Merge pull request #11390 from idoshabi07/gcp-firewall-package-solution

Gcp firewall package solution

Author: v-prasadboke

Solutions/Google Cloud Platform Firewall Logs/Data Connectors/GCPFirewallLogs_ccp/GCPFirewall_DCR.json

@@ -0,0 +1,29 @@
+[
+    {
+        "name": "gcpFirewallLogsDCR",
+        "apiVersion": "2021-09-01-preview",
+        "type": "Microsoft.Insights/dataCollectionRules",
+        "location": "{{location}}",
+        "properties": {
+            "destinations": {
+                "logAnalytics": [
+                    {
+                        "workspaceResourceId": "{{workspaceResourceId}}",
+                        "name": "clv2ws1"
+                    }
+                ]
+            },
+            "dataFlows": [
+                {
+                    "streams": [
+                        "Microsoft-GCPFirewallLogs"
+                    ],
+                    "destinations": [
+                        "clv2ws1"
+                    ]
+                }
+            ],
+            "dataCollectionEndpointId": "{{dataCollectionEndpointId}}"
+        }
+    }
+]

Solutions/Google Cloud Platform Firewall Logs/Data Connectors/GCPFirewallLogs_ccp/GCPFirewall_PollingConfig.json

@@ -0,0 +1,29 @@
+[
+    {
+        "name": "GCPFirewallLogsTemplateConnections",
+        "apiVersion": "2023-02-01-preview",
+        "type": "Microsoft.SecurityInsights/dataConnectors",
+        "location": "{{location}}",
+        "kind": "GCP",
+        "properties": {
+            "connectorDefinitionName": "GCPFirewallLogsCCPDefinition",
+            "dcrConfig": {
+                "streamName": "SENTINEL_GCP_FIREWALL_LOGS",
+                "dataCollectionEndpoint": "{{dataCollectionEndpoint}}",
+                "dataCollectionRuleImmutableId": "{{dataCollectionRuleImmutableId}}"
+            },
+            "dataType": "GCPFirewallLogs",
+            "auth": {
+                "serviceAccountEmail": "{{'GCPServiceAccountEmail'}}",
+                "projectNumber": "{{'GCPProjectNumber'}}",
+                "workloadIdentityProviderId": "{{'GCPWorkloadIdentityProviderId'}}"
+            },
+            "request": {
+                "projectId": "{{'GCPProjectId'}}",
+                "subscriptionNames": [
+                    "{{'GCPSubscriptionName'}}"
+                ]
+            }
+        }
+    }
+]

Solutions/Google Cloud Platform Firewall Logs/Data Connectors/GCPFirewallLogs_ccp/GCP_ConnectorDefinition.json

