
Commit cbeac16

committed
Initial version
1 parent 6340f0b commit cbeac16


14 files changed

+1336
-0
lines changed

Lines changed: 11 additions & 0 deletions
@@ -0,0 +1,11 @@
1+
{
2+
"type": "Microsoft.Insights/dataCollectionEndpoints",
3+
"apiVersion": "2022-06-01",
4+
"name": "[parameters('dceName')]",
5+
"location": "[parameters('location')]",
6+
"properties": {
7+
"networkAcls": {
8+
"publicNetworkAccess": "Enabled"
9+
}
10+
}
11+
}
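Review bot: `"publicNetworkAccess": "Enabled"` on line 8 is hard-coded, so every deployment of this solution gets a data collection endpoint that is reachable from public networks. Ingestion through the endpoint is presumably still authenticated, and the hosted poller may well need public access, but that reasoning is not recorded anywhere in this commit. I would state the requirement in the solution's documentation, so that an operator who later restricts the endpoint knows what the connector depends on.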
Lines changed: 53 additions & 0 deletions
@@ -0,0 +1,53 @@
1+
{
2+
"type": "Microsoft.Insights/dataCollectionRules",
3+
"apiVersion": "2022-06-01",
4+
"name": "VersasecCms-DCR",
5+
"location": "[parameters('location')]",
6+
"dependsOn": [
7+
"[resourceId(parameters('subscription'), parameters('resourceGroupName'), 'Microsoft.Insights/dataCollectionEndpoints', parameters('dceName'))]",
8+
"[resourceId('Microsoft.OperationalInsights/workspaces/tables', parameters('workspaceName'), 'VersasecCmsSysLogs_CL')]",
9+
"[resourceId('Microsoft.OperationalInsights/workspaces/tables', parameters('workspaceName'), 'VersasecCmsErrorLogs_CL')]",
10+
"[resourceId('Microsoft.OperationsManagement/solutions', concat('SecurityInsights(', parameters('workspaceName'), ')'))]"
11+
],
12+
"properties": {
13+
"dataCollectionEndpointId": "[resourceId(parameters('subscription'), parameters('resourceGroupName'), 'Microsoft.Insights/dataCollectionEndpoints', parameters('dceName'))]",
14+
"streamDeclarations": {
15+
"Custom-VersasecCmsSysLogs_API": {
16+
"columns": [
17+
{ "name": "rowData", "type": "dynamic" }
18+
]
19+
},
20+
"Custom-VersasecCmsErrorLogs_API": {
21+
"columns": [
22+
{ "name": "rowData", "type": "dynamic" }
23+
]
24+
}
25+
},
26+
"destinations": {
27+
"logAnalytics": [
28+
{
29+
"workspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspaceName'))]",
30+
"name": "ws"
31+
}
32+
]
33+
},
34+
"dataFlows": [
35+
{
36+
"streams": [ "Custom-VersasecCmsSysLogs_API" ],
37+
"destinations": [ "ws" ],
38+
"transformKql": "source | project SyslogID = toreal(rowData[0]), SyslogIDCode = tostring(rowData[1]), SyslogIDStrg = tostring(rowData[2]), TimeGenerated = todatetime(rowData[3]), ID = toreal(rowData[4]), ComputerName = tostring(rowData[5]), CLID = tostring(rowData[6]), Param1 = tostring(rowData[7]), UserID = toreal(rowData[8]), TicketRef = tostring(rowData[9])",
39+
"outputStream": "[concat('Custom-', variables('syslogTableName'))]"
40+
},
41+
{
42+
"streams": [ "Custom-VersasecCmsErrorLogs_API" ],
43+
"destinations": [ "ws" ],
44+
"transformKql": "source | project CmsErrorID = toreal(rowData[0]), CmsErrorIDCode = tostring(rowData[1]), CmsErrorIDStrg = tostring(rowData[2]), TimeGenerated = todatetime(rowData[3]), ID = toreal(rowData[4]), ComputerName = tostring(rowData[5]), CLID = tostring(rowData[6]), ErrorStrg = tostring(rowData[7]), UserID = toreal(rowData[8]), SupportTicket = tostring(rowData[9]), TicketRef = tostring(rowData[10])",
45+
"outputStream": "[concat('Custom-', variables('errorlogTableName'))]"
46+
}
47+
]
48+
},
49+
"variables": {
50+
"syslogTableName": "VersasecCmsSysLogs_CL",
51+
"errorlogTableName": "VersasecCmsErrorLogs_CL"
52+
}
53+
}
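Review bot: The `variables` object on lines 49–52 sits inside the resource next to `properties`, where ARM does not define such a member; `variables('syslogTableName')` and `variables('errorlogTableName')` on lines 39 and 45 resolve only against the template-level `variables` section. Unless the packaging step lifts this block into the generated template, both `outputStream` expressions would fail to evaluate and no rows would reach the tables. The table names are already written literally in `dependsOn` on lines 8–9, so the simplest fix is `"outputStream": "Custom-VersasecCmsSysLogs_CL"` and `"outputStream": "Custom-VersasecCmsErrorLogs_CL"`, dropping the inner `variables` block.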
Lines changed: 96 additions & 0 deletions
@@ -0,0 +1,96 @@
1+
[{
2+
"name": "VersasecCmsPoller_syslogs_created_events",
3+
"apiVersion": "2022-10-01-preview",
4+
"type": "Microsoft.SecurityInsights/dataConnectors",
5+
"kind": "RestApiPoller",
6+
"dependsOn": [
7+
"[resourceId('Microsoft.Insights/dataCollectionRules', 'VersasecCms-DCR')]"
8+
],
9+
"properties": {
10+
"connectorDefinitionName": "VersasecCmsCCP",
11+
"dataType": "VersasecCms API",
12+
"dcrConfig": {
13+
"streamName": "Custom-VersasecCmsSysLogs_API",
14+
"dataCollectionEndpoint": "[reference(resourceId('Microsoft.Insights/dataCollectionEndpoints', parameters('dceName')), '2022-06-01').logsIngestion.endpoint]",
15+
"dataCollectionRuleImmutableId": "[reference(resourceId('Microsoft.Insights/dataCollectionRules', 'VersasecCms-DCR'), '2022-06-01').immutableId]"
16+
},
17+
"auth": {
18+
"type": "APIKey",
19+
"ApiKey": "[parameters('apiToken')]",
20+
"ApiKeyName": "X-VSECCMS-AUTHTICKET"
21+
},
22+
23+
"request": {
24+
"apiEndpoint": "[concat(parameters('managementUrl'), parameters('apiBasePath'), 'QueryCmsPersistenceData')]",
25+
"rateLimitQPS": 10,
26+
"queryWindowInMin": "[parameters('pollingInterval')]",
27+
"httpMethod": "POST",
28+
"contentType": "application/json",
29+
"queryTimeFormat": "yyyy-MM-ddTHH:mm:ss",
30+
"headers": {
31+
"Content-Type": "application/json",
32+
"Accept": "application/json"
33+
},
34+
"isPostPayloadJson": true,
35+
"queryParametersTemplate": "[format('{{\"tableName\": \"CvSysLog\", \"queryStatement\": \"StartOperationAnd false AddOperationGreaterEqual false TimeStamp false \\\"T{0}\\\" FinishLogicalOperation\", \"flags\": 0, \"resultPosition\": 0, \"resultAmount\": 100}}', '{_QueryWindowStartTime}')]"
36+
},
37+
"paging": {
38+
"pagingType": "NextPageToken",
39+
"NextPageTokenJsonPath": "$.pagination.nextCursor",
40+
"NextPageParaName": "cursor"
41+
},
42+
"response": {
43+
"eventsJsonPaths": [
44+
"$.rows"
45+
]
46+
}
47+
}
48+
}, {
49+
"name": "VersasecCmsPoller_errorlogs_created_events",
50+
"apiVersion": "2022-10-01-preview",
51+
"type": "Microsoft.SecurityInsights/dataConnectors",
52+
"kind": "RestApiPoller",
53+
"dependsOn": [
54+
"[resourceId('Microsoft.Insights/dataCollectionRules', 'VersasecCms-DCR')]"
55+
],
56+
"properties": {
57+
"connectorDefinitionName": "VersasecCmsCCP",
58+
"dataType": "VersasecCms API",
59+
"dcrConfig": {
60+
"streamName": "Custom-VersasecCmsErrorLogs_API",
61+
"dataCollectionEndpoint": "[reference(resourceId('Microsoft.Insights/dataCollectionEndpoints', parameters('dceName')), '2022-06-01').logsIngestion.endpoint]",
62+
"dataCollectionRuleImmutableId": "[reference(resourceId('Microsoft.Insights/dataCollectionRules', 'VersasecCms-DCR'), '2022-06-01').immutableId]"
63+
},
64+
"auth": {
65+
"type": "APIKey",
66+
"ApiKey": "[parameters('apiToken')]",
67+
"ApiKeyName": "X-VSECCMS-AUTHTICKET"
68+
},
69+
70+
"request": {
71+
"apiEndpoint": "[concat(parameters('managementUrl'), parameters('apiBasePath'), 'QueryCmsPersistenceData')]",
72+
"rateLimitQPS": 10,
73+
"queryWindowInMin": "[parameters('pollingInterval')]",
74+
"httpMethod": "POST",
75+
"contentType": "application/json",
76+
"queryTimeFormat": "yyyy-MM-ddTHH:mm:ss",
77+
"headers": {
78+
"Content-Type": "application/json",
79+
"Accept": "application/json"
80+
},
81+
"isPostPayloadJson": true,
82+
"queryParametersTemplate": "[format('{{\"tableName\": \"CvErrorLog\", \"queryStatement\": \"StartOperationAnd false AddOperationGreaterEqual false TimeStamp false \\\"T{0}\\\" FinishLogicalOperation\", \"flags\": 0, \"resultPosition\": 0, \"resultAmount\": 100}}', '{_QueryWindowStartTime}')]"
83+
},
84+
"paging": {
85+
"pagingType": "NextPageToken",
86+
"NextPageTokenJsonPath": "$.pagination.nextCursor",
87+
"NextPageParaName": "cursor"
88+
},
89+
"response": {
90+
"eventsJsonPaths": [
91+
"$.rows"
92+
]
93+
}
94+
}
95+
}
96+
]
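Review bot: Both pollers send a fixed `\"resultPosition\": 0, \"resultAmount\": 100` in `queryParametersTemplate` (lines 35 and 82), while the `paging` block expects the API to return `$.pagination.nextCursor` and to accept a `cursor` parameter. If `QueryCmsPersistenceData` pages by `resultPosition` rather than by cursor, which the request body suggests, only the first 100 rows of each window reach Sentinel and the rest are dropped without any error. The query also bounds `TimeStamp` only from below with `{_QueryWindowStartTime}`, so rows newer than the window are likely read again by later polls; an upper bound built from `{_QueryWindowEndTime}` would make the windows disjoint. Please confirm the paging contract against the API and record it in the connector documentation.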
Lines changed: 103 additions & 0 deletions
@@ -0,0 +1,103 @@
1+
{
2+
"name": "[concat(workspaceRef(), '/Microsoft.SecurityInsights/', variables('connectorName'))]",
3+
"type": "Microsoft.SecurityInsights/dataConnectorDefinitions",
4+
"apiVersion": "2022-09-01-preview",
5+
"kind": "Customizable",
6+
"properties": {
7+
"connectorUiConfig": {
8+
"id": "VersasecCmsCCP",
9+
"title": "VersasecCms",
10+
"publisher": "Versasec AB",
11+
"descriptionMarkdown": "The VersasecCms data connector allows ingesting logs into Microsoft Sentinel.",
12+
"graphQueries": [{
13+
"metricName": "Total System Logs",
14+
"legend": "Versasec Cms SysLog",
15+
"baseQuery": "VersasecCmsSysLogs_CL"
16+
}, {
17+
"metricName": "Total Error Logs",
18+
"legend": "Versasec Cms ErrorLog",
19+
"baseQuery": "VersasecCmsErrorLogs_CL"
20+
}
21+
],
22+
"sampleQueries": [{
23+
"description": "View last 50 System Logs",
24+
"query": "VersasecCmsSysLogs_CL | take 50"
25+
}, {
26+
"description": "View last 50 Error Logs",
27+
"query": "VersasecCmsErrorLogs_CL | take 50"
28+
}
29+
],
30+
"dataTypes": [{
31+
"name": "VersasecCmsSysLogs_CL",
32+
"lastDataReceivedQuery": "VersasecCmsSysLogs_CL | summarize Time = max(TimeGenerated)"
33+
}, {
34+
"name": "VersasecCmsErrorLogs_CL",
35+
"lastDataReceivedQuery": "VersasecCmsErrorLogs_CL | summarize Time = max(TimeGenerated)"
36+
}
37+
],
38+
"connectivityCriteria": [{
39+
"type": "IsConnectedQuery",
40+
"value": [
41+
"VersasecCmsSysLogs_CL | summarize count() by TimeGenerated"
42+
]
43+
}
44+
],
45+
"permissions": {
46+
"resourceProvider": [{
47+
"provider": "Microsoft.OperationalInsights/workspaces",
48+
"permissionsDisplayText": "Read and Write permissions are required.",
49+
"providerDisplayName": "Workspace",
50+
"scope": "Workspace",
51+
"requiredPermissions": {
52+
"read": true,
53+
"write": true,
54+
"delete": true
55+
}
56+
}
57+
]
58+
},
59+
"instructionSteps": [{
60+
"title": "Configuration",
61+
"description": "Enter credentials for VersasecCms.",
62+
"instructions": [{
63+
"parameters": {
64+
"label": "Management URL",
65+
"type": "text",
66+
"name": "managementUrl"
67+
},
68+
"type": "Textbox"
69+
}, {
70+
"parameters": {
71+
"label": "API Base Path",
72+
"type": "text",
73+
"name": "apiBasePath"
74+
},
75+
"type": "Textbox"
76+
}, {
77+
"parameters": {
78+
"label": "API Token",
79+
"type": "securestring",
80+
"name": "apiToken"
81+
},
82+
"type": "Textbox"
83+
}, {
84+
"parameters": {
85+
"label": "Polling Interval (Minutes)",
86+
"type": "int",
87+
"name": "pollingInterval",
88+
"defaultValue": 5
89+
},
90+
"type": "Textbox"
91+
}, {
92+
"parameters": {
93+
"label": "connect",
94+
"name": "connectButton"
95+
},
96+
"type": "ConnectionToggleButton"
97+
}
98+
]
99+
}
100+
]
101+
}
102+
}
103+
}
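Review bot: The `managementUrl` textbox on lines 63–68 accepts free text, and the pollers in this commit concatenate it into `apiEndpoint` and send the API token to it in the `X-VSECCMS-AUTHTICKET` header. Nothing visible here requires an `https://` URL, so a plain-HTTP or mistyped value would expose the token in transit unless the platform rejects it. I would at least say so in the step text, e.g. `"description": "Enter credentials for VersasecCms. The Management URL must start with https://."`. Separately, `requiredPermissions` sets `"delete": true` on line 54 while `permissionsDisplayText` says only read and write are required; one of the two should change so the stated and requested permissions agree.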
Lines changed: 46 additions & 0 deletions
@@ -0,0 +1,46 @@
1+
{
2+
"name": "VersasecCmsErrorLogs_CL",
3+
"type": "Microsoft.OperationalInsights/workspaces/tables",
4+
"apiVersion": "2022-10-01",
5+
"tags": {},
6+
"properties": {
7+
"schema": {
8+
"name": "VersasecCmsErrorLogs_CL",
9+
"columns": [{
10+
"name": "TimeGenerated",
11+
"type": "datetime"
12+
}, {
13+
"name": "CmsErrorID",
14+
"type": "real"
15+
}, {
16+
"name": "CmsErrorIDCode",
17+
"type": "string"
18+
}, {
19+
"name": "CmsErrorIDStrg",
20+
"type": "string"
21+
}, {
22+
"name": "ID",
23+
"type": "real"
24+
}, {
25+
"name": "ComputerName",
26+
"type": "string"
27+
}, {
28+
"name": "CLID",
29+
"type": "string"
30+
}, {
31+
"name": "ErrorStrg",
32+
"type": "string"
33+
}, {
34+
"name": "UserID",
35+
"type": "real"
36+
},{
37+
"name": "SupportTicket",
38+
"type": "string"
39+
}, {
40+
"name": "TicketRef",
41+
"type": "string"
42+
}
43+
]
44+
}
45+
}
46+
}
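Review bot: `CmsErrorID`, `ID` and `UserID` are declared as `real` (lines 13–14, 22–23 and 34–35), which stores identifiers as floating-point values; equality filters and joins on them in analytic rules become fragile, and very large values lose precision. If these fields are integral in the CMS, `"type": "long"` fits better (or `"string"` if they are opaque), with the matching `toreal(...)` calls in the data collection rule's `transformKql` changed to `tolong(...)`. The same applies to `SyslogID`, `ID` and `UserID` in the VersasecCmsSysLogs_CL table definition in this commit.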
Lines changed: 43 additions & 0 deletions
@@ -0,0 +1,43 @@
1+
{
2+
"name": "VersasecCmsSysLogs_CL",
3+
"type": "Microsoft.OperationalInsights/workspaces/tables",
4+
"apiVersion": "2022-10-01",
5+
"tags": {},
6+
"properties": {
7+
"schema": {
8+
"name": "VersasecCmsSysLogs_CL",
9+
"columns": [{
10+
"name": "TimeGenerated",
11+
"type": "datetime"
12+
}, {
13+
"name": "SyslogID",
14+
"type": "real"
15+
}, {
16+
"name": "SyslogIDCode",
17+
"type": "string"
18+
}, {
19+
"name": "SyslogIDStrg",
20+
"type": "string"
21+
}, {
22+
"name": "ID",
23+
"type": "real"
24+
}, {
25+
"name": "ComputerName",
26+
"type": "string"
27+
}, {
28+
"name": "CLID",
29+
"type": "string"
30+
}, {
31+
"name": "Param1",
32+
"type": "string"
33+
}, {
34+
"name": "UserID",
35+
"type": "real"
36+
}, {
37+
"name": "TicketRef",
38+
"type": "string"
39+
}
40+
]
41+
}
42+
}
43+
}
Lines changed: 18 additions & 0 deletions
@@ -0,0 +1,18 @@
1+
{
2+
"Name": "VersasecCMS",
3+
"Author": "Versasec AB - info@versasec.com",
4+
"Logo": "<img src=\"https://versasec.com/wp-content/uploads/2025/09/versasec-logo.png\" width=\"75px\" height=\"75px\">",
5+
"Description": "Ingests Versasec Cms system logs into Microsoft Sentinel using a REST API poller (CCF).",
6+
"Data Connectors": [
7+
"Data Connectors/VersasecCMS_ccp/connectorDefinition.json"
8+
],
9+
"Workbooks": [],
10+
"Parsers": [],
11+
"Analytic Rules": [],
12+
"Hunting Queries": [],
13+
"BasePath": "C:/Github/Azure-Sentinel/Solutions/VersasecCMS",
14+
"Version": "1.0.0",
15+
"Metadata": "SolutionMetadata.json",
16+
"TemplateSpec": true,
17+
"Is1PConnector": false
18+
}
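Review bot: The `Logo` value on line 4 is an `<img>` tag pointing at a file under the vendor website's upload directory, so whatever renders the solution page fetches the image from a host outside the repository, and its content can change or disappear without a commit. Hosting the logo file in the repository and referencing that copy would pin what is shown. Also, `Description` on line 5 mentions only system logs, although the connector in this commit ingests error logs as well.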
6.06 KB
Binary file not shown.
