Azure
/
Azure-Sentinel
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Merge pull request #10924 from mpmisha/patch-1 

Create CarbonBlackViaAWSS3_ConnectorDefinition.json
This commit is contained in:
v-prasadboke 2024-10-15 20:55:17 +05:30 коммит произвёл GitHub
Родитель d64b0b7cb3 7a68e18b29
Коммит 9513a94046
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: B5690EEEBB952194
11 изменённых файлов: 7019 добавлений и 45 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

2536
Solutions/VMware Carbon Black Cloud/Data Connectors/CarbonBlackViaAWSS3_ConnectorDefinition.json Normal file
Просмотреть файл

Различия файлов скрыты, потому что одна или несколько строк слишком длинны

1215
Solutions/VMware Carbon Black Cloud/Data Connectors/VMwareCarbonBlackCloud_ccp/CarbonBlack_DCR.json Normal file
Просмотреть файл

Различия файлов скрыты, потому что одна или несколько строк слишком длинны

284
Solutions/VMware Carbon Black Cloud/Data Connectors/VMwareCarbonBlackCloud_ccp/CarbonBlack_DataConnectorDefination.json Normal file
Просмотреть файл

@ -0,0 +1,284 @@
{
"name": "CarbonBlackTemplateConnectorDefinition",
"apiVersion": "2022-09-01-preview",
"type": "Microsoft.SecurityInsights/dataConnectorDefinitions",
"kind": "Customizable",
"properties": {
"connectorUiConfig": {
"id": "carbonBlackAWSS3",
"title": "VMware Carbon Black Cloud via AWS S3",
"publisher": "Microsoft",
"descriptionMarkdown": "The [VMware Carbon Black Cloud](https://www.vmware.com/products/carbon-black-cloud.html) via AWS S3 data connector provides the capability to ingest watchlist, alerts, auth and endpoints events via AWS S3 and stream them to ASIM normalized tables. The connector provides ability to get events which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more.",
"graphQueriesTableName": "CarbonBlack_Alerts_CL",
"graphQueries": [
{
"metricName": "CarbonBlack_Alerts_CL",
"legend": "Alerts",
"baseQuery": "CarbonBlack_Alerts_CL"
},
{
"metricName": "CarbonBlack_Watchlist_CL",
"legend": "Watchlist",
"baseQuery": "CarbonBlack_Watchlist_CL"
},
{
"metricName": "ASimNetworkSessionLogs",
"legend": "ASimNetworkSessionLogs",
"baseQuery": "ASimNetworkSessionLogs | where EventProduct == 'Carbon Black Cloud' and EventVendor == 'VMWare' "
},
{
"metricName": "ASimProcessEventLogs",
"legend": "ASimProcessEventLogs",
"baseQuery": "ASimProcessEventLogs | where EventProduct == 'Carbon Black Cloud' and EventVendor == 'VMWare' "
},
{
"metricName": "ASimFileEventLogs",
"legend": "ASimFileEventLogs",
"baseQuery": "ASimFileEventLogs | where EventProduct == 'Carbon Black Cloud' and EventVendor == 'VMWare' "
},
{
"metricName": "ASimRegistryEventLogs",
"legend": "ASimRegistryEventLogs",
"baseQuery": "ASimRegistryEventLogs | where EventProduct == 'Carbon Black Cloud' and EventVendor == 'VMWare' "
},
{
"metricName": "ASimAuthenticationEventLogs",
"legend": "Auth",
"baseQuery": "ASimAuthenticationEventLogs | where EventProduct == 'Carbon Black Cloud' and EventVendor == 'VMWare'"
}
],
"sampleQueries": [],
"dataTypes": [
{
"name": "CarbonBlack_Alerts_CL",
"lastDataReceivedQuery": "CarbonBlack_Alerts_CL\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
},
{
"name": "CarbonBlack_Watchlist_CL",
"lastDataReceivedQuery": "CarbonBlack_Watchlist_CL\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
},
{
"name": "ASimNetworkSessionLogs",
"lastDataReceivedQuery": "union ASimNetworkSessionLogs | where TimeGenerated > ago(12h) | where EventProduct == 'Carbon Black Cloud' and EventVendor == 'VMWare' | summarize Time = max(TimeGenerated)| where isnotempty(Time)"
},
{
"name": "ASimProcessEventLogs",
