
feat(playbook): LP incident response Logic App ARM template (#123) #151

Merged: TFT444 merged 1 commit into dev from feature/lp-playbook on Jun 23, 2026

Conversation

@TFT444 (Owner) commented Jun 21, 2026

Summary

  • Adds logic-apps/lp-incident-response/workflow.json — ARM template for the Loss Prevention incident response Logic App playbook
  • Triggered by Microsoft Sentinel when any LP rule (lp-incident-response playbook trigger) fires an alert
  • Passes scripts/validate_logicapps.py — 9/9 workflows

Playbook flow

```
Sentinel alert fires
        │
        ▼
Parse incident entities (title, severity, description, incidentNumber)
        │
        ▼
Add Sentinel comment — "acknowledged"
        │
        ▼
Notify LP manager via email (always)
        │
        ▼
Is Critical?
  ├── Yes → Email SOC escalation group + set incident status Active
  └── No  → (continue)
        │
        ▼
CCTV API configured?
  ├── Yes → POST to CCTV retention API — flag 60-minute footage window
  └── No  → (skip)
        │
        ▼
HR webhook configured?
  ├── Yes → POST HR case (source=RetailShield, caseType=LossPrevention)
  └── No  → (skip)
        │
        ▼
Add Sentinel comment — "complete" (lists actions taken)
```

Parameters

| Parameter | Required | Description |
|---|---|---|
| PlaybookName | No (default set) | Logic App resource name |
| WorkspaceId | Yes | Sentinel Log Analytics workspace ID |
| WorkspaceResourceGroup | Yes | Resource group of Sentinel workspace |
| LPManagerEmail | Yes | LP manager email for alerts |
| SOCEmailGroup | Yes | SOC distribution list for Critical escalation |
| HRSystemWebhook | No | HR system webhook URL (empty = skip) |
| CCTVRetentionApiUrl | No | CCTV footage retention API (empty = skip) |
| CCTVApiKey | No | API key for CCTV system |

How to test

```bash
python3 scripts/validate_logicapps.py
# Expected: 9/9 workflows passed
```

For deployment testing: deploy to a Sentinel dev workspace with dummy LP manager email, trigger a test incident, and verify the email notification arrives and Sentinel comments are written.

Closes #123
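The branching in the playbook flow above, modelled as an added Python example so the decision logic can be unit-tested offline before a deployment to a Sentinel dev workspace. This is not the PR's workflow.json and not project code: the incident fields, parameter names, the Critical check, the 60-minute window and the HR payload fields follow the PR description, while the action records, the comment wording, the `x-api-key` header name, the alignment of the footage window (the hour leading up to the alert) and the `createdTimeUtc` field are assumptions. The sample incident is constructed.

```python
"""Offline model of the LP playbook's branching (added example, not the PR's
workflow.json). Returns the ordered list of actions the playbook would take so
that each branch (Critical escalation, optional CCTV and HR integrations gated
on empty parameters) can be asserted on without deploying anything."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List


@dataclass
class PlaybookParams:
    """The ARM template parameters the branches depend on; '' means not configured."""
    LPManagerEmail: str
    SOCEmailGroup: str
    HRSystemWebhook: str = ""       # empty = skip HR case creation
    CCTVRetentionApiUrl: str = ""   # empty = skip CCTV retention call
    CCTVApiKey: str = ""


@dataclass
class Incident:
    """Entities the playbook parses from the Sentinel incident."""
    title: str
    severity: str
    description: str
    incidentNumber: int
    createdTimeUtc: datetime    # assumed: incident creation time anchors the CCTV window


def cctv_footage_window(alert_time: datetime, minutes: int = 60) -> Dict[str, str]:
    """Assumed reading of 'flag 60-minute footage window': the footage leading up
    to the alert, as ISO-8601 timestamps a retention API can store."""
    start = alert_time - timedelta(minutes=minutes)
    return {"from": start.isoformat(), "to": alert_time.isoformat()}


def run_playbook(incident: Incident, params: PlaybookParams) -> List[Dict]:
    """Walk the playbook top to bottom and return the actions it would perform, in order."""
    actions: List[Dict] = []
    actions.append({"action": "sentinel_comment", "incidentNumber": incident.incidentNumber,
                    "text": "acknowledged"})
    # The LP manager is always notified.
    actions.append({"action": "email", "to": params.LPManagerEmail,
                    "subject": f"[LP] #{incident.incidentNumber}: {incident.title}"})

    # Critical branch: escalate to the SOC list and move the incident to Active.
    if incident.severity.strip().lower() == "critical":
        actions.append({"action": "email", "to": params.SOCEmailGroup,
                        "subject": f"[LP ESCALATION] #{incident.incidentNumber}: {incident.title}"})
        actions.append({"action": "set_incident_status", "status": "Active"})

    # Optional integrations run only when their URL parameter is non-empty.
    if params.CCTVRetentionApiUrl:
        actions.append({"action": "http_post", "url": params.CCTVRetentionApiUrl,
                        # header name assumed; the key value is never copied into the record
                        "auth_header": "x-api-key" if params.CCTVApiKey else None,
                        "body": {"incidentNumber": incident.incidentNumber,
                                 **cctv_footage_window(incident.createdTimeUtc)}})
    if params.HRSystemWebhook:
        actions.append({"action": "http_post", "url": params.HRSystemWebhook,
                        "auth_header": None,
                        "body": {"source": "RetailShield", "caseType": "LossPrevention",
                                 "incidentNumber": incident.incidentNumber,
                                 "severity": incident.severity,
                                 "summary": incident.description}})

    # The closing comment lists what was actually done, which is what an analyst reads back.
    taken = ", ".join(a["action"] for a in actions)
    actions.append({"action": "sentinel_comment", "incidentNumber": incident.incidentNumber,
                    "text": f"complete: {taken}"})
    return actions


def sample_incident(severity: str) -> Incident:
    """Constructed test incident (not real data)."""
    return Incident(title="Unusual refund volume at register 4", severity=severity,
                    description="Refunds exceeded the LP rule threshold", incidentNumber=1042,
                    createdTimeUtc=datetime(2026, 6, 21, 14, 0, tzinfo=timezone.utc))


if __name__ == "__main__":
    full = PlaybookParams(LPManagerEmail="lp-manager@example.com",
                          SOCEmailGroup="soc@example.com",
                          HRSystemWebhook="https://hr.example.invalid/cases",
                          CCTVRetentionApiUrl="https://cctv.example.invalid/retain",
                          CCTVApiKey="<placeholder-key>")
    for a in run_playbook(sample_incident("Critical"), full):
        print(a["action"], a.get("to") or a.get("url") or a.get("text") or a.get("status"))
```

Running the model with an empty `CCTVRetentionApiUrl` or `HRSystemWebhook` confirms the "empty = skip" contract from the parameter table, and the Critical case shows the two extra actions that a Medium incident never triggers.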


Adds logic-apps/lp-incident-response/workflow.json — a Sentinel-
triggered Logic App that handles Loss Prevention alerts end-to-end:
notifies the LP manager via email, escalates Critical incidents to
the SOC, optionally flags CCTV footage for retention via a
configurable REST API, and optionally creates an HR case via webhook.
Adds a timestamped Sentinel comment at acknowledgement and completion.
Passes validate_logicapps.py (9/9 workflows).

Closes #123
@vercel (bot) commented Jun 21, 2026

The latest updates on your projects.

| Project | Deployment | Actions | Updated (UTC) |
|---|---|---|---|
| retail-shield | Ready | Preview, Comment | Jun 21, 2026 2:44pm |

@TFT444 (Owner, Author) left a comment

Diff is clean and well structured. Met all the requirements; ready to merge.

@TFT444 TFT444 merged commit 7a2067d into dev Jun 23, 2026
9 checks passed
@TFT444 TFT444 deleted the feature/lp-playbook branch June 23, 2026 17:42