Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

New Solution Cortex XDR CCP solution #11575

Merged
merged 8 commits into from
Dec 18, 2024
Merged

New Solution Cortex XDR CCP solution #11575

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
fac031d
New Data connector Solution
v-prasadboke Dec 17, 2024
804b434
Create Solution_CortexXDR.json
v-prasadboke Dec 17, 2024
3dcf5b2
Create SolutionMetadata.json
v-prasadboke Dec 17, 2024
11524f5
Create ReleaseNotes.md
v-prasadboke Dec 17, 2024
a3548ee
Solution packaged
v-prasadboke Dec 17, 2024
3ce3e1b
arm ttk resolved
v-prasadboke Dec 17, 2024
68be9be
Delete solutionMetadata.json
v-prasadboke Dec 18, 2024
30dfb88
Solution packaged
v-prasadboke Dec 18, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
833 changes: 833 additions & 0 deletions Solutions/Palo Alto Cortex XDR CCP/Data Connectors/CortexXDR_ccp/DCR.json
View file
Open in desktop

Large diffs are not rendered by default.

174 changes: 174 additions & 0 deletions ...tions/Palo Alto Cortex XDR CCP/Data Connectors/CortexXDR_ccp/DataConnectorDefinition.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,174 @@
{
"name": "CortexXDRDataConnector",
"apiVersion": "2022-09-01-preview",
"type": "Microsoft.SecurityInsights/dataConnectorDefinitions",
"location": "[parameters('workspace-location')]",
"kind": "Customizable",
"properties": {
"connectorUiConfig": {
"id": "CortexXDRDataConnector",
"title": "Palo Alto Cortex XDR",
"publisher": "Microsoft",
"descriptionMarkdown": "The [Palo Alto Cortex XDR](https://cortex-panw.stoplight.io/docs/cortex-xdr/branches/main/09agw06t5dpvw-cortex-xdr-rest-api) data connector allows ingesting logs from the Palo Alto Cortex XDR API into Microsoft Sentinel. The data connector is built on Microsoft Sentinel Codeless Connector Platform. It uses the Palo Alto Cortex XDR API to fetch logs and it supports DCR-based [ingestion time transformations](https://docs.microsoft.com/azure/azure-monitor/logs/custom-logs-overview) that parses the received security data into a custom table so that queries don't need to parse it again, thus resulting in better performance.",
"graphQueries": [
{
"metricName": "Total incident logs received",
"legend": "Palo Alto Cortex XDR incident Logs",
"baseQuery": "PaloAltoCortexXDR_Incidents_CL"
},
{
"metricName": "Total Endpoint logs received",
"legend": "Palo Alto Cortex XDR endpoint Logs",
"baseQuery": "PaloAltoCortexXDR_Endpoints_CL"
},
{
"metricName": "Total Audit Management logs received",
"legend": "Palo Alto Cortex XDR Audit Management Logs",
"baseQuery": "PaloAltoCortexXDR_Audit_Management_CL"
},
{
"metricName": "Total Agent Audit logs received",
"legend": "Palo Alto Cortex XDR Agent Audit Logs",
"baseQuery": "PaloAltoCortexXDR_Audit_Agent_CL"
},
{
"metricName": "Total Alert logs received",
"legend": "Palo Alto Cortex XDR Alert Logs",
"baseQuery": "PaloAltoCortexXDR_Alerts_CL"
}
],
"sampleQueries": [
{
"description": "Get Sample of Cortex XDR incident logs",
"query": "PaloAltoCortexXDR_Incidents_CL| take 10"
},
{
"description": "Get Sample of Cortex XDR endpoint logs",
"query": "PaloAltoCortexXDR_Endpoints_CL| take 10"
},
{
"description": "Get Sample of Cortex XDR alert logs",
