You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/sentinel/sentinel-playbook-creation.md
+48-21Lines changed: 48 additions & 21 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -27,40 +27,40 @@ To understand more about potential playbook use cases, see [Recommended Microsof
27
27
28
28
## Creating and publishing playbooks
29
29
30
-
Microsoft Sentinel Playbooks are based on Microsoft Azure Logic Apps, a cloud platform that enables the creation and execution of automated workflows with minimal to no coding. Users can use the visual designer and select prebuilt operations to efficiently build workflows that integrate and manage their applications, data, services, and systems. For more information, see [Overview - Azure Logic Apps | Microsoft Learn](/azure/logic-apps/logic-apps-overview). Microsoft Azure Logic Apps includes numerous out-of-the-box connectors, such as Salesforce, Office 365, and SQL, which offer no-code options for various functions. For example, the Office 365 Outlook connector includes built-in actions for sending emails without needing any code. If specific actions required by a playbook aren't covered by the out-of-the-box connectors, creating a custom connector is necessary.
30
+
Microsoft Sentinel playbooks are based on Microsoft Azure Logic Apps, a cloud platform that enables the creation and execution of automated workflows with minimal to no coding. Users can use the visual designer and select prebuilt operations to efficiently build workflows that integrate and manage their applications, data, services, and systems. For more information, see [Overview - Azure Logic Apps | Microsoft Learn](/azure/logic-apps/logic-apps-overview). Microsoft Azure Logic Apps includes numerous out-of-the-box connectors, such as Salesforce, Office 365, and SQL, which offer no-code options for various functions. For example, the Office 365 Outlook connector includes built-in actions for sending emails without needing any code. If specific actions required by a playbook aren't covered by the out-of-the-box connectors, creating a custom connector is necessary.
31
31
32
-
### Scenario 1: Playbook using builtin connectors
32
+
### Scenario 1: playbook using builtin connectors
33
33
34
-
**Step 1: Create the Playbook**
35
-
If your Playbook doesn't require any custom actions outside of the actions already provided by the built-in connectors, you can use the Azure Logic apps UI in Microsoft Sentinel to create the Playbook. No other code is required. For detailed instructions on how to create Playbooks from Azure portal, see [Create and manage Microsoft Sentinel playbooks | Microsoft Learn](/azure/sentinel/automation/create-playbooks?tabs=azure-portal%2Cconsumption). For detailed instructions on how to create Playbooks from Defender portal, see [Create and manage Microsoft Sentinel playbooks | Microsoft Learn](/azure/sentinel/automation/create-playbooks?tabs=defender-portal%2Cconsumption).
34
+
**Step 1: Create the playbook**
35
+
If your playbook doesn't require any custom actions outside of the actions already provided by the built-in connectors, you can use the Azure Logic apps UI in Microsoft Sentinel to create the playbook. No other code is required. For detailed instructions on how to create playbooks from Azure portal, see [Create and manage Microsoft Sentinel playbooks | Microsoft Learn](/azure/sentinel/automation/create-playbooks?tabs=azure-portal%2Cconsumption). For detailed instructions on how to create playbooks from Defender portal, see [Create and manage Microsoft Sentinel playbooks | Microsoft Learn](/azure/sentinel/automation/create-playbooks?tabs=defender-portal%2Cconsumption).
36
36
37
-
**Step 2: Generate the ARM template for the Playbook**
37
+
**Step 2: Generate the ARM template for the playbook**
38
38
In the Code view tab of the Azure Logic Apps editor, you can access the JSON ARM template. Remove any organizational details like tenant ID and subscription info for privacy and security. Follow these steps to get a sanitized version of your playbook ARM template -
39
39
40
-
1. Download the PowerShell script from https://aka.ms/Playbook-ARM-Template-Generator
41
-
1. Extract the folder and open "Playbook_ARM_Template_Generator.ps1" in Visual Studio Code, Windows PowerShell, or PowerShell Core.
40
+
1. Download the PowerShell script from https://aka.ms/playbook-ARM-Template-Generator
41
+
1. Extract the folder and open "playbook_ARM_Template_Generator.ps1" in Visual Studio Code, Windows PowerShell, or PowerShell Core.
