Merge branch 'user/nibhandari/update-uploadapi-template' of https://github.com/ni-bhandari/Azure-Sentinel into user/nibhandari/update-uploadapi-template
This commit is contained in:
Коммит
684233ccb4
|
@ -2,7 +2,7 @@
|
|||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"parameters": {
|
||||
"location": {
|
||||
"location": {
|
||||
"defaultValue": "[resourceGroup().location]",
|
||||
"minLength": 1,
|
||||
"type": "string",
|
||||
|
@ -24,9 +24,9 @@
|
|||
"variables": {
|
||||
"solutionId": "azuresentinel.azure-sentinel-solution-gcpauditlogs-api",
|
||||
"_solutionId": "[variables('solutionId')]",
|
||||
"dataCollectionRuleImmutableId": "data collection rule immutableId",
|
||||
"dataCollectionRuleImmutableId": "data collection rule immutableId",
|
||||
"_dataCollectionRuleImmutableId": "[variables('dataCollectionRuleImmutableId')]",
|
||||
"dataCollectionEndpointId": "[concat('/subscriptions/',variables('subscription'),'/resourceGroups/',variables('resourceGroupName'),'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('workspace'))]",
|
||||
"dataCollectionEndpointId": "[concat('/subscriptions/',variables('subscription'),'/resourceGroups/',variables('resourceGroupName'),'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('workspace'))]",
|
||||
"_dataCollectionEndpointId": "[variables('dataCollectionEndpointId')]",
|
||||
"workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
|
||||
"uiConfigId1": "GCPAuditLogsDefinition",
|
||||
|
@ -45,11 +45,11 @@
|
|||
"dataConnectorVersion2": "1.0.0",
|
||||
"resourceGroupName": "[resourceGroup().name]",
|
||||
"subscription": "[last(split(subscription().id, '/'))]",
|
||||
"dataCollectionRuleId": "GCPAuditLogs",
|
||||
"streamName": "SENTINEL_GCP_AUDIT_LOGS",
|
||||
"logAnalyticsTableId": "Microsoft-GCPAuditLogs",
|
||||
"dataType": "GCPAuditLogs",
|
||||
"destinationName": "clv2ws1"
|
||||
"dataCollectionRuleId": "GCPAuditLogs",
|
||||
"streamName": "SENTINEL_GCP_AUDIT_LOGS",
|
||||
"logAnalyticsTableId": "Microsoft-GCPAuditLogs",
|
||||
"dataType": "GCPAuditLogs",
|
||||
"destinationName": "clv2ws1"
|
||||
},
|
||||
"resources": [
|
||||
{
|
||||
|
@ -93,103 +93,101 @@
|
|||
"location": "[parameters('workspace-location')]",
|
||||
"kind": "Customizable",
|
||||
"properties": {
|
||||
"connectorUiConfig": {
|
||||
"id": "[variables('_uiConfigId1')]",
|
||||
"title": "GCP Pub/Sub Audit Logs (Preview)",
|
||||
"publisher": "Microsoft",
|
||||
"descriptionMarkdown": "The Google Cloud Platform (GCP) audit logs, ingested from Sentinel's connector, enable you to capture three types of audit logs: admin activity logs, data access logs, and access transparency logs. Google cloud audit logs record a trail that practitioners can use to monitor access and detect potential threats across Google Cloud Platform (GCP) resources.",
|
||||
"graphQueriesTableName": "GCPAuditLogs",
|
||||
"graphQueries": [
|
||||
{
|
||||
"metricName": "Total events received",
|
||||
"legend": "GCP Audit Logs",
|
||||
"baseQuery": "{{graphQueriesTableName}}"
|
||||
}
|
||||
],
|
||||
"sampleQueries": [
|
||||
{
|
||||
"description": "Get Sample of GCP Audit Logs",
|
||||
"query": "{{graphQueriesTableName}}\n | take 10"
|
||||
}
|
||||
],
|
||||
"dataTypes": [
|
||||
{
|
||||
"name": "{{graphQueriesTableName}}",
|
||||
"lastDataReceivedQuery": "{{graphQueriesTableName}}\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
|
||||
}
|
||||
],
|
||||
"connectivityCriteria": [
|
||||
{
|
||||
"type": "HasDataConnectors"
|
||||
}
|
||||
],
|
||||
"availability": {
|
||||
"status": 1,
|
||||
"isPreview": false
|
||||
},
|
||||
"permissions": {
|
||||
"resourceProvider": [
|
||||
{
|
||||
"provider": "Microsoft.OperationalInsights/workspaces",
|
||||
"permissionsDisplayText": "Read and Write permissions are required.",
|
||||
"providerDisplayName": "Workspace",
|
||||
"scope": "Workspace",
|
||||
"requiredPermissions": {
|
||||
"read": true,
|
||||
"write": true,
|
||||
"delete": true,
|
||||
"action": false
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
"instructionSteps": [
|
||||
{
|
||||
"instructions": [
|
||||
{
|
||||
"type": "MarkdownControlEnvBased",
|
||||
"parameters": {
|
||||
"prodScript":
|
||||
"#### 1. Set up your GCP environment \n You must have the following GCP resources defined and configured: topic, subscription for the topic, workload identity pool, workload identity provider and service account with permissions to get and consume from subscription. \n Terraform provides API for the IAM that creates the resources. [Link to Terraform scripts](https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/GCP/Terraform/sentinel_resources_creation).",
|
||||
"govScript":
|
||||
"#### 1. Set up your GCP environment \n You must have the following GCP resources defined and configured: topic, subscription for the topic, workload identity pool, workload identity provider and service account with permissions to get and consume from subscription. \n Terraform provides API for the IAM that creates the resources. [Link to Gov Terraform scripts](https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/GCP/Terraform/sentinel_resources_creation_gov)."
