![](\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Google%20Cloud%20Platform%20Audit%20Logs/logo/Google-Cloud-Branding.png\"){kind=logo}
",
- "Description": "The Google Cloud Platform (GCP) audit logs, ingested from Sentinel's connector, enable you to capture and track all activity that occurs in your GCP environment. These audit logs provide valuable insights for monitoring user activity, troubleshooting issues, and ensuring compliance with security regulations. They serve as a record of events that practitioners can utilize to monitor access and identify potential threats across GCP resources.",
+ "Description": "The Google Cloud Platform (GCP) audit logs, ingested from Microsoft Sentinel's connector, enables you to capture and track all activity that occurs in your GCP environment. These audit logs provide valuable insights for monitoring user activity, troubleshooting issues, and ensuring compliance with security regulations. They serve as a record of events that practitioners can utilize to monitor access and identify potential threats across GCP resources.",
"Data Connectors": [
- "Data Connectors/GCPAuditLogs.json"
+ "Data Connectors/GCPAuditLogs_ccp/data_connector_definition.json"
],
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Google Cloud Platform Audit Logs",
- "Version": "2.0.2",
+ "Version": "3.0.0",
"Metadata": "SolutionMetadata.json",
- "TemplateSpec": true,
- "Is1Pconnector": false
+ "TemplateSpec": true
}
\ No newline at end of file
diff --git a/Solutions/Google Cloud Platform Audit Logs/Package/3.0.0.zip b/Solutions/Google Cloud Platform Audit Logs/Package/3.0.0.zip
new file mode 100644
index 00000000000..c34de1fef0e
Binary files /dev/null and b/Solutions/Google Cloud Platform Audit Logs/Package/3.0.0.zip differ
diff --git a/Solutions/Google Cloud Platform Audit Logs/Package/createUiDefinition.json b/Solutions/Google Cloud Platform Audit Logs/Package/createUiDefinition.json
index d76fb822f9e..d033ee73d62 100644
--- a/Solutions/Google Cloud Platform Audit Logs/Package/createUiDefinition.json
+++ b/Solutions/Google Cloud Platform Audit Logs/Package/createUiDefinition.json
@@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
- "description": "\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Google Cloud Platform (GCP) audit logs](https://cloud.google.com/pubsub/docs/audit-logging) solution for Microsoft Sentinel enable you to capture three types of audit logs: admin activity logs, data access logs, and access transparency logs. Google cloud audit logs record a trail that practitioners can use to monitor access and detect potential threats across Google Cloud Platform (GCP) resources.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Codeless Connector Platform (CCP)](https://learn.microsoft.com/en-us/azure/sentinel/create-custom-connector#connect-with-the-codeless-connector-platform)\n\n**Data Connectors:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Google%20Cloud%20Platform%20Audit%20Logs/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Google Cloud Platform (GCP) audit logs, ingested from Microsoft Sentinel's connector, enables you to capture and track all activity that occurs in your GCP environment. These audit logs provide valuable insights for monitoring user activity, troubleshooting issues, and ensuring compliance with security regulations. They serve as a record of events that practitioners can utilize to monitor access and identify potential threats across GCP resources.\n\n**Data Connectors:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
@@ -60,7 +60,7 @@
"name": "dataconnectors1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "The GCP Pub/Sub Audit Logs data connector ingested from Sentinel's connector, enable you to capture three types of audit logs: admin activity logs, data access logs, and access transparency logs. Google cloud audit logs record a trail that practitioners can use to monitor access and detect potential threats across Google Cloud Platform (GCP) resources."
