CyberArk Audit New CCF Data Connector

[nitsan-tzur]

Required items, please complete

Change(s):

• New Audit Service CCF data connector

Reason for Change(s):

• An alternative to Azure Functions based connector

Testing Completed:

• Yes

[v-maheshbh]

Hi @nitsan-tzur
Kindly attach the CCF connector screenshot in the connected state, and please share the invocation details and logs.

Thanks!

[nitsan-tzur]

Hi @v-maheshbh, attaching relevant screenshots of connected status and recent data fetch from target custom table

[v-maheshbh]

Hi @nitsan-tzur
Since the solution was originally implemented using an Azure Functions–based connector and now incorporates a CCF connector, the earlier Azure Function implementation is recommended to be deprecated.

Thanks!

[nitsan-tzur]

Hi @nitsan-tzur Since the solution was originally implemented using an Azure Functions–based connector and now incorporates a CCF connector, the earlier Azure Function implementation is recommended to be deprecated.

Thanks!

It was discussed and agreed with Microsoft team we've worked with on CCF to not deprecate the Azure Functions connector at this point

[v-maheshbh]

Hi @nitsan-tzur
Kindly repackage the solution, as the createUiDefinition file has not been updated to align with the analytical rule and the mainTemplate file.
As the last published version on the Content Hub is 3.0.2 while the current package has been built with version 3.1.0.

Thanks!

[nitsan-tzur]

Hi @nitsan-tzur Kindly repackage the solution, as the createUiDefinition file has not been updated to align with the analytical rule and the mainTemplate file. As the last published version on the Content Hub is 3.0.2 while the current package has been built with version 3.1.0.

Thanks!

Hi @v-maheshbh,
Edited createUiDefinition.json and zip package were updated

[v-maheshbh]

Hi @nitsan-tzur

The solution contains three analytical rules, which are not reflected here.
Kindly repackage the solution using the V3 tool:
https://github.com/Azure/Azure-Sentinel/blob/master/Tools/Create-Azure-Sentinel-Solution/V3/README.md

[nitsan-tzur]

Hi @nitsan-tzur

The solution contains three analytical rules, which are not reflected here. Kindly repackage the solution using the V3 tool: https://github.com/Azure/Azure-Sentinel/blob/master/Tools/Create-Azure-Sentinel-Solution/V3/README.md

Hi @v-maheshbh updated Analytic Rules in createUiDefinition.json

[v-maheshbh]

Hi @nitsan-tzur
The main template deployment is failing. Kindly review the configuration and address the underlying issue to ensure successful deployment.

Thanks!

[nitsan-tzur]

Hi @nitsan-tzur The main template deployment is failing. Kindly review the configuration and address the underlying issue to ensure successful deployment.

Thanks!

Hi @v-maheshbh please see screen shots of successful deployment with corresponding paramters.
I think you might have misconfigured the deployment parameters

[v-maheshbh]

Hi @nitsan-tzur

I checked on my end and I'm getting a deployment error. Please verify using the latest main template.

Thanks!

[nitsan-tzur]

Hi @nitsan-tzur

I checked on my end and I'm getting a deployment error. Please verify using the latest main template.

Thanks!

Hi @v-maheshbh
Please see attached a successful fresh deployment from today. Looking at the screenshot you've shared it seems you've entered a wrong workspace-location parameter. It should be a valid Azure region value e.g. eastus

[v-maheshbh]

Hi @nitsan-tzur

Kindly note that I have repackaged the solution, as the analytic rule was not previously updated correctly in the mainTemplate.json.
The analytic rule has been updated now. Kindly check once and confirm if everything is working as expected after deployment.

Thanks!

[nitsan-tzur]

Hi @nitsan-tzur

Kindly note that I have repackaged the solution, as the analytic rule was not previously updated correctly in the mainTemplate.json. The analytic rule has been updated now. Kindly check once and confirm if everything is working as expected after deployment.

Thanks!

Hi @v-maheshbh,
Please see attached an error I'm getting trying to deploy recent changes. Also, the renaming of CyberArk_AuditEvents_CL (that you've reverted) was made intentionally to support seamless transition from Azure Functions based connector to CCF, keeping data flowing to already existing table.

[v-maheshbh]

Hi @nitsan-tzur
Kindly review the comments shared above and address them accordingly.

Thanks!

[nitsan-tzur]

Hi @nitsan-tzur Kindly review the comments shared above and address them accordingly.

Thanks!

Hi @v-maheshbh,

Table renamed as suggested but template validation is still failing on same error:
{
"code": "InvalidTemplate",
"message": "Deployment template validation failed: 'The resource 'Microsoft.OperationalInsights/workspaces/eastus/providers/Microsoft.SecurityInsights/contentTemplates/eastus-ar-aaaaaaaaaaaaa' at line '1' and column '58754' is defined multiple times in a template. Please see https://aka.ms/arm-syntax-resources for usage details.'."
}

[v-maheshbh]

Hi @nitsan-tzur Kindly review the comments shared above and address them accordingly.

Thanks!

Hi @v-maheshbh,

Table renamed as suggested but template validation is still failing on same error: { "code": "InvalidTemplate", "message": "Deployment template validation failed: 'The resource 'Microsoft.OperationalInsights/workspaces/eastus/providers/Microsoft.SecurityInsights/contentTemplates/eastus-ar-aaaaaaaaaaaaa' at line '1' and column '58754' is defined multiple times in a template. Please see https://aka.ms/arm-syntax-resources for usage details.'." }

Hi @nitsan-tzur

The above error was encountered because the GUID was missing in the analytical rule. This issue has now been resolved.
Kindly deploy the latest main template and attach a testing screenshot of the CCF data connector in a connected state for reference.

Thanks!

[v-maheshbh]

Hi @nitsan-tzur

Kindly review and address the above comments.

Thanks!

[nitsan-tzur]

Hi @nitsan-tzur

Kindly review and address the above comments.

Thanks!

Hi @nitsan-tzur

Kindly review and address the above comments.

Thanks!

Hi @v-maheshbh,

Getting this error after connecting:
Failed to create required resources for data connector InvalidPayload:Data collection rule is invalid, [{"code":"InvalidTransformOutput","message":"Types of transform output columns do not match the ones defined by the output stream: timestamp [produced:'Long', output:'Int']","target":"properties.dataFlows[0]"}]

[nitsan-tzur]

@v-maheshbh I pushed a fix addressing latest deployment error.
E2E test are passing on our end

[v-maheshbh]

Hi @nitsan-tzur

Kindly update the datatype of the timestamp field in both the DCR and the corresponding custom table schema. This will ensure the updated schema is reflected correctly in the packaged solution and in the main template.

Please avoid manual updates to the main template, as this is not recommended.

Thanks!

[nitsan-tzur]

Hi @nitsan-tzur

Kindly update the datatype of the timestamp field in both the DCR and the corresponding custom table schema. This will ensure the updated schema is reflected correctly in the packaged solution and in the main template.

Please avoid manual updates to the main template, as this is not recommended.

Thanks!

Hi @v-maheshbh,
DCR was updated together with new zip package

[v-maheshbh]

Hi @nitsan-tzur
Kindly deploy the latest main template and attach the screenshot showing the CCF connected state so we can proceed with the approval.

Thanks!

[nitsan-tzur]

Hi @nitsan-tzur Kindly deploy the latest main template and attach the screenshot showing the CCF connected state so we can proceed with the approval.

Thanks!

Hi @v-maheshbh,
Please find attached screenshot of connected CCF and data flowing in