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "CopyableLabel",
|
||||
"parameters": {
|
||||
"label": "Tenant ID: A unique identifier that is used as an input in the Terraform configuration within a GCP environment.",
|
||||
"fillWith": ["TenantId"],
|
||||
"name": "PoolId",
|
||||
"disabled": true
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Markdown",
|
||||
"parameters": {
|
||||
"content": "#### 2. Connect new collectors \n To enable GCP Audit Logs for Microsoft Sentinel, click the Add new collector button, fill the required information in the context pane and click on Connect."
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "GCPGrid",
|
||||
"parameters":{}
|
||||
},
|
||||
{
|
||||
"type": "GCPContextPane",
|
||||
"parameters":{}
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"isConnectivityCriteriasMatchSome": false
|
||||
},
|
||||
"connectorUiConfig": {
|
||||
"id": "[variables('_uiConfigId1')]",
|
||||
"title": "GCP Pub/Sub Audit Logs",
|
||||
"publisher": "Microsoft",
|
||||
"descriptionMarkdown": "The Google Cloud Platform (GCP) audit logs, ingested from Sentinel's connector, enable you to capture three types of audit logs: admin activity logs, data access logs, and access transparency logs. Google cloud audit logs record a trail that practitioners can use to monitor access and detect potential threats across Google Cloud Platform (GCP) resources.",
|
||||
"graphQueriesTableName": "GCPAuditLogs",
|
||||
"graphQueries": [
|
||||
{
|
||||
"metricName": "Total events received",
|
||||
"legend": "GCP Audit Logs",
|
||||
"baseQuery": "{{graphQueriesTableName}}"
|
||||
}
|
||||
],
|
||||
"sampleQueries": [
|
||||
{
|
||||
"description": "Get Sample of GCP Audit Logs",
|
||||
"query": "{{graphQueriesTableName}}\n | take 10"
|
||||
}
|
||||
],
|
||||
"dataTypes": [
|
||||
{
|
||||
"name": "{{graphQueriesTableName}}",
|
||||
"lastDataReceivedQuery": "{{graphQueriesTableName}}\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
|
||||
}
|
||||
],
|
||||
"connectivityCriteria": [
|
||||
{
|
||||
"type": "HasDataConnectors"
|
||||
}
|
||||
],
|
||||
"availability": {
|
||||
"status": 1,
|
||||
"isPreview": false
|
||||
},
|
||||
"permissions": {
|
||||
"resourceProvider": [
|
||||
{
|
||||
"provider": "Microsoft.OperationalInsights/workspaces",
|
||||
"permissionsDisplayText": "Read and Write permissions are required.",
|
||||
"providerDisplayName": "Workspace",
|
||||
"scope": "Workspace",
|
||||
"requiredPermissions": {
|
||||
"read": true,
|
||||
"write": true,
|
||||
"delete": true,
|
||||
"action": false
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
"instructionSteps": [
|
||||
{
|
||||
"instructions": [
|
||||
{
|
||||
"type": "MarkdownControlEnvBased",
|
||||
"parameters": {
|
||||
"prodScript": "#### 1. Set up your GCP environment \n You must have the following GCP resources defined and configured: topic, subscription for the topic, workload identity pool, workload identity provider and service account with permissions to get and consume from subscription. \n Terraform provides API for the IAM that creates the resources. [Link to Terraform scripts](https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/GCP/Terraform/sentinel_resources_creation).",
|
||||
"govScript": "#### 1. Set up your GCP environment \n You must have the following GCP resources defined and configured: topic, subscription for the topic, workload identity pool, workload identity provider and service account with permissions to get and consume from subscription. \n Terraform provides API for the IAM that creates the resources. [Link to Gov Terraform scripts](https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/GCP/Terraform/sentinel_resources_creation_gov)."
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "CopyableLabel",
|
||||
"parameters": {
|
||||
"label": "Tenant ID: A unique identifier that is used as an input in the Terraform configuration within a GCP environment.",
|
||||
"fillWith": [ "TenantId" ],
|
||||
"name": "PoolId",
|
||||
"disabled": true
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Markdown",
|
||||
"parameters": {
|
||||
"content": "#### 2. Connect new collectors \n To enable GCP Audit Logs for Microsoft Sentinel, click the Add new collector button, fill the required information in the context pane and click on Connect."
