From 6bd6389a96d8c1528ca4fc1b4da27c4264b1230a Mon Sep 17 00:00:00 2001
From: Yaniv Shasha
Date: Thu, 3 Oct 2024 07:46:43 -0700
Subject: [PATCH] commit
---
 .../azuredeploy.json | 148 +++---------------
 1 file changed, 23 insertions(+), 125 deletions(-)
diff --git a/Logic Apps/SecurityCopilot-SOCshift-reporting-transfer/azuredeploy.json b/Logic Apps/SecurityCopilot-SOCshift-reporting-transfer/azuredeploy.json
index 9b842144..a5c4443c 100644
--- a/Logic Apps/SecurityCopilot-SOCshift-reporting-transfer/azuredeploy.json
+++ b/Logic Apps/SecurityCopilot-SOCshift-reporting-transfer/azuredeploy.json
@@ -3,14 +3,9 @@
 "contentVersion": "1.0.0.0",
 "parameters": {
 "PlaybookName": {
- "defaultValue": "SecurityCopilot-SOCshift-reporting-transfer",
+ "defaultValue": "SecurityCopilot-SOCshift-reporting-transfer_1001",
 "type": "string"
 }
- ,
- "EmailTo": {
- "defaultValue": "",
- "type": "String"
- }
 },
 "variables": {
 "Office365ConnectionName": "[concat('Office365-', parameters('PlaybookName'))]",
@@ -34,12 +29,12 @@
 "triggers": {
 "Recurrence": {
 "recurrence": {
- "frequency": "day",
- "interval": 1
+ "frequency": "day",
+ "interval": 1
 },
 "evaluatedRecurrence": {
- "frequency": "day",
- "interval": 1
+ "frequency": "day",
+ "interval": 1
 },
 "type": "Recurrence"
 }
@@ -47,14 +42,14 @@
 "actions": {
 "Counter_Int": {
 "runAfter": {
- "Parse_JSON_2": [
+ "Get_number_of_incidents_for_the_counter": [
 "Succeeded"
 ]
 },
 "type": "SetVariable",
 "inputs": {
 "name": "counter",
- "value": "@int(body('Parse_JSON_2')?['Evaluation Result Content'])"
+ "value": "@int(body('Get_number_of_incidents_for_the_counter')?['EvaluationResultContent'])"
 }
 },
 "Get_number_of_incidents_for_the_counter": {
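Review bot: The `parameters` hunk (`@@ -3,14 +3,9 @@`) drops the `EmailTo` deployment parameter, and the `Initialize_variable` hunk (`@@ -99,77 +94,11 @@`) replaces `[parameters('EmailTo')]` with the literal address `yanivsh@microsoft.com`, so every tenant that deploys this template would presumably mail its SOC shift report to that one mailbox. The report is built from Defender incident details, so this is a data-exposure problem and not only a convenience one. Keep the `EmailTo` parameter block and restore `"value": "[parameters('EmailTo')]"`; consider dropping its empty `defaultValue` so the deployment asks for a recipient. The new `PlaybookName` default ending in `_1001` looks like a designer export artifact and is probably not intended either.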
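Review bot: `Counter_Int` in `@@ -47,14 +42,14 @@` now passes the model's `EvaluationResultContent` straight to `int()`, and `Incidents_split` in `@@ -80,14 +75,14 @@` splits the same kind of free-text answer on commas, with nothing checking that the text has the shape the prompt asked for. A missing property makes `int()` run on null, and any non-numeric list item is presumably the value that `@{items('For_each')}` later interpolates into the `generate_the_report` prompt. A null guard such as `"value": "@int(coalesce(body('Get_number_of_incidents_for_the_counter')?['EvaluationResultContent'], '0'))"` covers the first case; for the list, a filter step that keeps only items that are plain integers before the loop would cover the second. The actions that consume `counter` and `incidents` are outside the visible hunks, so their behaviour on an empty or malformed list should be confirmed.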
@@ -66,12 +61,12 @@
 "type": "ApiConnection",
 "inputs": {
 "body": {
- "PromptContent": "count the number of incidents you menationed above, , this will be used in an automation workflow that only accepts a single string. Provide the incident count in a response with no text before or after",
+ "PromptContent": "/AskGPT count the number of incidents you menationed above, , this will be used in an automation workflow that only accepts a single string. Provide the incident count in a response with no text before or after",
 "SessionId": "@body('Run_Copilot_for_Security_prompt')?['sessionId']"
 },
 "host": {
 "connection": {
- "name": "@parameters('$connections')['securitycopilot']['connectionId']"
+ "name": "@parameters('$connections')['securitycopilot_1']['connectionId']"
 }
 },
 "method": "post",
@@ -80,14 +75,14 @@
 },
 "Incidents_split": {
 "runAfter": {
- "Parse_JSON": [
+ "Run_Copilot_for_Security_prompt": [
 "Succeeded"
 ]
 },
 "type": "SetVariable",
 "inputs": {
 "name": "incidents",
- "value": "@split(body('Parse_JSON')?['Evaluation Result Content'], ',')"
+ "value": "@split(body('Run_Copilot_for_Security_prompt')?['EvaluationResultContent'], ',')"
 }
 },
 "Initialize_variable": {
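Review bot: The skill for `Get_number_of_incidents_for_the_counter` in `@@ -66,12 +61,12 @@` is selected by prefixing `/AskGPT` to the prompt text, while the other two Copilot actions touched by this commit move the skill into a separate `"SkillName"` property. Use one form for all three so the skill binding is visible in one place; if the connector accepts it for this skill, that would be `"SkillName": "AskGPT"` with the prefix removed from `PromptContent`. Since the prompt line is rewritten anyway, the typo and the stray comma can be fixed in the same change: `count the number of incidents you mentioned above, this will be used ...`.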
@@ -99,77 +94,11 @@
 {
 "name": "Soc Email address",
 "type": "string",
- "value": "[parameters('EmailTo')]"
+ "value": "yanivsh@microsoft.com"
 }
 ]
 }
 },
- "Parse_JSON": {
- "runAfter": {
- "Run_Copilot_for_Security_prompt": [
- "Succeeded"
- ]
- },
- "type": "ParseJson",
- "inputs": {
- "content": "@body('Run_Copilot_for_Security_prompt')",
- "schema": {
- "properties": {
- "Evaluation Result Content": {
- "type": "string"
- },
- "Evaluation Result Type": {
- "type": "string"
- },
- "Prompt Content": {
- "type": "string"
- },
- "SessionId": {
- "type": "string"
- },
- "Skill Name": {
- },
- "Skill Sources": {
- "type": "array"
- }
- },
- "type": "object"
- }
- }
- },
- "Parse_JSON_2": {
- "runAfter": {
- "Get_number_of_incidents_for_the_counter": [
- "Succeeded"
- ]
- },
- "type": "ParseJson",
- "inputs": {
- "content": "@body('Get_number_of_incidents_for_the_counter')",
- "schema": {
- "properties": {
- "Evaluation Result Content": {
- "type": "string"
- },
- "Evaluation Result Type": {
- "type": "string"
- },
- "Prompt Content": {
- "type": "string"
- },
- "SessionId": {
- "type": "string"
- },
- "Skill Name": {
- },
- "Skill Sources": {
- "type": "array"
- }
- },
- "type": "object"
- }
- }
- },
 "Report_variable": {
 "runAfter": {
 "counter_variable": [
@@ -195,11 +124,12 @@
 "type": "ApiConnection",
 "inputs": {
 "body": {
- "PromptContent": "im a soc analyst leader and our SOC is in the phase for changing a shift, can you summarize all the defender incident that opened in the last 24 hr and they are in status in progress, from the above response only take the incident number, this will be used in an automation workflow that only accepts a single string. Provide the incident number in a response with no text before or after"
+ "PromptContent": "im a soc analyst leader and our SOC is in the phase for changing a shift, can you summarize all the defender incident that opened in the last 24 hr and they are in status in progress, from the above response only take the incident number, this will be used in an automation workflow that only accepts a single string. Provide the incident number in a response with no text before or after",
+ "SkillName": "GetDefenderIncidents"
 },
 "host": {
 "connection": {
- "name": "@parameters('$connections')['securitycopilot']['connectionId']"
+ "name": "@parameters('$connections')['securitycopilot_1']['connectionId']"
 }
 },
 "method": "post",
@@ -222,7 +152,7 @@
 },
 "host": {
 "connection": {
- "name": "@parameters('$connections')['office365']['connectionId']"
+ "name": "@parameters('$connections')['office365_1']['connectionId']"
 }
 },
 "method": "post",
@@ -236,14 +166,14 @@
 "actions": {
 "Append_to_string_variable": {
 "runAfter": {
- "Parse_JSON_3": [
+ "generate_the_report": [
 "Succeeded"
 ]
 },
 "type": "AppendToStringVariable",
 "inputs": {
 "name": "Report",
- "value": "@{body('Parse_JSON_3')?['Evaluation Result Content']} "
+ "value": " @{body('generate_the_report')?['EvaluationResultContent']}"
 }
 },
 "Increment_variable": {
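Review bot: `Append_to_string_variable` in `@@ -236,14 +166,14 @@` appends the model's `EvaluationResultContent` to `Report` verbatim, and the `generate_the_report` prompt in `@@ -258,50 +188,18 @@` asks the model for raw HTML with CSS and links. Incident fields can carry strings chosen by an outside party (alert titles, file names, mail subjects), so whatever the model echoes becomes markup in the report; if `Report` is what the Office 365 action sends, which the visible hunks suggest but do not show, that is an HTML-injection path into the recipient's mailbox. Consider having the model return plain fields and building the table in the workflow, or passing the text through an allow-list HTML sanitiser before it is appended. The `https://security.microsoft.com/incidents/` link is safer built in the workflow from a validated incident id than taken from model output.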
@@ -258,50 +188,18 @@
 "value": 1
 }
 },
- "Parse_JSON_3": {
- "runAfter": {
- "generate_the_report": [
- "Succeeded"
- ]
- },
- "type": "ParseJson",
- "inputs": {
- "content": "@body('generate_the_report')",
- "schema": {
- "properties": {
- "Evaluation Result Content": {
- "type": "string"
- },
- "Evaluation Result Type": {
- "type": "string"
- },
- "Prompt Content": {
- "type": "string"
- },
- "SessionId": {
- "type": "string"
- },
- "Skill Name": {
- },
- "Skill Sources": {
- "type": "array"
- }
- },
- "type": "object"
- }
- }
- },
 "generate_the_report": {
 "runAfter": {
 },
 "type": "ApiConnection",
 "inputs": {
 "body": {
- "PromptContent": "/GetDefenderIncidentReport @{items('For_each')} The results from this response will be used in an automation workflow that only accepts only html structure and tags, \nProvide the report as html tags only, add the incident id as h2 tag, format the incident details as table, include in this table a direct link to defender portal in the above format: https://security.microsoft.com/incidents/\u003cincidentid\u003e.\nFinally use html CSS that will include our organization look and feel that is on color green, add this colors as all the titles and use the color black as the reset of the content."
+ "PromptContent": "@{items('For_each')} The results from this response will be used in an automation workflow that only accepts only html structure and tags, \nProvide the report as html tags only, add the incident id as h2 tag, format the incident details as table, include in this table a direct link to defender portal in the above format: https://security.microsoft.com/incidents/\u003cincidentid\u003e.\nFinally use html CSS that will include our organization look and feel that is on color green, add this colors as all the titles and use the color black as the reset of the content.",
+ "SkillName": "GetDefenderIncidentReport"
 },
 "host": {
 "connection": {
- "name": "@parameters('$connections')['securitycopilot']['connectionId']"
+ "name": "@parameters('$connections')['securitycopilot_1']['connectionId']"
 }
 },
 "method": "post",
@@ -385,12 +283,12 @@
 "parameters": {
 "$connections": {
 "value": {
- "office365": {
+ "office365_1": {
 "connectionId": "[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]",
 "connectionName": "[variables('Office365ConnectionName')]",
 "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Office365')]"
 },
- "securitycopilot": {
+ "securitycopilot_1": {
 "connectionId": "[resourceId('Microsoft.Web/connections', variables('SecuritycopilotConnectionName'))]",
 "connectionName": "[variables('SecuritycopilotConnectionName')]",
 "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Securitycopilot')]"