"lastDataReceivedQuery": "union ASimProcessEventLogs | where TimeGenerated > ago(12h) | where EventProduct == 'Carbon Black Cloud' and EventVendor == 'VMWare' | summarize Time = max(TimeGenerated)| where isnotempty(Time)"
},
{
"name": "ASimFileEventLogs",
"lastDataReceivedQuery": "union ASimFileEventLogs | where TimeGenerated > ago(12h) | where EventProduct == 'Carbon Black Cloud' and EventVendor == 'VMWare' | summarize Time = max(TimeGenerated)| where isnotempty(Time)"
},
{
"name": "ASimAuthenticationEventLogs",
"lastDataReceivedQuery": "ASimAuthenticationEventLogs\n | where EventProduct == 'Carbon Black Cloud' and EventVendor == 'VMWare' | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
},
{
"name": "ASimRegistryEventLogs",
"lastDataReceivedQuery": "ASimRegistryEventLogs\n | where EventProduct == 'Carbon Black Cloud' and EventVendor == 'VMWare' | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriteria": [
{
"type": "HasDataConnectors"
}
],
"availability": {
"isPreview": false
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "write permission.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"write": true,
"delete": true
}
}
],
"customs": [
{
"name": "Environment",
"description": "You must have the following AWS resources defined and configured: S3, Simple Queue Service (SQS), IAM roles and permissions policies"
},
{
"name": "Environment",
"description": "You must have the a Carbon black account and required permissions to create a Data Forwarded to AWS S3 buckets. \nFor more details visit [Carbon Black Data Forwarder Docs](https://docs.vmware.com/en/VMware-Carbon-Black-Cloud/services/carbon-black-cloud-user-guide/GUID-E8D33F72-BABB-4157-A908-D8BBDB5AF349.html)"
}
]
},
"instructionSteps": [
{
"instructions": [
{
"type": "Markdown",
"parameters": {
"content": "#### 1. AWS CloudFormation Deployment \n To configure access on AWS, two templates has been generated to set up the AWS environment to send logs from S3 bucket to your Log Analytics Workspace.\n #### For each template, create Stack in AWS: \n 1. Go to [AWS CloudFormation Stacks](https://aka.ms/awsCloudFormationLink#/stacks/create) \n 2. In AWS, choose the 'Upload a template file' option and click on 'Choose file'. Select the downloaded template \n 3. Click 'Next' and 'Create stack'"
}
},
{
"type": "CopyableLabel",
"parameters": {
"label": "Template 1: OpenID connect authentication deployment",
"isMultiLine": true,
"fillWith": [
"Oidc"
]
}
},
{
"type": "CopyableLabel",
"parameters": {
"label": "Template 2: AWS Carbon Black resources deployment",
"isMultiLine": true,
"fillWith": [
"CarbonBlack"
]
}
},
{
"type": "Markdown",
"parameters": {
"content": "When deploying 'Template 2: AWS Carbon Black resources deployment' template you'll need supply a few parameters \n * **Stack Name**: A stack name of your choosing (will appear in the list of stacks in AWS)\n * **Role Name**: Must begin with 'OIDC_' prefix, has a default value. \n * **Bucket Name**: Bucket name of your choosing, if you already have an existing bucket paste the name here \n * **CreateNewBucket**: If you already have an existing bucket that you would like to use for this connector select 'false' for this option, otherwise a bucket with the name you entered in 'Bucket Name' will be created from this stack. \n * **Region**: This is the region of the AWS resources based on Carbon Black's mapping - for more information please see [Carbon Black documentation](https://developer.carbonblack.com/reference/carbon-black-cloud/integrations/data-forwarder/quick-setup/#create-a-bucket).\n * **SQSQueuePrefix**: The stack create multiple queues, this prefix will be added to each one of them. \n * **WorkspaceID**: Use the Workspace ID provided below."