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "GCPGrid",
|
||||
"parameters": {}
|
||||
},
|
||||
{
|
||||
"type": "GCPContextPane",
|
||||
"parameters": {}
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"isConnectivityCriteriasMatchSome": false
|
||||
},
|
||||
"connectionsConfig": {
|
||||
"templateSpecName": "[concat('/subscriptions/',variables('subscription'),'/resourceGroups/',variables('resourceGroupName'),'/providers/Microsoft.Resources/templateSpecs/',variables('dataConnectorTemplateSpecName2'))]",
|
||||
"templateSpecVersion": "[variables('dataConnectorVersion2')]"
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
{
|
||||
"name": "[variables('dataCollectionRuleId')]",
|
||||
"apiVersion": "2021-09-01-preview",
|
||||
"type": "Microsoft.Insights/dataCollectionRules",
|
||||
|
@ -197,22 +195,22 @@
|
|||
"properties": {
|
||||
"dataCollectionEndpointId": "[variables('_dataCollectionEndpointId')]",
|
||||
"destinations": {
|
||||
"logAnalytics": [
|
||||
{
|
||||
"workspaceResourceId": "[variables('workspaceResourceId')]",
|
||||
"name": "[variables('destinationName')]"
|
||||
}
|
||||
]
|
||||
"logAnalytics": [
|
||||
{
|
||||
"workspaceResourceId": "[variables('workspaceResourceId')]",
|
||||
"name": "[variables('destinationName')]"
|
||||
}
|
||||
]
|
||||
},
|
||||
"dataFlows": [
|
||||
{
|
||||
"streams": [
|
||||
"[variables('logAnalyticsTableId')]"
|
||||
],
|
||||
"destinations": [
|
||||
"[variables('destinationName')]"
|
||||
]
|
||||
}
|
||||
{
|
||||
"streams": [
|
||||
"[variables('logAnalyticsTableId')]"
|
||||
],
|
||||
"destinations": [
|
||||
"[variables('destinationName')]"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
},
|
||||
|
@ -239,15 +237,15 @@
|
|||
"tier": "Microsoft",
|
||||
"link": "https://support.microsoft.com"
|
||||
},
|
||||
"dependencies": {
|
||||
"criteria": [
|
||||
{
|
||||
"kind": "DataConnector",
|
||||
"contentId": "[variables('_dataConnectorContentId2')]",
|
||||
"version": "[variables('dataConnectorVersion2')]"
|
||||
}
|
||||
]
|
||||
}
|
||||
"dependencies": {
|
||||
"criteria": [
|
||||
{
|
||||
"kind": "DataConnector",
|
||||
"contentId": "[variables('_dataConnectorContentId2')]",
|
||||
"version": "[variables('dataConnectorVersion2')]"
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
}
|
||||
]
|
||||
|
@ -277,120 +275,118 @@
|
|||
"tier": "Microsoft",
|
||||
"link": "https://support.microsoft.com"
|
||||
},
|
||||
"dependencies": {
|
||||
"criteria": [
|
||||
{
|
||||
"kind": "DataConnector",
|
||||
"contentId": "[variables('_dataConnectorContentId2')]",
|
||||
"version": "[variables('dataConnectorVersion2')]"
|
||||
}
|
||||
]
|
||||
}
|
||||
"dependencies": {
|
||||
"criteria": [
|
||||
{
|
||||
"kind": "DataConnector",
|
||||
"contentId": "[variables('_dataConnectorContentId2')]",
|
||||
"version": "[variables('dataConnectorVersion2')]"
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
|
||||
"apiVersion": "2022-09-01-preview",
|
||||
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions",
|
||||
"location": "[parameters('workspace-location')]",
|
||||
"kind": "Customizable",
|
||||
"properties": {
|
||||
"connectorUiConfig": {
|
||||
"id": "[variables('_uiConfigId1')]",
|
||||
"title": "GCP Pub/Sub Audit Logs (Preview)",
|
||||
"publisher": "Microsoft",
|
||||
"descriptionMarkdown": "The Google Cloud Platform (GCP) audit logs, ingested from Sentinel's connector, enable you to capture three types of audit logs: admin activity logs, data access logs, and access transparency logs. Google cloud audit logs record a trail that practitioners can use to monitor access and detect potential threats across Google Cloud Platform (GCP) resources.",
|
||||
"graphQueriesTableName": "GCPAuditLogs",
|
||||
"graphQueries": [
|
||||
{
|
||||
"metricName": "Total events received",
|
||||
"legend": "GCP Audit Logs",
|
||||
"baseQuery": "{{graphQueriesTableName}}"
|
||||
}
|
||||
],
|
||||
"sampleQueries": [
|
||||
{
|
||||
"description": "Get Sample of GCP Audit Logs",
|
||||
"query": "{{graphQueriesTableName}}\n | take 10"
|
||||
}
|
||||
],
|
||||
"dataTypes": [
|
||||
{
|
||||
"name": "{{graphQueriesTableName}}",
|
||||
"lastDataReceivedQuery": "{{graphQueriesTableName}}\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
|
||||
}
|
||||
],
|
||||
"connectivityCriteria": [
|
||||
{
|
||||
"type": "HasDataConnectors"
|
||||
}
|
||||
],
|
||||
"availability": {
|
||||
"status": 1,
|
||||
"isPreview": false
|
||||
},
|
||||
"permissions": {
|
||||
"resourceProvider": [
|
||||
{
|
||||
"provider": "Microsoft.OperationalInsights/workspaces",
|
||||
"permissionsDisplayText": "Read and Write permissions are required.",
|
||||
"providerDisplayName": "Workspace",
|
||||
"scope": "Workspace",
|
||||
"requiredPermissions": {
|
||||
"read": true,
|
||||
"write": true,
|
||||
"delete": true,
|
||||
"action": false
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
"instructionSteps": [
|
||||
{
|
||||
"instructions": [
|
||||
{
|
||||
"type": "MarkdownControlEnvBased",
|
||||
"parameters": {
|
||||
"prodScript":
|
||||
"#### 1. Set up your GCP environment \n You must have the following GCP resources defined and configured: topic, subscription for the topic, workload identity pool, workload identity provider and service account with permissions to get and consume from subscription. \n Terraform provides API for the IAM that creates the resources. [Link to Terraform scripts](https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/GCP/Terraform/sentinel_resources_creation).",
|
||||
"govScript":
|
||||
"#### 1. Set up your GCP environment \n You must have the following GCP resources defined and configured: topic, subscription for the topic, workload identity pool, workload identity provider and service account with permissions to get and consume from subscription. \n Terraform provides API for the IAM that creates the resources. [Link to Gov Terraform scripts](https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/GCP/Terraform/sentinel_resources_creation_gov)."