"query": "PaloAltoCortexXDR_Alerts_CL| take 10"
},
{
"description": "Get Sample of Cortex XDR Audit Management logs",
"query": "PaloAltoCortexXDR_Audit_Management_CL| take 10"
},
{
"description": "Get Sample of Cortex XDR Agent Audit logs",
"query": "PaloAltoCortexXDR_Audit_Agent_CL| take 10"
}
],
"dataTypes": [
{
"name": "PaloAltoCortexXDR_Incidents_CL",
"lastDataReceivedQuery": "PaloAltoCortexXDR_Incidents_CL\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
},
{
"name": "PaloAltoCortexXDR_Endpoints_CL",
"lastDataReceivedQuery": "PaloAltoCortexXDR_Endpoints_CL\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
},
{
"name": "PaloAltoCortexXDR_Alerts_CL",
"lastDataReceivedQuery": "PaloAltoCortexXDR_Alerts_CL\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
},
{
"name": "PaloAltoCortexXDR_Audit_Management_CL",
"lastDataReceivedQuery": "PaloAltoCortexXDR_Audit_Management_CL\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
},
{
"name": "PaloAltoCortexXDR_Audit_Agent_CL",
"lastDataReceivedQuery": "PaloAltoCortexXDR_Audit_Agent_CL\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriteria": [
{
"type": "HasDataConnectors",
"value": null
}
],
"availability": {
"status": 1,
"isPreview": false
},
"permissions": {
"tenant": null,
"licenses": null,
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "Read and Write permissions are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"read": true,
"write": true,
"delete": true,
"action": false
}
}
]
},
"instructionSteps": [
{
"instructions": [
{
"type": "Markdown",
"parameters": {
"content": "#### Configuration steps for the Palo Alto Cortex XDR API \n Follow the instructions to obtain the credentials. you can also follow this [guide](https://cortex-panw.stoplight.io/docs/cortex-xdr/branches/main/3u3j0e7hcx8t1-get-started-with-cortex-xdr-ap-is) to generate API key."
}
},
{
"type": "Markdown",
"parameters": {
"content": "#### 1. Retrieve API URL\n 1.1. Log in to the Palo Alto Cortex XDR [**Management Console**] with Admin user credentials\n 1.2. In the [**Management Console**], click [**Settings**] -> [**Configurations**] \n 1.3. Under [**Integrations**] click on [**API Keys**].\n 1.4. In the [**Settings**] Page click on [**Copy API URL**] in the top right corner."
}
},
{
"type": "Markdown",
"parameters": {
"content": "#### 2. Retrieve API Token\n 2.1. Log in to the Palo Alto Cortex XDR [**Management Console**] with Admin user credentials\n 2.2. In the [**Management Console**], click [**Settings**] -> [**Configurations**] \n 2.3. Under [**Integrations**] click on [**API Keys**].\n 2.4. In the [**Settings**] Page click on [**New Key**] in the top right corner.\n 2.5. Choose security level, role, choose Standard and click on [**Generate**]\n 2.6. Copy the API Token, once it generated the [**API Token ID**] can be found under the ID column"
}
},
{
"parameters": {
"label": "Base API URL",
"placeholder": "https://api-example.xdr.au.paloaltonetworks.com",
"type": "text",
"name": "apiUrl"
},
"type": "Textbox"
},
{
"parameters": {
"label": "API Key ID",
"placeholder": "API ID",
"type": "text",
"name": "apiId"
},
"type": "Textbox"
},
{
"type": "Textbox",
"parameters": {
"label": "API Token",