+ "text": "This Solution installs the data connector for Google Cloud Platform Audit Logs. You can get Google Cloud Platform Audit Logs data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
}
},
{
@@ -82,4 +82,4 @@
"workspace": "[basics('workspace')]"
}
}
-}
\ No newline at end of file
+}
diff --git a/Solutions/Google Cloud Platform Audit Logs/Package/mainTemplate.json b/Solutions/Google Cloud Platform Audit Logs/Package/mainTemplate.json
index 3b708e39444..499d4b859b5 100644
--- a/Solutions/Google Cloud Platform Audit Logs/Package/mainTemplate.json
+++ b/Solutions/Google Cloud Platform Audit Logs/Package/mainTemplate.json
@@ -1,237 +1,199 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
+ "metadata": {
+ "author": "Microsoft - support@microsoft.com",
+ "comments": "Solution template for Google Cloud Platform Audit Logs"
+ },
"parameters": {
- "location": {
- "defaultValue": "[resourceGroup().location]",
- "minLength": 1,
+ "location": {
"type": "string",
+ "minLength": 1,
+ "defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
}
},
"workspace-location": {
- "defaultValue": "",
"type": "string",
+ "defaultValue": "",
"metadata": {
"description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
}
},
"workspace": {
- "type": "String"
+ "defaultValue": "",
+ "type": "string",
+ "metadata": {
+ "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
+ }
+ },
+ "resourceGroupName": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().name]",
+ "metadata": {
+ "description": "resource group name where Microsoft Sentinel is setup"
+ }
+ },
+ "subscription": {
+ "type": "string",
+ "defaultValue": "[last(split(subscription().id, '/'))]",
+ "metadata": {
+ "description": "subscription id where Microsoft Sentinel is setup"
+ }
}
},
"variables": {
+ "email": "support@microsoft.com",
+ "_email": "[variables('email')]",
+ "_solutionName": "Google Cloud Platform Audit Logs",
+ "_solutionVersion": "3.0.0",
"solutionId": "azuresentinel.azure-sentinel-solution-gcpauditlogs-api",
"_solutionId": "[variables('solutionId')]",
- "dataCollectionRuleImmutableId": "data collection rule immutableId",
- "_dataCollectionRuleImmutableId": "[variables('dataCollectionRuleImmutableId')]",
- "dataCollectionEndpointId": "[concat('/subscriptions/',variables('subscription'),'/resourceGroups/',variables('resourceGroupName'),'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('workspace'))]",
- "_dataCollectionEndpointId": "[variables('dataCollectionEndpointId')]",
"workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
- "uiConfigId1": "GCPAuditLogsDefinition",
- "_uiConfigId1": "[variables('uiConfigId1')]",
- "dataConnectorContentId1": "GCPAuditLogsDefinition",
- "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
- "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentId1'))]",
- "_dataConnectorId1": "[variables('dataConnectorId1')]",
- "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1')))]",
- "dataConnectorVersion1": "1.0.0",
- "dataConnectorContentId2": "GCPAuditLogsConnector",
- "_dataConnectorContentId2": "[variables('dataConnectorContentId2')]",
- "dataConnectorId2": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
- "_dataConnectorId2": "[variables('dataConnectorId2')]",
- "dataConnectorTemplateSpecName2": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId2')))]",
- "dataConnectorVersion2": "1.0.0",
- "resourceGroupName": "[resourceGroup().name]",
- "subscription": "[last(split(subscription().id, '/'))]",
- "dataCollectionRuleId": "GCPAuditLogs",
- "streamName": "SENTINEL_GCP_AUDIT_LOGS",
- "logAnalyticsTableId": "Microsoft-GCPAuditLogs",
- "dataType": "GCPAuditLogs",
- "destinationName": "clv2ws1"
+ "dataConnectorCCPVersion": "1.0.0",
+ "_dataConnectorContentIdConnectorDefinition1": "GCPAuditLogsDefinition",
+ "dataConnectorTemplateNameConnectorDefinition1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnectorDefinition1')))]",
+ "_dataConnectorContentIdConnections1": "GCPAuditLogsDefinitionConnections",
+ "dataConnectorTemplateNameConnections1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnections1')))]",
+ "dataCollectionEndpointId": "[concat('/subscriptions/',parameters('subscription'),'/resourceGroups/',parameters('resourceGroupName'),'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('workspace'))]",
+ "blanks": "[replace('b', 'b', '')]",
+ "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
},
"resources": [
{
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2022-02-01",
- "name": "[variables('dataConnectorTemplateSpecName1')]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "DataConnector"
- },
- "properties": {
- "description": "GCPAuditLogs data connector with template",
- "displayName": "GCPAuditLogs template"
