Merge pull request #191 from stefanpems/ciso-reporting

KwachSean · web-flow · commit e1ddbbecc1c8 · 2025-04-01T18:58:22.000+03:00
updated readme
diff --git a/Logic Apps/CfS-SendPromptbookResultsByEmail/readme.md b/Logic Apps/CfS-SendPromptbookResultsByEmail/readme.md
@@ -18,7 +18,7 @@ Please refer to this article for further details and for a video on how to deplo
 7. Enable the Logic App (the template deploys it in disabled state).
 
 ## Deployment button
-[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fstefanpems%2Fcfs%2Frefs%2Fheads%2Fmain%2FCfS-SendPromptbookResultsByEmail%2FCfS-SendPromptbookResultsByEmail.json)
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FSecurity-Copilot%2Frefs%2Fheads%2Fmain%2FLogic%2520Apps%2FCfS-SendPromptbookResultsByEmail%2FCfS-SendPromptbookResultsByEmail.json)
 
 ## Example of email customization:
 The following image shows:
diff --git a/Logic Apps/ciso-reporting/ciso-incidents-summary-man.yaml b/Logic Apps/ciso-reporting/ciso-incidents-summary-man.yaml
@@ -24,7 +24,7 @@ SkillGroups:
         DisplayName: CISO - Incidents Status Summary
         Description: Get a summary of the incidents status in Defender
         DescriptionForModel : Get a summary of the incidents status in Defender. 
-          If severities are specified in the prompt (e.g. High and Medium), concatenate them as a comma separated list of double-quoted strings (like "High","Medium").
+          If severities are specified in the prompt (e.g. High and Medium), concatenate them as a comma separated list of double-quoted strings with the first letter in uppercase (like "High","Medium").
           If start date and end date are not specified, consider the last 7 days.
           If the top number of results is not specified, consider 5 incidents titles.
           If csv_of_severities is not specified, consider only "High".
@@ -81,7 +81,7 @@ SkillGroups:
         DisplayName: CISO - True Positive Incidents Tactics and Techniques Analysis
         Description: Get a summary of the tactics and techniques used in the incidents that were classified as true positives
         DescriptionForModel : Get a summary of the tactics and techniques used in the incidents that were classified as true positives
-          If severities are specified in the prompt (e.g. High and Medium), concatenate them as a comma separated list of double-quoted strings (like "High","Medium").
+          If severities are specified in the prompt (e.g. High and Medium), concatenate them as a comma separated list of double-quoted strings with the first letter in uppercase (like "High","Medium").
           If start date and end date are not specified, consider the last 7 days.
           If severities is not specified, consider only "High".
         Inputs:
diff --git a/Logic Apps/ciso-reporting/ciso-posture-summary-man.yaml b/Logic Apps/ciso-reporting/ciso-posture-summary-man.yaml
@@ -12,6 +12,7 @@ SkillGroups:
         DisplayName: CISO - Recommendations by Severity
         Description: Get the list of the active recommendations by Severity (work in progress)
         DescriptionForModel : Get the list of the active recommendations by Severity
+          If severities are specified in the prompt (e.g. High and Medium), concatenate them as a comma separated list of double-quoted strings with the first letter in uppercase (like "High","Medium").
         Inputs:
           - Name: days_back
             Description: The number of days to be considered in the past, starting from today
diff --git a/Logic Apps/ciso-reporting/images/yt.png b/Logic Apps/ciso-reporting/images/yt.png
diff --git a/Logic Apps/ciso-reporting/install-guide.md b/Logic Apps/ciso-reporting/install-guide.md
diff --git a/Logic Apps/ciso-reporting/promptbook-incident-analysis.md b/Logic Apps/ciso-reporting/promptbook-incident-analysis.md
@@ -1,10 +1,10 @@
 # Prompts in the Incident Analysis promptbook
 
-This is the sample series of prompts for creating the promptbook dedicated to automating the Security Incident Management status analysis:
+This promptbook, containing a (sample) series of prompts for reporting the high-level status of the Security Incident Management process for the current organization, has been designed to be invoked from the [CfS-SendPromptbookResultsByEmail](https://github.com/Azure/Security-Copilot/tree/main/Logic%20Apps/CfS-SendPromptbookResultsByEmail) Logic App and requires the [CISO Incidents Summary](https://github.com/Azure/Security-Copilot/blob/main/Logic%20Apps/ciso-reporting/ciso-incidents-summary-man.yaml) Custom Plugin as a prerequisite.
 
