Merge pull request Azure#10219 from Azure/v-shukore/AbuselPDB

Updated playbook prerequisite description and corrected sentence formatting

Solutions/AbuseIPDB/Data/Solution_AbuseIPDB.json

@@ -10,7 +10,7 @@
     "Solutions/AbuseIPDB/Playbooks/AbuseIPDB-BlacklistIpToThreatIntelligence/azuredeploy.json"
   ],
   "BasePath": "C:\\GitHub\\Azure-Sentinel",
-  "Version": "3.0.0",
+  "Version": "3.0.1",
   "Metadata": "SolutionMetadata.json",
   "TemplateSpec": true,
   "Is1PConnector": false

Solutions/AbuseIPDB/Package/createUiDefinition.json

@@ -6,7 +6,7 @@
     "config": {
       "isWizard": false,
       "basics": {
-        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AbuseIPDB/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [AbuseIPDB](https://www.abuseipdb.com/about) solution for Microsoft Sentinel allows you to check the reputation of IP addresses in log data and perform automated actions like enriching a Microsoft Sentinel incident by IP reputation information, add blacklisted IP addresses to ThreatIntelligenceIndicator table and reporting IPs to Abuse IPDB based on a user response in Teams.\n\n**Custom Azure Logic Apps Connectors:** 1, **Playbooks:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/AbuseIPDB/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [AbuseIPDB](https://www.abuseipdb.com/about) solution for Microsoft Sentinel allows you to check the reputation of IP addresses in log data and perform automated actions like enriching a Microsoft Sentinel incident by IP reputation information, add blacklisted IP addresses to ThreatIntelligenceIndicator table and reporting IPs to Abuse IPDB based on a user response in Teams.\n\n**Custom Azure Logic Apps Connectors:** 1, **Playbooks:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
         "subscription": {
           "resourceProviders": [
             "Microsoft.OperationsManagement/solutions",

Solutions/AbuseIPDB/Package/mainTemplate.json

@@ -33,7 +33,7 @@
     "email": "support@microsoft.com",
     "_email": "[variables('email')]",
     "_solutionName": "AbuseIPDB",
-    "_solutionVersion": "3.0.0",
+    "_solutionVersion": "3.0.1",
     "solutionId": "azuresentinel.azure-sentinel-solution-abuseipdb",
     "_solutionId": "[variables('solutionId')]",
     "AbuseIPDBAPIConnector": "AbuseIPDBAPIConnector",
@@ -82,7 +82,7 @@
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "AbuseIPDBAPIConnector Playbook with template version 3.0.0",
+        "description": "AbuseIPDBAPIConnector Playbook with template version 3.0.1",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
           "contentVersion": "[variables('playbookVersion1')]",
@@ -640,7 +640,7 @@
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "AbuseIPDB-EnrichIncidentByIPInfo Playbook with template version 3.0.0",
+        "description": "AbuseIPDB-EnrichIncidentByIPInfo Playbook with template version 3.0.1",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
           "contentVersion": "[variables('playbookVersion2')]",
@@ -974,7 +974,7 @@
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "AbuseIPDB-ReportaIPsToAbuselPDBAfterCheckingByUserInMSTeams Playbook with template version 3.0.0",
+        "description": "AbuseIPDB-ReportaIPsToAbuselPDBAfterCheckingByUserInMSTeams Playbook with template version 3.0.1",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
           "contentVersion": "[variables('playbookVersion3')]",
@@ -1525,7 +1525,7 @@
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "AbuseIPDB-BlacklistIpToThreatIntelligence Playbook with template version 3.0.0",
+        "description": "AbuseIPDB-BlacklistIpToThreatIntelligence Playbook with template version 3.0.1",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
           "contentVersion": "[variables('playbookVersion4')]",
@@ -1829,8 +1829,9 @@
             "description": "By every day reccurence, this playbook gets triggered and performs the following actions:\n 1. Gets [list](https://docs.abuseipdb.com/#blacklist-endpoint) of the most reported IP addresses form the Blacklist Endpoint.",
             "prerequisites": [
               "1. AbuseIPDBAPI Custom Connector has to be deployed prior to the deployment of this playbook under the same subscription.",
-              "2. To use the Microsoft Graph Security connector actions, Microsoft Entra ID tenant administrator consent needs to be provided. The Microsoft Graph Security connector application ID and name for Microsoft Entra ID in is as follows for Microsoft Entra ID administrator consent:\n- Application Name - MicrosoftGraphSecurityConnector\n- Application ID - c4829704-0edc-4c3d-a347-7c4a67586f3c",
-              "3.To view the Threat Indicators submitted by Microsoft Graph Security connector, 'Threat Intelligence Platforms' connector from 'Threat Intelligence' Solution need be installed."
+              "2. To use the Microsoft Graph Security connector actions, Microsoft Entra ID tenant administrator consent needs to be provided. The Microsoft Graph Security connector application ID and name for Microsoft Entra ID follows for Microsoft Entra ID administrator consent:\n- Application Name - MicrosoftGraphSecurityConnector\n- Application ID - c4829704-0edc-4c3d-a347-7c4a67586f3c",
+
+			  "3. To view the Threat Indicators submitted by Microsoft Graph Security connector, 'Threat Intelligence Platforms' connector from 'Threat Intelligence' Solution need to be install."
             ],
             "preDeployment": [
               "1. AbuseIPDB Custom Connector has to be deployed prior to the deployment of this playbook under the same subscription."
@@ -1880,12 +1881,12 @@
       "apiVersion": "2023-04-01-preview",
       "location": "[parameters('workspace-location')]",
       "properties": {
-        "version": "3.0.0",
+        "version": "3.0.1",
         "kind": "Solution",
         "contentSchemaVersion": "3.0.0",
         "displayName": "AbuseIPDB",
         "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation",
-        "descriptionHtml": "<p><strong>Note:</strong> <em>There may be <a href=\"https://aka.ms/sentinelsolutionsknownissues\">known issues</a> pertaining to this Solution, please refer to them before installing.</em></p>\n<p>The <a href=\"https://www.abuseipdb.com/about\">AbuseIPDB</a> solution for Microsoft Sentinel allows you to check the reputation of IP addresses in log data and perform automated actions like enriching a Microsoft Sentinel incident by IP reputation information, add blacklisted IP addresses to ThreatIntelligenceIndicator table and reporting IPs to Abuse IPDB based on a user response in Teams.</p>\n<p><strong>Custom Azure Logic Apps Connectors:</strong> 1, <strong>Playbooks:</strong> 3</p>\n<p><a href=\"https://aka.ms/azuresentinel\">Learn more about Microsoft Sentinel</a> | <a href=\"https://aka.ms/azuresentinelsolutionsdoc\">Learn more about Solutions</a></p>\n",
+        "descriptionHtml": "<p><strong>Note:</strong> Please refer to the following before installing the solution:</p>\n<p>• Review the solution <a href=\"https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/AbuseIPDB/ReleaseNotes.md\">Release Notes</a></p>\n<p>• There may be <a href=\"https://aka.ms/sentinelsolutionsknownissues\">known issues</a> pertaining to this Solution, please refer to them before installing.</p>\n<p>The <a href=\"https://www.abuseipdb.com/about\">AbuseIPDB</a> solution for Microsoft Sentinel allows you to check the reputation of IP addresses in log data and perform automated actions like enriching a Microsoft Sentinel incident by IP reputation information, add blacklisted IP addresses to ThreatIntelligenceIndicator table and reporting IPs to Abuse IPDB based on a user response in Teams.</p>\n<p><strong>Custom Azure Logic Apps Connectors:</strong> 1, <strong>Playbooks:</strong> 3</p>\n<p><a href=\"https://aka.ms/azuresentinel\">Learn more about Microsoft Sentinel</a> | <a href=\"https://aka.ms/azuresentinelsolutionsdoc\">Learn more about Solutions</a></p>\n",
         "contentKind": "Solution",
         "contentProductId": "[variables('_solutioncontentProductId')]",
         "id": "[variables('_solutioncontentProductId')]",