|
||||
{
|
||||
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
|
||||
"apiVersion": "2022-09-01-preview",
|
||||
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions",
|
||||
"location": "[parameters('workspace-location')]",
|
||||
"kind": "Customizable",
|
||||
"properties": {
|
||||
"connectorUiConfig": {
|
||||
"id": "[variables('_uiConfigId1')]",
|
||||
"title": "GCP Pub/Sub Audit Logs",
|
||||
"publisher": "Microsoft",
|
||||
"descriptionMarkdown": "The Google Cloud Platform (GCP) audit logs, ingested from Sentinel's connector, enable you to capture three types of audit logs: admin activity logs, data access logs, and access transparency logs. Google cloud audit logs record a trail that practitioners can use to monitor access and detect potential threats across Google Cloud Platform (GCP) resources.",
|
||||
"graphQueriesTableName": "GCPAuditLogs",
|
||||
"graphQueries": [
|
||||
{
|
||||
"metricName": "Total events received",
|
||||
"legend": "GCP Audit Logs",
|
||||
"baseQuery": "{{graphQueriesTableName}}"
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "CopyableLabel",
|
||||
"parameters": {
|
||||
"label": "Tenant ID: A unique identifier that is used as an input in the Terraform configuration within a GCP environment.",
|
||||
"fillWith": ["TenantId"],
|
||||
"name": "PoolId",
|
||||
"disabled": true
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Markdown",
|
||||
"parameters": {
|
||||
"content": "#### 2. Connect new collectors \n To enable GCP Audit Logs for Microsoft Sentinel, click the Add new collector button, fill the required information in the context pane and click on Connect."
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "GCPGrid",
|
||||
"parameters":{}
|
||||
},
|
||||
{
|
||||
"type": "GCPContextPane",
|
||||
"parameters":{}
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"isConnectivityCriteriasMatchSome": false
|
||||
},
|
||||
"connectionsConfig": {
|
||||
"templateSpecName": "[concat('/subscriptions/',variables('subscription'),'/resourceGroups/',variables('resourceGroupName'),'/providers/Microsoft.Resources/templateSpecs/',variables('dataConnectorTemplateSpecName2'))]",
|
||||
"templateSpecVersion": "[variables('dataConnectorVersion2')]"
|
||||
}
|
||||
}
|
||||
},
|
||||
],
|
||||
"sampleQueries": [
|
||||
{
|
||||
"description": "Get Sample of GCP Audit Logs",
|
||||
"query": "{{graphQueriesTableName}}\n | take 10"
|
||||
}
|
||||
],
|
||||
"dataTypes": [
|
||||
{
|
||||
"name": "{{graphQueriesTableName}}",
|
||||
"lastDataReceivedQuery": "{{graphQueriesTableName}}\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
|
||||
}
|
||||
],
|
||||
"connectivityCriteria": [
|
||||
{
|
||||
"type": "HasDataConnectors"
|
||||
}
|
||||
],
|
||||
"availability": {
|
||||
"status": 1,
|
||||
"isPreview": false
|
||||
},
|
||||
"permissions": {
|
||||
"resourceProvider": [
|
||||
{
|
||||
"provider": "Microsoft.OperationalInsights/workspaces",
|
||||
"permissionsDisplayText": "Read and Write permissions are required.",
|
||||
"providerDisplayName": "Workspace",
|
||||
"scope": "Workspace",
|
||||
"requiredPermissions": {
|
||||
"read": true,
|
||||
"write": true,
|
||||
"delete": true,
|
||||
"action": false
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
"instructionSteps": [
|
||||
{
|
||||
"instructions": [
|
||||
{
|
||||
"type": "MarkdownControlEnvBased",
|
||||
"parameters": {
|
||||
"prodScript": "#### 1. Set up your GCP environment \n You must have the following GCP resources defined and configured: topic, subscription for the topic, workload identity pool, workload identity provider and service account with permissions to get and consume from subscription. \n Terraform provides API for the IAM that creates the resources. [Link to Terraform scripts](https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/GCP/Terraform/sentinel_resources_creation).",
|
||||
"govScript": "#### 1. Set up your GCP environment \n You must have the following GCP resources defined and configured: topic, subscription for the topic, workload identity pool, workload identity provider and service account with permissions to get and consume from subscription. \n Terraform provides API for the IAM that creates the resources. [Link to Gov Terraform scripts](https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/GCP/Terraform/sentinel_resources_creation_gov)."