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2022-02-01",
- "name": "[concat(variables('dataConnectorTemplateSpecName1'),'/',variables('dataConnectorVersion1'))]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnectorDefinition1'), variables('dataConnectorCCPVersion'))]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('dataConnectorTemplateSpecName1'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "DataConnector"
- },
"properties": {
- "description": "GCPAuditLogs data connector with template version 1.0.0",
+ "contentId": "[variables('_dataConnectorContentIdConnectorDefinition1')]",
+ "displayName": "GCP Pub/Sub Audit Logs",
+ "contentKind": "DataConnector",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('dataConnectorVersion1')]",
+ "contentVersion": "[variables('dataConnectorCCPVersion')]",
"parameters": {},
"variables": {},
"resources": [
{
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition1'))]",
"apiVersion": "2022-09-01-preview",
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions",
"location": "[parameters('workspace-location')]",
"kind": "Customizable",
"properties": {
- "connectorUiConfig": {
- "id": "[variables('_uiConfigId1')]",
- "title": "GCP Pub/Sub Audit Logs",
- "publisher": "Microsoft",
- "descriptionMarkdown": "The Google Cloud Platform (GCP) audit logs, ingested from Sentinel's connector, enable you to capture three types of audit logs: admin activity logs, data access logs, and access transparency logs. Google cloud audit logs record a trail that practitioners can use to monitor access and detect potential threats across Google Cloud Platform (GCP) resources.",
- "graphQueriesTableName": "GCPAuditLogs",
- "graphQueries": [
- {
- "metricName": "Total events received",
- "legend": "GCP Audit Logs",
- "baseQuery": "{{graphQueriesTableName}}"
- }
- ],
- "sampleQueries": [
- {
- "description": "Get Sample of GCP Audit Logs",
- "query": "{{graphQueriesTableName}}\n | take 10"
- }
- ],
- "dataTypes": [
- {
- "name": "{{graphQueriesTableName}}",
- "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- }
- ],
- "connectivityCriteria": [
- {
- "type": "HasDataConnectors"
- }
- ],
- "availability": {
- "status": 1,
- "isPreview": false
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "Read and Write permissions are required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "read": true,
- "write": true,
- "delete": true,
- "action": false
- }
- }
- ]
- },
- "instructionSteps": [
- {
- "instructions": [
- {
- "type": "MarkdownControlEnvBased",
- "parameters": {
- "prodScript":
- "#### 1. Set up your GCP environment \n You must have the following GCP resources defined and configured: topic, subscription for the topic, workload identity pool, workload identity provider and service account with permissions to get and consume from subscription. \n Terraform provides API for the IAM that creates the resources. [Link to Terraform scripts](https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/GCP/Terraform/sentinel_resources_creation).",
- "govScript":
- "#### 1. Set up your GCP environment \n You must have the following GCP resources defined and configured: topic, subscription for the topic, workload identity pool, workload identity provider and service account with permissions to get and consume from subscription. \n Terraform provides API for the IAM that creates the resources. [Link to Gov Terraform scripts](https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/GCP/Terraform/sentinel_resources_creation_gov)."
- }
- },
- {
- "type": "CopyableLabel",
- "parameters": {
- "label": "Tenant ID: A unique identifier that is used as an input in the Terraform configuration within a GCP environment.",
- "fillWith": ["TenantId"],
- "name": "PoolId",
- "disabled": true
- }
- },
- {
- "type": "Markdown",
- "parameters": {
- "content": "#### 2. Connect new collectors \n To enable GCP Audit Logs for Microsoft Sentinel, click the Add new collector button, fill the required information in the context pane and click on Connect."
- }
- },
- {
- "type": "GCPGrid",
- "parameters":{}
- },
- {
- "type": "GCPContextPane",
- "parameters":{}
- }
- ]
- }
- ],
- "isConnectivityCriteriasMatchSome": false
- },
- "connectionsConfig": {
- "templateSpecName": "[concat('/subscriptions/',variables('subscription'),'/resourceGroups/',variables('resourceGroupName'),'/providers/Microsoft.Resources/templateSpecs/',variables('dataConnectorTemplateSpecName2'))]",
- "templateSpecVersion": "[variables('dataConnectorVersion2')]"
- }
- }
- },
- {
- "name": "[variables('dataCollectionRuleId')]",
- "apiVersion": "2021-09-01-preview",
- "type": "Microsoft.Insights/dataCollectionRules",
- "location": "[parameters('workspace-location')]",
- "properties": {
