Merge pull request Azure#13295 from Yaniv-Shasha/master

Entity-analyzer-Fixes

Author: v-atulyadav

Solutions/SentinelSOARessentials/Package/3.0.5.zip

@@ -52,7 +52,7 @@
             }
         },
         "lookBackDays": {
-            "defaultValue": 40,
+            "defaultValue": 7,
             "type": "int",
             "metadata": {
                 "description": "Number of days to look back for entity analysis"

Solutions/SentinelSOARessentials/Package/mainTemplate.json

@@ -40,7 +40,7 @@
             "type": "string"
         },
         "lookBackDays": {
-            "defaultValue": 60,
+            "defaultValue": 7,
             "type": "int",
             "metadata": {
                 "description": "Number of days to look back for entity analysis"
@@ -135,18 +135,9 @@
                                         }
                                     }
                                 },
-                                "Compose_Url": {
-                                    "runAfter": {
-                                        "URL_Analyzer": [
-                                            "Succeeded"
-                                        ]
-                                    },
-                                    "type": "Compose",
-                                    "inputs": "@concat(\r\n'🔗 **URL Analysis for: ', item()?['Url'], '**\\n\\n',\r\n'🏷️ **Classification**\\n\\n',\r\nbody('URL_Analyzer')?['classification'], '\\n\\n',\r\n'🔍 **Analysis Result**\\n\\n',\r\nbody('URL_Analyzer')?['analysis'], '\\n\\n',\r\n'✅ **Recommendation**\\n\\n',\r\nbody('URL_Analyzer')?['recommendation'], '\\n\\n',\r\n'⚠️ **Disclaimer**\\n\\n',\r\n'🤖 ', body('URL_Analyzer')?['disclaimer']\r\n)"
-                                },
                                 "Add_Url_comment_to_incident": {
                                     "runAfter": {
-                                        "Compose_Url": [
+                                        "URL_Analyzer": [
                                             "Succeeded"
                                         ]
                                     },
@@ -160,7 +151,7 @@
                                         "method": "post",
                                         "body": {
                                             "incidentArmId": "@triggerBody()?['object']?['id']",
-                                            "message": "<p class=\"editor-paragraph\">@{outputs('Compose_Url')}</p>"
+                                            "message": "<p class=\"editor-paragraph\"><b><strong class=\"editor-text-bold\">Security Analysis Report</strong></b><br><br><br><b><strong class=\"editor-text-bold\">Analysis ID:</strong></b> @{body('URL_Analyzer')?['id']}<br><br><b><strong class=\"editor-text-bold\">Entity Type:</strong></b> Url<br><br><br>🔗 <b><strong class=\"editor-text-bold\">URL Analysis for:</strong></b>@{item()}<br><br><br>🏷️ <b><strong class=\"editor-text-bold\">Classification:</strong></b> @{body('URL_Analyzer')?['classification']}<br><br><br>🔍 <b><strong class=\"editor-text-bold\">Analysis Result:</strong></b> @{body('URL_Analyzer')?['analysis']}<br><br><br>✅ <b><strong class=\"editor-text-bold\">Recommendation:</strong></b> @{body('URL_Analyzer')?['recommendation']}<br><br><br>📋 <b><strong class=\"editor-text-bold\">Data Sources:</strong></b> @{body('URL_Analyzer')?['dataSourceList']}<br><br><br>❗ <b><strong class=\"editor-text-bold\">Disclaimer:</strong></b> @{body('URL_Analyzer')?['disclaimer']}</p>"
                                         },
                                         "path": "/Incidents/Comment"
                                     }
@@ -171,7 +162,12 @@
                                     "Succeeded"
                                 ]
                             },
-                            "type": "Foreach"
