Closed mikedizzle closed 1 year ago
briandelmsft
commented
1 year ago @mikedizzle We have tested it, but not yet documented it. Right now it would be manual edits of the JSON, not difficult, but could be time consuming if you have many Logic apps / many module calls. Looking at some automation to help with the conversion. I'll provide an update soon
briandelmsft
commented
1 year ago High level manual steps to convert from v1 to v2 (of course make a copy from code view before you attempt). These steps would all be done in code view.
Here is a sample module from STAT v1 Base Module
"Base_Module": {
"inputs": {
"body": {
"Entities": "@triggerBody()?['object']?['properties']?['relatedEntities']",
"IncidentARMId": "@triggerBody()?['object']?['id']",
"WorkspaceId": "@triggerBody()?['workspaceId']"
},
"host": {
"connection": {
"name": "@parameters('$connections')['SentinelTriageAssistant']['connectionId']"
}
},
"method": "post",
"path": "/workflows/4bbd8xxxxxxxxxxxxxxxxxxxxxxxxx0462/triggers/manual/paths/invoke/func/base",
"queries": {
"api-version": "2016-10-01",
"sig": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"sp": "/triggers/manual/run",
"sv": "1.0"
}
},
"runAfter": {
"Terminate": [
"Succeeded"
]
},
"type": "ApiConnection"
},To convert you'll need to do 2 steps per module (3 for the base) For each module:
"queries" {} section/api/modules/modulenameHere's an example of the Base Module after the changes
"Base_Module": {
"inputs": {
"body": {
"Body": "@triggerBody()"
},
"host": {
"connection": {
"name": "@parameters('$connections')['SentinelTriageAssistant']['connectionId']"
}
},
"method": "post",
"path": "/api/modules/base"
},
"runAfter": {},
"type": "ApiConnection"
}Then globally for the Logic app you will need to change the parameters reference to the Logic App Custom connector You will need to change both the connectionId to point at the apiConnection object for STAT v2 and you'll need to change the id to point to the Logic App Custom Connector for STAT v2
Sample
"SentinelTriageAssistant": {
"connectionId": "/subscriptions/397xxxxxx-dxxx-4xxx-axxx-f3a40db4xxxx/resourceGroups/STAT/providers/Microsoft.Web/connections/STAT-Sample-STAT-Triage",
"connectionName": "STAT-Sample-STAT-Triage",
"id": "/subscriptions/397xxxxxx-dxxx-4xxx-axxx-f3a40db4xxxx/resourceGroups/STAT/providers/Microsoft.Web/customApis/SentinelTriageAssistant"
}
mikedizzle
commented
1 year ago Thanks for this. I think I might be following. When you say Base Module changes above, you're talking about changes to where the modules are called in the playbook that the automation rule is calling? The triage playbook?
briandelmsft
commented
1 year ago @mikedizzle yes that's correct, you only need to make changes in the triage playbook(s) where the modules are called. The base module call specifically requires an extra change as in v2 it wants the entire incident/alert body as an input
mikedizzle
commented
1 year ago Thanks. @seyed-nouraie hooked me up with the fact that the v2 branch on original stat project was where I wanted to be. I ran the deploy from there and it worked like a champ. I did need to change the defender api strings to gcc for my env, but things seems to be working really well.
Thanks!
I know the function-based STAT is still in preview, but do you have any instructions on how to move from V1 to V2?