42
42
43
43
> [!NOTE]
44
44
> Run the script from your machine. Allow PowerShell script execution by running the command in PowerShell: Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
45
45
46
46
1. Enter your Azure Tenant ID when prompted.
47
47
1. Authenticate with your credentials, then choose:
48
48
1. Subscription
49
-
1.Playbooks
50
-
1. Select a location on your local drive to save the sanitized ARM Template as azuredeploy.json. The tool converts Microsoft Sentinel connections to Microsoft Software Installer (MSI) during export. For more information, see this demonstration video [Export your SOAR Playbooks with ease | Microsoft Sentinel in the Field #7 - YouTube](https://www.youtube.com/watch?v=scTtVHVzrQw)
49
+
1.playbooks
50
+
1. Select a location on your local drive to save the sanitized ARM Template as azuredeploy.json. The tool converts Microsoft Sentinel connections to Microsoft Software Installer (MSI) during export. For more information, see this demonstration video [Export your SOAR playbooks with ease | Microsoft Sentinel in the Field #7 - YouTube](https://www.youtube.com/watch?v=scTtVHVzrQw)
51
51
1. Update the metadata section of the azuredeploy.json file with your playbook's specific details
52
52
53
53
:::image type="content" source="media/sentinel-playbook-creation/playbook-update-metadata.png" alt-text="Screenshot of playbook metadata that needs to be updated." lightbox="media/sentinel-playbook-creation/playbook-update-metadata.png" :::
54
54
55
-
5. It's recommended to use managed service identity rather than user-assigned identity for connecting Azure services (such as Microsoft Sentinel, Key Vault, and Storage Account) with playbooks. Update the authentication type under connectionProperties to "ManagedServiceIdentity".
55
+
7. It's recommended to use managed service identity rather than user-assigned identity for connecting Azure services (such as Microsoft Sentinel, Key Vault, and Storage Account) with playbooks. Update the authentication type under connectionProperties to "ManagedServiceIdentity".
56
56
57
57
:::image type="content" source="media/sentinel-playbook-creation/sentinel-playbook-identity.png" alt-text="Screenshot of playbook identity updates." lightbox="media/sentinel-playbook-creation/sentinel-playbook-identity.png" :::
58
58
59
-
6. Update "Microsoft.Web/connections" resources
59
+
8. Update "Microsoft.Web/connections" resources
60
60
61
61
:::image type="content" source="media/sentinel-playbook-creation/sentinel-playbook-web-connections.png" alt-text="Screenshot of playbook web connections metadata." lightbox="media/sentinel-playbook-creation/sentinel-playbook-web-connections.png" :::
62
62
63
-
For more information, see https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ThreatXCloud/Playbooks/ThreatXPlaybooks/ThreatX-BlockIP-URL/azuredeploy.json
63
+
For more information, see https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ThreatXCloud/playbooks/ThreatXplaybooks/ThreatX-BlockIP-URL/azuredeploy.json
64
64
65
65
### Scenario 2: Playbook using custom connectors
66
66
@@ -72,12 +72,40 @@ Custom connectors in Logic Apps extend Azure Logic Apps by integrating with APIs
72
72
73
73
For more information, see [custom connectors](/connectors/custom-connectors)
74
74
75
-
**Step 1: Create the Playbook**
75
+
**Step 1: Create the playbook**
76
76
To create a custom connector, describe the API so the connector understands its operations and data structures. This example uses an OpenAPI definition for the Cognitive Services Text Analytics Sentiment API. For more details on creating custom connectors, visit [Create a custom connector from an OpenAPI definition | Microsoft Learn](/connectors/custom-connectors/define-openapi-definition)
77
77
78
-
Once the custom connector is created, you can use it to build a Playbook using Azure logic apps. For step-by-step instructions on how to use custom connectors in a playbook, see [Use a custom connector in a logic app workflow | Microsoft Learn](/connectors/custom-connectors/use-custom-connector-logic-apps)
78
+
Once the custom connector is created, you can use it to build a playbook using Azure logic apps. For step-by-step instructions on how to use custom connectors in a playbook, see [Use a custom connector in a logic app workflow | Microsoft Learn](/connectors/custom-connectors/use-custom-connector-logic-apps)
79
79
80
-
**Step 2: Generate the ARM template for the Playbook**
80
+
**Step 2: Generate the ARM template for the playbook**
81
+
In the Code view tab of the Azure Logic Apps editor, you can access the JSON ARM template. Remove any organizational details like tenant ID and subscription info for privacy and security. Follow these steps to get a sanitized version of your playbook ARM template -
82
+
83
+
1. Download the PowerShell script from https://aka.ms/playbook-ARM-Template-Generator
84
+
1. Extract the folder and open "playbook_ARM_Template_Generator.ps1" in Visual Studio Code, Windows PowerShell, or PowerShell Core.
