Isaiah Williams 2020-08-27 12:11:03 -05:00 коммит произвёл GitHub
Родитель a9469e702f
Коммит 23c9cc21b0
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: 4AEE18F83AFDEB23
4 изменённых файлов: 124 добавлений и 7 удалений

2
.github/ISSUE_TEMPLATE/BUG_REPORT.md поставляемый

@ -4,7 +4,7 @@ about: Create a report to help us improve
---
# Steps to reproduce
## Steps to reproduce
> What steps can reproduce the defect?
> Please share the setup, sample project, target, etc.

2
.github/ISSUE_TEMPLATE/FEATURE_REQUEST.md поставляемый

@ -4,7 +4,7 @@ about: Suggest an idea for this project
---
# Feature Request
## Feature Request
**Is your feature request related to a problem?**
A clear and concise description of what the problem is. Ex. I am always frustrated when [...]

2
.github/PULL_REQUEST_TEMPLATE.md поставляемый

@ -1,4 +1,4 @@
# Description
## Description
Please add a meaningful description for this change. Ensure the PR has required unit tests.


@ -8,7 +8,7 @@ graph_endpoint = "https://graph.microsoft.com";
logout_uri = "https://login.microsoftonline.com/logout.srf";
redirect_uri = "https://oauth.powerbi.com/views/oauthredirect.html";
token_uri = "https://login.microsoftonline.com/organizations/oauth2/v2.0/token";
version = "2.0-preview-2";
version = "2.0-preview-3";
// Data Source Kind description
@ -25,7 +25,6 @@ SecMgmtInsights = [
TestConnection = (dataSourcePath) => {"SecMgmtInsights.Contents"}
];
// Data Source UI publishing description
SecMgmtInsights.Publish = [
@ -395,6 +394,13 @@ SecMgmtInsights.WindowsProtectionState = (tenants as list, schemaOnly as logical
EntityTable = #table({"Entity", "Action"}, {
{ "Alerts", SecMgmtInsights.Alerts },
{ "AuditAzureActiveDirectory", SecMgmtInsights.AuditAzureActiveDirectory },
{ "AuditDlp", SecMgmtInsights.AuditDlp },
{ "AuditExchange", SecMgmtInsights.AuditExchange},
{ "AuditGeneral", SecMgmtInsights.AuditGeneral },
{ "AuditSharePoint", SecMgmtInsights.AuditSharePoint },
{ "AuditSecurityComplianceAlerts", SecMgmtInsights.AuditSecurityComplianceAlerts },
{ "AuditSubscriptions", SecMgmtInsights.AuditSubscriptions },
{ "ConditionalAccessPolicies", SecMgmtInsights.ConditionalAccessPolicies },
{ "Contracts", SecMgmtInsights.Contracts },
{ "Controls", SecMgmtInsights.Controls },
@ -880,6 +886,7 @@ Rest.GetContents = (url as text, token as text, isPaged as logical, optional sch
[
Headers = [
#"Accept" = "application/json;odata.metadata=minimal;odata.streaming=false;IEEE754Compatible=false",
#"Accept-encoding" = "gzip, deflate",
#"Authorization" = "Bearer " & token,
#"User-Agent" = "secmgmt-insights-connector"
],
@ -897,9 +904,13 @@ Rest.GetContents = (url as text, token as text, isPaged as logical, optional sch
)
else
let
contents = Table.FromList({body}, Splitter.SplitByNothing(), null, null, ExtraValues.Error),
abstract = if(Type.Is(Value.Type(body), List.Type)) then body else {body},
contents = Table.FromList(abstract, Splitter.SplitByNothing(), null, null, ExtraValues.Error),
firstRow = contents{0}?,
value = if(firstRow = null) then Table.FromRows({}) else Table.ExpandRecordColumn(contents, "Column1", Record.FieldNames(firstRow[Column1]))
listOfColumns = List.Union(List.Transform(abstract, each Record.FieldNames(_))),
value = if(firstRow = null) then Table.FromRows({}) else Table.ExpandRecordColumn(contents, "Column1", listOfColumns)
in
value
in
@ -953,6 +964,112 @@ ServiceCommunications.BuildRequests = (tenants as list, relativeUrl as text, opt
in
data;
// Office 365 Management Activity
SecMgmtInsights.AuditAzureActiveDirectory = (tenants as list, schemaOnly as logical, optional query as text, optional metadata as table) =>
let
output = if(schemaOnly) then
type table [tenantId = text, CreationTime = datetimezone, Id = text, Operation = text, OrganizationId = text, RecordType = text, ResultStatus = text, UserKey = text, Version = text, Workload = text, ClientIP = text, ObjectId = text, UserId = text, AzureActiveDirectoryEventType = text, ExtendedProperties = any, ModifiedProperties = any, Actor = any, ActorContextId = text, ActorIpAddress = text, InterSystemsId = text, IntraSystemId = text, SupportTicketId = text, Target = any, TargetContextId = text, ApplicationId = text]
else
let
requests = ServiceCommunications.BuildRequests(tenants, "/activity/feed/subscriptions/content?contentType=audit.azureactivedirectory"),
availableContent = Rest.Feed(requests, false),
renamedColumns = Table.RenameColumns(availableContent, {"contentUri", "secMgmtInsightsRequest"}, MissingField.Ignore),
data = Rest.Feed(renamedColumns, false)
in
data
in
output;
SecMgmtInsights.AuditDlp = (tenants as list, schemaOnly as logical, optional query as text, optional metadata as table) =>
let
output = if(schemaOnly) then
type table [tenantId = text, CreationTime = datetimezone, Id = text, Operation = text, OrganizationId = text, RecordType = text, UserKey = text, UserType = text, Version = text, Workload = text, ObjectId = text, UserId = text, IncidentId = text, PolicyDetails = any, SensitiveInfoDetectionIsIncluded = logical, ExchangeMetaData = any, SharePointMetaData = any, ExceptionInfo = text]
else
let
requests = ServiceCommunications.BuildRequests(tenants, "/activity/feed/subscriptions/content?contentType=dlp.all"),
availableContent = Rest.Feed(requests, false),
renamedColumns = Table.RenameColumns(availableContent, {"contentUri", "secMgmtInsightsRequest"}, MissingField.Ignore),
data = Rest.Feed(renamedColumns, false)
in
data
in
output;
SecMgmtInsights.AuditExchange = (tenants as list, schemaOnly as logical, optional query as text, optional metadata as table) =>
let
output = if(schemaOnly) then
type table [tenantId = text, contentType = text, contentId = text, contentUri = text, contentCreated = datetimezone, contentExpiration = datetimezone]
else
let
requests = ServiceCommunications.BuildRequests(tenants, "/activity/feed/subscriptions/content?contentType=audit.exchange"),
availableContent = Rest.Feed(requests, false),
renamedColumns = Table.RenameColumns(availableContent, {"contentUri", "secMgmtInsightsRequest"}, MissingField.Ignore),
data = Rest.Feed(renamedColumns, false)
in
data
in
output;
SecMgmtInsights.AuditSecurityComplianceAlerts = (tenants as list, schemaOnly as logical, optional query as text, optional metadata as table) =>
let
output = if(schemaOnly) then
type table [tenantId = text, CreationTime = datetimezone, Id = text, Operation = text, OrganizationId = text, RecordType = text, ResultStatus = text, UserKey = text, UserType = text, Version = text, Workload = text, ObjectId = text, UserId = text, AlertId = text, AlertLinks = any, AlertType = text, Category = text, Comments = text, Data = any, Name = text, PolicyId = text, Severity = text, Source = text, Status = text]
else
let
requests = ServiceCommunications.BuildRequests(tenants, "/activity/feed/subscriptions/content?contentType=audit.general"),
availableContent = Rest.Feed(requests, false),
renamedColumns = Table.RenameColumns(availableContent, {"contentUri", "secMgmtInsightsRequest"}, MissingField.Ignore),
data = Rest.Feed(renamedColumns, false),
filtered = Table.SelectRows(data, each try [UserKey] = "SecurityComplianceAlerts" otherwise null)
in
filtered
in
output;
SecMgmtInsights.AuditGeneral = (tenants as list, schemaOnly as logical, optional query as text, optional metadata as table) =>
let
output = if(schemaOnly) then
type table [tenantId = text, CreationTime = datetimezone, Id = text, Operation = text, OrganizationId = text, RecordType = text, UserKey = text, UserType = text, Version = text, Workload = text, UserId = text, DataType = text]
else
let
requests = ServiceCommunications.BuildRequests(tenants, "/activity/feed/subscriptions/content?contentType=audit.general"),
availableContent = Rest.Feed(requests, false),
renamedColumns = Table.RenameColumns(availableContent, {"contentUri", "secMgmtInsightsRequest"}, MissingField.Ignore),
data = Rest.Feed(renamedColumns, false)
in
data
in
output;
SecMgmtInsights.AuditSharePoint = (tenants as list, schemaOnly as logical, optional query as text, optional metadata as table) =>
let
output = if(schemaOnly) then
type table [tenantId = text, contentType = text, contentId = text, contentUri = text, contentCreated = datetimezone, contentExpiration = datetimezone]
else
let
requests = ServiceCommunications.BuildRequests(tenants, "/activity/feed/subscriptions/content?contentType=audit.sharepoint"),
availableContent = Rest.Feed(requests, false),
renamedColumns = Table.RenameColumns(availableContent, {"contentUri", "secMgmtInsightsRequest"}, MissingField.Ignore),
data = Rest.Feed(renamedColumns, false)
in
data
in
output;
SecMgmtInsights.AuditSubscriptions = (tenants as list, schemaOnly as logical, optional query as text, optional metadata as table) =>
let
output = if(schemaOnly) then
type table [tenantId = text, contentType = text, status = text, webhook = any]
else
let
requests = ServiceCommunications.BuildRequests(tenants, "/activity/feed/subscriptions/list"),
data = Rest.Feed(requests, false)
in
data
in
output;
// Office 365 Service Communication
SecMgmtInsights.ServiceCurrentStatus = (tenants as list, schemaOnly as logical, optional query as text, optional metadata as table) =>
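Review bot: In SecMgmtInsights.AuditSecurityComplianceAlerts the row filter falls back to `null` (`each try [UserKey] = "SecurityComplianceAlerts" otherwise null`), and Table.SelectRows expects a logical from its condition, so a record without UserKey would likely raise a null-to-logical conversion error instead of being skipped; `otherwise false` expresses the intent. Every new Audit* function that reads content also passes the API-returned `contentUri` (renamed to `secMgmtInsightsRequest`) back into Rest.Feed, and Rest.GetContents attaches `"Bearer " & token` to what it requests; Rest.Feed is not visible here, but if it requests that column as-is, the URI should be checked for https and the expected Management Activity API host before the bearer token is sent to it. The schemaOnly types for AuditExchange and AuditSharePoint describe the content listing (contentType, contentId, contentUri, contentCreated, contentExpiration), while the data branch returns the fetched audit records, so the declared schema and the returned table appear to disagree. The body of SecMgmtInsights.ServiceCurrentStatus continues outside the hunk.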