diff --git a/.script/tests/KqlvalidationsTests/CustomTables/ApigeeXV2_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/ApigeeXV2_CL.json
new file mode 100644
index 00000000000..eeb09a96161
--- /dev/null
+++ b/.script/tests/KqlvalidationsTests/CustomTables/ApigeeXV2_CL.json
@@ -0,0 +1,41 @@
+{
+ "Name": "ApigeeXV2_CL",
+ "properties": [
+ {
+ "name": "protoPayload",
+ "type": "dynamic"
+ },
+ {
+ "name": "insertId",
+ "type": "string"
+ },
+ {
+ "name": "resource",
+ "type": "dynamic"
+ },
+ {
+ "name": "timestamp",
+ "type": "datetime"
+ },
+ {
+ "name": "severity",
+ "type": "string"
+ },
+ {
+ "name": "logName",
+ "type": "string"
+ },
+ {
+ "name": "receiveTimestamp",
+ "type": "datetime"
+ },
+ {
+ "name": "TimeGenerated",
+ "type": "datetime"
+ },
+ {
+ "name": "payload_request_name_s",
+ "type": "string"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/ApigeeX_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/ApigeeX_CL.json
index d02edf29fe0..3f637043ec9 100644
--- a/.script/tests/KqlvalidationsTests/CustomTables/ApigeeX_CL.json
+++ b/.script/tests/KqlvalidationsTests/CustomTables/ApigeeX_CL.json
@@ -92,10 +92,6 @@
 "Name": "log_name",
 "Type": "string"
 },
- {
- "Name": "insert_id_",
- "Type": "string"
- },
 {
 "Name": "severity",
 "Type": "string"
@@ -244,10 +240,6 @@
 "Name": "log_name",
 "Type": "string"
 },
- {
- "Name": "insert_id",
- "Type": "string"
- },
 {
 "Name": "severity",
 "Type": "string"
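Review bot: The test schema declares `payload_request_name_s` as a column of `ApigeeXV2_CL`, but neither the DCR stream declaration in ApigeeXV2_DCR.json nor the table definition in ApigeeXV2_table.json in this same change defines that column, and the DCR's transformKql only adds `TimeGenerated`. Any KQL that passes validation only because of this extra column will fail at query time against the real table, so either drop it here or add it to the table, the stream declaration and a transform that actually produces it. The file also keys its columns with lowercase `name`/`type` while ApigeeX_CL.json below uses `Name`/`Type`; if the validation harness matches keys case-sensitively this table will not load, which is worth confirming.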
@@ -329,12 +321,140 @@
 "Type": "datetime"
 },
 {
- "Name": "Type",
+ "Name": "_ResourceId",
 "Type": "string"
 },
 {
- "Name": "_ResourceId",
+ "Name": "payload_request_name_s",
+ "Type": "string"
+ },
+ {
+ "Name": "payload_request_environment_apiProxyType_s",
+ "Type": "string"
+ },
+ {
+ "Name": "payload_request_environment_deploymentType_s",
+ "Type": "string"
+ },
+ {
+ "Name": "payload_request_environment_description_s",
+ "Type": "string"
+ },
+ {
+ "Name": "payload_request_environment_displayname_s",
+ "Type": "string"
+ },
+ {
+ "Name": "payload_request_environment_name_s",
+ "Type": "string"
+ },
+ {
+ "Name": "payload_response_type_s",
 "Type": "string"
+ },
+ {
+ "Name": "payload_response_name_s",
+ "Type": "string"
+ },
+ {
+ "Name": "payload_response_displayName_s",
+ "Type": "string"
+ },
+ {
+ "Name": "payload_response_apiProxyType_s",
+ "Type": "string"
+ },
+ {
+ "Name": "payload_status_message_s",
+ "Type": "string"
+ },
+ {
+ "Name": "payload_request_reportTime_s",
+ "Type": "string"
+ },
+ {
+ "Name": "insert_id_s",
+ "Type": "string"
+ },
+ {
+ "Name": "resource_type_s",
+ "Type": "string"
+ },
+ {
+ "Name": "severity_s",
+ "Type": "string"
+ },
+ {
+ "Name": "payload__type_s",
+ "Type": "string"
+ },
+ {
+ "Name": "log_name_s",
+ "Type": "string"
+ },
+ {
+ "Name": "payload_methodName_s",
+ "Type": "string"
+ },
+ {
+ "Name": "resource_labels_project_id_s",
+ "Type": "string"
+ },
+ {
+ "Name": "resource_labels_service_s",
+ "Type": "string"
+ },
+ {
+ "Name": "resource_labels_method_s",
+ "Type": "string"
+ },
+ {
+ "Name": "payload_authenticationInfo_principalEmail_s",
+ "Type": "string"
+ },
+ {
+ "Name": "payload_requestMetadata_callerIp_s",
+ "Type": "string"
+ },
+ {
+ "Name": "payload_requestMetadata_callerSuppliedUserAgent_s",
+ "Type": "string"
+ },
+ {
+ "Name": "payload_requestMetadata_requestAttributes_time_s",
+ "Type": "string"
+ },
+ {
+ "Name": "payload_serviceName_s",
+ "Type": "string"
+ },
+ {
+ "Name": 
"payload_authorizationInfo_s",
+ "Type": "string"
+ },
+ {
+ "Name": "payload_resourceName_s",
+ "Type": "string"
+ },
+ {
+ "Name": "payload_request_type_s",
+ "Type": "string"
+ },
+ {
+ "Name": "payload_request_instanceUid_g",
+ "Type": "string"
+ },
+ {
+ "Name": "payload_requestMetadata_requestAttributes_time_t",
+ "Type": "datetime"
+ },
+ {
+ "Name": "timestamp_t",
+ "Type": "datetime"
+ },
+ {
+ "Name": "payload_status_code_d",
+ "Type": "real"
 }
 ]
 }
\ No newline at end of file
diff --git a/Sample Data/Custom/ApigeeXV2.json b/Sample Data/Custom/ApigeeXV2.json
new file mode 100644
index 00000000000..ef85a28a519
--- /dev/null
+++ b/Sample Data/Custom/ApigeeXV2.json
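Review bot: The hunk silently drops the `Type` column from the ApigeeX_CL test schema (the first removed line replaces `"Name": "Type"` with `_ResourceId`, and the old `_ResourceId` entry becomes `payload_request_name_s`), so any parser or query that still projects `Type` will now fail KQL validation; the ApigeeX.yaml parser is not in this diff, so confirm it does not reference that column. Separately, `payload_request_instanceUid_g` is typed `string` although the `_g` suffix is the Log Analytics custom-log convention for GUID columns, which should be `guid` if the live table was created that way. The schema now also carries both the unsuffixed `severity`/`log_name` (context lines in the earlier hunks) and the suffixed `severity_s`/`log_name_s`; if that mirrors the live table it is fine, but a one-line note in the PR description would keep a later cleanup from breaking validation again.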
@@ -0,0 +1,52 @@
+[
+ {
+ "protoPayload": {
+ "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
+ "authenticationInfo": {
+ "principalEmail": "sanitized@sanitized.com",
+ "principalSubject": "sanitized@sanitized.com"
+ },
+ "requestMetadata": {
+ "callerIp": "gce-internal-ip",
+ "callerSuppliedUserAgent": "Go-http-client/1.1,gzip(gfe)",
+ "requestAttributes": {
+ "time": "2024-12-11T18:36:57.957393509Z",
+ "auth": {}
+ },
+ "destinationAttributes": {}
+ },
+ "serviceName": "apigee.googleapis.com",
+ "methodName": "google.cloud.apigee.v1.RuntimeService.ReportInstanceStatus",
+ "authorizationInfo": [
+ {
+ "resource": "organizations/project-id/instances/eval-instance",
+ "permission": "apigee.instances.reportStatus",
+ "granted": true,
+ "resourceAttributes": {},
+ "permissionType": "ADMIN_WRITE"
+ }
+ ],
+ "resourceName": "organizations/project-id/instances/eval-instance",
+ "request": {
+ "@type": "type.googleapis.com/google.cloud.apigee.v1.ReportInstanceStatusRequest",
+ "instanceUid": "1bd146a8-523d-4f4b-bb4f-82df179d1152",
+ "instance": "organizations/project-id/instances/eval-instance",
+ "reportTime": "2024-12-11T18:36:57.910622476Z"
+ },
+ "resourceLocation": {}
+ },
+ "insertId": "y59wnoe38mgg",
+ "resource": {
+ "type": "audited_resource",
+ "labels": {
+ "project_id": "project-id",
+ "method": "google.cloud.apigee.v1.RuntimeService.ReportInstanceStatus",
+ "service": "apigee.googleapis.com"
+ }
+ },
+ "timestamp": "2024-12-11T18:36:58.766977706Z",
+ "severity": "NOTICE",
+ "logName": "projects/project-id/logs/cloudaudit.googleapis.com%2Factivity",
+ "receiveTimestamp": "2024-12-11T18:36:58.766977706Z"
+ }
+]
diff --git a/Solutions/Google Apigee/Data Connectors/Apigee_GCP_CCP/ApigeeXV2_Config.json b/Solutions/Google Apigee/Data Connectors/Apigee_GCP_CCP/ApigeeXV2_Config.json
new file mode 100644
index 00000000000..67e2f890e56
--- /dev/null
+++ b/Solutions/Google Apigee/Data Connectors/Apigee_GCP_CCP/ApigeeXV2_Config.json
@@ -0,0 +1,27 @@
+{
+ "name": "GCPApigeeXV2CCP",
+ "apiVersion": "2022-12-01-preview",
+ "type": "Microsoft.SecurityInsights/dataConnectors",
+ "location": "{{location}}",
+ "kind": "GCP",
+ "properties": {
+ "connectorDefinitionName": "GoogleApigeeCCPDefinition",
+ "dcrConfig": {
+ "streamName": "Custom-ApigeeXV2_CL",
+ "dataCollectionEndpoint": "{{dataCollectionEndpointResourceID}}",
+ "dataCollectionRuleImmutableId": "{{dataCollectionRuleImmutableId}}"
+ },
+ "dataType": "ApigeeXV2_CL",
+ "auth": {
+ "serviceAccountEmail": "{{GCPServiceAccountEmail}}",
+ "projectNumber": "{{GCPProjectNumber}}",
+ "workloadIdentityProviderId": "{{GCPWorkloadIdentityProviderId}}"
+ },
+ "request": {
+ "projectId": "{{GCPProjectId'}}",
+ "subscriptionNames": [
+ "{{GCPSubscriptionName}}"
+ ]
+ }
+ }
+}
diff --git a/Solutions/Google Apigee/Data Connectors/Apigee_GCP_CCP/ApigeeXV2_DCR.json b/Solutions/Google Apigee/Data Connectors/Apigee_GCP_CCP/ApigeeXV2_DCR.json
new file mode 100644
index 00000000000..03867c2e1f6
--- /dev/null
+++ b/Solutions/Google Apigee/Data Connectors/Apigee_GCP_CCP/ApigeeXV2_DCR.json
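Review bot: `"projectId": "{{GCPProjectId'}}"` has a stray apostrophe inside the placeholder, so the template engine will not substitute it and the connector would be created with the literal text `{{GCPProjectId'}}` as its project id; it should read `"projectId": "{{GCPProjectId}}"`. Also, `dcrConfig.dataCollectionEndpoint` uses `{{dataCollectionEndpointResourceID}}` while ApigeeXV2_DCR.json uses `{{dataCollectionEndpointResourceId}}`; unless placeholder names are resolved case-insensitively one of the two files will be left unfilled, so pick a single spelling for both.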
@@ -0,0 +1,66 @@
+[
+ {
+ "type": "Microsoft.Insights/dataCollectionRules",
+ "apiVersion": "2023-03-11",
+ "name": "ApigeeXV2_CL",
+ "location": "{{location}}",
+ "properties": {
+ "dataCollectionEndpointId": "{{dataCollectionEndpointResourceId}}",
+ "streamDeclarations": {
+ "Custom-ApigeeXV2_CL": {
+ "columns": [
+ {
+ "name": "protoPayload",
+ "type": "dynamic"
+ },
+ {
+ "name": "insertId",
+ "type": "string"
+ },
+ {
+ "name": "resource",
+ "type": "dynamic"
+ },
+ {
+ "name": "timestamp",
+ "type": "datetime"
+ },
+ {
+ "name": "severity",
+ "type": "string"
+ },
+ {
+ "name": "logName",
+ "type": "string"
+ },
+ {
+ "name": "receiveTimestamp",
+ "type": "datetime"
+ }
+ ]
+ }
+ },
+ "dataSources": {},
+ "destinations": {
+ "logAnalytics": [
+ {
+ "workspaceResourceId": "[variables('logAnalyticsWorkspaceResourceId)]",
+ "name": "SentinelWorkspace"
+ }
+ ]
+ },
+ "dataFlows": [
+ {
+ "streams": [
+ "Custom-ApigeeXV2_CL"
+ ],
+ "destinations": [
+ "SentinelWorkspace"
+ ],
+ "transformKql": "source\n| extend TimeGenerated = timestamp\n",
+ "outputStream": "Custom-ApigeeXV2_CL"
+ }
+ ]
+ }
+ }
+]
diff --git a/Solutions/Google Apigee/Data Connectors/Apigee_GCP_CCP/ApigeeXV2_DataConnectorDefinition.json b/Solutions/Google Apigee/Data Connectors/Apigee_GCP_CCP/ApigeeXV2_DataConnectorDefinition.json
new file mode 100644
index 00000000000..59451043d33
--- /dev/null
+++ b/Solutions/Google Apigee/Data Connectors/Apigee_GCP_CCP/ApigeeXV2_DataConnectorDefinition.json
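Review bot: `"workspaceResourceId": "[variables('logAnalyticsWorkspaceResourceId)]"` is missing the closing single quote on the variable name, so the ARM expression will fail to parse when the DCR is deployed; it should be `"workspaceResourceId": "[variables('logAnalyticsWorkspaceResourceId')]"`. The transform `source | extend TimeGenerated = timestamp` will yield an empty `TimeGenerated` for any record whose `timestamp` is missing or unparsable, and what the pipeline then does with such rows is not visible here; if dropping them is not acceptable, a fallback such as `coalesce(timestamp, now())` is worth considering, but confirm the intended behaviour first.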
@@ -0,0 +1,106 @@
+{
+ "name": "GoogleApigeeCCPDefinition",
+ "apiVersion": "2022-09-01-preview",
+ "type": "Microsoft.SecurityInsights/dataConnectorDefinitions",
+ "location": "{{location}}",
+ "kind": "Customizable",
+ "properties": {
+ "connectorUiConfig": {
+ "id": "GoogleApigeeCCPDefinition",
+ "title": "Google ApigeeX (CCP) (Preview)",
+ "publisher": "Microsoft",
+ "descriptionMarkdown": "The [Google ApigeeX](https://cloud.google.com/apigee/docs) data connector provides the capability to ingest ApigeeX audit logs into Microsoft Sentinel using the GCP PubSub functionality. Refer to [GCP PubSub and Microsoft Sentinel documentation](https://learn.microsoft.com/azure/sentinel/connect-google-cloud-platform?tabs=terraform%2Cauditlogs) for more information on the architecture and flow.",
+ "graphQueriesTableName": "ApigeeXV2_CL",
+ "graphQueries": [
+ {
+ "metricName": "Total ApigeeX events received",
+ "legend": "ApigeeX events received",
+ "baseQuery": "ApigeeXV2_CL"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "Get Sample of ApigeeX logs",
+ "query": "ApigeeXV2_CL\n | take 10"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "ApigeeXV2_CL",
+ "lastDataReceivedQuery": "ApigeeXV2_CL\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriteria": [
+ {
+ "type": "HasDataConnectors",
+ "value": null
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": false
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "Read and Write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "read": true,
+ "write": true,
+ "delete": true,
+ "action": false
+ }
+ }
+ ],
+ "customs": [
+ {
+ "name": "GCP Service Account",
+ "description": "GCP service account with permissions to read logs is required for GCP Logging API. 
Also json file with service account key is required. See the documentation to learn more about [required permissions](https://cloud.google.com/iam/docs/audit-logging#audit_log_permissions), [creating service account](https://cloud.google.com/iam/docs/creating-managing-service-accounts) and [creating service account key](https://cloud.google.com/iam/docs/creating-managing-service-account-keys)." + } + ] + }, + "instructionSteps": [ + { + "instructions": [ + { + "type": "MarkdownControlEnvBased", + "parameters": { + "prodScript": + "#### 1. Set up your GCP environment
You must have the following GCP resources defined and configured:
- topic
- subscription for the topic
- workload identity pool
- workload identity provider
- service account with permissions to get and consume from subscription

There are two methods to configure the required resources:
1.[RECOMMENDED] Provided Terraform scripts that configure the key resources: For the service account, custom role, and identity pool, please use [this script](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/GCP/Terraform/sentinel_resources_creation/GCPInitialAuthenticationSetup/GCPInitialAuthenticationSetup.tf) and [instructions](https://learn.microsoft.com/en-us/azure/sentinel/connect-google-cloud-platform?tabs=terraform%2Cauditlogs#gcp-authentication-setup). For the log sink, topic, and subscription to PubSub, please use the [following script](https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/GCP/Terraform/sentinel_resources_creation) and [instructions](https://learn.microsoft.com/en-us/azure/sentinel/connect-google-cloud-platform?tabs=terraform%2Cauditlogs)
2. Manually deploy each resource. For this process, please see our [reference document.](https://learn.microsoft.com/en-us/azure/sentinel/connect-google-cloud-platform?tabs=manual%2Cauditlogs)

NOTE: These instructions do not include enabling APIGee in the environment. You will need to either enable the service before or after the deployment of the connector.", + "govScript": + "#### 1. Set up your GCP environment
You must have the following GCP resources defined and configured:
- topic
- subscription for the topic
- workload identity pool
- workload identity provider
- service account with permissions to get and consume from subscription

There are two methods to configure the required resources:
1.[RECOMMENDED] Provided Terraform scripts that configure the key resources: For the service account, custom role, and identity pool, please use [this script](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/GCP/Terraform/sentinel_resources_creation/GCPInitialAuthenticationSetup/GCPInitialAuthenticationSetup.tf) and [instructions](https://learn.microsoft.com/en-us/azure/sentinel/connect-google-cloud-platform?tabs=terraform%2Cauditlogs#gcp-authentication-setup). For the log sink, topic, and subscription to PubSub, please use the [following script](https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/GCP/Terraform/sentinel_resources_creation_gov) and [instructions](https://learn.microsoft.com/en-us/azure/sentinel/connect-google-cloud-platform?tabs=terraform%2Cauditlogs)
2. Manually deploy each resource. For this process, please see our [reference document.](https://learn.microsoft.com/en-us/azure/sentinel/connect-google-cloud-platform?tabs=manual%2Cauditlogs)

NOTE: These instructions do not include enabling APIGee in the environment. You will need to either enable the service before or after the deployment of the connector."
+ }
+ },
+ {
+ "type": "CopyableLabel",
+ "parameters": {
+ "label": "Tenant ID: A unique identifier that is used as an input in the Terraform configuration within a GCP environment.",
+ "fillWith": ["TenantId"],
+ "name": "PoolId",
+ "disabled": true
+ }
+ },
+ {
+ "type": "Markdown",
+ "parameters": {
+ "content": "#### 2. Connect new collectors \n To enable GCP Apigee Logs for Microsoft Sentinel, click the Add new collector button, fill the required information in the context pane and click on Connect."
+ }
+ },
+ {
+ "type": "GCPGrid",
+ "parameters":{}
+ },
+ {
+ "type": "GCPContextPane",
+ "parameters":{}
+ }
+ ]
+ }
+ ],
+ "isConnectivityCriteriasMatchSome": false
+ }
+ }
+}
diff --git a/Solutions/Google Apigee/Data Connectors/Apigee_GCP_CCP/ApigeeXV2_table.json b/Solutions/Google Apigee/Data Connectors/Apigee_GCP_CCP/ApigeeXV2_table.json
new file mode 100644
index 00000000000..c4be3ba0ed7
--- /dev/null
+++ b/Solutions/Google Apigee/Data Connectors/Apigee_GCP_CCP/ApigeeXV2_table.json
@@ -0,0 +1,45 @@
+{
+ "name": "ApigeeXV2_CL",
+ "apiVersion": "2022-10-01",
+ "type": "Microsoft.OperationalInsights/workspaces/tables",
+ "location": "{{location}}",
+ "properties": {
+ "schema": {
+ "name": "ApigeeXV2_CL",
+ "columns": [
+ {
+ "name": "protoPayload",
+ "type": "dynamic"
+ },
+ {
+ "name": "insertId",
+ "type": "string"
+ },
+ {
+ "name": "resource",
+ "type": "dynamic"
+ },
+ {
+ "name": "timestamp",
+ "type": "datetime"
+ },
+ {
+ "name": "severity",
+ "type": "string"
+ },
+ {
+ "name": "logName",
+ "type": "string"
+ },
+ {
+ "name": "receiveTimestamp",
+ "type": "datetime"
+ },
+ {
+ "name": "TimeGenerated",
+ "type": "datetime"
+ }
+ ]
+ }
+ }
+}
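Review bot: The `customs` entry tells the operator that a JSON service-account key file is required, but this connector authenticates through workload identity federation (ApigeeXV2_Config.json carries `workloadIdentityProviderId`, and the instruction steps above list a workload identity pool and provider, not a key), so the text steers people into minting a long-lived credential the connector never uses; rewrite it along the lines of `"description": "GCP service account bound to a workload identity pool, with permission to consume from the Pub/Sub subscription, is required."` and drop the "creating service account key" link. The same sentence says the account is "required for GCP Logging API" although `descriptionMarkdown` describes Pub/Sub ingestion. Two smaller inconsistencies: `permissionsDisplayText` says only read and write are required while `requiredPermissions.delete` is `true`, and `availability.isPreview` is `false` while the title carries "(Preview)". The `prodScript`/`govScript` values appear to contain raw line breaks (the lines between the two `#### 1.` headings have lost their diff markers in this view), which a strict JSON parser rejects, so confirm the committed file uses `\n` escapes.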
diff --git a/Solutions/Google Apigee/Data/Solution_Google Apigee.json b/Solutions/Google Apigee/Data/Solution_Google Apigee.json index d6b31ddf7fc..5ceffdcf37e 100644 --- a/Solutions/Google Apigee/Data/Solution_Google Apigee.json +++ b/Solutions/Google Apigee/Data/Solution_Google Apigee.json 
@@ -2,16 +2,19 @@
 "Name": "Google Apigee",
 "Author": "Microsoft - support@microsoft.com",
 "Logo": "",
- "Description": "The [Google ApigeeX](https://cloud.google.com/apigee/docs) solution provides the capability to ingest ApigeeX audit logs into Microsoft Sentinel using the GCP Logging API. Refer to [GCP Logging API documentation](https://cloud.google.com/logging/docs/reference/v2/rest) for more information.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\n\nb. [Azure Functions](https://azure.microsoft.com/services/functions/#overview)",
+ "Description": "The [Google ApigeeX](https://cloud.google.com/apigee/docs) solution provides the capability to ingest ApigeeX audit logs into Microsoft Sentinel using the GCP Logging API or PubSub architecture. Refer to [GCP Logging API documentation](https://cloud.google.com/logging/docs/reference/v2/rest) for more information on the Azure Function connector and the [Microsoft Sentinel documentation](https://learn.microsoft.com/azure/sentinel/connect-google-cloud-platform?tabs=terraform%2Cauditlogs) for the basics on PubSub based ingestion.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\n\nb. 
[Azure Functions](https://azure.microsoft.com/services/functions/#overview)",
 "Data Connectors": [
- "Data Connectors/ApigeeX_FunctionApp.json"
+ "Data Connectors/ApigeeX_FunctionApp.json",
+ "Data Connectors/Apigee_GCP_CCP/ApigeeXV2_DataConnectorDefinition.json"
 ],
 "Parsers": [
- "Parsers/ApigeeX.yaml"
+ "Parsers/ApigeeX.yaml",
+ "Parsers/ApigeeXV2.yaml",
+ "Parsers/Unified_ApigeeX.yaml"
 ],
 "BasePath": "C:\\Sentinel-Repos\\19.05.22\\Azure-Sentinel\\Solutions\\Google Apigee",
- "Version": "3.0.0",
+ "Version": "3.1.0",
 "Metadata": "SolutionMetadata.json",
 "TemplateSpec": true,
 "Is1Pconnector": false
-}
\ No newline at end of file
+}
diff --git a/Solutions/Google Apigee/Package/3.1.0.zip b/Solutions/Google Apigee/Package/3.1.0.zip
new file mode 100644
index 00000000000..ea212d80c7a
Binary files /dev/null and b/Solutions/Google Apigee/Package/3.1.0.zip differ
diff --git a/Solutions/Google Apigee/Package/createUiDefinition.json b/Solutions/Google Apigee/Package/createUiDefinition.json
index c1364171da7..88bad44f11f 100644
--- a/Solutions/Google Apigee/Package/createUiDefinition.json
+++ b/Solutions/Google Apigee/Package/createUiDefinition.json
@@ -6,7 +6,7 @@
 "config": {
 "isWizard": false,
 "basics": {
- "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Google%20Apigee/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Google ApigeeX](https://cloud.google.com/apigee/docs) solution provides the capability to ingest ApigeeX audit logs into Microsoft Sentinel using the GCP Logging API. Refer to [GCP Logging API documentation](https://cloud.google.com/logging/docs/reference/v2/rest) for more information.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\n\nb. 
[Azure Functions](https://azure.microsoft.com/services/functions/#overview)\n\n**Data Connectors:** 1, **Parsers:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Google%20Apigee/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Google ApigeeX](https://cloud.google.com/apigee/docs) solution provides the capability to ingest ApigeeX audit logs into Microsoft Sentinel using the GCP Logging API or PubSub architecture. Refer to [GCP Logging API documentation](https://cloud.google.com/logging/docs/reference/v2/rest) for more information on the Azure Function connector and the [Microsoft Sentinel documentation](https://learn.microsoft.com/azure/sentinel/connect-google-cloud-platform?tabs=terraform%2Cauditlogs) for the basics on PubSub based ingestion.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\n\nb. [Azure Functions](https://azure.microsoft.com/services/functions/#overview)\n\n**Data Connectors:** 2, **Parsers:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
 "subscription": {
 "resourceProviders": [
 "Microsoft.OperationsManagement/solutions",
@@ -64,14 +64,7 @@
 }
 },
 {
- "name": "dataconnectors-parser-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel."
- }
- },
- {
- "name": "dataconnectors-link2",
+ "name": "dataconnectors-link1",
 "type": "Microsoft.Common.TextBlock",
 "options": {
 "link": {
diff --git a/Solutions/Google Apigee/Package/mainTemplate.json b/Solutions/Google Apigee/Package/mainTemplate.json
index b3811da7325..d6e1ed6f64a 100644
--- a/Solutions/Google Apigee/Package/mainTemplate.json
+++ b/Solutions/Google Apigee/Package/mainTemplate.json
@@ -27,13 +27,27 @@
 "metadata": {
 "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
 }
+ },
+ "resourceGroupName": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().name]",
+ "metadata": {
+ "description": "resource group name where Microsoft Sentinel is setup"
+ }
+ },
+ "subscription": {
+ "type": "string",
+ "defaultValue": "[last(split(subscription().id, '/'))]",
+ "metadata": {
+ "description": "subscription id where Microsoft Sentinel is setup"
+ }
 }
 },
 "variables": {
 "email": "support@microsoft.com",
 "_email": "[variables('email')]",
 "_solutionName": "Google Apigee",
- "_solutionVersion": "3.0.0",
+ "_solutionVersion": "3.1.0",
 "solutionId": "azuresentinel.azure-sentinel-solution-googleapigeex",
 "_solutionId": "[variables('solutionId')]",
 "uiConfigId1": "ApigeeXDataConnector",
@@ -45,6 +59,15 @@
 "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]",
 "dataConnectorVersion1": "1.0.0",
 "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]",
+ "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
+ "dataConnectorCCPVersion": "1.0.0",
+ "_dataConnectorContentIdConnectorDefinition2": "GoogleApigeeCCPDefinition",
+ "dataConnectorTemplateNameConnectorDefinition2": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnectorDefinition2')))]",
+ "_dataConnectorContentIdConnections2": "GoogleApigeeCCPDefinitionConnections",
+ "dataConnectorTemplateNameConnections2": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnections2')))]",
+ "dataCollectionEndpointResourceId2": "[concat('/subscriptions/',parameters('subscription'),'/resourceGroups/',parameters('resourceGroupName'),'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('workspace'))]",
+ "blanks": "[replace('b', 'b', '')]",
+ "TemplateEmptyObject": "[json('{}')]",
 "parserObject1": {
 "_parserName1": "[concat(parameters('workspace'),'/','ApigeeX')]",
 "_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'ApigeeX')]",
@@ -52,6 +75,20 @@
 "parserVersion1": "1.0.0",
 "parserContentId1": "ApigeeX-Parser"
 },
+ "parserObject2": {
+ "_parserName2": "[concat(parameters('workspace'),'/','ApigeeXv2')]",
+ "_parserId2": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'ApigeeXv2')]",
+ "parserTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('ApigeeXv2-Parser')))]",
+ "parserVersion2": "1.0.0",
+ "parserContentId2": "ApigeeXv2-Parser"
+ },
+ "parserObject3": {
+ "_parserName3": "[concat(parameters('workspace'),'/','Unified_ApigeeX')]",
+ "_parserId3": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Unified_ApigeeX')]",
+ "parserTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('Unified_ApigeeX-Parser')))]",
+ "parserVersion3": "1.0.0",
+ "parserContentId3": "Unified_ApigeeX-Parser"
+ },
 "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
 },
 "resources": [
@@ -64,7 +101,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Google Apigee data connector with template version 3.0.0",
+ "description": "Google Apigee data connector with template version 3.1.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('dataConnectorVersion1')]",
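Review bot: `parserObject2` registers the new parser as `ApigeeXv2` (lowercase `v` in `_parserName2`, `_parserId2`, `parserTemplateSpecName2` and `parserContentId2`), while everything else in this change spells it `ApigeeXV2` (the table `ApigeeXV2_CL`, `Parsers/ApigeeXV2.yaml` in the solution manifest, and the connector definition). KQL function names are case-sensitive, so a Unified_ApigeeX parser or an analytic that calls `ApigeeXV2` will not resolve if the saved-search alias is `ApigeeXv2`. Since mainTemplate.json is generated from the parser YAML, the FunctionAlias in ApigeeXV2.yaml (not in this diff) is presumably the source of the mismatch and should be aligned with the table name before the package is regenerated.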
@@ -409,56 +446,140 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('parserObject1').parserTemplateSpecName1]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnectorDefinition2'), variables('dataConnectorCCPVersion'))]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ApigeeX Data Parser with template version 3.0.0", + "contentId": "[variables('_dataConnectorContentIdConnectorDefinition2')]", + "displayName": "Google ApigeeX (CCP) (Preview)", + "contentKind": "DataConnector", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('parserObject1').parserVersion1]", + "contentVersion": "[variables('dataConnectorCCPVersion')]", "parameters": {}, "variables": {}, "resources": [ { - "name": "[variables('parserObject1')._parserName1]", - "apiVersion": "2022-10-01", - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition2'))]", + "apiVersion": "2022-09-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions", "location": "[parameters('workspace-location')]", + "kind": "Customizable", "properties": { - "eTag": "*", - "displayName": "ApigeeX", - "category": "Microsoft Sentinel Parser", - "functionAlias": "ApigeeX", - "query": "ApigeeX_CL\n| extend EventVendor = 'Google'\n| extend EventProduct = 'ApigeeX'\n| project-rename\n EventSeverity=severity_s,\n EventEndTime=timestamp_t,\n 
SrcIpAddr=payload_requestMetadata_callerIp_s,\n HttpUserAgentOriginal=payload_requestMetadata_callerSuppliedUserAgent_s\n", - "functionParameters": "", - "version": 2, - "tags": [ - { - "name": "description", - "value": "" - } - ] + "connectorUiConfig": { + "id": "GoogleApigeeCCPDefinition", + "title": "Google ApigeeX (CCP) (Preview)", + "publisher": "Microsoft", + "descriptionMarkdown": "The [Google ApigeeX](https://cloud.google.com/apigee/docs) data connector provides the capability to ingest ApigeeX audit logs into Microsoft Sentinel using the GCP PubSub functionality. Refer to [GCP PubSub and Microsoft Sentinel documentation](https://learn.microsoft.com/azure/sentinel/connect-google-cloud-platform?tabs=terraform%2Cauditlogs) for more information on the architecture and flow.", + "graphQueriesTableName": "ApigeeXV2_CL", + "graphQueries": [ + { + "metricName": "Total ApigeeX events received", + "legend": "ApigeeX events received", + "baseQuery": "ApigeeXV2_CL" + } + ], + "sampleQueries": [ + { + "description": "Get Sample of ApigeeX logs", + "query": "ApigeeXV2_CL\n | take 10" + } + ], + "dataTypes": [ + { + "name": "ApigeeXV2_CL", + "lastDataReceivedQuery": "ApigeeXV2_CL\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriteria": [ + { + "type": "HasDataConnectors", + "value": null + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "Read and Write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true, + "action": false + } + } + ], + "customs": [ + { + "name": "GCP Service Account", + "description": "GCP service account with permissions to read logs is required for GCP Logging API. 
Also json file with service account key is required. See the documentation to learn more about [required permissions](https://cloud.google.com/iam/docs/audit-logging#audit_log_permissions), [creating service account](https://cloud.google.com/iam/docs/creating-managing-service-accounts) and [creating service account key](https://cloud.google.com/iam/docs/creating-managing-service-account-keys)." + } + ] + }, + "instructionSteps": [ + { + "instructions": [ + { + "type": "MarkdownControlEnvBased", + "parameters": { + "prodScript": "#### 1. Set up your GCP environment
You must have the following GCP resources defined and configured:
- topic
- subscription for the topic
- workload identity pool
- workload identity provider
- service account with permissions to get and consume from subscription

There are two methods to configure the required resources:
1.[RECOMMENDED] Provided Terraform scripts that configure the key resources: For the service account, custom role, and identity pool, please use [this script](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/GCP/Terraform/sentinel_resources_creation/GCPInitialAuthenticationSetup/GCPInitialAuthenticationSetup.tf) and [instructions](https://learn.microsoft.com/en-us/azure/sentinel/connect-google-cloud-platform?tabs=terraform%2Cauditlogs#gcp-authentication-setup). For the log sink, topic, and subscription to PubSub, please use the [following script](https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/GCP/Terraform/sentinel_resources_creation) and [instructions](https://learn.microsoft.com/en-us/azure/sentinel/connect-google-cloud-platform?tabs=terraform%2Cauditlogs)
2. Manually deploy each resource. For this process, please see our [reference document.](https://learn.microsoft.com/en-us/azure/sentinel/connect-google-cloud-platform?tabs=manual%2Cauditlogs)

NOTE: These instructions do not include enabling APIGee in the environment. You will need to either enable the service before or after the deployment of the connector.", + "govScript": "#### 1. Set up your GCP environment
You must have the following GCP resources defined and configured:
- topic
- subscription for the topic
- workload identity pool
- workload identity provider
- service account with permissions to get and consume from subscription

There are two methods to configure the required resources:
1.[RECOMMENDED] Provided Terraform scripts that configure the key resources: For the service account, custom role, and identity pool, please use [this script](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/GCP/Terraform/sentinel_resources_creation/GCPInitialAuthenticationSetup/GCPInitialAuthenticationSetup.tf) and [instructions](https://learn.microsoft.com/en-us/azure/sentinel/connect-google-cloud-platform?tabs=terraform%2Cauditlogs#gcp-authentication-setup). For the log sink, topic, and subscription to PubSub, please use the [following script](https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/GCP/Terraform/sentinel_resources_creation_gov) and [instructions](https://learn.microsoft.com/en-us/azure/sentinel/connect-google-cloud-platform?tabs=terraform%2Cauditlogs)
2. Manually deploy each resource. For this process, please see our [reference document.](https://learn.microsoft.com/en-us/azure/sentinel/connect-google-cloud-platform?tabs=manual%2Cauditlogs)

NOTE: These instructions do not include enabling APIGee in the environment. You will need to either enable the service before or after the deployment of the connector." + } + }, + { + "type": "CopyableLabel", + "parameters": { + "label": "Tenant ID: A unique identifier that is used as an input in the Terraform configuration within a GCP environment.", + "fillWith": [ + "TenantId" + ], + "name": "PoolId", + "disabled": true + } + }, + { + "type": "Markdown", + "parameters": { + "content": "#### 2. Connect new collectors \n To enable GCP Apigee Logs for Microsoft Sentinel, click the Add new collector button, fill the required information in the context pane and click on Connect." + } + }, + { + "type": "GCPGrid", + "parameters": {} + }, + { + "type": "GCPContextPane", + "parameters": {} + } + ] + } + ], + "isConnectivityCriteriasMatchSome": false + } } }, { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition2')))]", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject1')._parserId1,'/'))))]", - "dependsOn": [ - "[variables('parserObject1')._parserId1]" - ], + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'ApigeeX')]", - "contentId": "[variables('parserObject1').parserContentId1]", - "kind": "Parser", - "version": "[variables('parserObject1').parserVersion1]", + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition2'))]", + "contentId": 
"[variables('_dataConnectorContentIdConnectorDefinition2')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorCCPVersion')]", "source": { - "name": "Google Apigee", - "kind": "Solution", - "sourceId": "[variables('_solutionId')]" + "sourceId": "[variables('_solutionId')]", + "name": "[variables('_solutionName')]", + "kind": "Solution" }, "author": { "name": "Microsoft", 
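Review bot: `requiredPermissions` under `connectorUiConfig.permissions.resourceProvider` sets `"delete": true` while the adjacent `permissionsDisplayText` reads `Read and Write permissions are required.`; nothing in this template deletes a resource, so either set `"delete": false` or make the display text match, otherwise users are told to grant less than the connector UI will check for. The `customs` entry in the same block states that a `json file with service account key is required`, but the instruction steps and the connector's `auth` object later in this diff use workload identity federation (`workloadIdentityProviderId`, `serviceAccountEmail`, `projectNumber`) and never accept a key, so steering users toward creating long-lived service-account keys is unnecessary and undermines the keyless setup; reword it along the lines of `A GCP service account with permission to consume the Pub/Sub subscription, trusted through the workload identity pool and provider configured in step 1, is required.` `"availability": {"status": 1, "isPreview": false}` also contradicts the `(Preview)` suffix in `title` and `displayName`. The same `connectorUiConfig` is duplicated in the following hunk, so any fix here must be mirrored there.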
@@ -469,6 +590,126 @@
 "email": "support@microsoft.com",
 "tier": "Microsoft",
 "link": "https://support.microsoft.com"
+ },
+ "dependencies": {
+ "criteria": [
+ {
+ "version": "[variables('dataConnectorCCPVersion')]",
+ "contentId": "[variables('_dataConnectorContentIdConnections2')]",
+ "kind": "ResourcesDataConnector"
+ }
+ ]
+ }
+ }
+ },
+ {
+ "name": "ApigeeXV2_CL",
+ "apiVersion": "2022-06-01",
+ "type": "Microsoft.Insights/dataCollectionRules",
+ "location": "[parameters('workspace-location')]",
+ "kind": "[variables('blanks')]",
+ "properties": {
+ "dataCollectionEndpointId": "[variables('dataCollectionEndpointResourceId2')]",
+ "streamDeclarations": {
+ "Custom-ApigeeXV2_CL": {
+ "columns": [
+ {
+ "name": "protoPayload",
+ "type": "dynamic"
+ },
+ {
+ "name": "insertId",
+ "type": "string"
+ },
+ {
+ "name": "resource",
+ "type": "dynamic"
+ },
+ {
+ "name": "timestamp",
+ "type": "datetime"
+ },
+ {
+ "name": "severity",
+ "type": "string"
+ },
+ {
+ "name": "logName",
+ "type": "string"
+ },
+ {
+ "name": "receiveTimestamp",
+ "type": "datetime"
+ }
+ ]
+ }
+ },
+ "dataSources": "[variables('TemplateEmptyObject')]",
+ "destinations": {
+ "logAnalytics": [
+ {
+ "workspaceResourceId": "[variables('workspaceResourceId')]",
+ "name": "SentinelWorkspace"
+ }
+ ]
+ },
+ "dataFlows": [
+ {
+ "streams": [
+ "Custom-ApigeeXV2_CL"
+ ],
+ "destinations": [
+ "SentinelWorkspace"
+ ],
+ "transformKql": "source\n| extend TimeGenerated = timestamp\n",
+ "outputStream": "Custom-ApigeeXV2_CL"
+ }
+ ]
+ }
+ },
+ {
+ "name": "ApigeeXV2_CL",
+ "apiVersion": "2022-10-01",
+ "type": "Microsoft.OperationalInsights/workspaces/tables",
+ "location": "[parameters('workspace-location')]",
+ "kind": null,
+ "properties": {
+ "schema": {
+ "name": "ApigeeXV2_CL",
+ "columns": [
+ {
+ "name": "protoPayload",
+ "type": "dynamic"
+ },
+ {
+ "name": "insertId",
+ "type": "string"
+ },
+ {
+ "name": "resource",
+ "type": "dynamic"
+ },
+ {
+ "name": "timestamp",
+ "type": "datetime"
+ },
+ {
+ "name": "severity",
+ "type": "string"
+ },
+ {
+ "name": "logName",
+ "type": "string"
+ },
+ {
+ "name": "receiveTimestamp",
+ "type": "datetime"
+ },
+ {
+ "name": "TimeGenerated",
+ "type": "datetime"
+ }
+ ]
 }
 }
 }
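Review bot: `transformKql` in the `ApigeeXV2_CL` data collection rule stamps `TimeGenerated` solely from the event's `timestamp`; a message that arrives without `timestamp` leaves `TimeGenerated` to whatever the ingestion pipeline does with an empty value (worth verifying), and because Pub/Sub delivery can lag event time, scheduled analytics rules that look back on `TimeGenerated` may never see late-arriving records. A fallback such as `"transformKql": "source\n| extend TimeGenerated = iff(isnull(timestamp), receiveTimestamp, timestamp)\n"` closes the empty case, and detection content written over this table should lean on `ingestion_time()` or the retained `receiveTimestamp` column where ingestion delay matters. The stream declaration and the table schema agree on the seven source columns, with `TimeGenerated` present only in the table, which is the expected shape for a column the transform adds.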
@@ -477,50 +718,653 @@ "packageKind": "Solution", "packageVersion": "[variables('_solutionVersion')]", "packageName": "[variables('_solutionName')]", + "contentProductId": "[concat(take(variables('_solutionId'), 50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentIdConnectorDefinition2'),'-', variables('dataConnectorCCPVersion'))))]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('parserObject1').parserContentId1]", - "contentKind": "Parser", - "displayName": "ApigeeX", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]", - "version": "[variables('parserObject1').parserVersion1]" + "version": "[variables('dataConnectorCCPVersion')]" } }, { - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "apiVersion": "2022-10-01", - "name": "[variables('parserObject1')._parserName1]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition2'))]", + "apiVersion": "2022-09-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions", "location": "[parameters('workspace-location')]", + "kind": "Customizable", "properties": { - "eTag": "*", - "displayName": "ApigeeX", - "category": "Microsoft Sentinel Parser", - "functionAlias": "ApigeeX", - "query": "ApigeeX_CL\n| extend EventVendor = 'Google'\n| extend EventProduct = 'ApigeeX'\n| project-rename\n EventSeverity=severity_s,\n EventEndTime=timestamp_t,\n SrcIpAddr=payload_requestMetadata_callerIp_s,\n 
HttpUserAgentOriginal=payload_requestMetadata_callerSuppliedUserAgent_s\n", - "functionParameters": "", - "version": 2, - "tags": [ - { - "name": "description", - "value": "" - } - ] + "connectorUiConfig": { + "id": "GoogleApigeeCCPDefinition", + "title": "Google ApigeeX (CCP) (Preview)", + "publisher": "Microsoft", + "descriptionMarkdown": "The [Google ApigeeX](https://cloud.google.com/apigee/docs) data connector provides the capability to ingest ApigeeX audit logs into Microsoft Sentinel using the GCP PubSub functionality. Refer to [GCP PubSub and Microsoft Sentinel documentation](https://learn.microsoft.com/azure/sentinel/connect-google-cloud-platform?tabs=terraform%2Cauditlogs) for more information on the architecture and flow.", + "graphQueriesTableName": "ApigeeXV2_CL", + "graphQueries": [ + { + "metricName": "Total ApigeeX events received", + "legend": "ApigeeX events received", + "baseQuery": "ApigeeXV2_CL" + } + ], + "sampleQueries": [ + { + "description": "Get Sample of ApigeeX logs", + "query": "ApigeeXV2_CL\n | take 10" + } + ], + "dataTypes": [ + { + "name": "ApigeeXV2_CL", + "lastDataReceivedQuery": "ApigeeXV2_CL\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriteria": [ + { + "type": "HasDataConnectors", + "value": null + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "Read and Write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true, + "action": false + } + } + ], + "customs": [ + { + "name": "GCP Service Account", + "description": "GCP service account with permissions to read logs is required for GCP Logging API. Also json file with service account key is required. 
See the documentation to learn more about [required permissions](https://cloud.google.com/iam/docs/audit-logging#audit_log_permissions), [creating service account](https://cloud.google.com/iam/docs/creating-managing-service-accounts) and [creating service account key](https://cloud.google.com/iam/docs/creating-managing-service-account-keys)." + } + ] + }, + "instructionSteps": [ + { + "instructions": [ + { + "type": "MarkdownControlEnvBased", + "parameters": { + "prodScript": "#### 1. Set up your GCP environment
You must have the following GCP resources defined and configured:
- topic
- subscription for the topic
- workload identity pool
- workload identity provider
- service account with permissions to get and consume from subscription

There are two methods to configure the required resources:
1.[RECOMMENDED] Provided Terraform scripts that configure the key resources: For the service account, custom role, and identity pool, please use [this script](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/GCP/Terraform/sentinel_resources_creation/GCPInitialAuthenticationSetup/GCPInitialAuthenticationSetup.tf) and [instructions](https://learn.microsoft.com/en-us/azure/sentinel/connect-google-cloud-platform?tabs=terraform%2Cauditlogs#gcp-authentication-setup). For the log sink, topic, and subscription to PubSub, please use the [following script](https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/GCP/Terraform/sentinel_resources_creation) and [instructions](https://learn.microsoft.com/en-us/azure/sentinel/connect-google-cloud-platform?tabs=terraform%2Cauditlogs)
2. Manually deploy each resource. For this process, please see our [reference document.](https://learn.microsoft.com/en-us/azure/sentinel/connect-google-cloud-platform?tabs=manual%2Cauditlogs)

NOTE: These instructions do not include enabling APIGee in the environment. You will need to either enable the service before or after the deployment of the connector.", + "govScript": "#### 1. Set up your GCP environment
You must have the following GCP resources defined and configured:
- topic
- subscription for the topic
- workload identity pool
- workload identity provider
- service account with permissions to get and consume from subscription

There are two methods to configure the required resources:
1.[RECOMMENDED] Provided Terraform scripts that configure the key resources: For the service account, custom role, and identity pool, please use [this script](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/GCP/Terraform/sentinel_resources_creation/GCPInitialAuthenticationSetup/GCPInitialAuthenticationSetup.tf) and [instructions](https://learn.microsoft.com/en-us/azure/sentinel/connect-google-cloud-platform?tabs=terraform%2Cauditlogs#gcp-authentication-setup). For the log sink, topic, and subscription to PubSub, please use the [following script](https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/GCP/Terraform/sentinel_resources_creation_gov) and [instructions](https://learn.microsoft.com/en-us/azure/sentinel/connect-google-cloud-platform?tabs=terraform%2Cauditlogs)
2. Manually deploy each resource. For this process, please see our [reference document.](https://learn.microsoft.com/en-us/azure/sentinel/connect-google-cloud-platform?tabs=manual%2Cauditlogs)

NOTE: These instructions do not include enabling APIGee in the environment. You will need to either enable the service before or after the deployment of the connector." + } + }, + { + "type": "CopyableLabel", + "parameters": { + "label": "Tenant ID: A unique identifier that is used as an input in the Terraform configuration within a GCP environment.", + "fillWith": [ + "TenantId" + ], + "name": "PoolId", + "disabled": true + } + }, + { + "type": "Markdown", + "parameters": { + "content": "#### 2. Connect new collectors \n To enable GCP Apigee Logs for Microsoft Sentinel, click the Add new collector button, fill the required information in the context pane and click on Connect." + } + }, + { + "type": "GCPGrid", + "parameters": {} + }, + { + "type": "GCPContextPane", + "parameters": {} + } + ] + } + ], + "isConnectivityCriteriasMatchSome": false + } } }, { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition2')))]", "apiVersion": "2022-01-01-preview", - "location": "[parameters('workspace-location')]", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject1')._parserId1,'/'))))]", - "dependsOn": [ - "[variables('parserObject1')._parserId1]" - ], + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'ApigeeX')]", - "contentId": "[variables('parserObject1').parserContentId1]", - "kind": "Parser", - "version": "[variables('parserObject1').parserVersion1]", + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition2'))]", + 
"contentId": "[variables('_dataConnectorContentIdConnectorDefinition2')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorCCPVersion')]", + "source": { + "sourceId": "[variables('_solutionId')]", + "name": "[variables('_solutionName')]", + "kind": "Solution" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + }, + "dependencies": { + "criteria": [ + { + "version": "[variables('dataConnectorCCPVersion')]", + "contentId": "[variables('_dataConnectorContentIdConnections2')]", + "kind": "ResourcesDataConnector" + } + ] + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnections2'), variables('dataConnectorCCPVersion'))]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "contentId": "[variables('_dataConnectorContentIdConnections2')]", + "displayName": "Google ApigeeX (CCP) (Preview)", + "contentKind": "ResourcesDataConnector", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorCCPVersion')]", + "parameters": { + "GCPServiceAccountEmail": { + "defaultValue": "Enter GCPServiceAccountEmail value", + "type": "string", + "minLength": 4 + }, + "GCPProjectNumber": { + "defaultValue": "Enter GCPProjectNumber value", + "type": "string", + "minLength": 1 + }, + "GCPWorkloadIdentityProviderId": { + "defaultValue": "Enter GCPWorkloadIdentityProviderId 
value", + "type": "string", + "minLength": 4 + }, + "GCPSubscriptionName": { + "defaultValue": "Enter GCPSubscriptionName value", + "type": "string", + "minLength": 3 + }, + "connectorDefinitionName": { + "defaultValue": "Google ApigeeX (CCP) (Preview)", + "type": "string", + "minLength": 1 + }, + "workspace": { + "defaultValue": "[parameters('workspace')]", + "type": "string" + }, + "dcrConfig": { + "defaultValue": { + "dataCollectionEndpoint": "data collection Endpoint", + "dataCollectionRuleImmutableId": "data collection rule immutableId" + }, + "type": "object" + } + }, + "variables": { + "_dataConnectorContentIdConnections2": "[variables('_dataConnectorContentIdConnections2')]" + }, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnections2')))]", + "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentIdConnections2'))]", + "contentId": "[variables('_dataConnectorContentIdConnections2')]", + "kind": "ResourcesDataConnector", + "version": "[variables('dataConnectorCCPVersion')]", + "source": { + "sourceId": "[variables('_solutionId')]", + "name": "[variables('_solutionName')]", + "kind": "Solution" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', 'GCPApigeeXV2CCP')]", + "apiVersion": "2023-02-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": 
"[parameters('workspace-location')]", + "kind": "GCP", + "properties": { + "connectorDefinitionName": "GoogleApigeeCCPDefinition", + "dcrConfig": { + "streamName": "Custom-ApigeeXV2_CL", + "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", + "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]" + }, + "dataType": "ApigeeXV2_CL", + "auth": { + "serviceAccountEmail": "[[parameters('GCPServiceAccountEmail')]", + "projectNumber": "[[parameters('GCPProjectNumber')]", + "workloadIdentityProviderId": "[[parameters('GCPWorkloadIdentityProviderId')]" + }, + "request": { + "projectId": "{{GCPProjectId'}}", + "subscriptionNames": [ + "[[parameters('GCPSubscriptionName')]" + ] + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "contentProductId": "[concat(take(variables('_solutionId'), 50),'-','rdc','-', uniqueString(concat(variables('_solutionId'),'-','ResourcesDataConnector','-',variables('_dataConnectorContentIdConnections2'),'-', variables('dataConnectorCCPVersion'))))]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "version": "[variables('dataConnectorCCPVersion')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('parserObject1').parserTemplateSpecName1]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "ApigeeX Data Parser with template version 3.1.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": 
"[variables('parserObject1').parserVersion1]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[variables('parserObject1')._parserName1]", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Parser for ApigeeX", + "category": "Microsoft Sentinel Parser", + "functionAlias": "ApigeeX", + "query": "ApigeeX_CL\n| extend EventVendor = 'Google'\n| extend EventProduct = 'ApigeeX'\n| project-rename\n EventSeverity=severity_s,\n EventEndTime=timestamp_t,\n SrcIpAddr=payload_requestMetadata_callerIp_s,\n HttpUserAgentOriginal=payload_requestMetadata_callerSuppliedUserAgent_s\n", + "functionParameters": "", + "version": 2, + "tags": [ + { + "name": "description", + "value": "" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject1')._parserId1,'/'))))]", + "dependsOn": [ + "[variables('parserObject1')._parserId1]" + ], + "properties": { + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'ApigeeX')]", + "contentId": "[variables('parserObject1').parserContentId1]", + "kind": "Parser", + "version": "[variables('parserObject1').parserVersion1]", + "source": { + "name": "Google Apigee", + "kind": "Solution", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": 
"[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('parserObject1').parserContentId1]", + "contentKind": "Parser", + "displayName": "Parser for ApigeeX", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]", + "version": "[variables('parserObject1').parserVersion1]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2022-10-01", + "name": "[variables('parserObject1')._parserName1]", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Parser for ApigeeX", + "category": "Microsoft Sentinel Parser", + "functionAlias": "ApigeeX", + "query": "ApigeeX_CL\n| extend EventVendor = 'Google'\n| extend EventProduct = 'ApigeeX'\n| project-rename\n EventSeverity=severity_s,\n EventEndTime=timestamp_t,\n SrcIpAddr=payload_requestMetadata_callerIp_s,\n HttpUserAgentOriginal=payload_requestMetadata_callerSuppliedUserAgent_s\n", + "functionParameters": "", + "version": 2, + "tags": [ + { + "name": "description", + "value": "" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "location": "[parameters('workspace-location')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject1')._parserId1,'/'))))]", + "dependsOn": [ + "[variables('parserObject1')._parserId1]" + ], + "properties": { + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'ApigeeX')]", + "contentId": 
"[variables('parserObject1').parserContentId1]", + "kind": "Parser", + "version": "[variables('parserObject1').parserVersion1]", + "source": { + "kind": "Solution", + "name": "Google Apigee", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('parserObject2').parserTemplateSpecName2]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "ApigeeXV2 Data Parser with template version 3.1.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('parserObject2').parserVersion2]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[variables('parserObject2')._parserName2]", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Parser for ApigeeXv2", + "category": "Microsoft Sentinel Parser", + "functionAlias": "ApigeeXv2", + "query": "ApigeeXV2_CL\n| extend\n EventVendor = 'Google',\n EventProduct = 'ApigeeX',\n RequestName = tostring(parse_json(tostring(protoPayload.request)).instance),\n EnvironmentName = tostring(split(tostring(parse_json(tostring(protoPayload.request)).instance), '/')[3]),\n RequestAttributesTime = 
tostring(parse_json(tostring(parse_json(tostring(protoPayload.requestMetadata)).requestAttributes)).['time']),\n InstertID = insertId,\n ResourceType = tostring(resource.type),\n Type = tostring(protoPayload.['@type']),\n MethodName = tostring(protoPayload.methodName),\n ProjectID = tostring(parse_json(tostring(resource.labels)).project_id),\n Service = tostring(parse_json(tostring(resource.labels)).service),\n Method = tostring(parse_json(tostring(resource.labels)).method),\n PrincipalEmail = tostring(parse_json(tostring(protoPayload.authenticationInfo)).principalEmail),\n PrincipalSubject = tostring(parse_json(tostring(protoPayload.authenticationInfo)).principalSubject),\n SrcIpAddr = tostring(parse_json(tostring(protoPayload.requestMetadata)).callerIp),\n HttpUserAgentOriginal = tostring(parse_json(tostring(protoPayload.requestMetadata)).callerSuppliedUserAgent),\n RequestAttributes =tostring(parse_json(tostring(protoPayload.requestMetadata)).requestAttributes),\n ServiceName = tostring(parse_json(tostring(protoPayload.serviceName))),\n AuthorizationInfo = tostring(parse_json(tostring(protoPayload.authorizationInfo))),\n ResourceName = tostring(parse_json(tostring(protoPayload.resourceName))),\n InstanceUID = tostring(parse_json(tostring(protoPayload.request)).instanceUid),\n RequestType = tostring(parse_json(tostring(protoPayload.request)).['@type']),\n EventEndTime = timestamp,\n ResourceLocation = tostring(parse_json(tostring(protoPayload.resourceLocation))),\n DestinationAttributes = tostring(parse_json(tostring(protoPayload.requestMetadata)).destinationAttributes),\n Resources = protoPayload.resources\n| project-away protoPayload, resource\n| project-rename\n EventSeverity = severity,\n InsertID = insertId,\n LogName = logName,\n TimeStamp = timestamp\n", + "functionParameters": "", + "version": 2, + "tags": [ + { + "name": "description", + "value": "" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + 
"apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject2')._parserId2,'/'))))]", + "dependsOn": [ + "[variables('parserObject2')._parserId2]" + ], + "properties": { + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'ApigeeXv2')]", + "contentId": "[variables('parserObject2').parserContentId2]", + "kind": "Parser", + "version": "[variables('parserObject2').parserVersion2]", + "source": { + "name": "Google Apigee", + "kind": "Solution", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('parserObject2').parserContentId2]", + "contentKind": "Parser", + "displayName": "Parser for ApigeeXv2", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject2').parserContentId2,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject2').parserContentId2,'-', '1.0.0')))]", + "version": "[variables('parserObject2').parserVersion2]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2022-10-01", + "name": "[variables('parserObject2')._parserName2]", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Parser for ApigeeXv2", + 
"category": "Microsoft Sentinel Parser", + "functionAlias": "ApigeeXv2", + "query": "ApigeeXV2_CL\n| extend\n EventVendor = 'Google',\n EventProduct = 'ApigeeX',\n RequestName = tostring(parse_json(tostring(protoPayload.request)).instance),\n EnvironmentName = tostring(split(tostring(parse_json(tostring(protoPayload.request)).instance), '/')[3]),\n RequestAttributesTime = tostring(parse_json(tostring(parse_json(tostring(protoPayload.requestMetadata)).requestAttributes)).['time']),\n InstertID = insertId,\n ResourceType = tostring(resource.type),\n Type = tostring(protoPayload.['@type']),\n MethodName = tostring(protoPayload.methodName),\n ProjectID = tostring(parse_json(tostring(resource.labels)).project_id),\n Service = tostring(parse_json(tostring(resource.labels)).service),\n Method = tostring(parse_json(tostring(resource.labels)).method),\n PrincipalEmail = tostring(parse_json(tostring(protoPayload.authenticationInfo)).principalEmail),\n PrincipalSubject = tostring(parse_json(tostring(protoPayload.authenticationInfo)).principalSubject),\n SrcIpAddr = tostring(parse_json(tostring(protoPayload.requestMetadata)).callerIp),\n HttpUserAgentOriginal = tostring(parse_json(tostring(protoPayload.requestMetadata)).callerSuppliedUserAgent),\n RequestAttributes =tostring(parse_json(tostring(protoPayload.requestMetadata)).requestAttributes),\n ServiceName = tostring(parse_json(tostring(protoPayload.serviceName))),\n AuthorizationInfo = tostring(parse_json(tostring(protoPayload.authorizationInfo))),\n ResourceName = tostring(parse_json(tostring(protoPayload.resourceName))),\n InstanceUID = tostring(parse_json(tostring(protoPayload.request)).instanceUid),\n RequestType = tostring(parse_json(tostring(protoPayload.request)).['@type']),\n EventEndTime = timestamp,\n ResourceLocation = tostring(parse_json(tostring(protoPayload.resourceLocation))),\n DestinationAttributes = tostring(parse_json(tostring(protoPayload.requestMetadata)).destinationAttributes),\n Resources = 
protoPayload.resources\n| project-away protoPayload, resource\n| project-rename\n EventSeverity = severity,\n InsertID = insertId,\n LogName = logName,\n TimeStamp = timestamp\n", + "functionParameters": "", + "version": 2, + "tags": [ + { + "name": "description", + "value": "" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "location": "[parameters('workspace-location')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject2')._parserId2,'/'))))]", + "dependsOn": [ + "[variables('parserObject2')._parserId2]" + ], + "properties": { + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'ApigeeXv2')]", + "contentId": "[variables('parserObject2').parserContentId2]", + "kind": "Parser", + "version": "[variables('parserObject2').parserVersion2]", + "source": { + "kind": "Solution", + "name": "Google Apigee", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('parserObject3').parserTemplateSpecName3]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Unified_ApigeeX Data Parser with template version 3.1.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": 
"[variables('parserObject3').parserVersion3]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[variables('parserObject3')._parserName3]", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Parser for both ApiGeeX connectors", + "category": "Microsoft Sentinel Parser", + "functionAlias": "Unified_ApigeeX", + "query": "let t1= ApigeeX_CL\n | extend EventVendor = 'Google',\n EventProduct = 'ApigeeX'\n | project-rename\n RequestName = payload_request_name_s,\n RequestAPIProxyType = payload_request_environment_apiProxyType_s,\n DeploymentType = payload_request_environment_deploymentType_s,\n Description = payload_request_environment_description_s,\n DisplayName = payload_request_environment_displayname_s,\n EnvironmentName = payload_request_environment_name_s,\n ResponseType = payload_response_type_s,\n ResponseName = payload_response_name_s,\n ResponseDisplayName = payload_response_displayName_s,\n ResponseAPIProxyType = payload_response_apiProxyType_s,\n StatusCode = payload_status_code_d,\n StatusMessage = payload_status_message_s, \n RequestReportTime = payload_request_reportTime_s,\n RequestAttributesTime = payload_requestMetadata_requestAttributes_time_t,\n InsertID = insert_id_s, \n ResourceType = resource_type_s,\n EventSeverity=severity_s,\n TimeStamp = timestamp_t,\n Type = payload__type_s,\n LogName = log_name_s,\n MethodName = payload_methodName_s,\n ProjectID = resource_labels_project_id_s,\n Service = resource_labels_service_s,\n Method = resource_labels_method_s,\n PrincipalEmail = payload_authenticationInfo_principalEmail_s,\n SrcIpAddr=payload_requestMetadata_callerIp_s,\n HttpUserAgentOriginal=payload_requestMetadata_callerSuppliedUserAgent_s,\n RequestAttributes = payload_requestMetadata_requestAttributes_time_s,\n ServiceName = payload_serviceName_s,\n AuthorizationInfo = 
payload_authorizationInfo_s,\n ResourceName = payload_resourceName_s,\n InstanceUID = payload_request_instanceUid_g,\n RequestType = payload_request_type_s,\n EventEndTime=timestamp_t;\nlet t2 = ApigeeXV2_CL\n | extend\n EventVendor = 'Google',\n EventProduct = 'ApigeeX', \n RequestName = tostring(parse_json(tostring(protoPayload.request)).instance),\n EnvironmentName = tostring(split(tostring(parse_json(tostring(protoPayload.request)).instance), '/')[3]),\n RequestAttributesTime = tostring(parse_json(tostring(parse_json(tostring(protoPayload.requestMetadata)).requestAttributes)).['time']),\n InsertID = insertId,\n ResourceType = tostring(resource.type),\n Type = tostring(protoPayload.[\"@type\"]),\n MethodName = tostring(protoPayload.methodName),\n ProjectID = tostring(parse_json(tostring(resource.labels)).project_id),\n Service = tostring(parse_json(tostring(resource.labels)).service),\n Method = tostring(parse_json(tostring(resource.labels)).method),\n PrincipalEmail = tostring(parse_json(tostring(protoPayload.authenticationInfo)).principalEmail),\n PrincipalSubject = tostring(parse_json(tostring(protoPayload.authenticationInfo)).principalSubject),\n SrcIpAddr = tostring(parse_json(tostring(protoPayload.requestMetadata)).callerIp),\n HttpUserAgentOriginal = tostring(parse_json(tostring(protoPayload.requestMetadata)).callerSuppliedUserAgent), \n RequestAttributes =tostring(parse_json(tostring(protoPayload.requestMetadata)).requestAttributes),\n ServiceName = tostring(parse_json(tostring(protoPayload.serviceName))),\n AuthorizationInfo = tostring(parse_json(tostring(protoPayload.authorizationInfo))),\n ResourceName = tostring(parse_json(tostring(protoPayload.resourceName))),\n InstanceUID = tostring(parse_json(tostring(protoPayload.request)).instanceUid),\n RequestType = tostring(parse_json(tostring(protoPayload.request)).[\"@type\"]),\n EventEndTime = timestamp,\n ResourceLocation = tostring(parse_json(tostring(protoPayload.resourceLocation))), \n 
DestinationAttributes = tostring(parse_json(tostring(protoPayload.requestMetadata)).destinationAttributes),\n Resources = protoPayload.resources\n | project-away protoPayload, resource\n | project-rename\n EventSeverity = severity,\n LogName = logName,\n TimeStamp = timestamp;\nt1\n| union t2\n", + "functionParameters": "", + "version": 2, + "tags": [ + { + "name": "description", + "value": "" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject3')._parserId3,'/'))))]", + "dependsOn": [ + "[variables('parserObject3')._parserId3]" + ], + "properties": { + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Unified_ApigeeX')]", + "contentId": "[variables('parserObject3').parserContentId3]", + "kind": "Parser", + "version": "[variables('parserObject3').parserVersion3]", + "source": { + "name": "Google Apigee", + "kind": "Solution", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('parserObject3').parserContentId3]", + "contentKind": "Parser", + "displayName": "Parser for both ApiGeeX connectors", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject3').parserContentId3,'-', '1.0.0')))]", + "id": 
"[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject3').parserContentId3,'-', '1.0.0')))]", + "version": "[variables('parserObject3').parserVersion3]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2022-10-01", + "name": "[variables('parserObject3')._parserName3]", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Parser for both ApiGeeX connectors", + "category": "Microsoft Sentinel Parser", + "functionAlias": "Unified_ApigeeX", + "query": "let t1= ApigeeX_CL\n | extend EventVendor = 'Google',\n EventProduct = 'ApigeeX'\n | project-rename\n RequestName = payload_request_name_s,\n RequestAPIProxyType = payload_request_environment_apiProxyType_s,\n DeploymentType = payload_request_environment_deploymentType_s,\n Description = payload_request_environment_description_s,\n DisplayName = payload_request_environment_displayname_s,\n EnvironmentName = payload_request_environment_name_s,\n ResponseType = payload_response_type_s,\n ResponseName = payload_response_name_s,\n ResponseDisplayName = payload_response_displayName_s,\n ResponseAPIProxyType = payload_response_apiProxyType_s,\n StatusCode = payload_status_code_d,\n StatusMessage = payload_status_message_s, \n RequestReportTime = payload_request_reportTime_s,\n RequestAttributesTime = payload_requestMetadata_requestAttributes_time_t,\n InsertID = insert_id_s, \n ResourceType = resource_type_s,\n EventSeverity=severity_s,\n TimeStamp = timestamp_t,\n Type = payload__type_s,\n LogName = log_name_s,\n MethodName = payload_methodName_s,\n ProjectID = resource_labels_project_id_s,\n Service = resource_labels_service_s,\n Method = resource_labels_method_s,\n PrincipalEmail = payload_authenticationInfo_principalEmail_s,\n SrcIpAddr=payload_requestMetadata_callerIp_s,\n 
HttpUserAgentOriginal=payload_requestMetadata_callerSuppliedUserAgent_s,\n RequestAttributes = payload_requestMetadata_requestAttributes_time_s,\n ServiceName = payload_serviceName_s,\n AuthorizationInfo = payload_authorizationInfo_s,\n ResourceName = payload_resourceName_s,\n InstanceUID = payload_request_instanceUid_g,\n RequestType = payload_request_type_s,\n EventEndTime=timestamp_t;\nlet t2 = ApigeeXV2_CL\n | extend\n EventVendor = 'Google',\n EventProduct = 'ApigeeX', \n RequestName = tostring(parse_json(tostring(protoPayload.request)).instance),\n EnvironmentName = tostring(split(tostring(parse_json(tostring(protoPayload.request)).instance), '/')[3]),\n RequestAttributesTime = tostring(parse_json(tostring(parse_json(tostring(protoPayload.requestMetadata)).requestAttributes)).['time']),\n InsertID = insertId,\n ResourceType = tostring(resource.type),\n Type = tostring(protoPayload.[\"@type\"]),\n MethodName = tostring(protoPayload.methodName),\n ProjectID = tostring(parse_json(tostring(resource.labels)).project_id),\n Service = tostring(parse_json(tostring(resource.labels)).service),\n Method = tostring(parse_json(tostring(resource.labels)).method),\n PrincipalEmail = tostring(parse_json(tostring(protoPayload.authenticationInfo)).principalEmail),\n PrincipalSubject = tostring(parse_json(tostring(protoPayload.authenticationInfo)).principalSubject),\n SrcIpAddr = tostring(parse_json(tostring(protoPayload.requestMetadata)).callerIp),\n HttpUserAgentOriginal = tostring(parse_json(tostring(protoPayload.requestMetadata)).callerSuppliedUserAgent), \n RequestAttributes =tostring(parse_json(tostring(protoPayload.requestMetadata)).requestAttributes),\n ServiceName = tostring(parse_json(tostring(protoPayload.serviceName))),\n AuthorizationInfo = tostring(parse_json(tostring(protoPayload.authorizationInfo))),\n ResourceName = tostring(parse_json(tostring(protoPayload.resourceName))),\n InstanceUID = tostring(parse_json(tostring(protoPayload.request)).instanceUid),\n 
RequestType = tostring(parse_json(tostring(protoPayload.request)).[\"@type\"]),\n EventEndTime = timestamp,\n ResourceLocation = tostring(parse_json(tostring(protoPayload.resourceLocation))), \n DestinationAttributes = tostring(parse_json(tostring(protoPayload.requestMetadata)).destinationAttributes),\n Resources = protoPayload.resources\n | project-away protoPayload, resource\n | project-rename\n EventSeverity = severity,\n LogName = logName,\n TimeStamp = timestamp;\nt1\n| union t2\n", + "functionParameters": "", + "version": 2, + "tags": [ + { + "name": "description", + "value": "" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "location": "[parameters('workspace-location')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject3')._parserId3,'/'))))]", + "dependsOn": [ + "[variables('parserObject3')._parserId3]" + ], + "properties": { + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Unified_ApigeeX')]", + "contentId": "[variables('parserObject3').parserContentId3]", + "kind": "Parser", + "version": "[variables('parserObject3').parserVersion3]", "source": { "kind": "Solution", "name": "Google Apigee", @@ -543,12 +1387,12 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.0", + "version": "3.1.0", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "Google Apigee", "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", - "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Google ApigeeX solution provides the capability to ingest ApigeeX audit logs into Microsoft Sentinel using the GCP Logging API. Refer to GCP Logging API documentation for more information.

\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n
    \n
  1. Azure Monitor HTTP Data Collector API

    \n
  2. \n
  3. Azure Functions

    \n
  4. \n
\n

Data Connectors: 1, Parsers: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Google ApigeeX solution provides the capability to ingest ApigeeX audit logs into Microsoft Sentinel using the GCP Logging API or PubSub architecture. Refer to GCP Logging API documentation for more information on the Azure Function connector and the Microsoft Sentinel documentation for the basics on PubSub based ingestion.

\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n
    \n
  1. Azure Monitor HTTP Data Collector API

    \n
  2. \n
  3. Azure Functions

    \n
  4. \n
\n

Data Connectors: 2, Parsers: 3

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", @@ -578,10 +1422,25 @@ "contentId": "[variables('_dataConnectorContentId1')]", "version": "[variables('dataConnectorVersion1')]" }, + { + "kind": "DataConnector", + "contentId": "[variables('_dataConnectorContentIdConnections2')]", + "version": "[variables('dataConnectorCCPVersion')]" + }, { "kind": "Parser", "contentId": "[variables('parserObject1').parserContentId1]", "version": "[variables('parserObject1').parserVersion1]" + }, + { + "kind": "Parser", + "contentId": "[variables('parserObject2').parserContentId2]", + "version": "[variables('parserObject2').parserVersion2]" + }, + { + "kind": "Parser", + "contentId": "[variables('parserObject3').parserContentId3]", + "version": "[variables('parserObject3').parserVersion3]" } ] }, diff --git a/Solutions/Google Apigee/Package/testParameters.json b/Solutions/Google Apigee/Package/testParameters.json index e55ec41a9ac..554801e41b7 100644 --- a/Solutions/Google Apigee/Package/testParameters.json +++ b/Solutions/Google Apigee/Package/testParameters.json @@ -20,5 +20,19 @@ "metadata": { "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" } + }, + "resourceGroupName": { + "type": "string", + "defaultValue": "[resourceGroup().name]", + "metadata": { + "description": "resource group name where Microsoft Sentinel is setup" + } + }, + "subscription": { + "type": "string", + "defaultValue": "[last(split(subscription().id, '/'))]", + "metadata": { + "description": "subscription id where Microsoft Sentinel is setup" + } } } diff --git a/Solutions/Google Apigee/Parsers/ApigeeXV2.yaml b/Solutions/Google Apigee/Parsers/ApigeeXV2.yaml new file mode 100644 index 00000000000..ba7d482ea22 --- /dev/null +++ b/Solutions/Google Apigee/Parsers/ApigeeXV2.yaml 
@@ -0,0 +1,43 @@
+id: f44281ae-62a7-4043-b27a-aa6e438f3e1a
+Function:
+ Title: Parser for ApigeeXv2
+ Version: '1.0.0'
+ LastUpdated: '2024-12-19'
+Category: Microsoft Sentinel Parser
+FunctionName: ApigeeXv2
+FunctionAlias: ApigeeXv2
+FunctionQuery: |
+ ApigeeXV2_CL
+ | extend
+ EventVendor = 'Google',
+ EventProduct = 'ApigeeX',
+ RequestName = tostring(parse_json(tostring(protoPayload.request)).instance),
+ EnvironmentName = tostring(split(tostring(parse_json(tostring(protoPayload.request)).instance), '/')[3]),
+ RequestAttributesTime = tostring(parse_json(tostring(parse_json(tostring(protoPayload.requestMetadata)).requestAttributes)).['time']),
+ InstertID = insertId,
+ ResourceType = tostring(resource.type),
+ Type = tostring(protoPayload.['@type']),
+ MethodName = tostring(protoPayload.methodName),
+ ProjectID = tostring(parse_json(tostring(resource.labels)).project_id),
+ Service = tostring(parse_json(tostring(resource.labels)).service),
+ Method = tostring(parse_json(tostring(resource.labels)).method),
+ PrincipalEmail = tostring(parse_json(tostring(protoPayload.authenticationInfo)).principalEmail),
+ PrincipalSubject = tostring(parse_json(tostring(protoPayload.authenticationInfo)).principalSubject),
+ SrcIpAddr = tostring(parse_json(tostring(protoPayload.requestMetadata)).callerIp),
+ HttpUserAgentOriginal = tostring(parse_json(tostring(protoPayload.requestMetadata)).callerSuppliedUserAgent),
+ RequestAttributes =tostring(parse_json(tostring(protoPayload.requestMetadata)).requestAttributes),
+ ServiceName = tostring(parse_json(tostring(protoPayload.serviceName))),
+ AuthorizationInfo = tostring(parse_json(tostring(protoPayload.authorizationInfo))),
+ ResourceName = tostring(parse_json(tostring(protoPayload.resourceName))),
+ InstanceUID = tostring(parse_json(tostring(protoPayload.request)).instanceUid),
+ RequestType = tostring(parse_json(tostring(protoPayload.request)).['@type']),
+ EventEndTime = timestamp,
+ ResourceLocation = tostring(parse_json(tostring(protoPayload.resourceLocation))),
+ DestinationAttributes = tostring(parse_json(tostring(protoPayload.requestMetadata)).destinationAttributes),
+ Resources = protoPayload.resources
+ | project-away protoPayload, resource
+ | project-rename
+ EventSeverity = severity,
+ InsertID = insertId,
+ LogName = logName,
+ TimeStamp = timestamp
\ No newline at end of file
diff --git a/Solutions/Google Apigee/Parsers/Unified_ApigeeX.yaml b/Solutions/Google Apigee/Parsers/Unified_ApigeeX.yaml
new file mode 100644
index 00000000000..18df6bf2f90
--- /dev/null
+++ b/Solutions/Google Apigee/Parsers/Unified_ApigeeX.yaml
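Review bot: `InstertID = insertId` in the extend block is misspelled, and because the closing `project-rename` already yields the correctly named `InsertID` from the same field, the function emits both a misspelled and a correct copy of the insert id; drop the `InstertID = insertId,` line from the extend. The identical query text is embedded twice in the mainTemplate.json savedSearches hunk earlier in this diff (that hunk starts outside this view) and carries the same typo, so it needs the same fix or a regenerated package. Separately, the extend defines a `Type` column while every Log Analytics table already exposes a built-in `Type` column holding the table name; a name such as `PayloadType` would avoid shadowing a column that analytic rules commonly filter on.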
@@ -0,0 +1,82 @@
+id: 6eae941d-8cdb-45c7-9896-aab2a6082dfb
+Function:
+ Title: Parser for both ApiGeeX connectors
+ Version: '1.0.0'
+ LastUpdated: '2024-12-19'
+Category: Microsoft Sentinel Parser
+FunctionName: Unified_ApigeeX
+FunctionAlias: Unified_ApigeeX
+FunctionQuery: |
+ let t1= ApigeeX_CL
+ | extend EventVendor = 'Google',
+ EventProduct = 'ApigeeX'
+ | project-rename
+ RequestName = payload_request_name_s,
+ RequestAPIProxyType = payload_request_environment_apiProxyType_s,
+ DeploymentType = payload_request_environment_deploymentType_s,
+ Description = payload_request_environment_description_s,
+ DisplayName = payload_request_environment_displayname_s,
+ EnvironmentName = payload_request_environment_name_s,
+ ResponseType = payload_response_type_s,
+ ResponseName = payload_response_name_s,
+ ResponseDisplayName = payload_response_displayName_s,
+ ResponseAPIProxyType = payload_response_apiProxyType_s,
+ StatusCode = payload_status_code_d,
+ StatusMessage = payload_status_message_s,
+ RequestReportTime = payload_request_reportTime_s,
+ RequestAttributesTime = payload_requestMetadata_requestAttributes_time_t,
+ InsertID = insert_id_s,
+ ResourceType = resource_type_s,
+ EventSeverity=severity_s,
+ TimeStamp = timestamp_t,
+ Type = payload__type_s,
+ LogName = log_name_s,
+ MethodName = payload_methodName_s,
+ ProjectID = resource_labels_project_id_s,
+ Service = resource_labels_service_s,
+ Method = resource_labels_method_s,
+ PrincipalEmail = payload_authenticationInfo_principalEmail_s,
+ SrcIpAddr=payload_requestMetadata_callerIp_s,
+ HttpUserAgentOriginal=payload_requestMetadata_callerSuppliedUserAgent_s,
+ RequestAttributes = payload_requestMetadata_requestAttributes_time_s,
+ ServiceName = payload_serviceName_s,
+ AuthorizationInfo = payload_authorizationInfo_s,
+ ResourceName = payload_resourceName_s,
+ InstanceUID = payload_request_instanceUid_g,
+ RequestType = payload_request_type_s,
+ EventEndTime=timestamp_t;
+ let t2 = ApigeeXV2_CL
+ | extend
+ EventVendor = 'Google',
+ EventProduct = 'ApigeeX',
+ RequestName = tostring(parse_json(tostring(protoPayload.request)).instance),
+ EnvironmentName = tostring(split(tostring(parse_json(tostring(protoPayload.request)).instance), '/')[3]),
+ RequestAttributesTime = tostring(parse_json(tostring(parse_json(tostring(protoPayload.requestMetadata)).requestAttributes)).['time']),
+ InsertID = insertId,
+ ResourceType = tostring(resource.type),
+ Type = tostring(protoPayload.["@type"]),
+ MethodName = tostring(protoPayload.methodName),
+ ProjectID = tostring(parse_json(tostring(resource.labels)).project_id),
+ Service = tostring(parse_json(tostring(resource.labels)).service),
+ Method = tostring(parse_json(tostring(resource.labels)).method),
+ PrincipalEmail = tostring(parse_json(tostring(protoPayload.authenticationInfo)).principalEmail),
+ PrincipalSubject = tostring(parse_json(tostring(protoPayload.authenticationInfo)).principalSubject),
+ SrcIpAddr = tostring(parse_json(tostring(protoPayload.requestMetadata)).callerIp),
+ HttpUserAgentOriginal = tostring(parse_json(tostring(protoPayload.requestMetadata)).callerSuppliedUserAgent),
+ RequestAttributes =tostring(parse_json(tostring(protoPayload.requestMetadata)).requestAttributes),
+ ServiceName = tostring(parse_json(tostring(protoPayload.serviceName))),
+ AuthorizationInfo = tostring(parse_json(tostring(protoPayload.authorizationInfo))),
+ ResourceName = tostring(parse_json(tostring(protoPayload.resourceName))),
+ InstanceUID = tostring(parse_json(tostring(protoPayload.request)).instanceUid),
+ RequestType = tostring(parse_json(tostring(protoPayload.request)).["@type"]),
+ EventEndTime = timestamp,
+ ResourceLocation = tostring(parse_json(tostring(protoPayload.resourceLocation))),
+ DestinationAttributes = tostring(parse_json(tostring(protoPayload.requestMetadata)).destinationAttributes),
+ Resources = protoPayload.resources
+ | project-away protoPayload, resource
+ | project-rename
+ EventSeverity = severity,
+ LogName = logName,
+ TimeStamp = timestamp;
+ t1
+ | union t2
\ No newline at end of file
diff --git a/Solutions/Google Apigee/ReleaseNotes.md b/Solutions/Google Apigee/ReleaseNotes.md
index edb0c4a1289..dd42989999a 100644
--- a/Solutions/Google Apigee/ReleaseNotes.md
+++ b/Solutions/Google Apigee/ReleaseNotes.md
@@ -1,3 +1,4 @@
 **Version** | **Date Modified (DD-MM-YYYY)**| **ChangeHistory** |
 |------------|-------------------------------|-------------------------------------------------------------------------------------------|
-| 3.0.0 | 05-09-2024 | Updated the python runtime version to 3.11 |
+| 3.1.0 | 28-02-2025 | Added new CCP **Data Connector** to the Solution |
+| 3.0.0 | 05-09-2024 | Updated the python runtime version to 3.11 in **Data Connector** Function APP |
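Review bot: The two branches of the union disagree on column types: t1 maps `RequestAttributesTime = payload_requestMetadata_requestAttributes_time_t` (a datetime column by its `_t` suffix) while t2 computes `RequestAttributesTime = tostring(...)`, so `t1 | union t2` is unlikely to merge them into one column and rules keyed on this field will see only one branch's data; use `todatetime(...)` in place of the outer `tostring(...)` on the t2 line (or `tostring` the t1 side) so both branches agree. `RequestAttributes = payload_requestMetadata_requestAttributes_time_s` in t1 also looks like a copy-paste slip, since the t2 branch assigns the whole requestAttributes object to `RequestAttributes` and this line assigns a time string under the same name. The t1 branch's `project-rename Type = payload__type_s` is likely to collide at query time with the built-in `Type` column that every Log Analytics table carries. Both `let` blocks sit inside the single `FunctionQuery` block scalar that this hunk introduces.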