

Merge branch 'native_Authentication_parser' of https://github.com/Azure/Azure-Sentinel into native_Authentication_parser
Alekhya0824 committed Jan 9, 2025
2 parents 565807d + 2a90b5a commit ff9d3bf
Showing 46 changed files with 9,945 additions and 936 deletions.
12 changes: 12 additions & 0 deletions Logos/Druva_Logo.svg
Expand Up @@ -27,7 +27,7 @@
"displayName": "Authentication Event ASIM filtering parser for Microsoft Sentinel native Authentication table",
"category": "ASIM",
"FunctionAlias": "vimAuthenticationNative",
"query": "let parser=\n(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n)\n{\n ASimAuthenticationEventLogs | where not(disabled)\n // -- Pre-parsing filtering:\n | where\n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or TargetUsername has_any (username_has_any))\n and ((array_length(targetappname_has_any) == 0) or TargetAppName has_any (targetappname_has_any)) \n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix)))\n and ((array_length(srchostname_has_any) == 0) or SrcHostname has_any (srchostname_has_any))\n and ((array_length(eventtype_in) == 0) or EventType in~ (eventtype_in))\n and (array_length(eventresultdetails_in) == 0 or EventResultDetails has_any (eventresultdetails_in))\n and (eventresult == \"*\" or (EventResult == eventresult))\n | extend\n User = TargetUsername,\n Src = coalesce (SrcDvcId, SrcHostname, SrcIpAddr),\n IpAddr=SrcIpAddr,\n LogonTarget= coalesce (TargetAppName, TargetUrl, TargetHostname),\n Dvc=EventVendor,\n Application=TargetAppName,\n Dst = coalesce (TargetDvcId,TargetHostname, TargetIpAddr, TargetAppId,TargetAppName), \n Rule = coalesce(RuleName, tostring(RuleNumber)),\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventSchema = \"Authentication\"\n | project-rename\n EventUid = _ItemId\n | project-away TenantId, SourceSystem, _ResourceId, _SubscriptionId\n};\nparser\n (\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n 
srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)",
"query": "let parser=\n(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n)\n{\n ASimAuthenticationEventLogs | where not(disabled)\n // -- Pre-parsing filtering:\n | where\n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or TargetUsername has_any (username_has_any))\n and ((array_length(targetappname_has_any) == 0) or TargetAppName has_any (targetappname_has_any)) \n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix)))\n and ((array_length(srchostname_has_any) == 0) or SrcHostname has_any (srchostname_has_any))\n and ((array_length(eventtype_in) == 0) or EventType in~ (eventtype_in))\n and (array_length(eventresultdetails_in) == 0 or EventResultDetails has_any (eventresultdetails_in))\n and (eventresult == \"*\" or (EventResult == eventresult))\n | extend\n User = TargetUsername,\n Src = coalesce (SrcDvcId, SrcHostname, SrcIpAddr),\n IpAddr=SrcIpAddr,\n LogonTarget= coalesce (TargetAppName, TargetUrl, TargetHostname),\n Dvc=EventVendor,\n Application=TargetAppName,\n Dst = coalesce (TargetDvcId,TargetHostname, TargetIpAddr, TargetAppId,TargetAppName), \n Rule = coalesce(RuleName, tostring(RuleNumber)),\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventSchema = \"Authentication\"\n | project-rename\n EventUid = _ItemId\n | project-away TenantId, SourceSystem, _ResourceId, _SubscriptionId\n};\nparser\n (\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n 
srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)\n",
"version": 1,
"functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False"
}
Binary file modified Solutions/Check Point CloudGuard CNAPP/Package/3.0.0.zip
Expand Up @@ -48,7 +48,7 @@
"_email": "[variables('email')]",
"_solutionName": "Check Point CloudGuard CNAPP",
"_solutionVersion": "3.0.0",
"solutionId": "checkpoint-cloudguard.checkpoint-sentinel-solutions-cloud-guard",
"solutionId": "checkpoint.checkpoint-sentinel-solutions-cloud-guard",
"_solutionId": "[variables('solutionId')]",
"workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
"dataConnectorCCPVersion": "1.0.0",
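Review bot: The `solutionId` changes its publisher segment from `checkpoint-cloudguard` to `checkpoint` while `_solutionVersion` stays `3.0.0` and the same commit replaces `Package/3.0.0.zip`; the solution metadata in this commit shows a `firstPublishDate` of 2024-11-12, so if 3.0.0 has already shipped this republishes different content under an unchanged version. An unchanged version with a changed package is hard to audit downstream and can confuse anyone pinning or verifying the 3.0.0 artifact. If the publisher move is intentional, bumping `_solutionVersion` (with a matching package name) or at least recording the reason in release notes would make it traceable; if 3.0.0 was never published, a line in the commit message saying so would settle it. Only the hunk around `solutionId` is visible here; the rest of the template is outside it.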
@@ -1,5 +1,5 @@
{
"publisherId": "checkpoint-cloudguard",
"publisherId": "checkpoint",
"offerId": "checkpoint-sentinel-solutions-cloud-guard",
"firstPublishDate": "2024-11-12",
"providers": [
@@ -0,0 +1,219 @@
[
{
"name": "DruvaDCR",
"apiVersion": "2021-09-01-preview",
"type": "Microsoft.Insights/dataCollectionRules",
"location": "{{location}}",
"properties": {
"dataCollectionEndpointId": "{{dataCollectionEndpointId}}",
"streamDeclarations": {
"Custom-DruvaSecurityEvents_CL": {
"columns": [
{
"name": "TimeGenerated",
"type": "datetime"
},
{
"name": "id",
"type": "int"
},
{
"name": "globalCustomerId",
"type": "string"
},
{
"name": "occurenceTime",
"type": "int"
},
{
"name": "area",
"type": "string"
},
{
"name": "category",
"type": "string"
},
{
"name": "type",
"type": "string"
},
{
"name": "syslogSeverity",
"type": "int"
},
{
"name": "syslogFacility",
"type": "int"
},
{
"name": "details",
"type": "string"
}
]
},
"Custom-DruvaPlatformEvents_CL": {
"columns": [
{
"name": "TimeGenerated",
"type": "datetime"
},
{
"name": "category",
"type": "string"
},
{
"name": "details",
"type": "dynamic"
},
{
"name": "feature",
"type": "string"
},
{
"name": "globalID",
"type": "string"
},
{
"name": "timeStamp",
"type": "int"
},
{
"name": "productID",
"type": "int"
},
{
"name": "syslogFacility",
"type": "int"
},
{
"name": "syslogSeverity",
"type": "int"
},
{
"name": "type",
"type": "string"
}
]
},
"Custom-DruvaInsyncEvents_CL": {
"columns": [
{
"name": "eventType",
"type": "string"
},
{
"name": "eventState",
"type": "string"
},
{
"name": "eventID",
"type": "int"
},
{
"name": "eventDetails",
"type": "string"
},
{
"name": "timestamp",
"type": "datetime"
},
{
"name": "initiator",
"type": "string"
},
{
"name": "ip",
"type": "string"
},
{
"name": "profileID",
"type": "string"
},
{
"name": "profileName",
"type": "string"
},
{
"name": "inSyncUserID",
"type": "string"
},
{
"name": "inSyncUserName",
"type": "string"
},
{
"name": "inSyncUserEmail",
"type": "string"
},
{
"name": "inSyncDataSourceID",
"type": "string"
},
{
"name": "inSyncDataSourceName",
"type": "string"
},
{
"name": "clientOS",
"type": "string"
},
{
"name": "clientVersion",
"type": "string"
},
{
"name": "severity",
"type": "int"
},
{
"name": "facility",
"type": "int"
}
]
}
},
"destinations": {
"logAnalytics": [
{
"workspaceResourceId": "{{workspaceResourceId}}",
"name": "clv2ws1"
}
]
},
"dataFlows": [
{
"streams": [
"Custom-DruvaSecurityEvents_CL"
],
"destinations": [
"clv2ws1"
],
"transformKql": "source\n| extend TimeGenerated = datetime_add('second',occurenceTime,make_datetime(1970,1,1)) \n| extend event_type = type\n| project-away occurenceTime, type\n| extend id = tostring(id) // Convert 'id' to string and rename to EventUid\n| project-rename EventUid = id\n\n",
"outputStream": "Custom-DruvaSecurityEvents_CL"
},

{
"streams": [
"Custom-DruvaPlatformEvents_CL"
],
"destinations": [
"clv2ws1"
],
"transformKql": "source\n| extend TimeGenerated = datetime_add('second',timeStamp,make_datetime(1970,1,1))\n| extend event_type = type\n| project-away timeStamp, type\n",
"outputStream": "Custom-DruvaPlatformEvents_CL"
},

{
"streams": [
"Custom-DruvaInsyncEvents_CL"
],
"destinations": [
"clv2ws1"
],
"transformKql": "source\n| extend TimeGenerated = timestamp\n| extend eventID = tostring(eventID)\n| project-rename EventUid = eventID\n| project-away timestamp\n",
"outputStream": "Custom-DruvaInsyncEvents_CL"
}
]
}
}
]
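Review bot: The columns `id`, `occurenceTime`, `timeStamp` and `eventID` are declared `"type": "int"`, which as far as I know a DCR stream treats as a 32-bit integer; an identifier or epoch value above 2^31-1 would then fail typing at ingestion and likely arrive as null, leaving an empty `EventUid` or a null `TimeGenerated` for that record. Declaring them `"type": "long"` costs nothing and removes that cliff, and since both transforms use `datetime_add('second', …)` it is worth confirming the Druva API emits seconds rather than milliseconds, which would overflow `int` immediately. The Insync stream declares no `TimeGenerated` column while the other two do; the transform creates it via `extend TimeGenerated = timestamp`, so this works, but a short comment in that transform noting the column is synthesized would help the next maintainer. Minor style: the security transform ends with `\n\n` and carries an inline `//` comment after the `extend`, unlike the other two transforms.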
@@ -0,0 +1,131 @@
{
"name": "DruvaEventCCPDefinition",
"apiVersion": "2022-09-01-preview",
"type": "Microsoft.SecurityInsights/dataConnectorDefinitions",
"location": "{{location}}",
"kind": "Customizable",
"properties":
{

"connectorUiConfig": {
"id": "DruvaEventCCPDefinition",
"title": "Druva Events Connector",
"publisher" : "Microsoft",
"descriptionMarkdown" : "Provides capability to ingest the druva events from druva apis",
"graphQueriesTableName" : "DruvaSecurityEvents_CL",
"graphQueries": [
{
"metricName":"Total Security Events",
"legend":"Druva Security events received",
"baseQuery": "{{graphQueriesTableName}}"
},

{
"metricName":"Total platform events",
"legend":"Druva platform events received",
"baseQuery": "DruvaPlatformEvents_CL"
},
{
"metricName":"Total insync events",
"legend":"Druva insync events received",
"baseQuery": "DruvaInsyncEvents_CL"
}
],
"sampleQueries":[
{
"description": "Sample of Druva security events",
"query": "{{graphQueriesTableName}}\n| take 10"
},
{
"description": "Sample of Druva platform events",
"query": "DruvaPlatformEvents_CL\n| take 10"
},
{
"description": "Sample of Druva insync events",
"query": "DruvaInsyncEvents_CL\n| take 10"
}
],
"dataTypes":[
{
"name": "{{graphQueriesTableName}}",
"lastDataReceivedQuery": "{{graphQueriesTableName}}\n | summarize Time=max(TimeGenerated) \n | where isnotempty(Time)"
},
{
"name": "DruvaPlatformEvents_CL",
"lastDataReceivedQuery": "DruvaPlatformEvents_CL\n | summarize Time=max(TimeGenerated) \n | where isnotempty(Time)"
},
{
"name": "DruvaInsyncEvents_CL",
"lastDataReceivedQuery": "DruvaInsyncEvents_CL\n | summarize Time=max(TimeGenerated) \n | where isnotempty(Time)"
}
],
"connectivityCriteria":[
{
"type": "HasDataConnectors"
}
],
"permissions":{
"resourceProvider":[
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText":"Read and Write permission are required",
"providerDisplayName":"Workspace",
"scope":"Workspace",
"requiredPermissions":{
"write": true,
"read":true,
"delete": true
}
}
],
"customs":[
{
"name": "Druva API Access",
"description":"Druva api requires a client id and client secret to authenticate"
}
]
},
"instructionSteps":[
{
"description": ">Note: Configurations to connect to Druva Rest API\n"
},
{
"description": "Step 1: Create Crdentials from Druva Console: https://help.druva.com/en/articles/8580838-create-and-manage-api-credentials\n"
},
{
"description": "Step 2: Enter the hostname public cloud its apis.druva.com\n"
},
{
"description": "Step 3: Get client id and client secret key\n"
},
{
"description": "Provide required values:\n",
"instructions":[

{
"type": "Textbox",
"parameters": {
"label": "hostname",
"placeholder": "Example: apis.druva.com",
"type": "text",
"name": "hostname"
}
},

{
"type": "OAuthForm",
"parameters":{
"clientIdLabel":"Client ID",
"clientSecretLabel" : "Client Secret",
"connectButtonLabel":"Connect",
"disconnectButtonLabel": "Diconnect"

}
}
],
"tittle": "Connect to Druva API to start collecting logs in microft sentinel"
}
]
}
}
}
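Review bot: The key `"tittle"` on the final instruction step looks like a misspelling of `title`, so the step heading would be silently ignored rather than rendered; the same block has `"disconnectButtonLabel": "Diconnect"` and Step 1 reads "Crdentials", all user-facing strings. Suggested lines: `"title": "Connect to Druva API to start collecting logs in Microsoft Sentinel"` and `"disconnectButtonLabel": "Disconnect"`. The workspace permission entry requests `"delete": true` while its `permissionsDisplayText` says only read and write are required; either drop the delete grant or state it, since an installer should not be told less than what the connector is asking for (if delete is needed for disconnect, say so in the text). The `hostname` textbox is free text and the OAuth form collects a client ID and secret; presumably the poller authenticates against whatever host is entered, so unless it is validated elsewhere a `pattern` constraint or a fixed list of Druva endpoints would stop a mistyped or malicious hostname from receiving the credentials.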
