Adding new Box CCP connector and updated parser #11324

Merged
merged 15 commits into from
Dec 10, 2024
Merged
Original file line number Diff line number Diff line change
Expand Up @@ -242,4 +242,4 @@
"Type": "Boolean"
}
]
}
}
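--- a/.script/tests/KqlvalidationsTests/CustomTables/BoxEventsV2_CL.json
+++ b/.script/tests/KqlvalidationsTests/CustomTables/BoxEventsV2_CL.json
@@ -0,0 +1,157 @@
+{
+"Name": "BoxEventsV2_CL",
+"Properties": [
+{
+"name": "additional_details",
+"type": "dynamic"
+},
+{
+"name": "created_at",
+"type": "datetime"
+},
+{
+"name": "event_id",
+"type": "string"
+},
+{
+"name": "EventEndTime",
+"type": "string"
+},
+{
+"name": "event_type",
+"type": "string"
+},
+{
+"name": "ip_address",
+"type": "string"
+},
+{
+"name": "session_id",
+"type": "dynamic"
+},
+{
+"name": "TimeGenerated",
+"type": "datetime"
+},
+{
+"name": "event_category",
+"type": "string"
+},
+{
+"name": "source_user_email",
+"type": "string"
+},
+{
+"name": "source_file_id",
+"type": "string"
+},
+{
+"name": "source_file_name",
+"type": "string"
+},
+{
+"name": "source_parent_name",
+"type": "string"
+},
+{
+"name": "source_item_type",
+"type": "string"
+},
+{
+"name": "source_item_id",
+"type": "string"
+},
+{
+"name": "source_item_name",
+"type": "string"
+},
+{
+"name": "source_parent_type",
+"type": "string"
+},
+{
+"name": "source_parent_id",
+"type": "string"
+},
+{
+"name": "source_owned_by_type",
+"type": "string"
+},
+{
+"name": "source_owned_by_id",
+"type": "string"
+},
+{
+"name": "source_owned_by_name",
+"type": "string"
+},
+{
+"name": "source_owned_by_login",
+"type": "string"
+},
+{
+"name": "created_by_type",
+"type": "string"
+},
+{
+"name": "created_by_id",
+"type": "string"
+},
+{
+"name": "created_by_name",
+"type": "string"
+},
+{
+"name": "created_by_login",
+"type": "string"
+},
+{
+"name": "source_type",
+"type": "string"
+},
+{
+"name": "source_id",
+"type": "string"
+},
+{
+"name": "source_name",
+"type": "string"
+},
+{
+"name": "source_login",
+"type": "string"
+},
+{
+"name": "source_folder_id",
+"type": "string"
+},
+{
+"name": "source_folder_name",
+"type": "string"
+},
+{
+"name": "source_user_id",
+"type": "string"
+},
+{
+"name": "source_user_name",
+"type": "string"
+},
+{
+"name": "accessible_by_type",
+"type": "string"
+},
+{
+"name": "accessible_by_id",
+"type": "string"
+},
+{
+"name": "accessible_by_name",
+"type": "string"
+},
+{
+"name": "accessible_by_login",
+"type": "string"
+}
+]
+}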
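Review bot: The `EventEndTime` entry in this test schema is typed `string` while the other timestamp columns (`created_at`, `TimeGenerated`) are `datetime`, and nothing else in this PR populates it — the transformKql in BoxEvents_DCR.json never extends EventEndTime, while it does keep `recorded_at`, for which this schema has no column. If EventEndTime is a timestamp, `{ "name": "EventEndTime", "type": "datetime" }` keeps it consistent with the other time columns; either way the test schema and the DCR output should be reconciled so the KQL validation exercises the columns the table will actually hold. Separately, `session_id` is `dynamic` here but declared `string` in the DCR input stream and passed through by the transform untouched — confirm against the real table definition, which is not part of this PR view.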
Original file line number Diff line number Diff line change
Expand Up @@ -3084,6 +3084,11 @@
"templateName": "MESCheckVIP.yaml",
"validationFailReason": "Temporarily Added for Parser KQL Queries validation"
},
{
"id": "231a04da-9a8d-4cd6-8a20-2da7ded173ba",
"templateName": "BoxEvents.yaml",
"validationFailReason": "Failing for missing coloumn which is already added to the Custom table Schema (EventEndTime)"
},
{
"id": "600db9e0-1c11-4295-a88a-071c79434926",
"templateName": "AccountElevatedtoNewRole.yaml",
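Review bot: The new skip-list entry for BoxEvents.yaml records a reason that contradicts itself — the column is described as missing and as already present in the custom table schema — which suggests the KQL validation is not reading the new BoxEventsV2_CL.json test schema rather than the parser being genuinely unvalidatable; worth confirming the schema is picked up before relying on the exclusion. The reason string also has a typo: `"validationFailReason": "Failing for missing column which is already added to the Custom table Schema (EventEndTime)"`. The enclosing array continues outside this hunk.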
Expand Down Expand Up @@ -3631,4 +3636,4 @@
}

// Temporarily adding Solution Parsers id's for Solution Parsers KQL Validations - End
]
]
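--- a/Solutions/Box/Data Connectors/BoxEvents_ccp/BoxEvents_DCR.json
+++ b/Solutions/Box/Data Connectors/BoxEvents_ccp/BoxEvents_DCR.json
@@ -0,0 +1,82 @@
+[
+{
+"name": "BoxEventsDCR",
+"apiVersion": "2021-09-01-preview",
+"type": "Microsoft.Insights/dataCollectionRules",
+"location": "{{location}}",
+"properties": {
+"dataCollectionEndpointId": "{{dataCollectionEndpointId}}",
+"streamDeclarations": {
+"Custom-Box_CL": {
+"columns": [
+{
+"name": "type",
+"type": "string"
+},
+{
+"name": "event_id",
+"type": "string"
+},
+{
+"name": "created_by",
+"type": "dynamic"
+},
+{
+"name": "created_at",
+"type": "datetime"
+},
+{
+"name": "recorded_at",
+"type": "datetime"
+},
+{
+"name": "event_type",
+"type": "string"
+},
+{
+"name": "session_id",
+"type": "string"
+},
+{
+"name": "source",
+"type": "dynamic"
+},
+{
+"name": "ip_address",
+"type": "string"
+},
+{
+"name": "accessible_by",
+"type": "dynamic"
+},
+{
+"name": "additional_details",
+"type": "dynamic"
+}
+]
+}
+},
+"dataSources": {},
+"destinations": {
+"logAnalytics": [
+{
+"workspaceResourceId": "[variables('workspaceResourceId')]",
+"name": "4b0f6f0e10104aa5838b3c0b18702683"
+}
+]
+},
+"dataFlows": [
+{
+"streams": [
+"Custom-Box_CL"
+],
+"destinations": [
+"4b0f6f0e10104aa5838b3c0b18702683"
+],
+"transformKql": "source\n| extend TimeGenerated = created_at, event_category = type\n| extend\n source_user_email=tostring(source.user_email),\n source_file_id=tostring(source.file_id),\n source_file_name=tostring(source.file_name),\n source_parent_name=tostring(source.parent.name),\n source_item_type=tostring(source.item_type),\n source_item_id=tostring(source.item_id),\n source_item_name=tostring(source.item_name),\n source_parent_type=tostring(source.parent.type),\n source_parent_id=tostring(source.parent.id),\n source_owned_by_type=tostring(source.owned_by.type),\n source_owned_by_id=tostring(source.owned_by.type),\n source_owned_by_name=tostring(source.owned_by.name),\n source_owned_by_login=tostring(source.owned_by.login),\n created_by_type=tostring(created_by.type),\n created_by_id=tostring(created_by.id),\n created_by_name=tostring(created_by.name),\n created_by_login=tostring(created_by.login),\n source_type=tostring(source.type),\n source_id=tostring(source.id),\n source_name=tostring(source.name),\n source_login=tostring(source.login),\n source_folder_id=tostring(source.folder_id),\n source_folder_name=tostring(source.folder_name),\n source_user_id=tostring(source.user_id),\n source_user_name=tostring(source.user_name),\n accessible_by_type=tostring(accessible_by.type),\n accessible_by_id=tostring(accessible_by.id),\n accessible_by_name=tostring(accessible_by.name),\n accessible_by_login=tostring(accessible_by.login)\n| project-away type, accessible_by, created_by, source \n\n",
+"outputStream": "Custom-BoxEventsV2_CL"
+}
+]
+}
+}
+]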
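Review bot: In the `transformKql` string the owner-id column is filled from the wrong field — `source_owned_by_id=tostring(source.owned_by.type)` duplicates `source_owned_by_type`, so any parser or detection keyed on the owning user's id will see a type label instead of an identifier. It should read `source_owned_by_id=tostring(source.owned_by.id),`. Separately, the `Custom-Box_CL` stream declares `session_id` as `string` while the BoxEventsV2_CL test schema in this PR types it `dynamic`, and `recorded_at` survives the `project-away` but has no column in that schema — worth aligning the two so nothing is silently dropped or coerced at ingestion.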
Original file line number Diff line number Diff line change
@@ -0,0 +1,107 @@
{
"name": "BoxEventsCCPDefinition",
"apiVersion": "2022-09-01-preview",
"type": "Microsoft.SecurityInsights/dataConnectorDefinitions",
"location": "{{location}}",
"kind": "Customizable",
"id": "BoxEventsCCPDefinition",
"properties": {
"connectorUiConfig": {
"id": "BoxEventsCCPDefinition",
"title": "Box Events (CCP) (Preview)",
"publisher": "Microsoft",
"descriptionMarkdown": "The Box data connector provides the capability to ingest [Box enterprise's events](https://developer.box.com/guides/events/#admin-events) into Microsoft Sentinel using the Box REST API. Refer to [Box documentation](https://developer.box.com/guides/events/enterprise-events/for-enterprise/) for more information.",
"graphQueriesTableName": "BoxEventsV2_CL",
"graphQueries": [
{
"metricName": "Events received",
"legend": "Box events received",
"baseQuery": "{{graphQueriesTableName}}"
}
],
"sampleQueries": [
{
"description": "All Box events",
"query": "BoxEvents\n| sort by TimeGenerated desc"
}
],
"dataTypes": [
{
"name": "{{graphQueriesTableName}}",
"lastDataReceivedQuery": "{{graphQueriesTableName}}\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)"
}
],
"connectivityCriteria": [
{
"type": "HasDataConnectors"
}
],
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "Read and Write permissions are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"write": true,
"read": true,
"delete": true
}
}
],
"customs": [
{
"name": "Box API credentials",
"description": "Box API requires a Box App client ID and client secret to authenticate. [See the documentation to learn more about Client Credentials grant](https://developer.box.com/guides/authentication/client-credentials/client-credentials-setup/)"
},
{
"name": "Box Enterprise ID",
"description": "Box Enterprise ID is required to make the connection. See documentation to [find Enterprise ID](https://developer.box.com/platform/appendix/locating-values/)"
}
]
},
"instructionSteps": [
{
"description": ">**NOTE:** This connector uses Codeless Connecor Platform (CCP) to connect to the Box REST API to pull logs into Microsoft Sentinel."
},
{
"description": ">**NOTE:** This connector depends on a parser based on Kusto Function to work as expected [**BoxEvents**](https://aka.ms/sentinel-BoxDataConnector-parser) which is deployed with the Microsoft Sentinel Solution."
},
{
"description": "**STEP 1 - Create Box Custom Application**\n\nSee documentation to [setup client credentials authentication](https://developer.box.com/guides/authentication/client-credentials/client-credentials-setup/)\n"
},
{
"description": "**STEP 2 - Grab Client ID and Client Secret values**\n\nYou might need to setup 2FA to fetch the secret.\n"
},
{
"description": "**STEP 3 - Grab Box Enterprise ID from Box Admin Console**\n\nSee documentation to [find Enterprise ID](https://developer.box.com/platform/appendix/locating-values/)\n"
},
{
"description": "Provide the required values below:\n",
"instructions": [
{
"type": "Textbox",
"parameters": {
"label": "Box Enterprise ID",
"placeholder": "123456",
"type": "text",
"name": "boxEnterpriseId"
}
},
{
"type": "OAuthForm",
"parameters": {
"clientIdLabel": "Client ID",
"clientSecretLabel": "Client Secret",
"connectButtonLabel": "Connect",
"disconnectButtonLabel": "Disconnect"
}
}
],
"title": "Connect to Box to start collecting event logs to Microsoft Sentinel"
}
]
}
}
}
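Review bot: The user-facing instruction step `">**NOTE:** This connector uses Codeless Connecor Platform (CCP) ..."` misspells the platform name; it should read `Codeless Connector Platform (CCP)`. The `requiredPermissions` block also requests `"delete": true` on the workspace alongside read and write; if deploying this connector never removes workspace resources, read and write are the smaller grant to ask for — confirm against what the other CCP connector definitions in the repository request before changing it.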