Repackaged solutions for issue in maintemplate for parser while redeployment
This commit is contained in:
Родитель
9270227346
Коммит
a31e95caea
Двоичный файл не отображается.
|
@ -57,7 +57,7 @@
|
|||
"bladeTitle": "Data Connectors",
|
||||
"elements": [
|
||||
{
|
||||
"name": "dataconnectors1-text",
|
||||
"name": "dataconnectors-text1",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "This Solution installs the data connector for GitHub. You can get GitHub custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
|
||||
|
|
Различия файлов скрыты, потому что одна или несколько строк слишком длинны
|
@ -1,5 +1,6 @@
|
|||
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|
||||
|-------------|--------------------------------|--------------------------------------------------------------------------|
|
||||
| 3.0.5 | 18-04-2024 | Repackaged to fix parser issue |
|
||||
| 3.0.4 | 04-04-2024 | Updated Entity Mappings |
|
||||
| 3.0.3 | 31-01-2024 | Updated the solution to fix Analytic Rules deployment issue |
|
||||
| 3.0.2 | 06-11-2023 | Updated the **Workbook** name to resolve the issue of multiple keywords |
|
||||
|
|
|
@ -45,7 +45,7 @@
|
|||
],
|
||||
"Metadata": "SolutionMetadata.json",
|
||||
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\GitHub",
|
||||
"Version": "3.0.4",
|
||||
"Version": "3.0.5",
|
||||
"TemplateSpec": true,
|
||||
"Is1PConnector": false
|
||||
}
|
|
@ -28,7 +28,7 @@
|
|||
"Watchlists/ExchangeVIP.json"
|
||||
],
|
||||
"BasePath": "C:\\Git Repositories\\Azure-Sentinel\\Solutions\\Microsoft Exchange Security - Exchange On-Premises\\",
|
||||
"Version": "3.1.3",
|
||||
"Version": "3.1.4",
|
||||
"Metadata": "SolutionMetadata.json",
|
||||
"TemplateSpec": true,
|
||||
"Is1Pconnector": false
|
||||
|
|
Двоичные данные
Solutions/Microsoft Exchange Security - Exchange On-Premises/Package/3.1.4.zip
Normal file
Двоичные данные
Solutions/Microsoft Exchange Security - Exchange On-Premises/Package/3.1.4.zip
Normal file
Двоичный файл не отображается.
|
@ -57,60 +57,18 @@
|
|||
"bladeTitle": "Data Connectors",
|
||||
"elements": [
|
||||
{
|
||||
"name": "dataconnectors1-text",
|
||||
"name": "dataconnectors-text1",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "This solution installs two (2) data connectors for ingesting Microsoft Exchange on-premises events to provide security insights. Each of these data connectors help ingest a different set of logs/events."
|
||||
"text": "This Solution installs the data connector for Microsoft Exchange Security - Exchange On-Premises. You can get Microsoft Exchange Security - Exchange On-Premises custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "dataconnectors2-text",
|
||||
"type": "Microsoft.Common.Section",
|
||||
"label": "1. Exchange Security Insights On-Premises Collector",
|
||||
"elements": [
|
||||
{
|
||||
"name": "dataconnectors3-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "This data connector collects security configuration, RBAC information and audit information from your on-premises Exchange environment(s). It uses a scheduled script that needs to be manually deployed in your environment. This connects directly (via proxy if needed) to Log Analytics/Microsoft Sentinel to ingest data."
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"name": "dataconnectors4-text",
|
||||
"type": "Microsoft.Common.Section",
|
||||
"label": "2. Exchange Audit Event logs via Legacy Agent",
|
||||
"elements": [
|
||||
{
|
||||
"name": "dataconnectors5-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "This data connector uses Log Analytics Agent or Azure Monitor Agent to collect MSExchange Management Eventlogs, Exchange Security logs, Domain Controllers Security logs, IIS Logs, Exchange logs. Not all logs are required but it depends on your needs and on what you want to collect and secure for hunting in case of compromise. The first important logs consumed by this solution are “MSExchange Management” Event logs."
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"name": "dataconnectors6-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "After installing the solution, configure and enable the data connector that’s most relevant to your Exchange environment by following guidance in Manage solution view."
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "dataconnectors-parser",
|
||||
"type": "Microsoft.Common.Section",
|
||||
"label": "Parsers",
|
||||
"elements": [
|
||||
{
|
||||
"name": "dataconnectors-parser-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "The solution installs four (4) parsers that transform ingested data. The transformed logs can be accessed using the ExchangeConfiguration, ExchangeAdminAuditLogs, MESCheckVIP and ExchangeEnvironmentList Kusto Function aliases."
|
||||
"text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel."
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"name": "dataconnectors-link2",
|
||||
|
@ -307,7 +265,7 @@
|
|||
"name": "watchlist2-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "ExchangeVIP Watchlist contains a list of VIP users that are allowed to perform privileged operations on Exchange Servers. This watchlist is used by the ServerOrientedWithUserOrientedAdministration rule to detect suspicious activity by VIP users."
|
||||
"text": "Specific VIP Monitored in Exchange."
|
||||
}
|
||||
}
|
||||
]
|
||||
|
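Review bot: The regenerated Package createUiDefinition.json loses the hand-written connector and parser descriptions: if, as the version bumps elsewhere on this page suggest, the older line is printed first, the two `Microsoft.Common.Section` blocks for the on-premises collector and the legacy-agent connector, the `four (4) parsers` text and the ExchangeVIP watchlist description are replaced by the generic `installs the data connector` / `installs a parser` text, which no longer describes what this solution deploys. The same applies to the watchlist block, where the descriptive text becomes `"text": "Specific VIP Monitored in Exchange."`. Since this file is generator output, the descriptive text belongs in the solution's Data file inputs that the generator reads, otherwise every repackage will overwrite it again; as committed, the portal tells users the solution installs "a parser" while the removed text says it ships four.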
|
Различия файлов скрыты, потому что одна или несколько строк слишком длинны
|
@ -1,5 +1,6 @@
|
|||
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|
||||
|-------------|--------------------------------|---------------------------------------------|
|
||||
| 3.1.4 | 18-04-2024 | Repackaged for parser issue while redeployment |
|
||||
| 3.1.3 | 10-04-2024 | Updated DataConnector last Log indicator and IsConnected queries by including Application and System Log Event Types |
|
||||
| 3.1.2 | 20-02-2024 | Correct DataConnector last Log indicator and IsConnected queries |
|
||||
| 3.1.1 | 18-12-2023 | Update Parsers parameters |
|
||||
|
|
|
@ -25,8 +25,8 @@
|
|||
"Watchlists/ExchOnlineVIP.json"
|
||||
],
|
||||
"WatchlistDescription": "ExchOnlineVIP Watchlists contains a list of VIP users identified in Exchange Online that would be more monitored than others. This watchlist is used in the Audit log workbooks to filter activities on those users.",
|
||||
"BasePath": "C:\\Git Repositories\\Azure-Sentinel\\Solutions\\Microsoft Exchange Security - Exchange Online",
|
||||
"Version": "3.1.1",
|
||||
"BasePath": "C:\\Github\\Azure-Sentinel\\Solutions\\Microsoft Exchange Security - Exchange Online",
|
||||
"Version": "3.1.2",
|
||||
"Metadata": "SolutionMetadata.json",
|
||||
"TemplateSpec": true,
|
||||
"Is1Pconnector": false
|
||||
|
|
Двоичные данные
Solutions/Microsoft Exchange Security - Exchange Online/Package/3.1.2.zip
Normal file
Двоичные данные
Solutions/Microsoft Exchange Security - Exchange Online/Package/3.1.2.zip
Normal file
Двоичный файл не отображается.
|
@ -57,7 +57,7 @@
|
|||
"bladeTitle": "Data Connectors",
|
||||
"elements": [
|
||||
{
|
||||
"name": "dataconnectors1-text",
|
||||
"name": "dataconnectors-text1",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "This Solution installs the data connector for Microsoft Exchange Security - Exchange Online. You can get Microsoft Exchange Security - Exchange Online custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
|
||||
|
@ -67,7 +67,7 @@
|
|||
"name": "dataconnectors-parser-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "The solution installs six (3) parsers that transform ingested data. The transformed logs can be accessed using the ExchangeConfiguration, MESCheckVIP and ExchangeEnvironmentList Kusto Function aliases."
|
||||
"text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel."
|
||||
}
|
||||
},
|
||||
{
|
||||
|
|
Различия файлов скрыты, потому что одна или несколько строк слишком длинны
|
@ -1,5 +1,7 @@
|
|||
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|
||||
|-------------|--------------------------------|---------------------------------------------|
|
||||
| 3.1.2 | 18-04-2024 | Repackaged for parser issue while update |
|
||||
| 3.1.1 | 19-03-2024 | Manually updated package content |
|
||||
| 3.0.5 | 20-02-2024 | Correct DataConnector last Log indicator |
|
||||
| 3.0.4 | 18-12-2023 | Correct Parser parameters and force version update |
|
||||
| 3.0.3 | 05-12-2023 | Added parameters in **Parser** to fix default values issue. |
|
||||
|
|
Двоичный файл не отображается.
|
@ -57,14 +57,14 @@
|
|||
"bladeTitle": "Data Connectors",
|
||||
"elements": [
|
||||
{
|
||||
"name": "dataconnectors1-text",
|
||||
"name": "dataconnectors-text1",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "This Solution installs the data connector for Okta Single Sign-On. You can get Okta Single Sign-On custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "dataconnectors2-text",
|
||||
"name": "dataconnectors-text2",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "This Solution installs the data connector for Okta Single Sign-On. You can get Okta Single Sign-On data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
|
||||
|
|
Различия файлов скрыты, потому что одна или несколько строк слишком длинны
|
@ -1,5 +1,6 @@
|
|||
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|
||||
|-------------|--------------------------------|---------------------------------------------------------------|
|
||||
| 3.0.6 | 17-04-2024 | Repackaged solution for parser fix |
|
||||
| 3.0.5 | 08-04-2024 | Added Azure Deploy button for government portal deployments |
|
||||
| 3.0.4 | 18-03-2024 | Updated description in data file, data connector and added logo for ccp data connector |
|
||||
| 3.0.3 | 08-03-2024 | Updated ccp with domainname in dcr, tables, name change in definition and poller |
|
||||
|
|
|
@ -44,7 +44,7 @@
|
|||
],
|
||||
"Metadata": "SolutionMetadata.json",
|
||||
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Okta Single Sign-On\\",
|
||||
"Version": "3.0.5",
|
||||
"Version": "3.0.6",
|
||||
"TemplateSpec": true,
|
||||
"Is1PConnector": false
|
||||
}
|
|
@ -23,7 +23,7 @@
|
|||
"Solutions/ProofPointTap/Playbooks/ProofpointTAP-CheckAccountInVAP/azuredeploy.json"
|
||||
],
|
||||
"BasePath": "C:\\GitHub\\Azure-Sentinel",
|
||||
"Version": "3.0.2",
|
||||
"Version": "3.0.3",
|
||||
"Metadata": "SolutionMetadata.json",
|
||||
"TemplateSpec": true,
|
||||
"Is1PConnector": false
|
||||
|
|
Двоичный файл не отображается.
|
@ -57,7 +57,7 @@
|
|||
"bladeTitle": "Data Connectors",
|
||||
"elements": [
|
||||
{
|
||||
"name": "dataconnectors1-text",
|
||||
"name": "dataconnectors-text1",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "This Solution installs the data connector for ProofPointTap. You can get ProofPointTap custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
|
||||
|
|
Различия файлов скрыты, потому что одна или несколько строк слишком длинны
|
@ -1,5 +1,6 @@
|
|||
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|
||||
|-------------|--------------------------------|--------------------------------------------------------------|
|
||||
| 3.0.3 | 16-04-2024 | Repackaged for parser issue in maintemplate |
|
||||
| 3.0.2 | 10-04-2024 | Added Azure Deploy button for government portal deployments |
|
||||
| 3.0.1 | 10-10-2023 | Manual deployment instructions updated for **Data Connector**|
|
||||
| 3.0.0 | 01-08-2023 | Updated solution logo with Microsoft Sentinel logo |
|
||||
|
|
|
@ -5,7 +5,7 @@
|
|||
"Description": "The [Symantec Endpoint Protection (SEP)](https://www.broadcom.com/products/cyber-security/endpoint/end-user/enterprise) solution allows you to easily connect your SEP logs with Microsoft Sentinel.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Agent-based log collection (Syslog)](https://docs.microsoft.com/azure/sentinel/connect-syslog)",
|
||||
"Analytic Rules": [
|
||||
"Analytic Rules/ExcessiveBlockedTrafficGeneratedbyUser.yaml",
|
||||
"Analytic Rules/MalwareDetected.yaml"
|
||||
"Analytic Rules/MalwareDetected.yaml"
|
||||
],
|
||||
"Data Connectors": [
|
||||
"Data Connectors/Connector_Syslog_SymantecEndpointProtection.json"
|
||||
|
@ -13,12 +13,12 @@
|
|||
"Workbooks": [
|
||||
"Workbooks/SymantecEndpointProtection.json"
|
||||
],
|
||||
"Parsers": [
|
||||
"Parsers/SymantecEndpointProtection.yaml"
|
||||
"Parsers": [
|
||||
"Parsers/SymantecEndpointProtection.yaml"
|
||||
],
|
||||
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Symantec Endpoint Protection",
|
||||
"Version": "2.0.4",
|
||||
"Metadata": "SolutionMetadata.json",
|
||||
"TemplateSpec": true,
|
||||
"Is1Pconnector": false
|
||||
"Version": "3.0.1",
|
||||
"Metadata": "SolutionMetadata.json",
|
||||
"TemplateSpec": true,
|
||||
"Is1Pconnector": false
|
||||
}
|
Двоичный файл не отображается.
|
@ -57,7 +57,7 @@
|
|||
"bladeTitle": "Data Connectors",
|
||||
"elements": [
|
||||
{
|
||||
"name": "dataconnectors1-text",
|
||||
"name": "dataconnectors-text1",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "This Solution installs the data connector for Symantec Endpoint Protection. You can get Symantec Endpoint Protection Syslog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
|
||||
|
|
Различия файлов скрыты, потому что одна или несколько строк слишком длинны
|
@ -0,0 +1,4 @@
|
|||
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|
||||
|-------------|--------------------------------|---------------------------------------------|
|
||||
| 3.0.1 | 18-04-2024 | Repackaged for fix in parser in maintemplate |
|
||||
| 3.0.0 | 15-04-2024 | Updated Parser SymantecEndpointProtection.yaml to automatic update applicable logs |
|
|
@ -13,7 +13,7 @@
|
|||
"Workbooks/ZoomReports.json"
|
||||
],
|
||||
"BasePath": "C:\\GitHub\\Azure-Sentinel\\solutions\\ZoomReports",
|
||||
"Version": "3.0.2",
|
||||
"Version": "3.0.3",
|
||||
"Metadata": "SolutionMetadata.json",
|
||||
"TemplateSpec": true,
|
||||
"Is1PConnector": false
|
||||
|
|
Двоичный файл не отображается.
|
@ -57,7 +57,7 @@
|
|||
"bladeTitle": "Data Connectors",
|
||||
"elements": [
|
||||
{
|
||||
"name": "dataconnectors1-text",
|
||||
"name": "dataconnectors-text1",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "This Solution installs the data connector for ZoomReports. You can get ZoomReports custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
|
||||
|
|
Различия файлов скрыты, потому что одна или несколько строк слишком длинны
|
@ -1,5 +1,6 @@
|
|||
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|
||||
|-------------|--------------------------------|---------------------------------------------|
|
||||
| 3.0.3 | 18-04-2024 | Repackaged for fix on parser in maintemplate |
|
||||
| 3.0.2 | 10-04-2024 | Added Azure Deploy button for government portal deployments |
|
||||
| 3.0.1 | 04-12-2023 | Authentication changes for zoom reports with server to server **Oauth app** |
|
||||
| 3.0.0 | 04-07-2023 | Fixed broken links for **Data Connector** & Added **Workbook** in Solution content |
|
||||
|
|
|
@ -745,7 +745,7 @@ function PrepareSolutionMetadata($solutionMetadataRawContent, $contentResourceDe
|
|||
displayName = $contentToImport.Workbooks ? "[parameters('workbook$global:workbookCounter-name')]" : "[concat(parameters('workbook$global:workbookCounter-name'), ' - ', parameters('formattedTimeNow'))]";
|
||||
serializedData = $serializedData;
|
||||
version = "1.0";
|
||||
sourceId = $contentToImport.TemplateSpec? "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]" : "[variables('_workbook-source')]";
|
||||
sourceId = $contentToImport.TemplateSpec? "[variables('workspaceResourceId')]" : "[variables('_workbook-source')]";
|
||||
category = "sentinel"
|
||||
}
|
||||
}
|
||||
|
@ -839,6 +839,11 @@ function PrepareSolutionMetadata($solutionMetadataRawContent, $contentResourceDe
|
|||
version = "[variables('workbookVersion$global:workbookCounter')]";
|
||||
};
|
||||
|
||||
# Add workspace resource ID if not available
|
||||
if (!$global:baseMainTemplate.variables.workspaceResourceId) {
|
||||
$global:baseMainTemplate.variables | Add-Member -NotePropertyName "workspaceResourceId" -NotePropertyValue "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]"
|
||||
}
|
||||
|
||||
if ($contentResourceDetails.contentSchemaVersion -ne '3.0.0')
|
||||
{
|
||||
# Add base templateSpec
|
||||
|
@ -1534,6 +1539,10 @@ function PrepareSolutionMetadata($solutionMetadataRawContent, $contentResourceDe
|
|||
}
|
||||
}
|
||||
|
||||
# Add workspace resource ID if not available
|
||||
if (!$global:baseMainTemplate.variables.workspaceResourceId) {
|
||||
$global:baseMainTemplate.variables | Add-Member -NotePropertyName "workspaceResourceId" -NotePropertyValue "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]"
|
||||
}
|
||||
# Add base templateSpec
|
||||
if ($contentResourceDetails.contentSchemaVersion -ne '3.0.0')
|
||||
{
|
||||
|
@ -1782,6 +1791,10 @@ function PrepareSolutionMetadata($solutionMetadataRawContent, $contentResourceDe
|
|||
|
||||
if ($contentToImport.TemplateSpec) {
|
||||
$connectorName = $contentToImport.Name
|
||||
# Add workspace resource ID if not available
|
||||
if (!$global:baseMainTemplate.variables.workspaceResourceId -and $contentResourceDetails.contentSchemaVersion -ne '3.0.0') {
|
||||
$global:baseMainTemplate.variables | Add-Member -NotePropertyName "workspaceResourceId" -NotePropertyValue "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]"
|
||||
}
|
||||
# If both ID and Title exist, is standard GenericUI data connector
|
||||
if ($templateSpecConnectorData.id -and $templateSpecConnectorData.title) {
|
||||
$global:baseMainTemplate.variables | Add-Member -NotePropertyName "uiConfigId$global:connectorCounter" -NotePropertyValue $templateSpecConnectorData.id
|
||||
|
@ -2096,7 +2109,7 @@ function PrepareSolutionMetadata($solutionMetadataRawContent, $contentResourceDe
|
|||
elements = @();
|
||||
}
|
||||
$baseDataConnectorTextElement = [PSCustomObject] @{
|
||||
name = "dataconnectors-text$global:connectorCounter";
|
||||
name = "dataconnectors$global:connectorCounter-text";
|
||||
type = "Microsoft.Common.TextBlock";
|
||||
options = [PSCustomObject] @{
|
||||
text = $connectorDescriptionText;
|
||||
|
@ -2106,23 +2119,8 @@ function PrepareSolutionMetadata($solutionMetadataRawContent, $contentResourceDe
|
|||
if ($global:connectorCounter -eq 1) {
|
||||
$global:baseCreateUiDefinition.parameters.steps += $baseDataConnectorStep
|
||||
}
|
||||
|
||||
$hasDataConnectorText = $false
|
||||
foreach ($item in $global:baseCreateUiDefinition.parameters.steps.elements) {
|
||||
if ($item.name -like "*dataconnectors-text*") {
|
||||
$optionText = $item.options.text;
|
||||
if ($optionText -eq $connectorDescriptionText) {
|
||||
$hasDataConnectorText = $true
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
$currentStepNum = $global:baseCreateUiDefinition.parameters.steps.Count - 1
|
||||
if (!$hasDataConnectorText) {
|
||||
|
||||
$global:baseCreateUiDefinition.parameters.steps[$currentStepNum].elements += $baseDataConnectorTextElement
|
||||
}
|
||||
|
||||
$global:baseCreateUiDefinition.parameters.steps[$currentStepNum].elements += $baseDataConnectorTextElement
|
||||
if ($global:connectorCounter -eq $contentToImport."Data Connectors".Count) {
|
||||
$parserTextElement = [PSCustomObject] @{
|
||||
name = "dataconnectors-parser-text";
|
||||
|
@ -2304,6 +2302,10 @@ function PrepareSolutionMetadata($solutionMetadataRawContent, $contentResourceDe
|
|||
|
||||
$global:baseMainTemplate.variables | Add-Member -NotePropertyName "huntingQueryObject$global:huntingQueryCounter" -NotePropertyValue $objHuntingQueryVariables
|
||||
|
||||
if (!$global:baseMainTemplate.variables.workspaceResourceId -and $contentResourceDetails.contentSchemaVersion -ne '3.0.0') {
|
||||
$global:baseMainTemplate.variables | Add-Member -NotePropertyName "workspaceResourceId" -NotePropertyValue "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]"
|
||||
}
|
||||
|
||||
if ($contentResourceDetails.contentSchemaVersion -ne '3.0.0')
|
||||
{
|
||||
$baseHuntingQueryTemplateSpec = [PSCustomObject]@{
|
||||
|
@ -2676,6 +2678,10 @@ function PrepareSolutionMetadata($solutionMetadataRawContent, $contentResourceDe
|
|||
$objAnalyticRulesVariables | Add-Member -NotePropertyName "analyticRuleTemplateSpecName$global:analyticRuleCounter" -NotePropertyValue "[concat(parameters('workspace'),'-ar-',uniquestring('$($yaml.id)'))]"
|
||||
}
|
||||
|
||||
if (!$global:baseMainTemplate.variables.workspaceResourceId -and $contentResourceDetails.contentSchemaVersion -ne '3.0.0') {
|
||||
$global:baseMainTemplate.variables | Add-Member -NotePropertyName "workspaceResourceId" -NotePropertyValue "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]"
|
||||
}
|
||||
|
||||
if ($contentResourceDetails.contentSchemaVersion -ne '3.0.0')
|
||||
{
|
||||
$baseAnalyticRuleTemplateSpec = [PSCustomObject]@{
|
||||
|
@ -3285,6 +3291,11 @@ function Base32Encode([uint32]$charValue)
|
|||
|
||||
function addTemplateSpecParserResource($content,$yaml,$isyaml, $contentResourceDetails)
|
||||
{
|
||||
# Add workspace resource ID if not available
|
||||
if (!$global:baseMainTemplate.variables.workspaceResourceId -and $contentResourceDetails.contentSchemaVersion -ne '3.0.0') {
|
||||
$global:baseMainTemplate.variables | Add-Member -NotePropertyName "workspaceResourceId" -NotePropertyValue "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]"
|
||||
}
|
||||
|
||||
if ($contentResourceDetails.contentSchemaVersion -ne '3.0.0')
|
||||
{
|
||||
# Add base templateSpec
|
||||
|
@ -3341,7 +3352,7 @@ function addTemplateSpecParserResource($content,$yaml,$isyaml, $contentResourceD
|
|||
"[variables('parserObject$global:parserCounter')._parserId$global:parserCounter]"
|
||||
);
|
||||
properties = [PSCustomObject]@{
|
||||
parentId = "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), '$($parserName)')]"
|
||||
parentId = "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), '$($displayDetails.displayName)')]"
|
||||
contentId = "[variables('parserObject$global:parserCounter').parserContentId$global:parserCounter]";
|
||||
kind = "Parser";
|
||||
version = "[variables('parserObject$global:parserCounter').parserVersion$global:parserCounter]";
|
||||
|
@ -3436,7 +3447,7 @@ function addTemplateSpecParserResource($content,$yaml,$isyaml, $contentResourceD
|
|||
"[variables('parserObject$global:parserCounter')._parserId$global:parserCounter]"
|
||||
);
|
||||
properties = [PSCustomObject]@{
|
||||
parentId = "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), '$($parserName)')]"
|
||||
parentId = "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), '$($displayDetails.displayName)')]"
|
||||
contentId = "[variables('parserObject$global:parserCounter').parserContentId$global:parserCounter]";
|
||||
kind = "Parser";
|
||||
version = "[variables('parserObject$global:parserCounter').parserVersion$global:parserCounter]";
|
||||
|
@ -3505,7 +3516,7 @@ function generateParserContent($file, $contentToImport, $contentResourceDetails)
|
|||
}
|
||||
|
||||
$displayDetails = getParserDetails $global:solutionId $yaml $isyaml
|
||||
$parserName = ($isyaml -eq $true) ? "$($yaml.Function.Title)" : "$($fileName)";
|
||||
$parserName = $fileName + " Data Parser"
|
||||
$objParserVariables | Add-Member -NotePropertyName "_parserName$global:parserCounter" -NotePropertyValue "[concat(parameters('workspace'),'/','$($parserName)')]"
|
||||
|
||||
$objParserVariables | Add-Member -NotePropertyName "_parserId$global:parserCounter" -NotePropertyValue "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), '$($parserName)')]"
|
||||
|
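Review bot: In the @ -3341 and @ -3436 hunks the metadata `parentId` is now built from `$displayDetails.displayName`, while the savedSearch resource name and the `_parserId` used in `dependsOn` (context line just above) are still built from `$parserName`, which the @ -3505 hunk sets to `$parserName = $fileName + " Data Parser"` (assuming, as the version bumps on this page suggest, that the older line is printed first); unless `getParserDetails` returns exactly that string, the metadata points at a savedSearch this template does not deploy, so derive both from one value, e.g. `parentId = "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), '$($parserName)')]"`, or document why they differ. In the @ -2106 hunk the surviving `$global:baseCreateUiDefinition.parameters.steps[$currentStepNum].elements += $baseDataConnectorTextElement` reads `$currentStepNum`, whose only assignment in view is among the removed lines; if it is not set earlier in PrepareSolutionMetadata (which starts and ends outside these hunks) the index is `$null`. The `dataconnectors$global:connectorCounter-text` name in the @ -2096 hunk also does not match the `dataconnectors-text1` elements carried by the repackaged createUiDefinition.json files in this same commit, which suggests the packages were built with a different revision of this script. Separately, the four-line workspaceResourceId `Add-Member` block is repeated in the @ -839, @ -1534, @ -1782, @ -2304, @ -2676 and @ -3285 hunks (and again in createCCPConnectorResources), guarded by `contentSchemaVersion -ne '3.0.0'` in some and unguarded in others; one helper with a single documented guard would remove both the duplication and the inconsistency.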
|
|
@ -218,18 +218,14 @@ function Get-ArmResource($name, $type, $kind, $properties){
|
|||
"Microsoft.Insights/dataCollectionRules" = "2022-06-01";
|
||||
}
|
||||
|
||||
$resource = [PSCustomObject]@{
|
||||
return [PSCustomObject]@{
|
||||
name = $name;
|
||||
apiVersion = $apiVersion[$type]
|
||||
type = $type;
|
||||
location = "[parameters('workspace-location')]";
|
||||
kind = $kind;
|
||||
properties = $properties;
|
||||
}
|
||||
if ($null -ne $kind) {
|
||||
$resource | Add-Member -MemberType NoteProperty -Name "kind" -Value $kind
|
||||
}
|
||||
|
||||
return $resource
|
||||
}
|
||||
|
||||
function addNewParameter($templateResourceObj, $parameterName, $isSecret = $false) {
|
||||
|
@ -245,40 +241,16 @@ function addNewParameter($templateResourceObj, $parameterName, $isSecret = $fals
|
|||
return $templateResourceObj;
|
||||
}
|
||||
|
||||
function replacePlaceHolders($actualFieldValue, $propMatchedPlaceHolderValues) {
|
||||
$finalStringName = "[[concat("
|
||||
$closureBrackets = ")]"
|
||||
|
||||
foreach ($currentPlaceHolder in $propMatchedPlaceHolderValues) {
|
||||
if ($currentPlaceHolder.Value -ne '') {
|
||||
$currentPlaceHolderValue = $currentPlaceHolder.Value
|
||||
$placeHolderName = $currentPlaceHolderValue.replace("{{", "").replace("}}", "")
|
||||
$startIndexOfPlaceholder = $actualFieldValue.IndexOf($currentPlaceHolderValue)
|
||||
|
||||
if ($startIndexOfPlaceholder -eq 0) {
|
||||
$finalStringName += "parameters('" + $placeHolderName + "')"
|
||||
$actualFieldValue = $actualFieldValue.Replace($currentPlaceHolder, "");
|
||||
} else {
|
||||
$strSubString = $actualFieldValue.Substring(0, $startIndexOfPlaceholder);
|
||||
$finalStringName += ",'" + $strSubString + "', parameters('" + $placeHolderName + "')"
|
||||
$actualFieldValue = $actualFieldValue.Replace($currentPlaceHolder, "");
|
||||
$actualFieldValue = $actualFieldValue.Substring($strSubString.Length, $actualFieldValue.Length - $strSubString.Length);
|
||||
}
|
||||
}
|
||||
}
|
||||
if ($actualFieldValue -ne '') {
|
||||
$finalStringName += ",'" + $actualFieldValue + "'"
|
||||
}
|
||||
|
||||
return $finalStringName + $closureBrackets;
|
||||
}
|
||||
|
||||
# THIS IS THE STARTUP FUNCTION FOR CCP RESOURCE CREATOR
|
||||
function createCCPConnectorResources($contentResourceDetails, $dataFileMetadata, $solutionFileMetadata, $dcFolderName, $ccpDict, $solutionBasePath, $solutionName, $ccpTables, $ccpTablesCounter) {
|
||||
Write-Host "Inside of CCP Connector Code!"
|
||||
$solutionId = $solutionFileMetadata.publisherId + "." + $solutionFileMetadata.offerId
|
||||
$placeHolderPatternMatches = '\{{[a-zA-Z0-9]+\}}'
|
||||
|
||||
if (!$global:baseMainTemplate.variables.workspaceResourceId) {
|
||||
$global:baseMainTemplate.variables | Add-Member -NotePropertyName "workspaceResourceId" -NotePropertyValue "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]"
|
||||
}
|
||||
|
||||
if (!$global:baseMainTemplate.variables._solutionName) {
|
||||
$global:baseMainTemplate.variables | Add-Member -NotePropertyName "_solutionName" -NotePropertyValue $dataFileMetadata.Name
|
||||
}
|
||||
|
@ -396,28 +368,12 @@ function createCCPConnectorResources($contentResourceDetails, $dataFileMetadata,
|
|||
|
||||
Write-Host "Processing for CCP Poller file path: $ccpPollerFilePath"
|
||||
$dataConnectorPollerName = $null -eq $fileContent.Name -or $fileContent.Name -eq '' ? $fileContent.properties.connectorDefinitionName : $fileContent.Name;
|
||||
|
||||
if ($dataConnectorPollerName.contains("{{")) {
|
||||
$resourceName = $dataConnectorPollerName
|
||||
} else {
|
||||
$resourceName = "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', '$dataConnectorPollerName')]"
|
||||
}
|
||||
|
||||
$resourceName = "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', '$dataConnectorPollerName')]"
|
||||
#$resourceName = "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', '$templateName')]"
|
||||
$armResource = Get-ArmResource $resourceName $fileContent.type $fileContent.kind $fileContent.properties
|
||||
$armResource.type = "Microsoft.OperationalInsights/workspaces/providers/dataConnectors"
|
||||
$armResource.kind = $ccpItem.PollerKind;
|
||||
|
||||
# data connector poller containing placeholder
|
||||
if ($dataConnectorPollerName.contains("{{")) {
|
||||
$placeHoldersMatched = $dataConnectorPollerName | Select-String $placeHolderPatternMatches -AllMatches
|
||||
|
||||
if ($placeHoldersMatched.Matches.Count -gt 0) {
|
||||
$finalizedName = replacePlaceHolders -actualFieldValue $dataConnectorPollerName -propMatchedPlaceHolderValues $placeHoldersMatched.Matches
|
||||
$armResource.name = $finalizedName
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
# dataCollectionEndpoint : this is optional field for users to add.
|
||||
$hasDataCollectionEndpoint = [bool](($armResource.properties.dcrConfig).PSobject.Properties.name -match "dataCollectionEndpoint")
|
||||
if ($hasDataCollectionEndpoint) {
|
||||
|
@ -547,10 +503,6 @@ function createCCPConnectorResources($contentResourceDetails, $dataFileMetadata,
|
|||
}
|
||||
}
|
||||
}
|
||||
else {
|
||||
$authTypeValue = $armResource.properties.auth.type
|
||||
Write-Host "Data Connector Poller file has invalid auth 'type' property value '$($authTypeValue)'. Supported auth 'type' property value are OAuth2, Basic or APIKey!"
|
||||
}
|
||||
|
||||
if ($armResource.properties.request.apiEndPoint.contains("{{")) {
|
||||
# identify any placeholders in apiEndpoint
|
||||
|
@ -594,33 +546,6 @@ function createCCPConnectorResources($contentResourceDetails, $dataFileMetadata,
|
|||
$armResource.properties.request.apiEndPoint = $finalizedEndpointUrl + $closureBrackets
|
||||
}
|
||||
}
|
||||
|
||||
# headers placeholder
|
||||
$hasHeaders = [bool]($armResource.properties.request.PSobject.Properties.name -match "headers")
|
||||
if ($hasHeaders) {
|
||||
foreach ($headerProps in $armResource.properties.request.headers.PsObject.Properties) {
|
||||
$headerPropName = $headerProps.Name
|
||||
$headerPropValue = $headerProps.Value
|
||||
|
||||
if ($headerPropValue.contains("{{")) {
|
||||
$placeHoldersMatched = $headerPropValue | Select-String $placeHolderPatternMatches -AllMatches
|
||||
if ($placeHoldersMatched.Matches.Value.Count -gt 0) {
|
||||
$placeHolderName = $placeHoldersMatched.Matches.Value.replace("{{", "").replace("}}", "")
|
||||
$armResource.properties.request.headers."$headerPropName" = "[[parameters('$($placeHolderName)')]"
|
||||
$templateContentConnections.properties.mainTemplate = addNewParameter -templateResourceObj $templateContentConnections.properties.mainTemplate -parameterName "$placeHolderName" -isSecret $false
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if ($dataConnectorPollerName.contains("{{")) {
|
||||
$placeHoldersMatched = $dataConnectorPollerName | Select-String $placeHolderPatternMatches -AllMatches
|
||||
|
||||
if ($placeHoldersMatched.Matches.Count -gt 0) {
|
||||
$finalizedName = replacePlaceHolders -actualFieldValue $dataConnectorPollerName -propMatchedPlaceHolderValues $placeHoldersMatched.Matches
|
||||
$armResource.name = $finalizedName
|
||||
}
|
||||
}
|
||||
$templateContentConnections.properties.mainTemplate.resources += $armResource
|
||||
}
|
||||
}
|
||||
|
@ -650,7 +575,7 @@ function createCCPConnectorResources($contentResourceDetails, $dataFileMetadata,
|
|||
Write-Host "Processing for CCP DCR file path: $ccpDCRFilePath"
|
||||
foreach ($logAnalyticDestination in $fileContent.properties.destinations.logAnalytics)
|
||||
{
|
||||
$logAnalyticDestination.workspaceResourceId = "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]"
|
||||
$logAnalyticDestination.workspaceResourceId = "[variables('workspaceResourceId')]"
|
||||
}
|
||||
|
||||
$dcrPlaceHolderMatched = $fileContent.name | Select-String $placeHolderPatternMatches -AllMatches
|
||||
|
@ -833,39 +758,27 @@ function createCCPConnectorResources($contentResourceDetails, $dataFileMetadata,
|
|||
|
||||
$connectorDescriptionText = "This Solution installs the data connector for $solutionName. You can get $solutionName data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
|
||||
|
||||
$hasDataConnectorDetails = $false
|
||||
foreach($item in $global:baseCreateUiDefinition.parameters.steps.elements) {
|
||||
if ($item.name -like "*dataconnectors-text*") {
|
||||
$optionText = $item.options.text;
|
||||
if ($optionText -eq $connectorDescriptionText) {
|
||||
$hasDataConnectorDetails = $true
|
||||
}
|
||||
$baseDataConnectorTextElement = [PSCustomObject] @{
|
||||
name = "dataconnectors$global:connectorCounter-text";
|
||||
type = "Microsoft.Common.TextBlock";
|
||||
options = [PSCustomObject] @{
|
||||
text = $connectorDescriptionText;
|
||||
}
|
||||
}
|
||||
|
||||
if (!$hasDataConnectorDetails) {
|
||||
$baseDataConnectorTextElement = [PSCustomObject] @{
|
||||
name = "dataconnectors-text$global:connectorCounter";
|
||||
type = "Microsoft.Common.TextBlock";
|
||||
options = [PSCustomObject] @{
|
||||
text = $connectorDescriptionText;
|
||||
}
|
||||
}
|
||||
|
||||
$currentStepNum = $global:baseCreateUiDefinition.parameters.steps.Count - 1
|
||||
$global:baseCreateUiDefinition.parameters.steps[$currentStepNum].elements += $baseDataConnectorTextElement
|
||||
$connectDataSourcesLink = [PSCustomObject] @{
|
||||
name = "dataconnectors-link$global:connectorCounter";
|
||||
type = "Microsoft.Common.TextBlock";
|
||||
options = [PSCustomObject] @{
|
||||
link = [PSCustomObject] @{
|
||||
label = "Learn more about connecting data sources";
|
||||
uri = "https://docs.microsoft.com/azure/sentinel/connect-data-sources";
|
||||
}
|
||||
$currentStepNum = $global:baseCreateUiDefinition.parameters.steps.Count - 1
|
||||
$global:baseCreateUiDefinition.parameters.steps[$currentStepNum].elements += $baseDataConnectorTextElement
|
||||
$connectDataSourcesLink = [PSCustomObject] @{
|
||||
name = "dataconnectors-link2";
|
||||
type = "Microsoft.Common.TextBlock";
|
||||
options = [PSCustomObject] @{
|
||||
link = [PSCustomObject] @{
|
||||
label = "Learn more about connecting data sources";
|
||||
uri = "https://docs.microsoft.com/azure/sentinel/connect-data-sources";
|
||||
}
|
||||
}
|
||||
$global:baseCreateUiDefinition.parameters.steps[$currentStepNum].elements += $connectDataSourcesLink
|
||||
}
|
||||
$global:baseCreateUiDefinition.parameters.steps[$currentStepNum].elements += $connectDataSourcesLink
|
||||
|
||||
$global:connectorCounter += 1
|
||||
}
|
||||
|
|