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "CopyableLabel",
|
||||
"parameters": {
|
||||
"label": "Tenant ID: A unique identifier that is used as an input in the Terraform configuration within a GCP environment.",
|
||||
"fillWith": [ "TenantId" ],
|
||||
"name": "PoolId",
|
||||
"disabled": true
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Markdown",
|
||||
"parameters": {
|
||||
"content": "#### 2. Connect new collectors \n To enable GCP Audit Logs for Microsoft Sentinel, click the Add new collector button, fill the required information in the context pane and click on Connect."
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "GCPGrid",
|
||||
"parameters": {}
|
||||
},
|
||||
{
|
||||
"type": "GCPContextPane",
|
||||
"parameters": {}
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"isConnectivityCriteriasMatchSome": false
|
||||
},
|
||||
"connectionsConfig": {
|
||||
"templateSpecName": "[concat('/subscriptions/',variables('subscription'),'/resourceGroups/',variables('resourceGroupName'),'/providers/Microsoft.Resources/templateSpecs/',variables('dataConnectorTemplateSpecName2'))]",
|
||||
"templateSpecVersion": "[variables('dataConnectorVersion2')]"
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Resources/templateSpecs",
|
||||
"apiVersion": "2022-02-01",
|
||||
|
@ -405,7 +401,7 @@
|
|||
"displayName": "GCPAuditLogs template"
|
||||
}
|
||||
},
|
||||
{
|
||||
{
|
||||
"type": "Microsoft.Resources/templateSpecs/versions",
|
||||
"apiVersion": "2022-02-01",
|
||||
"name": "[concat(variables('dataConnectorTemplateSpecName2'),'/',variables('dataConnectorVersion2'))]",
|
||||
|
@ -418,30 +414,30 @@
|
|||
"hidden-sentinelContentType": "LogicAppsCustomConnector"
|
||||
},
|
||||
"properties": {
|
||||
"description": "GCPAuditLogs data connector with template version 2.0.2",
|
||||
"description": "GCPAuditLogs data connector with template version 2.0.3",
|
||||
"mainTemplate": {
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "[variables('dataConnectorVersion2')]",
|
||||
"parameters": {
|
||||
"GCPProjectId": {
|
||||
"type": "String",
|
||||
"minLength": 4
|
||||
},
|
||||
"GCPProjectNumber": {
|
||||
"type": "String",
|
||||
"minLength": 1
|
||||
},
|
||||
"GCPWorkloadIdentityProviderId": {
|
||||
"type": "String"
|
||||
},
|
||||
"GCPServiceAccountEmail": {
|
||||
"type": "String",
|
||||
"minLength": 1
|
||||
},
|
||||
"GCPSubscriptionName": {
|
||||
"type": "String",
|
||||
"minLength": 3
|
||||
},
|
||||
"GCPProjectId": {
|
||||
"type": "String",
|
||||
"minLength": 4
|
||||
},
|
||||
"GCPProjectNumber": {
|
||||
"type": "String",
|
||||
"minLength": 1
|
||||
},
|
||||
"GCPWorkloadIdentityProviderId": {
|
||||
"type": "String"
|
||||
},
|
||||
"GCPServiceAccountEmail": {
|
||||
"type": "String",
|
||||
"minLength": 1
|
||||
},
|
||||
"GCPSubscriptionName": {
|
||||
"type": "String",
|
||||
"minLength": 3
|
||||
},
|
||||
"connectorDefinitionName": {
|
||||
"defaultValue": "connectorDefinitionName",
|
||||
"type": "string",
|
||||
|
@ -461,14 +457,14 @@
|
|||
"dataCollectionRuleImmutableId": "[variables('_dataCollectionRuleImmutableId')]"
|
||||
}
|
||||
},
|
||||
"guidValue": {
|
||||
"type": "string",
|
||||
"defaultValue": "[[newGuid()]"
|
||||
}
|
||||
"guidValue": {
|
||||
"type": "string",
|
||||
"defaultValue": "[[newGuid()]"
|
||||
}
|
||||
},
|
||||
"variables": {
|
||||
"_dataConnectorContentId2": "[variables('_dataConnectorContentId2')]",
|
||||
"connectorName": "[[concat('GCPAuditLogs', parameters('guidValue'))]"
|
||||
"_dataConnectorContentId2": "[variables('_dataConnectorContentId2')]",
|
||||
"connectorName": "[[concat('GCPAuditLogs', parameters('guidValue'))]"
|
||||
},
|
||||
"resources": [
|
||||
{
|
||||
|
@ -486,19 +482,19 @@
|
|||
},
|
||||
"dataType": "[variables('dataType')]",
|
||||
"auth": {
|
||||
"serviceAccountEmail": "[[parameters('GCPServiceAccountEmail')]",
|
||||
"projectNumber": "[[parameters('GCPProjectNumber')]",
|
||||
"workloadIdentityProviderId": "[[parameters('GCPWorkloadIdentityProviderId')]"
|
||||
