
Commit d6122ef

authored
Merge pull request Azure#13076 from JonathanStross/master
Pathlock Threat Detection and Response Microsoft Sentinel Solution for SAP Integration
2 parents e69115f + bfb3791 commit d6122ef

File tree

14 files changed

+1900
-0
lines changed


Logos/pathlock_logo.svg

Lines changed: 19 additions & 0 deletions
Lines changed: 164 additions & 0 deletions
@@ -0,0 +1,164 @@
1+
{
2+
"id": "Pathlock_TDnR",
3+
"title": "Pathlock Threat Detection and Response Integration",
4+
"publisher": "Pathlock Inc.",
5+
"logo": "pathlock_logo.svg",
6+
"descriptionMarkdown": "Pathlock Threat Detection and Response enables seamless forwarding of security alerts and logs detected and collected by the Pathlock Platform into Microsoft Sentinel Solution for SAP.",
7+
"graphQueriesTableName": "Pathlock_TDnR_CL",
8+
"graphQueries": [
9+
{
10+
"metricName": "Total events received",
11+
"legend": "SID",
12+
"baseQuery": "{{graphQueriesTableName}} | project TimeGenerated, SYSID= sid"
13+
}
14+
],
15+
"sampleQueries": [
16+
{
17+
"description": "Get Sample Events",
18+
"query": "{{graphQueriesTableName}}\n | take 10"
19+
}
20+
],
21+
"dataTypes": [
22+
{
23+
"name": "{{graphQueriesTableName}}",
24+
"lastDataReceivedQuery": "{{graphQueriesTableName}}\n | where TimeGenerated > ago(12h) | where name_s == \"no data test\" | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
25+
}
26+
],
27+
"connectivityCriteria": [
28+
{
29+
"type": "HasDataConnectors"
30+
}
31+
],
32+
"availability": {
33+
"isPreview": true
34+
},
35+
"permissions": {
36+
"resourceProvider": [
37+
{
38+
"provider": "Microsoft.OperationalInsights/workspaces",
39+
"permissionsDisplayText": "Read and Write permissions are required.",
40+
"providerDisplayName": "Workspace",
41+
"scope": "Workspace",
42+
"requiredPermissions": {
43+
"write": true,
44+
"read": true,
45+
"delete": true
46+
}
47+
},
48+
{
49+
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
50+
"permissionsDisplayText": "Read permissions to shared keys for the workspace are required.",
51+
"providerDisplayName": "Keys",
52+
"scope": "Workspace",
53+
"requiredPermissions": {
54+
"action": true
55+
}
56+
}
57+
],
58+
"customs": [
59+
{
60+
"name": "Microsoft Entra",
61+
"description": "Permission to create an app registration in Microsoft Entra ID. Typically requires Entra ID Application Developer role or higher."
62+
},
63+
{
64+
"name": "Microsoft Azure",
65+
"description": "Permission to assign Monitoring Metrics Publisher role on data collection rules. Typically requires Azure RBAC Owner or User Access Administrator role."
66+
}
67+
]
68+
},
69+
"instructionSteps": [
70+
{
71+
"title": "1. Create ARM Resources and Provide the Required Permissions",
72+
"description": "We will create data collection rule (DCR) and data collection endpoint (DCE) resources. We will also create a Microsoft Entra app registration and assign the required permissions to it.",
73+
"instructions": [
74+
{
75+
"type": "Markdown",
76+
"parameters": {
77+
"content": "#### Automated deployment of Azure resources\nClicking on \"Deploy push connector resources\" will trigger the creation of DCR and DCE resources.\nIt will then create a Microsoft Entra app registration with client secret and grant permissions on the DCR. This setup enables data to be sent securely to the DCR using a OAuth v2 client credentials."
78+
}
79+
},
80+
{
81+
"parameters": {
82+
"label": "Deploy push connector resources",
83+
"applicationDisplayName": "Pathlock Threat Detection and Response forwarding to Microsoft Sentinel Solution for SAP"
84+
},
85+
"type": "DeployPushConnectorButton_test"
86+
}
87+
]
88+
},
89+
{
90+
"title": "2. Maintain the data collection endpoint details and authentication info in Pathlock Threat Detection and Response",
91+
"description": "Share the data collection endpoint URL and authentication info with the Pathlock Threat Detection and Response Integration administrator to configure the Integration.",
92+
"instructions": [
93+
{
94+
"parameters": {
95+
"label": "Use this value to configure as Tenant ID in the LogIngestionAPI credential.",
96+
"fillWith": [
97+
"TenantId"
98+
]
99+
},
100+
"type": "CopyableLabel"
101+
},
102+
{
103+
"parameters": {
104+
"label": "Entra Application ID",
105+
"fillWith": [
106+
"ApplicationId"
107+
],
108+
"placeholder": "Deploy push connector to get the Application ID"
109+
},
110+
"type": "CopyableLabel"
111+
},
112+
{
113+
"parameters": {
114+
"label": "Entra Application Secret",
115+
"fillWith": [
116+
"ApplicationSecret"
117+
],
118+
"placeholder": "Deploy push connector to get the Application Secret"
119+
},
120+
"type": "CopyableLabel"
121+
},
122+
{
123+
"parameters": {
124+
"label": "Use this value to configure the LogsIngestionURL parameter.",
125+
"fillWith": [
126+
"DataCollectionEndpoint"
127+
],
128+
"placeholder": "Deploy push connector to get the DCE URI"
129+
},
130+
"type": "CopyableLabel"
131+
},
132+
{
133+
"parameters": {
134+
"label": "DCR Immutable ID",
135+
"fillWith": [
136+
"DataCollectionRuleId"
137+
],
138+
"placeholder": "Deploy push connector to get the DCR ID"
139+
},
140+
"type": "CopyableLabel"
141+
}
142+
]
143+
}
144+
],
145+
"metadata": {
146+
"id": "Pathlock_TDnR",
147+
"version": "3.0.0",
148+
"kind": "dataConnector",
149+
"source": {
150+
"kind": "solution",
151+
"name": "Pathlock Threat Detection and Response Integration for Microsoft Sentinel Solution for SAP"
152+
},
153+
"author": {
154+
"name": "Pathlock Inc.",
155+
"email": "[email protected]"
156+
},
157+
"support": {
158+
"tier": "Partner",
159+
"name": "Pathlock Threat Detection and Response",
160+
"email": "[email protected]",
161+
"link": "https://pathlock.com/support/"
162+
}
163+
}
164+
}
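Review bot: The two health queries reference columns that the `Pathlock_TDnR_CL` schema added in this same PR does not define: `baseQuery` projects `SYSID= sid` although the table column is `SYSID`, and `lastDataReceivedQuery` filters on `name_s == "no data test"`, which reads like a leftover from testing and will make the connector report "no data" indefinitely; replace it with `{{graphQueriesTableName}}\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)` and project `SYSID` directly. The `resourceProvider` permissions are wider than the deployment needs: the Markdown step says data is sent to the DCE with an Entra app registration over OAuth client credentials, so `"delete": true` on the workspace and the whole `Microsoft.OperationalInsights/workspaces/sharedKeys` entry are unnecessary and should be dropped per least privilege. `"type": "DeployPushConnectorButton_test"` looks like a test variant of the button type; please confirm the `_test` suffix is intentional before this ships. Since the client secret is surfaced as a `CopyableLabel` and the step 2 description tells operators to "share" the authentication info with the Pathlock administrator, the description should add a sentence such as `Transfer the application secret through a secrets manager or another out-of-band channel, never by e-mail or ticket, and rotate it on a schedule.`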
Lines changed: 69 additions & 0 deletions
@@ -0,0 +1,69 @@
1+
{
2+
"name": "Pathlock_TDnR_CL",
3+
"apiVersion": "2025-02-01",
4+
"type": "Microsoft.OperationalInsights/workspaces/tables",
5+
"location": "{{location}}",
6+
"tags": {},
7+
"properties": {
8+
"schema": {
9+
"name": "Pathlock_TDnR_CL",
10+
"columns": [
11+
{ "name": "TimeGenerated", "type": "datetime" },
12+
{ "name": "SYSID", "type": "string" },
13+
{ "name": "KEY_FIELD", "type": "string" },
14+
{ "name": "MANDT", "type": "string" },
15+
{ "name": "DATA_SOURCE", "type": "string" },
16+
{ "name": "EVENTID", "type": "string" },
17+
{ "name": "EVENTID_LFDNR", "type": "string" },
18+
{ "name": "INSTANCE", "type": "string" },
19+
{ "name": "HOSTNAME", "type": "string" },
20+
{ "name": "BNAME", "type": "string" },
21+
{ "name": "TCODE", "type": "string" },
22+
{ "name": "REPORT", "type": "string" },
23+
{ "name": "OKCODE", "type": "string" },
24+
{ "name": "AREA", "type": "string" },
25+
{ "name": "SUBID", "type": "string" },
26+
{ "name": "AGR_NAME", "type": "string" },
27+
{ "name": "PROFN", "type": "string" },
28+
{ "name": "TERMINAL", "type": "string" },
29+
{ "name": "DATUM", "type": "string" },
30+
{ "name": "ZEIT", "type": "string" },
31+
{ "name": "SRC_IP", "type": "string" },
32+
{ "name": "DEST_IP", "type": "string" },
33+
{ "name": "URI", "type": "string" },
34+
{ "name": "PGMID", "type": "string" },
35+
{ "name": "OBJECT", "type": "string" },
36+
{ "name": "OBJ_NAME", "type": "string" },
37+
{ "name": "LOG_LINE", "type": "string" },
38+
{ "name": "DATUM_UTC", "type": "string" },
39+
{ "name": "ZEIT_UTC", "type": "string" },
40+
{ "name": "FORWARDED", "type": "string" },
41+
{ "name": "EXPORTED", "type": "string" },
42+
{ "name": "CONFIRMED", "type": "string" },
43+
{ "name": "RT_SYSID", "type": "string" },
44+
{ "name": "CONF_USER", "type": "string" },
45+
{ "name": "CONF_DATE", "type": "string" },
46+
{ "name": "CONF_TIME", "type": "string" },
47+
{ "name": "CONF_CHG_USER", "type": "string" },
48+
{ "name": "CONF_CHG_DATE", "type": "string" },
49+
{ "name": "CONF_CHG_TIME", "type": "string" },
50+
{ "name": "INCIDENT", "type": "string" },
51+
{ "name": "PUSH", "type": "string" },
52+
{ "name": "BYTES", "type": "long" },
53+
{ "name": "AFFECTED_USER", "type": "string" },
54+
{ "name": "TABNAME", "type": "string" },
55+
{ "name": "FILTER_NO", "type": "string" },
56+
{ "name": "FILENAME", "type": "string" },
57+
{ "name": "AUDIT_ACTIONID", "type": "string" },
58+
{ "name": "MSG_TYPE", "type": "string" },
59+
{ "name": "MSG_ID", "type": "string" },
60+
{ "name": "MSG_NO", "type": "string" },
61+
{ "name": "MESSAGE_V1", "type": "string" },
62+
{ "name": "MESSAGE_V2", "type": "string" },
63+
{ "name": "MESSAGE_V3", "type": "string" },
64+
{ "name": "MESSAGE_V4", "type": "string" },
65+
{ "name": "CENTRAL_TS", "type": "string" }
66+
]
67+
}
68+
}
69+
}
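Review bot: Every temporal column in the schema (`DATUM`, `ZEIT`, `DATUM_UTC`, `ZEIT_UTC`, `CONF_DATE`, `CONF_TIME`, `CENTRAL_TS`) is declared `string`, so unless the DCR elsewhere in this PR derives `TimeGenerated` from them, each record will carry ingestion time rather than the SAP event time, and any buffered or replayed batch from Pathlock will be misdated in analytics rules and time-window queries. Consider adding a typed column, `{ "name": "EVENT_TIME", "type": "datetime" }`, populated from `DATUM_UTC`/`ZEIT_UTC` in the DCR transform, while keeping the raw string fields for fidelity with the source. The table also carries user, terminal and source-address columns (`BNAME`, `TERMINAL`, `SRC_IP`) that look like SAP audit-log data but sets no `retentionInDays`/`totalRetentionInDays`, so it silently inherits the workspace default; either set retention here or note in the solution documentation that customers must align it with their SAP audit retention requirements.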
