Merge pull request #3473 from Azure/v-ntripathi/ALCAsSolution

moved to Solution deleted from data connector

Solutions/ALC-WebCTRL/Data/Solution_ALC-WebCTRL.json

@@ -0,0 +1,12 @@
+{
+  "Name": "ALC-WebCTRL",
+  "Author": "Nikhil Tripathi - v-ntripathi@microsoft.com",
+  "Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/Images/Logos/Azure_Sentinel.svg\"width=\"75px\"height=\"75px\">",
+  "Description": "You can stream the audit logs from the WebCTRL SQL server hosted on Windows machines connected to your Azure Sentinel. This connection enables you to view dashboards, create custom alerts and improve investigation. This gives insights into your Industrial Control Systems that are monitored or controlled by the WebCTRL BAS application.",
+  "Data Connectors": [
+    "Data Connectors/Connector_WindowsEvents_WebCTRL.json"
+  ],
+  "Metadata": "SolutionMetadata.json",
+  "BasePath": "C:\\GitHub\\azure\\Solutions\\ALC-WebCTRL",
+  "Version": "1.0.0"
+}

Solutions/ALC-WebCTRL/Package/createUiDefinition.json

@@ -0,0 +1,95 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
+  "handler": "Microsoft.Azure.CreateUIDef",
+  "version": "0.1.2-preview",
+  "parameters": {
+    "config": {
+      "isWizard": false,
+      "basics": {
+        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/Images/Logos/Azure_Sentinel.svg\"width=\"75px\"height=\"75px\">\n\n**Important:** _This Azure Sentinel Solution is currently in public preview. This feature is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)._\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nYou can stream the audit logs from the WebCTRL SQL server hosted on Windows machines connected to your Azure Sentinel. This connection enables you to view dashboards, create custom alerts and improve investigation. This gives insights into your Industrial Control Systems that are monitored or controlled by the WebCTRL BAS application.\n\nAzure Sentinel Solutions provide a consolidated way to acquire Azure Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.\n\n**Data Connectors:** 1\n\n[Learn more about Azure Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+        "subscription": {
+          "resourceProviders": [
+            "Microsoft.OperationsManagement/solutions",
+            "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+            "Microsoft.Insights/workbooks",
+            "Microsoft.Logic/workflows"
+          ]
+        },
+        "location": {
+          "metadata": {
+            "hidden": "Hiding location, we get it from the log analytics workspace"
+          },
+          "visible": false
+        },
+        "resourceGroup": {
+          "allowExisting": true
+        }
+      }
+    },
+    "basics": [
+      {
+        "name": "getLAWorkspace",
+        "type": "Microsoft.Solutions.ArmApiControl",
+        "toolTip": "This filters by workspaces that exist in the Resource Group selected",
+        "condition": "[greater(length(resourceGroup().name),0)]",
+        "request": {
+          "method": "GET",
+          "path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
+        }
+      },
+      {
+        "name": "workspace",
+        "type": "Microsoft.Common.DropDown",
+        "label": "Workspace",
+        "placeholder": "Select a workspace",
+        "toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
+        "constraints": {
+          "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(filter.id, toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
+          "required": true
+        },
+        "visible": true
+      }
+    ],
+    "steps": [
+      {
+        "name": "dataconnectors",
+        "label": "Data Connectors",
+        "bladeTitle": "Data Connectors",
+        "elements": [
+          {
+            "name": "dataconnectors1-text",
+            "type": "Microsoft.Common.TextBlock",
+            "options": {
+              "text": "This Solution installs the data connector for ALC-WebCTRL. You can get ALC-WebCTRL custom log data in your Azure Sentinel workspace. Configure and enable this data connector in the Data Connector gallery after this Solution deploys. This data connector creates custom log table(s) Events in your Azure Sentinel / Azure Log Analytics workspace."
+            }
+          },
+          {
+            "name": "dataconnectors-link1",
+            "type": "Microsoft.Common.TextBlock",
+            "options": {
+              "link": {
+                "label": "Learn more about normalized format",
+                "uri": "https://docs.microsoft.com/azure/sentinel/normalization-schema"
+              }
+            }
+          },
+          {
+            "name": "dataconnectors-link2",
+            "type": "Microsoft.Common.TextBlock",
+            "options": {
+              "link": {
+                "label": "Learn more about connecting data sources",
+                "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
+              }
+            }
+          }
+        ]
+      }
+    ],
+    "outputs": {
+      "workspace-location": "[resourceGroup().location]",
+      "location": "[location()]",
+      "workspace": "[basics('workspace')]"
+    }
+  }
+}