"serviceAccountEmail": "[[parameters('GCPServiceAccountEmail')]",
|
||||
"projectNumber": "[[parameters('GCPProjectNumber')]",
|
||||
"workloadIdentityProviderId": "[[parameters('GCPWorkloadIdentityProviderId')]"
|
||||
},
|
||||
"request": {
|
||||
"projectId": "[[parameters('GCPProjectId')]",
|
||||
"subscriptionNames": [
|
||||
"[[parameters('GCPSubscriptionName')]"
|
||||
]
|
||||
"projectId": "[[parameters('GCPProjectId')]",
|
||||
"subscriptionNames": [
|
||||
"[[parameters('GCPSubscriptionName')]"
|
||||
]
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
{
|
||||
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
|
||||
"apiVersion": "2022-01-01-preview",
|
||||
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]",
|
||||
|
@ -527,12 +523,12 @@
|
|||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
{
|
||||
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
|
||||
"apiVersion": "2022-01-01-preview",
|
||||
"location": "[parameters('workspace-location')]",
|
||||
"properties": {
|
||||
"version": "2.0.2",
|
||||
"version": "2.0.3",
|
||||
"kind": "Solution",
|
||||
"contentSchemaVersion": "2.0.0",
|
||||
"contentId": "[variables('_solutionId')]",
|
||||
|
@ -562,9 +558,9 @@
|
|||
]
|
||||
},
|
||||
"firstPublishDate": "2022-06-24",
|
||||
"providers": ["Microsoft"],
|
||||
"providers": [ "Microsoft" ],
|
||||
"categories": {
|
||||
"domains": ["Cloud Provider"]
|
||||
"domains": [ "Cloud Provider" ]
|
||||
}
|
||||
},
|
||||
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]"
|
||||
|
|
|
@ -4,56 +4,57 @@
|
|||
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\"width=\"75px\" height=\"75px\">",
|
||||
"Description": "The Threat Intelligence solution contains data connectors for import of threat indicators into Microsoft Sentinel, analytic rules for matching TI data with event data, workbook, and hunting queries. Threat indicators can be malicious IP's, URL's, filehashes, domains, email addresses etc.",
|
||||
"Data Connectors": [
|
||||
"Solutions/Threat Intelligence/Data Connectors/template_ThreatIntelligenceTaxii.json"
|
||||
"Solutions/Threat Intelligence Solution for Azure Government/Data Connectors/template_ThreatIntelligenceTaxii.json",
|
||||
"Solutions/Threat Intelligence Solution for Azure Government/Data Connectors/template_ThreatIntelligenceUploadIndicators_ForGov.json"
|
||||
],
|
||||
"Workbooks": [
|
||||
"Solutions/Threat Intelligence/Workbooks/ThreatIntelligence.json"
|
||||
"Solutions/Threat Intelligence Solution for Azure Government/Workbooks/ThreatIntelligence.json"
|
||||
],
|
||||
"Hunting Queries": [
|
||||
"Solutions/Threat Intelligence/Hunting Queries/FileEntity_OfficeActivity.yaml",
|
||||
"Solutions/Threat Intelligence/Hunting Queries/FileEntity_SecurityEvent.yaml",
|
||||
"Solutions/Threat Intelligence/Hunting Queries/FileEntity_Syslog.yaml",
|
||||
"Solutions/Threat Intelligence/Hunting Queries/FileEntity_VMConnection.yaml",
|
||||
"Solutions/Threat Intelligence/Hunting Queries/FileEntity_WireData.yaml"
|
||||
"Solutions/Threat Intelligence Solution for Azure Government/Hunting Queries/FileEntity_OfficeActivity.yaml",
|
||||
"Solutions/Threat Intelligence Solution for Azure Government/Hunting Queries/FileEntity_SecurityEvent.yaml",
|
||||
"Solutions/Threat Intelligence Solution for Azure Government/Hunting Queries/FileEntity_Syslog.yaml",
|
||||
"Solutions/Threat Intelligence Solution for Azure Government/Hunting Queries/FileEntity_VMConnection.yaml",
|
||||
"Solutions/Threat Intelligence Solution for Azure Government/Hunting Queries/FileEntity_WireData.yaml"
|
||||
],
|
||||
"Analytic Rules": [
|
||||
"Solutions/Threat Intelligence/Analytic Rules/DomainEntity_CommonSecurityLog.yaml",
|
||||
"Solutions/Threat Intelligence/Analytic Rules/DomainEntity_DnsEvents.yaml",
|
||||
"Solutions/Threat Intelligence/Analytic Rules/DomainEntity_imWebSession.yaml",
|
||||
"Solutions/Threat Intelligence/Analytic Rules/DomainEntity_PaloAlto.yaml",
|
||||
"Solutions/Threat Intelligence/Analytic Rules/DomainEntity_SecurityAlert.yaml",
|
||||
"Solutions/Threat Intelligence/Analytic Rules/DomainEntity_Syslog.yaml",
