Merge pull request Azure#7888 from BenjiSec/UpdateSOCProcessFramework

update to SOCProcessFramework solution

Playbooks/Get-SentinelAlertsEvidence/readme.md

@@ -1,23 +1,35 @@
 # Get-SentinelAlertsEvidence
+Author: Yaniv Shasha
 
 This playbook will Logic will automatically attach alert evidence from Azure Sentinel alerts and send them to an Event Hub that can be consumed by a 3rd party SIEM solution.
+<br><br>
 
-
-Author: Yaniv Shasha
-
-Deploy the solution
+# Prerequisites
 1.	Create an Event Hub using the article "Create an event hub using Azure portal" <br>
 https://docs.microsoft.com/azure/event-hubs/event-hubs-create or use an existing Event Hub.
-2. Go to the Playbook GitHub page.<br>
-3. Press the "deploy to azure" button.<br>
-4. Fill the above information:<br>
-- Azure Sentinel Workspace Name<br>
-- Azure Sentinel Workspace resource group name<br>
-- Number of events to pulls from Azure Sentinel (default value is 10 latest events )<br>
+<br><br>
+
+# Quick Deployment
+**Deploy with incident trigger**
+
+After deployment, you can run this playbook manually on an incident or attach this playbook to an **automation rule** so it runs when the incident is created.
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FGet-SentinelAlertsEvidence%2Fincident-trigger%2Fazuredeploy.json)
+[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FGet-SentinelAlertsEvidence%2Fincident-trigger%2Fazuredeploy.json)
+
+
+**Deploy with alert trigger**
+
+After deployment, you can run this playbook manually on an alert or attach it to an **automation rule** so it will rune when an alert is created.
 
-4.	Once the playbook is deployed, Modify the “Run query and list results” actions and point it to your Azure sentinel workspace.<br>
-5.	Next, configure the "send event" actions to use your Event Hub that created earlier.<br>
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FGet-SentinelAlertsEvidence%2Falert-trigger%2Fazuredeploy.json)
+[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FGet-SentinelAlertsEvidence%2Falert-trigger%2Fazuredeploy.json)
+<br><br>
 
+# Post-deployment
+1.	Once the playbook is deployed, Modify the “Run query and list results” actions and point it to your Azure sentinel workspace.<br>
+2.	Next, configure the "send event" actions to use your Event Hub that created earlier.<br><br>
 
-<[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FGet-SentinelAlertsEvidence%2Fazuredeploy.json)
-[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FGet-SentinelAlertsEvidence%2Fazuredeploy.json)
+# Screenshots
+**Incident Trigger**
+![Incident Trigger](./images/playbookDark.jpg)

Solutions/SOC-Process-Framework/Playbooks/readme.md

@@ -4,22 +4,23 @@
 This playbook uses the SOCRA Watchlist to automatically enrich incidents generated by Microsoft Sentinel with Actions to review and take. Actions will be evaluated per Customer Organization and edited/modified per their standards of conduct.
 
 ## Prerequisites
-This playbook does a watchlist lookup using an API connection created with in the LogicApp of this playbook to the SOCRA Watchlist and writes the recommended actions to the working incident as a comment. Ensure you have deployed the SOCRA Watchlist prior to deploying this playbook.
+This playbook does a watchlist lookup using an API connection created with in the LogicApp of this playbook to the SOCRA Watchlist and writes the recommended actions to the working incident as a incident task. Ensure you have deployed the SOCRA Watchlist prior to deploying this playbook.
 
 ## Deployment
 
-<a href="https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FSOCProcessFramework%2FPlaybooks%2FGet-SOCActions%2Fazuredeploy.json" target="_blank">
+<a href="https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FSOC-Process-Framework%2FPlaybooks%2FGet-SOCActions%2Fazuredeploy.json" target="_blank">
     <img src="https://aka.ms/deploytoazurebutton"/>
 </a>
-<a href="https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FSOCProcessFramework%2FPlaybooks%2FGet-SOCActions%2Fazuredeploy.json" target="_blank">
+<a href="https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FSOC-Process-Framework%2FPlaybooks%2FGet-SOCActions%2Fazuredeploy.json" target="_blank">
     <img src="https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/deploytoazuregov.png"/>
 </a>
 
 ### Post-Deployment Instructions
-After deploying the playbook, you must authorize the connections leveraged.
+After deploying the playbook, you must authorize the connections leveraged and assign permissions
 
 1. Visit the playbook resource.
 2. Under "Development Tools" (located on the left), click "API Connections".
 3. Ensure each connection has been authorized.
+4. Assign Microsoft Sentinel Responder role to the managed identity. To do so, choose Identity blade under Settings of the Logic App.
 
-**Note: If you've deployed the [Get-SOCActions Playbook](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/SOC Process Framework/Playbooks/Get-SOCActions/azuredeploy.json) playbook, you will only need to authorize the Microsoft Sentinel connection.**
+**Note: If you've deployed the [Get-SOCActions Playbook](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/SOC-Process-Framework/Playbooks/Get-SOCActions/azuredeploy.json) playbook, you will only need to authorize the Microsoft Sentinel connection.**

Solutions/SOC-Process-Framework/data/Solution_Soc-Process.json

@@ -30,7 +30,7 @@
   ],
   "Metadata": "SolutionMetadata.json",
   "BasePath": "C:\\GitHub\\azure\\Solutions\\SOC-Process-Framework",
-  "Version": "2.0.5",
+  "Version": "2.1.0",
   "TemplateSpec": true,
   "Is1PConnector": false
 }