Azure
/
Azure-Sentinel
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Update mainTemplate.json

This commit is contained in:
v-sabiraj 2024-08-27 16:41:33 +05:30
Родитель 1c32021dc6
Коммит ab84c6b185
1 изменённых файлов: 270 добавлений и 266 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

536
Solutions/Google Cloud Platform Audit Logs/Package/mainTemplate.json
Просмотреть файл

@ -2,7 +2,7 @@
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"location": {
"location": {
"defaultValue": "[resourceGroup().location]",
"minLength": 1,
"type": "string",
@ -24,9 +24,9 @@
"variables": {
"solutionId": "azuresentinel.azure-sentinel-solution-gcpauditlogs-api",
"_solutionId": "[variables('solutionId')]",
"dataCollectionRuleImmutableId": "data collection rule immutableId",
"dataCollectionRuleImmutableId": "data collection rule immutableId",
"_dataCollectionRuleImmutableId": "[variables('dataCollectionRuleImmutableId')]",
"dataCollectionEndpointId": "[concat('/subscriptions/',variables('subscription'),'/resourceGroups/',variables('resourceGroupName'),'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('workspace'))]",
"dataCollectionEndpointId": "[concat('/subscriptions/',variables('subscription'),'/resourceGroups/',variables('resourceGroupName'),'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('workspace'))]",
"_dataCollectionEndpointId": "[variables('dataCollectionEndpointId')]",
"workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
"uiConfigId1": "GCPAuditLogsDefinition",
@ -45,11 +45,11 @@
"dataConnectorVersion2": "1.0.0",
"resourceGroupName": "[resourceGroup().name]",
"subscription": "[last(split(subscription().id, '/'))]",
"dataCollectionRuleId": "GCPAuditLogs",
"streamName": "SENTINEL_GCP_AUDIT_LOGS",
"logAnalyticsTableId": "Microsoft-GCPAuditLogs",
"dataType": "GCPAuditLogs",
"destinationName": "clv2ws1"
"dataCollectionRuleId": "GCPAuditLogs",
"streamName": "SENTINEL_GCP_AUDIT_LOGS",
"logAnalyticsTableId": "Microsoft-GCPAuditLogs",
"dataType": "GCPAuditLogs",
"destinationName": "clv2ws1"
},
"resources": [
{
@ -93,101 +93,103 @@
"location": "[parameters('workspace-location')]",
"kind": "Customizable",
"properties": {
"connectorUiConfig": {
"id": "[variables('_uiConfigId1')]",
"title": "GCP Pub/Sub Audit Logs",
"publisher": "Microsoft",
"descriptionMarkdown": "The Google Cloud Platform (GCP) audit logs, ingested from Sentinel's connector, enable you to capture three types of audit logs: admin activity logs, data access logs, and access transparency logs. Google cloud audit logs record a trail that practitioners can use to monitor access and detect potential threats across Google Cloud Platform (GCP) resources.",
"graphQueriesTableName": "GCPAuditLogs",
"graphQueries": [
{
"metricName": "Total events received",
"legend": "GCP Audit Logs",
"baseQuery": "{{graphQueriesTableName}}"
}
],
"sampleQueries": [
{
"description": "Get Sample of GCP Audit Logs",
"query": "{{graphQueriesTableName}}\n | take 10"
}
],
"dataTypes": [
{
"name": "{{graphQueriesTableName}}",
"lastDataReceivedQuery": "{{graphQueriesTableName}}\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriteria": [
{
"type": "HasDataConnectors"
}
],
"availability": {
"status": 1,
"isPreview": false
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "Read and Write permissions are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"read": true,
"write": true,
"delete": true,
"action": false
}
}
]
},
"instructionSteps": [
{
"instructions": [
{
"type": "MarkdownControlEnvBased",
"parameters": {
"prodScript": "#### 1. Set up your GCP environment \n You must have the following GCP resources defined and configured: topic, subscription for the topic, workload identity pool, workload identity provider and service account with permissions to get and consume from subscription. \n Terraform provides API for the IAM that creates the resources. [Link to Terraform scripts](https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/GCP/Terraform/sentinel_resources_creation).",
"govScript": "#### 1. Set up your GCP environment \n You must have the following GCP resources defined and configured: topic, subscription for the topic, workload identity pool, workload identity provider and service account with permissions to get and consume from subscription. \n Terraform provides API for the IAM that creates the resources. [Link to Gov Terraform scripts](https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/GCP/Terraform/sentinel_resources_creation_gov)."