85
+
86
+
> [!NOTE]
87
+
> Run the script from your machine. Allow PowerShell script execution by running the command in PowerShell: Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
88
+
89
+
1. Enter your Azure Tenant ID when prompted.
90
+
1. Authenticate with your credentials, then choose:
91
+
1. Subscription
92
+
1. playbooks
93
+
1. Select a location on your local drive to save the sanitized ARM Template as azuredeploy.json. The tool converts Microsoft Sentinel connections to Microsoft Software Installer (MSI) during export. For more information, see this demonstration video [Export your SOAR playbooks with ease | Microsoft Sentinel in the Field #7 - YouTube](https://www.youtube.com/watch?v=scTtVHVzrQw)
94
+
1. Update the metadata section of the azuredeploy.json file with your playbook's specific details
95
+
96
+
:::image type="content" source="media/sentinel-playbook-creation/playbook-update-metadata.png" alt-text="Screenshot of playbook metadata that needs to be updated." lightbox="media/sentinel-playbook-creation/playbook-update-metadata.png" :::
97
+
98
+
7. It's recommended to use managed service identity rather than user-assigned identity for connecting Azure services (such as Microsoft Sentinel, Key Vault, and Storage Account) with playbooks. Update the authentication type under connectionProperties to "ManagedServiceIdentity".
99
+
100
+
:::image type="content" source="media/sentinel-playbook-creation/sentinel-playbook-identity.png" alt-text="Screenshot of playbook identity updates." lightbox="media/sentinel-playbook-creation/sentinel-playbook-identity.png" :::
101
+
102
+
8. Update "Microsoft.Web/connections" resources
103
+
104
+
:::image type="content" source="media/sentinel-playbook-creation/sentinel-playbook-web-connections.png" alt-text="Screenshot of playbook web connections metadata." lightbox="media/sentinel-playbook-creation/sentinel-playbook-web-connections.png" :::
105
+
106
+
For more information, see https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ThreatXCloud/playbooks/ThreatXplaybooks/ThreatX-BlockIP-URL/azuredeploy.json
107
+
108
+
**Step 3: Generate the ARM template for the Logic app Custom Connector**
81
109
1. Navigate to Azure portal
82
110
1. Search for **Logic Apps Custom Connector**
83
111
1. Open the connector and then select on Export template under Automation link.
@@ -90,7 +118,6 @@ Once the custom connector is created, you can use it to build a Playbook using A
90
118
91
119
:::image type="content" source="media/sentinel-playbook-creation/sentinel-playbook-download-swagger.png" alt-text="Screenshot to download swagger file." Lightbox="media/sentinel-playbook-creation/sentinel-playbook-download-swagger.png" :::
92
120
93
-
94
121
7. Updated the JSON file created in step 4 with the swagger and backendService values obtained from the swagger file created in step 6.
95
122
1. Validate the host, basepath, and scheme parameters in the swagger file and update as needed.
96
123
@@ -101,14 +128,14 @@ Once the custom connector is created, you can use it to build a Playbook using A
Refer to the link for reference or comparison to determine which other fields need to be modified within the ARM template.
104
-
[Azure-Sentinel/Solutions/Minemeld/Playbooks/CustomConnector/MinemeldCustomConnector/azuredeploy.json at master · Azure/Azure-Sentinel](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Minemeld/Playbooks/CustomConnector/MinemeldCustomConnector/azuredeploy.json)
### Directory structure for playbook and custom connector contributions
107
134
108
135
Before making a pull request to the Microsoft Sentinel GitHub repo, follow the proper directory structure. The ARM template file must be named “azuredeploy.json.” Additionally, include a Readme.md file for all custom connectors and playbooks, detailing configuration steps during and after deployment.
109
136
110
-
For Readme.md file guidelines, refer to the links -
0 commit comments