}
},
{
"type": "CopyableLabel",
"parameters": {
"fillWith": [
"WorkspaceId"
],
"label": "Workspace ID"
}
},
{
"type": "Markdown",
"parameters": {
"content": "Once the deployment is complete - head to the 'Outputs' tab, you will see: Role ARN, S3 bucket and 4 SQS resources created. You will need those resources in the next step when configuring Carbon Black's data forwarders and the data connector."
}
},
{
"type": "Markdown",
"parameters": {
"content": "#### 2. Carbon Black data forwarder configuration \n After all AWS resources has been created you'll need to configure Carbon Black to forward the events to the AWS buckets for Microsoft Sentinel to ingest them. Follow [Carbon Black's documentation on how to create a 'Data Forwarders'](https://developer.carbonblack.com/reference/carbon-black-cloud/integrations/data-forwarder/quick-setup/#2-create-a-forwarder) Use the first recommended option. When asked to input a bucket name use the bucket created in the previous step. \n You will be required to add 'S3 prefix' for each forwarder, please use this mapping:"
}
},
{
"type": "Markdown",
"parameters": {
"content": " | Event type | S3 prefix | \n |-----------------|-----------|\n | Alert | carbon-black-cloud-forwarder/Alerts |\n | Auth Events | carbon-black-cloud-forwarder/Auth |\n | Endpoint Events | carbon-black-cloud-forwarder/Endpoint |\n | Watchlist Hit | carbon-black-cloud-forwarder/Watchlist |"
}
},
{
"type": "Markdown",
"parameters": {
"content": "#### 2.1. Test your data forwarder (Optional) \n To validate the data forwarder is configured as expected, in Carbon Black's portal search for the data forwarder that you just created and click on 'Test Forwarder' button under the 'Actions' column, this will generate a 'HealthCheck' file in the S3 Bucket, you should see it appear immediately."
}
},
{
"type": "Markdown",
"parameters": {
"content": "#### 3. Connect new collectors \n To enable AWS S3 for Microsoft Sentinel, click the 'Add new collector' button, fill the required information, the ARN role and the SQS URL are created in step 1, note that you will need to enter the correct SQS URL and select the appropriate event type from the dropdown, for example if you want to ingest Alert events you will need to copy the Alerts SQS URL and select the 'Alerts' event type in the dropdown"
}
}
]
},
{
"instructions": [
{
"type": "DataConnectorsGrid",
"parameters": {
"mapping": [
{
"columnValue": "properties.roleArn",
"columnName": "Role ARN"
},
{
"columnValue": "properties.sqsUrls[0]",
"columnName": "Queue URL"
},
{
"columnValue": "properties.dcrConfig.streamName",
"columnName": "Stream name"
}
],
"menuItems": [
"DeleteConnector"
]
}
},
{
"type": "ContextPane",
"parameters": {
"contextPaneType": "DataConnectorsContextPane",
"title": "Add new controller",
"subtitle": "AWS S3 connector",
"label": "Add new collector",
"instructionSteps": [
{
"title": "Account details",
"instructions": [
{
"type": "Textbox",
"parameters": {
"label": "Role ARN",
"type": "text",
"name": "roleArn",
"validations": {
"required": true
}
}
},
{
"type": "Textbox",
"parameters": {
"label": "Queue URL",
"type": "text",
"name": "queueUrl",
"validations": {
"required": true
}
}
},
{
"type": "Dropdown",
"parameters": {
"label": "Data type",
"type": "text",
"name": "streamName",
"required": true,
"placeholder": "Select a data type",
"options": [
{
"key": "Custom-CarbonBlackAlertsStream",
"text": "Alerts"
},
{
"key": "Custom-CarbonBlackAuthStream",
"text": "Auth Events"
},
{
"key": "Custom-CarbonBlackEndpointStream",
"text": "Endpoint Events"
},
{
"key": "Custom-CarbonBlackWatchlistStream",
"text": "Watchlist"
}
]
}
}
]
}
]
}
}
]
}
]
}
}
}

