Add metadata to Sentinel SOAR playbooks and templates

v-maheshbh · v-maheshbh · commit ae8f23e26fea · 2025-12-10T10:22:06.000+05:30
Introduced detailed metadata sections to mainTemplate.json and playbook deployment templates for HTTP, Incident, and URL Entity Analyzer playbooks. Metadata includes title, description, prerequisites, post-deployment steps, supported entities, tags, release notes, support tier, and author information to improve documentation and deployment clarity.
diff --git a/Solutions/SentinelSOARessentials/Package/3.0.4.zip b/Solutions/SentinelSOARessentials/Package/3.0.4.zip
diff --git a/Solutions/SentinelSOARessentials/Package/mainTemplate.json b/Solutions/SentinelSOARessentials/Package/mainTemplate.json
@@ -7628,7 +7628,43 @@
                 }
               }
             }
-          ]
+          ],
+          "metadata": {
+            "title": "HTTP Trigger Entity Analyzer",
+            "description": "This playbook is triggered by HTTP POST requests with entity information and performs automated investigation and enrichment of URL and User entities with asynchronous processing.",
+            "prerequisites": [
+              "1. The user deploying this Logic App needs to have a Contributor Role.",
+              "2. The user has permissions to access Microsoft Sentinel workspace.",
+              "3. Microsoft Sentinel data connector lake must be enabled in your workspace for entity data collection.",
+              "4. The SentinelMCP connector is available in your environment.",
+              "5. You need to provide a valid Sentinel workspace ID during deployment.",
+              "6. Authentication support for the Entity Analyzer connection includes Entra ID Authentication (OAuth), Service Principal (Application ID and Secret), or Managed Identity (System-assigned or User-assigned)."
+            ],
+            "postDeployment": [
+              "1. Authenticate the connections: Go to the Logic App → API connections and authenticate SentinelMCP connection with Microsoft Sentinel MCP permissions.",
+              "2. Authenticate the Entity Analyzer connection using one of the supported methods: Entra ID Auth, Service Principal, or Managed Identity.",
+              "3. Get the HTTP endpoint URL: Open the Logic App → Go to Logic app designer → Click on the HTTP trigger → Copy the HTTP POST URL.",
+              "4. The playbook will trigger when POST requests are sent to the HTTP endpoint."
+            ],
+            "lastUpdateTime": "2025-12-07T00:00:00Z",
+            "entities": [
+              "URL",
+              "Account"
+            ],
+            "tags": [
+              "Enrichment",
+              "Utilities",
+              "Entity Analysis",
+              "API Integration"
+            ],
+            "releaseNotes": {
+              "version": "1.0",
+              "title": "[variables('blanks')]",
+              "notes": [
+                "Initial version"
+              ]
+            }
+          }
         },
         "packageKind": "Solution",
         "packageVersion": "[variables('_solutionVersion')]",
@@ -7956,7 +7992,40 @@
                 }
               }
             }
-          ]
+          ],
+          "metadata": {
+            "title": "Incident Trigger Entity Analyzer",
+            "description": "This playbook is triggered by Microsoft Sentinel incidents and performs automated investigation and enrichment of URL and User entities associated with the incident.",
+            "prerequisites": [
+              "1. A Microsoft Sentinel workspace must be configured.",
+              "2. The user deploying this Logic App needs to have a Contributor Role.",
+              "3. The user has permissions to access Microsoft Sentinel workspace.",
+              "4. The SentinelMCP connector is available in your environment."
+            ],
+            "postDeployment": [
+              "1. Authenticate the connections: Go to the Logic App → API connections and authenticate Microsoft Sentinel connection with a user that has Sentinel permissions.",
+              "2. Authenticate the SentinelMCP connection with Microsoft Sentinel MCP permissions.",
+              "3. The playbook will automatically trigger when new incidents are created.",
+              "4. Consider creating an automation rule to run this playbook automatically on specific incident types."