Solutions/ALC-WebCTRL/Package/mainTemplate.json

@@ -0,0 +1,200 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "metadata": {
+    "author": "Nikhil Tripathi - v-ntripathi@microsoft.com",
+    "comments": "Solution template for ALC-WebCTRL"
+  },
+  "parameters": {
+    "location": {
+      "type": "string",
+      "minLength": 1,
+      "defaultValue": "[resourceGroup().location]",
+      "metadata": {
+        "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`.  We instead use the `workspace-location` which is derived from the LA workspace"
+      }
+    },
+    "workspace-location": {
+      "type": "string",
+      "minLength": 1,
+      "defaultValue": "[parameters('location')]",
+      "metadata": {
+        "description": "Region to deploy solution resources"
+      }
+    },
+    "workspace": {
+      "defaultValue": "",
+      "type": "string",
+      "metadata": {
+        "description": "Workspace name for Log Analytics where Sentinel is setup"
+      }
+    },
+    "connector1-name": {
+      "type": "string",
+      "defaultValue": "90b440bd-10b1-4362-b446-a7b584a0e0ff"
+    }
+  },
+  "variables": {
+    "connector1-source": "[concat('/subscriptions/',subscription().subscriptionId,'/resourceGroups/',resourceGroup().name,'/providers/Microsoft.OperationalInsights/workspaces/',parameters('workspace'),'/providers/Microsoft.SecurityInsights/dataConnectors/',parameters('connector1-name'))]",
+    "_connector1-source": "[variables('connector1-source')]",
+    "AutomatedLogicWebCTRLConnector": "AutomatedLogicWebCTRLConnector",
+    "_AutomatedLogicWebCTRLConnector": "[variables('AutomatedLogicWebCTRLConnector')]",
+    "sourceId": "azuresentinel.azure-sentinel-solution-automated-logic-webctrl",
+    "_sourceId": "[variables('sourceId')]"
+  },
+  "resources": [
+    {
+      "id": "[variables('_connector1-source')]",
+      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('connector1-name'))]",
+      "apiVersion": "2021-03-01-preview",
+      "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+      "location": "[parameters('workspace-location')]",
+      "kind": "GenericUI",
+      "properties": {
+        "connectorUiConfig": {
+          "title": "Automated Logic WebCTRL ",
+          "publisher": "AutomatedLogic",
+          "descriptionMarkdown": "You can stream the audit logs from the WebCTRL SQL server hosted on Windows machines connected to your Azure Sentinel. This connection enables you to view dashboards, create custom alerts and improve investigation. This gives insights into your Industrial Control Systems that are monitored or controlled by the WebCTRL BAS application.",
+          "graphQueries": [
+            {
+              "metricName": "Total data received",
+              "legend": "Events",
+              "baseQuery": "Event\n| where Source == \"ALCWebCTRL\""
+            }
+          ],
+          "sampleQueries": [
+            {
+              "description": "Total warnings and errors raised by the application",
+              "query": "Event\n| where Source == \"ALCWebCTRL\"\n| where EventLevel in (1,2,3)"
+            }
+          ],
+          "dataTypes": [
+            {
+              "name": "Events",
+              "lastDataReceivedQuery": "Event\n| where Source == \"ALCWebCTRL\"\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)"
+            }
+          ],
+          "connectivityCriterias": [
+            {
+              "type": "IsConnectedQuery",
+              "value": [
+                "Event\n| where Source == \"ALCWebCTRL\"\n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(30d)"
+              ]
+            }
+          ],
+          "availability": {
+            "status": 1,
+            "isPreview": true
+          },
+          "permissions": {
+            "resourceProvider": [
+              {
+                "provider": "Microsoft.OperationalInsights/workspaces",
+                "permissionsDisplayText": "read and write permissions are required.",
+                "providerDisplayName": "Workspace",
+                "scope": "Workspace",
+                "requiredPermissions": {
+                  "read": true,
+                  "write": true,
+                  "delete": true
+                }
+              },
+              {
+                "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+                "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
+                "providerDisplayName": "Keys",
+                "scope": "Workspace",
+                "requiredPermissions": {
+                  "action": true
+                }
+              }
+            ]
+          },
+          "instructionSteps": [
+            {