- "dataCollectionEndpointId": "[variables('_dataCollectionEndpointId')]",
- "destinations": {
- "logAnalytics": [
- {
- "workspaceResourceId": "[variables('workspaceResourceId')]",
- "name": "[variables('destinationName')]"
+ "connectorUiConfig": {
+ "id": "GCPAuditLogsDefinition",
+ "title": "GCP Pub/Sub Audit Logs",
+ "publisher": "Microsoft",
+ "descriptionMarkdown": "The Google Cloud Platform (GCP) audit logs, ingested from Microsoft Sentinel's connector, enables you to capture three types of audit logs: admin activity logs, data access logs, and access transparency logs. Google cloud audit logs record a trail that practitioners can use to monitor access and detect potential threats across Google Cloud Platform (GCP) resources.",
+ "graphQueriesTableName": "GCPAuditLogs",
+ "graphQueries": [
+ {
+ "metricName": "Total events received",
+ "legend": "GCP Audit Logs",
+ "baseQuery": "{{graphQueriesTableName}}"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "Get Sample of GCP Audit Logs",
+ "query": "{{graphQueriesTableName}}\n | take 10"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "{{graphQueriesTableName}}",
+ "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriteria": [
+ {
+ "type": "HasDataConnectors"
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": false
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "Read and Write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "read": true,
+ "write": true,
+ "delete": true,
+ "action": false
}
+ }
]
- },
- "dataFlows": [
+ },
+ "instructionSteps": [
{
- "streams": [
- "[variables('logAnalyticsTableId')]"
- ],
- "destinations": [
- "[variables('destinationName')]"
- ]
+ "instructions": [
+ {
+ "type": "MarkdownControlEnvBased",
+ "parameters": {
+ "prodScript": "#### 1. Set up your GCP environment \n You must have the following GCP resources defined and configured: topic, subscription for the topic, workload identity pool, workload identity provider and service account with permissions to get and consume from subscription. \n Terraform provides API for the IAM that creates the resources. [Link to Terraform scripts](https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/GCP/Terraform/sentinel_resources_creation).",
+ "govScript": "#### 1. Set up your GCP environment \n You must have the following GCP resources defined and configured: topic, subscription for the topic, workload identity pool, workload identity provider and service account with permissions to get and consume from subscription. \n Terraform provides API for the IAM that creates the resources. [Link to Gov Terraform scripts](https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/GCP/Terraform/sentinel_resources_creation_gov)."
+ }
+ },
+ {
+ "type": "CopyableLabel",
+ "parameters": {
+ "label": "Tenant ID: A unique identifier that is used as an input in the Terraform configuration within a GCP environment.",
+ "fillWith": [
+ "TenantId"
+ ],
+ "name": "TenantId",
+ "disabled": true
+ }
+ },
+ {
+ "type": "Markdown",
+ "parameters": {
+ "content": "#### 2. Connect new collectors \n To enable GCP Audit Logs for Microsoft Sentinel, click the Add new collector button, fill the required information in the context pane and click on Connect."
+ }
+ },
+ {
+ "type": "GCPGrid",
+ "parameters": {}
+ },
+ {
+ "type": "GCPContextPane",
+ "parameters": {}
+ }
+ ]
}
- ]
+ ]
+ }
}
},
{
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition1')))]",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentId1'))]",
- "contentId": "[variables('_dataConnectorContentId1')]",
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition1'))]",
+ "contentId": "[variables('_dataConnectorContentIdConnectorDefinition1')]",
"kind": "DataConnector",
- "version": "[variables('dataConnectorVersion1')]",
+ "version": "[variables('dataConnectorCCPVersion')]",
"source": {
- "kind": "Solution",
- "name": "Google Cloud Platform Audit Logs",
- "sourceId": "[variables('_solutionId')]"
+ "sourceId": "[variables('_solutionId')]",
+ "name": "[variables('_solutionName')]",
+ "kind": "Solution"
},
"author": {
- "name": "Microsoft"
+ "name": "Microsoft",
+ "email": "[variables('_email')]"
},
"support": {
"name": "Microsoft Corporation",
@@ -239,37 +201,171 @@
"tier": "Microsoft",
"link": "https://support.microsoft.com"
},
- "dependencies": {
- "criteria": [
- {
- "kind": "DataConnector",
- "contentId": "[variables('_dataConnectorContentId2')]",
- "version": "[variables('dataConnectorVersion2')]"
- }
- ]
- }
+ "dependencies": {
+ "criteria": [
+ {
+ "version": "[variables('dataConnectorCCPVersion')]",
+ "contentId": "[variables('_dataConnectorContentIdConnections1')]",
+ "kind": "ResourcesDataConnector"
+ }
+ ]
+ }
+ }
+ },
+ {
+ "name": "GCPAuditLogs",
+ "apiVersion": "2022-06-01",