@@ -0,0 +1,105 @@
+{
+    "name": "GCPFirewallLogsCCPDefinition",
+    "apiVersion": "2022-09-01-preview",
+    "type": "Microsoft.SecurityInsights/dataConnectorDefinitions",
+    "location": "{{location}}",
+    "kind": "Customizable",
+    "properties": {
+        "connectorUiConfig": {
+            "id": "GCPFirewallLogsCCPDefinition",
+            "title": "GCP Pub/Sub Firewall Logs",
+            "publisher": "Microsoft",
+            "descriptionMarkdown": "The Google Cloud Platform (GCP) firewall logs, enable you to capture network inbound and outbound activity to monitor access and detect potential threats across Google Cloud Platform (GCP) resources.",
+            "graphQueriesTableName": "GCPFirewallLogs",
+            "graphQueries": [
+                {
+                    "metricName": "Total events received",
+                    "legend": "GCP Pub/Sub Firewall Logs",
+                    "baseQuery": "{{graphQueriesTableName}}"
+                }
+            ],
+            "sampleQueries": [
+                {
+                    "description": "Get Sample of GCP Firewall Logs",
+                    "query": "{{graphQueriesTableName}}\n | take 10"
+                }
+            ],
+            "dataTypes": [
+                {
+                    "name": "{{graphQueriesTableName}}",
+                    "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n            | where isnotempty(Time)"
+                }
+            ],
+            "availability": {
+                "status": 1,
+                "isPreview": false
+            },
+            "connectivityCriteria": [
+                {
+                    "type": "HasDataConnectors"
+                }
+            ],
+            "permissions": {
+                "resourceProvider": [
+                    {
+                        "provider": "Microsoft.OperationalInsights/workspaces",
+                        "permissionsDisplayText": "Read and Write permissions are required.",
+                        "providerDisplayName": "Workspace",
+                        "scope": "Workspace",
+                        "requiredPermissions": {
+                            "read": true,
+                            "write": true,
+                            "delete": true,
+                            "action": false
+                        }
+                    }
+                  
+                ]
+            },
+            "instructionSteps": [
+                {
+                    "instructions": [
+                        {
+                            "type": "MarkdownControlEnvBased",
+                            "parameters": {
+                                "prodScript": "#### 1. Set up your GCP environment \n You must have the following GCP resources defined and configured: topic, subscription for the topic, workload identity pool, workload identity provider and service account with permissions to get and consume from subscription. \n Terraform provides API for the IAM that creates the resources. [Link to Terraform scripts](https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/GCP/Terraform/sentinel_resources_creation)\n Connector tutorial: [Link to tutorial](https://learn.microsoft.com/en-us/azure/sentinel/connect-google-cloud-platform?tabs=terraform%2Cauditlogs#gcp-authentication-setup) .",
+                                "govScript": "#### 1. Set up your GCP environment \n You must have the following GCP resources defined and configured: topic, subscription for the topic, workload identity pool, workload identity provider and service account with permissions to get and consume from subscription. \n Terraform provides API for the IAM that creates the resources. [Link to Gov Terraform scripts](https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/GCP/Terraform/sentinel_resources_creation_gov)\n Connector tutorial: [Link to tutorial](https://learn.microsoft.com/en-us/azure/sentinel/connect-google-cloud-platform?tabs=terraform%2Cauditlogs#gcp-authentication-setup)."
+                            }
+                        },
+                        {
+                            "type": "CopyableLabel",
+                            "parameters": {
+                                "label": "Tenant ID: A unique identifier that is used as an input in the Terraform configuration within a GCP environment.",
+                                "fillWith": [
+                                    "TenantId"
+                                ],
+                                "name": "TenantId",
+                                "disabled": true
+                            }
+                        },
+                        {
+                            "type": "Markdown",
+                            "parameters": {
+                                "content": "#### 2. Enable Firewall logs \nIn your GCP account, navigate to the Firewall section. Here, you can either create a new rule or edit an existing one that you want to monitor. Once you open the rule, switch the toggle button under the **Logs** section to **On**, and save the changes.\n\nFor more information: [Link to documentation](https://cloud.google.com/firewall/docs/using-firewall-rules-logging?_gl=1*1no0nhk*_ga*NDMxNDIxODI3LjE3MjUyNjUzMzc.*_ga_WH2QY8WWF5*MTcyNTUyNzc4MS4xMS4xLjE3MjU1MjgxNTIuNDYuMC4w)"
+                            }
+                        },
+                        {
+                            "type": "Markdown",
+                            "parameters": {
+                                "content": "#### 3. Connect new collectors \n To enable GCP Firewall Logs for Microsoft Sentinel, click the Add new collector button, fill the required information in the context pane and click on Connect."
+                            }
+                        },
+                        {
+                            "type": "GCPGrid",
+                            "parameters": {}
+                        },
+                        {
+                            "type": "GCPContextPane",
+                            "parameters": {}
+                        }
+                    ]
+                }
+            ]
+        }
+    }
+}

Solutions/Google Cloud Platform Firewall Logs/Data Connectors/GCPFirewallLogs_ccp/solutionMetadata.json

@@ -0,0 +1,24 @@
+{
+	"publisherId": "azuresentinel",
+	"offerId": "azure-sentinel-solution-gcpfirewalllogs-api",
+	"firstPublishDate": "2024-09-08",
+	"providers": ["Google"],
+	"categories": {
+		"domains" : ["DevOps"],
+		"verticals": []
+	},
+	"support": {
+	  "name": "Microsoft Corporation",
+	  "email": "support@microsoft.com",
+	  "tier": "Microsoft",
+	  "link": "https://support.microsoft.com"
+	},
+	"SolutionName":"GCP Pub/Sub Firewall Logs",
+    "SolutionAuthor": "User",
+    "SolutionVersion":"1.0.0",
+	"packageIcon": "google_logo",
+	"SolutionTier": "Microsoft",
+	"PackageId":"gcpfirewalllogs-api",
+	"ConnectorDefinitionTemplateVersion": "1.0.0",
+    "DataConnectorsTemplateVersion": "1.0.0"
+}