+              "description": "Learn about [agent setup](https://docs.microsoft.com/services-hub/health/mma-setup) and [windows events onboarding](https://docs.microsoft.com/azure/azure-monitor/agents/data-sources-windows-events). \n\n You can skip this step if you have already installed the Microsoft agent for Windows",
+              "title": "1. Install and onboard the Microsoft agent for Windows."
+            },
+            {
+              "description": "Install and configure the Windows Scheduled Task to read the audit logs in SQL and write them as Windows Events. These Windows Events will be collected by the agent and forward to Azure Sentinel.\n\n> Notice that the data from all machines will be stored in the selected workspace",
+              "innerSteps": [
+                {
+                  "description": "2.1 Copy the [setup files](https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/ALC-WebCTRL/TaskSetup) to a location on the server."
+                },
+                {
+                  "description": "2.2 Update the [ALC-WebCTRL-AuditPull.ps1](https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/ALC-WebCTRL/TaskSetup/ALC-WebCTRL-AuditPull.ps1) (copied in above step) script parameters like the target database name and windows event id's. Refer comments in the script for more details."
+                },
+                {
+                  "description": "2.3 Update the windows task settings in the [ALC-WebCTRL-AuditPullTaskConfig.xml](https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/ALC-WebCTRL/TaskSetup/ALC-WebCTRL-AuditPullTaskConfig.xml) file that was copied in above step as per requirement. Refer comments in the file for more details."
+                },
+                {
+                  "description": "2.4 Install windows tasks using the updated configs copied in the above steps",
+                  "instructions": [
+                    {
+                      "parameters": {
+                        "label": "Run the following command in powershell from the directory where the setup files are copied in step 2.1",
+                        "value": "schtasks.exe /create /XML \"ALC-WebCTRL-AuditPullTaskConfig.xml\" /tn \"ALC-WebCTRL-AuditPull\""
+                      },
+                      "type": "CopyableLabel"
+                    }
+                  ]
+                }
+              ],
+              "title": "2. Configure Windows task to read the audit data and write it to windows events"
+            },
+            {
+              "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the Event schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, validate below steps for any run time issues:\n\n> 1. Make sure that the scheduled task is created and is in running state in the Windows Task Scheduler.\n\n>2. Check for task execution errors in the history tab in Windows Task Scheduler for the newly created task in step 2.4\n\n>3. Make sure that the SQL Audit table consists new records while the scheduled windows task runs.",
+              "title": "3. Validate connection"
+            }
+          ]
+        }
+      }
+    },
+    {
+      "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+      "apiVersion": "2021-03-01-preview",
+      "properties": {
+        "version": "1.0.0",
+        "kind": "Solution",
+        "contentId": "[variables('_sourceId')]",
+        "parentId": "[variables('_sourceId')]",
+        "source": {
+          "kind": "Solution",
+          "name": "ALC-WebCTRL",
+          "sourceId": "[variables('_sourceId')]"
+        },
+        "author": {
+          "name": "Nikhil Tripathi",
+          "email": "v-ntripathi@microsoft.com"
+        },
+        "support": {
+          "name": "Microsoft Corporation",
+          "email": "support@microsoft.com",
+          "tier": "Microsoft",
+          "link": "https://support.microsoft.com"
+        },
+        "dependencies": {
+          "operator": "AND",
+          "criteria": [
+            {
+              "kind": "DataConnector",
+              "contentId": "[variables('_AutomatedLogicWebCTRLConnector')]",
+              "version": "1.0.0"
+            }
+          ]
+        },
+        "firstPublishDate": "2021-11-18",
+        "providers": [
+          "Microsoft"
+        ],
+        "categories": {
+          "domains": [
+            "domains_domains"
+          ]
+        }
+      },
+      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_sourceId'))]"
+    }
+  ],
+  "outputs": {}
+}

Solutions/ALC-WebCTRL/SolutionMetadata.json

@@ -0,0 +1,15 @@
+{
+	"publisherId": "azuresentinel",
+	"offerId": "azure-sentinel-solution-automated-logic-webctrl",
+	"firstPublishDate": "2021-11-18",
+	"providers": ["Microsoft"],
+	"categories": {
+		"domains" : ["domains_domains"]
+	},
+	"support": {
+	  "name": "Microsoft Corporation",
+	  "email": "support@microsoft.com",
+	  "tier": "Microsoft",
+	  "link": "https://support.microsoft.com"
+	}
+}