}
},
{
"type": "CopyableLabel",
"parameters": {
"label": "Tenant ID: A unique identifier that is used as an input in the Terraform configuration within a GCP environment.",
"fillWith": [ "TenantId" ],
"name": "PoolId",
"disabled": true
}
},
{
"type": "Markdown",
"parameters": {
"content": "#### 2. Connect new collectors \n To enable GCP Audit Logs for Microsoft Sentinel, click the Add new collector button, fill the required information in the context pane and click on Connect."
}
},
{
"type": "GCPGrid",
"parameters": {}
},
{
"type": "GCPContextPane",
"parameters": {}
}
]
}
],
"isConnectivityCriteriasMatchSome": false
},
"connectorUiConfig": {
"id": "[variables('_uiConfigId1')]",
"title": "GCP Pub/Sub Audit Logs",
"publisher": "Microsoft",
"descriptionMarkdown": "The Google Cloud Platform (GCP) audit logs, ingested from Sentinel's connector, enable you to capture three types of audit logs: admin activity logs, data access logs, and access transparency logs. Google cloud audit logs record a trail that practitioners can use to monitor access and detect potential threats across Google Cloud Platform (GCP) resources.",
"graphQueriesTableName": "GCPAuditLogs",
"graphQueries": [
{
"metricName": "Total events received",
"legend": "GCP Audit Logs",
"baseQuery": "{{graphQueriesTableName}}"
}
],
"sampleQueries": [
{
"description": "Get Sample of GCP Audit Logs",
"query": "{{graphQueriesTableName}}\n | take 10"
}
],
"dataTypes": [
{
"name": "{{graphQueriesTableName}}",
"lastDataReceivedQuery": "{{graphQueriesTableName}}\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriteria": [
{
"type": "HasDataConnectors"
}
],
"availability": {
"status": 1,
"isPreview": false
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "Read and Write permissions are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"read": true,
"write": true,
"delete": true,
"action": false
}
}
]
},
"instructionSteps": [
{
"instructions": [
{
"type": "MarkdownControlEnvBased",
"parameters": {
"prodScript":
"#### 1. Set up your GCP environment \n You must have the following GCP resources defined and configured: topic, subscription for the topic, workload identity pool, workload identity provider and service account with permissions to get and consume from subscription. \n Terraform provides API for the IAM that creates the resources. [Link to Terraform scripts](https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/GCP/Terraform/sentinel_resources_creation).",
"govScript":
"#### 1. Set up your GCP environment \n You must have the following GCP resources defined and configured: topic, subscription for the topic, workload identity pool, workload identity provider and service account with permissions to get and consume from subscription. \n Terraform provides API for the IAM that creates the resources. [Link to Gov Terraform scripts](https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/GCP/Terraform/sentinel_resources_creation_gov)."
}
},
{
"type": "CopyableLabel",
"parameters": {
"label": "Tenant ID: A unique identifier that is used as an input in the Terraform configuration within a GCP environment.",
"fillWith": ["TenantId"],
"name": "PoolId",
"disabled": true
}
},
{
"type": "Markdown",
"parameters": {
"content": "#### 2. Connect new collectors \n To enable GCP Audit Logs for Microsoft Sentinel, click the Add new collector button, fill the required information in the context pane and click on Connect."