29
Solutions/VMware Carbon Black Cloud/Data Connectors/VMwareCarbonBlackCloud_ccp/CarbonBlack_PollingConfig.json Normal file
Просмотреть файл

@ -0,0 +1,29 @@
{
"name": "carbonBlackViaAWSS3",
"apiVersion": "2022-10-01-preview",
"type": "Microsoft.SecurityInsights/dataConnectors",
"kind": "AmazonWebServicesS3",
"properties": {
"connectorDefinitionName": "carbonBlackAWSS3",
"dataType": {
"logs": {
"state": "enabled"
}
},
"dcrConfig": {
"streamName": "Custom-CarbonBlackAlertsStream",
"dataCollectionEndpoint": "{{dataCollectionEndpoint}}",
"dataCollectionRuleImmutableId": "{{dataCollectionRuleImmutableId}}"
},
"roleArn": "{{roleArn}}",
"sqsUrls": [
"{{queueUrl}}"
],
"destinationTable": "CarbonBlackAlertsStream_CL",
"dataFormat": {
"Format": "JsonLine",
"IsCompressed": true,
"compressType": "Gzip"
}
}
}

282
Solutions/VMware Carbon Black Cloud/Data Connectors/VMwareCarbonBlackCloud_ccp/table_alerts.json Normal file
Просмотреть файл

@ -0,0 +1,282 @@
{
"name": "CarbonBlack_Alerts_CL",
"type": "Microsoft.OperationalInsights/workspaces/tables",
"apiVersion": "2021-03-01-privatepreview",
"location": "{{location}}",
"tags": {},
"properties": {
"schema": {
"name": "CarbonBlack_Alerts_CL",
"columns": [
{
"name": "TimeGenerated",
"type": "datetime"
},
{
"name": "Version",
"type": "string"
},
{
"name": "AlertUrl",
"type": "string"
},
{
"name": "Id",
"type": "string"
},
{
"name": "AlertType",
"type": "string"
},
{
"name": "IsUpdated",
"type": "string"
},
{
"name": "DetectionTimestamp",
"type": "string"
},
{
"name": "BackendTimestamp",
"type": "string"
},
{
"name": "BackendUpdateTimestamp",
"type": "string"
},
{
"name": "FirstEventTimestamp",
"type": "string"
},
{
"name": "LastEventTimestamp",
"type": "string"
},
{
"name": "Severity",
"type": "string"
},
{
"name": "Reason",
"type": "string"
},
{
"name": "ThreatId",
"type": "string"
},
{
"name": "PrimaryEventId",
"type": "string"
},
{
"name": "Workflow",
"type": "string"
},
{
"name": "Determination",
"type": "string"
},
{
"name": "AlertNotesPresent",
"type": "string"
},
{
"name": "PolicyApplied",
"type": "string"
},
{
"name": "RunState",
"type": "string"
},
{
"name": "ReasonCode",
"type": "string"
},
{
"name": "SensorAction",
"type": "string"
},
{
"name": "DeviceTargetValue",
"type": "string"
},
{
"name": "DevicePolicyId",
"type": "string"
},
{
"name": "DevicePolicy",
"type": "string"
},
{
"name": "DeviceId",
"type": "string"
},
{
"name": "DeviceName",
"type": "string"
},
{
"name": "DeviceOs",
"type": "string"
},
{
"name": "DeviceOsVersion",
"type": "string"
},
{
"name": "DeviceUsername",
"type": "string"
},
{
"name": "DeviceLocation",
"type": "string"
},
{
"name": "DeviceExternalIp",
"type": "string"
},
{
"name": "DeviceInternalIp",
"type": "string"
},
{
"name": "ReportId",
"type": "string"
},
{
"name": "ReportName",
"type": "string"
},
{
"name": "ReportDescription",
"type": "string"
},
{
"name": "ReportTags",
"type": "string"
},
{
"name": "ReportLink",
"type": "string"
},
{
"name": "IocId",
"type": "string"
},
{
"name": "IocHit",
"type": "string"
},
{
"name": "Watchlists",
"type": "string"
},
{
"name": "ProcessGuid",
"type": "string"
},
{
"name": "ProcessPid",
"type": "string"
},
{
"name": "ProcessName",
"type": "string"
},
{
"name": "ProcessSha256",
"type": "string"
},
{
"name": "ProcessMd5",
"type": "string"
},
{
"name": "ProcessReputation",
"type": "string"
},
{
"name": "ProcessEffectiveReputation",
"type": "string"
},
{
"name": "ProcessCmdline",
"type": "string"
},
{
"name": "ProcessUsername",
"type": "string"
},
{
"name": "ProcessIssuer",
"type": "string"
},
{
"name": "ProcessPublisher",
"type": "string"
},
{
"name": "ParentGuid",
"type": "string"
},
{
"name": "ParentPid",
"type": "string"
},
{
"name": "ParentName",
"type": "string"
},
{
"name": "ParentSha256",
"type": "string"
},
{
"name": "ParentMd5",
"type": "string"
},
{
"name": "ParentReputation",
"type": "string"
},
{
"name": "ParentEffectiveReputation",
"type": "string"
},
{
"name": "ParentCmdline",
"type": "string"
},
{
"name": "ParentUsername",
"type": "string"
},
{
"name": "MdrAlertNotesPresent",
"type": "string"
},
{
"name": "MdrAlert",
"type": "string"
},
{
"name": "MlClassificationFinalVerdict",
"type": "string"
},
{
"name": "MlClassificationGlobalPrevalence",
"type": "string"
},
{
"name": "MlClassificationOrgPrevalence",
"type": "string"
},
{
"name": "ml_classification_org_prevalence",
"type": "string"
}
]
}
}
}

