From 9c6e3cffbc659023a2456125d83f0161451ac9a1 Mon Sep 17 00:00:00 2001 From: rohit2230 <121071301+rohit2230@users.noreply.github.com> Date: Mon, 23 Jan 2023 02:58:14 +0530 Subject: [PATCH] Doc review Reviewed for language and style --- .../IncidentConsumer/readme.md | 26 +++++++++---------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/Solutions/CohesitySecurity/Data Connectors/Helios2Sentinel/IncidentConsumer/readme.md b/Solutions/CohesitySecurity/Data Connectors/Helios2Sentinel/IncidentConsumer/readme.md index 53e1515868..06859f62b5 100644 --- a/Solutions/CohesitySecurity/Data Connectors/Helios2Sentinel/IncidentConsumer/readme.md +++ b/Solutions/CohesitySecurity/Data Connectors/Helios2Sentinel/IncidentConsumer/readme.md @@ -1,30 +1,30 @@ # IncidentConsumer Azure Function -This function picks alerts from the queue and creates the corresponding records in the Sentinel Incident table. +This function picks alerts from the queue and creates the corresponding records in the Microsoft Sentinel Incident table. ## Publish the Azure Function -Run [this](https://github.com/cohesity/Azure-Sentinel/tree/CohesitySecurity.internal/Solutions/CohesitySecurity/Data%20Connectors/Helios2Sentinel/azuredeploy.json.sh) script to create configuration and deploy the function apps to Azure. +Run [this](https://github.com/cohesity/Azure-Sentinel/tree/CohesitySecurity.internal/Solutions/CohesitySecurity/Data%20Connectors/Helios2Sentinel/azuredeploy.json.sh) script to create configuration and deploy the function applications to Azure. -**Note:** You don't need to do it if you've already run the script for deploying another Cohesity function app. +**Note:** You can ignore the **Publish the Azure Function** section if you've already run the script for deploying another Cohesity function app. ## Testing -Check that the function successfully runs at _``Your function name that starts from cohesitycon`` | Functions | Monitor_. Each successfull run should have the corresponding log-message. If not, please see the Troubleshooting section for tips. +Check that the function successfully runs at _``Your function name that starts from cohesitycon`` | Functions | Monitor_. Each successfull run should have the same log-message. If not, then see the Troubleshooting section for tips. ## Troubleshooting -1. If the function fails because your DataHawk (Helios) API key expired, get your new key by following these steps -* Go to the Cohesity DataHawk (Helios) [login page](https://helios.cohesity.com/login). +1. If the function fails due to expiry of API key on your Cohesity Data Cloud API, then you must create another API key. Follow the steps below. +* Go to the Cohesity Data Cloud [login page](https://helios.cohesity.com/login). * Enter your credentials and select _Log In_. The _Summary_ page is displayed. * Navigate to _Settings > Access Management_. The _Users_ tab is displayed. * Select _Add API Key_. The API Key Details is displayed. * Enter a name for the API key. * Select _Save_. The API Key Token is displayed. -2. If you're not seeing new incidents in your workspace, make sure that you created your Sentinel [workspace](https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel) and also specified it correctly in the _Workspace_ environment variable. +2. If you're not seeing new incidents in your workspace, then ensure that you created your Sentinel [workspace](https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel) and specified it correctly in the _Workspace_ environment variable. * __Attention__: It should be the same workspace as created for [IncidentProducer](https://github.com/cohesity/Azure-Sentinel/edit/CohesitySecurity.internal/Solutions/CohesitySecurity/Data%20Connectors/Helios2Sentinel/IncidentProducer/readme.md). -3. If this function receives incidents but they don't get into the Sentinel Incidents table, make sure that you have a valid queue in [Azure Storage Accounts](https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Storage%2FStorageAccounts) ([steps to create a queue](https://learn.microsoft.com/azure/storage/queues/storage-quickstart-queues-portal)) and the path is correctly specified in the _AzureWebJobsStorage_ environment variable. +3. If this function receives incidents but they are not listed in the Microsoft Sentinel Incidents table, then ensure that you have a valid queue in [Azure Storage Accounts](https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Storage%2FStorageAccounts) ([steps to create a queue](https://learn.microsoft.com/azure/storage/queues/storage-quickstart-queues-portal)) and the path is correctly specified in the _AzureWebJobsStorage_ environment variable. * __Attention__: It should be the same queue as created for [IncidentProducer](https://github.com/cohesity/Azure-Sentinel/edit/CohesitySecurity.internal/Solutions/CohesitySecurity/Data%20Connectors/Helios2Sentinel/IncidentProducer/readme.md). -4. Check that all environment variables are set correctly by comparing their names with the ones in [local.settings.json](https://github.com/cohesity/Azure-Sentinel/blob/CohesitySecurity.internal/Solutions/CohesitySecurity/Data%20Connectors/Helios2Sentinel/IncidentConsumer/local.settings.json). -5. If you changed any of the environment variables, we highly recommend restarting the function after that. +4. Ensure that all environment variables are set correctly. To validate, you can compare their names with the ones in [local.settings.json](https://github.com/cohesity/Azure-Sentinel/blob/CohesitySecurity.internal/Solutions/CohesitySecurity/Data%20Connectors/Helios2Sentinel/IncidentConsumer/local.settings.json). +5. If you changed any of the environment variables, Cohesity highly recommends you to restart the function. Follow the steps below. * Go to the _Overview_ blade of the IncidentProducer function. -* Press _Restart_. +* Select _Restart_. * Confirm the restart. -6. If your function app fails to authenticate to create records in the Sentinel Incidents table, then [re-register](https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/RegisteredApps) a client application in Azure Active Directory with the Contributor privileges ([steps](https://learn.microsoft.com/azure/healthcare-apis/register-application)). -* Save _Application (client) ID_, _Directory (tenant) ID_ and _Secret Value_ in your [KeyVault](https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults) with the secret names _ClientId_, _ClientKey_, _TenantId_. +6. If your function application fails to authenticate for creating records in the Microsoft Sentinel Incidents table, then [re-register](https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/RegisteredApps) the client application in Mcirosoft Azure Active Directory with the Contributor privileges. For more information, see these [steps](https://learn.microsoft.com/azure/healthcare-apis/register-application). +* Save _Application (client) ID_, _Directory (tenant) ID_, and _Secret Value_ in your [KeyVault](https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults) with the secret names _ClientId_, _ClientKey_, and _TenantId_.