"placeholder": "API Token",
"type": "password",
"name": "apiToken"
}
},
{
"parameters": {
"label": "toggle",
"name": "toggle"
},
"type": "ConnectionToggleButton"
}
],
"innerSteps": null
}
],
"isConnectivityCriteriasMatchSome": false
}
}
}
223 changes: 223 additions & 0 deletions Solutions/Palo Alto Cortex XDR CCP/Data Connectors/CortexXDR_ccp/PollingConfig.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,223 @@
[
{
"type": "Microsoft.SecurityInsights/dataConnectors",
"apiVersion": "2021-10-01-preview",
"name": "CortexXdrAgent",
"location": "{{location}}",
"kind": "RestApiPoller",
"properties": {
"connectorDefinitionName": "CortexXDRDataConnector",
"dataType": "PaloAltoCortexXDR_Audit_Agent_CL",
"auth": {
"type": "APIKey",
"ApiKey": "[[parameters('apitoken')]",
"ApiKeyName": "Authorization"
},
"request": {
"apiEndpoint": "[[concat(parameters('apiUrl'), '/public_api/v1/audits/agents_reports')]",
"headers": {
"Accept": "application/json",
"User-Agent": "Scuba",
"x-xdr-auth-id": "[[parameters('apiId')]"
},
"httpMethod": "Post",
"queryParametersTemplate": "{ 'request_data': { 'filters': [ { 'field': 'timestamp', 'operator': 'gte', 'value': {_QueryWindowStartTime} },{ 'field': 'timestamp', 'operator': 'lte', 'value': {_QueryWindowEndTime} } ], 'sort': { 'field': 'timestamp', 'keyword': 'desc' } } }",
"queryTimeFormat": "UnixTimestampInMills",
"queryWindowInMin": 5,
"logResponseContent":true
},
"response": {
"eventsJsonPaths": [
"$.reply.data"
]
},
"dcrConfig": {
"streamName": "Custom-CortexXdrStreamAgent",
"dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]",
"dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]"
},
"paging": {
"offsetParaName": "$.request_data.search_from",
"pagingType": "Offset",
"offsetEndParaName": "$.request_data.search_to",
"pageSize": 100
}
}
},
{
"type": "Microsoft.SecurityInsights/dataConnectors",
"apiVersion": "2021-10-01-preview",
"name": "CortexXdrAlerts",
"location": "{{location}}",
"kind": "RestApiPoller",
"properties": {
"connectorDefinitionName": "CortexXDRDataConnector",
"dataType": "PaloAltoCortexXDR_Alerts_CL",
"auth": {
"type": "APIKey",
"ApiKey": "[[parameters('apitoken')]",
"ApiKeyName": "Authorization"
},
"request": {
"apiEndpoint": "[[concat(parameters('apiUrl'),'/public_api/v1/alerts/get_alerts')]",
"headers": {
"Accept": "application/json",
"User-Agent": "Scuba",
"x-xdr-auth-id": "[[parameters('apiId')]"
},
"httpMethod": "Post",
"queryParametersTemplate": "{ 'request_data': { 'filters': [ { 'field': 'creation_time', 'operator': 'gte', 'value': {_QueryWindowStartTime} },{ 'field': 'creation_time', 'operator': 'lte', 'value': {_QueryWindowEndTime} }], 'sort': { 'field': 'creation_time', 'keyword': 'desc' } } }",
"queryTimeFormat": "UnixTimestampInMills",
"queryWindowInMin": 5,
"logResponseContent":true
},
"response": {
"eventsJsonPaths": [
"$.reply.alerts"
]
},
"dcrConfig": {
"streamName": "Custom-CortexXdrStreamAlerts",
"dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]",
"dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]"
},
"paging": {
"offsetParaName": "$.request_data.search_from",
"pagingType": "Offset",
"offsetEndParaName": "$.request_data.search_to",
"pageSize": 100
}