}
},
{
"type": "GCPGrid",
"parameters":{}
},
{
"type": "GCPContextPane",
"parameters":{}
}
]
}
],
"isConnectivityCriteriasMatchSome": false
},
"connectionsConfig": {
"templateSpecName": "[concat('/subscriptions/',variables('subscription'),'/resourceGroups/',variables('resourceGroupName'),'/providers/Microsoft.Resources/templateSpecs/',variables('dataConnectorTemplateSpecName2'))]",
"templateSpecVersion": "[variables('dataConnectorVersion2')]"
}
}
},
{
{
"name": "[variables('dataCollectionRuleId')]",
"apiVersion": "2021-09-01-preview",
"type": "Microsoft.Insights/dataCollectionRules",
@ -195,22 +197,22 @@
"properties": {
"dataCollectionEndpointId": "[variables('_dataCollectionEndpointId')]",
"destinations": {
"logAnalytics": [
{
"workspaceResourceId": "[variables('workspaceResourceId')]",
"name": "[variables('destinationName')]"
}
]
"logAnalytics": [
{
"workspaceResourceId": "[variables('workspaceResourceId')]",
"name": "[variables('destinationName')]"
}
]
},
"dataFlows": [
{
"streams": [
"[variables('logAnalyticsTableId')]"
],
"destinations": [
"[variables('destinationName')]"
]
}
{
"streams": [
"[variables('logAnalyticsTableId')]"
],
"destinations": [
"[variables('destinationName')]"
]
}
]
}
},
@ -237,15 +239,15 @@
"tier": "Microsoft",
"link": "https://support.microsoft.com"
},
"dependencies": {
"criteria": [
{
"kind": "DataConnector",
"contentId": "[variables('_dataConnectorContentId2')]",
"version": "[variables('dataConnectorVersion2')]"
}
]
}
"dependencies": {
"criteria": [
{
"kind": "DataConnector",
"contentId": "[variables('_dataConnectorContentId2')]",
"version": "[variables('dataConnectorVersion2')]"
}
]
}
}
}
]
@ -275,118 +277,120 @@
"tier": "Microsoft",
"link": "https://support.microsoft.com"
},
"dependencies": {
"criteria": [
{
"kind": "DataConnector",
"contentId": "[variables('_dataConnectorContentId2')]",
"version": "[variables('dataConnectorVersion2')]"
}
]
}
"dependencies": {
"criteria": [
{
"kind": "DataConnector",
"contentId": "[variables('_dataConnectorContentId2')]",
"version": "[variables('dataConnectorVersion2')]"
}
]
}
}
},
{
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
"apiVersion": "2022-09-01-preview",
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions",
"location": "[parameters('workspace-location')]",
"kind": "Customizable",
"properties": {
"connectorUiConfig": {
"id": "[variables('_uiConfigId1')]",
"title": "GCP Pub/Sub Audit Logs",
"publisher": "Microsoft",
"descriptionMarkdown": "The Google Cloud Platform (GCP) audit logs, ingested from Sentinel's connector, enable you to capture three types of audit logs: admin activity logs, data access logs, and access transparency logs. Google cloud audit logs record a trail that practitioners can use to monitor access and detect potential threats across Google Cloud Platform (GCP) resources.",
"graphQueriesTableName": "GCPAuditLogs",
"graphQueries": [
{
"metricName": "Total events received",
"legend": "GCP Audit Logs",
"baseQuery": "{{graphQueriesTableName}}"
{
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
"apiVersion": "2022-09-01-preview",
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions",
"location": "[parameters('workspace-location')]",
"kind": "Customizable",
"properties": {
"connectorUiConfig": {
"id": "[variables('_uiConfigId1')]",
"title": "GCP Pub/Sub Audit Logs",
"publisher": "Microsoft",
"descriptionMarkdown": "The Google Cloud Platform (GCP) audit logs, ingested from Sentinel's connector, enable you to capture three types of audit logs: admin activity logs, data access logs, and access transparency logs. Google cloud audit logs record a trail that practitioners can use to monitor access and detect potential threats across Google Cloud Platform (GCP) resources.",
"graphQueriesTableName": "GCPAuditLogs",
"graphQueries": [
{
"metricName": "Total events received",
"legend": "GCP Audit Logs",
"baseQuery": "{{graphQueriesTableName}}"
}
],
"sampleQueries": [
{
"description": "Get Sample of GCP Audit Logs",
"query": "{{graphQueriesTableName}}\n | take 10"
}
],
"dataTypes": [
{
"name": "{{graphQueriesTableName}}",
"lastDataReceivedQuery": "{{graphQueriesTableName}}\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriteria": [
{
"type": "HasDataConnectors"
}
],
"availability": {
"status": 1,
"isPreview": false
