
Commit a7e36a0

Merge pull request Azure#12840 from yusufozturk/master-vmetric-datastream
VirtualMetric DataStream Solution for Microsoft Sentinel and Microsoft Sentinel data lake
2 parents 3838fde + 1b1623f commit a7e36a0


16 files changed

+22352
-0
lines changed


Logos/VirtualMetric.svg

Lines changed: 8 additions & 0 deletions
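--- a/UNKNOWN_PATH_NOT_ON_PAGE.csv
+++ b/UNKNOWN_PATH_NOT_ON_PAGE.csv
@@ -0,0 +1,6 @@
+TenantId,"TimeGenerated [UTC]",DeviceVendor,DeviceProduct,DeviceVersion,DeviceEventClassID,Activity,LogSeverity,OriginalLogSeverity,AdditionalExtensions,DeviceAction,ApplicationProtocol,EventCount,DestinationDnsDomain,DestinationServiceName,DestinationTranslatedAddress,DestinationTranslatedPort,CommunicationDirection,DeviceDnsDomain,DeviceExternalID,DeviceFacility,DeviceInboundInterface,DeviceNtDomain,DeviceOutboundInterface,DevicePayloadId,ProcessName,DeviceTranslatedAddress,DestinationHostName,DestinationMACAddress,DestinationNTDomain,DestinationProcessId,DestinationUserPrivileges,DestinationProcessName,DestinationPort,DestinationIP,DeviceTimeZone,DestinationUserID,DestinationUserName,DeviceAddress,DeviceName,DeviceMacAddress,ProcessID,"EndTime [UTC]",ExternalID,ExtID,FileCreateTime,FileHash,FileID,FileModificationTime,FilePath,FilePermission,FileType,FileName,FileSize,ReceivedBytes,Message,OldFileCreateTime,OldFileHash,OldFileID,OldFileModificationTime,OldFileName,OldFilePath,OldFilePermission,OldFileSize,OldFileType,SentBytes,EventOutcome,Protocol,Reason,RequestURL,RequestClientApplication,RequestContext,RequestCookies,RequestMethod,ReceiptTime,SourceHostName,SourceMACAddress,SourceNTDomain,SourceDnsDomain,SourceServiceName,SourceTranslatedAddress,SourceTranslatedPort,SourceProcessId,SourceUserPrivileges,SourceProcessName,SourcePort,SourceIP,"StartTime [UTC]",SourceUserID,SourceUserName,EventType,DeviceEventCategory,DeviceCustomIPv6Address1,DeviceCustomIPv6Address1Label,DeviceCustomIPv6Address2,DeviceCustomIPv6Address2Label,DeviceCustomIPv6Address3,DeviceCustomIPv6Address3Label,DeviceCustomIPv6Address4,DeviceCustomIPv6Address4Label,DeviceCustomFloatingPoint1,DeviceCustomFloatingPoint1Label,DeviceCustomFloatingPoint2,DeviceCustomFloatingPoint2Label,DeviceCustomFloatingPoint3,DeviceCustomFloatingPoint3Label,DeviceCustomFloatingPoint4,DeviceCustomFloatingPoint4Label,DeviceCustomNumber1,FieldDeviceCustomNumber1,DeviceCustomNumber1Label,DeviceCustomNumber2,FieldDeviceCustomNumber2,DeviceCustomNumber2Label,DeviceCustomNumber3,FieldDeviceCustomNumber3,DeviceCustomNumber3Label,DeviceCustomString1,DeviceCustomString1Label,DeviceCustomString2,DeviceCustomString2Label,DeviceCustomString3,DeviceCustomString3Label,DeviceCustomString4,DeviceCustomString4Label,DeviceCustomString5,DeviceCustomString5Label,DeviceCustomString6,DeviceCustomString6Label,DeviceCustomDate1,DeviceCustomDate1Label,DeviceCustomDate2,DeviceCustomDate2Label,FlexDate1,FlexDate1Label,FlexNumber1,FlexNumber1Label,FlexNumber2,FlexNumber2Label,FlexString1,FlexString1Label,FlexString2,FlexString2Label,RemoteIP,RemotePort,MaliciousIP,ThreatSeverity,IndicatorThreatType,ThreatDescription,ThreatConfidence,ReportReferenceLink,MaliciousIPLongitude,MaliciousIPLatitude,MaliciousIPCountry,Computer,SourceSystem,SimplifiedDeviceAction,CollectorHostName,Type,"_ResourceId"
+"00000000-0000-0000-0000-000000000000","9/3/2025, 12:05:45.692 PM","Palo Alto Networks","PAN-OS","11.1.9",general,SYSTEM,1,,"PanOSDGl1=0;PanOSDGl2=0;PanOSDGl3=0;PanOSDGl4=0;PanOSVsysName=;PanOSActionFlags=0x0;anOSTimeGeneratedHighResolution=2025-09-01T11:40:45.000+02:00",,,,,,,,,,000702596951,,,,,,,,,,,,,,,,,,,,panamera01,,,,,7499071207306488098,,,,,,,,,,,"Auto update agent found no new WildFire updates",,,,,,,,,,,,,,,,,,,"Sep 01 2025 08:40:45 GMT",,,,,,,,,,,,,,,,,general,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Virtual System",,,,,,,,,,,,,,,,,,,general,Module,,,,,,,,,,,,panamera01,VirtualMetric,,,CommonSecurityLog,
+"00000000-0000-0000-0000-000000000000","9/15/2025, 7:36:11.745 AM","Palo Alto Networks","PAN-OS","11.1.9",general,SYSTEM,1,,,,,,,,,,,,000702596951,,,,,,,,,,,,,,,,,,,,panamera01,,,,,7499071207306488098,,,,,,,,,,,"Auto update agent found no new WildFire updates",,,,,,,,,,,,,,,,,,,"Sep 01 2025 08:40:45 GMT",,,,,,,,,,,,,,,,,general,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Virtual System",,,,,584505011149499420,CorrelationID,,,,,,,,,,,,,general,Module,,,,,,,,,,,,panamera01,VirtualMetric,,,CommonSecurityLog,
+"00000000-0000-0000-0000-000000000000","9/5/2025, 8:55:46.000 AM",Fortinet,Fortigate,"v7.6.1",00014,"traffic:local close",3,,"FTNTFGTeventtime=1757073346045809566;FTNTFGTlogid=0001000014;FTNTFGTsubtype=local;FTNTFGTlevel=notice;FTNTFGTvd=root;FTNTFGTsrcintfrole=undefined;FTNTFGTdstintfrole=wan;FTNTFGTsrccountry=Reserved;FTNTFGTdstcountry=United States;FTNTFGTpolicyid=0;FTNTFGTtrandisp=noop;FTNTFGTapp=HTTPS;FTNTFGTduration=2;FTNTFGTsentpkt=5;FTNTFGTrcvdpkt=3",close,HTTPS,,,,,,,,FGVMEVHCOQK4HJ22,,root,,port1,,,,,,,,,,443,"173.243.141.6",,,,,,,,,,5277,,,,,,,,,,164,,,,,,,,,,,275,,6,,,,,,,,,,,,,,,,,,7022,"192.168.1.73",,,,,"traffic:local",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"VirtualMetric-FW2",VirtualMetric,close,,CommonSecurityLog,
+"00000000-0000-0000-0000-000000000000","9/5/2025, 8:55:47.000 AM",Fortinet,Fortigate,"v7.6.1",00014,"traffic:local close",3,,"FTNTFGTeventtime=1757073347195814866;FTNTFGTlogid=0001000014;FTNTFGTsubtype=local;FTNTFGTlevel=notice;FTNTFGTvd=root;FTNTFGTsrcintfrole=undefined;FTNTFGTdstintfrole=wan;FTNTFGTsrccountry=Reserved;FTNTFGTdstcountry=United States;FTNTFGTpolicyid=0;FTNTFGTtrandisp=noop;FTNTFGTapp=HTTPS;FTNTFGTduration=2;FTNTFGTsentpkt=5;FTNTFGTrcvdpkt=4",close,HTTPS,,,,,,,,FGVMEVHCOQK4HJ22,,root,,port1,,,,,,,,,,443,"173.243.141.6",,,,,,,,,,5279,,,,,,,,,,228,,,,,,,,,,,275,,6,,,,,,,,,,,,,,,,,,7024,"192.168.1.73",,,,,"traffic:local",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"VirtualMetric-FW2",VirtualMetric,close,,CommonSecurityLog,
+"00000000-0000-0000-0000-000000000000","9/5/2025, 8:55:49.000 AM",Fortinet,Fortigate,"v7.6.1",00014,"traffic:local deny",3,,"FTNTFGTeventtime=1757073349236109166;FTNTFGTlogid=0001000014;FTNTFGTsubtype=local;FTNTFGTlevel=notice;FTNTFGTvd=root;FTNTFGTsrcintfrole=wan;FTNTFGTdstintfrole=undefined;FTNTFGTsrccountry=Reserved;FTNTFGTdstcountry=Reserved;FTNTFGTpolicyid=0;FTNTFGTpolicytype=local-in-policy;FTNTFGTtrandisp=noop;FTNTFGTapp=udp/6667;FTNTFGTduration=0;FTNTFGTsentpkt=0;FTNTFGTrcvdpkt=0",deny,"udp/6667",,,,,,,,FGVMEVHCOQK4HJ22,,port1,,root,,,,,,,,,,6667,"255.255.255.255",,,,,,,,,,5281,,,,,,,,,,0,"Connection Failed",,,,,,,,,,0,,17,,,,,,,,,,,,,,,,,,56071,"192.168.1.9",,,,,"traffic:local",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"VirtualMetric-FW2",VirtualMetric,deny,,CommonSecurityLog,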
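--- a/UNKNOWN_PATH_NOT_ON_PAGE.json
+++ b/UNKNOWN_PATH_NOT_ON_PAGE.json
@@ -0,0 +1,241 @@
+{
+"$schema": "http://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+"contentVersion": "1.0.0.0",
+"parameters": {
+"functionAppName": {
+"type": "string",
+"metadata": {
+"description": "Name of the Function App (must be globally unique)"
+}
+}
+},
+"variables": {
+"location": "[resourceGroup().location]",
+"storageAccountName": "[concat('vm', uniqueString(resourceGroup().id))]",
+"hostingPlanName": "[concat(parameters('functionAppName'), '-plan')]",
+"functionPackageUrl": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/VirtualMetric DataStream/Data Connectors/VirtualMetric-DirectorProxy/DirectorProxyFunction.zip",
+"contentShare": "[concat(toLower(parameters('functionAppName')), '-content')]",
+"functionToken": "[base64(concat(uniqueString(resourceGroup().id, parameters('functionAppName'), deployment().name), '-', guid(resourceGroup().id, parameters('functionAppName'), 'token')))]"
+},
+"resources": [
+{
+"apiVersion": "2023-05-01",
+"type": "Microsoft.Storage/storageAccounts",
+"name": "[variables('storageAccountName')]",
+"location": "[variables('location')]",
+"tags": {
+"DisplayName": "Function App Storage"
+},
+"sku": {
+"name": "Standard_LRS"
+},
+"kind": "StorageV2",
+"properties": {
+"supportsHttpsTrafficOnly": true,
+"minimumTlsVersion": "TLS1_2",
+"defaultToOAuthAuthentication": true,
+"allowBlobPublicAccess": false,
+"publicNetworkAccess": "Enabled",
+"encryption": {
+"services": {
+"blob": {
+"enabled": true
+},
+"file": {
+"enabled": true
+}
+},
+"keySource": "Microsoft.Storage"
+}
+}
+},
+{
+"apiVersion": "2022-03-01",
+"name": "[variables('hostingPlanName')]",
+"type": "Microsoft.Web/serverfarms",
+"location": "[variables('location')]",
+"kind": "elastic",
+"tags": {
+"DisplayName": "VirtualMetric Proxy Function App"
+},
+"properties": {
+"maximumElasticWorkerCount": 20,
+"reserved": true,
+"zoneRedundant": false
+},
+"sku": {
+"name": "EP1",
+"tier": "ElasticPremium",
+"size": "EP1",
+"family": "EP",
+"capacity": 1
+}
+},
+{
+"apiVersion": "2022-09-01",
+"name": "[parameters('functionAppName')]",
+"type": "Microsoft.Web/sites",
+"kind": "functionapp,linux",
+"location": "[variables('location')]",
+"identity": {
+"type": "SystemAssigned"
+},
+"tags": {
+"DisplayName": "VirtualMetric Proxy Function App"
+},
+"dependsOn": [
+"[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]",
+"[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]"
+],
+"properties": {
+"serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]",
+"siteConfig": {
+"appSettings": [
+{
+"name": "X_VMETRIC_TOKEN",
+"value": "[variables('functionToken')]"
+},
+{
+"name": "FUNCTIONS_EXTENSION_VERSION",
+"value": "~4"
+},
+{
+"name": "FUNCTIONS_WORKER_RUNTIME",
+"value": "custom"
+},
+{
+"name": "AzureWebJobsStorage",
+"value": "[concat('DefaultEndpointsProtocol=https;AccountName=',variables('storageAccountName'),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), '2023-05-01').keys[0].value,';EndpointSuffix=core.windows.net')]"
+},
+{
+"name": "WEBSITE_RUN_FROM_PACKAGE",
+"value": "[variables('functionPackageUrl')]"
+},
+{
+"name": "GOMAXPROCS",
+"value": "2"
+},
+{
+"name": "GOGC",
+"value": "100"
+},
+{
+"name": "AzureFunctionsJobHost__logging__logLevel__default",
+"value": "Information"
+},
+{
+"name": "WEBSITE_ENABLE_SYNC_UPDATE_SITE",
+"value": "true"
+},
+{
+"name": "SCM_DO_BUILD_DURING_DEPLOYMENT",
+"value": "false"
+},
+{
+"name": "ENABLE_ORYX_BUILD",
+"value": "false"
+}
+],
+"cors": {
+"allowedOrigins": [
+"https://portal.azure.com"
+]
+},
+"use32BitWorkerProcess": false,
+"ftpsState": "FtpsOnly",
+"linuxFxVersion": "custom|",
+"alwaysOn": true,
+"http20Enabled": true,
+"minTlsVersion": "1.2",
+"scmMinTlsVersion": "1.2",
+"httpLoggingEnabled": true,
+"detailedErrorLoggingEnabled": true,
+"requestTracingEnabled": true
+},
+"clientAffinityEnabled": false,
+"httpsOnly": true,
+"publicNetworkAccess": "Enabled",
+"virtualNetworkSubnetId": null,
+"functionsRuntimeAdminIsolationEnabled": false
+},
+"resources": [
+{
+"type": "basicPublishingCredentialsPolicies",
+"apiVersion": "2022-09-01",
+"name": "scm",
+"properties": {
+"allow": true
+},
+"dependsOn": [
+"[resourceId('Microsoft.Web/sites', parameters('functionAppName'))]"
+]
+},
+{
+"type": "basicPublishingCredentialsPolicies",
+"apiVersion": "2022-09-01",
+"name": "ftp",
+"properties": {
+"allow": false
+},
+"dependsOn": [
+"[resourceId('Microsoft.Web/sites', parameters('functionAppName'))]"
+]
+},
+{
+"type": "config",
+"apiVersion": "2022-09-01",
+"name": "logs",
+"dependsOn": [
+"[resourceId('Microsoft.Web/sites', parameters('functionAppName'))]"
+],
+"properties": {
+"applicationLogs": {
+"fileSystem": {
+"level": "Information"
+}
+},
+"httpLogs": {
+"fileSystem": {
+"enabled": true,
+"retentionInDays": 7,
+"retentionInMb": 35
+}
+},
+"failedRequestsTracing": {
+"enabled": true
+},
+"detailedErrorMessages": {
+"enabled": true
+}
+}
+}
+]
+}
+],
+"outputs": {
+"functionAppName": {
+"type": "string",
+"value": "[parameters('functionAppName')]"
+},
+"functionAppUrl": {
+"type": "string",
+"value": "[concat('https://', reference(resourceId('Microsoft.Web/sites', parameters('functionAppName'))).defaultHostName)]"
+},
+"storageAccountName": {
+"type": "string",
+"value": "[variables('storageAccountName')]"
+},
+"scmUrl": {
+"type": "string",
+"value": "[concat('https://', parameters('functionAppName'), '.scm.azurewebsites.net/')]"
+},
+"managedIdentityPrincipalId": {
+"type": "string",
+"value": "[reference(resourceId('Microsoft.Web/sites', parameters('functionAppName')), '2022-09-01', 'full').identity.principalId]"
+},
+"functionToken": {
+"type": "string",
+"value": "[variables('functionToken')]"
+}
+}
+}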
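Review bot: `functionToken` in `variables` is not an unpredictable secret: `uniqueString()` and `guid()` are deterministic hashes of the resource-group id, the app name and the deployment name, so the value written into the `X_VMETRIC_TOKEN` app setting can be recomputed by anyone who knows those inputs, and the `functionToken` entry in `outputs` additionally leaves it readable in the resource group's deployment history for any principal with read access. Replace the variable with a parameter that gets a fresh random default on each deployment, e.g. `"functionToken": { "type": "securestring", "defaultValue": "[newGuid()]" }`, set the app setting to `"value": "[parameters('functionToken')]"`, and remove `functionToken` from `outputs` (an operator can read it from the app settings instead). Separately, `functionPackageUrl` fetches the function package from the repository's `master` branch, so the code that runs in the customer's tenant changes silently whenever that file is updated upstream; pinning the URL to a release tag or commit SHA would make deployments reproducible and reviewable. The `scm` `basicPublishingCredentialsPolicies` child keeps basic-auth publishing enabled while `ftp` is disabled; if the run-from-URL package does not need it (I believe it does not), `"allow": false` there closes a password-based path to the Kudu endpoint whose address is also published as the `scmUrl` output. Note also that the `contentShare` variable is defined but never referenced.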
