Creating Playbooks in Microsoft Sentinel is made easy through the use of the Logic Apps service. Most operations are just click-to-select when creating the logic steps. But this ease of use can create bad habits. When you click and choose organization-specific content to include in a step, that content is stored and retained in the Playbook’s JSON code. On its own, that’s great. But if you decide someday to deploy the Playbook to another environment or share it with the Microsoft Sentinel community at large, all that organization-specific content goes with it, and much of it is information that should not be shared.
Consider things like tenant or subscription IDs, API codes, app keys, and more.
As a best practice, always take the time to create variables for organization-specific content. Then, when you want to share the JSON file, it’s easier to sanitize and remove the organization’s content.
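A pre-share check for an exported Playbook, as an added example that is not part of the original post: it walks the JSON and reports subscription IDs, bare GUIDs, and literal values under secret-like property names, while accepting values already supplied through a parameter expression. The sample export, its IDs and key, and the list of secret-like names are constructed assumptions.

```python
import json
import re

GUID = r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}"
SUBSCRIPTION_RE = re.compile(r"/subscriptions/" + GUID, re.I)
GUID_RE = re.compile(GUID)
SECRET_NAME_RE = re.compile(r"key|secret|password|token", re.I)  # heuristic, assumed list

def is_expression(value):
    # ARM template expressions are wrapped in [ ]; workflow expressions start with @
    return (value.startswith("[") and value.endswith("]")) or value.startswith("@")

def scan(node, path="$"):
    """Return (json_path, reason) for each hard-coded, organization-specific value."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if (isinstance(value, str) and value and SECRET_NAME_RE.search(key)
                    and not is_expression(value)):
                findings.append((child, "literal secret-like value"))
            findings.extend(scan(value, child))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            findings.extend(scan(value, f"{path}[{i}]"))
    elif isinstance(node, str):
        if SUBSCRIPTION_RE.search(node):
            findings.append((path, "subscription ID"))
        elif GUID_RE.search(node):
            findings.append((path, "GUID (possible tenant ID)"))
    return findings
# Constructed sample export: every ID, key and URL here is a placeholder.
SAMPLE = json.loads(r"""
{"parameters": {"PlaybookName": {"type": "string", "defaultValue": "Block-User"}},
 "resources": [{
   "name": "[parameters('PlaybookName')]",
   "properties": {
     "definition": {"actions": {"Lookup": {"type": "Http", "inputs": {
       "uri": "https://api.example.invalid/v1/lookup",
       "headers": {"x-api-key": "CONSTRUCTED-NOT-A-REAL-KEY"},
       "authentication": {"tenant": "11111111-1111-1111-1111-111111111111",
                          "secret": "@parameters('ClientSecret')"}}}}},
     "parameters": {"$connections": {"value": {"azuresentinel": {
       "id": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Web/locations/eastus/managedApis/azuresentinel"}}}}}}]}
""")

if __name__ == "__main__":
    for json_path, reason in scan(SAMPLE):
        print(f"{reason}: {json_path}")
```

Each reported path is a value to move into a variable or parameter before the JSON file leaves the organization; an empty result means only that these patterns were not found.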