FlareSystemsFirework: update to 1.0.1 solution

[jctaillandier]

Fixes #

Proposed Changes

• Added Playbook
• Changed wizard and instructions in Data Connector as well as Solution deployment (Zip)
• The changes to the zip are already published in microsoft marketplace listing

[ghost]

All CLA requirements met.

[lior-tamir]

Hi,
Seems like the playbook includes only the Json definition of the playbook, while it should include a whole ARM template of:

• Workflow resource
• Resource for each API connection
• Parameters (such playbook name)

Also, I see there is a 3 levels For Each - Is it required? As it may be confusing/costly in case of multiple items.

[jctaillandier]

• Workflow resource
• Resource for each API connection
• Parameters (such playbook name)

Could you give an example? I see Fortinet playbooks as well as RiskIQ's only have a JSON and an .md

[lior-tamir]

In the azuredeploy.json files (of Fortinet/RiskIQ) there are more then just the logic app definition. Your Json includes only the "definition" field of the "properties" of the resource of "type": "Microsoft.Logic/workflows".

A "clean" template can be found here:
https://github.com/Azure/Azure-Sentinel/blob/master/Playbooks/.template/incident-trigger/azuredeploy.json

[jctaillandier]

@NikTripathi Should work now.. Otherwise not sure whats up!

[NikTripathi]

@lior-tamir : Could you please review the playbooks?

[lior-tamir]

Hi,
Did you manage to deploy the raw code of the playbooks?
I get an error:
{
"code": "DeploymentFailed",
"message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.",
"details": [
{
"code": "InvalidTemplate",
"message": "The template validation failed: 'The workflow definition parameter '$connections' at line '1' and column '176' is not valid: the 'type' property is not specified.'."
}
]
}

Also, noticed some errors in Office 365 connection:

1. Missing a resource for the Office 365 connection (same as Sentinel has a resource definition, and workflow depends on it)
2. The connection reference to Office 365 includes an unsupported authentication type: lines 274-278 are not supported by Outlook connector and should be removed.
3. This seems wrong syntax: "<...>" in 271,273 - probably should be same as in Sentinel connection.

[jctaillandier]

I cannot test it locally since
https://portal.azure.com/?feature.BringYourOwnConnector=true
doesnt show the import option anymore

@lior-tamir Can I remove the office365 connection, its not really necessary ? If so how ?

[v-jayakal]

@jctaillandier - I could import json file using https://portal.azure.com/?feature.BringYourOwnConnector=true

Can you please try once again?

[jctaillandier]

Right, data connector doesnt seem to be the issue, I was talking about playbook template import

[v-jayakal]

@lior-tamir - Can you please help here on importing playbooks, thanks.

[anki-narravula]

Hi @jctaillandier - there are few issues with azuredeploy.json template. I have corrected and attached the file here, can you please submit the modified file. Also regarding the feature flag not working for you, what is your SubscriptionId and workspaceId ?
FlareFirework_azuredeploy.zip

[jctaillandier]

Thank you! Done.

[anki-narravula]

Thank you! Done.

@jctaillandier Can you provide your subscriotionId and workspaceId, so that we can enable feature flag for you.

[jctaillandier]

Subscription id: 7bd8ef24-f62e-4ed8-ba05-962f2b23bb4f
Workspace: 0da0c3cf-7422-40bf-8c40-0252fdb8c30b
Cheers!

[anki-narravula]

Subscription id: 7bd8ef24-f62e-4ed8-ba05-962f2b23bb4f Workspace: 0da0c3cf-7422-40bf-8c40-0252fdb8c30b Cheers!

We have added your subscription to access this feature, please validate and let us know

[jctaillandier]

Cant remember whether/which feature flag is required. It doesn't come up right now

[anki-narravula]

readme.md Can you please improve the readme.md by referring create-readme-file

• Include titles for Playbook and add sections Prerequisites, deploy to azure as described above

• Include at least 1-2 screenshots of the playbook (how looks like after successful deployment)

azuredeploy.json refer link create-arm-template and add below things

• Can you add "Deploy to Azure" and "Deploy to Azure Gov" and make sure it works

Connector_REST_API_FlareSystemsFirework.json

• Can you please add at least one more query sample, preferably which gives summarize result , for example

[anki-narravula]

Cant remember whether/which feature flag is required. It doesn't come up right now

Its not yet published, we are just 1-2 steps away. Can you please improvise as per my review comments

[anki-narravula]

@jctaillandier can you please add the changes I have mentioned to readme.md file asap, so that we can package it for solution

[anki-narravula]

We can go ahead for solution packaging as readme.md is no blocker for Solution template

done

[v-maudan]

@jctaillandier, To pass PR validations, Can you please merge your branch with master. Thanks!

[jctaillandier]

You mean rebase on master ? I cannot do a merge request since missing one more reviewer!