}
},
{
"type": "Microsoft.SecurityInsights/dataConnectors",
"apiVersion": "2021-10-01-preview",
"name": "CortexXdrEndpoints",
"location": "{{location}}",
"kind": "RestApiPoller",
"properties": {
"connectorDefinitionName": "CortexXDRDataConnector",
"dataType": "PaloAltoCortexXDR_Endpoints_CL",
"auth": {
"type": "APIKey",
"ApiKey": "[[parameters('apitoken')]",
"ApiKeyName": "Authorization"
},
"request": {
"apiEndpoint": "[[concat(parameters('apiUrl'),'/public_api/v1/endpoints/get_endpoints')]",
"headers": {
"Accept": "application/json",
"User-Agent": "Scuba",
"x-xdr-auth-id": "[[parameters('apiId')]"
},
"httpMethod": "Post",
"queryParametersTemplate": "{}",
"queryTimeFormat": "UnixTimestampInMills",
"queryWindowInMin": 60,
"logResponseContent":true
},
"response": {
"eventsJsonPaths": [
"$.reply"
]
},
"dcrConfig": {
"streamName": "Custom-CortexXdrStreamEndpoint",
"dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]",
"dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]"
}
}
},
{
"type": "Microsoft.SecurityInsights/dataConnectors",
"apiVersion": "2021-10-01-preview",
"name": "CortexXdrIncidents",
"location": "{{location}}",
"kind": "RestApiPoller",
"properties": {
"connectorDefinitionName": "CortexXDRDataConnector",
"dataType": "PaloAltoCortexXDR_Incidents_CL",
"auth": {
"type": "APIKey",
"ApiKey": "[[parameters('apitoken')]",
"ApiKeyName": "Authorization"
},
"request": {
"apiEndpoint": "[[concat(parameters('apiUrl'),'/public_api/v1/incidents/get_incidents')]",
"headers": {
"Accept": "application/json",
"User-Agent": "Scuba",
"x-xdr-auth-id": "[[parameters('apiId')]"
},
"httpMethod": "Post",
"queryParametersTemplate": "{ 'request_data': { 'filters': [ { 'field': 'creation_time', 'operator': 'gte', 'value': {_QueryWindowStartTime} },{ 'field': 'creation_time', 'operator': 'lte', 'value': {_QueryWindowEndTime} }], 'sort': { 'field': 'creation_time', 'keyword': 'desc' } } }",
"queryTimeFormat": "UnixTimestampInMills",
"queryWindowInMin": 5,
"logResponseContent":true
},
"response": {
"eventsJsonPaths": [
"$.reply.incidents"
]
},
"dcrConfig": {
"streamName": "Custom-CortexXdrStreamIncidents",
"dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]",
"dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]"
},
"paging": {
"offsetParaName": "$.request_data.search_from",
"pagingType": "Offset",
"offsetEndParaName": "$.request_data.search_to",
"pageSize": 100
}
}
},
{
"type": "Microsoft.SecurityInsights/dataConnectors",
"apiVersion": "2021-10-01-preview",
"name": "CortexXdrManagement",
"location": "{{location}}",
"kind": "RestApiPoller",
"properties": {
"connectorDefinitionName": "CortexXDRDataConnector",
"dataType": "PaloAltoCortexXDR_Audit_Management_CL",
"auth": {
"type": "APIKey",
"ApiKey": "[[parameters('apitoken')]",
"ApiKeyName": "Authorization"
},
"request": {
"apiEndpoint": "[[concat(parameters('apiUrl'),'/public_api/v1/audits/management_logs')]",
"headers": {
"Accept": "application/json",
"User-Agent": "Scuba",
"x-xdr-auth-id": "[[parameters('apiId')]"
},
"httpMethod": "Post",
"queryParametersTemplate": "{ 'request_data': { 'filters': [ { 'field': 'timestamp', 'operator': 'gte', 'value': {_QueryWindowStartTime} },{ 'field': 'timestamp', 'operator': 'lte', 'value': {_QueryWindowEndTime} } ], 'sort': { 'field': 'timestamp', 'keyword': 'desc' } } }",
"queryTimeFormat": "UnixTimestampInMills",
"queryWindowInMin": 5,
"logResponseContent":true
},
"response": {
"eventsJsonPaths": [
"$.reply.data"
]
},
"dcrConfig": {
"streamName": "Custom-CortexXdrStreamManagement",
"dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]",
"dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]"
},
"paging": {
"offsetParaName": "$.request_data.search_from",
"pagingType": "Offset",
"offsetEndParaName": "$.request_data.search_to",
"pageSize": 100
}
}
}

]
Loading
Loading