
Commit 501e400

Merge pull request #11903 from Azure/v-gsrihitha-IDS
Google Cloud Platform Cloud IDS CCP Connector
2 parents 91405ed + f2d33ce commit 501e400


15 files changed

+2177
-0
lines changed

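--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_SECTION_1
@@ -0,0 +1,289 @@
+{
+"Name": "GCP_CLOUDIDSV2_CL",
+"Properties": [
+{
+"name": "InsertId",
+"type": "string"
+},
+{
+"name": "LogName",
+"type": "string"
+},
+{
+"name": "ReceiveTimestamp",
+"type": "datetime"
+},
+{
+"name": "Application",
+"type": "string"
+},
+{
+"name": "DestinationIPAddress",
+"type": "string"
+},
+{
+"name": "DestinationPort",
+"type": "string"
+},
+{
+"name": "ElapsedTime",
+"type": "string"
+},
+{
+"name": "Network",
+"type": "string"
+},
+{
+"name": "RepeatCount",
+"type": "string"
+},
+{
+"name": "SessionId",
+"type": "string"
+},
+{
+"name": "SourcePort",
+"type": "string"
+},
+{
+"name": "StartTime",
+"type": "datetime"
+},
+{
+"name": "TotalBytes",
+"type": "string"
+},
+{
+"name": "TotalPackets",
+"type": "string"
+},
+{
+"name": "AlertSeverity",
+"type": "string"
+},
+{
+"name": "AlertTime",
+"type": "datetime"
+},
+{
+"name": "Category",
+"type": "string"
+},
+{
+"name": "CVEs",
+"type": "string"
+},
+{
+"name": "Details",
+"type": "string"
+},
+{
+"name": "Direction",
+"type": "string"
+},
+{
+"name": "JsonPayloadName",
+"type": "string"
+},
+{
+"name": "ThreatId",
+"type": "string"
+},
+{
+"name": "JsonPayloadType",
+"type": "string"
+},
+{
+"name": "URIOrFilename",
+"type": "string"
+},
+{
+"name": "IPProtocol",
+"type": "string"
+},
+{
+"name": "SourceIPAddress",
+"type": "string"
+},
+{
+"name": "OperationId",
+"type": "string"
+},
+{
+"name": "OperationFirst",
+"type": "boolean"
+},
+{
+"name": "OperationLast",
+"type": "boolean"
+},
+{
+"name": "OperationProducer",
+"type": "string"
+},
+{
+"name": "PayloadType",
+"type": "string"
+},
+{
+"name": "AuthenticationInfoPrincipalEmail",
+"type": "string"
+},
+{
+"name": "AuthorizationInfo",
+"type": "string"
+},
+{
+"name": "MethodName",
+"type": "string"
+},
+{
+"name": "NumResponseItems",
+"type": "string"
+},
+{
+"name": "RequestName",
+"type": "string"
+},
+{
+"name": "RequestType",
+"type": "string"
+},
+{
+"name": "RequestParent",
+"type": "string"
+},
+{
+"name": "RequestEndpointName",
+"type": "string"
+},
+{
+"name": "RequestEndpointNetwork",
+"type": "string"
+},
+{
+"name": "RequestEndpointSeverity",
+"type": "string"
+},
+{
+"name": "RequestEndpointTrafficLogs",
+"type": "string"
+},
+{
+"name": "RequestEndpointId",
+"type": "string"
+},
+{
+"name": "RequestEndpointThreatExceptions",
+"type": "string"
+},
+{
+"name": "RequestUpdateMaskPaths",
+"type": "string"
+},
+{
+"name": "RequestMetadataCallerIP",
+"type": "string"
+},
+{
+"name": "RequestMetadataDestinationAttributes",
+"type": "string"
+},
+{
+"name": "RequestMetadataRequestAttributesTime",
+"type": "datetime"
+},
+{
+"name": "RequestMetadataRequestAttributesAuth",
+"type": "string"
+},
+{
+"name": "RequestMetadataRequestAttributesReason",
+"type": "string"
+},
+{
+"name": "ResourceLocationCurrentLocations",
+"type": "string"
+},
+{
+"name": "ResponseType",
+"type": "string"
+},
+{
+"name": "ResponseName",
+"type": "string"
+},
+{
+"name": "ResponseNetwork",
+"type": "string"
+},
+{
+"name": "ResponseSeverity",
+"type": "string"
+},
+{
+"name": "TimeGenerated",
+"type": "datetime"
+},
+{
+"name": "ResponseState",
+"type": "string"
+},
+{
+"name": "ResponseThreatExceptions",
+"type": "string"
+},
+{
+"name": "ResponseTrafficLogs",
+"type": "boolean"
+},
+{
+"name": "ResourceName",
+"type": "string"
+},
+{
+"name": "ServiceName",
+"type": "string"
+},
+{
+"name": "Status",
+"type": "string"
+},
+{
+"name": "ResourceLabelsMethod",
+"type": "string"
+},
+{
+"name": "ResourceLabelsProjectId",
+"type": "string"
+},
+{
+"name": "ResourceLabelsService",
+"type": "string"
+},
+{
+"name": "ResourceLabelsId",
+"type": "string"
+},
+{
+"name": "ResourceLabelsLocation",
+"type": "string"
+},
+{
+"name": "ResourceLabelsResourceContainer",
+"type": "string"
+},
+{
+"name": "ResourceType",
+"type": "string"
+},
+{
+"name": "Severity",
+"type": "string"
+},
+{
+"name": "Timestamp",
+"type": "datetime"
+}
+]
+}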
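Review bot: The quantitative columns in this table definition — DestinationPort, SourcePort, TotalBytes, TotalPackets, RepeatCount, ElapsedTime and NumResponseItems — are all typed `"string"`, so any analytic rule that thresholds on bytes, packets or repeat counts has to cast on every query and a plain comparison sorts lexically ("9" > "10"). If the upstream transform delivers these as numbers, declare them with the table's numeric types, e.g. `{ "name": "TotalBytes", "type": "long" }` and `{ "name": "DestinationPort", "type": "int" }`; if Cloud IDS emits them as strings, the conversion belongs in the ingestion transform rather than in each detection — the DCR is not in this section, so that cannot be confirmed here. CVEs is likewise a string; if the source field is a list, `"type": "dynamic"` keeps it queryable with mv-expand instead of forcing string splitting in rules. A short header comment is not possible in strict JSON, so the type rationale should go in the connector README instead.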
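--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_SECTION_2
@@ -0,0 +1,106 @@
+terraform {
+required_providers {
+google = {
+source = "hashicorp/google"
+version = "3.73.0"
+}
+}
+
+required_version = ">= 0.15.0"
+}
+
+variable "project-id" {
+type = string
+description = "Enter your project ID"
+}
+
+variable "topic-name" {
+type = string
+default = "sentinelcloudids-topic"
+description = "Name of existing topic"
+}
+
+variable "organization-id" {
+type = string
+default = ""
+description = "Organization id"
+}
+
+data "google_project" "project" {
+project_id = var.project-id
+}
+
+resource "google_project_service" "enable-logging-api" {
+service = "logging.googleapis.com"
+project = data.google_project.project.project_id
+}
+
+resource "google_pubsub_topic" "sentinelcloudids-topic" {
+count = "${var.topic-name != "sentinelcloudids-topic" ? 0 : 1}"
+name = var.topic-name
+project = data.google_project.project.project_id
+}
+
+resource "google_pubsub_subscription" "sentinel-subscription" {
+project = data.google_project.project.project_id
+name = "sentinel-subscription-CLOUDIDSlogs"
+topic = var.topic-name
+depends_on = [google_pubsub_topic.sentinelcloudids-topic]
+}
+
+resource "google_logging_project_sink" "sentinel-sink" {
+project = data.google_project.project.project_id
+count = var.organization-id == "" ? 1 : 0
+name = "CLOUDIDS-logs-sentinel-sink"
+destination = "pubsub.googleapis.com/projects/${data.google_project.project.project_id}/topics/${var.topic-name}"
+depends_on = [google_pubsub_topic.sentinelcloudids-topic]
+
+filter = "protoPayload.serviceName=ids.googleapis.com OR (resource.type=ids.googleapis.com/Endpoint) OR (resource.type=ids.googleapis.com/Endpoint AND jsonPayload.alert_severity=(INFORMATIONAL OR LOW OR MEDIUM OR HIGH OR CRITICAL))"
+unique_writer_identity = true
+}
+
+resource "google_logging_organization_sink" "sentinel-organization-sink" {
+count = var.organization-id == "" ? 0 : 1
+name = "CLOUDIDS-logs-organization-sentinel-sink"
+org_id = var.organization-id
+destination = "pubsub.googleapis.com/projects/${data.google_project.project.project_id}/topics/${var.topic-name}"
+
+filter = "protoPayload.serviceName=ids.googleapis.com OR (resource.type=ids.googleapis.com/Endpoint) OR (resource.type=ids.googleapis.com/Endpoint AND jsonPayload.alert_severity=(INFORMATIONAL OR LOW OR MEDIUM OR HIGH OR CRITICAL))"
+include_children = true
+}
+
+resource "google_project_iam_binding" "log-writer" {
+count = var.organization-id == "" ? 1 : 0
+project = data.google_project.project.project_id
+role = "roles/pubsub.publisher"
+
+members = [
+google_logging_project_sink.sentinel-sink[0].writer_identity
+]
+}
+
+resource "google_project_iam_binding" "log-writer-organization" {
+count = var.organization-id == "" ? 0 : 1
+project = data.google_project.project.project_id
+role = "roles/pubsub.publisher"
+
+members = [
+google_logging_organization_sink.sentinel-organization-sink[0].writer_identity
+]
+}
+
+output "An_output_message" {
+value = "Please copy the following values to Sentinel"
+}
+
+output "GCP_project_id" {
+value = data.google_project.project.project_id
+}
+
+output "GCP_project_number" {
+value = data.google_project.project.number
+}
+
+output "GCP_subscription_name" {
+value = google_pubsub_subscription.sentinel-subscription.name
+}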
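Review bot: The two `google_project_iam_binding` resources (log-writer and log-writer-organization) grant `roles/pubsub.publisher` at project scope and are authoritative for that role, so on apply they remove every other member that already holds publisher on the project, and the sink's writer identity can publish to any topic in the project rather than only the one it feeds. The sink only needs publish on `var.topic-name`; a `google_pubsub_topic_iam_member` scoped to that topic is both least-privilege and non-destructive, as sketched below. Separately, the `count` on `google_pubsub_topic.sentinelcloudids-topic` wraps a bare expression in legacy `"${…}"` quoting, which `required_version = ">= 0.15.0"` no longer needs — `count = var.topic-name != "sentinelcloudids-topic" ? 0 : 1` reads the same. The third clause of both sink `filter` strings is already covered by the second (`resource.type=ids.googleapis.com/Endpoint` without the severity qualifier), so it is dead filter text that a reader may mistake for a severity restriction.

```hcl
# … unchanged: terraform, variables, data, service, topic, subscription, sinks …

resource "google_pubsub_topic_iam_member" "log-writer" {
  count   = var.organization-id == "" ? 1 : 0
  project = data.google_project.project.project_id
  topic   = var.topic-name
  role    = "roles/pubsub.publisher"
  member  = google_logging_project_sink.sentinel-sink[0].writer_identity
}

resource "google_pubsub_topic_iam_member" "log-writer-organization" {
  count   = var.organization-id == "" ? 0 : 1
  project = data.google_project.project.project_id
  topic   = var.topic-name
  role    = "roles/pubsub.publisher"
  member  = google_logging_organization_sink.sentinel-organization-sink[0].writer_identity
}

# … unchanged: outputs …
```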