+            ],
+            "lastUpdateTime": "2025-12-07T00:00:00Z",
+            "entities": [
+              "URL",
+              "Account"
+            ],
+            "tags": [
+              "Enrichment",
+              "Utilities",
+              "Entity Analysis"
+            ],
+            "releaseNotes": {
+              "version": "1.0",
+              "title": "[variables('blanks')]",
+              "notes": [
+                "Initial version"
+              ]
+            }
+          }
         },
         "packageKind": "Solution",
         "packageVersion": "[variables('_solutionVersion')]",
@@ -8186,7 +8255,40 @@
                 }
               }
             }
-          ]
+          ],
+          "metadata": {
+            "title": "URL Entity Trigger Analyzer",
+            "description": "This playbook is triggered manually when a URL entity is selected in a Microsoft Sentinel incident and provides detailed security insights including classification, analysis results, and recommendations.",
+            "prerequisites": [
+              "1. The user deploying this Logic App needs to have a Contributor Role.",
+              "2. The user has permissions to access Microsoft Sentinel workspace.",
+              "3. You have the Workspace ID for your Sentinel environment.",
+              "4. The SentinelMCP connector is available in your environment.",
+              "5. Access to Microsoft Sentinel portal in Azure (not Defender portal)."
+            ],
+            "postDeployment": [
+              "1. Authenticate the connections: Go to the Logic App → API connections and authenticate Microsoft Sentinel connection with a user that has Sentinel permissions.",
+              "2. Authenticate the SentinelMCP connection with Microsoft Sentinel MCP permissions.",
+              "3. The playbook will be available to run manually from incident entities.",
+              "4. Results will be automatically added as comments to the relevant incidents."
+            ],
+            "lastUpdateTime": "2025-12-07T00:00:00Z",
+            "entities": [
+              "URL"
+            ],
+            "tags": [
+              "Enrichment",
+              "Utilities",
+              "Entity Analysis"
+            ],
+            "releaseNotes": {
+              "version": "1.0",
+              "title": "[variables('blanks')]",
+              "notes": [
+                "Initial version"
+              ]
+            }
+          }
         },
         "packageKind": "Solution",
         "packageVersion": "[variables('_solutionVersion')]",
diff --git a/Solutions/SentinelSOARessentials/Playbooks/Http-Trigger-Entity-Analyzer/azuredeploy.json b/Solutions/SentinelSOARessentials/Playbooks/Http-Trigger-Entity-Analyzer/azuredeploy.json
@@ -1,6 +1,42 @@
 {
     "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
     "contentVersion": "1.0.0.0",
+    "metadata": {
+        "title": "HTTP Trigger Entity Analyzer",
+        "description": "This playbook is triggered by HTTP POST requests with entity information and performs automated investigation and enrichment of URL and User entities with asynchronous processing.",
+        "prerequisites": [
+            "1. The user deploying this Logic App needs to have a Contributor Role.",
+            "2. The user has permissions to access Microsoft Sentinel workspace.",
+            "3. Microsoft Sentinel data connector lake must be enabled in your workspace for entity data collection.",
+            "4. The SentinelMCP connector is available in your environment.",
+            "5. You need to provide a valid Sentinel workspace ID during deployment.",
+            "6. Authentication support for the Entity Analyzer connection includes Entra ID Authentication (OAuth), Service Principal (Application ID and Secret), or Managed Identity (System-assigned or User-assigned)."
+        ],
+        "postDeployment": [
+            "1. Authenticate the connections: Go to the Logic App → API connections and authenticate SentinelMCP connection with Microsoft Sentinel MCP permissions.",
+            "2. Authenticate the Entity Analyzer connection using one of the supported methods: Entra ID Auth, Service Principal, or Managed Identity.",
+            "3. Get the HTTP endpoint URL: Open the Logic App → Go to Logic app designer → Click on the HTTP trigger → Copy the HTTP POST URL.",
+            "4. The playbook will trigger when POST requests are sent to the HTTP endpoint."
