Azure
/
Azure-Sentinel
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Update readme.md 

Updated publishing instructions
This commit is contained in:
eerus 2023-01-06 11:38:53 -06:00 коммит произвёл GitHub
Родитель de74f40e18
Коммит bc64f554f2
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: 4AEE18F83AFDEB23
1 изменённых файлов: 15 добавлений и 34 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

49
Solutions/CohesitySecurity/Data Connectors/Helios2Sentinel/IncidentProducer/readme.md
Просмотреть файл

@ -1,46 +1,27 @@
# IncidentProducer Azure Function
This function retrieves ransomware alerts from Cohesity DataHawk and lands them in the queue for further processing and storing in the Sentinel Incident table.
## Publishing Prerequisites
1. Get your DataHawk API key.
* Go to the Cohesity Helios [login page](https://helios.cohesity.com/login).
## Publish Azure Function
* Run ``az login`` followed by ``func azure functionapp publish IncidentProducer --csharp --force``
## Testing
* Check that the function successfully runs at _IncidentProducer | Functions | Monitor_ - each function run precedes the corresponding info message. If not, please see the troubleshooting section for tips.
## Troubleshooting
1. If the function fails because your DataHawk (Helios) API key expired, get your new key by following these steps
* Go to the Cohesity DataHawk (Helios) [login page](https://helios.cohesity.com/login).
* Enter your credentials and select _Log In_. The _Summary_ page is displayed.
* Navigate to _Settings > Access Management_. The _Users_ tab is displayed.
* Select _Add API Key_. The API Key Details is displayed.
* Enter a name for the API key.
* Select _Save_. The API Key Token is displayed.
2. Create your Sentinel [workspace](https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel).
2. If you're not receiving new incidents, make sure that you created your Sentinel [workspace](https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel) and also specified it correctly in the _Workspace_ environment variable.
* __Attention__: It should be the same workspace as created for [IncidentConsumer](https://github.com/cohesity/Azure-Sentinel/tree/CohesitySecurity.internal/Solutions/CohesitySecurity/Data%20Connectors/Helios2Sentinel/IncidentConsumer#readme).
3. [Register](https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/RegisteredApps) a client application in Azure Active Directory with the Contributor privileges ([steps](https://learn.microsoft.com/azure/healthcare-apis/register-application)).
* Save _Application (client) ID_, _Directory (tenant) ID_ and _Secret Value_.
4. Create a new queue in [Azure Storage Accounts](https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Storage%2FStorageAccounts) ([steps](https://learn.microsoft.com/azure/storage/queues/storage-quickstart-queues-portal)).
* __Attention__: It should be the same workspace as created for [IncidentConsumer](https://github.com/cohesity/Azure-Sentinel/tree/CohesitySecurity.internal/Solutions/CohesitySecurity/Data%20Connectors/Helios2Sentinel/IncidentConsumer#readme).
* Save the connection string
5. Create an instance of [Azure Cache for Redis](https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Cache%2FRedis) ([steps](https://learn.microsoft.com/azure/azure-cache-for-redis/cache-configure))
* Save the connection string
## Publish the Azure Function
* You can publish an Azure Function with Visual Studio ([steps](https://learn.microsoft.com/azure/azure-functions/functions-develop-vs?tabs=in-process#publish-to-azure)) or Visual Studio Code ([steps](https://learn.microsoft.com/azure/azure-functions/functions-develop-vs-code?tabs=csharp#publish-to-azure)).
* Alternatively, you can do it from the command line. An important note on using the following commands, the Azure Function version must match what is defined in your codebase. Visual Studio will prompt to upgrade the function if this is different, the command below may not.
Run the following commands
``az login``
followed by
``func azure functionapp publish IncidentProducer --csharp --force``
## Post Publishing Steps
1. In the [Function App](https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Web%2Fsites/kind/functionapp) window choose IncidentProducer.
2. Click on _Configuration_ to see the _IncidentProducer | Configuration_ window.
3. Set the following parameters in the _Application Settings_ tab to the corresponding values you created in the __Publishing Prerequisites__ above. If you don't see one of these settings, then press the _+New Application Setting_ button and create it (learn more about changing Application Settings [here](https://learn.microsoft.com/azure/app-service/configure-common?tabs=portal)).
* _AzureWebJobsStorage_: The queue connection string.
* _apiKey_: The DataHawk API key.
* _startDaysAgo_: If it's the first run, how many days of historical events would you like to get? By default, we recommend to set it to _-30_ meaning that you'll get all alerts that happened between 30 days ago and now. If you set it to 0, then you'll get only new alerts.
* _connectStr_: The Redis cache connection string.
* _workspace_: Your workspace name.
* _CohesityQueueName_: Your queue name.
4. Restart the Azure Function.
3. If this function receives incidents but they don't get into the Sentinel Incidents table, make sure that you have a valid queue in [Azure Storage Accounts](https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Storage%2FStorageAccounts) ([steps to create a queue](https://learn.microsoft.com/azure/storage/queues/storage-quickstart-queues-portal)) and the path is correctly specified in the _AzureWebJobsStorage_ environment variable.
* __Attention__: It should be the same queue as created for [IncidentConsumer](https://github.com/cohesity/Azure-Sentinel/tree/CohesitySecurity.internal/Solutions/CohesitySecurity/Data%20Connectors/Helios2Sentinel/IncidentConsumer#readme).
4. If it's the first run, how many days of historical events would you like to get? If you're ok to see a blank table until you get a new alert, then skip this recommendation. If not, then we recommend to set the _startDaysAgo_ variable to _-30_ meaning that you'll get all alerts that happened between 30 days ago and now. If you set it to 0, then you'll get only new alerts.
5. Check that all environment variables are set correctly by comparing their names with the ones in [local.settings.json](https://github.com/cohesity/Azure-Sentinel/blob/CohesitySecurity.internal/Solutions/CohesitySecurity/Data%20Connectors/Helios2Sentinel/IncidentProducer/local.settings.json).
6. If you changed any of the environment variables, we highly recommend restarting the function after that.
* Go to the _Overview_ blade of the IncidentProducer function.
* Press _Restart_.
* Confirm the restart.
## Testing
Check that the function successfully runs at _IncidentProducer | Functions | Monitor_. If not, please check that you created all environment variables correctly by comparing their names with the ones in [local.settings.json](https://github.com/cohesity/Azure-Sentinel/blob/CohesitySecurity.internal/Solutions/CohesitySecurity/Data%20Connectors/Helios2Sentinel/IncidentProducer/local.settings.json).