+ "type": "Microsoft.Insights/dataCollectionRules",
+ "location": "[parameters('workspace-location')]",
+ "kind": "[variables('blanks')]",
+ "properties": {
+ "destinations": {
+ "logAnalytics": [
+ {
+ "name": "clv2ws1",
+ "workspaceResourceId": "[variables('workspaceResourceId')]"
+ }
+ ]
+ },
+ "dataFlows": [
+ {
+ "streams": [
+ "Microsoft-GCPAuditLogs"
+ ],
+ "destinations": [
+ "clv2ws1"
+ ]
+ }
+ ],
+ "dataCollectionEndpointId": "[variables('dataCollectionEndpointId')]"
}
}
]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "contentProductId": "[concat(take(variables('_solutionId'), 50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentIdConnectorDefinition1'),'-', variables('dataConnectorCCPVersion'))))]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "version": "[variables('dataConnectorCCPVersion')]"
+ }
+ },
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition1'))]",
+ "apiVersion": "2022-09-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions",
+ "location": "[parameters('workspace-location')]",
+ "kind": "Customizable",
+ "properties": {
+ "connectorUiConfig": {
+ "id": "GCPAuditLogsDefinition",
+ "title": "GCP Pub/Sub Audit Logs",
+ "publisher": "Microsoft",
+ "descriptionMarkdown": "The Google Cloud Platform (GCP) audit logs, ingested from Microsoft Sentinel's connector, enables you to capture three types of audit logs: admin activity logs, data access logs, and access transparency logs. Google cloud audit logs record a trail that practitioners can use to monitor access and detect potential threats across Google Cloud Platform (GCP) resources.",
+ "graphQueriesTableName": "GCPAuditLogs",
+ "graphQueries": [
+ {
+ "metricName": "Total events received",
+ "legend": "GCP Audit Logs",
+ "baseQuery": "{{graphQueriesTableName}}"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "Get Sample of GCP Audit Logs",
+ "query": "{{graphQueriesTableName}}\n | take 10"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "{{graphQueriesTableName}}",
+ "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriteria": [
+ {
+ "type": "HasDataConnectors"
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": false
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "Read and Write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "read": true,
+ "write": true,
+ "delete": true,
+ "action": false
+ }
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "instructions": [
+ {
+ "type": "MarkdownControlEnvBased",
+ "parameters": {
+ "prodScript": "#### 1. Set up your GCP environment \n You must have the following GCP resources defined and configured: topic, subscription for the topic, workload identity pool, workload identity provider and service account with permissions to get and consume from subscription. \n Terraform provides API for the IAM that creates the resources. [Link to Terraform scripts](https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/GCP/Terraform/sentinel_resources_creation).",
+ "govScript": "#### 1. Set up your GCP environment \n You must have the following GCP resources defined and configured: topic, subscription for the topic, workload identity pool, workload identity provider and service account with permissions to get and consume from subscription. \n Terraform provides API for the IAM that creates the resources. [Link to Gov Terraform scripts](https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/GCP/Terraform/sentinel_resources_creation_gov)."
+ }
+ },
+ {
+ "type": "CopyableLabel",
+ "parameters": {
+ "label": "Tenant ID: A unique identifier that is used as an input in the Terraform configuration within a GCP environment.",
+ "fillWith": [
+ "TenantId"
+ ],
+ "name": "TenantId",
+ "disabled": true
+ }
+ },
+ {
+ "type": "Markdown",
+ "parameters": {
+ "content": "#### 2. Connect new collectors \n To enable GCP Audit Logs for Microsoft Sentinel, click the Add new collector button, fill the required information in the context pane and click on Connect."
+ }
+ },
+ {
+ "type": "GCPGrid",
+ "parameters": {}
+ },
+ {
+ "type": "GCPContextPane",
+ "parameters": {}
+ }
+ ]
+ }
+ ]
}
}
},
{
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition1')))]",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentId1'))]",
- "contentId": "[variables('_dataConnectorContentId1')]",
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition1'))]",
+ "contentId": "[variables('_dataConnectorContentIdConnectorDefinition1')]",
"kind": "DataConnector",
- "version": "[variables('dataConnectorVersion1')]",
+ "version": "[variables('dataConnectorCCPVersion')]",
"source": {
- "kind": "Solution",
- "name": "Google Cloud Platform Audit Logs",
- "sourceId": "[variables('_solutionId')]"
+ "sourceId": "[variables('_solutionId')]",
+ "name": "[variables('_solutionName')]",
