

Merge pull request #128 from Yaniv-Shasha/fixes
fix SOC transfer report
KwachSean authored Oct 4, 2024
2 parents 8099550 + 6bd6389 commit 705c5d7
Showing 1 changed file with 23 additions and 125 deletions.
148 changes: 23 additions & 125 deletions Logic Apps/SecurityCopilot-SOCshift-reporting-transfer/azuredeploy.json
Expand Up @@ -3,14 +3,9 @@
"contentVersion": "1.0.0.0",
"parameters": {
"PlaybookName": {
"defaultValue": "SecurityCopilot-SOCshift-reporting-transfer",
"defaultValue": "SecurityCopilot-SOCshift-reporting-transfer_1001",
"type": "string"
}
,
"EmailTo": {
"defaultValue": "",
"type": "String"
}
},
"variables": {
"Office365ConnectionName": "[concat('Office365-', parameters('PlaybookName'))]",
Expand All @@ -34,27 +29,27 @@
"triggers": {
"Recurrence": {
"recurrence": {
"frequency": "day",
"interval": 1
"frequency": "day",
"interval": 1
},
"evaluatedRecurrence": {
"frequency": "day",
"interval": 1
"frequency": "day",
"interval": 1
},
"type": "Recurrence"
}
},
"actions": {
"Counter_Int": {
"runAfter": {
"Parse_JSON_2": [
"Get_number_of_incidents_for_the_counter": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "counter",
"value": "@int(body('Parse_JSON_2')?['Evaluation Result Content'])"
"value": "@int(body('Get_number_of_incidents_for_the_counter')?['EvaluationResultContent'])"
}
},
"Get_number_of_incidents_for_the_counter": {
Expand All @@ -66,12 +61,12 @@
"type": "ApiConnection",
"inputs": {
"body": {
"PromptContent": "count the number of incidents you menationed above, , this will be used in an automation workflow that only accepts a single string. Provide the incident count in a response with no text before or after",
"PromptContent": "/AskGPT count the number of incidents you menationed above, , this will be used in an automation workflow that only accepts a single string. Provide the incident count in a response with no text before or after",
"SessionId": "@body('Run_Copilot_for_Security_prompt')?['sessionId']"
},
"host": {
"connection": {
"name": "@parameters('$connections')['securitycopilot']['connectionId']"
"name": "@parameters('$connections')['securitycopilot_1']['connectionId']"
}
},
"method": "post",
Expand All @@ -80,14 +75,14 @@
},
"Incidents_split": {
"runAfter": {
"Parse_JSON": [
"Run_Copilot_for_Security_prompt": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "incidents",
"value": "@split(body('Parse_JSON')?['Evaluation Result Content'], ',')"
"value": "@split(body('Run_Copilot_for_Security_prompt')?['EvaluationResultContent'], ',')"
}
},
"Initialize_variable": {
Expand All @@ -99,77 +94,11 @@
{
"name": "Soc Email address",
"type": "string",
"value": "[parameters('EmailTo')]"
"value": "[email protected]"
}
]
}
},
"Parse_JSON": {
"runAfter": {
"Run_Copilot_for_Security_prompt": [
"Succeeded"
]
},
"type": "ParseJson",
"inputs": {
"content": "@body('Run_Copilot_for_Security_prompt')",
"schema": {
"properties": {
"Evaluation Result Content": {
"type": "string"
},
"Evaluation Result Type": {
"type": "string"
},
"Prompt Content": {
"type": "string"
},
"SessionId": {
"type": "string"
},
"Skill Name": {
},
"Skill Sources": {
"type": "array"
}
},
"type": "object"
}
}
},
"Parse_JSON_2": {
"runAfter": {
"Get_number_of_incidents_for_the_counter": [
"Succeeded"
]
},
"type": "ParseJson",
"inputs": {
"content": "@body('Get_number_of_incidents_for_the_counter')",
"schema": {
"properties": {
"Evaluation Result Content": {
"type": "string"
},
"Evaluation Result Type": {
"type": "string"
},
"Prompt Content": {
"type": "string"
},
"SessionId": {
"type": "string"
},
"Skill Name": {
},
"Skill Sources": {
"type": "array"
}
},
"type": "object"
}
}
},
"Report_variable": {
"runAfter": {
"counter_variable": [
Expand All @@ -195,11 +124,12 @@
"type": "ApiConnection",
"inputs": {
"body": {
"PromptContent": "im a soc analyst leader and our SOC is in the phase for changing a shift, can you summarize all the defender incident that opened in the last 24 hr and they are in status in progress, from the above response only take the incident number, this will be used in an automation workflow that only accepts a single string. Provide the incident number in a response with no text before or after"
"PromptContent": "im a soc analyst leader and our SOC is in the phase for changing a shift, can you summarize all the defender incident that opened in the last 24 hr and they are in status in progress, from the above response only take the incident number, this will be used in an automation workflow that only accepts a single string. Provide the incident number in a response with no text before or after",
"SkillName": "GetDefenderIncidents"
},
"host": {
"connection": {
"name": "@parameters('$connections')['securitycopilot']['connectionId']"
"name": "@parameters('$connections')['securitycopilot_1']['connectionId']"
}
},
"method": "post",
Expand All @@ -222,7 +152,7 @@
},
"host": {
"connection": {
"name": "@parameters('$connections')['office365']['connectionId']"
"name": "@parameters('$connections')['office365_1']['connectionId']"
}
},
"method": "post",
Expand All @@ -236,14 +166,14 @@
"actions": {
"Append_to_string_variable": {
"runAfter": {
"Parse_JSON_3": [
"generate_the_report": [
"Succeeded"
]
},
"type": "AppendToStringVariable",
"inputs": {
"name": "Report",
"value": "@{body('Parse_JSON_3')?['Evaluation Result Content']} "
"value": " @{body('generate_the_report')?['EvaluationResultContent']}"
}
},
"Increment_variable": {
Expand All @@ -258,50 +188,18 @@
"value": 1
}
},
"Parse_JSON_3": {
"runAfter": {
"generate_the_report": [
"Succeeded"
]
},
"type": "ParseJson",
"inputs": {
"content": "@body('generate_the_report')",
"schema": {
"properties": {
"Evaluation Result Content": {
"type": "string"
},
"Evaluation Result Type": {
"type": "string"
},
"Prompt Content": {
"type": "string"
},
"SessionId": {
"type": "string"
},
"Skill Name": {
},
"Skill Sources": {
"type": "array"
}
},
"type": "object"
}
}
},
"generate_the_report": {
"runAfter": {
},
"type": "ApiConnection",
"inputs": {
"body": {
"PromptContent": "/GetDefenderIncidentReport @{items('For_each')} The results from this response will be used in an automation workflow that only accepts only html structure and tags, \nProvide the report as html tags only, add the incident id as h2 tag, format the incident details as table, include in this table a direct link to defender portal in the above format: https://security.microsoft.com/incidents/\u003cincidentid\u003e.\nFinally use html CSS that will include our organization look and feel that is on color green, add this colors as all the titles and use the color black as the reset of the content."
"PromptContent": "@{items('For_each')} The results from this response will be used in an automation workflow that only accepts only html structure and tags, \nProvide the report as html tags only, add the incident id as h2 tag, format the incident details as table, include in this table a direct link to defender portal in the above format: https://security.microsoft.com/incidents/\u003cincidentid\u003e.\nFinally use html CSS that will include our organization look and feel that is on color green, add this colors as all the titles and use the color black as the reset of the content.",
"SkillName": "GetDefenderIncidentReport"
},
"host": {
"connection": {
"name": "@parameters('$connections')['securitycopilot']['connectionId']"
"name": "@parameters('$connections')['securitycopilot_1']['connectionId']"
}
},
"method": "post",
Expand Down Expand Up @@ -385,12 +283,12 @@
"parameters": {
"$connections": {
"value": {
"office365": {
"office365_1": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]",
"connectionName": "[variables('Office365ConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Office365')]"
},
"securitycopilot": {
"securitycopilot_1": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('SecuritycopilotConnectionName'))]",
"connectionName": "[variables('SecuritycopilotConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Securitycopilot')]"
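Review bot: The new `Initialize_variable` value on the `Soc Email address` line hardcodes the report recipient in the template (rendered here as `[email protected]`, apparently a page-side obfuscation of a literal address) while the `EmailTo` parameter that previously fed it is deleted from `parameters`, so every deployment mails the shift-handover summary of open Defender incidents to whatever address is committed and operators can no longer set their own SOC mailbox at deploy time. Keeping it parameterized is the smaller change: restore the `"EmailTo": { "defaultValue": "", "type": "String" }` parameter block and set `"value": "[parameters('EmailTo')]"` again; note too that an ARM string that begins with `[` and ends with `]` is evaluated as a template expression, so if the literal really starts with a bracket it will not deploy as written. The `PlaybookName` default changed to `..._1001` reads like a test-export artifact rather than an intended rename. Separately, `Counter_Int` now applies `@int(...)` straight to the model's `EvaluationResultContent`, so any non-numeric reply fails the run (the removed `Parse_JSON_2` step did not protect this either); an `int(trim(...))` with a fallback, or a condition on the value, would make the workflow more robust. The Logic App definition continues beyond the visible hunks on both sides.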