|
||||
"Solutions/Threat Intelligence/Analytic Rules/EmailEntity_AzureActivity.yaml",
|
||||
"Solutions/Threat Intelligence/Analytic Rules/EmailEntity_OfficeActivity.yaml",
|
||||
"Solutions/Threat Intelligence/Analytic Rules/EmailEntity_PaloAlto.yaml",
|
||||
"Solutions/Threat Intelligence/Analytic Rules/EmailEntity_SecurityAlert.yaml",
|
||||
"Solutions/Threat Intelligence/Analytic Rules/EmailEntity_SecurityEvent.yaml",
|
||||
"Solutions/Threat Intelligence/Analytic Rules/EmailEntity_SigninLogs.yaml",
|
||||
"Solutions/Threat Intelligence/Analytic Rules/FileHashEntity_CommonSecurityLog.yaml",
|
||||
"Solutions/Threat Intelligence/Analytic Rules/FileHashEntity_SecurityEvent.yaml",
|
||||
"Solutions/Threat Intelligence/Analytic Rules/IPEntity_AppServiceHTTPLogs.yaml",
|
||||
"Solutions/Threat Intelligence/Analytic Rules/IPEntity_AWSCloudTrail.yaml",
|
||||
"Solutions/Threat Intelligence/Analytic Rules/IPEntity_AzureActivity.yaml",
|
||||
"Solutions/Threat Intelligence/Analytic Rules/IPEntity_AzureFirewall.yaml",
|
||||
"Solutions/Threat Intelligence/Analytic Rules/IPEntity_AzureKeyVault.yaml",
|
||||
"Solutions/Threat Intelligence/Analytic Rules/IPEntity_AzureNetworkAnalytics.yaml",
|
||||
"Solutions/Threat Intelligence/Analytic Rules/IPEntity_AzureSQL.yaml",
|
||||
"Solutions/Threat Intelligence/Analytic Rules/IPEntity_CustomSecurityLog.yaml",
|
||||
"Solutions/Threat Intelligence/Analytic Rules/IPEntity_DnsEvents.yaml",
|
||||
"Solutions/Threat Intelligence/Analytic Rules/IPEntity_imWebSession.yaml",
|
||||
"Solutions/Threat Intelligence/Analytic Rules/IPEntity_OfficeActivity.yaml",
|
||||
"Solutions/Threat Intelligence/Analytic Rules/IPentity_SigninLogs.yaml",
|
||||
"Solutions/Threat Intelligence/Analytic Rules/IPEntity_VMConnection.yaml",
|
||||
"Solutions/Threat Intelligence/Analytic Rules/IPEntity_W3CIISLog.yaml",
|
||||
"Solutions/Threat Intelligence/Analytic Rules/URLEntity_AuditLogs.yaml",
|
||||
"Solutions/Threat Intelligence/Analytic Rules/URLEntity_OfficeActivity.yaml",
|
||||
"Solutions/Threat Intelligence/Analytic Rules/URLEntity_PaloAlto.yaml",
|
||||
"Solutions/Threat Intelligence/Analytic Rules/URLEntity_SecurityAlerts.yaml",
|
||||
"Solutions/Threat Intelligence/Analytic Rules/URLEntity_Syslog.yaml",
|
||||
"Solutions/Threat Intelligence/Analytic Rules/IPEntity_DuoSecurity.yaml"
|
||||
"Solutions/Threat Intelligence Solution for Azure Government/Analytic Rules/DomainEntity_CommonSecurityLog.yaml",
|
||||
"Solutions/Threat Intelligence Solution for Azure Government/Analytic Rules/DomainEntity_DnsEvents.yaml",
|
||||
"Solutions/Threat Intelligence Solution for Azure Government/Analytic Rules/DomainEntity_imWebSession.yaml",
|
||||
"Solutions/Threat Intelligence Solution for Azure Government/Analytic Rules/DomainEntity_PaloAlto.yaml",
|
||||
"Solutions/Threat Intelligence Solution for Azure Government/Analytic Rules/DomainEntity_SecurityAlert.yaml",
|
||||
"Solutions/Threat Intelligence Solution for Azure Government/Analytic Rules/DomainEntity_Syslog.yaml",
|
||||
"Solutions/Threat Intelligence Solution for Azure Government/Analytic Rules/EmailEntity_AzureActivity.yaml",
|
||||
"Solutions/Threat Intelligence Solution for Azure Government/Analytic Rules/EmailEntity_OfficeActivity.yaml",
|
||||
"Solutions/Threat Intelligence Solution for Azure Government/Analytic Rules/EmailEntity_PaloAlto.yaml",
|
||||
"Solutions/Threat Intelligence Solution for Azure Government/Analytic Rules/EmailEntity_SecurityAlert.yaml",
|
||||
"Solutions/Threat Intelligence Solution for Azure Government/Analytic Rules/EmailEntity_SecurityEvent.yaml",
|
||||
"Solutions/Threat Intelligence Solution for Azure Government/Analytic Rules/EmailEntity_SigninLogs.yaml",
|
||||
"Solutions/Threat Intelligence Solution for Azure Government/Analytic Rules/FileHashEntity_CommonSecurityLog.yaml",
|
||||
"Solutions/Threat Intelligence Solution for Azure Government/Analytic Rules/FileHashEntity_SecurityEvent.yaml",
|
||||
"Solutions/Threat Intelligence Solution for Azure Government/Analytic Rules/IPEntity_AppServiceHTTPLogs.yaml",