+ "kind": "Solution"
},
"author": {
- "name": "Microsoft"
+ "name": "Microsoft",
+ "email": "[variables('_email')]"
},
"support": {
"name": "Microsoft Corporation",
@@ -277,264 +373,158 @@
"tier": "Microsoft",
"link": "https://support.microsoft.com"
},
- "dependencies": {
- "criteria": [
- {
- "kind": "DataConnector",
- "contentId": "[variables('_dataConnectorContentId2')]",
- "version": "[variables('dataConnectorVersion2')]"
- }
- ]
- }
- }
- },
- {
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
- "apiVersion": "2022-09-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions",
- "location": "[parameters('workspace-location')]",
- "kind": "Customizable",
- "properties": {
- "connectorUiConfig": {
- "id": "[variables('_uiConfigId1')]",
- "title": "GCP Pub/Sub Audit Logs",
- "publisher": "Microsoft",
- "descriptionMarkdown": "The Google Cloud Platform (GCP) audit logs, ingested from Sentinel's connector, enable you to capture three types of audit logs: admin activity logs, data access logs, and access transparency logs. Google cloud audit logs record a trail that practitioners can use to monitor access and detect potential threats across Google Cloud Platform (GCP) resources.",
- "graphQueriesTableName": "GCPAuditLogs",
- "graphQueries": [
- {
- "metricName": "Total events received",
- "legend": "GCP Audit Logs",
- "baseQuery": "{{graphQueriesTableName}}"
- }
- ],
- "sampleQueries": [
- {
- "description": "Get Sample of GCP Audit Logs",
- "query": "{{graphQueriesTableName}}\n | take 10"
- }
- ],
- "dataTypes": [
- {
- "name": "{{graphQueriesTableName}}",
- "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- }
- ],
- "connectivityCriteria": [
- {
- "type": "HasDataConnectors"
- }
- ],
- "availability": {
- "status": 1,
- "isPreview": false
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "Read and Write permissions are required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "read": true,
- "write": true,
- "delete": true,
- "action": false
- }
- }
- ]
- },
- "instructionSteps": [
- {
- "instructions": [
- {
- "type": "MarkdownControlEnvBased",
- "parameters": {
- "prodScript":
- "#### 1. Set up your GCP environment \n You must have the following GCP resources defined and configured: topic, subscription for the topic, workload identity pool, workload identity provider and service account with permissions to get and consume from subscription. \n Terraform provides API for the IAM that creates the resources. [Link to Terraform scripts](https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/GCP/Terraform/sentinel_resources_creation).",
- "govScript":
- "#### 1. Set up your GCP environment \n You must have the following GCP resources defined and configured: topic, subscription for the topic, workload identity pool, workload identity provider and service account with permissions to get and consume from subscription. \n Terraform provides API for the IAM that creates the resources. [Link to Gov Terraform scripts](https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/GCP/Terraform/sentinel_resources_creation_gov)."
+ "dependencies": {
+ "criteria": [
+ {
+ "version": "[variables('dataConnectorCCPVersion')]",
+ "contentId": "[variables('_dataConnectorContentIdConnections1')]",
+ "kind": "ResourcesDataConnector"
}
- },
- {
- "type": "CopyableLabel",
- "parameters": {
- "label": "Tenant ID: A unique identifier that is used as an input in the Terraform configuration within a GCP environment.",
- "fillWith": ["TenantId"],
- "name": "PoolId",
- "disabled": true
- }
- },
- {
- "type": "Markdown",
- "parameters": {
- "content": "#### 2. Connect new collectors \n To enable GCP Audit Logs for Microsoft Sentinel, click the Add new collector button, fill the required information in the context pane and click on Connect."
- }
- },
- {
- "type": "GCPGrid",
- "parameters":{}
- },
- {
- "type": "GCPContextPane",
- "parameters":{}
- }
- ]
- }
- ],
- "isConnectivityCriteriasMatchSome": false
- },
- "connectionsConfig": {
- "templateSpecName": "[concat('/subscriptions/',variables('subscription'),'/resourceGroups/',variables('resourceGroupName'),'/providers/Microsoft.Resources/templateSpecs/',variables('dataConnectorTemplateSpecName2'))]",
- "templateSpecVersion": "[variables('dataConnectorVersion2')]"
- }
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2022-02-01",
- "name": "[variables('dataConnectorTemplateSpecName2')]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "LogicAppsCustomConnector"
- },
- "properties": {
- "description": "GCPAuditLogs data connector with template",
- "displayName": "GCPAuditLogs template"
+ ]
+ }
}
},
- {
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2022-02-01",
- "name": "[concat(variables('dataConnectorTemplateSpecName2'),'/',variables('dataConnectorVersion2'))]",