 ## Prompt 1
 ```
-/CisoIncidentsStatusSummary Consider the top <TOP_INCIDENTS_NUMBER> most occurring incidents with severity <SEVERITIES> in the period of <TIME_FRAME>. 
+/CisoIncidentsStatusSummary Consider the top <TOP_INCIDENTS_NUMBER> most occurring incidents in the period of <TIME_FRAME>. For the input parameter named "csv_of_severities" specify the following word or words, each surrounded by double quotes, with only the first letter in uppercase and, if more than one, separated by commas: <SEVERITIES> .
 Respond by applying ALL these 4 indications to this specific response only:
 1. Start the response with the following first sentence: "This is the list of Incidents with severity <SEVERITIES> created in the requested period ". Then add, within round brackets, exactly the first day and the last day considered for <TIME_FRAME>, as used for invoking the CisoIncidentsStatusSummary skill; use the long date format.
 2. Do not return a table: return the results in paragraphs instead; highlight the incident title and write as bulleted list the numbers by status. Do not write classifications where the number is zero. Write in bold underlined the incident classified as true positive.
@@ -14,7 +14,7 @@ Respond by applying ALL these 4 indications to this specific response only:
 
 ## Prompt 2
 ```
-/CisoTruePositiveIncidentsTTAnalysis Consider only the incidents occurred <TIME_FRAME> with severity <SEVERITIES>.
+/CisoTruePositiveIncidentsTTAnalysis Consider only the incidents occurred <TIME_FRAME>. For the input parameter named "csv_of_severities" specify the following word or words, each surrounded by double quotes, with only the first letter in uppercase and, if more than one, separated by commas: <SEVERITIES> .
 Respond by applying BOTH these 2 indications to this specific response only:
 1. Start the response with the following first sentence: "These are the MITRE Tactics and Techniques for the Incidents closed as 'True Positives' in the requested period ". Then add, within round brackets, exactly the first day and the last day considered for <TIME_FRAME>, as used for invoking the CisoTruePositiveIncidentsTTAnalysis skill; use the long date format. 
 2. Do not return a table: return the results in paragraphs instead; highlight the incident title and write in a bullet the the number of occurrences, in a second bullet the list of tactics and in a third bullet the list of techniques.
@@ -95,7 +95,7 @@ Call the CisoGetUsersStatus skill of the CisoIncidentsSummaryApiHelper plugin. P
 ---
 
 # Parameters for the Logic App that invoke the Incident Analysis promptbook and sends the results by email
-(Logic App template: https://github.com/stefanpems/cfs/tree/main/CfS-SendPromptbookResultsByEmail)
+(Logic App template: https://github.com/Azure/Security-Copilot/tree/main/Logic%20Apps/CfS-SendPromptbookResultsByEmail)
 
 
 ## Paramters related to the responses of the promptbook
diff --git a/Logic Apps/ciso-reporting/promptbook-posture-analysis.md b/Logic Apps/ciso-reporting/promptbook-posture-analysis.md
@@ -1,6 +1,8 @@
 # Prompts in the Incident Analysis promptbook
 
-This is the sample series of prompts for creating the promptbook dedicated to automating the Security Posture status analysis:
+This promptbook, containing a (sample) series of prompts for reporting the high-level status of the security Posture for the current organization, has been designed to be invoked from the [CfS-SendPromptbookResultsByEmail](https://github.com/Azure/Security-Copilot/tree/main/Logic%20Apps/CfS-SendPromptbookResultsByEmail) Logic App and requires the [CISO Posture Summary](https://github.com/Azure/Security-Copilot/blob/main/Logic%20Apps/ciso-reporting/ciso-posture-summary-man.yaml) Custom Plugin as a prerequisite.
+
+NOTE: This promptbook is in a very preliminary draft state. Not only are these prompts not optimized in terms of compute capacity consumption, but it is also very incomplete. Please refer to [this article](https://www.linkedin.com/pulse/periodic-reporting-security-managers-cisos-using-stefano-pescosolido-fm80f/) for further details on how this promptbook should be improved.
 