146
Solutions/VMware Carbon Black Cloud/Data Connectors/VMwareCarbonBlackCloud_ccp/table_watclist.json Normal file
Просмотреть файл

@ -0,0 +1,146 @@
{
"name": "CarbonBlack_Watchlist_CL",
"type": "Microsoft.OperationalInsights/workspaces/tables",
"apiVersion": "2021-03-01-privatepreview",
"location": "{{location}}",
"tags": {},
"properties": {
"schema": {
"name": "CarbonBlack_Watchlist_CL",
"columns": [
{
"name": "TimeGenerated",
"type": "datetime"
},
{
"name": "DeviceExternalIp",
"type": "string"
},
{
"name": "DeviceId",
"type": "string"
},
{
"name": "DeviceInternalIp",
"type": "string"
},
{
"name": "DeviceName",
"type": "string"
},
{
"name": "IocHit",
"type": "string"
},
{
"name": "IocId",
"type": "string"
},
{
"name": "OrgKey",
"type": "string"
},
{
"name": "ParentCmdline",
"type": "string"
},
{
"name": "ParentPath",
"type": "string"
},
{
"name": "ParentPid",
"type": "string"
},
{
"name": "ProcessCmdline",
"type": "string"
},
{
"name": "ProcessPath",
"type": "string"
},
{
"name": "ProcessPid",
"type": "string"
},
{
"name": "ParentUsername",
"type": "string"
},
{
"name": "ProcessUsername",
"type": "string"
},
{
"name": "ReportId",
"type": "string"
},
{
"name": "ReportName",
"type": "string"
},
{
"name": "Severity",
"type": "string"
},
{
"name": "ReportTags",
"type": "string"
},
{
"name": "Schema",
"type": "string"
},
{
"name": "CreateTime",
"type": "string"
},
{
"name": "DeviceOs",
"type": "string"
},
{
"name": "ParentGuid",
"type": "string"
},
{
"name": "ParentHash",
"type": "string"
},
{
"name": "ParentPublisher",
"type": "string"
},
{
"name": "ParentReputation",
"type": "string"
},
{
"name": "ProcessGuid",
"type": "string"
},
{
"name": "ProcessHash",
"type": "string"
},
{
"name": "ProcessPublisher",
"type": "string"
},
{
"name": "ProcessReputation",
"type": "string"
},
{
"name": "WatchlistsType",
"type": "string"
},
{
"name": "Watchlists",
"type": "string"
}
]
}
}
}