+                            "type": "Foreach",
+                            "runtimeConfiguration": {
+                                "concurrency": {
+                                    "repetitions": 5
+                                }
+                            }
                         },
                         "Entities_-_Get_Accounts": {
                             "runAfter": {},
@@ -213,18 +209,9 @@
                                         }
                                     }
                                 },
-                                "Compose_User": {
-                                    "runAfter": {
-                                        "User_Analyzer": [
-                                            "Succeeded"
-                                        ]
-                                    },
-                                    "type": "Compose",
-                                    "inputs": "@concat(\r\n'👤 **User Analysis for: ', item()?['Name'], '**\\n\\n',\r\n'🏷️ **Classification**\\n\\n',\r\nbody('User_Analyzer')?['classification'], '\\n\\n',\r\n'🔍 **Analysis Result**\\n\\n',\r\nbody('User_Analyzer')?['analysis'], '\\n\\n',\r\n'✅ **Recommendation**\\n\\n',\r\nbody('User_Analyzer')?['recommendation'], '\\n\\n',\r\n'⚠️ **Disclaimer**\\n\\n',\r\n'🤖 ', body('User_Analyzer')?['disclaimer']\r\n)"
-                                },
                                 "Add_User_comment_to_incident": {
                                     "runAfter": {
-                                        "Compose_User": [
+                                        "User_Analyzer": [
                                             "Succeeded"
                                         ]
                                     },
@@ -238,7 +225,7 @@
                                         "method": "post",
                                         "body": {
                                             "incidentArmId": "@triggerBody()?['object']?['id']",
-                                            "message": "<p class=\"editor-paragraph\">@{outputs('Compose_User')}</p>"
+                                            "message": "<p class=\"editor-paragraph\"><b><strong class=\"editor-text-bold\">Security Analysis Report</strong></b><br><br><br><b><strong class=\"editor-text-bold\">Analysis ID:</strong></b> @{body('User_Analyzer')?['id']}<br><br><b><strong class=\"editor-text-bold\">Entity Type:</strong></b> User<br><br><br>👤 <b><strong class=\"editor-text-bold\">User Analysis for:</strong></b> @{item()?['Name']}<br><br><br>🏷️ <b><strong class=\"editor-text-bold\">Classification:</strong></b> @{body('User_Analyzer')?['classification']}<br><br><br>🔍 <b><strong class=\"editor-text-bold\">Analysis Result:</strong></b> @{body('User_Analyzer')?['analysis']}<br><br><br>✅ <b><strong class=\"editor-text-bold\">Recommendation:</strong></b> @{body('User_Analyzer')?['recommendation']}<br><br><br>📋 <b><strong class=\"editor-text-bold\">Data Sources:</strong></b> @{body('User_Analyzer')?['dataSourceList']}<br><br><br>❗ <b><strong class=\"editor-text-bold\">Disclaimer:</strong></b> @{body('User_Analyzer')?['disclaimer']}</p>"
                                         },
                                         "path": "/Incidents/Comment"
                                     }
@@ -249,7 +236,12 @@
                                     "Succeeded"
                                 ]
                             },
-                            "type": "Foreach"
+                            "type": "Foreach",
+                            "runtimeConfiguration": {
+                                "concurrency": {
+                                    "repetitions": 5
+                                }
+                            }
                         }
                     },
                     "outputs": {}