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnections1'), variables('dataConnectorCCPVersion'))]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('dataConnectorTemplateSpecName2'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "LogicAppsCustomConnector"
- },
"properties": {
- "description": "GCPAuditLogs data connector with template version 2.0.3",
+ "contentId": "[variables('_dataConnectorContentIdConnections1')]",
+ "displayName": "GCP Pub/Sub Audit Logs",
+ "contentKind": "ResourcesDataConnector",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('dataConnectorVersion2')]",
+ "contentVersion": "[variables('dataConnectorCCPVersion')]",
"parameters": {
- "GCPProjectId": {
- "type": "String",
- "minLength": 4
- },
- "GCPProjectNumber": {
- "type": "String",
- "minLength": 1
- },
- "GCPWorkloadIdentityProviderId": {
- "type": "String"
- },
- "GCPServiceAccountEmail": {
- "type": "String",
- "minLength": 1
- },
- "GCPSubscriptionName": {
- "type": "String",
- "minLength": 3
- },
- "connectorDefinitionName": {
- "defaultValue": "connectorDefinitionName",
- "type": "string",
- "minLength": 1,
- "metadata": {
- "description": "connectorDefinitionName"
- }
- },
"workspace": {
"defaultValue": "[parameters('workspace')]",
"type": "string"
},
+ "GCPServiceAccountEmail": {
+ "defaultValue": "Enter GCPServiceAccountEmail value",
+ "type": "string",
+ "minLength": 4
+ },
+ "GCPProjectNumber": {
+ "defaultValue": "Enter GCPProjectNumber value",
+ "type": "string",
+ "minLength": 1
+ },
+ "GCPWorkloadIdentityProviderId": {
+ "defaultValue": "Enter GCPWorkloadIdentityProviderId value",
+ "type": "string",
+ "minLength": 4
+ },
+ "GCPProjectId": {
+ "defaultValue": "Enter GCPProjectId value",
+ "type": "string",
+ "minLength": 4
+ },
+ "GCPSubscriptionName": {
+ "defaultValue": "Enter GCPSubscriptionName value",
+ "type": "string",
+ "minLength": 3
+ },
+ "connectorDefinitionName": {
+ "defaultValue": "GCP Pub/Sub Audit Logs",
+ "type": "string",
+ "minLength": 1
+ },
"dcrConfig": {
- "type": "object",
"defaultValue": {
"dataCollectionEndpoint": "data collection Endpoint",
- "dataCollectionRuleImmutableId": "[variables('_dataCollectionRuleImmutableId')]"
- }
- },
- "guidValue": {
- "type": "string",
- "defaultValue": "[[newGuid()]"
- }
+ "dataCollectionRuleImmutableId": "data collection rule immutableId"
+ },
+ "type": "object"
+ }
},
"variables": {
- "_dataConnectorContentId2": "[variables('_dataConnectorContentId2')]",
- "connectorName": "[[concat('GCPAuditLogs', parameters('guidValue'))]"
+ "_dataConnectorContentIdConnections1": "[variables('_dataConnectorContentIdConnections1')]"
},
"resources": [
{
- "name": "[[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('connectorName'))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnections1')))]",
+ "apiVersion": "2022-01-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentIdConnections1'))]",
+ "contentId": "[variables('_dataConnectorContentIdConnections1')]",
+ "kind": "ResourcesDataConnector",
+ "version": "[variables('dataConnectorCCPVersion')]",
+ "source": {
+ "sourceId": "[variables('_solutionId')]",
+ "name": "[variables('_solutionName')]",
+ "kind": "Solution"
+ },
+ "author": {
+ "name": "Microsoft",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "tier": "Microsoft",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ },
+ {
+ "name": "[concat(parameters('workspace'), '/Microsoft.SecurityInsights', '/GCPAuditLogs')]",
"apiVersion": "2023-02-01-preview",
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
"location": "[parameters('workspace-location')]",
"kind": "GCP",
"properties": {
- "connectorDefinitionName": "[[parameters('connectorDefinitionName')]",
+ "connectorDefinitionName": "GCPAuditLogsDefinition",
+ "dataType": "GCPAuditLogs",
"dcrConfig": {
- "streamName": "[variables('streamName')]",
+ "streamName": "SENTINEL_GCP_AUDIT_LOGS",
"dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]",
"dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]"
},
- "dataType": "[variables('dataType')]",
"auth": {
- "serviceAccountEmail": "[[parameters('GCPServiceAccountEmail')]",
- "projectNumber": "[[parameters('GCPProjectNumber')]",
- "workloadIdentityProviderId": "[[parameters('GCPWorkloadIdentityProviderId')]"
+ "serviceAccountEmail": "[[parameters('GCPServiceAccountEmail')]",
+ "projectNumber": "[[parameters('GCPProjectNumber')]",
+ "workloadIdentityProviderId": "[[parameters('GCPWorkloadIdentityProviderId')]"
},
"request": {
- "projectId": "[[parameters('GCPProjectId')]",
- "subscriptionNames": [
- "[[parameters('GCPSubscriptionName')]"
- ]
- }
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]",
- "properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentId2'))]",