+        ],
+        "prerequisitesDeployTemplateFile": "",
+        "lastUpdateTime": "2025-12-07T00:00:00.000Z",
+        "entities": [
+            "URL",
+            "Account"
+        ],
+        "tags": [
+            "Enrichment",
+            "Utilities",
+            "Entity Analysis",
+            "API Integration"
+        ],
+        "support": {
+            "tier": "community"
+        },
+        "author": {
+            "name": "yaniv shasha"
+        }
+    },
     "parameters": {
         "PlaybookName": {
             "defaultValue": "Http-Trigger-Entity-Analyzer",
diff --git a/Solutions/SentinelSOARessentials/Playbooks/Incident-Trigger-Entity-Analyzer/azuredeploy.json b/Solutions/SentinelSOARessentials/Playbooks/Incident-Trigger-Entity-Analyzer/azuredeploy.json
@@ -1,6 +1,39 @@
 {
     "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
     "contentVersion": "1.0.0.0",
+    "metadata": {
+        "title": "Incident Trigger Entity Analyzer",
+        "description": "This playbook is triggered by Microsoft Sentinel incidents and performs automated investigation and enrichment of URL and User entities associated with the incident.",
+        "prerequisites": [
+            "1. A Microsoft Sentinel workspace must be configured.",
+            "2. The user deploying this Logic App needs to have a Contributor Role.",
+            "3. The user has permissions to access Microsoft Sentinel workspace.",
+            "4. The SentinelMCP connector is available in your environment."
+        ],
+        "postDeployment": [
+            "1. Authenticate the connections: Go to the Logic App → API connections and authenticate Microsoft Sentinel connection with a user that has Sentinel permissions.",
+            "2. Authenticate the SentinelMCP connection with Microsoft Sentinel MCP permissions.",
+            "3. The playbook will automatically trigger when new incidents are created.",
+            "4. Consider creating an automation rule to run this playbook automatically on specific incident types."
+        ],
+        "prerequisitesDeployTemplateFile": "",
+        "lastUpdateTime": "2025-12-07T00:00:00.000Z",
+        "entities": [
+            "URL",
+            "Account"
+        ],
+        "tags": [
+            "Enrichment",
+            "Utilities",
+            "Entity Analysis"
+        ],
+        "support": {
+            "tier": "community"
+        },
+        "author": {
+            "name": "yaniv shasha"
+        }
+    },
     "parameters": {
         "PlaybookName": {
             "defaultValue": "Entity-Analyzer-Incident-Trigger",
diff --git a/Solutions/SentinelSOARessentials/Playbooks/Url-Trigger-Entity-Analyzer/azuredeploy.json b/Solutions/SentinelSOARessentials/Playbooks/Url-Trigger-Entity-Analyzer/azuredeploy.json
@@ -1,6 +1,39 @@
 {
     "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
     "contentVersion": "1.0.0.0",
+    "metadata": {
+        "title": "URL Entity Trigger Analyzer",
+        "description": "This playbook is triggered manually when a URL entity is selected in a Microsoft Sentinel incident and provides detailed security insights including classification, analysis results, and recommendations.",
+        "prerequisites": [
+            "1. The user deploying this Logic App needs to have a Contributor Role.",
+            "2. The user has permissions to access Microsoft Sentinel workspace.",
+            "3. You have the Workspace ID for your Sentinel environment.",
+            "4. The SentinelMCP connector is available in your environment.",
+            "5. Access to Microsoft Sentinel portal in Azure (not Defender portal)."
+        ],
+        "postDeployment": [
+            "1. Authenticate the connections: Go to the Logic App → API connections and authenticate Microsoft Sentinel connection with a user that has Sentinel permissions.",
+            "2. Authenticate the SentinelMCP connection with Microsoft Sentinel MCP permissions.",
+            "3. The playbook will be available to run manually from incident entities.",
+            "4. Results will be automatically added as comments to the relevant incidents."
+        ],
+        "prerequisitesDeployTemplateFile": "",
+        "lastUpdateTime": "2025-12-07T00:00:00.000Z",
+        "entities": [
+            "URL"
+        ],
+        "tags": [
+            "Enrichment",
+            "Utilities",
+            "Entity Analysis"
+        ],
+        "support": {
+            "tier": "community"
+        },
+        "author": {
+            "name": "yaniv shasha"
+        }
+    },
     "parameters": {
         "PlaybookName": {
             "defaultValue": "Entity-analyzer-Url-Trigger",