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "Read and Write permissions are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"read": true,
"write": true,
"delete": true,
"action": false
}
}
]
},
"instructionSteps": [
{
"instructions": [
{
"type": "MarkdownControlEnvBased",
"parameters": {
"prodScript":
"#### 1. Set up your GCP environment \n You must have the following GCP resources defined and configured: topic, subscription for the topic, workload identity pool, workload identity provider and service account with permissions to get and consume from subscription. \n Terraform provides API for the IAM that creates the resources. [Link to Terraform scripts](https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/GCP/Terraform/sentinel_resources_creation).",
"govScript":
"#### 1. Set up your GCP environment \n You must have the following GCP resources defined and configured: topic, subscription for the topic, workload identity pool, workload identity provider and service account with permissions to get and consume from subscription. \n Terraform provides API for the IAM that creates the resources. [Link to Gov Terraform scripts](https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/GCP/Terraform/sentinel_resources_creation_gov)."
}
],
"sampleQueries": [
{
"description": "Get Sample of GCP Audit Logs",
"query": "{{graphQueriesTableName}}\n | take 10"
}
],
"dataTypes": [
{
"name": "{{graphQueriesTableName}}",
"lastDataReceivedQuery": "{{graphQueriesTableName}}\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriteria": [
{
"type": "HasDataConnectors"
}
],
"availability": {
"status": 1,
"isPreview": false
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "Read and Write permissions are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"read": true,
"write": true,
"delete": true,
"action": false
}
}
]
},
"instructionSteps": [
{
"instructions": [
{
"type": "MarkdownControlEnvBased",
"parameters": {
"prodScript": "#### 1. Set up your GCP environment \n You must have the following GCP resources defined and configured: topic, subscription for the topic, workload identity pool, workload identity provider and service account with permissions to get and consume from subscription. \n Terraform provides API for the IAM that creates the resources. [Link to Terraform scripts](https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/GCP/Terraform/sentinel_resources_creation).",
"govScript": "#### 1. Set up your GCP environment \n You must have the following GCP resources defined and configured: topic, subscription for the topic, workload identity pool, workload identity provider and service account with permissions to get and consume from subscription. \n Terraform provides API for the IAM that creates the resources. [Link to Gov Terraform scripts](https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/GCP/Terraform/sentinel_resources_creation_gov)."
}
},
{
"type": "CopyableLabel",
"parameters": {
"label": "Tenant ID: A unique identifier that is used as an input in the Terraform configuration within a GCP environment.",
"fillWith": [ "TenantId" ],
"name": "PoolId",
"disabled": true
}
},
{
"type": "Markdown",
"parameters": {
"content": "#### 2. Connect new collectors \n To enable GCP Audit Logs for Microsoft Sentinel, click the Add new collector button, fill the required information in the context pane and click on Connect."
}
},
{
"type": "GCPGrid",
"parameters": {}
},
{
"type": "GCPContextPane",
"parameters": {}
}
]
}
],
"isConnectivityCriteriasMatchSome": false
},
"connectionsConfig": {
"templateSpecName": "[concat('/subscriptions/',variables('subscription'),'/resourceGroups/',variables('resourceGroupName'),'/providers/Microsoft.Resources/templateSpecs/',variables('dataConnectorTemplateSpecName2'))]",
"templateSpecVersion": "[variables('dataConnectorVersion2')]"
}
}
},
},
{
"type": "CopyableLabel",
"parameters": {
"label": "Tenant ID: A unique identifier that is used as an input in the Terraform configuration within a GCP environment.",
"fillWith": ["TenantId"],
"name": "PoolId",
"disabled": true
}
},
{
"type": "Markdown",
"parameters": {
"content": "#### 2. Connect new collectors \n To enable GCP Audit Logs for Microsoft Sentinel, click the Add new collector button, fill the required information in the context pane and click on Connect."
