Azure-Sentinel/Tools/CustomLogsIngestion-DCE-DCR
v-rucdu 22e3e6e903
Solution Tool Updates for Template Spec Migration (#4655)
* Initial Template Spec Automation

* Example Template Spec Input File

* Updated code to add Template Spec for parser

* Updated Dataconnector metadata id

* Handled Template Spec for AR, HQ and Workbooks

* 1PConnector support and techniques, id prop for HQ

* Handled the review scenarios

* Updated Package tool for comments from Sarath

* Tool updates

* Updated files

* Working Template with Analytical Rule Fix

* Updated ResourceId ref of Workbook, AR and HQ

* Fixed the solutionId issue

* Fixed AnalyticalRule typo

* Fixing query frequency, query period issue

* Updated code as per Roey's feedback

* Incorporated the feedback from Roey

* Changed ParserName

* Modified Template Spec Name

* Added missing status property for Analytics Rule

* Workbook Metadata and Analytic Rules Changes

* Update createSolution.ps1

* Update createSolution.ps1

* Fixed multiple workbook key issue

* Reverted parser updates

* Committing changes for the workbooks and contentId fix

* Checking-in the Parser changes for template specs

* Changing the function alias of the parser object

* Content Types are referenced as variables across metadata dependencies and changed Parser content id

* Update createSolution.ps1

* Template Spec V2 Tooling Changes

* updated analytical rule version to 2.0.0

* read the version property from input file

* Copied code to the V2 folder

* Handled UIdefinition changes in templating file

* Deleted unwanted files

* Deleted unwanted files

* Removed preview keyword

* IsPreview flag for data connector has been handled

* Workbook UI Parameter Block commented

* Removing workbook name from UI

* Versioning change for the content types

* Added the logic for the existing function apps title

* Function App existing code modified Logic

* adding the description validation check

* Workbook Versioning change

* ISV email property handling in the tool

* Playbook TemplateSpec code changes

* Updated correct content for Playbooks

* Fixed JSON Validation issues

* Added missing metadata prop

* Added new template spec name code changes

* Update Metadata Path

* Added resource property for DC content changes

* Added customConnectorCount, Removed Junk Resource

* Fixed the locale issue in documentation links

* Added ReadMe file and Resolve review comments (#5115)

* Added ReadMe file and Resolve review comments

* Fixed PR validation issue

Co-authored-by: Eli Forbes <v-eliforbes@microsoft.com>
Co-authored-by: v-sabiraj <v-sabiraj@microsoft.com>
Co-authored-by: Sarath Tirumalareddy <tichandr@microsoft.com>
Co-authored-by: Sapan Goel <95875056+ms-sapangoel@users.noreply.github.com>
Co-authored-by: ashishsyal <89064706+ashishsyal@users.noreply.github.com>
2022-05-26 10:55:44 +05:30
dcr-arm-template Customlogs ingestion via DCE/DCR 2022-05-02 16:57:33 -07:00
images Added download icon 2022-05-02 17:09:13 -07:00
src Solution Tool Updates for Template Spec Migration (#4655) 2022-05-26 10:55:44 +05:30
README.MD CustomLogsIngestion-DCE-DCR/README Update 2022-05-06 10:21:26 -07:00

README.MD

Ingest Customlogs via DCE/DCR

Author : Sreedhar Ande

Script to send data to a data collection endpoint (DCE), which is a unique connection point for your subscription. The payload sent to Azure Monitor must be in JSON format. A data collection rule (DCR) is needed in your Azure tenant that understands the format of the source data, potentially filters and transforms it for the target table, and then directs it to a specific table in a specific workspace. You can change the target table and workspace by modifying the data collection rule, without any change to the REST API call or the source data.

Pre-requisites

  1. Register an Azure Active Directory application to authenticate against the API
    https://docs.microsoft.com/azure/azure-monitor/logs/tutorial-custom-logs#configure-application

  2. Create Data Collection Endpoint (DCE) on Azure Monitor
    https://docs.microsoft.com/azure/azure-monitor/logs/tutorial-custom-logs#create-data-collection-endpoint

  3. Create Customlog Table
    https://docs.microsoft.com/azure/azure-monitor/logs/tutorial-custom-logs#add-custom-log-table

  4. Create Data Collection Rule (DCR)
    https://docs.microsoft.com/azure/azure-monitor/logs/tutorial-custom-logs-api#create-data-collection-rule

  5. Collect DCR-ImmutableId
    https://docs.microsoft.com/azure/azure-monitor/logs/tutorial-custom-logs#collect-information-from-dcr

  6. Assign Permissions to Data Collection Rule(DCR)
    https://docs.microsoft.com/azure/azure-monitor/logs/tutorial-custom-logs-api#assign-permissions-to-dcr

Steps to Ingest Customlogs

  1. Download the script

  2. Extract the folder and open "Send-AzMonitorCustomLogs.ps1" in either Visual Studio Code or PowerShell

    Note
    The script runs from the user's machine. You must allow PowerShell script execution. To do so, run the following command:

    Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass  
    
  3. You are prompted to enter the following values

    • LogPath
      Path to the log file or folder (JSON|CSV) to read logs from and send them to Azure Monitor
    • AADAppId
      Azure Active Directory application to authenticate against the API to send logs to Azure Monitor data collection endpoint. This script supports the Client Credential Grant Flow.
    • AADAppSecret
      Secret text to use with the Azure Active Directory application to authenticate against the API for the Client Credential Grant Flow
    • TenantId
      ID of Tenant
    • DcrImmutableId
      Immutable ID of the data collection rule used to process events flowing to an Azure Monitor data table
    • DceURI
      URI of the data collection endpoint used to host the data collection rule
    • StreamName
      Name of the stream to send data to before it is processed and sent to an Azure Monitor data table
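The exchange the script performs with these six values, written out as an added example that is not the repository's Send-AzMonitorCustomLogs.ps1: a client-credential token request to Azure AD, then a POST of the JSON records to the DCR stream on the DCE. The token endpoint, the `https://monitor.azure.com//.default` scope and the `dataCollectionRules/{immutableId}/streams/{streamName}` path are the Azure Monitor Logs Ingestion API; the `api-version` value, the 500-record batch size and the parameter values are assumptions you adjust for your own environment.

```powershell
# Added example (not the project's own script). Sends JSON or CSV records
# from $LogPath to a DCR stream via a DCE using the client credential flow.
param(
    [Parameter(Mandatory)][string]$TenantId,
    [Parameter(Mandatory)][string]$AADAppId,
    [Parameter(Mandatory)][string]$DcrImmutableId,
    [Parameter(Mandatory)][string]$DceURI,      # e.g. https://<dce-name>.<region>.ingest.monitor.azure.com
    [Parameter(Mandatory)][string]$StreamName,  # e.g. Custom-MyTable_CL
    [Parameter(Mandatory)][string]$LogPath,     # .json (array of objects) or .csv
    [int]$BatchSize = 500                       # assumed batch size; keep each POST well under the 1 MB limit
)

# Prompt for the secret without echo so it does not land in the console history.
$secureSecret = Read-Host -Prompt 'AADAppSecret' -AsSecureString
$clientSecret = [System.Net.NetworkCredential]::new('', $secureSecret).Password

function Get-MonitorAccessToken {
    param([string]$TenantId, [string]$ClientId, [string]$ClientSecret)
    # Client credential grant against the v2.0 token endpoint; the scope is the
    # Azure Monitor resource plus "/.default" (note the double slash).
    $body = @{
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = 'https://monitor.azure.com//.default'
        grant_type    = 'client_credentials'
    }
    $resp = Invoke-RestMethod -Method Post `
        -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
        -Body $body -ContentType 'application/x-www-form-urlencoded'
    return $resp.access_token
}

function Read-LogRecords {
    param([string]$Path)
    # Returns an array of objects regardless of input format; the DCR's
    # transformation is what maps these columns onto the target table.
    switch ([System.IO.Path]::GetExtension($Path).ToLowerInvariant()) {
        '.json' { return @(Get-Content -Path $Path -Raw | ConvertFrom-Json) }
        '.csv'  { return @(Import-Csv -Path $Path) }
        default { throw "Unsupported log format: $Path (expected .json or .csv)" }
    }
}

function Send-DcrBatch {
    param([string]$Token, [string]$DceURI, [string]$DcrImmutableId,
          [string]$StreamName, [object[]]$Records)
    # api-version is an assumption; check the Logs Ingestion API reference for the current value.
    $uri = "$($DceURI.TrimEnd('/'))/dataCollectionRules/$DcrImmutableId/streams/$StreamName" +
           '?api-version=2021-11-01-preview'
    # The API requires a JSON array, even for a single record.
    $json = ConvertTo-Json -InputObject @($Records) -Depth 10 -Compress
    Invoke-RestMethod -Method Post -Uri $uri `
        -Headers @{ Authorization = "Bearer $Token" } `
        -ContentType 'application/json' -Body $json | Out-Null
}

$token   = Get-MonitorAccessToken -TenantId $TenantId -ClientId $AADAppId -ClientSecret $clientSecret
$records = Read-LogRecords -Path $LogPath
Write-Host "Read $($records.Count) record(s) from $LogPath"

# Split into batches so a large file does not exceed the per-request payload limit.
for ($i = 0; $i -lt $records.Count; $i += $BatchSize) {
    $end   = [Math]::Min($i + $BatchSize, $records.Count) - 1
    $batch = $records[$i..$end]
    Send-DcrBatch -Token $token -DceURI $DceURI -DcrImmutableId $DcrImmutableId `
                  -StreamName $StreamName -Records $batch
    Write-Host "Sent records $i..$end"
}
```

A 204 No Content response means the DCE accepted the batch; rows appear in the target table only after the DCR's transformation runs, so a 204 followed by an empty table usually points at a column or `TimeGenerated` mismatch in the DCR rather than at the script. The app registration needs only the "Monitoring Metrics Publisher" role on the DCR itself (prerequisite 6), not on the workspace, which keeps the credential's blast radius to ingestion into that one rule.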