Packaging tool changes for AWS, GCP kind of CCP connectors #11667
@@ -0,0 +1,97 @@
{
"type": "Microsoft.SecurityInsights/dataConnectorDefinitions",
"apiVersion": "2022-09-01-preview",
"name": "{{workspace}}/Microsoft.SecurityInsights/GCPAuditLogsDefinition",
"kind": "Customizable",
"properties": {
"connectorUiConfig": {
"id": "GCPAuditLogsDefinition",
"title": "GCP Pub/Sub Audit Logs",
"publisher": "Microsoft",
"descriptionMarkdown": "The Google Cloud Platform (GCP) audit logs, ingested from Sentinel's connector, enable you to capture three types of audit logs: admin activity logs, data access logs, and access transparency logs. Google cloud audit logs record a trail that practitioners can use to monitor access and detect potential threats across Google Cloud Platform (GCP) resources.",
"graphQueriesTableName": "GCPAuditLogs",
"graphQueries": [
{
"metricName": "Total events received",
"legend": "GCP Audit Logs",
"baseQuery": "{{graphQueriesTableName}}"
}
],
"sampleQueries": [
{
"description": "Get Sample of GCP Audit Logs",
"query": "{{graphQueriesTableName}}\n | take 10"
}
],
"dataTypes": [
{
"name": "{{graphQueriesTableName}}",
"lastDataReceivedQuery": "{{graphQueriesTableName}}\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriteria": [
{
"type": "HasDataConnectors"
}
],
"availability": {
"status": 1,
"isPreview": false
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "Read and Write permissions are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"read": true,
"write": true,
"delete": true,
"action": false
}
}
]
},
"instructionSteps": [
{
"instructions": [
{
"type": "MarkdownControlEnvBased",
"parameters": {
"prodScript":
"#### 1. Set up your GCP environment \n You must have the following GCP resources defined and configured: topic, subscription for the topic, workload identity pool, workload identity provider and service account with permissions to get and consume from subscription. \n Terraform provides API for the IAM that creates the resources. [Link to Terraform scripts](https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/GCP/Terraform/sentinel_resources_creation).",
"govScript":
"#### 1. Set up your GCP environment \n You must have the following GCP resources defined and configured: topic, subscription for the topic, workload identity pool, workload identity provider and service account with permissions to get and consume from subscription. \n Terraform provides API for the IAM that creates the resources. [Link to Gov Terraform scripts](https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/GCP/Terraform/sentinel_resources_creation_gov)."
}
},
{
"type": "CopyableLabel",
"parameters": {
"label": "Tenant ID: A unique identifier that is used as an input in the Terraform configuration within a GCP environment.",
"fillWith": ["TenantId"],
"name": "PoolId",
"disabled": true
}
},
{
"type": "Markdown",
"parameters": {
"content": "#### 2. Connect new collectors \n To enable GCP Audit Logs for Microsoft Sentinel, click the Add new collector button, fill the required information in the context pane and click on Connect."
}
},
{
"type": "GCPGrid",
"parameters":{}
},
{
"type": "GCPContextPane",
"parameters":{}
}
]
}
]
}
}
}
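Review bot: The `permissions.resourceProvider` entry declares `"delete": true` in `requiredPermissions` while its `permissionsDisplayText` tells the user "Read and Write permissions are required.", so the portal text understates what the connector actually asks for on the workspace. If delete rights are genuinely needed (presumably for the connector's removal path — confirm), the text should say so, e.g. `"permissionsDisplayText": "Read, Write and Delete permissions are required."`; if they are not, `"delete": false` keeps the definition at the least privilege the text already describes. Separately, `descriptionMarkdown` says the logs are "ingested from Sentinel's connector", which reads oddly inside the connector's own definition; "ingested by this connector" would be clearer.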
@@ -0,0 +1,24 @@
[{
"type": "Microsoft.SecurityInsights/dataConnectors",
"apiVersion": "2022-10-01-preview",
"name": "{{workspace}}/Microsoft.SecurityInsights/GCPAuditLogs",
"kind": "GCP",
"properties": {
"connectorDefinitionName": "GCPAuditLogsDefinition",
"dataType": "GCPAuditLogs",
"dcrConfig": {
"streamName": "SENTINEL_GCP_AUDIT_LOGS"
},
"auth": {
"serviceAccountEmail": "{{GCPServiceAccountEmail}}",
"projectNumber": "{{GCPProjectNumber}}",
"workloadIdentityProviderId": "{{GCPWorkloadIdentityProviderId}}"
},
"request": {
"projectId": "{{GCPProjectId}}",
"subscriptionNames": [
"{{GCPSubscriptionName}}"
]
}
}
}]
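Review bot: `dcrConfig` carries only `streamName`; the data collection endpoint and the DCR immutable id that a `"kind": "GCP"` data connector binds to are not in this file, and the `logAnalytics` destination in the dataCollectionRules file in the next section likewise carries only `"name": "clv2ws1"` with no workspace resource id. If the packaging tool injects these at build time that is fine, but nothing in the PR shows it, so it is worth confirming the generated template resolves them rather than shipping a connector whose DCR binding and destination are incomplete. The `{{GCP...}}` placeholders here are otherwise consistent with `GCPAuditLogsDefinition` and `GCPAuditLogs` in the definition file above.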
@@ -0,0 +1,25 @@
[{
"name": "GCPAuditLogs",
"apiVersion": "2021-09-01-preview",
"type": "Microsoft.Insights/dataCollectionRules",
"location": "{{location}}",
"properties": {
"destinations": {
"logAnalytics": [
{
"name": "clv2ws1"
}
]
},
"dataFlows": [
{
"streams": [
"Microsoft-GCPAuditLogs"
],
"destinations": [
"clv2ws1"
]
}
]
}
}]
Expand Up @@ -320,5 +320,5 @@ try {
}
}
catch {
Write-Host "Error occured in catch of createSolutionV3 file Error details are $_"
Write-Host "Error occurred in catch of createSolutionV3 file Error details are $_"
}
Expand Up @@ -3112,6 +3112,9 @@ function PrepareSolutionMetadata($solutionMetadataRawContent, $contentResourceDe
if ($null -ne $global:baseCreateUiDefinition.parameters.steps -and
$($global:baseCreateUiDefinition.parameters.steps).GetType() -ne [System.Object[]]) {
$global:baseCreateUiDefinition.parameters.steps = @($global:baseCreateUiDefinition.parameters.steps)
} elseif ($null -eq $global:baseCreateUiDefinition.parameters.steps) {
# when there is no content then create ui fails as step is null
$global:baseCreateUiDefinition.parameters.steps = @(@{}) # [{}]
}
$global:baseCreateUiDefinition | ConvertTo-Json -Depth $jsonConversionDepth | Out-File $createUiDefinitionOutputPath -Encoding utf8
}
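Review bot: The new `elseif` substitutes `@(@{})` for a null `steps`, but the inline comment `# [{}]` only records the serialized shape, not why one empty step object (rather than an empty array) is the value createUiDefinition accepts, so a reader cannot tell whether `[{}]` is a valid step or merely gets past the tool's own null check. Suggest expanding it to `# ConvertTo-Json emits [{}] here; createUiDefinition rejects a null steps value - confirm an empty step object is accepted by the portal`. The branch also assumes `$global:baseCreateUiDefinition.parameters` is non-null, since the assignment would fail otherwise; presumably that is guaranteed earlier in PrepareSolutionMetadata, whose body starts outside the hunk.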