Solutions/SentinelSOARessentials/Playbooks/Http-Trigger-Entity-Analyzer/azuredeploy.json

@@ -2,7 +2,7 @@
     "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
     "contentVersion": "1.0.0.0",
     "metadata": {
-        "title": "URL Entity Trigger Analyzer",
+        "title": "URL Trigger Entity Analyzer",
         "description": "This playbook is triggered manually when a URL entity is selected in a Microsoft Sentinel incident and provides detailed security insights including classification, analysis results, and recommendations.",
         "prerequisites": [
             "1. The user deploying this Logic App needs to have a Contributor Role.",
@@ -40,7 +40,7 @@
             "type": "string"
         },
         "lookBackDays": {
-            "defaultValue": 10,
+            "defaultValue": 7,
             "type": "int",
             "metadata": {
                 "description": "Number of days to look back for entity analysis"
@@ -122,18 +122,9 @@
                                 "path": "/aiprimitives/analysis"
                             }
                         },
-                        "Compose": {
-                            "runAfter": {
-                                "URL_Analyzer": [
-                                    "Succeeded"
-                                ]
-                            },
-                            "type": "Compose",
-                            "inputs": "@concat(\r\n'| 🔍 **Section** | Details |\\n',\r\n'|---|---|\\n',\r\n'| 🏷️ **Classification** | ', replace(replace(replace(coalesce(body('URL_Analyzer')?['classification'], 'N/A'), '\\r\\n', '\\n'), '\\n', '<br/>'), '|', '\\\\|'), ' |\\n',\r\n'| 🕵️ **Entity Type** | ', replace(replace(replace(coalesce(body('URL_Analyzer')?['properties']?['entityType'], 'N/A'), '\\r\\n', '\\n'), '\\n', '<br/>'), '|', '\\\\|'), ' |\\n',\r\n'| 🔎 **Analysis Result** | ', replace(replace(replace(replace(coalesce(body('URL_Analyzer')?['analysis'], 'N/A'), '- ', '• '), '\\r\\n', '\\n'), '\\n', '<br/>'), '|', '\\\\|'), ' |\\n',\r\n'| ✅ **Recommendation** | ', replace(replace(replace(coalesce(body('URL_Analyzer')?['recommendation'], 'N/A'), '\\r\\n', '\\n'), '\\n', '<br/>'), '|', '\\\\|'), ' |\\n',\r\n'| ⚠️ **Disclaimer** | 🤖 ', replace(replace(replace(coalesce(body('URL_Analyzer')?['disclaimer'], 'N/A'), '\\r\\n', '\\n'), '\\n', '<br/>'), '|', '\\\\|'), ' |\\n',\r\n'| 📂 **Data Sources** | ', if(equals(empty(body('URL_Analyzer')?['dataSourceList']), true), 'N/A', concat('• ', replace(join(body('URL_Analyzer')?['dataSourceList'], '\\n• '), '\\n', '<br/>'))), ' |'\r\n)"
-                        },
                         "Add_comment_to_incident_(V3)": {
                             "runAfter": {
-                                "Compose": [
+                                "URL_Analyzer": [
                                     "Succeeded"
                                 ]
                             },
@@ -147,7 +138,7 @@
                                 "method": "post",
                                 "body": {
                                     "incidentArmId": "@triggerBody()?['IncidentArmID']",
-                                    "message": "<p class=\"editor-paragraph\">@{outputs('Compose')}</p>"
+                                    "message": "<p class=\"editor-paragraph\"><b><strong class=\"editor-text-bold\">Security Analysis Report</strong></b><br><br><br><b><strong class=\"editor-text-bold\">Analysis ID: </strong></b>@{body('URL_Analyzer')['id']}<br><br><b><strong class=\"editor-text-bold\">Entity Type:</strong></b> Url<br><br><br>🔗 <b><strong class=\"editor-text-bold\">URL Analysis for:</strong></b> @{triggerBody()?['Entity']?['properties']?['Url']}<br><br><br>🏷️ <b><strong class=\"editor-text-bold\">Classification: </strong></b>@{body('URL_Analyzer')?['classification']}<br><br><br>🔍 <b><strong class=\"editor-text-bold\">Analysis Result: </strong></b>@{body('URL_Analyzer')?['analysis']}<br><br><br>✅<b><strong class=\"editor-text-bold\"> Recommendation:</strong></b> @{body('URL_Analyzer')?['recommendation']}<br><br><br>📋 <b><strong class=\"editor-text-bold\">Data Sources:</strong></b> @{body('URL_Analyzer')?['dataSourceList']}<br><br><br>❗ <b><strong class=\"editor-text-bold\">Disclaimer:</strong></b> @{body('URL_Analyzer')?['disclaimer']}</p>"
                                 },
                                 "path": "/Incidents/Comment"
                             }

Solutions/SentinelSOARessentials/Playbooks/Incident-Trigger-Entity-Analyzer/azuredeploy.json

@@ -1,5 +1,6 @@
 | **Version** | **Date Modified (DD-MM-YYY)**  | **Change History**                                                                         |
 |-------------|--------------------------------|--------------------------------------------------------------------------------------------|
+| 3.0.5       | 11-12-2025                     | Updated the lookback value to 7 days across all three **Logic Apps** and Renamed the Logic App title to "URL Trigger Entity Analyzer".|
 | 3.0.4       | 17-11-2025                     | Added new **playbooks** for the Sentinel SentinelSOARessentials solution.                  |
 | 3.0.3       | 30-05-2025                     | This upgrade focused on improving **Playbook** functionality, updating documentation, and refining deployment parameters.               |
 | 3.0.2       | 26-10-2023                     | Changes for rebranding from Microsoft 365 Defender to Microsoft Defender XDR.               |