diff --git a/Solutions/Oracle Cloud Infrastructure/Data/Solution_OCILogs.json b/Solutions/Oracle Cloud Infrastructure/Data/Solution_OCILogs.json
index 082e35b9b2..bf6d9f2660 100644
--- a/Solutions/Oracle Cloud Infrastructure/Data/Solution_OCILogs.json
+++ b/Solutions/Oracle Cloud Infrastructure/Data/Solution_OCILogs.json
@@ -34,7 +34,7 @@
 "Analytic Rules/OCIUnexpectedUserAgent.yaml"
 ],
 "Parsers": [
- "Parsers/OCILogs.txt"
+ "Parsers/OCILogs.yaml"
 ],
 "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Oracle Cloud Infrastructure",
 "Version": "3.0.0",
diff --git a/Solutions/Oracle Cloud Infrastructure/Package/3.0.1.zip b/Solutions/Oracle Cloud Infrastructure/Package/3.0.1.zip
new file mode 100644
index 0000000000..abbbd17622
Binary files /dev/null and b/Solutions/Oracle Cloud Infrastructure/Package/3.0.1.zip differ
diff --git a/Solutions/Oracle Cloud Infrastructure/Package/createUiDefinition.json b/Solutions/Oracle Cloud Infrastructure/Package/createUiDefinition.json
index cc49c132f7..a34550d6c5 100644
--- a/Solutions/Oracle Cloud Infrastructure/Package/createUiDefinition.json
+++ b/Solutions/Oracle Cloud Infrastructure/Package/createUiDefinition.json
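Review bot: `"Version": "3.0.0"` is left unchanged in the context lines of this hunk while the packaged mainTemplate.json in the same commit moves `_solutionVersion` to 3.0.1 (hunk at -41) and a Package/3.0.1.zip is added. If this Data file is the input the solution packaging tool reads, the next regeneration will emit 3.0.0 again and diverge from the checked-in 3.0.1 package, so bump it here as well: `"Version": "3.0.1",`. The parser entry now points at Parsers/OCILogs.yaml, but the parser file itself is not part of this diff, so confirm it exists at that path before the rename lands. The enclosing JSON object opens and closes outside the hunk.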
@@ -6,7 +6,7 @@
 "config": {
 "isWizard": false,
 "basics": {
- "description": "\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Oracle%20Cloud%20Infrastructure/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe Oracle Cloud Infrastructure (OCI) solution provides the capability to ingest OCI Logs from [OCI Stream](https://docs.oracle.com/iaas/Content/Streaming/Concepts/streamingoverview.htm) into Microsoft Sentinel using the [OCI Streaming REST API](https://docs.oracle.com/iaas/api/#/streaming/streaming/20180418).\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\n\nb. [Azure Functions](https://azure.microsoft.com/services/functions/#overview)\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": "\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Oracle%20Cloud%20Infrastructure/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Oracle Cloud Infrastructure (OCI) solution provides the capability to ingest OCI Logs from [OCI Stream](https://docs.oracle.com/iaas/Content/Streaming/Concepts/streamingoverview.htm) into Microsoft Sentinel using the [OCI Streaming REST API](https://docs.oracle.com/iaas/api/#/streaming/streaming/20180418).\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\n\nb. [Azure Functions](https://azure.microsoft.com/services/functions/#overview)\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
 "subscription": {
 "resourceProviders": [
 "Microsoft.OperationsManagement/solutions",
diff --git a/Solutions/Oracle Cloud Infrastructure/Package/mainTemplate.json b/Solutions/Oracle Cloud Infrastructure/Package/mainTemplate.json
index ee863fcea0..d7baa0b09a 100644
--- a/Solutions/Oracle Cloud Infrastructure/Package/mainTemplate.json
+++ b/Solutions/Oracle Cloud Infrastructure/Package/mainTemplate.json
@@ -41,7 +41,7 @@
 "email": "support@microsoft.com",
 "_email": "[variables('email')]",
 "_solutionName": "Oracle Cloud Infrastructure",
- "_solutionVersion": "3.0.0",
+ "_solutionVersion": "3.0.1",
 "solutionId": "azuresentinel.azure-sentinel-solution-ocilogs",
 "_solutionId": "[variables('solutionId')]",
 "workbookVersion1": "1.0.0",
@@ -201,7 +201,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "OracleCloudInfrastructureOCIWorkbook Workbook with template version 3.0.0",
+ "description": "OracleCloudInfrastructureOCIWorkbook Workbook with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion1')]",
@@ -289,7 +289,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "OCIDestinationsIn_HuntingQueries Hunting Query with template version 3.0.0",
+ "description": "OCIDestinationsIn_HuntingQueries Hunting Query with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryVersion1')]",
@@ -374,7 +374,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "OCIDestinationsOut_HuntingQueries Hunting Query with template version 3.0.0",
+ "description": "OCIDestinationsOut_HuntingQueries Hunting Query with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryVersion2')]",
@@ -459,7 +459,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "OCILaunchedInstances_HuntingQueries Hunting Query with template version 3.0.0",
+ "description": "OCILaunchedInstances_HuntingQueries Hunting Query with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryVersion3')]",
@@ -544,7 +544,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "OCIUpdateActivities_HuntingQueries Hunting Query with template version 3.0.0",
+ "description": "OCIUpdateActivities_HuntingQueries Hunting Query with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryVersion4')]",
@@ -629,7 +629,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "OCIUserDeleteActions_HuntingQueries Hunting Query with template version 3.0.0",
+ "description": "OCIUserDeleteActions_HuntingQueries Hunting Query with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryVersion5')]",
@@ -714,7 +714,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "OCIUserDeletedUsers_HuntingQueries Hunting Query with template version 3.0.0",
+ "description": "OCIUserDeletedUsers_HuntingQueries Hunting Query with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryVersion6')]",
@@ -799,7 +799,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "OCIUserNewUsers_HuntingQueries Hunting Query with template version 3.0.0",
+ "description": "OCIUserNewUsers_HuntingQueries Hunting Query with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryVersion7')]",
@@ -884,7 +884,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "OCIUserSources_HuntingQueries Hunting Query with template version 3.0.0",
+ "description": "OCIUserSources_HuntingQueries Hunting Query with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryVersion8')]",
@@ -969,7 +969,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "OCIUserTerminatedInstances_HuntingQueries Hunting Query with template version 3.0.0",
+ "description": "OCIUserTerminatedInstances_HuntingQueries Hunting Query with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryVersion9')]",
@@ -1054,7 +1054,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "OCIUserUpdatedInstances_HuntingQueries Hunting Query with template version 3.0.0",
+ "description": "OCIUserUpdatedInstances_HuntingQueries Hunting Query with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryVersion10')]",
@@ -1139,7 +1139,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Oracle Cloud Infrastructure data connector with template version 3.0.0",
+ "description": "Oracle Cloud Infrastructure data connector with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('dataConnectorVersion1')]",
@@ -1264,18 +1264,40 @@
 ]
 },
 {
- "description": "Use this method for automated deployment of the OCI data connector using an ARM Template.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-OracleCloudInfrastructureLogsConnector-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Microsoft Sentinel Workspace Id**, **Microsoft Sentinel Shared Key**, **User**, **Key_content**, **Pass_phrase**, **Fingerprint**, **Tenancy**, **Region**, **Message Endpoint**, **Stream Ocid**\n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**.\n5. Click **Purchase** to deploy.",
- "title": "Option 1 - Azure Resource Manager (ARM) Template"
- },
- {
- "description": "Use the following step-by-step instructions to deploy the OCI data connector manually with Azure Functions (Deployment via Visual Studio Code).",
- "title": "Option 2 - Manual Deployment of Azure Functions"
- },
- {
- "description": "**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/create-first-function-vs-code-python) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-OracleCloudInfrastructureLogsConnector-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. OciAuditXX).\n\n\te. **Select a runtime:** Choose Python 3.8.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration."
- },
- {
- "description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tAzureSentinelWorkspaceId\n\t\tAzureSentinelSharedKey\n\t\tuser\n\t\tkey_content\n\t\tpass_phrase (Optional)\n\t\tfingerprint\n\t\ttenancy\n\t\tregion\n\t\tMessage Endpoint\n\t\tStreamOcid\n\t\tlogAnalyticsUri (Optional)\n - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://WORKSPACE_ID.ods.opinsights.azure.us`. \n4. Once all application settings have been entered, click **Save**."
+ "instructions": [
+ {
+ "parameters": {
+ "instructionSteps": [
+ {
+ "title": "Option 1 - Azure Resource Manager (ARM) Template",
+ "description": "Use this method for automated deployment of the OCI data connector using an ARM Template.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-OracleCloudInfrastructureLogsConnector-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Microsoft Sentinel Workspace Id**, **Microsoft Sentinel Shared Key**, **User**, **Key_content**, **Pass_phrase**, **Fingerprint**, **Tenancy**, **Region**, **Message Endpoint**, **Stream Ocid**\n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**.\n5. Click **Purchase** to deploy."
+ },
+ {
+ "title": "Option 2 - Manual Deployment of Azure Functions",
+ "description": "Use the following step-by-step instructions to deploy the OCI data connector manually with Azure Functions (Deployment via Visual Studio Code).",
+ "instructions": [
+ {
+ "parameters": {
+ "instructionSteps": [
+ {
+ "title": "Step 1 - Deploy a Function App",
+ "description": "1. Download the [Azure Function App](https://aka.ms/sentinel-OracleCloudInfrastructureLogsConnector-functionapp) file. Extract archive to your local development computer..\n2. Follow the [function app manual deployment instructions](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/AzureFunctionsManualDeployment.md#function-app-manual-deployment-instructions) to deploy the Azure Functions app using VSCode.\n3. After successful deployment of the function app, follow next steps for configuring it."
+ },
+ {
+ "title": "Step 2 - Configure the Function App",
+ "description": "1. Go to Azure Portal for the Function App configuration.\n2. In the Function App, select the Function App Name and select **Configuration**.\n3. In the **Application settings** tab, select **+ New application setting**.\n4. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tAzureSentinelWorkspaceId\n\t\tAzureSentinelSharedKey\n\t\tuser\n\t\tkey_content\n\t\tpass_phrase (Optional)\n\t\tfingerprint\n\t\ttenancy\n\t\tregion\n\t\tMessage Endpoint\n\t\tStreamOcid\n\t\tlogAnalyticsUri (Optional)\n - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://WORKSPACE_ID.ods.opinsights.azure.us`.\n5. Once all application settings have been entered, click **Save**."
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
 }
 ]
 }
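Review bot: The new "Step 1 - Deploy a Function App" description drops the runtime requirement the removed text carried (`**Select a runtime:** Choose Python 3.8.`) along with the VS Code preparation note, delegating both to the generic AzureFunctionsManualDeployment.md link; unless that page names the runtime this function app needs, an operator can deploy onto an unsupported one, so keep a one-line runtime hint in the step (the same string also has a doubled period in `local development computer..`). In "Step 2 - Configure the Function App", `key_content`, `pass_phrase` and `AzureSentinelSharedKey` are entered as literal application-setting values; a sentence recommending Key Vault references for these three settings instead of plaintext values would be worth adding. The identical block is repeated in the hunk at -1468 and needs the same edits. The enclosing `instructionSteps` array opens before this hunk.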
@@ -1468,18 +1490,40 @@
 ]
 },
 {
- "description": "Use this method for automated deployment of the OCI data connector using an ARM Template.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-OracleCloudInfrastructureLogsConnector-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Microsoft Sentinel Workspace Id**, **Microsoft Sentinel Shared Key**, **User**, **Key_content**, **Pass_phrase**, **Fingerprint**, **Tenancy**, **Region**, **Message Endpoint**, **Stream Ocid**\n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**.\n5. Click **Purchase** to deploy.",
- "title": "Option 1 - Azure Resource Manager (ARM) Template"
- },
- {
- "description": "Use the following step-by-step instructions to deploy the OCI data connector manually with Azure Functions (Deployment via Visual Studio Code).",
- "title": "Option 2 - Manual Deployment of Azure Functions"
- },
- {
- "description": "**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/create-first-function-vs-code-python) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-OracleCloudInfrastructureLogsConnector-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. OciAuditXX).\n\n\te. **Select a runtime:** Choose Python 3.8.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration."
- },
- {
- "description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tAzureSentinelWorkspaceId\n\t\tAzureSentinelSharedKey\n\t\tuser\n\t\tkey_content\n\t\tpass_phrase (Optional)\n\t\tfingerprint\n\t\ttenancy\n\t\tregion\n\t\tMessage Endpoint\n\t\tStreamOcid\n\t\tlogAnalyticsUri (Optional)\n - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://WORKSPACE_ID.ods.opinsights.azure.us`. \n4. Once all application settings have been entered, click **Save**."
+ "instructions": [
+ {
+ "parameters": {
+ "instructionSteps": [
+ {
+ "title": "Option 1 - Azure Resource Manager (ARM) Template",
+ "description": "Use this method for automated deployment of the OCI data connector using an ARM Template.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-OracleCloudInfrastructureLogsConnector-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Microsoft Sentinel Workspace Id**, **Microsoft Sentinel Shared Key**, **User**, **Key_content**, **Pass_phrase**, **Fingerprint**, **Tenancy**, **Region**, **Message Endpoint**, **Stream Ocid**\n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**.\n5. Click **Purchase** to deploy."
+ },
+ {
+ "title": "Option 2 - Manual Deployment of Azure Functions",
+ "description": "Use the following step-by-step instructions to deploy the OCI data connector manually with Azure Functions (Deployment via Visual Studio Code).",
+ "instructions": [
+ {
+ "parameters": {
+ "instructionSteps": [
+ {
+ "title": "Step 1 - Deploy a Function App",
+ "description": "1. Download the [Azure Function App](https://aka.ms/sentinel-OracleCloudInfrastructureLogsConnector-functionapp) file. Extract archive to your local development computer..\n2. Follow the [function app manual deployment instructions](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/AzureFunctionsManualDeployment.md#function-app-manual-deployment-instructions) to deploy the Azure Functions app using VSCode.\n3. After successful deployment of the function app, follow next steps for configuring it."
+ },
+ {
+ "title": "Step 2 - Configure the Function App",
+ "description": "1. Go to Azure Portal for the Function App configuration.\n2. In the Function App, select the Function App Name and select **Configuration**.\n3. In the **Application settings** tab, select **+ New application setting**.\n4. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tAzureSentinelWorkspaceId\n\t\tAzureSentinelSharedKey\n\t\tuser\n\t\tkey_content\n\t\tpass_phrase (Optional)\n\t\tfingerprint\n\t\ttenancy\n\t\tregion\n\t\tMessage Endpoint\n\t\tStreamOcid\n\t\tlogAnalyticsUri (Optional)\n - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://WORKSPACE_ID.ods.opinsights.azure.us`.\n5. Once all application settings have been entered, click **Save**."
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
 }
 ],
 "id": "[variables('_uiConfigId1')]",
@@ -1496,7 +1540,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "OCIDiscoveryActivity_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "description": "OCIDiscoveryActivity_AnalyticalRules Analytics Rule with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleVersion1')]",
@@ -1538,13 +1582,13 @@
 ],
 "entityMappings": [
 {
- "entityType": "Account",
 "fieldMappings": [
 {
 "identifier": "Name",
 "columnName": "AccountCustomEntity"
 }
- ]
+ ],
+ "entityType": "Account"
 }
 ]
 }
@@ -1600,7 +1644,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "OCIEventRuleDeleted_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "description": "OCIEventRuleDeleted_AnalyticalRules Analytics Rule with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleVersion2')]",
@@ -1642,13 +1686,13 @@
 ],
 "entityMappings": [
 {
- "entityType": "IP",
 "fieldMappings": [
 {
 "identifier": "Address",
 "columnName": "IPCustomEntity"
 }
- ]
+ ],
+ "entityType": "IP"
 }
 ]
 }
@@ -1704,7 +1748,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "OCIInboundSSHConnection_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "description": "OCIInboundSSHConnection_AnalyticalRules Analytics Rule with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleVersion3')]",
@@ -1746,13 +1790,13 @@
 ],
 "entityMappings": [
 {
- "entityType": "IP",
 "fieldMappings": [
 {
 "identifier": "Address",
 "columnName": "IPCustomEntity"
 }
- ]
+ ],
+ "entityType": "IP"
 }
 ]
 }
@@ -1808,7 +1852,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "OCIInsecureMetadataEndpoint_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "description": "OCIInsecureMetadataEndpoint_AnalyticalRules Analytics Rule with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleVersion4')]",
@@ -1850,13 +1894,13 @@
 ],
 "entityMappings": [
 {
- "entityType": "IP",
 "fieldMappings": [
 {
 "identifier": "Address",
 "columnName": "IPCustomEntity"
 }
- ]
+ ],
+ "entityType": "IP"
 }
 ]
 }
@@ -1912,7 +1956,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "OCIMetadataEndpointIpAccess_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "description": "OCIMetadataEndpointIpAccess_AnalyticalRules Analytics Rule with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleVersion5')]",
@@ -1954,13 +1998,13 @@
 ],
 "entityMappings": [
 {
- "entityType": "IP",
 "fieldMappings": [
 {
 "identifier": "Address",
 "columnName": "IPCustomEntity"
 }
- ]
+ ],
+ "entityType": "IP"
 }
 ]
 }
@@ -2016,7 +2060,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "OCIMultipleInstancesLaunched_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "description": "OCIMultipleInstancesLaunched_AnalyticalRules Analytics Rule with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleVersion6')]",
@@ -2058,13 +2102,13 @@
 ],
 "entityMappings": [
 {
- "entityType": "IP",
 "fieldMappings": [
 {
 "identifier": "Address",
 "columnName": "IPCustomEntity"
 }
- ]
+ ],
+ "entityType": "IP"
 }
 ]
 }
@@ -2120,7 +2164,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "OCIMultipleInstancesTerminated_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "description": "OCIMultipleInstancesTerminated_AnalyticalRules Analytics Rule with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleVersion7')]",
@@ -2162,13 +2206,13 @@
 ],
 "entityMappings": [
 {
- "entityType": "IP",
 "fieldMappings": [
 {
 "identifier": "Address",
 "columnName": "IPCustomEntity"
 }
- ]
+ ],
+ "entityType": "IP"
 }
 ]
 }
@@ -2224,7 +2268,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "OCIMultipleRejects_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "description": "OCIMultipleRejects_AnalyticalRules Analytics Rule with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleVersion8')]",
@@ -2266,13 +2310,13 @@
 ],
 "entityMappings": [
 {
- "entityType": "IP",
 "fieldMappings": [
 {
 "identifier": "Address",
 "columnName": "IPCustomEntity"
 }
- ]
+ ],
+ "entityType": "IP"
 }
 ]
 }
@@ -2328,7 +2372,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "OCISSHScan_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "description": "OCISSHScan_AnalyticalRules Analytics Rule with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleVersion9')]",
@@ -2370,13 +2414,13 @@
 ],
 "entityMappings": [
 {
- "entityType": "IP",
 "fieldMappings": [
 {
 "identifier": "Address",
 "columnName": "IPCustomEntity"
 }
- ]
+ ],
+ "entityType": "IP"
 }
 ]
 }
@@ -2432,7 +2476,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "OCIUnexpectedUserAgent_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "description": "OCIUnexpectedUserAgent_AnalyticalRules Analytics Rule with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleVersion10')]",
@@ -2474,13 +2518,13 @@
 ],
 "entityMappings": [
 {
- "entityType": "IP",
 "fieldMappings": [
 {
 "identifier": "Address",
 "columnName": "IPCustomEntity"
 }
- ]
+ ],
+ "entityType": "IP"
 }
 ]
 }
@@ -2536,7 +2580,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "OCILogs Data Parser with template version 3.0.0",
+ "description": "OCILogs Data Parser with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('parserVersion1')]",
@@ -2551,15 +2595,15 @@ "properties": { "eTag": "*", "displayName": "OCILogs", - "category": "Samples", + "category": "Microsoft Sentinel Parser", "functionAlias": "OCILogs", - "query": "\nOCI_Logs_CL\r\n| extend EventVendor = 'Oracle'\r\n| extend EventProduct = 'Oracle Cloud Infrastructure'\r\n| extend EventStartTime = coalesce(unixtime_seconds_todatetime(column_ifexists(\"data_startTime_d\", long(null))), time_t)\r\n| extend EventEndTime = coalesce(unixtime_seconds_todatetime(column_ifexists(\"data_endTime_d\", long(null))), time_t)\r\n| extend SrcIpAddr=coalesce(column_ifexists(\"data_sourceAddress_s\",''),data_identity_ipAddress_s)\r\n, SrcPortNumber=column_ifexists(\"data_sourcePort_d\", '')\r\n, DstIpAddr=column_ifexists(\"data_destinationAddress_s\",'')\r\n, DstPortNumber=column_ifexists(\"data_destinationPort_d\",'')\r\n, DstBytes=column_ifexists(\"data_bytesOut_d\",'')\r\n, NetworkProtocol=column_ifexists(\"data_protocolName_s\",'')\r\n, data_stateChange_current_Instance_displayName_s = column_ifexists(\"data_stateChange_current_Instance_displayName_s\",'')\r\n, data_stateChange_current_userName_s = column_ifexists(\"data_stateChange_current_userName_s\",'')\r\n, data_request_headers_oci_original_url_s = column_ifexists(\"data_request_headers_oci_original_url_s\", '')\r\n, data_action_s = column_ifexists(\"data_action_s\",'')\r\n| project-rename EventType=type_s\r\n| project-rename EventMessage=data_message_s\r\n| project-rename HttpUserAgentOriginal=data_identity_userAgent_s\r\n| project-rename HttpStatusCode=data_response_status_s\r\n| project-rename HttpRequestMethod=data_request_action_s\r\n\r\n\r\n", + "query": "OCI_Logs_CL\n| extend EventVendor = 'Oracle'\n| extend EventProduct = 'Oracle Cloud Infrastructure'\n| extend EventStartTime = coalesce(unixtime_seconds_todatetime(column_ifexists(\"data_startTime_d\", long(null))), time_t)\n| extend EventEndTime = coalesce(unixtime_seconds_todatetime(column_ifexists(\"data_endTime_d\", long(null))), 
time_t)\n| extend SrcIpAddr=coalesce(column_ifexists(\"data_sourceAddress_s\",''),data_identity_ipAddress_s)\n, SrcPortNumber=column_ifexists(\"data_sourcePort_d\", '')\n, DstIpAddr=column_ifexists(\"data_destinationAddress_s\",'')\n, DstPortNumber=column_ifexists(\"data_destinationPort_d\",'')\n, DstBytes=column_ifexists(\"data_bytesOut_d\",'')\n, NetworkProtocol=column_ifexists(\"data_protocolName_s\",'')\n, data_stateChange_current_Instance_displayName_s = column_ifexists(\"data_stateChange_current_Instance_displayName_s\",'')\n, data_stateChange_current_userName_s = column_ifexists(\"data_stateChange_current_userName_s\",'')\n, data_request_headers_oci_original_url_s = column_ifexists(\"data_request_headers_oci_original_url_s\", '')\n, data_action_s = column_ifexists(\"data_action_s\",'')\n| project-rename EventType=type_s\n| project-rename EventMessage=data_message_s\n| project-rename HttpUserAgentOriginal=data_identity_userAgent_s\n| project-rename HttpStatusCode=data_response_status_s\n| project-rename HttpRequestMethod=data_request_action_s\n", "functionParameters": "", - "version": 1, + "version": 2, "tags": [ { "name": "description", - "value": "OCILogs" + "value": "" } ] } @@ -2569,7 +2613,7 @@ "apiVersion": "2022-01-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId1'),'/'))))]", "dependsOn": [ - "[variables('_parserName1')]" + "[variables('_parserId1')]" ], "properties": { "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]", 
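Review bot: The new `query` value still hard-references six columns without `column_ifexists()` — `data_identity_ipAddress_s` as the fallback inside the `SrcIpAddr` coalesce, and the five `project-rename` sources `type_s`, `data_message_s`, `data_identity_userAgent_s`, `data_response_status_s` and `data_request_action_s` — so the `OCILogs` function errors out for any workspace whose `OCI_Logs_CL` table has not yet received a record carrying all of them (for example a tenant ingesting only VCN flow logs, which have no `data_identity_*` or `data_response_*` fields), which appears to be exactly the failure mode the 3.0.0 note ("adding Columnifexists condition to avoid errors") set out to remove. Since `project-rename` has no column-if-exists form, the portable shape is an `extend` with a guarded source for each of those names, as sketched below; note that `extend` keeps the raw column alongside the normalized one rather than replacing it, so the output column set widens slightly, and if that matters the raw names would need a trailing `project-away` that itself cannot be guarded. The same `query` text appears to be emitted a second time further down in this template for the parallel parser resource, so whichever form is chosen should be applied to both copies. Beyond robustness there is an operational-security angle: a parser that throws takes every analytic rule built on `OCILogs` (the five `*_AnalyticalRules` bumped above) silently offline, and a silently failing detection is worse than none.
```kql
// … unchanged: EventVendor / EventProduct / EventStartTime / EventEndTime …
| extend SrcIpAddr = coalesce(column_ifexists("data_sourceAddress_s", ''), column_ifexists("data_identity_ipAddress_s", ''))
// … unchanged: SrcPortNumber … data_action_s …
| extend EventType = column_ifexists("type_s", '')
, EventMessage = column_ifexists("data_message_s", '')
, HttpUserAgentOriginal = column_ifexists("data_identity_userAgent_s", '')
, HttpStatusCode = column_ifexists("data_response_status_s", '')
, HttpRequestMethod = column_ifexists("data_request_action_s", '')
```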
@@ -2616,15 +2660,15 @@ "properties": { "eTag": "*", "displayName": "OCILogs", - "category": "Samples", + "category": "Microsoft Sentinel Parser", "functionAlias": "OCILogs", - "query": "\nOCI_Logs_CL\r\n| extend EventVendor = 'Oracle'\r\n| extend EventProduct = 'Oracle Cloud Infrastructure'\r\n| extend EventStartTime = coalesce(unixtime_seconds_todatetime(column_ifexists(\"data_startTime_d\", long(null))), time_t)\r\n| extend EventEndTime = coalesce(unixtime_seconds_todatetime(column_ifexists(\"data_endTime_d\", long(null))), time_t)\r\n| extend SrcIpAddr=coalesce(column_ifexists(\"data_sourceAddress_s\",''),data_identity_ipAddress_s)\r\n, SrcPortNumber=column_ifexists(\"data_sourcePort_d\", '')\r\n, DstIpAddr=column_ifexists(\"data_destinationAddress_s\",'')\r\n, DstPortNumber=column_ifexists(\"data_destinationPort_d\",'')\r\n, DstBytes=column_ifexists(\"data_bytesOut_d\",'')\r\n, NetworkProtocol=column_ifexists(\"data_protocolName_s\",'')\r\n, data_stateChange_current_Instance_displayName_s = column_ifexists(\"data_stateChange_current_Instance_displayName_s\",'')\r\n, data_stateChange_current_userName_s = column_ifexists(\"data_stateChange_current_userName_s\",'')\r\n, data_request_headers_oci_original_url_s = column_ifexists(\"data_request_headers_oci_original_url_s\", '')\r\n, data_action_s = column_ifexists(\"data_action_s\",'')\r\n| project-rename EventType=type_s\r\n| project-rename EventMessage=data_message_s\r\n| project-rename HttpUserAgentOriginal=data_identity_userAgent_s\r\n| project-rename HttpStatusCode=data_response_status_s\r\n| project-rename HttpRequestMethod=data_request_action_s\r\n\r\n\r\n", + "query": "OCI_Logs_CL\n| extend EventVendor = 'Oracle'\n| extend EventProduct = 'Oracle Cloud Infrastructure'\n| extend EventStartTime = coalesce(unixtime_seconds_todatetime(column_ifexists(\"data_startTime_d\", long(null))), time_t)\n| extend EventEndTime = coalesce(unixtime_seconds_todatetime(column_ifexists(\"data_endTime_d\", long(null))), 
time_t)\n| extend SrcIpAddr=coalesce(column_ifexists(\"data_sourceAddress_s\",''),data_identity_ipAddress_s)\n, SrcPortNumber=column_ifexists(\"data_sourcePort_d\", '')\n, DstIpAddr=column_ifexists(\"data_destinationAddress_s\",'')\n, DstPortNumber=column_ifexists(\"data_destinationPort_d\",'')\n, DstBytes=column_ifexists(\"data_bytesOut_d\",'')\n, NetworkProtocol=column_ifexists(\"data_protocolName_s\",'')\n, data_stateChange_current_Instance_displayName_s = column_ifexists(\"data_stateChange_current_Instance_displayName_s\",'')\n, data_stateChange_current_userName_s = column_ifexists(\"data_stateChange_current_userName_s\",'')\n, data_request_headers_oci_original_url_s = column_ifexists(\"data_request_headers_oci_original_url_s\", '')\n, data_action_s = column_ifexists(\"data_action_s\",'')\n| project-rename EventType=type_s\n| project-rename EventMessage=data_message_s\n| project-rename HttpUserAgentOriginal=data_identity_userAgent_s\n| project-rename HttpStatusCode=data_response_status_s\n| project-rename HttpRequestMethod=data_request_action_s\n", "functionParameters": "", - "version": 1, + "version": 2, "tags": [ { "name": "description", - "value": "OCILogs" + "value": "" } ] } @@ -2664,7 +2708,7 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.0", + "version": "3.0.1", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "Oracle Cloud Infrastructure", diff --git a/Solutions/Oracle Cloud Infrastructure/ReleaseNotes.md b/Solutions/Oracle Cloud Infrastructure/ReleaseNotes.md index 984d7af449..ec77ac0f4c 100644 --- a/Solutions/Oracle Cloud Infrastructure/ReleaseNotes.md +++ b/Solutions/Oracle Cloud Infrastructure/ReleaseNotes.md 
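Review bot: In the new `query` value the numeric `_d` columns are guarded with a string default — `column_ifexists("data_sourcePort_d", '')`, `column_ifexists("data_destinationPort_d", '')`, `column_ifexists("data_bytesOut_d", '')` — so `SrcPortNumber`, `DstPortNumber` and `DstBytes` come out typed `real` in a workspace where the column exists and `string` in one where it does not, which means the function's schema differs per tenant and any consumer that compares them numerically (a filter on port 22, say) will either type-fail or silently match nothing in the absent case. Defaulting to a null of the column's own type, and casting to the integer type the normalized names suggest, keeps the output schema stable: `, SrcPortNumber = toint(column_ifexists("data_sourcePort_d", real(null)))`, `, DstPortNumber = toint(column_ifexists("data_destinationPort_d", real(null)))`, `, DstBytes = tolong(column_ifexists("data_bytesOut_d", real(null)))`. This appears to be the second copy of the same parser text in the template (the first is in the `contentTemplates` block above), so both `query` strings need the identical change or the two deployments will drift. Independently of that, emptying the `description` tag to `""` on the `version: 2` bump drops the only human-readable label the saved search carried; a one-line value such as `"Normalizes OCI_Logs_CL audit and VCN flow events to common EventVendor/Src*/Dst*/Http* columns"` would cost nothing.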
@@ -1,3 +1,4 @@ -| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | -|-------------|--------------------------------|---------------------------------------------| -| 3.0.0 | 21-08-2023 | Modified the **Parser** by adding Columnifexists condition to avoid errors. \ No newline at end of file +| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | +|-------------|--------------------------------|-----------------------------------------------------------------------------| +| 3.0.1 | 05-10-2023 | Manual deployment instructions updated for **Data Connector** | +| 3.0.0 | 21-08-2023 | Modified the **Parser** by adding Columnifexists condition to avoid errors. | \ No newline at end of file