Contrast-Security-OSS
diff --git a/‎Solutions/Google Cloud Platform Load Balancer Logs/Data Connectors/GCPFLoadBalancerLogs_GCP_CCP/GCPFLoadBalancerLogs_DCR.json‎
Lines changed: 70 additions & 0 deletions b/‎Solutions/Google Cloud Platform Load Balancer Logs/Data Connectors/GCPFLoadBalancerLogs_GCP_CCP/GCPFLoadBalancerLogs_DCR.json‎
Lines changed: 70 additions & 0 deletions
diff --git a/‎Solutions/Google Cloud Platform Load Balancer Logs/Data Connectors/GCPFLoadBalancerLogs_GCP_CCP/GCPFLoadBalancerLogs_Definition.json‎
Lines changed: 104 additions & 0 deletions b/‎Solutions/Google Cloud Platform Load Balancer Logs/Data Connectors/GCPFLoadBalancerLogs_GCP_CCP/GCPFLoadBalancerLogs_Definition.json‎
Lines changed: 104 additions & 0 deletions
diff --git a/‎Solutions/Google Cloud Platform Load Balancer Logs/Data Connectors/GCPFLoadBalancerLogs_GCP_CCP/GCPFLoadBalancerLogs_PollingConfig.json‎
Lines changed: 29 additions & 0 deletions b/‎Solutions/Google Cloud Platform Load Balancer Logs/Data Connectors/GCPFLoadBalancerLogs_GCP_CCP/GCPFLoadBalancerLogs_PollingConfig.json‎
Lines changed: 29 additions & 0 deletions
diff --git a/‎Solutions/Google Cloud Platform Load Balancer Logs/Data Connectors/GCPFLoadBalancerLogs_GCP_CCP/GCPFLoadBalancerLogs_table.json‎
Lines changed: 144 additions & 0 deletions b/‎Solutions/Google Cloud Platform Load Balancer Logs/Data Connectors/GCPFLoadBalancerLogs_GCP_CCP/GCPFLoadBalancerLogs_table.json‎
Lines changed: 144 additions & 0 deletions
diff --git a/‎Solutions/Google Cloud Platform Load Balancer Logs/Data/Solution_GCPWAF.json‎
Lines changed: 16 additions & 0 deletions b/‎Solutions/Google Cloud Platform Load Balancer Logs/Data/Solution_GCPWAF.json‎
Lines changed: 16 additions & 0 deletions
diff --git a/‎Solutions/Google Cloud Platform Load Balancer Logs/Package/3.0.0.zip‎
7.88 KB b/‎Solutions/Google Cloud Platform Load Balancer Logs/Package/3.0.0.zip‎
7.88 KB
@@ -0,0 +1,70 @@
+[
+    {
+        "name": "gcpLoadBalancerLogsDCR",
+        "apiVersion": "2021-09-01-preview",
+        "type": "Microsoft.Insights/dataCollectionRules",
+        "location": "{{location}}",
+        "properties": {
+            "streamDeclarations": {
+                "Custom-GCPLoadBalancerStream": {
+                    "columns": [
+                        {
+                            "name": "insertId",
+                            "type": "string"
+                        },
+                        {
+                            "name": "jsonPayload",
+                            "type": "dynamic"
+                        },
+                        {
+                            "name": "logName",
+                            "type": "string"
+                        },
+                        {
+                            "name": "receiveTimestamp",
+                            "type": "datetime"
+                        },
+                        {
+                            "name": "resource",
+                            "type": "dynamic"
+                        },
+                        {
+                            "name": "timestamp",
+                            "type": "datetime"
+                        },
+                        {
+                            "name": "httpRequest",
+                            "type": "dynamic"
+                        },
+                        {
+                            "name": "severity",
+                            "type": "string"
+                        }
+                    ]
+                }
+            },
+        "dataSources": {},
+            "destinations": {
+                "logAnalytics": [
+                    {
+                        "workspaceResourceId": "{{workspaceResourceId}}",
+                        "name": "clv2ws1"
+                    }
+                ]
+            },
+            "dataFlows": [
+                {
+                    "streams": [
+                        "Custom-GCPLoadBalancerStream"
+                    ],
+                    "destinations": [
+                        "clv2ws1"
+                    ],