|
||||
"Solutions/Threat Intelligence Solution for Azure Government/Analytic Rules/IPEntity_AWSCloudTrail.yaml",
|
||||
"Solutions/Threat Intelligence Solution for Azure Government/Analytic Rules/IPEntity_AzureActivity.yaml",
|
||||
"Solutions/Threat Intelligence Solution for Azure Government/Analytic Rules/IPEntity_AzureFirewall.yaml",
|
||||
"Solutions/Threat Intelligence Solution for Azure Government/Analytic Rules/IPEntity_AzureKeyVault.yaml",
|
||||
"Solutions/Threat Intelligence Solution for Azure Government/Analytic Rules/IPEntity_AzureNetworkAnalytics.yaml",
|
||||
"Solutions/Threat Intelligence Solution for Azure Government/Analytic Rules/IPEntity_AzureSQL.yaml",
|
||||
"Solutions/Threat Intelligence Solution for Azure Government/Analytic Rules/IPEntity_CustomSecurityLog.yaml",
|
||||
"Solutions/Threat Intelligence Solution for Azure Government/Analytic Rules/IPEntity_DnsEvents.yaml",
|
||||
"Solutions/Threat Intelligence Solution for Azure Government/Analytic Rules/IPEntity_imWebSession.yaml",
|
||||
"Solutions/Threat Intelligence Solution for Azure Government/Analytic Rules/IPEntity_OfficeActivity.yaml",
|
||||
"Solutions/Threat Intelligence Solution for Azure Government/Analytic Rules/IPentity_SigninLogs.yaml",
|
||||
"Solutions/Threat Intelligence Solution for Azure Government/Analytic Rules/IPEntity_VMConnection.yaml",
|
||||
"Solutions/Threat Intelligence Solution for Azure Government/Analytic Rules/IPEntity_W3CIISLog.yaml",
|
||||
"Solutions/Threat Intelligence Solution for Azure Government/Analytic Rules/URLEntity_AuditLogs.yaml",
|
||||
"Solutions/Threat Intelligence Solution for Azure Government/Analytic Rules/URLEntity_OfficeActivity.yaml",
|
||||
"Solutions/Threat Intelligence Solution for Azure Government/Analytic Rules/URLEntity_PaloAlto.yaml",
|
||||
"Solutions/Threat Intelligence Solution for Azure Government/Analytic Rules/URLEntity_SecurityAlerts.yaml",
|
||||
"Solutions/Threat Intelligence Solution for Azure Government/Analytic Rules/URLEntity_Syslog.yaml",
|
||||
"Solutions/Threat Intelligence Solution for Azure Government/Analytic Rules/IPEntity_DuoSecurity.yaml"
|
||||
],
|
||||
"BasePath": "C:\\GitHub\\Azure-Sentinel",
|
||||
"Version": "3.1.0",
|
||||
"Version": "3.0.2",
|
||||
"Metadata": "SolutionMetadata.json",
|
||||
"TemplateSpec": true,
|
||||
"StaticDataConnectorIds": [
|
||||
|
|
Двоичные данные
Solutions/Threat Intelligence Solution for Azure Government/Package/3.0.2.zip
Normal file
Двоичные данные
Solutions/Threat Intelligence Solution for Azure Government/Package/3.0.2.zip
Normal file
Двоичный файл не отображается.
|
@ -63,6 +63,13 @@
|
|||
"text": "This Solution installs the data connector for Threat Intelligence Solution for Azure Government. You can get Threat Intelligence Solution for Azure Government custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "dataconnectors2-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "This Solution installs the data connector for Threat Intelligence Solution for Azure Government. You can get Threat Intelligence Solution for Azure Government custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "dataconnectors-link2",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
|
@ -722,4 +729,4 @@
|
|||
"workspace": "[basics('workspace')]"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
Разница между файлами не показана из-за своего большого размера
Загрузить разницу
|
@ -76,7 +76,7 @@
|
|||
],
|
||||
"Metadata": "SolutionMetadata.json",
|
||||
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Threat Intelligence\\",
|
||||
"Version": "3.1.0",
|
||||
"Version": "3.0.5",
|
||||
"TemplateSpec": true,
|
||||
"StaticDataConnectorIds": [
|
||||
"ThreatIntelligenceTaxii",
|
||||
|
|
Двоичный файл не отображается.
Двоичные данные
Solutions/Threat Intelligence/Package/3.1.0.zip
Двоичные данные
Solutions/Threat Intelligence/Package/3.1.0.zip
Двоичный файл не отображается.
Разница между файлами не показана из-за своего большого размера
Загрузить разницу
Загрузка…
Ссылка в новой задаче