Creating Playbooks in Microsoft Sentinel is made easy through the use of the Logic Apps service. Most operations are just click-to-select when creating the logic steps. But this ease of use can create bad habits. When you click and choose organization-specific content to be included in each step this is actually stored and retained in the JSON code. On its own, that’s great. But if you decide someday you want to deploy the Playbook to another environment or share with the Microsoft Sentinel community at large, all that organization-specific content will be included, and there’s a lot of that type of information that should not be shared.
Consider things like tenant or subscription IDS, API codes, app keys, and more.
As a best practice, always take the time to create variables for organization specific content. Then, when you want to share the JSON file, it’s easier to sanitize and remove the organization’s content.
My colleague, Sreedhar Ande, has created an amazing tool that will sift through the JSON of a Playbook/Logic App and locate and remove the organization-specific information BUT ONLY if that information is not hard-coded into the Logic App steps. So, if you want to use this tool, this is another great reason to always employ variables.
Sreedhar’s tool is the Playbook Template Generator: https://cda.ms/4bT
For an example of creating and using variables, see the latest Rodcast:
It’s difficult to imagine that the Rodcasts would be up to episode 20 already, but here we are. Subscribe to the channel to not miss an episode: https://cda.ms/4bW
Incidentally, Logic App Parameters are a type of variable and are used for both dynamic lists and for Logic App deployment. See: Using Logic App Parameters with Microsoft Sentinel Playbooks
[Subscribe to the RSS feed for this blog]
[Subscribe to the Weekly Microsoft Sentinel Newsletter]
[Subscribe to the Weekly Microsoft Defender Newsletter]
[Learn KQL with the Must Learn KQL series and book]