- "contentId": "[variables('_dataConnectorContentId2')]",
- "kind": "LogicAppsCustomConnector",
- "version": "[variables('dataConnectorVersion2')]",
- "source": {
- "kind": "Solution",
- "name": "Google Cloud Platform Audit Logs",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Microsoft"
- },
- "support": {
- "name": "Microsoft Corporation",
- "email": "support@microsoft.com",
- "tier": "Microsoft",
- "link": "https://support.microsoft.com"
+ "projectId": "[[parameters('GCPProjectId')]",
+ "subscriptionNames": [
+ "[[parameters('GCPSubscriptionName')]"
+ ]
}
}
}
]
- }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "contentProductId": "[concat(take(variables('_solutionId'), 50),'-','rdc','-', uniqueString(concat(variables('_solutionId'),'-','ResourcesDataConnector','-',variables('_dataConnectorContentIdConnections1'),'-', variables('dataConnectorCCPVersion'))))]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "version": "[variables('dataConnectorCCPVersion')]"
}
},
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages",
+ "apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
- "version": "2.0.3",
+ "version": "3.0.0",
"kind": "Solution",
- "contentSchemaVersion": "2.0.0",
+ "contentSchemaVersion": "3.0.0",
+ "displayName": "Google Cloud Platform Audit Logs",
+ "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation",
+ "descriptionHtml": "Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe Google Cloud Platform (GCP) audit logs, ingested from Microsoft Sentinel's connector, enables you to capture and track all activity that occurs in your GCP environment. These audit logs provide valuable insights for monitoring user activity, troubleshooting issues, and ensuring compliance with security regulations. They serve as a record of events that practitioners can utilize to monitor access and identify potential threats across GCP resources.
\nData Connectors: 1
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n", + "contentKind": "Solution", + "contentProductId": "[variables('_solutioncontentProductId')]", + "id": "[variables('_solutioncontentProductId')]", + "icon": "",
"contentId": "[variables('_solutionId')]",
"parentId": "[variables('_solutionId')]",
"source": {
@@ -543,32 +533,37 @@
"sourceId": "[variables('_solutionId')]"
},
"author": {
- "name": "Microsoft"
+ "name": "Microsoft",
+ "email": "[variables('_email')]"
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
- "link": "https://support.microsoft.com/"
+ "link": "https://support.microsoft.com"
},
"dependencies": {
"operator": "AND",
"criteria": [
{
"kind": "DataConnector",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "version": "[variables('dataConnectorVersion1')]"
+ "contentId": "[variables('_dataConnectorContentIdConnections1')]",
+ "version": "[variables('dataConnectorCCPVersion')]"
}
]
},
- "firstPublishDate": "2022-06-24",
- "providers": ["Microsoft"],
+ "firstPublishDate": "2023-03-29",
+ "providers": [
+ "Google"
+ ],
"categories": {
- "domains": ["Cloud Provider"]
+ "domains": [
+ "DevOps"
+ ]
}
},
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]"
}
],
"outputs": {}
-}
\ No newline at end of file
+}
diff --git a/Solutions/Google Cloud Platform Audit Logs/Package/testParameters.json b/Solutions/Google Cloud Platform Audit Logs/Package/testParameters.json
new file mode 100644
index 00000000000..554801e41b7
--- /dev/null
+++ b/Solutions/Google Cloud Platform Audit Logs/Package/testParameters.json
@@ -0,0 +1,38 @@
+{
+ "location": {
+ "type": "string",
+ "minLength": 1,
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
+ }
+ },
+ "workspace-location": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
+ }
+ },
+ "workspace": {
+ "defaultValue": "",
+ "type": "string",
+ "metadata": {
+ "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
+ }
+ },
+ "resourceGroupName": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().name]",
+ "metadata": {
+ "description": "resource group name where Microsoft Sentinel is setup"
+ }
+ },
+ "subscription": {
+ "type": "string",
+ "defaultValue": "[last(split(subscription().id, '/'))]",
+ "metadata": {
+ "description": "subscription id where Microsoft Sentinel is setup"
+ }
+ }
+}
diff --git a/Solutions/Google Cloud Platform Audit Logs/ReleaseNotes.md b/Solutions/Google Cloud Platform Audit Logs/ReleaseNotes.md
new file mode 100644
index 00000000000..3b7f885b196
--- /dev/null
+++ b/Solutions/Google Cloud Platform Audit Logs/ReleaseNotes.md
@@ -0,0 +1,3 @@
+| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
+|-------------|--------------------------------|--------------------------------------------------------------------|
+| 3.0.0 | 15-01-2024 | Created CCP Package |
\ No newline at end of file