Solutions/AbuseIPDB/Package/testParameters.json

@@ -0,0 +1,24 @@
+{
+  "location": {
+    "type": "string",
+    "minLength": 1,
+    "defaultValue": "[resourceGroup().location]",
+    "metadata": {
+      "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`.  We instead use the `workspace-location` which is derived from the LA workspace"
+    }
+  },
+  "workspace-location": {
+    "type": "string",
+    "defaultValue": "",
+    "metadata": {
+      "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
+    }
+  },
+  "workspace": {
+    "defaultValue": "",
+    "type": "string",
+    "metadata": {
+      "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
+    }
+  }
+}

Solutions/AbuseIPDB/Playbooks/AbuseIPDB-BlacklistIpToThreatIntelligence/azuredeploy.json

@@ -6,8 +6,8 @@
       "description": "By every day reccurence, this playbook gets triggered and performs the following actions:\n 1. Gets [list](https://docs.abuseipdb.com/#blacklist-endpoint) of the most reported IP addresses form the Blacklist Endpoint.",
       "prerequisites": [
          "1. AbuseIPDBAPI Custom Connector has to be deployed prior to the deployment of this playbook under the same subscription.",
-         "2. To use the Microsoft Graph Security connector actions, Microsoft Entra ID tenant administrator consent needs to be provided. The Microsoft Graph Security connector application ID and name for Microsoft Entra ID in is as follows for Microsoft Entra ID administrator consent:\n- Application Name - MicrosoftGraphSecurityConnector\n- Application ID - c4829704-0edc-4c3d-a347-7c4a67586f3c",
-         "3.To view the Threat Indicators submitted by Microsoft Graph Security connector, 'Threat Intelligence Platforms' connector from 'Threat Intelligence' Solution need be installed."
+         "2. To use the Microsoft Graph Security connector actions, Microsoft Entra ID tenant administrator consent needs to be provided. The Microsoft Graph Security connector application ID and name for Microsoft Entra ID follows for Microsoft Entra ID administrator consent:\n- Application Name - MicrosoftGraphSecurityConnector\n- Application ID - c4829704-0edc-4c3d-a347-7c4a67586f3c",
+         "3. To view the Threat Indicators submitted by Microsoft Graph Security connector, 'Threat Intelligence Platforms' connector from 'Threat Intelligence' Solution need to be install."
       ],
       "prerequisitesDeployTemplateFile": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/AbuseIPDB/Playbooks/AbuseIPDBAPIConnector/azuredeploy.json",
       "preDeployment": [ "1. AbuseIPDB Custom Connector has to be deployed prior to the deployment of this playbook under the same subscription." ],

Solutions/AbuseIPDB/ReleaseNotes.md

@@ -1,4 +1,5 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History**                                                               |
 |-------------|--------------------------------|----------------------------------------------------------------------------------|
-| 3.0.0       | 31-07-2023                     | Updated prerequisites for  AbuseIPDB-BlacklistIpToThreatIntelligence playbook    |
+| 3.0.1       | 29-03-2024                     | Updated **playbook** description and corrected sentense formatting			      |
+| 3.0.0       | 31-07-2023                     | Updated prerequisites for  AbuseIPDB-BlacklistIpToThreatIntelligence **playbook**    |
 |             |                                | Modified text as there is rebranding from Azure Active Directory to Microsoft Entra ID.         |