+                    "transformKql": "source | extend jsonPayload = parse_json(todynamic(jsonPayload)) | extend resourceLabel = todynamic(resource).labels | extend httpRequest = parse_json(httpRequest) | project  TimeGenerated=todatetime(receiveTimestamp),Timestamp=todatetime(timestamp),LogName=tostring(logName),InsertId=tostring(insertId),BackendTargetProjectNumber=tostring(jsonPayload.backendTargetProjectNumber),CacheDecision=todynamic(jsonPayload.cacheDecision),EnforcedSecurityPolicy=todynamic(jsonPayload.enforcedSecurityPolicy),PreviewSecurityPolicy=todynamic(jsonPayload.previewSecurityPolicy),EnforcedEdgeSecurityPolicy=todynamic(jsonPayload.enforcedEdgeSecurityPolicy),PayloadRemoteIp=tostring(jsonPayload.remoteIp),SecurityPolicyRequestData=todynamic(jsonPayload.securityPolicyRequestData),PreviewEdgeSecurityPolicy=todynamic(jsonPayload.previewEdgeSecurityPolicy),StatusDetails=tostring(jsonPayload.statusDetails),Latency=tostring(httpRequest.latency),RemoteIp=tostring(httpRequest.remoteIp),RequestMethod=tostring(httpRequest.requestMethod),RequestSize=tostring(httpRequest.requestSize),RequestUrl=tostring(httpRequest.requestUrl),RequestStatus=tostring(httpRequest.status),UserAgent=tostring(httpRequest.userAgent),BackendServiceName=tostring(resourceLabel.backend_service_name),ForwardingRuleName=tostring(resourceLabel.forwarding_rule_name),ProjectId=tostring(resourceLabel.project_id),UrlMapName=tostring(resourceLabel.url_map_name),Zone=tostring(resourceLabel.zone),Severity=tostring(severity)",
+                    "outputStream": "Custom-GCPLoadBalancerLogs_CL"
+                }
+            ],
+            "dataCollectionEndpointId": "{{dataCollectionEndpointId}}"
+        }
+    }
+]
@@ -0,0 +1,104 @@
+{
+    "name": "GCPFLoadBalancerLogsCCPDefinition",
+    "apiVersion": "2022-09-01-preview",
+    "type": "Microsoft.SecurityInsights/dataConnectorDefinitions",
+    "location": "{{location}}",
+    "kind": "Customizable",
+    "properties": {
+    "connectorUiConfig": {
+        "id": "GCPFLoadBalancerLogsCCPDefinition",
+        "title": "GCP Pub/Sub Load Balancer Logs (Preview)",
+        "publisher": "Microsoft",
+        "descriptionMarkdown": "Google Cloud Platform (GCP) Load Balancer logs provide detailed insights into network traffic, capturing both inbound and outbound activities. These logs are used for monitoring access patterns and identifying potential security threats across GCP resources. Additionally, these logs also include GCP Web Application Firewall (WAF) logs, enhancing the ability to detect and mitigate risks effectively.",
+        "graphQueriesTableName": "GCPLoadBalancerLogs_CL",
+        "graphQueries": [
+            {
+                "metricName": "Total events received",
+                "legend": "GCP Pub/Sub Load Balancer Logs",
+                "baseQuery": "{{graphQueriesTableName}}"
+            }
+        ],
+        "sampleQueries": [
+            {
+                "description": "Get Sample of GCP Load Balancer Logs",
+                "query": "{{graphQueriesTableName}}\n | take 10"
+            }
+        ],
+        "dataTypes": [
+            {
+                "name": "{{graphQueriesTableName}}",
+                "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n            | where isnotempty(Time)"
+            }
+        ],
+        "availability": {
+            "status": 1,
+            "isPreview": false
+        },
+        "connectivityCriteria": [
+            {
+                "type": "HasDataConnectors"
+            }
+        ],
+        "permissions": {
+            "resourceProvider": [
+                {
+                    "provider": "Microsoft.OperationalInsights/workspaces",
+                    "permissionsDisplayText": "Read and Write permissions are required.",
+                    "providerDisplayName": "Workspace",
+                    "scope": "Workspace",
+                    "requiredPermissions": {
+                        "read": true,
+                        "write": true,
+                        "delete": true,
+                        "action": false
+                    }
+                }
+            ]
+        },
+        "instructionSteps": [
+            {
+                "instructions": [
+                    {
+                        "type": "MarkdownControlEnvBased",
+                        "parameters": {
+                            "prodScript": "#### 1. Set up your GCP environment \n You must have the following GCP resources defined and configured: topic, subscription for the topic, workload identity pool, workload identity provider and service account with permissions to get and consume from subscription. \n Terraform provides API for the IAM that creates the resources. [Link to Terraform scripts](https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/GCP/Terraform/sentinel_resources_creation).",
+                            "govScript": "#### 1. Set up your GCP environment \n You must have the following GCP resources defined and configured: topic, subscription for the topic, workload identity pool, workload identity provider and service account with permissions to get and consume from subscription. \n Terraform provides API for the IAM that creates the resources. [Link to Gov Terraform scripts](https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/GCP/Terraform/sentinel_resources_creation_gov)."
