ "variables": [
+ {
+ "name": "RuleNameList",
+ "type": "array"
+ }
+ ]
+ }
+ },
+ "Initialize_variable_-_Final_result_array_of_object": {
+ "runAfter": {
+ "Initialize_variable": [
+ "Succeeded"
+ ]
+ },
+ "type": "InitializeVariable",
+ "inputs": {
+ "variables": [
+ {
+ "name": "Finalarray",
+ "type": "array"
+ }
+ ]
+ }
+ },
+ "Parse_JSON_-_Parsing_final_Array": {
+ "runAfter": {
+ "For_each_-_Collecting_all_rules_and_Recipient_in_one_array": [
+ "Succeeded",
+ "Failed"
+ ]
+ },
+ "type": "ParseJson",
+ "inputs": {
+ "content": "@variables('Finalarray')",
+ "schema": {
+ "items": {
+ "properties": {
+ "CompromisedMailBox": {
+ "type": "string"
+ },
+ "RuleList": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ }
+ },
+ "required": [
+ "CompromisedMailBox",
+ "RuleList"
+ ],
+ "type": "object"
+ },
+ "type": "array"
+ }
+ }
+ },
+ "Parse_JSON_-_Parsing_mailbox_Entries": {
+ "runAfter": {
+ "Initialize_variable_-_Final_result_array_of_object": [
+ "Succeeded"
+ ]
+ },
+ "type": "ParseJson",
+ "inputs": {
+ "content": "@triggerBody()?['object']?['properties']?['relatedEntities']",
+ "schema": {
+ "items": {
+ "properties": {
+ "id": {
+ "type": "string"
+ },
+ "kind": {
+ "type": "string"
+ },
+ "properties": {
+ "properties": {
+ "fileEntityIds": {
+ "type": "array"
+ },
+ "friendlyName": {
+ "type": "string"
+ },
+ "recipient": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "type": {
+ "type": "string"
+ }
+ },
+ "required": [
+ "id",
+ "type",
+ "kind",
+ "properties"
+ ],
+ "type": "object"
+ },
+ "type": "array"
+ }
+ }
+ }
+ },
+ "outputs": {}
+ },
+ "parameters": {
+ "$connections": {
+ "value": {
+ "azuresentinel": {
+ "connectionId": "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
+ "connectionName": "[variables('MicrosoftSentinelConnectionName')]",
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]",
+ "connectionProperties": {
+ "authentication": {
+ "type": "ManagedServiceIdentity"
+ }
+ }
+ },
+ "keyvault": {
+ "connectionId": "[resourceId('Microsoft.Web/connections', variables('KeyvaultConnectionName'))]",
+ "connectionName": "[variables('KeyvaultConnectionName')]",
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Keyvault')]",
+ "connectionProperties": {
+ "authentication": {
+ "type": "ManagedServiceIdentity"
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "name": "[parameters('PlaybookName')]",
+ "type": "Microsoft.Logic/workflows",
+ "location": "[resourceGroup().location]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "tags": {
+ "hidden-SentinelTemplateName": "o365-DeleteMaliciousInboxRule",
+ "hidden-SentinelTemplateVersion": "1.0"
+ },
+ "apiVersion": "2017-07-01",
+ "dependsOn": [
+ "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
+ "[resourceId('Microsoft.Web/connections', variables('KeyvaultConnectionName'))]"
+ ]
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[variables('MicrosoftSentinelConnectionName')]",
+ "location": "[resourceGroup().location]",
+ "kind": "V1",
+ "properties": {
+ "displayName": "[variables('MicrosoftSentinelConnectionName')]",
+ "customParameterValues": {},
+ "parameterValueType": "Alternative",
+ "api": {
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Web/Connections",
+ "apiVersion": "2016-06-01",
+ "name": "[variables('KeyvaultConnectionName')]",
+ "kind": "V1",
+ "location": "[resourceGroup().location]",
+ "properties": {
+ "api": {
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/', 'keyvault')]",
+ "type": "Microsoft.Web/locations/managedApis"
+ },
+ "parameterValueType": "Alternative",
+ "alternativeParameterValues": {
+ "vaultName": "[parameters('keyvault name')]"
+ },
+ "displayName": "[variables('KeyvaultConnectionName')]",
+ "nonSecretParameterValues": {
+ "vaultName": "[parameters('keyvault name')]"
+ }
+ }
+ }
+ ]
+}
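Review bot: `RuleNameList` is initialised once in `Initialize_variable` and never cleared inside `For_each_-_Collecting_all_rules_and_Recipient_in_one_array`, so from the second mailbox entity onward each `Finalarray` entry also carries the rule names of every earlier mailbox, and `RemoveInboxRule` is then called with those names against the wrong mailbox. Reset the variable at the start of each iteration, for example with a `SetVariable` action that `GetInboxRule` runs after (sketched below; the action name is only a suggestion). Separately, the else branch stores the text `No rule found - Deleted Nothing` in `RuleList`, and the deletion loop passes it to `RemoveInboxRule` as an `Identity`; leaving `RuleList` empty and adding that message only when the incident comment is built would avoid the call. Nothing in the workflow filters what `GetInboxRule` returns, so unless that function (outside this diff) does the filtering, every inbox rule on the mailbox is deleted rather than only the forwarding rules the readme describes.

```json
"Reset_RuleNameList": {
  "runAfter": {},
  "type": "SetVariable",
  "inputs": {
    "name": "RuleNameList",
    "value": []
  }
},
"GetInboxRule": {
  "runAfter": {
    "Reset_RuleNameList": [
      "Succeeded"
    ]
  },
```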
diff --git a/Solutions/Microsoft Defender for Office 365/Playbooks/O365DefenderPlaybooks/o365-DeleteMaliciousInboxRule/images/o365-DeleteMaliciousInboxRule_entitymapping.jpg b/Solutions/Microsoft Defender for Office 365/Playbooks/O365DefenderPlaybooks/o365-DeleteMaliciousInboxRule/images/o365-DeleteMaliciousInboxRule_entitymapping.jpg
new file mode 100644
index 00000000000..54afd9e36de
Binary files /dev/null and b/Solutions/Microsoft Defender for Office 365/Playbooks/O365DefenderPlaybooks/o365-DeleteMaliciousInboxRule/images/o365-DeleteMaliciousInboxRule_entitymapping.jpg differ
diff --git a/Solutions/Microsoft Defender for Office 365/Playbooks/O365DefenderPlaybooks/o365-DeleteMaliciousInboxRule/images/o365-DeleteMaliciousInboxRule_light.jpg b/Solutions/Microsoft Defender for Office 365/Playbooks/O365DefenderPlaybooks/o365-DeleteMaliciousInboxRule/images/o365-DeleteMaliciousInboxRule_light.jpg
new file mode 100644
index 00000000000..c4ce14c76ce
Binary files /dev/null and b/Solutions/Microsoft Defender for Office 365/Playbooks/O365DefenderPlaybooks/o365-DeleteMaliciousInboxRule/images/o365-DeleteMaliciousInboxRule_light.jpg differ
diff --git a/Solutions/Microsoft Defender for Office 365/Playbooks/O365DefenderPlaybooks/o365-DeleteMaliciousInboxRule/readme.md b/Solutions/Microsoft Defender for Office 365/Playbooks/O365DefenderPlaybooks/o365-DeleteMaliciousInboxRule/readme.md
new file mode 100644
index 00000000000..b08523e50d3
--- /dev/null
+++ b/Solutions/Microsoft Defender for Office 365/Playbooks/O365DefenderPlaybooks/o365-DeleteMaliciousInboxRule/readme.md
@@ -0,0 +1,63 @@
+# o365-Delete All Malicious Inbox Rule Playbook
+ ## Summary
+ When a new Microsoft Sentinel incident is created, this playbook gets triggered and performs below actions
+ 1. Fetches the list of Malicious forwarding rule of compromised mailbox .
+ 2. Delete all forwarding rule from mailbox .
+
+
+
+### Prerequisites
+1. Defender for office 365 function app custom connector needs to be deployed prior to the deployment of this playbook under the same subscription.
+2. Custom connector [readme.md](../../CustomConnector/O365_Defender_FunctionAppConnector/readme.md) file should be followed properly before using any of the Defender for office 365 playbooks.
+
+### Deployment instructions
+1. Deploy the playbook by clicking on "Deploy to Azure" button. This will take you to deploying an ARM Template wizard.
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FMicrosoft%2520Defender%2520for%2520Office%2520365%2FPlaybooks%2FO365DefenderPlaybooks%2Fo365-DeleteMaliciousInboxRule%2Fazuredeploy.json)
+[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FMicrosoft%2520Defender%2520for%2520Office%2520365%2FPlaybooks%2FO365DefenderPlaybooks%2Fo365-DeleteMaliciousInboxRule%2Fazuredeploy.json)
+
+2. Fill in the required parameters:
+ * Playbook Name: Enter the playbook name here
+ * Applicationid: Enter the application ID , which you got during app registration.
+ * Organization Name : Enter the organization name (ex : abc@pay.onmicrosoft.com then orgname will be : pay.onmicrosoft.com).
+ * Key vault name : Your Key vault name where certificate thumbprint is saved.
+ * Certificate_key_name : Your secret key name under which certificate thumbprint is stored.
+ * Functions App Name : Enter your function app name (Default : o365def ,Recommend : don’t change it)
+
+
+### Post-Deployment instructions
+#### a. Authorize connections (Perform this action if needed)
+Once deployment is complete, you will need to authorize each connection.
+1. Click the Microsoft Sentinel connection resource
+2. Click edit API connection
+3. Click Authorize
+4. Sign in
+5. Click Save
+6. Repeat steps for all connections
+#### b. Configurations in Sentinel
+1. In Microsoft sentinel analytical rules should be configured to trigger an incident with risky Account.
+2. Configure the automation rules to trigger this playbook, mapping of account is necessary
+3. Refer to Screenshot below
+
+
+
+#### c. Assign Playbook Microsoft Sentinel Responder Role
+1. Select the Playbook (Logic App) resource
+2. Click on Identity Blade
+3. Choose System assigned tab
+4. Click on Azure role assignments
+5. Click on Add role assignments
+6. Select Scope - Resource group
+7. Select Subscription - where Playbook has been created
+8. Select Resource group - where Playbook has been created
+9. Select Role - Microsoft Sentinel Responder
+10. Click Save (It takes 3-5 minutes to show the added role.)
+#### d. Assign access policy on key vault for Playbook to fetch the secret key
+1. Select the Keyvault resource where you have stored the secret
+2. Click on Access policies Blade
+3. Click on Create
+4. Under Secret permissions column , Select Get , List from "Secret Management Operations"
+5. Click next to go to Principal tab and choose your deployed playbook name
+6. Click Next leave application tab as it is .
+7. Click Review and create
+8. Click Create