Azure
/
Azure-Sentinel
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность
Azure-Sentinel/Solutions/Lookout Cloud Security Plat.../Data Connectors/LookoutCSConnector
История
v-atulyadav 593e19045f Update LookoutCSConn.zip 2024-06-26 13:34:03 +05:30
..
LookoutCloudSecurityAnamolies
LookoutCloudSecurityEvents
LookoutCloudSecurityViolations
LookoutCSConn.zip Update LookoutCSConn.zip 2024-06-26 13:34:03 +05:30
LookoutCloudSecurityConnector_API_FunctionApp.json
README.md
azuredeploy_LookoutCloudSecurityConnector_FunctionApp.json
host.json
proxies.json
requirements.txt Bump urllib3 2024-06-17 22:12:35 +00:00

README.md

Ingest LookOut Cloud Security events into sentinel through LookOut Cloud Security dataconnector

Author: Prathibha Tadikamalla

The Azure function based LookOut Cloud Security dataconnector pulls all the LookOut cloud security events into Sentinel. This function app contains three different functions to fetch activity events, Violation events and Anamoly events respectivley. Every time the internal function runs, it identifies the last event received date and time and stored into a file share. This value will be used as a start time for every next run. And this function also provides a provision to delay the records through a "FetchDelay" config value to prevent any data loss scenarios. And it also provides a provision to fetch the historical data for the first time function runs through a config value "PastDays". All these events will be placed into the table called "LookoutCloudSecurity_CL". As of now the solution has 3 parsers based on the below events:

Following are the configuration steps to deploy Function App.

Pre-requisites

Configuration Steps to Deploy Function App

  1. Click on Deploy to Azure (For both Commercial & Azure GOV)
    Deploy to Azure Deploy to Azure Gov

  2. Select the preferred Subscription, Resource Group and Location
    Note
    Best practice : Create new Resource Group while deploying - all the resources of your custom Data connector will reside in the newly created Resource Group

  3. Enter the following value in the ARM template deployment

"FunctionName": The name of the Azure function. Default value will be given as "fnLoCSCon"
"Workspace Id": The Sentinel Log Analytics Workspace Id  
"Primary Key": The Sentinel Log Analytics Workspace Primary Key
"LookoutClientId": The unique ID that was provided for this client
"LookoutApiSecret": The API secret that was provided for this client
"Baseurl": The URL used to access this client. The url must start with "https://"
"Schedule": A cron expression which is a string that defines a set of times, using six fields separated by white space. Each field in the cron expression represents a set of values that determine when a task should be executed. For example, the following cron expression would run a task every 5 minutes: Ex: "0 */5 * * * *" 
"MaxResults": Maximum Results to be returned from API as per source capacity
"FetchDelay": This integer value represents the number of minutes to be delayed while fetching of the results to prevent data loss due to delays at source.
"PastDays": The integer value represents the number of days to get historical data during the start of the function app via config