"descriptionMarkdown": "The [Keeper Security](https://keepersecurity.com) connector provides the capability to read raw event data from Keeper Security in Microsoft Sentinel.",
13
+
"graphQueries": [
14
+
{
15
+
"metricName": "Events Logs",
16
+
"legend": "KeeperSecurityEventNewLogs_CL",
17
+
"baseQuery": "KeeperSecurityEventNewLogs_CL"
18
+
}
19
+
],
20
+
"sampleQueries": [
21
+
{
22
+
"description": "Keeper Security - All Events Logs",
23
+
"query": "KeeperSecurityEventNewLogs_CL\n | sort by TimeGenerated desc"
24
+
}
25
+
],
26
+
"dataTypes": [
27
+
{
28
+
"name": "KeeperSecurityEventNewLogs_CL",
29
+
"lastDataReceivedQuery": "KeeperSecurityEventNewLogs_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
"permissionsDisplayText": "read and write permissions are required.",
48
+
"providerDisplayName": "Workspace",
49
+
"scope": "Workspace",
50
+
"requiredPermissions": {
51
+
"write": true,
52
+
"read": true,
53
+
"delete": true
54
+
}
55
+
}
56
+
],
57
+
"customs": [
58
+
{
59
+
"name": "Microsoft Entra",
60
+
"description": "Permission to create an app registration in Microsoft Entra ID. Typically requires Entra ID Application Developer role or higher."
61
+
},
62
+
{
63
+
"name": "Microsoft Azure",
64
+
"description": "Permission to assign Monitoring Metrics Publisher role on data collection rule (DCR). Typically requires Azure RBAC Owner or User Access Administrator role"
65
+
}
66
+
]
67
+
},
68
+
"instructionSteps": [
69
+
{
70
+
"title": "1. Create ARM Resources and Provide the Required Permissions",
71
+
"description": "This connector reads data from the tables that Keeper Security uses in a Microsoft Analytics Workspace, if the [data forwarding](https://docs.keepersecurity.com/docs/data-forwarding) option is enabled in Keeper Security then raw event data is sent to the Microsoft Sentinel Ingestion API.",
72
+
"instructions": [
73
+
{
74
+
"type": "Markdown",
75
+
"parameters": {
76
+
"content": "#### Automated Configuration and Secure Data Ingestion with Entra Application \nClicking on \"Deploy\" will trigger the creation of Log Analytics tables and a Data Collection Rule (DCR). \nIt will then create an Entra application, link the DCR to it, and set the entered secret in the application. This setup enables data to be sent securely to the DCR using an Entra token."
"description": "Use the following parameters to configure the your machine to send the logs to the workspace.",
91
+
"instructions": [
92
+
{
93
+
"parameters": {
94
+
"label": "Tenant ID (Directory ID)",
95
+
"fillWith": [
96
+
"TenantId"
97
+
]
98
+
},
99
+
"type": "CopyableLabel"
100
+
},
101
+
{
102
+
"parameters": {
103
+
"label": "Entra App Registration Application ID",
104
+
"fillWith": [
105
+
"ApplicationId"
106
+
],
107
+
"placeholder": "Deploy push connector to get the App Registration Application ID"
108
+
},
109
+
"type": "CopyableLabel"
110
+
},
111
+
{
112
+
"parameters": {
113
+
"label": "Entra App Registration Secret",
114
+
"fillWith": [
115
+
"ApplicationSecret"
116
+
],
117
+
"placeholder": "Deploy push connector to get the App Registration Secret"
118
+
},
119
+
"type": "CopyableLabel"
120
+
},
121
+
{
122
+
"parameters": {
123
+
"label": "Data Collection Endpoint Uri",
124
+
"fillWith": [
125
+
"DataCollectionEndpoint"
126
+
],
127
+
"placeholder": "Deploy push connector to get the Data Collection Endpoint Uri"
128
+
},
129
+
"type": "CopyableLabel"
130
+
},
131
+
{
132
+
"parameters": {
133
+
"label": "Data Collection Rule Immutable ID",
134
+
"fillWith": [
135
+
"DataCollectionRuleId"
136
+
],
137
+
"placeholder": "Deploy push connector to get the Data Collection Rule Immutable ID"
138
+
},
139
+
"type": "CopyableLabel"
140
+
},
141
+
{
142
+
"parameters": {
143
+
"label": "Events Logs Stream Name",
144
+
"value": "Custom-KeeperSecurityEventNewLogs"
145
+
},
146
+
"type": "CopyableLabel"
147
+
}
148
+
]
149
+
},
150
+
{
151
+
"title": "3. Update Keeper Admin Console",
152
+
"description": "Configure the Keeper Admin Console with the Azure connection details to enable data forwarding to Microsoft Sentinel.",
153
+
"instructions": [
154
+
{
155
+
"type": "Markdown",
156
+
"parameters": {
157
+
"content": "#### Configure Azure Monitor Logs in Keeper Admin Console\n\nIn the [Keeper Admin Console](https://keepersecurity.com/console/), login as the Keeper Administrator. Then go to **Reporting & Alerts** and select **Azure Monitor Logs**.\n\nProvide the following information from Step 2 above into the Admin Console:\n\n- **Azure Tenant ID**: You can find this from Azure's \"Subscriptions\" area.\n- **Application (client) ID**: This is located in the App registration (KeeperLogging) overview screen\n- **Client Secret Value**: This is the Client Secret Value from the app registration secrets.\n- **Endpoint URL**: This is a URL that is created in the following specific format:\n `https://<collection_url>/dataCollectionRules/<dcr_id>/streams/<table>?api-version=2023-01-01`\n\nTo assemble the Endpoint URL:\n\n- **<Collection URL>** This comes from Step 2 above\n- **<DCR_ID>** From the Data Collector Rule, copy the \"Immutable Id\" value, e.g. `dcr-xxxxxxx`\n- **<TABLE>** This is the table name created by Azure, e.g. `Custom-KeeperSecurityEventNewLogs`\n\nExample: `https://<Collection_URL>/dataCollectionRules/<DCR_ID>/streams/Custom-KeeperSecurityEventNewLogs?api-version=2023-01-01`"
"Description": "The [Keeper Security](https://keepersecurity.com/) solution for Microsoft Sentinel enables you to ingest [Keeper Security](https://keepersecurity.com/) forwarded into Microsoft Sentinel using the Microsoft Sentinel Analytics Workspace.",