+                        }
+                    },
+                    {
+                        "type": "CopyableLabel",
+                        "parameters": {
+                            "label": "Tenant ID: A unique identifier that is used as an input in the Terraform configuration within a GCP environment.",
+                            "fillWith": [
+                                "TenantId"
+                            ],
+                            "name": "PoolId",
+                            "disabled": true
+                        }
+                    },
+                    {
+                        "type": "Markdown",
+                        "parameters": {
+                            "content": "#### 2. Enable Load Balancer logs \nIn your GCP account, navigate to the Load Balancer section. In here you can nevigate to [**Backend Service**] -> [**Edit**], once you are in the [**Backend Service**]  on the [**Logging**] section **enable** the checkbox of [**Enable Logs**]. Once you open the rule, switch the toggle button under the **Logs** section to **On**, and save the changes.\n\nFor more information: [Link to documentation](https://cloud.google.com/load-balancing/docs/https/https-logging-monitoring)"
+                        }
+                    },
+                    {
+                        "type": "Markdown",
+                        "parameters": {
+                            "content": "#### 3. Connect new collectors \n To enable GCP Load Balancer Logs for Microsoft Sentinel, click the Add new collector button, fill the required information in the context pane and click on Connect."
+                        }
+                    },
+                    {
+                        "type": "GCPGrid",
+                    "parameters": {}
+                    },
+                    {
+                        "type": "GCPContextPane",
+                    "parameters": {}
+                    }
+                ]
+            }
+        ]
+    }
+ }
+}
@@ -0,0 +1,29 @@
+[
+    {
+        "name": "GCPFirewallLogsTemplateConnections",
+        "apiVersion": "2023-02-01-preview",
+        "type": "Microsoft.SecurityInsights/dataConnectors",
+        "location": "{{location}}",
+        "kind": "GCP",
+        "properties": {
+            "connectorDefinitionName": "GCPFLoadBalancerLogsCCPDefinition",
+            "dcrConfig": {
+                "streamName": "Custom-GCPLoadBalancerStream",
+                "dataCollectionEndpoint": "{{dataCollectionEndpoint}}",
+                "dataCollectionRuleImmutableId": "{{dataCollectionRuleImmutableId}}"
+            },
+            "dataType": "GCPLoadBalancerLogs_CL",
+            "auth": {
+                "serviceAccountEmail": "{{GCPServiceAccountEmail}}",
+                "projectNumber": "{{GCPProjectNumber}}",
+                "workloadIdentityProviderId": "{{GCPWorkloadIdentityProviderId}}"
+            },
+            "request": {
+                "projectId": "{{GCPProjectId}}",
+                "subscriptionNames": [
+                    "{{GCPSubscriptionName}}"
+                ]
+            }
+        }
+    }
+]
@@ -0,0 +1,144 @@
+[{
+    "name": "GCPLoadBalancerLogs_CL",
+    "type": "Microsoft.OperationalInsights/workspaces/tables",
+    "apiVersion": "2021-03-01-privatepreview",
+    "tags": {},
+    "properties": {
+        "schema": {
+            "name": "GCPLoadBalancerLogs_CL",
+            "columns": [
+                {
+                    "name": "TimeGenerated",
+                    "type": "datetime",
+                    "description": "The time the log entry was received by logging."
+                },
+                {
+                    "name": "BackendTargetProjectNumber",
+                    "type": "String",
+                    "description": "The Backend Service Project Number."
+                },
+                {
+                    "name": "CacheDecision",
+                    "type": "Dynamic",
+                    "description": "Indicates whether a request was served from the cache or the backend."
+                },
+                {
+                    "name": "EnforcedSecurityPolicy",
+                    "type": "Dynamic",
+                    "description": "Indicates whether a security policy (such as a WAF or access control rules) was applied to a request."
+                },
+                {
+                    "name": "PreviewSecurityPolicy",
+                    "type": "Dynamic",
+                    "description": "Request matches a rule configured for preview (present only when a preview rule would have taken priority over the enforced rule)."