1
Solutions/VMware Carbon Black Cloud/Data/Solution_VMware Carbon Black Cloud.json
Просмотреть файл

@ -4,6 +4,7 @@
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">",
"Description": "The [VMware Carbon Black Cloud](https://www.vmware.com/products/carbon-black-cloud.html) solution for Microsoft Sentinel allows ingesting Carbon Black [Audit](https://developer.carbonblack.com/reference/carbon-black-cloud/cb-defense/latest/rest-api/#audit-log-events), [Notification](https://developer.carbonblack.com/reference/carbon-black-cloud/cb-defense/latest/rest-api/#notifications) and [Event](https://developer.carbonblack.com/reference/carbon-black-cloud/platform/deprecated/data-forwarder-config-api/) logs into Microsoft Sentinel.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\n\nb. [Azure Functions](https://azure.microsoft.com/services/functions/#overview)",
"Data Connectors": [
"Data Connectors/VMwareCarbonBlackCloud_ccp/CarbonBlack_DataConnectorDefination.json",
"Data Connectors/VMwareCarbonBlack_API_FunctionApp.json"
],
"Analytic Rules": [

Двоичные данные
Solutions/VMware Carbon Black Cloud/Package/3.0.2.zip Normal file
Просмотреть файл

Двоичный файл не отображается.

19
Solutions/VMware Carbon Black Cloud/Package/createUiDefinition.json
Просмотреть файл

@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/VMware%20Carbon%20Black%20Cloud/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [VMware Carbon Black Cloud](https://www.vmware.com/products/carbon-black-cloud.html) solution for Microsoft Sentinel allows ingesting Carbon Black [Audit](https://developer.carbonblack.com/reference/carbon-black-cloud/cb-defense/latest/rest-api/#audit-log-events), [Notification](https://developer.carbonblack.com/reference/carbon-black-cloud/cb-defense/latest/rest-api/#notifications) and [Event](https://developer.carbonblack.com/reference/carbon-black-cloud/platform/deprecated/data-forwarder-config-api/) logs into Microsoft Sentinel.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\n\nb. [Azure Functions](https://azure.microsoft.com/services/functions/#overview)\n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 2, **Custom Azure Logic Apps Connectors:** 1, **Playbooks:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/VMware%20Carbon%20Black%20Cloud/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [VMware Carbon Black Cloud](https://www.vmware.com/products/carbon-black-cloud.html) solution for Microsoft Sentinel allows ingesting Carbon Black [Audit](https://developer.carbonblack.com/reference/carbon-black-cloud/cb-defense/latest/rest-api/#audit-log-events), [Notification](https://developer.carbonblack.com/reference/carbon-black-cloud/cb-defense/latest/rest-api/#notifications) and [Event](https://developer.carbonblack.com/reference/carbon-black-cloud/platform/deprecated/data-forwarder-config-api/) logs into Microsoft Sentinel.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\n\nb. [Azure Functions](https://azure.microsoft.com/services/functions/#overview)\n\n**Data Connectors:** 2, **Workbooks:** 1, **Analytic Rules:** 2, **Custom Azure Logic Apps Connectors:** 1, **Playbooks:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
@ -59,6 +59,23 @@
{
"name": "dataconnectors1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Solution installs the data connector for VMware Carbon Black Cloud. You can get VMware Carbon Black Cloud data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
}
},
{
"name": "dataconnectors-link2",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more about connecting data sources",
"uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
}
}
},
{
"name": "dataconnectors2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Solution installs the data connector for VMware Carbon Black Cloud. You can get VMware Carbon Black Cloud custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
}

2538
Solutions/VMware Carbon Black Cloud/Package/mainTemplate.json
Просмотреть файл

Различия файлов скрыты, потому что одна или несколько строк слишком длинны

14
Solutions/VMware Carbon Black Cloud/Package/testParameters.json
Просмотреть файл

@ -21,6 +21,20 @@
"description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
}
},
"resourceGroupName": {
"type": "string",
"defaultValue": "[resourceGroup().name]",
"metadata": {
"description": "resource group name where Microsoft Sentinel is setup"
}
},
"subscription": {
"type": "string",
"defaultValue": "[last(split(subscription().id, '/'))]",
"metadata": {
"description": "subscription id where Microsoft Sentinel is setup"
}
},
"workbook1-name": {
"type": "string",
"defaultValue": "VMware Carbon Black Cloud",