Merge pull request #10103 from swiftsolves-msft/fixdeploy-Update-Bulk…

…Incidents updated with a fix and more notes
Azure · Mar 7, 2024 · b25751c · b25751c
2 parents 7a1647c + 11ffe48
commit b25751c
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 2 deletions.
diff --git a/Playbooks/Update-BulkIncidents/azuredeploy.json b/Playbooks/Update-BulkIncidents/azuredeploy.json
@@ -19,12 +19,16 @@
             "type": "string"
         },
         "AzureSentinelResourceGroup": {
-            "defaultValue": "<AZURE SENTINEL - RESOURCEGROUP>",
+            "defaultValue": "<AZURE SENTINEL - RESOURCEGROUP NAME>",
             "type": "string"
         },
         "AzureSentinelWorkspaceId": {
             "defaultValue": "<AZURE SENTINEL - WORKSPACE ID>",
             "type": "string"
+        },
+        "AzureSentinelWorkspaceName": {
+            "defaultValue": "<AZURE SENTINEL - WORKSPACE NAME>",
+            "type": "string"
         }
     },
     "variables": {
@@ -91,6 +95,10 @@
                         "SentinelWorkspaceId": {
                             "defaultValue": "[parameters('AzureSentinelWorkspaceId')]",
                             "type": "String"
+                        },
+                        "SentinelWorkspaceName": {
+                            "defaultValue": "[parameters('AzureSentinelWorkspaceName')]",
+                            "type": "String"
                         }
                     },
                     "triggers": {
@@ -187,6 +195,7 @@
                                                                     "type": "ApiConnection",
                                                                     "inputs": {
                                                                         "body": {
+                                                                            "CloseReason": "BenignPositive",
                                                                             "CloseReasonText": "Bulk Close from KQL - via Playbook"
                                                                         },
                                                                         "host": {

diff --git a/Playbooks/Update-BulkIncidents/readme.md b/Playbooks/Update-BulkIncidents/readme.md
@@ -9,7 +9,7 @@ This Logic App will act as listener, you can pass json object to a HTTP Endpoint
 
 **Additional Post Install Notes:**
 
-The Logic App requires the SecurityIncident Table preview
+The Logic App requires the SecurityIncident Table preview, check the Global Paramaters in the editor view of Logic App sometimes paramter SentinelResourceGroup has a prefix of a space causing errors, remove prrefix space from string.
 
 **Usage Notes**
 
@@ -23,6 +23,8 @@ You can use Postman, PowerShell, or your favorite shell to send a JSON body to t
 
 At this time the Logic App can only bulk update the Status of Azure Sentinel Incidents.
 
+When finished disable/delete Logic App until next use.
+
 ```
 <#
 
@@ -42,6 +44,13 @@ $uri = "https://prod-38.eastus.logic.azure.com:443/workflows/r794bb6/triggers/re
 
 # Header should be JSON
 $header = @{'Content-Type' = 'application/json'}
+
+# See $json examples below
+$json =
+
+# Execute and Invoke Web Request to Logic App
+Invoke-WebRequest -Uri $uri -Method POST -Body $json -Headers $header
+
 ```
 
 ```
@@ -69,3 +78,4 @@ $json = @"
 }
 "@
 ```
+