Solutions/Google Cloud Platform Firewall Logs/Data/Solution_GoogleFirewallLogs.json

@@ -0,0 +1,14 @@
+{
+  "Name": "Google Cloud Platform Firewall Logs",
+  "Author": "Microsoft - support@microsoft.com",
+  "Logo": "<img src =\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/google_logo.svg\" width=\"75px\" height=\"75px\">",
+  "Description": "The Google Cloud Platform (GCP) firewall logs, ingested from Sentinel's connector, enable you to capture and track all network activity that occurs in your GCP intances. These firewall logs provide valuable insights for monitoring user activity, troubleshooting issues, and ensuring compliance with security regulations. They serve as a record of events that practitioners can utilize to monitor access and identify potential threats across GCP resources.",
+  "Data Connectors": [
+    "Data Connectors/GCPFirewallLogs_ccp/GCP_ConnectorDefinition.json"
+  ],
+  "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Google Cloud Platform Firewall Logs",
+  "Version": "3.0.0",  
+  "Metadata": "SolutionMetadata.json",
+  "TemplateSpec": true, 
+  "Is1PConnector": false
+}

Solutions/Google Cloud Platform Firewall Logs/Package/3.0.0.zip

@@ -0,0 +1,85 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
+  "handler": "Microsoft.Azure.CreateUIDef",
+  "version": "0.1.2-preview",
+  "parameters": {
+    "config": {
+      "isWizard": false,
+      "basics": {
+        "description": "<img src =\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/google_logo.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Google%20Cloud%20Platform%20Firewall%20Logs/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Google Cloud Platform (GCP) firewall logs, ingested from Sentinel's connector, enable you to capture and track all network activity that occurs in your GCP intances. These firewall logs provide valuable insights for monitoring user activity, troubleshooting issues, and ensuring compliance with security regulations. They serve as a record of events that practitioners can utilize to monitor access and identify potential threats across GCP resources.\n\n**Data Connectors:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+        "subscription": {
+          "resourceProviders": [
+            "Microsoft.OperationsManagement/solutions",
+            "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+            "Microsoft.Insights/workbooks",
+            "Microsoft.Logic/workflows"
+          ]
+        },
+        "location": {
+          "metadata": {
+            "hidden": "Hiding location, we get it from the log analytics workspace"
+          },
+          "visible": false
+        },
+        "resourceGroup": {
+          "allowExisting": true
+        }
+      }
+    },
+    "basics": [
+      {
+        "name": "getLAWorkspace",
+        "type": "Microsoft.Solutions.ArmApiControl",
+        "toolTip": "This filters by workspaces that exist in the Resource Group selected",
+        "condition": "[greater(length(resourceGroup().name),0)]",
+        "request": {
+          "method": "GET",
+          "path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
+        }
+      },
+      {
+        "name": "workspace",
+        "type": "Microsoft.Common.DropDown",
+        "label": "Workspace",
+        "placeholder": "Select a workspace",
+        "toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
+        "constraints": {
+          "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
+          "required": true
+        },
+        "visible": true
+      }
+    ],
+    "steps": [
+      {
+        "name": "dataconnectors",
+        "label": "Data Connectors",
+        "bladeTitle": "Data Connectors",
+        "elements": [
+          {
+            "name": "dataconnectors1-text",
+            "type": "Microsoft.Common.TextBlock",
+            "options": {
+              "text": "This Solution installs the data connector for Google Cloud Platform Firewall Logs. You can get Google Cloud Platform Firewall Logs data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
+            }
+          },
+          {
+            "name": "dataconnectors-link2",
+            "type": "Microsoft.Common.TextBlock",
+            "options": {
+              "link": {
+                "label": "Learn more about connecting data sources",
+                "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
+              }
+            }
+          }
+        ]
+      }
+    ],
+    "outputs": {
+      "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
+      "location": "[location()]",
+      "workspace": "[basics('workspace')]"
+    }
+  }
+}