+                },
+                {
+                    "name": "EnforcedEdgeSecurityPolicy",
+                    "type": "Dynamic",
+                    "description": "the edge security policy rule that was enforced."
+                },
+                {
+                    "name": "PreviewEdgeSecurityPolicy",
+                    "type": "Dynamic",
+                    "description": "populated if a request matches an edge security policy rule configured for preview."
+                },
+                {
+                    "name": "PayloadRemoteIp",
+                    "type": "String",
+                    "description": "The remote ip address of the payload."
+                },
+                {
+                    "name": "SecurityPolicyRequestData",
+                    "type": "Dynamic",
+                    "description": "The security policy data of the request."
+                },
+                {
+                    "name": "StatusDetails",
+                    "type": "String",
+                    "description": "The status details of the request."
+                },
+                {
+                    "name": "Latency",
+                    "type": "String",
+                    "description": "The latency of the request."
+                },
+                {
+                    "name": "RemoteIp",
+                    "type": "String",
+                    "description": "The remote ip of the request."
+                },
+                {
+                    "name": "RequestMethod",
+                    "type": "String",
+                    "description": "The http method of the request."
+                },
+                {
+                    "name": "RequestSize",
+                    "type": "String",
+                    "description": "The size of the request."
+                },
+                {
+                    "name": "RequestUrl",
+                    "type": "String",
+                    "description": "The url of the request."
+                },
+                {
+                    "name": "RequestStatus",
+                    "type": "String",
+                    "description": "The status code of the request."
+                },
+                {
+                    "name": "UserAgent",
+                    "type": "String",
+                    "description": "The user agent of the request."
+                },
+                {
+                    "name": "BackendServiceName",
+                    "type": "String",
+                    "description": "The backend service name in Google Cloud Platform ."
+                },
+                {
+                    "name": "ForwardingRuleName",
+                    "type": "String",
+                    "description": "The forwarding rule resource of the load balancer in Google Cloud Platform."
+                },
+                {
+                    "name": "ProjectId",
+                    "type": "String",
+                    "description": "The Project id in Google Cloud Platform"
+                },
+                {
+                    "name": "UrlMapName",
+                    "type": "String",
+                    "description": "The url map resource name in Google Cloud Platform.",
+                    "dataTypeHint": "URI"
+                },
+                {
+                    "name": "Zone",
+                    "type": "String",
+                    "description": "The Zone name of the Load Balancer."
+                },
+                {
+                    "name": "Severity",
+                    "type": "String",
+                    "description": "The severity of the incident."
+                },
+                {
+                    "name": "LogName",
+                    "type": "String",
+                    "description": "Information including a suffix identifying the log sub-type (e.g., admin activity, system access, data access) and where in the hierarchy the request was made."
+                },
+                {
+                    "name": "Timestamp",
+                    "type": "DateTime",
+                    "description": "The time the event described by the log entry occurred."
+                },
+                {
+                    "name": "InsertId",
+                    "type": "String",
+                    "description": "Optional. Providing a unique identifier for the log entry allows Logging to remove duplicate entries with the same timestamp and insertId in a single query result."
+                }
+            ]
+        }
+    }
+}]
@@ -0,0 +1,16 @@
+{
+  "Name": "Google Cloud Platform Load Balancer Logs",
+  "Author": "Microsoft - [email protected]",
+  "Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/refs/heads/master/Logos/google_logo.svg\"width=\"75px\" height=\"75px\">",
+  "Description": "The Google Cloud Platform Load Balancer data connector allows you to seamlessly ingest and monitor logs from GCP's Pub/Sub Load Balancer logs into Microsoft Sentinel. Built on the Microsoft Sentinel Codeless Connector Platform (CCP), this connector supports DCR-based ingestion time transformations, ensuring that the received security data is parsed in destination tables for optimal query performance. By leveraging this connector, you can enhance your security operations by gaining comprehensive visibility into your GCP Load Balancer logs, enabling proactive threat detection and response.",
+  "Data Connectors": [
+    "Data Connectors/GCPFLoadBalancerLogs_GCP_CCP/GCPFLoadBalancerLogs_Definition.json"
+  ],
+  "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Google Cloud Platform Load Balancer Logs\\",
+  "Version": "3.0.0",
+  "Metadata": "SolutionMetadata.json",
+  "TemplateSpec": true,
+  "StaticDataConnectorIds": [
+    "WAF"
+  ] 
+}