 ## Prompt 1
 ```
@@ -14,14 +16,14 @@ Which threats should I focus on based on their exposure scores? For each returne
 
 ## Prompt 3
 ```
-/CisoRecommendationsBySeverity List the top recurring 10 Recommendations created in the last <NUMBER_OF_DAYS> days with severity <SEVERITIES>
+/CisoRecommendationsBySeverity List the top <NUMBER_OF_RECOMMENDATIONS> active Recommendations created in the last <NUMBER_OF_DAYS> days. For the input parameter named "csv_of_severities" specify the following word or words, each surrounded by double quotes, with only the first letter in uppercase and, if more than one, separated by commas: <SEVERITIES>
 ```
 
 
 ---
 
 # Parameters for the Logic App that invoke the Posture Analysis promptbook and sends the results by email
-(Logic App template: https://github.com/stefanpems/cfs/tree/main/CfS-SendPromptbookResultsByEmail)
+(Logic App template: https://github.com/Azure/Security-Copilot/tree/main/Logic%20Apps/CfS-SendPromptbookResultsByEmail)
 
 
 ## Paramters related to the responses of the promptbook
@@ -37,9 +39,8 @@ Indexes of the prompts whose responses should not be included in the delivered e
 ### Value for the Logic App Paramter 'ReplacePromptsInOutput' 
 Text to be used for replacing the prompts in the delivered email. 
 NOTE: It may include words and numbers that should be consistent with the values specified for the input parameters of the promptbook.  
-(Leave empty)
 ```
-[]
+["List the global threats that should be prioritized based on their exposure score and the vulnerabilities present in my environment.","List the recommendations for better coverage in our SIEM (Microsoft Sentinel) against the most impactful threats. Also, show the recommendations for better utilization of our collected logs.","List the top 10 high and medium severity recommendations based on the number of impacted resources in my cloud PaaS environments in Azure, AWS, and GCP."]
 ```
 
 
@@ -49,7 +50,7 @@ NOTE: It may include words and numbers that should be consistent with the values
 ### Value for the Logic App Paramter 'HtmlBodyHeader' 
 (Shades of **green**)
 ```
-<!DOCTYPE html><html><style>.notification-table-header {padding: 10px;width: auto;border-top: none;background: #0078D4;font-size: 11.0pt;color: white;font-weight: bold;margin-left: 10px;text-align: left;border: none;border-bottom: solid white 1.5pt;} .notification-table-text {padding: 10px;margin-left: 5px;width: 70%;text-align: left;border: none;border-bottom: solid white 1.5pt;background: #FAFAFA;font-size: 12.0pt;height: 20.05pt;} .notification-card-footer span {font-size: 12.0pt;color: #000000;} .notification-card-footer p {vertical-align: baseline;} .notification-body {margin: 0 auto;text-align: center;width: 650px;border: 1px black;border-collapse: collapse;background-color: #CCE4F6;} </style> <body style="background-color: #dfdfdf;"><table style="width:100%;"><tr><td style="padding:0;"><div align="center"><table class="notification-body"><tr style="border: 1px grey; border-top:none;"><td><p style='font-size:5.0pt;'><span>&nbsp;</span></p><table style='width:590px;margin:0 auto;border-collapse:collapse;'><tr class="notification-card-footer"><td><p style='text-align:left; font-size:12.0pt;'><b>***EMAILTITLE***</b></p></td></tr>
+<!DOCTYPE html><html><style>.notification-table-header {padding: 10px;width: auto;border-top: none;background: #3B7D23;font-size: 11.0pt;color: white;font-weight: bold;margin-left: 10px;text-align: left;border: none;border-bottom: solid white 1.5pt;} .notification-table-text {padding: 10px;margin-left: 5px;width: 70%;text-align: left;border: none;border-bottom: solid white 1.5pt;background: #FAFAFA;font-size: 12.0pt;height: 20.05pt;} .notification-card-footer span {font-size: 12.0pt;color: #000000;} .notification-card-footer p {vertical-align: baseline;} .notification-body {margin: 0 auto;text-align: center;width: 650px;border: 1px black;border-collapse: collapse;background-color: #B4E5A3;} </style> <body style="background-color: #dfdfdf;"><table style="width:100%;"><tr><td style="padding:0;"><div align="center"><table class="notification-body"><tr style="border: 1px grey; border-top:none;"><td><p style='font-size:5.0pt;'><span>&nbsp;</span></p><table style='width:590px;margin:0 auto;border-collapse:collapse;
 ```
 
 ### Value for the Logic App Paramter 'HtmlBodyRow' 
diff --git a/Logic Apps/ciso-reporting/readme.md b/Logic Apps/ciso-reporting/readme.md
@@ -1,2 +1,3 @@
 Please refer to: 
-https://www.linkedin.com/pulse/periodic-reporting-security-managers-cisos-using-stefano-pescosolido-fm80f/
+* [Description](https://www.linkedin.com/pulse/periodic-reporting-security-managers-cisos-using-stefano-pescosolido-fm80f/)
+* [Install Guide](https://github.com/Azure/Security-Copilot/blob/main/Logic%20Apps/ciso-reporting/install-guide.md)