}
},
{
"type": "GCPGrid",
"parameters":{}
},
{
"type": "GCPContextPane",
"parameters":{}
}
]
}
],
"isConnectivityCriteriasMatchSome": false
},
"connectionsConfig": {
"templateSpecName": "[concat('/subscriptions/',variables('subscription'),'/resourceGroups/',variables('resourceGroupName'),'/providers/Microsoft.Resources/templateSpecs/',variables('dataConnectorTemplateSpecName2'))]",
"templateSpecVersion": "[variables('dataConnectorVersion2')]"
}
}
},
{
"type": "Microsoft.Resources/templateSpecs",
"apiVersion": "2022-02-01",
@ -401,7 +405,7 @@
"displayName": "GCPAuditLogs template"
}
},
{
{
"type": "Microsoft.Resources/templateSpecs/versions",
"apiVersion": "2022-02-01",
"name": "[concat(variables('dataConnectorTemplateSpecName2'),'/',variables('dataConnectorVersion2'))]",
@ -419,25 +423,25 @@
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorVersion2')]",
"parameters": {
"GCPProjectId": {
"type": "String",
"minLength": 4
},
"GCPProjectNumber": {
"type": "String",
"minLength": 1
},
"GCPWorkloadIdentityProviderId": {
"type": "String"
},
"GCPServiceAccountEmail": {
"type": "String",
"minLength": 1
},
"GCPSubscriptionName": {
"type": "String",
"minLength": 3
},
"GCPProjectId": {
"type": "String",
"minLength": 4
},
"GCPProjectNumber": {
"type": "String",
"minLength": 1
},
"GCPWorkloadIdentityProviderId": {
"type": "String"
},
"GCPServiceAccountEmail": {
"type": "String",
"minLength": 1
},
"GCPSubscriptionName": {
"type": "String",
"minLength": 3
},
"connectorDefinitionName": {
"defaultValue": "connectorDefinitionName",
"type": "string",
@ -457,14 +461,14 @@
"dataCollectionRuleImmutableId": "[variables('_dataCollectionRuleImmutableId')]"
}
},
"guidValue": {
"type": "string",
"defaultValue": "[[newGuid()]"
}
"guidValue": {
"type": "string",
"defaultValue": "[[newGuid()]"
}
},
"variables": {
"_dataConnectorContentId2": "[variables('_dataConnectorContentId2')]",
"connectorName": "[[concat('GCPAuditLogs', parameters('guidValue'))]"
"_dataConnectorContentId2": "[variables('_dataConnectorContentId2')]",
"connectorName": "[[concat('GCPAuditLogs', parameters('guidValue'))]"
},
"resources": [
{
@ -482,19 +486,19 @@
},
"dataType": "[variables('dataType')]",
"auth": {
"serviceAccountEmail": "[[parameters('GCPServiceAccountEmail')]",
"projectNumber": "[[parameters('GCPProjectNumber')]",
"workloadIdentityProviderId": "[[parameters('GCPWorkloadIdentityProviderId')]"
"serviceAccountEmail": "[[parameters('GCPServiceAccountEmail')]",
"projectNumber": "[[parameters('GCPProjectNumber')]",
"workloadIdentityProviderId": "[[parameters('GCPWorkloadIdentityProviderId')]"
},
"request": {
"projectId": "[[parameters('GCPProjectId')]",
"subscriptionNames": [
"[[parameters('GCPSubscriptionName')]"
]
"projectId": "[[parameters('GCPProjectId')]",
"subscriptionNames": [
"[[parameters('GCPSubscriptionName')]"
]
}
}
},
{
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]",
@ -523,7 +527,7 @@
}
}
},
{
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"location": "[parameters('workspace-location')]",
@ -558,9 +562,9 @@
]
},
"firstPublishDate": "2022-06-24",
"providers": [ "Microsoft" ],
"providers": ["Microsoft"],
"categories": {
"domains": [ "Cloud Provider" ]
"domains": ["Cloud Provider"]
}
},
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]"